Refs #32383: Configurable client certificate authentication to Pulp

Allows a user supplied mapping of certificate CN to Pulp user name. If this is present, set the REMOTE_USER to a Pulp user defined in the parameter to pass along to Pulp. This changes from having to generate a client certificate with a valid user (e.g. admin) as the CN to allowing to use a client certificate generated with a more standard CN (e.g. FQDN) and act as a user in Pulp suppplied to the parameter.
theforeman · Apr 30, 2021 · 377f2e0 · 377f2e0
1 parent 5462f34
commit 377f2e0
Show file tree

Hide file tree

Showing 3 changed files with 60 additions and 4 deletions.
diff --git a/manifests/apache.pp b/manifests/apache.pp
@@ -44,6 +44,16 @@
   # Pulp has a default for remote header. Here it's ensured that the end user
   # can't send that header to spoof users.
   $remote_user_environ_header = $pulpcore::remote_user_environ_name.regsubst(/^HTTP_/, '')
+
+  $api_default_request_headers = [
+    "unset ${remote_user_environ_header}",
+    "set ${remote_user_environ_header} \"%{SSL_CLIENT_S_DN_CN}s\" env=SSL_CLIENT_S_DN_CN",
+  ]
+
+  $api_additional_request_headers = $pulpcore::api_client_auth_cn_map.map |String $cn, String $pulp_user| {
+    "set ${remote_user_environ_header} \"${pulp_user}\" \"expr=%{SSL_CLIENT_S_DN_CN} == '${cn}'\""
+  }
+
   $api_directory = {
     'path'            => $api_path,
     'provider'        => 'location',
@@ -53,10 +63,7 @@
         'params' => $api_proxy_params,
       },
     ],
-    'request_headers' => [
-      "unset ${remote_user_environ_header}",
-      "set ${remote_user_environ_header} \"%{SSL_CLIENT_S_DN_CN}s\" env=SSL_CLIENT_S_DN_CN",
-    ],
+    'request_headers' => concat($api_default_request_headers, $api_additional_request_headers),
   }
 
   # Static content is served by the whitenoise application. SELinux prevents

diff --git a/manifests/init.pp b/manifests/init.pp
@@ -152,6 +152,9 @@
 # @param api_service_worker_timeout
 #   Timeout in seconds of the pulpcore-api gunicorn workers.
 #
+# @param api_client_auth_cn_map
+#   Mapping of certificate common name and Pulp user to authenticate to Pulp API.
+#
 # @example Default configuration
 #   include pulpcore
 #
@@ -200,6 +203,7 @@
   Integer[0] $api_service_worker_count = 1,
   Integer[0] $content_service_worker_timeout = 90,
   Integer[0] $api_service_worker_timeout = 90,
+  Optional[Hash] $api_client_auth_cn_map = {},
 ) {
   $settings_file = "${config_dir}/settings.py"
 

diff --git a/spec/classes/pulpcore_spec.rb b/spec/classes/pulpcore_spec.rb
@@ -428,6 +428,51 @@
           is_expected.to contain_service("pulpcore-worker@1.service").with_ensure(false)
         end
       end
+
+      context 'with API client auth common names' do
+        let :params do
+          {
+            'api_client_auth_cn_map': {'foreman.example.com' => 'admin'}
+          }
+        end
+
+        it do
+          is_expected.to contain_apache__vhost('pulpcore-https')
+            .with_directories([
+              {
+                'provider'       => 'Directory',
+                'path'           => '/var/lib/pulp/pulpcore_static',
+                'options'        => ['-Indexes', '-FollowSymLinks'],
+                'allow_override' => ['None'],
+              },
+              {
+                'path'            => '/pulp/content',
+                'provider'        => 'location',
+                'proxy_pass'      => [{
+                  'url'    => 'unix:///run/pulpcore-content.sock|http://pulpcore-content/pulp/content',
+                  'params' => {'timeout' => '600', 'disablereuse' => 'on'},
+                }],
+                'request_headers' => [
+                  'unset X-CLIENT-CERT',
+                  'set X-CLIENT-CERT "%{SSL_CLIENT_CERT}s" env=SSL_CLIENT_CERT',
+                ],
+              },
+              {
+                'path'            => '/pulp/api/v3',
+                'provider'        => 'location',
+                'proxy_pass'      => [{
+                  'url'    => 'unix:///run/pulpcore-api.sock|http://pulpcore-api/pulp/api/v3',
+                  'params' => {'timeout' => '600'},
+                }],
+                'request_headers' => [
+                  'unset REMOTE_USER',
+                  'set REMOTE_USER "%{SSL_CLIENT_S_DN_CN}s" env=SSL_CLIENT_S_DN_CN',
+                  'set REMOTE_USER "admin" "expr=%{SSL_CLIENT_S_DN_CN} == \'foreman.example.com\'"',
+                ],
+              }
+            ])
+        end
+      end
     end
   end
 end