auth: add www-authenticate based on user agent #1350
Conversation
|
Thanks for opening this pull request! The maintainers of this repository would appreciate it if you would create a changelog item based on your changes. |
|
👍 this works as intended > PROPFIND /remote.php/dav/files HTTP/1.1
> Host: localhost:9200
> Accept: */*
> User-Agent: mirall
> depth: 0
>
< HTTP/1.1 401 Unauthorized
< Content-Length: 0
< Date: Tue, 01 Dec 2020 11:04:02 GMT
< Www-Authenticate: Basic realm="localhost:9200"
<
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
* Connection #0 to host localhost left intact
* Closing connection 0
-:1: parser error : Document is empty
^
~/code/reva auth-user-agent*
❯ curl -v -k -H "User-Agent: mirall" -H "depth: 0" -X PROPFIND https://localhost:9200/remote.php/dav/files | xmllint --format -The only changes in ocis are when configuring the webdav service in the frontend: ...
"auth": map[string]interface{}{
"credentials_by_user_agent": map[string]string{
"mirall": "basic",
},
},
... |
|
I don't think we need to add this to ocis at all, since we're only forwarding the unauthorized request to the backend. It would be a matter of config for ocis, and be on the same page on adding www-authenticate headers in some services |
labkode
changed the title
|
Changes are complete now, please review. |
|
@refs can you point me how we can configure it in OCIS and bump your Reva version once this is merged? |
working on making it configurable right now, should be ready by noon, pinging you then 👍 |
| tkn := tokenStrategy.GetToken(r) | ||
| if tkn == "" { | ||
| log.Warn().Msg("core access token not set") | ||
|
|
||
| credKeys := applyWWWAuthenticate(r.UserAgent(), conf.CredentialsByUserAgent, conf.CredentialChain) |
There was a problem hiding this comment.
Maybe rename this as userAgentCredKeys?
There was a problem hiding this comment.
Apparently with 4528d1 reva no longer adds Www-Authenticate for unauthenticated requests with unconfigured user agents. I'm testing through ocis proxy with:
curl -v -k -H "depth: 0" -X PROPFIND https://localhost:9200/remote.php/dav/files | xmllint --format -and reverting such commit yields this response:
> PROPFIND /remote.php/dav/files HTTP/1.1
> Host: localhost:9200
> User-Agent: curl/7.64.1
> Accept: */*
> depth: 0
>
< HTTP/1.1 401 Unauthorized
< Content-Length: 0
< Date: Wed, 02 Dec 2020 09:43:51 GMT
< Www-Authenticate: Basic realm="localhost:9200"
< Www-Authenticate: Bearer realm="localhost:9200"
however without reverting it and providing with mirall user agent and unauthenticated request it correctly adds Www-Authenticate: basic to the response.
|
@refs I'm probably missed something. |
glad we watched it on time |
|
@refs I think it has to do with OCIS. This request goes directly to Reva and without configuring anything, I get all available challenges. The only change I did to OCIS to test this is to point to this PR the Reva version: |
|
@labkode got the same behavior, but as soon as I configure reva to work with this PR's new config as: I got the following: Without setting |
|
@refs gitter :) |
|
@refs @ishank011 I've added the missing test. If user agent is set but is not found in the map, we return the available credentials. |
|
@refs some tests don't like me |
|
weird, you actually have no failing tests but tests that either passed or did not run:
@phil-davis is it possible that some tests didn't run? I'm checking the run logs and don't see apiWebdavUploadTUS/uploadToShare.feature:66 running:
|
|
@labkode just need to rebase. The core tests commit was updated earlier today |
No description provided.