| author | Brice Figureau <brice-puppet@daysofwonder.com> | 2009-06-28 14:42:04 +0200 |
|---|---|---|
| committer | James Turnbull <james@lovedthanlost.net> | 2009-07-07 16:19:39 +1000 |
| commit | ea66cf6b9a5de1dd784dfed8995babf90225f8a0 (patch) | |
| tree | 678a1a2ba846b1092131f2957cba479ee4a11566 | |
| parent | 1e83aadc749aea9d52281d4f4041f6144a7229c7 (diff) | |
Fix #2348 - Allow authstore (and REST auth) to match allow/deny against opaque strings
This patch removes the limitation of allow/deny which were
only matching ip addresses or hostname (or pattern of).
It makes sure any kind of string can be matched (by strict
equality) while still keeping the old behaviour.
Opaque strings can only contain alphanumeric characters, -,
_ and @.
Signed-off-by: Brice Figureau <brice-puppet@daysofwonder.com>
| -rwxr-xr-x | lib/puppet/network/authstore.rb | 13 | ||||
| -rwxr-xr-x | test/network/authstore.rb | 10 |
2 files changed, 13 insertions, 10 deletions
diff --git a/lib/puppet/network/authstore.rb b/lib/puppet/network/authstore.rb
index 6f7a7df25..306e1ba8a 100755
--- a/lib/puppet/network/authstore.rb
+++ b/lib/puppet/network/authstore.rb
@@ -249,7 +249,7 @@ module Puppet
 # Does the name match our pattern?
 def matchname?(name)
- name = munge_name(name)
+ name = munge_name(name) unless @name == :opaque
 return true if self.pattern == name
 # If it's an exact match, then just return false, since the
@@ -324,10 +324,17 @@ module Puppet
 end
 begin
 @pattern = IPAddr.new(value)
+ @name = :ip
 rescue ArgumentError => detail
- raise AuthStoreError, "Invalid pattern %s" % value
+ # so nothing matched, let's match as an opaque value
+ # some sanity checks first
+ unless value =~ /^[a-zA-Z0-9][-a-zA-Z0-9_.@]*$/
+ raise AuthStoreError, "Invalid pattern %s" % value
+ end
+ @pattern = [value]
+ @length = nil # force an exact match
+ @name = :opaque
 end
- @name = :ip
 end
 end
 end
diff --git a/test/network/authstore.rb b/test/network/authstore.rb
index 7a793afe5..93f379164 100755
--- a/test/network/authstore.rb
+++ b/test/network/authstore.rb
@@ -53,10 +53,6 @@ class TestAuthStore < Test::Unit::TestCase
 #assert_raise(Puppet::AuthStoreError) {
 # @store.allow("192.168.674.0")
 #}
-
- assert_raise(Puppet::AuthStoreError) {
- @store.allow("192.168.0")
- }
 end
 def test_ipranges
@@ -186,7 +182,6 @@ class TestAuthStore < Test::Unit::TestCase
 }
 %w{
- invalid
 ^invalid!
 inval$id
@@ -339,7 +334,8 @@ class TestAuthStoreDeclaration < PuppetTest::TestCase
 "*.hostname.COM" => [:domain, %w{com hostname}, 2],
 "*.hostname.COM" => [:domain, %w{com hostname}, 2],
 "$1.hostname.COM" => [:dynamic, %w{com hostname $1}, nil],
- "192.168.$1.$2" => [:dynamic, %w{$2 $1 168 192}, nil]
+ "192.168.$1.$2" => [:dynamic, %w{$2 $1 168 192}, nil],
+ "8A5BC90C-B8FD-4CBC-81DA-BAD84D551791" => [:opaque, %w{8A5BC90C-B8FD-4CBC-81DA-BAD84D551791}, nil]
 }.each do |input, output|
 # Create a new decl each time, so values aren't cached.
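Review bot: With munging skipped for `:opaque`, the following `return true if self.pattern == name` compares the stored pattern against the raw `name`, and the other hunk in this file stores an opaque pattern as `[value]`, an Array. If callers pass `name` as a String (munge_name's return shape is not visible here, so this is an inference), that equality cannot hold and an opaque allow/deny entry would never match. The test changes only cover declaration parsing; a case that allows an opaque string on a store and then checks one matching and one non-matching name would settle it. matchname? continues past the end of this hunk.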
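Review bot: The sanity check in the new rescue branch is anchored with `^`/`$`, which in Ruby match at line boundaries, so a value containing an embedded newline passes as long as one of its lines is well-formed; anchor the whole string instead, `unless value =~ /\A[a-zA-Z0-9][-a-zA-Z0-9_.@]*\z/`. The character class also admits `.`, which the commit message's list of allowed characters does not mention. Because this branch is now the fallback for everything IPAddr rejects, a mistyped address such as `192.168.0` is stored as an exact-match opaque string instead of raising (the test file drops exactly those assertions), so a deny rule with a typo would be accepted and then never match. A comment on the branch such as `# NOTE: malformed IPs/hostnames also land here and become exact-match strings` would at least make that trade-off visible. The enclosing method starts above this hunk.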
@@ -353,7 +349,7 @@ class TestAuthStoreDeclaration < PuppetTest::TestCase
 end
 end
- %w{192.168 hostname -hostname.com hostname.*}.each do |input|
+ %w{-hostname.com hostname.*}.each do |input|
 assert_raise(Puppet::AuthStoreError, "Did not fail on %s" % input) do
 @decl.pattern = input
 end
|
