~racb/ubuntu/saucy/puppet/dep8-hiera

Viewing changes to .pc/security-mar-2013.patch/lib/puppet/network/rest_authconfig.rb

Committer: Package Import Robot
Author(s): Marc Deslauriers
Date: 2013-03-11 11:16:08 UTC
Revision ID: package-import@ubuntu.com-20130311111608-6gtkc65hikm0p07r

Tags: 2.7.18-1ubuntu2

* SECURITY UPDATE: Multiple security issues
  - debian/patches/security-mar-2013.patch: upstream patch to fix
    multiple security issues.
  - CVE-2013-1640 - Remote code execution on master from authenticated clients
  - CVE-2013-1652 - Insufficient input validation
  - CVE-2013-1653 - Remote code execution
  - CVE-2013-1654 - Protocol downgrade
  - CVE-2013-1655 - Unauthenticated remote code execution risk
  - CVE-2013-2275 - Incorrect default report ACL

files added:
.pc/security-mar-2013.patch

.pc/security-mar-2013.patch/acceptance

.pc/security-mar-2013.patch/acceptance/tests

.pc/security-mar-2013.patch/acceptance/tests/security

.pc/security-mar-2013.patch/acceptance/tests/security/cve-2013-1640_facter_string.rb

.pc/security-mar-2013.patch/acceptance/tests/security/cve-2013-1652_improper_query_params.rb

.pc/security-mar-2013.patch/acceptance/tests/security/cve-2013-1652_poison_other_node_cache.rb

.pc/security-mar-2013.patch/acceptance/tests/security/cve-2013-1653_puppet_kick.rb

.pc/security-mar-2013.patch/acceptance/tests/security/cve-2013-1654_sslv2_downgrade_agent.rb

.pc/security-mar-2013.patch/acceptance/tests/security/cve-2013-1654_sslv2_downgrade_master.rb

.pc/security-mar-2013.patch/acceptance/tests/security/cve-2013-1655_safe_yaml_deserialization.rb

.pc/security-mar-2013.patch/acceptance/tests/security/cve-2013-2274_all_your_agent_terminii_belong_to_us.rb

.pc/security-mar-2013.patch/acceptance/tests/security/cve-2013-2274_all_your_master_terminii_belong_to_us.rb

.pc/security-mar-2013.patch/acceptance/tests/security/cve-2013-2275_report_acl.rb

.pc/security-mar-2013.patch/conf

.pc/security-mar-2013.patch/conf/auth.conf

.pc/security-mar-2013.patch/lib

.pc/security-mar-2013.patch/lib/puppet

.pc/security-mar-2013.patch/lib/puppet/indirector

.pc/security-mar-2013.patch/lib/puppet/indirector/catalog

.pc/security-mar-2013.patch/lib/puppet/indirector/catalog/compiler.rb

.pc/security-mar-2013.patch/lib/puppet/indirector/certificate_status

.pc/security-mar-2013.patch/lib/puppet/indirector/certificate_status/file.rb

.pc/security-mar-2013.patch/lib/puppet/indirector/errors.rb

.pc/security-mar-2013.patch/lib/puppet/indirector/file_bucket_file

.pc/security-mar-2013.patch/lib/puppet/indirector/file_bucket_file/file.rb

.pc/security-mar-2013.patch/lib/puppet/indirector/file_bucket_file/selector.rb

.pc/security-mar-2013.patch/lib/puppet/indirector/indirection.rb

.pc/security-mar-2013.patch/lib/puppet/indirector/request.rb

.pc/security-mar-2013.patch/lib/puppet/indirector/resource

.pc/security-mar-2013.patch/lib/puppet/indirector/resource/active_record.rb

.pc/security-mar-2013.patch/lib/puppet/indirector/resource/ral.rb

.pc/security-mar-2013.patch/lib/puppet/indirector/resource/store_configs.rb

.pc/security-mar-2013.patch/lib/puppet/indirector/resource/validator.rb

.pc/security-mar-2013.patch/lib/puppet/indirector/rest.rb

.pc/security-mar-2013.patch/lib/puppet/indirector/run

.pc/security-mar-2013.patch/lib/puppet/indirector/run/local.rb

.pc/security-mar-2013.patch/lib/puppet/indirector/terminus.rb

.pc/security-mar-2013.patch/lib/puppet/network

.pc/security-mar-2013.patch/lib/puppet/network/formats.rb

.pc/security-mar-2013.patch/lib/puppet/network/handler

.pc/security-mar-2013.patch/lib/puppet/network/handler/master.rb

.pc/security-mar-2013.patch/lib/puppet/network/handler/report.rb

.pc/security-mar-2013.patch/lib/puppet/network/http

.pc/security-mar-2013.patch/lib/puppet/network/http/handler.rb

.pc/security-mar-2013.patch/lib/puppet/network/http/rack

.pc/security-mar-2013.patch/lib/puppet/network/http/rack/rest.rb

.pc/security-mar-2013.patch/lib/puppet/network/http/webrick.rb

.pc/security-mar-2013.patch/lib/puppet/network/rest_authconfig.rb

.pc/security-mar-2013.patch/lib/puppet/parser

.pc/security-mar-2013.patch/lib/puppet/parser/templatewrapper.rb

.pc/security-mar-2013.patch/lib/puppet/util

.pc/security-mar-2013.patch/lib/puppet/util/monkey_patches.rb

.pc/security-mar-2013.patch/spec

.pc/security-mar-2013.patch/spec/integration

.pc/security-mar-2013.patch/spec/integration/indirector

.pc/security-mar-2013.patch/spec/integration/indirector/catalog

.pc/security-mar-2013.patch/spec/integration/indirector/catalog/compiler_spec.rb

.pc/security-mar-2013.patch/spec/integration/indirector/catalog/queue_spec.rb

.pc/security-mar-2013.patch/spec/integration/resource

.pc/security-mar-2013.patch/spec/integration/resource/catalog_spec.rb

.pc/security-mar-2013.patch/spec/unit

.pc/security-mar-2013.patch/spec/unit/indirector

.pc/security-mar-2013.patch/spec/unit/indirector/catalog

.pc/security-mar-2013.patch/spec/unit/indirector/catalog/compiler_spec.rb

.pc/security-mar-2013.patch/spec/unit/indirector/indirection_spec.rb

.pc/security-mar-2013.patch/spec/unit/indirector/request_spec.rb

.pc/security-mar-2013.patch/spec/unit/indirector/terminus_spec.rb

.pc/security-mar-2013.patch/spec/unit/network

.pc/security-mar-2013.patch/spec/unit/network/formats_spec.rb

.pc/security-mar-2013.patch/spec/unit/network/http

.pc/security-mar-2013.patch/spec/unit/network/http/handler_spec.rb

.pc/security-mar-2013.patch/spec/unit/network/http/rack

.pc/security-mar-2013.patch/spec/unit/network/http/rack/rest_spec.rb

.pc/security-mar-2013.patch/spec/unit/network/http/webrick_spec.rb

.pc/security-mar-2013.patch/spec/unit/network/http_pool_spec.rb

.pc/security-mar-2013.patch/spec/unit/network/rest_authconfig_spec.rb

.pc/security-mar-2013.patch/spec/unit/parser

.pc/security-mar-2013.patch/spec/unit/parser/functions

.pc/security-mar-2013.patch/spec/unit/parser/functions/inline_template_spec.rb

.pc/security-mar-2013.patch/spec/unit/parser/functions/template_spec.rb

.pc/security-mar-2013.patch/spec/unit/parser/templatewrapper_spec.rb

.pc/security-mar-2013.patch/spec/unit/ssl

.pc/security-mar-2013.patch/spec/unit/ssl/certificate_request_spec.rb

.pc/security-mar-2013.patch/spec/unit/ssl/host_spec.rb

.pc/security-mar-2013.patch/spec/unit/util

.pc/security-mar-2013.patch/spec/unit/util/monkey_patches_spec.rb

.pc/security-mar-2013.patch/test

.pc/security-mar-2013.patch/test/language

.pc/security-mar-2013.patch/test/language/snippets.rb

acceptance

acceptance/tests

acceptance/tests/security

acceptance/tests/security/cve-2013-1640_facter_string.rb

acceptance/tests/security/cve-2013-1652_improper_query_params.rb

acceptance/tests/security/cve-2013-1652_poison_other_node_cache.rb

acceptance/tests/security/cve-2013-1653_puppet_kick.rb

acceptance/tests/security/cve-2013-1654_sslv2_downgrade_agent.rb

acceptance/tests/security/cve-2013-1654_sslv2_downgrade_master.rb

acceptance/tests/security/cve-2013-1655_safe_yaml_deserialization.rb

acceptance/tests/security/cve-2013-2274_all_your_agent_terminii_belong_to_us.rb

acceptance/tests/security/cve-2013-2274_all_your_master_terminii_belong_to_us.rb

acceptance/tests/security/cve-2013-2275_report_acl.rb

debian/patches/security-mar-2013.patch

lib/puppet/indirector/errors.rb

lib/puppet/indirector/resource/validator.rb

files modified:
.pc/applied-patches

conf/auth.conf

debian/changelog

debian/patches/series

lib/puppet/indirector/catalog/compiler.rb

lib/puppet/indirector/certificate_status/file.rb

lib/puppet/indirector/file_bucket_file/file.rb

lib/puppet/indirector/file_bucket_file/selector.rb

lib/puppet/indirector/indirection.rb

lib/puppet/indirector/request.rb

lib/puppet/indirector/resource/active_record.rb

lib/puppet/indirector/resource/ral.rb

lib/puppet/indirector/resource/store_configs.rb

lib/puppet/indirector/rest.rb

lib/puppet/indirector/run/local.rb

lib/puppet/indirector/terminus.rb

lib/puppet/network/formats.rb

lib/puppet/network/handler/master.rb

lib/puppet/network/handler/report.rb

lib/puppet/network/http/handler.rb

lib/puppet/network/http/rack/rest.rb

lib/puppet/network/http/webrick.rb

lib/puppet/network/rest_authconfig.rb

lib/puppet/parser/templatewrapper.rb

lib/puppet/util/monkey_patches.rb

spec/integration/indirector/catalog/compiler_spec.rb

spec/integration/indirector/catalog/queue_spec.rb

spec/integration/resource/catalog_spec.rb

spec/unit/indirector/catalog/compiler_spec.rb

spec/unit/indirector/indirection_spec.rb

spec/unit/indirector/request_spec.rb

spec/unit/indirector/terminus_spec.rb

spec/unit/network/formats_spec.rb

spec/unit/network/http/handler_spec.rb

spec/unit/network/http/rack/rest_spec.rb

spec/unit/network/http/webrick_spec.rb

spec/unit/network/http_pool_spec.rb

spec/unit/network/rest_authconfig_spec.rb

spec/unit/parser/functions/inline_template_spec.rb

spec/unit/parser/functions/template_spec.rb

spec/unit/parser/templatewrapper_spec.rb

spec/unit/ssl/certificate_request_spec.rb

spec/unit/ssl/host_spec.rb

spec/unit/util/monkey_patches_spec.rb

test/language/snippets.rb

Show diffs side-by-side

added added

removed removed

.pc/security-mar-2013.patch/lib/puppet/network/rest_authconfig.rb

require 'puppet/network/authconfig'

module Puppet

class Network::RestAuthConfig < Network::AuthConfig

extend MonitorMixin

attr_accessor :rights

DEFAULT_ACL = [

{ :acl => "~ ^\/catalog\/([^\/]+)$", :method => :find, :allow => '$1', :authenticated => true },

{ :acl => "~ ^\/node\/([^\/]+)$", :method => :find, :allow => '$1', :authenticated => true },

# this one will allow all file access, and thus delegate

# to fileserver.conf

{ :acl => "/file" },

{ :acl => "/certificate_revocation_list/ca", :method => :find, :authenticated => true },

{ :acl => "/report", :method => :save, :authenticated => true },

# These allow `auth any`, because if you can do them anonymously you

# should probably also be able to do them when trusted.

{ :acl => "/certificate/ca", :method => :find, :authenticated => :any },

{ :acl => "/certificate/", :method => :find, :authenticated => :any },

{ :acl => "/certificate_request", :method => [:find, :save], :authenticated => :any },

{ :acl => "/status", :method => [:find], :authenticated => true },

]

def self.main

synchronize do

add_acl = @main.nil?

super

@main.insert_default_acl if add_acl and !@main.exists?

end

@main

end

def allowed?(request)

Puppet.deprecation_warning "allowed? should not be called for REST authorization - use check_authorization instead"

check_authorization(request)

end

# check wether this request is allowed in our ACL

# raise an Puppet::Network::AuthorizedError if the request

# is denied.

def check_authorization(indirection, method, key, params)

read

# we're splitting the request in part because

# fail_on_deny could as well be called in the XMLRPC context

# with a ClientRequest.

if authorization_failure_exception = @rights.is_request_forbidden_and_why?(indirection, method, key, params)

Puppet.warning("Denying access: #{authorization_failure_exception}")

raise authorization_failure_exception

end

def initialize(file = nil, parsenow = true)

super(file || Puppet[:rest_authconfig], parsenow)

# if we didn't read a file (ie it doesn't exist)

# make sure we can create some default rights

@rights ||= Puppet::Network::Rights.new

end

def parse

super()

insert_default_acl

end

# force regular ACLs to be present

def insert_default_acl

if exists? then

reason = "none were found in '#{@file}'"

else

reason = "#{Puppet[:rest_authconfig]} doesn't exist"

end

DEFAULT_ACL.each do |acl|

unless rights[acl[:acl]]

Puppet.info "Inserting default '#{acl[:acl]}' (auth #{acl[:authenticated]}) ACL because #{reason}"

mk_acl(acl)

end

# queue an empty (ie deny all) right for every other path

# actually this is not strictly necessary as the rights system

# denies not explicitely allowed paths

unless rights["/"]

rights.newright("/")

rights.restrict_authenticated("/", :any)

end

def mk_acl(acl)

@rights.newright(acl[:acl])

@rights.allow(acl[:acl], acl[:allow] || "*")

if method = acl[:method]

method = [method] unless method.is_a?(Array)

method.each { |m| @rights.restrict_method(acl[:acl], m) }

end

@rights.restrict_authenticated(acl[:acl], acl[:authenticated]) unless acl[:authenticated].nil?

100

end

101

end

102

end

Older »