
always compare CNs as downcase #364

Merged: 1 commit from the downcase branch into master, Dec 18, 2024

Conversation

@evgeni evgeni commented Dec 17, 2024

Sometimes people end up with certificates that have uppercase letters in
the CN, but pass lowercase in the auth map.

@@ -53,7 +53,7 @@
]

$api_additional_request_headers = $pulpcore::api_client_auth_cn_map.map |String $cn, String $pulp_user| {
"set ${remote_user_environ_header} \"${pulp_user}\" \"expr=%{SSL_CLIENT_S_DN_CN} == '${cn}'\""
"set ${remote_user_environ_header} \"${pulp_user}\" \"expr=%{tolower:SSL_CLIENT_S_DN_CN} == '${cn.downcase}'\""
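Review bot: with both sides lowercased, two keys in `api_client_auth_cn_map` that differ only in case now produce a rule for the same lowercased CN, and whichever `set` directive is emitted last wins silently; consider rejecting such collisions in the map (or at least documenting in the parameter description that keys are matched case-insensitively), since the change is not visible from the type signature. One further caveat worth a comment next to the line: `tolower:` is httpd's expr function and folds ASCII only, whereas Puppet's `downcase` is Unicode-aware, so a CN with non-ASCII letters can still compare unequal after this change.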
ekohl (Member) commented on the diff:
That looks interesting. That code only looks correct for content proxies, not Foreman itself.

evgeni (Member Author) replied:
container gateway is a proxy-only feature :)

@ekohl ekohl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yesterday I looked at the same problem and came to the same solution, just didn't have time to test it.


evgeni commented Dec 17, 2024

The problem is that in our Puppet code we (mostly) use the networking.fqdn fact, which will return whatever the system thinks about itself:

# facter networking.fqdn
centos9-STREAM.tanso.example.com

However, in some places we use hostname -f output, which will under certain circumstances DO SOMETHING COMPLETELY DIFFERENT:

# hostname -f
centos9-stream.tanso.example.com

The circumstances being /etc/hosts (or DNS, I guess?) containing a different casing of the name:

# grep centos /etc/hosts 
127.0.1.1 centos9-StrEam.tanso.example.com centos9-stream

# hostname -f
centos9-StrEam.tanso.example.com

Now, if you have a system that thinks it's MACHINE.example.com and got a cert with CN=MACHINE.example.com but you use --foreman-proxy-trusted-hosts machine.example.com when setting up a proxy using that machine as the server… You're gonna have a bad time.
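The mismatch described in this comment (a certificate issued for `MACHINE.example.com` while the auth map lists `machine.example.com`) can be reproduced without httpd. The Ruby below is an added example, not code from puppet-pulpcore or from either commenter: it builds the per-user header rules the way the Puppet `map` block in the diff does, both in the pre-fix (case-sensitive) and post-fix (`tolower:` plus `downcase`) shape, then evaluates them with a small stand-in for httpd's `expr` comparison and flags map keys that become ambiguous once lowercased. The map contents, the header name `REMOTE_USER`, and the certificate CN are constructed sample values.

```ruby
# Added example (not puppet-pulpcore code): models how api_client_auth_cn_map
# becomes per-user RequestHeader rules and how the expr comparison behaves
# before and after the downcase fix. resolve_user stands in for httpd.

# Constructed sample map: keys are what an admin passes to Puppet.
AUTH_CN_MAP = {
  'machine.example.com' => 'foreman',
  'proxy01.example.com' => 'proxy01',
}.freeze

HEADER = 'REMOTE_USER' # assumed stand-in for $remote_user_environ_header

# Pre-fix rule shape: case-sensitive comparison (the removed line of the diff).
def header_rules_case_sensitive(cn_map, header = HEADER)
  cn_map.map do |cn, user|
    "set #{header} \"#{user}\" \"expr=%{SSL_CLIENT_S_DN_CN} == '#{cn}'\""
  end
end

# Post-fix rule shape: both sides lowercased (the added line of the diff).
def header_rules_case_insensitive(cn_map, header = HEADER)
  cn_map.map do |cn, user|
    "set #{header} \"#{user}\" \"expr=%{tolower:SSL_CLIENT_S_DN_CN} == '#{cn.downcase}'\""
  end
end

# Parses the two rule shapes above; anything else is rejected.
RULE_RE = /\Aset \S+ "([^"]*)" "expr=%\{(tolower:)?SSL_CLIENT_S_DN_CN\} == '([^']*)'"\z/.freeze

# Simulates httpd evaluating every rule against the client certificate CN.
# Returns the user the header would carry, or nil when no rule matches.
# When several rules match, the last "set" wins, as it does in httpd.
def resolve_user(rules, client_cn)
  matched = nil
  rules.each do |rule|
    m = RULE_RE.match(rule)
    raise ArgumentError, "unparseable rule: #{rule}" unless m

    user, lower, expected = m[1], m[2], m[3]
    left = lower ? client_cn.downcase : client_cn
    matched = user if left == expected
  end
  matched
end

# Keys that differ only by case collapse onto one lowercase CN after the fix.
# Returns the lowercased CNs that more than one key maps to, so an operator
# can spot an ambiguous map before deploying it.
def ambiguous_cns(cn_map)
  cn_map.keys.group_by(&:downcase).select { |_, ks| ks.size > 1 }.keys
end

if __FILE__ == $PROGRAM_NAME
  cert_cn = 'MACHINE.example.com' # constructed: cert issued with an uppercase hostname
  puts "case-sensitive:   #{resolve_user(header_rules_case_sensitive(AUTH_CN_MAP), cert_cn).inspect}"
  puts "case-insensitive: #{resolve_user(header_rules_case_insensitive(AUTH_CN_MAP), cert_cn).inspect}"
  puts "ambiguous keys:   #{ambiguous_cns('A.example.com' => 'x', 'a.example.com' => 'y').inspect}"
end
```

Running it shows the pre-fix rules return no user for the uppercase CN (the request would reach the API unauthenticated as that client) while the post-fix rules resolve it to `foreman`; the `ambiguous_cns` check is the collision guard the PR itself does not add.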

@evgeni evgeni force-pushed the downcase branch 2 times, most recently from 116c7d6 to a3f0786, December 17, 2024 11:53
@ekohl ekohl added the Bug Something isn't working label Dec 17, 2024
@ekohl ekohl left a comment


I'm debating a Redmine issue for proper bug tracking.

evgeni commented Dec 17, 2024

> I'm debating a Redmine issue for proper bug tracking.

I can certainly create one, sure.

Should we also try to fix up the installer to use networking.fqdn if possible?

evgeni commented Dec 17, 2024

FWIW, the "uppercase letter in fqdn" should be guarded by checks/hostname.rb in the installer, but old certs might still exist 🙈

ekohl commented Dec 17, 2024

> Should we also try to fix up the installer to use networking.fqdn if possible?

Probably a good idea.

> FWIW, the "uppercase letter in fqdn" should be guarded by checks/hostname.rb in the installer, but old certs might still exist 🙈

I still see that check as a workaround for known and unknown bugs. Ideally we'll fix cases like these over time and drop the check.

@evgeni evgeni enabled auto-merge (rebase) December 18, 2024 07:41
@evgeni evgeni merged commit 6466a17 into master Dec 18, 2024
23 checks passed
@evgeni evgeni deleted the downcase branch December 18, 2024 08:01