Conversation

@vladak (Member) commented Jul 23, 2019

As discussed in #2872, the current documentation on https://github.com/oracle/opengrok/wiki/Authorization gives dangerous advice in terms of enabling HTTP Basic authentication for the web application.

This decoder addition forms a basis for subsequent work (e.g. adding an authorization plugin that checks the user against a whitelist, similarly to what the pre-existing LDAP plugins do).

I will update the above mentioned documentation once this is merged in.
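To show what a header decoder of the kind this PR adds has to get right before any allowlist check can run on the extracted user, here is an added, stand-alone Python sketch (not OpenGrok's Java code and not the decoder from this PR). It parses an `Authorization: Basic` value into a username and rejects every malformed form (other scheme, bad base64, non-UTF-8 bytes, missing `user:` separator) rather than guessing; the `foo`/`bar` credentials and the allowlist are constructed sample values that mirror the test `tomcat-users.xml` below.

```python
import base64
import binascii


def decode_basic_auth_header(header_value):
    """Return (username, password) parsed from an Authorization header
    value using the Basic scheme, or None when the header is absent,
    uses a different scheme, or is malformed in any way.

    The container (Tomcat) has already authenticated the request by the
    time a decoder like this runs; its only job is to recover the user
    identity reliably so an authorization plugin can act on it."""
    if header_value is None:
        return None
    scheme, _, credentials = header_value.strip().partition(" ")
    credentials = credentials.strip()
    # Scheme names are case-insensitive (RFC 7235); anything but Basic is
    # not ours to decode.
    if scheme.lower() != "basic" or not credentials:
        return None
    try:
        # validate=True rejects characters outside the base64 alphabet
        # instead of silently discarding them.
        raw = base64.b64decode(credentials, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    # Only the first colon separates user from password; the password
    # itself may contain colons.
    username, sep, password = text.partition(":")
    if not sep or not username:
        return None
    return username, password


def authorize(header_value, allowed_users):
    """Allowlist check layered on the decoder: returns the username when
    it decodes cleanly and is in allowed_users, otherwise None (deny).
    allowed_users is a hypothetical, constructed set for this example."""
    creds = decode_basic_auth_header(header_value)
    if creds is None:
        return None
    username = creds[0]
    return username if username in allowed_users else None


if __name__ == "__main__":
    # Constructed sample: base64("foo:bar") as Tomcat would receive it.
    print(authorize("Basic Zm9vOmJhcg==", {"foo"}))  # foo
```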

@vladak (Member, Author) commented Jul 23, 2019

Tested by adding this to WEB-INF/web.xml:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>API endpoints are checked separately by the web app</web-resource-name>
            <url-pattern>/api/*</url-pattern>
        </web-resource-collection>
    </security-constraint>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>In general everything needs to be authenticated</web-resource-name>
            <url-pattern>/*</url-pattern> <!-- protect the whole application -->
        </web-resource-collection>

        <auth-constraint>
            <role-name>*</role-name>
        </auth-constraint>

        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <security-role>
        <role-name>*</role-name>
    </security-role>

    <login-config>
        <auth-method>BASIC</auth-method>
    </login-config>

and creating conf/tomcat-users.xml:

    <?xml version='1.0' encoding='utf-8'?>
    <tomcat-users xmlns="http://tomcat.apache.org/xml"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                  xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
                  version="1.0">

      <user username="foo" password="bar" roles="tomcat,manager-script"/>
    </tomcat-users>

and adding this to the read-only configuration:

    <void property="pluginStack">
        <void property="stack">
            <!-- get user cred from HTTP headers -->
            <void method="add">
                <object class="org.opengrok.indexer.authorization.AuthorizationPlugin">
                    <void property="name">
                        <string>opengrok.auth.plugin.UserPlugin</string>
                    </void>
                    <void property="flag">
                        <string>REQUISITE</string>
                    </void>
                    <void property="setup">
                        <void method="put">
                            <string>decoder</string>
                            <string>opengrok.auth.plugin.decoders.HttpBasicAuthHeaderDecoder</string>
                        </void>
                    </void>
                </object>
            </void>
        </void>
    </void>

Running the indexer with:

    -s /var/opengrok/src -d /var/opengrok/data -P -H -S -G \
    -R /var/opengrok/etc/readonly_configuration-BasicHttpAuth.xml \
    -W /var/opengrok/etc/configuration.xml \
    -U http://localhost:8080/source

works fine.

@vladak (Member, Author) commented Jul 23, 2019

To make sure this covers the /search API endpoint checks, I added project/group matching so that the stack config looks like this:

    <void property="pluginStack">
        <void property="stack">
            <!-- get user cred from HTTP headers -->
            <void method="add">
                <object class="org.opengrok.indexer.authorization.AuthorizationPlugin">
                    <void property="forGroups">
                        <void method="add">
                            <string>Solaris</string>
                        </void>
                    </void>
                    <void property="forProjects">
                        <void method="add">
                            <string>solaris-userland</string>
                        </void>
                    </void>
                    <void property="name">
                        <string>opengrok.auth.plugin.UserPlugin</string>
                    </void>
                    <void property="flag">
                        <string>REQUISITE</string>
                    </void>
                    <void property="setup">
                        <void method="put">
                            <string>decoder</string>
                            <string>opengrok.auth.plugin.decoders.HttpBasicAuthHeaderDecoder</string>
                        </void>
                    </void>
                </object>
            </void>
        </void>
    </void>

and did a non-localhost request (`http_proxy= curl -s 'http://10.x.y.z:8080/source/api/v1/search?full=hack&projects=solaris-userland&projects=jna' | jq`) and compared that to the results received before the change: solaris-userland was no longer included in the results.

Also, to add some detail about the testing, the read-only configuration had this:

    <void property="pluginDirectory">
        <string>/var/opengrok/share/auth/plugins</string>
        <!-- <string>/usr/opengrok/share/plugins</string> -->
    </void>

The directory contained plugins.jar from the original install and I copied the new decoder binary to /var/opengrok/share/auth/plugins/opengrok/auth/plugin/decoders/HttpBasicAuthHeaderDecoder.class.

@vladak vladak merged commit a63edcb into oracle:master Jul 24, 2019
@vladak vladak deleted the basic_http_auth_decoder branch July 24, 2019 21:29