Bug 1410253

Summary: Expose websocket authorization headers through the node proxy
Product: OpenShift Online
Reporter: Timothy Williams <tiwillia>
Component: Routing
Assignee: Timothy Williams <tiwillia>
Status: CLOSED EOL
QA Contact: zhaozhanqi <zzhao>
Severity: medium
Priority: unspecified
Version: 2.x
CC: abhgupta, aos-bugs
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Last Closed: 2018-03-22 22:53:04 UTC
Type: Bug

Description Timothy Williams 2017-01-04 22:20:23 UTC
Description of problem:
The websocket protocol RFC6455 allows the HTTP Basic auth 'authorization' header:

12.  The request MAY include any other header fields, for example,
        cookies [RFC6265] and/or authentication-related header fields
        such as the |Authorization| header field [RFC2616], which are
        processed according to documents that define them.

Additionally, on page 19, RFC6455 also says:

1.  If the status code received from the server is not 101, the
       client handles the response per HTTP [RFC2616] procedures.  In
       particular, the client might perform authentication if it
       receives a 401 status code; the server might redirect the client
       using a 3xx status code (but clients are not required to follow
       them), etc.  Otherwise, proceed as follows.

The node-web-proxy currently does not pass the 'authorization' header for websocket connections.

How reproducible:
Always

Steps to Reproduce:
1. Deploy a nodejs-0.10 app using the following quickstart:
    # rhc app-create wstest nodejs-0.10 --from-code=https://github.com/tiwillia/openshift-nodejs-http-and-websocket-example
   
   The quickstart has been modified to log the websocket request headers when a connection is made.

2. Use the `wscat` tool, provided through npm, to create a connection and pass authorization parameters to the nodejs application:
   # npm install wscat
   # wscat --auth "user:pass" --connect ws://wstest-namespace.dev.rhcloud.com:8000

3. Check the logs of the application after the connection is made with `rhc tail`. The authorization header should be included in the list received by the websocket server. 

Actual results:

Below is an example output from the logs of the sample application:

New connection:
{ connection: 'Upgrade',
  upgrade: 'websocket',
  host: '127.1.244.1:8080',
  'sec-websocket-version': '13',
  'sec-websocket-key': 'MTMtMTQ4MzU2NzYzNTgxMA==',
  'user-agent': 'undefined',
  'x-forwarded-for': '0.0.0.0',
  'x-client-ip': '0.0.0.0',
  'sec-websocket-extensions': 'permessage-deflate; client_max_window_bits' }
   

Note the lack of an 'authorization' header in the list.

Expected results:

New connection:
{ connection: 'Upgrade',
  upgrade: 'websocket',
  host: '127.1.244.1:8080',
  'sec-websocket-version': '13',
  'sec-websocket-key': 'MTMtMTQ4MzU2NzYzNTgxMA==',
  'user-agent': 'undefined',
  'x-forwarded-for': '0.0.0.0',
  'x-client-ip': '0.0.0.0',
  authorization: 'Basic dGl0cmJhbGxz',
  'sec-websocket-extensions': 'permessage-deflate; client_max_window_bits' }
   

Note the 'authorization' header in the list.

Additional info:

This should be fixed with https://github.com/openshift/origin-server/pull/6444
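
A regression check for the behaviour reported above, as an added example that is not part of the bug report or of origin-server: it compares the headers a client sent in the upgrade request with the headers the backend logged, and lists the ones lost at the proxy. The client handshake is constructed, and `PROXY_MANAGED`, `parseRequestHeaders` and `droppedHeaders` are hypothetical names.

```javascript
// Added example, not code from the bug report or from origin-server.
// Headers the proxy is expected to rewrite or add, so they are not compared (assumption).
const PROXY_MANAGED = new Set(['host', 'x-forwarded-for', 'x-client-ip']);

// Parse the header block of a raw HTTP/1.1 request into a lower-cased map.
function parseRequestHeaders(raw) {
  const headers = {};
  for (const line of raw.split('\r\n').slice(1)) { // skip the request line
    if (line === '') break;                        // end of header block
    const idx = line.indexOf(':');
    if (idx < 1) continue;                         // not a "name: value" line
    headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return headers;
}

// Names of client headers that the backend did not receive unchanged.
function droppedHeaders(sent, received) {
  return Object.keys(sent)
    .filter((name) => !PROXY_MANAGED.has(name) && received[name] !== sent[name])
    .sort();
}

// Constructed sample: an upgrade request carrying Basic credentials for "user:pass".
const basic = 'Basic ' + Buffer.from('user:pass').toString('base64');
const clientRequest = [
  'GET / HTTP/1.1',
  'Host: wstest-namespace.dev.rhcloud.com:8000',
  'Connection: Upgrade',
  'Upgrade: websocket',
  'Sec-WebSocket-Version: 13',
  'Sec-WebSocket-Key: MTMtMTQ4MzU2NzYzNTgxMA==',
  'Authorization: ' + basic,
  '', '',
].join('\r\n');

// Headers as logged by the backend under "Actual results" (no authorization).
const backendSaw = {
  connection: 'Upgrade', upgrade: 'websocket', host: '127.1.244.1:8080',
  'sec-websocket-version': '13',
  'sec-websocket-key': 'MTMtMTQ4MzU2NzYzNTgxMA==',
  'x-forwarded-for': '0.0.0.0', 'x-client-ip': '0.0.0.0',
};

const sent = parseRequestHeaders(clientRequest);
console.log(droppedHeaders(sent, backendSaw));                              // [ 'authorization' ]
console.log(droppedHeaders(sent, { ...backendSaw, authorization: basic })); // []
```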

Comment 1 Abhishek Gupta 2018-03-22 22:54:26 UTC
The referenced PR was merged at that time.