Fixes #30535 - Set HTTP headers for proxy requests

theforeman · Aug 21, 2020 · cc2d829 · cc2d829
1 parent e3bf011
commit cc2d829
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 0 deletions.
diff --git a/templates/auth_kerb.conf.erb b/templates/auth_kerb.conf.erb
@@ -10,6 +10,17 @@
   KrbLocalUserMapping On
   # require valid-user
   require pam-account <%= scope.lookupvar('::foreman::pam_service') %>
+  # Set headers for proxy requests
+  RewriteRule .* - [E=HTTP_REMOTE_USER:%{REMOTE_USER}]
+  RequestHeader set REMOTE_USER %{REMOTE_USER}e
+  RewriteRule .* - [E=HTTP_REMOTE_USER_EMAIL:%{REMOTE_USER_EMAIL}]
+  RequestHeader set REMOTE_USER_EMAIL %{REMOTE_USER_EMAIL}e
+  RewriteRule .* - [E=HTTP_REMOTE_USER_FIRSTNAME:%{REMOTE_USER_FIRSTNAME}]
+  RequestHeader set REMOTE_USER_FIRSTNAME %{REMOTE_USER_FIRSTNAME}e
+  RewriteRule .* - [E=HTTP_REMOTE_USER_LASTNAME:%{REMOTE_USER_LASTNAME}]
+  RequestHeader set REMOTE_USER_LASTNAME %{REMOTE_USER_LASTNAME}e
+  RewriteRule .* - [E=HTTP_REMOTE_USER_GROUPS:%{REMOTE_USER_GROUPS}]
+  RequestHeader set REMOTE_USER_GROUPS %{REMOTE_USER_GROUPS}e
   ErrorDocument 401 '<html><meta http-equiv="refresh" content="0; URL=/users/login"><body>Kerberos authentication did not pass.</body></html>'
   # The following is needed as a workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1020087
   ErrorDocument 500 '<html><meta http-equiv="refresh" content="0; URL=/users/login"><body>Kerberos authentication did not pass.</body></html>'

diff --git a/templates/lookup_identity.conf.erb b/templates/lookup_identity.conf.erb
@@ -3,6 +3,7 @@
   LookupUserAttr email REMOTE_USER_EMAIL
   LookupUserAttr firstname REMOTE_USER_FIRSTNAME
   LookupUserAttr lastname REMOTE_USER_LASTNAME
+  LookupUserGroups REMOTE_USER_GROUPS :
   LookupUserGroupsIter REMOTE_USER_GROUP
 </LocationMatch>