#9206 closed enhancement (worksforme)
patch: authorize using Remote-User: header
| Reported by: | srl@… | Owned by: | |
|---|---|---|---|
| Priority: | normal | Milestone: | |
| Component: | web frontend | Version: | 0.11-stable |
| Severity: | normal | Keywords: | |
| Cc: | | | |
| Release Notes: | | | |
| API Changes: | | | |
Description
For obscure reasons, my tracd-behind-proxypass wasn't able to authorize the usual way.
This patch will make trac trust the 'Remote-User:' header, even if the adaptor (CGI/etc.) didn't otherwise set the remote_user field.
This probably should be a configuration option as it would otherwise have security implications, but is perfect for our use - Apache LDAP-based authentication. I'm aware of LdapPlugin but this seemed simpler and with broader implications (could work for other authentication types, Kerberos etc.).
Attachments (2)
Change History (11)
Changed 3 years ago by srl@…
comment:1 Changed 3 years ago by cboos
- Milestone set to next-minor-0.12.x
Thanks for the patch. Would you mind adding that configuration option? This would also be the place to briefly document why you would need to set up such an option.
The test could also be written `if not remote_user and req.get_header('Remote-User'):`, I suppose that would be slightly more efficient.
comment:2 Changed 3 years ago by Steven R. Loomis <srl@…>
The better patch here automatically logs you in if present (instead of requiring you to click login), and has a configuration option.
comment:3 Changed 3 years ago by Carsten Klein <carsten.klein@…>
Why not make this an implementation of the IAuthenticator extension point interface?
E.g.
```python
from trac.config import BoolOption
from trac.core import Component, implements
from trac.web.api import IAuthenticator

class MyRemoteUserAuthenticator(Component):
    # A Trac extension point is implemented by a Component that declares
    # implements(IAuthenticator); subclassing the interface directly would
    # not register the authenticator with the component manager.
    implements(IAuthenticator)

    obey_remote_user_header = BoolOption('trac', 'obey_remote_user_header', 'false',
        """Whether the 'Remote-User:' HTTP header is to be trusted for user logins
        (''since ??.??').""")

    def authenticate(self, req):
        # Only honour the header when the option is switched on.
        if self.obey_remote_user_header and req.get_header('Remote-User'):
            return req.get_header('Remote-User')
        return None
```
That way we can keep trac free of the change that would likely raise security issues, and you are free to deploy your plugin to all the trac installations that you have.
comment:4 Changed 3 years ago by Steven R. Loomis <srl@…>
Carsten,
That's a great idea. I'll do that and post a link here, thanks.
-Steven
comment:5 Changed 3 years ago by cboos
- Milestone next-minor-0.12.x deleted
- Resolution set to worksforme
- Status changed from new to closed
I suppose the code in comment:3 is enough then (could be placed in a single file plugin).
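The authenticator sketched in comment:3 trusts the `Remote-User` header from any client, so it is only safe when nothing but the authenticating proxy can reach tracd. The following is an added example, not code from this ticket or from Trac, showing the same idea with that condition enforced in code: the header is honoured only when the option is enabled, the request arrived from a configured proxy address, and the value looks like a plausible username. To keep it runnable without Trac installed, a constructed `FakeRequest` stands in for the `remote_addr` attribute and `get_header()` method of `trac.web.api.Request`; the `trusted_proxies` and `header_name` settings are assumptions and would become `ListOption`/`Option` entries in a real plugin.

```python
import re

# Constructed stand-in for the two members of trac.web.api.Request used here.
class FakeRequest(object):
    def __init__(self, remote_addr, headers):
        self.remote_addr = remote_addr
        self._headers = dict((k.lower(), v) for k, v in headers.items())

    def get_header(self, name):
        return self._headers.get(name.lower())


# Conservative username shape: letters, digits, '.', '_', '@', '-', max 64 chars.
USERNAME_RE = re.compile(r'^[A-Za-z0-9][A-Za-z0-9._@-]{0,63}$')


class RemoteUserAuthenticator(object):
    """Hypothetical authenticator (not Trac's own code).

    In a real plugin this would be a trac.core.Component declaring
    implements(IAuthenticator), with the three settings below read from
    trac.ini via BoolOption / ListOption / Option.
    """

    def __init__(self, obey_remote_user_header=False, trusted_proxies=(),
                 header_name='Remote-User'):
        self.obey_remote_user_header = obey_remote_user_header
        # Addresses of the reverse proxies that perform authentication.
        self.trusted_proxies = frozenset(trusted_proxies)
        self.header_name = header_name

    def authenticate(self, req):
        """Return the authenticated username, or None to let other
        authenticators (or the login form) handle the request."""
        if not self.obey_remote_user_header:
            return None
        # A request that did not pass through a trusted proxy carries a
        # header chosen by the client itself, so it must be ignored.
        if req.remote_addr not in self.trusted_proxies:
            return None
        user = req.get_header(self.header_name)
        if not user:
            return None
        user = user.strip()
        # Reject empty, oversized or oddly shaped values instead of creating
        # sessions for them.
        if not USERNAME_RE.match(user):
            return None
        return user


if __name__ == '__main__':
    auth = RemoteUserAuthenticator(obey_remote_user_header=True,
                                   trusted_proxies=['127.0.0.1'])
    print(auth.authenticate(FakeRequest('127.0.0.1', {'Remote-User': 'alice'})))
    print(auth.authenticate(FakeRequest('203.0.113.7', {'Remote-User': 'alice'})))
```

The address check is the important part: with tracd bound to a public interface, the proxy's authentication can be bypassed entirely by anyone who can reach the daemon and send the header themselves, so binding tracd to localhost (or a private interface) and listing only the proxy in `trusted_proxies` should go together.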
comment:6 Changed 22 months ago by lkraav <leho@…>
I'm trying to do the same thing: basic auth on <Location> mod_proxy forwarded to tracd. Unfortunately tracd doesn't seem to take this auth info no matter which way I try. Tried:
- with project/plugins/remote-user-auth.py
```python
from trac.config import BoolOption
from trac.web.api import IAuthenticator

class MyRemoteUserAuthenticator(IAuthenticator):
    obey_remote_user_header = BoolOption('trac', 'obey_remote_user_header', 'false',
        """Whether the 'Remote-User:' HTTP header is to be trusted for user logins
        (''since ??.??').""")

    def authenticate(self, req):
        if self.obey_remote_user_header and req.get_header('Remote-User'):
            return req.get_header('Remote-User')
        return None
```
- without project/plugins/remote-user-auth.py
- tracd with `--basic-auth="*,htpasswd,My Proxy Realm"`
- tracd without `--basic-auth`
- with rewriterule
```apache
RewriteEngine On
RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule . - [E=RU:%1]
RequestHeader add X-Forwarded-User %{RU}e
```
- without rewriterule
What am I missing?
comment:7 Changed 22 months ago by lkraav <leho@…>
Solved, written up at wiki:TracStandalone?action=diff&version=90&old_version=89
comment:8 Changed 21 months ago by guidod-2007-@…
Very good - it did solve my problem as well.
I have transformed the script into a setuptools Trac plugin that can be packaged and installed just like any other trac-hack. Along with polishing the documentation it is now ready - download at
comment:9 Changed 12 months ago by lkraav <leho@…>
So I'm wondering what it would take for this ticket to reach fixed?
auth-from-header.patch