From 63355fe0a420be130ea9598e3562a4284c1345f4 Mon Sep 17 00:00:00 2001 From: Christian Kellner Date: Sat, 5 Sep 2020 16:29:46 +0200 Subject: [PATCH] hub: switch to kerberos auth Switch to kerberos aut and also ship ssl.conf, adapted to serve at localhost and the fqdn, instead of creating it via sed. --- container/hub/Dockerfile | 1 + container/hub/hub.conf | 6 ++- container/hub/run-hub.sh | 18 +++------ container/hub/ssl.conf | 80 ++++++++++++++++++++++++++++++++++++++++ 4 files changed, 91 insertions(+), 14 deletions(-) create mode 100644 container/hub/ssl.conf diff --git a/container/hub/Dockerfile b/container/hub/Dockerfile index fc31e80..ffac99e 100644 --- a/container/hub/Dockerfile +++ b/container/hub/Dockerfile @@ -1,6 +1,7 @@ FROM quay.io/osbuild/koji:v1 COPY container/hub/hub.conf /etc/koji-hub/hub.conf +COPY container/hub/ssl.conf /etc/httpd/conf.d/ssl.conf COPY plugins/hub/osbuild.py /usr/lib/koji-hub-plugins/ COPY container/hub/run-hub.sh /app/run-hub.sh diff --git a/container/hub/hub.conf b/container/hub/hub.conf index 24be50a..51093ed 100644 --- a/container/hub/hub.conf +++ b/container/hub/hub.conf @@ -15,8 +15,10 @@ KojiDebug = On KojiTraceback = extended ## Kerberos -AuthPrincipal = host/kojihub@LOCAL +AuthPrincipal = koji@LOCAL AuthKeytab = /share/koji.keytab +HostPrincipalFormat = compile/%s@LOCAL +ProxyPrincipals = koji@LOCAL ## SSL client certificate auth configuration ## DNUsernameComponent = CN @@ -32,4 +34,4 @@ NotifyOnSuccess = False ## Plugins PluginPath = /usr/lib/koji-hub-plugins -Plugins = osbuild \ No newline at end of file +Plugins = osbuild diff --git a/container/hub/run-hub.sh b/container/hub/run-hub.sh index 6b71cf9..fcc97a7 100755 --- a/container/hub/run-hub.sh +++ b/container/hub/run-hub.sh 
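Review bot: ProxyPrincipals is set to koji@LOCAL, the same principal the hub itself authenticates as through AuthPrincipal and /share/koji.keytab, so whoever can read that keytab also gets the proxy-authentication path (as I understand ProxyPrincipals, it names the identities allowed to authenticate on behalf of other users, normally kojiweb). That deserves a comment next to the new lines, e.g. `## koji@LOCAL is also a proxy principal: any holder of /share/koji.keytab can act for other users`. If the GssapiCredStore in run-hub.sh and other containers mount the same keytab, a dedicated proxy principal would narrow what a leaked keytab allows; nothing in the hunk shows which clients present this identity, so treat that as a point to confirm. The Dockerfile hunk on this line only copies ssl.conf and raises nothing.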
@@ -16,21 +16,15 @@ sed -i -e "s|LogLevel warn|LogLevel debug|" /etc/httpd/conf/httpd.conf tee -a /etc/httpd/conf.d/kojihub.conf < - SSLVerifyClient require - SSLVerifyDepth 10 - SSLOptions +StdEnvVars + AuthType GSSAPI + GssapiSSLonly Off + GssapiLocalName Off + AuthName "GSSAPI Single Sign On Login" + GssapiCredStore keytab:/share/koji.keytab + Require valid-user END -sed -i -e "s|^SSLCertificateFile.*|SSLCertificateFile /etc/pki/koji/certs/kojihub.crt|" \ - -e "s|^SSLCertificateKeyFile.*|SSLCertificateKeyFile /etc/pki/koji/private/kojihub.key|" \ - -e "s|^#SSLCertificateChainFile.*|SSLCertificateChainFile /etc/pki/koji/koji_ca_cert.crt|" \ - -e "s|^#SSLCACertificateFile.*|SSLCACertificateFile /etc/pki/koji/koji_ca_cert.crt|" \ - -e "s|^#SSLVerifyDepth.*|SSLVerifyDepth 1|" \ - -e "s|LogLevel warn|LogLevel debug|" \ - -e "s|^#ServerName.*|ServerName localhost|" \ - /etc/httpd/conf.d/ssl.conf - sed -i -e "s|^#ServerName.*|ServerName localhost|" \ /etc/httpd/conf/httpd.conf diff --git a/container/hub/ssl.conf b/container/hub/ssl.conf new file mode 100644 index 0000000..1504207 --- /dev/null +++ b/container/hub/ssl.conf 
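Review bot: `GssapiSSLonly Off` in the new kojihub.conf block lets mod_auth_gssapi accept Negotiate tokens on non-TLS requests, while the rest of the commit moves serving onto the two port-443 virtual hosts in ssl.conf; unless plain-HTTP access to the hub location is intended, `GssapiSSLonly On` closes that path. Whether httpd.conf still has a `Listen 80` is not visible in this patch, so the exposure is inferred rather than shown. The heredoc's `tee -a /etc/httpd/conf.d/kojihub.conf` line is context inside the hunk, but its `<Location ...>` opening tag was lost in this rendering, so the exact scope the directives apply to could not be checked.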
@@ -0,0 +1,80 @@ +Listen 443 https + +SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog + +SSLSessionCache shmcb:/run/httpd/sslcache(512000) +SSLSessionCacheTimeout 300 + +SSLRandomSeed startup file:/dev/urandom 256 +SSLRandomSeed connect builtin +SSLCryptoDevice builtin + +## SSL Virtual Host Context +# localhost + +ServerName localhost + +ErrorLog logs/ssl_error_log +TransferLog logs/ssl_access_log +LogLevel debug + + +SSLEngine on +SSLHonorCipherOrder on +SSLCipherSuite PROFILE=SYSTEM +SSLProxyCipherSuite PROFILE=SYSTEM +SSLCertificateFile /share/crt.pem +SSLCertificateKeyFile /share/key.pem +SSLCertificateChainFile /share/ca-crt.pem +SSLCACertificateFile /share/ca-crt.pem +SSLVerifyDepth 1 + + + SSLOptions +StdEnvVars + + + SSLOptions +StdEnvVars + + +BrowserMatch "MSIE [2-5]" \ + nokeepalive ssl-unclean-shutdown \ + downgrade-1.0 force-response-1.0 + +CustomLog logs/ssl_request_log \ + "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" + + + +# Full Qualified Domain Name, org.osbuild.koji.koji + +ServerName org.osbuild.koji.koji + +ErrorLog logs/ssl_error_log +TransferLog logs/ssl_access_log +LogLevel debug + +SSLEngine on +SSLHonorCipherOrder on +SSLCipherSuite PROFILE=SYSTEM +SSLProxyCipherSuite PROFILE=SYSTEM +SSLCertificateFile /share/crt-fqdn.pem +SSLCertificateKeyFile /share/key.pem +SSLCertificateChainFile /share/ca-crt.pem +SSLCACertificateFile /share/ca-crt.pem +SSLVerifyDepth 1 + + + SSLOptions +StdEnvVars + + + SSLOptions +StdEnvVars + + +BrowserMatch "MSIE [2-5]" \ + nokeepalive ssl-unclean-shutdown \ + downgrade-1.0 force-response-1.0 + +CustomLog logs/ssl_request_log \ + "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" + +
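Review bot: Both virtual hosts set `SSLCACertificateFile /share/ca-crt.pem` and `SSLVerifyDepth 1` but neither sets `SSLVerifyClient`, and the run-hub.sh hunk removes the only `SSLVerifyClient require` the image had, so client certificates are no longer requested and these lines are dead configuration; either drop them or mark them, e.g. `# client-cert auth is off (no SSLVerifyClient); CA file and depth only matter if a Location enables it`. `SSLCertificateChainFile` is deprecated since httpd 2.4.8; the chain belongs in the `SSLCertificateFile` bundle (crt.pem or crt-fqdn.pem followed by ca-crt.pem). The two vhosts present different certificates but share `/share/key.pem`; if crt-fqdn.pem was not issued for that key httpd will refuse to start, so a one-line comment stating that both certs are bound to one key would help the next maintainer. The VirtualHost, Files and Directory container tags are not visible in this rendering, so directive scoping could not be verified.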