add enable basic auth option

Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>

proxy/changelog/unreleased/add-basic-auth-option.md

@@ -0,0 +1,6 @@
+Enhancement: Add basic auth option
+
+We added a new `enable-basic-auth` option and `PROXY_ENABLE_BASIC_AUTH` environment variable that can be set to `true` to make the proxy verify the basic auth header with the accounts service. This should only be used for testing and development and is disabled by default.
+
+https://github.com/owncloud/ocis/pull/627
+https://github.com/owncloud/product/issues/198

proxy/pkg/command/server.go

@@ -266,6 +266,7 @@ func loadMiddlewares(ctx context.Context, l log.Logger, cfg *config.Config) alic
 		middleware.AccountsClient(accounts),
 		middleware.SettingsRoleService(roles),
 		middleware.AutoprovisionAccounts(cfg.AutoprovisionAccounts),
+		middleware.EnableBasicAuth(cfg.EnableBasicAuth),
 	)
 
 	// the connection will be established in a non blocking fashion

proxy/pkg/config/config.go

@@ -99,6 +99,7 @@ type Config struct {
 	Reva                  Reva
 	PreSignedURL          PreSignedURL
 	AutoprovisionAccounts bool
+	EnableBasicAuth       bool
 }
 
 // OIDC is the config for the OpenID-Connect middleware. If set the proxy will try to authenticate every request

proxy/pkg/flagset/flagset.go

@@ -219,6 +219,15 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag {
 			Usage:   "--presignedurl-allow-method GET [--presignedurl-allow-method POST]",
 			EnvVars: []string{"PRESIGNEDURL_ALLOWED_METHODS"},
 		},
+
+		// Basic auth
+		&cli.BoolFlag{
+			Name:        "enable-basic-auth",
+			Value:       false,
+			Usage:       "enable basic authentication",
+			EnvVars:     []string{"PROXY_ENABLE_BASIC_AUTH"},
+			Destination: &cfg.EnableBasicAuth,
+		},
 	}
 
 }

proxy/pkg/middleware/account_uuid.go

@@ -85,22 +85,31 @@ func AccountUUID(opts ...Option) func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			l := opt.Logger
 			claims := oidc.FromContext(r.Context())
-			if claims == nil {
-				next.ServeHTTP(w, r)
-				return
-			}
-
 			var account *acc.Account
 			var status int
-			if claims.Email != "" {
+			switch {
+			case claims == nil:
+				login, password, ok := r.BasicAuth()
+				if opt.EnableBasicAuth && ok {
+					l.Warn().Msg("basic auth enabled, use only for testing or development")
+					account, status = getAccount(l, opt.AccountsClient, fmt.Sprintf("login eq '%s' and password eq '%s'", strings.ReplaceAll(login, "'", "''"), strings.ReplaceAll(password, "'", "''")))
+					// fake claims for the subsequent code flow
+					claims = &oidc.StandardClaims{
+						Iss: opt.OIDCIss,
+					}
+				} else {
+					next.ServeHTTP(w, r)
+					return
+				}
+			case claims.Email != "":
 				account, status = getAccount(l, opt.AccountsClient, fmt.Sprintf("mail eq '%s'", strings.ReplaceAll(claims.Email, "'", "''")))
-			} else if claims.PreferredUsername != "" {
+			case claims.PreferredUsername != "":
 				account, status = getAccount(l, opt.AccountsClient, fmt.Sprintf("preferred_name eq '%s'", strings.ReplaceAll(claims.PreferredUsername, "'", "''")))
-			} else if claims.OcisID != "" {
+			case claims.OcisID != "":
 				account, status = getAccount(l, opt.AccountsClient, fmt.Sprintf("id eq '%s'", strings.ReplaceAll(claims.OcisID, "'", "''")))
-			} else {
+			default:
 				// TODO allow lookup by custom claim, eg an id ... or sub
-				l.Error().Err(err).Msgf("Could not lookup account, no mail or preferred_username claim set")
+				l.Error().Err(err).Msg("Could not lookup account, no mail or preferred_username claim set")
 				w.WriteHeader(http.StatusInternalServerError)
 			}
 			if status != 0 || account == nil {

proxy/pkg/middleware/options.go

@@ -39,6 +39,8 @@ type Options struct {
 	PreSignedURLConfig config.PreSignedURL
 	// AutoprovisionAccounts when an account does not exist.
 	AutoprovisionAccounts bool
+	// EnableBasicAuth to allow basic auth
+	EnableBasicAuth bool
 }
 
 // newOptions initializes the available default options.
@@ -128,3 +130,10 @@ func AutoprovisionAccounts(val bool) Option {
 		o.AutoprovisionAccounts = val
 	}
 }
+
+// EnableBasicAuth provides a function to set the EnableBasicAuth config
+func EnableBasicAuth(enableBasicAuth bool) Option {
+	return func(o *Options) {
+		o.EnableBasicAuth = enableBasicAuth
+	}
+}