Merge pull request #4 from iij/serial_auth_2502
Release serial_auth_2502
f3lvx authored Feb 20, 2025
2 parents b375146 + 94715e1 commit 7f59640
Showing 32 changed files with 981 additions and 226 deletions.
16 changes: 16 additions & 0 deletions conf/auth-header-path.conf
Expand Up @@ -14,3 +14,19 @@ default_right = "@admin"

[authz.path_right]
"test" = "@dev"

#[response.ok]
#code=200
#message="Authorized"

#[response.forbidden]
#code=403
#message="Forbidden"

#[response.nopath]
#code=403
#message="No path header"

#[response.nouser]
#code=403
#message="No user header"
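Review bot: the commented-out `[response.*]` blocks show the defaults but not the constraint on `code`: the nginx auth request module allows on a 2xx status, denies on 401 or 403, and treats any other status from the subrequest as an error, so a value such as 404 here yields a 500 from nginx rather than a denial. A one-line comment above `#[response.ok]` stating that would save operators a debugging round, e.g. `# code must be 2xx (allow) or 401/403 (deny); anything else is an error for auth_request`.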
17 changes: 17 additions & 0 deletions conf/auth-ldap-path.conf
Expand Up @@ -2,6 +2,7 @@ socket_type = "tcp"
socket_path = "127.0.0.1:9200"
#cache_seconds = 0
#use_etag = false
#use_serialized_auth = false
auth_realm = "TEST Authentication"
path_header = "X-Authz-Path"

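Review bot: the conf samples for ngx_ldap_path, ngx_ldap_path2ldap and ngx_ldap all keep `socket_path = "127.0.0.1:9200"` (this file, conf/auth-ldap-path2ldap.conf and conf/auth-ldap.conf), while docs/ngx_ldap_path2ldap_auth.md shows `127.0.0.1:9203` for the same daemon. If these samples are meant to be runnable side by side the ports should differ, and the doc sample should match its conf file.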
Expand All @@ -28,3 +29,19 @@ default_right = "@admin"

[authz.path_right]
"test" = "@dev"

#[response.ok]
#code=200
#message="Authorized"

#[response.unauth]
#code=401
#message="Not authenticated"

#[response.forbidden]
#code=403
#message="Forbidden"

#[response.nopath]
#code=403
#message="No path header"
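Review bot: `#code=401` under `[response.unauth]` is the one status on which the auth request module forwards the subrequest's WWW-Authenticate challenge to the client; if an operator changes it to 403, unauthenticated users get a bare 403 with no credential prompt and no way in. Worth a comment beside this line, since the docs only say "malfunctions may be caused".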
17 changes: 17 additions & 0 deletions conf/auth-ldap-path2ldap.conf
Expand Up @@ -2,6 +2,7 @@ socket_type = "tcp"
socket_path = "127.0.0.1:9200"
#cache_seconds = 0
#use_etag = false
#use_serialized_auth = false
auth_realm = "TEST Authentication"
path_header = "X-Authz-Path"

Expand All @@ -27,3 +28,19 @@ ban_default = true

[authz.path_filter]
"test" = "(&(objectCategory=person)(objectClass=user)(memberOf=CN=Group1,DC=example,DC=com)(userPrincipalName=%[email protected]))"

#[response.ok]
#code=200
#message="Authorized"

#[response.unauth]
#code=401
#message="Not authenticated"

#[response.forbidden]
#code=403
#message="Forbidden"

#[response.nopath]
#code=403
#message="No path header"
9 changes: 9 additions & 0 deletions conf/auth-ldap.conf
Expand Up @@ -2,6 +2,7 @@ socket_type = "tcp"
socket_path = "127.0.0.1:9200"
#cache_seconds = 0
#use_etag = false
#use_serialized_auth = false
auth_realm = "TEST Authentication"

host_url = "ldaps://ldap.example.com"
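Review bot: `neg_cache_seconds`, which this PR documents in every parameter table, is absent from all of the sample configs. Add `#neg_cache_seconds = 0` next to `#cache_seconds = 0` here and in the other conf files so the negative-cache knob is discoverable from the sample, the same way `#use_serialized_auth = false` is being added.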
Expand All @@ -15,3 +16,11 @@ base_dn = "DC=example,DC=com"
bind_dn = "CN=%s,OU=Users,DC=example,DC=com"
uniq_filter = "(&(objectCategory=person)(objectClass=user)(memberOf=CN=Group1,DC=example,DC=com)(userPrincipalName=%[email protected]))"
timeout = 5000

#[response.ok]
#code=200
#message="Authorized"

#[response.unauth]
#code=401
#message="Not authenticated"
8 changes: 8 additions & 0 deletions conf/auth-simple.conf
Expand Up @@ -6,3 +6,11 @@ auth_realm = "TEST Authentication"
[password]
admin1 = "hoge"
user1 = "hogehoge"

#[response.ok]
#code=200
#message="Authorized"

#[response.unauth]
#code=401
#message="Not authenticated"
57 changes: 52 additions & 5 deletions docs/ngx_header_path_auth.md
@@ -1,6 +1,7 @@
[auth request module]: http://nginx.org/en/docs/http/ngx_http_auth_request_module.html
# ngx\_header\_path\_auth

**ngx\_header\_path\_auth** is a module for [nginx auth request module](http://nginx.org/en/docs/http/ngx_http_auth_request_module.html) that authorizes with the user name and path information set in the HTTP header.
**ngx\_header\_path\_auth** is a module for nginx [auth request module] that authorizes with the user name and path information set in the HTTP header.

## Error handling

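Review bot: the new wording "a module for nginx [auth request module]" drops the article; "a module for the nginx [auth request module]" reads correctly. Also, the `[auth request module]:` reference definition is placed above the H1; Markdown permits that, but the conventional place is the end of the file, which keeps the first line of each doc as its title.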
Expand All @@ -19,7 +20,7 @@ start it via a process management system such as systemd.

## Configuration file format

See the [auth request module documentation](http://nginx.org/en/docs/http/ngx_http_auth_request_module.html) for how to configure nginx.
See the [auth request module] documentation for how to configure nginx.

The **ngx\_header\_path\_auth** configuration file is in TOML format, and the following is a sample configuration file.

Expand All @@ -39,6 +40,22 @@ default_right = "*/
[authz.path_right]
"test" = "@dev"
#[response.ok]
#code=200
#message="Authorized"
#[response.forbidden]
#code=403
#message="Forbidden"
#[response.nopath]
#code=403
#message="No path header"
#[response.nouser]
#code=403
#message="No user header"
```
Each parameter of the configuration file is as follows.
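Review bot: the sample config in this hunk omits the blank lines between the `#[response.*]` tables that conf/auth-header-path.conf keeps, and the closing fence runs straight into "Each parameter of the configuration file is as follows." with no separating blank line. Keep the doc sample byte-identical to the conf file so it can be copied as is, and leave a blank line after the fence as the other docs do.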
Expand All @@ -49,7 +66,9 @@ Each parameter of the configuration file is as follows.
| :--- | :--- |
| **socket\_type** | Set this parameter to tcp(TCP socket) or unix(UNIX domain socket). |
| **socket\_path** | Set the IP address and port number for tcp, and UNIX domain socket file path for unix. |
| **cache\_seconds** | The cache duration in seconds to pass to nginx. However, if its value is 0, it will not use the cache.<br>See [Authentication Cache Control](proxy_cache.md) for details.|
| **cache\_seconds** | Cache duration in seconds passed to nginx upon successful authentication. If the value is 0, cache will not be used. <br>See [Authentication Cache Control](proxy_cache.md) for details. |
| **neg\_cache\_seconds** | Cache duration in seconds passed to nginx upon failed authentication. If the value is 0, cache will not be used. <br>See [Authentication Cache Control](proxy_cache.md) for details. |
| **use\_etag** | Set to `true` if you want to validate the cache using the `ETag` tag. <br>See [Authentication Cache Control](proxy_cache.md) for details. |
| **path\_header** | A HTTP header that sets the path used for authorization processing. The default value is `X-Authz-Path`. In the appropriate place of the nginx configuration file, use `proxy_set_header` directive to set the HTTP header. (Eg `proxy_set_header X-Authz-Path $request_uri;`) |
| **user\_header** | A HTTP header to set the user name. The default value is `X-Forwarded-User`. In the appropriate place of the nginx configuration file, use `proxy_set_header` directive to set the HTTP header. (Eg `proxy_set_header X-Forwarded-User $remote_user;`) |
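Review bot: "upon failed authentication" in the new **neg\_cache\_seconds** row is the wrong term for ngx_header_path_auth: this module only authorizes (the user comes from **user\_header**), so the negative cache can only cover the forbidden, nopath and nouser outcomes. Say "failed authorization", and state which of those three outcomes are cached, since an operator needs to know whether a cached "No user header" result can shadow a later request that does carry the header.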
Expand All @@ -64,6 +83,34 @@ Each parameter of the configuration file is as follows.
| **default\_right** | Authorization rights when it matches the **path\_pattern**の regular expression and is not specified in **path\_right**. For more information on authorization rights, see "_Authorization rights details_". |
| **path\_right** | Authorization rights map for each extracted string when matching **path\_pattern** regular expression. Specify the extraction string as the key. For more information on authorization rights, see "_Authorization rights details_" section. |
### **\[response.ok\]** part
| Parameter | Description |
| :--- | :--- |
| **code** | The HTTP response status code indicates authorized requests. (Default value: `200`)<br>This value is used by the [auth request module]. Therefore, Malfunctions may be caused by the incorrect setting value. |
| **message** | The HTTP response message indicates authorized requests. (Default value: `"Authorized"`) |
### **\[response.forbidden\]** part
| Parameter | Description |
| :--- | :--- |
| **code** | The HTTP response status code indicates failed authorization requests. (Default value: `403`)<br>This value is used by the [auth request module]. Therefore, Malfunctions may be caused by the incorrect setting value. |
| **message** | The HTTP response message indicates failed authorization requests. (Default value: `"Forbidden"`) |
### **\[response.nopath\]** part
| Parameter | Description |
| :--- | :--- |
| **code** | The HTTP response status code indicates an unexpected HTTP header in **path\_header**. (Default value: `403`)<br>This value is used by the [auth request module]. Therefore, Malfunctions may be caused by the incorrect setting value. |
| **message** | The HTTP response message indicates an unexpected HTTP header in **path\_header**. (Default value: `"No path header"`) |
### **\[response.nouser\]** part
| Parameter | Description |
| :--- | :--- |
| **code** | The HTTP response status code indicates an unexpected HTTP header in **user\_header**. (Default value: `403`)<br>This value is used by the [auth request module]. Therefore, Malfunctions may be caused by the incorrect setting value. |
| **message** | The HTTP response message indicates an unexpected HTTP header in **user\_header**. (Default value: `"No user header"`) |
## Authorization rights details
In **\[authz\]** part, **nomatch\_right**, **default\_right**, and **path\_right** table value specify a character string that combines the following judgment descriptions with `|`. The combined judgment process is calculated by logical disjunction("OR"). If the result is true, it is authorized.
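Review bot: "Therefore, Malfunctions may be caused by the incorrect setting value." (repeated in all four new tables) should say what "incorrect" means: the auth request module allows on 2xx, denies on 401/403 and reports an error for any other status; lowercase "malfunctions" as well. The `[response.nopath]` and `[response.nouser]` rows say "an unexpected HTTP header", which does not match the default messages "No path header" / "No user header"; "missing or empty" is what is meant. While here, the stray "の" after **path\_pattern** in the **default\_right** context row above could be dropped.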
Expand All @@ -73,8 +120,8 @@ In **\[authz\]** part, **nomatch\_right**, **default\_right**, and **path\_right
| empty string | Always considers true regardless of the user name. |
| `!` | Always considers false regardless of the user name. |
| `*` | If the user name exists, it is considered true. |
| `@groupname` | The character string after @ is treated as a group name. True if the group contains users. Groups are defined in the **user_map** file. |
| `@` (no group name) | True if the user is described in the **user_map** file. |
| `@groupname` | The character string after @ is treated as a group name. True if the group contains users. Groups are defined in the **user\_map** file. |
| `@` (no group name) | True if the user is described in the **user\_map** file. |
| user name | True if the user name matches. |
## **user\_map\_config** file details
40 changes: 34 additions & 6 deletions docs/ngx_ldap_auth.md
@@ -1,6 +1,7 @@
[auth request module]: http://nginx.org/en/docs/http/ngx_http_auth_request_module.html
# ngx\_ldap\_auth

**ngx\_ldap\_auth** is a module for [nginx auth request module](http://nginx.org/en/docs/http/ngx_http_auth_request_module.html) that authenticates using an LDAP bind operation.
**ngx\_ldap\_auth** is a module for nginx [auth request module](http://nginx.org/en/docs/http/ngx_http_auth_request_module.html) that authenticates using an LDAP bind operation.

## Error handling

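Review bot: this file gains the same `[auth request module]:` reference definition on line 1 as the other two docs, but the rewritten intro line still carries the inline URL; use `nginx [auth request module]` here for consistency, as the "Configuration file format" hunk below already does.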
Expand All @@ -9,7 +10,7 @@ On error, the process terminates with an unsuccessful status.
## How to start

Run it on the command line like this:
[ngx_header_path_auth](ngx_header_path_auth.md)
[ngx\_header\_path\_auth](ngx_header_path_auth.md)
```
ngx_ldap_auth <config file>
```
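Review bot: the `[ngx\_header\_path\_auth](ngx_header_path_auth.md)` link is only re-escaped here, but it sits between "Run it on the command line like this:" and the command fence, where it reads as part of the start-up instructions. Since the line is being touched, move it to a "See also" position or drop it if it is a leftover.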
Expand All @@ -21,15 +22,16 @@ If you want to limit authenticated users by LDAP information, use the LDAP searc

## Configuration file format

See the [auth request module documentation](http://nginx.org/en/docs/http/ngx_http_auth_request_module.html) for how to configure nginx.
See the [auth request module] documentation for how to configure nginx.

The **ngx\_ldap\_auth** configuration file is in TOML format, and the following is a sample configuration file.

```ini
socket_type = "tcp"
socket_path = "127.0.0.1:9200"
#cache_seconds = 0
#use_etag = true
#use_etag = false
#use_serialized_auth = false
auth_realm = "TEST Authentication"

host_url = "ldaps://ldap.example.com"
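Review bot: `#use_etag` flips from `true` to `false` in the sample. If the commented values are meant to show defaults, confirm that `false` is the real default and record it in the parameter table, which states defaults for the response codes but not for **use\_etag**, **use\_serialized\_auth** or **neg\_cache\_seconds**.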
Expand All @@ -43,16 +45,28 @@ base_dn = "DC=example,DC=com"
bind_dn = "CN=%s,OU=Users,DC=example,DC=com"
uniq_filter = "(&(objectCategory=person)(objectClass=user)(memberOf=CN=Group1,DC=example,DC=com)(userPrincipalName=%[email protected]))"
timeout = 5000

#[response.ok]
#code=200
#message="Authorized"

#[response.unauth]
#code=401
#message="Not authenticated"
```

Each parameter of the configuration file is as follows.

### Root part

| Parameter | Description |
| :--- | :--- |
| **socket\_type** | Set this parameter to tcp(TCP socket) or unix(UNIX domain socket). |
| **socket\_path** | Set the IP address and port number for tcp, and UNIX domain socket file path for unix. |
| **cache\_seconds** | The cache duration in seconds to pass to nginx. However, if its value is 0, it will not use the cache.<br>See [Authentication Cache Control](proxy_cache.md) for details.|
| **use_etag** | Set to `true` to enable cache validation using `ETag` tags.<br>See [Authentication Cache Control](proxy_cache.md) for details.|
| **cache\_seconds** | Cache duration in seconds passed to nginx upon successful authentication. If the value is 0, cache will not be used. <br>See [Authentication Cache Control](proxy_cache.md) for details. |
| **neg\_cache\_seconds** | Cache duration in seconds passed to nginx upon failed authentication. If the value is 0, cache will not be used. <br>See [Authentication Cache Control](proxy_cache.md) for details. |
| **use\_etag** | Set to `true` if you want to validate the cache using the `ETag` tag. <br>See [Authentication Cache Control](proxy_cache.md) for details. |
| **use\_serialized\_auth** | Set to `true` if you want authentication to be serialized for each account. <br>When authentications for the same account conflict, the authentication will be blocked and delayed. |
| **auth\_realm** | HTTP realm string. |
| **host\_url** | The URL of the LDAP server connection address. The pass part is not used. |
| **start\_tls** | Set to 1 when using TLS STARTTLS. |
Expand All @@ -62,3 +76,17 @@ Each parameter of the configuration file is as follows.
| **bind\_dn** | This is the bind DN when performing LDAP bind processing. Rewrite `%s` as the remote user name and `%%` as `%`. |
| **uniq\_filter** | Only if this value is set, search with this value filter. If the search result is one DN, the authentication will be successful. |
| **timeout** | Communication timeout(unit: ms) with the LDAP server. |

### **\[response.ok\]** part

| Parameter | Description |
| :--- | :--- |
| **code** | The HTTP response status code indicates authorized requests. (Default value: `200`)<br>This value is used by the [auth request module]. Therefore, Malfunctions may be caused by the incorrect setting value. |
| **message** | The HTTP response message indicates authorized requests. (Default value: `"Authorized"`) |

### **\[response.unauth\]** part

| Parameter | Description |
| :--- | :--- |
| **code** | The HTTP response status code indicates unauthenticated requests. (Default value: `401`)<br>This value is used by the [auth request module]. Therefore, Malfunctions may be caused by the incorrect setting value. |
| **message** | The HTTP response message indicates unauthenticated requests. (Default value: `"Not authenticated"`) |
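Review bot: the **use\_serialized\_auth** row needs to say what "blocked and delayed" means operationally: whether a concurrent authentication for the same account waits behind the in-flight one or is rejected, what bounds the wait (this config's LDAP **timeout**, nginx's proxy timeout, or nothing), and what the intended benefit is, e.g. keeping a burst of parallel binds for one account from tripping the directory's lockout policy. Without that, an operator cannot tell whether enabling it is a hardening measure or an availability trade-off. The **neg\_cache\_seconds** row should likewise state what a negative entry is keyed on, since caching a failed bind by user name alone would keep a subsequent correct password out until the entry expires.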
60 changes: 54 additions & 6 deletions docs/ngx_ldap_path2ldap_auth.md
@@ -1,6 +1,7 @@
[auth request module]: http://nginx.org/en/docs/http/ngx_http_auth_request_module.html
# ngx\_ldap\_path2ldap\_auth

**ngx\_ldap\_path2ldap\_auth** is a module for is a module for [nginx auth request module](http://nginx.org/en/docs/http/ngx_http_auth_request_module.html) that authenticates using an LDAP bind operation, and authorizes by file path and LDAP information.
**ngx\_ldap\_path2ldap\_auth** is a module for is a module for nginx [auth request module] that authenticates using an LDAP bind operation, and authorizes by file path and LDAP information.

## Error handling

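Review bot: the rewritten intro still carries the duplicated phrase "is a module for is a module for"; drop one copy while touching the line, and add "the" before nginx as in the sibling docs.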
Expand All @@ -19,15 +20,16 @@ start it via a process management system such as systemd.

## Configuration file format

See the [auth request module documentation](http://nginx.org/en/docs/http/ngx_http_auth_request_module.html) for how to configure nginx.
See the [auth request module] documentation for how to configure nginx.

The **ngx\_ldap\_path2ldap\_auth** configuration file is in TOML format, and the following is a sample configuration file.

```ini
socket_type = "tcp"
socket_path = "127.0.0.1:9203"
#cache_seconds = 0
#use_etag = true
#use_etag = false
#use_serialized_auth = false
auth_realm = "TEST Authentication"
path_header = "X-Authz-Path"

Expand All @@ -54,6 +56,22 @@ ban_default = true

[authz.path_filter]
"test" = "(&(objectCategory=person)(objectClass=user)(memberOf=CN=Group1,DC=example,DC=com)(userPrincipalName=%[email protected]))"

#[response.ok]
#code=200
#message="Authorized"

#[response.unauth]
#code=401
#message="Not authenticated"

#[response.forbidden]
#code=403
#message="Forbidden"

#[response.nopath]
#code=403
#message="No path header"
```

Each parameter of the configuration file is as follows.
Expand All @@ -64,8 +82,10 @@ Each parameter of the configuration file is as follows.
| :--- | :--- |
| **socket\_type** | Set this parameter to tcp(TCP socket) or unix(UNIX domain socket). |
| **socket\_path** | Set the IP address and port number for tcp, and UNIX domain socket file path for unix. |
| **cache\_seconds** | The cache duration in seconds to pass to nginx. However, if its value is 0, it will not use the cache.<br>See [Authentication Cache Control](proxy_cache.md) for details.|
| **use_etag** | Set to `true` to enable cache validation using `ETag` tags.<br>See [Authentication Cache Control](proxy_cache.md) for details.|
| **cache\_seconds** | Cache duration in seconds passed to nginx upon successful authentication. If the value is 0, cache will not be used. <br>See [Authentication Cache Control](proxy_cache.md) for details. |
| **neg\_cache\_seconds** | Cache duration in seconds passed to nginx upon failed authentication. If the value is 0, cache will not be used. <br>See [Authentication Cache Control](proxy_cache.md) for details. |
| **use\_etag** | Set to `true` if you want to validate the cache using the `ETag` tag. <br>See [Authentication Cache Control](proxy_cache.md) for details. |
| **use\_serialized\_auth** | Set to `true` if you want authentication to be serialized for each account. <br>When authentications for the same account conflict, the authentication will be blocked and delayed. |
| **auth\_realm** | HTTP realm string. |
| **path\_header** | A HTTP header that sets the path used for authorization processing. The default value is `X-Authz-Path`. In the appropriate place of the nginx configuration file, use `proxy_set_header` directive to set the HTTP header. (Eg `proxy_set_header X-Authz-Path $request_uri;`) |

Expand All @@ -86,8 +106,36 @@ Each parameter of the configuration file is as follows.

| Parameter | Description |
| :--- | :--- |
| **path\_pattern** | A regular expression that extracts the authorization judgment string from the path of the header specified by **path_header**. The extracted string is used for the key in **path\_filter**. Use the `()` subexpression regular expression only once to specify the extraction location. |
| **path\_pattern** | A regular expression that extracts the authorization judgment string from the path of the header specified by **path\_header**. The extracted string is used for the key in **path\_filter**. Use the `()` subexpression regular expression only once to specify the extraction location. |
| **ban\_nomatch** | If true, authorization will fail if the **path\_pattern** regular expression does not match. (As a result, **nomatch\_filter** is disabled.) |
| **nomatch\_filter** | LDAP filter for authorization when the **path\_pattern** regular expression is not matched. **nomatch\_filter** results is processed in the same way as **uniq\_filter**. |
| **ban\_default** | If true, authorization will fail if the **path\_pattern** regular expression does not match. (As a result, **default\_filter** is disabled.) |
| **default\_filter** | LDAP filter for authorization rights when it matches the **path\_pattern** regular expression and is not specified in **path\_filter**. **default\_filter** results is processed in the same way as **uniq\_filter**. |

### **\[response.ok\]** part

| Parameter | Description |
| :--- | :--- |
| **code** | The HTTP response status code indicates authorized requests. (Default value: `200`)<br>This value is used by the [auth request module]. Therefore, Malfunctions may be caused by the incorrect setting value. |
| **message** | The HTTP response message indicates authorized requests. (Default value: `"Authorized"`) |

### **\[response.unauth\]** part

| Parameter | Description |
| :--- | :--- |
| **code** | The HTTP response status code indicates unauthenticated requests. (Default value: `401`)<br>This value is used by the [auth request module]. Therefore, Malfunctions may be caused by the incorrect setting value. |
| **message** | The HTTP response message indicates unauthenticated requests. (Default value: `"Not authenticated"`) |

### **\[response.forbidden\]** part

| Parameter | Description |
| :--- | :--- |
| **code** | The HTTP response status code indicates failed authorization requests. (Default value: `403`)<br>This value is used by the [auth request module]. Therefore, Malfunctions may be caused by the incorrect setting value. |
| **message** | The HTTP response message indicates failed authorization requests. (Default value: `"Forbidden"`) |

### **\[response.nopath\]** part

| Parameter | Description |
| :--- | :--- |
| **code** | The HTTP response status code indicates an unexpected HTTP header in **path\_header**. (Default value: `403`)<br>This value is used by the [auth request module]. Therefore, Malfunctions may be caused by the incorrect setting value. |
| **message** | The HTTP response message indicates an unexpected HTTP header in **path\_header**. (Default value: `"No path header"`) |
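Review bot: in the context rows above, **ban\_default** repeats the **ban\_nomatch** text ("if the **path\_pattern** regular expression does not match"), but by its name and by the **default\_filter** row it governs the case where the pattern matches and the extracted key is absent from **path\_filter**. That is a documentation bug worth fixing in this PR, because it describes the fail-closed default for the most common path. The new `[response.nopath]` row also has the "unexpected HTTP header" wording noted for ngx_header_path_auth.md; "missing or empty" matches the default message.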
