
Re: Problem with authorized user and SVN access

From: Torsten Krah <krah.tm_at_gmail.com>
Date: Wed, 24 Jan 2018 11:05:40 +0100

Some more news about that: I debugged that a little bit further and IMHO I
think it's a bug in the module code of access_checker - or there are
assumptions made which do not hold in my use case - at least it's unclear
to me why it's done that way, maybe someone can give some input.

The problem is that the authorization module mod_authz_svn does expect an
AuthType to be set and that an Authorization header must be there - but
this is optional - authentication can be done without both of them using
Lua:

https://httpd.apache.org/docs/2.4/de/mod/mod_lua.html#luahookauthchecker

...
Invoke a lua function in the auth_checker phase of processing a request. This can be used to implement arbitrary authentication and authorization checking.
...

Looking in the RedBean book it reads:

http://svnbook.red-bean.com/de/1.8/svn.serverconfig.httpd.html#svn.serverconfig.httpd.ref.mod_authz_svn

...
The following configuration directives are provided by mod_authz_svn,
Subversion's Apache HTTP Server module for path-based authorization.
...

So it's about Authorization, not Authentication in that module - why does
the Authorization part make assumptions about how authentication is
done?

The code in question (to me) is this (trunk):

 886   /* Authentication is configured */
 887   authn_configured = ap_auth_type(r) != NULL;
 888   if (authn_configured)
 889     {
 890       /* If the user is trying to authenticate, let him. It doesn't
 891        * make much sense to grant anonymous access but deny authenticated
 892        * users access, even though you can do that with '$anon' in the
 893        * access file.
 894        */
 895       if (apr_table_get(r->headers_in,
 896                         (PROXYREQ_PROXY == r->proxyreq)
 897                         ? "Proxy-Authorization" : "Authorization"))
 898         {
 899           /* Set the note to force authn regardless of what access_checker_ex
 900              hook requires */
 901           apr_table_setn(r->notes, FORCE_AUTHN_NOTE, (const char*)1);
 902
 903           /* provide the proper return so the access_checker hook doesn't
 904            * prevent the code from continuing on to the other auth hooks */
 905           if (ap_satisfies(r) != SATISFY_ANY)
 906             return OK;
 907           else
 908             return HTTP_FORBIDDEN;
 909         }
 910     }

I was able to get the authentication running using gdb and doing a:

set authn_configured=1

on line 888.

Line 887 assumes that authentication is only configured if there is an
auth_type set on the request, but this is wrong - it's not needed to
authenticate a user, see the Lua docs.

After that it runs the code where the "Authorization" is checked - L885:

(gdb) print apr_table_get(r->headers_in, "Proxy-Authorization")
$8 = 0
(gdb) print apr_table_get(r->headers_in, "Authorization")
$9 = 0
(gdb)

This should not be done here (at least there should be a way to skip
that) - I did not send and did not ask the user to send this header, so
it's not basic authentication here.
If I do send an arbitrary faked Authorization header, which has nothing
to do with what authentication needs, it passes and the Lua hook is
called and the request does succeed like this:

[Wed Jan 24 09:45:02.751169 2018] [authz_core:debug] [pid 12109:tid 140737127630592] mod_authz_core.c(809): [client 127.0.0.1:18984] AH01626: authorization result of Require valid-user : denied (no authenticated user yet), referer: http://localhost:3691/svn-test-work/repositories/basic_tests-10/
[Wed Jan 24 09:45:02.751214 2018] [authz_core:debug] [pid 12109:tid 140737127630592] mod_authz_core.c(809): [client 127.0.0.1:18984] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet), referer: http://localhost:3691/svn-test-work/repositories/basic_tests-10/
[Wed Jan 24 09:45:02.751644 2018] [lua:debug] [pid 12109:tid 140737127630592] lua_request.c(1838): [client 127.0.0.1:18984] AH01486: request_rec->dispatching headers_in -> apr table, referer: http://localhost:3691/svn-test-work/repositories/basic_tests-10/
[Wed Jan 24 09:45:02.751663 2018] [lua:debug] [pid 12109:tid 140737127630592] lua_request.c(1856): [client 127.0.0.1:18984] AH01488: request_rec->dispatching user -> string, referer: http://localhost:3691/svn-test-work/repositories/basic_tests-10/
[Wed Jan 24 09:45:02.751670 2018] [lua:debug] [pid 12109:tid 140737127630592] lua_request.c(1856): [client 127.0.0.1:18984] AH01488: request_rec->dispatching user -> string, referer: http://localhost:3691/svn-test-work/repositories/basic_tests-10/
[Wed Jan 24 09:45:02.751676 2018] [lua:debug] [pid 12109:tid 140737127630592] lua_request.c(1848): [client 127.0.0.1:18984] AH01487: request_rec->dispatching debug -> lua_CFunction, referer: http://localhost:3691/svn-test-work/repositories/basic_tests-10/
[Wed Jan 24 09:45:02.751682 2018] [lua:debug] [pid 12109:tid 140737127630592] @/etc/apache2/auth.lua(23): [client 127.0.0.1:18984] user foo: OK, referer: http://localhost:3691/svn-test-work/repositories/basic_tests-10/
[Wed Jan 24 09:45:02.751706 2018] [authz_svn:debug] [pid 12109:tid 140737127630592] subversion/mod_authz_svn/mod_authz_svn.c(448): [client 127.0.0.1:18984] Path to authz file is /home/tkrah/Development/src/subversion/subversion/tests/cmdline/svn-test-work/authz, referer: http://localhost:3691/svn-test-work/repositories/basic_tests-10/
[Wed Jan 24 09:45:02.751902 2018] [authz_svn:info] [pid 12109:tid 140737127630592] [client 127.0.0.1:18984] Access granted: 'foo' GET basic_tests-10:/iota, referer: http://localhost:3691/svn-test-work/repositories/basic_tests-10/

Without that header it passes too - but the callstack is different (just
for information).

948 status = req_check_access(r, conf, &repos_path, &dest_repos_path);

After this it takes its way to L884 which returns DECLINED.

Run till exit from #0 ap_some_authn_required (r=0x7ffff7f310a0) at request.c:149
0x00007ffff2b55389 in access_checker (r=0x7ffff7f310a0) at subversion/mod_authz_svn/mod_authz_svn.c:968
968 authn_required = ap_some_authn_required(r);
Value returned is $5 = 1

After that the request asks the Lua hook for the user and later on
mod_authz_svn can check the path-based stuff, which succeeds:

[Wed Jan 24 10:34:38.624611 2018] [authz_svn:debug] [pid 1841:tid 140737152808704] subversion/mod_authz_svn/mod_authz_svn.c(448): [client 127.0.0.1:19746] Path to authz file is /home/tkrah/Development/src/subversion/subversion/tests/cmdline/svn-test-work/authz
[Wed Jan 24 10:36:50.581672 2018] [authz_core:debug] [pid 1841:tid 140737152808704] mod_authz_core.c(809): [client 127.0.0.1:19746] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Wed Jan 24 10:36:50.581740 2018] [authz_core:debug] [pid 1841:tid 140737152808704] mod_authz_core.c(809): [client 127.0.0.1:19746] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Wed Jan 24 10:39:27.506910 2018] [authz_core:debug] [pid 1841:tid 140737152808704] mod_authz_core.c(809): [client 127.0.0.1:19746] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Wed Jan 24 10:39:27.506972 2018] [authz_core:debug] [pid 1841:tid 140737152808704] mod_authz_core.c(809): [client 127.0.0.1:19746] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Wed Jan 24 10:39:27.507366 2018] [lua:debug] [pid 1841:tid 140737152808704] lua_request.c(1848): [client 127.0.0.1:19746] AH01487: request_rec->dispatching debug -> lua_CFunction
[Wed Jan 24 10:39:27.507384 2018] [lua:debug] [pid 1841:tid 140737152808704] @/etc/apache2/auth.lua(13): [client 127.0.0.1:19746] user foo: OK
[Wed Jan 24 10:39:27.507412 2018] [authz_svn:debug] [pid 1841:tid 140737152808704] subversion/mod_authz_svn/mod_authz_svn.c(448): [client 127.0.0.1:19746] Path to authz file is /home/tkrah/Development/src/subversion/subversion/tests/cmdline/svn-test-work/authz
[Wed Jan 24 10:39:27.507487 2018] [authz_svn:info] [pid 1841:tid 140737152808704] [client 127.0.0.1:19746] Access granted: 'foo' GET basic_tests-10:/iota

HTH someone to dive into that - should I file a bug about that in the tracker to get that fixed?

kind regards

Torsten

Received on 2018-01-24 11:05:49 CET

This is an archived mail posted to the Subversion Users mailing list.
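For readers who have not used mod_lua this way, here is an added illustration (not code from the post, from Subversion or from httpd) of the kind of auth_checker hook the mail refers to: it authenticates from a session cookie and sets r.user without any AuthType or Authorization header, so a request it accepts reaches mod_authz_svn with ap_auth_type(r) still NULL, which is exactly the condition line 887 above treats as "no authentication configured". The cookie name, the session table and the paths in the configuration comment are assumptions.

```lua
-- Assumed httpd.conf fragment (hypothetical paths; the LuaHookAuthChecker
-- directive is the one from the mod_lua docs linked in the mail):
--   LoadModule lua_module modules/mod_lua.so
--   <Location /svn>
--     DAV svn
--     SVNParentPath /srv/svn
--     AuthzSVNAccessFile /srv/svn/authz
--     LuaHookAuthChecker /etc/apache2/auth.lua check_session
--     Require valid-user
--   </Location>
-- Note: deliberately no AuthType and no AuthName, so ap_auth_type(r) is NULL.

-- Constructed stand-in for a real session store; a real deployment would
-- consult a database or an SSO service instead of a table in the script.
local SESSIONS = {
  ["s3ss10n-aaaa"] = "foo",
  ["s3ss10n-bbbb"] = "bar",
}

-- Extract the value of one named cookie from the Cookie request header.
local function cookie_value(r, name)
  local header = r.headers_in["Cookie"]
  if not header then return nil end
  for k, v in string.gmatch(header, "([^=; ]+)=([^;]*)") do
    if k == name then return v end
  end
  return nil
end

-- auth_checker hook: on success set r.user and return apache2.OK, otherwise
-- return 401 so the request never reaches the authz phases as a known user.
function check_session(r)
  local sid = cookie_value(r, "svnsession")
  local user = sid and SESSIONS[sid]
  if not user then
    r:debug("no valid session cookie; rejecting")
    return 401
  end
  -- r.user is what Require valid-user and mod_authz_svn's path checks read.
  r.user = user
  r:debug("user " .. user .. ": OK")
  return apache2.OK
end
```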