Refs #32383: Configurable client certificate authentication to Pulp

Require a client certificate to be presented with a CN that matches the supplied auth CN. If this is present, set the REMOTE_USER to a Pulp user defined in the parameter to pass along to Pulp. This changes from having to generate a client certificate with a valid user (e.g. admin) as the CN to allowing to use a client certificate generated with a more standard CN (e.g. FQDN) and act as a user in Pulp suppplied to the parameter. This maintains the default configuration of expecting admin and mapping that to admin.
theforeman · Apr 28, 2021 · 2bcccb2 · 2bcccb2
1 parent 5462f34
commit 2bcccb2
Show file tree

Hide file tree

Showing 4 changed files with 27 additions and 3 deletions.
diff --git a/manifests/apache.pp b/manifests/apache.pp
@@ -55,7 +55,12 @@
     ],
     'request_headers' => [
       "unset ${remote_user_environ_header}",
-      "set ${remote_user_environ_header} \"%{SSL_CLIENT_S_DN_CN}s\" env=SSL_CLIENT_S_DN_CN",
+    ],
+    'ifs' => [
+      {
+        'condition'  => "%{SSL_CLIENT_S_DN_CN} == \"${pulpcore::api_client_auth_cn_map['cn']}\"",
+        'consequent' => "set ${remote_user_environ_header} \"${pulpcore::api_client_auth_cn_map['pulp_user']}\"",
+      },
     ],
   }
 

diff --git a/manifests/init.pp b/manifests/init.pp
@@ -152,6 +152,9 @@
 # @param api_service_worker_timeout
 #   Timeout in seconds of the pulpcore-api gunicorn workers.
 #
+# @param api_client_auth_cn_map
+#   Mapping of certificate common name and Pulp user to authenticate to Pulp API.
+#
 # @example Default configuration
 #   include pulpcore
 #
@@ -200,6 +203,7 @@
   Integer[0] $api_service_worker_count = 1,
   Integer[0] $content_service_worker_timeout = 90,
   Integer[0] $api_service_worker_timeout = 90,
+  Hash $api_client_auth_cn_map = {'cn' => 'admin', 'pulp_user' => 'admin'},
 ) {
   $settings_file = "${config_dir}/settings.py"
 

diff --git a/spec/classes/pulpcore_spec.rb b/spec/classes/pulpcore_spec.rb
@@ -103,8 +103,13 @@
                 }],
                 'request_headers' => [
                   'unset REMOTE_USER',
-                  'set REMOTE_USER "%{SSL_CLIENT_S_DN_CN}s" env=SSL_CLIENT_S_DN_CN',
                 ],
+                'ifs' => [
+                  {
+                    'condition'  => '%{SSL_CLIENT_S_DN_CN} == "admin"',
+                    'consequent' => 'set REMOTE_USER "admin"',
+                  }
+                ]
               }
             ])
             .with_proxy_pass([
@@ -302,7 +307,9 @@
 
   <Location "/pulp/api/v3">
     RequestHeader unset REMOTE_USER
-    RequestHeader set REMOTE_USER "%{SSL_CLIENT_S_DN_CN}s" env=SSL_CLIENT_S_DN_CN
+    <If "%{SSL_CLIENT_S_DN_CN} == "admin"">
+     set REMOTE_USER "admin"
+    </If>
     ProxyPass unix:///run/pulpcore-api.sock|http://pulpcore-api/pulp/api/v3 timeout=600
     ProxyPassReverse unix:///run/pulpcore-api.sock|http://pulpcore-api/pulp/api/v3
   </Location>

diff --git a/templates/apache-fragment.epp b/templates/apache-fragment.epp
@@ -5,6 +5,7 @@
     Optional[options] => Array[String[1]],
     Optional[allow_override] => Array[String[1]],
     Optional[request_headers] => Array[String[1]],
+    Optional[ifs] => Array[Hash],
     Optional[proxy_pass] => Array[Struct[{
       url => String[1],
       Optional[params] => Hash[String, Variant[String, Integer]],
@@ -36,6 +37,13 @@
     RequestHeader <%= $request_statement %>
     <%-   } -%>
     <%- } -%>
+    <%- if $directory['ifs'] { -%>
+    <%-   $directory['ifs'].each |$if_statement| { -%>
+    <If "<%= $if_statement['condition'] %>">
+     <%= $if_statement['consequent'] %>
+    </If>
+    <%-   } -%>
+    <%- } -%>
     <%- if $directory['proxy_pass'] and $provider in ['Location', 'LocationMatch'] { -%>
     <%-   $directory['proxy_pass'].each |$proxy| { -%>
     ProxyPass <%= $proxy['url'] -%>