From: Christian Hofstaedtler <[email protected]>

Fix #2386, by checking either Request.env or ENV for the SSL environment
variables. This is necessary as Passenger 2.2.3 changed the location of
these vars, even though the Rack spec says nothing about ENV or these
variables.
---
 ext/rack/README                             |   11 +++++++----
 lib/puppet/network/http/rack/httphandler.rb |   22 ++++++++++++++++++++++
 lib/puppet/network/http/rack/rest.rb        |    8 ++++----
 lib/puppet/network/http/rack/xmlrpc.rb      |    8 ++++----
 4 files changed, 37 insertions(+), 12 deletions(-)

diff --git a/ext/rack/README b/ext/rack/README
index 63b8fde..3bdcca5 100644
--- a/ext/rack/README
+++ b/ext/rack/README
@@ -39,11 +39,11 @@ rackup is part of the rack gem. Make sure it's in your path.
 Apache with Passenger (aka mod_rails)
 -------------------------------------
 
-Make sure puppetmasterd ran at least once, so the SSL certificates
+Make sure puppetmasterd ran at least once, so the CA & SSL certificates
 got set up.
 
 Requirements:
-  Passenger version 2.2.2 or newer [1]
+  Passenger version 2.2.2 or newer***
   Rack version 1.0.0
   Apache 2.x
   SSL Module loaded
@@ -65,6 +65,9 @@ instead an implicit setuid will be done, to the user whom owns
 config.ru. Therefore, config.ru shall be owned by the puppet user.
 
 
-[1] http://www.modrails.com/install.html
-
+*** Important note about Passenger versions:
+    2.2.2 is known to work.
+    2.2.3-2.2.4 are known to *NOT* work.
+    2.2.5 (when it is released) is expected to work properly again.
+    Passenger installation doc: http://www.modrails.com/install.html
 
diff --git a/lib/puppet/network/http/rack/httphandler.rb 
b/lib/puppet/network/http/rack/httphandler.rb
index e142068..96cd09a 100644
--- a/lib/puppet/network/http/rack/httphandler.rb
+++ b/lib/puppet/network/http/rack/httphandler.rb
@@ -12,5 +12,27 @@ class Puppet::Network::HTTP::RackHttpHandler
         raise NotImplementedError, "Your RackHttpHandler subclass is supposed 
to override service(request)"
     end
 
+    protected
+
+    # Older Passenger versions passed all Environment vars in app(env),
+    # but since 2.2.3 they are really in ENV.
+    # Mongrel, etc. may also still use request.env.
+    def ssl_client_header(request)
+        _env_or_request_env(Puppet[:ssl_client_header], request)
+    end
+
+    def ssl_client_verify_header(request)
+        _env_or_request_env(Puppet[:ssl_client_verify_header], request)
+    end
+
+    def _env_or_request_env(var, request)
+        if ENV.include?(var)
+            Puppet.debug "rack: using var '%s' from ENV, value: '%s'" % [var, 
ENV[var]]
+            ENV[var]
+        else
+            Puppet.debug "rack: using var '%s' from request.env, value: '%s'" 
% [var, request.env[var]]
+            request.env[var]
+        end
+    end
 end
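Review bot: `_env_or_request_env` prefers the process-wide `ENV` over the per-request `request.env`, and `ssl_client_header` and `ssl_client_verify_header` each pick their source independently, so the DN and the verify result that decide `authenticated` can come from two different places. If a variable with the configured name exists in the server's start-up environment, or ENV is not reset between requests (not visible here), a value unrelated to the current TLS session would be trusted. Assuming Passenger 2.2.3 really leaves these keys out of `request.env`, checking the request first keeps the fix while narrowing that exposure: `request.env.include?(var) ? request.env[var] : ENV[var]`, ideally with both variables resolved from the same source. The comment above `ssl_client_header` describes the lookup order and belongs on `_env_or_request_env`. The two debug lines also write the client DN and verify status to the log on every request.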
 
diff --git a/lib/puppet/network/http/rack/rest.rb 
b/lib/puppet/network/http/rack/rest.rb
index 1047512..bdca651 100644
--- a/lib/puppet/network/http/rack/rest.rb
+++ b/lib/puppet/network/http/rack/rest.rb
@@ -63,11 +63,11 @@ class Puppet::Network::HTTP::RackREST < 
Puppet::Network::HTTP::RackHttpHandler
         result[:ip] = request.ip
 
         # if we find SSL info in the headers, use them to get a hostname.
-        # try this with :ssl_client_header, which defaults should work for
-        # Apache with StdEnvVars.
-        if dn = request.env[Puppet[:ssl_client_header]] and dn_matchdata = 
dn.match(/^.*?CN\s*=\s*(.*)/)
+        # try this with :ssl_client_header.
+        # For Apache you need special configuration, see ext/rack/README.
+        if dn = ssl_client_header(request) and dn_matchdata = 
dn.match(/^.*?CN\s*=\s*(.*)/)
             result[:node] = dn_matchdata[1].to_str
-            result[:authenticated] = 
(request.env[Puppet[:ssl_client_verify_header]] == 'SUCCESS')
+            result[:authenticated] = (ssl_client_verify_header(request) == 
'SUCCESS')
         else
             result[:node] = resolve_node(result)
             result[:authenticated] = false
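Review bot: The rewritten `ssl_client_header(request)` line keeps `/^.*?CN\s*=\s*(.*)/`, which takes the first `CN=` found anywhere in the string and captures everything after it. The node name therefore depends on the RDN order the front end emits and on no other attribute value containing `CN=`. `^` also anchors per line rather than at the start of the string. A pattern anchored at an RDN boundary that stops at the separator would be stricter, for example `%r{(?:\A|[,/])\s*CN\s*=\s*([^,/]+)}`, adjusted to the DN format the web server actually produces. The same expression is carried over in the xmlrpc.rb hunk, and the enclosing method starts and ends outside this hunk.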
diff --git a/lib/puppet/network/http/rack/xmlrpc.rb 
b/lib/puppet/network/http/rack/xmlrpc.rb
index 4fc9e82..9d0f486 100644
--- a/lib/puppet/network/http/rack/xmlrpc.rb
+++ b/lib/puppet/network/http/rack/xmlrpc.rb
@@ -43,11 +43,11 @@ class Puppet::Network::HTTP::RackXMLRPC < 
Puppet::Network::HTTP::RackHttpHandler
         ip = request.ip
 
         # if we find SSL info in the headers, use them to get a hostname.
-        # try this with :ssl_client_header, which defaults should work for
-        # Apache with StdEnvVars.
-        if dn = request.env[Puppet[:ssl_client_header]] and dn_matchdata = 
dn.match(/^.*?CN\s*=\s*(.*)/)
+        # try this with :ssl_client_header.
+        # For Apache you need special configuration, see ext/rack/README.
+        if dn = ssl_client_header(request) and dn_matchdata = 
dn.match(/^.*?CN\s*=\s*(.*)/)
             node = dn_matchdata[1].to_str
-            authenticated = (request.env[Puppet[:ssl_client_verify_header]] == 
'SUCCESS')
+            authenticated = (ssl_client_verify_header(request) == 'SUCCESS')
         else
             begin
                 node = Resolv.getname(ip)
-- 
1.5.6.5

