htdigest module feature request #23545

Closed
smacz42 opened this issue Apr 12, 2017 · 2 comments
Labels
affects_2.2 This issue/PR affects Ansible v2.2 feature This issue/PR relates to a feature request. support:core This issue/PR relates to code supported by the Ansible Engineering Team.

smacz42 commented Apr 12, 2017

ISSUE TYPE
  • Feature Request
COMPONENT NAME

htdigest

ANSIBLE VERSION
ansible 2.2.1.0
  config file = /etc/ansible/ansible.cfg
  configured module search path = Default w/o overrides
OS / ENVIRONMENT

Control: Arch Linux
Remote: CentOS 7

SUMMARY

When setting up an Apache (httpd) Digest authentication service, the client is unable to connect and is returned a 500 error. The logs state:

[<date>] [auth_digest:error] [pid <httpd-pid>] [client <ip-addr>:<port>] AH01780: need AuthName: /gitlist/ansible-role-common/info/refs
[<date>] [auth_digest:error] [pid <httpd-pid>] [client <ip-addr>:<port>] AH01780: need AuthName: /gitlist/ansible-role-common/info/refs

HOW THE FEATURE WOULD BE USED

gitlist_htdigest:
    - { name: test, password: hqq3Dw2UXEd9, realm: 'git repo' }
    - { name: test, password: 2n66nboz72Ha, realm: 'git repo'}

- name: (gitlist_config) [3/5] Template htpasswd is deployed
  htdigest:
    create: yes
    crypt_scheme: sha256_crypt
    name: "{{ item.name }}"
    password: "{{ item.password }}"
    realm: "{{ item.realm }}"
    path: /srv/.htpasswd
    state: present
    owner: apache
    group: apache
    mode: "0640"
  with_items: "{{ gitlist_htdigest }}"

Apache 2.4 config

SetEnv GIT_PROJECT_ROOT /srv/repos
SetEnv GIT_HTTP_EXPORT_ALL
SetEnv REMOTE_USER=$REDIRECT_REMOTE_USER
<If "%{QUERY_STRING} == 'service=git-receive-pack' || %{REQUEST_URI} == '/git-receive-pack$'" >
    AuthType Digest
    AuthUserFile /srv/.htdigest
    Require valid-user
</If>

EXPECTED RESULTS

There should be a field for AuthName, as it is apparently required by Apache's AuthType system:

To implement authentication, you must also use the AuthName and Require directives.
--Apache Core Features - AuthType Directive

At least it is required for AuthType Digest.

UPSTREAM

The same library that is used for htpasswd can be used for this proposed htdigest, just using HtdigestFile instead of HtpasswdFile.

smacz42 commented Apr 12, 2017

Temporary work-around is to create a template and apply filters - but it only works for md5 for the time being.

tasks/main.yml

- name: (gitlist_config) [3/5] Template htdigest is deployed
  template:
    src: ../templates/htdigest.j2
    dest: /srv/.htdigest
    owner: apache
    group: apache
    mode: 0400

files/httpd.conf

[...]
<If "%{QUERY_STRING} == 'service=git-receive-pack' || %{REQUEST_URI} == '/git-receive-pack$'" >
    AuthType Digest
    AuthName "git"
    AuthUserFile /srv/.htdigest
    Require valid-user
</If>
[...]

htdigest.j2

{% for user in gitlist_htdigest %}
{{ user.name }}:{{ user.realm }}:{{ user.password }}
{% endfor %}

defaults/main.yml

vault_gitlist_htdigest:
    - name: smacz
      realm: git
      password: "{{ 'smacz:git:hqq3Dw2UXEd9'|hash('md5') }}"
    - name: test
      realm: git
      password: "{{ 'test:git:2n66nboz72Ha'|hash('md5') }}"
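
The template workaround above writes `user:realm:MD5(user:realm:password)` lines, and mod_auth_digest only finds an entry whose realm equals the `AuthName` value. The following is an added example, not part of the original issue or of Ansible: it builds such lines with the standard library, parses a file, and lists users whose realm would never match. The function names and passwords are constructed for illustration.

```python
import hashlib
import hmac


def htdigest_line(user, realm, password):
    """Build one entry: user:realm:MD5("user:realm:password") in hex."""
    for field in (user, realm):
        if ":" in field or "\n" in field:
            raise ValueError("user and realm must not contain ':' or newlines")
    ha1 = hashlib.md5(f"{user}:{realm}:{password}".encode("utf-8")).hexdigest()
    return f"{user}:{realm}:{ha1}"


def parse_htdigest(text):
    """Map (user, realm) -> hex digest, rejecting malformed lines."""
    entries = {}
    for number, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) != 3 or len(parts[2]) != 32:
            raise ValueError(f"line {number}: expected user:realm:md5hex")
        entries[(parts[0], parts[1])] = parts[2].lower()
    return entries


def check_password(entries, user, realm, password):
    """True only if the (user, realm) pair exists and the digest matches."""
    stored = entries.get((user, realm))
    if stored is None:
        return False
    candidate = htdigest_line(user, realm, password).rsplit(":", 1)[1]
    return hmac.compare_digest(stored, candidate)


def users_outside_realm(entries, auth_name):
    """Users whose realm differs from the AuthName value in httpd.conf."""
    return sorted(user for (user, realm) in entries if realm != auth_name)


# Constructed sample: one entry uses the realm from the original request
# ('git repo'), the other the realm that matches AuthName "git".
SAMPLE_HTDIGEST = "\n".join([
    htdigest_line("smacz", "git repo", "constructed-pass-1"),
    htdigest_line("test", "git", "constructed-pass-2"),
]) + "\n"

if __name__ == "__main__":
    entries = parse_htdigest(SAMPLE_HTDIGEST)
    print(users_outside_realm(entries, "git"))
    print(check_password(entries, "test", "git", "constructed-pass-2"))
```

Because the realm is part of the hashed string, changing `AuthName` later invalidates every stored digest, so the file has to be regenerated from the plaintext passwords.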

@ansibot ansibot added affects_2.2 This issue/PR affects Ansible v2.2 feature_idea needs_triage Needs a first human triage before being processed. labels Apr 13, 2017
@nitzmahone nitzmahone removed the needs_triage Needs a first human triage before being processed. label Apr 13, 2017
@ansibot ansibot added the support:core This issue/PR relates to code supported by the Ansible Engineering Team. label Jun 29, 2017
@ansibot ansibot added feature This issue/PR relates to a feature request. and removed feature_idea labels Mar 2, 2018
samdoran commented Aug 2, 2019

Closing per above solution to use template.

@samdoran samdoran closed this as completed Aug 2, 2019
@ansible ansible locked and limited conversation to collaborators Aug 30, 2019