From 54e03344d1d10b66bb0aad92bf072c283ec07185 Mon Sep 17 00:00:00 2001

From: Tomas Jelinek <tojeline@redhat.com>

Date: Tue, 26 Jul 2016 13:44:09 +0200

Subject: [PATCH] fix exceptions when authenticating cluster nodes

---

 pcsd/pcs.rb  | 70 ++++++++++++++++++++++++++++++------------------------------

 pcsd/pcsd.rb | 18 ++++++++++++++--

 2 files changed, 51 insertions(+), 37 deletions(-)

diff --git a/pcsd/pcs.rb b/pcsd/pcs.rb

index 0956de9..ad54a75 100644

--- a/pcsd/pcs.rb

+++ b/pcsd/pcs.rb

@@ -395,47 +395,47 @@ end

 def send_request(auth_user, node, request, post=false, data={}, remote=true, raw_data=nil, timeout=30, cookies_data=nil)

   cookies_data = {} if not cookies_data

-  begin

-    request = "/#{request}" if not request.start_with?("/")

+  request = "/#{request}" if not request.start_with?("/")

-    # fix ipv6 address for URI.parse

-    node6 = node

-    if (node.include?(":") and ! node.start_with?("["))

-      node6 = "[#{node}]"

-    end

+  # fix ipv6 address for URI.parse

+  node6 = node

+  if (node.include?(":") and ! node.start_with?("["))

+    node6 = "[#{node}]"

+  end

-    if remote

-      uri = URI.parse("https://#{node6}:2224/remote" + request)

-    else

-      uri = URI.parse("https://#{node6}:2224" + request)

-    end

+  if remote

+    uri = URI.parse("https://#{node6}:2224/remote" + request)

+  else

+    uri = URI.parse("https://#{node6}:2224" + request)

+  end

-    if post

-      req = Net::HTTP::Post.new(uri.path)

-      raw_data ? req.body = raw_data : req.set_form_data(data)

-    else

-      req = Net::HTTP::Get.new(uri.path)

-      req.set_form_data(data)

-    end

+  if post

+    req = Net::HTTP::Post.new(uri.path)

+    raw_data ? req.body = raw_data : req.set_form_data(data)

+  else

+    req = Net::HTTP::Get.new(uri.path)

+    req.set_form_data(data)

+  end

-    cookies_to_send = []

-    cookies_data_default = {}

-    # Let's be safe about characters in cookie variables and do base64.

-    # We cannot do it for CIB_user however to be backward compatible

-    # so we at least remove disallowed characters.

-    cookies_data_default['CIB_user'] = PCSAuth.cookieUserSafe(

-      auth_user[:username].to_s

-    )

-    cookies_data_default['CIB_user_groups'] = PCSAuth.cookieUserEncode(

-      (auth_user[:usergroups] || []).join(' ')

-    )

+  cookies_to_send = []

+  cookies_data_default = {}

+  # Let's be safe about characters in cookie variables and do base64.

+  # We cannot do it for CIB_user however to be backward compatible

+  # so we at least remove disallowed characters.

+  cookies_data_default['CIB_user'] = PCSAuth.cookieUserSafe(

+    auth_user[:username].to_s

+  )

+  cookies_data_default['CIB_user_groups'] = PCSAuth.cookieUserEncode(

+    (auth_user[:usergroups] || []).join(' ')

+  )

-    cookies_data_default.update(cookies_data)

-    cookies_data_default.each { |name, value|

-      cookies_to_send << CGI::Cookie.new('name' => name, 'value' => value).to_s

-    }

-    req.add_field('Cookie', cookies_to_send.join(';'))

+  cookies_data_default.update(cookies_data)

+  cookies_data_default.each { |name, value|

+    cookies_to_send << CGI::Cookie.new('name' => name, 'value' => value).to_s

+  }

+  req.add_field('Cookie', cookies_to_send.join(';'))

+  begin

     # uri.host returns "[addr]" for ipv6 addresses, which is wrong

     # uri.hostname returns "addr" for ipv6 addresses, which is correct, but it

     #   is not available in older ruby versions

diff --git a/pcsd/pcsd.rb b/pcsd/pcsd.rb

index d3032cf..287cf03 100644

--- a/pcsd/pcsd.rb

+++ b/pcsd/pcsd.rb

@@ -75,6 +75,7 @@ if development?

 end

 before do

+  # nobody is logged in yet

   @auth_user = nil

   # get session storage instance from env

@@ -83,8 +84,21 @@ before do

     $session_storage_env = env

   end

-  if request.path != '/login' and not request.path == "/logout" and not request.path == '/remote/auth' and not request.path == '/login-status'

-    protected! 

+  # urls which are accesible for everybody including not logged in users

+  always_accessible = [

+    '/login',

+    '/logout',

+    '/login-status',

+    '/remote/auth',

+  ]

+  if not always_accessible.include?(request.path)

+    # Sets @auth_user to a hash containing info about logged in user or halts

+    # the request processing if login credentials are incorrect.

+    protected!

+  else

+    # Set a sane default: nobody is logged in, but we do not need to check both

+    # for nil and empty username (if auth_user and auth_user[:username])

+    @auth_user = {} if not @auth_user

   end

   $cluster_name = get_cluster_name()

 end

-- 

1.8.3.1