author | Brice Figureau <brice-puppet@daysofwonder.com> | 2011-05-31 20:01:36 +0200 |
---|---|---|
committer | Jacob Helwig <jacob@puppetlabs.com> | 2011-07-26 14:04:28 -0700 |
commit | 7e6fc0d80ccd29f206c3b56960ee1eef3afc33a3 (patch) | |
tree | aae7597cf9e6730a27506877774cf76eaf268837 | |
parent | 6401dfe5602fd39cc59ec1f1b3822110e4ad864a (diff) | |
Deprecate RestAuthConfig#allowed? in favor of #check_authorization
#allowed? was a poorly named method since it isn't actually a predicate
method. Instead of returning a boolean, this method throws an
exception when the access is denied (in order to keep the full context
of what ACE triggered the deny).
Given that #allowed? was overriding the behavior from AuthConfig, we
leave a version of #allowed? in place that will issue a deprecation
warning before delegating to #check_authorization. Once support for
XML-RPC agents is removed from the master, we will be able to remove
this delegation, since there should no longer be a reason for a
distinction between AuthConfig and RestAuthConfig.
Signed-off-by: Brice Figureau <brice-puppet@daysofwonder.com>
Signed-off-by: Jacob Helwig <jacob@puppetlabs.com>
-rw-r--r-- | lib/puppet/network/rest_authconfig.rb | 7 | ||||
-rw-r--r-- | lib/puppet/network/rest_authorization.rb | 2 | ||||
-rw-r--r-- | spec/integration/network/rest_authconfig_spec.rb | 2 | ||||
-rwxr-xr-x | spec/unit/network/rest_authconfig_spec.rb | 2 |
4 files changed, 9 insertions, 4 deletions
diff --git a/lib/puppet/network/rest_authconfig.rb b/lib/puppet/network/rest_authconfig.rb
index dfe8f85c4..7dcc81ef4 100644
--- a/lib/puppet/network/rest_authconfig.rb
+++ b/lib/puppet/network/rest_authconfig.rb
@@ -29,10 +29,15 @@ module Puppet
 @main
 end
+ def allowed?(request)
+ Puppet.deprecation_warning "allowed? should not be called for REST authorization - use check_authorization instead"
+ check_authorization(request)
+ end
+
 # check wether this request is allowed in our ACL
 # raise an Puppet::Network::AuthorizedError if the request
 # is denied.
- def allowed?(indirection, method, key, params)
+ def check_authorization(indirection, method, key, params)
 read
 # we're splitting the request in part because
diff --git a/lib/puppet/network/rest_authorization.rb b/lib/puppet/network/rest_authorization.rb
index 50f094e3e..d636d486a 100644
--- a/lib/puppet/network/rest_authorization.rb
+++ b/lib/puppet/network/rest_authorization.rb
@@ -16,7 +16,7 @@ module Puppet::Network
 # Verify that our client has access.
 def check_authorization(indirection, method, key, params)
- authconfig.allowed?(indirection, method, key, params)
+ authconfig.check_authorization(indirection, method, key, params)
 end
 end
 end
diff --git a/spec/integration/network/rest_authconfig_spec.rb b/spec/integration/network/rest_authconfig_spec.rb
index 0e5278860..d2f539cd4 100644
--- a/spec/integration/network/rest_authconfig_spec.rb
+++ b/spec/integration/network/rest_authconfig_spec.rb
@@ -6,7 +6,7 @@ RSpec::Matchers.define :allow do |params|
 match do |auth|
 begin
- auth.allowed?(params[0], params[1], params[2], params[3])
+ auth.check_authorization(params[0], params[1], params[2], params[3])
 true
 rescue Puppet::Network::AuthorizationError
 false
diff --git a/spec/unit/network/rest_authconfig_spec.rb b/spec/unit/network/rest_authconfig_spec.rb
index e1403997f..bebbb874f 100755
--- a/spec/unit/network/rest_authconfig_spec.rb
+++ b/spec/unit/network/rest_authconfig_spec.rb
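Review bot: The deprecation shim added in lib/puppet/network/rest_authconfig.rb cannot delegate as written: `allowed?(request)` calls `check_authorization(request)` with one argument, while `check_authorization` is declared a few lines below with four (`indirection, method, key, params`). Any call through the deprecated name therefore raises ArgumentError rather than completing the ACL check or raising the authorization error, and callers still using the old four-argument form fail at `allowed?` itself. Keeping the previous arity would preserve the promised compatibility: `def allowed?(indirection, method, key, params)` delegating with `check_authorization(indirection, method, key, params)`; if a request object is intended instead, it needs unpacking before the call, and its fields are not visible here. None of the spec changes in this commit exercises the deprecated path, so a spec calling `allowed?` and expecting the warning plus the delegated call would catch this. The body of `check_authorization` continues outside the hunk.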
@@ -29,7 +29,7 @@ describe Puppet::Network::RestAuthConfig do
 params = {:ip => "127.0.0.1", :node => "me", :environment => :env, :authenticated => true}
 @acl.expects(:is_request_forbidden_and_why?).with("path", :save, "to/resource", params).returns(nil)
- @authconfig.allowed?("path", :save, "to/resource", params)
+ @authconfig.check_authorization("path", :save, "to/resource", params)
 end
 describe "when defining an acl with mk_acl" do |