#!/usr/bin/env ruby
require File.dirname(__FILE__) + '/../lib/puppettest'
require 'puppettest'
require 'puppet/network/authorization'
require 'mocha'
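# Unit tests for the Puppet::Network::Authorization mixin. They cover three
# things: whether a client request is authorized, whether its handler is
# reported as available, and whether verify raises for a request that fails
# either check.
class TestAuthConfig < Test::Unit::TestCase
  include PuppetTest

  # A mock class for authconfig. The answers given by #allowed? and #exists?
  # are stored at class level, so a test can change them without holding a
  # reference to the instance memoized by the object under test.
  class FakeAuth
    class << self
      attr_accessor :allow, :exists
    end

    # Returns the class-level allow value, whatever the request is.
    def allowed?(req)
      self.class.allow
    end

    # Returns the class-level exists value.
    def exists?
      self.class.exists
    end
  end

  # Minimal host for the Authorization mixin. It tracks "loaded" handler
  # names in an array so the tests can control handler_loaded?.
  class AuthTest
    include Puppet::Network::Authorization

    # Forget every recorded handler. Initializes the list first, as load and
    # handler_loaded? do, so calling clear before any load does not raise
    # NoMethodError on nil.
    def clear
      @loaded ||= []
      @loaded.clear
    end

    # Record +name+ as a loaded handler.
    def load(name)
      @loaded ||= []
      @loaded << name
    end

    # True when +name+ was previously passed to load.
    def handler_loaded?(name)
      @loaded ||= []
      @loaded.include?(name)
    end
  end

  def setup
    super

    # FakeAuth keeps its answers at class level, so they outlive a single
    # test. Reset them here so every test starts from "no config file,
    # nothing allowed" and a permissive value left behind by an earlier test
    # cannot influence an authorization result in a later one.
    FakeAuth.allow = nil
    FakeAuth.exists = nil

    @obj = AuthTest.new

    # Override the authconfig to make life easier
    class << @obj
      def authconfig
        @authconfig ||= FakeAuth.new
      end
    end

    # NOTE(review): the third argument is presumably the "authenticated"
    # flag (test_authorize later sets authenticated = true) -- confirm
    # against ClientRequest.
    @request = Puppet::Network::ClientRequest.new("host", "ip", false)
    @request.handler = "foo"
    @request.method = "bar"
  end

  # Without the override installed in setup, authconfig should hand back the
  # main AuthConfig object.
  def test_authconfig
    obj = AuthTest.new
    auth = nil
    assert_nothing_raised { auth = obj.send(:authconfig) }
    assert(auth, "did not get auth")
    assert_equal(Puppet::Network::AuthConfig.main.object_id, auth.object_id, "did not get main authconfig")
  end

  def test_authorize
    # Make sure that unauthenticated clients can do puppetca stuff, but
    # nothing else.
    @request.handler = "puppetca"
    @request.method = "yay"
    assert(@obj.authorized?(@request), "Did not allow unauthenticated ca call")
    assert_logged(:notice, /Allowing/, "did not log call")

    @request.handler = "other"
    assert(! @obj.authorized?(@request), "Allowed unauthencated other call")
    assert_logged(:notice, /Denying/, "did not log call")

    # NOTE(review): nothing below re-checks an unauthenticated non-CA request
    # once FakeAuth.exists and FakeAuth.allow are both true. Consider adding
    # that case so a permissive config cannot silently admit it.

    @request.authenticated = true

    # We start without the namespace auth file, so everything should
    # start out denied
    assert(! @obj.authorized?(@request), "Allowed call with no config file")
    assert_logged(:notice, /Denying/, "did not log call")

    # Now set our run_mode to master, so calls are allowed
    Puppet.run_mode.stubs(:master?).returns true
    assert(
      @obj.authorized?(@request),
      "Denied call with no config file and master")
    assert_logged(:debug, /Allowing/, "did not log call")

    # Now "create" the file, so we do real tests
    FakeAuth.exists = true

    # We start out denying
    assert(! @obj.authorized?(@request), "Allowed call when denying")
    assert_logged(:notice, /Denying/, "did not log call")

    FakeAuth.allow = true
    assert(@obj.authorized?(@request), "Denied call when allowing")
    assert_logged(:debug, /Allowing/, "did not log call")
  end

  def test_available?
    # Start out false
    assert(! @obj.available?(@request), "Defaulted to true")
    assert_logged(:warning, /requested unavailable/, "did not log call")

    @obj.load(@request.handler)
    assert(@obj.available?(@request), "did not see it loaded")
  end

  # Make sure we raise things appropriately
  def test_verify
    # Start out unavailable
    assert_raise(Puppet::Network::InvalidClientRequest) do
      @obj.verify(@request)
    end

    # Force availability. The request must still be rejected, presumably
    # because it has not been authorized yet.
    class << @obj
      def available?(req)
        true
      end
    end
    assert_raise(Puppet::Network::InvalidClientRequest) do
      @obj.verify(@request)
    end

    # Only with both checks passing should verify stop raising.
    class << @obj
      def authorized?(req)
        true
      end
    end
    assert_nothing_raised do
      @obj.verify(@request)
    end
  end
end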