Merge branch 'master' into update/orquesta

StackStorm · Nov 11, 2023 · cbd0ee0 · cbd0ee0
2 parents e1b0938 + 32a243a
commit cbd0ee0
Show file tree

Hide file tree

Showing 3 changed files with 49 additions and 2 deletions.
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -6,7 +6,8 @@ in development
 
 Fixed
 ~~~~~
-* Update orquesta to v1.6.0 to fix outdated dependencies (security). #6050
+* Additional fixes for st2 client auth when proxy auth mode enabled #6049
+  Contributed by @floatingstatic
 
 * Fix issue with linux pack actions failed to run remotely due to incorrect python shebang. #5983 #6042
   Contributed by Ronnie Hoffmann (@ZoeLeah Schwarz IT KG)
@@ -26,9 +27,11 @@ Fixed
 
 * Update cryptography 3.4.7 -> 39.0.1, pyOpenSSL 21.0.0 -> 23.1.0, paramiko 2.10.5 -> 2.11.0 (security). #6055
 
-* Bumped `eventlet` to `0.33.3` and `gunicorn` to `21.2.0` to fix `RecursionError` bug in setting `SSLContext` `minimum_version` property. #6061
+* Bumped `eventlet` to `0.33.3` and `gunicorn` to `21.2.0` to fix `RecursionError` bug in setting `SSLContext` `minimum_version` property. (security) #6061
   Contributed by @jk464
 
+* Update orquesta to v1.6.0 to fix outdated dependencies (security). #6050
+
 Added
 ~~~~~
 

diff --git a/st2auth/st2auth/handlers.py b/st2auth/st2auth/handlers.py
@@ -130,6 +130,25 @@ def handle_auth(
         remote_addr = headers.get("x-forwarded-for", remote_addr)
         extra = {"remote_addr": remote_addr}
 
+        # Needed to support st2client which does not connect via st2web
+        if authorization and not remote_user:
+            try:
+                auth_value = base64.b64decode(authorization[1])
+            except Exception:
+                LOG.audit("Invalid authorization header", extra=extra)
+                abort_request()
+                return
+
+            split = auth_value.split(b":", 1)
+            if len(split) != 2:
+                LOG.audit("Invalid authorization header", extra=extra)
+                abort_request()
+                return
+
+            remote_user = split[0]
+            if six.PY3 and isinstance(remote_user, six.binary_type):
+                remote_user = remote_user.decode("utf-8")
+
         if remote_user:
             ttl = getattr(request, "ttl", None)
             username = self._get_username_for_request(remote_user, request)

diff --git a/st2auth/tests/unit/test_handlers.py b/st2auth/tests/unit/test_handlers.py
@@ -48,6 +48,31 @@ def test_proxy_handler(self):
         )
         self.assertEqual(token.user, "test_proxy_handler")
 
+    def test_proxy_handler_no_remote_user(self):
+        h = handlers.ProxyAuthHandler()
+        request = {}
+        token = h.handle_auth(
+            request,
+            headers={},
+            remote_addr=None,
+            remote_user=None,
+            authorization=("basic", DUMMY_CREDS),
+        )
+        self.assertEqual(token.user, "auser")
+
+    def test_proxy_handler_bad_auth(self):
+        h = handlers.ProxyAuthHandler()
+        request = {}
+
+        with self.assertRaises(exc.HTTPUnauthorized):
+            h.handle_auth(
+                request,
+                headers={},
+                remote_addr=None,
+                remote_user=None,
+                authorization=None,
+            )
+
     def test_standalone_bad_auth_type(self):
         h = handlers.StandaloneAuthHandler()
         request = {}