This is a behavior change. Before this patch, the catalog was always
compiled for the currently connected node's certname, regardless of the
node name given in the catalog REST URI.
With this patch the node name from the URI is used as the compiled node name.

This is safe because the default auth.conf (and default inserted rules
when no auth.conf is present) only allow the given connected node to
compile its own catalog.

But this also allows for greater flexibility with auth.conf. For instance
it can be used by a monitoring system to check multiple nodes catalogs
with only one certificate:

path ~ ^/catalog/([^/]+)$
method find
allow $1
allow monitoring-station.domain.com

Signed-off-by: Brice Figureau <[email protected]>
---
 lib/puppet/indirector/catalog/compiler.rb     |   12 ++++++++----
 spec/unit/indirector/catalog/compiler_spec.rb |   17 +++++++++--------
 2 files changed, 17 insertions(+), 12 deletions(-)

diff --git a/lib/puppet/indirector/catalog/compiler.rb 
b/lib/puppet/indirector/catalog/compiler.rb
index c50022f..6375e80 100644
--- a/lib/puppet/indirector/catalog/compiler.rb
+++ b/lib/puppet/indirector/catalog/compiler.rb
@@ -107,10 +107,14 @@ class Puppet::Resource::Catalog::Compiler < 
Puppet::Indirector::Code
       return node
     end
 
-    # If the request is authenticated, then the 'node' info will
-    # be available; if not, then we use the passed-in key.  We rely
-    # on our authorization system to determine whether this is allowed.
-    name = request.node || request.key
+    # We rely on our authorization system to determine whether the connected
+    # node is allowed to compile the catalog's node referenced by key.
+    # By default the REST authorization system makes sure only the connected 
node
+    # can compile his catalog.
+    # This allows for instance monitoring systems or puppet-load to check 
several
+    # node's catalog with only one certificate and a modification to auth.conf 
+    # If no key is provided we can only compile the currently connected node.
+    name = request.key || request.node
     if node = find_node(name)
       return node
     end
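Review bot: `name = request.key || request.node` now makes the client-supplied URI segment the node whose catalog is compiled, and the only thing stopping one agent from compiling another node's catalog is the REST authorization layer the commit message points to; that dependency should be stated in the code rather than left to the commit message, and the new comment should drop the "his"/"several node's" wording while it is being reworked. Suggested replacement for the comment block: `# request.key comes from the catalog URI and is client-controlled; it is trusted only because` / `# the REST authorization layer (auth.conf) has already checked that the connected node may` / `# request this key, so any rule that relaxes the /catalog path exposes other nodes' catalogs.` The blank-key case is also worth a thought: in Ruby `""` is truthy, so an empty key would not fall back to `request.node`, though whether the REST layer can ever hand one over I cannot tell from this hunk. The enclosing method starts before this hunk.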
diff --git a/spec/unit/indirector/catalog/compiler_spec.rb 
b/spec/unit/indirector/catalog/compiler_spec.rb
index 2ae5f6f..6c950b6 100755
--- a/spec/unit/indirector/catalog/compiler_spec.rb
+++ b/spec/unit/indirector/catalog/compiler_spec.rb
@@ -6,6 +6,7 @@
 require File.dirname(__FILE__) + '/../../../spec_helper'
 
 require 'puppet/indirector/catalog/compiler'
+require 'puppet/rails'
 
 describe Puppet::Resource::Catalog::Compiler do
   before do
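Review bot: The added `require 'puppet/rails'` is not mentioned in the commit message and has no visible connection to the key/node change the patch is about. If the spec now fails to load without it, a one-line comment next to the require stating what the spec needs from it (and a sentence in the commit message) would keep the next reader from treating it as stray; if it is not needed, it should be dropped from this patch.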
@@ -33,8 +34,8 @@ describe Puppet::Resource::Catalog::Compiler do
       Puppet::Node.stubs(:find).with('node1').returns(node1)
       Puppet::Node.stubs(:find).with('node2').returns(node2)
 
-      compiler.find(stub('request', :node => 'node1', :options => {}))
-      compiler.find(stub('node2request', :node => 'node2', :options => {}))
+      compiler.find(stub('request', :key => 'node1', :node => 'node1', 
:options => {}))
+      compiler.find(stub('node2request', :key => 'node2', :node => 'node2', 
:options => {}))
     end
 
     it "should provide a method for determining if the catalog is networked" do
@@ -70,7 +71,7 @@ describe Puppet::Resource::Catalog::Compiler do
       @node = Puppet::Node.new @name
       @node.stubs(:merge)
       Puppet::Node.stubs(:find).returns @node
-      @request = stub 'request', :key => "does not matter", :node => @name, 
:options => {}
+      @request = stub 'request', :key => @name, :node => @name, :options => {}
     end
 
     it "should directly use provided nodes" do
@@ -80,14 +81,14 @@ describe Puppet::Resource::Catalog::Compiler do
       @compiler.find(@request)
     end
 
-    it "should use the request's node name if no explicit node is provided" do
+    it "should use the authenticated node name if no request key is provided" 
do
+      @request.stubs(:key).returns(nil)
       Puppet::Node.expects(:find).with(@name).returns(@node)
       @compiler.expects(:compile).with(@node)
       @compiler.find(@request)
     end
 
-    it "should use the provided node name if no explicit node is provided and 
no authenticated node information is available" do
-      @request.expects(:node).returns nil
+    it "should use the provided node name by default" do
       @request.expects(:key).returns "my_node"
 
       Puppet::Node.expects(:find).with("my_node").returns @node
@@ -198,7 +199,7 @@ describe Puppet::Resource::Catalog::Compiler do
       @compiler = Puppet::Resource::Catalog::Compiler.new
       @name = "me"
       @node = mock 'node'
-      @request = stub 'request', :node => @name, :options => {}
+      @request = stub 'request', :key => @name, :options => {}
       @compiler.stubs(:compile)
     end
 
@@ -217,7 +218,7 @@ describe Puppet::Resource::Catalog::Compiler do
       @compiler = Puppet::Resource::Catalog::Compiler.new
       @name = "me"
       @node = mock 'node'
-      @request = stub 'request', :node => @name, :options => {}
+      @request = stub 'request', :key => @name, :options => {}
       @compiler.stubs(:compile)
       Puppet::Node.stubs(:find).with(@name).returns(@node)
     end
-- 
1.7.2.1
