Move the mongrel client authentication to the new auth plugin
system.
Signed-off-by: Brice Figureau <[email protected]>
---
lib/puppet/auth/handler/mongrel/ssl.rb | 14 +++++++
lib/puppet/network/http/mongrel/rest.rb | 13 +-----
spec/unit/auth/handler/mongrel/ssl_spec.rb | 57 +++++++++++++++++++++++++++
spec/unit/network/http/mongrel/rest_spec.rb | 56 +++++---------------------
4 files changed, 83 insertions(+), 57 deletions(-)
create mode 100644 spec/unit/auth/handler/mongrel/ssl_spec.rb
diff --git a/lib/puppet/auth/handler/mongrel/ssl.rb
b/lib/puppet/auth/handler/mongrel/ssl.rb
index 907540d..d34d66f 100644
--- a/lib/puppet/auth/handler/mongrel/ssl.rb
+++ b/lib/puppet/auth/handler/mongrel/ssl.rb
@@ -1,3 +1,17 @@
Puppet::Auth.new_handler(:ssl, :mongrel) do
+ def authenticate(ip, params)
+ result = [false, nil]
+
+ # JJM #906 The following dn.match regular expression is forgiving
+ # enough to match the two Distinguished Name string contents
+ # coming from Apache, Pound or other reverse SSL proxies.
+ if dn = params[Puppet[:ssl_client_header]] and dn_matchdata =
dn.match(/^.*?CN\s*=\s*(.*)/)
+ result[1] = dn_matchdata[1].to_str
+ result[0] = (params[Puppet[:ssl_client_verify_header]] == 'SUCCESS')
+ else
+ result[1] = resolve_node(ip)
+ end
+ result
+ end
end
\ No newline at end of file
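Review bot: `authenticate` hands back the CN parsed from the `Puppet[:ssl_client_header]` value as the node name even when the verify header is not `SUCCESS`, so the caller's `result[:node]` can carry a proxy-reported but unverified name next to `authenticated == false`; that matches the code this replaces, but it is now the plugin's contract and should be spelled out above the method, e.g. `# Returns [authenticated, node]; node is the CN from the DN header whenever that header is present, verified or not, else the reverse lookup of ip.` The `(.*)` capture also keeps everything after `CN=`, so a DN carrying further RDNs after the CN would yield a node name that includes them — whether the proxies in use emit such DNs is not visible here. Anchoring with `\A` instead of `^` would avoid matching a `CN=` that follows an embedded line break in the header value.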
diff --git a/lib/puppet/network/http/mongrel/rest.rb
b/lib/puppet/network/http/mongrel/rest.rb
index 7ef13f0..8d845df 100644
--- a/lib/puppet/network/http/mongrel/rest.rb
+++ b/lib/puppet/network/http/mongrel/rest.rb
@@ -3,6 +3,7 @@ require 'puppet/network/http/handler'
class Puppet::Network::HTTP::MongrelREST < Mongrel::HttpHandler
include Puppet::Network::HTTP::Handler
+ include Puppet::Auth::Handler
ACCEPT_HEADER = "HTTP_ACCEPT".freeze # yay, zed's a crazy-man
@@ -76,17 +77,7 @@ class Puppet::Network::HTTP::MongrelREST <
Mongrel::HttpHandler
params = request.params
result[:ip] = params["HTTP_X_FORWARDED_FOR"] ?
params["HTTP_X_FORWARDED_FOR"].split(',').last.strip : params["REMOTE_ADDR"]
- # JJM #906 The following dn.match regular expression is forgiving
- # enough to match the two Distinguished Name string contents
- # coming from Apache, Pound or other reverse SSL proxies.
- if dn = params[Puppet[:ssl_client_header]] and dn_matchdata =
dn.match(/^.*?CN\s*=\s*(.*)/)
- result[:node] = dn_matchdata[1].to_str
- result[:authenticated] = (params[Puppet[:ssl_client_verify_header]] ==
'SUCCESS')
- else
- result[:node] = resolve_node(result)
- result[:authenticated] = false
- end
-
+ result[:authenticated], result[:node] = authenticate(result[:ip], params)
result
end
end
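Review bot: The multiple assignment `result[:authenticated], result[:node] = authenticate(result[:ip], params)` silently yields `nil` for both fields if a plugin returns `nil` or a single value instead of a two-element array, whereas the removed code always set `authenticated` to an explicit boolean; a comment on that line stating the expected return shape, `# auth plugin returns [authenticated (Boolean), node_name]`, would make the contract visible to plugin authors. Note too that the `ip` handed to the plugin is the last `HTTP_X_FORWARDED_FOR` entry when that header is present (context lines above), so the handler's reverse-lookup fallback resolves a header-supplied address unless a trusted proxy overwrites that header. The enclosing `params` method starts outside the hunk.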
diff --git a/spec/unit/auth/handler/mongrel/ssl_spec.rb
b/spec/unit/auth/handler/mongrel/ssl_spec.rb
new file mode 100644
index 0000000..3847aaf
--- /dev/null
+++ b/spec/unit/auth/handler/mongrel/ssl_spec.rb
@@ -0,0 +1,57 @@
+#!/usr/bin/env ruby
+
+require File.dirname(__FILE__) + '/../../../../spec_helper'
+
+describe Puppet::Auth, "ssl mongrel authentication handler" do
+ confine "Mongrel is not available" => Puppet.features.mongrel?
+
+ before(:each) do
+ Puppet[:auth] = "ssl"
+ end
+
+ describe "when authenticating a mongrel HTTP client" do
+ before(:each) do
+ @handler = Class.new do
+ def self.name
+ "Puppet::Network::HTTP::MongrelREST"
+ end
+ include Puppet::Auth::Handler
+ end.new
+ @ip = :foo
+ end
+
+ it "should retrieve the hostname by matching the certificate parameter" do
+ Puppet[:ssl_client_header] = "myheader"
+ params = {"myheader" => "/CN=host.domain.com"}
+ @handler.authenticate(@ip, params)[1].should == "host.domain.com"
+ end
+
+ it "should consider the host authenticated if the validity parameter
contains 'SUCCESS'" do
+ Puppet[:ssl_client_header] = "certheader"
+ Puppet[:ssl_client_verify_header] = "myheader"
+ params = {"myheader" => "SUCCESS", "certheader" => "/CN=host.domain.com"}
+ @handler.authenticate(@ip, params)[0].should be_true
+ end
+
+ it "should consider the host unauthenticated if the validity parameter
does not contain 'SUCCESS'" do
+ Puppet[:ssl_client_header] = "certheader"
+ Puppet[:ssl_client_verify_header] = "myheader"
+ params = {"myheader" => "whatever", "certheader" =>
"/CN=host.domain.com"}
+ @handler.authenticate(@ip, params)[0].should be_false
+ end
+
+ it "should consider the host unauthenticated if no certificate information
is present" do
+ Puppet[:ssl_client_header] = "certheader"
+ Puppet[:ssl_client_verify_header] = "myheader"
+ params = {"myheader" => nil, "certheader" => "SUCCESS"}
+ @handler.authenticate(@ip, params)[0].should be_false
+ end
+
+ it "should resolve the node name with an ip address look-up if no
certificate is present" do
+ Puppet[:ssl_client_header] = "myheader"
+ params = {"myheader" => nil}
+ @handler.expects(:resolve_node).returns("host.domain.com")
+ @handler.authenticate(@ip, params)[1].should == "host.domain.com"
+ end
+ end
+end
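Review bot: The reverse-lookup example at the end uses `@handler.expects(:resolve_node)` without `.with(@ip)`, so it does not pin the handler's new `resolve_node(ip)` argument (the code this replaces in rest.rb called `resolve_node(result)` with the whole hash); `@handler.expects(:resolve_node).with(@ip).returns("host.domain.com")` would catch a mismatch with whatever `Puppet::Auth::Handler#resolve_node` actually expects. The "no certificate information" example also falls into the `else` branch with `resolve_node` unstubbed, so if the module's `resolve_node` performs a real name lookup that example hits the resolver with `:foo`; stubbing it there as well keeps the spec hermetic. No example asserts what `[1]` holds when the DN header is present but the verify header is not `SUCCESS`, which is the behaviour most worth pinning for this handler.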
diff --git a/spec/unit/network/http/mongrel/rest_spec.rb
b/spec/unit/network/http/mongrel/rest_spec.rb
index 92a81a1..1a73cef 100755
--- a/spec/unit/network/http/mongrel/rest_spec.rb
+++ b/spec/unit/network/http/mongrel/rest_spec.rb
@@ -10,11 +10,14 @@ describe "Puppet::Network::HTTP::MongrelREST" do
require 'puppet/network/http/mongrel/rest'
end
-
it "should include the Puppet::Network::HTTP::Handler module" do
Puppet::Network::HTTP::MongrelREST.ancestors.should
be_include(Puppet::Network::HTTP::Handler)
end
+ it "should include the Puppet::Auth::Handler module" do
+ Puppet::Network::HTTP::MongrelREST.ancestors.should
be_include(Puppet::Auth::Handler)
+ end
+
describe "when initializing" do
it "should call the Handler's initialization hook with its provided
arguments as the server and handler" do
Puppet::Network::HTTP::MongrelREST.any_instance.expects(:initialize_for_puppet).with(:server
=> "my", :handler => "arguments")
@@ -195,54 +198,15 @@ describe "Puppet::Network::HTTP::MongrelREST" do
@handler.params(@request)[:ip].should == "ipaddress"
end
- it "should use the :ssl_client_header to determine the parameter when
looking for the certificate" do
- Puppet.settings.stubs(:value).returns "eh"
- Puppet.settings.expects(:value).with(:ssl_client_header).returns
"myheader"
- @request.stubs(:params).returns("myheader" => "/CN=host.domain.com")
- @handler.params(@request)
- end
-
- it "should retrieve the hostname by matching the certificate parameter"
do
- Puppet.settings.stubs(:value).returns "eh"
- Puppet.settings.expects(:value).with(:ssl_client_header).returns
"myheader"
- @request.stubs(:params).returns("myheader" => "/CN=host.domain.com")
- @handler.params(@request)[:node].should == "host.domain.com"
- end
-
- it "should use the :ssl_client_header to determine the parameter for
checking whether the host certificate is valid" do
- Puppet.settings.stubs(:value).with(:ssl_client_header).returns
"certheader"
-
Puppet.settings.expects(:value).with(:ssl_client_verify_header).returns
"myheader"
- @request.stubs(:params).returns("myheader" => "SUCCESS", "certheader"
=> "/CN=host.domain.com")
+ it "should ask auth plugin if client is authenticated" do
+ @handler.expects(:authenticate)
@handler.params(@request)
end
- it "should consider the host authenticated if the validity parameter
contains 'SUCCESS'" do
- Puppet.settings.stubs(:value).with(:ssl_client_header).returns
"certheader"
- Puppet.settings.stubs(:value).with(:ssl_client_verify_header).returns
"myheader"
- @request.stubs(:params).returns("myheader" => "SUCCESS", "certheader"
=> "/CN=host.domain.com")
- @handler.params(@request)[:authenticated].should be_true
- end
-
- it "should consider the host unauthenticated if the validity parameter
does not contain 'SUCCESS'" do
- Puppet.settings.stubs(:value).with(:ssl_client_header).returns
"certheader"
- Puppet.settings.stubs(:value).with(:ssl_client_verify_header).returns
"myheader"
- @request.stubs(:params).returns("myheader" => "whatever", "certheader"
=> "/CN=host.domain.com")
- @handler.params(@request)[:authenticated].should be_false
- end
-
- it "should consider the host unauthenticated if no certificate
information is present" do
- Puppet.settings.stubs(:value).with(:ssl_client_header).returns
"certheader"
- Puppet.settings.stubs(:value).with(:ssl_client_verify_header).returns
"myheader"
- @request.stubs(:params).returns("myheader" => nil, "certheader" =>
"SUCCESS")
- @handler.params(@request)[:authenticated].should be_false
- end
-
- it "should resolve the node name with an ip address look-up if no
certificate is present" do
- Puppet.settings.stubs(:value).returns "eh"
- Puppet.settings.expects(:value).with(:ssl_client_header).returns
"myheader"
- @request.stubs(:params).returns("myheader" => nil)
- @handler.expects(:resolve_node).returns("host.domain.com")
- @handler.params(@request)[:node].should == "host.domain.com"
+ it "should use authentication result from auth plugin" do
+ @handler.stubs(:authenticate).returns([:authenticated, :node_name])
+ @handler.params(@request)[:authenticated].should == :authenticated
+ @handler.params(@request)[:node].should == :node_name
end
end
end
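Review bot: `@handler.expects(:authenticate)` in the "should ask auth plugin" example accepts any arguments, so the ip-then-params order the ssl handler relies on is not checked; given the preceding example asserts `[:ip] == "ipaddress"`, `@handler.expects(:authenticate).with("ipaddress", anything)` would pin it (the `anything` matcher depends on the mocking library the spec_helper loads, which is not visible here). The last example calls `@handler.params(@request)` twice against the stub; capturing one result and asserting both keys on it reads more directly and avoids depending on the stub being repeatable.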
--
1.7.2.1