From 5f10fc9a61f4fcc45a599ab79685cdb4c7fcf701 Mon Sep 17 00:00:00 2001
From: Bob Mottram <bob@freedombone.net>
Date: Thu, 5 Aug 2021 13:43:21 +0100
Subject: [PATCH] Fix federated shared items authorization

---
 daemon.py | 18 +++++++-----------
 shares.py | 12 +++++++-----
 tests.py  | 17 +++++++++++++++++
 3 files changed, 31 insertions(+), 16 deletions(-)

diff --git a/daemon.py b/daemon.py
index c059f14ce..b13fb092b 100644
--- a/daemon.py
+++ b/daemon.py
@@ -10818,18 +10818,18 @@ class PubServer(BaseHTTPRequestHandler):
             catalogAuthorized = authorized
             if not catalogAuthorized:
                 if self.server.debug:
-                    print('Catalog access is not authorized. Checking' +
-                          'Authorization header')
-                # basic auth access to shared items catalog
+                    print('Catalog access is not authorized. ' +
+                          'Checking Authorization header')
+                # Check the authorization token
                 if self.headers.get('Origin') and \
                    self.headers.get('Authorization'):
                     permittedDomains = \
                         self.server.sharedItemsFederatedDomains
                     sharedItemTokens = self.server.sharedItemFederationTokens
-                    originDomain = self.headers.get('Origin')
                     if authorizeSharedItems(permittedDomains,
                                             self.server.baseDir,
-                                            originDomain,
+                                            self.headers['Origin'],
+                                            callingDomain,
                                             self.headers['Authorization'],
                                             self.server.debug,
                                             sharedItemTokens):
@@ -10838,12 +10838,8 @@ class PubServer(BaseHTTPRequestHandler):
                         print('Authorization token refused for ' +
                               'shared items federation')
                 elif self.server.debug:
-                    if not self.headers.get('Origin'):
-                        print('No Origin header is available for ' +
-                              'shared items federation')
-                    else:
-                        print('No Authorization header is available for ' +
-                              'shared items federation')
+                    print('No Authorization header is available for ' +
+                          'shared items federation')
             # show shared items catalog for federation
             if self._hasAccept(callingDomain) and catalogAuthorized:
                 catalogType = 'json'
diff --git a/shares.py b/shares.py
index 4f35c980f..f6251703c 100644
--- a/shares.py
+++ b/shares.py
@@ -1178,6 +1178,7 @@ def createSharedItemFederationToken(baseDir: str,
 def authorizeSharedItems(sharedItemsFederatedDomains: [],
                          baseDir: str,
                          originDomainFull: str,
+                         callingDomainFull: str,
                          authHeader: str,
                          debug: bool,
                          tokensJson: {} = None) -> bool:
@@ -1189,7 +1190,8 @@ def authorizeSharedItems(sharedItemsFederatedDomains: [],
     if originDomainFull not in sharedItemsFederatedDomains:
         if debug:
             print(originDomainFull +
-                  ' is not in the shared items federation list')
+                  ' is not in the shared items federation list ' +
+                  str(sharedItemsFederatedDomains))
         return False
     if 'Basic ' in authHeader:
         if debug:
@@ -1216,16 +1218,16 @@ def authorizeSharedItems(sharedItemsFederatedDomains: [],
         tokensJson = loadJson(tokensFilename, 1, 2)
     if not tokensJson:
         return False
-    if not tokensJson.get(originDomainFull):
+    if not tokensJson.get(callingDomainFull):
         if debug:
             print('DEBUG: shared item federation token ' +
-                  'check failed for ' + originDomainFull)
+                  'check failed for ' + callingDomainFull)
         return False
-    if not constantTimeStringCheck(tokensJson[originDomainFull],
+    if not constantTimeStringCheck(tokensJson[callingDomainFull],
                                    providedToken):
         if debug:
             print('DEBUG: shared item federation token ' +
-                  'mismatch for ' + originDomainFull)
+                  'mismatch for ' + callingDomainFull)
         return False
     return True
 
diff --git a/tests.py b/tests.py
index f30b984de..e26dc2c29 100644
--- a/tests.py
+++ b/tests.py
@@ -1660,6 +1660,21 @@ def testSharedItemsFederation():
     print('Bob tokens')
     pprint(bobTokens)
 
+    print('\n\n*********************************************************')
+    print('Alice can read the federated shared items catalog of Bob')
+    headers = {
+        'Origin': aliceAddress,
+        'Authorization': bobTokens[bobAddress],
+        'host': bobAddress,
+        'Accept': 'application/json'
+    }
+    url = httpPrefix + '://' + bobAddress + '/catalog'
+    catalogJson = getJson(sessionAlice, url, headers, None, True)
+    assert catalogJson
+    pprint(catalogJson)
+    assert 'DFC:supplies' in catalogJson
+    assert len(catalogJson.get('DFC:supplies')) == 3
+
     # stop the servers
     thrAlice.kill()
     thrAlice.join()
@@ -5099,9 +5114,11 @@ def _testAuthorizeSharedItems():
     assert len(tokensJson['cat.domain']) >= 64
     assert len(tokensJson['birb.domain']) == 0
     assert not authorizeSharedItems(sharedItemsFederatedDomains, None,
+                                    'birb.domain',
                                     'cat.domain', 'M' * 86,
                                     False, tokensJson)
     assert authorizeSharedItems(sharedItemsFederatedDomains, None,
+                                'birb.domain',
                                 'cat.domain', tokensJson['cat.domain'],
                                 False, tokensJson)
     tokensJson = \