From 18df4bbc327193b92a3c4861bdbf6bd388e9a321 Mon Sep 17 00:00:00 2001
From: Alexandre Aubin
Date: Tue, 30 Jan 2024 19:46:18 +0100
Subject: [PATCH] ssowatconf: replace use_remote_user_var_in_nginx_conf with protect_against_basic_auth_spoofing, and basic-with/without-password for the auth_header flag
---
src/app.py | 24 +++++++++++++++++++++---
1 file changed, 21 insertions(+), 3 deletions(-)
diff --git a/src/app.py b/src/app.py
index 7348df50f..2ec02cd13 100644
--- a/src/app.py
+++ b/src/app.py
@@ -1668,16 +1668,34 @@ def app_ssowatconf():
 continue
 app_id = perm_name.split(".")[0]
+ app_settings = _get_app_settings(app_id)
+
+ # Stupid hard-coded hack until we properly propagate this to apps ...
+ apps_that_need_password_in_auth_header = ["nextcloud"]
+
+ if perm_info["auth_header"]:
+ if app_id in apps_that_need_password_in_auth_header:
+ auth_header = "basic-with-password"
+ elif app_settings.get("auth_header"):
+ auth_header = app_settings.get("auth_header")
+ assert auth_header in ["basic-with-password", "basic-without-password"]
+ else:
+ auth_header = "basic-without-password"
+ else:
+ auth_header = None
 permissions[perm_name] = {
- "use_remote_user_var_in_nginx_conf": app_id
- in apps_using_remote_user_var_in_nginx,
 "users": perm_info["corresponding_users"],
- "auth_header": perm_info["auth_header"],
+ "auth_header": auth_header,
 "public": "visitors" in perm_info["allowed"],
 "uris": uris,
 }
+ # Apps can opt out of the auth spoofing protection using this if they really need to,
+ # but that's a huge security hole and ultimately should never happen...
+ if app_settings.get("protect_against_basic_auth_spoofing", True) in [False, "False", "false", "0", 0]:
+ permissions[perm_name]["protect_against_basic_auth_spoofing"] = False
+
 # Next: portal related
 # No need to keep apps that aren't supposed to be displayed in portal
 if not perm_info.get("show_tile", False):
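Review bot: The line `assert auth_header in ["basic-with-password", "basic-without-password"]` validates a value read from the app's own settings, and `assert` statements are stripped when the interpreter runs with `-O`, so in that mode an unexpected `auth_header` setting is copied unchecked into the SSOwat permission entry; an explicit exception keeps the check in every mode, e.g. `if auth_header not in ("basic-with-password", "basic-without-password"):` followed by `raise ValueError(f"Invalid auth_header setting for app {app_id}: {auth_header!r}")`. The same hunk's opt-out test `app_settings.get("protect_against_basic_auth_spoofing", True) in [False, "False", "false", "0", 0]` accepts an ad-hoc set of falsy spellings, and a comment such as `# Any other value, including an unset key, keeps the protection enabled` would make that policy explicit for the next reader. The enclosing `app_ssowatconf` body begins before and continues past this hunk.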