Issue #5955
closed
using cert auth throws an error: {"detail":"CSRF Failed: CSRF token missing or incorrect."}
Status:
CLOSED - CURRENTRELEASE
Description
This was working, but after updating my Pulp installation it stopped working (I suspect it's related to some sort of dependency, but I'm not sure).
# curl https://`hostname`/pulp/api/v3/repositories/file/file/ --cert /etc/pki/katello/certs/pulp-client.crt --key /etc/pki/katello/private/pulp-client.key -d '{"name":"foo"}'
{"detail":"CSRF Failed: CSRF token missing or incorrect."}
Using username/password works fine.
I have the following snippet in my webserver:
<Location /pulp/api/v3/>
RequestHeader set REMOTE_USER "%{SSL_CLIENT_S_DN_CN}s" env=SSL_CLIENT_S_DN
</Location>
and the following in my settings.py:
REMOTE_USER_ENVIRON_NAME = "HTTP_REMOTE_USER"
- Triaged changed from No to Yes
- Sprint set to Sprint 64
Reproduced on pulp_lift with just:
pulp3-sandbox-centos7
and the attached apache config
After pulplifting:
1. yum install -y httpd mod_ssl
2. change 'Listen 80' to 81 in /etc/httpd/conf/httpd.conf
3. Drop ssl.conf from this issue into /etc/httpd/conf.d/ (replacing the existing ssl.conf)
4. add "127.0.0.1 devel.balmora.example.com" to /etc/hosts
5. run 'hostname devel.balmora.example.com' to set a hostname which matches the certs
6. extract the included tarball to /etc/pki/katello/ (so /etc/pki/katello/certs/pulp-client.crt should exist)
7. chown apache /etc/pki/katello -R
8. add to /etc/pulp/settings.py REMOTE_USER_ENVIRON_NAME = "HTTP_REMOTE_USER"
9. systemctl restart pulpcore-api
10. systemctl start httpd
11. run:
curl https://`hostname`/pulp/api/v3/repositories/file/file/ --cert /etc/pki/katello/certs/pulp-client.crt --key /etc/pki/katello/private/pulp-client.key -d '{"name":"foo"}' -k
If I didn't forget any steps, you should get:
{"detail":"CSRF Failed: CSRF token missing or incorrect."}
- Status changed from NEW to ASSIGNED
- Assignee set to bmbouter
I was able to reproduce the issue, so I'll take as ASSIGNED.
- Status changed from ASSIGNED to POST
- Status changed from POST to MODIFIED
- Sprint/Milestone set to 3.0.1
- Status changed from MODIFIED to CLOSED - CURRENTRELEASE
- Tags Katello added
- Tags deleted (Katello-P1)
REMOTE_USER auth shouldn't trigger csrf rejects
Move all authentication fully to DRF. We were incorrectly configuring webserver auth support in django and not DRF. This ports the setting
REMOTE_USER_ENVIRON_NAME
to work with DRF instead of Django. It adjusts the settings.py so there are removal claims even though this will likely go into a z-release. It's an important FYI for the user.
https://pulp.plan.io/issues/5955 closes #5955
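As an added illustration (not pulpcore's or DRF's own code), a framework-free Python model of the behaviour the commit describes: a session-backed authentication path enforces CSRF on unsafe methods, while a stateless remote-user class that reads the header named by REMOTE_USER_ENVIRON_NAME does not. The SessionAuthentication/RemoteUserAuthentication stand-ins and the WSGI environ are constructed simplifications.

```python
"""Model of why REMOTE_USER auth collided with CSRF (constructed, not pulpcore/DRF code)."""
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
SETTINGS = {"REMOTE_USER_ENVIRON_NAME": "HTTP_REMOTE_USER"}  # value from the issue


class CsrfFailed(Exception):
    pass


class SessionAuthentication:
    """Stand-in for a session login (what Django's RemoteUserMiddleware produces).
    Like DRF's SessionAuthentication, it demands a CSRF token on unsafe methods."""

    def authenticate(self, environ):
        user = environ.get("session_user")  # constructed stand-in for request.session
        if user is None:
            return None
        if environ["REQUEST_METHOD"] not in SAFE_METHODS and not environ.get("HTTP_X_CSRFTOKEN"):
            raise CsrfFailed("CSRF Failed: CSRF token missing or incorrect.")
        return user


class RemoteUserAuthentication:
    """Stateless stand-in: trusts the header the webserver set from the client cert CN.
    No session is involved, so no CSRF check applies. It is only sound when the
    webserver is the sole path to the app and sets/clears this header itself."""

    header = SETTINGS["REMOTE_USER_ENVIRON_NAME"]

    def authenticate(self, environ):
        return environ.get(self.header) or None


def authenticate(environ, auth_classes):
    """DRF-style ordering: the first class that yields a user wins; CsrfFailed becomes a 403."""
    for cls in auth_classes:
        user = cls().authenticate(environ)
        if user is not None:
            return user
    return None


# Constructed environ for the curl POST in the issue: Apache filled REMOTE_USER from the cert CN.
CERT_POST = {"REQUEST_METHOD": "POST", "HTTP_REMOTE_USER": "pulp-client"}


def before_fix(environ=CERT_POST):
    """Old wiring: middleware logged the cert user into a session, then DRF wanted CSRF."""
    try:
        session_env = dict(environ, session_user=environ.get("HTTP_REMOTE_USER"))
        return authenticate(session_env, [SessionAuthentication])
    except CsrfFailed as exc:
        return str(exc)


def after_fix(environ=CERT_POST):
    """New wiring: DRF reads the header directly; a request without it gets no user."""
    return authenticate(environ, [RemoteUserAuthentication])
```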