From 2a62e03cbe95009ec3b6612c3aaede6ded690587 Mon Sep 17 00:00:00 2001
From: Tim Otten
Date: Tue, 1 Mar 2022 15:07:19 -0800
Subject: [PATCH] authx_civicrm_enable - Don't enable `Authorization:` headers if there's plausible conflict

Some deployments may have two layers of authorization:

(1) A generic/site-wide HTTP basic check (perhaps to prevent search-engines from finding the site; perhaps enforced by a reverse proxy)
(2) A Civi or CMS credential (eg session-cookie, ?_authx, or X-Civi-Auth:)

Authx sits in layer 2. It should enable HTTP `Authorization:` handling if-and-only-if there is NOT a pre-existing `Authorization:` mechanism.

To test this, I enabled the extension over APIv3 REST -- with/without a superfluous header:

```
curl -X POST -d 'entity=Extension&action=enable&json=%7B%22keys%22%3A%22authx%22%7D&api_key=FIXME_USER_KEY&key=FIXME_SITE_KEY' \
  'http://dmaster.127.0.0.1.nip.io:8001/sites/all/modules/civicrm/extern/rest.php'
curl -X POST -H 'Authorization: Bearer superfluous' -d 'entity=Extension&action=enable&json=%7B%22keys%22%3A%22authx%22%7D&api_key=FIXME_USER_KEY&key=FIXME_SITE_KEY' \
  'http://dmaster.127.0.0.1.nip.io:8001/sites/all/modules/civicrm/extern/rest.php'
```
---
 ext/authx/authx.php                  | 8 ++++++++
 ext/authx/settings/authx.setting.php | 2 +-
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/ext/authx/authx.php b/ext/authx/authx.php
index ff3958a870..01642b67da 100644
--- a/ext/authx/authx.php
+++ b/ext/authx/authx.php
@@ -138,6 +138,7 @@ function authx_civicrm_config(&$config) {
  */
 function authx_civicrm_install() {
   _authx_civix_civicrm_install();
+
 }
 
 /**
@@ -165,6 +166,13 @@ function authx_civicrm_uninstall() {
  */
 function authx_civicrm_enable() {
   _authx_civix_civicrm_enable();
+  // If the system is already using HTTP `Authorization:` headers before installation/re-activation, then
+  // it's probably an extra/independent layer of security.
+  // Only activate support for `Authorization:` if this looks like a clean/amenable environment.
+  // @link https://github.com/civicrm/civicrm-core/pull/22837
+  if (empty($_SERVER['HTTP_AUTHORIZATION']) && NULL === Civi::settings()->getExplicit('authx_header_cred')) {
+    Civi::settings()->set('authx_header_cred', ['jwt', 'api_key']);
+  }
 }
 
 /**
diff --git a/ext/authx/settings/authx.setting.php b/ext/authx/settings/authx.setting.php
index 67d20f82a2..6beacd6722 100644
--- a/ext/authx/settings/authx.setting.php
+++ b/ext/authx/settings/authx.setting.php
@@ -94,7 +94,7 @@ $_authx_settings = function() {
   $s['authx_legacyrest_cred']['default'] = ['jwt', 'api_key'];
   $s['authx_legacyrest_user']['default'] = 'require';
   $s['authx_param_cred']['default'] = ['jwt', 'api_key'];
-  $s['authx_header_cred']['default'] = ['jwt', 'api_key'];
+  $s['authx_header_cred']['default'] = []; /* @see \authx_civicrm_install() */
   $s['authx_xheader_cred']['default'] = ['jwt', 'api_key'];
   $s['authx_pipe_cred']['default'] = ['jwt', 'api_key'];
 
-- 
2.25.1
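Review bot: The probe `if (empty($_SERVER['HTTP_AUTHORIZATION']) && ...)` in `authx_civicrm_enable()` is a weak signal for exactly the deployment the commit message describes, because an `Authorization:` header consumed by a reverse proxy or by Apache basic auth typically never reaches PHP as `HTTP_AUTHORIZATION` (mod_php exposes it as `PHP_AUTH_USER`/`PHP_AUTH_PW`, and CGI/FPM setups commonly drop it unless it is forwarded as `REDIRECT_HTTP_AUTHORIZATION` or via `CGIPassAuth`). Widening the condition to `if (empty($_SERVER['HTTP_AUTHORIZATION']) && empty($_SERVER['REDIRECT_HTTP_AUTHORIZATION']) && !isset($_SERVER['PHP_AUTH_USER']) && NULL === Civi::settings()->getExplicit('authx_header_cred'))` would cover the common Apache variants. The heuristic is also only evaluable when the extension is enabled over HTTP; from cv/drush there is no request, so header credentials are always switched on, and the comment should state that, e.g. `// Heuristic: only meaningful when enabling over HTTP; CLI installs always opt in.`. Since a wrong guess is persisted as an explicit setting, it would help to log or report the decision during enable so an administrator can revert it.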
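Review bot: Changing the default of `authx_header_cred` to `[]` silently disables `Authorization:` header credentials for existing sites on upgrade, because the only code in this patch that writes the explicit value lives in `authx_civicrm_enable()`, which, as far as this patch shows, does not re-run for an already-enabled extension; unless an upgrade step outside this patch seeds the explicit value, API clients using `Authorization: Bearer` would start failing. A one-off upgrader that stores the former default `['jwt', 'api_key']` as the explicit value when `getExplicit('authx_header_cred')` is NULL would preserve behaviour for those installs. Separately, the new comment points at the wrong hook — `authx_civicrm_install()` only gained a blank line in this patch — and should read `/* @see \authx_civicrm_enable() */`.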