diff --git a/lib/puppet/indirector/node/ldap.rb b/lib/puppet/indirector/node/ldap.rb index b9fe35575..ecebc8279 100644 --- a/lib/puppet/indirector/node/ldap.rb +++ b/lib/puppet/indirector/node/ldap.rb @@ -1,300 +1,256 @@ require 'puppet/node' require 'puppet/indirector/ldap' class Puppet::Node::Ldap < Puppet::Indirector::Ldap desc "Search in LDAP for node configuration information. See the `LdapNodes`:trac: page for more information. This will first search for whatever the certificate name is, then (if that name contains a '.') for the short name, then 'default'." # The attributes that Puppet class information is stored in. def class_attributes # LAK:NOTE See http://snurl.com/21zf8 [groups_google_com] x = Puppet[:ldapclassattrs].split(/\s*,\s*/) end # Separate this out so it's relatively atomic. It's tempting to call # process instead of name2hash() here, but it ends up being # difficult to test because all exceptions get caught by ldapsearch. # LAK:NOTE Unfortunately, the ldap support is too stupid to throw anything # but LDAP::ResultError, even on bad connections, so we are rough handed # with our error handling. - def name2hash(name,name_env,node_type) + def name2hash(name) info = nil - ldapsearch(search_filter(name)) { - |entry| info = entry2hash(entry) - if info[:environment] - if name_env == info[:environment] - return info - else - info = nil - end - else - info_env = "production" - if name_env == info[:environment] - return info - else - info = nil - end - end - } - if node_type == 'parent' - raise Puppet::Error.new("Could not find node '#{name}' with environment '#{name_env}'") - end - - info = name2hash('default',name_env,'parent') + ldapsearch(search_filter(name)) { |entry| info = entry2hash(entry) } + info end # Look for our node in ldap. def find(request) names = [request.key] names << request.key.sub(/\..+/, '') if request.key.include?(".") # we assume it's an fqdn names << "default" node = nil names.each do |name| - facts = Puppet::Node::Facts.find(name) - if facts.values["environment"] - name_env = facts.values["environment"] - else - name_env = "production" - end - info = name2hash(name,name_env,'child') - next if info == nil - - if info - break if node = info2node(request.key, info) - end + next unless info = name2hash(name) + + break if node = info2node(request.key, info) end node end # Find more than one node. LAK:NOTE This is a bit of a clumsy API, because the 'search' # method currently *requires* a key. It seems appropriate in some cases but not others, # and I don't really know how to get rid of it as a requirement but allow it when desired. def search(request) if classes = request.options[:class] classes = [classes] unless classes.is_a?(Array) filter = "(&(objectclass=puppetClient)(puppetclass=" + classes.join(")(puppetclass=") + "))" else filter = "(objectclass=puppetClient)" end infos = [] ldapsearch(filter) { |entry| infos << entry2hash(entry, request.options[:fqdn]) } return infos.collect do |info| info2node(info[:name], info) end end # The parent attribute, if we have one. def parent_attribute if pattr = Puppet[:ldapparentattr] and ! pattr.empty? pattr else nil end end # The attributes that Puppet will stack as array over the full # hierarchy. def stacked_attributes(dummy_argument=:work_arround_for_ruby_GC_bug) Puppet[:ldapstackedattrs].split(/\s*,\s*/) end # Convert the found entry into a simple hash. def entry2hash(entry, fqdn = false) result = {} cn = entry.dn[ /cn\s*=\s*([^,\s]+)/i,1] dcs = entry.dn.scan(/dc\s*=\s*([^,\s]+)/i) result[:name] = fqdn ? ([cn]+dcs).join('.') : cn result[:parent] = get_parent_from_entry(entry) if parent_attribute result[:classes] = get_classes_from_entry(entry) result[:stacked] = get_stacked_values_from_entry(entry) result[:parameters] = get_parameters_from_entry(entry) result[:environment] = result[:parameters]["environment"] if result[:parameters]["environment"] result[:stacked_parameters] = {} if result[:stacked] result[:stacked].each do |value| param = value.split('=', 2) result[:stacked_parameters][param[0]] = param[1] end end if result[:stacked_parameters] result[:stacked_parameters].each do |param, value| result[:parameters][param] = value unless result[:parameters].include?(param) end end result[:parameters] = convert_parameters(result[:parameters]) result end # Default to all attributes. def search_attributes ldapattrs = Puppet[:ldapattrs] # results in everything getting returned return nil if ldapattrs == "all" search_attrs = class_attributes + ldapattrs.split(/\s*,\s*/) if pattr = parent_attribute search_attrs << pattr end search_attrs end # The ldap search filter to use. def search_filter(name) filter = Puppet[:ldapstring] if filter.include? "%s" # Don't replace the string in-line, since that would hard-code our node # info. filter = filter.gsub('%s', name) end filter end private # Add our hash of ldap information to the node instance. def add_to_node(node, information) node.classes = information[:classes].uniq unless information[:classes].nil? or information[:classes].empty? node.parameters = information[:parameters] unless information[:parameters].nil? or information[:parameters].empty? node.environment = information[:environment] if information[:environment] end def convert_parameters(parameters) result = {} parameters.each do |param, value| if value.is_a?(Array) result[param] = value.collect { |v| convert(v) } else result[param] = convert(value) end end result end # Convert any values if necessary. def convert(value) case value when Integer, Fixnum, Bignum; value when "true"; true when "false"; false else value end end # Find information for our parent and merge it into the current info. def find_and_merge_parent(parent, information) - - if information[:environment] - name_env = information[:environment] - else - name_env = 'production' - end - - parent_info = name2hash(parent,name_env,'parent') - if parent_info + parent_info = name2hash(parent) || raise(Puppet::Error.new("Could not find parent node '#{parent}'")) information[:classes] += parent_info[:classes] parent_info[:parameters].each do |param, value| - # Specifically test for whether it's set, so false values are handled - # correctly. + # Specifically test for whether it's set, so false values are handled correctly. information[:parameters][param] = value unless information[:parameters].include?(param) end - information[:environment] ||= parent_info[:environment] parent_info[:parent] - else - raise Puppet::Error.new("Could not find parent node '#{parent}'") - nil - end - end # Take a name and a hash, and return a node instance. def info2node(name, info) merge_parent(info) if info[:parent] node = Puppet::Node.new(name) add_to_node(node, info) node.fact_merge node end def merge_parent(info) parent_info = nil parent = info[:parent] # Preload the parent array with the node name. parents = [info[:name]] while parent raise ArgumentError, "Found loop in LDAP node parents; #{parent} appears twice" if parents.include?(parent) parents << parent parent = find_and_merge_parent(parent, info) end info end def get_classes_from_entry(entry) result = class_attributes.inject([]) do |array, attr| if values = entry.vals(attr) values.each do |v| array << v end end array end result.uniq end def get_parameters_from_entry(entry) stacked_params = stacked_attributes entry.to_hash.inject({}) do |hash, ary| unless stacked_params.include?(ary[0]) # don't add our stacked parameters to the main param list if ary[1].length == 1 hash[ary[0]] = ary[1].shift else hash[ary[0]] = ary[1] end end hash end end def get_parent_from_entry(entry) pattr = parent_attribute return nil unless values = entry.vals(pattr) if values.length > 1 raise Puppet::Error, "Node entry #{entry.dn} specifies more than one parent: #{values.inspect}" end return(values.empty? ? nil : values.shift) end def get_stacked_values_from_entry(entry) stacked_attributes.inject([]) do |result, attr| if values = entry.vals(attr) result += values end result end end end diff --git a/spec/unit/indirector/node/ldap_spec.rb b/spec/unit/indirector/node/ldap_spec.rb index a5f14fc23..042e7bd54 100755 --- a/spec/unit/indirector/node/ldap_spec.rb +++ b/spec/unit/indirector/node/ldap_spec.rb @@ -1,452 +1,454 @@ #!/usr/bin/env ruby require File.dirname(__FILE__) + '/../../../spec_helper' require 'puppet/indirector/node/ldap' describe Puppet::Node::Ldap do describe "when searching for a single node" do before :each do @searcher = Puppet::Node::Ldap.new @name = "mynode.domain.com" @node = stub 'node', :name => @name, :name= => nil @node.stub_everything Puppet::Node.stubs(:new).returns(@node) @request = stub 'request', :key => @name end it "should convert the hostname into a search filter" do - entry = stub 'entry', :dn => 'cn=mynode.domain.com,ou=hosts,dc=madstop,dc=com', :vals => %w{}, :to_hash => {"environment" => 'production'} + entry = stub 'entry', :dn => 'cn=mynode.domain.com,ou=hosts,dc=madstop,dc=com', :vals => %w{}, :to_hash => {} @searcher.expects(:ldapsearch).with("(&(objectclass=puppetClient)(cn=#{@name}))").yields entry - @searcher.name2hash(@name, 'production', 'parent') + @searcher.name2hash(@name) end it "should convert any found entry into a hash" do - entry = stub 'entry', :dn => 'cn=mynode.domain.com,ou=hosts,dc=madstop,dc=com', :vals => %w{}, :to_hash => {"environment" => 'production'} + entry = stub 'entry', :dn => 'cn=mynode.domain.com,ou=hosts,dc=madstop,dc=com', :vals => %w{}, :to_hash => {} @searcher.expects(:ldapsearch).with("(&(objectclass=puppetClient)(cn=#{@name}))").yields entry - myhash = {"myhash" => true, :environment => 'production'} + myhash = {"myhash" => true} @searcher.expects(:entry2hash).with(entry).returns myhash - @searcher.name2hash(@name, 'production', 'parent').should == myhash + @searcher.name2hash(@name).should == myhash end # This heavily tests our entry2hash method, so we don't have to stub out the stupid entry information any more. describe "when an ldap entry is found" do before do @entry = stub 'entry', :dn => 'cn=mynode,ou=hosts,dc=madstop,dc=com', :vals => %w{}, :to_hash => {} @searcher.stubs(:ldapsearch).yields @entry end it "should convert the entry to a hash" do @searcher.entry2hash(@entry).should be_instance_of(Hash) end it "should add the entry's common name to the hash if fqdn if false" do @searcher.entry2hash(@entry,fqdn = false)[:name].should == "mynode" end it "should add the entry's fqdn name to the hash if fqdn if true" do @searcher.entry2hash(@entry,fqdn = true)[:name].should == "mynode.madstop.com" end it "should add all of the entry's classes to the hash" do @entry.stubs(:vals).with("puppetclass").returns %w{one two} @searcher.entry2hash(@entry)[:classes].should == %w{one two} end it "should deduplicate class values" do @entry.stubs(:to_hash).returns({}) @searcher.stubs(:class_attributes).returns(%w{one two}) @entry.stubs(:vals).with("one").returns(%w{a b}) @entry.stubs(:vals).with("two").returns(%w{b c}) @searcher.entry2hash(@entry)[:classes].should == %w{a b c} end it "should add the entry's environment to the hash" do @entry.stubs(:to_hash).returns("environment" => %w{production}) @searcher.entry2hash(@entry)[:environment].should == "production" end it "should add all stacked parameters as parameters in the hash" do @entry.stubs(:vals).with("puppetvar").returns(%w{one=two three=four}) result = @searcher.entry2hash(@entry) result[:parameters]["one"].should == "two" result[:parameters]["three"].should == "four" end it "should not add the stacked parameter as a normal parameter" do @entry.stubs(:vals).with("puppetvar").returns(%w{one=two three=four}) @entry.stubs(:to_hash).returns("puppetvar" => %w{one=two three=four}) @searcher.entry2hash(@entry)[:parameters]["puppetvar"].should be_nil end it "should add all other attributes as parameters in the hash" do @entry.stubs(:to_hash).returns("foo" => %w{one two}) @searcher.entry2hash(@entry)[:parameters]["foo"].should == %w{one two} end it "should return single-value parameters as strings, not arrays" do @entry.stubs(:to_hash).returns("foo" => %w{one}) @searcher.entry2hash(@entry)[:parameters]["foo"].should == "one" end it "should convert 'true' values to the boolean 'true'" do @entry.stubs(:to_hash).returns({"one" => ["true"]}) @searcher.entry2hash(@entry)[:parameters]["one"].should == true end it "should convert 'false' values to the boolean 'false'" do @entry.stubs(:to_hash).returns({"one" => ["false"]}) @searcher.entry2hash(@entry)[:parameters]["one"].should == false end it "should convert 'true' values to the boolean 'true' inside an array" do @entry.stubs(:to_hash).returns({"one" => ["true", "other"]}) @searcher.entry2hash(@entry)[:parameters]["one"].should == [true, "other"] end it "should convert 'false' values to the boolean 'false' inside an array" do @entry.stubs(:to_hash).returns({"one" => ["false", "other"]}) @searcher.entry2hash(@entry)[:parameters]["one"].should == [false, "other"] end it "should add the parent's name if present" do @entry.stubs(:vals).with("parentnode").returns(%w{foo}) @searcher.entry2hash(@entry)[:parent].should == "foo" end it "should fail if more than one parent is specified" do @entry.stubs(:vals).with("parentnode").returns(%w{foo}) @searcher.entry2hash(@entry)[:parent].should == "foo" end end it "should search first for the provided key" do - @searcher.expects(:name2hash).with("mynode.domain.com", 'production', 'child').returns({}) + @searcher.expects(:name2hash).with("mynode.domain.com").returns({}) @searcher.find(@request) end it "should search for the short version of the provided key if the key looks like a hostname and no results are found for the key itself" do - @searcher.expects(:name2hash).with("mynode.domain.com", 'production', 'child').returns(nil) - @searcher.expects(:name2hash).with("mynode", 'production', 'child').returns({}) + @searcher.expects(:name2hash).with("mynode.domain.com").returns(nil) + @searcher.expects(:name2hash).with("mynode").returns({}) @searcher.find(@request) end it "should search for default information if no information can be found for the key" do - @searcher.expects(:name2hash).with("mynode.domain.com", 'production', 'child').returns(nil) - @searcher.expects(:name2hash).with("mynode", 'production', 'child').returns(nil) - @searcher.expects(:name2hash).with("default", 'production', 'child').returns({}) + @searcher.expects(:name2hash).with("mynode.domain.com").returns(nil) + @searcher.expects(:name2hash).with("mynode").returns(nil) + @searcher.expects(:name2hash).with("default").returns({}) @searcher.find(@request) end it "should return nil if no results are found in ldap" do @searcher.stubs(:name2hash).returns nil @searcher.find(@request).should be_nil end it "should return a node object if results are found in ldap" do @searcher.stubs(:name2hash).returns({}) @searcher.find(@request).should equal(@node) end describe "and node information is found in LDAP" do before do @result = {} @searcher.stubs(:name2hash).returns @result end it "should create the node with the correct name, even if it was found by a different name" do - @searcher.expects(:name2hash).with("mynode.domain.com", 'production', 'child').returns nil - @searcher.expects(:name2hash).with("mynode", 'production', 'child').returns @result + @searcher.expects(:name2hash).with("mynode.domain.com").returns nil + @searcher.expects(:name2hash).with("mynode").returns @result Puppet::Node.expects(:new).with("mynode.domain.com").returns @node @searcher.find(@request) end it "should add any classes from ldap" do @result[:classes] = %w{a b c d} @node.expects(:classes=).with(%w{a b c d}) @searcher.find(@request) end it "should add all entry attributes as node parameters" do @result[:parameters] = {"one" => "two", "three" => "four"} @node.expects(:parameters=).with("one" => "two", "three" => "four") @searcher.find(@request) end it "should set the node's environment to the environment of the results" do @result[:environment] = "test" @node.expects(:environment=).with("test") @searcher.find(@request) end it "should retain false parameter values" do @result[:parameters] = {} @result[:parameters]["one"] = false @node.expects(:parameters=).with("one" => false) @searcher.find(@request) end it "should merge the node's facts after the parameters from ldap are assigned" do # Make sure we've got data to start with, so the parameters are actually set. @result[:parameters] = {} @result[:parameters]["one"] = "yay" # A hackish way to enforce order. set = false @node.expects(:parameters=).with { |*args| set = true } @node.expects(:fact_merge).with { |*args| raise "Facts were merged before parameters were set" unless set; true } @searcher.find(@request) end describe "and a parent node is specified" do before do @entry = {:classes => [], :parameters => {}} @parent = {:classes => [], :parameters => {}} @parent_parent = {:classes => [], :parameters => {}} - @searcher.stubs(:name2hash).with{|name, env, mode| name == @name}.returns(@entry) - @searcher.stubs(:name2hash).with{|name, env, mode| name == 'parent'}.returns(@parent) - @searcher.stubs(:name2hash).with{|name, env, mode| name == 'parent_parent'}.returns(@parent_parent) + @searcher.stubs(:name2hash).with(@name).returns(@entry) + @searcher.stubs(:name2hash).with('parent').returns(@parent) + @searcher.stubs(:name2hash).with('parent_parent').returns(@parent_parent) @searcher.stubs(:parent_attribute).returns(:parent) end it "should search for the parent node" do @entry[:parent] = "parent" + @searcher.expects(:name2hash).with(@name).returns @entry + @searcher.expects(:name2hash).with('parent').returns @parent @searcher.find(@request) end it "should fail if the parent cannot be found" do @entry[:parent] = "parent" - @searcher.expects(:name2hash).with('parent', 'production', 'parent').returns nil + @searcher.expects(:name2hash).with('parent').returns nil proc { @searcher.find(@request) }.should raise_error(Puppet::Error) end it "should add any parent classes to the node's classes" do @entry[:parent] = "parent" @entry[:classes] = %w{a b} @parent[:classes] = %w{c d} @node.expects(:classes=).with(%w{a b c d}) @searcher.find(@request) end it "should add any parent parameters to the node's parameters" do @entry[:parent] = "parent" @entry[:parameters]["one"] = "two" @parent[:parameters]["three"] = "four" @node.expects(:parameters=).with("one" => "two", "three" => "four") @searcher.find(@request) end it "should prefer node parameters over parent parameters" do @entry[:parent] = "parent" @entry[:parameters]["one"] = "two" @parent[:parameters]["one"] = "three" @node.expects(:parameters=).with("one" => "two") @searcher.find(@request) end it "should use the parent's environment if the node has none" do @entry[:parent] = "parent" @parent[:environment] = "parent" @node.stubs(:parameters=) @node.expects(:environment=).with("parent") @searcher.find(@request) end it "should prefer the node's environment to the parent's" do @entry[:parent] = "parent" @entry[:environment] = "child" @parent[:environment] = "parent" @node.stubs(:parameters=) @node.expects(:environment=).with("child") @searcher.find(@request) end it "should recursively look up parent information" do @entry[:parent] = "parent" @entry[:parameters]["one"] = "two" @parent[:parent] = "parent_parent" @parent[:parameters]["three"] = "four" @parent_parent[:parameters]["five"] = "six" @node.expects(:parameters=).with("one" => "two", "three" => "four", "five" => "six") @searcher.find(@request) end it "should not allow loops in parent declarations" do @entry[:parent] = "parent" @parent[:parent] = @name proc { @searcher.find(@request) }.should raise_error(ArgumentError) end end end end describe "when searching for multiple nodes" do before :each do @searcher = Puppet::Node::Ldap.new @options = {} @request = stub 'request', :key => "foo", :options => @options Puppet::Node::Facts.stubs(:terminus_class).returns :yaml end it "should find all nodes if no arguments are provided" do @searcher.expects(:ldapsearch).with("(objectclass=puppetClient)") # LAK:NOTE The search method requires an essentially bogus key. It's # an API problem that I don't really know how to fix. @searcher.search @request end describe "and a class is specified" do it "should find all nodes that are members of that class" do @searcher.expects(:ldapsearch).with("(&(objectclass=puppetClient)(puppetclass=one))") @options[:class] = "one" @searcher.search @request end end describe "multiple classes are specified" do it "should find all nodes that are members of all classes" do @searcher.expects(:ldapsearch).with("(&(objectclass=puppetClient)(puppetclass=one)(puppetclass=two))") @options[:class] = %w{one two} @searcher.search @request end end it "should process each found entry" do # .yields can't be used to yield multiple values :/ @searcher.expects(:ldapsearch).yields("one") @searcher.expects(:entry2hash).with("one",nil).returns(:name => "foo") @searcher.search @request end it "should return a node for each processed entry with the name from the entry" do @searcher.expects(:ldapsearch).yields("whatever") @searcher.expects(:entry2hash).with("whatever",nil).returns(:name => "foo") result = @searcher.search(@request) result[0].should be_instance_of(Puppet::Node) result[0].name.should == "foo" end it "should merge each node's facts" do node = mock 'node' Puppet::Node.expects(:new).with("foo").returns node node.expects(:fact_merge) @searcher.stubs(:ldapsearch).yields("one") @searcher.stubs(:entry2hash).with("one",nil).returns(:name => "foo") @searcher.search(@request) end it "should pass the request's fqdn option to entry2hash" do node = mock 'node' @options[:fqdn] = :hello Puppet::Node.stubs(:new).with("foo").returns node node.stubs(:fact_merge) @searcher.stubs(:ldapsearch).yields("one") @searcher.expects(:entry2hash).with("one",:hello).returns(:name => "foo") @searcher.search(@request) end end end describe Puppet::Node::Ldap, " when developing the search query" do before do @searcher = Puppet::Node::Ldap.new end it "should return the value of the :ldapclassattrs split on commas as the class attributes" do Puppet.stubs(:[]).with(:ldapclassattrs).returns("one,two") @searcher.class_attributes.should == %w{one two} end it "should return nil as the parent attribute if the :ldapparentattr is set to an empty string" do Puppet.stubs(:[]).with(:ldapparentattr).returns("") @searcher.parent_attribute.should be_nil end it "should return the value of the :ldapparentattr as the parent attribute" do Puppet.stubs(:[]).with(:ldapparentattr).returns("pere") @searcher.parent_attribute.should == "pere" end it "should use the value of the :ldapstring as the search filter" do Puppet.stubs(:[]).with(:ldapstring).returns("mystring") @searcher.search_filter("testing").should == "mystring" end it "should replace '%s' with the node name in the search filter if it is present" do Puppet.stubs(:[]).with(:ldapstring).returns("my%sstring") @searcher.search_filter("testing").should == "mytestingstring" end it "should not modify the global :ldapstring when replacing '%s' in the search filter" do filter = mock 'filter' filter.expects(:include?).with("%s").returns(true) filter.expects(:gsub).with("%s", "testing").returns("mynewstring") Puppet.stubs(:[]).with(:ldapstring).returns(filter) @searcher.search_filter("testing").should == "mynewstring" end end describe Puppet::Node::Ldap, " when deciding attributes to search for" do before do @searcher = Puppet::Node::Ldap.new end it "should use 'nil' if the :ldapattrs setting is 'all'" do Puppet.stubs(:[]).with(:ldapattrs).returns("all") @searcher.search_attributes.should be_nil end it "should split the value of :ldapattrs on commas and use the result as the attribute list" do Puppet.stubs(:[]).with(:ldapattrs).returns("one,two") @searcher.stubs(:class_attributes).returns([]) @searcher.stubs(:parent_attribute).returns(nil) @searcher.search_attributes.should == %w{one two} end it "should add the class attributes to the search attributes if not returning all attributes" do Puppet.stubs(:[]).with(:ldapattrs).returns("one,two") @searcher.stubs(:class_attributes).returns(%w{three four}) @searcher.stubs(:parent_attribute).returns(nil) # Sort them so i don't have to care about return order @searcher.search_attributes.sort.should == %w{one two three four}.sort end it "should add the parent attribute to the search attributes if not returning all attributes" do Puppet.stubs(:[]).with(:ldapattrs).returns("one,two") @searcher.stubs(:class_attributes).returns([]) @searcher.stubs(:parent_attribute).returns("parent") @searcher.search_attributes.sort.should == %w{one two parent}.sort end it "should not add nil parent attributes to the search attributes" do Puppet.stubs(:[]).with(:ldapattrs).returns("one,two") @searcher.stubs(:class_attributes).returns([]) @searcher.stubs(:parent_attribute).returns(nil) @searcher.search_attributes.should == %w{one two} end end