Allow to configure SSL authnetication backend.

By configuring in JSON ssl-authentication to true for backend it will turn listening apache to SSL based authorisation system. SSL authorisation on such entry point is obligatory. In order to follow typical ERP5 configuration SSL_CLIENT_S_DN_CN will be passed as REMOTE_USER to Zope backend. ERP5 CA is used to validate certificates.

Allow to configure SSL authnetication backend.
By configuring in JSON ssl-authentication to true for backend it will turn listening apache to SSL based authorisation system. SSL authorisation on such entry point is obligatory. In order to follow typical ERP5 configuration SSL_CLIENT_S_DN_CN will be passed as REMOTE_USER to Zope backend. ERP5 CA is used to validate certificates.
cc10a28c · Łukasz Nowak · 7fd8b983 · cc10a28c · cc10a28c · cc10a28c
Commit cc10a28c authored Mar 15, 2012 by Łukasz Nowak
5 changed files
--- a/slapos/recipe/apache_zope_backend/__init__.py
+++ b/slapos/recipe/apache_zope_backend/__init__.py
@@ -49,6 +49,12 @@ class Recipe(GenericBaseRecipe):
      apache_conf['ssl_session_cache'] = self.options['ssl-session-cache']
      apache_conf['ssl_snippet'] = pkg_resources.resource_string(__name__,
          'template/snippet.ssl.in') % apache_conf
+      if self.optionIsTrue('ssl-authentication'):
+        apache_conf['ssl_snippet'] += pkg_resources.resource_string(__name__,
+          'template/snippet.ssl.ca.in') % dict(
+            ca_certificate=self.options['ssl-authentication-certificate'],
+            ca_crl=self.options['ssl-authentication-crl']
+          )
    else:
      raise ValueError, "Unsupported scheme %s" % scheme


--- a/slapos/recipe/apache_zope_backend/template/snippet.ssl.ca.in
+++ b/slapos/recipe/apache_zope_backend/template/snippet.ssl.ca.in
+SSLVerifyClient require
+RequestHeader set REMOTE_USER %%{SSL_CLIENT_S_DN_CN}s
+SSLCACertificateFile %(ca_certificate)s
+SSLCARevocationPath %(ca_crl)s
--- a/slapos/recipe/generate_erp5_tidstorage.py
+++ b/slapos/recipe/generate_erp5_tidstorage.py
@@ -168,7 +168,9 @@ class Recipe(GenericSlapRecipe):
        access_control_string=backend_configuration['access-control-string'],
        maxconn=backend_configuration['maxconn'],
        server_check_path='/%s/getId' % site_id,
-        haproxy_backend_list=' '.join(haproxy_backend_list)
+        haproxy_backend_list=' '.join(haproxy_backend_list),
+        ssl_authentication=backend_configuration.get('ssl-authentication',
+          False)
      )
      current_apache_port += 1
      output += snippet_backend % backend_dict

--- a/software/erp5/snippet-backend.cfg
+++ b/software/erp5/snippet-backend.cfg
@@ -30,6 +30,10 @@ ssl-session-cache = $${basedirectory:log}/apache-ssl-session-cache
 error-log = $${basedirectory:log}/apache-%(backend_name)s-error.log
 access-log = $${basedirectory:log}/apache-%(backend_name)s-access.log
 apache-binary = ${apache:location}/bin/httpd
+ssl-authentication = %(ssl_authentication)s
+# Note: Without erp5-certificate-authority main certificate have to be hardcoded
+ssl-authentication-certificate = $${erp5-certificate-authority:ca-dir}/cacert.pem
+ssl-authentication-crl = $${erp5-certificate-authority:ca-crl}

 [ca-apache-%(backend_name)s]
 <= certificate-authority

--- a/software/erp5/software.cfg
+++ b/software/erp5/software.cfg
@@ -136,7 +136,7 @@ mode = 0644
 [template-snippet-backend]
 recipe = slapos.recipe.template
 url = ${:_profile_base_location_}/snippet-backend.cfg
-md5sum = 7285e671bfb6d905f859d0787ac931c4
+md5sum = 30c59038d504addaf9dfb276b84004a9
 output = ${buildout:directory}/template-snippet-backend.cfg
 mode = 0644

@@ -227,4 +227,4 @@ signature-certificate-list =
  YLEZJbofF7gSrRIcrlUJYXfTfw1QUBOKkGFFDsiJpEg4y5pUk1s5Jq9K3SDzNq/W
  it1oYjOhuGg3al8OOeKFrU6nvNTF1BAvJCl0tr3POai5yXyN5jlK/zPfypmQYxE+
  TaqQSGBJPVXYt6lrq/PRD9ciZgKLOwEqK8w=
-  -----END CERTIFICATE-----
\ No newline at end of file
+  -----END CERTIFICATE-----