Convert Apache IPA authentication template to EPP

This moves the IPA authentication from 4 separate ERB files to a single
EPP file. This gives better guarantees because of data types. It's also
easier to maintain a single file that gives the complete overview of the
feature.

It's moved to foreman::config::apache together with the inclusion of
required modules. This does make the http_keytab variable a bit uglier.

Author: ekohl

manifests/config.pp

@@ -207,7 +207,7 @@
         content => template('foreman/pam_service.erb'),
       }
 
-      $http_keytab = pick($foreman::http_keytab, "${apache::conf_dir}/http.keytab")
+      $http_keytab = $foreman::config::apache::http_keytab
 
       exec { 'ipa-getkeytab':
         command => "/bin/echo Get keytab \
@@ -222,24 +222,6 @@
         mode   => '0600',
       }
 
-      $gssapi_local_name = bool2str($foreman::gssapi_local_name, 'On', 'Off')
-
-      foreman::config::apache::fragment { 'intercept_form_submit':
-        ssl_content => template('foreman/intercept_form_submit.conf.erb'),
-      }
-
-      foreman::config::apache::fragment { 'lookup_identity':
-        ssl_content => template('foreman/lookup_identity.conf.erb'),
-      }
-
-      foreman::config::apache::fragment { 'auth_gssapi':
-        ssl_content => template('foreman/auth_gssapi.conf.erb'),
-      }
-
-      foreman::config::apache::fragment { 'external_auth_api':
-        ssl_content => template('foreman/external_auth_api.conf.erb'),
-      }
-
       if $foreman::ipa_manage_sssd {
         $sssd = pick(fact('foreman_sssd'), {})
         $sssd_services = join(unique(pick($sssd['services'], []) + ['ifp']), ', ')

manifests/config/apache.pp

@@ -238,6 +238,20 @@
     include apache::mod::intercept_form_submit
     include apache::mod::lookup_identity
     include apache::mod::auth_gssapi
+
+    # This is also used in manifests::config
+    $http_keytab = pick($foreman::http_keytab, "${apache::conf_dir}/http.keytab")
+
+    $external_auth_context = {
+      'pam_service'            => $foreman::pam_service,
+      'keytab'                 => $foreman::http_keytab,
+      'gssapi_local_name'      => $foreman::gssapi_local_name,
+      'ipa_authentication_api' => $foreman::ipa_authentication_api,
+    }
+
+    foreman::config::apache::fragment { 'intercept_form_submit':
+      ssl_content => epp('foreman/apache_ipa_authentication.epp', $external_auth_context),
+    }
   } elsif $keycloak {
     include apache::mod::auth_openidc
 

templates/apache_ipa_authentication.epp

@@ -0,0 +1,69 @@
+<%|
+  String[1] $pam_service,
+  Stdlib::Absolutepath $keytab,
+  Boolean $gssapi_local_name,
+  Boolean $ipa_authentication_api,
+-%>
+
+<Location /users/login>
+  InterceptFormPAMService <%= $pam_service %>
+  InterceptFormLogin login[login]
+  InterceptFormPassword login[password]
+</Location>
+
+<LocationMatch ^(/api(/v2)?)?/users/(ext)?login/?$>
+  LookupUserAttr email REMOTE_USER_EMAIL
+  LookupUserAttr firstname REMOTE_USER_FIRSTNAME
+  LookupUserAttr lastname REMOTE_USER_LASTNAME
+  LookupUserGroups REMOTE_USER_GROUPS :
+  LookupUserGroupsIter REMOTE_USER_GROUP
+
+  # Set headers for proxy requests
+  RequestHeader set REMOTE_USER %{REMOTE_USER}e
+  RequestHeader set REMOTE_USER_EMAIL %{REMOTE_USER_EMAIL}e
+  RequestHeader set REMOTE_USER_FIRSTNAME %{REMOTE_USER_FIRSTNAME}e
+  RequestHeader set REMOTE_USER_LASTNAME %{REMOTE_USER_LASTNAME}e
+  RequestHeader set REMOTE_USER_GROUPS %{REMOTE_USER_GROUPS}e
+</LocationMatch>
+
+<LocationMatch ^/users/extlogin/?$>
+  SSLRequireSSL
+  AuthType GSSAPI
+  AuthName "GSSAPI Single Sign On Login"
+  GssapiCredStore keytab:<%= $keytab %>
+  GssapiSSLonly On
+  GssapiLocalName <%= $gssapi_local_name %>
+  # require valid-user
+  require pam-account <%= $pam_service %>
+  ErrorDocument 401 '<html><meta http-equiv="refresh" content="0; URL=/users/login"><body>Kerberos authentication did not pass.</body></html>'
+  # The following is needed as a workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1020087
+  ErrorDocument 500 '<html><meta http-equiv="refresh" content="0; URL=/users/login"><body>Kerberos authentication did not pass.</body></html>'
+</LocationMatch>
+
+<LocationMatch ^/api(/v2)?/users/extlogin/?$>
+  SSLRequireSSL
+  <% if $ipa_authentication_api -%>
+  <If "%{HTTP:Authorization} =~ /^Basic/">
+    AuthType Basic
+    AuthName "PAM Authentication"
+    AuthBasicProvider PAM
+    AuthPAMService <%= $pam_service %>
+  </If>
+  <Else>
+    AuthType GSSAPI
+    AuthName "GSSAPI Single Sign On Login"
+    GssapiCredStore keytab:<%= $keytab %>
+    GssapiSSLonly On
+    GssapiLocalName <%= apache::bool2httpd($gssapi_local_name) %>
+  </Else>
+  <% else -%>
+  AuthType Basic
+  AuthName "PAM Authentication"
+  AuthBasicProvider PAM
+  AuthPAMService <%= $pam_service %>
+  <% end -%>
+  require pam-account <%= $pam_service %>
+  ErrorDocument 401 '{ "error": "External authentication did not pass." }'
+  # The following is needed as a workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1020087
+  ErrorDocument 500 '{ "error": "External authentication did not pass." }'
+</LocationMatch>