Showing with 95 additions and 22 deletions.

+12 −0 CHANGELOG.md

+4 −1 manifests/apache.pp

+3 −5 manifests/plugin/container.pp

+1 −1 metadata.json

+56 −11 spec/classes/plugin_container_spec.rb

+7 −4 spec/classes/pulpcore_spec.rb

+12 −0 spec/support/acceptance/examples.rb
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,17 @@
 # Changelog
 
+## [10.4.0](https://github.com/theforeman/puppet-pulpcore/tree/10.4.0) (2024-09-04)
+
+[Full Changelog](https://github.com/theforeman/puppet-pulpcore/compare/10.3.0...10.4.0)
+
+**Implemented enhancements:**
+
+- Reuse headers from pulpcore::apache class [\#354](https://github.com/theforeman/puppet-pulpcore/pull/354) ([ekohl](https://github.com/ekohl))
+
+**Fixed bugs:**
+
+- Don't use underscores in HTTP headers [\#357](https://github.com/theforeman/puppet-pulpcore/pull/357) ([evgeni](https://github.com/evgeni))
+
 ## [10.3.0](https://github.com/theforeman/puppet-pulpcore/tree/10.3.0) (2024-08-14)
 
 [Full Changelog](https://github.com/theforeman/puppet-pulpcore/compare/10.2.0...10.3.0)

diff --git a/manifests/apache.pp b/manifests/apache.pp
@@ -43,10 +43,13 @@
 
   # Pulp has a default for remote header. Here it's ensured that the end user
   # can't send that header to spoof users.
-  $remote_user_environ_header = $pulpcore::remote_user_environ_name.regsubst(/^HTTP_/, '')
+  # The logic is only sufficient for headers with at most one underscore!
+  $remote_user_environ_header_underscore = $pulpcore::remote_user_environ_name.regsubst(/^HTTP_/, '')
+  $remote_user_environ_header = $remote_user_environ_header_underscore.regsubst('_', '-')
 
   $api_default_request_headers = [
     "unset ${remote_user_environ_header}",
+    "unset ${remote_user_environ_header_underscore}",
     "set ${remote_user_environ_header} \"%{SSL_CLIENT_S_DN_CN}s\" env=SSL_CLIENT_S_DN_CN",
   ]
 

diff --git a/manifests/plugin/container.pp b/manifests/plugin/container.pp
@@ -9,14 +9,12 @@
   String $location_prefix = '/pulpcore_registry',
   String $registry_version_path = '/v2/',
 ) {
+  # This is like pulpcore::apache's value, but slightly different
   $api_default_request_headers = [
     "unset ${pulpcore::apache::remote_user_environ_header}",
+    "unset ${pulpcore::apache::remote_user_environ_header_underscore}",
   ]
 
-  $api_additional_request_headers = $pulpcore::api_client_auth_cn_map.map |String $cn, String $pulp_user| {
-    "set ${pulpcore::apache::remote_user_environ_header} \"${pulp_user}\" \"expr=%{SSL_CLIENT_S_DN_CN} == '${cn}'\""
-  }
-
   $context = {
     'directories' => [
       {
@@ -27,7 +25,7 @@
             'url' => "${pulpcore::apache::api_base_url}${registry_version_path}",
           },
         ],
-        'request_headers' => $api_default_request_headers + $api_additional_request_headers,
+        'request_headers' => $api_default_request_headers + $pulpcore::apache::api_additional_request_headers,
       },
     ],
     'proxy_pass'  => [

diff --git a/metadata.json b/metadata.json
@@ -1,6 +1,6 @@
 {
   "name": "theforeman-pulpcore",
-  "version": "10.3.0",
+  "version": "10.4.0",
   "author": "theforeman",
   "summary": "Installs next generation Pulp server",
   "license": "GPL-3.0-or-later",

diff --git a/spec/classes/plugin_container_spec.rb b/spec/classes/plugin_container_spec.rb
@@ -4,18 +4,63 @@
   on_supported_os.each do |os, os_facts|
     context "on #{os}" do
       let(:facts) { os_facts }
-      let(:pre_condition) { 'include pulpcore' }
+      context "with default params" do
+        let(:pre_condition) { 'include pulpcore' }
 
-      it 'configures the plugin' do
-        is_expected.to compile.with_all_deps
-        is_expected.to contain_pulpcore__plugin('container')
-          .that_subscribes_to('Class[Pulpcore::Install]')
-          .that_notifies(['Class[Pulpcore::Database]', 'Class[Pulpcore::Service]'])
-        is_expected.to contain_package('pulpcore-plugin(container)')
-        is_expected.to contain_concat__fragment('plugin-container').with_content("\n# container plugin settings\nTOKEN_AUTH_DISABLED=True")
-        is_expected.to contain_pulpcore__apache__fragment('plugin-container')
-        is_expected.not_to contain_apache__vhost__fragment('pulpcore-http-plugin-container')
-        is_expected.to contain_apache__vhost__fragment('pulpcore-https-plugin-container')
+        it 'configures the plugin' do
+          is_expected.to compile.with_all_deps
+          is_expected.to contain_pulpcore__plugin('container')
+            .that_subscribes_to('Class[Pulpcore::Install]')
+            .that_notifies(['Class[Pulpcore::Database]', 'Class[Pulpcore::Service]'])
+          is_expected.to contain_package('pulpcore-plugin(container)')
+          is_expected.to contain_concat__fragment('plugin-container').with_content("\n# container plugin settings\nTOKEN_AUTH_DISABLED=True")
+          is_expected.to contain_pulpcore__apache__fragment('plugin-container')
+          is_expected.not_to contain_apache__vhost__fragment('pulpcore-http-plugin-container')
+          is_expected.to contain_apache__vhost__fragment('pulpcore-https-plugin-container')
+            .with_vhost('pulpcore-https')
+            .with_priority('10')
+            .with_content(<<APACHE_CONFIG)
+
+  <Location "/pulpcore_registry/v2/">
+    RequestHeader unset REMOTE-USER
+    RequestHeader unset REMOTE_USER
+    ProxyPass unix:///run/pulpcore-api.sock|http://pulpcore-api/v2/
+    ProxyPassReverse unix:///run/pulpcore-api.sock|http://pulpcore-api/v2/
+  </Location>
+
+  ProxyPass /pulp/container/ unix:///run/pulpcore-content.sock|http://pulpcore-content/pulp/container/
+  ProxyPassReverse /pulp/container/ unix:///run/pulpcore-content.sock|http://pulpcore-content/pulp/container/
+APACHE_CONFIG
+        end
+      end
+
+      context 'with API client auth common names' do
+        let(:pre_condition) do
+          <<~PUPPET
+          class {'pulpcore':
+            api_client_auth_cn_map => {'foreman.example.com' => 'admin'}
+          }
+          PUPPET
+        end
+        it 'configures the plugin' do
+          is_expected.to compile.with_all_deps
+          is_expected.to contain_apache__vhost__fragment('pulpcore-https-plugin-container')
+            .with_vhost('pulpcore-https')
+            .with_priority('10')
+            .with_content(<<APACHE_CONFIG)
+
+  <Location "/pulpcore_registry/v2/">
+    RequestHeader unset REMOTE-USER
+    RequestHeader unset REMOTE_USER
+    RequestHeader set REMOTE-USER "admin" "expr=%{SSL_CLIENT_S_DN_CN} == 'foreman.example.com'"
+    ProxyPass unix:///run/pulpcore-api.sock|http://pulpcore-api/v2/
+    ProxyPassReverse unix:///run/pulpcore-api.sock|http://pulpcore-api/v2/
+  </Location>
+
+  ProxyPass /pulp/container/ unix:///run/pulpcore-content.sock|http://pulpcore-content/pulp/container/
+  ProxyPassReverse /pulp/container/ unix:///run/pulpcore-content.sock|http://pulpcore-content/pulp/container/
+APACHE_CONFIG
+        end
       end
     end
   end

diff --git a/spec/classes/pulpcore_spec.rb b/spec/classes/pulpcore_spec.rb
@@ -131,8 +131,9 @@
                   'params' => {'timeout' => '600'},
                 }],
                 'request_headers' => [
+                  'unset REMOTE-USER',
                   'unset REMOTE_USER',
-                  'set REMOTE_USER "%{SSL_CLIENT_S_DN_CN}s" env=SSL_CLIENT_S_DN_CN',
+                  'set REMOTE-USER "%{SSL_CLIENT_S_DN_CN}s" env=SSL_CLIENT_S_DN_CN',
                 ],
               }
             ])
@@ -356,8 +357,9 @@
   </Location>
 
   <Location "/pulp/api/v3">
+    RequestHeader unset REMOTE-USER
     RequestHeader unset REMOTE_USER
-    RequestHeader set REMOTE_USER "%{SSL_CLIENT_S_DN_CN}s" env=SSL_CLIENT_S_DN_CN
+    RequestHeader set REMOTE-USER "%{SSL_CLIENT_S_DN_CN}s" env=SSL_CLIENT_S_DN_CN
     ProxyPass unix:///run/pulpcore-api.sock|http://pulpcore-api/pulp/api/v3 timeout=600
     ProxyPassReverse unix:///run/pulpcore-api.sock|http://pulpcore-api/pulp/api/v3
   </Location>
@@ -520,9 +522,10 @@
                   'params' => {'timeout' => '600'},
                 }],
                 'request_headers' => [
+                  'unset REMOTE-USER',
                   'unset REMOTE_USER',
-                  'set REMOTE_USER "%{SSL_CLIENT_S_DN_CN}s" env=SSL_CLIENT_S_DN_CN',
-                  'set REMOTE_USER "admin" "expr=%{SSL_CLIENT_S_DN_CN} == \'foreman.example.com\'"',
+                  'set REMOTE-USER "%{SSL_CLIENT_S_DN_CN}s" env=SSL_CLIENT_S_DN_CN',
+                  'set REMOTE-USER "admin" "expr=%{SSL_CLIENT_S_DN_CN} == \'foreman.example.com\'"',
                 ],
               }
             ])

diff --git a/spec/support/acceptance/examples.rb b/spec/support/acceptance/examples.rb
@@ -72,6 +72,18 @@
     its(:exit_status) { is_expected.to eq 0 }
   end
 
+  describe curl_command("https://#{host_inventory['fqdn']}/pulp/api/v3/users/", cacert: "#{certdir}/ca-cert.pem", headers: {'remote-user': 'admin'}) do
+    its(:response_code) { is_expected.to eq(403) }
+    its(:body) { is_expected.to contain('Authentication credentials were not provided.') }
+    its(:exit_status) { is_expected.to eq 0 }
+  end
+
+  describe curl_command("https://#{host_inventory['fqdn']}/pulp/api/v3/users/", cacert: "#{certdir}/ca-cert.pem", headers: {'remote_user': 'admin'}) do
+    its(:response_code) { is_expected.to eq(403) }
+    its(:body) { is_expected.to contain('Authentication credentials were not provided.') }
+    its(:exit_status) { is_expected.to eq 0 }
+  end
+
   describe curl_command("https://#{host_inventory['fqdn']}/pulp/api/v3/users/",
                         cacert: "#{certdir}/ca-cert.pem", key: "#{certdir}/client-key.pem", cert: "#{certdir}/client-cert.pem") do
     its(:response_code) { is_expected.to eq(200) }