Merge branch '2.7.x'

* 2.7.x: Deprecate RestAuthConfig#allowed? in favor of #check_authorization Fix #6026 - security file should support inline comments Fix #5010 - Allow leading whitespace in auth.conf Fix #5777 - rule interpolation broke auth.conf CIDR rules
author: Jacob Helwig <jacob@puppetlabs.com> 2011-07-26 16:15:38 -0700
committer: Jacob Helwig <jacob@puppetlabs.com> 2011-07-26 16:15:38 -0700
commit: 5b167eba2b602f5c6c6c224790fa1eb56b239ad4 (patch)
tree: 9440ead7019bf8cc3012e4d2743b163b27e8daad /spec
parent: 0506874ebeac8f2fb7d6c754ed6b606eab56d216 (diff)
parent: 5682125e1800f4c7b69b20fdd28f97a473d5d93c (diff)
download: puppet-5b167eba2b602f5c6c6c224790fa1eb56b239ad4.tar.gz
puppet-5b167eba2b602f5c6c6c224790fa1eb56b239ad4.tar.xz
puppet-5b167eba2b602f5c6c6c224790fa1eb56b239ad4.zip
4 files changed, 177 insertions, 1 deletions
diff --git a/spec/integration/network/rest_authconfig_spec.rb b/spec/integration/network/rest_authconfig_spec.rb
new file mode 100644
index 000000000..d2f539cd4
--- /dev/null
+++ b/spec/integration/network/rest_authconfig_spec.rb
@@ -0,0 +1,145 @@
+require 'spec_helper'
+
+require 'puppet/network/rest_authconfig'
+
+RSpec::Matchers.define :allow do |params|
+
+  match do |auth|
+    begin
+      auth.check_authorization(params[0], params[1], params[2], params[3])
+      true
+    rescue Puppet::Network::AuthorizationError
+      false
+    end
+  end
+
+  failure_message_for_should do |instance|
+    "expected #{params[3][:node]}/#{params[3][:ip]} to be allowed"
+  end
+
+  failure_message_for_should_not do |instance|
+    "expected #{params[3][:node]}/#{params[3][:ip]} to be forbidden"
+  end
+end
+
+describe Puppet::Network::RestAuthConfig do
+  include PuppetSpec::Files
+
+  before(:each) do
+    Puppet[:rest_authconfig] = tmpfile('auth.conf')
+  end
+
+  def add_rule(rule)
+    File.open(Puppet[:rest_authconfig],"w+") do |f|
+      f.print "path /test\n#{rule}\n"
+    end
+    @auth = Puppet::Network::RestAuthConfig.new(Puppet[:rest_authconfig], true)
+  end
+
+  def add_regex_rule(regex, rule)
+    File.open(Puppet[:rest_authconfig],"w+") do |f|
+      f.print "path ~ #{regex}\n#{rule}\n"
+    end
+    @auth = Puppet::Network::RestAuthConfig.new(Puppet[:rest_authconfig], true)
+  end
+
+  def request(args = {})
+    { :ip => '10.1.1.1', :node => 'host.domain.com', :key => 'key', :authenticated => true }.each do |k,v|
+      args[k] ||= v
+    end
+    ['test', :find, args[:key], args]
+  end
+
+  it "should support IPv4 address" do
+    add_rule("allow 10.1.1.1")
+
+    @auth.should allow(request)
+  end
+
+  it "should support CIDR IPv4 address" do
+    add_rule("allow 10.0.0.0/8")
+
+    @auth.should allow(request)
+  end
+
+  it "should support wildcard IPv4 address" do
+    add_rule("allow 10.1.1.*")
+
+    @auth.should allow(request)
+  end
+
+  it "should support IPv6 address" do
+    add_rule("allow 2001:DB8::8:800:200C:417A")
+
+    @auth.should allow(request(:ip => '2001:DB8::8:800:200C:417A'))
+  end
+
+  it "should support hostname" do
+    add_rule("allow host.domain.com")
+
+    @auth.should allow(request)
+  end
+
+  it "should support wildcard host" do
+    add_rule("allow *.domain.com")
+
+    @auth.should allow(request)
+  end
+
+  it "should support hostname backreferences" do
+    add_regex_rule('^/test/([^/]+)$', "allow $1.domain.com")
+
+    @auth.should allow(request(:key => 'host'))
+  end
+
+  it "should support opaque strings" do
+    add_rule("allow this-is-opaque@or-not")
+
+    @auth.should allow(request(:node => 'this-is-opaque@or-not'))
+  end
+
+  it "should support opaque strings and backreferences" do
+    add_regex_rule('^/test/([^/]+)$', "allow $1")
+
+    @auth.should allow(request(:key => 'this-is-opaque@or-not', :node => 'this-is-opaque@or-not'))
+  end
+
+  it "should support hostname ending with '.'" do
+    pending('bug #7589')
+    add_rule("allow host.domain.com.")
+
+    @auth.should allow(request(:node => 'host.domain.com.'))
+  end
+
+  it "should support hostname ending with '.' and backreferences" do
+    pending('bug #7589')
+    add_regex_rule('^/test/([^/]+)$',"allow $1")
+
+    @auth.should allow(request(:node => 'host.domain.com.'))
+  end
+
+  it "should support trailing whitespace" do
+    add_rule('allow host.domain.com    ')
+
+    @auth.should allow(request)
+  end
+
+  it "should support inlined comments" do
+    add_rule('allow host.domain.com # will it work?')
+
+    @auth.should allow(request)
+  end
+
+  it "should deny non-matching host" do
+    add_rule("allow inexistant")
+
+    @auth.should_not allow(request)
+  end
+
+  it "should deny denied hosts" do
+    add_rule("deny host.domain.com")
+
+    @auth.should_not allow(request)
+  end
+
+end
+\ No newline at end of file
diff --git a/spec/unit/file_serving/configuration/parser_spec.rb b/spec/unit/file_serving/configuration/parser_spec.rb
index 3d6b3e234..5ccfc5075 100755
--- a/spec/unit/file_serving/configuration/parser_spec.rb
+++ b/spec/unit/file_serving/configuration/parser_spec.rb
@@ -118,6 +118,14 @@ describe Puppet::FileServing::Configuration::Parser do
       @parser.parse
     end
 
+    it "should support inline comments" do
+      mock_file_content "[one]\nallow something \# will it work?\n"
+
+      @mount.expects(:info)
+      @mount.expects(:allow).with("something")
+      @parser.parse
+    end
+
     it "should tell the mount to deny any deny values from the section" do
       mock_file_content "[one]\ndeny something\n"
 
diff --git a/spec/unit/network/authconfig_spec.rb b/spec/unit/network/authconfig_spec.rb
index c47b2e0c5..ca94cc1ab 100755
--- a/spec/unit/network/authconfig_spec.rb
+++ b/spec/unit/network/authconfig_spec.rb
@@ -184,6 +184,29 @@ describe Puppet::Network::AuthConfig do
       @authconfig.read
     end
 
+    it "should strip whitespace around ACE" do
+      acl = stub 'acl', :info
+
+      @fd.stubs(:each).multiple_yields('[puppetca]', ' allow 127.0.0.1 , 172.16.10.0  ')
+      @rights.stubs(:newright).with("[puppetca]", 1, 'dummy').returns(acl)
+
+      acl.expects(:allow).with('127.0.0.1')
+      acl.expects(:allow).with('172.16.10.0')
+
+      @authconfig.read
+    end
+
+    it "should allow ACE inline comments" do
+      acl = stub 'acl', :info
+
+      @fd.stubs(:each).multiple_yields('[puppetca]', ' allow 127.0.0.1 # will it work?')
+      @rights.stubs(:newright).with("[puppetca]", 1, 'dummy').returns(acl)
+
+      acl.expects(:allow).with('127.0.0.1')
+
+      @authconfig.read
+    end
+
     it "should create an allow ACE on each subsequent allow" do
       acl = stub 'acl', :info
 
diff --git a/spec/unit/network/rest_authconfig_spec.rb b/spec/unit/network/rest_authconfig_spec.rb
index e1403997f..bebbb874f 100755
--- a/spec/unit/network/rest_authconfig_spec.rb
+++ b/spec/unit/network/rest_authconfig_spec.rb
@@ -29,7 +29,7 @@ describe Puppet::Network::RestAuthConfig do
     params = {:ip => "127.0.0.1", :node => "me", :environment => :env, :authenticated => true}
     @acl.expects(:is_request_forbidden_and_why?).with("path", :save, "to/resource", params).returns(nil)
 
-    @authconfig.allowed?("path", :save, "to/resource", params)
+    @authconfig.check_authorization("path", :save, "to/resource", params)
   end
 
   describe "when defining an acl with mk_acl" do
author	Jacob Helwig <jacob@puppetlabs.com>	2011-07-26 16:15:38 -0700
committer	Jacob Helwig <jacob@puppetlabs.com>	2011-07-26 16:15:38 -0700
commit	5b167eba2b602f5c6c6c224790fa1eb56b239ad4 (patch)
tree	9440ead7019bf8cc3012e4d2743b163b27e8daad /spec
parent	0506874ebeac8f2fb7d6c754ed6b606eab56d216 (diff)
parent	5682125e1800f4c7b69b20fdd28f97a473d5d93c (diff)
download	puppet-5b167eba2b602f5c6c6c224790fa1eb56b239ad4.tar.gz puppet-5b167eba2b602f5c6c6c224790fa1eb56b239ad4.tar.xz puppet-5b167eba2b602f5c6c6c224790fa1eb56b239ad4.zip