Signed-off-by: Brice Figureau <[email protected]>
---
lib/puppet/auth/handler/rack/ssl.rb | 18 ++++++++
lib/puppet/network/http/rack/rest.rb | 12 +-----
spec/unit/auth/handler/rack/ssl_spec.rb | 70 ++++++++++++++++++++++++++++++
spec/unit/network/http/rack/rest_spec.rb | 65 ++++------------------------
4 files changed, 98 insertions(+), 67 deletions(-)
create mode 100644 lib/puppet/auth/handler/rack/ssl.rb
create mode 100644 spec/unit/auth/handler/rack/ssl_spec.rb
diff --git a/lib/puppet/auth/handler/rack/ssl.rb
b/lib/puppet/auth/handler/rack/ssl.rb
new file mode 100644
index 0000000..6991e92
--- /dev/null
+++ b/lib/puppet/auth/handler/rack/ssl.rb
@@ -0,0 +1,18 @@
+
+Puppet::Auth.new_handler(:ssl, :rack) do
+
+ def authenticate(ip, request)
+ result = []
+ # if we find SSL info in the headers, use them to get a hostname.
+ # try this with :ssl_client_header, which defaults should work for
+ # Apache with StdEnvVars.
+ if dn = request.env[Puppet[:ssl_client_header]] and dn_matchdata =
dn.match(/^.*?CN\s*=\s*(.*)/)
+ result[1] = dn_matchdata[1].to_str
+ result[0] = (request.env[Puppet[:ssl_client_verify_header]] == 'SUCCESS')
+ else
+ result[1] = resolve_node(ip)
+ result[0] = false
+ end
+ result
+ end
+end
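Review bot: The handler takes both the node identity and the `authenticated` verdict from two request headers, and nothing in `authenticate` distinguishes a value set by the TLS-terminating web server from one that arrived with the request, so the new file should state that contract; a header comment such as `# Trusts request.env[Puppet[:ssl_client_header]] and [:ssl_client_verify_header]; the fronting web server must set them from the verified TLS session and strip any client-supplied copies.` makes the deployment requirement visible where the code is. The CN capture `(.*)` runs to the end of the DN string, so a DN with components after CN would be returned verbatim as the node name; whether that is intended depends on the DN format the header carries, which the hunk does not show, so it deserves a spec example rather than a blind change. `resolve_node` is now called with the bare `ip`, whereas the removed rest.rb code passed the params hash; the `Puppet::Auth::Handler` module that presumably defines it is outside this patch, so confirm its signature matches. The positional `[authenticated, node]` return would read more clearly built directly (`[verified, name]`) than through `result[1]` followed by `result[0]`.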
diff --git a/lib/puppet/network/http/rack/rest.rb
b/lib/puppet/network/http/rack/rest.rb
index b7e1d97..7ad7575 100644
--- a/lib/puppet/network/http/rack/rest.rb
+++ b/lib/puppet/network/http/rack/rest.rb
@@ -85,17 +85,7 @@ class Puppet::Network::HTTP::RackREST <
Puppet::Network::HTTP::RackHttpHandler
result = {}
result[:ip] = request.ip
- # if we find SSL info in the headers, use them to get a hostname.
- # try this with :ssl_client_header, which defaults should work for
- # Apache with StdEnvVars.
- if dn = request.env[Puppet[:ssl_client_header]] and dn_matchdata =
dn.match(/^.*?CN\s*=\s*(.*)/)
- result[:node] = dn_matchdata[1].to_str
- result[:authenticated] = (request.env[Puppet[:ssl_client_verify_header]]
== 'SUCCESS')
- else
- result[:node] = resolve_node(result)
- result[:authenticated] = false
- end
-
+ result[:authenticated], result[:node] = authenticate(result[:ip], request)
result
end
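Review bot: The parallel assignment on the added line depends on every auth handler returning a two-element `[authenticated, node]` array in exactly that order, and the hunk documents that contract nowhere; a comment such as `# handlers return [authenticated, node]; a nil return leaves both keys nil` would pin it for the next handler author. When a handler returns nil (as the stubbed one in rest_spec does) `:authenticated` becomes nil rather than the `false` the removed code set, which still fails closed under truthiness but differs for any caller comparing with `== false`. The enclosing method (presumably `params`, judging by rest_spec) begins above the hunk.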
diff --git a/spec/unit/auth/handler/rack/ssl_spec.rb
b/spec/unit/auth/handler/rack/ssl_spec.rb
new file mode 100644
index 0000000..1582594
--- /dev/null
+++ b/spec/unit/auth/handler/rack/ssl_spec.rb
@@ -0,0 +1,70 @@
+#!/usr/bin/env ruby
+
+require File.dirname(__FILE__) + '/../../../../spec_helper'
+
+describe Puppet::Auth, "ssl rack authentication handler" do
+ confine "Rack is not available" => Puppet.features.rack?
+
+ before(:each) do
+ Puppet[:auth] = "ssl"
+ end
+
+ def mk_req(uri, opts = {})
+ env = Rack::MockRequest.env_for(uri, opts)
+ Rack::Request.new(env)
+ end
+
+ describe "when authenticating a rack HTTP client" do
+ before(:each) do
+ @handler = Class.new do
+ def self.name
+ "Puppet::Network::HTTP::RackREST"
+ end
+ include Puppet::Auth::Handler
+ end.new
+ @ip = :foo
+ end
+
+ it "should set 'authenticated' to false if no certificate is present" do
+ req = mk_req('/')
+ @handler.authenticate(@ip, req)[0].should be_false
+ end
+
+ describe "with pre-validated certificates" do
+
+ it "should retrieve the hostname by matching the certificate parameter"
do
+ Puppet[:ssl_client_header] = "myheader"
+ req = mk_req('/', "myheader" => "/CN=host.domain.com")
+ @handler.authenticate(@ip, req)[1].should == "host.domain.com"
+ end
+
+ it "should consider the host authenticated if the validity parameter
contains 'SUCCESS'" do
+ Puppet[:ssl_client_header] = "certheader"
+ Puppet[:ssl_client_verify_header] = "myheader"
+ req = mk_req('/', "myheader" => "SUCCESS", "certheader" =>
"/CN=host.domain.com")
+ @handler.authenticate(@ip, req)[0].should be_true
+ end
+
+ it "should consider the host unauthenticated if the validity parameter
does not contain 'SUCCESS'" do
+ Puppet[:ssl_client_header] = "certheader"
+ Puppet[:ssl_client_verify_header] = "myheader"
+ req = mk_req('/', "myheader" => "whatever", "certheader" =>
"/CN=host.domain.com")
+ @handler.authenticate(@ip, req)[0].should be_false
+ end
+
+ it "should consider the host unauthenticated if no certificate
information is present" do
+ Puppet[:ssl_client_header] = "certheader"
+ Puppet[:ssl_client_verify_header] = "myheader"
+ req = mk_req('/', "myheader" => nil, "certheader" =>
"/CN=host.domain.com")
+ @handler.authenticate(@ip, req)[0].should be_false
+ end
+
+ it "should resolve the node name with an ip address look-up if no
certificate is present" do
+ Puppet[:ssl_client_header] = "myheader"
+ req = mk_req('/', "myheader" => nil)
+ @handler.expects(:resolve_node).returns("host.domain.com")
+ @handler.authenticate(@ip, req)[1].should == "host.domain.com"
+ end
+ end
+ end
+end
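Review bot: The ip-lookup example at the end of the hunk stubs `resolve_node` with `expects(:resolve_node).returns(...)` and no argument constraint, so the argument the handler now passes (the bare ip instead of the old params hash) goes unchecked; `@handler.expects(:resolve_node).with(@ip).returns("host.domain.com")` would pin it. Every DN fixture is of the form `/CN=host.domain.com`, so the regex's greedy capture is never exercised against a DN with components after CN; one example with a constructed DN such as `"/C=XX/CN=host.domain.com/OU=ops"` and the node name it is expected to yield would document the intended format. `Puppet[:ssl_client_header]` and `Puppet[:ssl_client_verify_header]` are assigned per example and never restored; unless spec_helper resets settings between examples, the `"myheader"` value from an earlier example leaks into later ones, which I cannot confirm from here.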
diff --git a/spec/unit/network/http/rack/rest_spec.rb
b/spec/unit/network/http/rack/rest_spec.rb
index 96cf84c..58c0403 100755
--- a/spec/unit/network/http/rack/rest_spec.rb
+++ b/spec/unit/network/http/rack/rest_spec.rb
@@ -97,6 +97,10 @@ describe "Puppet::Network::HTTP::RackREST" do
end
describe "and determining the request parameters" do
+ before(:each) do
+ @handler.stubs(:authenticate)
+ end
+
it "should include the HTTP request parameters, with the keys as
symbols" do
req = mk_req('/?foo=baz&bar=xyzzy')
result = @handler.params(req)
@@ -157,62 +161,11 @@ describe "Puppet::Network::HTTP::RackREST" do
@handler.params(req)[:ip].should == "ipaddress"
end
- it "should set 'authenticated' to false if no certificate is present" do
- req = mk_req('/')
- @handler.params(req)[:authenticated].should be_false
- end
- end
-
- describe "with pre-validated certificates" do
-
- it "should use the :ssl_client_header to determine the parameter when
looking for the certificate" do
- Puppet.settings.stubs(:value).returns "eh"
- Puppet.settings.expects(:value).with(:ssl_client_header).returns
"myheader"
- req = mk_req('/', "myheader" => "/CN=host.domain.com")
- @handler.params(req)
- end
-
- it "should retrieve the hostname by matching the certificate parameter"
do
- Puppet.settings.stubs(:value).returns "eh"
- Puppet.settings.expects(:value).with(:ssl_client_header).returns
"myheader"
- req = mk_req('/', "myheader" => "/CN=host.domain.com")
- @handler.params(req)[:node].should == "host.domain.com"
- end
-
- it "should use the :ssl_client_header to determine the parameter for
checking whether the host certificate is valid" do
- Puppet.settings.stubs(:value).with(:ssl_client_header).returns
"certheader"
-
Puppet.settings.expects(:value).with(:ssl_client_verify_header).returns
"myheader"
- req = mk_req('/', "myheader" => "SUCCESS", "certheader" =>
"/CN=host.domain.com")
- @handler.params(req)
- end
-
- it "should consider the host authenticated if the validity parameter
contains 'SUCCESS'" do
- Puppet.settings.stubs(:value).with(:ssl_client_header).returns
"certheader"
- Puppet.settings.stubs(:value).with(:ssl_client_verify_header).returns
"myheader"
- req = mk_req('/', "myheader" => "SUCCESS", "certheader" =>
"/CN=host.domain.com")
- @handler.params(req)[:authenticated].should be_true
- end
-
- it "should consider the host unauthenticated if the validity parameter
does not contain 'SUCCESS'" do
- Puppet.settings.stubs(:value).with(:ssl_client_header).returns
"certheader"
- Puppet.settings.stubs(:value).with(:ssl_client_verify_header).returns
"myheader"
- req = mk_req('/', "myheader" => "whatever", "certheader" =>
"/CN=host.domain.com")
- @handler.params(req)[:authenticated].should be_false
- end
-
- it "should consider the host unauthenticated if no certificate
information is present" do
- Puppet.settings.stubs(:value).with(:ssl_client_header).returns
"certheader"
- Puppet.settings.stubs(:value).with(:ssl_client_verify_header).returns
"myheader"
- req = mk_req('/', "myheader" => nil, "certheader" =>
"/CN=host.domain.com")
- @handler.params(req)[:authenticated].should be_false
- end
-
- it "should resolve the node name with an ip address look-up if no
certificate is present" do
- Puppet.settings.stubs(:value).returns "eh"
- Puppet.settings.expects(:value).with(:ssl_client_header).returns
"myheader"
- req = mk_req('/', "myheader" => nil)
- @handler.expects(:resolve_node).returns("host.domain.com")
- @handler.params(req)[:node].should == "host.domain.com"
+ it "should use the auth plugin authentication" do
+ req = mk_req("/",'REMOTE_ADDR' => 'ipaddress')
+ @handler.stubs(:authenticate).with('ipaddress',
req).returns([:authenticated, :node_name])
+ @handler.params(req)[:authenticated].should == :authenticated
+ @handler.params(req)[:node].should == :node_name
end
end
end
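Review bot: The new example calls `@handler.params(req)` twice and asserts one key per call; computing it once, `result = @handler.params(req)` followed by `result[:authenticated].should == :authenticated` and `result[:node].should == :node_name`, keeps both assertions on a single return value. Because the example uses `stubs` rather than `expects`, and the `before` block in the earlier hunk installs an unconstrained `@handler.stubs(:authenticate)`, a call with a different ip or request would, as far as I can tell from mocha's matching, be absorbed by that stub instead of failing; `@handler.expects(:authenticate).with('ipaddress', req).returns([:authenticated, :node_name])` would prove the handler is invoked with the request's ip. The removed SSL examples reappear in the new ssl_spec, so no coverage is lost here beyond that.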
--
1.7.2.1