Proof of concept for reverse-proxy auth #95
Conversation
That looks very good. I don't have time to set up a test environment until the weekend. I will then test and merge or let you know if I run into problems. Awesome work @weaversam8!
First test went fine! I have added the commits in the branch feature/proxy-header-auth. This branch includes a minimal test example. A more serious example would be useful. Some thoughts:
Branch updated: 3ed05d5 to cf202ad
- deny unauthenticated user, in case the proxy has been skipped
- mini example with Caddy as proxy adding pseudo authenticated headers
Branch updated: cf202ad to 7203ae0
I just pulled and tested these changes. Fixed one tiny bug in 7b3098c but otherwise this looks great! I think this example is plenty sufficient to show how this is used, thanks for putting that together! I rebased my branch off of main and pushed, so this PR should be good to merge (since it now contains your changes.)
Merged. Thank you for the work. Will do a new release including this feature within the next two days.
This commit adds a new auth manager class for authorizing via proxy headers, `ProxyHeaderAuth`, which can be selected by setting the `AUTH_METHOD` env var to `PROXY_HEADER`.

- This auth manager looks for the following headers in order to create a "pseudo-user" on each request. No users are committed to the SQLite database when using this auth manager.
  - `X-OtterWiki-Name` - the name of the user to include on the Git commit when editing a page
  - `X-OtterWiki-Email` - the email of the user to include on the Git commit when editing a page
  - `X-OtterWiki-Permissions` - a comma separated list of permissions to grant to the user
- The Docker `entrypoint.sh` script has been updated to pass the `AUTH_METHOD` config option through if set in the environment.
- `has_permission(permission, user)` is now a method specific to each auth manager
- auth managers now implement a `supported_features()` method to detail which features they support (like whether an auth manager allows a user to change their name or password, or logout)
  - the features object this method returns is present in all Jinja templates as the variable `auth_supported_features`
  - the settings page was updated to prevent a user from editing their password and name if it is not supported by the current auth manager.
  - the dropdown menu present on all pages was updated to hide the "logout" button if it is not supported by the current auth manager
- The `test_settings.py` test was updated to tolerate extra whitespace

CC @redimp. I didn't make the headers configurable for now, and I'm sure this is a bit hacky, so interested to hear what you think.
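As an added illustration (not An Otter Wiki's code and not part of this PR), the sketch below shows how the per-request pseudo-user built from the `X-OtterWiki-*` headers and the maintainer's "deny unauthenticated user, in case the proxy has been skipped" rule fit together; the class layout, the `authorize` helper, `PseudoUser` and the feature-flag keys are assumptions, only the header names come from the PR.

```python
from dataclasses import dataclass, field

# Header names as described in the PR; the reverse proxy is expected to set them.
HEADER_NAME = "X-OtterWiki-Name"
HEADER_EMAIL = "X-OtterWiki-Email"
HEADER_PERMISSIONS = "X-OtterWiki-Permissions"


@dataclass(frozen=True)
class PseudoUser:
    """Per-request identity; never persisted to the database."""
    name: str
    email: str
    permissions: frozenset = field(default_factory=frozenset)


class ProxyHeaderAuth:
    """Assumed shape of a proxy-header auth manager (illustrative, not the project's)."""

    def supported_features(self):
        # Identity is owned by the proxy, so the wiki cannot change it or log out.
        return {"change_name": False, "change_password": False, "logout": False}

    def user_from_headers(self, headers):
        # HTTP header names are case-insensitive; normalise before lookup.
        h = {k.lower(): v for k, v in headers.items()}
        name = h.get(HEADER_NAME.lower(), "").strip()
        email = h.get(HEADER_EMAIL.lower(), "").strip()
        if not name or not email:
            # Missing identity headers means the proxy was skipped or is
            # misconfigured: treat the request as unauthenticated.
            return None
        raw = h.get(HEADER_PERMISSIONS.lower(), "")
        perms = frozenset(p.strip().lower() for p in raw.split(",") if p.strip())
        return PseudoUser(name, email, perms)

    def has_permission(self, permission, user):
        return user is not None and permission.lower() in user.permissions


def authorize(headers, permission):
    """Return (allowed, user). Unauthenticated requests are always denied."""
    auth = ProxyHeaderAuth()
    user = auth.user_from_headers(headers)
    if user is None:
        return False, None
    return auth.has_permission(permission, user), user
```

This check only holds if the wiki is reachable solely through the proxy and the proxy overwrites any `X-OtterWiki-*` headers a client sends itself, which is what the "proxy has been skipped" remark is about.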