From 6787832bdee7dbb039616e13f9721d026ef23f4e Mon Sep 17 00:00:00 2001 From: Priit Tark Date: Mon, 11 May 2015 12:30:25 +0300 Subject: [PATCH] Added helpful pki config errors if dedected, updated apache examples --- CHANGELOG.md | 1 + README.md | 6 ++++++ app/controllers/registrar/sessions_controller.rb | 8 ++++++++ config/locales/en.yml | 2 ++ doc/certificates.md | 2 +- 5 files changed, 18 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index dd60bfcea..eeb8acb3b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,7 @@ * Registrar: only dev can skip pki login certificate, please be sure all application.yml and apache conf is correctly setup for pki +* Updated Registrar Apache example: added user name directive example config 24.04.2015 diff --git a/README.md b/README.md index 73f7dee9d..1e59f49aa 100644 --- a/README.md +++ b/README.md @@ -179,6 +179,12 @@ Registrar configuration (/etc/apache2/sites-enabled/registrar.conf) is as follow Allow from all + + RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s" + + SSLVerifyClient require + RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s" + ``` diff --git a/app/controllers/registrar/sessions_controller.rb b/app/controllers/registrar/sessions_controller.rb index d96d5eca1..ce5ad9852 100644 --- a/app/controllers/registrar/sessions_controller.rb +++ b/app/controllers/registrar/sessions_controller.rb @@ -16,6 +16,14 @@ class Registrar::SessionsController < ::SessionsController ) ) + if @depp_user.pki && request.env['HTTP_SSL_CLIENT_S_DN_CN'].blank? + @depp_user.errors.add(:base, :webserver_missing_user_name_directive) + end + + if @depp_user.pki && request.env['HTTP_SSL_CLIENT_S_DN_CN'] == '(null)' + @depp_user.errors.add(:base, :webserver_user_name_directive_should_be_required) + end + if @depp_user.pki && request.env['HTTP_SSL_CLIENT_S_DN_CN'] != params[:depp_user][:tag] @depp_user.errors.add(:base, :invalid_cert) end 
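Review bot: The three `if @depp_user.pki && ...` checks in the sessions_controller.rb hunk run independently, so a blank or `(null)` header adds the new configuration error and in most cases `invalid_cert` as well; an `if`/`elsif` chain over a single local would report one cause per attempt while still leaving an error on the user object. The value is read from `HTTP_SSL_CLIENT_S_DN_CN`, which is an HTTP request header, so the comparison with `params[:depp_user][:tag]` only proves anything when the web server overwrites any client-sent header of that name on every route that reaches this action; a comment stating that dependency belongs next to the check. The new messages may also describe the server setup to an unauthenticated visitor at the login form, so logging them could be the better place, though how these errors are rendered is not visible here. The enclosing action starts and ends outside the hunk.

```ruby
cert_cn = request.env['HTTP_SSL_CLIENT_S_DN_CN']
if @depp_user.pki
  # cert_cn arrives as an HTTP request header: it is trustworthy only if the
  # web server overwrites any client-supplied value before passing the request on.
  if cert_cn.blank?
    @depp_user.errors.add(:base, :webserver_missing_user_name_directive)
  elsif cert_cn == '(null)'
    @depp_user.errors.add(:base, :webserver_user_name_directive_should_be_required)
  elsif cert_cn != params[:depp_user][:tag]
    @depp_user.errors.add(:base, :invalid_cert)
  end
end
```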
diff --git a/config/locales/en.yml b/config/locales/en.yml index 2bd7107c3..8d8330764 100644 --- a/config/locales/en.yml +++ b/config/locales/en.yml @@ -529,6 +529,8 @@ en: authorization_error: 'Authorization error' invalid_cert: 'Invalid certificate' not_active: 'User is not active' + webserver_missing_user_name_directive: 'Webserver configuration error: Apache or nginx is missing user name directive.' + webserver_user_name_directive_should_be_required: 'Webserver configuration error: Apache or nginx should require name directive.' tag: blank: "Username can't be blank" password: diff --git a/doc/certificates.md b/doc/certificates.md index e9d821053..c1b0c9333 100644 --- a/doc/certificates.md +++ b/doc/certificates.md @@ -151,7 +151,7 @@ Add these lines: RequestHeader set SSL_CLIENT_S_DN_CN "" - + SSLVerifyClient require RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s"