Allow st2web proxy auth mode to work in HA environments

CHANGELOG.rst

@@ -7,6 +7,9 @@ in development
 Fixed
 ~~~~~
 
+* Fix proxy auth mode in HA environments #5766
+  Contributed by @floatingstatic
+
 * Fix CI usses #6015
   Contributed by Amanda McGuinness (@amanda11 intive)
 

conf/HA/nginx/st2.conf.blueprint.sample

@@ -96,6 +96,7 @@ server {
     proxy_set_header      Host $host;
     proxy_set_header      X-Real-IP $remote_addr;
     proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header      X-Forwarded-User $remote_user;
     proxy_pass_header     Authorization;
 
     proxy_set_header Connection '';

conf/HA/nginx/st2.conf.controller.sample

@@ -118,6 +118,7 @@ server {
     proxy_set_header      Host $host;
     proxy_set_header      X-Real-IP $remote_addr;
     proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header      X-Forwarded-User $remote_user;
     proxy_pass_header     Authorization;
 
     proxy_set_header Connection '';

conf/nginx/st2.conf

@@ -146,6 +146,7 @@ server {
     proxy_set_header      Host $host;
     proxy_set_header      X-Real-IP $remote_addr;
     proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header      X-Forwarded-User $remote_user;
     proxy_pass_header     Authorization;
 
     proxy_set_header Connection '';

st2auth/st2auth/controllers/v1/auth.py

@@ -67,6 +67,10 @@ def post(self, request, **kwargs):
         if "x-forwarded-for" in kwargs:
             headers["x-forwarded-for"] = kwargs.pop("x-forwarded-for")
 
+        remote_user = kwargs.pop("remote_user", None)
+        if not remote_user and "x-forwarded-user" in kwargs:
+            remote_user = kwargs.pop("x-forwarded-user", None)
+
         authorization = kwargs.pop("authorization", None)
         if authorization:
             authorization = tuple(authorization.split(" "))
@@ -75,7 +79,7 @@ def post(self, request, **kwargs):
             request=request,
             headers=headers,
             remote_addr=kwargs.pop("remote_addr", None),
-            remote_user=kwargs.pop("remote_user", None),
+            remote_user=remote_user,
             authorization=authorization,
             **kwargs,
         )

st2auth/tests/unit/controllers/v1/test_token.py

@@ -97,6 +97,19 @@ def _test_token_post(self, path=TOKEN_V1_PATH):
         self.assertLess(actual_expiry, expected_expiry)
         return response
 
+    def test_token_post_proxy_user(self):
+        headers = {"X-Forwarded-For": "192.0.2.1", "X-Forwarded-User": "testuser"}
+        response = self.app.post_json(
+            TOKEN_V1_PATH,
+            {},
+            headers=headers,
+            expect_errors=False,
+            extra_environ={"REMOTE_USER": ""},
+        )
+        self.assertEqual(response.status_int, 201)
+        self.assertIsNotNone(response.json["token"])
+        self.assertEqual(response.json["user"], "testuser")
+
     def test_token_post_unauthorized(self):
         response = self.app.post_json(
             TOKEN_V1_PATH, {}, expect_errors=True, extra_environ={"REMOTE_USER": ""}

st2common/st2common/openapi.yaml

@@ -4444,6 +4444,10 @@ paths:
           in: header
           description: set externally to indicate real source of the request
           type: string
+        - name: x-forwarded-user
+          in: header
+          description: set externally to indicate the remote username in the case of proxy auth
+          type: string
         - name: request
           in: body
           description: Lifespan of the token

st2common/st2common/openapi.yaml.j2

@@ -4440,6 +4440,10 @@ paths:
           in: header
           description: set externally to indicate real source of the request
           type: string
+        - name: x-forwarded-user
+          in: header
+          description: set externally to indicate the remote username in the case of proxy auth
+          type: string
         - name: request
           in: body
           description: Lifespan of the token