diff --git a/changelog/unreleased/add-basic-auth-option.md b/changelog/unreleased/add-basic-auth-option.md
new file mode 100644
index 0000000000..811d7388e5
--- /dev/null
+++ b/changelog/unreleased/add-basic-auth-option.md
@@ -0,0 +1,6 @@
+Enhancement: Add basic auth option
+
+We added a new `enable-basic-auth` option and `PROXY_ENABLE_BASIC_AUTH` environment variable that can be set to `true` to make the proxy verify the basic auth header with the accounts service. This should only be used for testing and development and is disabled by default.
+
+https://github.com/owncloud/ocis/pull/627
+https://github.com/owncloud/product/issues/198
diff --git a/docs/ocis/development/testing.md b/docs/ocis/development/testing.md
index eb5c21150d..3fd74cce3f 100644
--- a/docs/ocis/development/testing.md
+++ b/docs/ocis/development/testing.md
@@ -29,9 +29,11 @@ File versions need a redis server. Start one with docker by using:
 To start ocis:
 ```
-bin/ocis server
+PROXY_ENABLE_BASIC_AUTH=true bin/ocis server
 ```
+`PROXY_ENABLE_BASIC_AUTH` will allow the acceptance tests to make requests against the provisioning api (and other endpoints) using basic auth.
+
 ### Run the acceptance tests
 First we will need to clone the testing app in owncloud which contains the skeleton files required for running the tests. In the ownCloud 10 core clone the testing app with the following command:
diff --git a/ocis/go.sum b/ocis/go.sum
index 98dfc55609..091161bb60 100644
--- a/ocis/go.sum
+++ b/ocis/go.sum
@@ -623,7 +623,6 @@ github.com/golang/protobuf v1.3.0/go.mod h1:Qd/q+1AKNOZr9uGQzbzCmRO6sUih6GTPZv6a
 github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=
-github.com/golang/protobuf v1.3.4/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=
 github.com/golang/protobuf v1.3.5/go.mod h1:6O5/vntMXwX2lRkT1hjjk0nAC1IDOTvTlVgjlRvqsdk=
 github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=
 github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA=
@@ -870,8 +869,6 @@ github.com/marten-seemann/qtls v0.4.1/go.mod h1:pxVXcHHw1pNIt8Qo0pwSYQEoZ8yYOOPX
 github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
 github.com/mattn/go-colorable v0.1.2/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
 github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
-github.com/mattn/go-colorable v0.1.7 h1:bQGKb3vps/j0E9GfJQ03JyhRuxsvdAanXlT9BTw3mdw=
-github.com/mattn/go-colorable v0.1.7/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
 github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
 github.com/mattn/go-isatty v0.0.4/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
 github.com/mattn/go-isatty v0.0.7/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
diff --git a/proxy/changelog/unreleased/add-basic-auth-option.md b/proxy/changelog/unreleased/add-basic-auth-option.md
new file mode 100644
index 0000000000..811d7388e5
--- /dev/null
+++ b/proxy/changelog/unreleased/add-basic-auth-option.md
@@ -0,0 +1,6 @@
+Enhancement: Add basic auth option
+
+We added a new `enable-basic-auth` option and `PROXY_ENABLE_BASIC_AUTH` environment variable that can be set to `true` to make the proxy verify the basic auth header with the accounts service. This should only be used for testing and development and is disabled by default.
+
+https://github.com/owncloud/ocis/pull/627
+https://github.com/owncloud/product/issues/198
diff --git a/proxy/pkg/command/server.go b/proxy/pkg/command/server.go
index d6c2892f71..bb7b982b06 100644
--- a/proxy/pkg/command/server.go
+++ b/proxy/pkg/command/server.go
@@ -266,6 +266,7 @@ func loadMiddlewares(ctx context.Context, l log.Logger, cfg *config.Config) alic
 middleware.AccountsClient(accounts),
 middleware.SettingsRoleService(roles),
 middleware.AutoprovisionAccounts(cfg.AutoprovisionAccounts),
+ middleware.EnableBasicAuth(cfg.EnableBasicAuth),
 )
 // the connection will be established in a non blocking fashion
diff --git a/proxy/pkg/config/config.go b/proxy/pkg/config/config.go
index f5252cc7c3..681d0abe03 100644
--- a/proxy/pkg/config/config.go
+++ b/proxy/pkg/config/config.go
@@ -99,6 +99,7 @@ type Config struct {
 Reva Reva
 PreSignedURL PreSignedURL
 AutoprovisionAccounts bool
+ EnableBasicAuth bool
 }
 // OIDC is the config for the OpenID-Connect middleware. If set the proxy will try to authenticate every request
diff --git a/proxy/pkg/flagset/flagset.go b/proxy/pkg/flagset/flagset.go
index 1ccc497d64..50d19b5086 100644
--- a/proxy/pkg/flagset/flagset.go
+++ b/proxy/pkg/flagset/flagset.go
@@ -219,6 +219,15 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag {
 Usage: "--presignedurl-allow-method GET [--presignedurl-allow-method POST]",
 EnvVars: []string{"PRESIGNEDURL_ALLOWED_METHODS"},
 },
+
+ // Basic auth
+ &cli.BoolFlag{
+ Name: "enable-basic-auth",
+ Value: false,
+ Usage: "enable basic authentication",
+ EnvVars: []string{"PROXY_ENABLE_BASIC_AUTH"},
+ Destination: &cfg.EnableBasicAuth,
+ },
 }
 }
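Review bot: The new `EnableBasicAuth` field on `Config` carries no doc comment, and as the single switch that makes the proxy accept and verify basic-auth credentials it is the field an operator will look up first. Suggest `// EnableBasicAuth lets the proxy verify HTTP basic auth credentials against the accounts service (testing and development only, off by default).` directly above the field. The `Config` struct begins before this hunk.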
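Review bot: The `Usage` string `"enable basic authentication"` on the new `enable-basic-auth` flag omits the one thing the changelog in this same change insists on: that the option is for testing and development only. The flag help is where operators running `bin/ocis server` will see it, so the caveat belongs there rather than only in the changelog. Suggest `Usage: "enable basic authentication (testing and development only, disabled by default)"`. `ServerWithConfig` begins before this hunk.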
diff --git a/proxy/pkg/middleware/account_uuid.go b/proxy/pkg/middleware/account_uuid.go
index 6850db1444..4d7b396bc7 100644
--- a/proxy/pkg/middleware/account_uuid.go
+++ b/proxy/pkg/middleware/account_uuid.go
@@ -85,22 +85,31 @@ func AccountUUID(opts ...Option) func(next http.Handler) http.Handler {
 return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 l := opt.Logger
 claims := oidc.FromContext(r.Context())
- if claims == nil {
- next.ServeHTTP(w, r)
- return
- }
-
 var account *acc.Account
 var status int
- if claims.Email != "" {
+ switch {
+ case claims == nil:
+ login, password, ok := r.BasicAuth()
+ if opt.EnableBasicAuth && ok {
+ l.Warn().Msg("basic auth enabled, use only for testing or development")
+ account, status = getAccount(l, opt.AccountsClient, fmt.Sprintf("login eq '%s' and password eq '%s'", strings.ReplaceAll(login, "'", "''"), strings.ReplaceAll(password, "'", "''")))
+ // fake claims for the subsequent code flow
+ claims = &oidc.StandardClaims{
+ Iss: opt.OIDCIss,
+ }
+ } else {
+ next.ServeHTTP(w, r)
+ return
+ }
+ case claims.Email != "":
 account, status = getAccount(l, opt.AccountsClient, fmt.Sprintf("mail eq '%s'", strings.ReplaceAll(claims.Email, "'", "''")))
- } else if claims.PreferredUsername != "" {
+ case claims.PreferredUsername != "":
 account, status = getAccount(l, opt.AccountsClient, fmt.Sprintf("preferred_name eq '%s'", strings.ReplaceAll(claims.PreferredUsername, "'", "''")))
- } else if claims.OcisID != "" {
+ case claims.OcisID != "":
 account, status = getAccount(l, opt.AccountsClient, fmt.Sprintf("id eq '%s'", strings.ReplaceAll(claims.OcisID, "'", "''")))
- } else {
+ default:
 // TODO allow lookup by custom claim, eg an id ... or sub
- l.Error().Err(err).Msgf("Could not lookup account, no mail or preferred_username claim set")
+ l.Error().Err(err).Msg("Could not lookup account, no mail or preferred_username claim set")
 w.WriteHeader(http.StatusInternalServerError)
 }
 if status != 0 || account == nil {
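Review bot: In the new `case claims == nil:` branch the raw basic-auth password is formatted straight into the accounts filter `login eq '%s' and password eq '%s'`, so the integrity of that query rests entirely on the single-quote doubling and on the accounts service treating `''` as an escape; if `getAccount` (outside this hunk) logs the filter on a failed lookup, the plaintext password would also end up in the proxy log, which is worth confirming before this ships. Consider rejecting empty credentials before the round-trip, `if login == "" || password == "" { w.WriteHeader(http.StatusUnauthorized); return }`, and, if the accounts client API allows it, passing login and password as separate query values rather than a preformatted filter string. The `l.Warn()` on the line above the lookup fires on every basic-auth request once the flag is set; emitting that warning once when the option is enabled would keep the signal without flooding logs. The faked `oidc.StandardClaims` carries only `Iss`, so code after the hunk that reads other claim fields presumably sees empty strings — verify that is intended. The enclosing handler continues past the end of the hunk, where `status` and `account` are checked.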
diff --git a/proxy/pkg/middleware/options.go b/proxy/pkg/middleware/options.go
index 4c7cbd623a..b012c8cf5b 100644
--- a/proxy/pkg/middleware/options.go
+++ b/proxy/pkg/middleware/options.go
@@ -39,6 +39,8 @@ type Options struct {
 PreSignedURLConfig config.PreSignedURL
 // AutoprovisionAccounts when an account does not exist.
 AutoprovisionAccounts bool
+ // EnableBasicAuth to allow basic auth
+ EnableBasicAuth bool
 }
 // newOptions initializes the available default options.
@@ -128,3 +130,10 @@ func AutoprovisionAccounts(val bool) Option {
 o.AutoprovisionAccounts = val
 }
 }
+
+// EnableBasicAuth provides a function to set the EnableBasicAuth config
+func EnableBasicAuth(enableBasicAuth bool) Option {
+ return func(o *Options) {
+ o.EnableBasicAuth = enableBasicAuth
+ }
+}
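Review bot: Both new doc comments are tautological — `// EnableBasicAuth to allow basic auth` on the `Options` field in the first hunk and `// EnableBasicAuth provides a function to set the EnableBasicAuth config` on the constructor in the second — and neither says what the option does or that it is a development-only setting, which is the information a reader of this package needs. Suggest `// EnableBasicAuth makes AccountUUID accept HTTP basic auth credentials and verify them against the accounts service; testing and development only.` for the field, and `// EnableBasicAuth sets Options.EnableBasicAuth.` for the option constructor. The `Options` struct begins before the first hunk.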