From 548547b2e41c8e2cf79b929405cf18aecbdedebc Mon Sep 17 00:00:00 2001
From: Jeff Darcy
Date: Tue, 6 Jan 2015 10:03:49 -0500
Subject: transport: fix default behavior for SSL authorization

Previously, enabling SSL authentication/encryption but not authorization required explicitly setting ssl-allow=*. Now that same behavior is the default (i.e. when ssl-allow is not set). Also, there's no reason that a name used for *login* auth (typically a UUID for internal purposes or a human name when using SSL) should validate as an RFC-compliant host name or IP address. Therefore the validation only occurs when the auth type is "addr" (not "login" or anything else).

Change-Id: I01485ff4f0ab37de4b182858235a5fb0cf4c3c7d
BUG: 1179208
Signed-off-by: Jeff Darcy
Reviewed-on: http://review.gluster.org/9397
Reviewed-by: Krishnan Parthasarathi
Tested-by: Gluster Build System
Reviewed-by: Vijay Bellur
---
 tests/features/ssl-authz.t | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)
(limited to 'tests')

diff --git a/tests/features/ssl-authz.t b/tests/features/ssl-authz.t
index efaa47c6d40..67d72e8f136 100755
--- a/tests/features/ssl-authz.t
+++ b/tests/features/ssl-authz.t
@@ -49,10 +49,31 @@ TEST $CLI volume create $V0 $H0:$B0/1
 TEST $CLI volume set $V0 server.ssl on
 TEST $CLI volume set $V0 client.ssl on
 #EST $CLI volume set $V0 ssl.cipher-list $(valid_ciphers)
+TEST $CLI volume start $V0
+
+# This mount should SUCCEED because ssl-allow=* by default. This effectively
+# disables SSL authorization, though authentication and encryption might still
+# be enabled.
+TEST glusterfs --volfile-server=$H0 --volfile-id=$V0 $M0
+TEST ping_file $M0/before
+EXPECT_WITHIN $UMOUNT_TIMEOUT "Y" force_umount $M0
+
+# Set ssl-allow to a wildcard that includes our identity.
+TEST $CLI volume stop $V0
+TEST $CLI volume set $V0 auth.ssl-allow Any*
+TEST $CLI volume start $V0
+
+# This mount should SUCCEED because we match the wildcard.
+TEST glusterfs --volfile-server=$H0 --volfile-id=$V0 $M0
+TEST ping_file $M0/before
+EXPECT_WITHIN $UMOUNT_TIMEOUT "Y" force_umount $M0
+
+# Set ssl-allow to include the identity we've created.
+TEST $CLI volume stop $V0
 TEST $CLI volume set $V0 auth.ssl-allow Anyone
 TEST $CLI volume start $V0
 
-# This mount should WORK.
+# This mount should SUCCEED because this specific identity is allowed.
 TEST glusterfs --volfile-server=$H0 --volfile-id=$V0 $M0
 TEST ping_file $M0/before
 EXPECT_WITHIN $UMOUNT_TIMEOUT "Y" force_umount $M0
-- 
cgit
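Review bot: The wildcard in the added `TEST $CLI volume set $V0 auth.ssl-allow Any*` is unquoted, so the shell applies pathname expansion before the CLI sees it. If the working directory holds any file whose name starts with `Any`, the option is set to that file name instead of the pattern, and the test then checks something other than wildcard matching. Quoting it keeps the pattern literal: `TEST $CLI volume set $V0 auth.ssl-allow 'Any*'`. Separately, the three cases added here are all expected to succeed, and the first succeeds because authorization is effectively off by default. On their own they cannot distinguish a working wildcard match from an allow-all fallback, so a case with a pattern that does not match the test identity and is expected to fail the mount would close that gap, unless one already exists in the part of the file outside this hunk.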