From 0d984abc36b06ac197ec984062d5ec6bda245eb4 Mon Sep 17 00:00:00 2001
From: David Davis
Date: Fri, 5 Feb 2021 15:53:05 -0500
Subject: [PATCH] Add support for client cert auth [noissue]
---
 CHANGES/122.feature | 1 +
 README.md | 13 +++++++++++++
 pulpcore/cli/common/__init__.py | 8 ++++++++
 pulpcore/cli/common/openapi.py | 6 ++++++
 4 files changed, 28 insertions(+)
 create mode 100644 CHANGES/122.feature
diff --git a/CHANGES/122.feature b/CHANGES/122.feature
new file mode 100644
index 000000000..ffdca5870
--- /dev/null
+++ b/CHANGES/122.feature
@@ -0,0 +1 @@
+Added support for client certificate auth
diff --git a/README.md b/README.md
index 27f7a3dca..7c90baf3e 100644
--- a/README.md
+++ b/README.md
@@ -65,6 +65,19 @@ login admin
 password password
 ```
 
+### Katello
+
+If you have a Katello environment and wish to use pulp-cli to connect to Pulp, you'll need to
+configure client certificate authentication:
+
+```toml
+[cli]
+base_url = "https://"
+client_cert = "/etc/pki/katello/certs/pulp-client.crt"
+client_key = "/etc/pki/katello/private/pulp-client.key"
+verify_ssl = false
+```
+
 ## Known issues
 
 * Redirecting from `http` to `https`, as done by a typical Pulp installation,
diff --git a/pulpcore/cli/common/__init__.py b/pulpcore/cli/common/__init__.py
index 73ed1fd42..df5b4b7d5 100644
--- a/pulpcore/cli/common/__init__.py
+++ b/pulpcore/cli/common/__init__.py
@@ -42,6 +42,10 @@ def _config_callback(ctx: click.Context, param: Any, value: Optional[str]) -> No
 @click.option("--base-url", default="https://localhost", help="Api base url")
 @click.option("--username", help="Username on pulp server")
 @click.option("--password", help="Password on pulp server")
+@click.option("--client-cert", help="Path to client certificate")
+@click.option(
+ "--client-key", help="Path to client private key. Not required if client cert contains this."
+)
 @click.option("--verify-ssl/--no-verify-ssl", default=True, help="Verify SSL connection")
 @click.option(
 "--format", type=click.Choice(["json", "yaml", "none"], case_sensitive=False), default="json"
@@ -69,6 +73,8 @@ def main(
 base_url: str,
 username: Optional[str],
 password: Optional[str],
+ client_cert: Optional[str],
+ client_key: Optional[str],
 verify_ssl: bool,
 format: str,
 verbose: int,
@@ -85,6 +91,8 @@ def _debug_callback(level: int, x: str) -> None:
 doc_path="/pulp/api/v3/docs/api.json",
 username=username,
 password=password,
+ client_cert=client_cert,
+ client_key=client_key,
 validate_certs=verify_ssl,
 refresh_cache=refresh_api,
 safe_calls_only=dry_run,
diff --git a/pulpcore/cli/common/openapi.py b/pulpcore/cli/common/openapi.py
index 9fcbc95db..bb97e73ef 100644
--- a/pulpcore/cli/common/openapi.py
+++ b/pulpcore/cli/common/openapi.py
@@ -26,6 +26,8 @@ def __init__(
 doc_path: str,
 username: Optional[str] = None,
 password: Optional[str] = None,
+ client_cert: Optional[str] = None,
+ client_key: Optional[str] = None,
 validate_certs: bool = True,
 refresh_cache: bool = False,
 safe_calls_only: bool = False,
@@ -50,6 +52,10 @@ def __init__(
 raise OpenAPIError("Password is required if username is set.")
 elif password:
 raise OpenAPIError("Username is required if password is set.")
+ elif client_cert and client_key:
+ self._session.cert = (client_cert, client_key)
+ elif client_cert:
+ self._session.cert = client_cert
 self._session.headers.update(headers)
 self._session.verify = validate_certs
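Review bot: The new `--client-cert` and `--client-key` options in the `@click.option` stack of pulpcore/cli/common/__init__.py (hunk at -42,6) accept any string, so a mistyped or unreadable path is only discovered later, presumably when the session first opens a TLS connection. Declaring both with `type=click.Path(exists=True, dir_okay=False)` would reject a bad path at argument parsing with a clear message that names the option. The decorated function itself starts below this hunk.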
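Review bot: In the hunk at -85,6 of pulpcore/cli/common/__init__.py, `client_cert` and `client_key` are passed next to `validate_certs=verify_ssl`, and nothing objects when a client certificate is combined with `--no-verify-ssl`; the README example added in this same patch sets `verify_ssl = false`. In that configuration the client authenticates itself to a server whose identity is never checked, so requests and responses can be read or answered by an impersonating endpoint. Consider warning before the call, e.g. `if client_cert and not verify_ssl: click.echo("Warning: client certificate is used without verifying the server certificate.", err=True)`, and stating the trade-off in the README. The call these keyword arguments belong to begins above the hunk.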
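Review bot: A `client_key` passed without `client_cert` falls through the new `elif` branches in pulpcore/cli/common/openapi.py (hunk at -50,6) and is silently ignored, whereas the neighbouring branches raise `OpenAPIError` for a password without a username. Add a matching branch after `elif client_cert:`, namely `elif client_key:` followed by `raise OpenAPIError("Client certificate is required if client key is set.")`. Because the new branches hang off the username/password chain, a certificate supplied together with a username also appears to be dropped without notice; either reject that combination or set `self._session.cert` independently of the basic-auth check. The `if` that opens this chain lies outside the hunk and indentation was lost in this copy, so the exact nesting should be confirmed.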