From 97f3c214e80ed4a030f88737ac1febf67a672423 Mon Sep 17 00:00:00 2001 From: Simon Taddiken Date: Tue, 2 Mar 2021 09:07:42 +0100 Subject: [PATCH 1/3] Add the possibility to customize the remote user header name Inspired by the discussion here https://github.com/jonaswinkler/paperless-ng/discussions/639#discussion-3242017 it is worthwhile to be able to customize the header name that is used for authentication as its name is not really standardized. --- docs/configuration.rst | 12 +++++++++++- src/paperless/auth.py | 3 +-- src/paperless/settings.py | 1 + 3 files changed, 13 insertions(+), 3 deletions(-) diff --git a/docs/configuration.rst b/docs/configuration.rst index e26180382..d182d589d 100644 --- a/docs/configuration.rst +++ b/docs/configuration.rst @@ -192,7 +192,17 @@ PAPERLESS_ENABLE_HTTP_REMOTE_USER= applications. Defaults to `false` which disables this feature. - + +PAPERLESS_HTTP_REMOTE_USER_HEADER_NAME= + If `PAPERLESS_ENABLE_HTTP_REMOTE_USER` is enabled, this property allows to + customize the name of the HTTP header from which the username is extracted. + Values are in terms of + [HttpRequest.META](https://docs.djangoproject.com/en/3.1/ref/request-response/#django.http.HttpRequest.META). + Thus, the configured value must start with `HTTP_` followed by the + normalized actual header name. + + Defaults to `HTTP_REMOTE_USER`. + .. _configuration-ocr: OCR settings diff --git a/src/paperless/auth.py b/src/paperless/auth.py index cd717e56b..3bc6344cd 100644 --- a/src/paperless/auth.py +++ b/src/paperless/auth.py @@ -33,5 +33,4 @@ class HttpRemoteUserMiddleware(RemoteUserMiddleware): """ This class allows authentication via HTTP_REMOTE_USER which is set for example by certain SSO applications. """ - - header = 'HTTP_REMOTE_USER' + header = settings.HTTP_REMOTE_USER_HEADER_NAME diff --git a/src/paperless/settings.py b/src/paperless/settings.py index 8cc12c1ff..3330da19c 100644 --- a/src/paperless/settings.py +++ b/src/paperless/settings.py @@ -189,6 +189,7 @@ if AUTO_LOGIN_USERNAME: MIDDLEWARE.insert(_index+1, 'paperless.auth.AutoLoginMiddleware') ENABLE_HTTP_REMOTE_USER = __get_boolean("PAPERLESS_ENABLE_HTTP_REMOTE_USER") +HTTP_REMOTE_USER_HEADER_NAME = os.getenv("PAPERLESS_HTTP_REMOTE_USER_HEADER_NAME", "HTTP_REMOTE_USER") if ENABLE_HTTP_REMOTE_USER: MIDDLEWARE.append( From 72ebe7df58313b2dfe861f3557ae44e280d48374 Mon Sep 17 00:00:00 2001 From: Simon Taddiken Date: Tue, 2 Mar 2021 10:21:50 +0100 Subject: [PATCH 2/3] Improve documentation --- docs/configuration.rst | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/configuration.rst b/docs/configuration.rst index d182d589d..7ffab20d7 100644 --- a/docs/configuration.rst +++ b/docs/configuration.rst @@ -193,10 +193,10 @@ PAPERLESS_ENABLE_HTTP_REMOTE_USER= Defaults to `false` which disables this feature. -PAPERLESS_HTTP_REMOTE_USER_HEADER_NAME= +PAPERLESS_HTTP_REMOTE_USER_HEADER_NAME= If `PAPERLESS_ENABLE_HTTP_REMOTE_USER` is enabled, this property allows to - customize the name of the HTTP header from which the username is extracted. - Values are in terms of + customize the name of the HTTP header from which the authenticated username + is extracted. Values are in terms of [HttpRequest.META](https://docs.djangoproject.com/en/3.1/ref/request-response/#django.http.HttpRequest.META). Thus, the configured value must start with `HTTP_` followed by the normalized actual header name. From c7abdb61e889ed928efa0a917d56a1c4a8655f4f Mon Sep 17 00:00:00 2001 From: jonaswinkler <17569239+jonaswinkler@users.noreply.github.com> Date: Tue, 2 Mar 2021 23:19:06 +0100 Subject: [PATCH 3/3] added remote user auth test --- src/documents/tests/test_auth.py | 66 ++++++++++++++++++++++++++++++++ 1 file changed, 66 insertions(+) create mode 100644 src/documents/tests/test_auth.py diff --git a/src/documents/tests/test_auth.py b/src/documents/tests/test_auth.py new file mode 100644 index 000000000..82b586f7b --- /dev/null +++ b/src/documents/tests/test_auth.py @@ -0,0 +1,66 @@ +from django.contrib.auth.models import User +from django.test import override_settings, Client, modify_settings, TestCase + + +class TestRemoteUserAuthentication(TestCase): + + def test_no_remote_user_auth(self): + client = Client() + + response = client.get("/api/documents/") + self.assertEqual(response.status_code, 401) + + response = client.get("/api/documents/", HTTP_REMOTE_USER="someone") + self.assertEqual(response.status_code, 401) + + response = client.get("/api/documents/", HTTP_X_FORWARDED_USER="someone") + self.assertEqual(response.status_code, 401) + + @modify_settings( + MIDDLEWARE={ + 'append': 'paperless.auth.HttpRemoteUserMiddleware' + }, + AUTHENTICATION_BACKENDS={ + 'prepend': 'django.contrib.auth.backends.RemoteUserBackend' + } + ) + def test_standard_remote_user_auth(self): + client = Client() + + response = client.get("/api/documents/") + self.assertEqual(response.status_code, 401) + + response = client.get("/api/documents/", HTTP_X_FORWARDED_USER="someone") + self.assertEqual(response.status_code, 401) + + self.assertFalse(User.objects.filter(username="someone").exists()) + + response = client.get("/api/documents/", HTTP_REMOTE_USER="someone") + self.assertEqual(response.status_code, 200) + + self.assertTrue(User.objects.filter(username="someone").exists()) + + @modify_settings( + MIDDLEWARE={ + 'append': 'paperless.auth.HttpRemoteUserMiddleware' + }, + AUTHENTICATION_BACKENDS={ + 'prepend': 'django.contrib.auth.backends.RemoteUserBackend' + } + ) + @override_settings(HTTP_REMOTE_USER_HEADER_NAME="HTTP_X_FORWARDED_USER") + def test_custom_remote_user_auth(self): + client = Client() + + response = client.get("/api/documents/") + self.assertEqual(response.status_code, 401) + + response = client.get("/api/documents/", HTTP_REMOTE_USER="someone") + self.assertEqual(response.status_code, 401) + + self.assertFalse(User.objects.filter(username="someone").exists()) + + response = client.get("/api/documents/", HTTP_X_FORWARDED_USER="someone") + self.assertEqual(response.status_code, 200) + + self.assertTrue(User.objects.filter(username="someone").exists())