Class: Puppet::Network::Rights

Inherits:

Object

• Object
• Puppet::Network::Rights

Defined in:

lib/puppet/network/rights.rb

Overview

Rights class manages a list of ACLs for paths.

Defined Under Namespace

Classes: Right

Instance Method Summary

• #[](name) ⇒ Object
• #allowed?(name, *args) ⇒ Boolean

  Check that name is allowed or not.

• #each ⇒ Object
• #empty? ⇒ Boolean
• #include?(name) ⇒ Boolean
• #initialize ⇒ Rights constructor

  A new instance of Rights.

• #is_forbidden_and_why?(name, args = {}) ⇒ Boolean
• #is_request_forbidden_and_why?(method, path, params) ⇒ Boolean
• #newright(name, line = nil, file = nil) ⇒ Object

  Define a new right to which access can be provided.

Constructor Details

#initialize ⇒ Rights

Returns a new instance of Rights.

# File 'lib/puppet/network/rights.rb', line 71

def initialize
  @rights = []
end

Instance Method Details

#[](name) ⇒ Object

# File 'lib/puppet/network/rights.rb', line 75

def [](name)
  @rights.find { |acl| acl == name }
end

#allowed?(name, *args) ⇒ Boolean

Check that name is allowed or not

# File 'lib/puppet/network/rights.rb', line 12

def allowed?(name, *args)
  !is_forbidden_and_why?(name, :node => args[0], :ip => args[1])
end

#each ⇒ Object

# File 'lib/puppet/network/rights.rb', line 87

def each
  @rights.each { |r| yield r.name,r }
end

#empty? ⇒ Boolean

# File 'lib/puppet/network/rights.rb', line 79

def empty?
  @rights.empty?
end

#include?(name) ⇒ Boolean

# File 'lib/puppet/network/rights.rb', line 83

def include?(name)
  @rights.include?(name)
end

#is_forbidden_and_why?(name, args = {}) ⇒ Boolean

# File 'lib/puppet/network/rights.rb', line 35

def is_forbidden_and_why?(name, args = {})
  res = :nomatch
  right = @rights.find do |acl|
    found = false
    # an acl can return :dunno, which means "I'm not qualified to answer your question,
    # please ask someone else". This is used when for instance an acl matches, but not for the
    # current rest method, where we might think some other acl might be more specific.
    if match = acl.match?(name)
      args[:match] = match
      if (res = acl.allowed?(args[:node], args[:ip], args)) != :dunno
        # return early if we're allowed
        return nil if res
        # we matched, select this acl
        found = true
      end
    end
    found
  end

  # if we end up here, then that means we either didn't match or failed, in any
  # case will return an error to the outside world
  host_description = args[:node] ? "#{args[:node]}(#{args[:ip]})" : args[:ip]

  msg = "#{host_description} access to #{name} [#{args[:method]}]"

  if args[:authenticated]
    msg += " authenticated "
  end

  if right
    msg += " at #{right.file}:#{right.line}"
  end

  AuthorizationError.new("Forbidden request: #{msg}")
end

#is_request_forbidden_and_why?(method, path, params) ⇒ Boolean

# File 'lib/puppet/network/rights.rb', line 16

def is_request_forbidden_and_why?(method, path, params)
  methods_to_check = if method == :head
                       # :head is ok if either :find or :save is ok.
                       [:find, :save]
                     else
                       [method]
                     end
  authorization_failure_exceptions = methods_to_check.map do |m|
    is_forbidden_and_why?(path, params.merge({:method => m}))
  end
  if authorization_failure_exceptions.include? nil
    # One of the methods we checked is ok, therefore this request is ok.
    nil
  else
    # Just need to return any of the failure exceptions.
    authorization_failure_exceptions.first
  end
end

#newright(name, line = nil, file = nil) ⇒ Object

Define a new right to which access can be provided.

# File 'lib/puppet/network/rights.rb', line 92

def newright(name, line=nil, file=nil)
  add_right( Right.new(name, line, file) )
end