From 5533c264d1874ac06400a321b090b4297efccf85 Mon Sep 17 00:00:00 2001 From: Patrick Carlisle Date: Wed, 18 Apr 2018 14:14:47 -0700 Subject: [PATCH] (PUP-3650) Remove CA routes Some limited knowledge of the ca routes remains so that the agent can talk to puppetserver which still implements these. --- lib/puppet/network/authconfig.rb | 13 ---------- lib/puppet/network/http.rb | 2 -- lib/puppet/network/http/api.rb | 11 +------- lib/puppet/network/http/api/ca.rb | 2 -- lib/puppet/network/http/api/ca/v1.rb | 11 -------- spec/unit/network/http/api/ca/v1_spec.rb | 26 ------------------- .../http/api/indirected_routes_spec.rb | 4 --- spec/unit/network/http/api_spec.rb | 26 ------------------- 8 files changed, 1 insertion(+), 94 deletions(-) delete mode 100644 lib/puppet/network/http/api/ca.rb delete mode 100644 lib/puppet/network/http/api/ca/v1.rb delete mode 100644 spec/unit/network/http/api/ca/v1_spec.rb diff --git a/lib/puppet/network/authconfig.rb b/lib/puppet/network/authconfig.rb index 6e04cc28c0a..d06267b0e0e 100644 --- a/lib/puppet/network/authconfig.rb +++ b/lib/puppet/network/authconfig.rb @@ -10,10 +10,6 @@ def self.master_url_prefix Puppet::Network::HTTP::MASTER_URL_PREFIX end - def self.ca_url_prefix - Puppet::Network::HTTP::CA_URL_PREFIX - end - def self.default_acl [ # Master API V3 
@@ -28,15 +24,6 @@ def self.default_acl { :acl => "#{master_url_prefix}/v3/file" }, { :acl => "#{master_url_prefix}/v3/status", :method => [:find], :authenticated => true }, - - # CA API V1 - { :acl => "#{ca_url_prefix}/v1/certificate_revocation_list/ca", :method => :find, :authenticated => true }, - - # These allow `auth any`, because if you can do them anonymously you - # should probably also be able to do them when trusted. - { :acl => "#{ca_url_prefix}/v1/certificate/ca", :method => :find, :authenticated => :any }, - { :acl => "#{ca_url_prefix}/v1/certificate/", :method => :find, :authenticated => :any }, - { :acl => "#{ca_url_prefix}/v1/certificate_request", :method => [:find, :save], :authenticated => :any }, ] end diff --git a/lib/puppet/network/http.rb b/lib/puppet/network/http.rb index efefe4964a6..f4a2677b472 100644 --- a/lib/puppet/network/http.rb +++ b/lib/puppet/network/http.rb @@ -13,8 +13,6 @@ module Puppet::Network::HTTP require 'puppet/network/http/error' require 'puppet/network/http/route' require 'puppet/network/http/api' - require 'puppet/network/http/api/ca' - require 'puppet/network/http/api/ca/v1' require 'puppet/network/http/api/master' require 'puppet/network/http/api/master/v3' require 'puppet/network/http/handler' diff --git a/lib/puppet/network/http/api.rb b/lib/puppet/network/http/api.rb index e3f0d0fc316..c21aa962b4e 100644 --- a/lib/puppet/network/http/api.rb +++ b/lib/puppet/network/http/api.rb @@ -20,8 +20,7 @@ def self.not_found_upgrade "or point them to a server running Puppet 3.\n\n" + "Master Info:\n" + " Puppet version: #{Puppet.version}\n" + - " Supported /puppet API versions: #{Puppet::Network::HTTP::MASTER_URL_VERSIONS}\n" + - " Supported /puppet-ca API versions: #{Puppet::Network::HTTP::CA_URL_VERSIONS}", + " Supported /puppet API versions: #{Puppet::Network::HTTP::MASTER_URL_VERSIONS}\n", Puppet::Network::HTTP::Issues::HANDLER_NOT_FOUND) end) end 
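Review bot: The rewritten last line of the message in `not_found_upgrade` keeps the `\n` that used to separate it from the removed /puppet-ca line, so the 404 body now ends in a stray newline; it should read `" Supported /puppet API versions: #{Puppet::Network::HTTP::MASTER_URL_VERSIONS}",`. The spec assertions visible in this patch match the body with `include`, so they would not catch the trailing newline. Separately, with `ca_routes` gone, requests under the /puppet-ca prefix presumably now fall through to this handler, whose body carries `Puppet.version`; the removed spec asserted that such requests did not get the version, so it is worth confirming that this wider disclosure is intended. `not_found_upgrade` begins above the hunk, so the rest of the message was not reviewed.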
@@ -33,12 +32,4 @@ def self.master_routes chain(Puppet::Network::HTTP::API::Master::V3.routes, Puppet::Network::HTTP::API.not_found) end - - def self.ca_routes - ca_prefix = Regexp.new("^#{Puppet::Network::HTTP::CA_URL_PREFIX}/") - Puppet::Network::HTTP::Route.path(ca_prefix). - any. - chain(Puppet::Network::HTTP::API::CA::V1.routes, - Puppet::Network::HTTP::API.not_found) - end end diff --git a/lib/puppet/network/http/api/ca.rb b/lib/puppet/network/http/api/ca.rb deleted file mode 100644 index 9e4828d6a27..00000000000 --- a/lib/puppet/network/http/api/ca.rb +++ /dev/null @@ -1,2 +0,0 @@ -module Puppet::Network::HTTP::API::CA -end diff --git a/lib/puppet/network/http/api/ca/v1.rb b/lib/puppet/network/http/api/ca/v1.rb deleted file mode 100644 index 15a721eae13..00000000000 --- a/lib/puppet/network/http/api/ca/v1.rb +++ /dev/null @@ -1,11 +0,0 @@ -require 'puppet/network/http/api/indirected_routes' -class Puppet::Network::HTTP::API::CA::V1 - - INDIRECTED = Puppet::Network::HTTP::Route. - path(/.*/). - any(Puppet::Network::HTTP::API::IndirectedRoutes.new) - - def self.routes - Puppet::Network::HTTP::Route.path(%r{v1}).any.chain(INDIRECTED) - end -end diff --git a/spec/unit/network/http/api/ca/v1_spec.rb b/spec/unit/network/http/api/ca/v1_spec.rb deleted file mode 100644 index bb6cff664d2..00000000000 --- a/spec/unit/network/http/api/ca/v1_spec.rb +++ /dev/null 
@@ -1,26 +0,0 @@ -require 'spec_helper' - -require 'puppet/network/http' - -describe Puppet::Network::HTTP::API::CA::V1 do - let(:response) { Puppet::Network::HTTP::MemoryResponse.new } - let(:ca_url_prefix) { "#{Puppet::Network::HTTP::CA_URL_PREFIX}/v1"} - - let(:ca_routes) { - Puppet::Network::HTTP::Route. - path(Regexp.new("#{Puppet::Network::HTTP::CA_URL_PREFIX}/")). - any. - chain(Puppet::Network::HTTP::API::CA::V1.routes) - } - - it "mounts ca routes" do - Puppet::SSL::Certificate.indirection.stubs(:find).returns "foo" - request = Puppet::Network::HTTP::Request. - from_hash(:path => "#{ca_url_prefix}/certificate/foo", - :params => {:environment => "production"}, - :headers => {"accept" => "s"}) - ca_routes.process(request, response) - - expect(response.code).to eq(200) - end -end diff --git a/spec/unit/network/http/api/indirected_routes_spec.rb b/spec/unit/network/http/api/indirected_routes_spec.rb index 4f63f7755d5..f445e040388 100644 --- a/spec/unit/network/http/api/indirected_routes_spec.rb +++ b/spec/unit/network/http/api/indirected_routes_spec.rb @@ -50,10 +50,6 @@ expect(lambda { handler.uri2indirection("GET", "#{master_url_prefix}/certificate/foo", params) }).to raise_error(bad_request_error) end - it "should fail if the indirection does not have the correct version" do - expect(lambda { handler.uri2indirection("GET", "#{Puppet::Network::HTTP::CA_URL_PREFIX}/v3/certificate/foo", params) }).to raise_error(bad_request_error) - end - it "should not pass a buck_path parameter through (See Bugs #13553, #13518, #13511)" do expect(handler.uri2indirection("GET", "#{master_url_prefix}/node/bar", { :environment => "env", diff --git a/spec/unit/network/http/api_spec.rb b/spec/unit/network/http/api_spec.rb index 80564f81d01..a4d37c159c5 100644 --- a/spec/unit/network/http/api_spec.rb +++ b/spec/unit/network/http/api_spec.rb 
@@ -39,11 +39,9 @@ def respond(text) describe "Puppet API" do let(:handler) { PuppetSpec::Handler.new(Puppet::Network::HTTP::API.master_routes, - Puppet::Network::HTTP::API.ca_routes, Puppet::Network::HTTP::API.not_found_upgrade) } let(:master_prefix) { Puppet::Network::HTTP::MASTER_URL_PREFIX } - let(:ca_prefix) { Puppet::Network::HTTP::CA_URL_PREFIX } it "raises a not-found error for non-CA or master routes and suggests an upgrade" do req = Puppet::Network::HTTP::Request.from_hash(:path => "/unknown") @@ -61,7 +59,6 @@ def respond(text) expect(res[:status]).to eq(404) expect(res[:body]).to include("Puppet version: #{Puppet.version}") expect(res[:body]).to include("Supported /puppet API versions: #{Puppet::Network::HTTP::MASTER_URL_VERSIONS}") - expect(res[:body]).to include("Supported /puppet-ca API versions: #{Puppet::Network::HTTP::CA_URL_VERSIONS}") end it "gives an upgrade message for CA routes" do @@ -71,7 +68,6 @@ def respond(text) expect(res[:status]).to eq(404) expect(res[:body]).to include("Puppet version: #{Puppet.version}") expect(res[:body]).to include("Supported /puppet API versions: #{Puppet::Network::HTTP::MASTER_URL_VERSIONS}") - expect(res[:body]).to include("Supported /puppet-ca API versions: #{Puppet::Network::HTTP::CA_URL_VERSIONS}") end end 
@@ -101,27 +97,5 @@ def respond(text) expect(res[:body]).not_to include("Puppet version: #{Puppet.version}") end end - - describe "when processing CA routes" do - it "responds to v1 indirector requests" do - Puppet::SSL::Certificate.indirection.stubs(:find).returns "foo" - req = Puppet::Network::HTTP::Request.from_hash(:path => "#{ca_prefix}/v1/certificate/foo", - :params => {:environment => "production"}, - :headers => {'accept' => "s"}) - res = {} - handler.process(req, res) - expect(res[:body]).to eq("foo") - expect(res[:status]).to eq(200) - end - - it "responds with a not found error to non-v1 requests and does not suggest an upgrade" do - req = Puppet::Network::HTTP::Request.from_hash(:path => "#{ca_prefix}/unknown") - res = {} - handler.process(req, res) - expect(res[:status]).to eq(404) - expect(res[:body]).to include("No route for GET #{ca_prefix}/unknown") - expect(res[:body]).not_to include("Puppet version: #{Puppet.version}") - end - end end end