never set REMOTE_USER to the value of SSL_CLIENT_S_DN_CN

We only deploy a single user in Pulp: admin And we do not give out certs with CN=admin, so there is no point in trying to obtain the REMOTE_USER from the CN.
theforeman · Oct 17, 2024 · ddfa49f · ddfa49f
1 parent d75c952
commit ddfa49f
Show file tree

Hide file tree

Showing 5 changed files with 16 additions and 16 deletions.
diff --git a/manifests/apache.pp b/manifests/apache.pp
@@ -50,7 +50,6 @@
   $api_default_request_headers = [
     "unset ${remote_user_environ_header}",
     "unset ${remote_user_environ_header_underscore}",
-    "set ${remote_user_environ_header} \"%{SSL_CLIENT_S_DN_CN}s\" env=SSL_CLIENT_S_DN_CN",
   ]
 
   $api_additional_request_headers = $pulpcore::api_client_auth_cn_map.map |String $cn, String $pulp_user| {

diff --git a/manifests/plugin/container.pp b/manifests/plugin/container.pp
@@ -9,12 +9,6 @@
   String $location_prefix = '/pulpcore_registry',
   String $registry_version_path = '/v2/',
 ) {
-  # This is like pulpcore::apache's value, but slightly different
-  $api_default_request_headers = [
-    "unset ${pulpcore::apache::remote_user_environ_header}",
-    "unset ${pulpcore::apache::remote_user_environ_header_underscore}",
-  ]
-
   $context = {
     'directories' => [
       {
@@ -25,7 +19,7 @@
             'url' => "${pulpcore::apache::api_base_url}${registry_version_path}",
           },
         ],
-        'request_headers' => $api_default_request_headers + $pulpcore::apache::api_additional_request_headers,
+        'request_headers' => $pulpcore::apache::api_default_request_headers + $pulpcore::apache::api_additional_request_headers,
       },
     ],
     'proxy_pass'  => [

diff --git a/spec/acceptance/hieradata/common.yaml b/spec/acceptance/hieradata/common.yaml
@@ -1,6 +1,8 @@
 ---
 apache::default_mods: false
-pulpcore::apache_https_cert: '/etc/pulpcore-certs/ca-cert.pem'
-pulpcore::apache_https_key: '/etc/pulpcore-certs/ca-key.pem'
+pulpcore::apache_https_cert: '/etc/pulpcore-certs/client-cert.pem'
+pulpcore::apache_https_key: '/etc/pulpcore-certs/client-key.pem'
 pulpcore::apache_https_ca: '/etc/pulpcore-certs/ca-cert.pem'
 pulpcore::database::always_run_migrations: false
+pulpcore::api_client_auth_cn_map:
+  "%{facts.networking.fqdn}": "admin"
diff --git a/spec/classes/pulpcore_spec.rb b/spec/classes/pulpcore_spec.rb
@@ -133,7 +133,6 @@
                 'request_headers' => [
                   'unset REMOTE-USER',
                   'unset REMOTE_USER',
-                  'set REMOTE-USER "%{SSL_CLIENT_S_DN_CN}s" env=SSL_CLIENT_S_DN_CN',
                 ],
               }
             ])
@@ -359,7 +358,6 @@
   <Location "/pulp/api/v3">
     RequestHeader unset REMOTE-USER
     RequestHeader unset REMOTE_USER
-    RequestHeader set REMOTE-USER "%{SSL_CLIENT_S_DN_CN}s" env=SSL_CLIENT_S_DN_CN
     ProxyPass unix:///run/pulpcore-api.sock|http://pulpcore-api/pulp/api/v3 timeout=600
     ProxyPassReverse unix:///run/pulpcore-api.sock|http://pulpcore-api/pulp/api/v3
   </Location>
@@ -524,7 +522,6 @@
                 'request_headers' => [
                   'unset REMOTE-USER',
                   'unset REMOTE_USER',
-                  'set REMOTE-USER "%{SSL_CLIENT_S_DN_CN}s" env=SSL_CLIENT_S_DN_CN',
                   'set REMOTE-USER "admin" "expr=%{SSL_CLIENT_S_DN_CN} == \'foreman.example.com\'"',
                 ],
               }

diff --git a/spec/setup_acceptance_node.pp b/spec/setup_acceptance_node.pp
@@ -18,8 +18,9 @@
 $client_csr = "${directory}/client-csr.pem"
 $client_cert = "${directory}/client-cert.pem"
 $client_key = "${directory}/client-key.pem"
+$client_ext = "${directory}/client-ext"
 
-$ca_cmd = "openssl req -nodes -x509 -newkey rsa:2048 -subj '/CN=${facts['networking']['fqdn']}' -addext 'subjectAltName = DNS:${facts['networking']['fqdn']}' -keyout '${ca_key}' -out '${ca_cert}' -days 365"
+$ca_cmd = "openssl req -nodes -x509 -newkey rsa:2048 -subj '/CN=${facts['networking']['fqdn']} CA' -keyout '${ca_key}' -out '${ca_cert}' -days 365"
 
 exec { 'Create certificate directory':
   command => "mkdir -p ${directory}",
@@ -34,14 +35,21 @@
   umask     => '0022',
 }
 -> exec { 'Generate CSR':
-  command   => "openssl req -nodes -new -newkey rsa:2048 -subj '/CN=admin' -out '${client_csr}' -keyout '${client_key}'",
+  command   => "openssl req -nodes -new -newkey rsa:2048 -subj '/CN=${facts['networking']['fqdn']}' -addext 'subjectAltName = DNS:${facts['networking']['fqdn']}' -out '${client_csr}' -keyout '${client_key}'",
   path      => ['/bin', '/usr/bin'],
   creates   => $client_csr,
   logoutput => 'on_failure',
   umask     => '0022',
 }
+-> exec { 'Create extfile':
+  command   => "echo 'subjectAltName = DNS:${facts['networking']['fqdn']}' > '${client_ext}'",
+  path      => ['/bin', '/usr/bin'],
+  creates   => $client_ext,
+  logoutput => 'on_failure',
+  umask     => '0022',
+}
 -> exec { 'Sign CSR':
-  command   => "openssl x509 -req -days 360 -in '${client_csr}' -CA '${ca_cert}' -CAkey '${ca_key}' -CAcreateserial -out '${client_cert}'",
+  command   => "openssl x509 -req -days 360 -in '${client_csr}' -CA '${ca_cert}' -CAkey '${ca_key}' -CAcreateserial -out '${client_cert}' -extfile '${client_ext}'",
   path      => ['/bin', '/usr/bin'],
   creates   => $client_cert,
   logoutput => 'on_failure',