Feature #12401
closed
Add support for client certificate authentication.
Description
We make heavy use of certificate authentication and I've set up a foreman server to only allow certificate authentication. Unfortunately the cli only allows basic user authentication and therefore can't be used to change foreman settings on the command line.
Updated by Joe Mader over 7 years ago
Our shop does the same (requires client certs at the httpd level on the Foreman server), so hammer is consequently "broken" in favor of this security practice.
Updated by Tomáš Strachota over 7 years ago
- Category set to Hammer core
- Target version set to 115
Updated by Robert Frank over 7 years ago
- Related to Bug #12400: Missing option to enable verification of the server certificate. added
Updated by Robert Frank over 7 years ago
I've had a go at implementing it a while back in case anyone is interested:
https://github.com/rwf14f/hammer-cli-foreman/tree/server_client_cert_auth
It requires the changes in
https://github.com/rwf14f/hammer-cli-foreman/tree/server_verify_a
and
https://github.com/rwf14f/hammer-cli/tree/restclient_parameter_passing_a
for it to work (or the *_b branches).
I'm not sure whether it's still working at all though.
Updated by Tomáš Strachota over 7 years ago
Nice! There were some changes in apipie-bindings and hammer and authentication very recently. That unfortunately means you will need to backport your patch. On the other hand it should make it easier to implement. I think you can leave off the hammer-cli part now.
It should be just matter of implementing another authenticator, like here:
https://github.com/theforeman/hammer-cli-foreman/blob/master/lib/hammer_cli_foreman/api/interactive_basic_auth.rb
and then modifying the foreman api connection:
https://github.com/theforeman/hammer-cli-foreman/blob/master/lib/hammer_cli_foreman/api/connection.rb
Updated by Robert Frank over 7 years ago
Unfortunately, you can't use those authenticators to implement SSL authentication because SSL is set up before they are called. The authenticators only have access to the http request object (Net::HTTP::Get) and not the actual http object (Net::HTTP) which would be required to modify any SSL options (see transmit method in RestClient's request.rb).
Currently, you have to pass the SSL options to the apipie-bindings API using its options hash which is not supported by the current hammer-cli implementation.
Updated by Robert Frank over 7 years ago
Looking at this again makes me wonder whether support for additional SSL options should be added to hammer-cli itself instead of the Foreman module.
Updated by Robert Frank over 7 years ago
I've had a go at adding the ssl options to hammer-cli itself and it works for me:
Updated by Tomáš Strachota over 7 years ago
Cool, would you mind opening a pull request?
Updated by Robert Frank over 7 years ago
Updated by Tomáš Strachota over 7 years ago
- Status changed from New to Ready For Testing
- Assignee set to Robert Frank
- Pull request https://github.com/theforeman/hammer-cli/pull/230 added
Updated by Tomáš Strachota about 7 years ago
- translation missing: en.field_release set to 233
Updated by The Foreman Bot about 7 years ago
- Pull request https://github.com/theforeman/hammer-cli-foreman/pull/291 added
Updated by Martin Bacovsky about 7 years ago
- Related to Feature #18930: Document how to setup Hammer to auth with client cert added
Updated by Robert Frank about 7 years ago
- Status changed from Ready For Testing to Closed
- % Done changed from 0 to 100
Applied in changeset 7c2f44b3deddc60f005856660fb370b8e370b258.
Updated by The Foreman Bot over 6 years ago
- Pull request https://github.com/theforeman/hammer-cli/pull/248 added