Closed Bug 739863 Opened 13 years ago Closed 12 years ago

server-full doesn't look up userid if hosted behind apache auth

Categories

(Cloud Services Graveyard :: Server: Sync, defect)

x86
Linux
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: rfkelly, Assigned: rfkelly)

References

(Depends on 1 open bug)

Details

(Whiteboard: [qa?])

Attachments

(2 files)

If an instance of server-full is hosted behind apache, and apache is set up with do its own authentication, then server-full breaks. It appears to that server-core will accept the REMOTE_USER variable forwarded by apache, but not look up the corresponding userid in the auth database. This results in request.user["userid"] equal to None and all kinds of hilarious database-level errors. This may be worth a fix in server-core, and at the very least needs documenting as a known issue with workaround. We should also put sanity-checks in server-storage so that a userid of None never makes it down to the database.
Whiteboard: [qa?]
Another use was bitten by this last week. I think the most sensible thing to do is to error out if REMOTE_USER is provided by the webserver - it indicates that some other authentication mechanism is also active on this url space, and that's very unlikely to work properly.
Attachment #698501 - Flags: review?(telliott)
So, after working through this with Ryan, I think that there's a client problem, so I'm adding Nick and Richard. In order for us to get the REMOTE_USER variable set before auth, it means that apache has had to go through basic-auth. However, we're using basic auth, so we should be consuming the same header as apache and reaching the same place. That was clearly not the case, based on the reported bug - the basic-auth header used the user's username, not a hash of their email. Here is my best guess as to what happens: Client sends a perfectly normal sync request, with hash and password Apache (pre-sync) does a basic-auth lookup. However, it's not using our auth db, so it gets a bad username/password and returns a standard 401. Firefox gets back a basic-auth request and overrides sync with a cached value in password manager, returning the request with that instead. That passes apache basic-auth, so REMOTE_USER is set and we receive it. Boom There's obviously a server bug that needs to be fixed - if there's not a numeric userid we shouldn't get that far - but I think we should be poking at client as well, since the above is the only explanation I've got. If it was a malformed header (two sets of basic auth credentials), it shouldn't go away when apache basic-auth is turned off.
I seem to recall that user mentioning in passing that they had logged in to their site in Firefox. Necko will certainly use stored credentials: Bug 646628.
Depends on: 646628
Attachment #698501 - Flags: review?(telliott) → review+
Committed in http://hg.mozilla.org/services/server-core/rev/de19cb96e1f1 Is it worth trying to anything more about this on the server side? AFAICT this is the only place that a non-numeric userid might sneak into the system.
*sigh* this patch breaks the metlog testcases in server-storage, since they use REMOTE_USER to circumvent authentication in the tests. Should be a straightforward fix, but it can wait until I'm back from leave...
Assignee: nobody → rfkelly
NOTE TO SELF: I have disabled server-storage in jenkins until I get this fixed, this bug must not be closed until it's re-enabled
This fixes the server-storage tests now that environ["REMOTE_USER"] is not supported.
Attachment #704774 - Flags: review?(rmiller)
Attachment #704774 - Flags: review?(rmiller) → review+
Committed in http://hg.mozilla.org/services/server-storage/rev/a5d73030e7d1 Jenkins re-enabled for server-storage. Tests passing. Let the good times roll. I don't think there's any more we can do server-side to mitigate this issue, so closing the bug.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Product: Cloud Services → Cloud Services Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: