Module: Puppet::Network::Authorization

Included in:
XMLRPCProcessor
Defined in:
lib/vendor/puppet/network/authorization.rb

Instance Method Summary

Instance Method Details

#authconfig ⇒ Object

Create our config object if necessary. This works even if there’s no configuration file.



# File 'lib/vendor/puppet/network/authorization.rb', line 12

# Lazily builds and memoizes the authorization configuration.
#
# The first call stores the result of Puppet::Network::AuthConfig.main in
# @authconfig; later calls return the stored value for as long as it is
# truthy, otherwise the lookup is repeated.
#
# @return [Object] the value returned by Puppet::Network::AuthConfig.main
def authconfig
  return @authconfig if @authconfig

  @authconfig = Puppet::Network::AuthConfig.main
end

#authorized?(request) ⇒ Boolean

Verify that our client has access. We allow untrusted access to puppetca methods but no others.



# File 'lib/vendor/puppet/network/authorization.rb', line 20

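# Decides whether the client behind +request+ may make the requested call.
#
# Decision table, as implemented below:
# * unauthenticated client: allowed only when request.handler is exactly
#   "puppetca"; every other handler is denied.
# * authenticated client, auth config exists: authconfig.allowed?(request)
#   decides.
# * authenticated client, no auth config: allowed only when
#   Puppet.run_mode.master? is true. With no configuration present, a master
#   therefore accepts every authenticated client for every handler.
#
# Every path returns a literal true or false. The previous version fell off
# the end of the unauthenticated "puppetca" branch, so its result there was
# whatever Puppet.notice returned; an access decision should not depend on a
# logger's return value.
#
# @param request [Object] must respond to authenticated?, handler, call and
#   to_s (to_s and call are only used for the log line)
# @return [Boolean] true when access is granted, false otherwise
def authorized?(request)
  # Read the authentication state once so the log text and the decision
  # cannot disagree.
  authenticated = request.authenticated?

  # NOTE(review): the log line embeds request.to_s and request.call verbatim;
  # if either can carry client-controlled text, confirm the log destination
  # neutralizes newlines and control characters.
  msg = "#{authenticated ? "authenticated" : "unauthenticated"} client #{request} access to #{request.call}"

  unless authenticated
    # The only unauthenticated surface is the "puppetca" handler; the match is
    # an exact string comparison. Both outcomes are logged at notice level.
    if request.handler == "puppetca"
      Puppet.notice "Allowing #{msg}"
      return true
    end

    Puppet.notice "Denying #{msg}"
    return false
  end

  permitted =
    if authconfig.exists?
      authconfig.allowed?(request)
    else
      # No auth config: fall back on the run mode (allow on a master only).
      Puppet.run_mode.master?
    end

  if permitted
    Puppet.debug "Allowing #{msg}"
    true
  else
    Puppet.notice "Denying #{msg}"
    false
  end
end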

#available?(request) ⇒ Boolean

Is this functionality available?



# File 'lib/vendor/puppet/network/authorization.rb', line 52

# Reports whether the handler named by the request is loaded.
#
# Delegates to handler_loaded?(request.handler). A request for a handler that
# is not loaded is logged at warning level, including the client's string form
# and the requested handler name.
#
# @param request [Object] must respond to handler and to_s
# @return [Boolean] true when the handler is loaded, false otherwise
def available?(request)
  return true if handler_loaded?(request.handler)

  Puppet.warning "Client #{request} requested unavailable functionality #{request.handler}"
  false
end

#verify(request) ⇒ Object

Make sure that this method is available and authorized.



# File 'lib/vendor/puppet/network/authorization.rb', line 62

# Gatekeeper for an incoming request: the handler must be available and the
# client must be authorized, checked in that order.
#
# NOTE(review): availability is tested before authorization, so the two error
# messages differ for loaded and unloaded handlers regardless of who is
# asking. Whether the message text reaches the client is not visible here;
# confirm before relying on it being internal-only.
#
# @param request [Object] must respond to handler, call and to_s
# @return [nil] when both checks pass
# @raise [InvalidClientRequest] when the handler is unavailable or the client
#   is not authorized
def verify(request)
  raise InvalidClientRequest.new("Functionality #{request.handler} not available") unless available?(request)
  return if authorized?(request)

  raise InvalidClientRequest.new("Host #{request} not authorized to call #{request.call}")
end