Ensure disabling BasicAuth skips Basic Authentication check.

Presently, disabling BasicAuth in the pgo.yaml configuration file would
not actually disable the HTTP Basic Authentication from occuring, as
the check against authorization headers provided by the HTTP requests
would still be scanned.

This ensures this check is skipped when BasicAuth is set to `"false"`.

However, skipping Basic Authentication does not skip authorization, as
the Operator heavily leverages RBAC checks, and as such, a valid username
is required at all times even if BasicAuth is skipped. As such, this fix
only solves one type of error, i.e. the case where no HTTP Authorization
headers are sent to the Operator apiserver. And by "fix," I mean it just
moves the failure from the authentication check to the authorization
check.

Issue: [ch6162]

Author: Jonathan S. Katz

apiserver/root.go

@@ -313,19 +313,35 @@ func GetNamespace(clientset *kubernetes.Clientset, username, requestedNS string)
 	return requestedNS, errors.New("requested Namespace was not found to be in the list of Namespaces being watched.")
 }
 
+// Authn performs HTTP Basic Authentication against a user if "BasicAuth" is set
+// to "true" (which it is by default).
+//
+// ...it also performs Authorization (Authz) against the user that is attempting
+// to authenticate, and as such, to truly "authenticate/authorize," one needs
+// at least a valid Operator User account.
 func Authn(perm string, w http.ResponseWriter, r *http.Request) (string, error) {
 	var err error
 	w.Header().Set("WWW-Authenticate", `Basic realm="Restricted"`)
 
+	// Need to run the HTTP library `BasicAuth` even if `BasicAuth == false`, as
+	// this function currently encapsulates authorization as well, and this is
+	// the call where we get the username to check the RBAC settings
 	username, password, authOK := r.BasicAuth()
 	if AuditFlag {
 		log.Infof("[audit] %s username=[%s] method=[%s] ip=[%s] ok=[%t] ", perm, username, r.Method, r.RemoteAddr, authOK)
 	}
 
-	log.Debugf("Authentication Attempt %s username=[%s]", perm, username)
-	if authOK == false {
-		http.Error(w, "Not authorized", 401)
-		return "", errors.New("Not Authorized")
+	// Check to see if this user is authenticated
+	// If BasicAuth is "disabled", skip the authentication; o/w/ check if the
+	// authentication passed
+	if !BasicAuth {
+		log.Debugf("BasicAuth disabled, Skipping Authentication %s username=[%s]", perm, username)
+	} else {
+		log.Debugf("Authentication Attempt %s username=[%s]", perm, username)
+		if !authOK {
+			http.Error(w, "Not Authorized. Basic Authentication credentials must be provided according to RFC 7617, Section 2.", 401)
+			return "", errors.New("Not Authorized: Credentials do not comply with RFC 7617")
+		}
 	}
 
 	if !BasicAuthCheck(username, password) {

hugo/content/Configuration/pgo-yaml-configuration.md

@@ -14,7 +14,7 @@ The *pgo.yaml* file is broken into major sections as described below:
 
 | Setting |Definition  |
 |---|---|
-|BasicAuth        | if set to *true* will enable Basic Authentication
+|BasicAuth        | If set to `"true"` will enable Basic Authentication. If set to `"false"`, will allow a valid Operator user to successfully authenticate regardless of the value of the password provided for Basic Authentication. Defaults to `"true".`
 |PrimaryNodeLabel        |newly created primary deployments will specify this node label if specified, unless you override it using the --node-label command line flag, if not set, no node label is specifed
 |ReplicaNodeLabel        |newly created replica deployments will specify this node label if specified, unless you override it using the --node-label command line flag, if not set, no node label is specifed
 |CCPImagePrefix        |newly created containers will be based on this image prefix (e.g. crunchydata), update this if you require a custom image prefix