Fix federated shared items authorization

2021-08-05 13:43:21 +01:00 · 2021-08-05 13:43:21 +01:00 · 5f10fc9a61
parent 0f71fae658
commit 5f10fc9a61
3 changed files with 31 additions and 16 deletions
--- a/daemon.py
+++ b/daemon.py
@ -10818,18 +10818,18 @@ class PubServer(BaseHTTPRequestHandler):
            catalogAuthorized = authorized
            if not catalogAuthorized:
                if self.server.debug:
-                    print('Catalog access is not authorized. Checking' +
-                          'Authorization header')
-                # basic auth access to shared items catalog
+                    print('Catalog access is not authorized. ' +
+                          'Checking Authorization header')
+                # Check the authorization token
                if self.headers.get('Origin') and \
                   self.headers.get('Authorization'):
                    permittedDomains = \
                        self.server.sharedItemsFederatedDomains
                    sharedItemTokens = self.server.sharedItemFederationTokens
-                    originDomain = self.headers.get('Origin')
                    if authorizeSharedItems(permittedDomains,
                                            self.server.baseDir,
-                                            originDomain,
+                                            self.headers['Origin'],
+                                            callingDomain,
                                            self.headers['Authorization'],
                                            self.server.debug,
                                            sharedItemTokens):
@ -10838,12 +10838,8 @@ class PubServer(BaseHTTPRequestHandler):
                        print('Authorization token refused for ' +
                              'shared items federation')
                elif self.server.debug:
-                    if not self.headers.get('Origin'):
-                        print('No Origin header is available for ' +
-                              'shared items federation')
-                    else:
-                        print('No Authorization header is available for ' +
-                              'shared items federation')
+                    print('No Authorization header is available for ' +
+                          'shared items federation')
            # show shared items catalog for federation
            if self._hasAccept(callingDomain) and catalogAuthorized:
                catalogType = 'json'
--- a/shares.py
+++ b/shares.py
@ -1178,6 +1178,7 @@ def createSharedItemFederationToken(baseDir: str,
 def authorizeSharedItems(sharedItemsFederatedDomains: [],
                         baseDir: str,
                         originDomainFull: str,
+                         callingDomainFull: str,
                         authHeader: str,
                         debug: bool,
                         tokensJson: {} = None) -> bool:
@ -1189,7 +1190,8 @@ def authorizeSharedItems(sharedItemsFederatedDomains: [],
    if originDomainFull not in sharedItemsFederatedDomains:
        if debug:
            print(originDomainFull +
-                  ' is not in the shared items federation list')
+                  ' is not in the shared items federation list ' +
+                  str(sharedItemsFederatedDomains))
        return False
    if 'Basic ' in authHeader:
        if debug:
@ -1216,16 +1218,16 @@ def authorizeSharedItems(sharedItemsFederatedDomains: [],
        tokensJson = loadJson(tokensFilename, 1, 2)
    if not tokensJson:
        return False
-    if not tokensJson.get(originDomainFull):
+    if not tokensJson.get(callingDomainFull):
        if debug:
            print('DEBUG: shared item federation token ' +
-                  'check failed for ' + originDomainFull)
+                  'check failed for ' + callingDomainFull)
        return False
-    if not constantTimeStringCheck(tokensJson[originDomainFull],
+    if not constantTimeStringCheck(tokensJson[callingDomainFull],
                                   providedToken):
        if debug:
            print('DEBUG: shared item federation token ' +
-                  'mismatch for ' + originDomainFull)
+                  'mismatch for ' + callingDomainFull)
        return False
    return True

--- a/tests.py
+++ b/tests.py
@ -1660,6 +1660,21 @@ def testSharedItemsFederation():
    print('Bob tokens')
    pprint(bobTokens)

+    print('\n\n*********************************************************')
+    print('Alice can read the federated shared items catalog of Bob')
+    headers = {
+        'Origin': aliceAddress,
+        'Authorization': bobTokens[bobAddress],
+        'host': bobAddress,
+        'Accept': 'application/json'
+    }
+    url = httpPrefix + '://' + bobAddress + '/catalog'
+    catalogJson = getJson(sessionAlice, url, headers, None, True)
+    assert catalogJson
+    pprint(catalogJson)
+    assert 'DFC:supplies' in catalogJson
+    assert len(catalogJson.get('DFC:supplies')) == 3
+
    # stop the servers
    thrAlice.kill()
    thrAlice.join()
@ -5099,9 +5114,11 @@ def _testAuthorizeSharedItems():
    assert len(tokensJson['cat.domain']) >= 64
    assert len(tokensJson['birb.domain']) == 0
    assert not authorizeSharedItems(sharedItemsFederatedDomains, None,
+                                    'birb.domain',
                                    'cat.domain', 'M' * 86,
                                    False, tokensJson)
    assert authorizeSharedItems(sharedItemsFederatedDomains, None,
+                                'birb.domain',
                                'cat.domain', tokensJson['cat.domain'],
                                False, tokensJson)
    tokensJson = \