Add environment support in the REST authorization layer

With the help of the new auth.conf directive 'environment',
any ACL can now be restricted to a specific environment.
Omission of the directive means that the ACL will apply
to all the defined environment.

Signed-off-by: Brice Figureau <brice-puppet@daysofwonder.com>

3 files changed, 23 insertions, 16 deletions

diff --git a/lib/puppet/network/authconfig.rb b/lib/puppet/network/authconfig.rb
index f78cdc621..3e0807ad1 100644
--- a/lib/puppet/network/authconfig.rb
+++ b/lib/puppet/network/authconfig.rb
@@ -112,7 +112,7 @@ module Puppet
                             end
                             name.chomp!
                             right = newrights.newright(name, count)
-                        when /^\s*(allow|deny|method)\s+(.+)$/
+                        when /^\s*(allow|deny|method|environment)\s+(.+)$/
                             parse_right_directive(right, $1, $2, count)
                         else
                             raise ConfigurationError, "Invalid line %s: %s" % [count, line]
@@ -150,7 +150,12 @@ module Puppet
                 unless right.acl_type == :regex
                     raise ConfigurationError, "'method' directive not allowed in namespace ACL at line %s of %s" % [count, @config]
                 end
-                modify_right(right, :restrict_method, value, "allowing method %s access", count)
+                modify_right(right, :restrict_method, value, "allowing 'method' %s", count)
+            when "environment"
+                unless right.acl_type == :regex
+                    raise ConfigurationError, "'environment' directive not allowed in namespace ACL at line %s of %s" % [count, @config]
+                end
+                modify_right(right, :restrict_environment, value, "adding environment %s", count)
             else
                 raise ConfigurationError,
                     "Invalid argument '%s' at line %s" % [var, count]
diff --git a/lib/puppet/network/rest_authconfig.rb b/lib/puppet/network/rest_authconfig.rb
index 58708e120..e3fd51753 100644
--- a/lib/puppet/network/rest_authconfig.rb
+++ b/lib/puppet/network/rest_authconfig.rb
@@ -25,7 +25,7 @@ module Puppet
         # check wether this request is allowed in our ACL
         def allowed?(request)
             read()
-            return @rights.allowed?(build_uri(request), request.node, request.ip, request.method)
+            return @rights.allowed?(build_uri(request), request.node, request.ip, request.method, request.environment)
         end
 
         def initialize(file = nil, parsenow = true)
diff --git a/lib/puppet/network/rights.rb b/lib/puppet/network/rights.rb
index 6b2082cdb..7f4bed7f6 100755
--- a/lib/puppet/network/rights.rb
+++ b/lib/puppet/network/rights.rb
@@ -8,7 +8,7 @@ class Puppet::Network::Rights
 
     # We basically just proxy directly to our rights.  Each Right stores
     # its own auth abilities.
-    [:allow, :deny].each do |method|
+    [:allow, :deny, :restrict_method, :restrict_environment].each do |method|
         define_method(method) do |name, *args|
             if obj = self[name]
                 obj.send(method, *args)
@@ -18,16 +18,6 @@ class Puppet::Network::Rights
         end
     end
 
-    # this method is used to add a new allowed +method+ to +name+
-    # method applies only to path rights
-    def restrict_method(name, *args)
-        if right = self[name]
-            right.restrict_method(*args)
-        else
-            raise ArgumentError, "'%s' right is not allowing method specification" % name
-        end
-    end
-
     def allowed?(name, *args)
         res = :nomatch
         right = @rights.find do |acl|
@@ -99,7 +89,7 @@ class Puppet::Network::Rights
     # A right.
     class Right < Puppet::Network::AuthStore
         attr_accessor :name, :key, :acl_type, :line
-        attr_accessor :methods, :length
+        attr_accessor :methods, :environment
 
         ALL = [:save, :destroy, :find, :search]
 
@@ -107,8 +97,10 @@ class Puppet::Network::Rights
 
         def initialize(name, line)
             @methods = []
+            @environment = []
             @name = name
             @line = line || 0
+
             case name
             when Symbol
                 @acl_type = :name
@@ -148,8 +140,9 @@ class Puppet::Network::Rights
         # if this right is too restrictive (ie we don't match this access method)
         # then return :dunno so that upper layers have a chance to try another right
         # tailored to the given method
-        def allowed?(name, ip, method = nil, match = nil)
+        def allowed?(name, ip, method = nil, environment = nil, match = nil)
             return :dunno if acl_type == :regex and not @methods.include?(method)
+            return :dunno if acl_type == :regex and @environment.size > 0 and not @environment.include?(environment)
 
             if acl_type == :regex and match # make sure any capture are replaced
                 interpolate(match)
@@ -183,6 +176,15 @@ class Puppet::Network::Rights
             @methods << m
         end
 
+        def restrict_environment(env)
+            env = Puppet::Node::Environment.new(env)
+            if @environment.include?(env)
+                raise ArgumentError, "'%s' is already in the '%s' ACL" % [env, name]
+            end
+
+            @environment << env
+        end
+
         def match?(key)
             # if we are a namespace compare directly
             return self.key == namespace_to_key(key) if acl_type == :name