author Brice Figureau <brice-puppet@daysofwonder.com> 2009-06-28 14:42:04 +0200
committer James Turnbull <james@lovedthanlost.net> 2009-07-07 16:19:39 +1000
commit ea66cf6b9a5de1dd784dfed8995babf90225f8a0
tree 678a1a2ba846b1092131f2957cba479ee4a11566 /lib
parent 1e83aadc749aea9d52281d4f4041f6144a7229c7
Fix #2348 - Allow authstore (and REST auth) to match allow/deny against opaque strings
This patch removes the limitation of allow/deny which were only matching IP addresses or hostname (or pattern of). It makes sure any kind of string can be matched (by strict equality) while still keeping the old behaviour. Opaque strings can only contain: alphanumeric characters, - _ and @.

Signed-off-by: Brice Figureau <brice-puppet@daysofwonder.com>
Diffstat (limited to 'lib')
-rwxr-xr-x lib/puppet/network/authstore.rb 13
1 files changed, 10 insertions, 3 deletions
diff --git a/lib/puppet/network/authstore.rb b/lib/puppet/network/authstore.rb
index 6f7a7df25..306e1ba8a 100755
--- a/lib/puppet/network/authstore.rb
+++ b/lib/puppet/network/authstore.rb
@@ -249,7 +249,7 @@ module Puppet
# Does the name match our pattern?
def matchname?(name)
- name = munge_name(name)
+ name = munge_name(name) unless @name == :opaque
return true if self.pattern == name
# If it's an exact match, then just return false, since the
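Review bot: With munge_name skipped for :opaque entries, `return true if self.pattern == name` compares the raw name against a pattern that the second hunk stores as a one-element array (`@pattern = [value]`). If name reaches matchname? as a String, that equality is never true and an opaque allow/deny entry can never match. Either store the opaque pattern as the bare string or wrap the name the same way before comparing, and add a spec asserting that an opaque allow actually matches. A comment here noting that opaque names receive no normalization before comparison would also help the next reader.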
@@ -324,10 +324,17 @@ module Puppet
end
begin
@pattern = IPAddr.new(value)
+ @name = :ip
rescue ArgumentError => detail
- raise AuthStoreError, "Invalid pattern %s" % value
+ # so nothing matched, let's match as an opaque value
+ # some sanity checks first
+ unless value =~ /^[a-zA-Z0-9][-a-zA-Z0-9_.@]*$/
+ raise AuthStoreError, "Invalid pattern %s" % value
+ end
+ @pattern = [value]
+ @length = nil # force an exact match
+ @name = :opaque
end
- @name = :ip
end
end
end
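Review bot: The sanity check `/^[a-zA-Z0-9][-a-zA-Z0-9_.@]*$/` anchors with ^ and $, which in Ruby match at line boundaries, so a multi-line value passes as long as one of its lines fits the character class; use \A and \z instead. The class also admits `.`, which the commit message does not list among the permitted characters, so one of the two should be corrected. Because this branch is the rescue for `IPAddr.new(value)`, a value that IPAddr rejects but that fits the class (a mistyped address made only of digits and dots, for instance) no longer raises AuthStoreError and is stored as an :opaque pattern; for a deny entry that means the rule silently stops covering the address it was written for. Consider rejecting values that look like an address before falling back to :opaque. `detail` is also unused in the rescue clause now.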