Commit

PR for #329 optional basic auth disable (#330)
* #293 fix: remove ESRI headers before populating auth headers

* #329 optionally disable basic auth with GHC_BASIC_AUTH_DISABLE

* #329 commit to trigger travis
justb4 committed Sep 1, 2020
1 parent 8d207e5 commit 0483ae6
Showing 5 changed files with 10 additions and 1 deletion.
1 change: 1 addition & 0 deletions Dockerfile
Expand Up @@ -32,6 +32,7 @@ ENV LC_ALL="en_US.UTF-8" \
GHC_ADMIN_EMAIL='you@example.com' \
GHC_RUNNER_IN_WEBAPP=False \
GHC_REQUIRE_WEBAPP_AUTH=False \
GHC_BASIC_AUTH_DISABLED=False \
GHC_LOG_LEVEL=30 \
GHC_LOG_FORMAT='%(asctime)s - %(name)s - %(levelname)s - %(message)s' \
GHC_NOTIFICATIONS_EMAIL='you2@example.com,them@example.com' \
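Review bot: the variable added in this ENV block is `GHC_BASIC_AUTH_DISABLED`, but the commit message calls it `GHC_BASIC_AUTH_DISABLE`. An operator who copies the name from the message into `docker run -e` or a compose file sets a variable nothing reads, and Basic Auth stays enabled without any error. Align the commit message (and any release note) with the name used in the code.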
2 changes: 1 addition & 1 deletion GeoHealthCheck/app.py
Expand Up @@ -158,7 +158,7 @@ def load_user_from_request(request):
# Inspiration: https://flask-login.readthedocs.io
# /en/latest/#custom-login-using-request-loader
basic_auth_val = request.headers.get('Authorization')
if basic_auth_val:
if basic_auth_val and CONFIG['GHC_BASIC_AUTH_DISABLED'] is False:
basic_auth_val = basic_auth_val.replace('Basic ', '', 1)
authenticated = False
try:
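Review bot: `CONFIG['GHC_BASIC_AUTH_DISABLED'] is False` in the changed `if` is an identity test against the bool singleton, so any other value a site config might carry (`0`, `None`, an empty string) counts as "disabled" and the `Authorization` header is skipped without notice. If the key is ever absent from `CONFIG`, the subscript raises on every request that carries the header. Suggest `if basic_auth_val and not CONFIG.get('GHC_BASIC_AUTH_DISABLED', False):`. A debug-level log line when a header is present but skipped would also let operators see why API credentials are being ignored.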
1 change: 1 addition & 0 deletions GeoHealthCheck/config_main.py
Expand Up @@ -50,6 +50,7 @@
GHC_SITE_URL = 'http://host'
GHC_RUNNER_IN_WEBAPP = True
GHC_REQUIRE_WEBAPP_AUTH = False
GHC_BASIC_AUTH_DISABLED = False
# 10=DEBUG 20=INFO 30=WARN(ING) 40=ERROR 50=FATAL/CRITICAL
GHC_LOG_LEVEL = 30
GHC_LOG_FORMAT = '%(asctime)s - %(name)s - %(levelname)s - %(message)s'
1 change: 1 addition & 0 deletions docker/config_site.py
Expand Up @@ -57,6 +57,7 @@ def str2bool(v):
GHC_SITE_URL = os.environ['GHC_SITE_URL']
GHC_RUNNER_IN_WEBAPP = str2bool(os.environ['GHC_RUNNER_IN_WEBAPP'])
GHC_REQUIRE_WEBAPP_AUTH = str2bool(os.environ['GHC_REQUIRE_WEBAPP_AUTH'])
GHC_BASIC_AUTH_DISABLED = str2bool(os.environ['GHC_BASIC_AUTH_DISABLED'])
GHC_LOG_LEVEL = int(os.environ['GHC_LOG_LEVEL'])
GHC_LOG_FORMAT = os.environ['GHC_LOG_FORMAT']

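Review bot: `os.environ['GHC_BASIC_AUTH_DISABLED']` on the added line raises `KeyError` when the variable is unset, for example when this `config_site.py` runs in an environment that lacks the new Dockerfile default. The neighbouring lines follow the same pattern, but for a newly introduced optional flag a fallback is safer: `str2bool(os.environ.get('GHC_BASIC_AUTH_DISABLED', 'False'))` keeps such deployments starting with Basic Auth enabled, which matches the documented default.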
6 changes: 6 additions & 0 deletions docs/config.rst
Expand Up @@ -33,6 +33,7 @@ The configuration options are:
- **GHC_PROBE_DEFAULTS**: Default `Probe` class to assign on "add" per Resource-type
- **GHC_METADATA_CACHE_SECS**: metadata, "Capabilities Docs", cache expiry time, default 900 secs, -1 to disable
- **GHC_REQUIRE_WEBAPP_AUTH**: require authentication (login or Basic Auth) to access GHC webapp and APIs (default: ``False``)
- **GHC_BASIC_AUTH_DISABLED**: disable Basic Authentication to access GHC webapp and APIs (default: ``False``), see below when to set to `True`
- **GHC_RUNNER_IN_WEBAPP**: should the GHC Runner Daemon be run in webapp (default: ``True``), more below
- **GHC_LOG_LEVEL**: logging level: 10=DEBUG 20=INFO 30=WARN(ING) 40=ERROR 50=FATAL/CRITICAL (default: 30, WARNING)
- **GHC_MAP**: default map settings
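Review bot: the new **GHC_BASIC_AUTH_DISABLED** entry writes `True` in single backticks, while the entries around it use double backticks for literals (``False``). In reStructuredText single backticks are interpreted text and render differently. Use ``True``, and reword "see below when to set" to "see below for when to set this".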
Expand Down Expand Up @@ -201,3 +202,8 @@ the login screen. Initially only the ``admin`` user will be able to login, but i
and allow additional users by registering these within the ``admin`` login session.
Note that password reset is still enabled. For remote REST API calls standard HTTP Basic
Authentication (via the HTTP `Authentication` request header) can be used.

In some cases where an external web- or proxy server provides HTTP Basic Authentication, a conflict may
arise when GHC also checks the `Authorization` HTTP header used for the external Basic Auth. In those
cases GHC Basic Auth checking can be disabled using the **GHC_BASIC_AUTH_DISABLED** to `True`.
TODO: provide API Token auth to allow both external Basic Auth and GHC API auth.
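Review bot: the added paragraph does not say what is left for REST API clients once the flag is `True`. The context line just above names Basic Auth as the mechanism for remote REST API calls, and the TODO implies there is no alternative yet, so the docs should state that API access then relies entirely on the external server's authentication. Two smaller points in the same hunk: "can be disabled using the **GHC_BASIC_AUTH_DISABLED** to `True`" is missing "by setting", and the context line calls the header `Authentication` where the new text correctly says `Authorization`. The context line is worth fixing while this section is being edited.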
