From c00d308fef9b17a3bf7e42dce31616698277c87a Mon Sep 17 00:00:00 2001
From: Ferry Boender
Date: Tue, 25 Apr 2017 08:06:36 +0200
Subject: [PATCH] Allow pre-auth through REMOTE_USER header

Pre-auth looks at the REMOTE_USER header and if it is set, Scriptform performs no validation of the password and just assumes the username is correct. This allows pre-authentication from a front-end such as Apache for HTAUTH, LDAP, OpenID / SSO, etc.
---
 README.md | 7 ++++---
 doc/MANUAL.md | 25 +++++++++++++++++++++++++
 src/webapp.py | 12 +++++++++---
 3 files changed, 38 insertions(+), 6 deletions(-)

diff --git a/README.md b/README.md
index e056f9a..b54e3ca 100644
--- a/README.md
+++ b/README.md
@@ -218,15 +218,16 @@ them in the local directory.
 To run ScriptForm in the foreground, specify the `-f` option.
-If you're going to use basic authentication, you can generate a password for
-your user with the `--generate-pw` option:
+If you're going to use built-in basic authentication, you can generate a
+password for your user with the `--generate-pw` option:
 $ scriptform --generate-pw
 Password:
 Repeat password:
 2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae
-You can paste the generated password into the password field. For more
+You can paste the generated password into the password field. You can also use
+an Apache (or other webserver) frontend for authentication. For more
 information, see the User Manual.
 ## Documentation
diff --git a/doc/MANUAL.md b/doc/MANUAL.md
index e9a8883..bafb9ee 100644
--- a/doc/MANUAL.md
+++ b/doc/MANUAL.md
@@ -51,6 +51,7 @@ This is the manual for version %%VERSION%%.
 - [Passwords](#users_passwords)
 - [Form limiting](#users_formlimit)
 - [Security considerations](#users_security)
+ - [Pre-authentication with Apache](#users_preauth)
 1. [Form customization](#cust)
 - [Custom CSS](#cust_css)
 1. [Security](#security)
@@ -1221,7 +1222,31 @@ For an example, see the [beginning of this chapter](#users).
 *does* support HTTPS, such as Apache. For more information on that, see the
 "Invocations" chapter.
+### Pre-authentication with Apache
+If you're running behind Apache or another webserver, you can use
+features in Apache to do the authentication for you. This allows you to use
+LDAP or OpenID (SSO) authentication.
+
+You must pass the `REMOTE_USER` header (not environment variable!) to
+Scriptform to get this working. For example, in Apache:
+
+ RequestHeader set REMOTE_USER %{REMOTE_USER}s
+
+ Redirect permanent /scriptform /scriptform/
+ ProxyPass /scriptform/ http://localhost:8081/
+ ProxyPassReverse /scriptform/ http://localhost:8081/
+
+ AuthType Basic
+ AuthName "Restricted Files"
+ AuthBasicProvider file
+ AuthUserFile "/var/www/users"
+ Require valid-user
+
+
+If such a header is seen, Scriptform won't perform validation of the password
+and just assumes the username is correct.
 ## Form customization
diff --git a/src/webapp.py b/src/webapp.py
index a794fa7..6476e6d 100644
--- a/src/webapp.py
+++ b/src/webapp.py
@@ -181,13 +181,19 @@ class ScriptFormWebApp(RequestHandler):
 def auth(self):
 """
 Verify that the user is authenticated. This is required if the form
-definition contains a 'users' field. Returns the username if the user
-is validated or None if no validation is required.. Otherwise, raises a
-401 HTTP back to the client.
+definition contains a 'users' field (unless pre-auth from a front-end
+such as Apache is used). Returns the username if the user is validated
+or None if no validation is required. Otherwise, raises a 401 HTTP
+back to the client.
 """
 form_config = self.scriptform.get_form_config()
 username = None
+ # Allow pre-auth from e.g. Apache htauth
+ if 'REMOTE_USER' in self.headers:
+ username = self.headers.get('REMOTE_USER')
+ return self.headers.get('REMOTE_USER')
+
 # If a 'users' element was present in the form configuration file, the
 # user must be authenticated.
 if form_config.users:
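Review bot: The added `REMOTE_USER` check at the top of `auth` trusts a client-controllable request header unconditionally, so any request that reaches the Scriptform listener without going through the header-setting proxy documented in MANUAL.md can supply its own username and skip password validation entirely. The bypass should be opt-in rather than always on: gate it behind an explicit setting the operator enables only when the listener is reachable solely through the proxy, e.g. `if self.scriptform.<PREAUTH_ENABLED_SETTING> and 'REMOTE_USER' in self.headers:` (setting name to be chosen). The pre-authenticated name is also never compared against `form_config.users`, so a username unknown to the form configuration is accepted even when `users` is set; per-user form limiting presumably keys on that name, which is worth confirming. Minor: the assignment to `username` on the line before the `return` is dead, so `return username` reads cleaner. The body of `auth` continues past the hunk.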