Allow to specify the type of remote authentication

mdellweg · mdellweg · commit d29d56e25d10 · 2024-06-04T22:07:50.000+02:00
When configuring remote authentication (by the reverse proxy), one should be able to augment the openAPI security specification accordingly. fixes pulp#5437
diff --git a/.github/template_gitref b/.github/template_gitref
@@ -1 +1 @@
-2021.08.26-337-g7c7a09a
+2021.08.26-338-g2237db8
diff --git a/.github/workflows/scripts/before_script.sh b/.github/workflows/scripts/before_script.sh
@@ -36,12 +36,6 @@ tail -v -n +1 .ci/ansible/Containerfile
 cmd_prefix bash -c "echo '%wheel        ALL=(ALL)       NOPASSWD: ALL' > /etc/sudoers.d/nopasswd"
 cmd_prefix bash -c "usermod -a -G wheel pulp"
 
-SCENARIOS=("pulp" "performance" "azure" "gcp" "s3" "generate-bindings" "lowerbounds")
-if [[ " ${SCENARIOS[*]} " =~ " ${TEST} " ]]; then
-  # Many functional tests require these
-  cmd_prefix dnf install -yq lsof which
-fi
-
 if [[ "${REDIS_DISABLED:-false}" == true ]]; then
   cmd_prefix bash -c "s6-rc -d change redis"
   echo "The Redis service was disabled for $TEST"
diff --git a/.github/workflows/scripts/install.sh b/.github/workflows/scripts/install.sh
@@ -126,7 +126,7 @@ if [ "$TEST" = "azure" ]; then
       - ./azurite:/etc/pulp\
     command: "azurite-blob --blobHost 0.0.0.0 --cert /etc/pulp/azcert.pem --key /etc/pulp/azkey.pem"' vars/main.yaml
   sed -i -e '$a azure_test: true\
-pulp_scenario_settings: {"domain_enabled": true}\
+pulp_scenario_settings: {"domain_enabled": true, "rest_framework__default_authentication_classes": "@merge pulpcore.app.authentication.PulpRemoteUserAuthentication"}\
 pulp_scenario_env: {"otel_bsp_max_export_batch_size": 1, "otel_bsp_max_queue_size": 1, "otel_exporter_otlp_endpoint": "http://localhost:4318", "otel_exporter_otlp_protocol": "http/protobuf", "otel_metric_export_interval": 800, "pulp_otel_enabled": "true"}\
 ' vars/main.yaml
 fi
diff --git a/CHANGES/.TEMPLATE.rst b/CHANGES/.TEMPLATE.rst
diff --git a/CHANGES/5437.feature b/CHANGES/5437.feature
@@ -0,0 +1,2 @@
+Add ability to configure the openapi schema for remote user authentication via `REMOTE_USER_OPENAPI_SECURITY_SCHEME`.
+It defaults to "mutualTLS" for cert based authentication.
diff --git a/pulpcore/app/settings.py b/pulpcore/app/settings.py
@@ -264,6 +264,7 @@
 TMPFILE_PROTECTION_TIME = 0
 
 REMOTE_USER_ENVIRON_NAME = "REMOTE_USER"
+REMOTE_USER_OPENAPI_SECURITY_SCHEME = {"type": "mutualTLS"}
 
 AUTHENTICATION_JSON_HEADER = ""
 AUTHENTICATION_JSON_HEADER_JQ_FILTER = ""
diff --git a/pulpcore/openapi/__init__.py b/pulpcore/openapi/__init__.py
@@ -521,6 +521,14 @@ def get_schema(self, request=None, public=False):
         return normalize_result_object(result)
 
 
+class PulpRemoteUserAuthenticationScheme(OpenApiAuthenticationExtension):
+    target_class = "pulpcore.app.authentication.PulpRemoteUserAuthentication"
+    name = "RemoteUserAuthentication"
+
+    def get_security_definition(self, auto_schema):
+        return settings.REMOTE_USER_OPENAPI_SECURITY_SCHEME
+
+
 class JSONHeaderRemoteAuthenticationScheme(OpenApiAuthenticationExtension):
     target_class = "pulpcore.app.authentication.JSONHeaderRemoteAuthentication"
     name = "json_header_remote_authentication"
diff --git a/pulpcore/tests/functional/api/test_auth.py b/pulpcore/tests/functional/api/test_auth.py
@@ -14,6 +14,11 @@
 
 
 @pytest.mark.parallel
+@pytest.mark.skipif(
+    "rest_framework.authentication.BasicAuthentication"
+    not in settings.REST_FRAMEWORK["DEFAULT_AUTHENTICATION_CLASSES"],
+    reason="Test can't run unless BasicAuthentication is enabled",
+)
 def test_base_auth_success(pulpcore_bindings, pulp_admin_user):
     """Perform HTTP basic authentication with valid credentials.
 
@@ -27,6 +32,11 @@ def test_base_auth_success(pulpcore_bindings, pulp_admin_user):
 
 
 @pytest.mark.parallel
+@pytest.mark.skipif(
+    "rest_framework.authentication.BasicAuthentication"
+    not in settings.REST_FRAMEWORK["DEFAULT_AUTHENTICATION_CLASSES"],
+    reason="Test can't run unless BasicAuthentication is enabled",
+)
 def test_base_auth_failure(pulpcore_bindings, invalid_user):
     """Perform HTTP basic authentication with invalid credentials.
 
@@ -44,6 +54,11 @@ def test_base_auth_failure(pulpcore_bindings, invalid_user):
 
 
 @pytest.mark.parallel
+@pytest.mark.skipif(
+    "rest_framework.authentication.BasicAuthentication"
+    not in settings.REST_FRAMEWORK["DEFAULT_AUTHENTICATION_CLASSES"],
+    reason="Test can't run unless BasicAuthentication is enabled",
+)
 def test_base_auth_required(pulpcore_bindings, anonymous_user):
     """Perform HTTP basic authentication with no credentials.
 
@@ -63,7 +78,7 @@ def test_base_auth_required(pulpcore_bindings, anonymous_user):
 @pytest.mark.parallel
 @pytest.mark.skipif(
     "django.contrib.auth.backends.RemoteUserBackend" not in settings.AUTHENTICATION_BACKENDS
-    and "pulpcore.app.authentication.JSONHeaderRemoteAuthentication"
+    or "pulpcore.app.authentication.JSONHeaderRemoteAuthentication"
     not in settings.REST_FRAMEWORK["DEFAULT_AUTHENTICATION_CLASSES"],
     reason="Test can't run unless RemoteUserBackend and JSONHeaderRemoteAuthentication are enabled",
 )
@@ -86,7 +101,7 @@ def test_jq_header_remote_auth(pulpcore_bindings, anonymous_user):
 @pytest.mark.parallel
 @pytest.mark.skipif(
     "django.contrib.auth.backends.RemoteUserBackend" not in settings.AUTHENTICATION_BACKENDS
-    and "pulpcore.app.authentication.JSONHeaderRemoteAuthentication"
+    or "pulpcore.app.authentication.JSONHeaderRemoteAuthentication"
     not in settings.REST_FRAMEWORK["DEFAULT_AUTHENTICATION_CLASSES"],
     reason="Test can't run unless RemoteUserBackend and JSONHeaderRemoteAuthentication are enabled",
 )
@@ -115,7 +130,7 @@ def test_jq_header_remote_auth_denied_by_wrong_header(pulpcore_bindings, anonymo
 @pytest.mark.parallel
 @pytest.mark.skipif(
     "django.contrib.auth.backends.RemoteUserBackend" not in settings.AUTHENTICATION_BACKENDS
-    and "pulpcore.app.authentication.JSONHeaderRemoteAuthentication"
+    or "pulpcore.app.authentication.JSONHeaderRemoteAuthentication"
     not in settings.REST_FRAMEWORK["DEFAULT_AUTHENTICATION_CLASSES"],
     reason="Test can't run unless RemoteUserBackend and JSONHeaderRemoteAuthentication are enabled",
 )
diff --git a/pulpcore/tests/functional/api/test_openapi_schema.py b/pulpcore/tests/functional/api/test_openapi_schema.py
@@ -88,12 +88,26 @@ def test_no_dup_operation_ids(pulp_openapi_schema):
     assert len(dup_ids) == 0, f"Duplicate operationIds found: {dup_ids}"
 
 
+@pytest.mark.parallel
+def test_remote_user_auth_security_scheme(pulp_settings, pulp_openapi_schema):
+    if (
+        "pulpcore.app.authentication.PulpRemoteUserAuthentication"
+        not in pulp_settings.REST_FRAMEWORK["DEFAULT_AUTHENTICATION_CLASSES"]
+    ):
+        pytest.skip("Test can't run unless PulpRemoteUserAuthentication is enabled.")
+
+    expected_security_scheme = pulp_settings.REMOTE_USER_OPENAPI_SECURITY_SCHEME
+    security_schemes = pulp_openapi_schema["components"]["securitySchemes"]
+
+    assert security_schemes["remote_user_authentication"] == expected_security_scheme
+
+
 @pytest.mark.parallel
 def test_external_auth_on_security_scheme(pulp_settings, pulp_openapi_schema):
     if (
         "django.contrib.auth.backends.RemoteUserBackend"
         not in pulp_settings.AUTHENTICATION_BACKENDS
-        and "pulpcore.app.authentication.JSONHeaderRemoteAuthentication"
+        or "pulpcore.app.authentication.JSONHeaderRemoteAuthentication"
         not in pulp_settings.REST_FRAMEWORK["DEFAULT_AUTHENTICATION_CLASSES"]
     ):
         pytest.skip(
diff --git a/staging_docs/admin/learn/settings.md b/staging_docs/admin/learn/settings.md
@@ -272,8 +272,8 @@ Defaults to `30` seconds.
 
 ### REMOTE_USER_ENVIRON_NAME
 
-The name of the WSGI environment variable to read for `webserver authentication
-<webserver-authentication>`.
+The name of the WSGI environment variable to read for `webserver authentication <webserver-authentication>`.
+It is only used with the `PulpRemoteUserAuthentication` authentication class.
 
 !!! warning
     Configuring this has serious security implications. See the [Django warning at the end of this
@@ -283,6 +283,14 @@ Defaults to `'REMOTE_USER'`.
 
 
 
+### REMOTE_USER_OPENAPI_SECURITY_SCHEME
+
+A JSON object representing the security scheme advertised for the `PulpRemoteUserAuthentication` authentication class.
+
+Defaults to `{"type": "mutualTLS"}`, which represents x509 certificate based authentication.
+
+
+
 ### ALLOWED_IMPORT_PATHS
 
 One or more real filesystem paths that Remotes with filesystem paths can import from. For example
diff --git a/template_config.yml b/template_config.yml
@@ -71,6 +71,7 @@ pulp_settings:
   upload_protection_time: 10
 pulp_settings_azure:
   domain_enabled: true
+  rest_framework__default_authentication_classes: '@merge pulpcore.app.authentication.PulpRemoteUserAuthentication'
 pulp_settings_gcp: null
 pulp_settings_s3:
   authentication_backends: '@merge django.contrib.auth.backends.RemoteUserBackend'

Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-2021.08.26-337-g7c7a09a`
	`1`	`+2021.08.26-338-g2237db8`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	+Add ability to configure the openapi schema for remote user authentication via `REMOTE_USER_OPENAPI_SECURITY_SCHEME`.
	`2`	`+It defaults to "mutualTLS" for cert based authentication.`