
Opened 4 years ago

Closed 4 years ago

Last modified 23 months ago

#9206 closed enhancement (worksforme)

patch: authorize using Remote-User: header

Reported by: srl@…
Owned by:
Priority: normal
Milestone:
Component: web frontend
Version: 0.11-stable
Severity: normal
Keywords:
Cc:
Release Notes:
API Changes:

Description

For obscure reasons, my tracd-behind-proxypass wasn't able to authorize the usual way.

This patch will make trac trust the 'Remote-User:' header, even if the adaptor (CGI/etc) didn't otherwise set the remote_user field.

This probably should be a configuration option as it would otherwise have security implications, but is perfect for our use - Apache LDAP-based authentication. I'm aware of LdapPlugin but this seemed simpler and with broader implications (could work for other authentication types, Kerberos etc).

Attachments (2)

auth-from-header.patch (1.1 KB) - added by srl@… 4 years ago.
auth-from-header.patch
9206-remoteuser.patch (911 bytes) - added by srl@… 4 years ago.
better patch with option


Change History (11)

Changed 4 years ago by srl@…

auth-from-header.patch

comment:1 Changed 4 years ago by cboos

  • Milestone set to next-minor-0.12.x

Thanks for the patch. Would you mind adding that configuration option? This would also be the place to briefly document why you would need to set up such an option.

The test could also be written if not remote_user and req.get_header('Remote-User'):, I suppose that would be slightly more efficient.

Changed 4 years ago by srl@…

better patch with option

comment:2 Changed 4 years ago by Steven R. Loomis <srl@…>

The better patch here automatically logs you in if present (instead of requiring you to click login), and has a configuration option.

comment:3 Changed 4 years ago by Carsten Klein <carsten.klein@…>

Why not make this an implementation of the IAuthenticator extension point interface?

E.g.

from trac.config import BoolOption
from trac.core import Component, implements
from trac.web.api import IAuthenticator

class MyRemoteUserAuthenticator(Component):
    """Trust the Remote-User header set by an authenticating front-end proxy."""
    implements(IAuthenticator)

    obey_remote_user_header = BoolOption('trac', 'obey_remote_user_header', 'false',
        """Whether the 'Remote-User:' HTTP header is to be trusted for user logins
        (''since ??.??').""")

    # IAuthenticator method: return the authenticated user name, or None
    def authenticate(self, req):
        if self.obey_remote_user_header and req.get_header('Remote-User'):
            return req.get_header('Remote-User')
        return None

That way we can keep trac free of the change that would likely raise security issues, and you are free to deploy your plugin to all the trac installations that you have.
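The same authenticate() logic as an added example (not the ticket's patch nor the Bitbucket plugin), written against a small stand-in for Trac's Request so it runs without Trac installed, with one extra defensive check: the header is only honoured when the request arrived from a configured reverse-proxy address (the `trusted_proxies` setting is an assumption of this example, not a Trac option), so a client that can reach tracd directly cannot assert an identity by sending the header itself. A real plugin would subclass trac.core.Component and declare implements(IAuthenticator) as in the snippet above.

```python
class FakeRequest:
    """Stand-in for trac.web.api.Request: only get_header() and remote_addr."""

    def __init__(self, headers, remote_addr):
        # HTTP header names are case-insensitive, as in Trac's get_header()
        self._headers = {k.lower(): v for k, v in headers.items()}
        self.remote_addr = remote_addr

    def get_header(self, name):
        return self._headers.get(name.lower())


class RemoteUserAuthenticator:
    """Mirrors the [trac] obey_remote_user_header option from the ticket."""

    def __init__(self, obey_remote_user_header=False, trusted_proxies=()):
        self.obey_remote_user_header = obey_remote_user_header
        # Assumption (not a Trac option): addresses of the proxies that are
        # allowed to set Remote-User because they authenticated the user.
        self.trusted_proxies = set(trusted_proxies)

    def authenticate(self, req):
        if not self.obey_remote_user_header:
            return None
        # Only the front-end proxy may assert the identity; anything else
        # could have sent the header itself.
        if self.trusted_proxies and req.remote_addr not in self.trusted_proxies:
            return None
        user = req.get_header('Remote-User')
        if not user:
            return None
        # Empty or whitespace-only names are treated as "not authenticated"
        return user.strip() or None


def check_scenarios():
    """Constructed requests covering the option, the proxy check and the header."""
    auth = RemoteUserAuthenticator(True, ['127.0.0.1'])
    via_proxy = FakeRequest({'Remote-User': 'alice'}, '127.0.0.1')
    direct = FakeRequest({'Remote-User': 'alice'}, '10.0.0.5')
    no_header = FakeRequest({}, '127.0.0.1')
    off = RemoteUserAuthenticator(False, ['127.0.0.1'])
    return (auth.authenticate(via_proxy), auth.authenticate(direct),
            auth.authenticate(no_header), off.authenticate(via_proxy))
```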

comment:4 Changed 4 years ago by Steven R. Loomis <srl@…>

Carsten,

That's a great idea. I'll do that and post a link here, thanks.

-Steven

comment:5 Changed 4 years ago by cboos

  • Milestone next-minor-0.12.x deleted
  • Resolution set to worksforme
  • Status changed from new to closed

I suppose the code in comment:3 is enough then (could be placed in a single file plugin).

comment:6 Changed 3 years ago by lkraav <leho@…>

I'm trying to do the same thing: basic auth on <Location> mod_proxy forwarded to tracd. Unfortunately tracd doesn't seem to take this auth info no matter which way I try. Tried:

  • with project/plugins/remote-user-auth.py
    from trac.config import BoolOption
    from trac.core import Component, implements
    from trac.web.api import IAuthenticator

    class MyRemoteUserAuthenticator(Component):
        """Trust the Remote-User header set by an authenticating front-end proxy."""
        implements(IAuthenticator)

        obey_remote_user_header = BoolOption('trac', 'obey_remote_user_header', 'false',
            """Whether the 'Remote-User:' HTTP header is to be trusted for user logins
            (''since ??.??').""")

        # IAuthenticator method: return the authenticated user name, or None
        def authenticate(self, req):
            if self.obey_remote_user_header and req.get_header('Remote-User'):
                return req.get_header('Remote-User')
            return None

  • without project/plugins/remote-user-auth.py
  • tracd with --basic-auth="*,htpasswd,My Proxy Realm"
  • tracd without --basic-auth
  • with rewriterule
    RewriteEngine On
    RewriteCond %{LA-U:REMOTE_USER} (.+)
    RewriteRule . - [E=RU:%1]
    RequestHeader add X-Forwarded-User %{RU}e
  • without rewriterule

What am I missing?

comment:7 Changed 3 years ago by lkraav <leho@…>

comment:8 Changed 3 years ago by guidod-2007-@…

Very good - it did solve my problem as well.

I have transformed the script into a setuptools Trac plugin that can be packaged and installed just like any other trac-hack. Along with polishing the documentation it is now ready - download at

https://bitbucket.org/guidod/trac-proxy-auth

comment:9 Changed 23 months ago by lkraav <leho@…>

So I'm wondering what it would take for this ticket to reach fixed?
