fix(auth): Zope root logout Basic auth assumptions

rpatterson · rpatterson · commit defb5df4c2d3 · 2021-12-28T14:06:25.000-08:00
See also [the PAS issue](zopefoundation/Products.PluggableAuthService#107 (comment)).
diff --git a/setup.py b/setup.py
@@ -84,6 +84,7 @@ def read(filename):
         "plone.schema >= 1.2.1",  # new/fixed json field
         "PyJWT",
         "pytz",
+        "collective.monkeypatcher",
     ],
     extras_require={"test": TEST_REQUIRES},
     entry_points="""
diff --git a/src/plone/restapi/configure.zcml b/src/plone/restapi/configure.zcml
@@ -91,6 +91,7 @@
   <include package=".deserializer" />
   <include package=".types" />
   <include package=".search" />
+  <include package=".pas" />
 
   <include package=".upgrades" />
 
diff --git a/src/plone/restapi/pas/__init__.py b/src/plone/restapi/pas/__init__.py
@@ -0,0 +1,22 @@
+"""
+A JWT token authentication plugin for PluggableAuthService.
+"""
+
+from App import Management
+from Products import PluggableAuthService  # noqa, Ensure PAS patch in place
+
+
+_orig_manage_zmi_logout = Management.Navigation.manage_zmi_logout
+
+
+# BBB: Maybe remove depending on the outcome of the PAS issue:
+# https://github.com/zopefoundation/Products.PluggableAuthService/issues/107#issue-1090137890
+def manage_zmi_logout(self, REQUEST, RESPONSE):
+    """
+    Logout the current ZMI user without re-challenging for login credentials.
+    """
+    _orig_manage_zmi_logout(self, REQUEST, RESPONSE)
+
+    # Undo the HTTP `Authorization: Basic ...` assumptions
+    RESPONSE.deleteHeader("WWW-Authenticate")
+    RESPONSE.setStatus(200)
diff --git a/src/plone/restapi/pas/configure.zcml b/src/plone/restapi/pas/configure.zcml
@@ -0,0 +1,17 @@
+<configure
+    xmlns="http://namespaces.zope.org/zope"
+    xmlns:monkey="http://namespaces.plone.org/monkey"
+    xmlns:zcml="http://namespaces.zope.org/zcml"
+    i18n_domain="plone.volto"
+    >
+
+  <include package="collective.monkeypatcher" />
+
+  <monkey:patch
+      original="manage_zmi_logout"
+      replacement=".manage_zmi_logout"
+      class="App.Management.Navigation"
+      description="Patch ZMI logout to remove Basic auth assumptions"
+      />
+
+</configure>
diff --git a/src/plone/restapi/tests/test_functional_auth.py b/src/plone/restapi/tests/test_functional_auth.py
@@ -382,6 +382,21 @@ def test_root_zmi_logout_expires_api_token(self):
         logout_link = browser.getLink(url="manage_zmi_logout")
         logout_link.click()
         browser.raiseHttpErrors = True
+        self.assertEqual(
+            browser.headers["Status"].lower(),
+            "200 ok",
+            "Wrong Zope root `/acl_users` logout response status",
+        )
+        self.assertEqual(
+            browser.url,
+            self.app.absolute_url() + "/manage_zmi_logout",
+            "Wrong Zope root `/acl_users` logout response URL",
+        )
+        self.assertIn(
+            "You have been logged out",
+            browser.contents,
+            "Zope root `/acl_users` logout response missing confirmation message",
+        )
         self.assertNotIn(
             "__ac",
             browser.cookies,
