Adding the calls to the authorization hooks in the Indirection.

1 files changed, 16 insertions, 0 deletions

diff --git a/lib/puppet/indirector/indirection.rb b/lib/puppet/indirector/indirection.rb
index f464f846f..50a27f771 100644
--- a/lib/puppet/indirector/indirection.rb
+++ b/lib/puppet/indirector/indirection.rb
@@ -109,6 +109,8 @@ class Puppet::Indirector::Indirection
             terminus_name = terminus_class
         end
 
+        check_authorization(:find, terminus_name, ([key] + args))
+
         # See if our instance is in the cache and up to date.
         if cache? and cache.has_most_recent?(key, terminus(terminus_name).version(key))
             Puppet.info "Using cached %s %s" % [self.name, key]
@@ -127,15 +129,21 @@ class Puppet::Indirector::Indirection
     end
 
     def destroy(*args)
+        check_authorization(:destroy, terminus_class, args)
+
         terminus.destroy(*args)
     end
 
     def search(*args)
+        check_authorization(:search, terminus_class, args)
+
         terminus.search(*args)
     end
 
     # these become instance methods 
     def save(instance, *args)
+        check_authorization(:save, terminus_class, ([instance] + args))
+
         instance.version ||= Time.now.utc
         dest = cache? ? cache : terminus
         return if dest.has_most_recent?(instance.name, instance.version)
@@ -150,6 +158,14 @@ class Puppet::Indirector::Indirection
 
     private
 
+    # Check authorization if there's a hook available; fail if there is one
+    # and it returns false.
+    def check_authorization(method, terminus_name, arguments)
+        if terminus(terminus_name).respond_to?(:authorized?) and ! terminus(terminus_name).authorized?(method, *arguments)
+            raise ArgumentError, "Not authorized to call %s with %s" % [method, arguments[0]]
+        end
+    end
+
     # Create a new terminus instance.
     def make_terminus(terminus_class)
         # Load our terminus class.