lib/http: disable automatic authentication skipping for unix sockets

Disabling the authentication for unix sockets makes it impossible to use `rclone serve` behind a proxy that that communicates with rclone via a unix socket. Re-enabling the authentication should not have any effect on most users of unix sockets as they do not set authentication up with a unix socket anyway.
2024-11-07 09:04:52 +01:00 · 2024-10-10 14:42:42 -03:00 · 2024-10-10 14:42:42 -03:00 · 29fd894189
commit 29fd894189
parent 175aa07cdd
4 changed files with 80 additions and 51 deletions
--- a/lib/http/context.go
+++ b/lib/http/context.go
@ -36,12 +36,6 @@ func IsAuthenticated(r *http.Request) bool {
 	return false
 }

-// IsUnixSocket checks if the request was received on a unix socket, used to skip auth & CORS
-func IsUnixSocket(r *http.Request) bool {
-	v, _ := r.Context().Value(ctxKeyUnixSock).(bool)
-	return v
-}
-
 // PublicURL returns the URL defined in NewBaseContext, used for logging & CORS
 func PublicURL(r *http.Request) string {
 	v, _ := r.Context().Value(ctxKeyPublicURL).(string)
--- a/lib/http/middleware.go
+++ b/lib/http/middleware.go
@ -57,11 +57,6 @@ func NewLoggedBasicAuthenticator(realm string, secrets goauth.SecretProvider) *L
 func basicAuth(authenticator *LoggedBasicAuth) func(next http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			// skip auth for unix socket
-			if IsUnixSocket(r) {
-				next.ServeHTTP(w, r)
-				return
-			}
 			// skip auth for CORS preflight
 			if r.Method == "OPTIONS" {
 				next.ServeHTTP(w, r)
@ -123,11 +118,6 @@ func MiddlewareAuthBasic(user, pass, realm, salt string) Middleware {
 func MiddlewareAuthCustom(fn CustomAuthFn, realm string, userFromContext bool) Middleware {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			// skip auth for unix socket
-			if IsUnixSocket(r) {
-				next.ServeHTTP(w, r)
-				return
-			}
 			// skip auth for CORS preflight
 			if r.Method == "OPTIONS" {
 				next.ServeHTTP(w, r)
@ -175,11 +165,6 @@ func MiddlewareCORS(allowOrigin string) Middleware {

 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			// skip cors for unix sockets
-			if IsUnixSocket(r) {
-				next.ServeHTTP(w, r)
-				return
-			}

 			if allowOrigin != "" {
 				w.Header().Add("Access-Control-Allow-Origin", allowOrigin)
--- a/lib/http/server.go
+++ b/lib/http/server.go
@ -39,8 +39,7 @@ If you set ` + "`--{{ .Prefix }}addr`" + ` to listen on a public or LAN accessib
 then using Authentication is advised - see the next section for info.

 You can use a unix socket by setting the url to ` + "`unix:///path/to/socket`" + `
-or just by using an absolute path name. Note that unix sockets bypass the
-authentication - this is expected to be done with file system permissions.
+or just by using an absolute path name.

 ` + "`--{{ .Prefix }}addr`" + ` may be repeated to listen on multiple IPs/ports/sockets.
 Socket activation, described further below, can also be used to accomplish the same.
--- a/lib/http/server_test.go
+++ b/lib/http/server_test.go
@ -3,6 +3,7 @@ package http
 import (
 	"context"
 	"crypto/tls"
+	"fmt"
 	"io"
 	"net"
 	"net/http"
@ -63,20 +64,66 @@ func testReadTestdataFile(t *testing.T, path string) []byte {
 }

 func TestNewServerUnix(t *testing.T) {
-	ctx := context.Background()
-
 	tempDir := t.TempDir()
 	path := filepath.Join(tempDir, "rclone.sock")

-	cfg := DefaultCfg()
-	cfg.ListenAddr = []string{path}
-
-	auth := AuthConfig{
+	servers := []struct {
+		name   string
+		status int
+		result string
+		cfg    Config
+		auth   AuthConfig
+		user   string
+		pass   string
+	}{
+		{
+			name:   "ServerWithoutAuth/NoCreds",
+			status: http.StatusOK,
+			result: "hello world",
+			cfg: Config{
+				ListenAddr: []string{path},
+			},
+		}, {
+			name:   "ServerWithAuth/NoCreds",
+			status: http.StatusUnauthorized,
+			cfg: Config{
+				ListenAddr: []string{path},
+			},
+			auth: AuthConfig{
 				BasicUser: "test",
 				BasicPass: "test",
+			},
+		}, {
+			name:   "ServerWithAuth/GoodCreds",
+			status: http.StatusOK,
+			result: "hello world",
+			cfg: Config{
+				ListenAddr: []string{path},
+			},
+			auth: AuthConfig{
+				BasicUser: "test",
+				BasicPass: "test",
+			},
+			user: "test",
+			pass: "test",
+		}, {
+			name:   "ServerWithAuth/BadCreds",
+			status: http.StatusUnauthorized,
+			cfg: Config{
+				ListenAddr: []string{path},
+			},
+			auth: AuthConfig{
+				BasicUser: "test",
+				BasicPass: "test",
+			},
+			user: "testBAD",
+			pass: "testBAD",
+		},
 	}

-	s, err := NewServer(ctx, WithConfig(cfg), WithAuth(auth))
+	for _, ss := range servers {
+		t.Run(ss.name, func(t *testing.T) {
+			s, err := NewServer(context.Background(), WithConfig(ss.cfg), WithAuth(ss.auth))
 			require.NoError(t, err)
 			defer func() {
 				require.NoError(t, s.Shutdown())
@ -86,23 +133,27 @@ func TestNewServerUnix(t *testing.T) {

 			require.Empty(t, s.URLs(), "unix socket should not appear in URLs")

-	expected := []byte("hello world")
-	s.Router().Mount("/", testEchoHandler(expected))
+			s.Router().Mount("/", testEchoHandler([]byte(ss.result)))
 			s.Serve()

 			client := testNewHTTPClientUnix(path)
 			req, err := http.NewRequest("GET", "http://unix", nil)
 			require.NoError(t, err)

+			req.SetBasicAuth(ss.user, ss.pass)
+
 			resp, err := client.Do(req)
 			require.NoError(t, err)
+			defer func() {
+				_ = resp.Body.Close()
+			}()

-	testExpectRespBody(t, resp, expected)
+			require.Equal(t, ss.status, resp.StatusCode, fmt.Sprintf("should return status %d", ss.status))

-	require.Equal(t, http.StatusOK, resp.StatusCode, "unix sockets should ignore auth")
-
-	for _, key := range _testCORSHeaderKeys {
-		require.NotContains(t, resp.Header, key, "unix sockets should not be sent CORS headers")
+			if ss.result != "" {
+				testExpectRespBody(t, resp, []byte(ss.result))
+			}
+		})
 	}
 }