Allow GSSAPI for lookaside

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
2016-10-14 20:35:59 +00:00 · 2016-10-14 20:35:59 +00:00 · 6fad69aca7
commit 6fad69aca7
parent b276b02103
3 changed files with 32 additions and 13 deletions
--- a/roles/distgit/files/dist-git-upload.cgi
+++ b/roles/distgit/files/dist-git-upload.cgi
@ -100,6 +100,9 @@ def main():
    os.umask(002)

    username = os.environ.get('SSL_CLIENT_S_DN_CN', None)
+    gssname = os.environ.get('GSS_NAME', None)
+    if gssname and '@' in gssname and not username:
+        username = gssname.partition('@')[0]
    if not check_auth(username):
        send_error('You must connect with a valid certificate and be in the '
                   '%s group to upload.' % PACKAGER_GROUP,
--- a/roles/distgit/tasks/main.yml
+++ b/roles/distgit/tasks/main.yml
@ -29,6 +29,15 @@
  notify:
  - reload httpd

+- name: install the keytab
+  copy: src="{{ private }}/files/keytabs/{{env}}/pkgs"
+        dest=/etc/httpd.keytab
+        owner=apache
+        group=apache
+        mode=0600
+  notify:
+  - reload httpd
+
 - name: allow httpd to access the files on NFS
  seboolean: name=httpd_use_nfs state=yes persistent=yes

--- a/roles/distgit/templates/lookaside-upload.conf
+++ b/roles/distgit/templates/lookaside-upload.conf
@ -43,12 +43,6 @@ SSLCryptoDevice builtin
       SSLVerifyClient optional
       SSLVerifyDepth 1
       SSLOptions +StrictRequire +StdEnvVars +OptRenegotiate
-        # require that the client auth cert was created by us and signed by us
-       SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
-                  and %{SSL_CLIENT_S_DN_O} eq "Fedora Project" \
-                  and %{SSL_CLIENT_S_DN_OU} eq "Fedora User Cert" \
-                  and %{SSL_CLIENT_I_DN_O} eq "Fedora Project" \
-                  and %{SSL_CLIENT_I_DN_OU} eq "Fedora Project CA" )
   </Directory>

   <Location /repo/pkgs/upload.cgi>
@ -60,13 +54,26 @@ SSLCryptoDevice builtin
       SSLVerifyClient optional
       SSLVerifyDepth 1
       SSLOptions +StrictRequire +StdEnvVars +OptRenegotiate
-       # require that the access comes from internal or that
-       # the client auth cert was created by us and signed by us
-       SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
-                  and %{SSL_CLIENT_S_DN_O} eq "Fedora Project" \
-                  and %{SSL_CLIENT_S_DN_OU} eq "Fedora User Cert" \
-                  and %{SSL_CLIENT_I_DN_O} eq "Fedora Project" \
-                  and %{SSL_CLIENT_I_DN_OU} eq "Fedora Project CA" )
+
+       AuthType GSSAPI
+       GssapiSSLonly On
+       AuthName "GSSAPI Single Sign On Login"
+       GssapiCredStore keytab:/etc/httpd.keytab
+
+       SetEnvIfExpr "%{SSL_CLIENT_S_DN_O} == 'Fedora Project'" cert_s_o_valid
+       SetEnvIfExpr "%{SSL_CLIENT_S_DN_OU} == 'Fedora User Cert'" cert_s_ou_valid
+       SetEnvIfExpr "%{SSL_CLIENT_I_DN_O} == 'Fedora Project'" cert_i_o_valid
+       SetEnvIfExpr "%{SSL_CLIENT_I_DN_OU} == 'Fedora Project CA'" cert_i_ou_valid
+
+       <RequireAny>
+           <RequireAll>
+               Require env cert_s_o_valid
+               Require env cert_s_ou_valid
+               Require env cert_i_o_valid
+               Require env cert_i_ou_valid
+           </RequireAll>
+           Require valid-user
+       </RequireAny>
    </Location>

 </VirtualHost>