Add support for client cert auth

CHANGES/122.feature

@@ -0,0 +1 @@
+Added support for client certificate auth

README.md

@@ -65,6 +65,19 @@ login admin
 password password
 ```
 
+### Katello
+
+If you have a Katello environment and wish to use pulp-cli to connect to Pulp, you'll need to
+configure client certificate authentication:
+
+```toml
+[cli]
+base_url = "https://<your FQDN>"
+cert = "/etc/pki/katello/certs/pulp-client.crt"
+key = "/etc/pki/katello/private/pulp-client.key"
+verify_ssl = false
+```
+
 ## Known issues
 
   * Redirecting from `http` to `https`, as done by a typical Pulp installation,

pulpcore/cli/common/__init__.py

@@ -42,6 +42,10 @@ def _config_callback(ctx: click.Context, param: Any, value: Optional[str]) -> No
 @click.option("--base-url", default="https://localhost", help="Api base url")
 @click.option("--username", help="Username on pulp server")
 @click.option("--password", help="Password on pulp server")
+@click.option("--cert", help="Path to client certificate")
+@click.option(
+    "--key", help="Path to client private key. Not required if client cert contains this."
+)
 @click.option("--verify-ssl/--no-verify-ssl", default=True, help="Verify SSL connection")
 @click.option(
     "--format", type=click.Choice(["json", "yaml", "none"], case_sensitive=False), default="json"
@@ -69,6 +73,8 @@ def main(
     base_url: str,
     username: Optional[str],
     password: Optional[str],
+    cert: Optional[str],
+    key: Optional[str],
     verify_ssl: bool,
     format: str,
     verbose: int,
@@ -85,6 +91,8 @@ def _debug_callback(level: int, x: str) -> None:
         doc_path="/pulp/api/v3/docs/api.json",
         username=username,
         password=password,
+        cert=cert,
+        key=key,
         validate_certs=verify_ssl,
         refresh_cache=refresh_api,
         safe_calls_only=dry_run,

pulpcore/cli/common/openapi.py

@@ -26,6 +26,8 @@ def __init__(
         doc_path: str,
         username: Optional[str] = None,
         password: Optional[str] = None,
+        cert: Optional[str] = None,
+        key: Optional[str] = None,
         validate_certs: bool = True,
         refresh_cache: bool = False,
         safe_calls_only: bool = False,
@@ -45,11 +47,19 @@ def __init__(
         }
         self._session: requests.Session = requests.session()
         if username and password:
+            if cert or key:
+                raise OpenAPIError("Cannot use both username/password and cert auth.")
             self._session.auth = (username, password)
         elif username:
             raise OpenAPIError("Password is required if username is set.")
         elif password:
             raise OpenAPIError("Username is required if password is set.")
+        elif cert and key:
+            self._session.cert = (cert, key)
+        elif cert:
+            self._session.cert = cert
+        elif key:
+            raise OpenAPIError("Cert is required if key is set.")
         self._session.headers.update(headers)
         self._session.verify = validate_certs
 

tests/scripts/test_config.sh

@@ -16,3 +16,9 @@ expect_fail pulp --config "$good_settings" --base-url "http://badurl" file repos
 
 # fail as both username and password are required together
 expect_fail pulp --password test file repository list
+
+# fail when using basic auth and cert auth
+expect_fail pulp --username test --password test --client "/some/path" status
+
+# fail when using basic auth and cert auth
+expect_fail pulp --key "/some/path" file remote list