From 1f06cdbfcb26321b66884ccb4be4a998b40d752b Mon Sep 17 00:00:00 2001
From: Oliver Gorwits
Date: Mon, 3 Oct 2016 18:02:06 +0100
Subject: [PATCH] Add validate_remote_user setting to check proxied users are known

---
 Netdisco/Changes | 6 ++++++
 Netdisco/lib/App/Netdisco/Manual/Configuration.pod | 13 +++++++++++++
 Netdisco/lib/App/Netdisco/Web/Auth/Provider/DBIC.pm | 3 ++-
 Netdisco/lib/App/Netdisco/Web/AuthN.pm | 9 +++++++++
 4 files changed, 30 insertions(+), 1 deletion(-)

diff --git a/Netdisco/Changes b/Netdisco/Changes
index 2d2ae6fb..6f0be58c 100644
--- a/Netdisco/Changes
+++ b/Netdisco/Changes
@@ -1,3 +1,9 @@
+2.034001
+
+  [NEW FEATURES]
+
+  * Add validate_remote_user setting to check proxied users are known
+
 2.034000 - 2016-10-03
 
   [NEW FEATURES]
diff --git a/Netdisco/lib/App/Netdisco/Manual/Configuration.pod b/Netdisco/lib/App/Netdisco/Manual/Configuration.pod
index da0dc9c6..5b56050a 100644
--- a/Netdisco/lib/App/Netdisco/Manual/Configuration.pod
+++ b/Netdisco/lib/App/Netdisco/Manual/Configuration.pod
@@ -162,6 +162,19 @@ to Netdisco in the C HTTP Header. For example with Apache:
 When running securely (https), replace C<< "%{REMOTE_USER}e" >> with
 C<< "%{REMOTE_USER}s" >>.
 
+=head3 C
+
+Value: Boolean. Default: C.
+
+Enable this to check that remote users (usernames that come from a frontend
+proxy server) also exist in the Netdisco Users database. No password check is
+made.
+
+This can be useful when you have web login or single sign-on on the frontend
+web server, but also want to limit to a set of known users in Netdisco. You
+can still load those users into the database in Netdisco and enable this
+setting to check any proxied access can be mapped to a known user.
+
 =head3 C
 
 Value: Settings Tree. Default: None.
diff --git a/Netdisco/lib/App/Netdisco/Web/Auth/Provider/DBIC.pm b/Netdisco/lib/App/Netdisco/Web/Auth/Provider/DBIC.pm
index d59f527a..4eed0b37 100644
--- a/Netdisco/lib/App/Netdisco/Web/Auth/Provider/DBIC.pm
+++ b/Netdisco/lib/App/Netdisco/Web/Auth/Provider/DBIC.pm
@@ -42,7 +42,8 @@ sub get_user_details {
 
     # each of these settings permits no user in the database
     # so create a pseudo user entry instead
-    if (not $user and (setting('trust_remote_user')
+    if (not $user and not setting('validate_remote_user')
+      and (setting('trust_remote_user')
           or setting('trust_x_remote_user')
           or setting('no_auth'))) {
         $user = $database->resultset($users_table)
diff --git a/Netdisco/lib/App/Netdisco/Web/AuthN.pm b/Netdisco/lib/App/Netdisco/Web/AuthN.pm
index ca761d44..9e91e114 100644
--- a/Netdisco/lib/App/Netdisco/Web/AuthN.pm
+++ b/Netdisco/lib/App/Netdisco/Web/AuthN.pm
@@ -8,12 +8,18 @@ hook 'before' => sub {
     params->{return_url} ||= ((request->path ne uri_for('/')->path)
       ? request->uri : uri_for('/inventory')->path);
 
+    # from the internals of Dancer::Plugin::Auth::Extensible
+    my $provider = Dancer::Plugin::Auth::Extensible::auth_provider('users');
+
     if (! session('logged_in_user') && request->path ne uri_for('/login')->path) {
         if (setting('trust_x_remote_user')
             and scalar request->header('X-REMOTE_USER')
             and length scalar request->header('X-REMOTE_USER')) {
 
             (my $user = scalar request->header('X-REMOTE_USER')) =~ s/@[^@]*$//;
+            return if setting('validate_remote_user')
+              and not $provider->get_user_details($user);
+
             session(logged_in_user => $user);
             session(logged_in_user_realm => 'users');
         }
@@ -22,6 +28,9 @@ hook 'before' => sub {
             and length $ENV{REMOTE_USER}) {
 
             (my $user = $ENV{REMOTE_USER}) =~ s/@[^@]*$//;
+            return if setting('validate_remote_user')
+              and not $provider->get_user_details($user);
+
             session(logged_in_user => $user);
             session(logged_in_user_realm => 'users');
         }
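Review bot: The new `not setting('validate_remote_user')` guard is AND-ed ahead of the whole `trust_remote_user` / `trust_x_remote_user` / `no_auth` alternation, so enabling `validate_remote_user` also switches off the pseudo-user fallback for `no_auth`, although the pod only describes the setting in terms of proxied users. If `no_auth` is meant to keep working without rows in the users table (decided by code outside this hunk, so confirm first), the guard should wrap only the two trust settings: `if (not $user and (setting('no_auth')` / `or (not setting('validate_remote_user') and (setting('trust_remote_user')` / `or setting('trust_x_remote_user'))))) {`. Either way a one-line comment above the condition such as `# validate_remote_user: an unknown proxied user must fail lookup rather than be synthesised here` would make the intended interaction explicit. `get_user_details` starts before and ends after this hunk.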
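Review bot: The `$provider` lookup is performed on every request, ahead of the `! session('logged_in_user')` test, so already-authenticated requests and the `/login` path resolve a provider they never use; it is only needed inside the two trust branches. Move `my $provider = Dancer::Plugin::Auth::Extensible::auth_provider('users');` together with its comment to just inside `if (! session('logged_in_user') && request->path ne uri_for('/login')->path) {`, or resolve it lazily at the two `return if` sites. The comment already concedes `auth_provider` is reached through the plugin's internals, so a note such as `# NOTE: auth_provider() is not part of the plugin's public API; re-check on plugin upgrade` would warn the next maintainer. The `before` hook starts before and ends after this hunk.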
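Review bot: A proxied user rejected by `validate_remote_user` is dropped by a bare `return` with no log entry, so an operator cannot tell an SSO misconfiguration from a username that is simply missing in the users table, and there is no audit trail of who was refused; the same applies to the `X-REMOTE_USER` branch earlier in the hook. Log the rejection before returning, which presumes Dancer's `warning` keyword is imported alongside the other DSL keywords this file uses (the `use Dancer` line is outside this hunk). The `before` hook starts before and ends after this hunk.
```perl
            (my $user = $ENV{REMOTE_USER}) =~ s/@[^@]*$//;
            if (setting('validate_remote_user')
                and not $provider->get_user_details($user)) {
                # refuse the proxied identity, but leave an audit trail for the operator
                warning "validate_remote_user: REMOTE_USER '$user' not in users table, ignoring";
                return;
            }
            # … unchanged: session setup …
```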