Blame SOURCES/bz1359154-01-fix-exceptions-when-authenticating-cluster-nodes.patch

From 54e03344d1d10b66bb0aad92bf072c283ec07185 Mon Sep 17 00:00:00 2001
From: Tomas Jelinek <tojeline@redhat.com>
Date: Tue, 26 Jul 2016 13:44:09 +0200
Subject: [PATCH] fix exceptions when authenticating cluster nodes
---
 pcsd/pcs.rb  | 70 ++++++++++++++++++++++++++++++------------------------------
 pcsd/pcsd.rb | 18 ++++++++++++++--
 2 files changed, 51 insertions(+), 37 deletions(-)
diff --git a/pcsd/pcs.rb b/pcsd/pcs.rb
index 0956de9..ad54a75 100644
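--- a/pcsd/pcs.rb
+++ b/pcsd/pcs.rb
@@ -395,47 +395,47 @@ end
 
 def send_request(auth_user, node, request, post=false, data={}, remote=true, raw_data=nil, timeout=30, cookies_data=nil)
   cookies_data = {} if not cookies_data
-  begin
-    request = "/#{request}" if not request.start_with?("/")
+  request = "/#{request}" if not request.start_with?("/")
 
-    # fix ipv6 address for URI.parse
-    node6 = node
-    if (node.include?(":") and ! node.start_with?("["))
-      node6 = "[#{node}]"
-    end
+  # fix ipv6 address for URI.parse
+  node6 = node
+  if (node.include?(":") and ! node.start_with?("["))
+    node6 = "[#{node}]"
+  end
 
-    if remote
-      uri = URI.parse("https://#{node6}:2224/remote" + request)
-    else
-      uri = URI.parse("https://#{node6}:2224" + request)
-    end
+  if remote
+    uri = URI.parse("https://#{node6}:2224/remote" + request)
+  else
+    uri = URI.parse("https://#{node6}:2224" + request)
+  end
 
-    if post
-      req = Net::HTTP::Post.new(uri.path)
-      raw_data ? req.body = raw_data : req.set_form_data(data)
-    else
-      req = Net::HTTP::Get.new(uri.path)
-      req.set_form_data(data)
-    end
+  if post
+    req = Net::HTTP::Post.new(uri.path)
+    raw_data ? req.body = raw_data : req.set_form_data(data)
+  else
+    req = Net::HTTP::Get.new(uri.path)
+    req.set_form_data(data)
+  end
 
-    cookies_to_send = []
-    cookies_data_default = {}
-    # Let's be safe about characters in cookie variables and do base64.
-    # We cannot do it for CIB_user however to be backward compatible
-    # so we at least remove disallowed characters.
-    cookies_data_default['CIB_user'] = PCSAuth.cookieUserSafe(
-      auth_user[:username].to_s
-    )
-    cookies_data_default['CIB_user_groups'] = PCSAuth.cookieUserEncode(
-      (auth_user[:usergroups] || []).join(' ')
-    )
+  cookies_to_send = []
+  cookies_data_default = {}
+  # Let's be safe about characters in cookie variables and do base64.
+  # We cannot do it for CIB_user however to be backward compatible
+  # so we at least remove disallowed characters.
+  cookies_data_default['CIB_user'] = PCSAuth.cookieUserSafe(
+    auth_user[:username].to_s
+  )
+  cookies_data_default['CIB_user_groups'] = PCSAuth.cookieUserEncode(
+    (auth_user[:usergroups] || []).join(' ')
+  )
 
-    cookies_data_default.update(cookies_data)
-    cookies_data_default.each { |name, value|
-      cookies_to_send << CGI::Cookie.new('name' => name, 'value' => value).to_s
-    }
-    req.add_field('Cookie', cookies_to_send.join(';'))
+  cookies_data_default.update(cookies_data)
+  cookies_data_default.each { |name, value|
+    cookies_to_send << CGI::Cookie.new('name' => name, 'value' => value).to_s
+  }
+  req.add_field('Cookie', cookies_to_send.join(';'))
 
+  begin
     # uri.host returns "[addr]" for ipv6 addresses, which is wrong
     # uri.hostname returns "addr" for ipv6 addresses, which is correct, but it
     #   is not available in older ruby versions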
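Review bot: Now that the URL is built ahead of `begin`, a `node` value that `URI.parse` rejects raises `URI::InvalidURIError` straight out of `send_request`; the matching `rescue` lies below this hunk, so whether callers cope with that is not visible here. `node` is interpolated into `"https://#{node6}:2224..."` with no check other than the IPv6 bracket wrapping, so a value containing `/`, `@` or `#` would also change the host or path that `URI.parse` extracts. If node names can originate from a request, reject unexpected characters before the interpolation with an allow-list such as `node =~ /\A[\w.:\[\]-]+\z/` (the pattern is an illustration), and fail the same way the rescue clause does. The body of `send_request` continues past the end of the hunk.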
diff --git a/pcsd/pcsd.rb b/pcsd/pcsd.rb
index d3032cf..287cf03 100644
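--- a/pcsd/pcsd.rb
+++ b/pcsd/pcsd.rb
@@ -75,6 +75,7 @@ if development?
 end
 
 before do
+  # nobody is logged in yet
   @auth_user = nil
 
   # get session storage instance from env
@@ -83,8 +84,21 @@ before do
     $session_storage_env = env
   end
 
-  if request.path != '/login' and not request.path == "/logout" and not request.path == '/remote/auth' and not request.path == '/login-status'
-    protected! 
+  # urls which are accesible for everybody including not logged in users
+  always_accessible = [
+    '/login',
+    '/logout',
+    '/login-status',
+    '/remote/auth',
+  ]
+  if not always_accessible.include?(request.path)
+    # Sets @auth_user to a hash containing info about logged in user or halts
+    # the request processing if login credentials are incorrect.
+    protected!
+  else
+    # Set a sane default: nobody is logged in, but we do not need to check both
+    # for nil and empty username (if auth_user and auth_user[:username])
+    @auth_user = {} if not @auth_user
   end
   $cluster_name = get_cluster_name()
 end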
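Review bot: The `else` branch leaves `@auth_user` as an empty hash on the four always-accessible paths, and an empty hash is truthy in Ruby, so any check written as `if @auth_user` in handlers or helpers not shown in this diff would now pass for a caller who has not logged in. The new comment should state the rule outright, for example `# NOTE: {} is truthy - test @auth_user[:username], never @auth_user itself`, and existing truthiness checks on `@auth_user` are worth auditing alongside this change. Because `@auth_user` is set to `nil` at the top of the filter, the `if not @auth_user` guard appears to be always true here (the lines between the two hunks are not shown), so a plain `@auth_user = {}` would express the same thing. The comment's "accesible" should read "accessible".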
-- 
1.8.3.1