From 07e2fddf838e61bbf2f48a3284fe2c55fa632668 Mon Sep 17 00:00:00 2001 From: Cody Scott Date: Thu, 9 Mar 2017 11:46:36 -0500 Subject: [PATCH] Working!!! --- README.md | 10 ++++++---- authenticator.py | 10 ++-------- curl.md | 18 ++++++++++++++++++ nginx.conf | 20 +++++++++++++++----- service.py | 1 - 5 files changed, 41 insertions(+), 18 deletions(-) create mode 100644 curl.md diff --git a/README.md b/README.md index da09f9c..1053a5b 100644 --- a/README.md +++ b/README.md @@ -21,10 +21,12 @@ When you login to the auth service it will provide an auth token which will be u ## Adding a new service -Add the nginx config to run the service locally on an available port. -Configure the new service to authenticate via `REMOTE_USER`. -Add the required headers for the service to `authenticator.py` -Restart `nginx`. +- Add the nginx config to run the service locally on an available port. + +- Configure the new service to authenticate via `REMOTE_USER` or +add the required headers for the service to `authenticator.py` and `nginx.conf`. + +- Restart `nginx` to reload the nginx configuration. ## Running diff --git a/authenticator.py b/authenticator.py index e84c2c1..b77807b 100644 --- a/authenticator.py +++ b/authenticator.py @@ -36,12 +36,9 @@ def ValidUser(user, password): @app.route('/', methods=['GET']) def authenticate(): token = request.cookies.get('token') - print(token) if token is None: abort(401) username, password = DecodeToken(token) - print(username) - print(password) if ValidUser(username, password) is not None: # Add headers to be authenticated with services resp = make_response() @@ -54,10 +51,8 @@ def authenticate(): @app.route('/login', methods=['GET', 'POST']) def login(): target = request.headers.get('X-Original-URI', '') - print 'Target: ' + target form = LoginForm(target = target) if form.validate_on_submit(): - print 'inside' username = form.login.data password = form.password.data target = form.target.data 
@@ -65,11 +60,10 @@ def login(): if auth_token: resp = make_response(redirect(target)) resp.set_cookie('token', auth_token) - print "before target" - print target resp.headers['Location'] = target + resp.headers['REMOTE_USER'] = username + resp.headers['X-WEBAUTH-USER'] = username return resp - return render_template('login.html', form=form) diff --git a/curl.md b/curl.md new file mode 100644 index 0000000..118504d --- /dev/null +++ b/curl.md @@ -0,0 +1,18 @@ +This was used to debug the example application. + +```shell +$ curl -v -c cookies.txt -b cookies.txt http://$IP_ADDRESS:8081 +$ ls +cookies.txt +$ cat cookies.txt +# Netscape HTTP Cookie File +# https://curl.haxx.se/docs/http-cookies.html +# This file was generated by libcurl! Edit at your own risk. + +#HttpOnly_192.168.1.107 FALSE / FALSE 0 session eyJjc3JmX3Rva2VuIjp7IiBiIjoiTkdRMVlXTXdaREF5WlRVNU9 + +$ # Token taken from the csrf_token input html tag from the response from the first request +$ curl -v -c cookies.txt -b cookies.txt -d "login=admin&password=admin&target=''&csrf_token=1489077789##47a42db39383c6d615267f3e93a9341b2a1b49b5" http://$IP_ADDRESS:8081/login + +$ +``` diff --git a/nginx.conf b/nginx.conf index 2f2f4ed..a0ff4cc 100644 --- a/nginx.conf +++ b/nginx.conf @@ -20,8 +20,18 @@ http { # Protected application location / { + # Requests must be authenticated auth_request /auth-proxy; + # Relay the REMOTE_USER and X-WEBAUTH-USER headers + # From the response of the authentication request + # To the service + auth_request_set $remoteUser $upstream_http_REMOTE_USER; + proxy_set_header REMOTE_USER $remoteUser; + + auth_request_set $xWebauthUser $upstream_http_X_WEBAUTH_USER; + proxy_set_header X-WEBAUTH-USER $xWebauthUser; + # redirect 401 and 403 to login form error_page 401 403 =200 /login; 
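Review bot: `redirect(target)` together with the explicit `resp.headers['Location'] = target` sends the browser to a value taken straight from the submitted form (`target = form.target.data`, seeded from `X-Original-URI` in the previous hunk) with no check that it stays on this host, so the login page acts as an open redirect; before building the response, constrain it, e.g. `if not target.startswith('/') or target.startswith('//'): target = '/'`. The two added `resp.headers['REMOTE_USER']` / `resp.headers['X-WEBAUTH-USER']` lines are set on the redirect returned from `/login`, and the nginx `location /login` in this patch has no `auth_request_set`, so they appear to travel back to the browser rather than to the service; the headers nginx relays come from the `/auth-proxy` subrequest handled by `authenticate()`, which makes these two lines look redundant here. Since `DecodeToken(token)` yields the password, the `token` cookie carries a credential, so `resp.set_cookie('token', auth_token, httponly=True)` (plus `secure=True` once served over TLS) would keep it out of script reach. `login()` begins in the previous hunk, outside this one.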
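Review bot: The relay added under `location /` reads `$upstream_http_REMOTE_USER` and `$upstream_http_X_WEBAUTH_USER`, but nginx documents the `$upstream_http_name` family with the field name in lower case and dashes replaced by underscores, so the documented spellings are `$upstream_http_remote_user` and `$upstream_http_x_webauth_user`; if the upper-case form evaluates empty, `proxy_set_header` drops the header and the service sees no user, so it is worth confirming with a request that the value actually arrives. `proxy_set_header REMOTE_USER $remoteUser;` correctly replaces any client-supplied `REMOTE_USER`, which is what makes the service's trust in that header sound, but only if the service is reachable solely through nginx, which this hunk cannot show; a comment such as `# The service trusts REMOTE_USER unconditionally and must only be reachable via this proxy` would record the assumption. The three comment lines above `auth_request_set` read as one sentence split into capitalised fragments; `# Relay REMOTE_USER and X-WEBAUTH-USER from the auth subrequest's response to the service` reads better. The `location /` block continues outside this hunk.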
@@ -29,20 +39,20 @@ http { } location /login { - #proxy_pass http://authenticator/login; - proxy_pass http://127.0.0.1:8000/login; + proxy_pass http://authenticator/login; + proxy_set_header Host $host:$server_port; proxy_set_header X-Original-URI $request_uri; } - location = /auth-proxy { + location /auth-proxy { internal; # The authenticator listens on port 8000, as set # in authenticator.py. - #proxy_pass http://authenticator/; - proxy_pass http://127.0.0.1:8000/; + proxy_pass http://authenticator/; proxy_pass_request_body off; + proxy_set_header Host $host:$server_port; proxy_set_header Content-Length ""; # Login service returns a redirect to the original URI # and sets the cookie for the authenticator diff --git a/service.py b/service.py index dd46c42..0e55a0e 100644 --- a/service.py +++ b/service.py @@ -8,7 +8,6 @@ @app.route('/', methods=["GET"]) def home(): remote_user = request.headers.get('REMOTE_USER') - print(remote_user) return "Hello {}, this is the service.".format(remote_user)
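Review bot: `location = /auth-proxy` was changed to the prefix form `location /auth-proxy`, although `auth_request /auth-proxy;` always issues exactly that URI, so the exact match should have sufficed and the prefix form only broadens what the `internal` location accepts; unless the exact match was actually failing, `location = /auth-proxy {` is the tighter choice. The comment `# The authenticator listens on port 8000, as set in authenticator.py.` is now stale, since `proxy_pass` points at the `authenticator` upstream rather than `127.0.0.1:8000`; `# Proxied to the "authenticator" upstream (defined outside this hunk).` would match the code. The added `proxy_set_header Host $host:$server_port;` is repeated in both locations, which is fine, though if the intent is to forward the client's own Host header with its port, `$http_host` carries that in one variable. The enclosing `http`/`server` blocks begin and end outside this hunk.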