Fixes #30535 - Set HTTP headers for proxy requests

theforeman · Oct 8, 2020 · 46f3c79 · 46f3c79
1 parent e3bf011
commit 46f3c79
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 2 deletions.
diff --git a/manifests/config/apache.pp b/manifests/config/apache.pp
@@ -196,6 +196,11 @@
         'set SSL_CLIENT_S_DN ""',
         'set SSL_CLIENT_CERT ""',
         'set SSL_CLIENT_VERIFY ""',
+        'unset REMOTE_USER',
+        'unset REMOTE_USER_EMAIL',
+        'unset REMOTE_USER_FIRSTNAME',
+        'unset REMOTE_USER_LASTNAME',
+        'unset REMOTE_USER_USER_GROUPS',
       ],
       'proxy_pass'          => {
         'no_proxy_uris' => $proxy_no_proxy_uris,
@@ -219,6 +224,11 @@
         'set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"',
         'set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"',
         'set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"',
+        'unset REMOTE_USER',
+        'unset REMOTE_USER_EMAIL',
+        'unset REMOTE_USER_FIRSTNAME',
+        'unset REMOTE_USER_LASTNAME',
+        'unset REMOTE_USER_USER_GROUPS',
       ],
     }
 

diff --git a/spec/classes/foreman_config_apache_spec.rb b/spec/classes/foreman_config_apache_spec.rb
@@ -219,7 +219,12 @@
                   'set X_FORWARDED_PROTO "http"',
                   'set SSL_CLIENT_S_DN ""',
                   'set SSL_CLIENT_CERT ""',
-                  'set SSL_CLIENT_VERIFY ""'
+                  'set SSL_CLIENT_VERIFY ""',
+                  'unset REMOTE_USER',
+                  'unset REMOTE_USER_EMAIL',
+                  'unset REMOTE_USER_FIRSTNAME',
+                  'unset REMOTE_USER_LASTNAME',
+                  'unset REMOTE_USER_USER_GROUPS'
                 ])
                 .with_proxy_pass(
                   "no_proxy_uris" => ['/pulp', '/pulp2', '/streamer', '/pub', '/icons'],
@@ -245,7 +250,12 @@
                   'set X_FORWARDED_PROTO "https"',
                   'set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"',
                   'set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"',
-                  'set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"'
+                  'set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"',
+                  'unset REMOTE_USER',
+                  'unset REMOTE_USER_EMAIL',
+                  'unset REMOTE_USER_FIRSTNAME',
+                  'unset REMOTE_USER_LASTNAME',
+                  'unset REMOTE_USER_USER_GROUPS'
                 ])
                 .with_ssl_proxyengine(true)
                 .with_proxy_pass(

diff --git a/templates/lookup_identity.conf.erb b/templates/lookup_identity.conf.erb
@@ -3,6 +3,14 @@
   LookupUserAttr email REMOTE_USER_EMAIL
   LookupUserAttr firstname REMOTE_USER_FIRSTNAME
   LookupUserAttr lastname REMOTE_USER_LASTNAME
+  LookupUserGroups REMOTE_USER_GROUPS :
   LookupUserGroupsIter REMOTE_USER_GROUP
+
+  # Set headers for proxy requests
+  RequestHeader set REMOTE_USER %{REMOTE_USER}e
+  RequestHeader set REMOTE_USER_EMAIL %{REMOTE_USER_EMAIL}e
+  RequestHeader set REMOTE_USER_FIRSTNAME %{REMOTE_USER_FIRSTNAME}e
+  RequestHeader set REMOTE_USER_LASTNAME %{REMOTE_USER_LASTNAME}e
+  RequestHeader set REMOTE_USER_GROUPS %{REMOTE_USER_GROUPS}e
 </LocationMatch>