From dc952c063206d11504085ddea966f121e796a04c Mon Sep 17 00:00:00 2001
From: Pawel Boguslawski
Date: Thu, 18 Mar 2021 15:37:22 +0100
Subject: [PATCH 1/8] API calls authorized with HTTP header

This mod allows API calls to be authorized with HTTP header when ENABLE_REVERSE_PROXY_AUTHENTICATION is enabled. Without it user authenticated by reverse proxy is able to access gitea UI but not API which is inconsistent.

Author-Change-Id: IB#1107572
---
 routers/api/v1/api.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go
index 9c21107a2892c..4c8426cbebe06 100644
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@@ -197,6 +197,10 @@ func reqToken() func(ctx *context.APIContext) {
 return
 }
 if ctx.IsSigned {
+ // Don't require token if already authenticated by reverse proxy.
+ if setting.Service.EnableReverseProxyAuth {
+ return
+ }
 ctx.RequireCSRF()
 return
 }

From 0a51fd538682c2e336c83711bdb0f0c51ea00ac5 Mon Sep 17 00:00:00 2001
From: Pawel Boguslawski
Date: Thu, 18 Mar 2021 17:22:30 +0100
Subject: [PATCH 2/8] Fixed API calls authorized with HTTP header

Only reqBasicAuth is modified to allow reverse proxy auth as alternative and reqToken is left untouched.

Fixes: dc952c063206d11504085ddea966f121e796a04c
Author-Change-Id: IB#1107572
---
 routers/api/v1/api.go | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go
index 4c8426cbebe06..59fe7879e25b3 100644
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@@ -21,7 +21,7 @@
 // - text/html
 //
 // Security:
-// - BasicAuth :
+// - BasicOrReverseProxyAuth :
 // - Token :
 // - AccessToken :
 // - AuthorizationHeaderToken :
@@ -30,8 +30,9 @@
 // - TOTPHeader :
 //
 // SecurityDefinitions:
-// BasicAuth:
-// type: basic
+// BasicOrReverseProxyAuth:
+// type: basicOrReverseProxy
+// description: Basic auth or rexerse proxy auth using HTTP header.
 // Token:
 // type: apiKey
 // name: token
@@ -59,7 +60,7 @@
 // type: apiKey
 // name: X-GITEA-OTP
 // in: header
-// description: Must be used in combination with BasicAuth if two-factor authentication is enabled.
+// description: Must be used in combination with BasicOrReverseProxyAuth if two-factor authentication is enabled.
 //
 // swagger:meta
 package v1
@@ -197,10 +198,6 @@ func reqToken() func(ctx *context.APIContext) {
 return
 }
 if ctx.IsSigned {
- // Don't require token if already authenticated by reverse proxy.
- if setting.Service.EnableReverseProxyAuth {
- return
- }
 ctx.RequireCSRF()
 return
 }
@@ -208,10 +205,13 @@ func reqToken() func(ctx *context.APIContext) {
 }
 }
 
-func reqBasicAuth() func(ctx *context.APIContext) {
+func reqBasicOrRevProxyAuth() func(ctx *context.APIContext) {
 return func(ctx *context.APIContext) {
+ if ctx.IsSigned && setting.Service.EnableReverseProxyAuth {
+ return
+ }
 if !ctx.Context.IsBasicAuth {
- ctx.Error(http.StatusUnauthorized, "reqBasicAuth", "basic auth required")
+ ctx.Error(http.StatusUnauthorized, "reqBasicOrRevProxyAuth", "auth required")
 return
 }
 ctx.CheckForOTP()
@@ -611,7 +611,7 @@ func Routes() *web.Route {
 m.Combo("").Get(user.ListAccessTokens).
 Post(bind(api.CreateAccessTokenOption{}), user.CreateAccessToken)
 m.Combo("/{id}").Delete(user.DeleteAccessToken)
-}, reqBasicAuth())
+}, reqBasicOrRevProxyAuth())
 })
 })

From d7f281534ebca47a98ce939223bc46f40c8e159b Mon Sep 17 00:00:00 2001
From: Pawel Boguslawski
Date: Fri, 30 Apr 2021 08:33:19 +0200
Subject: [PATCH 3/8] Reverse proxy API auth separated in docs

Related: https://github.com/go-gitea/gitea/pull/15119#discussion_r621322127
Author-Change-Id: IB#1107572
---
 routers/api/v1/api.go | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go
index 233a0461aff2b..adf43b12ea4e8 100644
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
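Review bot: The hunk at -611 places the access-token routes (ListAccessTokens, CreateAccessToken, DeleteAccessToken) behind the new reqBasicOrRevProxyAuth guard, so with ENABLE_REVERSE_PROXY_AUTHENTICATION on, an identity asserted by the proxy's header alone is enough to create or delete long-lived API tokens, and nothing in the hunk or the commit message records that. That is the intended feature, but it widens what the proxy header controls, so the route deserves a comment making the trust boundary explicit, e.g. `// Reverse-proxy-authenticated sessions may manage tokens too; this relies on the proxy being the only source of the identity header.` Routes() begins and ends outside the hunk, and the -59 and -197 hunks in this commit are documentation and a revert of patch 1 respectively.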
@@ -21,7 +21,8 @@
 // - text/html
 //
 // Security:
-// - BasicOrReverseProxyAuth :
+// - BasicAuth :
+// - ReverseProxyAuth :
 // - Token :
 // - AccessToken :
 // - AuthorizationHeaderToken :
@@ -30,9 +31,11 @@
 // - TOTPHeader :
 //
 // SecurityDefinitions:
-// BasicOrReverseProxyAuth:
-// type: basicOrReverseProxy
-// description: Basic auth or rexerse proxy auth using HTTP header.
+// BasicAuth:
+// type: basic
+// ReverseProxyAuth:
+// type: reverseProxy
+// description: Reverse proxy auth using HTTP header.
 // Token:
 // type: apiKey
 // name: token

From dcdc8ee1f410d262857a27c1f3608db398bd9b28 Mon Sep 17 00:00:00 2001
From: Pawel Boguslawski
Date: Fri, 30 Apr 2021 08:46:51 +0200
Subject: [PATCH 4/8] Reverse proxy API auth separated in docs

Related: https://github.com/go-gitea/gitea/pull/15119#discussion_r621322127
Author-Change-Id: IB#1107572
---
 routers/api/v1/api.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go
index adf43b12ea4e8..a160b1d1fe1b8 100644
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@@ -63,7 +63,7 @@
 // type: apiKey
 // name: X-GITEA-OTP
 // in: header
-// description: Must be used in combination with BasicOrReverseProxyAuth if two-factor authentication is enabled.
+// description: Must be used in combination with BasicAuth if two-factor authentication is enabled.
 //
 // swagger:meta
 package v1

From 38dd9e4f3be6e552d2dd5e8394000752332f1b66 Mon Sep 17 00:00:00 2001
From: Pawel Boguslawski
Date: Fri, 30 Apr 2021 18:49:35 +0200
Subject: [PATCH 5/8] Reverse proxy API auth separated

Related: https://github.com/go-gitea/gitea/pull/15119#discussion_r621322127
Author-Change-Id: IB#1107572
---
 templates/swagger/v1_json.tmpl | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/templates/swagger/v1_json.tmpl b/templates/swagger/v1_json.tmpl
index d44583b816843..708520e496aa4 100644
--- a/templates/swagger/v1_json.tmpl
+++ b/templates/swagger/v1_json.tmpl
@@ -17058,6 +17058,10 @@
 "BasicAuth": {
 "type": "basic"
 },
+ "ReverseProxyAuth": {
+ "description": "Reverse proxy auth using HTTP header.",
+ "type": "reverseProxy"
+ },
 "SudoHeader": {
 "description": "Sudo API request as the user provided as the key. Admin privileges are required.",
 "type": "apiKey",
@@ -17086,6 +17090,9 @@
 {
 "BasicAuth": []
 },
+ {
+ "ReverseProxyAuth": []
+ },
 {
 "Token": []
 },

From 1b45775c893f74a5d208d9e67fabdf6f225fd68f Mon Sep 17 00:00:00 2001
From: Pawel Boguslawski
Date: Fri, 25 Jun 2021 11:46:26 +0200
Subject: [PATCH 6/8] ReverseProxyAuth removed from swagger

ReverseProxyAuth removed from swagger as in upstream's suggestion.

Related: https://github.com/go-gitea/gitea/pull/15119#pullrequestreview-692180940
Author-Change-Id: IB#1107572
---
 routers/api/v1/api.go | 4 ----
 templates/swagger/v1_json.tmpl | 7 -------
 2 files changed, 11 deletions(-)

diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go
index a160b1d1fe1b8..2831ec06849f6 100644
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@@ -22,7 +22,6 @@
 //
 // Security:
 // - BasicAuth :
-// - ReverseProxyAuth :
 // - Token :
 // - AccessToken :
 // - AuthorizationHeaderToken :
@@ -33,9 +32,6 @@
 // SecurityDefinitions:
 // BasicAuth:
 // type: basic
-// ReverseProxyAuth:
-// type: reverseProxy
-// description: Reverse proxy auth using HTTP header.
 // Token:
 // type: apiKey
 // name: token
diff --git a/templates/swagger/v1_json.tmpl b/templates/swagger/v1_json.tmpl
index 708520e496aa4..d44583b816843 100644
--- a/templates/swagger/v1_json.tmpl
+++ b/templates/swagger/v1_json.tmpl
@@ -17058,10 +17058,6 @@
 "BasicAuth": {
 "type": "basic"
 },
- "ReverseProxyAuth": {
- "description": "Reverse proxy auth using HTTP header.",
- "type": "reverseProxy"
- },
 "SudoHeader": {
 "description": "Sudo API request as the user provided as the key. Admin privileges are required.",
 "type": "apiKey",
@@ -17090,9 +17086,6 @@
 {
 "BasicAuth": []
 },
- {
- "ReverseProxyAuth": []
- },
 {
 "Token": []
 },
From 4bb60af58ae48e668eff16777bee2106d5ac3282 Mon Sep 17 00:00:00 2001
From: Pawel Boguslawski
Date: Fri, 25 Jun 2021 17:18:40 +0200
Subject: [PATCH 7/8] ReverseProxyAuth API authorization fixed

Related: https://github.com/go-gitea/gitea/pull/15119#issuecomment-868465099
Author-Change-Id: IB#1107572
---
 routers/api/v1/api.go | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go
index 2831ec06849f6..40547ddfa9766 100644
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@@ -214,10 +214,15 @@ func reqExploreSignIn() func(ctx *context.APIContext) {
 
 func reqBasicOrRevProxyAuth() func(ctx *context.APIContext) {
 return func(ctx *context.APIContext) {
- if ctx.IsSigned && setting.Service.EnableReverseProxyAuth {
- return
+ authorized := false
+ if ctx.IsSigned {
+ if ctx.Context.IsBasicAuth {
+ authorized = true
+ } else if setting.Service.EnableReverseProxyAuth && ctx.Data["AuthedMethod"].(string) == new(auth.ReverseProxy).Name() {
+ authorized = true
+ }
 }
- if !ctx.Context.IsBasicAuth {
+ if !authorized {
 ctx.Error(http.StatusUnauthorized, "reqBasicOrRevProxyAuth", "auth required")
 return
 }

From d23ef1bf8c5f8130e56185c46b747a9381f784f2 Mon Sep 17 00:00:00 2001
From: Pawel Boguslawski
Date: Fri, 25 Jun 2021 17:44:28 +0200
Subject: [PATCH 8/8] ReverseProxyAuth API authorization fixed

Related: https://github.com/go-gitea/gitea/pull/15119#issuecomment-868465099
Author-Change-Id: IB#1107572
---
 routers/api/v1/api.go | 11 +++--------
 1 file changed, 3 insertions(+), 8 deletions(-)

diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go
index 40547ddfa9766..521ea8c553bb1 100644
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
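Review bot: The added `else if` uses the single-value type assertion `ctx.Data["AuthedMethod"].(string)`, which panics if the key is absent or holds a non-string; whether every signed-in context populates "AuthedMethod" is not visible in this hunk, so the guard should not depend on it. The comma-ok form keeps the same decision while turning a missing value into a plain denial: `} else if method, _ := ctx.Data["AuthedMethod"].(string); setting.Service.EnableReverseProxyAuth && method == new(auth.ReverseProxy).Name() {`. The same assertion is carried unchanged into the one-line condition of patch 8's hunk and the fix applies there too. The closure continues past the hunk.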
@@ -214,15 +214,10 @@ func reqExploreSignIn() func(ctx *context.APIContext) {
 
 func reqBasicOrRevProxyAuth() func(ctx *context.APIContext) {
 return func(ctx *context.APIContext) {
- authorized := false
- if ctx.IsSigned {
- if ctx.Context.IsBasicAuth {
- authorized = true
- } else if setting.Service.EnableReverseProxyAuth && ctx.Data["AuthedMethod"].(string) == new(auth.ReverseProxy).Name() {
- authorized = true
- }
+ if ctx.IsSigned && setting.Service.EnableReverseProxyAuth && ctx.Data["AuthedMethod"].(string) == new(auth.ReverseProxy).Name() {
+ return
 }
- if !authorized {
+ if !ctx.Context.IsBasicAuth {
 ctx.Error(http.StatusUnauthorized, "reqBasicOrRevProxyAuth", "auth required")
 return
 }
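Review bot: reqBasicOrRevProxyAuth still has no doc comment, and after this rewrite the two accepted paths behave differently in a way a reader cannot see from the function alone: the reverse-proxy early return leaves the closure immediately, while the basic-auth path falls through to the `ctx.CheckForOTP()` call shown in patch 2's hunk of the same function. I would add above the func line: `// reqBasicOrRevProxyAuth requires HTTP basic auth, or, when reverse proxy authentication is enabled, a session established by the reverse proxy auth method itself; the reverse proxy path returns before the OTP check.` As a matter of style, the combined condition is long enough that hoisting it into a named boolean such as `viaProxy` would make the intent readable at a glance. The closure continues past the end of the hunk.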