From 2cba4e96085ca9b24b0aac5c0d2b19b41208e974 Mon Sep 17 00:00:00 2001
From: Evgeni Golov
Date: Tue, 8 Oct 2024 09:07:31 +0200
Subject: [PATCH] never set REMOTE_USER to the value of SSL_CLIENT_S_DN_CN
We only deploy a single user in Pulp: admin
And we do not give out certs with CN=admin, so there is no point in trying to obtain the REMOTE_USER from the CN.
---
 manifests/apache.pp | 1 -
 manifests/plugin/container.pp | 8 +-------
 spec/acceptance/hieradata/common.yaml | 2 ++
 spec/classes/pulpcore_spec.rb | 3 ---
 spec/setup_acceptance_node.pp | 4 ++--
 5 files changed, 5 insertions(+), 13 deletions(-)
diff --git a/manifests/apache.pp b/manifests/apache.pp
index 04b7669..b3fec56 100644
--- a/manifests/apache.pp
+++ b/manifests/apache.pp
@@ -50,7 +50,6 @@
 $api_default_request_headers = [
 "unset ${remote_user_environ_header}",
 "unset ${remote_user_environ_header_underscore}",
- "set ${remote_user_environ_header} \"%{SSL_CLIENT_S_DN_CN}s\" env=SSL_CLIENT_S_DN_CN",
 ]
 $api_additional_request_headers = $pulpcore::api_client_auth_cn_map.map |String $cn, String $pulp_user| {
diff --git a/manifests/plugin/container.pp b/manifests/plugin/container.pp
index 21d0bea..c1587ae 100644
--- a/manifests/plugin/container.pp
+++ b/manifests/plugin/container.pp
@@ -9,12 +9,6 @@
 String $location_prefix = '/pulpcore_registry',
 String $registry_version_path = '/v2/',
 ) {
- # This is like pulpcore::apache's value, but slightly different
- $api_default_request_headers = [
- "unset ${pulpcore::apache::remote_user_environ_header}",
- "unset ${pulpcore::apache::remote_user_environ_header_underscore}",
- ]
-
 $context = {
 'directories' => [
 {
@@ -25,7 +19,7 @@
 'url' => "${pulpcore::apache::api_base_url}${registry_version_path}",
 },
 ],
- 'request_headers' => $api_default_request_headers + $pulpcore::apache::api_additional_request_headers,
+ 'request_headers' => $pulpcore::apache::api_default_request_headers + $pulpcore::apache::api_additional_request_headers,
 },
 ],
 'proxy_pass' => [
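Review bot: Nothing in the apache.pp hunk records that `$api_default_request_headers` is now purely a strip list — the two `unset` entries remove any client-supplied REMOTE-USER/REMOTE_USER before the per-CN grants built from `api_client_auth_cn_map` on the following line are appended — and the same array is now also consumed by `pulpcore::plugin::container` elsewhere in this patch, so its meaning deserves a comment. Suggest, directly above the array: `# Strip any inbound REMOTE_USER header; a value is only set again for CNs listed in api_client_auth_cn_map, never taken from the client certificate CN directly.` The surrounding class body lies outside the hunk.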
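Review bot: The registry location's `'request_headers'` now inherits `$pulpcore::apache::api_default_request_headers` (second container.pp hunk), so any future addition to the API vhost's default list is applied to the registry as well, while the first hunk drops the comment that explained why the registry kept its own copy. Since that coupling is now deliberate, a one-line note at the `'request_headers'` key would keep the next editor from re-introducing a divergent list: `# Same REMOTE_USER stripping and CN mapping as the API vhost; kept identical on purpose`. The `$context` hash continues past the end of the hunk.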
diff --git a/spec/acceptance/hieradata/common.yaml b/spec/acceptance/hieradata/common.yaml
index 411c62f..7eaf83b 100644
--- a/spec/acceptance/hieradata/common.yaml
+++ b/spec/acceptance/hieradata/common.yaml
@@ -4,3 +4,5 @@ pulpcore::apache_https_cert: '/etc/pulpcore-certs/ca-cert.pem'
 pulpcore::apache_https_key: '/etc/pulpcore-certs/ca-key.pem'
 pulpcore::apache_https_ca: '/etc/pulpcore-certs/ca-cert.pem'
 pulpcore::database::always_run_migrations: false
+pulpcore::api_client_auth_cn_map:
+ "%{facts.networking.fqdn}": "admin"
diff --git a/spec/classes/pulpcore_spec.rb b/spec/classes/pulpcore_spec.rb
index 1bede87..4822c8f 100644
--- a/spec/classes/pulpcore_spec.rb
+++ b/spec/classes/pulpcore_spec.rb
@@ -133,7 +133,6 @@
 'request_headers' => [
 'unset REMOTE-USER',
 'unset REMOTE_USER',
- 'set REMOTE-USER "%{SSL_CLIENT_S_DN_CN}s" env=SSL_CLIENT_S_DN_CN',
 ],
 }
 ])
@@ -359,7 +358,6 @@
 RequestHeader unset REMOTE-USER
 RequestHeader unset REMOTE_USER
- RequestHeader set REMOTE-USER "%{SSL_CLIENT_S_DN_CN}s" env=SSL_CLIENT_S_DN_CN
 ProxyPass unix:///run/pulpcore-api.sock|http://pulpcore-api/pulp/api/v3 timeout=600
 ProxyPassReverse unix:///run/pulpcore-api.sock|http://pulpcore-api/pulp/api/v3
@@ -524,7 +522,6 @@
 'request_headers' => [
 'unset REMOTE-USER',
 'unset REMOTE_USER',
- 'set REMOTE-USER "%{SSL_CLIENT_S_DN_CN}s" env=SSL_CLIENT_S_DN_CN',
 'set REMOTE-USER "admin" "expr=%{SSL_CLIENT_S_DN_CN} == \'foreman.example.com\'"',
 ],
 }
diff --git a/spec/setup_acceptance_node.pp b/spec/setup_acceptance_node.pp
index 71f576c..53c2694 100644
--- a/spec/setup_acceptance_node.pp
+++ b/spec/setup_acceptance_node.pp
@@ -34,14 +34,14 @@
 umask => '0022',
 } ->
 exec { 'Generate CSR':
- command => "openssl req -nodes -new -newkey rsa:2048 -subj '/CN=admin' -out '${client_csr}' -keyout '${client_key}'",
+ command => "openssl req -nodes -new -newkey rsa:2048 -subj '/CN=${facts['networking']['fqdn']}' -addext 'subjectAltName = DNS:${facts['networking']['fqdn']}' -out '${client_csr}' -keyout '${client_key}'",
 path => ['/bin', '/usr/bin'],
 creates => $client_csr,
 logoutput => 'on_failure',
 umask => '0022',
 } ->
 exec { 'Sign CSR':
- command => "openssl x509 -req -days 360 -in '${client_csr}' -CA '${ca_cert}' -CAkey '${ca_key}' -CAcreateserial -out '${client_cert}'",
+ command => "openssl x509 -req -days 360 -in '${client_csr}' -CA '${ca_cert}' -CAkey '${ca_key}' -CAcreateserial -out '${client_cert}' -extfile <(echo 'subjectAltName = DNS:${facts['networking']['fqdn']}')",
 path => ['/bin', '/usr/bin'],
 creates => $client_cert,
 logoutput => 'on_failure',
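Review bot: The new `-extfile <(echo ...)` in the `Sign CSR` command relies on bash process substitution, but the resource sets only `path` and no `provider`, so whether the string ever reaches a bash-compatible shell depends on Puppet's default exec provider and on what `/bin/sh` is on the test node; where it is dash, `<(` is a syntax error and the signed certificate is produced without the SAN. The portable form is to write the extension to disk — a `file` resource whose content is `subjectAltName = DNS:${facts['networking']['fqdn']}`, ordered before this exec — and pass `-extfile` pointing at that file; at minimum add `provider => shell,` to the resource so the dependency on a shell is explicit. The `-addext` on the CSR alone would not help here, since `openssl x509 -req` does not carry CSR extensions into the certificate unless told to, so some `-extfile` is needed either way.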