Allow forcing basic auth challenge via REQUESTAUTH param

Author: manisandro

README.md

@@ -241,6 +241,11 @@ Example:
   },
 ```
 
+To force the `qwc-ogc-service` to return a `401 Unauthorized` response if not authenticated, pass `REQUIREAUTH=1` to the `WMS` or `WFS` request args, example:
+```
+http://qwc-ogc-service/<service>?SERVICE=WMS&REQUEST=GetCapabilities&REQUIREAUTH=1
+```
+
 ### Marker params
 
 The OGC service supports specifying marker parameters to insert a SLD styled marker into GetMap requests via QGIS Server `HIGHLIGHT_SYMBOL` and `HIGHLIGHT_GEOM`. To use this feature, provide a SLD template and parameter definitions in the ogc service config, for example:

src/ogc_service.py

@@ -5,7 +5,7 @@
 from xml.etree import ElementTree
 from xml.sax.saxutils import escape as xml_escape
 
-from flask import abort, Response, stream_with_context, url_for, current_app
+from flask import abort, Response, stream_with_context, url_for, current_app, make_response
 import requests
 
 from qwc_services_core.permissions_reader import PermissionsReader
@@ -84,6 +84,14 @@ def request(self, identity, method, service_name, params, data):
         # normalize parameter keys to upper case
         params = {k.upper(): v for k, v in params.items()}
 
+        # Check if basic auth challenge should be sent
+        require_auth = params.get('REQUIREAUTH', '').lower() in ["1", "true"]
+        if not identity and require_auth:
+            # Return WWW-Authenticate header, e.g. for browser password prompt
+            response = make_response("Unauthorized", 401)
+            response.headers["WWW-Authenticate"] = 'Basic realm="Login Required"'
+            return response
+
         # Inject identity parameter if configured
         if self.qgis_server_identity_parameter is not None:
             parameter_name = self.qgis_server_identity_parameter.upper()

src/server.py

@@ -70,9 +70,6 @@ def get_identity_or_auth(ogc_service):
                     json_resp = json.loads(resp.text)
                     app.logger.debug(json_resp)
                     return json_resp.get('identity')
-            # Return WWW-Authenticate header, e.g. for browser password prompt
-            # raise Unauthorized(
-            #     www_authenticate='Basic realm="Login Required"')
     return identity
 
 
@@ -124,6 +121,7 @@ class OGC(Resource):
     @api.param('REQUEST', 'Request', default='GetCapabilities')
     @api.param('VERSION', 'Version', default='1.1.1')
     @api.param('filename', 'Output file name')
+    @api.param('REQUIREAUTH', 'Whether to send a 401 Unauthorized response if not authenticated')
     @optional_auth
     def get(self, service_name):
         """OGC service request
@@ -136,7 +134,7 @@ def get(self, service_name):
         response = ogc_service.request(
             identity, 'GET', service_name, request.args, None)
 
-        filename = request.values.get('filename')
+        filename = request.args.get('filename')
         if filename:
             response.headers['content-disposition'] = 'attachment; filename=' + filename
 
@@ -146,6 +144,7 @@ def get(self, service_name):
     @api.param('SERVICE', 'Service', _in='formData', default='WMS')
     @api.param('REQUEST', 'Request', _in='formData', default='GetCapabilities')
     @api.param('VERSION', 'Version', _in='formData', default='1.1.1')
+    @api.param('REQUIREAUTH', 'Whether to send a 401 Unauthorized response if not authenticated')
     @api.param('filename', 'Output file name')
     @optional_auth
     def post(self, service_name):

src/wms_handler.py

@@ -167,7 +167,7 @@ def filter_response(self, request, response, params, permissions):
         :param obj permissions: OGC service permission
         """
         if request in ['GETCAPABILITIES', 'GETPROJECTSETTINGS']:
-            return self.__filter_getcapabilities(response, permissions)
+            return self.__filter_getcapabilities(response, permissions, params)
         elif request == 'GETFEATUREINFO':
             return self.__filter_getfeatureinfo(response, permissions)
         else:
@@ -267,12 +267,13 @@ def __rewrite_external_wms_url(self, layer, params):
             lambda name: name in permitted_layers, ext_layers
         )))
 
-    def __filter_getcapabilities(self, response, permissions):
+    def __filter_getcapabilities(self, response, permissions, params):
         """Return WMS GetCapabilities or GetProjectSettings filtered by
         permissions.
 
         :param requests.Response response: Response object
         :param obj permissions: OGC service permissions
+        :param obj params: Request parameters
         """
         xml = response.text
         # Strip control characters
@@ -318,15 +319,15 @@ def __filter_getcapabilities(self, response, permissions):
                 online_resources += root.findall('.//%sGetPrint//%sOnlineResource' % (np, np), ns)
                 online_resources += root.findall('.//%sLegendURL//%sOnlineResource' % (np, np), ns)
 
-                self.__update_online_resources(online_resources, service_url, xlinkns)
+                self.__update_online_resources(online_resources, service_url, xlinkns, params)
 
             info_url = permissions['online_resources'].get('feature_info')
             if info_url:
                 # override GetFeatureInfo OnlineResources
                 online_resources = root.findall(
                     './/%sGetFeatureInfo//%sOnlineResource' % (np, np), ns
                 )
-                self.__update_online_resources(online_resources, info_url, xlinkns)
+                self.__update_online_resources(online_resources, info_url, xlinkns, params)
 
             legend_url = permissions['online_resources'].get('legend')
             if legend_url:
@@ -338,7 +339,7 @@ def __filter_getcapabilities(self, response, permissions):
                     './/{%s}GetLegendGraphic//%sOnlineResource' % (sldns, np),
                     ns
                 )
-                self.__update_online_resources(online_resources, legend_url, xlinkns)
+                self.__update_online_resources(online_resources, legend_url, xlinkns, params)
 
                 # HACK: Inject LegendURL for group layers (which are missing LegendURL)
                 # Pending proper upstream QGIS server fix
@@ -480,12 +481,13 @@ def __filter_getcapabilities(self, response, permissions):
             status=response.status_code
         )
 
-    def __update_online_resources(self, elements, new_url, xlinkns):
+    def __update_online_resources(self, elements, new_url, xlinkns, params):
         """Update OnlineResource URLs.
 
         :param list(Element) elements: List of OnlineResource elements
         :param str new_url: New OnlineResource URL
         :param str xlinkns: XML namespace for OnlineResource href
+        :param obj params: Request parameters
         """
 
         qgis_server_url_parts = urlparse(self.qgis_server_url)
@@ -501,15 +503,15 @@ def __update_online_resources(self, elements, new_url, xlinkns):
             if new_url.startswith("/"):
                 new_url = request.host_url.rstrip("/") + new_url
 
-            if url_parts.query or "?" in old_url:
-                # Drop MAP query parameter, it is never useful for services served through qwc-qgis-server
-                query = parse_qsl(url_parts.query)
-                query = list(filter(lambda kv: kv[0].lower() != "map", query))
-                # querystring = urlencode(query, doseq=True)
-                querystring = "&".join(map(lambda kv: f"{kv[0]}={quote(kv[1], safe=' /')}", query))
-                online_resource.set('{%s}href' % xlinkns, new_url.removesuffix("?") + "?" + querystring)
-            else:
-                online_resource.set('{%s}href' % xlinkns, new_url)
+            # Drop MAP query parameter, it is never useful for services served through qwc-qgis-server
+            query = parse_qsl(url_parts.query)
+            query = list(filter(lambda kv: kv[0].lower() != "map", query))
+            query = list(filter(lambda kv: kv[0].lower() != "requireauth", query))
+            if params.get('REQUIREAUTH'):
+                query.append(('REQUIREAUTH', params['REQUIREAUTH']))
+            # querystring = urlencode(query, doseq=True)
+            querystring = "&".join(map(lambda kv: f"{kv[0]}={quote(kv[1], safe=' /')}", query))
+            online_resource.set('{%s}href' % xlinkns, new_url.removesuffix("?") + "?" + querystring)
 
 
     def __filter_getfeatureinfo(self, response, permissions):