author | Christian Hofstaedtler <hofstaedtler@inqnet.at> | 2009-08-02 08:26:04 +0000 |
---|---|---|
committer | James Turnbull <james@lovedthanlost.net> | 2009-08-03 10:00:17 +1000 |
commit | c702f76b271515e9c42dcb923d379fbfac4c83cd (patch) | |
tree | 21c56e651645ca69ceeb3bc44937a17de4290008 | |
parent | ca17b3c4dec9a095b7e1bf24a55edbaaa6561a00 (diff) | |
rack: SSL Env vars can be in Request.env or ENV
Fix #2386, by checking either Request.env or ENV for the SSL environment
variables. This is necessary as Passenger 2.2.3 changed the location of
these vars, even though the Rack spec says nothing about ENV or these
variables.
-rw-r--r-- | ext/rack/README | 11 | ||||
-rw-r--r-- | lib/puppet/network/http/rack/httphandler.rb | 18 | ||||
-rw-r--r-- | lib/puppet/network/http/rack/rest.rb | 8 | ||||
-rw-r--r-- | lib/puppet/network/http/rack/xmlrpc.rb | 8 |
4 files changed, 33 insertions, 12 deletions
diff --git a/ext/rack/README b/ext/rack/README index 63b8fde7a..3bdcca53f 100644 --- a/ext/rack/README +++ b/ext/rack/README @@ -39,11 +39,11 @@ rackup is part of the rack gem. Make sure it's in your path. Apache with Passenger (aka mod_rails) ------------------------------------- -Make sure puppetmasterd ran at least once, so the SSL certificates +Make sure puppetmasterd ran at least once, so the CA & SSL certificates got set up. Requirements: - Passenger version 2.2.2 or newer [1] + Passenger version 2.2.2 or newer*** Rack version 1.0.0 Apache 2.x SSL Module loaded @@ -65,6 +65,9 @@ instead an implicit setuid will be done, to the user whom owns config.ru. Therefore, config.ru shall be owned by the puppet user. -[1] http://www.modrails.com/install.html - +*** Important note about Passenger versions: + 2.2.2 is known to work. + 2.2.3-2.2.4 are known to *NOT* work. + 2.2.5 (when it is released) is expected to work properly again. + Passenger installation doc: http://www.modrails.com/install.html diff --git a/lib/puppet/network/http/rack/httphandler.rb b/lib/puppet/network/http/rack/httphandler.rb index e14206850..31aa8371e 100644 --- a/lib/puppet/network/http/rack/httphandler.rb +++ b/lib/puppet/network/http/rack/httphandler.rb @@ -12,5 +12,23 @@ class Puppet::Network::HTTP::RackHttpHandler raise NotImplementedError, "Your RackHttpHandler subclass is supposed to override service(request)" end + def ssl_client_header(request) + env_or_request_env(Puppet[:ssl_client_header], request) + end + + def ssl_client_verify_header(request) + env_or_request_env(Puppet[:ssl_client_verify_header], request) + end + + # Older Passenger versions passed all Environment vars in app(env), + # but since 2.2.3 they (some?) are really in ENV. + # Mongrel, etc. may also still use request.env. + def env_or_request_env(var, request) + if ENV.include?(var) + ENV[var] + else + request.env[var] + end + end end 
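Review bot: `env_or_request_env` prefers the process-wide `ENV` over the per-request `request.env`, and `ssl_client_header` and `ssl_client_verify_header` each resolve their source independently, so the DN and the verify result that together decide `authenticated` can come from two different places. `ENV` is shared by every request a worker handles; whether Passenger resets these variables for each request is not visible here, so a value left set there would also apply to later requests. I would choose the source once per request and read both values from it, e.g. `src = ENV.include?(Puppet[:ssl_client_header]) ? ENV : request.env`. The comment above the helper should also state that only the front-end web server may be able to set these keys. The class body starts outside the hunk.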
diff --git a/lib/puppet/network/http/rack/rest.rb b/lib/puppet/network/http/rack/rest.rb index 104751271..bdca651d1 100644 --- a/lib/puppet/network/http/rack/rest.rb +++ b/lib/puppet/network/http/rack/rest.rb @@ -63,11 +63,11 @@ class Puppet::Network::HTTP::RackREST < Puppet::Network::HTTP::RackHttpHandler result[:ip] = request.ip # if we find SSL info in the headers, use them to get a hostname. - # try this with :ssl_client_header, which defaults should work for - # Apache with StdEnvVars. - if dn = request.env[Puppet[:ssl_client_header]] and dn_matchdata = dn.match(/^.*?CN\s*=\s*(.*)/) + # try this with :ssl_client_header. + # For Apache you need special configuration, see ext/rack/README. + if dn = ssl_client_header(request) and dn_matchdata = dn.match(/^.*?CN\s*=\s*(.*)/) result[:node] = dn_matchdata[1].to_str - result[:authenticated] = (request.env[Puppet[:ssl_client_verify_header]] == 'SUCCESS') + result[:authenticated] = (ssl_client_verify_header(request) == 'SUCCESS') else result[:node] = resolve_node(result) result[:authenticated] = false diff --git a/lib/puppet/network/http/rack/xmlrpc.rb b/lib/puppet/network/http/rack/xmlrpc.rb index 4fc9e82fc..9d0f486bc 100644 --- a/lib/puppet/network/http/rack/xmlrpc.rb +++ b/lib/puppet/network/http/rack/xmlrpc.rb 
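Review bot: The rewritten `if` line still takes the node name from `/^.*?CN\s*=\s*(.*)/`, which is loose for a value that feeds authorization: `^` matches at any line start rather than the start of the string, the lazy prefix accepts the first `CN` substring wherever it occurs in the DN, and `(.*)` captures every attribute that follows the CN. Consider anchoring with `\A`, requiring `CN` at an attribute boundary and stopping the capture at the next separator, something like `/(?:\A|[\/,]\s*)CN\s*=\s*([^\/,]+)/` (to be checked against the DN formats your web server emits). The same line is changed in rack/xmlrpc.rb and needs the same treatment. The enclosing method starts and ends outside the hunk.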
@@ -43,11 +43,11 @@ class Puppet::Network::HTTP::RackXMLRPC < Puppet::Network::HTTP::RackHttpHandler ip = request.ip # if we find SSL info in the headers, use them to get a hostname. - # try this with :ssl_client_header, which defaults should work for - # Apache with StdEnvVars. - if dn = request.env[Puppet[:ssl_client_header]] and dn_matchdata = dn.match(/^.*?CN\s*=\s*(.*)/) + # try this with :ssl_client_header. + # For Apache you need special configuration, see ext/rack/README. + if dn = ssl_client_header(request) and dn_matchdata = dn.match(/^.*?CN\s*=\s*(.*)/) node = dn_matchdata[1].to_str - authenticated = (request.env[Puppet[:ssl_client_verify_header]] == 'SUCCESS') + authenticated = (ssl_client_verify_header(request) == 'SUCCESS') else begin node = Resolv.getname(ip) |
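Review bot: The DN lookup, the CN match and the `== 'SUCCESS'` comparison here are a line-for-line copy of the block in rack/rest.rb, so any later correction to how clients are identified has to be made twice and the two handlers can drift apart. Now that RackHttpHandler carries `ssl_client_header` and `ssl_client_verify_header`, the extraction could live there as well, for example one helper that returns the node name and the authenticated flag for both handlers to call. The surrounding method starts and ends outside the hunk.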