theforeman · ekohl · Jul 25, 2024 · Jul 25, 2024
diff --git a/manifests/config.pp b/manifests/config.pp
@@ -191,14 +191,6 @@
         }
       }
 
-      if $foreman::ipa_manage_sssd {
-        service { 'sssd':
-          ensure  => running,
-          enable  => true,
-          require => Package['sssd-dbus'],
-        }
-      }
-
       file { "/etc/pam.d/${foreman::pam_service}":
         ensure  => file,
         owner   => root,
@@ -207,7 +199,7 @@
         content => template('foreman/pam_service.erb'),
       }
 
-      $http_keytab = pick($foreman::http_keytab, "${apache::conf_dir}/http.keytab")
+      $http_keytab = $foreman::config::apache::http_keytab
 
       exec { 'ipa-getkeytab':
         command => "/bin/echo Get keytab \
@@ -222,24 +214,6 @@
         mode   => '0600',
       }
 
-      $gssapi_local_name = bool2str($foreman::gssapi_local_name, 'On', 'Off')
-
-      foreman::config::apache::fragment { 'intercept_form_submit':
-        ssl_content => template('foreman/intercept_form_submit.conf.erb'),
-      }
-
-      foreman::config::apache::fragment { 'lookup_identity':
-        ssl_content => template('foreman/lookup_identity.conf.erb'),
-      }
-
-      foreman::config::apache::fragment { 'auth_gssapi':
-        ssl_content => template('foreman/auth_gssapi.conf.erb'),
-      }
-
-      foreman::config::apache::fragment { 'external_auth_api':
-        ssl_content => template('foreman/external_auth_api.conf.erb'),
-      }
-
       if $foreman::ipa_manage_sssd {
         $sssd = pick(fact('foreman_sssd'), {})
         $sssd_services = join(unique(pick($sssd['services'], []) + ['ifp']), ', ')
@@ -264,6 +238,12 @@
           changes => $sssd_changes,
           notify  => Service['sssd'],
         }
+
+        service { 'sssd':
+          ensure  => running,
+          enable  => true,
+          require => Package['sssd-dbus'],
+        }
       }
 
       foreman::settings_fragment { 'authorize_login_delegation.yaml':

diff --git a/manifests/config/apache.pp b/manifests/config/apache.pp
@@ -238,6 +238,20 @@
     include apache::mod::intercept_form_submit
     include apache::mod::lookup_identity
     include apache::mod::auth_gssapi
+
+    # This is also used in manifests::config
+    $http_keytab = pick($foreman::http_keytab, "${apache::conf_dir}/http.keytab")
+
+    $external_auth_context = {
+      'pam_service'            => $foreman::pam_service,
+      'keytab'                 => $foreman::http_keytab,
+      'gssapi_local_name'      => $foreman::gssapi_local_name,
+      'ipa_authentication_api' => $foreman::ipa_authentication_api,
+    }
+
+    foreman::config::apache::fragment { 'intercept_form_submit':
+      ssl_content => epp('foreman/apache_ipa_authentication.epp', $external_auth_context),
+    }
   } elsif $keycloak {
     include apache::mod::auth_openidc
 

diff --git a/templates/apache_ipa_authentication.epp b/templates/apache_ipa_authentication.epp
@@ -0,0 +1,69 @@
+<%|
+  String[1] $pam_service,
+  Stdlib::Absolutepath $keytab,
+  Boolean $gssapi_local_name,
+  Boolean $ipa_authentication_api,
+|-%>
+
+<Location /users/login>
+  InterceptFormPAMService <%= $pam_service %>
+  InterceptFormLogin login[login]
+  InterceptFormPassword login[password]
+</Location>
+
+<LocationMatch ^(/api(/v2)?)?/users/(ext)?login/?$>
+  LookupUserAttr email REMOTE_USER_EMAIL
+  LookupUserAttr firstname REMOTE_USER_FIRSTNAME
+  LookupUserAttr lastname REMOTE_USER_LASTNAME
+  LookupUserGroups REMOTE_USER_GROUPS :
+  LookupUserGroupsIter REMOTE_USER_GROUP
+
+  # Set headers for proxy requests
+  RequestHeader set REMOTE_USER %{REMOTE_USER}e
+  RequestHeader set REMOTE_USER_EMAIL %{REMOTE_USER_EMAIL}e
+  RequestHeader set REMOTE_USER_FIRSTNAME %{REMOTE_USER_FIRSTNAME}e
+  RequestHeader set REMOTE_USER_LASTNAME %{REMOTE_USER_LASTNAME}e
+  RequestHeader set REMOTE_USER_GROUPS %{REMOTE_USER_GROUPS}e
+</LocationMatch>
+
+<LocationMatch ^/users/extlogin/?$>
+  SSLRequireSSL
+  AuthType GSSAPI
+  AuthName "GSSAPI Single Sign On Login"
+  GssapiCredStore keytab:<%= $keytab %>
+  GssapiSSLonly On
+  GssapiLocalName <%= $gssapi_local_name %>
+  # require valid-user
+  require pam-account <%= $pam_service %>
+  ErrorDocument 401 '<html><meta http-equiv="refresh" content="0; URL=/users/login"><body>Kerberos authentication did not pass.</body></html>'
+  # The following is needed as a workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1020087
+  ErrorDocument 500 '<html><meta http-equiv="refresh" content="0; URL=/users/login"><body>Kerberos authentication did not pass.</body></html>'
+</LocationMatch>
+
+<LocationMatch ^/api(/v2)?/users/extlogin/?$>
+  SSLRequireSSL
+  <% if $ipa_authentication_api { -%>
+  <If "%{HTTP:Authorization} =~ /^Basic/">
+    AuthType Basic
+    AuthName "PAM Authentication"
+    AuthBasicProvider PAM
+    AuthPAMService <%= $pam_service %>
+  </If>
+  <Else>
+    AuthType GSSAPI
+    AuthName "GSSAPI Single Sign On Login"
+    GssapiCredStore keytab:<%= $keytab %>
+    GssapiSSLonly On
+    GssapiLocalName <%= apache::bool2httpd($gssapi_local_name) %>
+  </Else>
+  <% } else { -%>
+  AuthType Basic
+  AuthName "PAM Authentication"
+  AuthBasicProvider PAM
+  AuthPAMService <%= $pam_service %>
+  <% } -%>
+  require pam-account <%= $pam_service %>
+  ErrorDocument 401 '{ "error": "External authentication did not pass." }'
+  # The following is needed as a workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1020087
+  ErrorDocument 500 '{ "error": "External authentication did not pass." }'
+</LocationMatch>
diff --git a/templates/auth_gssapi.conf.erb b/templates/auth_gssapi.conf.erb
diff --git a/templates/external_auth_api.conf.erb b/templates/external_auth_api.conf.erb
diff --git a/templates/intercept_form_submit.conf.erb b/templates/intercept_form_submit.conf.erb
diff --git a/templates/lookup_identity.conf.erb b/templates/lookup_identity.conf.erb