As a quick validation, I've changed this a few times to test EITHER the ldap auth or the lua auth and the tests passed. I ended up changing the lua final auth bits to the following:
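-- authenticate() is defined earlier in auth.lua (not shown here)
local authed = authenticate()
if authed == false then
    -- explicit false: log and reject with 401
    ngx.log(ngx.ERR, "Failing authentication finally")
    return ngx.exit(401)
else
    -- any other return value, nil included, takes this branch;
    -- ngx.exit(ngx.OK) ends this handler and request processing continues
    return ngx.exit(ngx.OK)
end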
The only time the connection hangs is using the auth chain. This is the output of curl against this:
[root@06a3c774adf2 /]# curl -v -u test2:abcd http://localhost:1984/test
* About to connect() to localhost port 1984 (#0)
* Trying ::1... Connection refused
* Trying 127.0.0.1... connected
* Connected to localhost (127.0.0.1) port 1984 (#0)
* Server auth using Basic with user 'test2'
> GET /test HTTP/1.1
> Authorization: Basic dGVzdDI6YWJjZA==
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.16.2.3 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: localhost:1984
> Accept: */*
>
Here's what's showing up in the logs:
2016/11/07 16:14:46 [error] 1502#0: *35 http_auth_ldap: Could not find user DN, client: 127.0.0.1, server: localhost, request: "HEAD /test HTTP/1.1", host: "localhost:1984"
2016/11/07 16:14:49 [debug] 1502#0: *35 [lua] auth.lua:73: authenticate(): Got auth headers: Basic dGVzdDI6YWJjZA==
2016/11/07 16:14:49 [debug] 1502#0: *35 [lua] auth.lua:46: auth_user(): checking test2 with password abcd
2016/11/07 16:14:49 [debug] 1502#0: *35 [lua] auth.lua:22: user_exists(): Checking if user exists: test2
2016/11/07 16:14:49 [info] 1502#0: *35 [lua] auth.lua:48: auth_user(): user exists while sending response to client, client: 127.0.0.1, server: localhost, request: "HEAD /test HTTP/1.1", host: "localhost:1984"
2016/11/07 16:14:49 [error] 1502#0: *35 [lua] auth.lua:54: auth_user(): password: abcd | password_entry: testpassword while sending response to client, client: 127.0.0.1, server: localhost, request: "HEAD /test HTTP/1.1", host: "localhost:1984"
2016/11/07 16:14:49 [info] 1502#0: *35 [lua] auth.lua:59: auth_user(): got to final test with no matches while sending response to client, client: 127.0.0.1, server: localhost, request: "HEAD /test HTTP/1.1", host: "localhost:1984"
2016/11/07 16:14:49 [error] 1502#0: *35 [lua] auth.lua:102: Failing authentication finally while sending response to client, client: 127.0.0.1, server: localhost, request: "HEAD /test HTTP/1.1", host: "localhost:1984"
2016/11/07 16:14:49 [info] 1502#0: *35 client 127.0.0.1 closed keepalive connection
On Monday, November 7, 2016 at 10:51:32 AM UTC-5, John E. Vincent wrote:
Hello all,
I'm running into an issue attempting to use access_by_lua_* with satisfy any.
You can read the relevant code here:
The idea is that a user is either authenticated by an external lookup in Lua (using a JSON file currently) or by LDAP.
The Lua logic for authentication works fine (there are other tests covering valid lookups there).
The end result is that when running the test, it hangs if the lua lookup fails:
not ok 1 - ERROR: client socket timed out - TEST 2: test_json_auth_no_perms
#
# Failed test 'ERROR: client socket timed out - TEST 2: test_json_auth_no_perms
# '
# at /usr/local/share/perl5/Test/Nginx/Socket.pm line 1710.
not ok 2 - TEST 2: test_json_auth_no_perms - status code ok
# Failed test 'TEST 2: test_json_auth_no_perms - status code ok'
# at /usr/local/share/perl5/Test/Nginx/Socket.pm line 878.
# got: ''
# expected: '403'
Failed 2/2 subtests
Test Summary Report
-------------------
t/shield.t (Wstat: 0 Tests: 2 Failed: 2)
Failed tests: 1-2
Parse errors: No plan found in TAP output
Files=1, Tests=2, 3 wallclock secs ( 0.01 usr 0.00 sys + 0.07 cusr 0.01 csys = 0.09 CPU)
Result: FAIL
I've verified this on the command line with curl as well.
I've tried ordering the auth chain multiple ways. I've also tried with ngx.DECLINED from lua and nothing seems to matter. Failed auths from the lua side result in a hanging connection.
Thoughts?