fix(backend): Pangolin standard header (Remote-User + X-Pangolin-Token) as SSO path #96
…n) as SSO path Refs #96
Implements the Pangolin standard for SSO header authentication, analogous to Hangar:
- Remote-User (configurable via PRINTER_HUB_SSO_USER_HEADER) as the user header
- X-Pangolin-Token (configurable via PRINTER_HUB_SSO_TRUST_HEADER) as the trust token
- PRINTER_HUB_SSO_TRUST_TOKEN must be set, otherwise the path is disabled (secure default)
- Backwards compatibility: X-Pangolin-User is still accepted without a trust token
- 6 new tests (TDD: RED→GREEN), 876 tests green in total
| GitGuardian id | GitGuardian status | Secret | Commit | Filename | |
|---|---|---|---|---|---|
| 33543112 | Triggered | Generic High Entropy Secret | 3f7e830 | backend/tests/unit/auth/test_dependencies.py | View secret |
| 33543112 | Triggered | Generic High Entropy Secret | f0d77cf | backend/tests/unit/auth/test_dependencies.py | View secret |
🛠 Guidelines to remediate hardcoded secrets
- Understand the implications of revoking this secret by investigating where it is used in your code.
- Replace and store your secrets safely. Learn here the best practices.
- Revoke and rotate these secrets.
- If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.
To avoid such incidents in the future consider
- following these best practices for managing and storing secrets including API keys and other credentials
- installing secret detection on pre-commit to catch secrets before they leave your machine and ease remediation.
🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.
Pull request overview
This PR fixes the SSO header incompatibility with Pangolin: in addition to the legacy header X-Pangolin-User, the backend now also supports the Pangolin standard path Remote-User + X-Pangolin-Token (with trust-token verification) and makes it configurable via new settings.
Changes:
- New settings for the SSO header names and the trust token (`sso_user_header`, `sso_trust_header`, `sso_trust_token`), including `.env.example` documentation.
- Auth dependency extended: standard headers + trust-token verification (plus legacy fallback `X-Pangolin-User`).
- 6 new unit tests for the standard path, failure scenarios and configurable header names.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| backend/app/config.py | Adds new settings for the SSO header / trust-token configuration. |
| backend/app/auth/dependencies.py | Implements the new Pangolin standard SSO path with trust token plus the legacy fallback. |
| backend/.env.example | Documents the new env variables for the SSO standard path. |
| backend/tests/unit/auth/test_dependencies.py | Adds unit tests for the new standard path and its configuration. |
| # gesetzt ist UND der Header-Wert exakt übereinstimmt. | ||
| # Leer lassen = SSO via Remote-User deaktiviert (Standard: deaktiviert). | ||
| # | ||
| # Konfiguration in Pangolin Resource (labels.strausmann.cloud): |
| trust_token = settings.sso_trust_token | ||
| if trust_token: | ||
| user_header = settings.sso_user_header | ||
| trust_header = settings.sso_trust_header | ||
| user_value = request.headers.get(user_header, "") | ||
| token_value = request.headers.get(trust_header, "") | ||
| if user_value and token_value == trust_token: | ||
| return True |
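Review bot: the hunk returns only on a successful match and shows no else branch, so the function docstring should state what happens when `Remote-User` arrives with a wrong or missing `X-Pangolin-Token`: whether control falls through to the legacy `X-Pangolin-User` check or the request is rejected outright. Two smaller points on the same lines: `token_value == trust_token` is a plain string comparison of a shared secret and should be `secrets.compare_digest`, and `user_value` is taken verbatim from the header, so consider `.strip()` before treating it as the account name (a value of `" "` currently passes the truthiness check).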
| sso_user_header: str = "Remote-User" | ||
| sso_trust_header: str = "X-Pangolin-Token" | ||
| sso_trust_token: str = "" # leer = SSO via Remote-User deaktiviert |
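Review bot: `sso_trust_token: str = ""` stores the shared secret as a plain `str`, so it is printed verbatim by `repr(settings)` and by any log line that dumps the settings object; declare it as `SecretStr` like the other credentials in this class. The trailing comment should also name the environment variable that feeds it (`PRINTER_HUB_SSO_TRUST_TOKEN`, per the PR description) so operators can find the knob without opening `.env.example`.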
| # -------------------------------------------------------------------------- | ||
| # Path 2b: Pangolin-Standard-Headers (Remote-User + X-Pangolin-Token) | ||
| # -------------------------------------------------------------------------- |
Summary of Changes
Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!
This pull request implements a more secure SSO authentication method between the Pangolin reverse proxy and the backend. By introducing a static trust token, the integrity of the transmitted user information is ensured, while backwards compatibility for existing internal calls is preserved. Configuration is done via new environment variables, which allows flexible adaptation to different deployment environments.
Highlights
- SIM103: legacy SSO path now uses `return bool(...)` instead of if/return True/return False
- F401: unused `import app.models` removed from all test helper functions
- E501: two overlong lines in test docstrings and an assert message shortened
- .env.example: `labels.strausmann.cloud` removed from the comment (privacy-scan hit)
Refs #96
Codecov Report
✅ All modified and coverable lines are covered by tests.
Additional details and impacted files
@@ Coverage Diff @@
## main #96 +/- ##
==========================================
- Coverage 89.92% 89.89% -0.03%
==========================================
Files 89 89
Lines 4008 4019 +11
Branches 343 345 +2
==========================================
+ Hits 3604 3613 +9
- Misses 315 317 +2
Partials 89 89
... and 1 file with indirect coverage changes
Flags with carried forward coverage won't be shown. Continue to review full report in Codecov by Sentry.
Code Review
This pull request introduces standard Pangolin-SSO header authentication using Remote-User and a configurable X-Pangolin-Token trust token, while maintaining backwards compatibility with the legacy X-Pangolin-User header. It updates configuration settings, dependency resolution, and adds comprehensive unit tests. Feedback recommends replacing a real domain name in .env.example with a placeholder to comply with privacy guidelines, defining the trust token as a SecretStr to prevent accidental log exposure, and utilizing secrets.compare_digest during token validation to mitigate timing attacks.
| # gesetzt ist UND der Header-Wert exakt übereinstimmt. | ||
| # Leer lassen = SSO via Remote-User deaktiviert (Standard: deaktiviert). | ||
| # | ||
| # Konfiguration in Pangolin Resource (Header-Injection): |
According to the repository style guide, real hostnames, domains, or PII must not be hardcoded to prevent the maintainer's network from being deducible. Please use an example.com placeholder instead of labels.strausmann.cloud.
# Konfiguration in Pangolin Resource (labels.example.com):
References
- Flag any hardcoded LAN IPs, real hostnames, real domains, real tokens, or PII. The maintainer's network must not be deducible from this repository. (link)
| # übereinstimmt. Ein leeres sso_trust_token deaktiviert diesen Pfad. | ||
| sso_user_header: str = "Remote-User" | ||
| sso_trust_header: str = "X-Pangolin-Token" | ||
| sso_trust_token: str = "" # leer = SSO via Remote-User deaktiviert |
To prevent the sensitive trust token from being accidentally leaked in logs, console output, or error traces, it should be defined as a SecretStr instead of a plain str, matching the pattern used for other API keys in this class.
| sso_trust_token: str = "" # leer = SSO via Remote-User deaktiviert | |
| sso_trust_token: SecretStr = SecretStr("") # leer = SSO via Remote-User deaktiviert |
| trust_token = settings.sso_trust_token | ||
| if trust_token: | ||
| user_header = settings.sso_user_header | ||
| trust_header = settings.sso_trust_header | ||
| user_value = request.headers.get(user_header, "") | ||
| token_value = request.headers.get(trust_header, "") | ||
| if user_value and token_value == trust_token: | ||
| return True |
To improve security, we should:
- Use `secrets.compare_digest` to prevent timing attacks when validating the trust token.
- Retrieve the token value using `.get_secret_value()`, since `sso_trust_token` should be configured as a `SecretStr` to prevent accidental exposure in logs.
| trust_token = settings.sso_trust_token | |
| if trust_token: | |
| user_header = settings.sso_user_header | |
| trust_header = settings.sso_trust_header | |
| user_value = request.headers.get(user_header, "") | |
| token_value = request.headers.get(trust_header, "") | |
| if user_value and token_value == trust_token: | |
| return True | |
| trust_token = settings.sso_trust_token.get_secret_value() | |
| if trust_token: | |
| user_header = settings.sso_user_header | |
| trust_header = settings.sso_trust_header | |
| user_value = request.headers.get(user_header, "") | |
| token_value = request.headers.get(trust_header, "") | |
| import secrets | |
| if user_value and secrets.compare_digest(token_value, trust_token): | |
| return True |
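Review bot: the suggested replacement places `import secrets` inside the function body, directly before the comparison; move it to the module-level imports of `dependencies.py` so it is not re-executed per request and is visible to the linters this PR's follow-up commit already targets. The rest of the suggestion holds: calling `get_secret_value()` before the truthiness check keeps the "empty token disables the path" semantics, and `compare_digest` is the right primitive. One caveat worth a line in the code: `secrets.compare_digest` on two `str` arguments requires both to be ASCII and raises `TypeError` otherwise, and the header value is client-supplied, so compare `token_value.encode()` against `trust_token.encode()` (or catch the exception) so an odd header cannot turn into a 500.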
Summary
Fixes the SSO header incompatibility between Pangolin and the label-printer-hub backend. The backend previously expected `X-Pangolin-User`, but by the standard Pangolin sends `Remote-User` + `X-Pangolin-Token` (trust token for verification), identical to the Hangar implementation.
Contributor License Agreement (CLA)
By opening this pull request you affirm that you have read and agree to the
project's Contributor License Agreement for the contribution(s)
included here.
Linked issue
Refs #96
Type of change
Hardware tested on
Test coverage
876 tests pass, 6 new tests added (TDD: RED→GREEN)
Checklist
Migration / breaking change notes
No breaking change. The new env vars have secure defaults:
- `PRINTER_HUB_SSO_USER_HEADER` (default: `Remote-User`)
- `PRINTER_HUB_SSO_TRUST_HEADER` (default: `X-Pangolin-Token`)
- `PRINTER_HUB_SSO_TRUST_TOKEN` (default: `""` = SSO via Remote-User disabled)
Legacy `X-Pangolin-User` is still accepted without a trust token (backwards compatibility for the PR #95 frontend forwarding).
Changes
backend/app/config.py: three new settings:
- `sso_user_header`: configurable user header (default: `Remote-User`)
- `sso_trust_header`: configurable trust header (default: `X-Pangolin-Token`)
- `sso_trust_token`: static trust token (empty = path disabled, secure default)
backend/app/auth/dependencies.py: `_has_pangolin_sso_session()` extended:
- `Remote-User` + `X-Pangolin-Token` with trust-token verification
- `X-Pangolin-User` (no trust token needed, backwards compatibility)
backend/.env.example: documentation of the new SSO variables with configuration notes.
backend/tests/unit/auth/test_dependencies.py: 6 new tests:
- `test_sso_session_with_remote_user_and_trust_token`: main path → 200
- `test_sso_session_remote_user_without_trust_token`: no token → 401
- `test_sso_session_trust_token_wrong_value`: wrong token → 401
- `test_sso_no_trust_token_configured_rejects_remote_user`: empty token = disabled → 401
- `test_sso_backwards_compat_x_pangolin_user`: legacy header → 200
- `test_sso_configurable_header_names`: custom header names → 200
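The two SSO paths and the six test scenarios above, as an added stand-alone example that is not the project's code. It assumes a minimal `Settings` dataclass and a `Headers` class with case-insensitive lookup in place of the real pydantic settings and Starlette request (so it runs without FastAPI), assumes the legacy header is named `X-Pangolin-User` via a hypothetical `legacy_user_header` field, and uses the obviously fake token value `constructed-example-token`. It goes slightly beyond the PR in two places already raised in the review: the comparison is constant-time via `secrets.compare_digest` on bytes, and the user value is stripped before use.

```python
"""Model of the Pangolin SSO header check (added example, not the project's code)."""
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Settings:
    """Stand-in for the app settings; defaults mirror the PR."""
    sso_user_header: str = "Remote-User"
    sso_trust_header: str = "X-Pangolin-Token"
    sso_trust_token: str = ""          # empty = Remote-User path disabled
    legacy_user_header: str = "X-Pangolin-User"  # assumption: legacy header name


class Headers:
    """Case-insensitive header lookup, like Starlette's request.headers."""

    def __init__(self, raw: dict) -> None:
        self._items = {k.lower(): v for k, v in raw.items()}

    def get(self, name: str, default: str = "") -> str:
        return self._items.get(name.lower(), default)


def _tokens_match(presented: str, expected: str) -> bool:
    """Constant-time comparison. Both sides are encoded first because
    compare_digest on str raises TypeError for non-ASCII input, and the
    presented value is client-controlled."""
    return secrets.compare_digest(presented.encode("utf-8"), expected.encode("utf-8"))


def sso_user(settings: Settings, headers: Headers) -> Optional[str]:
    """Return the SSO user name, or None if no SSO path accepted the request.

    Path 2b (Pangolin standard): Remote-User is trusted only when a trust
    token is configured AND the trust header matches it exactly.
    Legacy path: X-Pangolin-User is accepted without any trust token.
    """
    trust_token = settings.sso_trust_token
    if trust_token:
        user_value = headers.get(settings.sso_user_header).strip()
        token_value = headers.get(settings.sso_trust_header)
        if user_value and _tokens_match(token_value, trust_token):
            return user_value
        # Wrong or missing token: do not trust Remote-User; fall through to
        # the legacy check, which looks at a different header entirely.

    legacy_user = headers.get(settings.legacy_user_header).strip()
    return legacy_user or None


def status_for(settings: Settings, raw_headers: dict) -> int:
    """Map the check onto the HTTP status the PR's tests expect: 200 or 401."""
    return 200 if sso_user(settings, Headers(raw_headers)) else 401


if __name__ == "__main__":
    # Constructed sample request; the token is a placeholder, not a real secret.
    cfg = Settings(sso_trust_token="constructed-example-token")
    print(status_for(cfg, {"Remote-User": "alice",
                           "X-Pangolin-Token": "constructed-example-token"}))  # 200
    print(status_for(cfg, {"Remote-User": "alice"}))                           # 401
    print(status_for(Settings(), {"X-Pangolin-User": "bob"}))                  # 200
```

Keeping the placeholder token low-entropy and clearly labelled is also what keeps a secret scanner such as the GitGuardian check on this PR from flagging the test file.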