From 6c02f178347507aac3dfc38f54d11038480ef131 Mon Sep 17 00:00:00 2001
From: Jeremiah Millay
Date: Tue, 24 Oct 2023 23:36:29 -0400
Subject: [PATCH 1/2] Fix st2 cli client auth in st2auth proxy mode
---
 CHANGELOG.rst | 3 +++
 st2auth/st2auth/handlers.py | 19 +++++++++++++++++++
 st2auth/tests/unit/test_handlers.py | 25 +++++++++++++++++++++++++
 3 files changed, 47 insertions(+)
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index a319356872..bc1a125c10 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -6,6 +6,9 @@ in development
 Fixed
 ~~~~~
+* Additional fixes for st2 client auth when proxy auth mode enabled
+ Contributed by @floatingstatic
+
 * Fix issue with linux pack actions failed to run remotely due to incorrect python shebang. #5983 #6042
 Contributed by Ronnie Hoffmann (@ZoeLeah Schwarz IT KG)
diff --git a/st2auth/st2auth/handlers.py b/st2auth/st2auth/handlers.py
index f6540bcda7..0bf9600c3e 100644
--- a/st2auth/st2auth/handlers.py
+++ b/st2auth/st2auth/handlers.py
@@ -130,6 +130,25 @@ def handle_auth(
 remote_addr = headers.get("x-forwarded-for", remote_addr)
 extra = {"remote_addr": remote_addr}
+ # Needed to support st2client which does not connect via st2web
+ if authorization and not remote_user:
+ try:
+ auth_value = base64.b64decode(authorization[1])
+ except Exception:
+ LOG.audit("Invalid authorization header", extra=extra)
+ abort_request()
+ return
+
+ split = auth_value.split(b":", 1)
+ if len(split) != 2:
+ LOG.audit("Invalid authorization header", extra=extra)
+ abort_request()
+ return
+
+ remote_user = split[0]
+ if six.PY3 and isinstance(remote_user, six.binary_type):
+ remote_user = remote_user.decode("utf-8")
+
 if remote_user:
 ttl = getattr(request, "ttl", None)
 username = self._get_username_for_request(remote_user, request)
diff --git a/st2auth/tests/unit/test_handlers.py b/st2auth/tests/unit/test_handlers.py
index cf00e642a6..bb29732913 100644
--- a/st2auth/tests/unit/test_handlers.py
+++ b/st2auth/tests/unit/test_handlers.py
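Review bot: In the st2auth/st2auth/handlers.py hunk, the added `if authorization and not remote_user:` branch takes the username from the decoded Basic value and never looks at `split[1]`, so within the visible lines a token would be issued for whatever name the header carries, with no password check in this handler. That is sound only if every route to st2auth in proxy mode passes through a front end that has already validated the Authorization header; the hunk shows no such guarantee, so the comment should state it, e.g. `# Trusts the Authorization header: the fronting proxy must already have verified these credentials, and st2auth must not be reachable without it`. The branch also ignores the scheme in `authorization[0]`, and `remote_user.decode("utf-8")` sits outside the `try`, so a non-UTF-8 name raises instead of reaching `abort_request()`; consider `if authorization and not remote_user and authorization[0].lower() == "basic":` and moving the decode into the guarded block. handle_auth starts and ends outside the hunk.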
@@ -48,6 +48,31 @@ def test_proxy_handler(self):
 )
 self.assertEqual(token.user, "test_proxy_handler")
+ def test_proxy_handler_no_remote_user(self):
+ h = handlers.ProxyAuthHandler()
+ request = {}
+ token = h.handle_auth(
+ request,
+ headers={},
+ remote_addr=None,
+ remote_user=None,
+ authorization=("basic", DUMMY_CREDS),
+ )
+ self.assertEqual(token.user, "auser")
+
+ def test_proxy_handler_bad_auth(self):
+ h = handlers.ProxyAuthHandler()
+ request = {}
+
+ with self.assertRaises(exc.HTTPUnauthorized):
+ h.handle_auth(
+ request,
+ headers={},
+ remote_addr=None,
+ remote_user=None,
+ authorization=None,
+ )
+
 def test_standalone_bad_auth_type(self):
 h = handlers.StandaloneAuthHandler()
 request = {}
From 661fd715faa71de2ac81c753a354761f29ce9f28 Mon Sep 17 00:00:00 2001
From: Eugen C <1533818+armab@users.noreply.github.com>
Date: Tue, 7 Nov 2023 13:51:34 +0000
Subject: [PATCH 2/2] Update CHANGELOG.rst for #6049
---
 CHANGELOG.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index bc1a125c10..a306838c8e 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -6,7 +6,7 @@ in development
 Fixed
 ~~~~~
-* Additional fixes for st2 client auth when proxy auth mode enabled
+* Additional fixes for st2 client auth when proxy auth mode enabled #6049
 Contributed by @floatingstatic
 * Fix issue with linux pack actions failed to run remotely due to incorrect python shebang. #5983 #6042
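Review bot: In st2auth/tests/unit/test_handlers.py, `test_proxy_handler_bad_auth` passes `authorization=None`, so it never enters the branch this patch adds and presumably only exercises the anonymous-denied path that already existed. Neither "Invalid authorization header" exit is covered: a second tuple element that fails base64 decoding, and one that decodes to a value with no `:`. Add one case for each expecting `exc.HTTPUnauthorized`, plus one with a non-basic scheme in the first tuple element to pin how the handler treats it. `test_proxy_handler_no_remote_user` should also carry a comment such as `# token is issued from the header's username alone; the proxy is assumed to have verified the password`, since that is the trust assumption the test fixes in place.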