author | luke <luke@980ebf18-57e1-0310-9a29-db15c13687c0> | 2007-02-08 02:22:57 +0000 |
---|---|---|
committer | luke <luke@980ebf18-57e1-0310-9a29-db15c13687c0> | 2007-02-08 02:22:57 +0000 |
commit | a216df2bcb304ad379e152f2f59ef7d942f54f3b (patch) | |
tree | eef3289c588cf44373fe959619d732c5a05ab7b5 /lib/puppet/network/server | |
parent | 7e07e3dc843798bdbc7a03428ca054adaff2fb72 (diff) | |
Okay, last file moves for the night. The test code has been moved to match the lib directory, and I have moved a couple of things into network/ instead of network/server, since they did not belong there as much.
git-svn-id: https://reductivelabs.com/svn/puppet/trunk@2180 980ebf18-57e1-0310-9a29-db15c13687c0
Diffstat (limited to 'lib/puppet/network/server')
-rw-r--r-- | lib/puppet/network/server/authconfig.rb | 173 | ||||
-rwxr-xr-x | lib/puppet/network/server/authstore.rb | 227 | ||||
-rwxr-xr-x | lib/puppet/network/server/rights.rb | 74 |
3 files changed, 0 insertions, 474 deletions
diff --git a/lib/puppet/network/server/authconfig.rb b/lib/puppet/network/server/authconfig.rb
deleted file mode 100644
index e4d31d8d8..000000000
--- a/lib/puppet/network/server/authconfig.rb
+++ /dev/null
@@ -1,173 +0,0 @@
-require 'puppet/util/loadedfile'
-require 'puppet/network/server/rights'
-
-module Puppet
- class ConfigurationError < Puppet::Error; end
- class Network::AuthConfig < Puppet::Util::LoadedFile
- Puppet.config.setdefaults(:puppet,
- :authconfig => [ "$confdir/namespaceauth.conf",
- "The configuration file that defines the rights to the different
- namespaces and methods. This can be used as a coarse-grained
- authorization system for both ``puppetd`` and ``puppetmasterd``."
- ]
- )
-
- # Just proxy the setting methods to our rights stuff
- [:allow, :deny].each do |method|
- define_method(method) do |*args|
- @rights.send(method, *args)
- end
- end
-
- # Here we add a little bit of semantics. They can set auth on a whole namespace
- # or on just a single method in the namespace.
- def allowed?(name, host, ip)
- namespace, method = name.to_s.split(".")
- unless namespace and method
- raise ArgumentError, "Invalid method name %s" % name
- end
-
- name = name.intern if name.is_a? String
- namespace = namespace.intern
- method = method.intern
-
- read()
-
- if @rights.include?(name)
- return @rights[name].allowed?(host, ip)
- elsif @rights.include?(namespace)
- return @rights[namespace].allowed?(host, ip)
- else
- return false
- end
- end
-
- # Does the file exist? Puppetmasterd does not require it, but
- # puppetd does.
- def exists?
- FileTest.exists?(@file)
- end
-
- def initialize(file = nil, parsenow = true)
- @file ||= Puppet[:authconfig]
-
- unless @file
- raise Puppet::DevError, "No authconfig file defined"
- end
- return unless self.exists?
- super(@file)
- @rights = Puppet::Network::Rights.new
- @configstamp = @configstatted = nil
- @configtimeout = 60
-
- if parsenow
- read()
- end
- end
-
- # Read the configuration file.
- def read
- return unless FileTest.exists?(@file)
-
- if @configstamp
- if @configtimeout and @configstatted
- if Time.now - @configstatted > @configtimeout
- @configstatted = Time.now
- tmp = File.stat(@file).ctime
-
- if tmp == @configstamp
- return
- else
- Puppet.notice "%s vs %s" % [tmp, @configstamp]
- end
- else
- return
- end
- else
- Puppet.notice "%s and %s" % [@configtimeout, @configstatted]
- end
- end
-
- parse()
-
- @configstamp = File.stat(@file).ctime
- @configstatted = Time.now
- end
-
- private
-
- def parse
- newrights = Puppet::Network::Rights.new
- begin
- File.open(@file) { |f|
- right = nil
- count = 1
- f.each { |line|
- case line
- when /^\s*#/: next # skip comments
- when /^\s*$/: next # skip blank lines
- when /\[([\w.]+)\]/: # "namespace" or "namespace.method"
- name = $1
- if newrights.include?(name)
- raise FileServerError, "%s is already set at %s" %
- [newrights[name], name]
- end
- newrights.newright(name)
- right = newrights[name]
- when /^\s*(\w+)\s+(.+)$/:
- var = $1
- value = $2
- case var
- when "allow":
- value.split(/\s*,\s*/).each { |val|
- begin
- right.info "allowing %s access" % val
- right.allow(val)
- rescue AuthStoreError => detail
- raise ConfigurationError, "%s at line %s of %s" %
- [detail.to_s, count, @config]
- end
- }
- when "deny":
- value.split(/\s*,\s*/).each { |val|
- begin
- right.info "denying %s access" % val
- right.deny(val)
- rescue AuthStoreError => detail
- raise ConfigurationError, "%s at line %s of %s" %
- [detail.to_s, count, @config]
- end
- }
- else
- raise ConfigurationError,
- "Invalid argument '%s' at line %s" % [var, count]
- end
- else
- raise ConfigurationError, "Invalid line %s: %s" % [count, line]
- end
- count += 1
- }
- }
- rescue Errno::EACCES => detail
- Puppet.err "Configuration error: Cannot read %s; cannot serve" % @file
- #raise Puppet::Error, "Cannot read %s" % @config
- rescue Errno::ENOENT => detail
- Puppet.err "Configuration error: '%s' does not exit; cannot serve" %
- @file
- #raise Puppet::Error, "%s does not exit" % @config
- #rescue FileServerError => detail
- # Puppet.err "FileServer error: %s" % detail
- end
-
- # Verify each of the rights are valid.
- # We let the check raise an error, so that it can raise an error
- # pointing to the specific problem.
- newrights.each { |name, right|
- right.valid?
- }
- @rights = newrights
- end
- end
-end
-
-# $Id$
diff --git a/lib/puppet/network/server/authstore.rb b/lib/puppet/network/server/authstore.rb
deleted file mode 100755
index 51ce93d46..000000000
--- a/lib/puppet/network/server/authstore.rb
+++ /dev/null
@@ -1,227 +0,0 @@
-# standard module for determining whether a given hostname or IP has access to
-# the requested resource
-
-require 'ipaddr'
-
-module Puppet
- class AuthStoreError < Puppet::Error; end
- class AuthorizationError < Puppet::Error; end
-
- class Network::AuthStore
- # This has to be an array, not a hash, else it loses its ordering.
- ORDER = [
- [:ip, [:ip]],
- [:name, [:hostname, :domain]]
- ]
-
- Puppet::Util.logmethods(self, true)
-
- def allow(pattern)
- # a simple way to allow anyone at all to connect
- if pattern == "*"
- @globalallow = true
- else
- store(pattern, @allow)
- end
- end
-
- def allowed?(name, ip)
- if name or ip
- # This is probably unnecessary, and can cause some weirdnesses in
- # cases where we're operating over localhost but don't have a real
- # IP defined.
- unless name and ip
- raise Puppet::DevError, "Name and IP must be passed to 'allowed?'"
- end
- # else, we're networked and such
- else
- # we're local
- return true
- end
-
- # yay insecure overrides
- if @globalallow
- return true
- end
-
- value = nil
- ORDER.each { |nametype, array|
- if nametype == :ip
- value = IPAddr.new(ip)
- else
- value = name.split(".").reverse
- end
-
-
- array.each { |type|
- [[@deny, false], [@allow, true]].each { |ary|
- hash, retval = ary
- if hash.include?(type)
- hash[type].each { |pattern|
- if match?(nametype, value, pattern)
- return retval
- end
- }
- end
- }
- }
- }
-
- self.info "defaulting to no access for %s" % name
- # default to false
- return false
- end
-
- def deny(pattern)
- store(pattern, @deny)
- end
-
- def initialize
- @globalallow = nil
- @allow = Hash.new { |hash, key|
- hash[key] = []
- }
- @deny = Hash.new { |hash, key|
- hash[key] = []
- }
- end
-
- private
-
- def match?(nametype, value, pattern)
- if value == pattern # simplest shortcut
- return true
- end
-
- case nametype
- when :ip: matchip?(value, pattern)
- when :name: matchname?(value, pattern)
- else
- raise Puppet::DevError, "Invalid match type %s" %
nametype
- end
- end
-
- def matchip?(value, pattern)
- # we're just using builtin stuff for this, thankfully
- if pattern.include?(value)
- return true
- else
- return false
- end
- end
-
- def matchname?(value, pattern)
- # yay, horribly inefficient
- if pattern[-1] != '*' # the pattern has no metachars and is not equal
- # thus, no match
- #Puppet.info "%s is not equal with no * in %s" % [value, pattern]
- return false
- else
- # we know the last field of the pattern is '*'
- # if everything up to that doesn't match, we're definitely false
- if pattern[0..-2] != value[0..pattern.length-2]
- #Puppet.notice "subpatterns didn't match; %s vs %s" %
- # [pattern[0..-2], value[0..pattern.length-2]]
- return false
- end
-
- case value.length <=> pattern.length
- when -1: # value is shorter than pattern
- if pattern.length - value.length == 1
- # only ever allowed when the value is the domain of a
- # splatted pattern
- #Puppet.info "allowing splatted domain %s" % [value]
- return true
- else
- return false
- end
- when 0: # value is the same length as pattern
- if pattern[-1] == "*"
- #Puppet.notice "same length with *"
- return true
- else
- return false
- end
- when 1: # value is longer than pattern
- # at this point we've already verified that everything up to
- # the '*' in the pattern matches, so we are true
- return true
- end
- end
- end
-
- def store(pattern, hash)
- type, value = type(pattern)
-
- if type and value
- # this won't work once we get beyond simple stuff...
- hash[type] << value
- else
- raise AuthStoreError, "Invalid pattern %s" % pattern
- end
- end
-
- def type(pattern)
- type = value = nil
- case pattern
- when /^(\d+\.){3}\d+$/:
- type = :ip
- begin
- value = IPAddr.new(pattern)
- rescue ArgumentError => detail
- raise AuthStoreError, "Invalid IP address pattern %s" % pattern
- end
- when /^(\d+\.){3}\d+\/(\d+)$/:
- mask = Integer($2)
- if mask < 1 or mask > 32
- raise AuthStoreError, "Invalid IP mask %s" % mask
- end
- type = :ip
- begin
- value = IPAddr.new(pattern)
- rescue ArgumentError => detail
- raise AuthStoreError, "Invalid IP address pattern %s" % pattern
- end
- when /^(\d+\.){1,3}\*$/: # an ip address with a '*' at the end
- type = :ip
- match = $1
- match.sub!(".", '')
- ary = pattern.split(".")
-
- mask = case ary.index(match)
- when 0: 8
- when 1: 16
- when 2: 24
- else
- raise AuthStoreError, "Invalid IP pattern %s" % pattern
- end
-
- ary.pop
- while ary.length < 4
- ary.push("0")
- end
-
- begin
- value = IPAddr.new(ary.join(".") + "/" + mask.to_s)
- rescue ArgumentError => detail
- raise AuthStoreError, "Invalid IP address pattern %s" % pattern
- end
- when /^[\d.]+$/: # necessary so incomplete IP addresses can't look
- # like hostnames
- raise AuthStoreError, "Invalid IP address pattern %s" % pattern
- when /^([a-zA-Z][-\w]*\.)+[-\w]+$/: # a full hostname
- type = :hostname
- value = pattern.split(".").reverse
- when /^\*(\.([a-zA-Z][-\w]*)){1,}$/:
- type = :domain
- value = pattern.split(".").reverse
- else
- raise AuthStoreError, "Invalid pattern %s" % pattern
- end
-
- return [type, value]
- end
- end
-end
-
-# $Id$
diff --git a/lib/puppet/network/server/rights.rb b/lib/puppet/network/server/rights.rb
deleted file mode 100755
index 11da3b705..000000000
--- a/lib/puppet/network/server/rights.rb
+++ /dev/null
@@ -1,74 +0,0 @@
-require 'ipaddr'
-require 'puppet/network/server/authstore'
-
-# Define a set of rights and who has access to them.
-class Puppet::Network::Rights < Hash
- # We basically just proxy directly to our rights. Each Right stores
- # its own auth abilities.
- [:allow, :allowed?, :deny].each do |method|
- define_method(method) do |name, *args|
- name = name.intern if name.is_a? String
-
- if obj = right(name)
- obj.send(method, *args)
- else
- raise ArgumentError, "Unknown right '%s'" % name
- end
- end
- end
-
- def [](name)
- name = name.intern if name.is_a? String
- super(name)
- end
-
- # Define a new right to which access can be provided.
- def newright(name)
- name = name.intern if name.is_a? String
- shortname = Right.shortname(name)
- if self.include? name
- raise ArgumentError, "Right '%s' is already defined" % name
- else
- self[name] = Right.new(name, shortname)
- end
- end
-
- private
-
- # Retrieve a right by name.
- def right(name)
- name = name.intern if name.is_a? String
- self[name]
- end
-
- # A right.
- class Right < Puppet::Network::AuthStore
- attr_accessor :name, :shortname
-
- Puppet::Util.logmethods(self, true)
-
- def self.shortname(name)
- name.to_s[0..0]
- end
-
- def initialize(name, shortname = nil)
- @name = name
- @shortname = shortname
- unless @shortname
- @shortname = Right.shortname(name)
- end
- super()
- end
-
- def to_s
- "access[%s]" % @name
- end
-
- # There's no real check to do at this point
- def valid?
- true
- end
- end
-end
-
-# $Id$ |