From 6fad69aca70495dd3baf5dde559be8bf3924b2cc Mon Sep 17 00:00:00 2001
From: Patrick Uiterwijk
Date: Fri, 14 Oct 2016 20:35:59 +0000
Subject: [PATCH] Allow GSSAPI for lookaside

Signed-off-by: Patrick Uiterwijk
---
 roles/distgit/files/dist-git-upload.cgi       |  3 ++
 roles/distgit/tasks/main.yml                  |  9 +++++
 roles/distgit/templates/lookaside-upload.conf | 33 +++++++++++--------
 3 files changed, 32 insertions(+), 13 deletions(-)

diff --git a/roles/distgit/files/dist-git-upload.cgi b/roles/distgit/files/dist-git-upload.cgi
index 2b000a6ec3..7f7ba315a2 100644
--- a/roles/distgit/files/dist-git-upload.cgi
+++ b/roles/distgit/files/dist-git-upload.cgi
@@ -100,6 +100,9 @@ def main():
     os.umask(002)
 
     username = os.environ.get('SSL_CLIENT_S_DN_CN', None)
+    gssname = os.environ.get('GSS_NAME', None)
+    if gssname and '@' in gssname and not username:
+        username = gssname.partition('@')[0]
     if not check_auth(username):
         send_error('You must connect with a valid certificate and be in the '
                    '%s group to upload.' % PACKAGER_GROUP,
diff --git a/roles/distgit/tasks/main.yml b/roles/distgit/tasks/main.yml
index dd9ca73699..66824b3aea 100644
--- a/roles/distgit/tasks/main.yml
+++ b/roles/distgit/tasks/main.yml
@@ -29,6 +29,15 @@
   notify:
   - reload httpd
 
+- name: install the keytab
+  copy: src="{{ private }}/files/keytabs/{{env}}/pkgs"
+        dest=/etc/httpd.keytab
+        owner=apache
+        group=apache
+        mode=0600
+  notify:
+  - reload httpd
+
 - name: allow httpd to access the files on NFS
   seboolean: name=httpd_use_nfs state=yes persistent=yes
 
diff --git a/roles/distgit/templates/lookaside-upload.conf b/roles/distgit/templates/lookaside-upload.conf
index 8c812b4ec2..0f385cf757 100644
--- a/roles/distgit/templates/lookaside-upload.conf
+++ b/roles/distgit/templates/lookaside-upload.conf
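Review bot: The GSSAPI branch derives the local username by cutting the principal at its first `@` without checking that the realm is the one this service trusts, so a principal from any other realm that reaches mod_auth_gssapi (for example through a cross-realm trust) with the same short name is mapped onto that local account; whether `check_auth` would still reject it depends on code outside the hunk. The safer form keeps the realm and compares it: `user, _, realm = gssname.partition('@')` then `if not username and realm == EXPECTED_REALM:` (EXPECTED_REALM is a placeholder for the realm the deployed keytab belongs to) and `username = user`. The `send_error` text two lines below still tells the client that only a valid certificate is accepted, which is no longer accurate now that a GSSAPI login also reaches `check_auth`. The body of `main()` continues outside the hunk.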
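Review bot: The destination `/etc/httpd.keytab` is hard-coded in this task and repeated verbatim in the `GssapiCredStore` line of roles/distgit/templates/lookaside-upload.conf in the same commit, so moving either copy silently breaks authentication; define the path once as a role variable (say a new `distgit_keytab` var) and use `dest={{ distgit_keytab }}` here and in the template. The `{{env}}` expression in `src` is also spaced differently from `{{ private }}` in the same value. Mode 0600 owned by apache is the minimum the httpd workers need, but it also means anything else running as apache, including the upload CGI, can read the service key; a comment on the task such as `# httpd workers run as apache, so the service key is readable by every process under that user` would make the trade-off explicit for the next maintainer.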
@@ -43,12 +43,6 @@ SSLCryptoDevice builtin SSLVerifyClient optional SSLVerifyDepth 1 SSLOptions +StrictRequire +StdEnvVars +OptRenegotiate - # require that the client auth cert was created by us and signed by us - SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \ - and %{SSL_CLIENT_S_DN_O} eq "Fedora Project" \ - and %{SSL_CLIENT_S_DN_OU} eq "Fedora User Cert" \ - and %{SSL_CLIENT_I_DN_O} eq "Fedora Project" \ - and %{SSL_CLIENT_I_DN_OU} eq "Fedora Project CA" ) @@ -60,13 +54,26 @@ SSLCryptoDevice builtin SSLVerifyClient optional SSLVerifyDepth 1 SSLOptions +StrictRequire +StdEnvVars +OptRenegotiate - # require that the access comes from internal or that - # the client auth cert was created by us and signed by us - SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \ - and %{SSL_CLIENT_S_DN_O} eq "Fedora Project" \ - and %{SSL_CLIENT_S_DN_OU} eq "Fedora User Cert" \ - and %{SSL_CLIENT_I_DN_O} eq "Fedora Project" \ - and %{SSL_CLIENT_I_DN_OU} eq "Fedora Project CA" ) + + AuthType GSSAPI + GssapiSSLonly On + AuthName "GSSAPI Single Sign On Login" + GssapiCredStore keytab:/etc/httpd.keytab + + SetEnvIfExpr "%{SSL_CLIENT_S_DN_O} == 'Fedora Project'" cert_s_o_valid + SetEnvIfExpr "%{SSL_CLIENT_S_DN_OU} == 'Fedora User Cert'" cert_s_ou_valid + SetEnvIfExpr "%{SSL_CLIENT_I_DN_O} == 'Fedora Project'" cert_i_o_valid + SetEnvIfExpr "%{SSL_CLIENT_I_DN_OU} == 'Fedora Project CA'" cert_i_ou_valid + + + + Require env cert_s_o_valid + Require env cert_s_ou_valid + Require env cert_i_o_valid + Require env cert_i_ou_valid + + Require valid-user +
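Review bot: The removed `SSLRequire` also rejected `EXP` and `NULL` ciphers via `%{SSL_CIPHER} !~ m/^(EXP|NULL)/`, and none of the new `SetEnvIfExpr`/`Require env` lines carries that condition over, so the certificate path now relies solely on an `SSLCipherSuite` directive that is not visible in this hunk. If that directive does not already exclude them, add `SetEnvIfExpr "%{SSL_CIPHER} !~ /^(EXP|NULL)/" cipher_ok` next to the other SetEnvIfExpr lines and `Require env cipher_ok` alongside the four cert checks; the hunk at line 43 of this file drops the same check with no replacement in its own block. Several `+` lines in this hunk are empty as rendered here, presumably the `<RequireAny>`/`<RequireAll>` container tags lost in extraction, so the nesting of `Require valid-user` relative to the env checks could not be verified from the page. The enclosing Location/Directory block starts before the hunk and its closing tag is not visible.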