From 6a83756fb49fd0d23c9ecf19bf9f01260ba2232f Mon Sep 17 00:00:00 2001
From: Igor Rzegocki
Date: Fri, 15 Sep 2023 20:32:15 +0200
Subject: [PATCH] support for auth forwarding proxy

---
 README.md | 3 +++
 tubearchivist/config/settings.py | 14 +++++++++++++-
 tubearchivist/home/src/ta/auth.py | 10 ++++++++++
 tubearchivist/home/urls.py | 22 +++++++++++++++++-----
 4 files changed, 43 insertions(+), 6 deletions(-)
 create mode 100644 tubearchivist/home/src/ta/auth.py

diff --git a/README.md b/README.md
index 4756258..49445a2 100644
--- a/README.md
+++ b/README.md
@@ -58,6 +58,9 @@ Take a look at the example [docker-compose.yml](https://github.com/tubearchivist
 | TZ | Set your timezone for the scheduler | Required |
 | TA_PORT | Overwrite Nginx port | Optional |
 | TA_UWSGI_PORT | Overwrite container internal uwsgi port | Optional |
+| TA_ENABLE_AUTH_PROXY | Enables support for forwarding auth in reverse proxies | [Read more](https://docs.tubearchivist.com/configuration/forward-auth/) |
+| TA_AUTH_PROXY_USERNAME_HEADER | Header containing username to log in | Optional |
+| TA_AUTH_PROXY_LOGOUT_URL | Logout URL for forwarded auth | Opttional |
 | ES_URL | URL That ElasticSearch runs on | Optional |
 | ES_DISABLE_VERIFY_SSL | Disable ElasticSearch SSL certificate verification | Optional |
 | ES_SNAPSHOT_DIR | Custom path where elastic search stores snapshots for master/data nodes | Optional |
diff --git a/tubearchivist/config/settings.py b/tubearchivist/config/settings.py
index 5629453..0e69cab 100644
--- a/tubearchivist/config/settings.py
+++ b/tubearchivist/config/settings.py
@@ -175,7 +175,6 @@ if bool(environ.get("TA_LDAP")):
         ldap.OPT_X_TLS_REQUIRE_CERT: ldap.OPT_X_TLS_NEVER,
     }
 
-    global AUTHENTICATION_BACKENDS
     AUTHENTICATION_BACKENDS = ("django_auth_ldap.backend.LDAPBackend",)
 
 # Database
@@ -211,6 +210,19 @@ AUTH_PASSWORD_VALIDATORS = [
 
 AUTH_USER_MODEL = "home.Account"
 
+# Forward-auth authentication
+if bool(environ.get("TA_ENABLE_AUTH_PROXY")):
+    TA_AUTH_PROXY_USERNAME_HEADER = (
+        environ.get("TA_AUTH_PROXY_USERNAME_HEADER") or "HTTP_REMOTE_USER"
+    )
+    TA_AUTH_PROXY_LOGOUT_URL = environ.get("TA_AUTH_PROXY_LOGOUT_URL")
+
+    MIDDLEWARE.append("home.src.ta.auth.HttpRemoteUserMiddleware")
+
+    AUTHENTICATION_BACKENDS = (
+        "django.contrib.auth.backends.RemoteUserBackend",
+    )
+
 # Internationalization
 # https://docs.djangoproject.com/en/3.2/topics/i18n/
 
diff --git a/tubearchivist/home/src/ta/auth.py b/tubearchivist/home/src/ta/auth.py
new file mode 100644
index 0000000..0567db1
--- /dev/null
+++ b/tubearchivist/home/src/ta/auth.py
@@ -0,0 +1,10 @@
+from django.conf import settings
+from django.contrib.auth.middleware import PersistentRemoteUserMiddleware
+
+
+class HttpRemoteUserMiddleware(PersistentRemoteUserMiddleware):
+    """This class allows authentication via HTTP_REMOTE_USER which is set for
+    example by certain SSO applications.
+    """
+
+    header = settings.TA_AUTH_PROXY_USERNAME_HEADER
diff --git a/tubearchivist/home/urls.py b/tubearchivist/home/urls.py
index 614c29b..2c2388c 100644
--- a/tubearchivist/home/urls.py
+++ b/tubearchivist/home/urls.py
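Review bot: The `AUTHENTICATION_BACKENDS = ("django.contrib.auth.backends.RemoteUserBackend",)` assignment in this block silently replaces the LDAP backend chosen in the earlier `TA_LDAP` block when both variables are set, so which authority wins is decided by file order and documented nowhere. A comment above it such as `# NOTE: when TA_LDAP is also set, the proxy backend replaces the LDAP backend` — or an explicit error for the combination — would make that choice visible to operators. The `TA_AUTH_PROXY_USERNAME_HEADER` value is later used as a `request.META` key, so it has to be the WSGI form (`HTTP_REMOTE_USER`, not `Remote-User`); the README row only says "Header containing username", so that form is worth stating in the comment as well. `TA_AUTH_PROXY_LOGOUT_URL` is also assigned when the variable is absent, leaving the setting present with value `None`, which matters for any `hasattr(settings, ...)` check downstream.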
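Review bot: The docstring on `HttpRemoteUserMiddleware` is out of date with the code below it: `header` is read from `settings.TA_AUTH_PROXY_USERNAME_HEADER`, so the class authenticates via whichever META key is configured, not only `HTTP_REMOTE_USER`. It should also state the trust assumption, since a `HTTP_*` META key is populated from a client-supplied request header: the value is only safe to believe when the backend is reachable solely through a proxy that sets or strips that header on every request. Two behaviours the docstring should mention as well: `PersistentRemoteUserMiddleware` keeps the user logged in through the Django session once the header stops arriving, and `RemoteUserBackend` (default `create_unknown_user = True`) creates a Django account for any username the proxy presents, so a `RemoteUserBackend` subclass with `create_unknown_user = False` is the way to restrict login to pre-existing accounts. That docstring runs to more than three lines, so it is described here rather than quoted.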
@@ -3,18 +3,30 @@
 from django.conf import settings
 from django.contrib.auth.decorators import login_required
 from django.contrib.auth.views import LogoutView
+from django.shortcuts import redirect
 from django.urls import path
 from home import views
 
-urlpatterns = [
-    path("", login_required(views.HomeView.as_view()), name="home"),
-    path("login/", views.LoginView.as_view(), name="login"),
-    path(
+if hasattr(settings, "TA_AUTH_PROXY_LOGOUT_URL"):
+    logout_path = path(
+        "logout/",
+        lambda request: redirect(
+            settings.TA_AUTH_PROXY_LOGOUT_URL, permanent=False
+        ),
+        name="logout",
+    )
+else:
+    logout_path = path(
         "logout/",
         LogoutView.as_view(),
         {"next_page": settings.LOGOUT_REDIRECT_URL},
         name="logout",
-    ),
+    )
+
+urlpatterns = [
+    path("", login_required(views.HomeView.as_view()), name="home"),
+    path("login/", views.LoginView.as_view(), name="login"),
+    logout_path,
     path("about/", views.AboutView.as_view(), name="about"),
     path(
         "downloads/",
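Review bot: The `hasattr(settings, "TA_AUTH_PROXY_LOGOUT_URL")` branch is taken whenever TA_ENABLE_AUTH_PROXY is set, because settings.py assigns that attribute from `environ.get(...)` unconditionally inside the proxy block, so with no logout URL configured the lambda calls `redirect(None, permanent=False)` and the first request to `/logout/` fails instead of falling back to `LogoutView`; testing the value, `if getattr(settings, "TA_AUTH_PROXY_LOGOUT_URL", None):`, keeps the stock logout for that case. The redirect also never ends the Django session, and `PersistentRemoteUserMiddleware` keeps the user authenticated from that session even after the proxy stops sending the header, so a proxy-side logout leaves the application session alive until it expires; calling `django.contrib.auth.logout(request)` before redirecting closes that gap (sketch below, which needs `from django.contrib.auth import logout` added to the imports). A small named view is also easier to unit-test than a lambda embedded in the URL table.
```python
def proxy_logout(request):
    """End the Django session first, then hand off to the proxy's logout URL."""
    logout(request)
    return redirect(settings.TA_AUTH_PROXY_LOGOUT_URL, permanent=False)


if getattr(settings, "TA_AUTH_PROXY_LOGOUT_URL", None):
    logout_path = path("logout/", proxy_logout, name="logout")
else:
    # … unchanged: stock LogoutView path and urlpatterns …
```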