add enable basic auth option

Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
owncloud · Sep 29, 2020 · f8bc7cf · f8bc7cf
1 parent 60bc955
commit f8bc7cf
Show file tree

Hide file tree

Showing 9 changed files with 70 additions and 25 deletions.
diff --git a/.drone.star b/.drone.star
@@ -970,6 +970,7 @@ def ocisServer(storage):
         'REVA_LDAP_IDP': 'https://ocis-server:9200',
         'REVA_OIDC_ISSUER': 'https://ocis-server:9200',
         'PROXY_OIDC_ISSUER': 'https://ocis-server:9200',
+        'PROXY_ENABLE_BASIC_AUTH': true,
         'REVA_STORAGE_OC_DATA_SERVER_URL': 'http://ocis-server:9164/data',
         'REVA_DATAGATEWAY_URL': 'https://ocis-server:9200/data',
         'REVA_FRONTEND_URL': 'https://ocis-server:9200',

diff --git a/changelog/unreleased/add-basic-auth-option.md b/changelog/unreleased/add-basic-auth-option.md
@@ -0,0 +1,6 @@
+Enhancement: Add basic auth option
+
+We added a new `enable-basic-auth` option and `PROXY_ENABLE_BASIC_AUTH` environment variable that can be set to `true` to make the proxy verify the basic auth header with the accounts service. This should only be used for testing and development and is disabled by default.
+
+https://github.com/owncloud/ocis/pull/627
+https://github.com/owncloud/product/issues/198
diff --git a/docs/ocis/testing.md b/docs/ocis/testing.md
@@ -29,9 +29,11 @@ File versions need a redis server. Start one with docker by using:
 
 To start ocis:
 ```
-bin/ocis server
+PROXY_ENABLE_BASIC_AUTH=true bin/ocis server
 ```
 
+`PROXY_ENABLE_BASIC_AUTH` will allow the acceptance tests to make requests against the provisioning api (and other endpoints) using basic auth.
+
 ### Run the acceptance tests
 First we will need to clone the testing app in owncloud which contains the skeleton files required for running the tests.
 In the ownCloud 10 core clone the testing app with the following command:

diff --git a/proxy/changelog/unreleased/add-basic-auth-option.md b/proxy/changelog/unreleased/add-basic-auth-option.md
@@ -0,0 +1,6 @@
+Enhancement: Add basic auth option
+
+We added a new `enable-basic-auth` option and `PROXY_ENABLE_BASIC_AUTH` environment variable that can be set to `true` to make the proxy verify the basic auth header with the accounts service. This should only be used for testing and development and is disabled by default.
+
+https://github.com/owncloud/ocis/pull/627
+https://github.com/owncloud/product/issues/198
diff --git a/proxy/pkg/command/server.go b/proxy/pkg/command/server.go
@@ -265,6 +265,7 @@ func loadMiddlewares(ctx context.Context, l log.Logger, cfg *config.Config) alic
 		middleware.TokenManagerConfig(cfg.TokenManager),
 		middleware.AccountsClient(accounts),
 		middleware.SettingsRoleService(roles),
+		middleware.EnableBasicAuth(cfg.EnableBasicAuth),
 	)
 
 	// the connection will be established in a non blocking fashion

diff --git a/proxy/pkg/config/config.go b/proxy/pkg/config/config.go
@@ -85,19 +85,20 @@ type Reva struct {
 
 // Config combines all available configuration parts.
 type Config struct {
-	File           string
-	Log            Log
-	Debug          Debug
-	HTTP           HTTP
-	Service        Service
-	Tracing        Tracing
-	Asset          Asset
-	Policies       []Policy
-	OIDC           OIDC
-	TokenManager   TokenManager
-	PolicySelector *PolicySelector `mapstructure:"policy_selector"`
-	Reva           Reva
-	PreSignedURL   PreSignedURL
+	File            string
+	Log             Log
+	Debug           Debug
+	HTTP            HTTP
+	Service         Service
+	Tracing         Tracing
+	Asset           Asset
+	Policies        []Policy
+	OIDC            OIDC
+	TokenManager    TokenManager
+	PolicySelector  *PolicySelector `mapstructure:"policy_selector"`
+	Reva            Reva
+	PreSignedURL    PreSignedURL
+	EnableBasicAuth bool
 }
 
 // OIDC is the config for the OpenID-Connect middleware. If set the proxy will try to authenticate every request

diff --git a/proxy/pkg/flagset/flagset.go b/proxy/pkg/flagset/flagset.go
@@ -208,6 +208,15 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag {
 			Usage:   "--presignedurl-allow-method GET [--presignedurl-allow-method POST]",
 			EnvVars: []string{"PRESIGNEDURL_ALLOWED_METHODS"},
 		},
+
+		// Basic auth
+		&cli.BoolFlag{
+			Name:        "enable-basic-auth",
+			Value:       false,
+			Usage:       "enable basic authentication",
+			EnvVars:     []string{"PROXY_ENABLE_BASIC_AUTH"},
+			Destination: &cfg.EnableBasicAuth,
+		},
 	}
 
 }

diff --git a/proxy/pkg/middleware/account_uuid.go b/proxy/pkg/middleware/account_uuid.go
@@ -85,22 +85,31 @@ func AccountUUID(opts ...Option) func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			l := opt.Logger
 			claims := oidc.FromContext(r.Context())
-			if claims == nil {
-				next.ServeHTTP(w, r)
-				return
-			}
-
 			var account *acc.Account
 			var status int
-			if claims.Email != "" {
+			switch {
+			case claims == nil:
+				login, password, ok := r.BasicAuth()
+				if opt.EnableBasicAuth && ok {
+					l.Warn().Msg("basic auth enabled, use only for testing or development")
+					account, status = getAccount(l, opt.AccountsClient, fmt.Sprintf("login eq '%s' and password eq '%s'", strings.ReplaceAll(login, "'", "''"), strings.ReplaceAll(password, "'", "''")))
+					// fake claims for the subsequent code flow
+					claims = &oidc.StandardClaims{
+						Iss: opt.OIDCIss,
+					}
+				} else {
+					next.ServeHTTP(w, r)
+					return
+				}
+			case claims.Email != "":
 				account, status = getAccount(l, opt.AccountsClient, fmt.Sprintf("mail eq '%s'", strings.ReplaceAll(claims.Email, "'", "''")))
-			} else if claims.PreferredUsername != "" {
+			case claims.PreferredUsername != "":
 				account, status = getAccount(l, opt.AccountsClient, fmt.Sprintf("preferred_name eq '%s'", strings.ReplaceAll(claims.PreferredUsername, "'", "''")))
-			} else if claims.OcisID != "" {
+			case claims.OcisID != "":
 				account, status = getAccount(l, opt.AccountsClient, fmt.Sprintf("id eq '%s'", strings.ReplaceAll(claims.OcisID, "'", "''")))
-			} else {
+			default:
 				// TODO allow lookup by custom claim, eg an id ... or sub
-				l.Error().Err(err).Msgf("Could not lookup account, no mail or preferred_username claim set")
+				l.Error().Err(err).Msg("Could not lookup account, no mail or preferred_username claim set")
 				w.WriteHeader(http.StatusInternalServerError)
 			}
 			if status != 0 || account == nil {

diff --git a/proxy/pkg/middleware/options.go b/proxy/pkg/middleware/options.go
@@ -1,9 +1,10 @@
 package middleware
 
 import (
-	settings "github.com/owncloud/ocis/settings/pkg/proto/v0"
 	"net/http"
 
+	settings "github.com/owncloud/ocis/settings/pkg/proto/v0"
+
 	gateway "github.com/cs3org/go-cs3apis/cs3/gateway/v1beta1"
 	acc "github.com/owncloud/ocis/accounts/pkg/proto/v0"
 	"github.com/owncloud/ocis/ocis-pkg/log"
@@ -36,6 +37,8 @@ type Options struct {
 	Store storepb.StoreService
 	// PreSignedURLConfig to configure the middleware
 	PreSignedURLConfig config.PreSignedURL
+	// EnableBasicAuth to allow basic auth
+	EnableBasicAuth bool
 }
 
 // newOptions initializes the available default options.
@@ -118,3 +121,10 @@ func PreSignedURLConfig(cfg config.PreSignedURL) Option {
 		o.PreSignedURLConfig = cfg
 	}
 }
+
+// EnableBasicAuth provides a function to set the EnableBasicAuth config
+func EnableBasicAuth(enableBasicAuth bool) Option {
+	return func(o *Options) {
+		o.EnableBasicAuth = enableBasicAuth
+	}
+}