Mailing List Archive

Query for authorization username
In my dev environment, I have a few users configured to use Basic authorization (configured in the Nginx backend) and I'd like to be able to perform VSL queries based on the auth user. This is what I was able to come up with, but I'm wondering if there is a simpler way that I'm just not seeing.

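import blob;

sub vcl_recv {
    if (req.http.Authorization) {
        # Strip the "Basic " scheme, Base64-decode the credentials,
        # then drop everything from the first ":" to keep the username.
        set req.http.X-Auth-User = regsub(
            blob.encode(IDENTITY,
                blob=blob.decode(BASE64,
                    encoded=regsub(req.http.Authorization, "^Basic (.*)", "\1"))),
            ":.*$", "");
    }
}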

varnishtop -I ReqHeader:X-Auth-User
varnishlog -i ReqURL -q 'ReqHeader:X-Auth-User ~ "someuser"'

Thanks,
Justin
Re: Query for authorization username [ In reply to ]
I think it's close to optimal, given the current tools. I would probably
try to move away from regsub() and use vmod_str
(https://github.com/varnish/varnish-modules/blob/master/src/vmod_str.vcc#L42),
and maaaaaaybe use multiple assignments rather than one big expression, but
that's a personal preference at this point.

It would look something like this in my mind (highly untested, don't
sue me if your computer explodes):

import var;
import str;
import blob;

sub vcl_recv {
    if (str.split(req.http.Authorization, 0) == "Basic") {
        # Token after the scheme: the Base64 credentials.
        var.set("b64", str.split(req.http.Authorization, 1));
        # Decode the Base64 text to plain "user:password".
        var.set("decoded", blob.transcode(decoding = BASE64, encoded = var.get("b64")));
        # Keep the part before the ":" separator.
        set req.http.X-Auth-User = str.split(var.get("decoded"), 0, ":");
    }
}


everything in one expression:

set req.http.X-Auth-User = str.split(
    blob.transcode(
        decoding = BASE64,
        encoded = str.split(req.http.Authorization, 1)
    ),
    0,
    ":"
);


You should possibly use blob.transcode() anyway.

--
Guillaume Quintard


On Mon, Oct 25, 2021 at 11:25 AM Justin Lloyd <justinl@arena.net> wrote:

> In my dev environment, I have a few users configured to use Basic
> authorization (configured in the Nginx backend) and I’d like to be able to
> perform VSL queries based on the auth user. This is what I was able to come
> up with, but I’m wondering if there is a simpler way that I’m just not
> seeing.
>
> import blob;
> if (req.http.Authorization) {
>     set req.http.X-Auth-User = regsub(blob.encode(IDENTITY,
>         blob=blob.decode(BASE64,
>             encoded=regsub(req.http.Authorization, "^Basic (.*)", "\1"))),
>         ":.*$", "");
> }
>
> varnishtop -I ReqHeader:X-Auth-User
> varnishlog -i ReqURL -q 'ReqHeader:X-Auth-User ~ "someuser"'
>
> Thanks,
> Justin
RE: Query for authorization username [ In reply to ]
Hi Guillaume,

Thanks for the feedback! I’m hesitant about adding the external modules just due to the additional complexity of building and maintaining them via my configuration management system (SaltStack) right now.

Here’s what works for me by changing to blob.transcode() while still using regsub():

set req.http.X-Auth-User = regsub(
    blob.transcode(
        encoding=IDENTITY,
        decoding=BASE64,
        encoded=regsub(req.http.Authorization, "^Basic (.*)", "\1")),
    ":.*$",
    ""
);

Best,
Justin


From: Guillaume Quintard <guillaume.quintard@gmail.com>
Sent: Monday, October 25, 2021 2:58 PM
To: Justin Lloyd <justinl@arena.net>
Cc: varnish-misc@varnish-cache.org
Subject: Re: Query for authorization username

I think it's close to optimal, given the current tools. I would probably try to move away from regsub() and use vmod_str (https://github.com/varnish/varnish-modules/blob/master/src/vmod_str.vcc#L42), and maaaaaaybe use multiple assignments rather than one big expression, but that's a personal preference at this point.

It would look something like this in my mind (highly untested, don't sue me if your computer explodes):

import var;
import str;
import blob;

sub vcl_recv {
    if (str.split(req.http.Authorization, 0) == "Basic") {
        # Token after the scheme: the Base64 credentials.
        var.set("b64", str.split(req.http.Authorization, 1));
        # Decode the Base64 text to plain "user:password".
        var.set("decoded", blob.transcode(decoding = BASE64, encoded = var.get("b64")));
        # Keep the part before the ":" separator.
        set req.http.X-Auth-User = str.split(var.get("decoded"), 0, ":");
    }
}

everything in one expression:

set req.http.X-Auth-User = str.split(
    blob.transcode(
        decoding = BASE64,
        encoded = str.split(req.http.Authorization, 1)
    ),
    0,
    ":"
);

You should possibly use blob.transcode() anyway.

--
Guillaume Quintard
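
An added example, not code from either poster in this thread: a variant of the username extraction that uses only the bundled blob and std vmods and writes the username to a VCL_Log record instead of a request header. A query on ReqHeader:X-Auth-User also matches an X-Auth-User header sent by the client itself, and a header set in vcl_recv is forwarded to the backend unless removed. The backend address and the "auth-user:" log prefix are assumptions made for this example.

```vcl
vcl 4.1;

import blob;
import std;

# Assumed backend: the Nginx instance that enforces Basic auth.
backend default {
    .host = "127.0.0.1";
    .port = "8080";
}

sub vcl_recv {
    # Decode only when the header looks like a Basic credential.
    # regsub() returns its input unchanged when the pattern does not
    # match, so without this guard a "Bearer ..." or lower-case
    # "basic ..." header would be passed to the Base64 decoder as-is.
    if (req.http.Authorization ~ "(?i)^Basic +[A-Za-z0-9+/]+=*$") {
        # VCL_Log records are written only by VCL, so the client
        # cannot supply one the way it can supply a request header.
        # "auth-user:" is a prefix chosen for this example.
        std.log("auth-user: " + regsub(
            blob.transcode(
                decoding = BASE64,
                encoding = IDENTITY,
                encoded = regsub(req.http.Authorization,
                                 "(?i)^Basic +", "")),
            ":.*$", ""));
    }
}

# Query side, matching the commands from the original post:
#   varnishtop -i VCL_Log -I 'VCL_Log:^auth-user:'
#   varnishlog -i ReqURL -q 'VCL_Log ~ "^auth-user: someuser$"'
```

Only the text before the first ":" is logged, but the Authorization header itself still appears in VSL as a ReqHeader record, so access to the log should be restricted accordingly.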

