1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
|
#!/usr/bin/env ruby
require 'spec_helper'
require 'puppet/network/rest_authconfig'
describe Puppet::Network::RestAuthConfig do
DEFAULT_ACL = [
{ :acl => "~ ^\/catalog\/([^\/]+)$", :method => :find, :allow => '$1', :authenticated => true },
# this one will allow all file access, and thus delegate
# to fileserver.conf
{ :acl => "/file" },
{ :acl => "/certificate_revocation_list/ca", :method => :find, :authenticated => true },
{ :acl => "/report", :method => :save, :authenticated => true },
{ :acl => "/certificate/ca", :method => :find, :authenticated => false },
{ :acl => "/certificate/", :method => :find, :authenticated => false },
{ :acl => "/certificate_request", :method => [:find, :save], :authenticated => false },
{ :acl => "/status", :method => [:find], :authenticated => true },
]
before :each do
FileTest.stubs(:exists?).returns(true)
File.stubs(:stat).returns(stub('stat', :ctime => :now))
Time.stubs(:now).returns Time.now
@authconfig = Puppet::Network::RestAuthConfig.new("dummy", false)
@authconfig.stubs(:read)
@acl = stub_everything 'rights'
@authconfig.rights = @acl
end
it "should use the puppet default rest authorization file" do
Puppet.expects(:[]).with(:rest_authconfig).returns("dummy")
Puppet::Network::RestAuthConfig.new(nil, false)
end
it "should ask for authorization to the ACL subsystem" do
params = {:ip => "127.0.0.1", :node => "me", :environment => :env, :authenticated => true}
@acl.expects(:is_request_forbidden_and_why?).with("path", :save, "to/resource", params).returns(nil)
@authconfig.allowed?("path", :save, "to/resource", params)
end
describe "when defining an acl with mk_acl" do
it "should create a new right for each default acl" do
@acl.expects(:newright).with(:path)
@authconfig.mk_acl(:acl => :path)
end
it "should allow everyone for each default right" do
@acl.expects(:allow).with(:path, "*")
@authconfig.mk_acl(:acl => :path)
end
it "should restrict the ACL to a method" do
@acl.expects(:restrict_method).with(:path, :method)
@authconfig.mk_acl(:acl => :path, :method => :method)
end
it "should restrict the ACL to a specific authentication state" do
@acl.expects(:restrict_authenticated).with(:path, :authentication)
@authconfig.mk_acl(:acl => :path, :authenticated => :authentication)
end
end
describe "when parsing the configuration file" do
it "should check for missing ACL after reading the authconfig file" do
File.stubs(:open)
@authconfig.expects(:insert_default_acl)
@authconfig.parse
end
end
DEFAULT_ACL.each do |acl|
it "should insert #{acl[:acl]} if not present" do
@authconfig.rights.stubs(:[]).returns(true)
@authconfig.rights.stubs(:[]).with(acl[:acl]).returns(nil)
@authconfig.expects(:mk_acl).with { |h| h[:acl] == acl[:acl] }
@authconfig.insert_default_acl
end
it "should not insert #{acl[:acl]} if present" do
@authconfig.rights.stubs(:[]).returns(true)
@authconfig.rights.stubs(:[]).with(acl).returns(true)
@authconfig.expects(:mk_acl).never
@authconfig.insert_default_acl
end
end
it "should create default ACL entries if no file have been read" do
Puppet::Network::RestAuthConfig.any_instance.stubs(:exists?).returns(false)
Puppet::Network::RestAuthConfig.any_instance.expects(:insert_default_acl)
Puppet::Network::RestAuthConfig.main
end
describe "when adding default ACLs" do
DEFAULT_ACL.each do |acl|
it "should create a default right for #{acl[:acl]}" do
@authconfig.stubs(:mk_acl)
@authconfig.expects(:mk_acl).with(acl)
@authconfig.insert_default_acl
end
end
it "should log at info loglevel" do
Puppet.expects(:info).at_least_once
@authconfig.insert_default_acl
end
it "should create a last catch-all deny all rule" do
@authconfig.stubs(:mk_acl)
@acl.expects(:newright).with("/")
@authconfig.insert_default_acl
end
it "should create a last catch-all deny all rule for any authenticated request state" do
@authconfig.stubs(:mk_acl)
@acl.stubs(:newright).with("/")
@acl.expects(:restrict_authenticated).with("/", :any)
@authconfig.insert_default_acl
end
end
end
|