Revert fix for #2386 to properly support Passenger 2.2.5


Christian Hofstaedtler

Nov 5, 2009, 5:29:03 AM
to puppe...@googlegroups.com

So, people are reporting that Puppet 0.25.x works with Passenger 2.2.5 and
people are reporting that it doesn't.

I've now been able to reproduce the "it does not work" case, and this seems
to be caused by Passenger doing a write once to ENV for all SSL headers. Using
rack's request.env seems to work though, and this is also the only documented
way of accessing the SSL env vars anyway.

Therefore I'm proposing to simply revert my old fix and update the docs
accordingly.

Please everyone with a Passenger setup test this, as I don't yet have a
Puppet 0.25.x production setup.

Thanks,
Christian

--
christian hofstaedtler

Christian Hofstaedtler

Nov 5, 2009, 5:29:04 AM
to puppe...@googlegroups.com
This reverts commit c702f76b271515e9c42dcb923d379fbfac4c83cd and turns it
into a documentation only fix. As it turns out, ENV should have never been
used at all, as the Rack docs say nothing about it *and* Passenger's
behaviour in 2.2.3 + 2.2.4 was completely broken and still is half-way broken
in 2.2.5 (but is OK with the Rack specs).
---
ext/rack/README | 4 ++--
lib/puppet/network/http/rack/httphandler.rb | 18 ------------------
lib/puppet/network/http/rack/rest.rb | 8 ++++----
lib/puppet/network/http/rack/xmlrpc.rb | 8 ++++----
4 files changed, 10 insertions(+), 28 deletions(-)

diff --git a/ext/rack/README b/ext/rack/README
index 3bdcca5..d05d402 100644
--- a/ext/rack/README
+++ b/ext/rack/README
@@ -43,7 +43,7 @@ Make sure puppetmasterd ran at least once, so the CA & SSL certificates
got set up.

Requirements:
- Passenger version 2.2.2 or newer***
+ Passenger version 2.2.2 or 2.2.5 or newer***
Rack version 1.0.0
Apache 2.x
SSL Module loaded
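Review bot: The new requirement line `Passenger version 2.2.2 or 2.2.5 or newer***` is ambiguous, because "or newer" can be read as applying to 2.2.2 as well, which would include 2.2.3-2.2.4 that the version note below lists as not working. Suggest something like `Passenger version 2.2.2, or 2.2.5 or newer (not 2.2.3-2.2.4)***`, and mention the Puppet 0.25.2+ condition here too, since this is the line people read first.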
@@ -68,6 +68,6 @@ config.ru. Therefore, config.ru shall be owned by the puppet user.
*** Important note about Passenger versions:
2.2.2 is known to work.
2.2.3-2.2.4 are known to *NOT* work.
- 2.2.5 (when it is released) is expected to work properly again.
+ 2.2.5 works again when used with Puppet 0.25.2+.
Passenger installation doc: http://www.modrails.com/install.html

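Review bot: The replacement line `2.2.5 works again when used with Puppet 0.25.2+.` leaves open what to expect from Puppet 0.25.0 or 0.25.1 on Passenger 2.2.5, the combination this thread reports mixed results for. Suggest stating explicitly whether earlier 0.25.x releases are supported with 2.2.5, plus a one-line reason (the SSL variables are now read from the Rack request env only), so an operator seeing failed client-certificate lookups can match the symptom to this note.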
diff --git a/lib/puppet/network/http/rack/httphandler.rb b/lib/puppet/network/http/rack/httphandler.rb
index 31aa837..e142068 100644
--- a/lib/puppet/network/http/rack/httphandler.rb
+++ b/lib/puppet/network/http/rack/httphandler.rb
@@ -12,23 +12,5 @@ class Puppet::Network::HTTP::RackHttpHandler
raise NotImplementedError, "Your RackHttpHandler subclass is supposed to override service(request)"
end

- def ssl_client_header(request)
- env_or_request_env(Puppet[:ssl_client_header], request)
- end
-
- def ssl_client_verify_header(request)
- env_or_request_env(Puppet[:ssl_client_verify_header], request)
- end
-
- # Older Passenger versions passed all Environment vars in app(env),
- # but since 2.2.3 they (some?) are really in ENV.
- # Mongrel, etc. may also still use request.env.
- def env_or_request_env(var, request)
- if ENV.include?(var)
- ENV[var]
- else
- request.env[var]
- end
- end
end

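Review bot: The removal of `env_or_request_env` comes with no spec change (the diffstat lists four files, none of them a spec), so nothing prevents an ENV lookup from being reintroduced later. ENV is process-wide and the removed helper preferred it over `request.env` whenever the key was present, while the values read here decide the node name and the authenticated flag; suggest a spec asserting that a value present only in ENV is ignored, and a sentence in the commit message saying that the lookup must be per request for that reason.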
diff --git a/lib/puppet/network/http/rack/rest.rb b/lib/puppet/network/http/rack/rest.rb
index bdca651..1047512 100644
--- a/lib/puppet/network/http/rack/rest.rb
+++ b/lib/puppet/network/http/rack/rest.rb
@@ -63,11 +63,11 @@ class Puppet::Network::HTTP::RackREST < Puppet::Network::HTTP::RackHttpHandler
result[:ip] = request.ip

# if we find SSL info in the headers, use them to get a hostname.
- # try this with :ssl_client_header.
- # For Apache you need special configuration, see ext/rack/README.
- if dn = ssl_client_header(request) and dn_matchdata = dn.match(/^.*?CN\s*=\s*(.*)/)
+ # try this with :ssl_client_header, which defaults should work for
+ # Apache with StdEnvVars.
+ if dn = request.env[Puppet[:ssl_client_header]] and dn_matchdata = dn.match(/^.*?CN\s*=\s*(.*)/)
result[:node] = dn_matchdata[1].to_str
- result[:authenticated] = (ssl_client_verify_header(request) == 'SUCCESS')
+ result[:authenticated] = (request.env[Puppet[:ssl_client_verify_header]] == 'SUCCESS')
else
result[:node] = resolve_node(result)
result[:authenticated] = false
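Review bot: On the changed `if dn = request.env[Puppet[:ssl_client_header]] ...` line, the pattern `/^.*?CN\s*=\s*(.*)/` still captures everything after `CN=` to the end of the line, so a DN carrying further attributes after the CN would put them into result[:node]. This is not introduced by the patch, but since the line is being rewritten, consider ending the capture at the next attribute separator. Separately, `request.env` holds client-sent headers under HTTP_* keys as well as server-set variables, so the new comment could say that the web server must set, and overwrite, whichever key :ssl_client_header names.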
diff --git a/lib/puppet/network/http/rack/xmlrpc.rb b/lib/puppet/network/http/rack/xmlrpc.rb
index 9d0f486..4fc9e82 100644
--- a/lib/puppet/network/http/rack/xmlrpc.rb
+++ b/lib/puppet/network/http/rack/xmlrpc.rb
@@ -43,11 +43,11 @@ class Puppet::Network::HTTP::RackXMLRPC < Puppet::Network::HTTP::RackHttpHandler
ip = request.ip

# if we find SSL info in the headers, use them to get a hostname.
- # try this with :ssl_client_header.
- # For Apache you need special configuration, see ext/rack/README.
- if dn = ssl_client_header(request) and dn_matchdata = dn.match(/^.*?CN\s*=\s*(.*)/)
+ # try this with :ssl_client_header, which defaults should work for
+ # Apache with StdEnvVars.
+ if dn = request.env[Puppet[:ssl_client_header]] and dn_matchdata = dn.match(/^.*?CN\s*=\s*(.*)/)
node = dn_matchdata[1].to_str
- authenticated = (ssl_client_verify_header(request) == 'SUCCESS')
+ authenticated = (request.env[Puppet[:ssl_client_verify_header]] == 'SUCCESS')
else
begin
node = Resolv.getname(ip)
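Review bot: The added comment `try this with :ssl_client_header, which defaults should work for Apache with StdEnvVars.` does not parse ("whose default"?), and this hunk duplicates the two `request.env[...]` lookups and the DN match from the rest.rb hunk. Suggest fixing the comment wording in both files and keeping a single helper in RackHttpHandler that reads only `request.env`, so the REST and XMLRPC handlers cannot drift apart on how the client identity is derived.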
--
1.5.6.5
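
An added illustration, not part of the original thread or of Puppet's code: a Ruby simulation of what the reverted helper's ENV-first lookup does under the "write once to ENV" behaviour described in the first message, next to the per-request lookup the patch restores. The key names, method names and sample requests are constructed, and the once-only ENV write is simulated as an assumption.

```ruby
# Added illustration; all names below are hypothetical, not Puppet's own code.
# Constructed keys standing in for Puppet[:ssl_client_header] and
# Puppet[:ssl_client_verify_header].
DN_KEY     = 'EXAMPLE_CLIENT_DN'
VERIFY_KEY = 'EXAMPLE_CLIENT_VERIFY'

# Lookup order of the reverted helper: process-wide ENV wins over the request.
def env_first(key, rack_env)
  ENV.include?(key) ? ENV[key] : rack_env[key]
end

# Lookup after the revert: only the per-request Rack environment.
def request_only(key, rack_env)
  rack_env[key]
end

# Same DN match and 'SUCCESS' comparison as the handlers in the patch.
def identify(rack_env, lookup)
  dn = send(lookup, DN_KEY, rack_env)
  if dn && (m = dn.match(/^.*?CN\s*=\s*(.*)/))
    { node: m[1], authenticated: send(lookup, VERIFY_KEY, rack_env) == 'SUCCESS' }
  else
    { node: nil, authenticated: false }
  end
end

# Simulates (as an assumption) a server that copies the first request's SSL
# values into ENV once and never updates them, then serves further requests.
def serve(requests, lookup)
  ENV.delete(DN_KEY); ENV.delete(VERIFY_KEY)
  requests.each_with_index.map do |rack_env, i|
    if i.zero?
      ENV[DN_KEY] = rack_env[DN_KEY]
      ENV[VERIFY_KEY] = rack_env[VERIFY_KEY]
    end
    identify(rack_env, lookup)
  end
ensure
  ENV.delete(DN_KEY); ENV.delete(VERIFY_KEY)
end

# Constructed requests: a verified agent, then a client with no certificate.
REQUESTS = [
  { DN_KEY => '/CN=agent1.example.com', VERIFY_KEY => 'SUCCESS' },
  { VERIFY_KEY => 'NONE' }
]
```

`serve(REQUESTS, :env_first)` reports the second, certificate-less request as the first agent and authenticated; `serve(REQUESTS, :request_only)` reports it as unauthenticated with no node.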

Luke Kanies

Nov 5, 2009, 12:00:34 PM
to puppe...@googlegroups.com
+1
--
If computers get too powerful, we can organize them into a committee --
that will do them in. -- Bradley's Bromide
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com

Andrew Forgue

Nov 23, 2009, 11:34:50 AM
to Puppet Developers
On Nov 5, 2009, at 4:29 AM, Christian Hofstaedtler wrote:
> Please everyone with a Passenger setup test this, as I don't yet have a
> Puppet 0.25.x production setup.

This patch works for me. Fixed my passenger issue with 0.25.1 and
2.2.5.

Thanks

Josh Anderson

Dec 11, 2009, 8:23:42 PM
to Puppet Developers
Thank you, Chris!

I'm running Puppet 0.25.1 and Passenger 2.2.7 on Solaris 10 SPARC and
your patch works flawlessly for me.

This definitely needs to go into 0.25.2.

-Josh

James Turnbull

Dec 11, 2009, 8:35:09 PM
to puppe...@googlegroups.com
Josh - I can't find an email related to this - which patch do you mean?

Regards

James Turnbull

--
Author of:
* Pro Linux System Administration (http://tinyurl.com/linuxadmin)
* Pulling Strings with Puppet (http://tinyurl.com/pupbook)
* Pro Nagios 2.0 (http://tinyurl.com/pronagios)
* Hardening Linux (http://tinyurl.com/hardeninglinux)

Joshua Anderson

Dec 11, 2009, 8:41:59 PM
to puppe...@googlegroups.com
Oops! That's what I get for posting via Google Groups.

The original subject was "Revert fix for #2386 to properly support Passenger 2.2.5", but Google Groups says that the subject was changed for that thread, hence the confusion.


-Josh


James Turnbull

Dec 11, 2009, 9:42:39 PM
to puppe...@googlegroups.com
Joshua Anderson wrote:
> Oops! That's what I get for posting via Google Groups.
>
> The original subject was "Revert fix for #2386 to properly support
> Passenger 2.2.5", but Google Groups says that the subject was changed
> for that thread, hence the confusion.
>
> Here's a link to the original
> message: http://groups.google.com/group/puppet-dev/msg/b15e1c93bbc70fdb
>

Thanks Josh

It's pushed at:

http://projects.reductivelabs.com/projects/puppet/repository/revisions/5ed2e2619fc366a9ea1e1b9866da055ba0cd57aa

Regards

James Turnbull

--
Author of:
* Pro Linux System Administration (http://tinyurl.com/linuxadmin)
* Pulling Strings with Puppet (http://tinyurl.com/pupbook)
* Pro Nagios 2.0 (http://tinyurl.com/pronagios)
* Hardening Linux (http://tinyurl.com/hardeninglinux)