authorBrice Figureau <brice-puppet@daysofwonder.com>2010-10-16 16:58:04 +0200
committerJames Turnbull <james@lovedthanlost.net>2010-11-12 04:12:39 +1100
commitea435a43dc97487d054271a9efb208f361408339 (patch)
tree6abea315c00d7cb6de990b72010f50022f0de8cb
parenta097b939ab52bafb681cf7c5dcaf11717add07e6 (diff)
Fix #5020 - Prefer finding node name from REST uri over certname
This is a behavior change. Before this patch, we always used the currently connected node's certname to compile the catalog, despite the value of the catalog URI REST request. With this patch we now use the URI as the compiled node name. This is safe because the default auth.conf (and default inserted rules when no auth.conf is present) only allow the given connected node to compile its own catalog. But this also allows for greater flexibility with auth.conf. For instance it can be used by a monitoring system to check multiple nodes' catalogs with only one certificate: path ~ ^/catalog/([^/]+)$ method find allow $1 allow monitoring-station.domain.com Signed-off-by: Brice Figureau <brice-puppet@daysofwonder.com>
-rw-r--r--lib/puppet/indirector/catalog/compiler.rb12
-rwxr-xr-xspec/unit/indirector/catalog/compiler_spec.rb17
2 files changed, 17 insertions, 12 deletions
diff --git a/lib/puppet/indirector/catalog/compiler.rb b/lib/puppet/indirector/catalog/compiler.rb
index c50022fff..6375e801f 100644
--- a/lib/puppet/indirector/catalog/compiler.rb
+++ b/lib/puppet/indirector/catalog/compiler.rb
@@ -107,10 +107,14 @@ class Puppet::Resource::Catalog::Compiler < Puppet::Indirector::Code
return node
end
- # If the request is authenticated, then the 'node' info will
- # be available; if not, then we use the passed-in key. We rely
- # on our authorization system to determine whether this is allowed.
- name = request.node || request.key
+ # We rely on our authorization system to determine whether the connected
+ # node is allowed to compile the catalog's node referenced by key.
+ # By default the REST authorization system makes sure only the connected node
+ # can compile his catalog.
+ # This allows for instance monitoring systems or puppet-load to check several
+ # node's catalog with only one certificate and a modification to auth.conf
+ # If no key is provided we can only compile the currently connected node.
+ name = request.key || request.node
if node = find_node(name)
return node
end
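Review bot: With `name = request.key || request.node` the compiler no longer compares the node name taken from the URI against the authenticated certname in `request.node`, so the auth.conf rule for `/catalog` becomes the sole control stopping one authenticated node from compiling (and reading) another node's catalog, which may carry sensitive resource parameters; a permissive or mistaken rule would turn into cross-node catalog disclosure with nothing in the compiler's logs to show it. I would at least make such requests auditable right after the assignment: `Puppet.notice "#{request.node} is compiling the catalog for #{name}" if request.node && name != request.node`. The new comment block should also state the trust boundary plainly rather than describing the default auth.conf, e.g. `# SECURITY: nothing below re-checks that key matches the client certname; REST authorization (auth.conf) is the only gate.`, and `compile his catalog` should read `compile its own catalog`. The enclosing method begins and ends outside this hunk.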
diff --git a/spec/unit/indirector/catalog/compiler_spec.rb b/spec/unit/indirector/catalog/compiler_spec.rb
index 2ae5f6ff3..6c950b626 100755
--- a/spec/unit/indirector/catalog/compiler_spec.rb
+++ b/spec/unit/indirector/catalog/compiler_spec.rb
@@ -6,6 +6,7 @@
require File.dirname(__FILE__) + '/../../../spec_helper'
require 'puppet/indirector/catalog/compiler'
+require 'puppet/rails'
describe Puppet::Resource::Catalog::Compiler do
before do
@@ -33,8 +34,8 @@ describe Puppet::Resource::Catalog::Compiler do
Puppet::Node.stubs(:find).with('node1').returns(node1)
Puppet::Node.stubs(:find).with('node2').returns(node2)
- compiler.find(stub('request', :node => 'node1', :options => {}))
- compiler.find(stub('node2request', :node => 'node2', :options => {}))
+ compiler.find(stub('request', :key => 'node1', :node => 'node1', :options => {}))
+ compiler.find(stub('node2request', :key => 'node2', :node => 'node2', :options => {}))
end
it "should provide a method for determining if the catalog is networked" do
@@ -70,7 +71,7 @@ describe Puppet::Resource::Catalog::Compiler do
@node = Puppet::Node.new @name
@node.stubs(:merge)
Puppet::Node.stubs(:find).returns @node
- @request = stub 'request', :key => "does not matter", :node => @name, :options => {}
+ @request = stub 'request', :key => @name, :node => @name, :options => {}
end
it "should directly use provided nodes" do
@@ -80,14 +81,14 @@ describe Puppet::Resource::Catalog::Compiler do
@compiler.find(@request)
end
- it "should use the request's node name if no explicit node is provided" do
+ it "should use the authenticated node name if no request key is provided" do
+ @request.stubs(:key).returns(nil)
Puppet::Node.expects(:find).with(@name).returns(@node)
@compiler.expects(:compile).with(@node)
@compiler.find(@request)
end
- it "should use the provided node name if no explicit node is provided and no authenticated node information is available" do
- @request.expects(:node).returns nil
+ it "should use the provided node name by default" do
@request.expects(:key).returns "my_node"
Puppet::Node.expects(:find).with("my_node").returns @node
@@ -198,7 +199,7 @@ describe Puppet::Resource::Catalog::Compiler do
@compiler = Puppet::Resource::Catalog::Compiler.new
@name = "me"
@node = mock 'node'
- @request = stub 'request', :node => @name, :options => {}
+ @request = stub 'request', :key => @name, :options => {}
@compiler.stubs(:compile)
end
@@ -217,7 +218,7 @@ describe Puppet::Resource::Catalog::Compiler do
@compiler = Puppet::Resource::Catalog::Compiler.new
@name = "me"
@node = mock 'node'
- @request = stub 'request', :node => @name, :options => {}
+ @request = stub 'request', :key => @name, :options => {}
@compiler.stubs(:compile)
Puppet::Node.stubs(:find).with(@name).returns(@node)
end