Merge pull request #4175 from GeoNode/ISSUE_4174

[Fixes #4174] Proxy should pass Bearer authentication to Geoserver transparently
GeoNode · Jan 24, 2019 · 81255d5 · 81255d5
2 parents 7f82e24 + e6cf56a
commit 81255d5
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 18 deletions.
diff --git a/geonode/geoserver/signals.py b/geonode/geoserver/signals.py
@@ -525,7 +525,7 @@ def command_url(command):
 
     for style in instance.styles.all():
         legend_url = ogc_server_settings.PUBLIC_LOCATION + \
-            'wms?request=GetLegendGraphic&format=image/png&WIDTH=20&HEIGHT=20&LAYER=' + \
+            'ows?service=WMS&request=GetLegendGraphic&format=image/png&WIDTH=20&HEIGHT=20&LAYER=' + \
             instance.alternate + '&STYLE=' + style.name + \
             '&legend_options=fontAntiAliasing:true;fontSize:12;forceLabels:on'
 

diff --git a/geonode/proxy/views.py b/geonode/proxy/views.py
@@ -59,14 +59,16 @@
     "^(?i)(version)=(\d\.\d\.\d)(?i)&(?i)request=(?i)(GetCapabilities)&(?i)service=(?i)(\w\w\w)$")
 
 
-def header_auth_view(auth_header):
-    encoded_credentials = auth_header.split(' ')[1]  # Removes "Basic " to isolate credentials
-    decoded_credentials = base64.b64decode(encoded_credentials).decode("utf-8").split(':')
-    username = decoded_credentials[0]
-    password = decoded_credentials[1]
-    # if the credentials are correct, then the feed_bot is not None, but is a User object.
-    feed_bot = authenticate(username=username, password=password)
-    return feed_bot
+def user_from_basic_auth(auth_header):
+    if 'Basic' in auth_header:
+        encoded_credentials = auth_header.split(' ')[1]  # Removes "Basic " to isolate credentials
+        decoded_credentials = base64.b64decode(encoded_credentials).decode("utf-8").split(':')
+        username = decoded_credentials[0]
+        password = decoded_credentials[1]
+        # if the credentials are correct, then the feed_bot is not None, but is a User object.
+        user = authenticate(username=username, password=password)
+        return user
+    return None
 
 
 @requires_csrf_token
@@ -172,9 +174,11 @@ def proxy(request, url=None, response_callback=None,
             'HTTP_AUTHORIZATION',
             request.META.get('HTTP_AUTHORIZATION2'))
         if auth:
-            _user = header_auth_view(auth)
+            _user = user_from_basic_auth(auth)
             if not _user:
-                headers['Authorization'] = auth
+                if 'Bearer' in auth:
+                    access_token = auth.replace('Bearer ', '')
+                    headers['Authorization'] = auth
             else:
                 try:
                     from oauth2_provider.models import AccessToken, get_application_model
@@ -185,9 +189,8 @@ def proxy(request, url=None, response_callback=None,
                     traceback.print_exc()
                     logger.error("Could retrieve OAuth2 Access Token for user %s" % _user)
 
-    if access_token:
-        if request.method in ("POST", "PUT", "DELETE"):
-            headers['Authorization'] = 'Bearer %s' % access_token
+    if access_token and not headers.get('Authorization'):
+        headers['Authorization'] = 'Bearer %s' % access_token
 
     site_url = urlsplit(settings.SITEURL)
 
@@ -211,14 +214,11 @@ def proxy(request, url=None, response_callback=None,
 
     _url = parsed.geturl()
 
-    if access_token and 'access_token' not in _url:
+    if request.method == "GET" and access_token and 'access_token' not in _url:
         query_separator = '&' if '?' in _url else '?'
         _url = ('%s%saccess_token=%s' %
                 (_url, query_separator, access_token))
 
-    logger.debug(" - REQUEST HEADERS %s " % headers)
-    logger.debug(" - URL %s " % _url)
-
     conn.request(request.method, _url, request.body, headers)
     response = conn.getresponse()
     content = response.read()