add enable basic auth option and check permissions #627

butonic · 2020-09-29T11:31:41Z

We added a new enable-basic-auth option and PROXY_ENABLE_BASIC_AUTH environment variable that can be set to true to make the proxy verify the basic auth header with the accounts service. This should only be used for testing and development and is disabled by default.

first step for owncloud/product#198

I am not using a new middleware, because I want to save an additional trip to the accounts service.

felixboehm · 2020-09-29T12:22:43Z

default is disabled, code looks good. maybe add a docs page for testing??

IljaN

Maybe we should add a log message with Level WARN that says that the configuration is insecure? Other than that

butonic · 2020-09-29T13:24:06Z

Maybe we should add a log message with Level WARN that says that the configuration is insecure? Other than that

yep, I am annoying admins on every request made with basic auth: https://github.com/owncloud/ocis/pull/627/files#diff-f41fd6020fdfa56d329e7af72f4aab2cR94

butonic · 2020-09-29T18:24:31Z

a lot of the background steps are now failing because the ocs api now dies with a 500 when basic auth is enabled:

Background:                                                                                # /drone/src/ocis/tests/acceptance/features/apiOcisSpecific/apiTrashbin-trashbinDelete.feature:7
--
1300 | Given user "Alice" has been created with default attributes and without skeleton files   # FeatureContext::userHasBeenCreatedWithDefaultAttributesAndWithoutSkeletonFiles()
1301 | HTTP status code 500 is not the expected value 200
1302 | Failed asserting that 500 matches expected 200.

butonic · 2020-09-29T18:32:43Z

it tries to contact 9152 ... the old root storage that should no longer be in use ...

2020-09-29T14:57:25Z WRN core access token not set pkg=rhttp service=reva traceid=20e0dc60f131f4f40840fb7531893d8c | 1010s
-- | --
100016 | 2020-09-29T14:57:25Z INF unary code=OK end="29/Sep/2020:14:57:25 +0000" from=tcp://127.0.0.1:56608 pkg=rgrpc service=reva start="29/Sep/2020:14:57:25 +0000" time_ns=26930 traceid=20e0dc60f131f4f40840fb7531893d8c uri=/cs3.auth.registry.v1beta1.RegistryAPI/GetAuthProvider user-agent=grpc-go/1.26.0 | 1010s
100017 | 2020-09-29T14:57:25Z INF user id:<idp:"https://ocis-server:9200" opaque_id:"Alice" > username:"Alice" mail:"alice@example.org" display_name:"Alice Hansen" opaque:<map:<key:"gid" value:<decoder:"plain" > > map:<key:"uid" value:<decoder:"plain" > > >  authenticated pkg=rgrpc service=reva traceid=20e0dc60f131f4f40840fb7531893d8c | 1010s
100018 | 2020-09-29T14:57:25Z INF unary code=OK end="29/Sep/2020:14:57:25 +0000" from=tcp://127.0.0.1:51924 pkg=rgrpc service=reva start="29/Sep/2020:14:57:25 +0000" time_ns=111354513 traceid=20e0dc60f131f4f40840fb7531893d8c uri=/cs3.auth.provider.v1beta1.ProviderAPI/Authenticate user-agent=grpc-go/1.26.0 | 1010s
100019 | 2020-09-29T14:57:25Z INF unary code=OK end="29/Sep/2020:14:57:25 +0000" from=tcp://127.0.0.1:56684 pkg=rgrpc service=reva start="29/Sep/2020:14:57:25 +0000" time_ns=213920 traceid=20e0dc60f131f4f40840fb7531893d8c uri=/cs3.storage.registry.v1beta1.RegistryAPI/GetStorageProvider user-agent=grpc-go/1.26.0 | 1010s
100020 | 2020-09-29T14:57:25Z INF unary code=OK end="29/Sep/2020:14:57:25 +0000" from=tcp://127.0.0.1:58436 pkg=rgrpc service=reva start="29/Sep/2020:14:57:25 +0000" time_ns=504263 traceid=20e0dc60f131f4f40840fb7531893d8c uri=/cs3.storage.provider.v1beta1.ProviderAPI/CreateHome user-agent=grpc-go/1.26.0 | 1010s
100021 | 2020-09-29T14:57:25Z INF unary code=OK end="29/Sep/2020:14:57:25 +0000" from=tcp://127.0.0.1:56606 pkg=rgrpc service=reva start="29/Sep/2020:14:57:25 +0000" time_ns=119674203 traceid=20e0dc60f131f4f40840fb7531893d8c uri=/cs3.gateway.v1beta1.GatewayAPI/Authenticate user-agent=grpc-go/1.26.0 | 1010s
100022 | 2020-09-29T14:57:25Z INF core access token generated pkg=rhttp service=reva traceid=20e0dc60f131f4f40840fb7531893d8c | 1010s
100023 | 2020-09-29T14:57:25Z INF unary code=OK end="29/Sep/2020:14:57:25 +0000" from=tcp://127.0.0.1:56684 pkg=rgrpc service=reva start="29/Sep/2020:14:57:25 +0000" time_ns=134703 traceid=20e0dc60f131f4f40840fb7531893d8c uri=/cs3.storage.registry.v1beta1.RegistryAPI/GetStorageProvider user-agent=grpc-go/1.26.0 | 1010s
100024 | 2020-09-29T14:57:25Z ERR unary code=Unavailable end="29/Sep/2020:14:57:25 +0000" from=tcp://127.0.0.1:56606 pkg=rgrpc service=reva start="29/Sep/2020:14:57:25 +0000" time_ns=1417563 traceid=20e0dc60f131f4f40840fb7531893d8c uri=/cs3.gateway.v1beta1.GatewayAPI/Stat user-agent=grpc-go/1.26.0 | 1010s
100025 | 2020-09-29T14:57:25Z ERR error sending grpc stat request error="rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing dial tcp 127.0.0.1:9152: connect: connection refused\"" pkg=rhttp service=reva traceid=20e0dc60f131f4f40840fb7531893d8c | 1010s
100026 | 2020-09-29T14:57:25Z ERR http end="29/Sep/2020:14:57:25 +0000" host=127.0.0.1 method=PUT pkg=rhttp proto=HTTP/1.1 service=reva size=0 start="29/Sep/2020:14:57:25 +0000" status=500 time_ns=126606817 traceid=20e0dc60f131f4f40840fb7531893d8c uri=/remote.php/webdav/textfile0.txt-chunking-8703-3-2 url=/remote.php/webdav/textfile0.txt-chunking-8703-3-2

butonic · 2020-09-30T08:51:00Z

this is what is going on. the testsuite uses the ocs api to provision accounts. the requests were not authenticated, yet. now the proxy tries to authenticate 'admin', the default admin account, which does not exist, so the proxy returned a 500 because it was trying to create a new account ... so we now end the request when basic auth fails. We also now use the default admin account now, which is moss.

.drone.star

kulmann · 2020-10-08T14:35:41Z

Rebased and force pushed...

kulmann · 2020-10-08T15:28:51Z

I introduced an admin:admin user as part of this PR, because phoenix webUI tests use a hardcoded admin:admin user. I don't want to go the extra mile and make it configurable in the test suite. Sufficient for now to have this as an extra default admin user.

Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>

sonarqubecloud · 2020-11-05T12:15:02Z

Kudos, SonarCloud Quality Gate passed!

0 Bugs
0 Vulnerabilities (and 0 Security Hotspots to review)
0 Code Smells

No Coverage information
No Duplication information

butonic force-pushed the add-basic-auth-option branch from b2d605f to c5cfc10 Compare September 29, 2020 11:32

butonic requested review from IljaN and C0rby September 29, 2020 11:34

felixboehm approved these changes Sep 29, 2020

View reviewed changes

butonic force-pushed the add-basic-auth-option branch from c5cfc10 to f8bc7cf Compare September 29, 2020 13:01

IljaN reviewed Sep 29, 2020

View reviewed changes

butonic self-assigned this Sep 29, 2020

butonic force-pushed the add-basic-auth-option branch from f8bc7cf to 9f4bcf9 Compare September 29, 2020 15:45

butonic force-pushed the add-basic-auth-option branch 3 times, most recently from 8d187a8 to 64f9db7 Compare October 6, 2020 11:41

kulmann reviewed Oct 6, 2020

View reviewed changes