copr: mod_auth_gssapi support for kerberos auth in Copr

2021-07-01 10:05:43 +02:00 · 2021-07-01 10:05:43 +02:00 · ffee619673
commit ffee619673
parent 688ff267e4
4 changed files with 29 additions and 0 deletions
--- a/inventory/group_vars/copr_front_aws
+++ b/inventory/group_vars/copr_front_aws
@ -30,3 +30,5 @@ copr_pagure_events:
 copr_messaging_queue: "a9b74258-21c6-4e79-ba65-9e858dc84a2b"

 copr_fe_homedir: /usr/share/copr/coprs_frontend
+
+copr_kerberos_auth_enabled: false
--- a/inventory/group_vars/copr_front_dev_aws
+++ b/inventory/group_vars/copr_front_dev_aws
@ -33,3 +33,5 @@ copr_pagure_events:
 copr_messaging_queue: "c8e11df7-e863-4ca4-99b9-d37c6663c7f7"

 copr_fe_homedir: /usr/share/copr/coprs_frontend
+
+copr_kerberos_auth_enabled: true
--- a/roles/copr/frontend/templates/copr.conf
+++ b/roles/copr/frontend/templates/copr.conf
@ -54,6 +54,16 @@ WTF_CSRF_ENABLED = True
 # send emails when user's perms change in project?
 SEND_EMAILS = True

+{% if copr_kerberos_auth_enabled %}
+KRB5_LOGIN = {
+    'FEDORAPROJECT': {
+        'URI': "fedoraproject",
+        'log_text': "krb5-login",
+        'email_domain': "fedoraproject.org",
+    }
+}
+{% endif %}
+
 PUBLIC_COPR_HOSTNAME = "{{ copr_frontend_public_hostname }}"

 # When running the website through apache,
@ -142,3 +152,8 @@ PAGURE_EVENTS = {
 # Increase build timeout to 48h
 # Requested by lantw44 for chromium
 MAX_BUILD_TIMEOUT = 172800
+{% if copr_kerberos_auth_enabled %}
+API_GSSAPI_AUTH = True
+{% else %}
+API_GSSAPI_AUTH = False
+{% endif %}
--- a/roles/copr/frontend/templates/httpd/coprs.conf
+++ b/roles/copr/frontend/templates/httpd/coprs.conf
@ -105,6 +105,16 @@ WSGIApplicationGroup %{GLOBAL}
        Require all granted
    </Directory>

+{% if copr_kerberos_auth_enabled %}
+    <LocationMatch /(krb5_login/fedoraproject|api_3/(build/(delete|create|cancel)|module|package/(add|edit|reset|build|delete)|project/permissions|project-chroot/edit|project/(add|edit|fork|delete)|webhook|auth-check))/*>
+        AuthType GSSAPI
+        AuthName "Fedoraproject GSSAPI/krb5 Credentials"
+        GssapiBasicAuthMech krb5
+        GssapiCredStore keytab:/etc/httpd/conf.d/copr-frontend-http-api.keytab
+        Require valid-user
+    </LocationMatch>
+{% endif %}
+
    RewriteEngine on
    RewriteRule ^/coprs/sgallagh/cockpit-preview/repo/(.*)/.*\.repo$ /coprs/g/cockpit/cockpit-preview/repo/$1/ [R=301]
    RewriteRule ^/coprs/sgallagh/cockpit-preview/(.*)$ /coprs/g/cockpit/cockpit-preview/$1 [R=301]