search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
history | raw | HEAD
pairing with luke, nagios_command provider skeleton
[vinpup.git] / test / network / authstore.rb
blobad4a4f1c2ad40ddb41c7728ba0f98d04d5e11ad0
1 #!/usr/bin/env ruby
2
3 require File.dirname(__FILE__) + '/../lib/puppettest'
4
5 require 'puppettest'
6 require 'mocha'
7 require 'puppet/network/authstore'
8
9 class TestAuthStore < Test::Unit::TestCase
10         include PuppetTest
11     Declaration = Puppet::Network::AuthStore::Declaration
12     def mkstore
13         store = nil
14         assert_nothing_raised {
15             store = Puppet::Network::AuthStore.new
16         }
17
18         return store
19     end
20
21     def setup
22         super
23         @store = mkstore
24     end
25
26     def test_localallow
27         Puppet[:trace] = false
28         assert_nothing_raised {
29             assert(@store.allowed?(nil, nil), "Store disallowed local access")
30         }
31
32         assert_raise(Puppet::DevError) {
33             @store.allowed?("kirby.madstop.com", nil)
34         }
35
36         assert_raise(Puppet::DevError) {
37             @store.allowed?(nil, "192.168.0.1")
38         }
39     end
40
41     def test_simpleips
42         %w{
43             192.168.0.5
44             7.0.48.7
45         }.each { |ip|
46             assert_nothing_raised("Failed to @store IP address %s" % ip) {
47                 @store.allow(ip)
48             }
49
50             assert(@store.allowed?("hosttest.com", ip), "IP %s not allowed" % ip)
51         }
52
53         #assert_raise(Puppet::AuthStoreError) {
54         #    @store.allow("192.168.674.0")
55         #}
56
57         assert_raise(Puppet::AuthStoreError) {
58             @store.allow("192.168.0")
59         }
60     end
61
62     def test_ipranges
63         %w{
64             192.168.0.*
65             192.168.1.0/24
66             192.178.*
67             193.179.0.0/8
68         }.each { |range|
69             assert_nothing_raised("Failed to @store IP range %s" % range) {
70                 @store.allow(range)
71             }
72         }
73
74         %w{
75             192.168.0.1
76             192.168.1.5
77             192.178.0.5
78             193.0.0.1
79         }.each { |ip|
80             assert(@store.allowed?("fakename.com", ip), "IP %s is not allowed" % ip)
81         }
82     end
83
84     def test_iprangedenials
85         assert_nothing_raised("Failed to @store overlapping IP ranges") {
86             @store.allow("192.168.0.0/16")
87             @store.deny("192.168.0.0/24")
88         }
89
90         assert(@store.allowed?("fake.name", "192.168.1.50"), "/16 ip not allowed")
91         assert(! @store.allowed?("fake.name", "192.168.0.50"), "/24 ip allowed")
92     end
93
94     def test_subdomaindenails
95         assert_nothing_raised("Failed to @store overlapping IP ranges") {
96             @store.allow("*.madstop.com")
97             @store.deny("*.sub.madstop.com")
98         }
99
100         assert(@store.allowed?("hostname.madstop.com", "192.168.1.50"),
101             "hostname not allowed")
102         assert(! @store.allowed?("name.sub.madstop.com", "192.168.0.50"),
103             "subname name allowed")
104     end
105
106     def test_orderingstuff
107         assert_nothing_raised("Failed to @store overlapping IP ranges") {
108             @store.allow("*.madstop.com")
109             @store.deny("192.168.0.0/24")
110         }
111
112         assert(@store.allowed?("hostname.madstop.com", "192.168.1.50"),
113             "hostname not allowed")
114         assert(! @store.allowed?("hostname.madstop.com", "192.168.0.50"),
115             "Host allowed over IP")
116     end
117
118     def test_globalallow
119         assert_nothing_raised("Failed to add global allow") {
120             @store.allow("*")
121         }
122
123         [
124             %w{hostname.com 192.168.0.4},
125             %w{localhost 192.168.0.1},
126             %w{localhost 127.0.0.1}
127             
128         ].each { |ary|
129             assert(@store.allowed?(*ary), "Failed to allow %s" % [ary.join(",")])
130         }
131     end
132
133     def test_store
134         assert_nothing_raised do
135             assert_nil(@store.send(:store, :allow, "*.host.com"),
136                 "store did not return nil")
137         end
138         assert_equal([Declaration.new(:allow, "*.host.com")],
139             @store.send(:instance_variable_get, "@declarations"),
140             "Did not store declaration")
141
142         # Now add another one and make sure it gets sorted appropriately
143         assert_nothing_raised do
144             assert_nil(@store.send(:store, :allow, "me.host.com"),
145                 "store did not return nil")
146         end
147
148         assert_equal([
149             Declaration.new(:allow, "me.host.com"),
150             Declaration.new(:allow, "*.host.com")
151         ],
152             @store.send(:instance_variable_get, "@declarations"),
153             "Did not sort declarations")
154     end
155
156     def test_allow_and_deny
157         store = Puppet::Network::AuthStore.new
158         store.expects(:store).with(:allow, "host.com")
159         store.allow("host.com")
160
161         store = Puppet::Network::AuthStore.new
162         store.expects(:store).with(:deny, "host.com")
163         store.deny("host.com")
164
165         store = Puppet::Network::AuthStore.new
166         assert_nothing_raised do
167             assert_nil(store.allow("*"),
168                 "allow did not return nil")
169         end
170
171         assert(store.globalallow?,
172             "did not enable global allow")
173     end
174
175     def test_hostnames
176         Puppet[:trace] = false
177         %w{
178             kirby.madstop.com
179             luke.madstop.net
180             name-other.madstop.net
181         }.each { |name|
182             assert_nothing_raised("Failed to @store simple name %s" % name) {
183                 @store.allow(name)
184             }
185             assert(@store.allowed?(name, "192.168.0.1"), "Name %s not allowed" % name)
186         }
187
188         %w{
189             invalid
190             ^invalid!
191             inval$id
192         
193         }.each { |pat|
194             assert_raise(Puppet::AuthStoreError,
195                 "name '%s' was allowed" % pat) {
196                 @store.allow(pat)
197             }
198         }
199     end
200
201     def test_domains
202         assert_nothing_raised("Failed to @store domains") {
203             @store.allow("*.a.very.long.domain.name.com")
204             @store.allow("*.madstop.com")
205             @store.allow("*.some-other.net")
206             @store.allow("*.much.longer.more-other.net")
207         }
208
209         %w{
210             madstop.com
211             culain.madstop.com
212             kirby.madstop.com
213             funtest.some-other.net
214             ya-test.madstop.com
215             some.much.much.longer.more-other.net
216         }.each { |name|
217             assert(@store.allowed?(name, "192.168.0.1"), "Host %s not allowed" % name)
218         }
219
220         assert_raise(Puppet::AuthStoreError) {
221             @store.allow("domain.*.com")
222         }
223
224         assert(!@store.allowed?("very.long.domain.name.com", "1.2.3.4"),
225             "Long hostname allowed")
226
227         assert_raise(Puppet::AuthStoreError) {
228             @store.allow("domain.*.other.com")
229         }
230     end
231
232     # #531
233     def test_case_insensitivity
234         @store.allow("hostname.com")
235
236         %w{hostname.com Hostname.COM hostname.Com HOSTNAME.COM}.each do |name|
237             assert(@store.allowed?(name, "127.0.0.1"),
238                 "did not allow %s" % name)
239         end
240     end
241
242     def test_allowed?
243         Puppet[:trace] = false
244         assert(@store.allowed?(nil, nil),
245             "Did not default to true for local checks")
246         assert_raise(Puppet::DevError, "did not fail on one input") do
247             @store.allowed?("host.com", nil)
248         end
249         assert_raise(Puppet::DevError, "did not fail on one input") do
250             @store.allowed?(nil, "192.168.0.1")
251         end
252
253     end
254
255     # Make sure more specific allows and denies win over generalities
256     def test_specific_overrides
257         @store.allow("host.madstop.com")
258         @store.deny("*.madstop.com")
259
260         assert(@store.allowed?("host.madstop.com", "192.168.0.1"),
261             "More specific allowal by name failed")
262
263         @store.allow("192.168.0.1")
264         @store.deny("192.168.0.0/24")
265
266         assert(@store.allowed?("host.madstop.com", "192.168.0.1"),
267             "More specific allowal by ip failed")
268     end
269 end
270
271 class TestAuthStoreDeclaration < PuppetTest::TestCase
272         include PuppetTest
273     Declaration = Puppet::Network::AuthStore::Declaration
274
275     def setup
276         super
277         @decl = Declaration.new(:allow, "hostname.com")
278     end
279
280     def test_parse
281         {
282             "192.168.0.1" =>        [:ip, IPAddr.new("192.168.0.1"), nil],
283             "2001:700:300:1800::" => [:ip, IPAddr.new("2001:700:300:1800::"), nil],
284             "2001:700:300:1800::/64" => [:ip, IPAddr.new("2001:700:300:1800::/64"), 64],
285             "192.168.0.1/32" =>     [:ip, IPAddr.new("192.168.0.1/32"), 32],
286             "192.168.0.1/24" =>     [:ip, IPAddr.new("192.168.0.1/24"), 24],
287             "192.*" =>              [:ip, IPAddr.new("192.0.0.0/8"), 8],
288             "192.168.*" =>          [:ip, IPAddr.new("192.168.0.0/16"), 16],
289             "192.168.0.*" =>        [:ip, IPAddr.new("192.168.0.0/24"), 24],
290             "hostname.com" =>       [:domain, %w{com hostname}, nil],
291             "Hostname.COM" =>       [:domain, %w{com hostname}, nil],
292             "billy.Hostname.COM" => [:domain, %w{com hostname billy}, nil],
293             "billy-jean.Hostname.COM" => [:domain, %w{com hostname billy-jean}, nil],
294             "*.hostname.COM" => [:domain, %w{com hostname}, 2],
295             "*.hostname.COM" => [:domain, %w{com hostname}, 2]
296         }.each do |input, output|
297
298             # Create a new decl each time, so values aren't cached.
299             assert_nothing_raised do
300                 @decl = Declaration.new(:allow, input)
301             end
302
303             [:name, :pattern, :length].zip(output).each do |method, value|
304                 assert_equal(value, @decl.send(method),
305                     "Got incorrect value for %s from %s" % [method, input])
306             end
307         end
308
309         %w{192.168 hostname -hostname.com hostname.*}.each do |input|
310             assert_raise(Puppet::AuthStoreError, "Did not fail on %s" % input) do
311                 @decl.pattern = input
312             end
313         end
314
315         ["hostname .com", "192.168 .0.1"].each do |input|
316             assert_raise(Puppet::AuthStoreError, "Did not fail on %s" % input) do
317                 @decl.pattern = input
318             end
319         end
320     end
321
322     def test_result
323         ["allow", :allow].each do |val|
324             assert_nothing_raised { @decl.type = val }
325             assert_equal(true, @decl.result, "did not result to true with %s" %
326                 val.inspect)
327         end
328
329         [:deny, "deny"].each do |val|
330             assert_nothing_raised { @decl.type = val }
331             assert_equal(false, @decl.result,
332                 "did not result to false with %s" % val.inspect)
333         end
334
335         ["yay", 1, nil, false, true].each do |val|
336             assert_raise(ArgumentError, "Did not fail on %s" % val.inspect) do
337                 @decl.type = val
338             end
339         end
340     end
341
342     def test_munge_name
343         {
344             "hostname.com" => %w{com hostname},
345             "alley.hostname.com" => %w{com hostname alley},
346             "*.hostname.com" => %w{com hostname *},
347             "*.HOSTNAME.Com" => %w{com hostname *},
348             "*.HOSTNAME.Com" => %w{com hostname *},
349
350         }.each do |input, output|
351             assert_equal(output, @decl.send(:munge_name, input),
352                 "munged %s incorrectly" % input)
353         end
354     end
355
356     # Make sure people can specify TLDs
357     def test_match_tlds
358         assert_nothing_raised {
359             @decl.pattern = "*.tld"
360         }
361
362         assert_equal(%w{tld}, @decl.pattern, "Failed to allow custom tld")
363     end
364
365     # Make sure we sort correctly.
366     def test_sorting
367         # Make sure declarations with no length sort first.
368         host_exact = Declaration.new(:allow, "host.com")
369         host_range = Declaration.new(:allow, "*.host.com")
370
371         ip_exact = Declaration.new(:allow, "192.168.0.1")
372         ip_range = Declaration.new(:allow, "192.168.0.*")
373
374         assert_equal(-1, host_exact <=> host_range,
375             "exact name match did not sort first")
376
377         assert_equal(-1, ip_exact <=> ip_range,
378             "exact ip match did not sort first")
379
380         # Next make sure we sort by length
381         ip_long = Declaration.new(:allow, "192.168.*")
382         assert_equal(-1, ip_range <=> ip_long, "/16 sorted before /24 in ip")
383
384         # Now try it using masks
385         ip24 = Declaration.new(:allow, "192.168.0.0/24")
386         ip16 = Declaration.new(:allow, "192.168.0.0/16")
387
388         assert_equal(-1, ip24 <=> ip16, "/16 sorted before /24 in ip with masks")
389
390         # Make sure ip checks sort before host checks
391         assert_equal(-1, ip_exact <=> host_exact,
392             "IP exact did not sort before host exact")
393
394         assert_equal(-1, ip_range <=> host_range,
395             "IP range did not sort before host range")
396
397         host_long = Declaration.new(:allow, "*.domain.host.com")
398
399         assert_equal(-1, host_long <=> host_range, "did not sort by domain length")
400
401         # Now make sure denies sort before allows, for equivalent
402         # declarations.
403         host_deny = Declaration.new(:deny, "host.com")
404         assert_equal(-1, host_deny <=> host_exact, "deny did not sort before allow when exact")
405
406         host_range_deny = Declaration.new(:deny, "*.host.com")
407         assert_equal(-1, host_range_deny <=> host_range,
408             "deny did not sort before allow when ranged")
409
410         ip_allow = Declaration.new(:allow, "192.168.0.0/16")
411         ip_deny = Declaration.new(:deny, "192.168.0.0/16")
412
413         assert_equal(-1, ip_deny <=> ip_allow,
414             "deny did not sort before allow in ip range")
415
416         %w{host.com *.domain.com 192.168.0.1 192.168.0.1/24}.each do |decl|
417             assert_equal(0, Declaration.new(:allow, decl) <=>
418                 Declaration.new(:allow, decl),
419                 "Equivalent declarations for %s were considered different" %
420                 decl
421             )
422         end
423     end
424
425     def test_match?
426         host = Declaration.new(:allow, "host.com")
427         host.expects(:matchname?).with("host.com")
428         host.match?("host.com", "192.168.0.1")
429
430         ip = Declaration.new(:allow, "192.168.0.1")
431         ip.pattern.expects(:include?)
432         ip.match?("host.com", "192.168.0.1")
433     end
434
435     def test_matchname?
436         host = Declaration.new(:allow, "host.com")
437         assert(host.send(:matchname?, "host.com"), "exact did not match")
438         assert(! host.send(:matchname?, "yay.com"), "incorrect match")
439
440         domain = Declaration.new(:allow, "*.domain.com")
441         %w{host.domain.com domain.com very.long.domain.com very-long.domain.com
442         }.each do |name|
443             assert(domain.send(:matchname?, name),
444                 "Did not match %s" % name)
445         end
446     end
447 end
448
449
kevin's puppet work