| author | Brice Figureau <brice-puppet@daysofwonder.com> | 2009-03-31 20:29:37 +0200 |
|---|---|---|
| committer | Brice Figureau <brice-puppet@daysofwonder.com> | 2009-04-23 20:52:02 +0200 |
| commit | 85233768f080b4cbc4e20eb0c354b6d859a2fb23 (patch) | |
| tree | 19d32e670fe84cfb53f31adfd63953dd3a04fd5c /spec/unit/network/authconfig.rb | |
| parent | 22b82abcd27834e43426f2758fba5728c146be61 (diff) | |
| download | puppet-85233768f080b4cbc4e20eb0c354b6d859a2fb23.tar.gz puppet-85233768f080b4cbc4e20eb0c354b6d859a2fb23.tar.xz puppet-85233768f080b4cbc4e20eb0c354b6d859a2fb23.zip | |
Enhance authconfig format to support uri paths and regex
This patch introduces a new set of directives to the authconfig
parser/file format:
path /uripath or path ~ <regex>
This directive declares a new kind of ACL based on the uri path.
method save, find
This directive, which is to be used under a path directive, restricts a
path ACL to only some REST verbs.
The ACL path system matches on path prefix possible, or
on regex matches (first match wins).
If no path matches, then the authorization is not allowed.
The same applies if no ACL matches for the given REST verb.
The old namespace right matching still works as usual.
Signed-off-by: Brice Figureau <brice-puppet@daysofwonder.com>
Diffstat (limited to 'spec/unit/network/authconfig.rb')
| -rwxr-xr-x | spec/unit/network/authconfig.rb | 82 |
1 files changed, 72 insertions, 10 deletions
diff --git a/spec/unit/network/authconfig.rb b/spec/unit/network/authconfig.rb
index 9d5f6154d..d891fe45a 100755
--- a/spec/unit/network/authconfig.rb
+++ b/spec/unit/network/authconfig.rb
@@ -28,7 +28,7 @@ describe Puppet::Network::AuthConfig do
 Puppet::Network::AuthConfig.new
 end
- it "should raise an error if no file is defined in fine" do
+ it "should raise an error if no file is defined finally" do
 Puppet.stubs(:[]).with(:authconfig).returns(nil)
 lambda { Puppet::Network::AuthConfig.new }.should raise_error(Puppet::DevError)
@@ -111,6 +111,14 @@ describe Puppet::Network::AuthConfig do
 @authconfig.read
 end
+ it "should increment line number even on commented lines" do
+ @fd.stubs(:each).multiple_yields(' # comment','[puppetca]')
+
+ @rights.expects(:newright).with('[puppetca]', 2)
+
+ @authconfig.read
+ end
+
 it "should skip blank lines" do
 @fd.stubs(:each).yields(' ')
@@ -119,7 +127,15 @@ describe Puppet::Network::AuthConfig do
 @authconfig.read
 end
- it "should throw an error if read rights already exist" do
+ it "should increment line number even on blank lines" do
+ @fd.stubs(:each).multiple_yields(' ','[puppetca]')
+
+ @rights.expects(:newright).with('[puppetca]', 2)
+
+ @authconfig.read
+ end
+
+ it "should throw an error if the current namespace right already exist" do
 @fd.stubs(:each).yields('[puppetca]')
 @rights.stubs(:include?).with("puppetca").returns(true)
@@ -127,10 +143,19 @@ describe Puppet::Network::AuthConfig do
 lambda { @authconfig.read }.should raise_error
 end
+ it "should not throw an error if the current path right already exist" do
+ @fd.stubs(:each).yields('path /hello')
+
+ @rights.stubs(:newright).with("/hello",1)
+ @rights.stubs(:include?).with("/hello").returns(true)
+
+ lambda { @authconfig.read }.should_not raise_error
+ end
+
 it "should create a new right for found namespaces" do
 @fd.stubs(:each).yields('[puppetca]')
- @rights.expects(:newright).with("puppetca")
+ @rights.expects(:newright).with("[puppetca]", 1)
 @authconfig.read
 end
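Review bot: The new "current path right already exist" spec in the `-127,10` hunk sets up `newright` with `stubs` rather than `expects`, so it would still pass if the parser silently dropped the repeated `path /hello` stanza instead of registering it. The commit message describes matching as first-match-wins, so whether a duplicate path is registered, merged or ignored presumably decides which allow/deny lines take effect. Pin that with `@rights.expects(:newright).with("/hello", 1)`. A one-line comment explaining why duplicate paths are tolerated while duplicate namespaces raise would also help whoever next edits the ACL parser.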
@@ -138,8 +163,24 @@ describe Puppet::Network::AuthConfig do
 it "should create a new right for each found namespace line" do
 @fd.stubs(:each).multiple_yields('[puppetca]', '[fileserver]')
- @rights.expects(:newright).with("puppetca")
- @rights.expects(:newright).with("fileserver")
+ @rights.expects(:newright).with("[puppetca]", 1)
+ @rights.expects(:newright).with("[fileserver]", 2)
+
+ @authconfig.read
+ end
+
+ it "should create a new right for each found path line" do
+ @fd.stubs(:each).multiple_yields('path /certificates')
+
+ @rights.expects(:newright).with("/certificates", 1)
+
+ @authconfig.read
+ end
+
+ it "should create a new right for each found regex line" do
+ @fd.stubs(:each).multiple_yields('path ~ .rb$')
+
+ @rights.expects(:newright).with("~ .rb$", 1)
 @authconfig.read
 end
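Review bot: The two new specs are titled "each found path line" and "each found regex line" but each yields a single line through `multiple_yields`. Unlike the namespace spec above them, they never check that a second stanza receives line number 2, or that a prefix path and a regex path in the same file are both registered in order. Yielding `'path /certificates', 'path ~ .rb$'` together and expecting `newright` with `("/certificates", 1)` and `("~ .rb$", 2)` would cover that. The fixture pattern `.rb$` is also a loose model for an ACL: if the string is compiled as a Ruby regex unchanged, the dot matches any character and `$` matches before a line break, so `\.rb\z` would be a safer example to leave in the suite.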
@@ -148,26 +189,47 @@ describe Puppet::Network::AuthConfig do
 acl = stub 'acl', :info
 @fd.stubs(:each).multiple_yields('[puppetca]', 'allow 127.0.0.1')
- @rights.stubs(:newright).with("puppetca")
- @rights.stubs(:[]).returns(acl)
+ @rights.stubs(:newright).with("[puppetca]", 1).returns(acl)
 acl.expects(:allow).with('127.0.0.1')
 @authconfig.read
 end
- it "should create a deny ACE on each subsequent allow" do
+ it "should create a deny ACE on each subsequent deny" do
 acl = stub 'acl', :info
 @fd.stubs(:each).multiple_yields('[puppetca]', 'deny 127.0.0.1')
- @rights.stubs(:newright).with("puppetca")
- @rights.stubs(:[]).returns(acl)
+ @rights.stubs(:newright).with("[puppetca]", 1).returns(acl)
 acl.expects(:deny).with('127.0.0.1')
 @authconfig.read
 end
+ it "should inform the current ACL if we get the 'method' directive" do
+ acl = stub 'acl', :info
+ acl.stubs(:acl_type).returns(:regex)
+
+ @fd.stubs(:each).multiple_yields('path /certificates', 'method search,find')
+ @rights.stubs(:newright).with("/certificates", 1).returns(acl)
+
+ acl.expects(:restrict_method).with('search')
+ acl.expects(:restrict_method).with('find')
+
+ @authconfig.read
+ end
+
+ it "should raise an error if the 'method' directive is used in a right different than a path/regex one" do
+ acl = stub 'acl', :info
+ acl.stubs(:acl_type).returns(:regex)
+
+ @fd.stubs(:each).multiple_yields('[puppetca]', 'method search,find')
+ @rights.stubs(:newright).with("puppetca", 1).returns(acl)
+
+ lambda { @authconfig.read }.should raise_error
+ end
+
 end
 end |
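Review bot: The last spec, for `method` under a namespace right, can pass without the parser ever rejecting the directive. It stubs `newright` with `("puppetca", 1)` while every other spec in this commit shows the call as `("[puppetca]", 1)`, and it ends in a bare `should raise_error`. If `@rights` is a mock (its setup is outside the hunk), the unmatched call may itself raise and satisfy the assertion. The ACL is also stubbed with `acl_type` `:regex`, which is presumably the type for which `method` is allowed. Stub `newright` with `("[puppetca]", 1)`, return a non-path `acl_type`, and pass the parser's specific error class to `raise_error`, so that the rejection of a misplaced `method` line is what the spec tests.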
