Some more news about that: I debugged it a little bit further and IMHO I think it's a bug in the module code of access_checker - or there are assumptions made which do not hold in my use case - at least it's unclear to me why it's done that way, maybe someone can give some input.

The problem is that the authorization module mod_authz_svn does expect an AuthType to be set and that an Authorization header must be there - but this is optional - authentication can be done without both of them using lua:

https://httpd.apache.org/docs/2.4/de/mod/mod_lua.html#luahookauthchecker

    ...
    Invoke a lua function in the auth_checker phase of processing a request. This can be used to implement arbitrary authentication and authorization checking.
    ...

Looking in the RedBean book it reads:

http://svnbook.red-bean.com/de/1.8/svn.serverconfig.httpd.html#svn.serverconfig.httpd.ref.mod_authz_svn

    ...
    The following configuration directives are provided by mod_authz_svn, Subversion's Apache HTTP Server module for path-based authorization.
    ...

So it's about Authorization, not Authentication in that module - why does the Authorization part make assumptions about how authentication is done?

The code in question (to me) is this (trunk):

    886   /* Authentication is configured */
    887   authn_configured = ap_auth_type(r) != NULL;
    888   if (authn_configured)
    889     {
    890       /* If the user is trying to authenticate, let him.  It doesn't
    891        * make much sense to grant anonymous access but deny authenticated
    892        * users access, even though you can do that with '$anon' in the
    893        * access file.
    894        */
    895       if (apr_table_get(r->headers_in,
    896                         (PROXYREQ_PROXY == r->proxyreq)
    897                         ? "Proxy-Authorization" : "Authorization"))
    898         {
    899           /* Set the note to force authn regardless of what access_checker_ex
    900              hook requires */
    901           apr_table_setn(r->notes, FORCE_AUTHN_NOTE, (const char*)1);
    902
    903           /* provide the proper return so the access_checker hook doesn't
    904            * prevent the code from continuing on to the other auth hooks */
    905           if (ap_satisfies(r) != SATISFY_ANY)
    906             return OK;
    907           else
    908             return HTTP_FORBIDDEN;
    909         }
    910     }

I was able to get the authentication running using gdb and doing a:

    set authn_configured=1

on line 888.

Line 887 assumes that Authentication is only configured if there is an auth_type set on the request, but this is wrong - it's not needed to authenticate a user, see the lua docs.

After that it runs the code where the "Authorization" is checked - L885:

    (gdb) print apr_table_get(r->headers_in, "Proxy-Authorization")
    $8 = 0
    (gdb) print apr_table_get(r->headers_in, "Authorization")
    $9 = 0
    (gdb)

This should not be done here (at least there should be a way to skip that) - I did not send and did not ask the user to send this header, so it's not basic authentication here.

If I do send an arbitrary faked Authorization header, which has nothing to do with what authentication needs, it passes and the lua hook is called and the request does succeed like this:

    [Wed Jan 24 09:45:02.751169 2018] [authz_core:debug] [pid 12109:tid 140737127630592] mod_authz_core.c(809): [client 127.0.0.1:18984] AH01626: authorization result of Require valid-user : denied (no authenticated user yet), referer: http://localhost:3691/svn-test-work/repositories/basic_tests-10/
    [Wed Jan 24 09:45:02.751214 2018] [authz_core:debug] [pid 12109:tid 140737127630592] mod_authz_core.c(809): [client 127.0.0.1:18984] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet), referer: http://localhost:3691/svn-test-work/repositories/basic_tests-10/
    [Wed Jan 24 09:45:02.751644 2018] [lua:debug] [pid 12109:tid 140737127630592] lua_request.c(1838): [client 127.0.0.1:18984] AH01486: request_rec->dispatching headers_in -> apr table, referer: http://localhost:3691/svn-test-work/repositories/basic_tests-10/
    [Wed Jan 24 09:45:02.751663 2018] [lua:debug] [pid 12109:tid 140737127630592] lua_request.c(1856): [client 127.0.0.1:18984] AH01488: request_rec->dispatching user -> string, referer: http://localhost:3691/svn-test-work/repositories/basic_tests-10/
    [Wed Jan 24 09:45:02.751670 2018] [lua:debug] [pid 12109:tid 140737127630592] lua_request.c(1856): [client 127.0.0.1:18984] AH01488: request_rec->dispatching user -> string, referer: http://localhost:3691/svn-test-work/repositories/basic_tests-10/
    [Wed Jan 24 09:45:02.751676 2018] [lua:debug] [pid 12109:tid 140737127630592] lua_request.c(1848): [client 127.0.0.1:18984] AH01487: request_rec->dispatching debug -> lua_CFunction, referer: http://localhost:3691/svn-test-work/repositories/basic_tests-10/
    [Wed Jan 24 09:45:02.751682 2018] [lua:debug] [pid 12109:tid 140737127630592] @/etc/apache2/auth.lua(23): [client 127.0.0.1:18984] user foo: OK, referer: http://localhost:3691/svn-test-work/repositories/basic_tests-10/
    [Wed Jan 24 09:45:02.751706 2018] [authz_svn:debug] [pid 12109:tid 140737127630592] subversion/mod_authz_svn/mod_authz_svn.c(448): [client 127.0.0.1:18984] Path to authz file is /home/tkrah/Development/src/subversion/subversion/tests/cmdline/svn-test-work/authz, referer: http://localhost:3691/svn-test-work/repositories/basic_tests-10/
    [Wed Jan 24 09:45:02.751902 2018] [authz_svn:info] [pid 12109:tid 140737127630592] [client 127.0.0.1:18984] Access granted: 'foo' GET basic_tests-10:/iota, referer: http://localhost:3691/svn-test-work/repositories/basic_tests-10/

Without that header it passes too - but the callstack is different (just for information).

    948   status = req_check_access(r, conf, &repos_path, &dest_repos_path);

After this it takes its way to L884 which returns DECLINED.

    Run till exit from #0 ap_some_authn_required (r=0x7ffff7f310a0) at request.c:149
    0x00007ffff2b55389 in access_checker (r=0x7ffff7f310a0) at subversion/mod_authz_svn/mod_authz_svn.c:968
    968   authn_required = ap_some_authn_required(r);
    Value returned is $5 = 1

After that the request asks the lua hook for the user and later on mod_authz_svn can check the path based stuff which succeeds:

    [Wed Jan 24 10:34:38.624611 2018] [authz_svn:debug] [pid 1841:tid 140737152808704] subversion/mod_authz_svn/mod_authz_svn.c(448): [client 127.0.0.1:19746] Path to authz file is /home/tkrah/Development/src/subversion/subversion/tests/cmdline/svn-test-work/authz
    [Wed Jan 24 10:36:50.581672 2018] [authz_core:debug] [pid 1841:tid 140737152808704] mod_authz_core.c(809): [client 127.0.0.1:19746] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
    [Wed Jan 24 10:36:50.581740 2018] [authz_core:debug] [pid 1841:tid 140737152808704] mod_authz_core.c(809): [client 127.0.0.1:19746] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
    [Wed Jan 24 10:39:27.506910 2018] [authz_core:debug] [pid 1841:tid 140737152808704] mod_authz_core.c(809): [client 127.0.0.1:19746] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
    [Wed Jan 24 10:39:27.506972 2018] [authz_core:debug] [pid 1841:tid 140737152808704] mod_authz_core.c(809): [client 127.0.0.1:19746] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
    [Wed Jan 24 10:39:27.507366 2018] [lua:debug] [pid 1841:tid 140737152808704] lua_request.c(1848): [client 127.0.0.1:19746] AH01487: request_rec->dispatching debug -> lua_CFunction
    [Wed Jan 24 10:39:27.507384 2018] [lua:debug] [pid 1841:tid 140737152808704] @/etc/apache2/auth.lua(13): [client 127.0.0.1:19746] user foo: OK
    [Wed Jan 24 10:39:27.507412 2018] [authz_svn:debug] [pid 1841:tid 140737152808704] subversion/mod_authz_svn/mod_authz_svn.c(448): [client 127.0.0.1:19746] Path to authz file is /home/tkrah/Development/src/subversion/subversion/tests/cmdline/svn-test-work/authz
    [Wed Jan 24 10:39:27.507487 2018] [authz_svn:info] [pid 1841:tid 140737152808704] [client 127.0.0.1:19746] Access granted: 'foo' GET basic_tests-10:/iota

HTH someone to dive into that - should I file a bug about that in the tracker to get that fixed?

Kind regards

Torsten