Skip to content
GitLab
Explore
Sign in
Primary navigation
Search or go to…
Project
W
webdav-auth
Manage
Activity
Members
Labels
Plan
Issues
Issue boards
Milestones
Code
Merge requests
Repository
Branches
Commits
Tags
Repository graph
Compare revisions
Build
Pipelines
Jobs
Pipeline schedules
Artifacts
Deploy
Releases
Container registry
Model registry
Operate
Environments
Monitor
Incidents
Service Desk
Analyze
Value stream analytics
Contributor analytics
CI/CD analytics
Repository analytics
Model experiments
Help
Help
Support
GitLab documentation
Compare GitLab plans
Community forum
Contribute to GitLab
Provide feedback
Keyboard shortcuts
?
Snippets
Groups
Projects
Show more breadcrumbs
ai3
tools
webdav-auth
Commits
8ab4e056
Commit
8ab4e056
authored
2 years ago
by
ale
Browse files
Options
Downloads
Patches
Plain Diff
Improve README
parent
2155516e
No related branches found
No related tags found
No related merge requests found
Pipeline
#38966
passed
2 years ago
Stage: test
Stage: build
Stage: release
Changes
1
Pipelines
1
Show whitespace changes
Inline
Side-by-side
Showing
1 changed file
README.md
+43
-3
43 additions, 3 deletions
README.md
with
43 additions
and
3 deletions
README.md
+
43
−
3
View file @
8ab4e056
webdav-auth
webdav-auth
===
===
The authentication server bridges the
[
users-dav
](
https://git.autistici.org/ai3/docker/apache2-users-dav
)
The authentication server bridges the
container (which runs the
[
webdav-server
](
https://git.autistici.org/ai3/tools/webdav-server
)
component)
[
users-dav
](
https://git.autistici.org/ai3/docker/apache2-users-dav
)
and the local
[
auth-server
](
https://git.autistici.org/id/auth
)
.
container (which runs the
[
webdav-server
](
https://git.autistici.org/ai3/tools/webdav-server
)
component) and the local
[
auth-server
](
https://git.autistici.org/id/auth
)
.
It runs as a system-level daemon.
It runs as a system-level daemon.
There are two issues with the way DAV authentication works in A/I:
*
*authentication*
: are username and password correct?
*
*authorization*
: can the user access this particular DAV path?
This is quite complicated by the fact that the DAV server process runs
in an isolated and untrusted container[^1], and we did not want to
just grant arbitrary LDAP access to anything in there. So we split the
authentication off to a process that runs
*outside*
the container, and
devised a simple restricted API just for the DAV server to talk to it
(safely, over a UNIX socket).
Here's how the process works in detail:
*
when a DAV request comes in, Apache spawns a DAV server running with
the appropriate user ID;
*
when the DAV server starts, it fetches the list of DAV accounts
associated with the user ID it is running as, and configures HTTP
handlers for those paths only;
*
on every DAV request, an authentication check is performed on the
provided username/password, verifying also that the username appears
in the list of DAV accounts associated with the current user ID.
Authorization is thusly provided by binding user IDs to specific DAV
accounts. The overall process is a bit convoluted, but it's convenient
to rely on Apache (specifically fcgid + suexec) to manage the setuid
processes.
The authentication server does not trust the DAV server, which is why
the user ID is not a request parameter but it is instead obtained by
looking at the
*peer*
of the UNIX socket connection.
[
^1
]:
This
used to be the case when we ran DAV and the users' PHP
processes in the same environment, now that they are completely
separate containers we could revisit this design decision.
This diff is collapsed.
Click to expand it.
Preview
0%
Loading
Try again
or
attach a new file
.
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Save comment
Cancel
Please
register
or
sign in
to comment
