
http authentication not disabled when using --auth-type=http_x_remote_user

Open grunlab opened this issue 4 years ago • 10 comments

Use case:

I'm trying to configure radicale this way:

  • single user usage (user=adrien)
  • basic auth managed at reverse-proxy level, with the user name forwarded to radicale once authentication is done.
  • disable the login/passwd prompt at radicale level <-- this is my issue ... see below

Radicale is running in a docker container deployed on top of a kubernetes cluster. Traefik is used as the edge router to access the apps running in the cluster.

Radicale config:

python3 -m radicale --server-hosts=0.0.0.0:5232 --auth-type=http_x_remote_user --storage-filesystem-folder=/mnt/collections --logging-level=info

Authentication type set to http_x_remote_user in order to:

  • get the authenticated user name from the X-Remote-User header set by Traefik
  • disable the http authentication at radicale level

Traefik config:

  • Middleware basicAuth radicale-basic-auth configured to manage login/password at Traefik level and forward the authenticated user name to radicale in the X-Remote-User header:
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: radicale-basic-auth
  namespace: radicale-p
spec:
  basicAuth:
    secret: radicale-basic-auth
    headerField: X-Remote-User
  • IngressRoute configured to access the radicale app in the cluster with the radicale-basic-auth middleware activated:
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: radicale
  namespace: radicale-p
spec:
  entryPoints:
    - https
  routes:
  - match: Host(`<my_url>`)
    kind: Rule
    services:
    - name: radicale
      port: 80
    middlewares:
      - name: radicale-basic-auth
  tls:
    certResolver: default

Expected result:

  • Open the app url --> get Traefik login/passwd prompt : OK
  • Check radicale logs to see if user name adrien has been correctly forwarded by traefik to the app --> OK
kubectl logs radicale-7856dd6fcd-hs76h -f
[2020-11-05 22:24:42 +0100] [1] [INFO] Loaded default config
[2020-11-05 22:24:42 +0100] [1] [INFO] Skipped missing config file '/etc/radicale/config'
[2020-11-05 22:24:42 +0100] [1] [INFO] Skipped missing config file '/home/k8s/.config/radicale/config'
[2020-11-05 22:24:42 +0100] [1] [INFO] Loaded arguments
[2020-11-05 22:24:42 +0100] [1] [INFO] Starting Radicale
[2020-11-05 22:24:42 +0100] [1] [INFO] auth type is 'radicale.auth.http_x_remote_user'
[2020-11-05 22:24:42 +0100] [1] [INFO] storage type is 'radicale.storage.multifilesystem'
[2020-11-05 22:24:42 +0100] [1] [INFO] rights type is 'radicale.rights.owner_only'
[2020-11-05 22:24:42 +0100] [1] [INFO] web type is 'radicale.web.internal'
[2020-11-05 22:24:42 +0100] [1] [INFO] Listening on '[0.0.0.0]:5232'
[2020-11-05 22:24:42 +0100] [1] [INFO] Radicale server ready
[2020-11-05 22:24:55 +0100] [1/Thread-7] [INFO] GET request for '/' received from '10.44.0.0' (forwarded by 10.36.0.0) using 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:82.0) Gecko/20100101 Firefox/82.0'
[2020-11-05 22:24:55 +0100] [1/Thread-7] [INFO] Successful login: 'adrien'
[2020-11-05 22:24:55 +0100] [1/Thread-7] [INFO] GET response status for '/' in 0.062 seconds: 302 Found
[2020-11-05 22:24:55 +0100] [1/Thread-8] [INFO] GET request for '/.web' received from '10.44.0.0' (forwarded by 10.36.0.0) using 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:82.0) Gecko/20100101 Firefox/82.0'
[2020-11-05 22:24:55 +0100] [1/Thread-8] [INFO] Successful login: 'adrien'
[2020-11-05 22:24:55 +0100] [1/Thread-8] [INFO] GET response status for '/.web' in 0.033 seconds: 302 Found
[2020-11-05 22:24:55 +0100] [1/Thread-9] [INFO] GET request for '/.web/css/main.css' received from '10.44.0.0' (forwarded by 10.36.0.0) using 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:82.0) Gecko/20100101 Firefox/82.0'
[2020-11-05 22:24:55 +0100] [1/Thread-9] [INFO] Successful login: 'adrien'
[2020-11-05 22:24:55 +0100] [1/Thread-9] [INFO] GET response status for '/.web/css/main.css' in 0.040 seconds: 200 OK
  • check the radicale collections to see if the adrien folder exists --> OK
kubectl exec -ti radicale-7856dd6fcd-hs76h -- ls -l /mnt/collections/collection-root
total 4
drwxr-xr-x 2 k8s k8s 4096 nov.   5 21:12 adrien
  • http authentication disabled at radicale level --> KO ... I'm not able to get the radicale login/passwd prompt disabled!

Did I miss something in the configuration, or is there a bug somewhere?

Thank you for your support

grunlab avatar Nov 05 '20 21:11 grunlab

I also ran into this problem. I worked around it by just curl-ing the CalDAV and CardDAV commands.

aerusso avatar Dec 26 '20 21:12 aerusso

Same case here as detailed by @grunlab.

jtorrex avatar Jan 24 '21 02:01 jtorrex

Seems like you can log in with any username and password. And even though it says "logged in as xyz", the effective user is always the one from X-Remote-User. No security issue here but confusing UX.

timakro avatar Aug 16 '21 09:08 timakro

Yes, confusing GUI.

chris2fr avatar Oct 08 '22 13:10 chris2fr

Agreed, something happens here. The user seems logged in, but the web UI requires another login (useless). Works though. Just confusing and ugly.

gardiol avatar Jan 11 '24 14:01 gardiol