diff --git a/docs/configuration.rst b/docs/configuration.rst index e26180382..7ffab20d7 100644 --- a/docs/configuration.rst +++ b/docs/configuration.rst @@ -192,7 +192,17 @@ PAPERLESS_ENABLE_HTTP_REMOTE_USER= applications. Defaults to `false` which disables this feature. - + +PAPERLESS_HTTP_REMOTE_USER_HEADER_NAME= + If `PAPERLESS_ENABLE_HTTP_REMOTE_USER` is enabled, this property allows to + customize the name of the HTTP header from which the authenticated username + is extracted. Values are in terms of + [HttpRequest.META](https://docs.djangoproject.com/en/3.1/ref/request-response/#django.http.HttpRequest.META). + Thus, the configured value must start with `HTTP_` followed by the + normalized actual header name. + + Defaults to `HTTP_REMOTE_USER`. + .. _configuration-ocr: OCR settings diff --git a/src/documents/tests/test_auth.py b/src/documents/tests/test_auth.py new file mode 100644 index 000000000..82b586f7b --- /dev/null +++ b/src/documents/tests/test_auth.py @@ -0,0 +1,66 @@ +from django.contrib.auth.models import User +from django.test import override_settings, Client, modify_settings, TestCase + + +class TestRemoteUserAuthentication(TestCase): + + def test_no_remote_user_auth(self): + client = Client() + + response = client.get("/api/documents/") + self.assertEqual(response.status_code, 401) + + response = client.get("/api/documents/", HTTP_REMOTE_USER="someone") + self.assertEqual(response.status_code, 401) + + response = client.get("/api/documents/", HTTP_X_FORWARDED_USER="someone") + self.assertEqual(response.status_code, 401) + + @modify_settings( + MIDDLEWARE={ + 'append': 'paperless.auth.HttpRemoteUserMiddleware' + }, + AUTHENTICATION_BACKENDS={ + 'prepend': 'django.contrib.auth.backends.RemoteUserBackend' + } + ) + def test_standard_remote_user_auth(self): + client = Client() + + response = client.get("/api/documents/") + self.assertEqual(response.status_code, 401) + + response = client.get("/api/documents/", HTTP_X_FORWARDED_USER="someone") + self.assertEqual(response.status_code, 401) + + self.assertFalse(User.objects.filter(username="someone").exists()) + + response = client.get("/api/documents/", HTTP_REMOTE_USER="someone") + self.assertEqual(response.status_code, 200) + + self.assertTrue(User.objects.filter(username="someone").exists()) + + @modify_settings( + MIDDLEWARE={ + 'append': 'paperless.auth.HttpRemoteUserMiddleware' + }, + AUTHENTICATION_BACKENDS={ + 'prepend': 'django.contrib.auth.backends.RemoteUserBackend' + } + ) + @override_settings(HTTP_REMOTE_USER_HEADER_NAME="HTTP_X_FORWARDED_USER") + def test_custom_remote_user_auth(self): + client = Client() + + response = client.get("/api/documents/") + self.assertEqual(response.status_code, 401) + + response = client.get("/api/documents/", HTTP_REMOTE_USER="someone") + self.assertEqual(response.status_code, 401) + + self.assertFalse(User.objects.filter(username="someone").exists()) + + response = client.get("/api/documents/", HTTP_X_FORWARDED_USER="someone") + self.assertEqual(response.status_code, 200) + + self.assertTrue(User.objects.filter(username="someone").exists()) diff --git a/src/paperless/auth.py b/src/paperless/auth.py index cd717e56b..3bc6344cd 100644 --- a/src/paperless/auth.py +++ b/src/paperless/auth.py @@ -33,5 +33,4 @@ class HttpRemoteUserMiddleware(RemoteUserMiddleware): """ This class allows authentication via HTTP_REMOTE_USER which is set for example by certain SSO applications. """ - - header = 'HTTP_REMOTE_USER' + header = settings.HTTP_REMOTE_USER_HEADER_NAME diff --git a/src/paperless/settings.py b/src/paperless/settings.py index 8cc12c1ff..3330da19c 100644 --- a/src/paperless/settings.py +++ b/src/paperless/settings.py @@ -189,6 +189,7 @@ if AUTO_LOGIN_USERNAME: MIDDLEWARE.insert(_index+1, 'paperless.auth.AutoLoginMiddleware') ENABLE_HTTP_REMOTE_USER = __get_boolean("PAPERLESS_ENABLE_HTTP_REMOTE_USER") +HTTP_REMOTE_USER_HEADER_NAME = os.getenv("PAPERLESS_HTTP_REMOTE_USER_HEADER_NAME", "HTTP_REMOTE_USER") if ENABLE_HTTP_REMOTE_USER: MIDDLEWARE.append(