Update changelog for 4.4.2

security: rework previous fixes to use the new use_remote_user_var_in_nginx_conf in ssowat conf introduced in yunohost 11.1.2
Stupid typo
2024-09-03 20:06:27 +02:00 · 2023-01-10 14:11:39 +01:00 · 2023-01-10 14:10:40 +01:00 · 2023-01-10 14:10:40 +01:00 · 2023-01-10 14:10:40 +01:00 · 2023-01-10 14:10:40 +01:00
3 changed files with 80 additions and 27 deletions
--- a/access.lua
+++ b/access.lua
@ -315,9 +315,28 @@ for permission_name, permission_infos in pairs(conf["permissions"]) do
    end
 end
 ---
 --- 5. CHECK CLIENT-PROVIDED AUTH HEADER (should almost never happen?)
 ---
 if permission ~= nil then
    perm_user_remote_user_var_in_nginx_conf = permission["use_remote_user_var_in_nginx_conf"]
    if perm_user_remote_user_var_in_nginx_conf == nil or perm_user_remote_user_var_in_nginx_conf == true then
        is_logged_in_with_basic_auth = hlp.validate_or_clear_basic_auth_header_provided_by_client()
        -- NB: is_logged_in_with_basic_auth can be false, true or nil
        if is_logged_in_with_basic_auth == false then
            return ngx.exit(ngx.HTTP_UNAUTHORIZED)
        elseif is_logged_in_with_basic_auth == true then
            is_logged_in = true
        end
    end
 end
 --
 --
-- 5. APPLY PERMISSION
+-- 6. APPLY PERMISSION
 --
 --
@ -333,7 +352,11 @@ if hlp.has_access(permission) then
        -- add it to the response
        if permission["auth_header"] then
            hlp.set_headers()
        else
            hlp.clear_headers()
        end
    else
        hlp.clear_headers()
    end
    return hlp.pass()
--- a/debian/changelog
+++ b/debian/changelog
@ -1,3 +1,18 @@
 ssowat (4.4.2) stable; urgency=low
  - Authentication headers are ONLY set when user is logged in and has access to app Prevents impersonating users on public applications where the auth headers were not cleared (676f157)
  - security: Also check client-provided auth headers to prevent impersonation, based on new use_remote_user_var_in_nginx_conf in ssowatconf (7e8b0e0, f59accd, f939b63, 56c2726)
  Thanks to all contributors <3 ! (selfhoster1312)
 -- Alexandre Aubin <alex.aubin@mailoo.org>  Tue, 10 Jan 2023 14:03:06 +0100
 ssowat (4.4.1) stable; urgency=low
  - Bump version for 4.4.1 stable
 -- Alexandre Aubin <alex.aubin@mailoo.org>  Tue, 09 Aug 2022 23:34:30 +0200
 ssowat (4.4.0) testing; urgency=low
  - Bump version for 4.4.0
--- a/helpers.lua
+++ b/helpers.lua
@ -256,35 +256,40 @@ function refresh_logged_in()
        return false
    end
    -- If client set the `Proxy-Authorization` header before reaching the SSO,
    -- we want to match user and password against the user database.
    --
    -- It allows to bypass the cookie-based procedure with a per-request
    -- authentication. This is useful to authenticate on the SSO during
    -- curl requests for example.
    local auth_header = ngx.req.get_headers()["Proxy-Authorization"]
    if auth_header then
        _, _, b64_cred = string.find(auth_header, "^Basic%s+(.+)$")
        if b64_cred == nil then
            return is_logged_in
        end
        _, _, user, password = string.find(ngx.decode_base64(b64_cred), "^(.+):(.+)$")
        user = authenticate(user, password)
        if user then
            logger.debug("User got authenticated through basic auth")
            authUser = user
            is_logged_in = true
        else
            -- https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/407
            ngx.status = 407
        end
    end
    return is_logged_in
 end
 function validate_or_clear_basic_auth_header_provided_by_client()
    -- Ignore if no Auth header
    local auth_header = ngx.req.get_headers()["Authorization"]
    if auth_header == nil then
        return nil
    end
    -- Ignore if not a Basic auth header
    _, _, b64_cred = string.find(auth_header, "^Basic%s+(.+)$")
    if b64_cred == nil then
        return nil
    end
    -- Try to authenticate the user,
    -- or remove the Auth header if not valid
    _, _, user, password = string.find(ngx.decode_base64(b64_cred), "^(.+):(.+)$")
    user = authenticate(user, password)
    if user then
        logger.debug("User got authenticated through basic auth")
        authUser = user
        return true
    else
        ngx.req.clear_header("Authorization")
        return false -- ngx.exit(ngx.HTTP_UNAUTHORIZED)
    end
 end
 -- Check whether a user is allowed to access a URL using the `permissions` directive
 -- of the configuration file
 function has_access(permission, user)
@ -413,6 +418,16 @@ function set_headers(user)
 end
 -- Removes the authentication headers. Call me when:
 --   - app is public and user is not authenticated
 --   - app requests that no authentication headers be sent
 -- Prevents user from pretending to be someone else on public apps
 function clear_headers()
    -- NB: Basic Auth header is cleared in validate_or_clear_basic_auth_header_provided_by_client
    for k, v in pairs(conf["additional_headers"]) do
        ngx.req.clear_header(k)
    end
 end
 function refresh_user_cache(user)
    -- We definitely don't want to pass credentials on a non-encrypted
Author	SHA1	Message	Date
Alexandre Aubin	43cfb9684f	Update changelog for 4.4.2	2023-01-10 14:11:39 +01:00
Alexandre Aubin	8bd2a53ee7	security: rework previous fixes to use the new use_remote_user_var_in_nginx_conf in ssowat conf introduced in yunohost 11.1.2	2023-01-10 14:10:40 +01:00
Alexandre Aubin	b6aba201cd	Stupid typo	2023-01-10 14:10:40 +01:00
Alexandre Aubin	ca7cf2c2cc	Iterate on previous security fixes: ignore Auth header on PROPFIND routes, and don't drop Auth header which are not Basic auth	2023-01-10 14:10:40 +01:00
Alexandre Aubin	1f56a08621	security: Also check client-provided auth headers to prevent impersonation	2023-01-10 14:10:40 +01:00
selfhoster1312	7fc0350788	Authentication headers are ONLY set when user is logged in and has access to app Prevents impersonating users on public applications where the auth headers were not cleared	2023-01-10 14:10:40 +01:00
Alexandre Aubin	7719d46240	Update changelog for 4.4.1	2022-08-09 23:34:47 +02:00