From d15e182de8a09cf47dd4d2f2dcec39cf274d739f Mon Sep 17 00:00:00 2001
From: Patrick Uiterwijk
Date: Wed, 23 Nov 2016 21:33:01 +0000
Subject: [PATCH] Cert auth to staging koji is now history
Signed-off-by: Patrick Uiterwijk
---
roles/koji_hub/templates/kojihub.conf.j2 | 45 ++++++++++++------------
1 file changed, 22 insertions(+), 23 deletions(-)
diff --git a/roles/koji_hub/templates/kojihub.conf.j2 b/roles/koji_hub/templates/kojihub.conf.j2
index d88b69733c..4a512b9cba 100644
--- a/roles/koji_hub/templates/kojihub.conf.j2
+++ b/roles/koji_hub/templates/kojihub.conf.j2
@@ -24,39 +24,38 @@ Alias /kojifiles "/mnt/koji/" {% endif %} +{% if env == "production" %} SSLVerifyClient optional +{% endif %} {% if env == "production" %} SSLVerifyClient require SSLVerifyDepth 10 SSLOptions +StdEnvVars -{% else %} - SSLVerifyClient optional - SSLVerifyDepth 1 - SSLOptions +StrictRequire +StdEnvVars +OptRenegotiate - - AuthType GSSAPI - GssapiSSLonly On - GssapiLocalName On - AuthName "GSSAPI Single Sign On Login" - GssapiCredStore keytab:/etc/koji-hub-http.keytab # This complicated ACL stuff is to support both SSL and kerb auth at the same time # To be killed on December 12th, 2016, after which "Require valid-user" remains - SetEnvIfExpr "%{SSL_CLIENT_S_DN_O} == 'Fedora Project'" cert_s_o_valid - SetEnvIfExpr "%{SSL_CLIENT_S_DN_OU} == 'Fedora User Cert'" cert_s_ou_valid - SetEnvIfExpr "%{SSL_CLIENT_I_DN_O} == 'Fedora Project'" cert_i_o_valid - SetEnvIfExpr "%{SSL_CLIENT_I_DN_OU} == 'Fedora Project CA'" cert_i_ou_valid + #SetEnvIfExpr "%{SSL_CLIENT_S_DN_O} == 'Fedora Project'" cert_s_o_valid + #SetEnvIfExpr "%{SSL_CLIENT_S_DN_OU} == 'Fedora User Cert'" cert_s_ou_valid + #SetEnvIfExpr "%{SSL_CLIENT_I_DN_O} == 'Fedora Project'" cert_i_o_valid + #SetEnvIfExpr "%{SSL_CLIENT_I_DN_OU} == 'Fedora Project CA'" cert_i_ou_valid + # + # + # Require env cert_s_o_valid + # Require env cert_s_ou_valid + # Require env cert_i_o_valid + # Require env cert_i_ou_valid + # + # Require valid-user + # - - - Require env cert_s_o_valid - Require env cert_s_ou_valid - Require env cert_i_o_valid - Require env cert_i_ou_valid - - Require valid-user - +{% else %} + AuthType GSSAPI + GssapiSSLonly On + GssapiLocalName On + AuthName "GSSAPI Single Sign On Login" + GssapiCredStore keytab:/etc/koji-hub-http.keytab + Require valid-user {% endif %}
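Review bot: The production branch now ends in a run of commented-out `SetEnvIfExpr` / `Require env` lines under a comment that still says the ACL is there "to support both SSL and kerb auth at the same time". The only live directives visible on that branch are `SSLVerifyClient require`, `SSLVerifyDepth 10` and `SSLOptions +StdEnvVars`, so the comment no longer describes anything that runs. Disabled access rules left in an authentication block are easy to misread as being in effect during a later audit or incident. I would delete the commented lines and replace the two-line comment with one that states what is live, for example `# Production: client-certificate auth only until the December 12th, 2016 cutover; every other env gets GSSAPI with Require valid-user`. The enclosing container tags do not appear in the hunk text as shown here, so which block each directive sits in is inferred from the order of the lines.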