From 7b56ad9dad620cb359b128e83b7a5aa49067dacb Mon Sep 17 00:00:00 2001 From: Michael Shamoon <4887959+nikonratm@users.noreply.github.com> Date: Sun, 3 Jan 2021 00:37:19 -0800 Subject: [PATCH 1/2] Allow authentication via HTTP_REMOTE_USER --- docs/configuration.rst | 18 ++++++++++++------ paperless.conf.example | 1 + src/paperless/auth.py | 19 +++++++++++++++++++ src/paperless/settings.py | 7 +++++++ 4 files changed, 39 insertions(+), 6 deletions(-) diff --git a/docs/configuration.rst b/docs/configuration.rst index 5ccb80b3a..c72027574 100644 --- a/docs/configuration.rst +++ b/docs/configuration.rst @@ -162,6 +162,12 @@ PAPERLESS_COOKIE_PREFIX= Defaults to ``""``, which does not alter the cookie names. +PAPERLESS_ENABLE_HTTP_REMOTE_USER= + Allows authentication via HTTP_REMOTE_USER which is used by some SSO + applications. + + Defaults to `false` which disables this feature. + .. _configuration-ocr: OCR settings @@ -210,20 +216,20 @@ PAPERLESS_OCR_MODE= into images and puts the OCRed text on top. This works for all documents, however, the resulting document may be significantly larger and text won't appear as sharp when zoomed in. - + The default is ``skip``, which only performs OCR when necessary and always creates archived documents. PAPERLESS_OCR_OUTPUT_TYPE= Specify the the type of PDF documents that paperless should produce. - + * ``pdf``: Modify the PDF document as little as possible. * ``pdfa``: Convert PDF documents into PDF/A-2b documents, which is a subset of the entire PDF specification and meant for storing documents long term. * ``pdfa-1``, ``pdfa-2``, ``pdfa-3`` to specify the exact version of PDF/A you wish to use. - + If not specified, ``pdfa`` is used. Remember that paperless also keeps the original input file as well as the archived version. 
@@ -275,9 +281,9 @@ PAPERLESS_OCR_USER_ARG= .. code:: json - {"deskew": true, "optimize": 3, "unpaper_args": "--pre-rotate 90"} - - + {"deskew": true, "optimize": 3, "unpaper_args": "--pre-rotate 90"} + + Software tweaks ############### diff --git a/paperless.conf.example b/paperless.conf.example index 139453cf3..c55b7f5f4 100644 --- a/paperless.conf.example +++ b/paperless.conf.example @@ -31,6 +31,7 @@ #PAPERLESS_STATIC_URL=/static/ #PAPERLESS_AUTO_LOGIN_USERNAME= #PAPERLESS_COOKIE_PREFIX= +#PAPERLESS_ENABLE_HTTP_REMOTE_USER=false # OCR settings diff --git a/src/paperless/auth.py b/src/paperless/auth.py index ece5d0eba..d92dc7671 100644 --- a/src/paperless/auth.py +++ b/src/paperless/auth.py @@ -2,6 +2,7 @@ from django.conf import settings from django.contrib.auth.models import User from django.utils.deprecation import MiddlewareMixin from rest_framework import authentication +from rest_framework import exceptions class AutoLoginMiddleware(MiddlewareMixin): @@ -26,3 +27,21 @@ class AngularApiAuthenticationOverride(authentication.BaseAuthentication): return (user, None) else: return None + + +class HttpRemoteUserAuthentication(authentication.BaseAuthentication): + """ This class allows authentication via HTTP_REMOTE_USER which is set for + example by certain SSO applications. + """ + + def authenticate(self, request): + username = request.META.get('HTTP_REMOTE_USER') + if not username: + return None + + try: + user = User.objects.get(username=username) + except User.DoesNotExist: + raise exceptions.AuthenticationFailed('No such user') + + return (user, None) diff --git a/src/paperless/settings.py b/src/paperless/settings.py index 5af1be85e..f522c4c0b 100644 --- a/src/paperless/settings.py +++ b/src/paperless/settings.py 
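Review bot: `HttpRemoteUserAuthentication.authenticate` accepts `request.META['HTTP_REMOTE_USER']` as proof of identity, but every `HTTP_*` key in `META` is filled from a request header. The value is therefore only trustworthy when a front-end proxy always overwrites or strips `Remote-User` (and the underscore spelling `Remote_User`, which normalises to the same key) and the application is not reachable around that proxy. The class docstring and the `PAPERLESS_ENABLE_HTTP_REMOTE_USER` entry in docs/configuration.rst should state that precondition, for example `Only enable this behind a reverse proxy that sets or removes this header on every request.` The lookup also returns the user without checking `is_active`, so a deactivated account still authenticates; add `if not user.is_active: raise exceptions.AuthenticationFailed('User inactive or deleted')` after the `try` block. The same header trust applies to `header = 'HTTP_REMOTE_USER'` in the auth.py hunk of patch 2/2.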
@@ -112,6 +112,13 @@ if DEBUG: 'paperless.auth.AngularApiAuthenticationOverride' ) +ENABLE_HTTP_REMOTE_USER = __get_boolean("PAPERLESS_ENABLE_HTTP_REMOTE_USER") + +if ENABLE_HTTP_REMOTE_USER: + REST_FRAMEWORK['DEFAULT_AUTHENTICATION_CLASSES'].append( + 'paperless.auth.HttpRemoteUserAuthentication' + ) + MIDDLEWARE = [ 'django.middleware.security.SecurityMiddleware', 'whitenoise.middleware.WhiteNoiseMiddleware', From 426ad30a52a5326d808ab1ba242d97ab85cc9d4d Mon Sep 17 00:00:00 2001 From: Michael Shamoon <4887959+nikonratm@users.noreply.github.com> Date: Sun, 3 Jan 2021 21:21:39 -0800 Subject: [PATCH 2/2] Refactor to extend RemoteUserMiddleware & add authentication for Django --- src/paperless/auth.py | 16 +++------------- src/paperless/settings.py | 21 ++++++++++++++------- 2 files changed, 17 insertions(+), 20 deletions(-) diff --git a/src/paperless/auth.py b/src/paperless/auth.py index d92dc7671..cd717e56b 100644 --- a/src/paperless/auth.py +++ b/src/paperless/auth.py @@ -2,7 +2,7 @@ from django.conf import settings from django.contrib.auth.models import User from django.utils.deprecation import MiddlewareMixin from rest_framework import authentication -from rest_framework import exceptions +from django.contrib.auth.middleware import RemoteUserMiddleware class AutoLoginMiddleware(MiddlewareMixin): @@ -29,19 +29,9 @@ class AngularApiAuthenticationOverride(authentication.BaseAuthentication): return None -class HttpRemoteUserAuthentication(authentication.BaseAuthentication): +class HttpRemoteUserMiddleware(RemoteUserMiddleware): """ This class allows authentication via HTTP_REMOTE_USER which is set for example by certain SSO applications. """ - def authenticate(self, request): - username = request.META.get('HTTP_REMOTE_USER') - if not username: - return None - - try: - user = User.objects.get(username=username) - except User.DoesNotExist: - raise exceptions.AuthenticationFailed('No such user') - - return (user, None) + header = 'HTTP_REMOTE_USER' 
diff --git a/src/paperless/settings.py b/src/paperless/settings.py index dd0d4a7d9..afbc667e0 100644 --- a/src/paperless/settings.py +++ b/src/paperless/settings.py @@ -115,13 +115,6 @@ if DEBUG: 'paperless.auth.AngularApiAuthenticationOverride' ) -ENABLE_HTTP_REMOTE_USER = __get_boolean("PAPERLESS_ENABLE_HTTP_REMOTE_USER") - -if ENABLE_HTTP_REMOTE_USER: - REST_FRAMEWORK['DEFAULT_AUTHENTICATION_CLASSES'].append( - 'paperless.auth.HttpRemoteUserAuthentication' - ) - MIDDLEWARE = [ 'django.middleware.security.SecurityMiddleware', 'whitenoise.middleware.WhiteNoiseMiddleware', @@ -135,6 +128,20 @@ MIDDLEWARE = [ 'django.middleware.clickjacking.XFrameOptionsMiddleware', ] +ENABLE_HTTP_REMOTE_USER = __get_boolean("PAPERLESS_ENABLE_HTTP_REMOTE_USER") + +if ENABLE_HTTP_REMOTE_USER: + MIDDLEWARE.append( + 'paperless.auth.HttpRemoteUserMiddleware' + ) + AUTHENTICATION_BACKENDS = [ + 'django.contrib.auth.backends.RemoteUserBackend', + 'django.contrib.auth.backends.ModelBackend' + ] + REST_FRAMEWORK['DEFAULT_AUTHENTICATION_CLASSES'].append( + 'rest_framework.authentication.RemoteUserAuthentication' + ) + ROOT_URLCONF = 'paperless.urls' FORCE_SCRIPT_NAME = os.getenv("PAPERLESS_FORCE_SCRIPT_NAME")
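Review bot: `rest_framework.authentication.RemoteUserAuthentication` reads `request.META['REMOTE_USER']` by default, while `HttpRemoteUserMiddleware` in this series reads `HTTP_REMOTE_USER`, so the API class appended here does not look at the header the feature is built around. API requests would then presumably authenticate only through the session the middleware creates. A small subclass with `header = 'HTTP_REMOTE_USER'`, referenced here instead, would keep both layers on the same source. Separately, `django.contrib.auth.backends.RemoteUserBackend` creates a `User` for any unknown name it receives (`create_unknown_user` defaults to `True`), which silently drops the 'No such user' rejection from patch 1/2. If auto-provisioning is not intended, point `AUTHENTICATION_BACKENDS` at a subclass that sets `create_unknown_user = False`, and document the behaviour either way.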