[jira] [Resolved] (COUCHDB-1320) OAuth authentication doesn't work with VHost entry
[ https://issues.apache.org/jira/browse/COUCHDB-1320?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Filipe Manana resolved COUCHDB-1320.

    Resolution: Fixed
    Fix Version/s: 1.2
    Assignee: Filipe Manana (was: Benoit Chesneau)

Fix applied to master and 1.2.x

> OAuth authentication doesn't work with VHost entry
> --
> Key: COUCHDB-1320
> URL: https://issues.apache.org/jira/browse/COUCHDB-1320
> Project: CouchDB
> Issue Type: Bug
> Components: HTTP Interface
> Affects Versions: 1.1
> Environment: Ubuntu
> Reporter: Martin Higham
> Assignee: Filipe Manana
> Fix For: 1.2
> Attachments: Fix-OAuth-that-broke-with-vhost.patch, fdmanana-0001-Fix-OAuth-authentication-with-VHosts-URL-rewriting.patch
>
> If you have a vhost entry that modifies the path (such as my host.com = /mainDB/_design/main/_rewrite ) trying to authenticate a request to this host using OAuth fails.
> couch_httpd_oauth uses the modified path rather than the original x-couchdb-vhost-path when calculating the signature.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
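The failure reported in this issue, as an added Python example that is not CouchDB code and not part of the thread: the client signs the path it requested, VHost dispatch hands the handler a prefixed path, and the OAuth 1.0 HMAC-SHA1 signature only verifies when the handler falls back to x-couchdb-vhost-path. The host name, keys, secrets, timestamp, nonce and the request dictionary are constructed, and it is an assumption that dispatch prepends the vhost target to the client's path.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

def pct(s):
    # RFC 5849 percent-encoding: everything except unreserved characters is escaped.
    return quote(s, safe="")

def signature(method, base_url, path, params, consumer_secret, token_secret):
    """HMAC-SHA1 over the OAuth 1.0 signature base string (path carries no query here)."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), pct(base_url + path), pct(normalized)])
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

def path_to_verify(headers, raw_path, patched):
    """Header fallback order from the couch_httpd_oauth.erl hunk; patched=False is the old order."""
    if "x-couchdb-requested-path" in headers:
        return headers["x-couchdb-requested-path"]
    if patched and "x-couchdb-vhost-path" in headers:
        return headers["x-couchdb-vhost-path"]
    return raw_path

def verify(req, secrets, patched):
    path = path_to_verify(req["headers"], req["raw_path"], patched)
    expected = signature(req["method"], req["base_url"], path, req["params"], *secrets)
    return hmac.compare_digest(expected, req["signature"])

# Constructed sample values; only VHOST_TARGET is taken from the issue text.
SECRETS = ("consumer-secret", "token-secret")
PARAMS = {"oauth_consumer_key": "consumer1", "oauth_token": "token1",
          "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1323543952",
          "oauth_nonce": "constructed-nonce", "oauth_version": "1.0"}
BASE_URL, CLIENT_PATH = "http://myhost.example", "/doc1"
VHOST_TARGET = "/mainDB/_design/main/_rewrite"

def dispatched_request():
    """The request as the OAuth handler sees it after VHost dispatch (assumed shape)."""
    return {"method": "GET", "base_url": BASE_URL, "params": PARAMS,
            "raw_path": VHOST_TARGET + CLIENT_PATH,
            "headers": {"x-couchdb-vhost-path": CLIENT_PATH},
            "signature": signature("GET", BASE_URL, CLIENT_PATH, PARAMS, *SECRETS)}

if __name__ == "__main__":
    req = dispatched_request()
    print("old path selection verifies:    ", verify(req, SECRETS, patched=False))
    print("patched path selection verifies:", verify(req, SECRETS, patched=True))
```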
Re: [2/2] git commit: Fix OAuth authentication with VHosts + URL rewriting
what is the point of writing in the process registry?

> On Sat, Dec 10, 2011 at 9:03 PM, fdman...@apache.org wrote:
> Fix OAuth authentication with VHosts + URL rewriting
>
> The OAuth handler was not getting the right path (the one the client used to compute its OAuth signature) to verify the client's signature. The right path is the one from before doing the VHost dispatch.
>
> Secondly, after the OAuth handler succeeds, the rewriter kicks in and calls couch_httpd:handle_request_int/5 with a new mochiweb request which contains the rewritten patch. This will cause all the authentication handlers to run again, which makes the OAuth handler fail this second time because it gets a rewritten patch.
>
> COUCHDB-1320
>
> Project: http://git-wip-us.apache.org/repos/asf/couchdb/repo
> Commit: http://git-wip-us.apache.org/repos/asf/couchdb/commit/b86fa1f6
> Tree: http://git-wip-us.apache.org/repos/asf/couchdb/tree/b86fa1f6
> Diff: http://git-wip-us.apache.org/repos/asf/couchdb/diff/b86fa1f6
> Branch: refs/heads/1.2.x
> Commit: b86fa1f6bedee9d441bf4cac53c2794a60c69216
> Parents: 25754ac
> Author: Filipe David Borba Manana fdman...@apache.org
> Authored: Sat Dec 10 19:05:52 2011 +
> Committer: Filipe David Borba Manana fdman...@apache.org
> Committed: Sat Dec 10 19:40:37 2011 +

-- src/couchdb/couch_httpd.erl | 3 +- src/couchdb/couch_httpd_oauth.erl | 11 +++- src/couchdb/couch_httpd_rewrite.erl | 4 +- test/etap/160-vhosts.t | 89 +- 4 files changed, 102 insertions(+), 5 deletions(-) -- http://git-wip-us.apache.org/repos/asf/couchdb/blob/b86fa1f6/src/couchdb/couch_httpd.erl -- diff --git a/src/couchdb/couch_httpd.erl b/src/couchdb/couch_httpd.erl index 11b0bca..2d4c38d 100644 --- a/src/couchdb/couch_httpd.erl +++ b/src/couchdb/couch_httpd.erl
@@ -298,7 +298,8 @@ handle_request_int(MochiReq, DefaultFun, db_url_handlers = DbUrlHandlers, design_url_handlers = DesignUrlHandlers, default_fun = DefaultFun, - url_handlers = UrlHandlers + url_handlers = UrlHandlers, + user_ctx = erlang:erase(pre_rewrite_user_ctx) }, HandlerFun = couch_util:dict_find(HandlerKey, UrlHandlers, DefaultFun), http://git-wip-us.apache.org/repos/asf/couchdb/blob/b86fa1f6/src/couchdb/couch_httpd_oauth.erl -- diff --git a/src/couchdb/couch_httpd_oauth.erl b/src/couchdb/couch_httpd_oauth.erl index 4d58a88..65304a3 100644 --- a/src/couchdb/couch_httpd_oauth.erl +++ b/src/couchdb/couch_httpd_oauth.erl @@ -133,8 +133,15 @@ serve_oauth(#httpd{mochi_req=MochiReq}=Req, Fun, FailSilently) - % get requested path RequestedPath = case MochiReq:get_header_value(x-couchdb-requested-path) of - undefined - MochiReq:get(raw_path); - RequestedPath0 - RequestedPath0 + undefined - + case MochiReq:get_header_value(x-couchdb-vhost-path) of + undefined - + MochiReq:get(raw_path); + VHostPath - + VHostPath + end; + RequestedPath0 - + RequestedPath0 end, {_, QueryString, _} = mochiweb_util:urlsplit_path(RequestedPath), http://git-wip-us.apache.org/repos/asf/couchdb/blob/b86fa1f6/src/couchdb/couch_httpd_rewrite.erl -- diff --git a/src/couchdb/couch_httpd_rewrite.erl b/src/couchdb/couch_httpd_rewrite.erl index bf93478..c8cab85 100644 --- a/src/couchdb/couch_httpd_rewrite.erl +++ b/src/couchdb/couch_httpd_rewrite.erl @@ -187,8 +187,10 @@ handle_rewrite_req(#httpd{ db_url_handlers = DbUrlHandlers, design_url_handlers = DesignUrlHandlers, default_fun = DefaultFun, - url_handlers = UrlHandlers + url_handlers = UrlHandlers, + user_ctx = UserCtx } = Req, + erlang:put(pre_rewrite_user_ctx, UserCtx), couch_httpd:handle_request_int(MochiReq1, DefaultFun, UrlHandlers, DbUrlHandlers, DesignUrlHandlers) end. http://git-wip-us.apache.org/repos/asf/couchdb/blob/b86fa1f6/test/etap/160-vhosts.t -- 
diff --git a/test/etap/160-vhosts.t b/test/etap/160-vhosts.t index e959f74..0b239a1 100755 --- a/test/etap/160-vhosts.t +++ b/test/etap/160-vhosts.t @@ -52,7 +52,7 @@ admin_user_ctx() - {user_ctx, #user_ctx{roles=[_admin]}}. main(_) - test_util:init_code_path(), - etap:plan(15), + etap:plan(18), case (catch test()) of ok - etap:end_tests(); @@ -135,9 +135,11 @@
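Review bot: In the couch_httpd.erl hunk, user_ctx = erlang:erase(pre_rewrite_user_ctx) depends on a process-dictionary key that is set in a different module, and nothing at this line says so. erlang:erase/1 returns undefined when the key is absent, which is the case for every request that did not come through the rewriter, so a comment here should state that undefined means "not authenticated yet" and that the key is written by couch_httpd_rewrite:handle_rewrite_req.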
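Review bot: In the couch_httpd_oauth.erl hunk, the path the signature is verified against is now read from the x-couchdb-vhost-path request header, with raw_path only as the last fallback, and nothing in the hunk shows that the header was set by the VHost dispatch rather than sent by the client. Please confirm that the dispatch code always overwrites or strips a client-supplied x-couchdb-vhost-path before the auth handlers run, since otherwise the path that was signed and the path that is served can differ, and add a short comment above the nested case stating where the header comes from.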
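Review bot: In the couch_httpd_rewrite.erl hunk, erlang:put(pre_rewrite_user_ctx, UserCtx) has no cleanup on the failure path: the key is only removed by the erlang:erase call inside couch_httpd:handle_request_int, so if that call exits before it builds the #httpd record, the authenticated user_ctx stays in the process dictionary for whatever that process handles next. Wrapping the call in try ... after erlang:erase(pre_rewrite_user_ctx) end, or passing UserCtx as an explicit argument, would remove that dependency.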
Re: [2/2] git commit: Fix OAuth authentication with VHosts + URL rewriting
On Sat, Dec 10, 2011 at 8:08 PM, Benoit Chesneau bchesn...@gmail.com wrote:
> what is the point of writing in the process registry?

To make it simple, not adding a new handle_request_int clause to couch_httpd or a new entry point.

> On Sat, Dec 10, 2011 at 9:03 PM, fdman...@apache.org wrote:
> Fix OAuth authentication with VHosts + URL rewriting
>
> The OAuth handler was not getting the right path (the one the client used to compute its OAuth signature) to verify the client's signature. The right path is the one from before doing the VHost dispatch.
>
> Secondly, after the OAuth handler succeeds, the rewriter kicks in and calls couch_httpd:handle_request_int/5 with a new mochiweb request which contains the rewritten patch. This will cause all the authentication handlers to run again, which makes the OAuth handler fail this second time because it gets a rewritten patch.
>
> COUCHDB-1320
>
> Project: http://git-wip-us.apache.org/repos/asf/couchdb/repo
> Commit: http://git-wip-us.apache.org/repos/asf/couchdb/commit/b86fa1f6
> Tree: http://git-wip-us.apache.org/repos/asf/couchdb/tree/b86fa1f6
> Diff: http://git-wip-us.apache.org/repos/asf/couchdb/diff/b86fa1f6
> Branch: refs/heads/1.2.x
> Commit: b86fa1f6bedee9d441bf4cac53c2794a60c69216
> Parents: 25754ac
> Author: Filipe David Borba Manana fdman...@apache.org
> Authored: Sat Dec 10 19:05:52 2011 +
> Committer: Filipe David Borba Manana fdman...@apache.org
> Committed: Sat Dec 10 19:40:37 2011 +

-- src/couchdb/couch_httpd.erl | 3 +- src/couchdb/couch_httpd_oauth.erl | 11 +++- src/couchdb/couch_httpd_rewrite.erl | 4 +- test/etap/160-vhosts.t | 89 +- 4 files changed, 102 insertions(+), 5 deletions(-) -- http://git-wip-us.apache.org/repos/asf/couchdb/blob/b86fa1f6/src/couchdb/couch_httpd.erl -- diff --git a/src/couchdb/couch_httpd.erl b/src/couchdb/couch_httpd.erl index 11b0bca..2d4c38d 100644 --- a/src/couchdb/couch_httpd.erl +++ b/src/couchdb/couch_httpd.erl
@@ -298,7 +298,8 @@ handle_request_int(MochiReq, DefaultFun, db_url_handlers = DbUrlHandlers, design_url_handlers = DesignUrlHandlers, default_fun = DefaultFun, - url_handlers = UrlHandlers + url_handlers = UrlHandlers, + user_ctx = erlang:erase(pre_rewrite_user_ctx) }, HandlerFun = couch_util:dict_find(HandlerKey, UrlHandlers, DefaultFun), http://git-wip-us.apache.org/repos/asf/couchdb/blob/b86fa1f6/src/couchdb/couch_httpd_oauth.erl -- diff --git a/src/couchdb/couch_httpd_oauth.erl b/src/couchdb/couch_httpd_oauth.erl index 4d58a88..65304a3 100644 --- a/src/couchdb/couch_httpd_oauth.erl +++ b/src/couchdb/couch_httpd_oauth.erl @@ -133,8 +133,15 @@ serve_oauth(#httpd{mochi_req=MochiReq}=Req, Fun, FailSilently) - % get requested path RequestedPath = case MochiReq:get_header_value(x-couchdb-requested-path) of - undefined - MochiReq:get(raw_path); - RequestedPath0 - RequestedPath0 + undefined - + case MochiReq:get_header_value(x-couchdb-vhost-path) of + undefined - + MochiReq:get(raw_path); + VHostPath - + VHostPath + end; + RequestedPath0 - + RequestedPath0 end, {_, QueryString, _} = mochiweb_util:urlsplit_path(RequestedPath), http://git-wip-us.apache.org/repos/asf/couchdb/blob/b86fa1f6/src/couchdb/couch_httpd_rewrite.erl -- diff --git a/src/couchdb/couch_httpd_rewrite.erl b/src/couchdb/couch_httpd_rewrite.erl index bf93478..c8cab85 100644 --- a/src/couchdb/couch_httpd_rewrite.erl +++ b/src/couchdb/couch_httpd_rewrite.erl @@ -187,8 +187,10 @@ handle_rewrite_req(#httpd{ db_url_handlers = DbUrlHandlers, design_url_handlers = DesignUrlHandlers, default_fun = DefaultFun, - url_handlers = UrlHandlers + url_handlers = UrlHandlers, + user_ctx = UserCtx } = Req, + erlang:put(pre_rewrite_user_ctx, UserCtx), couch_httpd:handle_request_int(MochiReq1, DefaultFun, UrlHandlers, DbUrlHandlers, DesignUrlHandlers) end. http://git-wip-us.apache.org/repos/asf/couchdb/blob/b86fa1f6/test/etap/160-vhosts.t -- 
diff --git a/test/etap/160-vhosts.t b/test/etap/160-vhosts.t index e959f74..0b239a1 100755 --- a/test/etap/160-vhosts.t +++ b/test/etap/160-vhosts.t @@ -52,7 +52,7 @@ admin_user_ctx() - {user_ctx, #user_ctx{roles=[_admin]}}.
[jira] [Commented] (COUCHDB-1320) OAuth authentication doesn't work with VHost entry
[ https://issues.apache.org/jira/browse/COUCHDB-1320?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13166968#comment-13166968 ]

Benoit Chesneau commented on COUCHDB-1320:

I don't remember to have time to review it though I like email bump sometimes. Also I don't see why a registry process is used here? What is the reason? Why x-couchdb-vhost-path couldn't have been used for the oauth calculation ?

- benoît

On Sat, Dec 10, 2011 at 9:05 PM, Filipe Manana (Resolved) (JIRA)
Re: [jira] [Commented] (COUCHDB-1320) OAuth authentication doesn't work with VHost entry
On Sat, Dec 10, 2011 at 9:19 PM, Benoit Chesneau (Commented) (JIRA) j...@apache.org wrote:
> [ https://issues.apache.org/jira/browse/COUCHDB-1320?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13166968#comment-13166968 ]
>
> Benoit Chesneau commented on COUCHDB-1320:
>
> I don't remember to have time to review it though I like email bump sometimes. Also I don't see why a registry process is used here? What is the reason?

Saw your answer.

> Why x-couchdb-vhost-path couldn't have been used for the oauth calculation ?

nm. I am just confused by the user_ctx thing I think. Sound really overkill.

- benoît
[jira] [Commented] (COUCHDB-1320) OAuth authentication doesn't work with VHost entry
[ https://issues.apache.org/jira/browse/COUCHDB-1320?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13166972#comment-13166972 ]

Filipe Manana commented on COUCHDB-1320:

> Why x-couchdb-vhost-path couldn't have been used for the oauth calculation ?

Not understanding your question. The changes I made to couch_httpd_oauth.erl make use of the header x-couchdb-vhost-path to compute the OAuth signature.

> nm. I am just confused by the user_ctx thing I think. Sound really overkill.

Overkill in which sense? What's important is passing a user_ctx to the 2nd (post rewrite resolution) couch_httpd:handle_request_int call, so that it doesn't run all the auth handlers again. About using the process dictionary versus a new couch_httpd:handle_request_int function with an extra argument (UserCtx), I don't see any of them overkill compared to the other.
[jira] [Commented] (COUCHDB-1357) Authentication failure after updating password in user document
[ https://issues.apache.org/jira/browse/COUCHDB-1357?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13166981#comment-13166981 ]

Filipe Manana commented on COUCHDB-1357:

Pete, your scenario makes sense. It will cause all database processes to be killed (couch_server dies).

> Authentication failure after updating password in user document
> ---
> Key: COUCHDB-1357
> URL: https://issues.apache.org/jira/browse/COUCHDB-1357
> Project: CouchDB
> Issue Type: Bug
> Affects Versions: 1.1.1
> Reporter: Filipe Manana
> Attachments: 0001-Let-the-credentials-cache-daemon-crash-if-_users-db-.patch
>
> From the report at the users mailing list:
> http://s.apache.org/9OG
> Seems like after updating the password in a user doc, the user is not able to login with the new password unless Couch is restarted. Sounds like a caching issue.
> The only case of getting the cache consistent with the _users database content is if the _users database processes crash and after the crash user documents are updated.
> The cache daemon is ignoring the database crash.
> The following patch updates the daemon to monitor the _users database and crash (letting the supervisor restart it) if the database process crashes.
> Etap test included.
> This might be related to COUCHDB-1212.
[jira] [Updated] (COUCHDB-1357) Authentication failure after updating password in user document
[ https://issues.apache.org/jira/browse/COUCHDB-1357?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Filipe Manana updated COUCHDB-1357:

    Attachment: 0001-Clear-credentials-cache-if-_users-db-crashes.patch

Updated patch to deal with the case where the auth database is modified during run time. When this happens the new database process must be monitored.
Also updated the tests to be more comprehensive.

> Authentication failure after updating password in user document
> ---
> Key: COUCHDB-1357
> URL: https://issues.apache.org/jira/browse/COUCHDB-1357
> Project: CouchDB
> Issue Type: Bug
> Affects Versions: 1.1.1
> Reporter: Filipe Manana
> Attachments: 0001-Clear-credentials-cache-if-_users-db-crashes.patch, 0001-Let-the-credentials-cache-daemon-crash-if-_users-db-.patch
>
> From the report at the users mailing list:
> http://s.apache.org/9OG
> Seems like after updating the password in a user doc, the user is not able to login with the new password unless Couch is restarted. Sounds like a caching issue.
> The only case of getting the cache consistent with the _users database content is if the _users database processes crash and after the crash user documents are updated.
> The cache daemon is ignoring the database crash.
> The following patch updates the daemon to monitor the _users database and crash (letting the supervisor restart it) if the database process crashes.
> Etap test included.
> This might be related to COUCHDB-1212.