enable request_auth module to send auth service error message body when it is allowed

Maxim Dounin mdounin at mdounin.ru
Tue May 9 00:52:10 UTC 2023


Hello!

On Tue, May 09, 2023 at 01:40:18AM +0200, Davood Falahati wrote:

> # HG changeset patch
> # User Davood Falahati <0x0davood at gmail.com>
> # Date 1683588448 -7200
> #      Tue May 09 01:27:28 2023 +0200
> # Node ID 0977f155bc2d288eedf006033b9a5094d0e8098f
> # Parent  b71e69247483631bd8fc79a47cc32b762625b1fb
> let request_auth_module pass auth body when it is allowed
> 
> diff -r b71e69247483 -r 0977f155bc2d
> src/http/modules/ngx_http_auth_request_module.c
> --- a/src/http/modules/ngx_http_auth_request_module.c Mon May 01 19:16:05
> 2023 +0400
> +++ b/src/http/modules/ngx_http_auth_request_module.c Tue May 09 01:27:28
> 2023 +0200
> @@ -13,6 +13,7 @@
>  typedef struct {
>      ngx_str_t                 uri;
>      ngx_array_t              *vars;
> +    ngx_flag_t                enable;
>  } ngx_http_auth_request_conf_t;
> 
> 
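Review bot: The field name `enable` in `ngx_http_auth_request_conf_t` does not say what it enables, while the neighbouring fields are named for what they hold (`uri`, `vars`). Name the field after the behaviour it switches, so that `arcf->...` reads unambiguously at the point of use.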
> @@ -62,6 +63,12 @@
>        NGX_HTTP_LOC_CONF_OFFSET,
>        0,
>        NULL },
> +    { ngx_string("send_auth_body"),
> +      NGX_HTTP_MAIN_CONF | NGX_HTTP_SRV_CONF | NGX_HTTP_LOC_CONF |
> NGX_CONF_TAKE1,
> +      ngx_conf_set_flag_slot,
> +      NGX_HTTP_LOC_CONF_OFFSET,
> +      offsetof(ngx_http_auth_request_conf_t, enable),
> +      NULL },
> 
>        ngx_null_command
>  };
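Review bot: `NGX_CONF_TAKE1` on the `send_auth_body` entry does not match its `ngx_conf_set_flag_slot` handler. On/off directives are declared with `NGX_CONF_FLAG`, so use that in the type mask. The new entry also follows the previous `NULL },` with no separating blank line, and the type mask has been wrapped by the mailer (`NGX_CONF_TAKE1,` sits on its own quoted line without a `+`), so the hunk will not apply as sent.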
> @@ -106,6 +113,9 @@
>      ngx_http_post_subrequest_t    *ps;
>      ngx_http_auth_request_ctx_t   *ctx;
>      ngx_http_auth_request_conf_t  *arcf;
> +    ngx_list_t *hs;
> +    ngx_buf_t *b;
> +    ngx_chain_t out, *in;
> 
>      arcf = ngx_http_get_module_loc_conf(r, ngx_http_auth_request_module);
> 
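Review bot: The three added declarations (`ngx_list_t *hs;`, `ngx_buf_t *b;`, `ngx_chain_t out, *in;`) are not column-aligned with the existing `ps`, `ctx` and `arcf` declarations directly above them. Align the type and name columns to match the surrounding block.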
> @@ -141,6 +151,36 @@
>          if (ctx->status == NGX_HTTP_UNAUTHORIZED) {
>              sr = ctx->subrequest;
> 
> +            if (arcf->enable) {
> +
> +                r->headers_out.content_type = sr->headers_out.content_type;
> +
> +                hs = &sr->headers_out.headers;
> +
> +                r->headers_out.headers = *hs;
> +
> +                b = ngx_calloc_buf(r->pool);
> +                if (b == NULL) {
> +                   return NGX_ERROR;
> +                }
> +
> +                r->headers_out.status = ctx->status;
> +
> +                b->last_buf = 1;
> +                b->last_in_chain = 1;
> +                b->memory = 1;
> +
> +                out.buf = b;
> +                out.next = NULL;
> +
> +                in = ctx->subrequest->out;
> +                in->next = &out;
> +
> +                ngx_http_send_header(r);
> +
> +                return ngx_http_output_filter(r, in);
> +            }
> +
>              h = sr->headers_out.www_authenticate;
> 
>              if (!h && sr->upstream) {
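Review bot: `in = ctx->subrequest->out;` followed by `in->next = &out;` dereferences `in` with no NULL check and overwrites the first link's `next`, so any further buffers in the subrequest chain are dropped. Check `in` for NULL and append at the end of the chain instead. The result of `ngx_http_send_header(r)` is also discarded; test it and return on error or on a header-only response before calling `ngx_http_output_filter()`. The `return NGX_ERROR;` under the `b == NULL` check is indented by three spaces rather than four.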
> @@ -323,6 +363,8 @@
> 
>      conf->vars = NGX_CONF_UNSET_PTR;
> 
> +    conf->enable = NGX_CONF_UNSET;
> +
>      return conf;
>  }
> 
> @@ -335,6 +377,7 @@
> 
>      ngx_conf_merge_str_value(conf->uri, prev->uri, "");
>      ngx_conf_merge_ptr_value(conf->vars, prev->vars, NULL);
> +    ngx_conf_merge_value(conf->enable, prev->enable, 0);
> 
>      return NGX_CONF_OK;
>  }

Thanks for the patch.  It is, however, not going to work for at 
least two reasons:

1. The ctx->subrequest->out is only available when there is a 
   NGX_HTTP_SUBREQUEST_IN_MEMORY flag (and implies various 
   restrictions).

2. The auth subrequest is created with the sr->header_only flag 
   set, so there will be no response body available at all.

Further, it might not be a good idea to copy all headers from the 
subrequest while not providing various links and pointers from the 
r->headers_out structure.  This is going to break various filter 
modules, such as charset filter (which uses 
r->headers_out.charset, r->headers_out.override_charset, 
r->headers_out.content_encoding), sub filter (as testing content 
type uses r->headers_out.content_type_len), and many more things.

Note well that "enable" isn't a good name for a field responsible 
for an optional feature.  Similarly, "send_auth_body" does not 
look self-explanatory.

Overall, please also take a look at 
http://nginx.org/en/docs/contributing_changes.html for some basic 
hints on how to submit patches.

Most notably, it might be a good idea to outline the use case for the 
feature you are trying to introduce and why existing features are 
not enough for this use case.  The design of the module generally 
suggests that the custom response body, if needed, can be provided 
using the error_page directive, much like with other auth modules.

Hope this helps.

-- 
Maxim Dounin
http://mdounin.ru/
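
The error_page approach mentioned at the end of the reply, as an added example that is not part of the original message or of the nginx sources. The listen port, the upstream addresses, the X-Auth-Reason header and the location names are assumptions made for illustration; the fragment belongs inside the http context.

```nginx
# Added example: custom 401 body for auth_request via error_page.
# Addresses, header name and location names are assumptions.
server {
    listen 8080;

    location /private/ {
        # Subrequest that decides whether the client may proceed.
        auth_request     /_auth;

        # Keep a header from the auth response in a variable so the
        # error page can use it.
        auth_request_set $auth_reason $upstream_http_x_auth_reason;

        # Hand a 401 from the auth step to a location that writes the
        # body; "=" takes the status code from that location.
        error_page 401 = @auth_denied;

        proxy_pass http://127.0.0.1:9001;
    }

    location = /_auth {
        # Not reachable by clients directly.
        internal;

        proxy_pass              http://127.0.0.1:9000/verify;
        # The auth service only needs the request headers.
        proxy_pass_request_body off;
        proxy_set_header        Content-Length "";
        proxy_set_header        X-Original-URI $request_uri;
    }

    location @auth_denied {
        # Plain text so the reflected header value is not interpreted
        # as markup by the client.
        default_type text/plain;
        return 401 "Authentication required: $auth_reason\n";
    }
}
```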

