URL: https://github.com/freeipa/freeipa/pull/5314 Author: abbra Title: #5314: [Backport][ipa-4-9] Allow Apache to answer to ipa-ca requests without a redirect Action: opened
PR body: """ This PR was opened automatically because PR #5294 was pushed to master and backport to ipa-4-9 is required. """ To pull the PR as a Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5314/head:pr5314 git checkout pr5314
From fc5a2f72aae691a7922f51d8be90e5af684df21f Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Tue, 24 Nov 2020 16:15:17 -0500
Subject: [PATCH 1/2] Allow Apache to answer to ipa-ca requests without a redirect
Any request other than the FQDN is redirected with a permanent move (301). Allowing ipa-ca as a valid name saves a round-trip. This is only allowed on /ca, /kra, /pki, /acme and /ipa/crl.
https://pagure.io/freeipa/issue/8595
Signed-off-by: Rob Crittenden <rcrit...@redhat.com>
---
 install/share/ipa-rewrite.conf.template | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/install/share/ipa-rewrite.conf.template b/install/share/ipa-rewrite.conf.template
index 37661b8200e..c3d61646f51 100644
--- a/install/share/ipa-rewrite.conf.template
+++ b/install/share/ipa-rewrite.conf.template
@@ -1,4 +1,4 @@
-# VERSION 6 - DO NOT REMOVE THIS LINE
+# VERSION 7 - DO NOT REMOVE THIS LINE
 RewriteEngine on
@@ -9,6 +9,7 @@ ${AUTOREDIR}RewriteRule ^/$$ https://$FQDN/ipa/ui [L,NC,R=301]
 # Redirect to the fully-qualified hostname. Not redirecting to secure
 # port so configuration files can be retrieved without requiring SSL.
 RewriteCond %{HTTP_HOST} !^$FQDN$$ [NC]
+RewriteCond %{HTTP_HOST} !^ipa-ca.$DOMAIN$$ [NC]
 RewriteRule ^/ipa/(.*) http://$FQDN/ipa/$$1 [L,R=301]
 # Redirect to the secure port if not displaying an error or retrieving
@@ -18,5 +19,10 @@ RewriteCond %{REQUEST_URI} !^/ipa/(errors|config|crl)
 RewriteCond %{REQUEST_URI} !^/ipa/[^\?]+(\.js|\.css|\.png|\.gif|\.ico|\.woff|\.svg|\.ttf|\.eot)$$
 RewriteRule ^/ipa/(.*) https://$FQDN/ipa/$$1 [L,R=301,NC]
+RewriteCond %{HTTP_HOST} ^ipa-ca.$DOMAIN$$ [NC]
+RewriteCond %{REQUEST_URI} !^/ipa/crl
+RewriteCond %{REQUEST_URI} !^/(ca|kra|pki|acme)
+RewriteRule ^/(.*) https://$FQDN/$$1 [L,R=301]
+
 # Rewrite for plugin index, make it like it's a static file
 RewriteRule ^/ipa/ui/js/freeipa/plugins.js$$ /ipa/wsgi/plugins.py [PT]
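Review bot: The `.` in both new host conditions, `!^ipa-ca.$DOMAIN$$` and `^ipa-ca.$DOMAIN$$`, is an unescaped regex metacharacter, so a Host header such as `ipa-caXexample.test` (constructed example) satisfies them too; escape it as `!^ipa-ca\.$DOMAIN$$` and `^ipa-ca\.$DOMAIN$$` (the dots inside the substituted `$DOMAIN` and `$FQDN` values have the same weakness, but that predates this change). The new path exemption `!^/(ca|kra|pki|acme)` is likewise a bare prefix match, so a request for `/cafoo` or `/acmebar` on the ipa-ca name would also skip the redirect to the FQDN; `!^/(ca|kra|pki|acme)(/|$$)` pins it to the directories the commit message names. Both are defensive tightenings, since the rule only decides whether a 301 is issued.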
From 510e73aeb6ffe4844f4a3e993b2be01c435895a7 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Tue, 24 Nov 2020 17:17:50 -0500
Subject: [PATCH 2/2] ipatests: Test that ipa-ca.$domain can retrieve CRLs without redirect
https://pagure.io/freeipa/issue/8595
Signed-off-by: Rob Crittenden <rcrit...@redhat.com>
---
 .../test_integration/test_installation.py | 59 +++++++++++++++++++
 1 file changed, 59 insertions(+)
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
index b5df42b6705..1335b29306f 100644
--- a/ipatests/test_integration/test_installation.py
+++ b/ipatests/test_integration/test_installation.py
@@ -21,6 +21,7 @@ from ipalib import x509
 from ipalib.constants import DOMAIN_LEVEL_0
+from ipalib.constants import IPA_CA_RECORD
 from ipalib.sysrestore import SYSRESTORE_STATEFILE, SYSRESTORE_INDEXFILE
 from ipapython.dn import DN
 from ipaplatform.constants import constants
@@ -1039,6 +1040,64 @@ def test_ipa_selinux_policy(self):
 }
 assert ('200', 'ipa', 'pp') in entries
+ def test_ipaca_no_redirect(self):
+ """Test that ipa-ca.$DOMAIN does not redirect
+
+ ipa-ca is a valid name for an IPA server. It should not
+ require a redirect.
+
+ CRL generation does not need to be enabled for this test.
+ We aren't exactly testing that a CRL can be retrieved, just
+ that the redirect doesn't happen.
+ """
+
+ def run_request(url, expected_stdout=None, expected_stderr=None):
+ result = self.master.run_command(['curl', '-s', '-v', url])
+ if expected_stdout:
+ assert expected_stdout in result.stdout_text
+ if expected_stderr:
+ assert expected_stderr in result.stderr_text
+
+ # CRL publishing on start-up is disabled so drop a file there
+ crlfile = os.path.join(paths.PKI_CA_PUBLISH_DIR, 'MasterCRL.bin')
+ self.master.put_file_contents(crlfile, 'secret')
+
+ hosts = (
+ f'{IPA_CA_RECORD}.{self.master.domain.name}',
+ self.master.hostname,
+ )
+
+ # Positive tests. Both hosts can serve these.
+ urls = (
+ 'http://{host}/ipa/crl/MasterCRL.bin',
+ 'http://{host}/ca/ocsp',
+ 'https://{host}/ca/admin/ca/getCertChain',
+ 'https://{host}/acme/',
+ )
+ for url in urls:
+ for host in hosts:
+ run_request(
+ url.format(host=host),
+ expected_stderr='HTTP/1.1 200'
+ )
+
+ # Negative tests. ipa-ca cannot serve these and will redirect and
+ # test that existing redirect for unencrypted still works
+ urls = (
+ 'http://{host}/',
+ 'http://{host}/ipa/json',
+ 'http://{carecord}.{domain}/ipa/json',
+ 'https://{carecord}.{domain}/ipa/json',
+ 'http://{carecord}.{domain}/ipa/config/ca.crt',
+ )
+ for url in urls:
+ run_request(
+ url.format(host=self.master.hostname,
+ domain=self.master.domain.name,
+ carecord=IPA_CA_RECORD),
+ expected_stdout=f'href="https://{self.master.hostname}/'
+ )
+
 class TestInstallMasterKRA(IntegrationTest):
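Review bot: The placeholder CRL written by `self.master.put_file_contents(crlfile, 'secret')` is never removed, so a `MasterCRL.bin` containing `secret` stays in `paths.PKI_CA_PUBLISH_DIR` for every later test in this class and remains fetchable through `/ipa/crl/` on the master until real CRL publishing overwrites it. Wrap the request loops in `try:` ... `finally: self.master.run_command(['rm', '-f', crlfile])`, and consider leaving an already-present file alone (or restoring it afterwards) so a real CRL is not clobbered. The positive check `expected_stderr='HTTP/1.1 200'` also assumes curl negotiates HTTP/1.1; if the server offers HTTP/2, curl's verbose output reads `HTTP/2 200` and the assertion fails, so matching the status code alone or passing `--http1.1` to curl would be more robust. The new method is complete within this hunk, but its enclosing class starts before it.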