+1, although this could probably be squashed with the first patch. On Apr 19, 2009, at 1:51 PM, Christian Hofstaedtler wrote:
> > From: Christian Hofstaedtler <[email protected]> > > As RackREST will not stay the only handler for HTTP requests via Rack, > we make the required interface explicit by providing a base class and > moving the client authentication there. > > Signed-off-by: Christian Hofstaedtler <[email protected]> > --- > lib/puppet/network/http/rack/httphandler.rb | 49 ++++++++++++++++++ > +++++++++ > lib/puppet/network/http/rack/rest.rb | 37 > +------------------- > 2 files changed, 51 insertions(+), 35 deletions(-) > create mode 100644 lib/puppet/network/http/rack/httphandler.rb > > diff --git a/lib/puppet/network/http/rack/httphandler.rb b/lib/ > puppet/network/http/rack/httphandler.rb > new file mode 100644 > index 0000000..6903d8c > --- /dev/null > +++ b/lib/puppet/network/http/rack/httphandler.rb 
> @@ -0,0 +1,49 @@ > +require 'openssl' > +require 'puppet/ssl/certificate' > + > +class Puppet::Network::HTTP::RackHttpHandler > + > + def initialize() > + end > + > + # do something useful with request (a Rack::Request) and use > + # response to fill your Rack::Response > + def process(request, response) > + raise NotImplementedError, "Your RackHttpHandler subclass > is supposed to override service(request)" > + end > + > + def extract_client_info(request) > + ip = request.ip > + valid = false > + client = nil > + > + # if we find an SSL cert in the headers, use it to get a > hostname > + # (for WEBrick, or Apache with ExportCertData) > + if request.env['SSL_CLIENT_CERT'] > + cert = > OpenSSL::X509::Certificate.new(request.env['SSL_CLIENT_CERT']) > + nameary = cert.subject.to_a.find { |ary| > + ary[0] == "CN" > + } > + if nameary > + client = nameary[1] > + # XXX: certificate validation works by finding the > supposed > + # cert the client should be using, and comparing > that to what > + # got sent. this *should* be fine, but maybe it's > not? > + valid = > (Puppet::SSL::Certificate.find(client).to_text == cert.to_text) > + end > + > + # now try with :ssl_client_header, which defaults should > work for > + # Apache with StdEnvVars. > + elsif dn = request.env[Puppet[:ssl_client_header]] and > dn_matchdata = dn.match(/^.*?CN\s*=\s*(.*)/) > + client = dn_matchdata[1].to_str > + valid = (request.env[Puppet[:ssl_client_verify_header]] > == 'SUCCESS') > + end > + > + result = {:ip => ip, :authenticated => valid} > + if client > + result[:node] = client > + end > + result > + end > +end > + > diff --git a/lib/puppet/network/http/rack/rest.rb b/lib/puppet/ > network/http/rack/rest.rb > index 5679c41..9b6b834 100644 > --- a/lib/puppet/network/http/rack/rest.rb > +++ b/lib/puppet/network/http/rack/rest.rb 
> @@ -1,6 +1,7 @@ > require 'puppet/network/http/handler' > +require 'puppet/network/http/rack/httphandler' > > -class Puppet::Network::HTTP::RackREST > +class Puppet::Network::HTTP::RackREST < > Puppet::Network::HTTP::RackHttpHandler > > include Puppet::Network::HTTP::Handler 
> > @@ -51,38 +52,4 @@ class Puppet::Network::HTTP::RackREST > request.body.each { |part| body += part } > body > end > - > - def extract_client_info(request) > - ip = request.ip > - valid = false > - client = nil > - > - # if we find an SSL cert in the headers, use it to get a > hostname > - # (for WEBrick, or Apache with ExportCertData) > - if request.env['SSL_CLIENT_CERT'] > - cert = > OpenSSL::X509::Certificate.new(request.env['SSL_CLIENT_CERT']) > - nameary = cert.subject.to_a.find { |ary| > - ary[0] == "CN" > - } > - if nameary > - client = nameary[1] > - # XXX: certificate validation works by finding the > supposed > - # cert the client should be using, and comparing > that to what > - # got sent. this *should* be fine, but maybe it's > not? > - valid = > (Puppet::SSL::Certificate.find(client).to_text == cert.to_text) > - end > - > - # now try with :ssl_client_header, which defaults should > work for > - # Apache with StdEnvVars. > - elsif dn = request.env[Puppet[:ssl_client_header]] and > dn_matchdata = dn.match(/^.*?CN\s*=\s*(.*)/) > - client = dn_matchdata[1].to_str > - valid = (request.env[Puppet[:ssl_client_verify_header]] > == 'SUCCESS') > - end > - > - result = {:ip => ip, :authenticated => valid} > - if client > - result[:node] = client > - end > - result > - end > end > -- > 1.5.6.5 > > > > -- Health nuts are going to feel stupid someday, lying in hospitals dying of nothing. --Redd Foxx --------------------------------------------------------------------- Luke Kanies | http://reductivelabs.com | http://madstop.com
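Review bot: in the new lib/puppet/network/http/rack/httphandler.rb hunk, the NotImplementedError raised from process(request, response) tells subclasses to override service(request), which is not the name of the method being called; change it to `raise NotImplementedError, "Your RackHttpHandler subclass is supposed to override process(request, response)"` so the message names the actual hook. In the same hunk, the SSL_CLIENT_CERT branch does `Puppet::SSL::Certificate.find(client).to_text` without checking the lookup result: when no certificate is stored for that CN, find returns nil and the `.to_text` call raises NoMethodError, so an unknown client produces a server error rather than an unauthenticated result. Guard it, e.g. `if known = Puppet::SSL::Certificate.find(client)` around the comparison, so `valid` simply stays false in that case; the XXX comment already flags this comparison as the weak spot, so the nil case is worth covering while the code is being moved.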
