Add validate_remote_user setting to check proxied users are known

2016-10-03 18:02:06 +01:00
parent 13af48bffa
commit 1f06cdbfcb
4 changed files with 30 additions and 1 deletions
--- a/Netdisco/Changes
+++ b/Netdisco/Changes
@@ -1,3 +1,9 @@
+2.034001
+
+  [NEW FEATURES]
+
+  * Add validate_remote_user setting to check proxied users are known
+
 2.034000 - 2016-10-03

  [NEW FEATURES]
--- a/Netdisco/lib/App/Netdisco/Manual/Configuration.pod
+++ b/Netdisco/lib/App/Netdisco/Manual/Configuration.pod
@@ -162,6 +162,19 @@ to Netdisco in the C<X-REMOTE_USER> HTTP Header. For example with Apache:
 When running securely (https), replace C<< "%{REMOTE_USER}e" >> with C<<
 "%{REMOTE_USER}s" >>.

+=head3 C<validate_remote_user>
+
+Value: Boolean. Default: C<false>.
+
+Enable this to check that remote users (usernames that come from a frontend
+proxy server) also exist in the Netdisco Users database. No password check is
+made.
+
+This can be useful when you have web login or single sign-on on the frontend
+web server, but also want to limit to a set of known users in Netdisco. You
+can still load those users into the database in Netdisco and enable this
+setting to check any proxied access can be mapped to a known user.
+
 =head3 C<ldap>

 Value: Settings Tree. Default: None.
--- a/Netdisco/lib/App/Netdisco/Web/Auth/Provider/DBIC.pm
+++ b/Netdisco/lib/App/Netdisco/Web/Auth/Provider/DBIC.pm
@@ -42,7 +42,8 @@ sub get_user_details {

    # each of these settings permits no user in the database
    # so create a pseudo user entry instead
-    if (not $user and (setting('trust_remote_user')
+    if (not $user and not setting('validate_remote_user')
+                  and (setting('trust_remote_user')
                    or setting('trust_x_remote_user')
                    or setting('no_auth'))) {
        $user = $database->resultset($users_table)
--- a/Netdisco/lib/App/Netdisco/Web/AuthN.pm
+++ b/Netdisco/lib/App/Netdisco/Web/AuthN.pm
@@ -8,12 +8,18 @@ hook 'before' => sub {
    params->{return_url} ||= ((request->path ne uri_for('/')->path)
      ? request->uri : uri_for('/inventory')->path);

+    # from the internals of Dancer::Plugin::Auth::Extensible
+    my $provider = Dancer::Plugin::Auth::Extensible::auth_provider('users');
+
    if (! session('logged_in_user') && request->path ne uri_for('/login')->path) {
        if (setting('trust_x_remote_user')
          and scalar request->header('X-REMOTE_USER')
          and length scalar request->header('X-REMOTE_USER')) {

            (my $user = scalar request->header('X-REMOTE_USER')) =~ s/@[^@]*$//;
+            return if setting('validate_remote_user')
+              and not $provider->get_user_details($user);
+
            session(logged_in_user => $user);
            session(logged_in_user_realm => 'users');
        }
@@ -22,6 +28,9 @@ hook 'before' => sub {
          and length  $ENV{REMOTE_USER}) {

            (my $user = $ENV{REMOTE_USER}) =~ s/@[^@]*$//;
+            return if setting('validate_remote_user')
+              and not $provider->get_user_details($user);
+
            session(logged_in_user => $user);
            session(logged_in_user_realm => 'users');
        }