From b2d605f14524176e1e8dcb36d70f482a7d03ed91 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rn=20Friedrich=20Dreyer?=
Date: Tue, 29 Sep 2020 13:30:55 +0200
Subject: [PATCH] add enable basic auth option
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Jörn Friedrich Dreyer
---
 changelog/unreleased/add-basic-auth-option.md | 6 ++++
 .../unreleased/add-basic-auth-option.md | 6 ++++
 proxy/pkg/command/server.go | 1 +
 proxy/pkg/config/config.go | 27 ++++++++---------
 proxy/pkg/flagset/flagset.go | 9 ++++++
 proxy/pkg/middleware/account_uuid.go | 29 ++++++++++++-------
 proxy/pkg/middleware/options.go | 12 +++++++-
 7 files changed, 66 insertions(+), 24 deletions(-)
 create mode 100644 changelog/unreleased/add-basic-auth-option.md
 create mode 100644 proxy/changelog/unreleased/add-basic-auth-option.md
diff --git a/changelog/unreleased/add-basic-auth-option.md b/changelog/unreleased/add-basic-auth-option.md
new file mode 100644
index 00000000000..46f26f7015a
--- /dev/null
+++ b/changelog/unreleased/add-basic-auth-option.md
@@ -0,0 +1,6 @@
+Enhancement: Add basic auth option
+
+We added a new `enable-basic-auth` option and `PROXY_ENABLE_BASIC_AUTH` environment variable that can be set to `true` to make the proxy verify the basic auth header with the accounts service. This should only be used for testing and development and is disabled by default.
+
+https://github.com/owncloud/ocis/pull/626
+https://github.com/owncloud/product/issues/198
diff --git a/proxy/changelog/unreleased/add-basic-auth-option.md b/proxy/changelog/unreleased/add-basic-auth-option.md
new file mode 100644
index 00000000000..46f26f7015a
--- /dev/null
+++ b/proxy/changelog/unreleased/add-basic-auth-option.md
@@ -0,0 +1,6 @@
+Enhancement: Add basic auth option
+
+We added a new `enable-basic-auth` option and `PROXY_ENABLE_BASIC_AUTH` environment variable that can be set to `true` to make the proxy verify the basic auth header with the accounts service. This should only be used for testing and development and is disabled by default.
+
+https://github.com/owncloud/ocis/pull/626
+https://github.com/owncloud/product/issues/198
diff --git a/proxy/pkg/command/server.go b/proxy/pkg/command/server.go
index 3006b8be0d8..03ae7f0c600 100644
--- a/proxy/pkg/command/server.go
+++ b/proxy/pkg/command/server.go
@@ -265,6 +265,7 @@ func loadMiddlewares(ctx context.Context, l log.Logger, cfg *config.Config) alic
 middleware.TokenManagerConfig(cfg.TokenManager),
 middleware.AccountsClient(accounts),
 middleware.SettingsRoleService(roles),
+ middleware.EnableBasicAuth(cfg.EnableBasicAuth),
 )
 // the connection will be established in a non blocking fashion
diff --git a/proxy/pkg/config/config.go b/proxy/pkg/config/config.go
index 5961b32b536..3d7be835611 100644
--- a/proxy/pkg/config/config.go
+++ b/proxy/pkg/config/config.go
@@ -85,19 +85,20 @@ type Reva struct {
 // Config combines all available configuration parts.
 type Config struct {
- File string
- Log Log
- Debug Debug
- HTTP HTTP
- Service Service
- Tracing Tracing
- Asset Asset
- Policies []Policy
- OIDC OIDC
- TokenManager TokenManager
- PolicySelector *PolicySelector `mapstructure:"policy_selector"`
- Reva Reva
- PreSignedURL PreSignedURL
+ File string
+ Log Log
+ Debug Debug
+ HTTP HTTP
+ Service Service
+ Tracing Tracing
+ Asset Asset
+ Policies []Policy
+ OIDC OIDC
+ TokenManager TokenManager
+ PolicySelector *PolicySelector `mapstructure:"policy_selector"`
+ Reva Reva
+ PreSignedURL PreSignedURL
+ EnableBasicAuth bool
 }
 // OIDC is the config for the OpenID-Connect middleware. If set the proxy will try to authenticate every request
diff --git a/proxy/pkg/flagset/flagset.go b/proxy/pkg/flagset/flagset.go
index 4c0521b1689..8abb56c99a7 100644
--- a/proxy/pkg/flagset/flagset.go
+++ b/proxy/pkg/flagset/flagset.go
@@ -208,6 +208,15 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag {
 Usage: "--presignedurl-allow-method GET [--presignedurl-allow-method POST]",
 EnvVars: []string{"PRESIGNEDURL_ALLOWED_METHODS"},
 },
+
+ // Basic auth
+ &cli.BoolFlag{
+ Name: "enable-basic-auth",
+ Value: false,
+ Usage: "enable basic authentication",
+ EnvVars: []string{"PROXY_ENABLE_BASIC_AUTH"},
+ Destination: &cfg.EnableBasicAuth,
+ },
 }
 }
diff --git a/proxy/pkg/middleware/account_uuid.go b/proxy/pkg/middleware/account_uuid.go
index c5877863e04..6b65918b41f 100644
--- a/proxy/pkg/middleware/account_uuid.go
+++ b/proxy/pkg/middleware/account_uuid.go
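Review bot: The new flag's `Usage: "enable basic authentication",` omits the caveat the changelog attaches to this option (testing and development only, off by default), so `--help` and the env-var documentation give operators no hint that it is not meant for production; suggest `Usage: "enable basic authentication (for testing and development only)",`. ServerWithConfig's body starts and ends outside the hunk.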
@@ -85,22 +85,31 @@ func AccountUUID(opts ...Option) func(next http.Handler) http.Handler {
 return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 l := opt.Logger
 claims := oidc.FromContext(r.Context())
- if claims == nil {
- next.ServeHTTP(w, r)
- return
- }
-
 var account *acc.Account
 var status int
- if claims.Email != "" {
+ switch {
+ case claims == nil:
+ login, password, ok := r.BasicAuth()
+ if opt.EnableBasicAuth && ok {
+ l.Warn().Msg("basic auth enabled, use only for testing or development")
+ account, status = getAccount(l, opt.AccountsClient, fmt.Sprintf("login eq '%s' and password eq '%s'", strings.ReplaceAll(login, "'", "''"), strings.ReplaceAll(password, "'", "''")))
+ // fake claims for the subsequent code flow
+ claims = &oidc.StandardClaims{
+ Iss: opt.OIDCIss,
+ }
+ } else {
+ next.ServeHTTP(w, r)
+ return
+ }
+ case claims.Email != "":
 account, status = getAccount(l, opt.AccountsClient, fmt.Sprintf("mail eq '%s'", strings.ReplaceAll(claims.Email, "'", "''")))
- } else if claims.PreferredUsername != "" {
+ case claims.PreferredUsername != "":
 account, status = getAccount(l, opt.AccountsClient, fmt.Sprintf("preferred_name eq '%s'", strings.ReplaceAll(claims.PreferredUsername, "'", "''")))
- } else if claims.OcisID != "" {
+ case claims.OcisID != "":
 account, status = getAccount(l, opt.AccountsClient, fmt.Sprintf("id eq '%s'", strings.ReplaceAll(claims.OcisID, "'", "''")))
- } else {
+ default:
 // TODO allow lookup by custom claim, eg an id ... or sub
- l.Error().Err(err).Msgf("Could not lookup account, no mail or preferred_username claim set")
+ l.Error().Err(err).Msg("Could not lookup account, no mail or preferred_username claim set")
 w.WriteHeader(http.StatusInternalServerError)
 }
 if status != 0 || account == nil {
diff --git a/proxy/pkg/middleware/options.go b/proxy/pkg/middleware/options.go
index c583ee843a4..d8981a465ba 100644
--- a/proxy/pkg/middleware/options.go
+++ b/proxy/pkg/middleware/options.go
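Review bot: The `l.Warn().Msg("basic auth enabled, use only for testing or development")` in the `claims == nil` case fires on every request that carries a Basic Authorization header once the option is on, so it produces a log line per request instead of flagging the configuration; it belongs where the option is read (AccountUUID's option handling, which starts above this hunk) or at startup, emitted once. Separately, the filter built with `fmt.Sprintf("login eq '%s' and password eq '%s'", ...)` carries the cleartext password into the getAccount argument; if getAccount or the accounts service logs or traces that query (not visible here), credentials would end up in logs, which is worth confirming and redacting if so. The synthesized `claims = &oidc.StandardClaims{Iss: opt.OIDCIss}` carries no Email, PreferredUsername or OcisID, so anything downstream that reads those from the context sees empty strings; a comment stating that only Iss is populated and why would help the next reader. AccountUUID's body continues outside the hunk.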
@@ -1,9 +1,10 @@
 package middleware
 import (
- settings "github.com/owncloud/ocis/settings/pkg/proto/v0"
 "net/http"
+ settings "github.com/owncloud/ocis/settings/pkg/proto/v0"
+
 gateway "github.com/cs3org/go-cs3apis/cs3/gateway/v1beta1"
 acc "github.com/owncloud/ocis/accounts/pkg/proto/v0"
 "github.com/owncloud/ocis/ocis-pkg/log"
@@ -36,6 +37,8 @@ type Options struct {
 Store storepb.StoreService
 // PreSignedURLConfig to configure the middleware
 PreSignedURLConfig config.PreSignedURL
+ // EnableBasicAuth to allow basic auth
+ EnableBasicAuth bool
 }
 // newOptions initializes the available default options.
@@ -118,3 +121,10 @@ func PreSignedURLConfig(cfg config.PreSignedURL) Option {
 o.PreSignedURLConfig = cfg
 }
 }
+
+// EnableBasicAuth provides a function to set the EnableBasicAuth config
+func EnableBasicAuth(enableBasicAuth bool) Option {
+ return func(o *Options) {
+ o.EnableBasicAuth = enableBasicAuth
+ }
+}