Skip to content

Commit

Permalink
Check if the Authorization header for Basic Authentication is valid
Browse files Browse the repository at this point in the history 
If the header is not valid, DRF returns None when calling the
authenticate() method. This can cause troubles when users are
leveraging the remote authentication because Pulp thinks they
are anonymous users. In the end, authorized users cannot
push or pull content from Pulp. This affects only admin users
in scenarios where the token authentication is disabled.

closes #1577

(cherry picked from commit b1c5d70)
  • Loading branch information
@lubosmj @patchback
lubosmj authored and patchback[bot] committed Jun 27, 2024
1 parent d776b14 commit 6bdcf21
Show file tree
Hide file tree
Showing 2 changed files with 10 additions and 9 deletions.
1 change: 1 addition & 0 deletions CHANGES/1577.bugfix
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Fixed a bug that disallowed users from leveraging the remote authentication.
18 changes: 9 additions & 9 deletions pulp_container/app/token_verification.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -64,29 +64,29 @@ class RegistryAuthentication(BasicAuthentication):
A basic authentication class that accepts empty username and password as anonymous.
"""

PULP_AUTHENTICATION_CLASS = "pulpcore.app.authentication.PulpRemoteUserAuthentication"
PULP_REMOTE_AUTHENTICATION_CLASS = "pulpcore.app.authentication.PulpRemoteUserAuthentication"
AUTH_CLASSES = settings.REST_FRAMEWORK["DEFAULT_AUTHENTICATION_CLASSES"]
ALLOWS_REMOTE_AUTHENTICATION = PULP_REMOTE_AUTHENTICATION_CLASS in AUTH_CLASSES

def authenticate(self, request):
"""
Perform basic authentication with the exception to accept empty credentials.
For anonymous user, Podman sends 'Authorization': 'Basic Og=='.
This represents ":" in base64.
If basic authentication could not success, remote webserver authentication is considered.
"""
if request.headers.get("Authorization") == "Basic Og==":
return (AnonymousUser, None)

try:
return super().authenticate(request)
user = super().authenticate(request)
except AuthenticationFailed:
if self.PULP_AUTHENTICATION_CLASS in self.AUTH_CLASSES:
if self.ALLOWS_REMOTE_AUTHENTICATION:
return RemoteUserRegistryAuthentication().authenticate(request)
else:
raise

if user is None and self.ALLOWS_REMOTE_AUTHENTICATION:
return RemoteUserRegistryAuthentication().authenticate(request)
else:
return user


class RemoteUserRegistryAuthentication(RemoteUserAuthentication):
"""
Expand Down

0 comments on commit 6bdcf21

Please sign in to comment.