Add support for puppetdb behind basic auth

Andrew · Andrew · commit 7e384783550b · 2017-11-13T14:59:15.000-06:00
We have a moderately unique puppet setup (though remarkably close to
github's setup, in some ways). We run puppetdb behind a proxy that is
secured with basic auth (and we will eventually be submitting patches
upstream to puppet). This commit allows octocatalog-diff to parse basic
auth username, and password from a URL.
diff --git a/lib/octocatalog-diff/puppetdb.rb b/lib/octocatalog-diff/puppetdb.rb
@@ -108,6 +108,9 @@ def _get(path)
 
         begin
           more_options = { headers: { 'Accept' => 'application/json' }, timeout: @timeout }
+          if connection[:username] || connection[:password]
+            more_options[:basic_auth] = { username: connection[:username], password: connection[:password] }
+          end
           response = OctocatalogDiff::Util::HTTParty.get(complete_url, @options.merge(more_options), 'puppetdb')
 
           # Handle all non-200's from PuppetDB
@@ -153,7 +156,13 @@ def parse_url(url)
       end
 
       raise ArgumentError, "URL #{url} has invalid scheme" unless uri.scheme =~ /^https?$/
-      { ssl: uri.scheme == 'https', host: uri.host, port: uri.port }
+      parsed_url = { ssl: uri.scheme == 'https', host: uri.host, port: uri.port }
+      if uri.user || uri.password
+        parsed_url[:username] = uri.user
+        parsed_url[:password] = uri.password
+      end
+
+      parsed_url
     rescue URI::InvalidURIError => exc
       raise exc.class, "Invalid URL: #{url} (#{exc.message})"
     end
diff --git a/spec/octocatalog-diff/tests/puppetdb_spec.rb b/spec/octocatalog-diff/tests/puppetdb_spec.rb
@@ -25,6 +25,24 @@ def ssl_test(server_opts, opts = {})
   test_server.stop
 end
 
+def basic_auth_test(server_opts, opts = {})
+  server_opts[:rsa_key] ||= File.read(OctocatalogDiff::Spec.fixture_path('ssl/generated/server.key'))
+  server_opts[:cert] ||= File.read(OctocatalogDiff::Spec.fixture_path('ssl/generated/server.crt'))
+  server_opts[:require_header] ||= {}
+  server_opts[:require_header]['Authorization'] = 'Basic dXNlcm5hbWU6cGFzc3dvcmQ=' # username:password
+  test_server = nil
+  3.times do
+    test_server = SSLTestServer.new(server_opts)
+    test_server.start
+    break if test_server.port > 0
+  end
+  raise OctocatalogDiff::Spec::FixtureError, 'Unable to instantiate SSLTestServer' unless test_server.port > 0
+  testobj = OctocatalogDiff::PuppetDB.new(opts.merge(puppetdb_url: "https://username:password@localhost:#{test_server.port}"))
+  return testobj.get('/foo')
+ensure
+  test_server.stop
+end
+
 describe OctocatalogDiff::PuppetDB do
   # Test constructor's ability to create @connections
   describe '#initialize' do
@@ -272,6 +290,53 @@ def ssl_test(server_opts, opts = {})
         expect { testobj.send(:parse_url, test_url) }.to raise_error(URI::InvalidURIError)
       end
     end
+
+    context 'basic auth' do
+      it 'should detect a username:password combination' do
+        test_url = 'https://username:password@foo.bar.host:8090'
+        testobj = OctocatalogDiff::PuppetDB.new
+        result = testobj.send(:parse_url, test_url)
+        expect(result[:username]).to eq('username')
+        expect(result[:password]).to eq('password')
+      end
+
+      it 'should allow usernames without passwords' do
+        test_url = 'https://username:@foo.bar.host:8090'
+        testobj = OctocatalogDiff::PuppetDB.new
+        result = testobj.send(:parse_url, test_url)
+        expect(result[:username]).to eq('username')
+        expect(result[:password]).to eq('')
+      end
+
+      it 'should allow passwords without usernames' do
+        test_url = 'https://:password@foo.bar.host:8090'
+        testobj = OctocatalogDiff::PuppetDB.new
+        result = testobj.send(:parse_url, test_url)
+        expect(result[:username]).to eq('')
+        expect(result[:password]).to eq('password')
+      end
+
+      it 'should not parse a username or password when none are provided' do
+        test_url = 'https://foo.bar.host:8090'
+        testobj = OctocatalogDiff::PuppetDB.new
+        result = testobj.send(:parse_url, test_url)
+        expect(result[:username]).to eq(nil)
+        expect(result[:password]).to eq(nil)
+      end
+    end
+  end
+
+  context 'basic auth connection options' do
+    context 'with basic auth on' do
+      let(:server_opts) { {} }
+      let(:client_opts) { {} }
+      describe '#get' do
+        it 'should not fail with basic auth on' do
+          result = basic_auth_test(server_opts, client_opts)
+          expect(result.key?('success')).to eq(true)
+        end
+      end
+    end
   end
 
   context 'puppetdb ssl connection options' do
