| author | Brice Figureau <brice-puppet@daysofwonder.com> | 2009-03-30 23:10:19 +0200 |
|---|---|---|
| committer | Brice Figureau <brice-puppet@daysofwonder.com> | 2009-04-23 20:52:03 +0200 |
| commit | c0c824548e03e603f5a51c61262ae6a58e7549fb (patch) | |
| tree | c2fff712f555006a7569ec1b2b4324311532b375 /lib/puppet/network/http | |
| parent | aac996ed17e0ec72c5098b1225eb159aae4901fc (diff) | |
Refactor rest authorization to raise exceptions deeper
The idea is to raise an AuthorizationException at the same place
we check the authorization instead of in an upper level to be
able to spot where the authorization took place in the exception
backtrace.
Moreover, this change also makes Rights::allowed? return
the matching acl so that the upper layer can have a chance to
report which ACL resulted in the match.
Signed-off-by: Brice Figureau <brice-puppet@daysofwonder.com>
Diffstat (limited to 'lib/puppet/network/http')
| -rw-r--r-- | lib/puppet/network/http/handler.rb | 14 |
1 files changed, 9 insertions, 5 deletions
diff --git a/lib/puppet/network/http/handler.rb b/lib/puppet/network/http/handler.rb index 20234b2da..c6d34fe43 100644 --- a/lib/puppet/network/http/handler.rb +++ b/lib/puppet/network/http/handler.rb @@ -3,6 +3,7 @@ end require 'puppet/network/http/api/v1' require 'puppet/network/rest_authorization' +require 'puppet/network/rights' module Puppet::Network::HTTP::Handler include Puppet::Network::HTTP::API::V1 @@ -40,11 +41,9 @@ module Puppet::Network::HTTP::Handler def process(request, response) indirection_request = uri2indirection(http_method(request), path(request), params(request)) - if authorized?(indirection_request) - send("do_%s" % indirection_request.method, indirection_request, request, response) - else - return do_exception(response, "Request forbidden by configuration %s %s" % [indirection_request.indirection_name, indirection_request.key], 403) - end + check_authorization(indirection_request) + + send("do_%s" % indirection_request.method, indirection_request, request, response) rescue Exception => e return do_exception(response, e) end @@ -60,6 +59,11 @@ module Puppet::Network::HTTP::Handler end def do_exception(response, exception, status=400) + if exception.is_a?(Puppet::Network::AuthorizationError) + # make sure we return the correct status code + # for authorization issues + status = 403 if status == 400 + end if exception.is_a?(Exception) puts exception.backtrace if Puppet[:trace] Puppet.err(exception) |
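Review bot: the added require 'puppet/network/rights' at the top of handler.rb has no visible user in this file other than the Puppet::Network::AuthorizationError reference in do_exception. If that is where the class is defined, a short comment on the require would say so, since 'puppet/network/rest_authorization' is already required just above and a reader may take the new line for redundant.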
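Review bot: in process, check_authorization(indirection_request) now protects the following send("do_%s" ...) only by raising, so the handler fails closed only as long as every denial path inside check_authorization raises instead of returning false or nil. The removed if/else made the deny branch explicit at this call site; please add a spec that stubs check_authorization to raise and asserts that no do_* method is sent, and document on check_authorization that its return value is ignored here. The old 403 body also named indirection_name and key, while the new text comes from whatever exception is raised, so confirm that message still identifies the refused request.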
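Review bot: in do_exception, `status = 403 if status == 400` treats the default argument value as a "not supplied" marker, so it cannot tell a caller that explicitly passed 400 from one that passed nothing, and it stops working silently if the default is ever changed. Consider a signature of `status=nil` and resolving it inside the method to 403 for Puppet::Network::AuthorizationError and 400 otherwise. Because process rescues Exception and routes everything through this method, this is_a? check is the only place a denial becomes a 403, so it deserves its own spec covering both an AuthorizationError and an ordinary exception.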
