/spec/integration/network/rest_authconfig_spec.rb

https://github.com/lak/puppet-old · Ruby · 145 lines · 104 code · 41 blank · 0 comment · 0 complexity · 27249a4b855b1acf328bbcccc4bb36de MD5 · raw file 

    

  1. require 'spec_helper'
    2. 

  2. 

  3. require 'puppet/network/rest_authconfig'
    4. 

  4. 

  5. RSpec::Matchers.define :allow do |params|
    6. 

  6. 

  7.   match do |auth|
    8. 

  8.     begin
    9. 

  9.       auth.check_authorization(params[0], params[1], params[2], params[3])
    10. 

  10.       true
    11. 

  11.     rescue Puppet::Network::AuthorizationError
    12. 

  12.       false
    13. 

  13.     end
    14. 

  14.   end
    15. 

  15. 

  16.   failure_message_for_should do |instance|
    17. 

  17.     "expected #{params[3][:node]}/#{params[3][:ip]} to be allowed"
    18. 

  18.   end
    19. 

  19. 

  20.   failure_message_for_should_not do |instance|
    21. 

  21.     "expected #{params[3][:node]}/#{params[3][:ip]} to be forbidden"
    22. 

  22.   end
    23. 

  23. end
    24. 

  24. 

  25. describe Puppet::Network::RestAuthConfig do
    26. 

  26.   include PuppetSpec::Files
    27. 

  27. 

  28.   before(:each) do
    29. 

  29.     Puppet[:rest_authconfig] = tmpfile('auth.conf')
    30. 

  30.   end
    31. 

  31. 

  32.   def add_rule(rule)
    33. 

  33.     File.open(Puppet[:rest_authconfig],"w+") do |f|
    34. 

  34.       f.print "path /test\n#{rule}\n"
    35. 

  35.     end
    36. 

  36.     @auth = Puppet::Network::RestAuthConfig.new(Puppet[:rest_authconfig], true)
    37. 

  37.   end
    38. 

  38. 

  39.   def add_regex_rule(regex, rule)
    40. 

  40.     File.open(Puppet[:rest_authconfig],"w+") do |f|
    41. 

  41.       f.print "path ~ #{regex}\n#{rule}\n"
    42. 

  42.     end
    43. 

  43.     @auth = Puppet::Network::RestAuthConfig.new(Puppet[:rest_authconfig], true)
    44. 

  44.   end
    45. 

  45. 

  46.   def request(args = {})
    47. 

  47.     { :ip => '10.1.1.1', :node => 'host.domain.com', :key => 'key', :authenticated => true }.each do |k,v|
    48. 

  48.       args[k] ||= v
    49. 

  49.     end
    50. 

  50.     ['test', :find, args[:key], args]
    51. 

  51.   end
    52. 

  52. 

  53.   it "should support IPv4 address" do
    54. 

  54.     add_rule("allow 10.1.1.1")
    55. 

  55. 

  56.     @auth.should allow(request)
    57. 

  57.   end
    58. 

  58. 

  59.   it "should support CIDR IPv4 address" do
    60. 

  60.     add_rule("allow 10.0.0.0/8")
    61. 

  61. 

  62.     @auth.should allow(request)
    63. 

  63.   end
    64. 

  64. 

  65.   it "should support wildcard IPv4 address" do
    66. 

  66.     add_rule("allow 10.1.1.*")
    67. 

  67. 

  68.     @auth.should allow(request)
    69. 

  69.   end
    70. 

  70. 

  71.   it "should support IPv6 address" do
    72. 

  72.     add_rule("allow 2001:DB8::8:800:200C:417A")
    73. 

  73. 

  74.     @auth.should allow(request(:ip => '2001:DB8::8:800:200C:417A'))
    75. 

  75.   end
    76. 

  76. 

  77.   it "should support hostname" do
    78. 

  78.     add_rule("allow host.domain.com")
    79. 

  79. 

  80.     @auth.should allow(request)
    81. 

  81.   end
    82. 

  82. 

  83.   it "should support wildcard host" do
    84. 

  84.     add_rule("allow *.domain.com")
    85. 

  85. 

  86.     @auth.should allow(request)
    87. 

  87.   end
    88. 

  88. 

  89.   it "should support hostname backreferences" do
    90. 

  90.     add_regex_rule('^/test/([^/]+)$', "allow $1.domain.com")
    91. 

  91. 

  92.     @auth.should allow(request(:key => 'host'))
    93. 

  93.   end
    94. 

  94. 

  95.   it "should support opaque strings" do
    96. 

  96.     add_rule("allow this-is-opaque@or-not")
    97. 

  97. 

  98.     @auth.should allow(request(:node => 'this-is-opaque@or-not'))
    99. 

  99.   end
    100. 

  100. 

  101.   it "should support opaque strings and backreferences" do
    102. 

  102.     add_regex_rule('^/test/([^/]+)$', "allow $1")
    103. 

  103. 

  104.     @auth.should allow(request(:key => 'this-is-opaque@or-not', :node => 'this-is-opaque@or-not'))
    105. 

  105.   end
    106. 

  106. 

  107.   it "should support hostname ending with '.'" do
    108. 

  108.     pending('bug #7589')
    109. 

  109.     add_rule("allow host.domain.com.")
    110. 

  110. 

  111.     @auth.should allow(request(:node => 'host.domain.com.'))
    112. 

  112.   end
    113. 

  113. 

  114.   it "should support hostname ending with '.' and backreferences" do
    115. 

  115.     pending('bug #7589')
    116. 

  116.     add_regex_rule('^/test/([^/]+)$',"allow $1")
    117. 

  117. 

  118.     @auth.should allow(request(:node => 'host.domain.com.'))
    119. 

  119.   end
    120. 

  120. 

  121.   it "should support trailing whitespace" do
    122. 

  122.     add_rule('allow host.domain.com    ')
    123. 

  123. 

  124.     @auth.should allow(request)
    125. 

  125.   end
    126. 

  126. 

  127.   it "should support inlined comments" do
    128. 

  128.     add_rule('allow host.domain.com # will it work?')
    129. 

  129. 

  130.     @auth.should allow(request)
    131. 

  131.   end
    132. 

  132. 

  133.   it "should deny non-matching host" do
    134. 

  134.     add_rule("allow inexistant")
    135. 

  135. 

  136.     @auth.should_not allow(request)
    137. 

  137.   end
    138. 

  138. 

  139.   it "should deny denied hosts" do
    140. 

  140.     add_rule("deny host.domain.com")
    141. 

  141. 

  142.     @auth.should_not allow(request)
    143. 

  143.   end
    144. 

  144. 

  145. end
    146.