Check if the Authorization header for Basic Authentication is valid
If the header is not valid, DRF returns None when calling the
authenticate() method. This can cause trouble when users are
leveraging remote authentication, because Pulp then treats them
as anonymous users. In the end, authorized users cannot
push or pull content from Pulp. This affects only admin users
in scenarios where the token authentication is disabled.

closes pulp#1577
lubosmj committed Apr 23, 2024
1 parent e040992 commit b1c5d70
Showing 2 changed files with 10 additions and 9 deletions.
1 change: 1 addition & 0 deletions CHANGES/1577.bugfix
@@ -0,0 +1 @@
Fixed a bug that disallowed users from leveraging the remote authentication.
18 changes: 9 additions & 9 deletions pulp_container/app/token_verification.py
Expand Up @@ -64,29 +64,29 @@ class RegistryAuthentication(BasicAuthentication):
A basic authentication class that accepts empty username and password as anonymous.
"""

PULP_AUTHENTICATION_CLASS = "pulpcore.app.authentication.PulpRemoteUserAuthentication"
PULP_REMOTE_AUTHENTICATION_CLASS = "pulpcore.app.authentication.PulpRemoteUserAuthentication"
AUTH_CLASSES = settings.REST_FRAMEWORK["DEFAULT_AUTHENTICATION_CLASSES"]
ALLOWS_REMOTE_AUTHENTICATION = PULP_REMOTE_AUTHENTICATION_CLASS in AUTH_CLASSES

def authenticate(self, request):
"""
Perform basic authentication with the exception to accept empty credentials.
For anonymous user, Podman sends 'Authorization': 'Basic Og=='.
This represents ":" in base64.
If basic authentication could not success, remote webserver authentication is considered.
"""
if request.headers.get("Authorization") == "Basic Og==":
return (AnonymousUser, None)

try:
return super().authenticate(request)
user = super().authenticate(request)
except AuthenticationFailed:
if self.PULP_AUTHENTICATION_CLASS in self.AUTH_CLASSES:
if self.ALLOWS_REMOTE_AUTHENTICATION:
return RemoteUserRegistryAuthentication().authenticate(request)
else:
raise

if user is None and self.ALLOWS_REMOTE_AUTHENTICATION:
return RemoteUserRegistryAuthentication().authenticate(request)
else:
return user


class RemoteUserRegistryAuthentication(RemoteUserAuthentication):
"""
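Review bot: The new `user is None` fallback at the end of `authenticate` now routes every request that carries no Basic credentials at all — no `Authorization` header, or a non-Basic scheme such as `Bearer` — to `RemoteUserRegistryAuthentication`, so the webserver-supplied remote-user header becomes the effective credential for those requests; that is only safe when the fronting webserver is the sole path to this endpoint and always sets or strips that header, which the code cannot enforce and neither the docstring nor the commit states. I would record that trust boundary in the docstring and fix its wording at the same time, replacing `If basic authentication could not success, remote webserver authentication is considered.` with `If no Basic credentials are sent, or they are rejected, remote webserver authentication is tried instead; the remote-user header must be set or stripped by the fronting webserver and never trusted straight from the client.` The local name `user` is misleading, since DRF's `authenticate` returns a `(user, auth)` tuple or `None`; `user_auth` or `credentials` reads more honestly at `user = super().authenticate(request)` and `return user`. Note also that the pre-existing `except AuthenticationFailed` branch still hides a wrong Basic password behind the remote-user fallback, so when the remote header is absent the client presumably ends up anonymous rather than receiving the 401 for its bad credentials — worth a one-line comment if that is intended.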
