MEDIUM: http: factorize the "auth" action of http-request and stats
Both use exactly the same mechanism, except for the choice of the
default realm to be emitted when none is selected. It can be achieved
by simply comparing the ruleset with the stats' for now. This achieves
a significant code reduction and further, removes the dependence on
the pointer to the final rule in the caller.
diff --git a/src/proto_http.c b/src/proto_http.c
index 3cfa8e2..8f2b99c 100644
--- a/src/proto_http.c
+++ b/src/proto_http.c
@@ -3186,6 +3186,7 @@
struct connection *cli_conn;
struct http_req_rule *rule;
struct hdr_ctx ctx;
+ const char *auth_realm;
list_for_each_entry(rule, rules, list) {
if (rule->action >= HTTP_REQ_ACT_MAX)
@@ -3219,6 +3220,22 @@
return rule;
case HTTP_REQ_ACT_AUTH:
+ /* Auth might be performed on regular http-req rules as well as on stats */
+ auth_realm = rule->arg.auth.realm;
+ if (!auth_realm) {
+ if (px->uri_auth && rules == &px->uri_auth->http_req_rules)
+ auth_realm = STATS_DEFAULT_REALM;
+ else
+ auth_realm = px->id;
+ }
+ /* send 401/407 depending on whether we use a proxy or not. We still
+ * count one error, because normal browsing won't significantly
+ * increase the counter but brute force attempts will.
+ */
+ chunk_printf(&trash, (txn->flags & TX_USE_PX_CONN) ? HTTP_407_fmt : HTTP_401_fmt, auth_realm);
+ txn->status = (txn->flags & TX_USE_PX_CONN) ? 407 : 401;
+ stream_int_retnclose(&s->si[0], &trash);
+ session_inc_http_err_ctr(s);
return rule;
case HTTP_REQ_ACT_REDIR:
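Review bot: The `HTTP_REQ_ACT_AUTH` case now formats the 401/407 into `trash`, calls `stream_int_retnclose()` and bumps the error counter before `return rule;`, so the rule evaluator has a side effect that callers cannot see from the return value alone. The two call sites changed later in this patch (the `goto return_prx_cond` lines for http-request and for stats) are only correct because they stop processing and send nothing further. A caller that receives an AUTH rule and carries on could forward an unauthenticated request after the challenge was already queued. I would state that contract at the case, e.g. `/* the 401/407 is emitted here: callers must treat a returned AUTH rule as final and abort the request without sending another response */`, and repeat it in the function's header comment. The function starts and ends outside this hunk, so whether other callers exist is not visible here.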
@@ -3816,7 +3833,6 @@
struct http_req_rule *http_req_last_rule = NULL;
struct redirect_rule *rule;
struct cond_wordlist *wl;
- const char *auth_realm = NULL;
if (unlikely(msg->msg_state < HTTP_MSG_BODY)) {
/* we need more data */
@@ -3857,12 +3873,8 @@
goto done;
/* we can be blocked here because the request needs to be authenticated. */
- if (http_req_last_rule->action == HTTP_REQ_ACT_AUTH) {
- auth_realm = http_req_last_rule->arg.auth.realm;
- if (!auth_realm)
- auth_realm = px->id;
- goto auth;
- }
+ if (http_req_last_rule->action == HTTP_REQ_ACT_AUTH)
+ goto return_prx_cond;
}
/* OK at this stage, we know that the request was accepted according to
@@ -3893,12 +3905,8 @@
goto deny;
/* stats auth / stats http-request auth ? */
- if (http_req_last_rule->action == HTTP_REQ_ACT_AUTH) {
- auth_realm = http_req_last_rule->arg.auth.realm;
- if (!auth_realm)
- auth_realm = STATS_DEFAULT_REALM;
- goto auth;
- }
+ if (http_req_last_rule->action == HTTP_REQ_ACT_AUTH)
+ goto return_prx_cond;
}
}
@@ -4009,16 +4017,6 @@
s->listener->counters->denied_req++;
goto done;
- auth: /* send 401/407 depending on whether we use a proxy or not. We still
- * count one error, because normal browsing won't significantly
- * increase the counter but brute force attempts will.
- */
- chunk_printf(&trash, (txn->flags & TX_USE_PX_CONN) ? HTTP_407_fmt : HTTP_401_fmt, auth_realm);
- txn->status = (txn->flags & TX_USE_PX_CONN) ? 407 : 401;
- stream_int_retnclose(req->prod, &trash);
- session_inc_http_err_ctr(s);
- goto return_prx_cond;
-
deny: /* this request was blocked (denied) */
txn->status = 403;
s->logs.tv_request = now;