(choria-legacy#550) ruby mcollective server security provider

Changing the method in choria-legacy#552, didn't notice it was being used elsewhere (and hidden by mocking) - broke use of it downstream in the security provider and in `mco choria show_config`. Fix use of methods.
vjanelle · Dec 17, 2018 · 02c9e0c · 02c9e0c
1 parent 9d44924
commit 02c9e0c
Show file tree

Hide file tree

Showing 4 changed files with 7 additions and 5 deletions.
diff --git a/lib/mcollective/application/choria.rb b/lib/mcollective/application/choria.rb
@@ -188,7 +188,7 @@ def show_config_command # rubocop:disable Metrics/MethodLength
         puts "            CSR Path: %s (%s)" % [choria.csr_path, choria.has_csr? ? Util.colorize(:green, "found") : Util.colorize(:red, "absent")]
 
         if choria.has_client_public_cert?
-          cn = choria.valid_certificate?(File.read(choria.client_public_cert), false)
+          cn = choria.valid_certificate?(File.read(choria.client_public_cert), choria.certname, false)
 
           puts "      Public Cert CN: %s (%s)" % [cn, cn == choria.certname ? Util.colorize(:green, "match") : Util.colorize(:red, "does not match certname")]
         end

diff --git a/lib/mcollective/security/choria.rb b/lib/mcollective/security/choria.rb
@@ -358,8 +358,8 @@ def certname_whitelist_regex
       # @param callerid [String] callerid who sent this cert
       # @return [Boolean]
       def should_cache_certname?(pubcert, callerid)
-        certname = choria.valid_certificate?(pubcert)
         callerid_certname = certname_from_callerid(callerid)
+        certname = choria.valid_certificate?(pubcert, callerid_certname)
         valid_regex = certname_whitelist_regex
 
         unless certname

diff --git a/lib/mcollective/util/choria.rb b/lib/mcollective/util/choria.rb
@@ -335,6 +335,8 @@ def have_ssl_files?(log=true)
       # @raise [StandardError] in case OpenSSL fails to open the various certificates
       # @raise [OpenSSL::X509::CertificateError] if the CA is invalid
       def valid_certificate?(pubcert, name, log=true)
+        return false unless name
+
         unless File.readable?(ca_path)
           raise("Cannot find or read the CA in %s, cannot verify public certificate" % ca_path)
         end

diff --git a/spec/unit/mcollective/security/choria_spec.rb b/spec/unit/mcollective/security/choria_spec.rb
@@ -353,13 +353,13 @@ module MCollective
 
     describe "#should_cache_certname?" do
       it "should not allow unvalidated certs" do
-        choria.expects(:valid_certificate?).with("x").returns(false)
+        choria.expects(:valid_certificate?).with("x", "rspec").returns(false)
         Log.expects(:warn).with("Received a certificate for 'rspec' that is not signed by a known CA, discarding")
         expect(security.should_cache_certname?("x", "choria=rspec")).to be_falsey
       end
 
       it "should allow callers to cache only their own certs" do
-        choria.expects(:valid_certificate?).with("x").returns("bob")
+        choria.expects(:valid_certificate?).with("x", "rspec").returns("bob")
         Log.expects(:warn).with("Received a certificate called 'bob' that does not match the received callerid of 'rspec'")
         expect(security.should_cache_certname?("x", "choria=rspec")).to be_falsey
       end
@@ -385,7 +385,7 @@ module MCollective
 
       it "should only allow the privileged user cert to override callerids" do
         choria.stubs(:valid_certificate?).returns("bob.mcollective")
-        choria.expects(:valid_certificate?).with("rest_server2.privileged.mcollective").never
+        choria.expects(:valid_certificate?).with("rspec", "rest_server2.privileged.mcollective").never
         security.stubs(:privilegeduser_certs).returns(["rest_server2.privileged.mcollective"])
         expect(security.should_cache_certname?("rspec", "choria=x.rspec")).to be_falsey
       end