From: Francis Dupont Date: Fri, 29 Aug 2025 21:22:42 +0000 (+0200) Subject: [#4070] Added basic-auth-user-file X-Git-Tag: Kea-3.1.2~81 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8417c245b2dd6a69f28dc76cb411860964498955;p=thirdparty%2Fkea.git [#4070] Added basic-auth-user-file --- diff --git a/changelog_unreleased/4070-add-basic-auth-user-file-option-to-high-availability-parameters b/changelog_unreleased/4070-add-basic-auth-user-file-option-to-high-availability-parameters new file mode 100644 index 0000000000..21398549df --- /dev/null +++ b/changelog_unreleased/4070-add-basic-auth-user-file-option-to-high-availability-parameters @@ -0,0 +1,6 @@ +[func] fdupont + Added the "basic-auth-user-file" parameter to the HA + hook library to provide the user ID which is part of + the secret used by the basic HTTP auth from a file + instead in clear in the configuration. + (Gitlab #4070) diff --git a/doc/sphinx/arm/hooks-ha.rst b/doc/sphinx/arm/hooks-ha.rst index 86ecd1d962..bfeda44ba3 100644 --- a/doc/sphinx/arm/hooks-ha.rst +++ b/doc/sphinx/arm/hooks-ha.rst @@ -915,6 +915,10 @@ list: not specified or specified as an empty string, no authentication header is added to HTTP transactions. It must not contain the colon (:) character. +- ``basic-auth-user-file`` - is an alternatibe to ``basic-auth-user``: + instead of presenting the user ID in the configuration file it is specified + in the file indicated by this parameter. + - ``basic-auth-password`` - specifies the password for basic HTTP authentication. This parameter is ignored when the user ID is not specified or is empty. The password is optional; if not specified, an empty password is diff --git a/src/hooks/dhcp/high_availability/ha_config_parser.cc b/src/hooks/dhcp/high_availability/ha_config_parser.cc index 42ef1da067..0ec7242d4e 100644 --- a/src/hooks/dhcp/high_availability/ha_config_parser.cc +++ b/src/hooks/dhcp/high_availability/ha_config_parser.cc 
@@ -321,8 +321,31 @@ HAConfigParser::parseOne(const HAConfigMapperPtr& config_storage, } // Basic HTTP authentication user. + std::string user; + bool do_auth = false; if (p->contains("basic-auth-user")) { - std::string user = getString(p, "basic-auth-user"); + if (p->contains("basic-auth-user-file")) { + isc_throw(dhcp::DhcpConfigError, "only one of " + << "basic-auth-user and " + << "basic-auth-user-file parameter can be " + << "configured in peer '" + << cfg->getName() << "'"); + } + user = getString(p, "basic-auth-user"); + do_auth = true; + } + if (p->contains("basic-auth-user-file")) { + std::string user_file = + getString(p, "basic-auth-user-file"); + try { + user = util::file::getContent(user_file); + do_auth = true; + } catch (const std::exception& ex) { + isc_throw(dhcp::DhcpConfigError, "bad user file in peer '" + << cfg->getName() << "': " << ex.what()); + } + } + if (do_auth) { BasicHttpAuthPtr& auth = cfg->getBasicAuth(); try { if (!user.empty()) { diff --git a/src/hooks/dhcp/high_availability/tests/ha_config_unittest.cc b/src/hooks/dhcp/high_availability/tests/ha_config_unittest.cc index 29f3bb8b56..0ccb6861c4 100644 --- a/src/hooks/dhcp/high_availability/tests/ha_config_unittest.cc +++ b/src/hooks/dhcp/high_availability/tests/ha_config_unittest.cc @@ -360,7 +360,8 @@ TEST_F(HAConfigTest, configurePassiveBackup) { " {" " \"name\": \"server3\"," " \"url\": \"http://127.0.0.1:8082/\"," - " \"basic-auth-user\": \"keatest\"," + " \"basic-auth-user-file\": \"" + TEST_HTTP_DIR "/hiddenu\"," " \"basic-auth-password-file\": \"" TEST_HTTP_DIR "/hiddenp\"," " \"role\": \"backup\""
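Review bot: In the `HAConfigParser::parseOne` hunk, an empty or truncated user file takes the same `if (!user.empty())` path as an explicitly empty `basic-auth-user`, which the documentation context says means no authentication header is added, so a misprovisioned file would silently turn basic auth off for that peer instead of failing configuration. I would reject it right after the `try`/`catch` that reads the file: `if (user.empty()) { isc_throw(dhcp::DhcpConfigError, "empty user file in peer '" << cfg->getName() << "'"); }`. Placing it inside the `try` would presumably have it caught by the `std::exception` handler and re-wrapped as "bad user file". The configured path also goes to `util::file::getContent` unchanged, so it is worth confirming that any location or permission checks applied to `basic-auth-password-file` cover this file too, and that a trailing newline is stripped before the value becomes the user ID. The `try` block that consumes `user` continues outside the hunk.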