Class: Puppet::Network::RestAuthConfig

Inherits:
AuthConfig show all
Extended by:
MonitorMixin
Defined in:
lib/puppet/network/rest_authconfig.rb

Constant Summary collapse

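# Built-in ACL entries used when no rest_authconfig file exists (see .main and
# #insert_default_acl).  Each entry is a Hash consumed by #mk_acl:
#   :acl           path or "~ regex" string the right applies to (required)
#   :method        a symbol or array of symbols the right is restricted to
#   :allow         who is allowed; #mk_acl defaults this to "*"
#   :authenticated true/false; absent means no authentication restriction
# #insert_default_acl only adds an entry when no right for its :acl exists yet,
# so a parsed file always wins over these defaults.
# Frozen so nothing can mutate the shared default table at runtime.
DEFAULT_ACL =
[
  # Per-node catalog access: the regex captures the node name from the path and
  # '$1' presumably refers to that capture, so a node can only fetch its own
  # catalog — confirm against Puppet::Network::Rights.
  { :acl => "~ ^\/catalog\/([^\/]+)$", :method => :find, :allow => '$1', :authenticated => true },
  # this one will allow all file access, and thus delegate
  # to fileserver.conf
  { :acl => "/file" },
  { :acl => "/certificate_revocation_list/ca", :method => :find, :authenticated => true },
  { :acl => "/report", :method => :save, :authenticated => true },
  # Certificate retrieval and CSR submission are deliberately unauthenticated:
  # a new agent has no certificate yet when it needs these.
  { :acl => "/certificate/ca", :method => :find, :authenticated => false },
  { :acl => "/certificate/", :method => :find, :authenticated => false },
  { :acl => "/certificate_request", :method => [:find, :save], :authenticated => false },
  { :acl => "/status", :method => [:find], :authenticated => true },
].freeze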

Instance Attribute Summary collapse

Attributes inherited from Util::LoadedFile

#file, #statted, #tstamp

Class Method Summary collapse

Instance Method Summary collapse

Methods inherited from AuthConfig

#exists?, #read

Methods inherited from Util::LoadedFile

#changed?, #stamp, #to_s

Constructor Details

#initialize(file = nil, parsenow = true) ⇒ RestAuthConfig

Returns a new instance of RestAuthConfig.



# File 'lib/puppet/network/rest_authconfig.rb', line 47

# Build the REST auth config, defaulting the file to Puppet[:rest_authconfig]
# when none is given, and let the parent (AuthConfig) load it.
#
# If the parent did not set up @rights (per the original author: the file
# does not exist), start from an empty Rights table so that the default ACLs
# can be inserted later.
#
# @param file [String, nil] path of the auth config file
# @param parsenow [Boolean] passed through to the parent constructor
def initialize(file = nil, parsenow = true)
  config_path = file || Puppet[:rest_authconfig]
  super(config_path, parsenow)

  @rights ||= Puppet::Network::Rights.new
end

Instance Attribute Details

#rightsObject

Returns the value of attribute rights.



# File 'lib/puppet/network/rest_authconfig.rb', line 7

# The Rights table backing this config (populated from the parsed file and/or
# the default ACLs).
#
# @return [Puppet::Network::Rights]
def rights; @rights; end

Class Method Details

.mainObject



# File 'lib/puppet/network/rest_authconfig.rb', line 22

# Return the shared config instance, creating it via the parent class on first
# use.  When this call is the one that creates it and the config file does not
# exist, the default ACLs are inserted so the server is not left with an empty
# rights table.
#
# The creation is serialised with MonitorMixin#synchronize (the class is
# extended by MonitorMixin) so concurrent first callers cannot insert the
# defaults twice.
#
# @return [RestAuthConfig] the shared instance
def self.main
  synchronize do
    first_creation = @main.nil?
    super
    @main.insert_default_acl if first_creation && !@main.exists?
  end
  @main
end

Instance Method Details

#allowed?(request) ⇒ Boolean

Check whether this request is allowed by our ACL; raise a Puppet::Network::AuthorizedError if the request is denied.

Returns:

  • (Boolean)


# File 'lib/puppet/network/rest_authconfig.rb', line 34

# Authorize +request+ against the loaded rights.
#
# +read+ (inherited from AuthConfig) is called first — presumably so a changed
# file on disk is picked up before the decision is made; confirm in AuthConfig.
#
# Despite the name this does NOT return true on success: when the request is
# permitted the method returns nil.  Callers must rely on the exception being
# raised, not on the truthiness of the result.
#
# @param request [Object] the request to authorize
# @return [nil] when the request is allowed
# @raise [Exception] the denial object returned by
#   Rights#is_request_forbidden_and_why?, after logging it at warning level
def allowed?(request)
  read

  denial = @rights.is_request_forbidden_and_why?(request)
  return unless denial

  Puppet.warning("Denying access: #{denial}")
  raise denial
end

#insert_default_aclObject

Force the regular (default) ACLs to be present.



# File 'lib/puppet/network/rest_authconfig.rb', line 61

# Ensure a right exists for every DEFAULT_ACL entry, then add a "/" right as a
# catch-all.  Rights already present (e.g. parsed from the file) are never
# touched: an entry is only inserted when rights[acl[:acl]] is absent, so a
# file that explicitly configures a path overrides the default for it.
def insert_default_acl
  DEFAULT_ACL.each do |acl|
    path = acl[:acl]
    next if rights[path]

    kind = acl[:authenticated] ? "auth" : "non-auth"
    reason = exists? ? "none were found in '#{@file}'" : "#{Puppet[:rest_authconfig]} doesn't exist"
    Puppet.info "Inserting default '#{path}'(#{kind}) ACL because #{reason}"
    mk_acl(acl)
  end

  # Catch-all for every other path, described by the original author as an
  # empty (deny-all) right.  Not strictly necessary, since the rights system
  # already denies paths that are not explicitly allowed, but it makes the
  # default-deny visible in the table.
  return if rights["/"]

  rights.newright("/")
  rights.restrict_authenticated("/", :any)
end

#mk_acl(acl) ⇒ Object



# File 'lib/puppet/network/rest_authconfig.rb', line 77

# Register one ACL entry (DEFAULT_ACL shape) in @rights.
#
# @param acl [Hash] with keys
#   :acl           path or regex string for the right (required)
#   :allow         allowed principals; defaults to "*" (everyone) when absent
#   :method        a symbol or an array of symbols to restrict the right to
#   :authenticated true/false; no restriction is applied when the key is nil
def mk_acl(acl)
  path = acl[:acl]
  @rights.newright(path)
  # Absent :allow means the right is open to "*".
  @rights.allow(path, acl[:allow] || "*")

  methods = acl[:method]
  if methods
    methods = [methods] unless methods.is_a?(Array)
    methods.each { |m| @rights.restrict_method(path, m) }
  end
  @rights.restrict_authenticated(path, acl[:authenticated]) unless acl[:authenticated].nil?
end

#parseObject



# File 'lib/puppet/network/rest_authconfig.rb', line 55

# Parse the auth config file via the parent class, then make sure the default
# ACLs are present for any path the file did not configure.
def parse
  super()
  insert_default_acl
end