From 54e03344d1d10b66bb0aad92bf072c283ec07185 Mon Sep 17 00:00:00 2001
From: Tomas Jelinek
Date: Tue, 26 Jul 2016 13:44:09 +0200
Subject: [PATCH] fix exceptions when authenticating cluster nodes
---
 pcsd/pcs.rb | 70 ++++++++++++++++++++++++++++++------------------------------
 pcsd/pcsd.rb | 18 ++++++++++++++--
 2 files changed, 51 insertions(+), 37 deletions(-)
diff --git a/pcsd/pcs.rb b/pcsd/pcs.rb
index 0956de9..ad54a75 100644
--- a/pcsd/pcs.rb
+++ b/pcsd/pcs.rb
@@ -395,47 +395,47 @@ end
 def send_request(auth_user, node, request, post=false, data={}, remote=true, raw_data=nil, timeout=30, cookies_data=nil)
 cookies_data = {} if not cookies_data
- begin
- request = "/#{request}" if not request.start_with?("/")
+ request = "/#{request}" if not request.start_with?("/")
- # fix ipv6 address for URI.parse
- node6 = node
- if (node.include?(":") and ! node.start_with?("["))
- node6 = "[#{node}]"
- end
+ # fix ipv6 address for URI.parse
+ node6 = node
+ if (node.include?(":") and ! node.start_with?("["))
+ node6 = "[#{node}]"
+ end
- if remote
- uri = URI.parse("https://#{node6}:2224/remote" + request)
- else
- uri = URI.parse("https://#{node6}:2224" + request)
- end
+ if remote
+ uri = URI.parse("https://#{node6}:2224/remote" + request)
+ else
+ uri = URI.parse("https://#{node6}:2224" + request)
+ end
- if post
- req = Net::HTTP::Post.new(uri.path)
- raw_data ? req.body = raw_data : req.set_form_data(data)
- else
- req = Net::HTTP::Get.new(uri.path)
- req.set_form_data(data)
- end
+ if post
+ req = Net::HTTP::Post.new(uri.path)
+ raw_data ? req.body = raw_data : req.set_form_data(data)
+ else
+ req = Net::HTTP::Get.new(uri.path)
+ req.set_form_data(data)
+ end
- cookies_to_send = []
- cookies_data_default = {}
- # Let's be safe about characters in cookie variables and do base64.
- # We cannot do it for CIB_user however to be backward compatible
- # so we at least remove disallowed characters.
- cookies_data_default['CIB_user'] = PCSAuth.cookieUserSafe(
- auth_user[:username].to_s
- )
- cookies_data_default['CIB_user_groups'] = PCSAuth.cookieUserEncode(
- (auth_user[:usergroups] || []).join(' ')
- )
+ cookies_to_send = []
+ cookies_data_default = {}
+ # Let's be safe about characters in cookie variables and do base64.
+ # We cannot do it for CIB_user however to be backward compatible
+ # so we at least remove disallowed characters.
+ cookies_data_default['CIB_user'] = PCSAuth.cookieUserSafe(
+ auth_user[:username].to_s
+ )
+ cookies_data_default['CIB_user_groups'] = PCSAuth.cookieUserEncode(
+ (auth_user[:usergroups] || []).join(' ')
+ )
- cookies_data_default.update(cookies_data)
- cookies_data_default.each { |name, value|
- cookies_to_send << CGI::Cookie.new('name' => name, 'value' => value).to_s
- }
- req.add_field('Cookie', cookies_to_send.join(';'))
+ cookies_data_default.update(cookies_data)
+ cookies_data_default.each { |name, value|
+ cookies_to_send << CGI::Cookie.new('name' => name, 'value' => value).to_s
+ }
+ req.add_field('Cookie', cookies_to_send.join(';'))
+ begin
 # uri.host returns "[addr]" for ipv6 addresses, which is wrong
 # uri.hostname returns "addr" for ipv6 addresses, which is correct, but it
 # is not available in older ruby versions
diff --git a/pcsd/pcsd.rb b/pcsd/pcsd.rb
index d3032cf..287cf03 100644
--- a/pcsd/pcsd.rb
+++ b/pcsd/pcsd.rb
@@ -75,6 +75,7 @@ if development?
 end
 before do
+ # nobody is logged in yet
 @auth_user = nil
 # get session storage instance from env
@@ -83,8 +84,21 @@ before do
 $session_storage_env = env
 end
- if request.path != '/login' and not request.path == "/logout" and not request.path == '/remote/auth' and not request.path == '/login-status'
- protected!
+ # urls which are accesible for everybody including not logged in users
+ always_accessible = [
+ '/login',
+ '/logout',
+ '/login-status',
+ '/remote/auth',
+ ]
+ if not always_accessible.include?(request.path)
+ # Sets @auth_user to a hash containing info about logged in user or halts
+ # the request processing if login credentials are incorrect.
+ protected!
+ else
+ # Set a sane default: nobody is logged in, but we do not need to check both
+ # for nil and empty username (if auth_user and auth_user[:username])
+ @auth_user = {} if not @auth_user
 end
 $cluster_name = get_cluster_name()
 end
-- 1.8.3.1
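Review bot: `URI.parse("https://#{node6}:2224/remote" + request)` now runs before `begin`, so a `URI::InvalidURIError` raised for a malformed `node` propagates to the caller instead of reaching whatever rescue closes the block (the rescue lies outside this hunk, so that part is inferred). `node` is also interpolated into the URL authority unchecked, and the request built from it carries the `CIB_user` and `CIB_user_groups` cookies, so a value containing URL delimiters would change the host or path those cookies are sent to. If `node` can originate from request parameters, validate it ahead of the interpolation, for example `raise ArgumentError, "invalid node name" unless node =~ /\A[A-Za-z0-9_.:\[\]-]+\z/`, and have the callers handle that error. send_request's body continues past the end of the hunk.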
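Review bot: `@auth_user = {} if not @auth_user` makes `@auth_user` truthy on the four always-accessible paths, because an empty hash is truthy in Ruby; any handler or helper reached from `/login`, `/logout`, `/login-status` or `/remote/auth` that still tests `if @auth_user` to mean "logged in" would now pass for an anonymous request. Those handlers are not visible in this hunk, so this needs confirming by searching for bare truthiness checks on `@auth_user` and `auth_user`. I would state the contract in the comment, e.g. `# {} is truthy: test @auth_user[:username], never @auth_user itself`. The list could also live outside the filter as a frozen constant, `ALWAYS_ACCESSIBLE = [...].freeze`, so it is not rebuilt on every request and cannot be mutated at runtime.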