authorDominic Cleal <dcleal@redhat.com>2011-02-19 21:21:13 +0000
committerDominic Cleal <dcleal@redhat.com>2011-02-19 21:21:13 +0000
commitc87ec2598700c4e5236452a016f0497ec848cb90 (patch)
tree47a2435ef019bfcac2ec2aa388935173bc5c6b52 /lib/puppet/network
parent3eace859f20d9ac7366382826028af44c3ab62d6 (diff)
parentea348761df0b5297dbac50c7f1c48d22746524fa (diff)
Merge branch 'master' into tickets/master/4258-dev
Diffstat (limited to 'lib/puppet/network')
-rwxr-xr-xlib/puppet/network/handler/filebucket.rb4
-rwxr-xr-xlib/puppet/network/handler/fileserver.rb2
-rw-r--r--lib/puppet/network/handler/master.rb4
-rw-r--r--lib/puppet/network/http/api/v1.rb3
-rw-r--r--lib/puppet/network/http/handler.rb25
-rw-r--r--lib/puppet/network/http/webrick.rb2
-rw-r--r--lib/puppet/network/rest_authconfig.rb17
-rwxr-xr-xlib/puppet/network/rights.rb37
8 files changed, 56 insertions, 38 deletions
diff --git a/lib/puppet/network/handler/filebucket.rb b/lib/puppet/network/handler/filebucket.rb
index 6aaa2df1c..55028ee64 100755
--- a/lib/puppet/network/handler/filebucket.rb
+++ b/lib/puppet/network/handler/filebucket.rb
@@ -28,12 +28,12 @@ class Puppet::Network::Handler # :nodoc:
def addfile(contents, path, client = nil, clientip = nil)
contents = Base64.decode64(contents) if client
bucket = Puppet::FileBucket::File.new(contents)
- bucket.save
+ Puppet::FileBucket::File.indirection.save(bucket)
end
# Return the contents associated with a given md5 sum.
def getfile(md5, client = nil, clientip = nil)
- bucket = Puppet::FileBucket::File.find("md5:#{md5}")
+ bucket = Puppet::FileBucket::File.indirection.find("md5:#{md5}")
contents = bucket.contents
if client
diff --git a/lib/puppet/network/handler/fileserver.rb b/lib/puppet/network/handler/fileserver.rb
index 9abc7ee1a..5b4b17a32 100755
--- a/lib/puppet/network/handler/fileserver.rb
+++ b/lib/puppet/network/handler/fileserver.rb
@@ -236,7 +236,7 @@ class Puppet::Network::Handler
unless hostname = (client || Facter.value("hostname"))
raise ArgumentError, "Could not find hostname"
end
- env = (node = Puppet::Node.find(hostname)) ? node.environment : nil
+ env = (node = Puppet::Node.indirection.find(hostname)) ? node.environment : nil
# And use the environment to look up the module.
(mod = Puppet::Node::Environment.new(env).module(module_name) and mod.files?) ? @mounts[MODULES].copy(mod.name, mod.file_directory) : nil
diff --git a/lib/puppet/network/handler/master.rb b/lib/puppet/network/handler/master.rb
index c21aafafc..62aab539e 100644
--- a/lib/puppet/network/handler/master.rb
+++ b/lib/puppet/network/handler/master.rb
@@ -47,9 +47,9 @@ class Puppet::Network::Handler
client ||= facts["hostname"]
# Pass the facts to the fact handler
- Puppet::Node::Facts.new(client, facts).save unless local?
+ Puppet::Node::Facts.indirection.save(Puppet::Node::Facts.new(client, facts)) unless local?
- catalog = Puppet::Resource::Catalog.find(client)
+ catalog = Puppet::Resource::Catalog.indirection.find(client)
case format
when "yaml"
diff --git a/lib/puppet/network/http/api/v1.rb b/lib/puppet/network/http/api/v1.rb
index abbb2dfa9..4b7c15a36 100644
--- a/lib/puppet/network/http/api/v1.rb
+++ b/lib/puppet/network/http/api/v1.rb
@@ -13,6 +13,9 @@ module Puppet::Network::HTTP::API::V1
},
"DELETE" => {
:singular => :destroy
+ },
+ "HEAD" => {
+ :singular => :head
}
}
diff --git a/lib/puppet/network/http/handler.rb b/lib/puppet/network/http/handler.rb
index 82238aa0a..2b9e81b61 100644
--- a/lib/puppet/network/http/handler.rb
+++ b/lib/puppet/network/http/handler.rb
@@ -103,7 +103,7 @@ module Puppet::Network::HTTP::Handler
# Execute our find.
def do_find(indirection_name, key, params, request, response)
- unless result = model(indirection_name).find(key, params)
+ unless result = model(indirection_name).indirection.find(key, params)
Puppet.info("Could not find #{indirection_name} for '#{key}'")
return do_exception(response, "Could not find #{indirection_name} #{key}", 404)
end
@@ -114,13 +114,28 @@ module Puppet::Network::HTTP::Handler
format = format_to_use(request)
set_content_type(response, format)
- set_response(response, result.render(format))
+ if result.respond_to?(:render)
+ set_response(response, result.render(format))
+ else
+ set_response(response, result)
+ end
+ end
+
+ # Execute our head.
+ def do_head(indirection_request, request, response)
+ unless indirection_request.model.head(indirection_request.key, indirection_request.to_hash)
+ Puppet.info("Could not find #{indirection_request.indirection_name} for '#{indirection_request.key}'")
+ return do_exception(response, "Could not find #{indirection_request.indirection_name} #{indirection_request.key}", 404)
+ end
+
+ # No need to set a response because no response is expected from a
+ # HEAD request. All we need to do is not die.
end
# Execute our search.
def do_search(indirection_name, key, params, request, response)
model = self.model(indirection_name)
- result = model.search(key, params)
+ result = model.indirection.search(key, params)
if result.nil?
return do_exception(response, "Could not find instances in #{indirection_name} with '#{key}'", 404)
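Review bot: `do_head` is declared as `do_head(indirection_request, request, response)` and calls `indirection_request.model.head(...)`, while its siblings in this file (`do_find`, `do_search`, `do_destroy`) take `(indirection_name, key, params, request, response)` and, after this commit, go through `model(indirection_name).indirection`. The dispatcher is outside the hunk, but if it calls every `do_*` method with the same five arguments, a HEAD request would end in an arity error instead of the intended success or 404. `model.head` may also be gone if the class-level delegators were removed together with `find` and `save`. Aligning the method with its siblings, as below, keeps HEAD on the same code path as the other verbs; this assumes the indirection exposes `head`, which the page does not show.

```ruby
# Execute our head.
def do_head(indirection_name, key, params, request, response)
  unless model(indirection_name).indirection.head(key, params)
    Puppet.info("Could not find #{indirection_name} for '#{key}'")
    return do_exception(response, "Could not find #{indirection_name} #{key}", 404)
  end
  # … unchanged: comment explaining that a HEAD request needs no response body …
end
```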
@@ -134,7 +149,7 @@ module Puppet::Network::HTTP::Handler
# Execute our destroy.
def do_destroy(indirection_name, key, params, request, response)
- result = model(indirection_name).destroy(key, params)
+ result = model(indirection_name).indirection.destroy(key, params)
return_yaml_response(response, result)
end
@@ -146,7 +161,7 @@ module Puppet::Network::HTTP::Handler
format = request_format(request)
obj = model(indirection_name).convert_from(format, data)
- result = obj.save(key)
+ result = model(indirection_name).indirection.save(obj, key)
return_yaml_response(response, result)
end
diff --git a/lib/puppet/network/http/webrick.rb b/lib/puppet/network/http/webrick.rb
index 8ed0b28ca..54bcf30c2 100644
--- a/lib/puppet/network/http/webrick.rb
+++ b/lib/puppet/network/http/webrick.rb
@@ -105,7 +105,7 @@ class Puppet::Network::HTTP::WEBrick
results[:SSLStartImmediately] = true
results[:SSLEnable] = true
- raise Puppet::Error, "Could not find CA certificate" unless Puppet::SSL::Certificate.find(Puppet::SSL::CA_NAME)
+ raise Puppet::Error, "Could not find CA certificate" unless Puppet::SSL::Certificate.indirection.find(Puppet::SSL::CA_NAME)
results[:SSLCACertificateFile] = Puppet[:localcacert]
results[:SSLVerifyClient] = OpenSSL::SSL::VERIFY_PEER
diff --git a/lib/puppet/network/rest_authconfig.rb b/lib/puppet/network/rest_authconfig.rb
index b6a163316..9e3632499 100644
--- a/lib/puppet/network/rest_authconfig.rb
+++ b/lib/puppet/network/rest_authconfig.rb
@@ -17,7 +17,6 @@ module Puppet
{ :acl => "/certificate/", :method => :find, :authenticated => false },
{ :acl => "/certificate_request", :method => [:find, :save], :authenticated => false },
{ :acl => "/status", :method => [:find], :authenticated => true },
- { :acl => "/resource", :method => [:find, :save, :search], :authenticated => true },
]
def self.main
@@ -39,14 +38,10 @@ module Puppet
# fail_on_deny could as well be called in the XMLRPC context
# with a ClientRequest.
- @rights.fail_on_deny(
- build_uri(indirection, key),
- :node => params[:node],
- :ip => params[:ip],
- :method => method,
- :environment => params[:environment],
- :authenticated => params[:authenticated]
- )
+ if authorization_failure_exception = @rights.is_request_forbidden_and_why?(indirection, method, key, params)
+ Puppet.warning("Denying access: #{authorization_failure_exception}")
+ raise authorization_failure_exception
+ end
end
def initialize(file = nil, parsenow = true)
@@ -89,9 +84,5 @@ module Puppet
end
@rights.restrict_authenticated(acl[:acl], acl[:authenticated]) unless acl[:authenticated].nil?
end
-
- def build_uri(indirection_name, key)
- "/#{indirection_name}/#{key}"
- end
end
end
diff --git a/lib/puppet/network/rights.rb b/lib/puppet/network/rights.rb
index e3cd3179a..56af53983 100755
--- a/lib/puppet/network/rights.rb
+++ b/lib/puppet/network/rights.rb
@@ -26,19 +26,29 @@ class Rights
# Check that name is allowed or not
def allowed?(name, *args)
- begin
- fail_on_deny(name, :node => args[0], :ip => args[1])
- rescue AuthorizationError
- return false
- rescue ArgumentError
- # the namespace contract says we should raise this error
- # if we didn't find the right acl
- raise
+ !is_forbidden_and_why?(name, :node => args[0], :ip => args[1])
+ end
+
+ def is_request_forbidden_and_why?(indirection, method, key, params)
+ methods_to_check = if method == :head
+ # :head is ok if either :find or :save is ok.
+ [:find, :save]
+ else
+ [method]
+ end
+ authorization_failure_exceptions = methods_to_check.map do |method|
+ is_forbidden_and_why?("/#{indirection}/#{key}", params.merge({:method => method}))
+ end
+ if authorization_failure_exceptions.include? nil
+ # One of the methods we checked is ok, therefore this request is ok.
+ nil
+ else
+ # Just need to return any of the failure exceptions.
+ authorization_failure_exceptions.first
end
- true
end
- def fail_on_deny(name, args = {})
+ def is_forbidden_and_why?(name, args = {})
res = :nomatch
right = @rights.find do |acl|
found = false
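Review bot: In `is_request_forbidden_and_why?`, authorizing `:head` when only `:save` is permitted lets a client that may write but not read a path learn whether a key exists, since `do_head` answers 404 only when the key is missing. If that is intended, the comment should say why, e.g. `# :head only reveals existence; a client allowed to :save may learn that, so either right suffices.`; otherwise check `[:find]` alone. Separately, the block parameter in `methods_to_check.map do |method|` reuses the name of the `method` argument, and on Ruby 1.8 a block parameter with the name of an outer local assigns to it; `|method_to_check|` avoids the ambiguity. `is_forbidden_and_why?` continues past the end of this hunk.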
@@ -49,7 +59,7 @@ class Rights
args[:match] = match
if (res = acl.allowed?(args[:node], args[:ip], args)) != :dunno
# return early if we're allowed
- return if res
+ return nil if res
# we matched, select this acl
found = true
end
@@ -70,13 +80,12 @@ class Rights
error.file = right.file
error.line = right.line
end
- Puppet.warning("Denying access: #{error}")
else
# there were no rights allowing/denying name
# if name is not a path, let's throw
- error = ArgumentError.new "Unknown namespace right '#{name}'"
+ raise ArgumentError.new "Unknown namespace right '#{name}'"
end
- raise error
+ error
end
def initialize
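Review bot: With `Puppet.warning("Denying access: #{error}")` removed from this method, a denial is logged only by the caller in rest_authconfig.rb; `allowed?` earlier in this file now turns the returned error into `false` with no log line. Before this change every denial that went through `allowed?` produced a warning, so any caller that still uses it (the comment in rest_authconfig.rb mentions the XMLRPC context) loses its audit trail for refused requests. Logging in the caller makes sense for the two-method HEAD check, so the fix belongs in `allowed?`: `error = is_forbidden_and_why?(name, :node => args[0], :ip => args[1])`, then `Puppet.warning("Denying access: #{error}") if error`, then `!error`. The body of `is_forbidden_and_why?` starts outside this hunk.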