never set REMOTE_USER to the value of SSL_CLIENT_S_DN_CN

We only deploy a single user in Pulp: admin And we do not give out certs with CN=admin, so there is no point in trying to obtain the REMOTE_USER from the CN.
theforeman · Oct 8, 2024 · 1b4215e · 1b4215e
1 parent 83d5f44
commit 1b4215e
Show file tree

Hide file tree

Showing 3 changed files with 1 addition and 11 deletions.
diff --git a/manifests/apache.pp b/manifests/apache.pp
@@ -50,7 +50,6 @@
   $api_default_request_headers = [
     "unset ${remote_user_environ_header}",
     "unset ${remote_user_environ_header_underscore}",
-    "set ${remote_user_environ_header} \"%{SSL_CLIENT_S_DN_CN}s\" env=SSL_CLIENT_S_DN_CN",
   ]
 
   $api_additional_request_headers = $pulpcore::api_client_auth_cn_map.map |String $cn, String $pulp_user| {

diff --git a/manifests/plugin/container.pp b/manifests/plugin/container.pp
@@ -9,12 +9,6 @@
   String $location_prefix = '/pulpcore_registry',
   String $registry_version_path = '/v2/',
 ) {
-  # This is like pulpcore::apache's value, but slightly different
-  $api_default_request_headers = [
-    "unset ${pulpcore::apache::remote_user_environ_header}",
-    "unset ${pulpcore::apache::remote_user_environ_header_underscore}",
-  ]
-
   $context = {
     'directories' => [
       {
@@ -25,7 +19,7 @@
             'url' => "${pulpcore::apache::api_base_url}${registry_version_path}",
           },
         ],
-        'request_headers' => $api_default_request_headers + $pulpcore::apache::api_additional_request_headers,
+        'request_headers' => $pulpcore::apache::api_default_request_headers + $pulpcore::apache::api_additional_request_headers,
       },
     ],
     'proxy_pass'  => [

diff --git a/spec/classes/pulpcore_spec.rb b/spec/classes/pulpcore_spec.rb
@@ -133,7 +133,6 @@
                 'request_headers' => [
                   'unset REMOTE-USER',
                   'unset REMOTE_USER',
-                  'set REMOTE-USER "%{SSL_CLIENT_S_DN_CN}s" env=SSL_CLIENT_S_DN_CN',
                 ],
               }
             ])
@@ -359,7 +358,6 @@
   <Location "/pulp/api/v3">
     RequestHeader unset REMOTE-USER
     RequestHeader unset REMOTE_USER
-    RequestHeader set REMOTE-USER "%{SSL_CLIENT_S_DN_CN}s" env=SSL_CLIENT_S_DN_CN
     ProxyPass unix:///run/pulpcore-api.sock|http://pulpcore-api/pulp/api/v3 timeout=600
     ProxyPassReverse unix:///run/pulpcore-api.sock|http://pulpcore-api/pulp/api/v3
   </Location>
@@ -524,7 +522,6 @@
                 'request_headers' => [
                   'unset REMOTE-USER',
                   'unset REMOTE_USER',
-                  'set REMOTE-USER "%{SSL_CLIENT_S_DN_CN}s" env=SSL_CLIENT_S_DN_CN',
                   'set REMOTE-USER "admin" "expr=%{SSL_CLIENT_S_DN_CN} == \'foreman.example.com\'"',
                 ],
               }