| author | Luke Kanies <luke@madstop.com> | 2005-08-28 02:23:10 +0000 |
|---|---|---|
| committer | Luke Kanies <luke@madstop.com> | 2005-08-28 02:23:10 +0000 |
| commit | f2795359521709b5d4a64900ebed5e7b0be84c6b (patch) | |
| tree | 59aba403256c85c6d0de6170422f2c2066329aa8 | |
| parent | 28be88cc6e13c1af193fe01d56a1a446a18e01bb (diff) | |
This should be the commit that brings us to Beta 1. All tests pass, although I get some (gracefully handled) failures in tc_metrics.rb, and there is now a config file for the fileserver module, including authorization specification for it. I have also reworked error handling in the xmlrpc client and server so errors should propagate more correctly.
git-svn-id: https://reductivelabs.com/svn/puppet/trunk@594 980ebf18-57e1-0310-9a29-db15c13687c0
| -rwxr-xr-x | bin/puppetmasterd | 46 | ||||
| -rw-r--r-- | lib/puppet/client.rb | 10 | ||||
| -rwxr-xr-x | lib/puppet/daemon.rb | 4 | ||||
| -rw-r--r-- | lib/puppet/server.rb | 5 | ||||
| -rw-r--r-- | lib/puppet/server/ca.rb | 2 | ||||
| -rwxr-xr-x | lib/puppet/server/filebucket.rb | 4 | ||||
| -rwxr-xr-x | lib/puppet/server/fileserver.rb | 62 | ||||
| -rw-r--r-- | lib/puppet/server/master.rb | 5 | ||||
| -rw-r--r-- | lib/puppet/server/servlet.rb | 59 | ||||
| -rwxr-xr-x | lib/puppet/sslcertificates.rb | 5 | ||||
| -rw-r--r-- | lib/puppet/type.rb | 10 | ||||
| -rw-r--r-- | lib/puppet/type/pfile.rb | 6 | ||||
| -rwxr-xr-x | test/executables/tc_puppetd.rb | 8 | ||||
| -rwxr-xr-x | test/executables/tc_puppetmasterd.rb | 15 | ||||
| -rw-r--r-- | test/parser/tc_lexer.rb | 3 | ||||
| -rw-r--r-- | test/parser/tc_parser.rb | 2 | ||||
| -rwxr-xr-x | test/server/tc_authstore.rb | 35 | ||||
| -rwxr-xr-x | test/server/tc_fileserver.rb | 69 | ||||
| -rw-r--r-- | test/server/tc_server.rb | 4 | ||||
| -rwxr-xr-x | test/test | 3 | ||||
| -rwxr-xr-x | test/types/tc_filesources.rb | 40 |
21 files changed, 304 insertions, 93 deletions
diff --git a/bin/puppetmasterd b/bin/puppetmasterd index 8ed9f739e..0c832aba6 100755 --- a/bin/puppetmasterd +++ b/bin/puppetmasterd @@ -15,6 +15,7 @@ result = GetoptLong.new( [ "--ssldir", "-s", GetoptLong::REQUIRED_ARGUMENT ], [ "--port", "-p", GetoptLong::REQUIRED_ARGUMENT ], [ "--noinit", "-n", GetoptLong::NO_ARGUMENT ], + [ "--autosign", "-a", GetoptLong::NO_ARGUMENT ], [ "--debug", "-d", GetoptLong::NO_ARGUMENT ], [ "--verbose", "-v", GetoptLong::NO_ARGUMENT ], [ "--noca", GetoptLong::NO_ARGUMENT ], @@ -22,7 +23,11 @@ result = GetoptLong.new( ) noinit = false -ca = true + +haveca = true +master = {} +ca = {} +args = {} result.each { |opt,arg| case opt @@ -33,20 +38,23 @@ result.each { |opt,arg| Puppet[:loglevel] = :info when "--debug" Puppet[:debug] = true + when "--autosign" + ca[:autosign] = true when "--noca" - ca = false + haveca = false when "--port" - Puppet[:masterport] = arg + args[:Port] = arg when "--ssldir" Puppet[:ssldir] = arg when "--manifest" - Puppet[:manifest] = arg + master[:File] = arg when "--noinit" noinit = true when "--logfile" - Puppet[:masterlog] = arg + args[:AccessLog] = arg else - raise "Invalid option '#{opt}'" + $stderr.puts "Invalid option '#{opt}'" + exit(1) end } @@ -62,16 +70,28 @@ if bg Puppet[:logdest] = Puppet[:masterlog] end +handlers = { + :Master => master, + :Status => {} +} + + +if haveca + handlers[:CA] = ca +end + +if File.exists?(Puppet[:fileserverconfig]) + handlers[:FileServer] = { + :Config => Puppet[:fileserverconfig] + } +end + +args[:Handlers] = handlers + begin # use the default, um, everything #server = Puppet::Server.new(:CA => ca) - server = Puppet::Server.new( - :Handlers => { - :CA => {}, # so that certs autogenerate - :Master => {}, - :Status => {} - } - ) + server = Puppet::Server.new(args) rescue => detail $stderr.puts detail exit(1) diff --git a/lib/puppet/client.rb b/lib/puppet/client.rb index 67307e621..868c86f58 100644 --- a/lib/puppet/client.rb +++ b/lib/puppet/client.rb 
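Review bot: The new `--autosign` branch sets `ca[:autosign] = true` with no limit on which requests qualify, while the `getcert` comment in lib/puppet/server/ca.rb (touched by this same commit) still describes hostname verification as something to be done. Read together, a master started with `-a` would presumably sign a CSR from any host that can reach the port. The option deserves a comment at the `when "--autosign"` branch, for example `# signs every incoming CSR without verification; bootstrap/testing only`, and the same caveat in the usage text.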
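Review bot: `args` reaches `Puppet::Server.new(args)` with `:AccessLog` set to the bare path string from the `--logfile` branch, whereas `Puppet::Server#initialize` defaults that key to an array (`hash[:AccessLog] ||= [`). Because `||=` leaves a supplied value alone, the string is presumably handed on in the wrong shape. The context line `Puppet[:logdest] = Puppet[:masterlog]` in this hunk also no longer sees the `--logfile` value, since that branch stopped assigning `Puppet[:masterlog]`. Keeping `Puppet[:masterlog] = arg` in the option loop and letting the server build its own access-log entry would avoid both problems.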
@@ -47,14 +47,14 @@ module Puppet begin call("%s.%s" % [namespace, method.to_s],*args) rescue XMLRPC::FaultException => detail - Puppet.err "XML Could not call %s.%s: %s" % + Puppet.err "Could not call %s.%s: %s" % [namespace, method, detail.faultString] raise NetworkClientError, "XMLRPC Error: %s" % detail.faultString - rescue => detail - Puppet.err "Could not call %s.%s: %s" % - [namespace, method, detail.inspect] - raise NetworkClientError.new(detail.to_s) + #rescue => detail + # Puppet.err "Could not call %s.%s: %s" % + # [namespace, method, detail.inspect] + # raise NetworkClientError.new(detail.to_s) end } } diff --git a/lib/puppet/daemon.rb b/lib/puppet/daemon.rb index 837debd79..040292b36 100755 --- a/lib/puppet/daemon.rb +++ b/lib/puppet/daemon.rb @@ -6,8 +6,10 @@ module Puppet module Daemon def daemonize unless Puppet[:logdest] == :file - Puppet.err "You must reset log destination before daemonizing" + raise Puppet::DevError, + "You must reset log destination before daemonizing" end + if pid = fork() Process.detach(pid) exit(0) diff --git a/lib/puppet/server.rb b/lib/puppet/server.rb index 47b53a27b..d3259e60d 100644 --- a/lib/puppet/server.rb +++ b/lib/puppet/server.rb @@ -32,6 +32,8 @@ module Puppet include Puppet::Daemon def initialize(hash = {}) + # FIXME we should have some kind of access control here, using + # :RequestHandler hash[:Port] ||= Puppet[:masterport] hash[:Logger] ||= self.httplog hash[:AccessLog] ||= [ @@ -139,7 +141,7 @@ module Puppet @name = :Status - def status(status = nil, request = nil) + def status(status = nil, client = nil, clientip = nil) Puppet.warning "Returning status" return 1 end @@ -150,6 +152,7 @@ module Puppet #--------------------------------------------------------------- end +require 'puppet/server/authstore' require 'puppet/server/servlet' require 'puppet/server/master' require 'puppet/server/ca' diff --git a/lib/puppet/server/ca.rb b/lib/puppet/server/ca.rb index 20caee9bb..669fe1290 100644 
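Review bot: With the generic `rescue => detail` commented out, anything other than `XMLRPC::FaultException` (socket, timeout or TLS failures, for instance) now leaves this block as a raw exception instead of `NetworkClientError`, so callers that rescue only `NetworkClientError` stop seeing transport failures. If that is the intended change, delete the four commented lines rather than keeping them and say so in a comment such as `# non-XMLRPC errors propagate unchanged so callers can tell them apart`. The enclosing method starts and ends outside the hunk, so any handling further out is not visible here.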
--- a/lib/puppet/server/ca.rb +++ b/lib/puppet/server/ca.rb @@ -67,7 +67,7 @@ class Server # our client sends us a csr, and we either store it for later signing, # or we sign it right away - def getcert(csrtext, request = nil) + def getcert(csrtext, client = nil, clientip = nil) # okay, i need to retrieve the hostname from the csr, and then # verify that i get the same hostname through reverse lookup or # something diff --git a/lib/puppet/server/filebucket.rb b/lib/puppet/server/filebucket.rb index fa02d967a..9c02e0794 100755 --- a/lib/puppet/server/filebucket.rb +++ b/lib/puppet/server/filebucket.rb @@ -60,7 +60,7 @@ class Server end # accept a file from a client - def addfile(string,path, request = nil) + def addfile(string,path, client = nil, clientip = nil) #puts "entering addfile" contents = Base64.decode64(string) #puts "string is decoded" @@ -129,7 +129,7 @@ class Server return md5 end - def getfile(md5, request = nil) + def getfile(md5, client = nil, clientip = nil) bpath, bfile, bpaths = FileBucket.paths(@bucket,md5) unless FileTest.exists?(bfile) diff --git a/lib/puppet/server/fileserver.rb b/lib/puppet/server/fileserver.rb index 179459f42..6eec3503d 100755 --- a/lib/puppet/server/fileserver.rb +++ b/lib/puppet/server/fileserver.rb @@ -1,4 +1,5 @@ require 'puppet' +require 'webrick/httpstatus' require 'cgi' module Puppet @@ -40,18 +41,22 @@ class Server return obj end - def describe(file, request = nil) + def describe(file, client = nil, clientip = nil) mount, path = splitpath(file) - subdir = nil - unless subdir = subdir(mount, path) + unless @mounts[mount].allowed?(client, clientip) + raise Puppet::Server::AuthorizationError, "Cannot access %s" % mount + end + + sdir = nil + unless sdir = subdir(mount, path) Puppet.notice "Could not find subdirectory %s" % "//%s/%s" % [mount, path] return "" end obj = nil - unless obj = self.check(subdir) + unless obj = self.check(sdir) return "" end 
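Review bot: In `describe`, `@mounts[mount].allowed?(client, clientip)` is called without first checking that the mount exists, so an unknown mount name would call `allowed?` on `nil` unless `splitpath` already rejects it (not visible here). `retrieve` in this same file performs the `@mounts.include?(mount)` test before its authorization check, and `list` has the same gap as `describe`. Add the guard ahead of the check in both: `unless @mounts.include?(mount)` / `raise Puppet::Server::FileServerError, "%s not mounted" % mount` / `end`. The body of `describe` continues past the end of the hunk.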
@@ -112,9 +117,13 @@ class Server end end - def list(dir, recurse = false, sum = "md5", request = nil) + def list(dir, recurse = false, client = nil, clientip = nil) mount, path = splitpath(dir) + unless @mounts[mount].allowed?(client, clientip) + raise Puppet::Server::AuthorizationError, "Cannot access %s" % mount + end + subdir = nil unless subdir = subdir(mount, path) Puppet.notice "Could not find subdirectory %s" % @@ -194,11 +203,25 @@ class Server mount.path = value when "allow": value.split(/\s*,\s*/).each { |val| - mount.allow(val) + begin + Puppet.info "Allowing %s access to %s" % + [val, mount.name] + mount.allow(val) + rescue AuthStoreError => detail + raise Puppet::Error, "%s at line %s of %s" % + [detail.to_s, count, @config] + end } when "deny": value.split(/\s*,\s*/).each { |val| - mount.deny(val) + begin + Puppet.info "Denying %s access to %s" % + [val, mount.name] + mount.deny(val) + rescue AuthStoreError => detail + raise Puppet::Error, "%s at line %s of %s" % + [detail.to_s, count, @config] + end } else raise Puppet::Error, @@ -218,12 +241,15 @@ class Server end end - def retrieve(file, request = nil) + def retrieve(file, client = nil, clientip = nil) mount, path = splitpath(file) unless (@mounts.include?(mount)) - # FIXME I really need some better way to pass and handle xmlrpc errors - raise FileServerError, "%s not mounted" % mount + raise Puppet::Server::FileServerError, "%s not mounted" % mount + end + + unless @mounts[mount].allowed?(client, clientip) + raise Puppet::Server::AuthorizationError, "Cannot access %s" % mount end fpath = nil 
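Review bot: The caller identity is bound positionally after an optional parameter in `list(dir, recurse = false, client = nil, clientip = nil)`, so a remote call that omits `recurse` puts the hostname in `recurse` and the IP in `client`, and `allowed?` then runs with `clientip` nil. The servlet hook in this commit appends `@client, @clientip` to whatever arguments the caller sent, and the test change to `client.call("fileserver.list", rpath, false)` in tc_filesources.rb suggests the shift was already hit. Making `recurse` a required parameter, or having the hook pass identity in a fixed leading position, keeps the authorization inputs from sliding into other slots. Dropping `sum = "md5"` also changes the meaning of the third positional argument for any existing caller.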
@@ -327,30 +353,20 @@ class Server return dirname end - class Mount + class Mount < AuthStore attr_reader :path, :name - def allow(pattern) - end - - def allowed?(host) - end - - def deny(pattern) - end - def initialize(name, path = nil) unless name =~ %r{^\w+$} raise FileServerError, "Invalid name format '%s'" % name end @name = name - @allow = [] - @deny = [] - if path self.path = path end + + super() end def path=(path) diff --git a/lib/puppet/server/master.rb b/lib/puppet/server/master.rb index 00d62eb5b..b45f91210 100644 --- a/lib/puppet/server/master.rb +++ b/lib/puppet/server/master.rb @@ -17,6 +17,7 @@ class Server def initialize(hash = {}) + # FIXME this should all be s/:File/:Manifest/g or something # build our AST @file = hash[:File] || Puppet[:manifest] @parser = Puppet::Parser::Parser.new() @@ -37,8 +38,8 @@ class Server end end - def getconfig(facts, request = nil) - if request + def getconfig(facts, client = nil, clientip = nil) + if client #Puppet.warning request.inspect end if @local diff --git a/lib/puppet/server/servlet.rb b/lib/puppet/server/servlet.rb index b14efe645..4c45ebc62 100644 --- a/lib/puppet/server/servlet.rb +++ b/lib/puppet/server/servlet.rb @@ -4,6 +4,8 @@ module Puppet class Server class ServletError < RuntimeError; end class Servlet < XMLRPC::WEBrickServlet + ERR_UNAUTHORIZED = 30 + attr_accessor :request # this is just a duplicate of the normal method; it's here for @@ -12,6 +14,10 @@ class Server self.new(server, *options) end + def authorize(request, method) + true + end + def initialize(server, handlers) #Puppet.info server.inspect 
@@ -28,28 +34,55 @@ class Server } @request = nil + @client = nil + @clientip = nil self.set_service_hook { |obj, *args| #raise "crap!" - if @request - args.push @request + if @client and @clientip + args.push(@client, @clientip) #obj.call(args, @request) end begin obj.call(*args) + rescue Puppet::Server::AuthorizationError => detail + Puppet.warning obj.inspect + Puppet.warning args.inspect + Puppet.err "Permission denied: %s" % detail.to_s + raise XMLRPC::FaultException.new( + 1, detail.to_s + ) + rescue Puppet::Error => detail + Puppet.warning obj.inspect + Puppet.warning args.inspect + Puppet.err "Puppet error: %s" % detail.to_s + raise XMLRPC::FaultException.new( + 1, detail.to_s + ) rescue => detail Puppet.warning obj.inspect Puppet.warning args.inspect Puppet.err "Could not call: %s" % detail.to_s + raise error end } end def service(request, response) @request = request - if @request.client_cert - Puppet.info "client cert is %s" % @request.client_cert + if peer = request.peeraddr + @client = peer[2] + @clientip = peer[3] + else + raise XMLRPC::FaultException.new( + ERR_UNCAUGHT_EXCEPTION, + "Could not retrieve client information" + ) + end + + if request.client_cert + Puppet.info "client cert is %s" % request.client_cert end - if @request.server_cert + if request.server_cert #Puppet.info "server cert is %s" % @request.server_cert end #p @request @@ -59,6 +92,8 @@ class Server Puppet.err "Could not service request: %s: %s" % [detail.class, detail] end + @client = nil + @clientip = nil @request = nil end 
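Review bot: `@client` is taken from `request.peeraddr[2]`, which is the reverse-DNS name of the peer, and that name is what host patterns such as `allow *.madstop.com` are matched against; PTR records are set by whoever controls the address block, so they are not a verified identity. The request's `client_cert` is only logged in `service`; deriving the name from the verified certificate subject and keeping `clientip` for the IP rules would be the stronger source. The hook also skips `args.push` whenever either value is nil, so handlers then see `client = nil, clientip = nil`, and that case should be denied explicitly rather than left to each handler. Finally, the last rescue branch ends in `raise error`, but no `error` is defined in the visible code, which would raise `NameError` in place of the original exception; use a bare `raise` or wrap `detail` in `XMLRPC::FaultException` like the two branches above it.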
@@ -66,7 +101,21 @@ class Server # this is pretty much just a copy of the original method but with more # feedback + # here's where we have our authorization hooks def dispatch(methodname, *args) + + if defined? @request and @request + unless self.authorize(@request, methodname) + raise XMLRPC::FaultException.new( + ERR_UNAUTHORIZED, + "Host %s not authorized to call %s" % + [@request.host, methodname] + ) + end + else + raise Puppet::DevError, "Did not get request in dispatch" + end + #Puppet.warning "dispatch on %s called with %s" % # [methodname, args.inspect] for name, obj in @handler diff --git a/lib/puppet/sslcertificates.rb b/lib/puppet/sslcertificates.rb index 5b587a41b..fd26c097a 100755 --- a/lib/puppet/sslcertificates.rb +++ b/lib/puppet/sslcertificates.rb @@ -92,7 +92,7 @@ module SSLCertificates when :server: basic_constraint = "CA:FALSE" key_usage = %w{digitalSignature keyEncipherment} - ext_key_usage = %w{serverAuth} + ext_key_usage = %w{serverAuth clientAuth} when :ocsp: basic_constraint = "CA:FALSE" key_usage = %w{nonRepudiation digitalSignature} @@ -106,9 +106,6 @@ module SSLCertificates raise Puppet::Error, "unknown cert type '%s'" % hash[:type] end - Puppet.debug "Key usage is %s" % key_usage.inspect - Puppet.debug "ExtKey usage is %s" % ext_key_usage.inspect - ex << ef.create_extension("nsComment", "Puppet Ruby/OpenSSL Generated Certificate") ex << ef.create_extension("basicConstraints", basic_constraint, true) diff --git a/lib/puppet/type.rb b/lib/puppet/type.rb index 107e9e906..a15f41edb 100644 --- a/lib/puppet/type.rb +++ b/lib/puppet/type.rb 
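Review bot: The only gate in this `dispatch` block is `self.authorize(@request, methodname)`, and the `authorize` added in this commit returns `true` unconditionally, so the `ERR_UNAUTHORIZED` fault can never be raised as written. That should be stated at the definition, for example `# FIXME placeholder: authorizes every request; real checks currently live in the handlers`. The fault text also uses `@request.host`, which in WEBrick appears to reflect the requested host rather than the peer, so `@client` or `@clientip` would identify the caller more accurately. Handler-raised `AuthorizationError` is mapped to fault code `1` in the service hook rather than to `ERR_UNAUTHORIZED`, which leaves clients unable to tell a denial from any other Puppet error.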
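Review bot: Certificates of type `:server` now carry `clientAuth` as well as `serverAuth` in `ext_key_usage`, and nothing in the hunk says why. Widening extended key usage means every server certificate is also acceptable wherever client-certificate authentication is enforced, so the reason should be recorded next to the line, for example `# masters also connect as clients, so the same cert needs clientAuth` if that is the motive. If only some servers need it, a separate cert type would keep the grant narrower. The enclosing `case` starts above the hunk.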
@@ -498,10 +498,18 @@ class Type < Puppet::Element :should => value ) @states[name] = newstate - rescue => detail + rescue Puppet::Error => detail # the state failed, so just ignore it Puppet.debug "State %s failed: %s" % [name, detail] + rescue Puppet::DevError => detail + # the state failed, so just ignore it + Puppet.notice "State %s failed: %s" % + [name, detail] + rescue => detail + # the state failed, so just ignore it + Puppet.err "State %s failed: %s (%s)" % + [name, detail, detail.class] end end end diff --git a/lib/puppet/type/pfile.rb b/lib/puppet/type/pfile.rb index cffa6a890..c39b0b51f 100644 --- a/lib/puppet/type/pfile.rb +++ b/lib/puppet/type/pfile.rb @@ -1283,9 +1283,11 @@ module Puppet when "file": unless defined? @@localfileserver @@localfileserver = Puppet::Server::FileServer.new( - :Local => true + :Local => true, + :Mount => { "/" => "localhost" }, + :Config => false ) - @@localfileserver.mount("/", "localhost") + #@@localfileserver.mount("/", "localhost") end sourceobj.server = @@localfileserver path = "/localhost" + uri.path diff --git a/test/executables/tc_puppetd.rb b/test/executables/tc_puppetd.rb index 264bc80ef..38e382392 100755 --- a/test/executables/tc_puppetd.rb +++ b/test/executables/tc_puppetd.rb @@ -47,7 +47,7 @@ class TestPuppetDExe < Test::Unit::TestCase assert_nothing_raised { output = %x{puppetmasterd --port #{Puppet[:masterport]} --manifest #{file}}.chomp } - assert($? == 0) + assert($? == 0, "Puppetmasterd return status was %s" % $?) @@tmppids << $?.pid assert_equal("", output) end @@ -62,7 +62,7 @@ class TestPuppetDExe < Test::Unit::TestCase pid = ary[1].to_i end } - assert(pid) + assert(pid, "No puppetmasterd pid") assert_nothing_raised { Process.kill("-INT", pid) 
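Review bot: The three rescue branches in this hunk all carry the copied comment `# the state failed, so just ignore it`, although the second and third now log at `notice` and `err` and are clearly not meant to be ignored quietly. If `Puppet::DevError` descends from `Puppet::Error` (not visible here), the second branch is unreachable because the first matches earlier; placing `rescue Puppet::DevError` first removes the doubt. Each branch should say what it is for, such as `# user-level failure: skip this state`, `# internal bug: surface it`, and `# unexpected exception: log the class so it can be diagnosed`.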
@@ -75,8 +75,8 @@ class TestPuppetDExe < Test::Unit::TestCase assert_nothing_raised { output = %x{puppetd --server localhost}.chomp } - assert($? == 0) - assert_equal("", output) + assert($? == 0, "Puppetd exited with code %s" % $?) + assert_equal("", output, "Puppetd produced output %s" % output) assert_nothing_raised { socket = TCPSocket.new("127.0.0.1", Puppet[:masterport]) diff --git a/test/executables/tc_puppetmasterd.rb b/test/executables/tc_puppetmasterd.rb index 44aa03da4..ef89aa044 100755 --- a/test/executables/tc_puppetmasterd.rb +++ b/test/executables/tc_puppetmasterd.rb @@ -38,6 +38,7 @@ class TestPuppetMasterD < Test::Unit::TestCase Puppet[:loglevel] = :debug end @@tmpfiles = [] + @port = 8320 end def startmasterd(args) @@ -48,10 +49,10 @@ class TestPuppetMasterD < Test::Unit::TestCase # cmd += " --debug" #end assert_nothing_raised { - output = %x{puppetmasterd #{args}}.chomp + output = %x{puppetmasterd --port #{@port} #{args}}.chomp } - assert($? == 0) - assert_equal("", output) + assert($? == 0, "Puppetmasterd exit status was %s" % $?) + assert_equal("", output, "Puppetmasterd produced output %s" % output) end def stopmasterd(running = true) @@ -91,13 +92,13 @@ class TestPuppetMasterD < Test::Unit::TestCase startmasterd("--manifest #{file}") assert_nothing_raised { - socket = TCPSocket.new("127.0.0.1", Puppet[:masterport]) + socket = TCPSocket.new("127.0.0.1", @port) socket.close } client = nil assert_nothing_raised() { - client = XMLRPC::Client.new("localhost", "/RPC2", Puppet[:masterport], + client = XMLRPC::Client.new("localhost", "/RPC2", @port, nil, nil, nil, nil, true, 5) } retval = nil @@ -105,7 +106,7 @@ class TestPuppetMasterD < Test::Unit::TestCase assert_nothing_raised() { retval = client.call("status.status", "") } - assert_equal(1, retval) + assert_equal(1, retval, "Status.status return value was %s" % retval) facts = {} Facter.each { |p,v| facts[p] = v 
@@ -149,7 +150,7 @@ class TestPuppetMasterD < Test::Unit::TestCase assert_nothing_raised() { retval = client.nothing } - assert_equal(1, retval) + assert_equal(1, retval, "return value was %s" % retval) facts = {} Facter.each { |p,v| facts[p] = v diff --git a/test/parser/tc_lexer.rb b/test/parser/tc_lexer.rb index b8fd3e23b..d0ed19324 100644 --- a/test/parser/tc_lexer.rb +++ b/test/parser/tc_lexer.rb @@ -1,7 +1,6 @@ if __FILE__ == $0 $:.unshift '../../lib' - $:.unshift '../../../../library/trunk/lib/' - $:.unshift '../../../../library/trunk/test/' + $:.unshift '..' $puppetbase = "../.." end diff --git a/test/parser/tc_parser.rb b/test/parser/tc_parser.rb index 8a05a5765..cb3cea0e9 100644 --- a/test/parser/tc_parser.rb +++ b/test/parser/tc_parser.rb @@ -71,7 +71,5 @@ class TestParser < Test::Unit::TestCase assert_nothing_raised { ret = parser.parse } - puts ret.class - p ret end end diff --git a/test/server/tc_authstore.rb b/test/server/tc_authstore.rb index 89d3c72e1..38c657770 100755 --- a/test/server/tc_authstore.rb +++ b/test/server/tc_authstore.rb @@ -154,7 +154,7 @@ class TestAuthStore < TestPuppet } end - def test_ziprangedenials + def test_iprangedenials store = mkstore assert_nothing_raised("Failed to store overlapping IP ranges") { @@ -166,7 +166,7 @@ class TestAuthStore < TestPuppet assert(! store.allowed?("fake.name", "192.168.0.50"), "/24 ip allowed") end - def test_zsubdomaindenails + def test_subdomaindenails store = mkstore assert_nothing_raised("Failed to store overlapping IP ranges") { 
@@ -179,6 +179,37 @@ class TestAuthStore < TestPuppet assert(! store.allowed?("name.sub.madstop.com", "192.168.0.50"), "subname name allowed") end + + def test_orderingstuff + store = mkstore + + assert_nothing_raised("Failed to store overlapping IP ranges") { + store.allow("*.madstop.com") + store.deny("192.168.0.0/24") + } + + assert(store.allowed?("hostname.madstop.com", "192.168.1.50"), + "hostname not allowed") + assert(! store.allowed?("hostname.madstop.com", "192.168.0.50"), + "Host allowed over IP") + end + + def test_globalallow + store = mkstore + + assert_nothing_raised("Failed to add global allow") { + store.allow("*") + } + + [ + %w{hostname.com 192.168.0.4}, + %w{localhost 192.168.0.1}, + %w{localhost 127.0.0.1} + + ].each { |ary| + assert(store.allowed?(*ary), "Failed to allow %s" % [ary.join(",")]) + } + end end # $Id$ diff --git a/test/server/tc_fileserver.rb b/test/server/tc_fileserver.rb index 7369ef5ab..29895a38e 100755 --- a/test/server/tc_fileserver.rb +++ b/test/server/tc_fileserver.rb @@ -418,7 +418,7 @@ class TestFileServer < TestPuppet Dir.mkdir(basedir) mounts = {} - %w{thing thus ahna the}.each { |dir| + %w{thing thus these those}.each { |dir| path = File.join(basedir, dir) conftext << "[#{dir}] path #{path} @@ -431,7 +431,24 @@ class TestFileServer < TestPuppet @@tmpfiles << conffile File.open(conffile, "w") { |f| - f.print conftext + f.print "# a test config file + +[thing] + path #{basedir}/thing + allow 192.168.0.* + +[thus] + path #{basedir}/thus + allow *.madstop.com, *.kanies.com + deny *.sub.madstop.com + +[these] + path #{basedir}/these + +[those] + path #{basedir}/those + +" } @@ -443,6 +460,7 @@ class TestFileServer < TestPuppet } list = nil + # run through once with no host/ip info, to verify everything is working mounts.each { |mount, files| mount = "/#{mount}/" assert_nothing_raised { 
@@ -465,6 +483,53 @@ class TestFileServer < TestPuppet assert_match(/^\d+/, desc, "Got invalid description %s" % f) } } + + # now let's check that things are being correctly forbidden + { + "thing" => { + :deny => [ + ["hostname.com", "192.168.1.0"], + ["hostname.com", "192.158.0.0"] + ], + :allow => [ + ["hostname.com", "192.168.0.0"], + ["hostname.com", "192.168.0.245"], + ] + }, + "thus" => { + :deny => [ + ["hostname.com", "192.168.1.0"], + ["name.sub.madstop.com", "192.158.0.0"] + ], + :allow => [ + ["luke.kanies.com", "192.168.0.0"], + ["luke.madstop.com", "192.168.0.245"], + ] + } + }.each { |mount, hash| + mount = "/#{mount}/" + + hash.each { |type, ary| + ary.each { |sub| + host, ip = sub + + case type + when :deny: + assert_raise(Puppet::Server::AuthorizationError, + "Host %s, ip %s, allowed %s" % + [host, ip, mount]) { + list = server.list(mount, true, host, ip) + } + when :allow: + assert_nothing_raised("Host %s, ip %s, denied %s" % + [host, ip, mount]) { + list = server.list(mount, true, host, ip) + } + end + } + } + } + end end diff --git a/test/server/tc_server.rb b/test/server/tc_server.rb index 50c5a6cec..1b7225748 100644 --- a/test/server/tc_server.rb +++ b/test/server/tc_server.rb @@ -132,7 +132,6 @@ class TestServer < Test::Unit::TestCase clthread = Thread.new { assert_nothing_raised() { - Puppet.notice "calling status" retval = client.call("status.status", "") } } @@ -186,7 +185,6 @@ class TestServer < Test::Unit::TestCase retval = nil assert_nothing_raised() { - Puppet.notice "calling status" retval = client.call("status.status") } @@ -244,7 +242,6 @@ class TestServer < Test::Unit::TestCase retval = nil assert_nothing_raised() { - Puppet.notice "calling status" retval = client.getconfig } @@ -257,7 +254,6 @@ class TestServer < Test::Unit::TestCase facts = CGI.escape(Marshal.dump(Puppet::Client::MasterClient.facts)) assert_nothing_raised() { - Puppet.notice "calling status" retval = client.call("puppetmaster.getconfig", facts) } 
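Review bot: The new allow/deny cases exercise only `server.list`, yet the same `allowed?` check was added to `describe` and `retrieve` in fileserver.rb and is not covered here. Repeating each `[host, ip]` pair against those two calls would pin all three entry points. The earlier pass in this test runs with no host or IP and appears to expect success on mounts that carry `allow` rules, which implies a nil identity is treated as allowed; if that is meant only for local use, a comment saying so and a case asserting the networked path never reaches a handler with nil identity would document the boundary. There is also no case for a mount name that is absent from the config.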
@@ -49,3 +49,6 @@ end suites.each { |suite| PuppetTestSuite.new(suite) } + +# This damn problem just doesn't seem to want to go away +system("%s/etc/init.d/sleeper stop 2>/dev/null 1>/dev/null" % $puppetbase) diff --git a/test/types/tc_filesources.rb b/test/types/tc_filesources.rb index ba10eaacd..cb280a288 100755 --- a/test/types/tc_filesources.rb +++ b/test/types/tc_filesources.rb @@ -194,7 +194,6 @@ class TestFileSources < Test::Unit::TestCase if networked source = "puppet://localhost/%s%s" % [networked, fromdir] end - Puppet.warning "Source is %s" % source recursive_source_test(source, todir) return [fromdir,todir] @@ -310,9 +309,28 @@ class TestFileSources < Test::Unit::TestCase assert(klass[file3]) end - def test_SimpleNetworkSources + def mkfileserverconf(mounts) + file = "/tmp/fileserverconftestingfile%s" % rand(100) + File.open(file, "w") { |f| + mounts.each { |path, name| + f.puts "[#{name}]\n\tpath #{path}\n\tallow *\n" + } + } + + @@tmpfiles << file + return file + end + + def test_zSimpleNetworkSources server = nil basedir = "/tmp/simplnetworksourcetesting" + + mounts = { + "/" => "root" + } + + fileserverconf = mkfileserverconf(mounts) + if File.exists?(basedir) system("rm -rf %s" % basedir) end @@ -335,9 +353,7 @@ class TestFileSources < Test::Unit::TestCase :Handlers => { :CA => {}, # so that certs autogenerate :FileServer => { - :Mount => { - "/" => "root" - } + :Config => fileserverconf } } ) @@ -364,7 +380,7 @@ class TestFileSources < Test::Unit::TestCase list = nil rpath = "/root%s" % tmpfile assert_nothing_raised { - list = client.call("fileserver.list", rpath) + list = client.call("fileserver.list", rpath, false) } assert_equal("/\tfile", list) @@ -387,7 +403,7 @@ class TestFileSources < Test::Unit::TestCase } end - def test_NetworkSources + def test_zNetworkSources server = nil basedir = "/tmp/networksourcetesting" if File.exists?(basedir) 
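Review bot: `mkfileserverconf` writes its config to `"/tmp/fileserverconftestingfile%s" % rand(100)`, a predictable name in a shared directory opened with mode `"w"`, so it can collide between concurrent runs and will follow a file or symlink that already exists at that path. The standard library covers this: `f = Tempfile.new("fileserverconf")`, write through `f`, and return `f.path` while keeping `f` referenced for the life of the test. The generated stanza grants `allow *` on a mount of `/`, which is worth a comment noting it is for the test server only.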
@@ -395,6 +411,12 @@ class TestFileSources < Test::Unit::TestCase end Dir.mkdir(basedir) + mounts = { + "/" => "root" + } + + fileserverconf = mkfileserverconf(mounts) + Puppet[:puppetconf] = basedir Puppet[:puppetvar] = basedir Puppet[:autosign] = true @@ -408,9 +430,7 @@ class TestFileSources < Test::Unit::TestCase :Handlers => { :CA => {}, # so that certs autogenerate :FileServer => { - :Mount => { - "/" => "root" - } + :Config => fileserverconf } } ) |
