738762 - SSLVerifyClient for apache+thin

subscription-manager uses ssl client certs for authorization. Setting apache to provide the verification and send appropriate header to thin.
daviddavis · Sep 16, 2011 · 4c1e2ac · 4c1e2ac
1 parent 5c43c53
commit 4c1e2ac
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 3 deletions.
diff --git a/puppet/modules/katello/templates/etc/httpd/conf.d/katello.conf.erb b/puppet/modules/katello/templates/etc/httpd/conf.d/katello.conf.erb
@@ -9,6 +9,7 @@ NameVirtualHost *:443
   SSLEngine On
   SSLCertificateFile <%= scope.lookupvar("katello::params::ssl_certificate_file") %>
   SSLCertificateKeyFile <%= scope.lookupvar("katello::params::ssl_certificate_key_file") %>
+  SSLCaCertificateFile /etc/candlepin/certs/candlepin-ca.crt
   ProxyPreserveHost Off
   RequestHeader set X_FORWARDED_PROTO 'https'
 
@@ -35,6 +36,11 @@ NameVirtualHost *:443
   ProxyPassReverse /katello/images !
   ProxyPassReverse /katello/fonts !
 
+  <Location /katello>
+    RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
+    SSLVerifyClient optional
+    SSLVerifyDepth 2
+  </Location>
 </VirtualHost>
 
 NameVirtualHost *:80

diff --git a/src/config/initializers/warden.rb b/src/config/initializers/warden.rb
@@ -87,13 +87,25 @@ def valid?
   end
 
   def authenticate!
-    return fail('No ssl client certificate, skipping ssl-certificate authentication') if request.env['SSL_CLIENT_CERT'].blank?
-
-    consumer_cert = OpenSSL::X509::Certificate.new(request.env['SSL_CLIENT_CERT'])
+    ssl_client_cert = client_cert_from_request
+    return fail('No ssl client certificate, skipping ssl-certificate authentication') if ssl_client_cert.blank?
+    consumer_cert = OpenSSL::X509::Certificate.new(ssl_client_cert)
     u = CpConsumerUser.new(:uuid => uuid(consumer_cert), :username => uuid(consumer_cert))
     success!(u)
   end
 
+  def client_cert_from_request
+    cert = request.env['SSL_CLIENT_CERT'] || request.env['HTTP_SSL_CLIENT_CERT']
+    return nil if cert.blank? || cert == "(null)"
+    # apache does not preserve new lines in cert file - work-around:
+    if cert.include?("-----BEGIN CERTIFICATE----- ")
+      cert = cert.to_s.gsub("-----BEGIN CERTIFICATE----- ","").gsub(" -----END CERTIFICATE-----","")
+      cert.gsub!(" ","\n")
+      cert = "-----BEGIN CERTIFICATE-----\n#{cert}-----END CERTIFICATE-----\n"
+    end
+    return cert
+  end
+
   def uuid(cert)
     drop_cn_prefix_from_subject(cert.subject.to_s)
   end