Class: Puppet::Network::Rights::Right

Inherits:
AuthStore
Includes:
FileCollection::Lookup
Defined in:
lib/puppet/network/rights.rb

Overview

A right.

Constant Summary

ALL =
[:save, :destroy, :find, :search]

Instance Attribute Summary

Attributes included from FileCollection::Lookup

#file_index, #line

Instance Method Summary

Methods included from FileCollection::Lookup

#file, #file=, #file_collection

Methods inherited from AuthStore

#allow, #deny, #empty?, #globalallow?, #interpolate, #reset_interpolation

Methods included from Util::Logging

#send_log

Constructor Details

#initialize(name, line, file) ⇒ Right

Returns a new instance of Right.



# File 'lib/puppet/network/rights.rb', line 148

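# Build a right from a name as written in auth.conf.
#
# The form of +name+ decides the ACL type:
# * a Symbol, or a String of the form "[name]", is a namespace right (:name)
# * a String starting with "/" is a path right: a regex anchored at the start
#   of the key and allowing every method in ALL
# * a String starting with "~" is a raw regular expression (the "~" and
#   following whitespace are stripped from the stored name)
#
# @param name [Symbol, String] the ACL subject
# @param line [Integer, nil] source line of the declaration (nil becomes 0)
# @param file [String] source file of the declaration
# @raise [ArgumentError] when name matches none of the forms above
def initialize(name, line, file)
  @methods = []
  @environment = []
  @authentication = true # defaults to authenticated
  @name = name
  @line = line || 0
  @file = file

  case name
  when Symbol
    @acl_type = :name
    @key = name
  when /^\[(.+)\]$/
    @acl_type = :name
    @key = Regexp.last_match(1).intern if name.is_a?(String)
  when /^\//
    @acl_type = :regex
    # Anchor with \A rather than ^: ^ also matches right after an embedded
    # newline, so a key containing "\n" could satisfy the prefix test past
    # the newline instead of only at the very start of the key.
    @key = Regexp.new("\\A" + Regexp.escape(name))
    @methods = ALL
  when /^~/ # this is a regex
    @acl_type = :regex
    @name = name.gsub(/^~\s+/,'')
    @key = Regexp.new(@name)
    @methods = ALL
  else
    raise ArgumentError, "Unknown right type '#{name}'"
  end
  super()
end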

Instance Attribute Details

#acl_type ⇒ Object

Returns the value of attribute acl_type.



# File 'lib/puppet/network/rights.rb', line 141

# @return [Symbol, nil] :name for namespace rights, :regex for path and
#   regex rights (assigned by the constructor)
def acl_type; @acl_type; end

#authentication ⇒ Object

Returns the value of attribute authentication.



# File 'lib/puppet/network/rights.rb', line 142

# @return [Boolean, nil] true (the default) or false to require that state,
#   nil when any authentication state is accepted; see #restrict_authenticated
def authentication; @authentication; end

#environment ⇒ Object

Returns the value of attribute environment.



# File 'lib/puppet/network/rights.rb', line 142

# @return [Array] the environments this right is limited to (empty means
#   no environment restriction); grown by #restrict_environment
def environment; @environment; end

#key ⇒ Object

Returns the value of attribute key.



# File 'lib/puppet/network/rights.rb', line 141

# @return [Symbol, Regexp] the comparison key: a Symbol for namespace rights,
#   a Regexp for path and regex rights
def key; @key; end

#methods ⇒ Object

Returns the value of attribute methods.



# File 'lib/puppet/network/rights.rb', line 142

# @return [Array<Symbol>] the access methods this right applies to; path and
#   regex rights start with ALL, #restrict_method narrows the list
def methods; @methods; end

#name ⇒ Object

Returns the value of attribute name.



# File 'lib/puppet/network/rights.rb', line 141

# @return [String, Symbol] the right's name as declared, with the leading "~"
#   already stripped for regex rights
def name; @name; end

Instance Method Details

#<=>(rhs) ⇒ Object

This is where all the magic happens: we sort the rights array with this scheme:

* namespace rights are all in front
* regex path rights are then all queued in file order


# File 'lib/puppet/network/rights.rb', line 264

# Ordering used when the rights list is sorted: namespace (:name) rights come
# before regex rights, and two rights of the same kind compare as equal so
# that their relative (file) order is meant to be left alone.
#
# NOTE(review): the "equal" answer only preserves file order if the caller's
# sort is stable; MRI's Array#sort is not guaranteed to be — confirm how the
# caller sorts before relying on this.
#
# @param rhs [Right] the right to compare against
# @return [Integer] -1, 0 or 1
def <=>(rhs)
  return 0 if acl_type == rhs.acl_type

  acl_type == :name ? -1 : 1
end

#==(name) ⇒ Object



# File 'lib/puppet/network/rights.rb', line 274

# Equality against a raw right name as written in auth.conf: namespace rights
# compare their key with the name converted by #namespace_to_key; other
# rights compare their name with the argument once a leading "~" and the
# following whitespace are stripped.
#
# @param name [String, Symbol] the declared name to compare with
# @return [Boolean]
def ==(name)
  if acl_type == :name
    key == namespace_to_key(name)
  else
    self.name == name.gsub(/^~\s+/,'')
  end
end

#allowed?(name, ip, args = {}) ⇒ Boolean

Is this right allowed for this triplet? If this right is too restrictive (i.e. we don't match this access method), return :dunno so that upper layers have a chance to try another right tailored to the given method.

Returns:

  • (Boolean)


# File 'lib/puppet/network/rights.rb', line 195

# Answer whether this right grants access to (name, ip) for the given args.
#
# The method, environment and authentication restrictions are only consulted
# for regex rights. When one of them does not match, :dunno is returned
# rather than false so that a later, more specific right can still decide.
# The final verdict comes from AuthStore#allowed?(name, ip), run with any
# regex captures interpolated into the store's entries for the duration of
# the call.
#
# @param name [Object] passed straight through to AuthStore#allowed?
# @param ip [Object] passed straight through to AuthStore#allowed?
# @param args [Hash] :method, :environment, :authenticated and :match
#   (presumably the MatchData from #match?; used for interpolation)
# @return [Boolean, Symbol] the AuthStore verdict, or :dunno
def allowed?(name, ip, args = {})
  regex_right = (acl_type == :regex)

  if regex_right
    return :dunno unless @methods.include?(args[:method])
    return :dunno if !@environment.empty? && !@environment.include?(args[:environment])
    # a nil @authentication means "any"; true/false must match the request
    return :dunno if !@authentication.nil? && args[:authenticated] != @authentication
  end

  begin
    # make sure any captures are substituted before the store is consulted
    interpolate(args[:match]) if regex_right && args[:match]
    super(name, ip)
  ensure
    reset_interpolation if regex_right
  end
end

#match?(key) ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/puppet/network/rights.rb', line 247

# Does the given key fall under this right?
#
# @param key [String, Symbol] the key to test
# @return [Boolean, MatchData, nil] a strict comparison for namespace rights;
#   for regex rights the MatchData (or nil) from matching the key, which is
#   truthy on success and keeps any captures
def match?(key)
  case acl_type
  when :name
    # namespaces are compared as symbols
    self.key == namespace_to_key(key)
  else
    # everything else matches against the stored Regexp
    self.key.match(key)
  end
end

#namespace_to_key(key) ⇒ Object



# File 'lib/puppet/network/rights.rb', line 255

# Normalise a namespace name to the Symbol form used as a right's key.
# Strings are interned; anything else is returned untouched.
#
# @param key [String, Symbol, Object]
# @return [Symbol, Object]
def namespace_to_key(key)
  key.is_a?(String) ? key.intern : key
end

#regex? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/puppet/network/rights.rb', line 187

# @return [Boolean] true when this right matches keys by regular expression
#   (path and "~" rights), false for namespace rights
def regex?; acl_type == :regex; end

#restrict_authenticated(authentication) ⇒ Object



# File 'lib/puppet/network/rights.rb', line 233

# Set the authentication requirement for this right.
#
# @param authentication [String, Symbol, Boolean] "yes"/"on"/"true"/true
#   require an authenticated client, "no"/"off"/"false"/false an
#   unauthenticated one, and "all"/"any"/:all/:any accept either
# @return [Boolean, nil] the stored value (nil means "any")
# @raise [ArgumentError] for any other value
def restrict_authenticated(authentication)
  @authentication =
    case authentication
    when "yes", "on", "true", true then true
    when "no", "off", "false", false then false
    when "all", "any", :all, :any then nil
    else
      raise ArgumentError, "'#{name}' incorrect authenticated value: #{authentication}"
    end
end

#restrict_environment(env) ⇒ Object

Raises:

  • (ArgumentError)


# File 'lib/puppet/network/rights.rb', line 226

# Limit this right to one more environment.
#
# @param env [String] environment name, wrapped in Puppet::Node::Environment
# @return [Array] the updated environment list
# @raise [ArgumentError] if that environment is already listed
def restrict_environment(env)
  wrapped = Puppet::Node::Environment.new(env)
  if @environment.include?(wrapped)
    raise ArgumentError, "'#{wrapped}' is already in the '#{name}' ACL"
  end

  @environment << wrapped
end

#restrict_method(m) ⇒ Object

Restrict this right to certain methods only.

Raises:

  • (ArgumentError)


# File 'lib/puppet/network/rights.rb', line 211

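# Restrict this right to one more access method; calls accumulate.
#
# @param m [String, Symbol] one of ALL (:save, :destroy, :find, :search)
# @return [Array<Symbol>] the methods now permitted by this right
# @raise [ArgumentError] when m is not a known method or is already listed
def restrict_method(m)
  m = m.intern if m.is_a?(String)

  raise ArgumentError, "'#{m}' is not an allowed value for method directive" unless ALL.include?(m)

  # A right that still carries the shared ALL constant allows everything; the
  # first explicit directive replaces it with a fresh list. This is an
  # identity check on purpose: comparing contents (the old `===`) also reset
  # a right that had been explicitly restricted to all four methods in ALL's
  # order, so a duplicate directive silently narrowed it instead of raising.
  @methods = [] if @methods.equal?(ALL)

  raise ArgumentError, "'#{m}' is already in the '#{name}' ACL" if @methods.include?(m)

  @methods << m
end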

#to_s ⇒ Object



# File 'lib/puppet/network/rights.rb', line 178

# @return [String] the right rendered as an auth.conf-style "access[name]"
def to_s
  format('access[%s]', @name)
end

#valid? ⇒ Boolean

There’s no real check to do at this point

Returns:

  • (Boolean)


# File 'lib/puppet/network/rights.rb', line 183

# @return [Boolean] always true; the constructor already rejected any name it
#   could not classify, so there is nothing further to validate here
def valid?; true; end