Class: Puppet::Network::RestAuthConfig
- Inherits:
-
AuthConfig
- Object
- Util::LoadedFile
- AuthConfig
- Puppet::Network::RestAuthConfig
- Extended by:
- MonitorMixin
- Defined in:
- lib/vendor/puppet/network/rest_authconfig.rb
Constant Summary collapse
# Built-in REST ACL table. Each entry is a hash read by #mk_acl:
#   :acl           - name of the right: a path prefix, or "~ <regex>"
#   :method        - indirection method(s) the right is restricted to (optional)
#   :allow         - allow pattern; #mk_acl falls back to "*" when it is absent
#   :authenticated - passed to restrict_authenticated; no restriction is
#                    applied when the key is absent
#
# NOTE(review): the regex entries anchor with ^ and $, which are per-line
# anchors in Ruby regexps (\A and \z anchor the whole string). Whether that
# matters depends on how Puppet::Network::Rights compiles the pattern and on
# whether a request key can contain a newline - confirm before relying on
# the '$1' name match.
DEFAULT_ACL = [
  # '$1' is presumably replaced by the Rights layer with the captured name,
  # so a client can only find the catalog that carries its own name -
  # confirm against Puppet::Network::Rights.
  {
    :acl           => "~ ^\/catalog\/([^\/]+)$",
    :method        => :find,
    :allow         => '$1',
    :authenticated => true
  },
  # Same name-bound rule for node objects.
  {
    :acl           => "~ ^\/node\/([^\/]+)$",
    :method        => :find,
    :allow         => '$1',
    :authenticated => true
  },
  # this one will allow all file access, and thus delegate
  # to fileserver.conf (no method or authentication restriction here)
  { :acl => "/file" },
  {
    :acl           => "/certificate_revocation_list/ca",
    :method        => :find,
    :authenticated => true
  },
  {
    :acl           => "/report",
    :method        => :save,
    :authenticated => true
  },
  # These allow `auth any`, because if you can do them anonymously you
  # should probably also be able to do them when trusted.
  {
    :acl           => "/certificate/ca",
    :method        => :find,
    :authenticated => :any
  },
  {
    :acl           => "/certificate/",
    :method        => :find,
    :authenticated => :any
  },
  {
    :acl           => "/certificate_request",
    :method        => [:find, :save],
    :authenticated => :any
  },
  {
    :acl           => "/status",
    :method        => [:find],
    :authenticated => true
  },
]
Instance Attribute Summary collapse
-
#rights ⇒ Object
Returns the value of attribute rights.
Attributes inherited from Util::LoadedFile
Class Method Summary collapse
Instance Method Summary collapse
- #allowed?(request) ⇒ Boolean
-
#check_authorization(indirection, method, key, params) ⇒ Object
Check whether this request is allowed in our ACL; raise a Puppet::Network::AuthorizedError if the request is denied.
-
#initialize(file = nil, parsenow = true) ⇒ RestAuthConfig
constructor
A new instance of RestAuthConfig.
-
#insert_default_acl ⇒ Object
force regular ACLs to be present.
- #mk_acl(acl) ⇒ Object
- #parse ⇒ Object
Methods inherited from AuthConfig
Methods inherited from Util::LoadedFile
Constructor Details
#initialize(file = nil, parsenow = true) ⇒ RestAuthConfig
Returns a new instance of RestAuthConfig.
# File 'lib/vendor/puppet/network/rest_authconfig.rb', line 55
# Builds the REST auth configuration object.
#
# @param file [String, nil] path of the auth file; Puppet[:rest_authconfig]
#   is used when no path is given
# @param parsenow [Boolean] forwarded unchanged to the parent constructor
def initialize(file = nil, parsenow = true)
  config_path = file || Puppet[:rest_authconfig]
  super(config_path, parsenow)

  # The parent constructor can leave @rights unset (the original comment
  # cites a missing file). Start from an empty rights set in that case so
  # the default ACLs can still be created.
  @rights = Puppet::Network::Rights.new unless @rights
end
Instance Attribute Details
#rights ⇒ Object
Returns the value of attribute rights.
# File 'lib/vendor/puppet/network/rest_authconfig.rb', line 7
# Reader for the rights set held by this configuration.
#
# The live object is returned, not a copy: the other methods on this page
# call newright / restrict_authenticated on it, so anything holding the
# return value can change the effective ACLs.
#
# @return [Object] the value of @rights
def rights
  @rights
end
Class Method Details
.main ⇒ Object
# File 'lib/vendor/puppet/network/rest_authconfig.rb', line 25
# Returns the shared configuration instance (@main), building it through the
# parent implementation.
#
# The whole sequence runs inside `synchronize` (the class extends
# MonitorMixin), so the "was @main unset?" test and the insertion of the
# defaults are not interleaved between threads.
#
# @return [Object] the value of @main after the parent call
def self.main
  synchronize do
    # Remember whether this call is the one that creates the instance.
    first_build = @main.nil?
    super
    if first_build
      # Only when no auth file exists are the built-in ACLs inserted here;
      # #parse inserts them on the file-backed path.
      @main.insert_default_acl unless @main.exists?
    end
  end
  @main
end
Instance Method Details
#allowed?(request) ⇒ Boolean
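# File 'lib/vendor/puppet/network/rest_authconfig.rb', line 34
# Deprecated entry point: emits a deprecation warning, then hands the request
# to check_authorization.
#
# NOTE(review): this rendering of the listing had lost the callee name and
# showed a bare `(request)`, which would simply return the request object.
# check_authorization is restored here because the deprecation message names
# it - confirm against the source file.
#
# NOTE(review): check_authorization as listed on this page takes four
# parameters, so this one-argument call would raise ArgumentError instead of
# producing an allow/deny answer. It also reports denial by raising and
# returns nil otherwise, so the return value of this predicate must not be
# used as the authorization decision.
#
# @param request [Object] passed unchanged to check_authorization
# @return [Object] whatever check_authorization returns
def allowed?(request)
  Puppet.deprecation_warning "allowed? should not be called for REST authorization - use check_authorization instead"
  check_authorization(request)
end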
#check_authorization(indirection, method, key, params) ⇒ Object
Check whether this request is allowed in our ACL; raise a Puppet::Network::AuthorizedError if the request is denied.
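# File 'lib/vendor/puppet/network/rest_authconfig.rb', line 42
# Checks a request against the loaded rights and raises when it is denied.
#
# NOTE(review): this rendering of the listing had lost the method name and
# the name of the local variable. The method name is restored from the page's
# "#check_authorization(indirection, method, key, params)" heading; the local
# is named here for readability - confirm against the source file.
#
# Denial is signalled only by raising. On the allow path the method returns
# nil, so callers must not treat the return value as a boolean decision.
#
# @param indirection [Object] passed unchanged to the rights check
# @param method [Object] passed unchanged to the rights check
# @param key [Object] passed unchanged to the rights check
# @param params [Object] passed unchanged to the rights check
# @return [nil] when the rights check reports nothing
# @raise the object returned by @rights.is_request_forbidden_and_why?
def check_authorization(indirection, method, key, params)
  # `read` is defined outside this listing; presumably it (re)loads the auth
  # file so the check runs against the current rules - confirm.
  read

  # we're splitting the request in part because
  # fail_on_deny could as well be called in the XMLRPC context
  # with a ClientRequest.
  denial = @rights.is_request_forbidden_and_why?(indirection, method, key, params)
  return unless denial

  # The warning is the only trace of a denial that this method leaves.
  Puppet.warning("Denying access: #{denial}")
  raise denial
end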
#insert_default_acl ⇒ Object
force regular ACLs to be present
# File 'lib/vendor/puppet/network/rest_authconfig.rb', line 69
# Makes sure every entry of DEFAULT_ACL, plus a catch-all "/" right, exists
# in the rights set.
#
# A default is added only when no right with exactly the same name is
# already present, so an entry with that name from the auth file replaces
# the built-in one instead of being merged with it.
#
# @return [Object, nil] nil when "/" already exists, otherwise the result of
#   the final restrict_authenticated call
def insert_default_acl
  # Only used in the info message below.
  reason = exists? ? "none were found in '#{@file}'" : "#{Puppet[:rest_authconfig]} doesn't exist"

  DEFAULT_ACL.each do |acl|
    next if rights[acl[:acl]]

    Puppet.info "Inserting default '#{acl[:acl]}' (auth #{acl[:authenticated]}) ACL because #{reason}"
    mk_acl(acl)
  end

  # Queue an empty (i.e. deny all) right for every other path: "/" is
  # created with no allow rule. The original comment notes this is not
  # strictly necessary, because the rights system denies paths that are not
  # explicitly allowed.
  return if rights["/"]

  rights.newright("/")
  rights.restrict_authenticated("/", :any)
end
#mk_acl(acl) ⇒ Object
# File 'lib/vendor/puppet/network/rest_authconfig.rb', line 91
# Registers one ACL entry (a hash shaped like the DEFAULT_ACL entries) in
# @rights.
#
# @param acl [Hash] reads :acl, :allow, :method and :authenticated
# @return [Object, nil] nil when :authenticated is nil, otherwise the result
#   of restrict_authenticated
def mk_acl(acl)
  path = acl[:acl]
  @rights.newright(path)
  # An entry without :allow is opened to "*"; any narrowing then comes only
  # from the method and authentication restrictions below.
  @rights.allow(path, acl[:allow] || "*")

  verbs = acl[:method]
  if verbs
    # A single method and a list of methods are both accepted.
    verbs = [verbs] unless verbs.is_a?(Array)
    verbs.each { |verb| @rights.restrict_method(path, verb) }
  end

  # No authentication restriction is applied when the key is missing or nil.
  auth = acl[:authenticated]
  @rights.restrict_authenticated(path, auth) unless auth.nil?
end
#parse ⇒ Object
# File 'lib/vendor/puppet/network/rest_authconfig.rb', line 63
# Runs the parent parser, then fills in the built-in ACLs.
#
# The defaults are inserted after the parent parse, and insert_default_acl
# skips names that already exist, so rights produced by the parent parse are
# kept as they are.
#
# @return [Object, nil] the return value of insert_default_acl
def parse
  # Explicit empty parentheses: the parent is called with no arguments.
  super()
  insert_default_acl
end