[Fixes #13990] Basic auth is not fully propagated into the WMS Service

[mattiagiupponi]

ref #13990

Checklist

Reviewing is a process done by project maintainers, mostly on a volunteer basis. We try to keep the overhead as small as possible and appreciate if you help us to do so by completing the following items. Feel free to ask in a comment if you have troubles with any of them.

For all pull requests:

• Confirm you have read the contribution guidelines
• You have sent a Contribution Licence Agreement (CLA) as necessary (not required for small changes, e.g., fixing typos in the documentation)
• Make sure the first PR targets the master branch, eventual backports will be managed later. This can be ignored if the PR is fixing an issue that only happens in a specific branch, but not in newer ones.

The following are required only for core and extension modules (they are welcomed, but not required, for contrib modules):

• There is a ticket in https://github.com/GeoNode/geonode/issues describing the issue/improvement/feature (a notable exemption is, changes not visible to end-users)
• The issue connected to the PR must have Labels and Milestone assigned
• PR for bug fixes and small new features are presented as a single commit
• PR title must be in the form "[Fixes #<issue_number>] Title of the PR"
• New unit tests have been added covering the changes, unless there is an explanation on why the tests are not necessary/implemented

Submitting the PR does not require you to check all items, but by the time it gets merged, they should be either satisfied or inapplicable.

[gemini-code-assist]

Summary of Changes

Hello @mattiagiupponi, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request fixes an issue where basic authentication was not fully propagated into the WMS service. It replaces direct instantiation of WebMapService with the use of get_service_handler to ensure authentication credentials are used. Additionally, it adds cache deletion when a service is removed.

Highlights

• Basic Authentication Propagation: Ensures that basic authentication credentials are fully propagated into the WMS service, addressing issue Basic auth is not fully propagated into the WMS Service #13990.
• Service Handler Utilization: Replaces direct WebMapService instantiation with get_service_handler to properly handle authentication.
• Cache Management: Adds cache deletion when a service is removed to prevent stale data.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Changelog

• geonode/harvesting/harvesters/wms.py
  • Replaced direct WebMapService instantiation with get_service_handler for WMS operations.
• geonode/services/serviceprocessors/wms.py
  • Modified parsed_service property to use get_service_handler for proper authentication.
• geonode/services/views.py
  • Modified _get_service_handler to pass username and password to get_service_handler.
  • Added cache deletion for service base_url upon service removal.

Activity

• The PR addresses issue Basic auth is not fully propagated into the WMS Service #13990 related to basic authentication propagation in the WMS service.
• The changes involve modifications to harvesters, service processors, and views to ensure proper handling of authentication credentials.
• Cache deletion was added upon service removal.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request aims to propagate basic authentication credentials for WMS services. While the changes correctly pass credentials in WmsServiceHandler and _get_service_handler, it introduces a potential Denial of Service (DoS) vulnerability. Unconditionally calling service.get_password() in two locations can lead to a 500 Internal Server Error for services without a configured password, as the underlying model method does not handle None values. Additionally, credentials are not passed in one area of the WMS harvester, which could affect protected services, and there's a minor opportunity to simplify some new cache-clearing logic.

[gemini-code-assist]

The get_service_handler is called here without authentication credentials. The PR's goal is to propagate basic auth, but this seems to be a place where it's not fully propagated. If the WMS service at url requires basic authentication, this call will fail to retrieve the operations.

To address this, get_wms_operations should be updated to accept username and password and pass them to get_service_handler. This would also require updating the callers of get_wms_operations to provide these credentials if they are available.