path: root/spec/unit/network/rest_authconfig_spec.rb
blob: 736521b541a9fb38d75fde2fbf993c79bcfe929b (plain)
#!/usr/bin/env ruby

require 'spec_helper'

require 'puppet/network/rest_authconfig'

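# Unit spec for Puppet::Network::RestAuthConfig. It checks that authorization
# queries are handed to the rights (ACL) object, that mk_acl turns an ACL
# description into calls on that object, and that insert_default_acl adds the
# default entries plus a final right for "/".
describe Puppet::Network::RestAuthConfig do

  # The entries insert_default_acl is expected to hand to mk_acl. The
  # "should create a default right" examples below match each hash exactly, so
  # the :method and :authenticated values are part of the expectation: a change
  # to which endpoints accept unauthenticated requests must also change this
  # table.
  #
  # Only the three certificate-related entries carry :authenticated => false;
  # presumably they let a node without a signed certificate fetch the CA
  # certificate and submit a request -- confirm against the production table.
  #
  # NOTE(review): the first entry is a pattern ("~" prefix). If the rights
  # layer compiles it as a Ruby Regexp, "^" and "$" anchor per line rather than
  # per string; "\A" and "\z" would be the stricter form. This table only
  # mirrors the production default, so confirm there before changing it here.
  DEFAULT_ACL = [
    { :acl => "~ ^\/catalog\/([^\/]+)$", :method => :find, :allow => '$1', :authenticated => true },
    # No :method or :authenticated restriction on this entry: it allows all
    # file access at this layer and thus delegates the decision to
    # fileserver.conf.
    { :acl => "/file" },
    { :acl => "/certificate_revocation_list/ca", :method => :find, :authenticated => true },
    { :acl => "/report", :method => :save, :authenticated => true },
    { :acl => "/certificate/ca", :method => :find, :authenticated => false },
    { :acl => "/certificate/", :method => :find, :authenticated => false },
    { :acl => "/certificate_request", :method => [:find, :save], :authenticated => false },
    { :acl => "/status", :method => [:find], :authenticated => true },
  ].freeze

  before :each do
    # Pretend the config file exists and has a stat, so no real file is needed.
    FileTest.stubs(:exists?).returns(true)
    File.stubs(:stat).returns(stub('stat', :ctime => :now))
    # Pin the clock to a single value for the duration of the example.
    Time.stubs(:now).returns Time.now

    @authconfig = Puppet::Network::RestAuthConfig.new("dummy", false)
    # Never read the (nonexistent) "dummy" file.
    @authconfig.stubs(:read)

    # Replace the rights object with a stub that accepts any call, so each
    # example can set expectations on exactly the ACL calls it cares about.
    @acl = stub_everything 'rights'
    @authconfig.rights = @acl
  end

  it "should use the puppet default rest authorization file" do
    Puppet.expects(:[]).with(:rest_authconfig).returns("dummy")

    Puppet::Network::RestAuthConfig.new(nil, false)
  end

  # allowed? must pass the request through to the rights object unchanged,
  # including the caller's :ip, :node and :authenticated values.
  it "should ask for authorization to the ACL subsystem" do
    params = {:ip => "127.0.0.1", :node => "me", :environment => :env, :authenticated => true}
    @acl.expects(:is_request_forbidden_and_why?).with("path", :save, "to/resource", params).returns(nil)

    @authconfig.allowed?("path", :save, "to/resource", params)
  end

  describe "when defining an acl with mk_acl" do
    it "should create a new right for each default acl" do
      @acl.expects(:newright).with(:path)
      @authconfig.mk_acl(:acl => :path)
    end

    # With no :allow key in the description, mk_acl is expected to allow "*".
    it "should allow everyone for each default right" do
      @acl.expects(:allow).with(:path, "*")
      @authconfig.mk_acl(:acl => :path)
    end

    it "should restrict the ACL to a method" do
      @acl.expects(:restrict_method).with(:path, :method)
      @authconfig.mk_acl(:acl => :path, :method => :method)
    end

    it "should restrict the ACL to a specific authentication state" do
      @acl.expects(:restrict_authenticated).with(:path, :authentication)
      @authconfig.mk_acl(:acl => :path, :authenticated => :authentication)
    end
  end

  describe "when parsing the configuration file" do
    it "should check for missing ACL after reading the authconfig file" do
      File.stubs(:open)

      @authconfig.expects(:insert_default_acl)

      @authconfig.parse
    end
  end

  DEFAULT_ACL.each do |acl|
    it "should insert #{acl[:acl]} if not present" do
      # Every right is reported as present except the one under test.
      @authconfig.rights.stubs(:[]).returns(true)
      @authconfig.rights.stubs(:[]).with(acl[:acl]).returns(nil)

      @authconfig.expects(:mk_acl).with { |h| h[:acl] == acl[:acl] }

      @authconfig.insert_default_acl
    end

    it "should not insert #{acl[:acl]} if present" do
      @authconfig.rights.stubs(:[]).returns(true)
      # Key the specific stub on the ACL path, as the example above does. The
      # original passed the whole hash, which no lookup would ever use as a key.
      @authconfig.rights.stubs(:[]).with(acl[:acl]).returns(true)

      @authconfig.expects(:mk_acl).never

      @authconfig.insert_default_acl
    end
  end

  it "should create default ACL entries if no file have been read" do
    Puppet::Network::RestAuthConfig.any_instance.stubs(:exists?).returns(false)

    Puppet::Network::RestAuthConfig.any_instance.expects(:insert_default_acl)

    Puppet::Network::RestAuthConfig.main
  end

  describe "when adding default ACLs" do

    DEFAULT_ACL.each do |acl|
      it "should create a default right for #{acl[:acl]}" do
        # The blanket stub absorbs the calls for the other entries; the
        # expectation then requires one call whose hash equals this entry.
        @authconfig.stubs(:mk_acl)
        @authconfig.expects(:mk_acl).with(acl)
        @authconfig.insert_default_acl
      end
    end

    it "should log at info loglevel" do
      Puppet.expects(:info).at_least_once
      @authconfig.insert_default_acl
    end

    # NOTE(review): the two examples below only assert that a right for "/" is
    # created and opened to any authentication state. Neither asserts that no
    # allow is registered on it, so the "deny all" outcome presumably relies
    # on the rights object denying paths that have no allow -- confirm.
    it "should create a last catch-all deny all rule" do
      @authconfig.stubs(:mk_acl)
      @acl.expects(:newright).with("/")
      @authconfig.insert_default_acl
    end

    it "should create a last catch-all deny all rule for any authenticated request state" do
      @authconfig.stubs(:mk_acl)
      @acl.stubs(:newright).with("/")

      @acl.expects(:restrict_authenticated).with("/", :any)

      @authconfig.insert_default_acl
    end

  end

end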