Class: Puppet::Network::RestAuthConfig

Inherits:
AuthConfig
Extended by:
MonitorMixin
Defined in:
lib/vendor/puppet/network/rest_authconfig.rb

Constant Summary

DEFAULT_ACL =
[
  { :acl => "~ ^\/catalog\/([^\/]+)$", :method => :find, :allow => '$1', :authenticated => true },
  { :acl => "~ ^\/node\/([^\/]+)$", :method => :find, :allow => '$1', :authenticated => true },
  # this one will allow all file access, and thus delegate
  # to fileserver.conf
  { :acl => "/file" },
  { :acl => "/certificate_revocation_list/ca", :method => :find, :authenticated => true },
  { :acl => "/report", :method => :save, :authenticated => true },
  # These allow `auth any`, because if you can do them anonymously you
  # should probably also be able to do them when trusted.
  { :acl => "/certificate/ca", :method => :find, :authenticated => :any },
  { :acl => "/certificate/", :method => :find, :authenticated => :any },
  { :acl => "/certificate_request", :method => [:find, :save], :authenticated => :any },
  { :acl => "/status", :method => [:find], :authenticated => true },
]

Instance Attribute Summary

Attributes inherited from Util::LoadedFile

#file, #statted, #tstamp

Class Method Summary

Instance Method Summary

Methods inherited from AuthConfig

#exists?, #read

Methods inherited from Util::LoadedFile

#changed?, #stamp, #to_s

Constructor Details

#initialize(file = nil, parsenow = true) ⇒ RestAuthConfig

Returns a new instance of RestAuthConfig.



# File 'lib/vendor/puppet/network/rest_authconfig.rb', line 55

# Loads the REST auth config, defaulting to the path in Puppet[:rest_authconfig].
#
# @param file [String, nil] path to auth.conf; nil selects Puppet[:rest_authconfig]
# @param parsenow [Boolean] passed straight through to AuthConfig#initialize
def initialize(file = nil, parsenow = true)
  config_path = file || Puppet[:rest_authconfig]
  super(config_path, parsenow)

  # When the file is absent nothing populated @rights, so start from an
  # empty Rights table that insert_default_acl can fill in later.
  @rights ||= Puppet::Network::Rights.new
end

Instance Attribute Details

#rights ⇒ Object

Returns the value of attribute rights.



# File 'lib/vendor/puppet/network/rest_authconfig.rb', line 7

# The rights table consulted by #check_authorization and populated by
# #mk_acl / #insert_default_acl.
#
# @return [Puppet::Network::Rights] the underlying ACL table
def rights
  @rights
end

Class Method Details

.main ⇒ Object



# File 'lib/vendor/puppet/network/rest_authconfig.rb', line 25

# Returns the shared config instance, creating it on first use.
#
# The whole create-and-seed step runs under MonitorMixin#synchronize (this
# class is extended by MonitorMixin) so two threads cannot both observe a nil
# @main and insert the defaults twice.
#
# @return [RestAuthConfig] the instance held in @main (presumably set by the
#   superclass's main — confirm in AuthConfig)
def self.main
  synchronize do
    first_load = @main.nil?
    super
    # Seed the built-in ACLs only on the very first load, and only when no
    # auth.conf exists on disk; an existing file is authoritative here.
    @main.insert_default_acl if first_load && !@main.exists?
  end
  @main
end

Instance Method Details

#allowed?(request) ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/vendor/puppet/network/rest_authconfig.rb', line 34

# Deprecated entry point kept for old callers: emits a deprecation warning
# and delegates to #check_authorization.
#
# NOTE(review): #check_authorization takes (indirection, method, key, params),
# but only +request+ is passed here, so as written this call raises
# ArgumentError after the warning — confirm whether any caller still reaches
# this path before relying on it.
#
# @param request [Object] the request to authorize
# @return whatever #check_authorization returns
def allowed?(request)
  Puppet.deprecation_warning "allowed? should not be called for REST authorization - use check_authorization instead"
  check_authorization(request)
end

#check_authorization(indirection, method, key, params) ⇒ Object

Check whether this request is allowed by our ACL; raises a Puppet::Network::AuthorizedError if the request is denied.



# File 'lib/vendor/puppet/network/rest_authconfig.rb', line 42

# Authorizes one REST request against the loaded rights, raising on denial.
#
# The request is passed as its parts rather than as a request object because
# the same deny logic is also reached from the XMLRPC side with a ClientRequest.
#
# @param indirection [String, Symbol] the indirection being accessed
# @param method [Symbol] the REST verb (:find, :save, ...)
# @param key [String] the key within the indirection
# @param params [Hash] request parameters
# @return [nil] when the request is permitted
# @raise the denial error returned by Rights#is_request_forbidden_and_why?
#   (presumably a Puppet::Network::AuthorizedError — confirm in Rights)
def check_authorization(indirection, method, key, params)
  # Refresh the rules from disk first (inherited; presumably a no-op unless the
  # file changed, per Util::LoadedFile#changed?) so a stale ACL is never used.
  read

  denial = @rights.is_request_forbidden_and_why?(indirection, method, key, params)
  return unless denial

  # Log every denial so an operator can see which rule rejected the client.
  Puppet.warning("Denying access: #{denial}")
  raise denial
end

#insert_default_acl ⇒ Object

Force the regular (default) ACLs to be present.



# File 'lib/vendor/puppet/network/rest_authconfig.rb', line 69

# Seeds every DEFAULT_ACL entry that auth.conf did not define, then adds a
# catch-all "/" right with no allow entries so unmatched paths are denied.
# Entries the file already defines are left untouched: the file wins.
#
# @return [nil] when "/" was already defined, otherwise the result of
#   Rights#restrict_authenticated
def insert_default_acl
  reason = if exists?
             "none were found in '#{@file}'"
           else
             "#{Puppet[:rest_authconfig]} doesn't exist"
           end

  DEFAULT_ACL.each do |acl|
    path = acl[:acl]
    next if rights[path]

    Puppet.info "Inserting default '#{path}' (auth #{acl[:authenticated]}) ACL because #{reason}"
    mk_acl(acl)
  end

  # Catch-all right for every other path. It is created with no allow entries,
  # so it denies. Not strictly required, since the rights system already denies
  # paths that were not explicitly allowed, but it makes deny-by-default visible.
  return if rights["/"]

  rights.newright("/")
  rights.restrict_authenticated("/", :any)
end

#mk_acl(acl) ⇒ Object



# File 'lib/vendor/puppet/network/rest_authconfig.rb', line 91

# Registers one ACL hash (in DEFAULT_ACL form) in @rights.
#
# @param acl [Hash] :acl path (required); optional :allow, :method
#   (symbol or array of symbols) and :authenticated (true / :any / nil)
# @return the result of the last Rights call made
def mk_acl(acl)
  path = acl[:acl]
  @rights.newright(path)
  # No :allow means the right is granted to "*"; for a path that was meant to
  # be restricted this is the permissive default, so callers must set :allow.
  @rights.allow(path, acl[:allow] || "*")

  if (verbs = acl[:method])
    Array(verbs).each { |verb| @rights.restrict_method(path, verb) }
  end
  # nil leaves the authentication requirement as Rights' own default.
  @rights.restrict_authenticated(path, acl[:authenticated]) unless acl[:authenticated].nil?
end

#parse ⇒ Object



# File 'lib/vendor/puppet/network/rest_authconfig.rb', line 63

# Parses auth.conf via the superclass, then merges in every DEFAULT_ACL entry
# the file left undefined (entries the file defines are kept as written).
#
# @return the result of #insert_default_acl
def parse
  super()
  insert_default_acl
end