(dev/core#3416) authx - If Authorization: header is disabled, then ignore it.
#22837
Conversation
|
(Standard links)
|
|
Relatedly (but not necessarily a blocker)... if someone has these 2 layers of authorization, and if they enable On the flip side, if we change the default to I have maybe an emotional attachment to the simplicity of supporting standard HTTP auth by default, but realistically -- we don't actually support it out-of-the-box right now (user/pass support is opt-in b/c the security community's general enthusiasm for it is a bit weak). So maybe it's not really worth trying to support the standard as the default mode... In which case it would make sense to change the default to |
|
Hi @totten , Many thanks for this PR. Re the default for Thinking aloud now... Or perhaps when the extension is enabled, it could check for the presence of the |
|
Messaging would be great - but we'd probably have to add some new mechanism (akin to The idea of setting |
|
Hi Tim, The code for setting authx_header_cred during installation worked well in my testing, where I enabled the extension through the UI with an Authorization header vs through cv. A possible small edge case that doesn't seem very important: if the extension has previously been installed & configured and then uninstalled, its settings remain. If While testing, I ran across an issue with the default for |
|
I've also ran into this scenario with some work on a site behind basic auth. Just wanted to confirm that applying the patch has resolved this issue, thanks for the patch! |
|
civibot, test this please |
|
I opened a Gitlab issue for this before this PR was pointed out to me: https://lab.civicrm.org/dev/core/-/issues/3416 |
totten
changed the title
Authorization: header is disabled, then ignore it.Authorization: header is disabled, then ignore it.
ext/authx/authx.php
Outdated
| if (empty($_SERVER['HTTP_AUTHORIZATION']) && !Civi::settings()->getExplicit('authx_header_cred')) { | ||
| Civi::settings()->set('authx_header_cred', ['jwt', 'api_key']); |
There was a problem hiding this comment.
(@davejenx) If
authx_header_credhad been explicitly set to an empty array and then the extension is re-enabled from cli (
Ah, I see what you're saying. getExplicit('authx_header_cred') could return NULL or [] (ie "not explicitly set" or "empty leftover from previous installation*). Both are FALSE-ish.
I'm a little torn:
- The intent of this line is "if it's not explicitly set, then set it". That would be better reflected by checking
NULL === Civi::settings()->getExplict(...). - There's a bigger issue around
disable/uninstall/settings. Comparingdisable/uninstall, a major goal ofuninstallis to wipe the slate clean -- uninstall should wipe the settings. But I think it's quite rare for anyone to implementhook_uninstalland cleanup old settings.
If there was a general fix for uninstall/settings, then this conditional wouldn't matter.
I think maybe I erred in putting this under hook_install. Rather, hook_enable is probably a better fit. (To wit: This check should run for both new/clean-installs and existing/dirty re-activations. And it should be a NULL check.)
There was a problem hiding this comment.
I'll rebase/revise/r-run a couple of those edge-cases for the install-logic. After that, I'll add merge ready (since the main logic worked for @davejenx and @MattTrim1)
…ored completely. This means that the request is effectively anonymous -- the same as it would be if you had not sent an `Authorization:` header.
…ons with other tests
…'s plausible conflict
Some deployments may have two layers of authorization:
(1) A generic/site-wide HTTP basic check (perhaps to prevent search-engines
from finding the site; perhaps enforced by a reverse proxy)
(2) A Civi or CMS credential (eg session-cookie, ?_authx, or X-Civi-Auth:)
Authx sits in layer 2. It should enable HTTP `Authorization:` handling
if-and-only-if there is NOT a pre-existing `Authorization:` mechanism.
To test this, I enabled the extension over APIv3 REST -- with/without a superfluous header:
```
curl -X POST -d 'entity=Extension&action=enable&json=%7B%22keys%22%3A%22authx%22%7D&api_key=FIXME_USER_KEY&key=FIXME_SITE_KEY' \
'http://dmaster.127.0.0.1.nip.io:8001/sites/all/modules/civicrm/extern/rest.php'
curl -X POST -H 'Authorization: Bearer superfluous' -d 'entity=Extension&action=enable&json=%7B%22keys%22%3A%22authx%22%7D&api_key=FIXME_USER_KEY&key=FIXME_SITE_KEY' \
'http://dmaster.127.0.0.1.nip.io:8001/sites/all/modules/civicrm/extern/rest.php'
```
totten
force-pushed
the
master-authx-ignore-header
branch
from
f666d01
to
2a62e03
Compare
|
Rebased. Retested. |
totten
added
merge ready
|
jenkins retest this please. Disk issue? Warning: file_get_contents(/home/jenkins/bknix-dfl/build/core-22837-1fyax/web/sites/all/modules/civicrm/sql/test_data.mysql): Failed to open stream |
I think the cleanup job kicked in a bit too early and deleted the job while it was running. |
|
It looks like this may still be an issue in 5.57.0. Using Cloudways with Digital Ocean, when creating a Staging instance, they set a Basic Auth username/password by default for the site. After authentication to the site through the Basic Auth piece, the main WordPress site worked but the CiviCRM part returned Since AuthX is required by civiimport, org.civicrm.afform, and org.civicrm.afform_admin and Form Builder and Form Core seem to be the forward direction for Civi, it makes it a little difficult to simply disable the AuthX extension. |
|
@composerjk Yeah, I agree that disabling authx probably isn't a long-term resolution. But within I'm not familiar with Cloudways, but you mention "creating a staging instance". Is the issue like this?
FWIW, for a specific site/one-off fix, you might address by either:
Of course, it's better if we can find a more general resolution... |
|
Thanks, @totten! That's helpful. I'm just testing Cloudways, at the moment, for our nonprofit to see if it might be a reasonable hosting option. I believe your description of the "creating a staging instance" is probably similar to what they do behind the scenes for the 1-click create staging feature. I can choose to disable the Basic Auth option, but seemed like it was worth reporting. The I hadn't yet configured any aspect of If we go with Cloudways, I will likely suggest having an option to add some notes when the staging server is created to remind folk to access appropriate URLs to reset caches and paths. Or an option to have some commands run on the server after creation to do so. Cloudways is mostly a layer on top of other cloud services; in this case, managing a Digital Ocean droplet, I believe. |
|
Just flagging I'm still seeing this as well and the cv vset authx_header_cred=[] works. Note error message observed on CiviCRM screens is "HTTP 401 Invalid credential" - just to make finding this again easier! |
Overview
Suppose a deployment has two layers of authorization:
?_authx, orX-Civi-Auth:)You would want to configure
authxto ignore layer (1)'sAuthorization:header -- while still checking some other layer (2) credential (eg?_authx=Bearer+ASDF). In this case, you would configureauthxto disable header support (egauthx_header_cred=[]).This PR is based on the problem+solution reported by @davejenx via Mattermost. It adds test-coverage.
Before
You can configure
authx_header_cred=[], but requests are rejected because it still evaluates theAuthorization:header.After
It only evaluates
Authorization:if it's enabled. If it's disabled, then it's ignored.