diff --git a/editoast/src/views/mod.rs b/editoast/src/views/mod.rs
index 3d784f03cc2..79fa63b9828 100644
--- a/editoast/src/views/mod.rs
+++ b/editoast/src/views/mod.rs
@@ -123,8 +123,7 @@ editoast_common::schemas! {
 pub enum Authentication {
 /// The issuer of the request did not provide any authentication information.
 Unauthenticated,
- /// The issuer of the request provided the 'x-remote-user' header, which contains the
- /// identity and name of the user.
+ /// The issuer of the request provided the 'x-remote-user-identity' header.
 Authenticated(Authorizer>),
 /// The requests comes from a Core instance. All requests are considered safe.
 Core,
@@ -172,17 +171,23 @@ async fn authenticate(
 PgAuthDriver::::new(db_pool),
 )));
 }
- let Some(header) = headers.get("x-remote-user") else {
+ let Some(identity) = headers.get("x-remote-user-identity") else {
 if headers.contains_key("x-osrd-core") {
 return Ok(Authentication::Core);
 }
 return Ok(Authentication::Unauthenticated);
 };
- let (identity, name) = header
+ let identity = identity
 .to_str()
- .expect("unexpected non-ascii characters in x-remote-user")
- .split_once('/') // FIXME: the gateway should inject two headers instead
- .expect("odd x-remote-user format");
+ .expect("unexpected non-ascii characters in x-remote-user-identity");
+
+ let name = match headers.get("x-remote-user-name") {
+ Some(name) => name
+ .to_str()
+ .expect("unexpected non-ascii characters in x-remote-user-name"),
+ None => "",
+ };
+
 let authorizer = Authorizer::try_initialize(
 UserInfo {
 identity: identity.to_owned(),
diff --git a/gateway/src/request_modifier.rs b/gateway/src/request_modifier.rs
index 0bc8fb96801..17c73a1fd8f 100644
--- a/gateway/src/request_modifier.rs
+++ b/gateway/src/request_modifier.rs
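Review bot: The rewritten doc comment on the `Authenticated` variant no longer mentions the user's name, although this same commit makes `authenticate` read an optional `x-remote-user-name` header alongside the identity one. Suggest `/// The issuer of the request provided the 'x-remote-user-identity' header, and optionally 'x-remote-user-name'.` so the enum documents both inputs its value depends on.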
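Review bot: The new `x-remote-user-name` branch calls `.to_str().expect(...)`, which panics whenever the header value contains bytes outside visible ASCII; since the gateway now forwards a human display name in this header, a non-ASCII name is a realistic value rather than an invariant violation, and a panic in a per-request code path is the wrong failure mode. Treating an undecodable name like an absent one keeps the request alive: `let name = headers.get("x-remote-user-name").map_or("", |v| v.to_str().unwrap_or(""));` (or map the error into the function's error type if it can carry it). The unchanged `expect` on `x-remote-user-identity` is likewise a panic path for any malformed header that reaches editoast; whether anything other than the gateway can reach this handler is not visible here. `authenticate` begins and ends outside the hunk.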
@@ -2,18 +2,25 @@ use actix_auth::{AuthStatus, RequestAuth, RequestAuthExt}; use actix_proxy::{ClientRequest, HeaderName, HeaderValue, WebsocketsRequest}; use actix_web::error::ErrorForbidden; -fn check_auth(request_auth: &RequestAuth) -> Result { +struct UserInformation { + identity: String, + name: String, +} + +fn check_auth(request_auth: &RequestAuth) -> Result { match request_auth.status() { AuthStatus::Unknown => Err(ErrorForbidden("authentication required")), AuthStatus::Error(_) => Err(ErrorForbidden("authentication error")), AuthStatus::Known { provider_handler, user_id, - .. + username, } => { let provider_id = request_auth.context().get_provider_id(*provider_handler); - let remote_user = format!("{provider_id}/{user_id}"); - Ok(remote_user) + Ok(UserInformation { + identity: format!("{provider_id}/{user_id}"), + name: username.clone().unwrap_or_default(), + }) } } } @@ -21,7 +28,8 @@ fn check_auth(request_auth: &RequestAuth) -> Result { #[derive(Clone)] pub struct ProxyAuthAdapter; -static AUTH_USER_ID: HeaderName = HeaderName::from_static("x-remote-user"); +static AUTH_USER_ID: HeaderName = HeaderName::from_static("x-remote-user-identity"); +static AUTH_USER_NAME: HeaderName = HeaderName::from_static("x-remote-user-name"); impl actix_proxy::RequestModifier for ProxyAuthAdapter { fn modify_http_request( @@ -34,7 +42,15 @@ impl actix_proxy::RequestModifier for ProxyAuthAdapter { }; let remote_user = check_auth(&request_auth)?; let headers = back_request.headers_mut(); - headers.insert(AUTH_USER_ID.clone(), HeaderValue::from_str(&remote_user)?); + headers.insert( + AUTH_USER_ID.clone(), + HeaderValue::from_str(&remote_user.identity)?, + ); + headers.insert( + AUTH_USER_NAME.clone(), + HeaderValue::from_str(&remote_user.name)?, + ); + Ok(()) } 
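Review bot: `HeaderValue::from_str(&remote_user.name)?` in `modify_http_request` fails for any string with characters outside visible ASCII, so if the provider's `username` can carry accented or non-Latin characters (its charset is not visible in this diff), every proxied request for such a user is rejected by the gateway instead of being forwarded; the same applies to `.set_header(AUTH_USER_NAME.clone(), remote_user.name)` in the websocket hunk that follows. Either encode the name before building the header (for example percent-encoding, decoded on the editoast side) or fall back to an empty name when conversion fails, e.g. `HeaderValue::from_str(&remote_user.name).unwrap_or_else(|_| HeaderValue::from_static(""))`. Keeping the strict `?` for the identity header is reasonable, since `check_auth` formats that value itself from `provider_id` and `user_id`. `modify_http_request` starts outside the hunk.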
@@ -47,6 +63,8 @@ impl actix_proxy::RequestModifier for ProxyAuthAdapter {
 return Err(ErrorForbidden("missing authentication data"));
 };
 let remote_user = check_auth(&request_auth)?;
- Ok(back_request.set_header(AUTH_USER_ID.clone(), remote_user))
+ Ok(back_request
+ .set_header(AUTH_USER_ID.clone(), remote_user.identity)
+ .set_header(AUTH_USER_NAME.clone(), remote_user.name))
 }
 }