Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

auth: add www-authenticate based on user agent #1350

Merged
merged 6 commits into from
Dec 3, 2020

Conversation

labkode
Copy link
Member

@labkode labkode commented Dec 1, 2020

No description provided.

@update-docs
Copy link

update-docs bot commented Dec 1, 2020

Thanks for opening this pull request! The maintainers of this repository would appreciate it if you would create a changelog item based on your changes.

refs
refs previously approved these changes Dec 1, 2020
Copy link
Member

@refs refs left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

just a small typo correction and a comment, looks good

internal/http/interceptors/auth/auth.go Outdated Show resolved Hide resolved
internal/http/interceptors/auth/auth.go Outdated Show resolved Hide resolved
internal/http/interceptors/auth/auth_test.go Show resolved Hide resolved
@refs
Copy link
Member

refs commented Dec 1, 2020

👍 this works as intended

> PROPFIND /remote.php/dav/files HTTP/1.1
> Host: localhost:9200
> Accept: */*
> User-Agent: mirall
> depth: 0
>
< HTTP/1.1 401 Unauthorized
< Content-Length: 0
< Date: Tue, 01 Dec 2020 11:04:02 GMT
< Www-Authenticate: Basic realm="localhost:9200"
<
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Connection #0 to host localhost left intact
* Closing connection 0
-:1: parser error : Document is empty

^

~/code/reva auth-user-agent*
❯ curl -v -k -H "User-Agent: mirall" -H "depth: 0" -X PROPFIND https://localhost:9200/remote.php/dav/files | xmllint --format -

The only changes in ocis are when configuring the webdav service in the frontend:

...
"auth": map[string]interface{}{
	"credentials_by_user_agent": map[string]string{
	"mirall": "basic",
	},
},
...

@refs
Copy link
Member

refs commented Dec 1, 2020

I don't think we need to add this to ocis at all, since we're only forwarding the unauthorized request to the backend.

It would be a matter of config for ocis, and be on the same page on adding www-authenticate headers in some services

@labkode labkode changed the title [WIP] auth: add www-authenticate based on user agent auth: add www-authenticate based on user agent Dec 2, 2020
@labkode labkode requested review from refs, ishank011 and butonic December 2, 2020 08:20
@labkode
Copy link
Member Author

labkode commented Dec 2, 2020

Changes are complete now, please review.

@labkode
Copy link
Member Author

labkode commented Dec 2, 2020

@refs can you point me how we can configure it in OCIS and bump your Reva version once this is merged?

@refs
Copy link
Member

refs commented Dec 2, 2020

@refs can you point me how we can configure it in OCIS and bump your Reva version once this is merged?

working on making it configurable right now, should be ready by noon, pinging you then 👍

Copy link
Member

@refs refs left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 👍

ishank011
ishank011 previously approved these changes Dec 2, 2020
Copy link
Contributor

@ishank011 ishank011 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One small change. Otherwise looks good.

tkn := tokenStrategy.GetToken(r)
if tkn == "" {
log.Warn().Msg("core access token not set")

credKeys := applyWWWAuthenticate(r.UserAgent(), conf.CredentialsByUserAgent, conf.CredentialChain)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe rename this as userAgentCredKeys?

Copy link
Member

@refs refs left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Apparently with 4528d1 reva no longer adds Www-Authenticate for unauthenticated requests with unconfigured user agents. I'm testing through ocis proxy with:

curl -v -k -H "depth: 0" -X PROPFIND https://localhost:9200/remote.php/dav/files | xmllint --format -

and reverting such commit yields this response:

> PROPFIND /remote.php/dav/files HTTP/1.1
> Host: localhost:9200
> User-Agent: curl/7.64.1
> Accept: */*
> depth: 0
>
< HTTP/1.1 401 Unauthorized
< Content-Length: 0
< Date: Wed, 02 Dec 2020 09:43:51 GMT
< Www-Authenticate: Basic realm="localhost:9200"
< Www-Authenticate: Bearer realm="localhost:9200"

however without reverting it and providing with mirall user agent and unauthenticated request it correctly adds Www-Authenticate: basic to the response.

@labkode
Copy link
Member Author

labkode commented Dec 2, 2020

@refs I'm probably missed something.

@refs
Copy link
Member

refs commented Dec 2, 2020

@refs I'm probably missed something.

glad we watched it on time

@labkode
Copy link
Member Author

labkode commented Dec 2, 2020

@refs I think it has to do with OCIS.

[gonzalhu@iota ocis]$ curl -i http://localhost:9140/
HTTP/1.1 401 Unauthorized
Www-Authenticate: Basic realm="localhost:9140"
Www-Authenticate: Bearer realm="localhost:9140"
Date: Wed, 02 Dec 2020 12:37:42 GMT
Content-Length: 0

This request goes directly to Reva and without configuring anything, I get all available challenges.

The only change I did to OCIS to test this is to point to this PR the Reva version:

[gonzalhu@iota ocis]$ git diff
diff --git a/ocis/go.mod b/ocis/go.mod
index 01ca7ad..db094ad 100644
--- a/ocis/go.mod
+++ b/ocis/go.mod
@@ -38,6 +38,7 @@ require (
 )

 replace (
+       github.com/cs3org/reva => github.com/labkode/reva v0.0.0-20201202075545-1b0465435bec
        github.com/gomodule/redigo => github.com/gomodule/redigo v1.8.2
        github.com/owncloud/ocis/accounts => ../accounts
        github.com/owncloud/ocis/glauth => ../glauth

@refs
Copy link
Member

refs commented Dec 2, 2020

@labkode got the same behavior, but as soon as I configure reva to work with this PR's new config as:

"auth": map[string]interface{}{
	"credentials_by_user_agent": map[string]interface{}{
		"mirall": "basic",
	},
},

I got the following:

~/code/reva auth-user-agent
❯ curl -i http://localhost:9140/
HTTP/1.1 401 Unauthorized
Date: Wed, 02 Dec 2020 12:55:16 GMT
Content-Length: 0

Without setting credentials_by_user_agent I got the same behavior as you. Reverting 4528d1a works for me, that's why I think the changes in that commit cause this. Can you confirm?

@labkode
Copy link
Member Author

labkode commented Dec 2, 2020

@refs gitter :)

@labkode
Copy link
Member Author

labkode commented Dec 2, 2020

@refs @ishank011 I've added the missing test. If user agent is set but is not found in the map, we return the available credentials.

[gonzalhu@iota ocis]$ curl -i http://localhost:9140/ -H "User-Agent: mirall"
HTTP/1.1 401 Unauthorized
Www-Authenticate: Basic realm="localhost:9140"
Date: Wed, 02 Dec 2020 13:42:57 GMT
Content-Length: 0

[gonzalhu@iota ocis]$ curl -i http://localhost:9140/ -H "User-Agent: "
HTTP/1.1 401 Unauthorized
Www-Authenticate: Basic realm="localhost:9140"
Www-Authenticate: Bearer realm="localhost:9140"
Date: Wed, 02 Dec 2020 13:43:02 GMT
Content-Length: 0

[gonzalhu@iota ocis]$ curl -i http://localhost:9140/ -H "User-Agent: peter"
HTTP/1.1 401 Unauthorized
Www-Authenticate: Basic realm="localhost:9140"
Www-Authenticate: Bearer realm="localhost:9140"
Date: Wed, 02 Dec 2020 13:43:08 GMT
Content-Length: 0

[gonzalhu@iota ocis]$ curl -i http://localhost:9140/
HTTP/1.1 401 Unauthorized
Www-Authenticate: Basic realm="localhost:9140"
Www-Authenticate: Bearer realm="localhost:9140"
Date: Wed, 02 Dec 2020 13:43:11 GMT
Content-Length: 0

Copy link
Member

@refs refs left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

with the latest changes work just fine, thanks :)

Copy link
Contributor

@ishank011 ishank011 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah missed that case!

@labkode
Copy link
Member Author

labkode commented Dec 2, 2020

@refs some tests don't like me

@refs
Copy link
Member

refs commented Dec 2, 2020

weird, you actually have no failing tests but tests that either passed or did not run:

image

@phil-davis is it possible that some tests didn't run? I'm checking the run logs and don't see apiWebdavUploadTUS/uploadToShare.feature:66 running:

image

https://cloud.drone.io/cs3org/reva/3287/13/6

@ishank011
Copy link
Contributor

@labkode just need to rebase. The core tests commit was updated earlier today

@labkode labkode merged commit 1fb968b into cs3org:master Dec 3, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants