diff --git a/manifests/apache.pp b/manifests/apache.pp index 0848198d..04b76692 100644 --- a/manifests/apache.pp +++ b/manifests/apache.pp @@ -43,10 +43,13 @@ # Pulp has a default for remote header. Here it's ensured that the end user # can't send that header to spoof users. - $remote_user_environ_header = $pulpcore::remote_user_environ_name.regsubst(/^HTTP_/, '') + # The logic is only sufficient for headers with at most one underscore! + $remote_user_environ_header_underscore = $pulpcore::remote_user_environ_name.regsubst(/^HTTP_/, '') + $remote_user_environ_header = $remote_user_environ_header_underscore.regsubst('_', '-') $api_default_request_headers = [ "unset ${remote_user_environ_header}", + "unset ${remote_user_environ_header_underscore}", "set ${remote_user_environ_header} \"%{SSL_CLIENT_S_DN_CN}s\" env=SSL_CLIENT_S_DN_CN", ] diff --git a/manifests/plugin/container.pp b/manifests/plugin/container.pp index 037193ac..21d0bead 100644 --- a/manifests/plugin/container.pp +++ b/manifests/plugin/container.pp @@ -12,6 +12,7 @@ # This is like pulpcore::apache's value, but slightly different $api_default_request_headers = [ "unset ${pulpcore::apache::remote_user_environ_header}", + "unset ${pulpcore::apache::remote_user_environ_header_underscore}", ] $context = { diff --git a/spec/classes/plugin_container_spec.rb b/spec/classes/plugin_container_spec.rb index bd321339..fc307265 100644 --- a/spec/classes/plugin_container_spec.rb +++ b/spec/classes/plugin_container_spec.rb @@ -4,23 +4,25 @@ on_supported_os.each do |os, os_facts| context "on #{os}" do let(:facts) { os_facts } - let(:pre_condition) { 'include pulpcore' } + context "with default params" do + let(:pre_condition) { 'include pulpcore' } - it 'configures the plugin' do - is_expected.to compile.with_all_deps - is_expected.to contain_pulpcore__plugin('container') - .that_subscribes_to('Class[Pulpcore::Install]') - .that_notifies(['Class[Pulpcore::Database]', 'Class[Pulpcore::Service]']) - is_expected.to contain_package('pulpcore-plugin(container)') - is_expected.to contain_concat__fragment('plugin-container').with_content("\n# container plugin settings\nTOKEN_AUTH_DISABLED=True") - is_expected.to contain_pulpcore__apache__fragment('plugin-container') - is_expected.not_to contain_apache__vhost__fragment('pulpcore-http-plugin-container') - is_expected.to contain_apache__vhost__fragment('pulpcore-https-plugin-container') - .with_vhost('pulpcore-https') - .with_priority('10') - .with_content(< + RequestHeader unset REMOTE-USER RequestHeader unset REMOTE_USER ProxyPass unix:///run/pulpcore-api.sock|http://pulpcore-api/v2/ ProxyPassReverse unix:///run/pulpcore-api.sock|http://pulpcore-api/v2/ @@ -29,6 +31,36 @@ ProxyPass /pulp/container/ unix:///run/pulpcore-content.sock|http://pulpcore-content/pulp/container/ ProxyPassReverse /pulp/container/ unix:///run/pulpcore-content.sock|http://pulpcore-content/pulp/container/ APACHE_CONFIG + end + end + + context 'with API client auth common names' do + let(:pre_condition) do + <<~PUPPET + class {'pulpcore': + api_client_auth_cn_map => {'foreman.example.com' => 'admin'} + } + PUPPET + end + it 'configures the plugin' do + is_expected.to compile.with_all_deps + is_expected.to contain_apache__vhost__fragment('pulpcore-https-plugin-container') + .with_vhost('pulpcore-https') + .with_priority('10') + .with_content(< + RequestHeader unset REMOTE-USER + RequestHeader unset REMOTE_USER + RequestHeader set REMOTE-USER "admin" "expr=%{SSL_CLIENT_S_DN_CN} == 'foreman.example.com'" + ProxyPass unix:///run/pulpcore-api.sock|http://pulpcore-api/v2/ + ProxyPassReverse unix:///run/pulpcore-api.sock|http://pulpcore-api/v2/ + + + ProxyPass /pulp/container/ unix:///run/pulpcore-content.sock|http://pulpcore-content/pulp/container/ + ProxyPassReverse /pulp/container/ unix:///run/pulpcore-content.sock|http://pulpcore-content/pulp/container/ +APACHE_CONFIG + end end end end diff --git a/spec/classes/pulpcore_spec.rb b/spec/classes/pulpcore_spec.rb index ef58af16..1bede87c 100644 --- a/spec/classes/pulpcore_spec.rb +++ b/spec/classes/pulpcore_spec.rb @@ -131,8 +131,9 @@ 'params' => {'timeout' => '600'}, }], 'request_headers' => [ + 'unset REMOTE-USER', 'unset REMOTE_USER', - 'set REMOTE_USER "%{SSL_CLIENT_S_DN_CN}s" env=SSL_CLIENT_S_DN_CN', + 'set REMOTE-USER "%{SSL_CLIENT_S_DN_CN}s" env=SSL_CLIENT_S_DN_CN', ], } ]) @@ -356,8 +357,9 @@ + RequestHeader unset REMOTE-USER RequestHeader unset REMOTE_USER - RequestHeader set REMOTE_USER "%{SSL_CLIENT_S_DN_CN}s" env=SSL_CLIENT_S_DN_CN + RequestHeader set REMOTE-USER "%{SSL_CLIENT_S_DN_CN}s" env=SSL_CLIENT_S_DN_CN ProxyPass unix:///run/pulpcore-api.sock|http://pulpcore-api/pulp/api/v3 timeout=600 ProxyPassReverse unix:///run/pulpcore-api.sock|http://pulpcore-api/pulp/api/v3 @@ -520,9 +522,10 @@ 'params' => {'timeout' => '600'}, }], 'request_headers' => [ + 'unset REMOTE-USER', 'unset REMOTE_USER', - 'set REMOTE_USER "%{SSL_CLIENT_S_DN_CN}s" env=SSL_CLIENT_S_DN_CN', - 'set REMOTE_USER "admin" "expr=%{SSL_CLIENT_S_DN_CN} == \'foreman.example.com\'"', + 'set REMOTE-USER "%{SSL_CLIENT_S_DN_CN}s" env=SSL_CLIENT_S_DN_CN', + 'set REMOTE-USER "admin" "expr=%{SSL_CLIENT_S_DN_CN} == \'foreman.example.com\'"', ], } ]) diff --git a/spec/support/acceptance/examples.rb b/spec/support/acceptance/examples.rb index 3d7b4bef..48fcd4b3 100644 --- a/spec/support/acceptance/examples.rb +++ b/spec/support/acceptance/examples.rb @@ -72,6 +72,18 @@ its(:exit_status) { is_expected.to eq 0 } end + describe curl_command("https://#{host_inventory['fqdn']}/pulp/api/v3/users/", cacert: "#{certdir}/ca-cert.pem", headers: {'remote-user': 'admin'}) do + its(:response_code) { is_expected.to eq(403) } + its(:body) { is_expected.to contain('Authentication credentials were not provided.') } + its(:exit_status) { is_expected.to eq 0 } + end + + describe curl_command("https://#{host_inventory['fqdn']}/pulp/api/v3/users/", cacert: "#{certdir}/ca-cert.pem", headers: {'remote_user': 'admin'}) do + its(:response_code) { is_expected.to eq(403) } + its(:body) { is_expected.to contain('Authentication credentials were not provided.') } + its(:exit_status) { is_expected.to eq 0 } + end + describe curl_command("https://#{host_inventory['fqdn']}/pulp/api/v3/users/", cacert: "#{certdir}/ca-cert.pem", key: "#{certdir}/client-key.pem", cert: "#{certdir}/client-cert.pem") do its(:response_code) { is_expected.to eq(200) }