From 96c7d4cfbedb0d76c85de16952c955b901ffbd47 Mon Sep 17 00:00:00 2001
From: Lubos Mjachky
Date: Sat, 13 Apr 2024 16:48:11 +0200
Subject: [PATCH] Check if the Authorization header for Basic Authentication is valid

If the header is not valid, DRF returns None when calling the authenticate() method. This can cause troubles when users are leveraging the remote authentication because Pulp thinks they are anonymous users. In the end, authorized users cannot push or pull content from Pulp. This affects only admin users in scenarios where the token authentication is disabled. closes #1577
---
 CHANGES/1577.bugfix | 1 +
 pulp_container/app/token_verification.py | 18 +++++++++---------
 2 files changed, 10 insertions(+), 9 deletions(-)
 create mode 100644 CHANGES/1577.bugfix

diff --git a/CHANGES/1577.bugfix b/CHANGES/1577.bugfix
new file mode 100644
index 000000000..effd11439
--- /dev/null
+++ b/CHANGES/1577.bugfix
@@ -0,0 +1 @@
+Fixed a bug that disallowed users from leveraging the remote authentication.
diff --git a/pulp_container/app/token_verification.py b/pulp_container/app/token_verification.py
index cf0426b08..119a61f26 100644
--- a/pulp_container/app/token_verification.py
+++ b/pulp_container/app/token_verification.py
@@ -64,29 +64,29 @@ class RegistryAuthentication(BasicAuthentication):
     A basic authentication class that accepts empty username and password as anonymous.
     """
 
-    PULP_AUTHENTICATION_CLASS = "pulpcore.app.authentication.PulpRemoteUserAuthentication"
+    PULP_REMOTE_AUTHENTICATION_CLASS = "pulpcore.app.authentication.PulpRemoteUserAuthentication"
     AUTH_CLASSES = settings.REST_FRAMEWORK["DEFAULT_AUTHENTICATION_CLASSES"]
+    ALLOWS_REMOTE_AUTHENTICATION = PULP_REMOTE_AUTHENTICATION_CLASS in AUTH_CLASSES
 
     def authenticate(self, request):
         """
         Perform basic authentication with the exception to accept empty credentials.
 
-        For anonymous user, Podman sends 'Authorization': 'Basic Og=='.
-        This represents ":" in base64.
-
         If basic authentication could not success, remote webserver authentication is considered.
         """
-        if request.headers.get("Authorization") == "Basic Og==":
-            return (AnonymousUser, None)
-
         try:
-            return super().authenticate(request)
+            user = super().authenticate(request)
         except AuthenticationFailed:
-            if self.PULP_AUTHENTICATION_CLASS in self.AUTH_CLASSES:
+            if self.ALLOWS_REMOTE_AUTHENTICATION:
                 return RemoteUserRegistryAuthentication().authenticate(request)
             else:
                 raise
 
+        if user is None and self.ALLOWS_REMOTE_AUTHENTICATION:
+            return RemoteUserRegistryAuthentication().authenticate(request)
+        else:
+            return user
+
 
 class RemoteUserRegistryAuthentication(RemoteUserAuthentication):
     """
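Review bot: The new `user is None` branch means a request carrying no Authorization header at all (or a non-Basic scheme, the case where DRF's BasicAuthentication returns None as the commit message says) is now authenticated solely from the remote-user header via `RemoteUserRegistryAuthentication`, which is the intended fix but widens what that header decides, and neither the method docstring (still "If basic authentication could not success, remote webserver authentication is considered.") nor the class docstring says so; I would reword it to `If Basic credentials are absent or fail to authenticate, remote webserver authentication is used when it is enabled.` The fallback call is now duplicated between the except branch and the tail, and the trailing `else: return user` is redundant after a `return`, so the restructuring below keeps behaviour while stating the fallback once. `ALLOWS_REMOTE_AUTHENTICATION` is evaluated once at class-definition time from `settings`, so settings changed later (for example under override_settings in tests) will not be seen — worth a comment if that is deliberate. The `class RegistryAuthentication` header and anything after the `RemoteUserRegistryAuthentication` docstring lie outside the hunk, so whether empty-credential handling survives elsewhere after the removal of the `Basic Og==` shortcut cannot be confirmed here.
```python
        try:
            user = super().authenticate(request)
        except AuthenticationFailed:
            # Without remote-user auth there is nothing to fall back to.
            if not self.ALLOWS_REMOTE_AUTHENTICATION:
                raise
            user = None

        # None means DRF found no usable Basic credentials; a failed Basic
        # attempt lands here too when remote-user auth is enabled.
        if user is None and self.ALLOWS_REMOTE_AUTHENTICATION:
            return RemoteUserRegistryAuthentication().authenticate(request)
        return user
```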