authorBrice Figureau <brice-puppet@daysofwonder.com>2009-04-11 18:58:56 +0200
committerBrice Figureau <brice-puppet@daysofwonder.com>2009-04-23 20:52:02 +0200
commit22b82abcd27834e43426f2758fba5728c146be61 (patch)
tree0ff8d542a0a1baf4bcfbecbc92a43455680d3671 /test
parent15abe1709aa52bb45fe228139f4c0352dc8905df (diff)
Add dynamic authorization to authstore
The idea is to have allow/deny authorization directives that are dynamic: their evaluation is deferred until we perform the authorization check in allowed?. This is done to allow replacing backreferences in allow/deny directives with the parameters of the match that selected this right. For instance, it is possible to write: allow $1.$2. Calling Right::interpolate() with the result of a regex match that has 2 captures will then evaluate $1.$2 to those captures. For instance, if we captured [host, reductivelabs.com], the allow directive is replaced by: allow host.reductivelabs.com. It is then safe to call allowed?, after which we can reset the interpolation. This interpolation is thread-safe. Signed-off-by: Brice Figureau <brice-puppet@daysofwonder.com> authconfig regex support
Diffstat (limited to 'test')
-rwxr-xr-xtest/network/authstore.rb49
1 files changed, 48 insertions, 1 deletions
diff --git a/test/network/authstore.rb b/test/network/authstore.rb
index ad4a4f1c2..587f39627 100755
--- a/test/network/authstore.rb
+++ b/test/network/authstore.rb
@@ -266,6 +266,51 @@ class TestAuthStore < Test::Unit::TestCase
assert(@store.allowed?("host.madstop.com", "192.168.0.1"),
"More specific allowal by ip failed")
end
+
+ def test_dynamic_backreferences
+ @store.allow("$1.madstop.com")
+
+ assert_nothing_raised { @store.interpolate([nil, "host"]) }
+ assert(@store.allowed?("host.madstop.com", "192.168.0.1"), "interpolation failed")
+ assert_nothing_raised { @store.reset_interpolation }
+ end
+
+ def test_dynamic_ip
+ @store.allow("192.168.0.$1")
+
+ assert_nothing_raised { @store.interpolate([nil, "12"]) }
+ assert(@store.allowed?("host.madstop.com", "192.168.0.12"), "interpolation failed")
+ assert_nothing_raised { @store.reset_interpolation }
+ end
+
+ def test_multiple_dynamic_backreferences
+ @store.allow("$1.$2")
+
+ assert_nothing_raised { @store.interpolate([nil, "host", "madstop.com"]) }
+ assert(@store.allowed?("host.madstop.com", "192.168.0.1"), "interpolation failed")
+ assert_nothing_raised { @store.reset_interpolation }
+ end
+
+ def test_multithreaded_allow_with_dynamic_backreferences
+ @store.allow("$1.madstop.com")
+
+ threads = []
+ 9.times { |a|
+ threads << Thread.new {
+ 9.times { |b|
+ Thread.pass
+ @store.interpolate([nil, "a#{b}", "madstop.com"])
+ Thread.pass
+ assert( @store.allowed?("a#{b}.madstop.com", "192.168.0.1") )
+ Thread.pass
+ @store.reset_interpolation
+ Thread.pass
+ }
+ }
+ }
+ threads.each { |th| th.join }
+ end
+
end
class TestAuthStoreDeclaration < PuppetTest::TestCase
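Review bot: None of the four new tests asserts a denial, so an interpolation that matched more broadly than intended would still pass them. In `test_dynamic_backreferences`, add a negative check before the reset, for example `assert(!@store.allowed?("other.madstop.com", "192.168.0.1"), "interpolation allowed a non-matching host")`. It would also help to assert the store's behaviour after `reset_interpolation`, presumably that the dynamic rule no longer allows `host.madstop.com`, though the expected result is not visible in this hunk. In `test_multithreaded_allow_with_dynamic_backreferences` the outer block variable `a` is unused, so all nine threads interpolate the same `a#{b}` names and a value leaking from one thread to another could go unnoticed. Giving each thread its own names, with `@store.interpolate([nil, "a#{a}#{b}", "madstop.com"])` and the matching `"a#{a}#{b}.madstop.com"` in the assert, would make the thread-safety claim actually tested.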
@@ -292,7 +337,9 @@ class TestAuthStoreDeclaration < PuppetTest::TestCase
"billy.Hostname.COM" => [:domain, %w{com hostname billy}, nil],
"billy-jean.Hostname.COM" => [:domain, %w{com hostname billy-jean}, nil],
"*.hostname.COM" => [:domain, %w{com hostname}, 2],
- "*.hostname.COM" => [:domain, %w{com hostname}, 2]
+ "*.hostname.COM" => [:domain, %w{com hostname}, 2],
+ "$1.hostname.COM" => [:dynamic, %w{com hostname $1}, nil],
+ "192.168.$1.$2" => [:dynamic, %w{$2 $1 168 192}, nil]
}.each do |input, output|
# Create a new decl each time, so values aren't cached.