diff --git a/deploy/docker/cp-edge/validate_proxy_auth.lua b/deploy/docker/cp-edge/validate_proxy_auth.lua
index dae90cede3..dd7d2d4763 100644
--- a/deploy/docker/cp-edge/validate_proxy_auth.lua
+++ b/deploy/docker/cp-edge/validate_proxy_auth.lua
@@ -178,6 +178,9 @@ local function get_basic_token()
 local user = user_pass[1]
 local pass = user_pass[2]
+ -- Remove any whitespace/newline from the token (some clients tend to add trailing newline)
+ pass = string.gsub(pass, '%s+', '')
+
 if (is_empty(user) or is_empty(pass)) then
 ngx.log(ngx.WARN, "Basic HTTP Authorization header is set and decoded, but user or pass is missing: " .. authorization)
 return nil
@@ -188,10 +191,10 @@ end
 local token = get_basic_token()
 if is_empty(token) then
- ngx.status = ngx.HTTP_UNAUTHORIZED
 ngx.log(ngx.WARN, "[SECURITY] Request " .. ngx.var.request .. " is rejected; Status: Authentication failed; Message: Token is not provided")
- ngx.exit(ngx.HTTP_UNAUTHORIZED)
+ ngx.header["Proxy-Authenticate"] = "Basic realm=\"Cloud Pipeline EDGE\""
+ ngx.exit(407)
 end
 local cert_path = os.getenv("JWT_PUB_KEY")
diff --git a/workflows/pipe-common/resources/linux/template.dcv b/workflows/pipe-common/resources/linux/template.dcv
index e39506cd1c..f26b097b1d 100644
--- a/workflows/pipe-common/resources/linux/template.dcv
+++ b/workflows/pipe-common/resources/linux/template.dcv
@@ -5,6 +5,8 @@ format=1.0
 proxytype=HTTP
 proxyhost={CP_PROXY}
 proxyport={CP_PROXY_PORT}
+proxyuser={CP_PROXY_USER}
+proxypassword={CP_PROXY_TOKEN}
 host={CP_HOST}
 port={CP_HOST_PORT}
-sessionid=session
+sessionid={CP_USERNAME}-session
diff --git a/workflows/pipe-common/resources/windows/template.dcv b/workflows/pipe-common/resources/windows/template.dcv
index cc13c6f7b3..68e6ff5bc4 100644
--- a/workflows/pipe-common/resources/windows/template.dcv
+++ b/workflows/pipe-common/resources/windows/template.dcv
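Review bot: `string.gsub(pass, '%s+', '')` runs before the `is_empty(user) or is_empty(pass)` check, so if the decoded header carries no password part and `pass` is nil, gsub raises an error instead of reaching the logged `return nil` path; whether `user_pass[2]` can be nil depends on the split, which is outside this hunk. The pattern also removes whitespace anywhere in the value, which is wider than the trailing newline the comment describes and means the token that gets validated is no longer the bytes the client sent. Guarding and anchoring the call covers both: `if pass then pass = string.gsub(pass, '%s+$', '') end`. get_basic_token begins and ends outside the hunk.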
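Review bot: A 407 with `Proxy-Authenticate` makes a client retry with `Proxy-Authorization`, while the warning in get_basic_token refers to the "Basic HTTP Authorization header"; the header lookup is not part of this diff, so confirm it reads `Proxy-Authorization`, otherwise the retried request never carries a token this script sees. The bare `407` would read better with a comment such as `-- 407, not 401: EDGE is addressed as an HTTP proxy here, so the client must retry with Proxy-Authorization`. Because the challenge asks for Basic credentials, the token is only base64-encoded on the wire, so the same comment should state that this listener is expected to be reached over TLS, if that is the case.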
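Review bot: `proxypassword={CP_PROXY_TOKEN}` puts the platform API token in clear text into a connection file that is downloaded and kept on the user's machine; the same line is added to windows/template.dcv, and the value is filled in by get_desktop_file in serve_desktop.py. Anyone who obtains a saved .dcv file can authenticate to the proxy as that user for as long as the token stays valid. The token's lifetime and scope are not visible in this diff, so a short-lived or narrowly scoped token is the safer value for this field, and the documentation that accompanies these templates should say that generated files are credentials and must not be shared or committed.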
@@ -5,6 +5,8 @@ format=1.0
 proxytype=HTTP
 proxyhost={CP_PROXY}
 proxyport={CP_PROXY_PORT}
+proxyuser={CP_PROXY_USER}
+proxypassword={CP_PROXY_TOKEN}
 host={CP_HOST}
 port={CP_HOST_PORT}
 sessionid=console
diff --git a/workflows/pipe-common/scripts/serve_desktop.py b/workflows/pipe-common/scripts/serve_desktop.py
index 5a9da1cc7c..f10c086137 100644
--- a/workflows/pipe-common/scripts/serve_desktop.py
+++ b/workflows/pipe-common/scripts/serve_desktop.py
@@ -48,6 +48,7 @@ class Config:
 template_path = None
 connection_name = None
 personal = None
+ api_token = ''
 app = Flask(__name__)
@@ -66,7 +67,9 @@ def get_desktop_file():
 CP_HOST=Config.local_ip,
 CP_HOST_PORT=Config.local_port,
 CP_USERNAME=user_name,
- CP_PASSWORD=Config.user_pass)
+ CP_PASSWORD=Config.user_pass,
+ CP_PROXY_USER=user_name,
+ CP_PROXY_TOKEN=Config.api_token)
 elif template_type == NXS:
 template_data = template_data.format(CP_PROXY=proxy_host,
 CP_PROXY_PORT=proxy_port,
@@ -156,6 +159,7 @@ def start(serving_port, desktop_port, template_path):
 user_pass = _extract_parameter('OWNER_PASSWORD', default=user_name)
 if not user_pass:
 raise RuntimeError('Cannot get OWNER_PASSWORD from environment')
+ api_token = _extract_parameter('API_TOKEN')
 personal = _extract_boolean_parameter('CP_CAP_DESKTOP_NM_USER_CONNECTION_FILES', default='true')
 logging.basicConfig(level=logging_level, format=logging_format)
@@ -187,6 +191,7 @@ def start(serving_port, desktop_port, template_path):
 Config.template_path = template_path
 Config.connection_name = connection_name
 Config.personal = personal
+ Config.api_token = api_token
 logger.info('Starting web server on {} port...'.format(serving_port))
 app.run(port=serving_port, host='0.0.0.0')
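Review bot: `CP_PROXY_TOKEN=Config.api_token` hands the single token read from the `API_TOKEN` environment variable to every caller of get_desktop_file, while `CP_PROXY_USER` is the per-request `user_name`; if `user_name` can differ from the run owner (its origin is outside the hunk), the caller receives the owner's token under their own name. The last hunk's context shows the server listening with `host='0.0.0.0'`, so whatever authentication protects this route now guards an API token in addition to the desktop password. Confirm the requester is the owner before filling the field, for example `CP_PROXY_TOKEN=Config.api_token if user_name == Config.owner else ''`, where `Config.owner` is a placeholder for whatever owner attribute Config actually holds. get_desktop_file starts and ends outside the hunk.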
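Review bot: `API_TOKEN` is read without the missing-value check that `OWNER_PASSWORD` gets just above it; if `_extract_parameter` returns None when the variable is unset (its body is not in the diff), `Config.api_token` loses its `''` default and `str.format` writes the literal text `None` into `proxypassword`. Either fail fast as is done for the password, or keep the empty default with `api_token = _extract_parameter('API_TOKEN', default='')`. The value should also be kept out of the `logger` calls later in start(), whose body continues outside the hunk.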