From 51ed1c32a9a76217fb6d4f669e53f90bdf5b89ac Mon Sep 17 00:00:00 2001
From: Lubos Mjachky
Date: Sat, 13 Apr 2024 16:48:11 +0200
Subject: [PATCH] Check if the Authorization header for Basic Authentication is valid

If the header is not valid, DRF returns None when calling the authenticate() method. This can cause troubles when users are leveraging the remote authentication because Pulp thinks they are using anonymous tokens. In the end, authorized users cannot push or pull content from Pulp.

closes #1577
---
 CHANGES/1577.bugfix                      |  1 +
 pulp_container/app/token_verification.py | 12 +++++++++---
 2 files changed, 10 insertions(+), 3 deletions(-)
 create mode 100644 CHANGES/1577.bugfix

diff --git a/CHANGES/1577.bugfix b/CHANGES/1577.bugfix
new file mode 100644
index 000000000..effd11439
--- /dev/null
+++ b/CHANGES/1577.bugfix
@@ -0,0 +1 @@
+Fixed a bug that disallowed users from leveraging the remote authentication.
diff --git a/pulp_container/app/token_verification.py b/pulp_container/app/token_verification.py
index cf0426b08..81e94de09 100644
--- a/pulp_container/app/token_verification.py
+++ b/pulp_container/app/token_verification.py
@@ -64,8 +64,9 @@ class RegistryAuthentication(BasicAuthentication):
     A basic authentication class that accepts empty username and password as anonymous.
     """
 
-    PULP_AUTHENTICATION_CLASS = "pulpcore.app.authentication.PulpRemoteUserAuthentication"
+    PULP_REMOTE_AUTHENTICATION_CLASS = "pulpcore.app.authentication.PulpRemoteUserAuthentication"
     AUTH_CLASSES = settings.REST_FRAMEWORK["DEFAULT_AUTHENTICATION_CLASSES"]
+    ALLOWS_REMOTE_AUTHENTICATION = PULP_REMOTE_AUTHENTICATION_CLASS in AUTH_CLASSES
 
     def authenticate(self, request):
         """
@@ -80,13 +81,18 @@ def authenticate(self, request):
             return (AnonymousUser, None)
 
         try:
-            return super().authenticate(request)
+            result = super().authenticate(request)
         except AuthenticationFailed:
-            if self.PULP_AUTHENTICATION_CLASS in self.AUTH_CLASSES:
+            if self.ALLOWS_REMOTE_AUTHENTICATION:
                 return RemoteUserRegistryAuthentication().authenticate(request)
             else:
                 raise
 
+        if result is None and self.ALLOWS_REMOTE_AUTHENTICATION:
+            return RemoteUserRegistryAuthentication().authenticate(request)
+        else:
+            return result
+
 
 class RemoteUserRegistryAuthentication(RemoteUserAuthentication):
     """
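Review bot: The new `result is None` branch after the try block is broader than the commit message suggests: in DRF, `BasicAuthentication.authenticate()` returns None when the Authorization header is absent or uses a non-Basic scheme (a malformed Basic header raises `AuthenticationFailed`, which the except branch already handled), so with remote authentication enabled every request that merely lacks Basic credentials is now routed to `RemoteUserRegistryAuthentication`. That is only safe if the remote-user header that class reads cannot be supplied by the client, i.e. the reverse proxy is guaranteed to strip or overwrite it; I cannot see that class here, so a comment on the new branch stating the assumption, e.g. `# No usable Basic credentials: defer to the proxy-supplied remote user (only a trusted proxy may set that header)`, would help the next reader. The two fallbacks to `RemoteUserRegistryAuthentication().authenticate(request)` can also be folded into one path so the policy lives in a single place, and the trailing `else: return result` can become a plain `return result`. The start of `authenticate()`, including the empty-credentials anonymous check, is above this hunk.
```python
        try:
            result = super().authenticate(request)
        except AuthenticationFailed:
            if not self.ALLOWS_REMOTE_AUTHENTICATION:
                raise
            result = None

        # result is None when Basic credentials were absent, used another
        # scheme, or were rejected; the remote-user header consulted next must
        # only ever be set by a trusted proxy.
        if result is None and self.ALLOWS_REMOTE_AUTHENTICATION:
            return RemoteUserRegistryAuthentication().authenticate(request)
        return result
```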