Feature #12401

Add support for client certificate authentication.

Added by Robert Frank almost 2 years ago. Updated about 1 month ago.

Status: Closed
Priority: Normal
Assigned To: Robert Frank
Category: Hammer core
Target version: Foreman - Team Marek backlog
Difficulty:
Bugzilla link:
Found in release:
Pull request: https://github.com/theforeman/hammer-cli/pull/230, https://github.com/theforeman/hammer-cli-foreman/pull/291, https://github.com/theforeman/hammer-cli/pull/248
Story points: -
Velocity based estimate: -
Release: hammer-cli-0.10.0
Release relationship: Auto

Description

We make heavy use of certificate authentication and I've set up a Foreman server to only allow certificate authentication. Unfortunately the CLI only allows basic user authentication and therefore can't be used to change Foreman settings on the command line.


Related issues

Related to Hammer CLI - Bug #12400: Missing option to enable verification of the server certi... Closed 11/05/2015
Related to Hammer CLI - Support #18930: Document how to setup Hammer to auth with client cert New 03/16/2017

Associated revisions

Revision c10284d5
Added by Tomas Strachota 7 months ago

Refs #12401 - print original doc-loading exception

Revision 18cce183
Added by Tomas Strachota 7 months ago

Refs #12401 - handle credentials properly when ssl auth is used

Revision 7c2f44b3
Added by Robert Frank 7 months ago

Fixes #12401 - Add support for SSL options (#230)

  • Fixes #12401 - Add support for SSL options
  • Refs #12401 - Update apipie tests
  • Refs #12401 - Catching file exceptions
  • Refs #12401 - Default config file updated
  • Refs #12401 - Make sure ssl exceptions aren't hidden
  • Refs #12401 - Add option to allow both, standard and certificate auth

Revision e7ec2e9d
Added by Tomas Strachota about 1 month ago

Refs #12401 - More detailed description of ssl options (#248)

History

#1 Updated by Joe Mader 11 months ago

Our shop does the same (requires client certs at the httpd level on the Foreman server), so hammer is consequently "broken" in favor of this security practice.

#2 Updated by Tomáš Strachota 10 months ago

  • Category set to Hammer core
  • Target version set to Team Marek backlog

#3 Updated by Robert Frank 10 months ago

  • Related to Bug #12400: Missing option to enable verification of the server certificate. added

#4 Updated by Robert Frank 10 months ago

I've had a go at implementing it a while back in case anyone is interested:
https://github.com/rwf14f/hammer-cli-foreman/tree/server_client_cert_auth

It requires the changes in
https://github.com/rwf14f/hammer-cli-foreman/tree/server_verify_a
and
https://github.com/rwf14f/hammer-cli/tree/restclient_parameter_passing_a
for it to work (or the *_b branches).
I'm not sure whether it's still working at all though.

#5 Updated by Tomáš Strachota 10 months ago

Nice! There were some changes in apipie-bindings and hammer and authentication very recently. That unfortunately means you will need to backport your patch. On the other hand it should make it easier to implement. I think you can leave off the hammer-cli part now.

It should be just a matter of implementing another authenticator, like here:
https://github.com/theforeman/hammer-cli-foreman/blob/master/lib/hammer_cli_foreman/api/interactive_basic_auth.rb

and then modifying the foreman api connection:
https://github.com/theforeman/hammer-cli-foreman/blob/master/lib/hammer_cli_foreman/api/connection.rb

#6 Updated by Robert Frank 10 months ago

Unfortunately, you can't use those authenticators to implement SSL authentication because SSL is set up before they are called. The authenticators only have access to the http request object (Net::HTTP::Get) and not the actual http object (Net::HTTP) which would be required to modify any SSL options (see transmit method in RestClient's request.rb).
Currently, you have to pass the SSL options to the apipie-bindings API using its options hash which is not supported by the current hammer-cli implementation.
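
The constraint described in comment #6, shown with Ruby's standard library only (an added example, not part of the original thread or of hammer-cli's code): the client certificate, key and verification mode are attributes of the `Net::HTTP` connection, set before the handshake, while a `Net::HTTP::Get` request exposes none of them. The host name, the helper names and the self-signed certificate are constructed for illustration.

```ruby
require 'net/http'
require 'openssl'

# TLS settings that Net::HTTP exposes on the connection object.
TLS_SETTERS = %i[cert= key= ca_file= verify_mode=].freeze

# Constructed, self-signed client certificate for the demo (not a real credential).
def demo_client_identity
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=hammer-demo-client')
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Build a connection with the client identity attached and server
# verification kept on. Nothing is sent here; the TLS handshake would
# only happen once the connection is started.
def tls_connection(uri, cert, key, ca_file: nil)
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER # never VERIFY_NONE
  http.ca_file = ca_file if ca_file            # CA bundle that signed the server cert
  http.cert = cert
  http.key = key
  http
end

# Which of the TLS setters does an object expose?
def tls_setters(obj)
  TLS_SETTERS.select { |m| obj.respond_to?(m) }
end

if __FILE__ == $PROGRAM_NAME
  uri = URI('https://foreman.example.com/api/hosts') # hypothetical host
  cert, key = demo_client_identity
  http = tls_connection(uri, cert, key)
  puts "connection exposes: #{tls_setters(http).inspect}"
  puts "request exposes:    #{tls_setters(Net::HTTP::Get.new(uri)).inspect}"
end
```

A hook that only receives the request object therefore has nowhere to attach the certificate, which is why the options have to be supplied when the connection is built.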

#7 Updated by Robert Frank 10 months ago

Looking at this again makes me wonder whether support for additional SSL options should be added to hammer-cli itself instead of the Foreman module.

#8 Updated by Robert Frank 9 months ago

I've had a go at adding the ssl options to hammer-cli itself and it works for me:

https://github.com/rwf14f/hammer-cli/tree/ssloptions

#9 Updated by Tomáš Strachota 9 months ago

Cool, would you mind opening a pull request?

#11 Updated by Tomáš Strachota 9 months ago

  • Status changed from New to Ready For Testing
  • Assigned To set to Robert Frank
  • Pull request https://github.com/theforeman/hammer-cli/pull/230 added

#12 Updated by Tomáš Strachota 7 months ago

  • Release set to hammer-cli-0.10.0

#13 Updated by The Foreman Bot 7 months ago

  • Pull request https://github.com/theforeman/hammer-cli-foreman/pull/291 added

#14 Updated by Martin Bacovsky 7 months ago

  • Related to Support #18930: Document how to setup Hammer to auth with client cert added

#15 Updated by Robert Frank 7 months ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100

#16 Updated by The Foreman Bot 3 months ago

  • Pull request https://github.com/theforeman/hammer-cli/pull/248 added
