Revision 358ec5a3
Added by Dominic Cleal over 11 years ago
- ID 358ec5a3a1b59c098b5c14fcd7a90ca1a6a5dccd
test/functional/hosts_controller_test.rb | ||
---|---|---|
end
|
||
|
||
test "externalNodes should render correctly when format text/html is given" do
|
||
get :externalNodes, {:name => @host.name}
|
||
get :externalNodes, {:name => @host.name}, set_session_user
|
||
assert_response :success
|
||
assert_template :text => @host.info.to_yaml.gsub("\n","<br/>")
|
||
end
|
||
... | ... | |
assert flash[:notice] == "Foreman now no longer manages the build cycle for #{@host.name}"
|
||
end
|
||
|
||
test 'when ":restrict_registered_puppetmasters" is false, HTTP requests should be able to get externalNodes' do
|
||
User.current = nil
|
||
Setting[:restrict_registered_puppetmasters] = false
|
||
SETTINGS[:require_ssl] = false
|
||
|
||
Resolv.any_instance.stubs(:getnames).returns(['else.where'])
|
||
get :externalNodes, {:name => @host.name, :format => "yml"}
|
||
assert_response :success
|
||
end
|
||
|
||
test 'hosts with a registered smart proxy on should get externalNodes successfully' do
|
||
User.current = nil
|
||
Setting[:restrict_registered_puppetmasters] = true
|
||
Setting[:require_ssl_puppetmasters] = false
|
||
|
||
Resolv.any_instance.stubs(:getnames).returns(['else.where'])
|
||
get :externalNodes, {:name => @host.name, :format => "yml"}
|
||
assert_response :success
|
||
end
|
||
|
||
test 'hosts without a registered smart proxy on should not be able to get externalNodes' do
|
||
User.current = nil
|
||
Setting[:restrict_registered_puppetmasters] = true
|
||
Setting[:require_ssl_puppetmasters] = false
|
||
|
||
Resolv.any_instance.stubs(:getnames).returns(['another.host'])
|
||
get :externalNodes, {:name => @host.name, :format => "yml"}
|
||
assert_equal 403, @response.status
|
||
end
|
||
|
||
test 'hosts with a registered smart proxy and SSL cert should get externalNodes successfully' do
|
||
User.current = nil
|
||
Setting[:restrict_registered_puppetmasters] = true
|
||
Setting[:require_ssl_puppetmasters] = true
|
||
|
||
@request.env['HTTPS'] = 'on'
|
||
@request.env['SSL_CLIENT_S_DN_CN'] = 'else.where'
|
||
@request.env['SSL_CLIENT_VERIFY'] = 'SUCCESS'
|
||
Resolv.any_instance.stubs(:getnames).returns(['else.where'])
|
||
get :externalNodes, {:name => @host.name, :format => "yml"}
|
||
assert_response :success
|
||
end
|
||
|
||
test 'hosts without a registered smart proxy but with an SSL cert should not be able to get externalNodes' do
|
||
User.current = nil
|
||
Setting[:restrict_registered_puppetmasters] = true
|
||
Setting[:require_ssl_puppetmasters] = true
|
||
|
||
@request.env['HTTPS'] = 'on'
|
||
@request.env['SSL_CLIENT_S_DN_CN'] = 'another.host'
|
||
@request.env['SSL_CLIENT_VERIFY'] = 'SUCCESS'
|
||
get :externalNodes, {:name => @host.name, :format => "yml"}
|
||
assert_equal 403, @response.status
|
||
end
|
||
|
||
test 'hosts with an unverified SSL cert should not be able to get externalNodes' do
|
||
User.current = nil
|
||
Setting[:restrict_registered_puppetmasters] = true
|
||
Setting[:require_ssl_puppetmasters] = true
|
||
|
||
@request.env['HTTPS'] = 'on'
|
||
@request.env['SSL_CLIENT_S_DN_CN'] = 'else.where'
|
||
@request.env['SSL_CLIENT_VERIFY'] = 'FAILURE'
|
||
get :externalNodes, {:name => @host.name, :format => "yml"}
|
||
assert_equal 403, @response.status
|
||
end
|
||
|
||
test 'when "require_ssl_puppetmasters" and "require_ssl" are true, HTTP requests should not be able to get externalNodes' do
|
||
User.current = nil
|
||
Setting[:restrict_registered_puppetmasters] = true
|
||
Setting[:require_ssl_puppetmasters] = true
|
||
SETTINGS[:require_ssl] = true
|
||
|
||
Resolv.any_instance.stubs(:getnames).returns(['else.where'])
|
||
get :externalNodes, {:name => @host.name, :format => "yml"}
|
||
assert_equal 403, @response.status
|
||
end
|
||
|
||
test 'when "require_ssl_puppetmasters" is true and "require_ssl" is false, HTTP requests should be able to get externalNodes' do
|
||
User.current = nil
|
||
# since require_ssl_puppetmasters is only applicable to HTTPS connections, both should be set
|
||
Setting[:restrict_registered_puppetmasters] = true
|
||
Setting[:require_ssl_puppetmasters] = true
|
||
SETTINGS[:require_ssl] = false
|
||
|
||
Resolv.any_instance.stubs(:getnames).returns(['else.where'])
|
||
get :externalNodes, {:name => @host.name, :format => "yml"}
|
||
assert_response :success
|
||
end
|
||
|
||
test 'authenticated users over HTTP should be able to get externalNodes' do
|
||
Setting[:restrict_registered_puppetmasters] = true
|
||
Setting[:require_ssl_puppetmasters] = true
|
||
SETTINGS[:require_ssl] = false
|
||
|
||
Resolv.any_instance.stubs(:getnames).returns(['users.host'])
|
||
get :externalNodes, {:name => @host.name, :format => "yml"}, set_session_user
|
||
assert_response :success
|
||
end
|
||
|
||
test 'authenticated users over HTTPS should be able to get externalNodes' do
|
||
Setting[:restrict_registered_puppetmasters] = true
|
||
Setting[:require_ssl_puppetmasters] = true
|
||
SETTINGS[:require_ssl] = false
|
||
|
||
Resolv.any_instance.stubs(:getnames).returns(['users.host'])
|
||
@request.env['HTTPS'] = 'on'
|
||
get :externalNodes, {:name => @host.name, :format => "yml"}, set_session_user
|
||
assert_response :success
|
||
end
|
||
|
||
private
|
||
def initialize_host
|
||
User.current = users(:admin)
|
fixes #2121, #2069 - restrict importers and ENC to puppetmasters and users
CVE-2013-0171: report and fact importers parse YAML directly from the remote
host without authentication. Untrusted YAML can instantiate objects and be
used to exploit Foreman.
CVE-2013-0174: external nodes (ENC) output is available to any source and
could contain sensitive information, e.g. root password.
The restrict_registered_puppetmasters setting (default: on) now only permits
access to the three routes if the remote host has a smart proxy registered
with the Puppet feature.
The require_ssl_puppetmasters setting (default: on) requires a client SSL
certificate on HTTPS requests. The CN is checked against known smart proxies
as above. :require_ssl in settings.yaml is recommended to disable HTTP.
Ensure ENC (node.rb) and report (foreman.rb) scripts are updated to supply
client SSL certificates.