issue2550837 - New option for web auth (also http header passing)

Implement experimental support to allow tracker to use an alternate
authentication variable replacing ROUNDUP_USER. Also add -I option to
roundup-server to whitelist HTTP headers that should be passed through
to the tracker.

Author: rouilj

CHANGES.txt

@@ -178,6 +178,10 @@ Features:
   translations from https://sourceforge.net/p/roundup/code/merge-requests/3/
   (John Rouillard. DE translations by Tobias Herp.)
 - send_message now allows setting authid to set source of email. (John Rouillard)
+- issue2550837 - New option for web auth (also http header passing).
+  Allow admin to configure authentication header replacing the default
+  REMOTE_USER. Also allow arbitrary headers to be passed to the
+  tracker when using roundup-serverbhind a proxy.
 
 2020-07-13 2.0.0
 

doc/admin_guide.txt

@@ -208,7 +208,8 @@ Roundup identifies users in a number of ways:
    Authentication or cookie authentication. If you are running the web
    server (roundup-server) through another HTTP server (eg. apache or IIS)
    then that server may require HTTP Basic Authentication, and it will pass
-   the ``REMOTE_USER`` variable through to Roundup. If this variable is not
+   the ``REMOTE_USER`` variable (or variable defined using
+   http_auth_header) through to Roundup. If this variable is not
    present, then Roundup defaults to using its own cookie-based login
    mechanism.
 2. In email messages handled by roundup-mailgw, users are identified by the
@@ -228,6 +229,47 @@ Email Registration
 More information about how to customise your tracker's security settings
 may be found in the `customisation documentation`_.
 
+Configuring Authentication Header/Variable
+------------------------------------------
+
+The front end server running roundup can perform the user
+authentication. It pass the authenticated username to the backend in a
+variable. By default roundup looks for the ``REMOTE_USER`` variable
+This can be changed by setting the parameter ``http_auth_header`` in the
+``[web]`` section of the tracker's ``config.ini`` file. If the value
+is unset (the default) the REMOTE_USER variable is used.
+
+If you are running roundup using ``roundup-server`` behind a proxy
+that authenticates the user you need to configure ``roundup-server`` to
+pass the proper header to the tracker. By default ``roundup-server``
+looks for the ``REMOTE_USER`` header for the authenticated user.  You
+can copy an arbitrary header variable to the tracker using the ``-I``
+option to roundup-server (or the equivalent option in the
+roundup-server config file).
+
+For example to use the ``uid_variable`` header, two configuration
+changes are needed: First configure ``roundup-server`` to pass the
+header to the tracker using::
+
+  roundup-server -I uid_variable ....
+
+note that the header is passed exactly as supplied by the upstream
+server. It is **not** prefixed with ``HTTP_`` like other headers since
+you are explicitly whitelisting the header. Multiple comma separated
+headers can be passed to the ``-I`` option. These could be used in a
+detector or other tracker extensions, but only one header can be used
+by the tracker as an authentication header.
+
+To make the tracker honor the new variable changing the tracker
+``config.ini`` to read::
+
+  [web]
+  ...
+  http_auth_header = uid_variable
+
+At the time this is written, support is experimental. If you use it
+you should notify the roundup maintainers using the roundup-users
+mailing list.
 
 Tasks
 =====

doc/upgrading.txt

@@ -109,6 +109,47 @@ install setuptools.  Use the version packgaged by your OS vendor.  If
 your OS vendor doesn't supply setuptools use ``pip install
 setuptools``. (You may need pip3 rather than pip if using python3.)
 
+Define Authentication Header
+----------------------------
+
+The front end server running roundup can perform the user
+authentication. It pass the authenticated username to the backend in a
+variable. By default roundup looks for the ``REMOTE_USER`` variable
+This can be changed by setting the parameter ``http_auth_header`` in the
+``[web]`` section of the tracker's ``config.ini`` file. If the value
+is unset (the default) the REMOTE_USER variable is used.
+
+If you are running roundup using ``roundup-server`` behind a proxy
+that authenticates the user you need to configure ``roundup-server`` to
+pass the proper header to the tracker. By default ``roundup-server``
+looks for the ``REMOTE_USER`` header for the authenticated user.  You
+can copy an arbitrary header variable to the tracker using the ``-I``
+option to roundup-server (or the equivalent option in the
+roundup-server config file).
+
+For example to use the ``uid_variable`` header, two configuration
+changes are needed: First configure ``roundup-server`` to pass the
+header to the tracker using::
+
+  roundup-server -I uid_variable ....
+
+note that the header is passed exactly as supplied by the upstream
+server. It is **not** prefixed with ``HTTP_`` like other headers since
+you are explicitly whitelisting the header. Multiple comma separated
+headers can be passed to the ``-I`` option. These could be used in a
+detector or other tracker extensions, but only one header can be used
+by the tracker as an authentication header.
+
+To make the tracker honor the new variable changing the tracker
+``config.ini`` to read::
+
+  [web]
+  ...
+  http_auth_header = uid_variable
+
+At the time this is written, support is experimental. If you use it
+you should notify the roundup maintainers using the roundup-users
+mailing list.
 
 Classname Format Enforced
 -------------------------

roundup/cgi/client.py

@@ -997,17 +997,18 @@ def determine_user(self):
         user = None
         # first up, try http authorization if enabled
         cfg = self.instance.config
+        remote_user_header = cfg.WEB_HTTP_AUTH_HEADER or 'REMOTE_USER'
         if cfg.WEB_COOKIE_TAKES_PRECEDENCE:
             user = self.session_api.get('user')
             if user:
                 # update session lifetime datestamp
                 self.session_api.update()
-                if 'REMOTE_USER' in self.env:
-                    del self.env['REMOTE_USER']
+                if remote_user_header in self.env:
+                    del self.env[remote_user_header]
         if not user and cfg.WEB_HTTP_AUTH:
-            if 'REMOTE_USER' in self.env:
+            if remote_user_header in self.env:
                 # we have external auth (e.g. by Apache)
-                user = self.env['REMOTE_USER']
+                user = self.env[remote_user_header]
                 if cfg.WEB_HTTP_AUTH_CONVERT_REALM_TO_LOWERCASE and '@' in user:
                     u, d = user.split ('@', 1)
                     user = '@'.join ((u, d.lower()))

roundup/configuration.py

@@ -836,10 +836,16 @@ def str2value(self, value):
             "trust *all* users uploading content to your tracker."),
         (BooleanOption, 'http_auth', "yes",
             "Whether to use HTTP Basic Authentication, if present.\n"
-            "Roundup will use either the REMOTE_USER or HTTP_AUTHORIZATION\n"
+            "Roundup will use either the REMOTE_USER (the value set \n"
+            "by http_auth_header) or HTTP_AUTHORIZATION\n"
             "variables supplied by your web server (in that order).\n"
             "Set this option to 'no' if you do not wish to use HTTP Basic\n"
             "Authentication in your web interface."),
+        (Option, "http_auth_header", "",
+            "The HTTP header that holds the user authentication information.\n"
+            "If empty (default) the REMOTE_USER header is used.\n"
+            "This is used when the upstream HTTP server authenticates\n"
+            "the user and passes the username using this HTTP header."),
         (BooleanOption, 'http_auth_convert_realm_to_lowercase', "no",
             "If usernames consist of a name and a domain/realm part of\n"
             "the form user@realm and we're using REMOTE_USER for\n"

roundup/scripts/roundup_server.py

@@ -406,6 +406,12 @@ def inner_run_cgi(self):
         if co:
             env['HTTP_COOKIE'] = ', '.join(co)
         env['HTTP_AUTHORIZATION'] = self.headers.get('authorization')
+        # self.CONFIG['INCLUDE_HEADERS'] is a list.
+        for h in self.CONFIG['INCLUDE_HEADERS']:
+            env[h] = self.headers.get(h, None)
+            # if header is MISSING
+            if env[h] is None:
+                del(env[h])
         env['SCRIPT_NAME'] = ''
         env['SERVER_NAME'] = self.server.server_name
         env['SERVER_PORT'] = str(self.server.server_port)
@@ -626,6 +632,12 @@ class ServerConfig(configuration.Config):
             (configuration.NullableFilePathOption, "pem", "",
                 "PEM file used for SSL. A temporary self-signed certificate\n"
                 "will be used if left blank."),
+            (configuration.WordListOption, "include_headers", "",
+                "Comma separated list of extra headers that should\n"
+                "be copied into the CGI environment.\n"
+                "E.G. if you want to acces the REMOTE_USER and\n"
+                "X-Proxy-User headers in the back end,\n"
+                "set to the value REMOTE_USER,X-Proxy-User."),
         )),
         ("trackers", (), "Roundup trackers to serve.\n"
             "Each option in this section defines single Roundup tracker.\n"
@@ -650,6 +662,7 @@ class ServerConfig(configuration.Config):
         "loghttpvialogger": 'L',
         "ssl": "s",
         "pem": "e:",
+        "include_headers": "I:",
     }
 
     def __init__(self, config_file=None):
@@ -864,6 +877,7 @@ def usage(message=''):
                connections, defaults to localhost, use 0.0.0.0 to bind
                to all network interfaces
  -p <port>     set the port to listen on (default: %(port)s)
+ -I <header1[,header2]*> list of headers to pass to the backend
  -l <fname>    log to the file indicated by fname instead of stderr/stdout
  -N            log client machine names instead of IP addresses (much slower)
  -i <fname>    set tracker index template