Fix st2 cli client auth in st2auth proxy mode

Author: floatingstatic

st2auth/st2auth/handlers.py

@@ -130,6 +130,25 @@ def handle_auth(
         remote_addr = headers.get("x-forwarded-for", remote_addr)
         extra = {"remote_addr": remote_addr}
 
+        # Needed to support st2client which does not connect via st2web
+        if authorization and not remote_user:
+            try:
+                auth_value = base64.b64decode(authorization[1])
+            except Exception:
+                LOG.audit("Invalid authorization header", extra=extra)
+                abort_request()
+                return
+
+            split = auth_value.split(b":", 1)
+            if len(split) != 2:
+                LOG.audit("Invalid authorization header", extra=extra)
+                abort_request()
+                return
+
+            remote_user = split[0]
+            if six.PY3 and isinstance(remote_user, six.binary_type):
+                remote_user = remote_user.decode("utf-8")
+
         if remote_user:
             ttl = getattr(request, "ttl", None)
             username = self._get_username_for_request(remote_user, request)

st2auth/tests/unit/test_handlers.py

@@ -48,6 +48,31 @@ def test_proxy_handler(self):
         )
         self.assertEqual(token.user, "test_proxy_handler")
 
+    def test_proxy_handler_no_remote_user(self):
+        h = handlers.ProxyAuthHandler()
+        request = {}
+        token = h.handle_auth(
+            request,
+            headers={},
+            remote_addr=None,
+            remote_user=None,
+            authorization=("basic", DUMMY_CREDS),
+        )
+        self.assertEqual(token.user, "auser")
+
+    def test_proxy_handler_bad_auth(self):
+        h = handlers.ProxyAuthHandler()
+        request = {}
+
+        with self.assertRaises(exc.HTTPUnauthorized):
+            h.handle_auth(
+                request,
+                headers={},
+                remote_addr=None,
+                remote_user=None,
+                authorization=None,
+            )
+
     def test_standalone_bad_auth_type(self):
         h = handlers.StandaloneAuthHandler()
         request = {}