File: authconfig_spec.rb

puppet 4.8.2-5
#! /usr/bin/env ruby
require 'spec_helper'

require 'puppet/network/authconfig'

# Specs for the built-in authorization provider. They cover three things:
# how mk_acl turns an ACL hash into a right, which default ACLs
# insert_default_acl installs, and that check_authorization defers to the
# Rights subsystem.
describe Puppet::Network::DefaultAuthProvider do
  before(:each) do
    Puppet::FileSystem.stubs(:stat).returns(stub('stat', ctime: :now))
    # NOTE(review): Ruby evaluates the receiver chain before the argument, so
    # the Time.now handed to `returns` is read after the stub is installed --
    # confirm the stubbed value is a real Time and not the stub's default.
    Time.stubs(:now).returns(Time.now)

    described_class.any_instance.stubs(:exists?).returns(true)
    # FIXME @authprovider = Puppet::Network::DefaultAuthProvider.new("dummy")
  end

  describe "when initializing" do
    it "inserts default ACLs after setting initial rights" do
      described_class.any_instance.expects(:insert_default_acl)
      described_class.new
    end
  end

  describe "when defining an acl with mk_acl" do
    before(:each) do
      # Default ACL insertion is stubbed out so each example starts from a
      # provider whose rights come only from the mk_acl call under test.
      described_class.any_instance.stubs(:insert_default_acl)
      @authprovider = described_class.new
    end

    it "should create a new right for each default acl" do
      @authprovider.mk_acl(acl: '/')
      root_right = @authprovider.rights['/']
      expect(root_right).to be
    end

    # An ACL hash without an :allow entry yields a global-allow right.
    it "allows everyone for each default right" do
      @authprovider.mk_acl(acl: '/')
      root_right = @authprovider.rights['/']
      expect(root_right).to be_globalallow
    end

    it "accepts an argument to restrict the method" do
      @authprovider.mk_acl(acl: '/', method: :find)
      root_right = @authprovider.rights['/']
      expect(root_right.methods).to eq([:find])
    end

    # Secure default: when :authenticated is omitted, the right's
    # authentication flag is truthy.
    it "creates rights with authentication set to true by default" do
      @authprovider.mk_acl(acl: '/')
      root_right = @authprovider.rights['/']
      expect(root_right.authentication).to be_truthy
    end

    # Passing :authenticated => :any is the explicit opt-out; the resulting
    # right's authentication flag is falsey.
    it "accepts an argument to set the authentication requirement" do
      @authprovider.mk_acl(acl: '/', authenticated: :any)
      root_right = @authprovider.rights['/']
      expect(root_right.authentication).to be_falsey
    end
  end

  describe "when adding default ACLs" do
    before(:each) do
      # Order matters: stub while constructing so the constructor does not
      # insert the defaults, then unstub so the examples below can call the
      # real insert_default_acl.
      described_class.any_instance.stubs(:insert_default_acl)
      @authprovider = described_class.new
      described_class.any_instance.unstub(:insert_default_acl)
    end

    # One example per entry in the provider's default ACL list.
    Puppet::Network::DefaultAuthProvider.default_acl.each do |default_rule|
      it "should create a default right for #{default_rule[:acl]}" do
        @authprovider.stubs(:mk_acl)
        @authprovider.expects(:mk_acl).with(default_rule)
        @authprovider.insert_default_acl
      end
    end

    it "should log at info loglevel" do
      Puppet.expects(:info).at_least_once
      @authprovider.insert_default_acl
    end

    # With mk_acl stubbed, the only '/' right left is the one
    # insert_default_acl adds itself. It must be empty and must not be
    # restricted to authenticated requests.
    it "creates an empty catch-all rule for '/' for any authentication request state" do
      @authprovider.stubs(:mk_acl)
      @authprovider.insert_default_acl

      catch_all = @authprovider.rights['/']
      expect(catch_all).to be_empty
      expect(catch_all.authentication).to be_falsey
    end

    # Regression guard for the default report ACL. The path pattern captures
    # the final segment, :allow => '$1' refers back to that capture, and
    # authentication is required. Per the example title, this ties report
    # submission to the node whose certname matches.
    # NOTE(review): this only pins the hash handed to mk_acl. It does not drive
    # a request from a mismatched node through check_authorization, so an
    # end-to-end denial example would strengthen it.
    # NOTE(review): the pattern is anchored with ^ and $. If it is compiled as
    # a Ruby regexp these are line anchors (\A and \z are the whole-string
    # forms) -- confirm against the Rights implementation.
    it '(CVE-2013-2275) allows report submission only for the node matching the certname by default' do
      report_acl = {
        acl: "~ ^#{Puppet::Network::HTTP::MASTER_URL_PREFIX}\/v3\/report\/([^\/]+)$",
        method: :save,
        allow: '$1',
        authenticated: true
      }
      @authprovider.stubs(:mk_acl)
      @authprovider.expects(:mk_acl).with(report_acl)
      @authprovider.insert_default_acl
    end
  end

  describe "when checking authorization" do
    # The provider must hand method, path and params unchanged to
    # Rights#is_request_forbidden_and_why?.
    it "should ask for authorization to the ACL subsystem" do
      request_params = {
        ip: "127.0.0.1",
        node: "me",
        environment: :env,
        authenticated: true
      }

      Puppet::Network::Rights.any_instance
        .expects(:is_request_forbidden_and_why?)
        .with(:save, "/path/to/resource", request_params)

      provider = described_class.new
      provider.check_authorization(:save, "/path/to/resource", request_params)
    end
  end
end

# Specs for AuthConfig's pluggable provider. It builds whatever class is set
# in authprovider_class, forwards check_authorization to it, and falls back to
# DefaultAuthProvider when none is configured.
describe Puppet::Network::AuthConfig do
  after(:each) do
    # authprovider_class is class-level state; reset it so a test double never
    # stays installed as the authorization provider for later examples.
    described_class.authprovider_class = nil
  end

  # Minimal stand-in exposing the two methods these examples use.
  # NOTE(review): a `class` statement inside a describe block is not scoped to
  # the example group, so this constant is likely visible to the rest of the
  # suite -- confirm nothing else depends on or collides with it.
  class TestAuthProvider
    def initialize(rights = nil)
    end

    def check_authorization(method, path, params)
    end
  end

  it "instantiates authprovider_class with rights" do
    described_class.authprovider_class = TestAuthProvider
    supplied_rights = Puppet::Network::Rights.new
    TestAuthProvider.expects(:new).with(supplied_rights)
    described_class.new(supplied_rights)
  end

  it "delegates authorization check to authprovider_class" do
    described_class.authprovider_class = TestAuthProvider
    TestAuthProvider.any_instance.expects(:check_authorization).with(:save, '/path/to/resource', {})
    auth_config = described_class.new
    auth_config.check_authorization(:save, '/path/to/resource', {})
  end

  it "uses DefaultAuthProvider by default" do
    described_class.authprovider_class = nil
    Puppet::Network::DefaultAuthProvider.any_instance.expects(:check_authorization).with(:save, '/path/to/resource', {})
    auth_config = described_class.new
    auth_config.check_authorization(:save, '/path/to/resource', {})
  end
end