Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Correct container plugin apache header rewrite #356

Merged
merged 1 commit into from
Sep 4, 2024

Conversation

ekohl
Copy link
Member

@ekohl ekohl commented Sep 3, 2024

In 5b6d088 it was assumed that $api_default_request_headers was the same, but it was slightly different. This corrects it and adds tests, which should have been added in the first place. These tests pass prior to the application and after, making sure there's no change.

Fixes: 5b6d088 ("Reuse headers from pulpcore::apache class")

In 5b6d088 it was assumed that `$api_default_request_headers` was
the same, but it was slightly different. This corrects it and adds
tests, which should have been added in the first place. These tests pass
prior to the application and after, making sure there's no change.

Fixes: 5b6d088 ("Reuse headers from pulpcore::apache class")
@@ -9,6 +9,11 @@
String $location_prefix = '/pulpcore_registry',
String $registry_version_path = '/v2/',
) {
# This is like pulpcore::apache's value, but slightly different
$api_default_request_headers = [
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we really need this?

https://httpd.apache.org/docs/current/mod/mod_headers.html#requestheader says

set
The request header is set, replacing any previous header with this name

So while the content of the file is changed, the behavior should not?

(Unless the cn map is empty)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The CN map contains "if" expressions. My understanding is the first line 100% certain clears it. Then IF the cert's CN equals something, it sets the header.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Right, so the flow is:

  • use unset to remove any header by that name, wherever it comes from
  • use set to set it to the CN (if there is a CN!)
  • use set to set it to admin (if the expression matches, resetting a possibly previously set CN-based name)

I honestly see no reason (ever) to set the CN-based remote user, as such user just doesn't exist in Pulp (in our deployment)

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It was added in #186 #105, but I don't really see a reason for it.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My vote: don't add this complexity (same variable name, different values) back in, it's confusing as hell.
Do the releases we need to do.

Drop CN-stuff in an 11.x

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we then include 11.x in the upcoming releases? I'd actually feel more comfortable if we only had the explicit unset and explicit mapping.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure…

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fwiw, I tested the current (two-set) config with theforeman/forklift#1853 and it pushes containers fine, so 🤷‍♀️

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm leaning to merging this now as is because it keeps it minimal and then resolve it properly in the next release cycle.

@ekohl ekohl merged commit 935ddee into theforeman:master Sep 4, 2024
23 checks passed
@ekohl ekohl deleted the correct-header-reuse branch September 4, 2024 09:41
@ekohl ekohl added Bug Something isn't working skip-changelog labels Sep 4, 2024
@ekohl
Copy link
Member Author

ekohl commented Sep 4, 2024

Skipping per #358 (comment)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Bug Something isn't working skip-changelog
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants