135/netdisco
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add validate_remote_user setting to check proxied users are known

Browse Source
This commit is contained in:
Oliver Gorwits
2016-10-03 18:02:06 +01:00
parent 13af48bffa
commit 1f06cdbfcb
4 changed files with 30 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
Netdisco/Changes
View File

@@ -1,3 +1,9 @@
2.034001
[NEW FEATURES]
* Add validate_remote_user setting to check proxied users are known
2.034000 - 2016-10-03 2.034000 - 2016-10-03
[NEW FEATURES] [NEW FEATURES]

13
Netdisco/lib/App/Netdisco/Manual/Configuration.pod
View File

@@ -162,6 +162,19 @@ to Netdisco in the C<X-REMOTE_USER> HTTP Header. For example with Apache:
When running securely (https), replace C<< "%{REMOTE_USER}e" >> with C<< When running securely (https), replace C<< "%{REMOTE_USER}e" >> with C<<
"%{REMOTE_USER}s" >>. "%{REMOTE_USER}s" >>.
=head3 C<validate_remote_user>
Value: Boolean. Default: C<false>.
Enable this to check that remote users (usernames that come from a frontend
proxy server) also exist in the Netdisco Users database. No password check is
made.
This can be useful when you have web login or single sign-on on the frontend
web server, but also want to limit to a set of known users in Netdisco. You
can still load those users into the database in Netdisco and enable this
setting to check any proxied access can be mapped to a known user.
=head3 C<ldap> =head3 C<ldap>
Value: Settings Tree. Default: None. Value: Settings Tree. Default: None.

3
Netdisco/lib/App/Netdisco/Web/Auth/Provider/DBIC.pm
View File

@@ -42,7 +42,8 @@ sub get_user_details {
# each of these settings permits no user in the database # each of these settings permits no user in the database
# so create a pseudo user entry instead # so create a pseudo user entry instead
if (not $user and (setting('trust_remote_user') if (not $user and not setting('validate_remote_user')
and (setting('trust_remote_user')
or setting('trust_x_remote_user') or setting('trust_x_remote_user')
or setting('no_auth'))) { or setting('no_auth'))) {
$user = $database->resultset($users_table) $user = $database->resultset($users_table)

9
Netdisco/lib/App/Netdisco/Web/AuthN.pm
View File

@@ -8,12 +8,18 @@ hook 'before' => sub {
params->{return_url} ||= ((request->path ne uri_for('/')->path) params->{return_url} ||= ((request->path ne uri_for('/')->path)
? request->uri : uri_for('/inventory')->path); ? request->uri : uri_for('/inventory')->path);
# from the internals of Dancer::Plugin::Auth::Extensible
my $provider = Dancer::Plugin::Auth::Extensible::auth_provider('users');
if (! session('logged_in_user') && request->path ne uri_for('/login')->path) { if (! session('logged_in_user') && request->path ne uri_for('/login')->path) {
if (setting('trust_x_remote_user') if (setting('trust_x_remote_user')
and scalar request->header('X-REMOTE_USER') and scalar request->header('X-REMOTE_USER')
and length scalar request->header('X-REMOTE_USER')) { and length scalar request->header('X-REMOTE_USER')) {
(my $user = scalar request->header('X-REMOTE_USER')) =~ s/@[^@]*$//; (my $user = scalar request->header('X-REMOTE_USER')) =~ s/@[^@]*$//;
return if setting('validate_remote_user')
and not $provider->get_user_details($user);
session(logged_in_user => $user); session(logged_in_user => $user);
session(logged_in_user_realm => 'users'); session(logged_in_user_realm => 'users');
} }
@@ -22,6 +28,9 @@ hook 'before' => sub {
and length $ENV{REMOTE_USER}) { and length $ENV{REMOTE_USER}) {
(my $user = $ENV{REMOTE_USER}) =~ s/@[^@]*$//; (my $user = $ENV{REMOTE_USER}) =~ s/@[^@]*$//;
return if setting('validate_remote_user')
and not $provider->get_user_details($user);
session(logged_in_user => $user); session(logged_in_user => $user);
session(logged_in_user_realm => 'users'); session(logged_in_user_realm => 'users');
} }