diff --git a/manifests/apache.pp b/manifests/apache.pp
index 93365721..64848982 100644
--- a/manifests/apache.pp
+++ b/manifests/apache.pp
@@ -44,6 +44,16 @@
 # Pulp has a default for remote header. Here it's ensured that the end user
 # can't send that header to spoof users.
 $remote_user_environ_header = $pulpcore::remote_user_environ_name.regsubst(/^HTTP_/, '')
+
+ $api_default_request_headers = [
+ "unset ${remote_user_environ_header}",
+ "set ${remote_user_environ_header} \"%{SSL_CLIENT_S_DN_CN}s\" env=SSL_CLIENT_S_DN_CN",
+ ]
+
+ $api_additional_request_headers = $pulpcore::api_client_auth_cn_map.map |String $cn, String $pulp_user| {
+ "set ${remote_user_environ_header} \"${pulp_user}\" \"expr=%{SSL_CLIENT_S_DN_CN} == '${cn}'\""
+ }
+
 $api_directory = {
 'path' => $api_path,
 'provider' => 'location',
@@ -53,10 +63,7 @@
 'params' => $api_proxy_params,
 },
 ],
- 'request_headers' => [
- "unset ${remote_user_environ_header}",
- "set ${remote_user_environ_header} \"%{SSL_CLIENT_S_DN_CN}s\" env=SSL_CLIENT_S_DN_CN",
- ],
+ 'request_headers' => $api_default_request_headers + $api_additional_request_headers,
 }
 
 # Static content is served by the whitenoise application. SELinux prevents
diff --git a/manifests/init.pp b/manifests/init.pp
index a3c96859..6c624297 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -152,6 +152,9 @@
 # @param api_service_worker_timeout
 # Timeout in seconds of the pulpcore-api gunicorn workers.
 #
+# @param api_client_auth_cn_map
+# Mapping of certificate common name and Pulp user to authenticate to Pulp API.
+#
 # @example Default configuration
 # include pulpcore
 #
@@ -200,6 +203,7 @@
 Integer[0] $api_service_worker_count = 1,
 Integer[0] $content_service_worker_timeout = 90,
 Integer[0] $api_service_worker_timeout = 90,
+ Hash[String[1], String[1]] $api_client_auth_cn_map = {},
 ) {
 
 $settings_file = "${config_dir}/settings.py"
diff --git a/spec/classes/pulpcore_spec.rb b/spec/classes/pulpcore_spec.rb
index 1a5268fe..585e0db7 100644
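Review bot: `$cn` and `$pulp_user` are interpolated verbatim into the `RequestHeader set … "expr=%{SSL_CLIENT_S_DN_CN} == '${cn}'"` directive built in `$api_additional_request_headers`, so a value containing a single or double quote, a backslash or a newline changes the directive itself rather than the match, and the `Hash[String[1], String[1]]` type added in the manifests/init.pp hunk accepts all of those. The values come from Puppet data, so this is a misconfiguration-to-unintended-directive hazard rather than a remote one, but it is cheap to rule out at the parameter boundary, e.g. `Hash[Pattern[/\A[^"'\\\r\n]+\z/], Pattern[/\A[^"'\\\r\n]+\z/]] $api_client_auth_cn_map = {},` in init.pp, or by escaping both values before interpolating them here. The expression compares only the CN, so presumably any client certificate the vhost accepts that carries a mapped CN is authenticated as the named Pulp user; a one-line comment above `$api_additional_request_headers` stating that would make the trust assumption explicit for the next reader.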
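Review bot: The `+` on the new `'request_headers'` line carries an ordering requirement that is stated nowhere: mod_headers applies `RequestHeader` directives in configuration order, so the per-CN `set` entries override the default `set` only because they are appended after it. A comment above that line would guard against a future reorder, e.g. `# Order matters: the default set comes first so that a matching CN mapping, applied later, wins.`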
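Review bot: The new `@param api_client_auth_cn_map` text does not say which side of the hash is the key and which the value, nor what the mapping grants, and that is the security-relevant part of this parameter. Wording such as `# Hash of client certificate common names to Pulp user names. A request whose client certificate CN is a key is authenticated to the Pulp API as the mapped user via the remote-user header, instead of as the CN itself.` lets an operator judge the consequences without reading apache.pp.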
--- a/spec/classes/pulpcore_spec.rb
+++ b/spec/classes/pulpcore_spec.rb
@@ -428,6 +428,51 @@
 is_expected.to contain_service("pulpcore-worker@1.service").with_ensure(false)
 end
 end
+
+ context 'with API client auth common names' do
+ let :params do
+ {
+ 'api_client_auth_cn_map': {'foreman.example.com' => 'admin'}
+ }
+ end
+
+ it do
+ is_expected.to contain_apache__vhost('pulpcore-https')
+ .with_directories([
+ {
+ 'provider' => 'Directory',
+ 'path' => '/var/lib/pulp/pulpcore_static',
+ 'options' => ['-Indexes', '-FollowSymLinks'],
+ 'allow_override' => ['None'],
+ },
+ {
+ 'path' => '/pulp/content',
+ 'provider' => 'location',
+ 'proxy_pass' => [{
+ 'url' => 'unix:///run/pulpcore-content.sock|http://pulpcore-content/pulp/content',
+ 'params' => {'timeout' => '600', 'disablereuse' => 'on'},
+ }],
+ 'request_headers' => [
+ 'unset X-CLIENT-CERT',
+ 'set X-CLIENT-CERT "%{SSL_CLIENT_CERT}s" env=SSL_CLIENT_CERT',
+ ],
+ },
+ {
+ 'path' => '/pulp/api/v3',
+ 'provider' => 'location',
+ 'proxy_pass' => [{
+ 'url' => 'unix:///run/pulpcore-api.sock|http://pulpcore-api/pulp/api/v3',
+ 'params' => {'timeout' => '600'},
+ }],
+ 'request_headers' => [
+ 'unset REMOTE_USER',
+ 'set REMOTE_USER "%{SSL_CLIENT_S_DN_CN}s" env=SSL_CLIENT_S_DN_CN',
+ 'set REMOTE_USER "admin" "expr=%{SSL_CLIENT_S_DN_CN} == \'foreman.example.com\'"',
+ ],
+ }
+ ])
+ end
+ end
 end
 end
 end
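Review bot: The new context pins only the well-formed single-entry case; since the CN and user values end up inside a quoted `RequestHeader` argument and an `expr=` string, a second example with a CN containing a space or an apostrophe (both legal in certificate subjects) would document how the manifest handles them, whichever behaviour is chosen. The expectation also restates the full `pulpcore_static` and `/pulp/content` directory entries, which are unrelated to the parameter under test, so any unrelated vhost change will fail this example; if other contexts in this file already cover those entries, asserting only the `/pulp/api/v3` `request_headers` order here would keep the example focused on what the commit adds.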