projects / civicrm-core.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 4570ea1)
authx_civicrm_enable - Don't enable `Authorization:` headers if there's plausible...
authorTim Otten <totten@civicrm.org>
Tue, 1 Mar 2022 23:07:19 +0000 (15:07 -0800)
committerTim Otten <totten@civicrm.org>
Tue, 26 Apr 2022 00:48:55 +0000 (17:48 -0700)
Some deployments may have two layers of authorization:

(1) A generic/site-wide HTTP basic check (perhaps to prevent search-engines
    from finding the site; perhaps enforced by a reverse proxy)
(2) A Civi or CMS credential (eg session-cookie, ?_authx, or X-Civi-Auth:)

Authx sits in layer 2.  It should enable HTTP `Authorization:` handling
if-and-only-if there is NOT a pre-existing `Authorization:` mechanism.

To test this, I enabled the extension over APIv3 REST -- with/without a superfluous header:

```
curl -X POST -d 'entity=Extension&action=enable&json=%7B%22keys%22%3A%22authx%22%7D&api_key=FIXME_USER_KEY&key=FIXME_SITE_KEY' \
  'http://dmaster.127.0.0.1.nip.io:8001/sites/all/modules/civicrm/extern/rest.php'

curl -X POST -H 'Authorization: Bearer superfluous' -d 'entity=Extension&action=enable&json=%7B%22keys%22%3A%22authx%22%7D&api_key=FIXME_USER_KEY&key=FIXME_SITE_KEY' \
  'http://dmaster.127.0.0.1.nip.io:8001/sites/all/modules/civicrm/extern/rest.php'
```

ext/authx/authx.php patch | blob | blame | history
ext/authx/settings/authx.setting.php patch | blob | blame | history

diff --git a/ext/authx/authx.php b/ext/authx/authx.php
index ff3958a87007bfe2429644486c715d777b5b0302..01642b67da4756b9fa0f84fe18b3ffa2efc44365 100644 (file)
--- a/ext/authx/authx.php
+++ b/ext/authx/authx.php
@@ -138,6 +138,7 @@ function authx_civicrm_config(&$config) {
  */
 function authx_civicrm_install() {
   _authx_civix_civicrm_install();
+
 }
 
 /**
@@ -165,6 +166,13 @@ function authx_civicrm_uninstall() {
  */
 function authx_civicrm_enable() {
   _authx_civix_civicrm_enable();
+  // If the system is already using HTTP `Authorization:` headers before installation/re-activation, then
+  // it's probably an extra/independent layer of security.
+  // Only activate support for `Authorization:` if this looks like a clean/amenable environment.
+  // @link https://github.com/civicrm/civicrm-core/pull/22837
+  if (empty($_SERVER['HTTP_AUTHORIZATION']) && NULL === Civi::settings()->getExplicit('authx_header_cred')) {
+    Civi::settings()->set('authx_header_cred', ['jwt', 'api_key']);
+  }
 }
 
 /**
diff --git a/ext/authx/settings/authx.setting.php b/ext/authx/settings/authx.setting.php
index 67d20f82a27c4642de9191b33227bbc25dd52e17..6beacd67223dada960910af26f7781bcb5853057 100644 (file)
--- a/ext/authx/settings/authx.setting.php
+++ b/ext/authx/settings/authx.setting.php
@@ -94,7 +94,7 @@ $_authx_settings = function() {
   $s['authx_legacyrest_cred']['default'] = ['jwt', 'api_key'];
   $s['authx_legacyrest_user']['default'] = 'require';
   $s['authx_param_cred']['default'] = ['jwt', 'api_key'];
-  $s['authx_header_cred']['default'] = ['jwt', 'api_key'];
+  $s['authx_header_cred']['default'] = []; /* @see \authx_civicrm_install() */
   $s['authx_xheader_cred']['default'] = ['jwt', 'api_key'];
   $s['authx_pipe_cred']['default'] = ['jwt', 'api_key'];