From 5da9c009db66509db68342268ffe179e92598457 Mon Sep 17 00:00:00 2001
From: Ralf Haferkamp
Date: Mon, 9 Oct 2023 15:32:08 +0200
Subject: [PATCH] auth interceptor: Default to empty credentials chain

When running with ocis, all external http-authentication is handled by the proxy service. So the reva auth middleware should not try to do any basic or bearer auth.

Related ocis ticket: https://github.com/owncloud/ocis/issues/6692
---
 changelog/unreleased/fix-auth-allow-empty-cred-chain.md | 8 ++++++++
 internal/http/interceptors/auth/auth.go | 4 ----
 tests/oc-integration-tests/drone/frontend-global.toml | 3 +++
 tests/oc-integration-tests/drone/frontend.toml | 3 +++
 tests/oc-integration-tests/local/frontend.toml | 3 +++
 5 files changed, 17 insertions(+), 4 deletions(-)
 create mode 100644 changelog/unreleased/fix-auth-allow-empty-cred-chain.md

diff --git a/changelog/unreleased/fix-auth-allow-empty-cred-chain.md b/changelog/unreleased/fix-auth-allow-empty-cred-chain.md
new file mode 100644
index 0000000000..995c9130a6
--- /dev/null
+++ b/changelog/unreleased/fix-auth-allow-empty-cred-chain.md
@@ -0,0 +1,8 @@
+Bugfix: Allow an empty credentials chain in the auth middleware
+
+When running with ocis, all external http-authentication is handled by the proxy
+service. So the reva auth middleware should not try to do any basic or
+bearer auth.
+
+https://github.com/cs3org/reva/pull/4241
+https://github.com/owncloud/ocis/issues/6692
diff --git a/internal/http/interceptors/auth/auth.go b/internal/http/interceptors/auth/auth.go
index 14027fc348..800fe8408e 100644
--- a/internal/http/interceptors/auth/auth.go
+++ b/internal/http/interceptors/auth/auth.go
@@ -109,10 +109,6 @@ func New(m map[string]interface{}, unprotected []string, tp trace.TracerProvider
 conf.TokenManager = "jwt"
 }
 
- if len(conf.CredentialChain) == 0 {
- conf.CredentialChain = []string{"basic", "bearer"}
- }
-
 if conf.CredentialsByUserAgent == nil {
 conf.CredentialsByUserAgent = map[string]string{}
 }
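Review bot: With the `len(conf.CredentialChain) == 0` fallback removed from `New`, any deployment whose config omits `credential_chain` silently changes from trying basic and bearer credentials to trying none, and nothing in the hunk signals that at startup. `New` starts and ends outside this hunk and the request-handling path is not visible, so it should be confirmed that a request carrying no token is still rejected when the chain is empty rather than passed through unauthenticated. I would leave a comment where the default used to be, e.g. `// No default here on purpose: an empty credential_chain means this middleware performs no basic/bearer authentication itself.`, and log a warning when the chain is empty so operators running reva without the ocis proxy notice the change. The changelog entry labels this a bugfix; since it alters a default of the auth middleware, stating there that existing configs must now set `credential_chain` explicitly would help.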
diff --git a/tests/oc-integration-tests/drone/frontend-global.toml b/tests/oc-integration-tests/drone/frontend-global.toml
index d8e158e63e..6fd2e2bc72 100644
--- a/tests/oc-integration-tests/drone/frontend-global.toml
+++ b/tests/oc-integration-tests/drone/frontend-global.toml
@@ -15,6 +15,9 @@ address = "0.0.0.0:20180"
 [http.middlewares.cors]
 allow_credentials = true
 
+[http.middlewares.auth]
+credential_chain = ["basic"]
+
 [http.services.ocdav]
 # serve ocdav on the root path
 prefix = ""
diff --git a/tests/oc-integration-tests/drone/frontend.toml b/tests/oc-integration-tests/drone/frontend.toml
index a0225c90e9..07679cf736 100644
--- a/tests/oc-integration-tests/drone/frontend.toml
+++ b/tests/oc-integration-tests/drone/frontend.toml
@@ -16,6 +16,9 @@ address = "0.0.0.0:20080"
 [http.middlewares.cors]
 allow_credentials = true
 
+[http.middlewares.auth]
+credential_chain = ["basic"]
+
 [http.services.ocdav]
 # serve ocdav on the root path
 prefix = ""
diff --git a/tests/oc-integration-tests/local/frontend.toml b/tests/oc-integration-tests/local/frontend.toml
index 3da4d5bacf..86071204f9 100644
--- a/tests/oc-integration-tests/local/frontend.toml
+++ b/tests/oc-integration-tests/local/frontend.toml
@@ -23,6 +23,9 @@ address = "0.0.0.0:20080"
 [http.middlewares.cors]
 allow_credentials = true
 
+[http.middlewares.auth]
+credential_chain = ["basic"]
+
 [http.services.ocdav]
 # serve ocdav on the root path
 prefix = ""
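Review bot: The added `credential_chain = ["basic"]` in `drone/frontend-global.toml` is narrower than the `["basic", "bearer"]` default these configs inherited before this commit, so the bearer strategy appears to drop out of these integration runs. The same applies to the identical additions in `drone/frontend.toml` and `local/frontend.toml`. None of the three exercises the empty chain that the commit makes the new default. If bearer is still meant to be covered, use `credential_chain = ["basic", "bearer"]`. A config that leaves out the `[http.middlewares.auth]` override, with a check that unauthenticated requests are rejected, would cover the new default.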