authorluke <luke@980ebf18-57e1-0310-9a29-db15c13687c0>2005-09-23 20:42:08 +0000
committerluke <luke@980ebf18-57e1-0310-9a29-db15c13687c0>2005-09-23 20:42:08 +0000
commit8211df036e1d2d24e1084616fc3fc4891b06cfdd (patch)
tree597f8b999cf5210a7ceff5ef1e1977f1de08c241 /lib/puppet/server
parentd20ac8e0b564e5413d571f2059de559e0783b72d (diff)
Many, many changes toward a completely functional system. The only current problems with my home config are that apache's stupid init script does not do status and that packages are not working as non-root users (which makes sense).
git-svn-id: https://reductivelabs.com/svn/puppet/trunk@703 980ebf18-57e1-0310-9a29-db15c13687c0
Diffstat (limited to 'lib/puppet/server')
-rwxr-xr-xlib/puppet/server/fileserver.rb73
-rw-r--r--lib/puppet/server/master.rb4
-rw-r--r--lib/puppet/server/servlet.rb51
3 files changed, 93 insertions, 35 deletions
diff --git a/lib/puppet/server/fileserver.rb b/lib/puppet/server/fileserver.rb
index 519d4aa0c..f792c7cd3 100755
--- a/lib/puppet/server/fileserver.rb
+++ b/lib/puppet/server/fileserver.rb
@@ -205,8 +205,7 @@ class Server
end
end
- @mounts.clear
-
+ newmounts = {}
begin
File.open(@config) { |f|
mount = nil
@@ -217,24 +216,24 @@ class Server
when /^\s*$/: next # skip blank lines
when /\[(\w+)\]/:
name = $1
- if mount
- unless mount.path
- raise Puppet::Error, "Mount %s has no path specified" %
- mount.name
- end
- end
- if @mounts.include?(name)
+ if newmounts.include?(name)
raise FileServerError, "%s is already mounted at %s" %
- [@mounts[name], name]
+ [newmounts[name], name]
end
mount = Mount.new(name)
- @mounts[name] = mount
- when /\s*(\w+)\s+(.+)$/:
+ newmounts[name] = mount
+ when /^\s*(\w+)\s+(.+)$/:
var = $1
value = $2
case var
when "path":
- mount.path = value
+ begin
+ mount.path = value
+ rescue FileServerError => detail
+ Puppet.err "Removing mount %s: %s" %
+ [mount.name, detail]
+ newmounts.delete(mount.name)
+ end
when "allow":
value.split(/\s*,\s*/).each { |val|
begin
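Review bot: When `mount.path = value` fails, the rescue removes the mount from `newmounts` but leaves the `mount` local pointing at the detached object, so any `allow`/`deny` lines that follow in the same section are applied to a mount that will never be installed, and a later `[name]` header for the same name now passes the duplicate check. The misconfiguration is reduced to a single log line while parsing continues; if keeping the other mounts in service is the intent, say so in a comment next to the rescue, and set `mount = nil` after `newmounts.delete(mount.name)` so further lines in the dead section do not silently succeed. Separately, a `key value` line that appears before any `[section]` still reaches `mount.path = value` with `mount` nil and fails with NoMethodError instead of a FileServerError naming the line; the new `^` anchor on the regex does not change that. The enclosing method begins outside this hunk.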
@@ -242,7 +241,7 @@ class Server
[val, mount.name]
mount.allow(val)
rescue AuthStoreError => detail
- raise Puppet::Error, "%s at line %s of %s" %
+ raise FileServerError, "%s at line %s of %s" %
[detail.to_s, count, @config]
end
}
@@ -253,27 +252,39 @@ class Server
[val, mount.name]
mount.deny(val)
rescue AuthStoreError => detail
- raise Puppet::Error, "%s at line %s of %s" %
+ raise FileServerError, "%s at line %s of %s" %
[detail.to_s, count, @config]
end
}
else
- raise Puppet::Error,
- "Invalid argument %s at line %s" % [var, count]
+ raise FileServerError,
+ "Invalid argument '%s' at line %s" % [var, count]
end
else
- raise Puppet::Error,
- "Invalid line %s: %s" % [count, line]
+ raise FileServerError, "Invalid line %s: %s" % [count, line]
end
count += 1
}
}
rescue Errno::EACCES => detail
- raise Puppet::Error, "Cannot read %s" % @config
+ Puppet.err "FileServer error: Cannot read %s; cannot serve" % @config
+ #raise Puppet::Error, "Cannot read %s" % @config
rescue Errno::ENOENT => detail
- raise Puppet::Error, "%s does not exit" % @config
+ Puppet.err "FileServer error: '%s' does not exit; cannot serve" %
+ @config
+ #raise Puppet::Error, "%s does not exit" % @config
+ #rescue FileServerError => detail
+ # Puppet.err "FileServer error: %s" % detail
end
+ # Verify each of the mounts are valid.
+ # We let the check raise an error, so that it can raise an error
+ # pointing to the specific problem.
+ newmounts.each { |name, mount|
+ mount.valid?
+ }
+ @mounts = newmounts
+
@configstamp = File.stat(@config).ctime
@configstatted = Time.now
end
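Review bot: `File.stat(@config).ctime` on the line after `@mounts = newmounts` still runs when the Errno::ENOENT rescue has just logged that the config is missing, so a missing config still terminates the method with an unhandled Errno::ENOENT, only from a less descriptive place; the EACCES case passes stat and leaves the server with an empty mount table, which at least fails closed. Adding `return` after each `Puppet.err` (or moving the stat inside the `begin` block) makes the logged "cannot serve" outcome the actual one. The new ENOENT message keeps the typo "does not exit" — `"FileServer error: '%s' does not exist; cannot serve"`. The `newmounts.each { |name, mount| mount.valid? }` loop relies on `valid?` raising rather than returning false, which the name does not suggest and which the comment above it should state. The enclosing method begins outside this hunk.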
@@ -283,7 +294,8 @@ class Server
mount, path = splitpath(file)
unless (@mounts.include?(mount))
- raise Puppet::Server::FileServerError, "%s not mounted" % mount
+ raise Puppet::Server::FileServerError,
+ "FileServer module '%s' not mounted" % mount
end
unless @mounts[mount].allowed?(client, clientip)
@@ -370,14 +382,15 @@ class Server
path = dir.sub(%r{/#{mount}/?}, '')
unless @mounts.include?(mount)
- raise FileServerError, "%s not mounted" % mount
+ raise FileServerError, "Fileserver module '%s' not mounted" % mount
end
unless @mounts[mount].path
- raise FileServerError, "Mount %s does not have a path set" % mount
+ raise FileServerError,
+ "Fileserver error: Mount '%s' does not have a path set" % mount
end
else
- raise FileServerError, "Invalid path '%s'" % dir
+ raise FileServerError, "Fileserver error: Invalid path '%s'" % dir
end
if path == ""
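Review bot: The rewritten `not mounted` message here spells the prefix `Fileserver module` while the equivalent raise in the earlier hunk of this file uses `FileServer module`; both reach clients for the same condition and should use one spelling, e.g. `raise FileServerError, "FileServer module '%s' not mounted" % mount`. The two other new messages in this hunk use a third prefix, `Fileserver error:`, which the messages in the earlier hunk do not carry. The enclosing method begins and ends outside this hunk.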
@@ -410,6 +423,8 @@ class Server
if path
self.path = path
+ else
+ @path = nil
end
super()
@@ -425,6 +440,14 @@ class Server
def to_s
@path
end
+
+ # Verify our configuration is valid. This should really check to
+ # make sure at least someone will be allowed, but, eh.
+ def valid?
+ unless @path
+ raise FileServerError, "No path specified"
+ end
+ end
end
end
end
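Review bot: `valid?` is named as a predicate but returns nil on success and raises FileServerError on failure, so `if mount.valid?` can never be true; either name it for what it does (`validate!`) or make it answer the question and let the caller raise. If the raising form is kept, `raise FileServerError, "No path specified" unless @path` followed by `true` at least yields a truthy result on the success path. The comment above it records that no allow-list check is made, so a mount with a path but no `allow` entries is accepted; whether such a mount denies every client by default is worth stating in that comment. The Mount class header is outside this hunk.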
diff --git a/lib/puppet/server/master.rb b/lib/puppet/server/master.rb
index 08706bea7..03ff7c6ac 100644
--- a/lib/puppet/server/master.rb
+++ b/lib/puppet/server/master.rb
@@ -70,6 +70,10 @@ class Server
end
end
+ unless client
+ client = facts["hostname"]
+ clientip = facts["ipaddress"]
+ end
Puppet.debug("Running interpreter")
begin
retobjects = @interpreter.run(client, facts)
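Review bot: The fallback `client = facts["hostname"]` lets a caller with no established identity choose its own, because `facts` is supplied by the client and nothing in view verifies the hostname or ipaddress against the connection or a certificate. Whatever `@interpreter.run(client, facts)` selects on the basis of `client` is then selected on client-controlled data; if this path is only reachable for callers the servlet has already admitted, that is not visible here and should be stated next to the fallback, e.g. `# client not identified by the transport; hostname/ipaddress below are unverified, client-supplied facts`. A `Puppet.warning` at the same point would make such requests visible in the logs. The enclosing method begins outside this hunk, and `clientip` is assigned without a use in view.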
diff --git a/lib/puppet/server/servlet.rb b/lib/puppet/server/servlet.rb
index 2bc2dffc1..e35a1d518 100644
--- a/lib/puppet/server/servlet.rb
+++ b/lib/puppet/server/servlet.rb
@@ -14,23 +14,46 @@ class Server
self.new(server, *options)
end
+ def add_handler(interface, handler)
+ @loadedhandlers << interface.prefix
+ super
+ end
+
+ # Verify that our client has access. We allow untrusted access to
+ # puppetca methods but none others.
def authorize(request, method)
+ namespace = method.sub(/\..+/, '')
+ client = request.peeraddr[2]
+ ip = request.peeraddr[3]
if request.client_cert
Puppet.info "Allowing %s(%s) trusted access to %s" %
- [request.peeraddr[2], request.peeraddr[3], method]
+ [client, ip, method]
return true
else
if method =~ /^puppetca\./
Puppet.notice "Allowing %s(%s) untrusted access to CA methods" %
- [request.peeraddr[2], request.peeraddr[3]]
+ [client, ip]
else
Puppet.err "Unauthenticated client %s(%s) cannot call %s" %
- [request.peeraddr[2], request.peeraddr[3], method]
+ [client, ip, method]
return false
end
end
end
+ def available?(method)
+ namespace = method.sub(/\..+/, '')
+ client = request.peeraddr[2]
+ ip = request.peeraddr[3]
+ if @loadedhandlers.include?(namespace)
+ return true
+ else
+ Puppet.warning "Client %s(%s) requested unavailable functionality %s" %
+ [client, ip, namespace]
+ return false
+ end
+ end
+
def initialize(server, handlers)
#Puppet.info server.inspect
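Review bot: `available?` reads `request.peeraddr` but, unlike `authorize`, takes no `request` argument, so unless a `request` method is defined on the class outside this hunk every call that reaches it fails with NameError before the namespace check runs. `dispatch` (later hunk) only calls it after checking `@request`, so `client = @request.peeraddr[2]` and `ip = @request.peeraddr[3]` would work, or better, pass the request explicitly as `authorize` does. The `namespace` local added to `authorize` is assigned and never used. The `/^puppetca\./` test anchors at line start rather than string start; `\A` is the safer anchor for a client-supplied value, even if an XML-RPC method name with an embedded newline is unlikely.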
@@ -41,6 +64,7 @@ class Server
# and we can consume them all ourselves
super()
+ @loadedhandlers = []
handlers.each { |handler|
Puppet.debug "adding handler for %s" % handler.class
self.add_handler(handler.class.interface, handler)
@@ -58,22 +82,22 @@ class Server
begin
obj.call(*args)
rescue Puppet::Server::AuthorizationError => detail
- Puppet.warning obj.inspect
- Puppet.warning args.inspect
+ #Puppet.warning obj.inspect
+ #Puppet.warning args.inspect
Puppet.err "Permission denied: %s" % detail.to_s
raise XMLRPC::FaultException.new(
1, detail.to_s
)
rescue Puppet::Error => detail
- Puppet.warning obj.inspect
- Puppet.warning args.inspect
- Puppet.err "Puppet error: %s" % detail.to_s
+ #Puppet.warning obj.inspect
+ #Puppet.warning args.inspect
+ Puppet.err detail.to_s
raise XMLRPC::FaultException.new(
1, detail.to_s
)
rescue => detail
- Puppet.warning obj.inspect
- Puppet.warning args.inspect
+ #Puppet.warning obj.inspect
+ #Puppet.warning args.inspect
Puppet.err "Could not call: %s" % detail.to_s
raise error
end
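Review bot: The catch-all `rescue => detail` branch still ends in `raise error`, and no `error` is defined in view, so a generic failure inside `obj.call` surfaces as a NameError rather than a fault the client can read; the two branches above already wrap their message, and `raise XMLRPC::FaultException.new(1, "Could not call: %s" % detail.to_s)` would be consistent with them. Commenting out the six `Puppet.warning obj.inspect`/`args.inspect` lines rather than deleting them leaves dead code in three rescue clauses; dropping them is reasonable, since `obj.inspect` may write handler internals into the log. The enclosing method begins outside this hunk.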
@@ -118,6 +142,13 @@ class Server
def dispatch(methodname, *args)
if defined? @request and @request
+ unless self.available?(methodname)
+ raise XMLRPC::FaultException.new(
+ ERR_UNAUTHORIZED,
+ "Functionality %s not available" %
+ methodname.sub(/\..+/, '')
+ )
+ end
unless self.authorize(@request, methodname)
raise XMLRPC::FaultException.new(
ERR_UNAUTHORIZED,