| author | Matt Robinson <matt@puppetlabs.com> | 2011-01-19 17:36:23 -0800 |
|---|---|---|
| committer | Matt Robinson <matt@puppetlabs.com> | 2011-01-19 17:36:23 -0800 |
| commit | 6d9cae2e9ca6a56506f679db02ba9abb30a4df91 (patch) | |
| tree | 854c260815825a8d5368296aecf7bc86f8ea8ff9 /lib/puppet/network | |
| parent | 27abd84611564ac573c5fde8abb6b98e6bd3d9b7 (diff) | |
| parent | 517c6794606e9adde7f2912d3b949cfcc18a446a (diff) | |
Merge branch '2.6.x' into next
* 2.6.x: (21 commits)
(#5900) Include ResourceStatus#failed in serialized reports
(#5882) Added error-handling for bucketing files in puppet inspect
(#5882) Added error-handling to puppet inspect when auditing
(#5171) Made "puppet inspect" upload audited files to a file bucket
Prep for #5171: Added a missing require to inspect application.
Locked Puppet license to GPLv2
(#5838) Support paths as part of file bucket requests.
(#5838) Improve the quality of file bucket specs.
(#5838) Make file bucket dipper efficient when saving a file that already exists
(#5838) Implemented the "head" method for FileBucketFile::File terminus.
(#5838) Reworked file dipper spec to perform less stubbing.
(#5838) Added support for HEAD requests to the indirector.
(#5838) Refactored error handling logic into find_in_cache.
(#5838) Refactored Puppet::Network::Rights#fail_on_deny
maint: Remove unused Rakefile in spec directory
(#5171) Made filebucket able to perform diffs
(#5710) Removed unnecessary calls to insync?
Prep for fixing #5710: Refactor stub provider in resource harness spec
Maint: test partial resource failure
maint: Inspect reports should have audited = true on events
...
Manually Resolved Conflicts:
lib/puppet/file_bucket/dipper.rb
lib/puppet/indirector.rb
lib/puppet/network/rest_authconfig.rb
spec/unit/file_bucket/dipper_spec.rb
spec/unit/file_bucket/file_spec.rb
spec/unit/indirector_spec.rb
Diffstat (limited to 'lib/puppet/network')
| -rw-r--r-- | lib/puppet/network/http/api/v1.rb | 3 | ||||
| -rw-r--r-- | lib/puppet/network/http/handler.rb | 17 | ||||
| -rw-r--r-- | lib/puppet/network/rest_authconfig.rb | 16 | ||||
| -rwxr-xr-x | lib/puppet/network/rights.rb | 37 |
4 files changed, 46 insertions, 27 deletions
diff --git a/lib/puppet/network/http/api/v1.rb b/lib/puppet/network/http/api/v1.rb index abbb2dfa9..4b7c15a36 100644 --- a/lib/puppet/network/http/api/v1.rb +++ b/lib/puppet/network/http/api/v1.rb @@ -13,6 +13,9 @@ module Puppet::Network::HTTP::API::V1 }, "DELETE" => { :singular => :destroy + }, + "HEAD" => { + :singular => :head } } diff --git a/lib/puppet/network/http/handler.rb b/lib/puppet/network/http/handler.rb index 916f02c8d..2b9e81b61 100644 --- a/lib/puppet/network/http/handler.rb +++ b/lib/puppet/network/http/handler.rb @@ -114,7 +114,22 @@ module Puppet::Network::HTTP::Handler format = format_to_use(request) set_content_type(response, format) - set_response(response, result.render(format)) + if result.respond_to?(:render) + set_response(response, result.render(format)) + else + set_response(response, result) + end + end + + # Execute our head. + def do_head(indirection_request, request, response) + unless indirection_request.model.head(indirection_request.key, indirection_request.to_hash) + Puppet.info("Could not find #{indirection_request.indirection_name} for '#{indirection_request.key}'") + return do_exception(response, "Could not find #{indirection_request.indirection_name} #{indirection_request.key}", 404) + end + + # No need to set a response because no response is expected from a + # HEAD request. All we need to do is not die. end # Execute our search. diff --git a/lib/puppet/network/rest_authconfig.rb b/lib/puppet/network/rest_authconfig.rb index 850f9211c..9e3632499 100644 --- a/lib/puppet/network/rest_authconfig.rb +++ b/lib/puppet/network/rest_authconfig.rb 
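Review bot: In the handler.rb hunk, `set_content_type(response, format)` still runs before the new branch, so a `result` that does not respond to `render` is written verbatim under a content type picked for a rendered document; the enclosing method starts outside the hunk, so either the `else` branch should set its own content type or a comment should state what kind of `result` is expected to reach it (the `do_head` comment suggests a bare truthy/nil value, but that is not visible here). `do_head` never touches `response` on the success path, so the status a client receives depends on the wrapper's default, which a method comment should make explicit, e.g. `# HEAD: answers 404 when the model reports the key absent; otherwise the response is left at the framework default, since a HEAD reply carries no body.` The `request` parameter of `do_head` is unused in its body and could be named `_request`. The v1.rb hunk only adds the `"HEAD" => { :singular => :head }` route and needs no change on its own.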
@@ -38,14 +38,10 @@ module Puppet # fail_on_deny could as well be called in the XMLRPC context # with a ClientRequest. - @rights.fail_on_deny( - build_uri(indirection, key), - :node => params[:node], - :ip => params[:ip], - :method => method, - :environment => params[:environment], - :authenticated => params[:authenticated] - ) + if authorization_failure_exception = @rights.is_request_forbidden_and_why?(indirection, method, key, params) + Puppet.warning("Denying access: #{authorization_failure_exception}") + raise authorization_failure_exception + end end def initialize(file = nil, parsenow = true) @@ -88,9 +84,5 @@ module Puppet end @rights.restrict_authenticated(acl[:acl], acl[:authenticated]) unless acl[:authenticated].nil? end - - def build_uri(indirection_name, key) - "/#{indirection_name}/#{key}" - end end end diff --git a/lib/puppet/network/rights.rb b/lib/puppet/network/rights.rb index e3cd3179a..56af53983 100755 --- a/lib/puppet/network/rights.rb +++ b/lib/puppet/network/rights.rb 
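Review bot: The new call in the first hunk hands the caller's entire `params` hash to `@rights.is_request_forbidden_and_why?`, whereas the removed `fail_on_deny` call passed exactly `:node`, `:ip`, `:method`, `:environment` and `:authenticated`; that explicit list acted as an allowlist, and now any other key the request carries reaches the ACL matcher. Whether the ACL layer reads further keys is not visible here, so either restore the narrowing, `@rights.is_request_forbidden_and_why?(indirection, method, key, :node => params[:node], :ip => params[:ip], :environment => params[:environment], :authenticated => params[:authenticated])`, or add a comment saying why forwarding everything is intended. The enclosing method starts outside the hunk. The `if authorization_failure_exception = ...` condition reads like a mistyped comparison; parenthesize the assignment, `if (authorization_failure_exception = ...)`, so the intent is unambiguous. The second hunk is a pure removal of `build_uri` and needs nothing.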
@@ -26,19 +26,29 @@ class Rights # Check that name is allowed or not def allowed?(name, *args) - begin - fail_on_deny(name, :node => args[0], :ip => args[1]) - rescue AuthorizationError - return false - rescue ArgumentError - # the namespace contract says we should raise this error - # if we didn't find the right acl - raise + !is_forbidden_and_why?(name, :node => args[0], :ip => args[1]) + end + + def is_request_forbidden_and_why?(indirection, method, key, params) + methods_to_check = if method == :head + # :head is ok if either :find or :save is ok. + [:find, :save] + else + [method] + end + authorization_failure_exceptions = methods_to_check.map do |method| + is_forbidden_and_why?("/#{indirection}/#{key}", params.merge({:method => method})) + end + if authorization_failure_exceptions.include? nil + # One of the methods we checked is ok, therefore this request is ok. + nil + else + # Just need to return any of the failure exceptions. + authorization_failure_exceptions.first end - true end - def fail_on_deny(name, args = {}) + def is_forbidden_and_why?(name, args = {}) res = :nomatch right = @rights.find do |acl| found = false @@ -49,7 +59,7 @@ class Rights args[:match] = match if (res = acl.allowed?(args[:node], args[:ip], args)) != :dunno # return early if we're allowed - return if res + return nil if res # we matched, select this acl found = true end @@ -70,13 +80,12 @@ class Rights error.file = right.file error.line = right.line end - Puppet.warning("Denying access: #{error}") else # there were no rights allowing/denying name # if name is not a path, let's throw - error = ArgumentError.new "Unknown namespace right '#{name}'" + raise ArgumentError.new "Unknown namespace right '#{name}'" end - raise error + error end def initialize |
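Review bot: Dropping `Puppet.warning("Denying access: #{error}")` from the method now called `is_forbidden_and_why?` (third hunk) moves denial logging to the caller in rest_authconfig.rb only, so `allowed?` in the first hunk, which now just negates the result, no longer leaves any record when a name is denied; if `allowed?` has other callers they lose that audit line, and keeping it in `allowed?` would preserve it: `failure = is_forbidden_and_why?(name, :node => args[0], :ip => args[1])`, `Puppet.warning("Denying access: #{failure}") if failure`, `!failure`. In `is_request_forbidden_and_why?`, HEAD is granted when either `:find` or `:save` is permitted, so a caller holding only a save right can now learn whether a key exists; that is a deliberate widening and deserves a fuller comment than the one-liner, e.g. `# HEAD is authorized when the caller could find OR save the key, so a save-only caller can probe for existence.` The block parameter `|method|` in the `map` shadows the `method` argument, and on Ruby 1.8, where block parameters are not block-local, it overwrites it as well; rename it to `|m|`. Both new names end in `?` yet return an exception object or nil rather than a boolean, which is worth noting in a comment since readers will assume a predicate. The `initialize` line at the end of the last hunk belongs to a method that continues outside the hunk.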
