Commit ce7de156 authored by Łukasz Nowak's avatar Łukasz Nowak Committed by Łukasz Nowak

caddy-frontend: Fix slave authorization

Because the slave id was looked up as a substring of the whole string, slaves
which should not be authorized have been put on the authorized list.

Example: -frontend-authorized-slave-string == "custom_http",
         slave_id = "custom" has been authorized.
parent 39329c8a
......@@ -22,11 +22,11 @@ md5sum = c801b7f9f11f0965677c22e6bbe9281b
[template-apache-frontend]
filename = instance-apache-frontend.cfg.in
md5sum = 3bf520c34753cf9ee9e665e9ef7fb469
md5sum = ab1795f92e32655d05c662c965d2b1f5
[template-apache-replicate]
filename = instance-apache-replicate.cfg.in
md5sum = 1576859772052bcb85ff2b5a7b786410
md5sum = f49cf291a0e46eddcf4bc4b4710e88d8
[template-slave-list]
filename = templates/apache-custom-slave-list.cfg.in
......
......@@ -64,7 +64,7 @@ context =
}) %}
{% endfor %}
{% set authorized_slave_string = slapparameter_dict.pop('-frontend-authorized-slave-string', '') %}
{% set authorized_slave_string_list = slapparameter_dict.pop('-frontend-authorized-slave-string', '').split() %}
{% set authorized_slave_list = [] %}
{% set rejected_slave_dict = {} %}
{% set used_host_list = [] %}
......@@ -93,7 +93,7 @@ context =
{% endif %}
{% for key in ['caddy_custom_http', 'caddy_custom_https', 'apache_custom_http', 'apache_custom_https'] %}
{% if slave.get(key) %}
{% if not slave.get('slave_reference') in authorized_slave_string %}
{% if not slave.get('slave_reference') in authorized_slave_string_list %}
{% if not unauthorised_message in slave_error_list %}
{% do slave_error_list.append(unauthorised_message) %}
{% endif %}
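Review bot: The list built by `.split()` on `-frontend-authorized-slave-string` is now matched item by item, but nothing next to the assignment says the parameter is whitespace-separated and matched exactly. A value written with commas or another separator would presumably leave every slave that supplies a custom configuration rejected. A short template comment above the `authorized_slave_string_list` line would record the contract, e.g. `{# whitespace-separated slave references; a slave_reference must equal one item exactly #}`. On the check itself, `{% if slave.get('slave_reference') not in authorized_slave_string_list %}` reads more directly than `not ... in ...` and evaluates the same. Both hunks are excerpts of a larger template, so the enclosing loop is not visible here.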
......
......@@ -708,6 +708,12 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
'caddy_custom_http': cls.caddy_custom_http % dict(
url=cls.backend_url),
},
# this has to be rejected
'caddy_custom_http_s': {
'url': cls.backend_url,
'caddy_custom_https': '# caddy_custom_https_filled_in_rejected_2',
'caddy_custom_http': '# caddy_custom_http_filled_in_rejected_2',
},
'prefer-gzip-encoding-to-backend': {
'url': cls.backend_url,
'prefer-gzip-encoding-to-backend': 'true',
......@@ -753,7 +759,8 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
'slave-amount': '35',
'rejected-slave-dict':
'{"_apache_custom_http_s-rejected": ["slave not authorised"], '
'"_caddy_custom_http_s-rejected": ["slave not authorised"]}'
'"_caddy_custom_http_s-rejected": ["slave not authorised"], '
'"_caddy_custom_http_s": ["slave not authorised"]'
}
self.assertEqual(
......@@ -2190,6 +2197,27 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
if 'caddy_custom_http_filled_in_rejected' in open(q).read()]
self.assertEqual([], configuration_file_with_custom_http_list)
def test_caddy_custom_http_s(self):
parameter_dict = self.slave_connection_parameter_dict_dict[
'caddy_custom_http_s']
self.assertEqual(
{
'request-error-list': '["slave not authorised"]'
},
parameter_dict)
slave_configuration_file_list = glob.glob(os.path.join(
self.instance_path, '*', 'etc', '*slave-conf.d', '*.conf'))
# no configuration file contains provided custom http
configuration_file_with_custom_https_list = [
q for q in slave_configuration_file_list
if 'caddy_custom_https_filled_in_rejected_2' in open(q).read()]
self.assertEqual([], configuration_file_with_custom_https_list)
configuration_file_with_custom_http_list = [
q for q in slave_configuration_file_list
if 'caddy_custom_http_filled_in_rejected_2' in open(q).read()]
self.assertEqual([], configuration_file_with_custom_http_list)
def test_caddy_custom_http_s_accepted(self):
parameter_dict = self.slave_connection_parameter_dict_dict[
'caddy_custom_http_s-accepted']
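Review bot: The expected `rejected-slave-dict` string in the second test hunk appears to have lost its closing brace: the removed line ended with `]}'` while the new last fragment ends with `]'`, so as shown the assertion compares against malformed JSON. It should read `'"_caddy_custom_http_s": ["slave not authorised"]}'`. `'slave-amount': '35'` is also left unchanged although a `caddy_custom_http_s` slave is added in the first test hunk, which is worth confirming against the real count. Comparing `json.loads(...)` of the value with a dict would remove the dependence on key order in this string. In `test_caddy_custom_http_s`, the comment `# no configuration file contains provided custom http` sits above the https check, and the `open(q).read()` calls never close their files.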
......