From: Christian Hofstaedtler <[email protected]> As RackREST will not stay the only handler for HTTP requests via Rack, we make the required interface explicit by providing a base class and moving the client authentication there.
Signed-off-by: Christian Hofstaedtler <[email protected]>
---
 lib/puppet/network/http/rack/httphandler.rb | 49 +++++++++++++++++++++++++++
 lib/puppet/network/http/rack/rest.rb | 37 +-------------------
 2 files changed, 51 insertions(+), 35 deletions(-)
 create mode 100644 lib/puppet/network/http/rack/httphandler.rb
diff --git a/lib/puppet/network/http/rack/httphandler.rb b/lib/puppet/network/http/rack/httphandler.rb
new file mode 100644
index 0000000..6903d8c
--- /dev/null
+++ b/lib/puppet/network/http/rack/httphandler.rb
@@ -0,0 +1,49 @@
+require 'openssl'
+require 'puppet/ssl/certificate'
+
+class Puppet::Network::HTTP::RackHttpHandler
+
+ def initialize()
+ end
+
+ # do something useful with request (a Rack::Request) and use
+ # response to fill your Rack::Response
+ def process(request, response)
+ raise NotImplementedError, "Your RackHttpHandler subclass is supposed to override service(request)"
+ end
+
+ def extract_client_info(request)
+ ip = request.ip
+ valid = false
+ client = nil
+
+ # if we find an SSL cert in the headers, use it to get a hostname
+ # (for WEBrick, or Apache with ExportCertData)
+ if request.env['SSL_CLIENT_CERT']
+ cert = OpenSSL::X509::Certificate.new(request.env['SSL_CLIENT_CERT'])
+ nameary = cert.subject.to_a.find { |ary|
+ ary[0] == "CN"
+ }
+ if nameary
+ client = nameary[1]
+ # XXX: certificate validation works by finding the supposed
+ # cert the client should be using, and comparing that to what
+ # got sent. this *should* be fine, but maybe it's not?
+ valid = (Puppet::SSL::Certificate.find(client).to_text == cert.to_text)
+ end
+
+ # now try with :ssl_client_header, which defaults should work for
+ # Apache with StdEnvVars.
+ elsif dn = request.env[Puppet[:ssl_client_header]] and dn_matchdata = dn.match(/^.*?CN\s*=\s*(.*)/)
+ client = dn_matchdata[1].to_str
+ valid = (request.env[Puppet[:ssl_client_verify_header]] == 'SUCCESS')
+ end
+
+ result = {:ip => ip, :authenticated => valid}
+ if client
+ result[:node] = client
+ end
+ result
+ end
+end
+
diff --git a/lib/puppet/network/http/rack/rest.rb b/lib/puppet/network/http/rack/rest.rb
index 5679c41..9b6b834 100644
--- a/lib/puppet/network/http/rack/rest.rb
+++ b/lib/puppet/network/http/rack/rest.rb
@@ -1,6 +1,7 @@
 require 'puppet/network/http/handler'
+require 'puppet/network/http/rack/httphandler'
-class Puppet::Network::HTTP::RackREST
+class Puppet::Network::HTTP::RackREST < Puppet::Network::HTTP::RackHttpHandler
 include Puppet::Network::HTTP::Handler
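Review bot: In extract_client_info, `Puppet::SSL::Certificate.find(client).to_text` raises NoMethodError when no certificate is stored under that CN, so a client presenting an unknown or differently named certificate produces an exception instead of `:authenticated => false`; guard it with `expected = Puppet::SSL::Certificate.find(client)` and `valid = !expected.nil? && expected.to_text == cert.to_text`. The header fallback trusts `request.env[Puppet[:ssl_client_header]]` and the verify header completely, and if those settings name `HTTP_*` env entries they are populated from request headers, so a comment such as `# the TLS-terminating front end must set or clear these env entries; they are not validated here` belongs above the `elsif`. The `/^.*?CN\s*=\s*(.*)/` match anchors at line start rather than `\A` and captures everything after the first CN, so a DN with further RDNs after the CN (or a multi-line value) yields a node name that is not the bare CN; bound the capture to the CN value according to the DN format the front end emits. Separately, the NotImplementedError message in process names `service(request)` while the method a subclass must override is `process(request, response)`; use `"Your RackHttpHandler subclass is supposed to override process(request, response)"`.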
@@ -51,38 +52,4 @@ class Puppet::Network::HTTP::RackREST
 request.body.each { |part| body += part }
 body
 end
-
- def extract_client_info(request)
- ip = request.ip
- valid = false
- client = nil
-
- # if we find an SSL cert in the headers, use it to get a hostname
- # (for WEBrick, or Apache with ExportCertData)
- if request.env['SSL_CLIENT_CERT']
- cert = OpenSSL::X509::Certificate.new(request.env['SSL_CLIENT_CERT'])
- nameary = cert.subject.to_a.find { |ary|
- ary[0] == "CN"
- }
- if nameary
- client = nameary[1]
- # XXX: certificate validation works by finding the supposed
- # cert the client should be using, and comparing that to what
- # got sent. this *should* be fine, but maybe it's not?
- valid = (Puppet::SSL::Certificate.find(client).to_text == cert.to_text)
- end
-
- # now try with :ssl_client_header, which defaults should work for
- # Apache with StdEnvVars.
- elsif dn = request.env[Puppet[:ssl_client_header]] and dn_matchdata = dn.match(/^.*?CN\s*=\s*(.*)/)
- client = dn_matchdata[1].to_str
- valid = (request.env[Puppet[:ssl_client_verify_header]] == 'SUCCESS')
- end
-
- result = {:ip => ip, :authenticated => valid}
- if client
- result[:node] = client
- end
- result
- end
 end
-- 
1.5.6.5
--~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Puppet Developers" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/puppet-dev?hl=en -~----------~----~----~----~------~----~------~--~---
