(SIMP-10739) Fix auth issues #91
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The secrets file for an rsync module must be owned by the same user that the daemon is running as, but was owned by the user and group that the rsync module was using for file ownership. This fixes that. Additionally, if auth_users or user_pass variables were not Undef but just empty, as would be expected if an iterable they were meant to be based on had been handled incorrectly by accident, the result was an entirely anonymous rsync module rather than an rsync module with no allowed users. In addition, if user_pass parameter was given, a secrets file would be generated with valid contents, but the rsync module would not contain an auth users list or any reference to the secrets file, resulting in an anonymous-access rsync module if only one of the two available means of passing authentication data (but not both) was given. In this case the auth_users array was entirely ignored, meaning that it was impossible to pass a mix of users with generated passwords and users with specified passwords. The auth_users param can now be either an Array of allowed users (with all passwords generated by simplib::passgen()) or a Hash of allowed user keys to their password values, and any passwords that are empty or undef will be generated using simplib::passgen(). This paves the way for entirely doing away with the user_pass array and using only one clear paramter for all user specification. Unit test coverage has also been significantly expanded.
Updated the acceptance tests (which I cannot run, so gosh I hope they work) to use the newer convention for user/password specification.
greatflyingsteve
force-pushed
the
SIMP-10739-fix-auth-issues
branch
from
da61868 to
b5b4b43
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The secrets file for an rsync module must be owned by the same user that the daemon is running as, but was owned by the user and group that the rsync module was using for file ownership. This fixes that.
Additionally, if auth_users or user_pass variables were not
Undefbut just empty, as would be expected if an iterable they were meant to be based on had been handled incorrectly by accident, the result was an entirely anonymous rsync module rather than an rsync module with no allowed users. In addition, if the user_pass parameter was given, a secrets file would be generated with valid contents, but the rsync module would not contain an auth users list or any reference to the secrets file, resulting in an anonymous-access rsync module if only one of the two available means of passing authentication data (but not both) was given. In this case the auth_users array was entirely ignored, meaning that it was impossible to pass a mix of users with generated passwords and users with specified passwords.The auth_users param can now be either an Array of allowed users (with all passwords generated by simplib::passgen()) or a Hash of allowed user keys to their password values, and any passwords that are empty or undef will be generated using simplib::passgen(). This paves the way for entirely doing away with the user_pass array and using only one clear paramter for all user specification. Unit test coverage has also been significantly expanded, including tests for secrets file ownership when the section had a non-root uid/gid.
These changes have been validated by live tests on my own hardware. Hopefully the acceptance tests also work.
SIMP-10739 #close