Fix #1875 - Add a REST authorization system

This patch introduces a new configuration file (and configuration setting to set it). Each REST request is checked against this configuration file, and is either allowed or denied. The configuration file has the following format: path /uripath method <methods> allow <ip> or <name> deny <ip> or <name> or path ~ <regex> method <methods> allow <ip> or <name> deny <ip> or <name> where regex is a ruby regex. This last syntax allows deny/allow interpolation from the regex captures: path ~ /files[^/]+/files/([^/]+)/([^/])/ method find allow $2.$1 If you arrange your files/ directory to have files in 'domain.com/host/', then only the referenced host will be able to access their files, other hosts will be denied. For instance: files/reductivelabs.com/dns/... files/reductivelabs.com/www/... then only files in dns can be accessible by dns.reductivelabs.com and so on... If the auth.conf file doesn't exist puppet uses sane defaults that allows clients to check-in and ask for their configurations... Signed-off-by: Brice Figureau <brice-puppet@daysofwonder.com>
author: Brice Figureau <brice-puppet@daysofwonder.com> 2009-04-21 23:53:48 +0200
committer: Brice Figureau <brice-puppet@daysofwonder.com> 2009-04-23 20:52:03 +0200
commit: dc1cd6fb6b143b6525953e619a716f04e678727c (patch)
tree: ab38c7fac99ba1cddab062176142ba071caea831 /lib/puppet/network/http/handler.rb
parent: 85233768f080b4cbc4e20eb0c354b6d859a2fb23 (diff)
download: puppet-dc1cd6fb6b143b6525953e619a716f04e678727c.tar.gz
puppet-dc1cd6fb6b143b6525953e619a716f04e678727c.tar.xz
puppet-dc1cd6fb6b143b6525953e619a716f04e678727c.zip
1 files changed, 7 insertions, 1 deletions
diff --git a/lib/puppet/network/http/handler.rb b/lib/puppet/network/http/handler.rb
index 04ba14401..20234b2da 100644
--- a/lib/puppet/network/http/handler.rb
+++ b/lib/puppet/network/http/handler.rb
@@ -2,9 +2,11 @@ module Puppet::Network::HTTP
 end
 
 require 'puppet/network/http/api/v1'
+require 'puppet/network/rest_authorization'
 
 module Puppet::Network::HTTP::Handler
     include Puppet::Network::HTTP::API::V1
+    include Puppet::Network::RestAuthorization
 
     attr_reader :server, :handler
 
@@ -38,7 +40,11 @@ module Puppet::Network::HTTP::Handler
     def process(request, response)
         indirection_request = uri2indirection(http_method(request), path(request), params(request))
 
-        send("do_%s" % indirection_request.method, indirection_request, request, response)
+        if authorized?(indirection_request)
+            send("do_%s" % indirection_request.method, indirection_request, request, response)
+        else
+            return do_exception(response, "Request forbidden by configuration %s %s" % [indirection_request.indirection_name, indirection_request.key], 403)
+        end
     rescue Exception => e
         return do_exception(response, e)
     end
author	Brice Figureau <brice-puppet@daysofwonder.com>	2009-04-21 23:53:48 +0200
committer	Brice Figureau <brice-puppet@daysofwonder.com>	2009-04-23 20:52:03 +0200
commit	dc1cd6fb6b143b6525953e619a716f04e678727c (patch)
tree	ab38c7fac99ba1cddab062176142ba071caea831 /lib/puppet/network/http/handler.rb
parent	85233768f080b4cbc4e20eb0c354b6d859a2fb23 (diff)
download	puppet-dc1cd6fb6b143b6525953e619a716f04e678727c.tar.gz puppet-dc1cd6fb6b143b6525953e619a716f04e678727c.tar.xz puppet-dc1cd6fb6b143b6525953e619a716f04e678727c.zip