apereo / mod_auth_cas

An Apache httpd module for integrating with Apereo CAS Server project.
https://www.apereo.org/projects/cas

mod_auth_cas 1.1-RC1, lost ability to use with Satisfy Any #93

Closed sarcasticsys closed 8 years ago

sarcasticsys commented 8 years ago

A common configuration where I am employed is something like the following:

    <Location /login.action>
        AuthType CAS
        CASScope /
        AuthName "CAS"
        Require valid-user
        Order allow,deny
        Allow from env=no_cas_use
        Satisfy Any
    </Location>

(where no_cas_use is set usually by mod_rewrite for specific special cases - generally things like API calls or the like that can't cope with gateway mode).

This has worked fine historically, but mod_auth_cas 1.1 with Apache 2.4 throws a 500 internal error which logs (debug on)

    [authz_core:debug] [pid 5664] mod_authz_core.c(809): AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
    [authz_core:debug] [pid 5664] mod_authz_core.c(809): AH01626: authorization result of : denied (no authenticated user yet)
    [authn_core:error] [pid 5664] AH01796: AuthType CAS configured without corresponding module

Removing the Satisfy Any bit (i.e. just going to Rolling back to mod_auth_cas 1.0.9 (which works fine in Apache 2.4 without any patching), everything seems fine. mod_auth_cas 1.0.10 (w/ Apache 2.4 patch; won't work otherwise) shows the same error, so I assume it's related to a change made from 1.0.9->1.0.10 (controlling access via CAS attributes, it looks like). I suspect it's related to changing the hook from:

ap_hook_check_user_id(cas_authenticate, NULL, NULL, APR_HOOK_MIDDLE);

to

ap_hook_check_access( cas_authenticate, NULL, NULL, APR_HOOK_MIDDLE, AP_AUTH_INTERNAL_PER_URI);

but admittedly don't know Apache modules that well.

I'm going to try and dig into it, but it's a major blocker for upgrades in our environment. I'll keep poking at it, but thought I would report it.
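For comparison, here is the 2.2-style block from the report next to its native httpd 2.4 authorization equivalent, added as an illustration (this is not configuration from the issue or from the mod_auth_cas project); the SetEnvIf rule that sets no_cas_use is an assumed placeholder, since the report only says the variable is set by mod_rewrite.

```apache
# 2.2-style form as used in the report. On httpd 2.4 the Order / Allow /
# Satisfy directives are provided by mod_access_compat.
<Location /login.action>
    AuthType CAS
    CASScope /
    AuthName "CAS"
    Require valid-user
    Order allow,deny
    Allow from env=no_cas_use
    Satisfy Any
</Location>

# Native 2.4 form of the same policy: the request is authorized if EITHER
# the bypass variable is set OR a CAS-authenticated user is present.
# With mod_auth_cas registered on the check_authn hook (the fix discussed
# below), authz_core only triggers the CAS login when the first Require
# does not match.
<Location /login.action>
    AuthType CAS
    CASScope /
    AuthName "CAS"
    <RequireAny>
        Require env no_cas_use
        Require valid-user
    </RequireAny>
</Location>

# Assumed placeholder for how no_cas_use gets set. Whatever sets it must run
# before the authorization phase: SetEnvIf and server-context RewriteRule
# qualify, per-directory RewriteRule does not (it runs in the fixup phase,
# after authorization has already been decided).
# Key the bypass on something the client cannot simply supply; a request
# header alone lets any caller opt out of CAS. Source address is one option:
SetEnvIf Remote_Addr "^10\.0\.5\." no_cas_use
```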

dhawes commented 8 years ago

I think you're correct about the hook. Apache changed a lot with regard to authnz with 2.4, and has deprecated some things including ap_hook_check_user_id.

If you change ap_hook_check_access() to ap_hook_check_authn(), I think your example with "Satisfy Any" and "Require valid-user" should work. Note that this will probably break "require cas-attribute" if you use that.

I'd be curious if this works for you.

This is related to https://github.com/Jasig/mod_auth_cas/pull/60#issuecomment-146967590 which I still intend on reviewing. I'll keep this issue in mind when I do that.

dotmjs commented 8 years ago

Is this regression a 1.1 release blocker? On Feb 23, 2016 17:10, "David Hawes" notifications@github.com wrote:

dhawes commented 8 years ago

Is this regression a 1.1 release blocker?

I'm trying to figure that out.

2.4 support started in 2012 with 79201c13dfa3f8301d79559a94cb1219af009e0c. It's possible that this has been an issue since then (it would have been referred to as 1.0.10 at that time). If that's the case, is this a blocker in your opinion?

I think I have a patch working that allows the above config and doesn't break "require cas-attribute". It definitely needs testing to see if it introduces some other error, but it's short and sweet:

diff --git a/src/mod_auth_cas.c b/src/mod_auth_cas.c
index 6da29ab..8772f3b 100644
--- a/src/mod_auth_cas.c
+++ b/src/mod_auth_cas.c
@@ -2343,6 +2343,8 @@ authz_status cas_check_authorization(request_rec *r,
                ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
                              "Entering cas_check_authorization.");

+    if(!r->user) return AUTHZ_DENIED_NO_USER;
+
        t = require_line;
        while ((w = ap_getword_conf(r->pool, &t)) && w[0]) {
                count_casattr++;
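Review bot: the added guard `if(!r->user) return AUTHZ_DENIED_NO_USER;` is indented with four spaces while the surrounding lines in cas_check_authorization use tabs; match the file's indentation. Returning AUTHZ_DENIED_NO_USER rather than AUTHZ_DENIED is the right choice here, because it tells authz_core that no authentication has happened yet rather than that the user failed the cas-attribute check, which is what lets this provider coexist with Satisfy Any / Require valid-user as described in the issue; a one-line comment on the guard stating that distinction would help the next reader.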
@@ -2753,7 +2755,7 @@ void cas_register_hooks(apr_pool_t *p)
 #endif

 #if MODULE_MAGIC_NUMBER_MAJOR >= 20120211
-       ap_hook_check_access(
+       ap_hook_check_authn(
                cas_authenticate,
                NULL,
                NULL,
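Review bot: the hunk stops after the two NULL arguments, so the trailing nOrder and type arguments of the replaced call are not visible; ap_hook_check_authn() takes the same (int nOrder, int type) pair as ap_hook_check_access(), so APR_HOOK_MIDDLE and AP_AUTH_INTERNAL_PER_URI from the original registration quoted earlier in this issue should stay as they were, and extending the hunk context by two lines would let a reviewer confirm that. Registering cas_authenticate on check_authn instead of check_access is also what lets the core recognise a module for AuthType CAS, so the AH01796 "configured without corresponding module" error from the report should go away with this change alone.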
sarcasticsys commented 8 years ago

Just applied the patch and built it and it's working well in my environment using both the old deprecated syntax (Satisfy Any) and the new 2.4 syntax ( stanzas) as well as just a plain vanilla require valid-user. Looking at the logs with debug enabled shows pretty much the expected behavior as well, with cas_authenticate not running if authorization is satisfied elsewhere.

Never used the cas-attribute feature before, but just tested it and it seems to work fine as well once I set up the proper SAML validation end point and what not.

Unfortunately, the system I'm setting this up for isn't going production for a number of weeks still; I have a few minor systems I can push the patched module out to in order to get more data and will do so. I'll bang on this system a bit more as well.

Also, fairly sure that this behavior was happening in 1.0.10 w/ the 2.4 patch that was floating around. I didn't report it at the time because it was unclear to me how official the 2.4 patch was (and even 1.0.10 seemed to be up in the air - I recall several distros seemed to have stopped at 1.0.9; just checked Debian unstable and it's still on 1.0.9 right now for example - not sure why).

dhawes commented 8 years ago

Thanks for all the testing. It's especially useful to know that this works for both the old and the new syntax. I verified it with the new 2.4 syntax as well, and everything seems good.

dhawes commented 8 years ago

I'll leave this link here in case anyone wants to test:

https://github.com/Jasig/mod_auth_cas/compare/master...dhawes:authn-hook?expand=1