-
Notifications
You must be signed in to change notification settings - Fork 112
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
auth: add www-authenticate based on user agent #1350
Conversation
Thanks for opening this pull request! The maintainers of this repository would appreciate it if you would create a changelog item based on your changes. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
just a small typo correction and a comment, looks good
👍 this works as intended > PROPFIND /remote.php/dav/files HTTP/1.1
> Host: localhost:9200
> Accept: */*
> User-Agent: mirall
> depth: 0
>
< HTTP/1.1 401 Unauthorized
< Content-Length: 0
< Date: Tue, 01 Dec 2020 11:04:02 GMT
< Www-Authenticate: Basic realm="localhost:9200"
<
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
* Connection #0 to host localhost left intact
* Closing connection 0
-:1: parser error : Document is empty
^
~/code/reva auth-user-agent*
❯ curl -v -k -H "User-Agent: mirall" -H "depth: 0" -X PROPFIND https://localhost:9200/remote.php/dav/files | xmllint --format - The only changes in ocis are when configuring the webdav service in the frontend: ...
"auth": map[string]interface{}{
"credentials_by_user_agent": map[string]string{
"mirall": "basic",
},
},
... |
I don't think we need to add this to ocis at all, since we're only forwarding the unauthorized request to the backend. It would be a matter of config for ocis, and be on the same page on adding www-authenticate headers in some services |
Changes are complete now, please review. |
@refs can you point me how we can configure it in OCIS and bump your Reva version once this is merged? |
working on making it configurable right now, should be ready by noon, pinging you then 👍 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM 👍
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
One small change. Otherwise looks good.
tkn := tokenStrategy.GetToken(r) | ||
if tkn == "" { | ||
log.Warn().Msg("core access token not set") | ||
|
||
credKeys := applyWWWAuthenticate(r.UserAgent(), conf.CredentialsByUserAgent, conf.CredentialChain) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe rename this as userAgentCredKeys
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Apparently with 4528d1 reva no longer adds Www-Authenticate
for unauthenticated requests with unconfigured user agents. I'm testing through ocis proxy with:
curl -v -k -H "depth: 0" -X PROPFIND https://localhost:9200/remote.php/dav/files | xmllint --format -
and reverting such commit yields this response:
> PROPFIND /remote.php/dav/files HTTP/1.1
> Host: localhost:9200
> User-Agent: curl/7.64.1
> Accept: */*
> depth: 0
>
< HTTP/1.1 401 Unauthorized
< Content-Length: 0
< Date: Wed, 02 Dec 2020 09:43:51 GMT
< Www-Authenticate: Basic realm="localhost:9200"
< Www-Authenticate: Bearer realm="localhost:9200"
however without reverting it and providing with mirall
user agent and unauthenticated request it correctly adds Www-Authenticate: basic
to the response.
@refs I'm probably missed something. |
glad we watched it on time |
@refs I think it has to do with OCIS.
This request goes directly to Reva and without configuring anything, I get all available challenges. The only change I did to OCIS to test this is to point to this PR the Reva version:
|
@labkode got the same behavior, but as soon as I configure reva to work with this PR's new config as:
I got the following:
Without setting |
@refs gitter :) |
@refs @ishank011 I've added the missing test. If user agent is set but is not found in the map, we return the available credentials.
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
with the latest changes work just fine, thanks :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah missed that case!
@refs some tests don't like me |
weird, you actually have no failing tests but tests that either passed or did not run: @phil-davis is it possible that some tests didn't run? I'm checking the run logs and don't see apiWebdavUploadTUS/uploadToShare.feature:66 running: |
@labkode just need to rebase. The core tests commit was updated earlier today |
No description provided.