enable request_auth module to send auth service error message body when it is allowed
Maxim Dounin
mdounin at mdounin.ru
Tue May 9 00:52:10 UTC 2023
Hello!
On Tue, May 09, 2023 at 01:40:18AM +0200, Davood Falahati wrote:
> # HG changeset patch
> # User Davood Falahati <0x0davood at gmail.com>
> # Date 1683588448 -7200
> # Tue May 09 01:27:28 2023 +0200
> # Node ID 0977f155bc2d288eedf006033b9a5094d0e8098f
> # Parent b71e69247483631bd8fc79a47cc32b762625b1fb
> let request_auth_module pass auth body when it is allowed
>
> diff -r b71e69247483 -r 0977f155bc2d
> src/http/modules/ngx_http_auth_request_module.c
> --- a/src/http/modules/ngx_http_auth_request_module.c Mon May 01 19:16:05
> 2023 +0400
> +++ b/src/http/modules/ngx_http_auth_request_module.c Tue May 09 01:27:28
> 2023 +0200
> @@ -13,6 +13,7 @@
> typedef struct {
> ngx_str_t uri;
> ngx_array_t *vars;
> + ngx_flag_t enable;
> } ngx_http_auth_request_conf_t;
>
>
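Review bot: the new field name "enable" in ngx_http_auth_request_conf_t does not say what it enables. The struct configures the whole module (uri, vars), so a later reader of arcf->enable cannot tell that it only controls relaying the auth response body. Give the field a name that describes that behaviour and keep it in step with the directive name.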
> @@ -62,6 +63,12 @@
> NGX_HTTP_LOC_CONF_OFFSET,
> 0,
> NULL },
> + { ngx_string("send_auth_body"),
> + NGX_HTTP_MAIN_CONF | NGX_HTTP_SRV_CONF | NGX_HTTP_LOC_CONF |
> NGX_CONF_TAKE1,
> + ngx_conf_set_flag_slot,
> + NGX_HTTP_LOC_CONF_OFFSET,
> + offsetof(ngx_http_auth_request_conf_t, enable),
> + NULL },
>
> ngx_null_command
> };
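Review bot: the send_auth_body entry pairs NGX_CONF_TAKE1 with ngx_conf_set_flag_slot. An on/off directive is conventionally declared with NGX_CONF_FLAG, which is the argument type that goes with the flag slot handler. The entry also starts directly after the preceding "NULL }," with no separating blank line, and the directive name does not carry the auth_request prefix, so nothing in a configuration file ties it to this module.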
> @@ -106,6 +113,9 @@
> ngx_http_post_subrequest_t *ps;
> ngx_http_auth_request_ctx_t *ctx;
> ngx_http_auth_request_conf_t *arcf;
> + ngx_list_t *hs;
> + ngx_buf_t *b;
> + ngx_chain_t out, *in;
>
> arcf = ngx_http_get_module_loc_conf(r, ngx_http_auth_request_module);
>
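Review bot: "ngx_chain_t out" is an automatic variable in the handler's frame, yet the next hunk stores its address in the subrequest's chain (in->next = &out). That leaves a pointer to a dead stack slot in pool-owned data once the handler returns. Allocate the link from the request pool with ngx_alloc_chain_link(r->pool) and check the result for NULL, as is already done for the buffer.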
> @@ -141,6 +151,36 @@
> if (ctx->status == NGX_HTTP_UNAUTHORIZED) {
> sr = ctx->subrequest;
>
> + if (arcf->enable) {
> +
> + r->headers_out.content_type = sr->headers_out.content_type;
> +
> + hs = &sr->headers_out.headers;
> +
> + r->headers_out.headers = *hs;
> +
> + b = ngx_calloc_buf(r->pool);
> + if (b == NULL) {
> + return NGX_ERROR;
> + }
> +
> + r->headers_out.status = ctx->status;
> +
> + b->last_buf = 1;
> + b->last_in_chain = 1;
> + b->memory = 1;
> +
> + out.buf = b;
> + out.next = NULL;
> +
> + in = ctx->subrequest->out;
> + in->next = &out;
> +
> + ngx_http_send_header(r);
> +
> + return ngx_http_output_filter(r, in);
> + }
> +
> h = sr->headers_out.www_authenticate;
>
> if (!h && sr->upstream) {
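Review bot: "in = ctx->subrequest->out; in->next = &out;" dereferences the subrequest chain without checking it for NULL, so a subrequest that produced no in-memory body crashes the worker here instead of falling through to the existing 401 handling. The same assignment overwrites the first link's next pointer, which drops any further buffers already in the chain; the terminating link should be appended at the tail. The return value of ngx_http_send_header(r) is ignored, so an NGX_ERROR or a header-only response still goes on to the output filter. Finally, "r->headers_out.headers = *hs" relays every header the auth service returned to the client, including ones meant only for the proxy; copy an explicit set of headers instead.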
> @@ -323,6 +363,8 @@
>
> conf->vars = NGX_CONF_UNSET_PTR;
>
> + conf->enable = NGX_CONF_UNSET;
> +
> return conf;
> }
>
> @@ -335,6 +377,7 @@
>
> ngx_conf_merge_str_value(conf->uri, prev->uri, "");
> ngx_conf_merge_ptr_value(conf->vars, prev->vars, NULL);
> + ngx_conf_merge_value(conf->enable, prev->enable, 0);
>
> return NGX_CONF_OK;
> }
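Review bot: missing documentation for the new directive. ngx_conf_merge_value(conf->enable, prev->enable, 0) makes it default to off and inherit from the enclosing level, but neither the commit message nor the patch says that the body path is only reached under ctx->status == NGX_HTTP_UNAUTHORIZED, so other denial statuses are unaffected. State the default, the inheritance and the affected status in the change description.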
Thanks for the patch. It is, however, not going to work for at
least two reasons:

1. The ctx->subrequest->out is only available when there is a
NGX_HTTP_SUBREQUEST_IN_MEMORY flag (and implies various
restrictions).

2. The auth subrequest is created with the sr->header_only flag
set, so there will be no response body available at all.

Further, it might not be a good idea to copy all headers from the
subrequest while not providing various links and pointers from the
r->headers_out structure. This is going to break various filter
modules, such as charset filter (which uses
r->headers_out.charset, r->headers_out.override_charset,
r->headers_out.content_encoding), sub filter (as testing content
type uses r->headers_out.content_type_len), and many more things.

Note well that "enable" isn't a good name for a field responsible
for an optional feature. Similarly, "send_auth_body" does not
look self-explanatory.

Overall, please also take a look at
http://nginx.org/en/docs/contributing_changes.html for some basic
hints on how to submit patches.

Most notably, it might be a good idea to outline the use case for the
feature you are trying to introduce and why existing features are
not enough for this use case. The design of the module generally
suggests that the custom response body, if needed, can be provided
using the error_page directive, much like with other auth modules.

Hope this helps.
--
Maxim Dounin
http://mdounin.ru/
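
The error_page approach mentioned in the reply above, shown as an added configuration example that is not part of the original thread or of the nginx sources. The listen port, location names, upstream addresses and the /verify and /denied paths are assumptions chosen for illustration.

```nginx
# Added example: custom 401 body without patching the auth_request module.
# All addresses, ports and paths below are assumed values.
server {
    listen 8080;

    location /private/ {
        # Every request is first checked by the auth subrequest.
        auth_request /_auth;

        # On 401 from the auth subrequest, serve the body produced by
        # /_auth_denied. Without "=", the client still receives status 401.
        error_page 401 /_auth_denied;

        proxy_pass http://127.0.0.1:9000;
    }

    location = /_auth {
        # Reachable only through internal requests, never directly by clients.
        internal;

        proxy_pass http://127.0.0.1:9001/verify;

        # The auth service decides on headers alone; do not forward the body.
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
    }

    location = /_auth_denied {
        internal;

        # The error body comes from a dedicated endpoint, so the response
        # passes through the normal header and body filter chain.
        proxy_pass http://127.0.0.1:9001/denied;
    }
}
```

Because the denial body is produced by an ordinary request to /_auth_denied, headers returned by /_auth itself are not copied wholesale into the client response.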