hub: switch to kerberos auth

Switch to kerberos aut and also ship ssl.conf, adapted to serve at localhost and the fqdn, instead of creating it via sed.
2020-09-05 16:29:46 +02:00 · 2020-09-05 16:29:46 +02:00 · 63355fe0a4
commit 63355fe0a4
parent 5d59084ddb
4 changed files with 91 additions and 14 deletions
--- a/container/hub/Dockerfile
+++ b/container/hub/Dockerfile
@ -1,6 +1,7 @@
 FROM quay.io/osbuild/koji:v1

 COPY container/hub/hub.conf /etc/koji-hub/hub.conf
+COPY container/hub/ssl.conf /etc/httpd/conf.d/ssl.conf
 COPY plugins/hub/osbuild.py /usr/lib/koji-hub-plugins/
 COPY container/hub/run-hub.sh /app/run-hub.sh

--- a/container/hub/hub.conf
+++ b/container/hub/hub.conf
@ -15,8 +15,10 @@ KojiDebug = On
 KojiTraceback = extended

 ## Kerberos
-AuthPrincipal = host/kojihub@LOCAL
+AuthPrincipal = koji@LOCAL
 AuthKeytab = /share/koji.keytab
+HostPrincipalFormat = compile/%s@LOCAL
+ProxyPrincipals = koji@LOCAL

 ##  SSL client certificate auth configuration  ##
 DNUsernameComponent = CN
@ -32,4 +34,4 @@ NotifyOnSuccess = False

 ## Plugins
 PluginPath = /usr/lib/koji-hub-plugins
-Plugins = osbuild
+Plugins = osbuild
--- a/container/hub/run-hub.sh
+++ b/container/hub/run-hub.sh
@ -16,21 +16,15 @@ sed -i -e "s|LogLevel warn|LogLevel debug|" /etc/httpd/conf/httpd.conf

 tee -a /etc/httpd/conf.d/kojihub.conf <<END
 <Location /kojihub/ssllogin>
-         SSLVerifyClient require
-         SSLVerifyDepth  10
-         SSLOptions +StdEnvVars
+        AuthType GSSAPI
+        GssapiSSLonly Off
+        GssapiLocalName Off
+        AuthName "GSSAPI Single Sign On Login"
+        GssapiCredStore keytab:/share/koji.keytab
+        Require valid-user
 </Location>
 END

-sed -i  -e "s|^SSLCertificateFile.*|SSLCertificateFile /etc/pki/koji/certs/kojihub.crt|" \
-        -e "s|^SSLCertificateKeyFile.*|SSLCertificateKeyFile /etc/pki/koji/private/kojihub.key|" \
-        -e "s|^#SSLCertificateChainFile.*|SSLCertificateChainFile /etc/pki/koji/koji_ca_cert.crt|" \
-        -e "s|^#SSLCACertificateFile.*|SSLCACertificateFile /etc/pki/koji/koji_ca_cert.crt|" \
-	-e "s|^#SSLVerifyDepth.*|SSLVerifyDepth 1|" \
-        -e "s|LogLevel warn|LogLevel debug|" \
-        -e "s|^#ServerName.*|ServerName localhost|" \
-        /etc/httpd/conf.d/ssl.conf
-
 sed -i  -e "s|^#ServerName.*|ServerName localhost|" \
        /etc/httpd/conf/httpd.conf

--- a/container/hub/ssl.conf
+++ b/container/hub/ssl.conf
@ -0,0 +1,80 @@
+Listen 443 https
+
+SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
+
+SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
+SSLSessionCacheTimeout  300
+
+SSLRandomSeed startup file:/dev/urandom  256
+SSLRandomSeed connect builtin
+SSLCryptoDevice builtin
+
+## SSL Virtual Host Context
+# localhost
+<VirtualHost _default_:443>
+ServerName localhost
+
+ErrorLog logs/ssl_error_log
+TransferLog logs/ssl_access_log
+LogLevel debug
+
+
+SSLEngine on
+SSLHonorCipherOrder on
+SSLCipherSuite PROFILE=SYSTEM
+SSLProxyCipherSuite PROFILE=SYSTEM
+SSLCertificateFile /share/crt.pem
+SSLCertificateKeyFile /share/key.pem
+SSLCertificateChainFile /share/ca-crt.pem
+SSLCACertificateFile /share/ca-crt.pem
+SSLVerifyDepth 1
+
+<FilesMatch "\.(cgi|shtml|phtml|php)$">
+    SSLOptions +StdEnvVars
+</FilesMatch>
+<Directory "/var/www/cgi-bin">
+    SSLOptions +StdEnvVars
+</Directory>
+
+BrowserMatch "MSIE [2-5]" \
+         nokeepalive ssl-unclean-shutdown \
+         downgrade-1.0 force-response-1.0
+
+CustomLog logs/ssl_request_log \
+          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+
+</VirtualHost>
+
+# Full Qualified Domain Name, org.osbuild.koji.koji
+<VirtualHost _default_:443>
+ServerName org.osbuild.koji.koji
+
+ErrorLog logs/ssl_error_log
+TransferLog logs/ssl_access_log
+LogLevel debug
+
+SSLEngine on
+SSLHonorCipherOrder on
+SSLCipherSuite PROFILE=SYSTEM
+SSLProxyCipherSuite PROFILE=SYSTEM
+SSLCertificateFile /share/crt-fqdn.pem
+SSLCertificateKeyFile /share/key.pem
+SSLCertificateChainFile /share/ca-crt.pem
+SSLCACertificateFile /share/ca-crt.pem
+SSLVerifyDepth 1
+
+<FilesMatch "\.(cgi|shtml|phtml|php)$">
+    SSLOptions +StdEnvVars
+</FilesMatch>
+<Directory "/var/www/cgi-bin">
+    SSLOptions +StdEnvVars
+</Directory>
+
+BrowserMatch "MSIE [2-5]" \
+         nokeepalive ssl-unclean-shutdown \
+         downgrade-1.0 force-response-1.0
+
+CustomLog logs/ssl_request_log \
+          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+
+</VirtualHost>