wsgi: add peer UNIX credential to a non-standard environment variable #37
Signed-off-by: Balazs Scheidler email@example.com
It adds the UNIX UID of a unix domain socket that connects to our HTTP service over socket.
Peer credentials are not available to apps even if they bind to a unix domain socket.
I've added a non-standard _REMOTE_UID value to environ, that is available to apps. I originally did this patch to an older version of cherrypy and this is a forward port.
I've attempted to fix automatic tests, but the ones in circle ci seem to be an infrastructure problem. The rest of the tests were green.
I'd be really grateful about the feature, especially the naming of the environment variable. I'd like to deploy something like this in production, and I'd like to use a name that will match the 'official' one.
@@            Coverage Diff             @@
##           master      #37      +/-   ##
==========================================
- Coverage   66.42%   65.97%   -0.45%
==========================================
  Files          17       17
  Lines        2847     2942      +95
==========================================
+ Hits         1891     1941      +50
- Misses        956     1001      +45
Sorry for being silent for so long. I think I came up with a proper solution now.
It's bypassed through an adapter in CherryPy to Server instance in cheroot and then it pre-populates it into connections. WSGI env tries to get this data from connection and it succeeds when enabled and supported by the runtime.
Option in CherryPy would be
Do you mind taking another round of testing and finishing this with me?
Signed-off-by: Balazs Scheidler <firstname.lastname@example.org>
This patch enables SO_PEERCRED based authentication into the NNX REST server, by adding the _REMOTE_UID to the environment, which then can be used to base authentication on.

A similar patch was submitted to CherryPy upstream, here: cherrypy/cheroot#37

Signed-off-by: Balazs Scheidler <email@example.com>
PR #37 by @bazsi: Implement PEERCRED lookup over UNIX-socket HTTP connection.

* Discover connected process' PID/UID/GID
* Respect server switches: ``peercreds_enabled`` and ``peercreds_resolve_enabled``
* ``get_peer_creds`` and ``resolve_peer_creds`` methods on connection
* ``peer_pid``, ``peer_uid``, ``peer_gid``, ``peer_user`` and ``peer_group`` properties on connection
* ``X_REMOTE_PID``, ``X_REMOTE_UID``, ``X_REMOTE_GID``, ``X_REMOTE_USER`` (``REMOTE_USER``) and ``X_REMOTE_GROUP`` WSGI environment variables when enabled and supported
* Per-connection caching to reduce lookup cost
This patch enables SO_PEERCRED based authentication into the NNX REST server, by adding the X_REMOTE_UID to the environment, which then can be used to base authentication on.

A similar patch was submitted to CherryPy upstream, here: cherrypy/cheroot#37

The original version of this patch came from our balabit-os-7.0/python3-cherrypy8 package. The corresponding commit ids are:

* c8e7fb9d998391e39778f39707e0e3f0819cec02,
* cd022ff48d2abcb999d890eef4347b13d943eabd
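The lookup described in the changelog entry above, as an added example that is not cheroot's or CherryPy's own code: it reads SO_PEERCRED on Linux, exposes the result under the X_REMOTE_* names from this page, and shows that a client-sent header lands under HTTP_* and cannot stand in for the kernel's answer. The helper names build_environ, authorize and demo, the string-valued entries and the request header are assumptions of this sketch.

```python
import os
import socket
import struct

# Linux struct ucred: pid_t pid, uid_t uid, gid_t gid
UCRED = struct.Struct("iII")


def get_peer_creds(conn):
    """Return (pid, uid, gid) the kernel recorded for the peer of an AF_UNIX socket."""
    if conn.family != socket.AF_UNIX:
        raise ValueError("peer credentials exist only for UNIX domain sockets")
    if not hasattr(socket, "SO_PEERCRED"):
        raise RuntimeError("SO_PEERCRED is not available on this platform")
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, UCRED.size)
    return UCRED.unpack(raw)


def build_environ(conn, headers):
    """Hypothetical helper: request headers become HTTP_* keys, as WSGI requires;
    X_REMOTE_* keys are filled only from the kernel's answer."""
    environ = {"HTTP_" + k.upper().replace("-", "_"): v for k, v in headers.items()}
    try:
        pid, uid, gid = get_peer_creds(conn)
    except (ValueError, RuntimeError, OSError):
        return environ  # TCP or unsupported platform: leave X_REMOTE_* unset
    environ.update(X_REMOTE_PID=str(pid), X_REMOTE_UID=str(uid), X_REMOTE_GID=str(gid))
    return environ


def authorize(environ, allowed_uids):
    """Fail closed: a request without kernel-reported credentials is refused."""
    uid = environ.get("X_REMOTE_UID")
    return uid is not None and int(uid) in allowed_uids


def demo():
    """Server end of a socketpair; the peer is this same process."""
    server_side, client_side = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        # Constructed header: a client claiming UID 0 in the request itself
        return build_environ(server_side, {"X-Remote-Uid": "0"})
    finally:
        server_side.close()
        client_side.close()


if __name__ == "__main__":
    env = demo()
    print(env, authorize(env, {os.geteuid()}))
```

The credentials are the ones the kernel captured when the socket was connected or paired, so an application that bases authentication on X_REMOTE_UID should treat a missing key as a refusal rather than fall back to anything taken from the request.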