Always compare CNs as downcase

ehelms · ekohl · commit 5caacb078907 · 2025-02-24T20:11:26.000+01:00
diff --git a/manifests/container.pp b/manifests/container.pp
@@ -24,7 +24,7 @@
         'provider'        => 'location',
         'path'            => "${location_prefix}${registry_v2_path}",
         'request_headers' => ["set SSL_CLIENT_S_DN \"admin\""],
-        'requires'        => ["expr %{SSL_CLIENT_S_DN_CN} == \"${certs::foreman_proxy::hostname}\""]
+        'requires'        => ["expr %{tolower:%{SSL_CLIENT_S_DN_CN}} == \"${certs::foreman_proxy::hostname.downcase}\""]
       },
     ],
     'proxy_pass' => [
diff --git a/spec/classes/foreman_proxy_content__container_spec.rb b/spec/classes/foreman_proxy_content__container_spec.rb
@@ -18,7 +18,7 @@
             .with_vhost('pulpcore-https')
             .with_priority('10')
             .with_content(%r{^\s+<Location "/pulpcore_registry/v2/">$})
-            .with_content(%r{^\s+Require expr %\{SSL_CLIENT_S_DN_CN\} == "foo.example.com"$})
+            .with_content(%r{^\s+Require expr %\{tolower:%\{SSL_CLIENT_S_DN_CN\}\} == "foo.example.com"$})
             .with_content(%r{^\s+RequestHeader set SSL_CLIENT_S_DN "admin"$})
             .with_content(%r{^\s+</Location>$})
             .with_content(%r{^\s+ProxyPass /v1/ https://foo\.example\.com:8443/container_gateway/v1/$})
@@ -37,7 +37,7 @@
             .with_vhost('rhsm-pulpcore-reverse-proxy-443')
             .with_priority('10')
             .with_content(%r{^\s+<Location "/other_pulpcore_registry/vr2/">$})
-            .with_content(%r{^\s+Require expr %\{SSL_CLIENT_S_DN_CN\} == "foo.example.com"$})
+            .with_content(%r{^\s+Require expr %\{tolower:%\{SSL_CLIENT_S_DN_CN\}\} == "foo.example.com"$})
             .with_content(%r{^\s+RequestHeader set SSL_CLIENT_S_DN "admin"$})
             .with_content(%r{^\s+</Location>$})
             .with_content(%r{^\s+ProxyPass /vr1/ https://foo\.example\.com:8443/container_gateway/vr1/$})
