[15.10] Checks for api_key before checking for header from SSO. #1801
…e NoneType issue discovered in galaxyproject#972.
return self.app( environ, start_response ) | ||
elif self.config_secret_header is not None: | ||
gxSecretIsNone = environ.get('HTTP_GX_SECRET') is None | ||
if gxSecretIsNone or not safe_str_cmp(environ.get('HTTP_GX_SECRET'), self.config_secret_header): |
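Review bot: the `gxSecretIsNone` temporary in the `elif` branch is redundant: the very next line reads the same header again via `environ.get('HTTP_GX_SECRET')`, so the value is looked up twice and the `None` case is special-cased by hand. Defaulting the lookup instead, `environ.get('HTTP_GX_SECRET', '')`, removes the variable, reads the header once, and still fails closed when the header is absent because `''` never matches a configured secret.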
An easier way to fix the NoneType problem is:
if not safe_str_cmp(environ.get('HTTP_GX_SECRET', ''), self.config_secret_header):
👍 for this
Thanks @nsoranzo I like it.
# Check for API key before checking for header | ||
return self.app( environ, start_response ) | ||
elif self.config_secret_header is not None: | ||
if not safe_str_cmp(environ.get('HTTP_GX_SECRET',''), self.config_secret_header): |
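Review bot: style nit on the last line of the hunk: PEP 8 wants a space after the comma in `environ.get('HTTP_GX_SECRET','')`. The new comment `# Check for API key before checking for header` would also be more useful if it stated why the order matters (API-key validation happens downstream, so an API request must not be rejected here for lacking an SSO header), since that is the bug this change fixes.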
You are missing a space between 'HTTP_GX_SECRET' and ''.
@galaxybot test this
This works for me, but can someone else with a testbed for this verify?
Will test as soon as I'm free
Ping me if I haven't done this in 48h, @dannon
@erasche Ping (per your request).
@galaxybot test this
@martenson Tests will continue to fail against 15.10 I think; this one needs manual validation.
@dannon correct, I missed the target branch, poor Jenkins :/
@dannon testing now. Thanks for reminder :)
@erasche Thanks!
👍 from me
Hooray, thanks.
[15.10] Checks for api_key before checking for header from SSO.
(and thanks @MatthewRalston for the patience with this one)
Thanks everyone. @golharam ping.
This PR was merged without a milestone attached. |
This pull request addresses an issue #972 found when using the Galaxy API and bioblend when also using an SSO. The principal issue was that SSO headers are checked before API keys are authenticated. This led to API/bioblend requests failing, as no headers are passed through bioblend. The solution was to check if the request was API-related before headers are checked; API-key validation is done downstream of this process. In the process, another issue was found when Galaxy receives no headers (i.e. accessing the port directly: http://server.example.com:1234, instead of the appropriate URL http://galaxy.example.com). When no headers are passed, the Remoteuser class compares None to the GX_SECRET defined in the config. The received error is reported below. This is also handled by this patch.
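The two fixes this PR describes (pass API-keyed requests through before the SSO header is inspected, and compare a missing header as `''` rather than `None`), as an added example that is not Galaxy's own code: a constructed stand-in middleware plus a small WSGI driver. The `/api/` path prefix, the `key` query parameter and `hmac.compare_digest` in place of werkzeug's `safe_str_cmp` are assumptions made here.

```python
import hmac
from urllib.parse import parse_qs


class RemoteUserStandIn:
    """Constructed stand-in for the RemoteUser middleware, not Galaxy's code.
    API-key requests are passed through before the SSO header is inspected,
    and a missing header is read as '' (the fix adopted in the PR) so the
    comparison fails closed instead of raising on None."""

    def __init__(self, app, config_secret_header=None):
        self.app = app
        self.config_secret_header = config_secret_header

    def __call__(self, environ, start_response):
        # Check for API key before checking for header: the key itself is
        # validated downstream by the API layer, not here (assumed shape).
        query = parse_qs(environ.get('QUERY_STRING', ''))
        if environ.get('PATH_INFO', '').startswith('/api/') and 'key' in query:
            return self.app(environ, start_response)
        if self.config_secret_header is not None:
            # Default to '' so an absent header compares unequal, never None.
            presented = environ.get('HTTP_GX_SECRET', '')
            # hmac.compare_digest stands in for werkzeug's safe_str_cmp.
            if not hmac.compare_digest(presented.encode(),
                                       self.config_secret_header.encode()):
                start_response('403 Forbidden', [('Content-Type', 'text/plain')])
                return [b'Access denied: GX_SECRET header missing or invalid.']
        return self.app(environ, start_response)


def protected_app(environ, start_response):
    """Downstream app reached only after the middleware lets a request through."""
    start_response('200 OK', [('Content-Type', 'text/plain')])
    return [b'ok']


def request_status(middleware, path, query='', headers=None):
    """Drive the middleware with a constructed WSGI environ; return the status line."""
    environ = {'PATH_INFO': path, 'QUERY_STRING': query, **(headers or {})}
    captured = {}

    def start_response(status, response_headers, exc_info=None):
        captured['status'] = status

    b''.join(middleware(environ, start_response))
    return captured['status']


if __name__ == '__main__':
    mw = RemoteUserStandIn(protected_app, config_secret_header='example-secret')
    print(request_status(mw, '/api/histories', 'key=deadbeef'), request_status(mw, '/history/list'))
```

The first call models a bioblend request (API key, no SSO header) and is passed through; the second models hitting the port directly with no headers and is now refused with 403 instead of raising a TypeError.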