Hi Siim,
Thank you for submitting this patch. I merged your changes to the
2.7.x branch, and in the process I converted the tests to rspec, since
we are trying to move away from the Test::Unit ones. I've put the diff
of the changes below.
Thanks again,
Josh
diff --git a/spec/unit/network/authstore_spec.rb b/spec/unit/network/
authstore_spec.rb
index d62c8ab..d5ff42d 100755
--- a/spec/unit/network/authstore_spec.rb
+++ b/spec/unit/network/authstore_spec.rb
@@ -4,11 +4,11 @@ require 'spec_helper'
require 'puppet/network/authconfig'
describe Puppet::Network::AuthStore do
- describe "when checking if the acl has some entries" do
- before :each do
- @authstore = Puppet::Network::AuthStore.new
- end
+ before :each do
+ @authstore = Puppet::Network::AuthStore.new
+ end
+ describe "when checking if the acl has some entries" do
it "should be empty if no ACE have been entered" do
@authstore.should be_empty
end
@@ -31,6 +31,37 @@ describe Puppet::Network::AuthStore do
@authstore.should_not be_empty
end
end
+
+ describe "when checking global allow" do
+ it "should not be enabled by default" do
+ @authstore.should_not be_globalallow
+ @authstore.should_not be_allowed('foo.bar.com', '192.168.1.1')
+ end
+
+ it "should always allow when enabled" do
+ @authstore.allow('*')
+
+ @authstore.should be_globalallow
+ @authstore.should be_allowed('foo.bar.com', '192.168.1.1')
+ end
+ end
+
+ describe "when checking a regex type of allow" do
+ before :each do
+ @authstore.allow('/^(test-)?host[0-9]+\.other-domain\.(com|org|
net)$|some-domain\.com/')
+ @ip = '192.168.1.1'
+ end
+ ['host5.other-domain.com', 'test-host12.other-domain.net',
'foo.some-domain.com'].each { |name|
+ it "should allow the host #{name}" do
+ @authstore.should be_allowed(name, @ip)
+ end
+ }
+ ['host0.some-other-domain.com',''].each { |name|
+ it "should not allow the host #{name}" do
+ @authstore.should_not be_allowed(name, @ip)
+ end
+ }
+ end
end
describe Puppet::Network::AuthStore::Declaration do
diff --git a/test/network/authstore.rb b/test/network/authstore.rb
index 32eabf5..e3c1853 100755
--- a/test/network/authstore.rb
+++ b/test/network/authstore.rb
@@ -257,22 +257,6 @@ class TestAuthStore < Test::Unit::TestCase
}
end
- def test_regex
- assert_nothing_raised("Failed to @store regexes") {
- @store.allow("/some-domain\.com/")
- @store.allow("/^(test-)?host[0-9]+\.other-domain\.(com|org|net)
$/")
- }
-
- %w{
- some-domain.com
- prefix.some-domain.com.suffix
- host5.other-domain.com
- test-host12.other-domain.net
- }.each { |name|
- assert(@store.allowed?(name, "192.168.0.1"), "Host #{name} not
allowed")
- }
- end
-
# #531
def test_case_insensitivity
@store.allow("hostname.com")
On Jan 25, 4:17 am, Siim Põder <[email protected]> wrote:
> When hosting multiple applications (especially with different security
> levels),
> you may not want to allow every client to read all the files required for
> every other client. Currently it is possible to do this when your host and
> domain names reasonably reflect that grouping, ex: hostXYZ.someapp.domain.com.
>
> However, if you have a more flat naming convention, it is difficult to write
> these ACLs. This patch adds support for matching hostnames with regular
> expressions, thus extending the ACLs to allow:
>
> path /file_content/secrets/appserver
> allow /appserver[0-9]+.example.com$/
>
> path /file_content/secrets/otherservice
> allow /^(test-)crazy[0-9]+.pattern.(com|net)$/
>
> Signed-off-by: Siim P der <[email protected]>
> ---
> lib/puppet/network/authstore.rb | 19 ++++++++++++++-----
> test/network/authstore.rb | 16 ++++++++++++++++
> 2 files changed, 30 insertions(+), 5 deletions(-)
>
> diff --git a/lib/puppet/network/authstore.rb b/lib/puppet/network/authstore.rb
> index 4ddd14f..51fd341 100755
> --- a/lib/puppet/network/authstore.rb
> +++ b/lib/puppet/network/authstore.rb
> @@ -182,9 +182,11 @@ module Puppet
> # we'll return a pattern of puppet.reductivelabs.com
> def interpolate(match)
> clone = dup
> - clone.pattern = clone.pattern.reverse.collect do |p|
> - p.gsub(/\$(\d)/) { |m| match[$1.to_i] }
> - end.join(".")
> + if @name == :dynamic
> + clone.pattern = clone.pattern.reverse.collect do |p|
> + p.gsub(/\$(\d)/) { |m| match[$1.to_i] }
> + end.join(".")
> + end
> clone
> end
>
> @@ -199,8 +201,13 @@ module Puppet
>
> # Does the name match our pattern?
> def matchname?(name)
> - name = munge_name(name)
> - (pattern == name) or (not exact? and pattern.zip(name).all? { |p,n|
> p == n })
> + case @name
> + when :domain, :dynamic, :opaque
> + name = munge_name(name)
> + (pattern == name) or (not exact? and pattern.zip(name).all? {
> |p,n| p == n })
> + when :regex
> + Regexp.new(pattern.slice(1..-2)).match(name)
> + end
> end
>
> # Convert the name to a common pattern.
> @@ -240,6 +247,8 @@ module Puppet
> [:dynamic,:exact,nil,munge_name(value)]
> when /^\w[-.@\w]*$/ # ? Just
> like a host name but allow '@'s and ending '.'s
> [:opaque,:exact,nil,[value]]
> + when /^\/.*\/$/ # a
> regular expression
> + [:regex,:inexact,nil,value]
> else
> raise AuthStoreError, "Invalid pattern #{value}"
> end
> diff --git a/test/network/authstore.rb b/test/network/authstore.rb
> index e3c1853..32eabf5 100755
> --- a/test/network/authstore.rb
> +++ b/test/network/authstore.rb
> @@ -257,6 +257,22 @@ class TestAuthStore < Test::Unit::TestCase
> }
> end
>
> + def test_regex
> + assert_nothing_raised("Failed to @store regexes") {
> + @store.allow("/some-domain\.com/")
> + @store.allow("/^(test-)?host[0-9]+\.other-domain\.(com|org|net)$/")
> + }
> +
> + %w{
> + some-domain.com
> + prefix.some-domain.com.suffix
> + host5.other-domain.com
> + test-host12.other-domain.net
> + }.each { |name|
> + assert(@store.allowed?(name, "192.168.0.1"), "Host #{name} not
> allowed")
> + }
> + end
> +
> # #531
> def test_case_insensitivity
> @store.allow("hostname.com")
> --
> 1.7.1
--
You received this message because you are subscribed to the Google Groups
"Puppet Developers" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to
[email protected].
For more options, visit this group at
http://groups.google.com/group/puppet-dev?hl=en.
