From 25262baeaaeafde516b6b83ddfa8f6c17f8b8bed Mon Sep 17 00:00:00 2001 From: Ewoud Kohl van Wijngaarden Date: Thu, 25 Jul 2024 12:15:00 +0200 Subject: [PATCH 1/2] Convert Apache IPA authentication template to EPP This moves the IPA authentication from 4 separate ERB files to a single EPP file. This gives better guarantees because of data types. It's also easier to maintain a single file that gives the complete overview of the feature. It's moved to foreman::config::apache together with the inclusion of required modules. This does make the http_keytab variable a bit uglier. --- manifests/config.pp | 20 +------ manifests/config/apache.pp | 14 +++++ templates/apache_ipa_authentication.epp | 69 ++++++++++++++++++++++++ templates/auth_gssapi.conf.erb | 14 ----- templates/external_auth_api.conf.erb | 28 ---------- templates/intercept_form_submit.conf.erb | 7 --- templates/lookup_identity.conf.erb | 15 ------ 7 files changed, 84 insertions(+), 83 deletions(-) create mode 100644 templates/apache_ipa_authentication.epp delete mode 100644 templates/auth_gssapi.conf.erb delete mode 100644 templates/external_auth_api.conf.erb delete mode 100644 templates/intercept_form_submit.conf.erb delete mode 100644 templates/lookup_identity.conf.erb diff --git a/manifests/config.pp b/manifests/config.pp index 5007126f7..9c8849cee 100644 --- a/manifests/config.pp +++ b/manifests/config.pp @@ -207,7 +207,7 @@ content => template('foreman/pam_service.erb'), } - $http_keytab = pick($foreman::http_keytab, "${apache::conf_dir}/http.keytab") + $http_keytab = $foreman::config::apache::http_keytab exec { 'ipa-getkeytab': command => "/bin/echo Get keytab \ 
@@ -222,24 +222,6 @@ mode => '0600', } - $gssapi_local_name = bool2str($foreman::gssapi_local_name, 'On', 'Off') - - foreman::config::apache::fragment { 'intercept_form_submit': - ssl_content => template('foreman/intercept_form_submit.conf.erb'), - } - - foreman::config::apache::fragment { 'lookup_identity': - ssl_content => template('foreman/lookup_identity.conf.erb'), - } - - foreman::config::apache::fragment { 'auth_gssapi': - ssl_content => template('foreman/auth_gssapi.conf.erb'), - } - - foreman::config::apache::fragment { 'external_auth_api': - ssl_content => template('foreman/external_auth_api.conf.erb'), - } - if $foreman::ipa_manage_sssd { $sssd = pick(fact('foreman_sssd'), {}) $sssd_services = join(unique(pick($sssd['services'], []) + ['ifp']), ', ') diff --git a/manifests/config/apache.pp b/manifests/config/apache.pp index 56f5059bc..ad07a7d72 100644 --- a/manifests/config/apache.pp +++ b/manifests/config/apache.pp @@ -238,6 +238,20 @@ include apache::mod::intercept_form_submit include apache::mod::lookup_identity include apache::mod::auth_gssapi + + # This is also used in manifests::config + $http_keytab = pick($foreman::http_keytab, "${apache::conf_dir}/http.keytab") + + $external_auth_context = { + 'pam_service' => $foreman::pam_service, + 'keytab' => $foreman::http_keytab, + 'gssapi_local_name' => $foreman::gssapi_local_name, + 'ipa_authentication_api' => $foreman::ipa_authentication_api, + } + + foreman::config::apache::fragment { 'intercept_form_submit': + ssl_content => epp('foreman/apache_ipa_authentication.epp', $external_auth_context), + } } elsif $keycloak { include apache::mod::auth_openidc diff --git a/templates/apache_ipa_authentication.epp b/templates/apache_ipa_authentication.epp new file mode 100644 index 000000000..30b845527 --- /dev/null +++ b/templates/apache_ipa_authentication.epp 
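Review bot: In the manifests/config/apache.pp hunk, `'keytab' => $foreman::http_keytab,` inside `$external_auth_context` bypasses the `pick()` default assigned to `$http_keytab` on the line just above, so with `$foreman::http_keytab` left unset the template is handed undef for a parameter it declares as `Stdlib::Absolutepath $keytab`, and when it is set the two values are identical anyway; it should read `'keytab' => $http_keytab,`. That also keeps the path Apache opens via `GssapiCredStore` the same as the one the `ipa-getkeytab` exec in foreman::config writes to, since that exec now resolves the same variable through `$foreman::config::apache::http_keytab`. That cross-class read presumably requires `foreman::config::apache` to be evaluated before `foreman::config`; unless something outside this patch guarantees that ordering, it would be worth stating on the assignment, and the `# This is also used in manifests::config` comment would be clearer as `# Also read by foreman::config, which passes this path to ipa-getkeytab`.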
@@ -0,0 +1,69 @@ +<%| + String[1] $pam_service, + Stdlib::Absolutepath $keytab, + Boolean $gssapi_local_name, + Boolean $ipa_authentication_api, +-%> + + + InterceptFormPAMService <%= $pam_service %> + InterceptFormLogin login[login] + InterceptFormPassword login[password] + + + + LookupUserAttr email REMOTE_USER_EMAIL + LookupUserAttr firstname REMOTE_USER_FIRSTNAME + LookupUserAttr lastname REMOTE_USER_LASTNAME + LookupUserGroups REMOTE_USER_GROUPS : + LookupUserGroupsIter REMOTE_USER_GROUP + + # Set headers for proxy requests + RequestHeader set REMOTE_USER %{REMOTE_USER}e + RequestHeader set REMOTE_USER_EMAIL %{REMOTE_USER_EMAIL}e + RequestHeader set REMOTE_USER_FIRSTNAME %{REMOTE_USER_FIRSTNAME}e + RequestHeader set REMOTE_USER_LASTNAME %{REMOTE_USER_LASTNAME}e + RequestHeader set REMOTE_USER_GROUPS %{REMOTE_USER_GROUPS}e + + + + SSLRequireSSL + AuthType GSSAPI + AuthName "GSSAPI Single Sign On Login" + GssapiCredStore keytab:<%= $keytab %> + GssapiSSLonly On + GssapiLocalName <%= $gssapi_local_name %> + # require valid-user + require pam-account <%= $pam_service %> + ErrorDocument 401 'Kerberos authentication did not pass.' + # The following is needed as a workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1020087 + ErrorDocument 500 'Kerberos authentication did not pass.' + + + + SSLRequireSSL + <% if $ipa_authentication_api -%> + + AuthType Basic + AuthName "PAM Authentication" + AuthBasicProvider PAM + AuthPAMService <%= $pam_service %> + + + AuthType GSSAPI + AuthName "GSSAPI Single Sign On Login" + GssapiCredStore keytab:<%= $keytab %> + GssapiSSLonly On + GssapiLocalName <%= apache::bool2httpd($gssapi_local_name) %> + + <% else -%> + AuthType Basic + AuthName "PAM Authentication" + AuthBasicProvider PAM + AuthPAMService <%= $pam_service %> + <% end -%> + require pam-account <%= $pam_service %> + ErrorDocument 401 '{ "error": "External authentication did not pass." 
}' + # The following is needed as a workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1020087 + ErrorDocument 500 '{ "error": "External authentication did not pass." }' + diff --git a/templates/auth_gssapi.conf.erb b/templates/auth_gssapi.conf.erb deleted file mode 100644 index 790d57ef0..000000000 --- a/templates/auth_gssapi.conf.erb +++ /dev/null @@ -1,14 +0,0 @@ - - - SSLRequireSSL - AuthType GSSAPI - AuthName "GSSAPI Single Sign On Login" - GssapiCredStore keytab:<%= @http_keytab %> - GssapiSSLonly On - GssapiLocalName <%= @gssapi_local_name %> - # require valid-user - require pam-account <%= scope.lookupvar('foreman::pam_service') %> - ErrorDocument 401 'Kerberos authentication did not pass.' - # The following is needed as a workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1020087 - ErrorDocument 500 'Kerberos authentication did not pass.' - diff --git a/templates/external_auth_api.conf.erb b/templates/external_auth_api.conf.erb deleted file mode 100644 index 3b73b8315..000000000 --- a/templates/external_auth_api.conf.erb +++ /dev/null @@ -1,28 +0,0 @@ - - - SSLRequireSSL - <% if scope.lookupvar('foreman::ipa_authentication_api') %> - - AuthType Basic - AuthName "PAM Authentication" - AuthBasicProvider PAM - AuthPAMService <%= scope.lookupvar('foreman::pam_service') %> - - - AuthType GSSAPI - AuthName "GSSAPI Single Sign On Login" - GssapiCredStore keytab:<%= @http_keytab %> - GssapiSSLonly On - GssapiLocalName <%= @gssapi_local_name %> - - <% else %> - AuthType Basic - AuthName "PAM Authentication" - AuthBasicProvider PAM - AuthPAMService <%= scope.lookupvar('foreman::pam_service') %> - <% end %> - require pam-account <%= scope.lookupvar('foreman::pam_service') %> - ErrorDocument 401 '{ "error": "External authentication did not pass." }' - # The following is needed as a workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1020087 - ErrorDocument 500 '{ "error": "External authentication did not pass." }' - 
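Review bot: In the GSSAPI login block of templates/apache_ipa_authentication.epp, `GssapiLocalName <%= $gssapi_local_name %>` interpolates a Boolean, which EPP renders as `true`/`false`, whereas the removed ERB path first converted it with `bool2str($foreman::gssapi_local_name, 'On', 'Off')` and the API block further down this same file already writes `GssapiLocalName <%= apache::bool2httpd($gssapi_local_name) %>`. Apache flag directives presumably accept only On/Off, so the rendered vhost would likely fail httpd's config check rather than be applied with a different meaning, but either way the two occurrences should agree. Change the first one to `GssapiLocalName <%= apache::bool2httpd($gssapi_local_name) %>`.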
diff --git a/templates/intercept_form_submit.conf.erb b/templates/intercept_form_submit.conf.erb deleted file mode 100644 index a540c83d5..000000000 --- a/templates/intercept_form_submit.conf.erb +++ /dev/null @@ -1,7 +0,0 @@ - - - InterceptFormPAMService <%= scope.lookupvar('::foreman::pam_service') %> - InterceptFormLogin login[login] - InterceptFormPassword login[password] - - diff --git a/templates/lookup_identity.conf.erb b/templates/lookup_identity.conf.erb deleted file mode 100644 index d0abf34e7..000000000 --- a/templates/lookup_identity.conf.erb +++ /dev/null @@ -1,15 +0,0 @@ - - - LookupUserAttr email REMOTE_USER_EMAIL - LookupUserAttr firstname REMOTE_USER_FIRSTNAME - LookupUserAttr lastname REMOTE_USER_LASTNAME - LookupUserGroups REMOTE_USER_GROUPS : - LookupUserGroupsIter REMOTE_USER_GROUP - - # Set headers for proxy requests - RequestHeader set REMOTE_USER %{REMOTE_USER}e - RequestHeader set REMOTE_USER_EMAIL %{REMOTE_USER_EMAIL}e - RequestHeader set REMOTE_USER_FIRSTNAME %{REMOTE_USER_FIRSTNAME}e - RequestHeader set REMOTE_USER_LASTNAME %{REMOTE_USER_LASTNAME}e - RequestHeader set REMOTE_USER_GROUPS %{REMOTE_USER_GROUPS}e - From f7eb19f2dc1e5b37773c2617a03b2dde9a3c5ff9 Mon Sep 17 00:00:00 2001 From: Ewoud Kohl van Wijngaarden Date: Thu, 25 Jul 2024 12:21:07 +0200 Subject: [PATCH 2/2] Move sssd service definition to avoid duplication The ipa_manage_sssd block already existed and now the service lives together with the config file management. --- manifests/config.pp | 14 ++++++-------- templates/apache_ipa_authentication.epp | 8 ++++---- 2 files changed, 10 insertions(+), 12 deletions(-) diff --git a/manifests/config.pp b/manifests/config.pp index 9c8849cee..bce395188 100644 --- a/manifests/config.pp +++ b/manifests/config.pp 
@@ -191,14 +191,6 @@ } } - if $foreman::ipa_manage_sssd { - service { 'sssd': - ensure => running, - enable => true, - require => Package['sssd-dbus'], - } - } - file { "/etc/pam.d/${foreman::pam_service}": ensure => file, owner => root, @@ -246,6 +238,12 @@ changes => $sssd_changes, notify => Service['sssd'], } + + service { 'sssd': + ensure => running, + enable => true, + require => Package['sssd-dbus'], + } } foreman::settings_fragment { 'authorize_login_delegation.yaml': diff --git a/templates/apache_ipa_authentication.epp b/templates/apache_ipa_authentication.epp index 30b845527..131893314 100644 --- a/templates/apache_ipa_authentication.epp +++ b/templates/apache_ipa_authentication.epp @@ -3,7 +3,7 @@ Stdlib::Absolutepath $keytab, Boolean $gssapi_local_name, Boolean $ipa_authentication_api, --%> +|-%> InterceptFormPAMService <%= $pam_service %> @@ -42,7 +42,7 @@ SSLRequireSSL - <% if $ipa_authentication_api -%> + <% if $ipa_authentication_api { -%> AuthType Basic AuthName "PAM Authentication" @@ -56,12 +56,12 @@ GssapiSSLonly On GssapiLocalName <%= apache::bool2httpd($gssapi_local_name) %> - <% else -%> + <% } else { -%> AuthType Basic AuthName "PAM Authentication" AuthBasicProvider PAM AuthPAMService <%= $pam_service %> - <% end -%> + <% } -%> require pam-account <%= $pam_service %> ErrorDocument 401 '{ "error": "External authentication did not pass." }' # The following is needed as a workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1020087