From 233790ff547a4683b84d2b4a2884760955edc3d3 Mon Sep 17 00:00:00 2001
From: Ben Roberts
Date: Sun, 9 Nov 2014 13:26:20 +0000
Subject: [PATCH] Support multiple callerids in policy files

This patch adds support for multiple callerids in the policy files, just as the other fields (actions, facts, classes) can. Updated poliicy files look like this:
```
policy default deny
allow uid=500 uid=600 * * *
```
This is useful because it allows bulk granting of permissions when using mcollective::actionpolicy::rule from puppetlabs-mcollective:
```
$admin_users = ['foo','bar']
mcollective::actionpolicy { 'default': default => 'deny'; 'nrpe': default => 'deny'; }
mcollective::actionpolicy::rule { 'admins-allow-all': agent => 'default', callerid => join(prefix($admin_users, 'cert='), ' '); 'admins-allow-all-nrpe': agent => 'nrpe', callerid => join(prefix($admin_users, 'cert='), ' '); 'nrpe-nagios': agent => 'nrpe', callerid => 'cert=nagios'; }
```
This is especially helpful when there are large numbers of admin users being managed by puppet (say ~10) since any `mcollective::actionpolicy::rule` added for an agent prevents the default policy being used and so the admins have to be explicitly re-added for each agent, rapidly bloating the size of the manifest and causing massive duplication of code.
Backward compatibility change:
* Certificates with spaces in the filename (if even supported) would be broken by this change.
This commit also includes tests that verify both positive and negative lookups in a policy file with multiple callerids.
---
 spec/actionpolicy/actionpolicy_spec.rb | 14 ++++++++++++++
 spec/actionpolicy/fixtures/example16 | 3 +++
 util/actionpolicy.rb | 2 +-
 3 files changed, 18 insertions(+), 1 deletion(-)
 create mode 100644 spec/actionpolicy/fixtures/example16

diff --git a/spec/actionpolicy/actionpolicy_spec.rb b/spec/actionpolicy/actionpolicy_spec.rb
index 1de72db..1e22aba 100644
--- a/spec/actionpolicy/actionpolicy_spec.rb
+++ b/spec/actionpolicy/actionpolicy_spec.rb
@@ -343,6 +343,20 @@ module MCollective
 end
+
+ it 'should parse example16 correctly' do
+ # match uid in the list
+ request.stubs(:caller).returns('uid=600')
+ actionpolicy = ActionPolicy.new(request)
+ actionpolicy.parse_policy_file(File.join(@fixtures_dir, 'example16')).should be_true
+
+ # match uid not in the list
+ request.stubs(:caller).returns('uid=800')
+ actionpolicy = ActionPolicy.new(request)
+ expect{
+ actionpolicy.parse_policy_file(File.join(@fixtures_dir, 'example16'))
+ }.to raise_error RPCAborted
+ end
 end
 describe '#check_policy' do
diff --git a/spec/actionpolicy/fixtures/example16 b/spec/actionpolicy/fixtures/example16
new file mode 100644
index 0000000..a525846
--- /dev/null
+++ b/spec/actionpolicy/fixtures/example16
@@ -0,0 +1,3 @@
+policy default deny
+allow uid=500 uid=600 uid=700 * * *
+
diff --git a/util/actionpolicy.rb b/util/actionpolicy.rb
index 903595c..284d8d9 100644
--- a/util/actionpolicy.rb
+++ b/util/actionpolicy.rb
@@ -67,7 +67,7 @@ module MCollective
 def check_policy(rpccaller, actions, facts, classes)
 # If we have a wildcard caller or the caller matches our policy line
 # then continue else skip this policy line\
- if (rpccaller != '*') && (rpccaller != @caller)
+ if (rpccaller != '*') && (! rpccaller || ! rpccaller.split.include?(@caller))
 return false
 end
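Review bot: The new example16 test only pins one listed caller (`uid=600`) and one absent caller (`uid=800`); the cases the new list matching actually makes possible to get wrong are left untested — the first and last list entries (`uid=500`, `uid=700`), and a caller id that is a prefix of a listed one, which must still be denied and is exactly where a substring-style comparison would slip through. Adding `request.stubs(:caller).returns('uid=50')` as a second `raise_error RPCAborted` case, and `uid=700` as a second positive case, would cover both. As a point of style, the hunk mixes the older `.should be_true` form with the `expect { }` form on consecutive lines; `expect(actionpolicy.parse_policy_file(File.join(@fixtures_dir, 'example16'))).to be_true` keeps the new test consistent, and `expect {` wants a space before the brace. The `describe` block that encloses the new `it` starts outside the hunk.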
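Review bot: The two comment lines above the rewritten condition still describe a single-value comparison; now that the callerid field is split on whitespace they should say so, and should say that `*` is a wildcard only when it is the whole field, since a `*` inside a list is compared literally by `include?` and so never matches a real caller (fail-closed, but easy to misread when writing a policy). Suggested replacement for both comment lines: `# The callerid field is either '*' (any caller) or a whitespace-separated list of` / `# caller ids; skip this policy line unless the request's caller is one of them.` — which also drops the stray trailing backslash on the current second line. As a point of style, `! rpccaller || ! rpccaller.split.include?(@caller)` reads more naturally without the spaces after `!`, e.g. `!(rpccaller && rpccaller.split.include?(@caller))`, which is the same condition. Whether `rpccaller` can actually be nil here depends on the caller of check_policy, which is outside the hunk, as is the rest of the method body; if it cannot, the nil guard is dead code and the comment should not promise it. The policy-file documentation for the callerid field (not part of this patch) should be updated at the same time, since, as the commit message notes, a caller id containing whitespace can no longer match.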