Issue #5955

closed

using cert auth throws an error: {"detail":"CSRF Failed: CSRF token missing or incorrect."}

Added by jsherril@redhat.com almost 5 years ago. Updated over 4 years ago.

Status:
CLOSED - CURRENTRELEASE
Priority:
Normal
Assignee:
Category:
-
Sprint/Milestone:
Start date:
Due date:
Estimated time:
Severity:
2. Medium
Version:
Platform Release:
OS:
Triaged:
Yes
Groomed:
No
Sprint Candidate:
No
Tags:
Katello
Sprint:
Sprint 64
Quarter:

Description

This was working, but after updating my pulp installation it stopped working (I suspect it's related to some sort of dependency, but I'm not sure).

# curl  https://`hostname`/pulp/api/v3/repositories/file/file/   --cert /etc/pki/katello/certs/pulp-client.crt  --key /etc/pki/katello/private/pulp-client.key   -d '{"name":"foo"}' 
{"detail":"CSRF Failed: CSRF token missing or incorrect."}

Using username/password works fine.

I have the following snippet in my webserver:

<Location /pulp/api/v3/>
RequestHeader set REMOTE_USER "%{SSL_CLIENT_S_DN_CN}s" env=SSL_CLIENT_S_DN
</Location>

and the following in my settings.py:

REMOTE_USER_ENVIRON_NAME = "HTTP_REMOTE_USER"


Files

ssl.conf (2.71 KB) ssl.conf jsherril@redhat.com, 01/10/2020 05:09 PM
certs.tar (220 KB) certs.tar jsherril@redhat.com, 01/10/2020 05:15 PM
Actions #1

Updated by jsherril@redhat.com almost 5 years ago

  • Tags Katello-P1 added
Actions #2

Updated by daviddavis almost 5 years ago

  • Triaged changed from No to Yes
  • Sprint set to Sprint 64

Per triage

Actions #3

Updated by jsherril@redhat.com almost 5 years ago

Reproduced on pulp_lift with just:

pulp3-sandbox-centos7

and the attached Apache config.

Actions #4

Updated by jsherril@redhat.com almost 5 years ago

After pulplifting:

1. yum install -y httpd mod_ssl
2. change 'Listen 80' to 81 in /etc/httpd/conf/httpd.conf
3. Drop ssl.conf from this issue into /etc/httpd/conf.d/ (replacing the existing ssl.conf)
4. add "127.0.0.1 devel.balmora.example.com" to /etc/hosts
5. run 'hostname devel.balmora.example.com' to set a hostname which matches the certs
6. extract the included tarball to /etc/pki/katello/ (so /etc/pki/katello/certs/pulp-client.crt should exist)
7. chown apache /etc/pki/katello -R
8. add to /etc/pulp/settings.py REMOTE_USER_ENVIRON_NAME = "HTTP_REMOTE_USER"
9. systemctl restart pulpcore-api
10. systemctl start httpd
11. run:

curl https://`hostname`/pulp/api/v3/repositories/file/file/ --cert /etc/pki/katello/certs/pulp-client.crt --key /etc/pki/katello/private/pulp-client.key -d '{"name":"foo"}' -k

If I didn't forget any steps, you should get:

{"detail":"CSRF Failed: CSRF token missing or incorrect."}

Actions #6

Updated by bmbouter almost 5 years ago

  • Status changed from NEW to ASSIGNED
  • Assignee set to bmbouter

I was able to reproduce the issue, so I'll take as ASSIGNED.

Added by bmbouter almost 5 years ago

Revision 1ae65bde | View on GitHub

REMOTE_USER auth shouldn't trigger csrf rejects

Move all authentication fully to DRF. We were incorrectly configuring webserver auth support in django and not DRF. This ports the setting REMOTE_USER_ENVIRON_NAME to work with DRF instead of Django.

It adjusts the settings.py so there are removal claims even though this will likely go into a z-release. It's an important FYI for the user.

https://pulp.plan.io/issues/5955 closes #5955
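To show why a webserver-set REMOTE_USER header tripped CSRF checks when it was wired into Django's middleware rather than DRF, here is an added illustration (my own constructed model, not pulpcore or DRF code) that mirrors the relevant semantics of DRF's SessionAuthentication and RemoteUserAuthentication; the HTTP_REMOTE_USER header name is the one from the reporter's settings.py, and the user name "pulp-client" is made up.

```python
from dataclasses import dataclass, field
UNSAFE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

@dataclass
class Request:
    method: str
    meta: dict = field(default_factory=dict)  # WSGI environ (HTTP_* headers)
    session_user: str = None  # set once Django logged the user into a session
    csrf_ok: bool = False  # True only if a browser sent a valid CSRF cookie/token pair

class SessionAuthentication:
    # Trusts the Django session, so it must enforce CSRF on unsafe methods.
    def authenticate(self, request):
        if not request.session_user:
            return None
        if request.method in UNSAFE_METHODS and not request.csrf_ok:
            raise PermissionError("CSRF Failed: CSRF token missing or incorrect.")
        return request.session_user

class RemoteUserAuthentication:
    # Trusts a header the webserver set after cert auth: no session, so no CSRF.
    def __init__(self, header="REMOTE_USER"):
        self.header = header  # the fix maps REMOTE_USER_ENVIRON_NAME onto this
    def authenticate(self, request):
        return request.meta.get(self.header) or None

def authenticate(request, authenticators):
    # DRF semantics: the first authenticator that returns a user wins.
    for auth in authenticators:
        user = auth.authenticate(request)
        if user is not None:
            return user
    return None  # anonymous

def broken_config(request):
    # Before the fix: Django's RemoteUserMiddleware logged the header user into a
    # session, so DRF's SessionAuthentication answered and demanded a CSRF token.
    request.session_user = request.meta.get("HTTP_REMOTE_USER")
    return authenticate(request, [SessionAuthentication()])

def fixed_config(request):
    # After the fix: DRF reads the header itself, so no session is involved.
    auths = [RemoteUserAuthentication("HTTP_REMOTE_USER"), SessionAuthentication()]
    return authenticate(request, auths)

def run(config, request):
    # Returns {"user": name} or the rejection detail the curl client would see.
    try:
        return {"user": config(request)}
    except PermissionError as exc:
        return {"detail": str(exc)}
```

Browser sessions still get CSRF enforcement in the fixed ordering because SessionAuthentication stays in the list; only the header-authenticated, non-session client is exempt.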

Actions #7

Updated by bmbouter almost 5 years ago

  • Status changed from ASSIGNED to POST
Actions #8

Updated by bmbouter almost 5 years ago

  • Status changed from POST to MODIFIED

Added by bmbouter almost 5 years ago

Revision 9935b943 | View on GitHub

REMOTE_USER auth shouldn't trigger csrf rejects

Move all authentication fully to DRF. We were incorrectly configuring webserver auth support in django and not DRF. This ports the setting REMOTE_USER_ENVIRON_NAME to work with DRF instead of Django.

It adjusts the settings.py so there are removal claims even though this will likely go into a z-release. It's an important FYI for the user.

https://pulp.plan.io/issues/5955 closes #5955

(cherry picked from commit 1ae65bde73d649ac778357608a5ea84d48fd2096)

Added by bmbouter almost 5 years ago

Revision f5550cef | View on GitHub

REMOTE_USER auth shouldn't trigger csrf rejects

Move all authentication fully to DRF. We were incorrectly configuring webserver auth support in django and not DRF. This ports the setting REMOTE_USER_ENVIRON_NAME to work with DRF instead of Django.

It adjusts the settings.py so there are removal claims even though this will likely go into a z-release. It's an important FYI for the user.

https://pulp.plan.io/issues/5955 closes #5955

(cherry picked from commit 1ae65bde73d649ac778357608a5ea84d48fd2096)

Actions #11

Updated by bmbouter almost 5 years ago

  • Sprint/Milestone set to 3.0.1
Actions #12

Updated by bmbouter almost 5 years ago

  • Status changed from MODIFIED to CLOSED - CURRENTRELEASE
Actions #13

Updated by ggainey over 4 years ago

  • Tags Katello added
  • Tags deleted (Katello-P1)
