Bug 4328 - %un format code does not work for external ACLs in credentials-fetching rules
Summary: %un format code does not work for external ACLs in credentials-fetching rules
Status: RESOLVED FIXED
Alias: None
Product: Squid
Classification: Unclassified
Component: helpers: auth_param
Version: 3.5
Hardware: All All
Importance: P5 normal
Assignee: SQUID BUGS ALIAS
URL:
Depends on:
Blocks:
 
Reported: 2015-09-17 15:27 UTC by Steve Hill
Modified: 2015-09-27 00:01 UTC

See Also:
Browser: ---
Fixed Versions: 3.5.10
Needs:


Attachments
Bugfix (722 bytes, patch)
2015-09-24 13:31 UTC, Steve Hill

Description Steve Hill 2015-09-17 15:27:58 UTC
I'm using an external ACL to decide whether to bump traffic during SSL bump step 2.  The external ACL needs to know the user's username for requests that have authenticated, but not all requests are authenticated so I can't use %LOGIN and I'm therefore using %un instead.  However, %un is never being filled in with a user name.


The relevant parts of the config are:

http_access allow proxy_auth
http_access deny all
external_acl_type sslpeek children-max=10 concurrency=100 ttl=0 negative_ttl=0 %SRC %un %URI %ssl::>sni %>ha{User-Agent} /usr/sbin/check_bump.sh
acl sslpeek external sslpeek
acl ssl_bump_step_1 at_step SslBump1
acl ssl_bump_step_2 at_step SslBump2
acl ssl_bump_step_3 at_step SslBump3
ssl_bump peek ssl_bump_step_1 #icap_says_peek
ssl_bump bump ssl_bump_step_2 sslpeek
ssl_bump splice all
sslproxy_cert_error allow all


The debug log shows that the CONNECT request is successfully authenticated:

Acl.cc(138) matches: checking proxy_auth
UserData.cc(22) match: user is steve, case_insensitive is 0
UserData.cc(28) match: aclMatchUser: user REQUIRED and auth-info present.
Acl.cc(340) cacheMatchAcl: ACL::cacheMatchAcl: miss for 'proxy_auth'. Adding result 1
Acl.cc(158) matches: checked: proxy_auth = 1

But then later in the log I see:

external_acl.cc(1416) Start: fg lookup in 'sslpeek' for '2a00:1940:1:8:468a:5bff:fe9a:cd7f - www.hsbc.co.uk:443 www.hsbc.co.uk Mozilla/5.0%20(X11;%20Fedora;%20Linux%20x86_64;%20rv:39.0)%20Gecko/20100101%20Firefox/39.0'


The user name given to the external ACL is "-" even though the request has been authenticated.  Setting a->require_auth in parse_externalAclHelper() makes it work, but obviously just makes %un behave like %LOGIN, so isn't a solution.
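An added example, not the reporter's check_bump.sh and not Squid project code: a helper written against the external_acl_type line above (%SRC %un %URI %ssl::>sni %>ha{User-Agent} with concurrency=100, so every request carries a channel ID), showing how the "-" that %un produced for every request has to be handled. The rule that only the users in BUMP_USERS are bumped is a hypothetical policy, not something the report states.

```sh
#!/bin/sh
# Added example, not the reporter's /usr/sbin/check_bump.sh: a helper for the
# external_acl_type line in the report (%SRC %un %URI %ssl::>sni %>ha{User-Agent}).
# With concurrency=100 each request is prefixed by a channel ID that must be
# echoed back; field values are %XX-encoded (the log shows %20 for spaces) and
# a missing %un arrives as "-". Hypothetical policy: only BUMP_USERS get bumped.
BUMP_USERS="steve alice"
# Decode Squid's %XX field encoding in portable awk (no gawk strtonum needed).
url_decode() {
    printf '%s' "$1" | awk 'BEGIN { hex = "0123456789ABCDEF" }
    {
        out = ""; s = $0
        while ((i = index(s, "%")) > 0) {
            out = out substr(s, 1, i - 1)
            h = toupper(substr(s, i + 1, 2))
            hi = index(hex, substr(h, 1, 1)); lo = index(hex, substr(h, 2, 1))
            if (length(h) == 2 && hi && lo) {
                out = out sprintf("%c", (hi - 1) * 16 + lo - 1); s = substr(s, i + 3)
            } else { out = out "%"; s = substr(s, i + 1) }
        }
        print out s
    }'
}

# Handle one request line and print the reply Squid expects: "<id> OK|ERR|BH".
handle_request() {
    set -f; set -- $1; set +f   # splitting on spaces is safe: values are encoded
    if [ $# -ne 6 ]; then
        echo "${1:--} BH message=malformed%20request"
        return
    fi
    id=$1
    user=$(url_decode "$3")
    # "-" means no credentials were attached (what this bug produced for every
    # request before 3.5.10): unauthenticated traffic is never bumped.
    if [ "$user" = "-" ]; then
        echo "$id ERR"
        return
    fi
    for u in $BUMP_USERS; do
        [ "$u" = "$user" ] && { echo "$id OK"; return; }
    done
    echo "$id ERR"
}
# Serve Squid only when started with --serve (e.g. ".../check_bump.sh --serve"
# on the external_acl_type line), so the functions can also be sourced/tested.
if [ "${1-}" = "--serve" ]; then
    while IFS= read -r line; do handle_request "$line"; done
fi
```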
Comment 1 Steve Hill 2015-09-24 13:31:47 UTC
Created attachment 3214
Bugfix

Correction: this is not specific to SSL-bump.

The attached patch copies the credentials into the checklist while processing the Format::LFT_USER_NAME token.
Comment 2 Alex Rousskov 2015-09-24 14:40:00 UTC
Comment on attachment 3214
Bugfix

Good catch!

This is not my area of expertise, but would it be better to update the checklist when the credentials are fetched (as opposed to finding all the places where we may have forgotten about the freshly fetched credentials while examining the checklist)? Or is it not possible to update the checklist at that time?
Comment 3 Steve Hill 2015-09-24 14:55:08 UTC
Not really my area of expertise either (spent ages looking at this when I first reported it and couldn't figure it out - looked again today and the missing code was obvious! :)

The code was copied and pasted from where %LOGIN is handled - I presumed there was a reason for it being done like that.
Comment 4 Amos Jeffries 2015-09-25 05:08:51 UTC
Thanks. Applied to Squid-4.

(In reply to Alex Rousskov from comment #2)

Ideally yes, but in current code the auth happens independent of the checklist, so it's not aware of which checklist to update. I am soon making external ACL depend on ALE instead, so it could work through there in future. But for now working through the request object is the best we can do.
Comment 5 Amos Jeffries 2015-09-27 00:01:02 UTC
Applied to 3.5