diff --git a/doc/annotated_wsgidav.conf b/doc/annotated_wsgidav.conf index 6851730f..26f9e4f9 100644 --- a/doc/annotated_wsgidav.conf +++ b/doc/annotated_wsgidav.conf @@ -244,6 +244,10 @@ acceptbasic = True # Allow basic authentication, True or False acceptdigest = True # Allow digest authentication, True or False defaultdigest = True # True (default digest) or False (default basic) +# Enter the name of a header field that will be accepted as authorized user. +# Including quotes, for example: trusted_auth_header = "REMOTE_USER" +trusted_auth_header = None + #=============================================================================== # Domain Controller diff --git a/tests/wsgidav-client-test.conf b/tests/wsgidav-client-test.conf index 3c334f99..ec93bc86 100644 --- a/tests/wsgidav-client-test.conf +++ b/tests/wsgidav-client-test.conf @@ -195,6 +195,7 @@ addShare("dav", "~/wsgidav_test") acceptbasic = True # Allow basic authentication, True or False acceptdigest = True # Allow digest authentication, True or False defaultdigest = True # True (default digest) or False (default basic) +trusted_auth_header = None #=============================================================================== diff --git a/wsgidav.conf b/wsgidav.conf index a1371814..9321cc66 100644 --- a/wsgidav.conf +++ b/wsgidav.conf @@ -114,6 +114,9 @@ acceptbasic = True # Allow basic authentication, True or False acceptdigest = True # Allow digest authentication, True or False defaultdigest = True # True (default digest) or False (default basic) +# Enter the name of a header field that will be accepted as authorized user. +# Including quotes, for example: trusted_auth_header = "REMOTE_USER" +trusted_auth_header = None #domaincontroller = # Uncomment this line to specify your own domain controller # Default: wsgidav.domain_controller, which uses the USERS diff --git a/wsgidav.conf.sample b/wsgidav.conf.sample index 1a162521..a82af73f 100644 --- a/wsgidav.conf.sample +++ b/wsgidav.conf.sample @@ -144,6 +144,9 @@ acceptbasic = True # Allow basic authentication, True or False acceptdigest = True # Allow digest authentication, True or False defaultdigest = True # True (default digest) or False (default basic) +# Enter the name of a header field that will be accepted as authorized user. +# Including quotes, for example: trusted_auth_header = "REMOTE_USER" +trusted_auth_header = None #domaincontroller = # Uncomment this line to specify your own domain controller # Default: wsgidav.domain_controller, which uses the USERS diff --git a/wsgidav/http_authenticator.py b/wsgidav/http_authenticator.py index fc7a4498..ef4f5568 100644 --- a/wsgidav/http_authenticator.py +++ b/wsgidav/http_authenticator.py @@ -146,6 +146,7 @@ def __init__(self, application, config): self._acceptbasic = config.get("acceptbasic", True) self._acceptdigest = config.get("acceptdigest", True) self._defaultdigest = config.get("defaultdigest", True) + self._trusted_auth_header = config.get("trusted_auth_header", None) self._noncedict = dict([]) self._headerparser = re.compile(r"([\w]+)=([^,]*),") @@ -183,6 +184,14 @@ def __call__(self, environ, start_response): environ["http_authenticator.username"] = "" return self._application(environ, start_response) + if self._trusted_auth_header and environ.get(self._trusted_auth_header): + # accept a username that was injected by a trusted upstream server + _logger.debug("Accept trusted username %s='%s'for realm '%s'" + % (self._trusted_auth_header, environ.get(self._trusted_auth_header), realmname)) + environ["http_authenticator.realm"] = realmname + environ["http_authenticator.username"] = environ.get(self._trusted_auth_header) + return self._application(environ, start_response) + if "HTTP_AUTHORIZATION" in environ: authheader = environ["HTTP_AUTHORIZATION"] authmatch = self._headermethod.search(authheader) diff --git a/wsgidav/wsgidav_app.py b/wsgidav/wsgidav_app.py index 8be720ea..ff2ac867 100644 --- a/wsgidav/wsgidav_app.py +++ b/wsgidav/wsgidav_app.py @@ -88,6 +88,7 @@ "acceptbasic": True, # Allow basic authentication, True or False "acceptdigest": True, # Allow digest authentication, True or False "defaultdigest": True, # True (default digest) or False (default basic) + "trusted_auth_header": None, # Name of a header field that will be accepted as authorized user # Error printer options "catchall": False,