RegistryAuthentication fails to fall back to PulpRemoteUserAuthentication if no authorization header exists #1577

ianballou · 2024-03-28T15:08:16Z

Version
I believe any version of pulp-container that supports container push (for me, specifically 2.16.3)

Describe the bug
The following auth settings are set:

REMOTE_USER_ENVIRON_NAME = 'HTTP_REMOTE_USER'
AUTHENTICATION_BACKENDS = ['pulpcore.app.authentication.PulpNoCreateRemoteUserBackend']

REST_FRAMEWORK__DEFAULT_AUTHENTICATION_CLASSES = (
    'rest_framework.authentication.SessionAuthentication',
    'pulpcore.app.authentication.PulpRemoteUserAuthentication'
)
TOKEN_AUTH_DISABLED=True

When trying to push container content (like blobs) to Pulp, authentication always fails even if REMOTE_USER is correctly set to 'admin'.

It's caused by the following:

pulp_container/pulp_container/app/token_verification.py

Lines 82 to 88 in ef0a194

    
           try: 
        
               return super().authenticate(request) 
        
           except AuthenticationFailed: 
        
               if self.PULP_AUTHENTICATION_CLASS in self.AUTH_CLASSES: 
        
                   return RemoteUserRegistryAuthentication().authenticate(request) 
        
               else: 
        
                   raise

If there is no auth header, or if it doesn't have "Bearer ..." in it, super().authenticate(request) returns None instead of throwing AuthenticationFailed. This in turn causes the AnonymousUser to be used instead of admin.

The rules for returning None vs throwing AuthenticationFailed are here: https://github.com/encode/django-rest-framework/blob/085b7e166ba80aa973645e5249b441f2dbdc0c96/rest_framework/authentication.py#L66-L67

To Reproduce
Try to push container content, like blobs with the settings above. HTTP_REMOTE_USER should be set to 'admin'.

Expected behavior
Auth is successful

Additional context
This was tested on a Katello development install with in-development container push code. Ping me if anything should be tested on my environment.

The text was updated successfully, but these errors were encountered:

ianballou · 2024-03-28T17:04:18Z

Example headers:

{'Host': 'centos8-katello-devel.example.com', 'Remote-User': 'admin', 'X-Forwarded-Host': 'centos8-katello-devel.example.com', 'Ssl-Client-Verify': 'SUCCESS', 'Accept': '', 'User-Agent': 'rest-client/2.1.0 (linux x86_64) ruby/2.7.8p225', 'Via': '1.1 centos8-katello-devel.example.com', 'X-Forwarded-For': '192.168.122.147', 'Connection': 'Keep-Alive', 'X-Forwarded-Server': 'centos8-katello-devel.example.com', 'X-Forwarded-Proto': 'https', 'Ssl-Client-S-Dn': 'CN=centos8-katello-devel.example.com,OU=PUPPET,O=FOREMAN,ST=North Carolina,C=US', 'Authorization': 'OAuth oauth_nonce="83uUxZN8iMwMkmB9AEscNb85YRzcq4NjT5WuTlTto", oauth_signature="InlN1ZJlQ1W1EuNetAfk8Gr%2FPkc%3D", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1711576760", oauth_version="1.0"', 'Accept-Encoding': 'gzip;q=1.0,deflate;q=0.6,identity;q=0.3', 'Ssl-Client-Cert': '-----BEGIN CERTIFICATE----- <REDACTED> -----END CERTIFICATE----- '}

closes pulp#1577

If the header is not valid, DRF returns None when calling the authenticate() method. This can cause troubles when users are leveraging the remote authentication because Pulp thinks they are using anonymous tokens. In the end, authorized users cannot push or pull content from Pulp. closes pulp#1577

If the header is not valid, DRF returns None when calling the authenticate() method. This can cause troubles when users are leveraging the remote authentication because Pulp thinks they are anonymous users. In the end, authorized users cannot push or pull content from Pulp. This affects only admin users in scenarios where the token authentication is disabled. closes pulp#1577

If the header is not valid, DRF returns None when calling the authenticate() method. This can cause troubles when users are leveraging the remote authentication because Pulp thinks they are anonymous users. In the end, authorized users cannot push or pull content from Pulp. This affects only admin users in scenarios where the token authentication is disabled. closes #1577

If the header is not valid, DRF returns None when calling the authenticate() method. This can cause troubles when users are leveraging the remote authentication because Pulp thinks they are anonymous users. In the end, authorized users cannot push or pull content from Pulp. This affects only admin users in scenarios where the token authentication is disabled. closes #1577 (cherry picked from commit b1c5d70)

ianballou added Issue Triage-Needed labels Mar 28, 2024

github-project-automation bot added this to Pulp Container Roadmap Mar 28, 2024

github-project-automation bot moved this to Not Started in Pulp Container Roadmap Mar 28, 2024

ianballou mentioned this issue Mar 28, 2024

Push api seems to not support PulpRemoteUserAuthentication #558

Closed

ianballou mentioned this issue Apr 1, 2024

Fixes #37302 - push containers through Katello Katello/katello#10952

Merged

lubosmj removed the Triage-Needed label Apr 2, 2024

lubosmj self-assigned this Apr 2, 2024

lubosmj moved this from Not Started to In Progress in Pulp Container Roadmap Apr 2, 2024

pulpbot added this to RH Pulp Kanban board Apr 2, 2024

pulpbot moved this to In Progress in RH Pulp Kanban board Apr 2, 2024

lubosmj added a commit to lubosmj/pulp_container that referenced this issue Apr 13, 2024

Check if the Authorization header for Basic Authentication is valid

6c313b1

closes pulp#1577

lubosmj mentioned this issue Apr 13, 2024

Check if the Authorization header for Basic Authentication is valid #1589

Merged

lubosmj added a commit to lubosmj/pulp_container that referenced this issue Apr 13, 2024

Check if the Authorization header for Basic Authentication is valid

3f8f8fa

closes pulp#1577

lubosmj closed this as completed in #1589 Apr 23, 2024

github-project-automation bot moved this from In Progress to Done in Pulp Container Roadmap Apr 23, 2024

pulpbot moved this from In Progress to Done in RH Pulp Kanban board Apr 23, 2024

patchback bot mentioned this issue Apr 23, 2024

[PR #1589/b1c5d706 backport][2.19] Check if the Authorization header for Basic Authentication is valid #1600

Merged

lubosmj moved this from Done to Shipped in Pulp Container Roadmap Apr 23, 2024

BlueCase mentioned this issue Apr 29, 2024

401 - unauthorized pull /v2 #1605

Closed

patchback bot mentioned this issue Jun 27, 2024

[PR #1589/b1c5d706 backport][2.16] Check if the Authorization header for Basic Authentication is valid #1678

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

RegistryAuthentication fails to fall back to PulpRemoteUserAuthentication if no authorization header exists #1577

RegistryAuthentication fails to fall back to PulpRemoteUserAuthentication if no authorization header exists #1577

ianballou commented Mar 28, 2024

ianballou commented Mar 28, 2024 •

edited

Loading

RegistryAuthentication fails to fall back to PulpRemoteUserAuthentication if no authorization header exists #1577

RegistryAuthentication fails to fall back to PulpRemoteUserAuthentication if no authorization header exists #1577

Comments

ianballou commented Mar 28, 2024

ianballou commented Mar 28, 2024 • edited Loading

ianballou commented Mar 28, 2024 •

edited

Loading