Merge branch 'production_503' into '5.12.z'

Protect rest API in browser

See merge request cloudforms/cfme-api!2

(cherry picked from commit c3d6938)

app/controllers/api/base_controller/authentication.rb

@@ -48,12 +48,8 @@ def require_api_user_or_token
       rescue AuthenticationError => e
         api_log_error("AuthenticationError: #{e.message}")
         response.headers["Content-Type"] = "application/json"
-        case auth_mechanism
-        when :jwt, :system, :token, :ui_session, :basic_async
-          render :status => 401, :json => ErrorSerializer.new(:unauthorized, e).serialize(true).to_json
-        when :basic, nil
-          request_http_basic_authentication("Application", ErrorSerializer.new(:unauthorized, e).serialize(true).to_json)
-        end
+        error_message = ErrorSerializer.new(:unauthorized, e).serialize(true).to_json
+        render :status => 401, :json => error_message
         log_api_response
       end
 

spec/requests/authentication_spec.rb

@@ -5,11 +5,13 @@
   ENTRYPOINT_KEYS = %w(name description version versions identity collections)
 
   context "Basic Authentication" do
-    example "the user is challenged to use Basic Authentication when no credentials are provided" do
+    # Basic Auth challenge is intentionally not supported due to
+    # possible CSRF security concerns.
+    it "test authentication with no password" do
       get api_entrypoint_url
 
       expect(response).to have_http_status(:unauthorized)
-      expect(response.headers["WWW-Authenticate"]).to match("Basic")
+      expect(response.headers["WWW-Authenticate"]).not_to match(/basic/i)
     end
 
     it "test basic authentication with bad credentials" do
@@ -18,7 +20,6 @@
       get api_entrypoint_url
 
       expect(response).to have_http_status(:unauthorized)
-      expect(response.headers["WWW-Authenticate"]).to match("Basic")
     end
 
     it "test basic authentication with correct credentials" do
@@ -40,7 +41,6 @@
 
       expect(response.parsed_body).to include_error_with_message("User's Role is missing")
       expect(response).to have_http_status(:unauthorized)
-      expect(response.headers["WWW-Authenticate"]).to match("Basic")
     end
 
     it "test basic authentication with a user without a group" do
@@ -52,7 +52,6 @@
       get api_entrypoint_url
 
       expect(response).to have_http_status(:unauthorized)
-      expect(response.headers["WWW-Authenticate"]).to match("Basic")
     end
 
     it "returns a correctly formatted versions href" do
@@ -99,7 +98,6 @@
 
       expect(response.parsed_body).to include_error_with_message("Invalid Authorization Group bogus_group specified")
       expect(response).to have_http_status(:unauthorized)
-      expect(response.headers["WWW-Authenticate"]).to match("Basic")
     end
 
     it "test basic authentication with a primary group" do
@@ -226,21 +224,18 @@
     it "fails with missing CSRF token" do
       get api_entrypoint_url
       expect(response).to have_http_status(:unauthorized)
-      expect(response.headers['WWW-Authenticate']).not_to be_nil
     end
 
     it "fails with invalid CSRF token" do
       expect_any_instance_of(Api::ApiController).to receive(:valid_authenticity_token?).and_return(false)
       get api_entrypoint_url, :headers => {'X-CSRF-TOKEN' => 'foo'}
       expect(response).to have_http_status(:unauthorized)
-      expect(response.headers['WWW-Authenticate']).to be_nil
     end
 
     it "fails with missing session and valid CSRF token" do
       expect_any_instance_of(Api::ApiController).to receive(:valid_authenticity_token?).and_return(true)
       get api_entrypoint_url, :headers => {'X-CSRF-TOKEN' => 'foo'}
       expect(response).to have_http_status(:unauthorized)
-      expect(response.headers['WWW-Authenticate']).to be_nil
     end
   end