authorBrice Figureau <brice-puppet@daysofwonder.com>2009-03-31 20:29:37 +0200
committerBrice Figureau <brice-puppet@daysofwonder.com>2009-04-23 20:52:02 +0200
commit85233768f080b4cbc4e20eb0c354b6d859a2fb23 (patch)
tree19d32e670fe84cfb53f31adfd63953dd3a04fd5c /lib/puppet/network/authconfig.rb
parent22b82abcd27834e43426f2758fba5728c146be61 (diff)
Enhance authconfig format to support uri paths and regex
This patch introduces a new set of directives to the authconfig parser/file format: path /uripath or path ~ <regex>. This directive declares a new kind of ACL based on the URI path. method save, find: this directive, which is to be used under a path directive, restricts a path ACL to only some REST verbs. The ACL path system matches on path prefix where possible, or on regex matches (first match wins). If no path matches, then the authorization is not allowed; the same holds if no ACL matches the given REST verb. The old namespace right matching still works as usual. Signed-off-by: Brice Figureau <brice-puppet@daysofwonder.com>
Diffstat (limited to 'lib/puppet/network/authconfig.rb')
-rw-r--r--lib/puppet/network/authconfig.rb82
1 files changed, 44 insertions, 38 deletions
diff --git a/lib/puppet/network/authconfig.rb b/lib/puppet/network/authconfig.rb
index dc67723c4..f78cdc621 100644
--- a/lib/puppet/network/authconfig.rb
+++ b/lib/puppet/network/authconfig.rb
@@ -44,7 +44,7 @@ module Puppet
end
def initialize(file = nil, parsenow = true)
- @file ||= Puppet[:authconfig]
+ @file = file || Puppet[:authconfig]
unless @file
raise Puppet::DevError, "No authconfig file defined"
@@ -99,44 +99,21 @@ module Puppet
count = 1
f.each { |line|
case line
- when /^\s*#/; next # skip comments
- when /^\s*$/; next # skip blank lines
- when /\[([\w.]+)\]/ # "namespace" or "namespace.method"
- name = $1
- if newrights.include?(name)
- raise FileServerError, "%s is already set at %s" %
- [newrights[name], name]
- end
- newrights.newright(name)
- right = newrights[name]
- when /^\s*(\w+)\s+(.+)$/
- var = $1
- value = $2
- case var
- when "allow"
- value.split(/\s*,\s*/).each { |val|
- begin
- right.info "allowing %s access" % val
- right.allow(val)
- rescue AuthStoreError => detail
- raise ConfigurationError, "%s at line %s of %s" %
- [detail.to_s, count, @config]
- end
- }
- when "deny"
- value.split(/\s*,\s*/).each { |val|
- begin
- right.info "denying %s access" % val
- right.deny(val)
- rescue AuthStoreError => detail
- raise ConfigurationError, "%s at line %s of %s" %
- [detail.to_s, count, @config]
- end
- }
- else
- raise ConfigurationError,
- "Invalid argument '%s' at line %s" % [var, count]
+ when /^\s*#/ # skip comments
+ count += 1
+ next
+ when /^\s*$/ # skip blank lines
+ count += 1
+ next
+ when /^(?:(\[[\w.]+\])|(path)\s+((?:~\s+)?[^ ]+))\s*$/ # "namespace" or "namespace.method" or "path /path" or "path ~ regex"
+ name = $1
+ if $2 == "path"
+ name = $3
end
+ name.chomp!
+ right = newrights.newright(name, count)
+ when /^\s*(allow|deny|method)\s+(.+)$/
+ parse_right_directive(right, $1, $2, count)
else
raise ConfigurationError, "Invalid line %s: %s" % [count, line]
end
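Review bot: `right` is still nil when an `allow`, `deny` or `method` line precedes the first `[namespace]` or `path` header, so the call `parse_right_directive(right, $1, $2, count)` fails inside the helper with a NoMethodError rather than a ConfigurationError naming the offending line; a guard before the call, `raise ConfigurationError, "Directive '%s' outside of any ACL section at line %s of %s" % [$1, count, @file] unless right`, keeps this consistent with the other parse errors (the same applies to parse_right_directive in the third hunk). The new header pattern is anchored with a bare `^` and no leading `\s*`, so an indented `[namespace]` line that the old unanchored `/\[([\w.]+)\]/` accepted now falls through to "Invalid line"; if that is not intended, `^\s*(?:` restores it. Note also that `$1` now carries the surrounding brackets whereas the old capture stripped them, which looks like it relies on `newright` to tell namespace rights from path rights by that bracketing — worth a comment on the `newrights.newright(name, count)` line such as `# bracketed names are namespace rights; path rights arrive unbracketed` once confirmed against Rights#newright. The enclosing parse method begins before this hunk.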
@@ -162,6 +139,35 @@ module Puppet
}
@rights = newrights
end
+
+ def parse_right_directive(right, var, value, count)
+ case var
+ when "allow"
+ modify_right(right, :allow, value, "allowing %s access", count)
+ when "deny"
+ modify_right(right, :deny, value, "denying %s access", count)
+ when "method"
+ unless right.acl_type == :regex
+ raise ConfigurationError, "'method' directive not allowed in namespace ACL at line %s of %s" % [count, @config]
+ end
+ modify_right(right, :restrict_method, value, "allowing method %s access", count)
+ else
+ raise ConfigurationError,
+ "Invalid argument '%s' at line %s" % [var, count]
+ end
+ end
+
+ def modify_right(right, method, value, msg, count)
+ value.split(/\s*,\s*/).each do |val|
+ begin
+ right.info msg % val
+ right.send(method, val)
+ rescue AuthStoreError => detail
+ raise ConfigurationError, "%s at line %s of %s" % [detail.to_s, count, @file]
+ end
+ end
+ end
+
end
end
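Review bot: The two new helpers name different instance variables in their error messages: the 'method' error in parse_right_directive interpolates `@config`, while modify_right interpolates `@file`, and the initialize hunk above only assigns `@file`; if `@config` is never set, the 'method' error prints an empty file name. Use `@file` in both: `raise ConfigurationError, "'method' directive not allowed in namespace ACL at line %s of %s" % [count, @file]`. `right.send(method, val)` receives a symbol fixed by the three `when` branches, never taken from the config line, so it cannot dispatch to an arbitrary method; `public_send` would make that intent explicit, and renaming the parameter avoids shadowing Kernel#method. The check `right.acl_type == :regex` only admits regex rights, yet the commit message says `method` applies under any `path` directive — if prefix-path rights report a different acl_type this rejects `method` under `path /foo`; confirm against Rights#newright, which is outside this diff.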