diff options
| author | Siim Põder <siim.poder@skype.net> | 2011-01-21 14:26:37 +0200 |
|---|---|---|
| committer | Josh Cooper <josh@puppetlabs.com> | 2011-05-31 09:12:15 -0700 |
| commit | c02126df4804b42ecaca2cdff675be9c4e24aa54 (patch) | |
| tree | 70aa53510b6660fedf0ae445b57581f6359bee04 /spec | |
| parent | d0592fabd27472ba0f5586393eff20e536f8766a (diff) | |
| download | puppet-c02126df4804b42ecaca2cdff675be9c4e24aa54.tar.gz puppet-c02126df4804b42ecaca2cdff675be9c4e24aa54.tar.xz puppet-c02126df4804b42ecaca2cdff675be9c4e24aa54.zip | |
(#5966) Add support for hostname regular expressions in auth.conf
When hosting multiple applications (especially with different security levels),
you may not want to allow every client to read all the files required for
every other client. Currently it is possible to do this when your host and
domain names reasonably reflect that grouping, ex: hostXYZ.someapp.domain.com.
However, if you have a more flat naming convention, it is difficult to write
these ACLs. This patch adds support for matching hostnames with regular
expressions, thus extending the ACLs to allow:
path /file_content/secrets/appserver
allow /appserver[0-9]+.example.com$/
path /file_content/secrets/otherservice
allow /^(test-)crazy[0-9]+.pattern.(com|net)$/
Signed-off-by: Josh Cooper <josh@puppetlabs.com>
Reviewed-by: Jacob Helwig <jacob@puppetlabs.com>
Diffstat (limited to 'spec')
| -rwxr-xr-x | spec/unit/network/authstore_spec.rb | 39 |
1 files changed, 35 insertions, 4 deletions
diff --git a/spec/unit/network/authstore_spec.rb b/spec/unit/network/authstore_spec.rb index d62c8abaa..d5ff42d6e 100755 --- a/spec/unit/network/authstore_spec.rb +++ b/spec/unit/network/authstore_spec.rb @@ -4,11 +4,11 @@ require 'spec_helper' require 'puppet/network/authconfig' describe Puppet::Network::AuthStore do - describe "when checking if the acl has some entries" do - before :each do - @authstore = Puppet::Network::AuthStore.new - end + before :each do + @authstore = Puppet::Network::AuthStore.new + end + describe "when checking if the acl has some entries" do it "should be empty if no ACE have been entered" do @authstore.should be_empty end @@ -31,6 +31,37 @@ describe Puppet::Network::AuthStore do @authstore.should_not be_empty end end + + describe "when checking global allow" do + it "should not be enabled by default" do + @authstore.should_not be_globalallow + @authstore.should_not be_allowed('foo.bar.com', '192.168.1.1') + end + + it "should always allow when enabled" do + @authstore.allow('*') + + @authstore.should be_globalallow + @authstore.should be_allowed('foo.bar.com', '192.168.1.1') + end + end + + describe "when checking a regex type of allow" do + before :each do + @authstore.allow('/^(test-)?host[0-9]+\.other-domain\.(com|org|net)$|some-domain\.com/') + @ip = '192.168.1.1' + end + ['host5.other-domain.com', 'test-host12.other-domain.net', 'foo.some-domain.com'].each { |name| + it "should allow the host #{name}" do + @authstore.should be_allowed(name, @ip) + end + } + ['host0.some-other-domain.com',''].each { |name| + it "should not allow the host #{name}" do + @authstore.should_not be_allowed(name, @ip) + end + } + end end describe Puppet::Network::AuthStore::Declaration do |