Fix #1875 - Add a REST authorization system

This patch introduces a new configuration file (and configuration
setting to set it).
Each REST request is checked against this configuration file, and is
either allowed or denied.

The configuration file has the following format:

path /uripath
method <methods>
allow <ip> or <name>
deny <ip> or <name>

or
path ~ <regex>
method <methods>
allow <ip> or <name>
deny <ip> or <name>

where regex is a ruby regex.
This last syntax allows deny/allow interpolation from
the regex captures:

path ~ /files[^/]+/files/([^/]+)/([^/])/
method find
allow $2.$1

If you arrange your files/ directory to have files in
'domain.com/host/', then only the referenced host will
be able to access their files, other hosts will be denied.

For instance:
files/reductivelabs.com/dns/...
files/reductivelabs.com/www/...
then only files in dns can be accessible by dns.reductivelabs.com
and so on...

If the auth.conf file doesn't exist puppet uses sane defaults that allows
clients to check-in and ask for their configurations...

Signed-off-by: Brice Figureau <brice-puppet@daysofwonder.com>

1 files changed, 5 insertions, 0 deletions

diff --git a/lib/puppet/defaults.rb b/lib/puppet/defaults.rb
index f21fbc26a..0eed2f884 100644
--- a/lib/puppet/defaults.rb
+++ b/lib/puppet/defaults.rb
@@ -395,6 +395,11 @@ module Puppet
             :group => "$group",
             :desc => "Where FileBucket files are stored."
         },
+        :rest_authconfig => [ "$confdir/auth.conf",
+            "The configuration file that defines the rights to the different
+            rest indirections.  This can be used as a fine-grained
+            authorization system for ``puppetmasterd``."
+        ],
         :ca => [true, "Wether the master should function as a certificate authority."],
         :modulepath => {:default => "$confdir/modules:/usr/share/puppet/modules",
            :desc => "The search path for modules as a colon-separated list of