sweep: #6445 Only use X- headers if /WebApp/Balancer is defined

chrisburr · web-flow · commit 24388876d81a · 2022-10-21T09:39:11.000Z
diff --git a/src/DIRAC/Core/Tornado/Server/private/BaseRequestHandler.py b/src/DIRAC/Core/Tornado/Server/private/BaseRequestHandler.py
@@ -728,13 +728,17 @@ def _authzSSL(self):
             # If 'IOStream' object has no attribute 'get_ssl_certificate'
             derCert = None
 
+        # Boolean whether we are behind a balancer and can trust headers
+        balancer = gConfig.getValue("/WebApp/Balancer", "none") != "none"
+
         # Get client certificate as pem
         if derCert:
             chainAsText = derCert.as_pem().decode("ascii")
             # Read all certificate chain
             chainAsText += "".join([cert.as_pem().decode("ascii") for cert in self.request.get_ssl_certificate_chain()])
-        elif self.request.headers.get("X-Ssl_client_verify") == "SUCCESS" and self.request.headers.get("X-SSL-CERT"):
-            chainAsText = unquote(self.request.headers.get("X-SSL-CERT"))
+        elif balancer:
+            if self.request.headers.get("X-Ssl_client_verify") == "SUCCESS" and self.request.headers.get("X-SSL-CERT"):
+                chainAsText = unquote(self.request.headers.get("X-SSL-CERT"))
         else:
             return S_ERROR(DErrno.ECERTFIND, "Valid certificate not found.")
 
