From 54e03344d1d10b66bb0aad92bf072c283ec07185 Mon Sep 17 00:00:00 2001
From: Tomas Jelinek <tojeline@redhat.com>
Date: Tue, 26 Jul 2016 13:44:09 +0200
Subject: [PATCH] fix exceptions when authenticating cluster nodes
---
pcsd/pcs.rb | 70 ++++++++++++++++++++++++++++++------------------------------
pcsd/pcsd.rb | 18 ++++++++++++++--
2 files changed, 51 insertions(+), 37 deletions(-)
diff --git a/pcsd/pcs.rb b/pcsd/pcs.rb
index 0956de9..ad54a75 100644
--- a/pcsd/pcs.rb
+++ b/pcsd/pcs.rb
@@ -395,47 +395,47 @@ end
def send_request(auth_user, node, request, post=false, data={}, remote=true, raw_data=nil, timeout=30, cookies_data=nil)
cookies_data = {} if not cookies_data
- begin
- request = "/#{request}" if not request.start_with?("/")
+ request = "/#{request}" if not request.start_with?("/")
- # fix ipv6 address for URI.parse
- node6 = node
- if (node.include?(":") and ! node.start_with?("["))
- node6 = "[#{node}]"
- end
+ # fix ipv6 address for URI.parse
+ node6 = node
+ if (node.include?(":") and ! node.start_with?("["))
+ node6 = "[#{node}]"
+ end
- if remote
- uri = URI.parse("https://#{node6}:2224/remote" + request)
- else
- uri = URI.parse("https://#{node6}:2224" + request)
- end
+ if remote
+ uri = URI.parse("https://#{node6}:2224/remote" + request)
+ else
+ uri = URI.parse("https://#{node6}:2224" + request)
+ end
- if post
- req = Net::HTTP::Post.new(uri.path)
- raw_data ? req.body = raw_data : req.set_form_data(data)
- else
- req = Net::HTTP::Get.new(uri.path)
- req.set_form_data(data)
- end
+ if post
+ req = Net::HTTP::Post.new(uri.path)
+ raw_data ? req.body = raw_data : req.set_form_data(data)
+ else
+ req = Net::HTTP::Get.new(uri.path)
+ req.set_form_data(data)
+ end
- cookies_to_send = []
- cookies_data_default = {}
- # Let's be safe about characters in cookie variables and do base64.
- # We cannot do it for CIB_user however to be backward compatible
- # so we at least remove disallowed characters.
- cookies_data_default['CIB_user'] = PCSAuth.cookieUserSafe(
- auth_user[:username].to_s
- )
- cookies_data_default['CIB_user_groups'] = PCSAuth.cookieUserEncode(
- (auth_user[:usergroups] || []).join(' ')
- )
+ cookies_to_send = []
+ cookies_data_default = {}
+ # Let's be safe about characters in cookie variables and do base64.
+ # We cannot do it for CIB_user however to be backward compatible
+ # so we at least remove disallowed characters.
+ cookies_data_default['CIB_user'] = PCSAuth.cookieUserSafe(
+ auth_user[:username].to_s
+ )
+ cookies_data_default['CIB_user_groups'] = PCSAuth.cookieUserEncode(
+ (auth_user[:usergroups] || []).join(' ')
+ )
- cookies_data_default.update(cookies_data)
- cookies_data_default.each { |name, value|
- cookies_to_send << CGI::Cookie.new('name' => name, 'value' => value).to_s
- }
- req.add_field('Cookie', cookies_to_send.join(';'))
+ cookies_data_default.update(cookies_data)
+ cookies_data_default.each { |name, value|
+ cookies_to_send << CGI::Cookie.new('name' => name, 'value' => value).to_s
+ }
+ req.add_field('Cookie', cookies_to_send.join(';'))
+ begin
# uri.host returns "[addr]" for ipv6 addresses, which is wrong
# uri.hostname returns "addr" for ipv6 addresses, which is correct, but it
# is not available in older ruby versions
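Review bot: With `begin` moved down to just before the connection code, `URI.parse("https://#{node6}:2224...")` and `auth_user[:username]` now run outside the rescue, so a `node` value that does not form a valid URI raises `URI::InvalidURIError` out of `send_request` instead of taking the function's existing error path. The rescue clause and the callers are outside this hunk, so confirm that every caller either validates node names first or handles the exception, particularly if node names can arrive in request parameters. If the aim is only to stop hiding programming errors such as a nil `auth_user`, a narrow `rescue URI::InvalidURIError` around the parse would keep malformed host input on the handled path while letting other exceptions surface. A short comment above the `begin`, for example `# only network errors are rescued below; request construction errors propagate`, would make the new exception contract explicit.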
diff --git a/pcsd/pcsd.rb b/pcsd/pcsd.rb
index d3032cf..287cf03 100644
--- a/pcsd/pcsd.rb
+++ b/pcsd/pcsd.rb
@@ -75,6 +75,7 @@ if development?
end
before do
+ # nobody is logged in yet
@auth_user = nil
# get session storage instance from env
@@ -83,8 +84,21 @@ before do
$session_storage_env = env
end
- if request.path != '/login' and not request.path == "/logout" and not request.path == '/remote/auth' and not request.path == '/login-status'
- protected!
+ # urls which are accesible for everybody including not logged in users
+ always_accessible = [
+ '/login',
+ '/logout',
+ '/login-status',
+ '/remote/auth',
+ ]
+ if not always_accessible.include?(request.path)
+ # Sets @auth_user to a hash containing info about logged in user or halts
+ # the request processing if login credentials are incorrect.
+ protected!
+ else
+ # Set a sane default: nobody is logged in, but we do not need to check both
+ # for nil and empty username (if auth_user and auth_user[:username])
+ @auth_user = {} if not @auth_user
end
$cluster_name = get_cluster_name()
end
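Review bot: In the `else` branch, `@auth_user = {} if not @auth_user` replaces nil with an empty hash, and an empty hash is truthy in Ruby, so any handler or helper reached from the four always-accessible paths that still tests `if @auth_user` to mean "logged in" would now pass for an anonymous request. Those handlers are outside this hunk (the `before` block also starts above it), so they need to be checked; the comment could state the contract directly, e.g. `# {} means anonymous: test @auth_user[:username], never @auth_user itself`. The exact-match `always_accessible.include?(request.path)` fails closed for any path variant not on the list, which is the right default for an authentication bypass list. The list could be a frozen constant defined once rather than an array rebuilt on every request.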
--
1.8.3.1