From ba52074bb5c95bf30c226b59a8d58f28c06dc539 Mon Sep 17 00:00:00 2001
From: Tiago Salvado <9038083+tiagosalvado10@users.noreply.github.com>
Date: Fri, 25 Oct 2024 14:14:52 +0100
Subject: [PATCH] [MNT-24682] Kerberos: do not add authorization header (#10320)

* [MNT-24682] Prevent Authorization header from being added with basic auth when Kerberos is enabled

* [MNT-24682] Add unit test
---
 .../auth/basic-auth/basic-alfresco-auth.service.ts | 6 +++++-
 .../auth/services/authentication.service.spec.ts   | 13 ++++++++++++-
 2 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/lib/core/src/lib/auth/basic-auth/basic-alfresco-auth.service.ts b/lib/core/src/lib/auth/basic-auth/basic-alfresco-auth.service.ts
index d401edfd07..30fb401ad1 100644
--- a/lib/core/src/lib/auth/basic-auth/basic-alfresco-auth.service.ts
+++ b/lib/core/src/lib/auth/basic-auth/basic-alfresco-auth.service.ts
@@ -347,6 +347,10 @@ export class BasicAlfrescoAuthService extends BaseAuthenticationService {
     }
 
     private addBasicAuth(requestUrl: string, header: HttpHeaders): HttpHeaders {
+        if (this.isKerberosEnabled()) {
+            return header;
+        }
+
         const ticket = this.getTicketEcmBase64(requestUrl);
 
         if (!ticket) {
@@ -366,7 +370,7 @@ export class BasicAlfrescoAuthService extends BaseAuthenticationService {
      * @param requestUrl the request url
      * @returns The ticket or `null` if none was found
      */
-    private getTicketEcmBase64(requestUrl: string): string | null {
+    getTicketEcmBase64(requestUrl: string): string | null {
         let ticket = null;
         const contextRootBpm = this.appConfig.get(AppConfigValues.CONTEXTROOTBPM) || 'activiti-app';
 
diff --git a/lib/core/src/lib/auth/services/authentication.service.spec.ts b/lib/core/src/lib/auth/services/authentication.service.spec.ts
index 8c1950e8c6..09a4abfc8e 100644
--- a/lib/core/src/lib/auth/services/authentication.service.spec.ts
+++ b/lib/core/src/lib/auth/services/authentication.service.spec.ts
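Review bot: The early return at the top of addBasicAuth carries no comment explaining why the header must be left untouched when Kerberos is on, so a later refactor could easily fold it back into the ticket path. I would add `// Kerberos: the request must leave without an explicit Authorization header; attaching the ECM ticket here would presumably interfere with the negotiation the browser performs — do not remove.` above the `if (this.isKerberosEnabled())` guard. Placing the check before getTicketEcmBase64 also means the stored ticket is never read in that mode, which is the right order; whether any sibling path in getAuthHeaders still sets Authorization is not visible from this hunk and should be checked. addBasicAuth's body continues past the hunk.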
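Review bot: Dropping `private` from getTicketEcmBase64 widens the service's public API solely so the spec can spy on it, and it now exposes a getter for the base64-encoded ECM ticket to every consumer of BasicAlfrescoAuthService. I would keep the method `private` and spy on it from the spec with `spyOn<any>(basicAlfrescoAuthService, 'getTicketEcmBase64')`, or, if it really must be public, add `@internal` to its JSDoc so it is excluded from the documented surface. The method body runs past the end of the hunk.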
@@ -21,7 +21,7 @@ import { CookieService } from '../../common/services/cookie.service';
 import { AppConfigService } from '../../app-config/app-config.service';
 import { BasicAlfrescoAuthService } from '../basic-auth/basic-alfresco-auth.service';
 import { AuthModule } from '../oidc/auth.module';
-import { HttpClientModule } from '@angular/common/http';
+import { HttpClientModule, HttpHeaders } from '@angular/common/http';
 import { CookieServiceMock } from '../../mock';
 import { AppConfigServiceMock } from '../../common';
 import { OidcAuthenticationService } from '../oidc/oidc-authentication.service';
@@ -39,6 +39,7 @@ xdescribe('AuthenticationService', () => {
     let appConfigService: AppConfigService;
     let cookie: CookieService;
     let oidcAuthenticationService: OidcAuthenticationService;
+    let headers: HttpHeaders;
 
     beforeEach(() => {
         TestBed.configureTestingModule({
@@ -80,6 +81,7 @@ xdescribe('AuthenticationService', () => {
         beforeEach(() => {
             appConfigService.config.providers = 'ALL';
             appConfigService.config.auth = { withCredentials: true };
+            headers = new HttpHeaders();
         });
 
         it('should emit login event for kerberos', (done) => {
@@ -107,6 +109,15 @@ xdescribe('AuthenticationService', () => {
             spyOn(basicAlfrescoAuthService, 'isKerberosEnabled').and.returnValue(true);
             expect(authService.isKerberosEnabled()).toEqual(true);
         });
+
+        it('should not add Authorization header if kerberos is enabled', () => {
+            const url = 'some-url';
+            spyOn(basicAlfrescoAuthService, 'isKerberosEnabled').and.returnValue(true);
+            spyOn(basicAlfrescoAuthService, 'getTicketEcmBase64').and.returnValue('some-ticket');
+            headers = basicAlfrescoAuthService.getAuthHeaders(url, headers);
+            expect(headers.get('Authorization')).toBeNull();
+            expect(basicAlfrescoAuthService.getTicketEcmBase64).not.toHaveBeenCalled();
+        });
     });
 
     describe('when the setting is ECM', () => {
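Review bot: The new `it('should not add Authorization header if kerberos is enabled', ...)` sits inside `xdescribe('AuthenticationService', ...)`, as every hunk header in this file shows, so the whole suite is skipped and the regression guard for the Kerberos fix never actually runs. Either move this case into an active suite or re-enable the describe if it is stable now. The test also pins only the enabled side; a companion case with `isKerberosEnabled` returning false, asserting `headers.get('Authorization')` is non-null and `getTicketEcmBase64` was called, would catch the guard being inverted. Note that `toBeNull()` on `headers.get('Authorization')` is the right check here since the enclosing beforeEach starts from an empty `new HttpHeaders()`.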