Proxy accepts basic auth requests even when PROXY_ENABLE_BASIC_AUTH is false #2466

Closed
refs opened this issue Sep 2, 2021 · 3 comments · Fixed by #2719
refs commented Sep 2, 2021

While testing we came across the fact that the flag PROXY_ENABLE_BASIC_AUTH is not needed, and the proxy lets requests go through that are unauthenticated, only for Reva to handle the authentication. The question is whether we fix this in oCIS or in Reva.

Steps to reproduce

  1. checkout oCIS master
  2. cd ocis && make clean build
  3. bin/ocis server
  4. curl -k 'https://localhost:9200/remote.php/webdav/' -X PROPFIND -u einstein:relativity -v

Expected result

proxy returns 401

Actual result

proxy lets the request through only for reva to authenticate it

A hint that triggers Reva to resolve this authentication request is the fact that it is aware of the Www-Authenticate header:

~/code/refs/reva master
❯ curl -k 'https://localhost:9200/remote.php/webdav/' -X PROPFIND -v
*   Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 9200 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: O=Acme Corp; CN=OCIS
*  start date: Aug 19 08:07:34 2021 GMT
*  expire date: Aug 19 08:07:34 2022 GMT
*  issuer: O=Acme Corp; CN=OCIS
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> PROPFIND /remote.php/webdav/ HTTP/1.1
> Host: localhost:9200
> User-Agent: curl/7.64.1
> Accept: */*
>
< HTTP/1.1 401 Unauthorized
< Content-Length: 0
< Date: Thu, 02 Sep 2021 14:44:48 GMT
< Www-Authenticate: Basic realm="localhost:9200"
< Www-Authenticate: Bearer realm="localhost:9200"
<
* Connection #0 to host localhost left intact
* Closing connection 0
@refs refs added the Type:Bug label Sep 2, 2021
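A proxy-side check of the kind the expected result above calls for, as an added example (not oCIS or Reva code): when basic auth is disabled, a request that carries an Authorization: Basic header is answered with 401 by the proxy itself instead of being forwarded to Reva, and the challenge advertises only the Bearer scheme. The handler name, the stub backend and its 207 stand-in reply are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// basicAuthGate wraps next and, when basic auth is disabled, answers any
// request carrying an "Authorization: Basic ..." header with 401 itself
// instead of forwarding it to the backend (Reva) for authentication.
func basicAuthGate(enableBasicAuth bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		authz := r.Header.Get("Authorization")
		if !enableBasicAuth && strings.HasPrefix(strings.ToLower(authz), "basic ") {
			// Advertise only the scheme that is actually enabled.
			w.Header().Set("Www-Authenticate", `Bearer realm="`+r.Host+`"`)
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// probe sends a PROPFIND with the given Authorization header through the gate
// in front of a stub backend that always answers 207, and returns the status.
func probe(enableBasicAuth bool, authorization string) (int, string) {
	backend := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusMultiStatus) // stand-in for Reva's 207 reply
	})
	req := httptest.NewRequest("PROPFIND", "https://localhost:9200/remote.php/webdav/", nil)
	if authorization != "" {
		req.Header.Set("Authorization", authorization)
	}
	rec := httptest.NewRecorder()
	basicAuthGate(enableBasicAuth, backend).ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Www-Authenticate")
}

func main() {
	// Constructed header: base64("einstein:relativity"), as seen in the curl output.
	basic := "Basic ZWluc3RlaW46cmVsYXRpdml0eQ=="
	for _, enabled := range []bool{false, true} {
		code, challenge := probe(enabled, basic)
		fmt.Printf("PROXY_ENABLE_BASIC_AUTH=%v -> %d %q\n", enabled, code, challenge)
	}
}
```

A request without any Authorization header still reaches the backend, so Reva keeps producing its own 401 challenge for the unauthenticated case.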

refs commented Sep 2, 2021

The question is where we want to solve this, or rather, get to the bottom of why we have this inconsistency.

cc @wkloucek

@refs refs changed the title Proxy accepts basic auth requests Proxy accepts basic auth requests even when PROXY_ENABLE_BASIC_AUTH is false Sep 2, 2021
@wkloucek
Contributor

Couldn't reproduce it anymore on latest master... Seems to be fixed in #2528?

curl -k 'https://ocis.ocis-traefik.latest.owncloud.works/remote.php/webdav/' -X PROPFIND -u einstein:relativity -v

*   Trying 188.34.207.175:443...
* Connected to ocis.ocis-traefik.latest.owncloud.works (188.34.207.175) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=ocis.ocis-traefik.latest.owncloud.works
*  start date: Aug 21 14:03:44 2021 GMT
*  expire date: Nov 19 14:03:43 2021 GMT
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Server auth using Basic with user 'einstein'
* Using Stream ID: 1 (easy handle 0x559e291749a0)
> PROPFIND /remote.php/webdav/ HTTP/2
> Host: ocis.ocis-traefik.latest.owncloud.works
> authorization: Basic ZWluc3RlaW46cmVsYXRpdml0eQ==
> user-agent: curl/7.79.1
> accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
< HTTP/2 401 
< date: Thu, 30 Sep 2021 05:40:14 GMT
< content-length: 0
< 
* Connection #0 to host ocis.ocis-traefik.latest.owncloud.works left intact

@wkloucek
Contributor

With latest master I can use basic auth again without explicitly enabling it:

curl -k 'https://ocis.ocis-traefik.latest.owncloud.works/remote.php/webdav/' -X PROPFIND -u einstein:relativity -v
*   Trying 188.34.207.175:443...
* Connected to ocis.ocis-traefik.latest.owncloud.works (188.34.207.175) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=ocis.ocis-traefik.latest.owncloud.works
*  start date: Aug 21 14:03:44 2021 GMT
*  expire date: Nov 19 14:03:43 2021 GMT
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Server auth using Basic with user 'einstein'
* Using Stream ID: 1 (easy handle 0x559e019a29a0)
> PROPFIND /remote.php/webdav/ HTTP/2
> Host: ocis.ocis-traefik.latest.owncloud.works
> authorization: Basic ZWluc3RlaW46cmVsYXRpdml0eQ==
> user-agent: curl/7.79.1
> accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
< HTTP/2 207 
< access-control-allow-origin: *
< access-control-expose-headers: Tus-Resumable, Tus-Version, Tus-Extension
< content-security-policy: default-src 'none';
< content-type: application/xml; charset=utf-8
< date: Mon, 11 Oct 2021 15:16:36 GMT
< dav: 1, 3, extended-mkcol
< tus-extension: creation,creation-with-upload
< tus-resumable: 1.0.0
< tus-version: 1.0.0
< vary: Origin
< x-access-token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.….DNb_KPKrZuA4bb2dfLophekDub8gdrLnFL1L8FGLoi8
< x-content-type-options: nosniff
< x-download-options: noopen
< x-frame-options: SAMEORIGIN
< x-permitted-cross-domain-policies: none
< x-robots-tag: none
< x-xss-protection: 1; mode=block
< content-length: 796
< 
* Connection #0 to host ocis.ocis-traefik.latest.owncloud.works left intact
<?xml version="1.0" encoding="utf-8"?><d:multistatus xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns" xmlns:oc="http://owncloud.org/ns"><d:response><d:href>/remote.php/webdav/</d:href><d:propstat><d:prop><oc:id>MTI4NGQyMzgtYWE5Mi00MmNlLWJkYzQtMGIwMDAwMDA5MTU3OjEzYzZlZGUwLTJmOWEtNDQyNi1hMjgyLTJiZmQ1ZTI1NTZjOQ==</oc:id><oc:fileid>MTI4NGQyMzgtYWE5Mi00MmNlLWJkYzQtMGIwMDAwMDA5MTU3OjEzYzZlZGUwLTJmOWEtNDQyNi1hMjgyLTJiZmQ1ZTI1NTZjOQ==</oc:fileid><d:getetag>&#34;7b8fc72b17d832dfbdfb070a9b59d460&#34;</d:getetag><oc:permissions>RDNVCK</oc:permissions><d:resourcetype><d:collection/></d:resourcetype><oc:size>0</oc:size><d:getlastmodified>Mon, 11 Oct 2021 14:09:32 GMT</d:getlastmodified><oc:favorite>0</oc:favorite></d:prop><d:status>HTTP/1.1 200 OK</d:status></d:propstat></d:response></d:multistatus>%   
