From af458f9d904fc1ddee4ab81f11625f705c557bc9 Mon Sep 17 00:00:00 2001
From: Andrew Ruthven
Date: Sun, 21 Apr 2024 01:08:38 +1200
Subject: [PATCH] Remove default expiry times, make 0 disabled.

---
 config/example-config.php | 16 +++++-----
 htdocs/always.php | 4 +--
 inc/HTTPAuthSession.php | 30 ++++++++++++-------
 inc/always.php.in | 4 +--
 testing/regression-conf.php.example | 2 ++
 .../ldap_memcache/0007-test-invalid-user.test | 4 +--
 6 files changed, 36 insertions(+), 24 deletions(-)

diff --git a/config/example-config.php b/config/example-config.php
index 088e47a2..d1c78b0f 100644
--- a/config/example-config.php
+++ b/config/example-config.php
@@ -636,7 +636,8 @@ $c->admin_email = 'calendar-admin@example.com';
 *
 * Both the hash and the per user salt are stored in memcached. The hash has
 * an expiry set as either $c->auth_cache_pass or $c->auth_cache_fail as
-* appropriate.
+* appropriate. You must enable either (or both) of these with suitable
+* expiry times (15 minutes?) based on your requirements.
 *
 * Default: false
 */
@@ -652,18 +653,19 @@ $c->admin_email = 'calendar-admin@example.com';
 // $c->auth_cache_secret = NULL;
 
 /**
-* How long to cache credentials which username & password match.
+* How long to cache credentials where username & password match (seconds).
 *
-* Default: 15 minutes
+* Default: 0 (aka don't cache passwords that match)
 */
-// $c->auth_cache_pass = 15 * 60;
+// $c->auth_cache_pass = 0;
 
 /**
-* How long to cache credentials which username & password don't match.
+* How long to cache credentials where username & password don't match
+* (seconds).
 *
-* Default: 15 minutes
+* Default: 0 (aka don't cache passwords that don't match)
 */
-// $c->auth_cache_fail = 15 * 60;
+// $c->auth_cache_fail = 0;
 
 /***************************************************************************
 * *
diff --git a/htdocs/always.php b/htdocs/always.php
index a2c8eacf..914e29e6 100644
--- a/htdocs/always.php
+++ b/htdocs/always.php
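Review bot: The added line `* expiry times (15 minutes?) based on your requirements.` in the first hunk leaves the reader with a question rather than the trade-off they need to weigh, which is that a cached 'pass' result is, as the surrounding comment implies, honoured until `auth_cache_pass` elapses, so a backend password change or account disable presumably only takes effect after that many seconds. Suggest replacing the two added lines with `* expiry times (in seconds) for your site. A cached match is honoured until it` / `* expires, so backend password changes are delayed by up to that long.` The second hunk's `Default: 0 (aka don't cache passwords that match)` would read more precisely as `Default: 0 (caching of matching credentials is disabled)`, and likewise for the don't-match entry.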
@@ -167,8 +167,8 @@ $c->rrule_loop_limit = 100;
 
 // Authentication caching details
 $c->auth_cache = false; // Default to off
-$c->auth_cache_pass = 15 * 60; // 15 minutes
-$c->auth_cache_fail = 15 * 60; // 15 minutes
+$c->auth_cache_pass = 0; // Default to off
+$c->auth_cache_fail = 0; // Default to off
 
 // Kind of private configuration values
 $c->total_query_time = 0;
diff --git a/inc/HTTPAuthSession.php b/inc/HTTPAuthSession.php
index c260dda7..1226bb93 100644
--- a/inc/HTTPAuthSession.php
+++ b/inc/HTTPAuthSession.php
@@ -506,6 +506,25 @@ class HTTPAuthSession {
 return 0;
 }
 
+ # Work out the expiry to use, some sites might prefer different TTLs for
+ # pass/fail results.
+ if ($state === 'pass') {
+ $expiry = $c->auth_cache_pass;
+ } else if ($state === 'fail') {
+ $expiry = $c->auth_cache_fail;
+ } else {
+ dbg_error_log('ERROR', 'HTTPCheckCache: SetCache: Unexpected state %s, bailing out from caching credential.', $state);
+ return 0;
+ }
+
+ # Only cache if the expiry is set to non-zero. This allows disabling
+ # caching on a pass or fail basis.
+ if ($expiry == 0) {
+ dbg_error_log('ERROR', 'HTTPCheckCache: SetCache: Expiry set to 0, not caching credential.', $state);
+ return 0;
+ }
+
+
 $cache = getCacheInstance();
 if ($cache->isActive() === false) return 0;
 
@@ -533,17 +552,6 @@ class HTTPAuthSession {
 return 0;
 }
 
- # Work out the expiry to use, some sites might prefer different TTLs for
- # pass/fail results.
- if ($state === 'pass') {
- $expiry = $c->auth_cache_pass;
- } else if ($state === 'fail') {
- $expiry = $c->auth_cache_fail;
- } else {
- dbg_error_log('ERROR', 'HTTPCheckCache: SetCache: Unexpected state %s, bailing out from caching credential.', $state);
- return 0;
- }
-
 if (! $cache->set($cache_ns, $hash, $state, $expiry) ) {
 dbg_error_log('ERROR', 'HTTPCheckCache: SetCache: Failed to store credential.');
 return 0;
diff --git a/inc/always.php.in b/inc/always.php.in
index e3872a5d..6274ee52 100644
--- a/inc/always.php.in
+++ b/inc/always.php.in
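Review bot: The new defaults `$c->auth_cache_pass = 0;` and `$c->auth_cache_fail = 0;` drop the only hint in this file that the values are in seconds; the removed `// 15 minutes` comments carried that implicitly. Suggest `// seconds; 0 disables caching of matching credentials` and `// seconds; 0 disables caching of failed credentials` so an admin editing this copy does not have to consult the example config. The identical hunk in inc/always.php.in needs the same comments so the two copies stay in step. Sites that enabled `auth_cache` and relied on the previous 15-minute defaults stop caching entirely after this change, since SetCache now returns before storing when the expiry is 0, which is worth a line in the release notes.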
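Review bot: The new guard `if ($expiry == 0)` in the first inc/HTTPAuthSession.php hunk logs at the 'ERROR' component and passes `$state` to a message with no `%s`, so the argument is silently dropped and a site that deliberately leaves one of `auth_cache_pass`/`auth_cache_fail` at the new default of 0 will log an error on every authentication. Suggest `dbg_error_log('ERROR', 'HTTPCheckCache: SetCache: Expiry for state %s set to 0, not caching credential.', $state);`, and since 0 is now the documented off switch rather than a misconfiguration, a debug component like the `HTTPAuthLogin:CheckCache`-tagged lines the test in this patch greps for would be less noisy, if such a component is appropriate here. The same guard lets a negative or non-numeric value through to `$cache->set()`; `if (! is_numeric($expiry) || $expiry <= 0)` treats anything that is not a positive TTL as disabled, which is the safer reading for a credential cache. The enclosing method's signature and the `global $c` it presumably relies on lie outside the hunk.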
@@ -163,8 +163,8 @@ $c->readonly_webdav_collections = true; // WebDAV access is readonly
 
 // Authentication caching details
 $c->auth_cache = false; // Default to off
-$c->auth_cache_pass = 15 * 60; // 15 minutes
-$c->auth_cache_fail = 15 * 60; // 15 minutes
+$c->auth_cache_pass = 0; // Default to off
+$c->auth_cache_fail = 0; // Default to off
 
 // Kind of private configuration values
 $c->total_query_time = 0;
diff --git a/testing/regression-conf.php.example b/testing/regression-conf.php.example
index 4176cc10..162453a6 100644
--- a/testing/regression-conf.php.example
+++ b/testing/regression-conf.php.example
@@ -28,6 +28,8 @@
 // if testing cached of auth with memcache
 //memcache_auth $c->auth_cache = true;
 //memcache_auth $c->auth_cache_secret = 'not safe, regression testing only';
+ //memcache_auth $c->auth_cache_pass = 15 * 60;
+ //memcache_auth $c->auth_cache_fail = 15 * 60;
 
 // if testing LDAP
 //ldap $c->authenticate_hook['call'] = 'LDAP_check';
diff --git a/testing/tests/ldap_memcache/0007-test-invalid-user.test b/testing/tests/ldap_memcache/0007-test-invalid-user.test
index 8feac916..32cff077 100644
--- a/testing/tests/ldap_memcache/0007-test-invalid-user.test
+++ b/testing/tests/ldap_memcache/0007-test-invalid-user.test
@@ -81,9 +81,9 @@ if (defined $request_id) {
 while (<$log>) {
 if (/davical: $request_id: ALL: (HTTPAuthLogin:CheckCache|LDAP:drivers_ldap ): (.*)/) {
 my $msg = $2;
- if ($msg =~ /^No salt, assuming no cached credentials/) {
+ if ($msg =~ /^No stored salt for ldap2,/) {
 $no_salt = 1;
- } elsif ($msg =~ /^Cached credentials are good and invalid/) {
+ } elsif ($msg =~ /^Cached credentials for ldap2 are good and invalid/) {
 $cached_creds = 1;
 } elsif ($msg =~ /^Connected to LDAP server/) {
 $ldap_conn = 1;
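Review bot: The new patterns `/^No stored salt for ldap2,/` and `/^Cached credentials for ldap2 are good and invalid/` in the last hunk hard-code the test account twice, so renaming it in the request part of the test, which is outside this hunk, silently breaks the log matching and the test then reports no salt and no cached credentials without saying why. If the username is already held in a variable earlier in the file, interpolate it into both patterns with `\Q...\E` quoting; otherwise a single `my $user = 'ldap2';` (constructed name) near the top gives one place to change. The `while (<$log>)` loop opens on the hunk's first line and closes after it.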