
Deprecate IP-based authentication

This will need to be made explicit in a future version, so it's good to
get people to stop using it if possible.
commit ab9150baa1b738467a33b01df1d90e076253fbbd 1 parent 34b9c0b
@nicklewis nicklewis authored
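--- a/lib/puppet/network/authstore.rb
+++ b/lib/puppet/network/authstore.rb
@@ -150,7 +150,16 @@ def ip?
 # Does this declaration match the name/ip combo?
 def match?(name, ip)
- ip? ? pattern.include?(IPAddr.new(ip)) : matchname?(name)
+ if ip?
+ if pattern.include?(IPAddr.new(ip))
+ Puppet.deprecation_warning "Authentication based on IP address is deprecated; please use certname-based rules instead"
+ true
+ else
+ false
+ end
+ else
+ matchname?(name)
+ end
 end
 # Set the pattern appropriately. Also sets the name and length.
@@ -212,7 +221,6 @@ def matchname?(name)
 # Convert the name to a common pattern.
 def munge_name(name)
- # LAK:NOTE http://snurl.com/21zf8 [groups_google_com]
 # Change to name.downcase.split(".",-1).reverse for FQDN support
 name.downcase.split(".").reverse
 end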
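Review bot: The deprecation warning in `match?` is emitted only when an IP rule actually matches a request, so IP-based declarations that are configured but never hit are not reported, and the message does not say which rule triggered it. If the aim is to let operators find and remove these rules, consider warning where the pattern is parsed (the setter introduced by the "Set the pattern appropriately" comment lies outside the visible lines), or at least naming the rule, e.g. `Puppet.deprecation_warning "Authentication based on IP address is deprecated (rule: #{pattern}); please use certname-based rules instead"`. Whether `Puppet.deprecation_warning` suppresses repeated messages is not visible here, so confirm a per-rule message neither floods the log nor gets collapsed into one entry. It is also worth a short comment stating whether a matching `deny` declaration is meant to warn as well, since `match?` does not distinguish the two in these lines.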
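--- a/spec/integration/network/rest_authconfig_spec.rb
+++ b/spec/integration/network/rest_authconfig_spec.rb
@@ -44,12 +44,31 @@ def add_regex_rule(regex, rule)
 end
 def request(args = {})
- { :ip => '10.1.1.1', :node => 'host.domain.com', :key => 'key', :authenticated => true }.each do |k,v|
- args[k] ||= v
- end
+ args = {
+ :key => 'key',
+ :node => 'host.domain.com',
+ :ip => '10.1.1.1',
+ :authenticated => true
+ }.merge(args)
 ['test', :find, args[:key], args]
 end
+ it "should warn when matching against IP addresses" do
+ add_rule("allow 10.1.1.1")
+
+ @auth.should allow(request)
+
+ @logs.should be_any {|log| log.level == :warning and log.message =~ /Authentication based on IP address is deprecated/}
+ end
+
+ it "should not warn when matches against IP addresses fail" do
+ add_rule("allow 10.1.1.2")
+
+ @auth.should_not allow(request)
+
+ @logs.should_not be_any {|log| log.level == :warning and log.message =~ /Authentication based on IP address is deprecated/}
+ end
+
 it "should support IPv4 address" do
 add_rule("allow 10.1.1.1")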
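Review bot: The "should warn when matching against IP addresses" example may be order-dependent if `Puppet.deprecation_warning` suppresses repeats within one process, because other examples in this file (for instance "should support IPv4 address", which also allows 10.1.1.1) reach the same warning. Both that suppression and the reset of `@logs` happen outside this hunk, so confirm that each example starts from cleared state. The matcher blocks join their conditions with `and`; `&&` is the safer operator there, `log.level == :warning && log.message =~ /Authentication based on IP address is deprecated/`. An example using a `deny` rule written with an IP would pin down whether the warning is expected on that path too.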