manually merge the essence of PR84 - thanks @albu-diku. For the record I made a number of adjustments to document said conf options and put them in a slightly more 'logical' location and order, which I realized was not at all obvious for anyone but us few long-term operators.

jonasbardino · jonasbardino · commit d0b426d2f4b7 · 2024-07-16T10:53:10.000Z
git-svn-id: svn+ssh://svn.code.sf.net/p/migrid/code/trunk@6090 b75ad72c-e7d7-11dd-a971-7dbc132099af
diff --git a/mig/install/MiGserver-template.conf b/mig/install/MiGserver-template.conf
@@ -55,6 +55,18 @@ admin_list = __ADMIN_LIST__
 # If left empty the sender defaults to something like __USER__@__BASE_FQDN__ .
 smtp_sender = __SMTP_SENDER__
 
+# Optional client certificate authentication
+# FQDN of the Certificate Authority host managing/signing user certificates.
+# Leave empty to disable unless you want client certificate authentication and
+# have your own CA to handle that part.
+ca_fqdn = __CA_FQDN__
+# Local user account used for certificate handling on the CA host. Defaults to
+# mig-ca if unset but only ever used if ca_fqdn is set. 
+ca_user = __CA_USER__
+# SMTP server used in relation to the user certificate handling. Defaults to
+# localhost if unset but only ever used if ca_fqdn is set.
+ca_smtp = __CA_SMTP__
+
 # Base paths
 # TODO: tilde in paths is not expanded where configparser is used directly!
 state_path = __MIG_STATE__
diff --git a/mig/install/generateconfs.py b/mig/install/generateconfs.py
@@ -201,7 +201,10 @@ def usage(options):
         'gdp_data_categories',
         'gdp_id_scramble',
         'gdp_path_scramble',
-        'quota_backend'
+        'quota_backend',
+        'ca_fqdn',
+        'ca_user',
+        'ca_smtp'
     ]
     int_names = [
         'cert_valid_days',
diff --git a/mig/shared/install.py b/mig/shared/install.py
@@ -465,6 +465,9 @@ def generate_confs(
     quota_backend='lustre',
     quota_user_limit=(1024**4),
     quota_vgrid_limit=(1024**4),
+    ca_fqdn='',
+    ca_user='mig-ca',
+    ca_smtp='localhost',
     _getpwnam=pwd.getpwnam,
 ):
     """Generate Apache and MiG server confs with specified variables"""
@@ -649,6 +652,9 @@ def generate_confs(
     user_dict['__EXT_OIDC_REMOTE_USER_CLAIM__'] = ext_oidc_remote_user_claim
     user_dict['__EXT_OIDC_PASS_CLAIM_AS__'] = ext_oidc_pass_claim_as
     user_dict['__EXT_OIDC_REWRITE_COOKIE__'] = ext_oidc_rewrite_cookie
+    user_dict['__CA_FQDN__'] = ca_fqdn
+    user_dict['__CA_USER__'] = ca_user
+    user_dict['__CA_SMTP__'] = ca_smtp
     user_dict['__PUBLIC_URL__'] = ''
     user_dict['__PUBLIC_ALIAS_URL__'] = ''
     user_dict['__PUBLIC_HTTP_URL__'] = ''
diff --git a/tests/fixture/confs-stdlocal/MiGserver.conf b/tests/fixture/confs-stdlocal/MiGserver.conf
@@ -55,6 +55,18 @@ admin_list =
 # If left empty the sender defaults to something like testuser@ .
 smtp_sender = 
 
+# Optional client certificate authentication
+# FQDN of the Certificate Authority host managing/signing user certificates.
+# Leave empty to disable unless you want client certificate authentication and
+# have your own CA to handle that part.
+ca_fqdn = 
+# Local user account used for certificate handling on the CA host. Defaults to
+# mig-ca if unset but only ever used if ca_fqdn is set. 
+ca_user = mig-ca
+# SMTP server used in relation to the user certificate handling. Defaults to
+# localhost if unset but only ever used if ca_fqdn is set.
+ca_smtp = localhost
+
 # Base paths
 # TODO: tilde in paths is not expanded where configparser is used directly!
 state_path = /home/mig/state
