Skip to content

Fix st2 cli client auth in st2auth proxy mode #6049

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
arm4b merged 3 commits into from
Nov 10, 2023
Merged

Fix st2 cli client auth in st2auth proxy mode #6049

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
6c02f17
Fix st2 cli client auth in st2auth proxy mode
floatingstatic Oct 25, 2023
661fd71
Update CHANGELOG.rst for #6049
arm4b Nov 7, 2023
580c278
Merge branch 'master' into proxy-st2client
arm4b Nov 7, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions CHANGELOG.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,9 @@ in development

Fixed
~~~~~
* Additional fixes for st2 client auth when proxy auth mode enabled #6049
Contributed by @floatingstatic

* Fix issue with linux pack actions failed to run remotely due to incorrect python shebang. #5983 #6042
Contributed by Ronnie Hoffmann (@ZoeLeah Schwarz IT KG)

Expand Down
19 changes: 19 additions & 0 deletions st2auth/st2auth/handlers.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -130,6 +130,25 @@ def handle_auth(
remote_addr = headers.get("x-forwarded-for", remote_addr)
extra = {"remote_addr": remote_addr}

# Needed to support st2client which does not connect via st2web
if authorization and not remote_user:
try:
auth_value = base64.b64decode(authorization[1])
except Exception:
LOG.audit("Invalid authorization header", extra=extra)
abort_request()
return

split = auth_value.split(b":", 1)
if len(split) != 2:
LOG.audit("Invalid authorization header", extra=extra)
abort_request()
return

remote_user = split[0]
if six.PY3 and isinstance(remote_user, six.binary_type):
Copy link
Contributor

@amanda11 amanda11 Nov 10, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we need to have checks on whether its python3 any more?

Copy link
Contributor Author

@floatingstatic floatingstatic Nov 10, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Probably not but i was just keeping consistent with what is used in other handlers, for example:

st2/st2auth/st2auth/handlers.py

Lines 212 to 216 in 32a243a

if six.PY3 and isinstance(username, six.binary_type):
username = username.decode("utf-8")
if six.PY3 and isinstance(password, six.binary_type):
password = password.decode("utf-8")

decode("utf-8") is needed even without the conditional in my testing.

remote_user = remote_user.decode("utf-8")

if remote_user:
ttl = getattr(request, "ttl", None)
username = self._get_username_for_request(remote_user, request)
Expand Down
25 changes: 25 additions & 0 deletions st2auth/tests/unit/test_handlers.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -48,6 +48,31 @@ def test_proxy_handler(self):
)
self.assertEqual(token.user, "test_proxy_handler")

def test_proxy_handler_no_remote_user(self):
h = handlers.ProxyAuthHandler()
request = {}
token = h.handle_auth(
request,
headers={},
remote_addr=None,
remote_user=None,
authorization=("basic", DUMMY_CREDS),
)
self.assertEqual(token.user, "auser")

def test_proxy_handler_bad_auth(self):
h = handlers.ProxyAuthHandler()
request = {}

with self.assertRaises(exc.HTTPUnauthorized):
h.handle_auth(
request,
headers={},
remote_addr=None,
remote_user=None,
authorization=None,
)

def test_standalone_bad_auth_type(self):
h = handlers.StandaloneAuthHandler()
request = {}
Expand Down