Add support for client cert auth

[noissue]
pulp · Feb 5, 2021 · 0d984ab · 0d984ab
1 parent a0be3c8
commit 0d984ab
Show file tree

Hide file tree

Showing 4 changed files with 28 additions and 0 deletions.
diff --git a/CHANGES/122.feature b/CHANGES/122.feature
@@ -0,0 +1 @@
+Added support for client certificate auth
diff --git a/README.md b/README.md
@@ -65,6 +65,19 @@ login admin
 password password
 ```
 
+### Katello
+
+If you have a Katello environment and wish to use pulp-cli to connect to Pulp, you'll need to
+configure client certificate authentication:
+
+```toml
+[cli]
+base_url = "https://<your FQDN>"
+client_cert = "/etc/pki/katello/certs/pulp-client.crt"
+client_key = "/etc/pki/katello/private/pulp-client.key"
+verify_ssl = false
+```
+
 ## Known issues
 
   * Redirecting from `http` to `https`, as done by a typical Pulp installation,

diff --git a/pulpcore/cli/common/__init__.py b/pulpcore/cli/common/__init__.py
@@ -42,6 +42,10 @@ def _config_callback(ctx: click.Context, param: Any, value: Optional[str]) -> No
 @click.option("--base-url", default="https://localhost", help="Api base url")
 @click.option("--username", help="Username on pulp server")
 @click.option("--password", help="Password on pulp server")
+@click.option("--client-cert", help="Path to client certificate")
+@click.option(
+    "--client-key", help="Path to client private key. Not required if client cert contains this."
+)
 @click.option("--verify-ssl/--no-verify-ssl", default=True, help="Verify SSL connection")
 @click.option(
     "--format", type=click.Choice(["json", "yaml", "none"], case_sensitive=False), default="json"
@@ -69,6 +73,8 @@ def main(
     base_url: str,
     username: Optional[str],
     password: Optional[str],
+    client_cert: Optional[str],
+    client_key: Optional[str],
     verify_ssl: bool,
     format: str,
     verbose: int,
@@ -85,6 +91,8 @@ def _debug_callback(level: int, x: str) -> None:
         doc_path="/pulp/api/v3/docs/api.json",
         username=username,
         password=password,
+        client_cert=client_cert,
+        client_key=client_key,
         validate_certs=verify_ssl,
         refresh_cache=refresh_api,
         safe_calls_only=dry_run,

diff --git a/pulpcore/cli/common/openapi.py b/pulpcore/cli/common/openapi.py
@@ -26,6 +26,8 @@ def __init__(
         doc_path: str,
         username: Optional[str] = None,
         password: Optional[str] = None,
+        client_cert: Optional[str] = None,
+        client_key: Optional[str] = None,
         validate_certs: bool = True,
         refresh_cache: bool = False,
         safe_calls_only: bool = False,
@@ -50,6 +52,10 @@ def __init__(
             raise OpenAPIError("Password is required if username is set.")
         elif password:
             raise OpenAPIError("Username is required if password is set.")
+        elif client_cert and client_key:
+            self._session.cert = (client_cert, client_key)
+        elif client_cert:
+            self._session.cert = client_cert
         self._session.headers.update(headers)
         self._session.verify = validate_certs