From 54e03344d1d10b66bb0aad92bf072c283ec07185 Mon Sep 17 00:00:00 2001
From: Tomas Jelinek <tojeline@redhat.com>
Date: Tue, 26 Jul 2016 13:44:09 +0200
Subject: [PATCH] fix exceptions when authenticating cluster nodes
---
pcsd/pcs.rb | 70 ++++++++++++++++++++++++++++++------------------------------
pcsd/pcsd.rb | 18 ++++++++++++++--
2 files changed, 51 insertions(+), 37 deletions(-)
diff --git a/pcsd/pcs.rb b/pcsd/pcs.rb
index 0956de9..ad54a75 100644
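--- a/pcsd/pcs.rb
+++ b/pcsd/pcs.rb
@@ -395,47 +395,47 @@ end
 
 def send_request(auth_user, node, request, post=false, data={}, remote=true, raw_data=nil, timeout=30, cookies_data=nil)
 cookies_data = {} if not cookies_data
- begin
- request = "/#{request}" if not request.start_with?("/")
+ request = "/#{request}" if not request.start_with?("/")
 
- # fix ipv6 address for URI.parse
- node6 = node
- if (node.include?(":") and ! node.start_with?("["))
- node6 = "[#{node}]"
- end
+ # fix ipv6 address for URI.parse
+ node6 = node
+ if (node.include?(":") and ! node.start_with?("["))
+ node6 = "[#{node}]"
+ end
 
- if remote
- uri = URI.parse("https://#{node6}:2224/remote" + request)
- else
- uri = URI.parse("https://#{node6}:2224" + request)
- end
+ if remote
+ uri = URI.parse("https://#{node6}:2224/remote" + request)
+ else
+ uri = URI.parse("https://#{node6}:2224" + request)
+ end
 
- if post
- req = Net::HTTP::Post.new(uri.path)
- raw_data ? req.body = raw_data : req.set_form_data(data)
- else
- req = Net::HTTP::Get.new(uri.path)
- req.set_form_data(data)
- end
+ if post
+ req = Net::HTTP::Post.new(uri.path)
+ raw_data ? req.body = raw_data : req.set_form_data(data)
+ else
+ req = Net::HTTP::Get.new(uri.path)
+ req.set_form_data(data)
+ end
 
- cookies_to_send = []
- cookies_data_default = {}
- # Let's be safe about characters in cookie variables and do base64.
- # We cannot do it for CIB_user however to be backward compatible
- # so we at least remove disallowed characters.
- cookies_data_default['CIB_user'] = PCSAuth.cookieUserSafe(
- auth_user[:username].to_s
- )
- cookies_data_default['CIB_user_groups'] = PCSAuth.cookieUserEncode(
- (auth_user[:usergroups] || []).join(' ')
- )
+ cookies_to_send = []
+ cookies_data_default = {}
+ # Let's be safe about characters in cookie variables and do base64.
+ # We cannot do it for CIB_user however to be backward compatible
+ # so we at least remove disallowed characters.
+ cookies_data_default['CIB_user'] = PCSAuth.cookieUserSafe(
+ auth_user[:username].to_s
+ )
+ cookies_data_default['CIB_user_groups'] = PCSAuth.cookieUserEncode(
+ (auth_user[:usergroups] || []).join(' ')
+ )
 
- cookies_data_default.update(cookies_data)
- cookies_data_default.each { |name, value|
- cookies_to_send << CGI::Cookie.new('name' => name, 'value' => value).to_s
- }
- req.add_field('Cookie', cookies_to_send.join(';'))
+ cookies_data_default.update(cookies_data)
+ cookies_data_default.each { |name, value|
+ cookies_to_send << CGI::Cookie.new('name' => name, 'value' => value).to_s
+ }
+ req.add_field('Cookie', cookies_to_send.join(';'))
 
+ begin
 # uri.host returns "[addr]" for ipv6 addresses, which is wrong
 # uri.hostname returns "addr" for ipv6 addresses, which is correct, but it
 # is not available in older ruby versions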
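Review bot: With `begin` moved below the request construction, `URI.parse("https://#{node6}:2224/remote" + request)` now runs outside the rescue, so a node name that does not form a valid URI raises `URI::InvalidURIError` out of send_request instead of taking whatever error path the rescue provides (the rescue clause and the rest of the body are outside this hunk). `node` is interpolated into the URL without any check, and a value that still parses could change the host or path the request and its `CIB_user` cookies are sent to. A guard before the URI is built, such as `raise ArgumentError, "invalid node name" unless node =~ /\A\[?[0-9A-Za-z._:-]+\]?\z/`, would cover both cases, with the error shape adjusted to what callers expect. Separately, `cookies_data_default.update(cookies_data)` lets a caller-supplied `CIB_user` or `CIB_user_groups` replace the values that were just passed through `cookieUserSafe`/`cookieUserEncode`; if no caller relies on that, a one-line comment stating the intended precedence would help.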
diff --git a/pcsd/pcsd.rb b/pcsd/pcsd.rb
index d3032cf..287cf03 100644
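--- a/pcsd/pcsd.rb
+++ b/pcsd/pcsd.rb
@@ -75,6 +75,7 @@ if development?
 end
 
 before do
+ # nobody is logged in yet
 @auth_user = nil
 
 # get session storage instance from env
@@ -83,8 +84,21 @@ before do
 $session_storage_env = env
 end
 
- if request.path != '/login' and not request.path == "/logout" and not request.path == '/remote/auth' and not request.path == '/login-status'
- protected!
+ # urls which are accesible for everybody including not logged in users
+ always_accessible = [
+ '/login',
+ '/logout',
+ '/login-status',
+ '/remote/auth',
+ ]
+ if not always_accessible.include?(request.path)
+ # Sets @auth_user to a hash containing info about logged in user or halts
+ # the request processing if login credentials are incorrect.
+ protected!
+ else
+ # Set a sane default: nobody is logged in, but we do not need to check both
+ # for nil and empty username (if auth_user and auth_user[:username])
+ @auth_user = {} if not @auth_user
 end
 $cluster_name = get_cluster_name()
 end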
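Review bot: In the `else` branch, `@auth_user = {} if not @auth_user` replaces a falsy `nil` with a truthy empty hash on the four unauthenticated paths, so any check written as `if @auth_user` (none is visible in these hunks) would now treat an anonymous request as logged in. Handlers reached through `/login`, `/logout`, `/login-status` and `/remote/auth` have to test `@auth_user[:username]` instead, and a comment saying so would make that contract explicit, e.g. `# {} is truthy: test @auth_user[:username], never @auth_user itself`. Because `@auth_user` is set to `nil` at the top of the filter, the `if not @auth_user` guard looks redundant unless the session code between the two hunks, which is not shown, assigns it. The allow-list is matched exactly against `request.path`, which fails closed for variants such as a trailing slash; defining it once as a frozen constant outside the `before` block would avoid rebuilding it on every request.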
--
1.8.3.1