author | luke <luke@980ebf18-57e1-0310-9a29-db15c13687c0> | 2005-09-23 20:42:08 +0000 |
committer | luke <luke@980ebf18-57e1-0310-9a29-db15c13687c0> | 2005-09-23 20:42:08 +0000 |
commit | 8211df036e1d2d24e1084616fc3fc4891b06cfdd (patch) | |
tree | 597f8b999cf5210a7ceff5ef1e1977f1de08c241 /lib/puppet/server/servlet.rb | |
parent | d20ac8e0b564e5413d571f2059de559e0783b72d (diff) | |
Many, many changes toward a completely functional system. The only current problems with my home config are that apache's stupid init script does not do status and that packages are not working as non-root users (which makes sense).
git-svn-id: https://reductivelabs.com/svn/puppet/trunk@703 980ebf18-57e1-0310-9a29-db15c13687c0
Diffstat (limited to 'lib/puppet/server/servlet.rb')
-rw-r--r-- | lib/puppet/server/servlet.rb | 51 |
1 files changed, 41 insertions, 10 deletions
diff --git a/lib/puppet/server/servlet.rb b/lib/puppet/server/servlet.rb
index 2bc2dffc1..e35a1d518 100644
--- a/lib/puppet/server/servlet.rb
+++ b/lib/puppet/server/servlet.rb
@@ -14,23 +14,46 @@ class Server
 self.new(server, *options)
 end
+ def add_handler(interface, handler)
+ @loadedhandlers << interface.prefix
+ super
+ end
+
+ # Verify that our client has access. We allow untrusted access to
+ # puppetca methods but none others.
 def authorize(request, method)
+ namespace = method.sub(/\..+/, '')
+ client = request.peeraddr[2]
+ ip = request.peeraddr[3]
 if request.client_cert
 Puppet.info "Allowing %s(%s) trusted access to %s" %
- [request.peeraddr[2], request.peeraddr[3], method]
+ [client, ip, method]
 return true
 else
 if method =~ /^puppetca\./
 Puppet.notice "Allowing %s(%s) untrusted access to CA methods" %
- [request.peeraddr[2], request.peeraddr[3]]
+ [client, ip]
 else
 Puppet.err "Unauthenticated client %s(%s) cannot call %s" %
- [request.peeraddr[2], request.peeraddr[3], method]
+ [client, ip, method]
 return false
 end
 end
 end
+ def available?(method)
+ namespace = method.sub(/\..+/, '')
+ client = request.peeraddr[2]
+ ip = request.peeraddr[3]
+ if @loadedhandlers.include?(namespace)
+ return true
+ else
+ Puppet.warning "Client %s(%s) requested unavailable functionality %s" %
+ [client, ip, namespace]
+ return false
+ end
+ end
+
 def initialize(server, handlers)
 #Puppet.info server.inspect
@@ -41,6 +64,7 @@ class Server
 # and we can consume them all ourselves
 super()
+ @loadedhandlers = []
 handlers.each { |handler|
 Puppet.debug "adding handler for %s" % handler.class
 self.add_handler(handler.class.interface, handler)
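Review bot: `available?` reads `request.peeraddr` but its only parameter is `method`, so unless the servlet has a `request` reader (none is visible in this diff; `dispatch` works with the `@request` ivar) the new pre-check in the last hunk fails with NoMethodError instead of returning false. Passing the request explicitly, `def available?(method, request)` and `self.available?(methodname, @request)`, mirrors `authorize` and removes the dependence on hidden state. In `authorize` the new `namespace` local is computed but never read, while the CA exemption still uses `method =~ /^puppetca\./`, so the two methods derive the prefix differently; `namespace == 'puppetca'` would keep them consistent and also drops `^`, which in Ruby matches at any line start rather than only the start of the string (`\A` is the whole-string anchor).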
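Review bot: `@loadedhandlers = []` is assigned after `super()`, while the overridden `add_handler` in the first hunk appends to it unconditionally; if the XMLRPC base initializer registers any handler through `add_handler` (as far as I recall `XMLRPC::BasicServer` does so for its multicall and introspection helpers when those are enabled), `@loadedhandlers` is still nil at that point and `<<` raises. Initialising the array on the line before `super()`, `@loadedhandlers = []`, removes the ordering dependency. Those built-in handlers are registered by string prefix rather than an interface object, so `interface.prefix` in the override would also need to tolerate a plain string; that is inferred from the XMLRPC API, not from this diff.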
@@ -58,22 +82,22 @@ class Server
 begin
 obj.call(*args)
 rescue Puppet::Server::AuthorizationError => detail
- Puppet.warning obj.inspect
- Puppet.warning args.inspect
+ #Puppet.warning obj.inspect
+ #Puppet.warning args.inspect
 Puppet.err "Permission denied: %s" % detail.to_s
 raise XMLRPC::FaultException.new(
 1, detail.to_s
 )
 rescue Puppet::Error => detail
- Puppet.warning obj.inspect
- Puppet.warning args.inspect
- Puppet.err "Puppet error: %s" % detail.to_s
+ #Puppet.warning obj.inspect
+ #Puppet.warning args.inspect
+ Puppet.err detail.to_s
 raise XMLRPC::FaultException.new(
 1, detail.to_s
 )
 rescue => detail
- Puppet.warning obj.inspect
- Puppet.warning args.inspect
+ #Puppet.warning obj.inspect
+ #Puppet.warning args.inspect
 Puppet.err "Could not call: %s" % detail.to_s
 raise error
 end
@@ -118,6 +142,13 @@ class Server
 def dispatch(methodname, *args)
 if defined? @request and @request
+ unless self.available?(methodname)
+ raise XMLRPC::FaultException.new(
+ ERR_UNAUTHORIZED,
+ "Functionality %s not available" %
+ methodname.sub(/\..+/, '')
+ )
+ end
 unless self.authorize(@request, methodname)
 raise XMLRPC::FaultException.new(
 ERR_UNAUTHORIZED, |
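Review bot: The six `Puppet.warning obj.inspect` / `Puppet.warning args.inspect` lines are commented out rather than removed; version control already keeps their history, and deleting them leaves each rescue clause with only the statements that run. The final `rescue => detail` clause ends with `raise error`, a name bound nowhere in the hunk; unless `error` is assigned earlier in the enclosing method (which begins outside this hunk), that branch itself fails with NameError, and unlike the two clauses above it the caller gets no `XMLRPC::FaultException` — `raise XMLRPC::FaultException.new(1, detail.to_s)` would match them. Separately, each fault carries `detail.to_s` verbatim back to the client, and `authorize` admits unauthenticated clients to the CA namespace, so exception messages that embed internal paths or object dumps reach them; a generic fault text with the detailed message kept in the server log is the usual split.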