From d87d05974a1bfaa24bbe1fcede97890d7e784e21 Mon Sep 17 00:00:00 2001 From: afabiani Date: Thu, 24 Jan 2019 14:12:55 +0100 Subject: [PATCH 1/4] [Fixes #304] Proxy should pass Bearer authentication to Geoserver transparently --- geonode/geoserver/signals.py | 2 +- geonode/proxy/views.py | 23 ++++++++++++----------- 2 files changed, 13 insertions(+), 12 deletions(-) diff --git a/geonode/geoserver/signals.py b/geonode/geoserver/signals.py index 42cf6e40dda..8a7937c968b 100644 --- a/geonode/geoserver/signals.py +++ b/geonode/geoserver/signals.py @@ -525,7 +525,7 @@ def command_url(command): for style in instance.styles.all(): legend_url = ogc_server_settings.PUBLIC_LOCATION + \ - 'wms?request=GetLegendGraphic&format=image/png&WIDTH=20&HEIGHT=20&LAYER=' + \ + 'ows?service=WMS&request=GetLegendGraphic&format=image/png&WIDTH=20&HEIGHT=20&LAYER=' + \ instance.alternate + '&STYLE=' + style.name + \ '&legend_options=fontAntiAliasing:true;fontSize:12;forceLabels:on' diff --git a/geonode/proxy/views.py b/geonode/proxy/views.py index 2b42a853d6a..118ec7be4f7 100644 --- a/geonode/proxy/views.py +++ b/geonode/proxy/views.py 
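Review bot: The legend URL in the `@@ -525,7 +525,7 @@` hunk of geonode/geoserver/signals.py is assembled by concatenating `instance.alternate` and `style.name` without URL-encoding. A layer or style name containing `&`, `#`, `+` or a space would yield a broken link or extra query parameters. Building the query with `urlencode`, or quoting just those two values, avoids that. The loop body continues outside the hunk.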
@@ -60,13 +60,15 @@ def header_auth_view(auth_header): - encoded_credentials = auth_header.split(' ')[1] # Removes "Basic " to isolate credentials - decoded_credentials = base64.b64decode(encoded_credentials).decode("utf-8").split(':') - username = decoded_credentials[0] - password = decoded_credentials[1] - # if the credentials are correct, then the feed_bot is not None, but is a User object. - feed_bot = authenticate(username=username, password=password) - return feed_bot + if 'Basic' in auth_header: + encoded_credentials = auth_header.split(' ')[1] # Removes "Basic " to isolate credentials + decoded_credentials = base64.b64decode(encoded_credentials).decode("utf-8").split(':') + username = decoded_credentials[0] + password = decoded_credentials[1] + # if the credentials are correct, then the feed_bot is not None, but is a User object. + feed_bot = authenticate(username=username, password=password) + return feed_bot + return None @requires_csrf_token @@ -175,6 +177,8 @@ def proxy(request, url=None, response_callback=None, _user = header_auth_view(auth) if not _user: headers['Authorization'] = auth + if 'Bearer' in auth: + access_token = auth.replace('Bearer ', '') else: try: from oauth2_provider.models import AccessToken, get_application_model @@ -211,14 +215,11 @@ def proxy(request, url=None, response_callback=None, _url = parsed.geturl() - if access_token and 'access_token' not in _url: + if request.method == "GET" and access_token and 'access_token' not in _url: query_separator = '&' if '?' in _url else '?' _url = ('%s%saccess_token=%s' % (_url, query_separator, access_token)) - logger.debug(" - REQUEST HEADERS %s " % headers) - logger.debug(" - URL %s " % _url) - conn.request(request.method, _url, request.body, headers) response = conn.getresponse() content = response.read() From 304350363d2810b5ac789067a920c65de2101f3e Mon Sep 17 00:00:00 2001 
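Review bot: `header_auth_view` (hunk `@@ -60,13 +60,15 @@` of geonode/proxy/views.py) still parses the client-supplied Authorization header in ways that fail on ordinary input. `'Basic' in auth_header` is a substring test, so any header that merely contains that text enters the branch; `split(' ')[1]` and `b64decode(...).decode("utf-8")` raise on missing or malformed credentials, which presumably surfaces as a server error for an unauthenticated request; and `split(':')` cuts the password at its first colon, so a valid password containing `:` is rejected. The version below matches the scheme by prefix, returns None on undecodable input and splits on the first colon only. The same body is carried over unchanged when patch 3/4 renames the function to `user_from_basic_auth`.

```python
def header_auth_view(auth_header):
    scheme, _, encoded_credentials = auth_header.partition(' ')
    if scheme.lower() != 'basic':
        return None
    try:
        decoded_credentials = base64.b64decode(encoded_credentials.strip()).decode("utf-8")
    except (TypeError, ValueError):
        # malformed base64 or non-UTF-8 bytes: treat as "no Basic user"
        return None
    username, separator, password = decoded_credentials.partition(':')
    if not separator:
        return None
    return authenticate(username=username, password=password)
```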
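Review bot: The Bearer detection added in the `@@ -175,6 +177,8 @@` hunk of `proxy()` uses `'Bearer' in auth` and `auth.replace('Bearer ', '')`, which test and strip the text anywhere in the header rather than as its scheme. A header whose scheme is written `bearer` is not recognised (HTTP auth schemes are case-insensitive), and a value that contains the text elsewhere is altered by the `replace`. Splitting once on the scheme is stricter: `scheme, _, token = auth.partition(' ')` followed by `if scheme.lower() == 'bearer': access_token = token.strip()`. The same test recurs in the `proxy()` hunks of patches 2/4 and 3/4, and the body of `proxy()` starts and ends outside this hunk.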
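Review bot: In the `@@ -211,14 +215,11 @@` hunk the token is interpolated into `_url` without URL-encoding, and since this patch it can come straight from the client's Authorization header. A value containing `&`, `#` or whitespace would change the query string sent upstream, so it should be quoted, e.g. `_url = '%s%saccess_token=%s' % (_url, query_separator, quote(access_token, safe=''))`, with `quote` taken from the URL library of the Python version in use. `'access_token' not in _url` is also a substring test over the whole URL, so a path or another parameter value containing that text suppresses the token; checking the parsed query keys would be exact. Tokens in query strings tend to end up in access logs, so the header form is preferable wherever the upstream accepts it. `proxy()` continues outside the hunk.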
From: afabiani Date: Thu, 24 Jan 2019 14:58:41 +0100 Subject: [PATCH 2/4] [Fixes #4174] - Proxy should pass Bearer authentication to Geoserver transparently --- geonode/proxy/views.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/geonode/proxy/views.py b/geonode/proxy/views.py index 118ec7be4f7..502a543789e 100644 --- a/geonode/proxy/views.py +++ b/geonode/proxy/views.py @@ -176,9 +176,10 @@ def proxy(request, url=None, response_callback=None, if auth: _user = header_auth_view(auth) if not _user: - headers['Authorization'] = auth if 'Bearer' in auth: access_token = auth.replace('Bearer ', '') + else: + headers['Authorization'] = auth else: try: from oauth2_provider.models import AccessToken, get_application_model From 393db2c456a94e69a30b977cfd89acd8af9d2d44 Mon Sep 17 00:00:00 2001 From: afabiani Date: Thu, 24 Jan 2019 15:39:00 +0100 Subject: [PATCH 3/4] [Fixes #4174] - Proxy should pass Bearer authentication to Geoserver transparently --- geonode/proxy/views.py | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/geonode/proxy/views.py b/geonode/proxy/views.py index 502a543789e..c05c5bcc97a 100644 --- a/geonode/proxy/views.py +++ b/geonode/proxy/views.py @@ -59,15 +59,15 @@ "^(?i)(version)=(\d\.\d\.\d)(?i)&(?i)request=(?i)(GetCapabilities)&(?i)service=(?i)(\w\w\w)$") -def header_auth_view(auth_header): +def user_from_basic_auth(auth_header): if 'Basic' in auth_header: encoded_credentials = auth_header.split(' ')[1] # Removes "Basic " to isolate credentials decoded_credentials = base64.b64decode(encoded_credentials).decode("utf-8").split(':') username = decoded_credentials[0] password = decoded_credentials[1] # if the credentials are correct, then the feed_bot is not None, but is a User object. - feed_bot = authenticate(username=username, password=password) - return feed_bot + user = authenticate(username=username, password=password) + return user return None 
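Review bot: The comment kept in `user_from_basic_auth` (hunk `@@ -59,15 +59,15 @@` of patch 3/4) still refers to `feed_bot` after the variable was renamed to `user`, and the renamed function has no docstring stating when it returns None. I would change the comment to `# authenticate() returns a User when the credentials are valid, otherwise None` and add a one-line docstring such as `"""Return the user for a Basic Authorization header, or None if the header is not Basic or the credentials are rejected."""`. That `authenticate` returns None on failure is inferred from the existing comment, since its import is outside the hunk.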
@@ -174,11 +174,10 @@ def proxy(request, url=None, response_callback=None, 'HTTP_AUTHORIZATION', request.META.get('HTTP_AUTHORIZATION2')) if auth: - _user = header_auth_view(auth) + _user = user_from_basic_auth(auth) # if not _user: if 'Bearer' in auth: access_token = auth.replace('Bearer ', '') - else: headers['Authorization'] = auth else: try: @@ -190,9 +189,9 @@ def proxy(request, url=None, response_callback=None, traceback.print_exc() logger.error("Could retrieve OAuth2 Access Token for user %s" % _user) - if access_token: - if request.method in ("POST", "PUT", "DELETE"): - headers['Authorization'] = 'Bearer %s' % access_token + + if access_token and not headers.get('Authorization'): + headers['Authorization'] = 'Bearer %s' % access_token site_url = urlsplit(settings.SITEURL) From e6cf56a43e2171a09f968644724298abdd871697 Mon Sep 17 00:00:00 2001 From: afabiani Date: Thu, 24 Jan 2019 16:39:29 +0100 Subject: [PATCH 4/4] - Fix pep8 issues --- geonode/proxy/views.py | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/geonode/proxy/views.py b/geonode/proxy/views.py index c05c5bcc97a..026d64b9390 100644 --- a/geonode/proxy/views.py +++ b/geonode/proxy/views.py @@ -174,7 +174,7 @@ def proxy(request, url=None, response_callback=None, 'HTTP_AUTHORIZATION', request.META.get('HTTP_AUTHORIZATION2')) if auth: - _user = user_from_basic_auth(auth) # + _user = user_from_basic_auth(auth) if not _user: if 'Bearer' in auth: access_token = auth.replace('Bearer ', '') @@ -189,7 +189,6 @@ def proxy(request, url=None, response_callback=None, traceback.print_exc() logger.error("Could retrieve OAuth2 Access Token for user %s" % _user) - if access_token and not headers.get('Authorization'): headers['Authorization'] = 'Bearer %s' % access_token
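Review bot: With the `@@ -190,9 +189,9 @@` hunk of patch 3/4 the `Authorization: Bearer` header is set for every method, so the `access_token=` query parameter that patch 1/4 still appends on GET now sends the same token twice, once in a place that is commonly logged. Dropping the query-string form, or keeping it only where the upstream cannot read the header, would reduce exposure. The hunk also shows no check that the destination is the GeoServer host before the token is attached. If `proxy()` can reach other allowed hosts, the header should be added only when the target netloc matches the configured GeoServer location. `proxy()` starts and ends outside the hunk, so that check may already exist elsewhere.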