
Issue #5955

using cert auth throws an error: {"detail":"CSRF Failed: CSRF token missing or incorrect."}

Added by jsherril@redhat.com about 2 months ago. Updated about 1 month ago.

Status: CLOSED - CURRENTRELEASE
Priority: Normal
Assignee:
Category: -
Sprint/Milestone:
Start date:
Due date:
Severity: 2. Medium
Version:
Platform Release:
Blocks Release:
OS:
Backwards Incompatible: No
Triaged: Yes
Groomed: No
Sprint Candidate: No
Tags: Katello-P1
QA Contact:
Complexity:
Smash Test:
Verified: No
Verification Required: No
Sprint: Sprint 64

Description

This was working, but after updating my Pulp installation it stopped working (I suspect it's related to some sort of dependency, but I'm not sure).

# curl https://`hostname`/pulp/api/v3/repositories/file/file/ --cert /etc/pki/katello/certs/pulp-client.crt --key /etc/pki/katello/private/pulp-client.key -d '{"name":"foo"}'
{"detail":"CSRF Failed: CSRF token missing or incorrect."}

Using username/password works fine.

I have the following snippet in my webserver:

<Location /pulp/api/v3/>
RequestHeader set REMOTE_USER "%{SSL_CLIENT_S_DN_CN}s" env=SSL_CLIENT_S_DN
</Location>

and the following in my settings.py:

REMOTE_USER_ENVIRON_NAME = "HTTP_REMOTE_USER"

ssl.conf (2.71 KB) jsherril@redhat.com, 01/10/2020 05:09 PM ssl.conf
certs.tar (220 KB) jsherril@redhat.com, 01/10/2020 05:15 PM certs.tar

Associated revisions

Revision 1ae65bde
Added by bmbouter about 1 month ago

REMOTE_USER auth shouldn't trigger csrf rejects

Move all authentication fully to DRF. We were incorrectly configuring webserver auth support in django and not DRF. This ports the setting REMOTE_USER_ENVIRON_NAME to work with DRF instead of Django.

It adjusts the settings.py so there are removal claims even though this will likely go into a z-release. It's an important FYI for the user.

https://pulp.plan.io/issues/5955 closes #5955

Revision 9935b943
Added by bmbouter about 1 month ago

REMOTE_USER auth shouldn't trigger csrf rejects

Move all authentication fully to DRF. We were incorrectly configuring webserver auth support in django and not DRF. This ports the setting REMOTE_USER_ENVIRON_NAME to work with DRF instead of Django.

It adjusts the settings.py so there are removal claims even though this will likely go into a z-release. It's an important FYI for the user.

https://pulp.plan.io/issues/5955 closes #5955

(cherry picked from commit 1ae65bde73d649ac778357608a5ea84d48fd2096)

Revision f5550cef
Added by bmbouter about 1 month ago

REMOTE_USER auth shouldn't trigger csrf rejects

Move all authentication fully to DRF. We were incorrectly configuring webserver auth support in django and not DRF. This ports the setting REMOTE_USER_ENVIRON_NAME to work with DRF instead of Django.

It adjusts the settings.py so there are removal claims even though this will likely go into a z-release. It's an important FYI for the user.

https://pulp.plan.io/issues/5955 closes #5955

(cherry picked from commit 1ae65bde73d649ac778357608a5ea84d48fd2096)
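Added example (not Pulp's, Django's or Django REST framework's own code): a small Python model of the authentication decision behind the error in the description and behind the fix described in the commits above. It assumes a request is a dict of WSGI environ keys (a request header named REMOTE_USER, as set by the Apache RequestHeader line in the description, reaches WSGI as HTTP_REMOTE_USER, which is why REMOTE_USER_ENVIRON_NAME is set to that value) plus the user a Django middleware may already have attached, and that authenticators are tried in order with the first match winning, as in DRF. The point it shows: DRF's SessionAuthentication demands a CSRF token for any already-populated request.user on an unsafe method, because it cannot distinguish a cookie-authenticated browser from a user that RemoteUserMiddleware copied out of a header; DRF's RemoteUserAuthentication reads the header itself and applies no CSRF check, since that identity was established by the web server's client-certificate verification rather than by a cookie a browser would send automatically.

```python
from dataclasses import dataclass
from typing import Optional

SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")
CSRF_ERROR = "CSRF Failed: CSRF token missing or incorrect."


@dataclass
class Request:
    """Constructed stand-in for a Django request reaching a DRF view."""
    method: str
    environ: dict                 # WSGI environ: Apache request headers appear as HTTP_*
    user: Optional[str] = None    # set by Django middleware before the view runs, if any
    csrf_token_ok: bool = False   # whether a valid CSRF token accompanied the request


class CsrfFailed(Exception):
    pass


class SessionAuthentication:
    """Model of DRF SessionAuthentication: trust the user Django middleware
    already attached (normally from a session cookie), then enforce CSRF on
    unsafe methods, because cookie-carried identity is what CSRF abuses."""

    def authenticate(self, request):
        if request.user is None:
            return None
        if request.method not in SAFE_METHODS and not request.csrf_token_ok:
            raise CsrfFailed(CSRF_ERROR)
        return request.user


class RemoteUserAuthentication:
    """Model of DRF RemoteUserAuthentication: take the identity from a header
    the web server set after verifying the client certificate. No CSRF check is
    needed: a third-party site cannot make Apache set this header for a victim."""

    def __init__(self, header="HTTP_REMOTE_USER"):   # REMOTE_USER_ENVIRON_NAME on this page
        self.header = header

    def authenticate(self, request):
        return request.environ.get(self.header) or None


def run_authenticators(request, authenticators):
    """First authenticator that returns a user wins, as in DRF."""
    for auth in authenticators:
        user = auth.authenticate(request)
        if user is not None:
            return user
    return None


def broken_setup(request):
    """Pre-fix configuration: Django's RemoteUserMiddleware copies the header
    into request.user, and DRF is left with its default SessionAuthentication,
    which then sees an authenticated user and insists on a CSRF token."""
    remote_user = request.environ.get("HTTP_REMOTE_USER")
    if remote_user:
        request.user = remote_user          # what the Django-level middleware does
    try:
        user = run_authenticators(request, [SessionAuthentication()])
    except CsrfFailed as exc:
        return str(exc)
    return f"ok:{user}" if user else "anonymous"


def fixed_setup(request):
    """Post-fix configuration: DRF's RemoteUserAuthentication reads the header
    itself and runs first; SessionAuthentication still guards browser sessions."""
    try:
        user = run_authenticators(request, [RemoteUserAuthentication(), SessionAuthentication()])
    except CsrfFailed as exc:
        return str(exc)
    return f"ok:{user}" if user else "anonymous"


def cert_post():
    """Constructed: the curl POST from this issue after Apache verified the
    client certificate and set the REMOTE_USER request header."""
    return Request("POST", {"HTTP_REMOTE_USER": "pulp-client"})


if __name__ == "__main__":
    print("broken, cert POST        :", broken_setup(cert_post()))   # the error reported here
    print("fixed,  cert POST        :", fixed_setup(cert_post()))    # ok:pulp-client
    print("fixed,  browser, no token:", fixed_setup(Request("POST", {}, user="alice")))
    print("fixed,  browser, token   :", fixed_setup(Request("POST", {}, user="alice", csrf_token_ok=True)))
```

The broken_setup path yields the exact detail string from the curl output in the description; the fixed_setup path accepts the certificate-backed request and still rejects a session-cookie POST that carries no token, which is the behaviour the commits restore by handling REMOTE_USER in DRF rather than in Django middleware. In a real deployment the equivalent of the authenticator list is the DEFAULT_AUTHENTICATION_CLASSES entry of the REST_FRAMEWORK setting; the order and header name used here are this example's assumptions, not a transcription of Pulp's settings.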

History

#1 Updated by jsherril@redhat.com about 2 months ago

  • Tags Katello-P1 added

#2 Updated by daviddavis about 2 months ago

  • Triaged changed from No to Yes
  • Sprint set to Sprint 64

Per triage

#3 Updated by jsherril@redhat.com about 2 months ago

Reproduced on pulp_lift with just:

pulp3-sandbox-centos7

and the attached Apache config.

#4 Updated by jsherril@redhat.com about 2 months ago

After pulplifting:

1. yum install -y httpd mod_ssl
2. change 'Listen 80' to 81 in /etc/httpd/conf/httpd.conf
3. Drop ssl.conf from this issue into /etc/httpd/conf.d/ (replacing the existing ssl.conf)
4. add "127.0.0.1 devel.balmora.example.com" to /etc/hosts
5. run 'hostname devel.balmora.example.com' to set a hostname which matches the certs
6. extract the included tarball to /etc/pki/katello/ (so /etc/pki/katello/certs/pulp-client.crt should exist)
7. chown apache /etc/pki/katello -R
8. add to /etc/pulp/settings.py REMOTE_USER_ENVIRON_NAME = "HTTP_REMOTE_USER"
9. systemctl restart pulpcore-api
10. systemctl start httpd
11. run:

curl https://`hostname`/pulp/api/v3/repositories/file/file/ --cert /etc/pki/katello/certs/pulp-client.crt --key /etc/pki/katello/private/pulp-client.key -d '{"name":"foo"}' -k

If I didn't forget any steps, you should get:

{"detail":"CSRF Failed: CSRF token missing or incorrect."}

#6 Updated by bmbouter about 2 months ago

  • Status changed from NEW to ASSIGNED
  • Assignee set to bmbouter

I was able to reproduce the issue, so I'll take as ASSIGNED.

#7 Updated by bmbouter about 1 month ago

  • Status changed from ASSIGNED to POST

#8 Updated by bmbouter about 1 month ago

  • Status changed from POST to MODIFIED

#11 Updated by bmbouter about 1 month ago

  • Sprint/Milestone set to 3.0.1

#12 Updated by bmbouter about 1 month ago

  • Status changed from MODIFIED to CLOSED - CURRENTRELEASE
