Revision 358ec5a3
Added by Dominic Cleal over 11 years ago
- ID 358ec5a3a1b59c098b5c14fcd7a90ca1a6a5dccd
test/functional/fact_values_controller_test.rb | ||
---|---|---|
Pathname.new("#{Rails.root}/test/fixtures/brslc022.facts.yaml").read
|
||
end
|
||
|
||
def setup
|
||
User.current = nil
|
||
end
|
||
|
||
fixtures
|
||
|
||
def test_index
|
||
... | ... | |
|
||
def test_create_invalid
|
||
User.current = nil
|
||
post :create, {:facts => fact_fixture[1..-1], :format => "yml"}
|
||
post :create, {:facts => fact_fixture[1..-1], :format => "yml"}, set_session_user
|
||
assert_response :bad_request
|
||
end
|
||
|
||
def test_create_valid_puppet_node_facts_object
|
||
User.current = nil
|
||
post :create, {:facts => fact_fixture, :format => "yml"}
|
||
post :create, {:facts => fact_fixture, :format => "yml"}, set_session_user
|
||
assert_response :success
|
||
end
|
||
|
||
... | ... | |
User.current = nil
|
||
facts = Facter.to_hash
|
||
assert_instance_of Hash, facts
|
||
post :create, {:facts => facts.to_yaml, :format => "yml"}
|
||
post :create, {:facts => facts.to_yaml, :format => "yml"}, set_session_user
|
||
assert_response :success
|
||
end
|
||
|
||
... | ... | |
assert_response :success
|
||
end
|
||
|
||
test 'when ":restrict_registered_puppetmasters" is false, HTTP requests should be able to import facts' do
|
||
Setting[:restrict_registered_puppetmasters] = false
|
||
SETTINGS[:require_ssl] = false
|
||
|
||
Resolv.any_instance.stubs(:getnames).returns(['else.where'])
|
||
post :create, {:facts => fact_fixture, :format => "yml"}
|
||
assert_response :success
|
||
end
|
||
|
||
test 'hosts with a registered smart proxy on should import facts successfully' do
|
||
Setting[:restrict_registered_puppetmasters] = true
|
||
Setting[:require_ssl_puppetmasters] = false
|
||
|
||
Resolv.any_instance.stubs(:getnames).returns(['else.where'])
|
||
post :create, {:facts => fact_fixture, :format => "yml"}
|
||
assert_response :success
|
||
end
|
||
|
||
test 'hosts without a registered smart proxy on should not be able to import facts' do
|
||
Setting[:restrict_registered_puppetmasters] = true
|
||
Setting[:require_ssl_puppetmasters] = false
|
||
|
||
Resolv.any_instance.stubs(:getnames).returns(['another.host'])
|
||
post :create, {:facts => fact_fixture, :format => "yml"}
|
||
assert_equal 403, @response.status
|
||
end
|
||
|
||
test 'hosts with a registered smart proxy and SSL cert should import facts successfully' do
|
||
Setting[:restrict_registered_puppetmasters] = true
|
||
Setting[:require_ssl_puppetmasters] = true
|
||
|
||
@request.env['HTTPS'] = 'on'
|
||
@request.env['SSL_CLIENT_S_DN_CN'] = 'else.where'
|
||
@request.env['SSL_CLIENT_VERIFY'] = 'SUCCESS'
|
||
post :create, {:facts => fact_fixture, :format => "yml"}
|
||
assert_response :success
|
||
end
|
||
|
||
test 'hosts without a registered smart proxy but with an SSL cert should not be able to import facts' do
|
||
Setting[:restrict_registered_puppetmasters] = true
|
||
Setting[:require_ssl_puppetmasters] = true
|
||
|
||
@request.env['HTTPS'] = 'on'
|
||
@request.env['SSL_CLIENT_S_DN_CN'] = 'another.host'
|
||
@request.env['SSL_CLIENT_VERIFY'] = 'SUCCESS'
|
||
post :create, {:facts => fact_fixture, :format => "yml"}
|
||
assert_equal 403, @response.status
|
||
end
|
||
|
||
test 'hosts with an unverified SSL cert should not be able to import facts' do
|
||
Setting[:restrict_registered_puppetmasters] = true
|
||
Setting[:require_ssl_puppetmasters] = true
|
||
|
||
@request.env['HTTPS'] = 'on'
|
||
@request.env['SSL_CLIENT_S_DN_CN'] = 'secure.host'
|
||
@request.env['SSL_CLIENT_VERIFY'] = 'FAILED'
|
||
post :create, {:facts => fact_fixture, :format => "yml"}
|
||
assert_equal 403, @response.status
|
||
end
|
||
|
||
test 'when "require_ssl_puppetmasters" and "require_ssl" are true, HTTP requests should not be able to import facts' do
|
||
Setting[:restrict_registered_puppetmasters] = true
|
||
Setting[:require_ssl_puppetmasters] = true
|
||
SETTINGS[:require_ssl] = true
|
||
|
||
Resolv.any_instance.stubs(:getnames).returns(['else.where'])
|
||
post :create, {:facts => fact_fixture, :format => "yml"}
|
||
assert_equal 403, @response.status
|
||
end
|
||
|
||
test 'when "require_ssl_puppetmasters" is true and "require_ssl" is false, HTTP requests should be able to import facts' do
|
||
# since require_ssl_puppetmasters is only applicable to HTTPS connections, both should be set
|
||
Setting[:restrict_registered_puppetmasters] = true
|
||
Setting[:require_ssl_puppetmasters] = true
|
||
SETTINGS[:require_ssl] = false
|
||
|
||
Resolv.any_instance.stubs(:getnames).returns(['else.where'])
|
||
post :create, {:facts => fact_fixture, :format => "yml"}
|
||
assert_response :success
|
||
end
|
||
end
|
Also available in: Unified diff
fixes #2121, #2069 - restrict importers and ENC to puppetmasters and users
CVE-2013-0171: report and fact importers parse YAML directly from the remote
host without authentication. Untrusted YAML can instantiate objects and be
used to exploit Foreman.
CVE-2013-0174: external nodes (ENC) output is available to any source and
could contain sensitive information, e.g. root password.
The restrict_registered_puppetmasters setting (default: on) now only permits
access to the three routes if the remote host has a smart proxy registered
with the Puppet feature.
The require_ssl_puppetmasters setting (default: on) requires a client SSL
certificate on HTTPS requests. The CN is checked against known smart proxies
as above. :require_ssl in settings.yaml is recommended to disable HTTP.
Ensure ENC (node.rb) and report (foreman.rb) scripts are updated to supply
client SSL certificates.