never set REMOTE_USER to the value of SSL_CLIENT_S_DN_CN

We only deploy a single user in Pulp: admin And we do not give out certs with CN=admin, so there is no point in trying to obtain the REMOTE_USER from the CN.
theforeman · Oct 8, 2024 · b2d793a · b2d793a
1 parent 83d5f44
commit b2d793a
Show file tree

Hide file tree

Showing 5 changed files with 4 additions and 12 deletions.
diff --git a/manifests/apache.pp b/manifests/apache.pp
@@ -50,7 +50,6 @@
   $api_default_request_headers = [
     "unset ${remote_user_environ_header}",
     "unset ${remote_user_environ_header_underscore}",
-    "set ${remote_user_environ_header} \"%{SSL_CLIENT_S_DN_CN}s\" env=SSL_CLIENT_S_DN_CN",
   ]
 
   $api_additional_request_headers = $pulpcore::api_client_auth_cn_map.map |String $cn, String $pulp_user| {

diff --git a/manifests/plugin/container.pp b/manifests/plugin/container.pp
@@ -9,12 +9,6 @@
   String $location_prefix = '/pulpcore_registry',
   String $registry_version_path = '/v2/',
 ) {
-  # This is like pulpcore::apache's value, but slightly different
-  $api_default_request_headers = [
-    "unset ${pulpcore::apache::remote_user_environ_header}",
-    "unset ${pulpcore::apache::remote_user_environ_header_underscore}",
-  ]
-
   $context = {
     'directories' => [
       {
@@ -25,7 +19,7 @@
             'url' => "${pulpcore::apache::api_base_url}${registry_version_path}",
           },
         ],
-        'request_headers' => $api_default_request_headers + $pulpcore::apache::api_additional_request_headers,
+        'request_headers' => $pulpcore::apache::api_default_request_headers + $pulpcore::apache::api_additional_request_headers,
       },
     ],
     'proxy_pass'  => [

diff --git a/spec/acceptance/hieradata/common.yaml b/spec/acceptance/hieradata/common.yaml
@@ -4,3 +4,5 @@ pulpcore::apache_https_cert: '/etc/pulpcore-certs/ca-cert.pem'
 pulpcore::apache_https_key: '/etc/pulpcore-certs/ca-key.pem'
 pulpcore::apache_https_ca: '/etc/pulpcore-certs/ca-cert.pem'
 pulpcore::database::always_run_migrations: false
+pulpcore::api_client_auth_cn_map:
+  "%{facts.networking.fqdn}": "admin"
diff --git a/spec/classes/pulpcore_spec.rb b/spec/classes/pulpcore_spec.rb
@@ -133,7 +133,6 @@
                 'request_headers' => [
                   'unset REMOTE-USER',
                   'unset REMOTE_USER',
-                  'set REMOTE-USER "%{SSL_CLIENT_S_DN_CN}s" env=SSL_CLIENT_S_DN_CN',
                 ],
               }
             ])
@@ -359,7 +358,6 @@
   <Location "/pulp/api/v3">
     RequestHeader unset REMOTE-USER
     RequestHeader unset REMOTE_USER
-    RequestHeader set REMOTE-USER "%{SSL_CLIENT_S_DN_CN}s" env=SSL_CLIENT_S_DN_CN
     ProxyPass unix:///run/pulpcore-api.sock|http://pulpcore-api/pulp/api/v3 timeout=600
     ProxyPassReverse unix:///run/pulpcore-api.sock|http://pulpcore-api/pulp/api/v3
   </Location>
@@ -524,7 +522,6 @@
                 'request_headers' => [
                   'unset REMOTE-USER',
                   'unset REMOTE_USER',
-                  'set REMOTE-USER "%{SSL_CLIENT_S_DN_CN}s" env=SSL_CLIENT_S_DN_CN',
                   'set REMOTE-USER "admin" "expr=%{SSL_CLIENT_S_DN_CN} == \'foreman.example.com\'"',
                 ],
               }

diff --git a/spec/setup_acceptance_node.pp b/spec/setup_acceptance_node.pp
@@ -34,7 +34,7 @@
   umask     => '0022',
 }
 -> exec { 'Generate CSR':
-  command   => "openssl req -nodes -new -newkey rsa:2048 -subj '/CN=admin' -out '${client_csr}' -keyout '${client_key}'",
+  command   => "openssl req -nodes -new -newkey rsa:2048 -subj '/CN=${facts['networking']['fqdn']}' -addext 'subjectAltName = DNS:${facts['networking']['fqdn']}' -out '${client_csr}' -keyout '${client_key}'",
   path      => ['/bin', '/usr/bin'],
   creates   => $client_csr,
   logoutput => 'on_failure',