authorBrice Figureau <brice-puppet@daysofwonder.com>2009-04-21 23:53:48 +0200
committerBrice Figureau <brice-puppet@daysofwonder.com>2009-04-23 20:52:03 +0200
commitdc1cd6fb6b143b6525953e619a716f04e678727c (patch)
treeab38c7fac99ba1cddab062176142ba071caea831 /spec/unit/network/http/handler.rb
parent85233768f080b4cbc4e20eb0c354b6d859a2fb23 (diff)
Fix #1875 - Add a REST authorization system
This patch introduces a new configuration file (and a configuration setting to set it). Each REST request is checked against this configuration file, and is either allowed or denied. The configuration file has the following format: path /uripath method <methods> allow <ip> or <name> deny <ip> or <name> or path ~ <regex> method <methods> allow <ip> or <name> deny <ip> or <name> where regex is a ruby regex. This last syntax allows deny/allow interpolation from the regex captures: path ~ /files[^/]+/files/([^/]+)/([^/])/ method find allow $2.$1 If you arrange your files/ directory to have files in 'domain.com/host/', then only the referenced host will be able to access its files; other hosts will be denied. For instance: files/reductivelabs.com/dns/... files/reductivelabs.com/www/... then only files in dns can be accessed by dns.reductivelabs.com and so on... If the auth.conf file doesn't exist, puppet uses sane defaults that allow clients to check in and ask for their configurations... Signed-off-by: Brice Figureau <brice-puppet@daysofwonder.com>
Diffstat (limited to 'spec/unit/network/http/handler.rb')
-rwxr-xr-xspec/unit/network/http/handler.rb33
1 files changed, 33 insertions, 0 deletions
diff --git a/spec/unit/network/http/handler.rb b/spec/unit/network/http/handler.rb
index 84b87025f..7b7ef4722 100755
--- a/spec/unit/network/http/handler.rb
+++ b/spec/unit/network/http/handler.rb
@@ -2,6 +2,7 @@
require File.dirname(__FILE__) + '/../../../spec_helper'
require 'puppet/network/http/handler'
+require 'puppet/network/rest_authorization'
class HttpHandled
include Puppet::Network::HTTP::Handler
@@ -16,6 +17,10 @@ describe Puppet::Network::HTTP::Handler do
Puppet::Network::HTTP::Handler.ancestors.should be_include(Puppet::Network::HTTP::API::V1)
end
+ it "should include the Rest Authorization system" do
+ Puppet::Network::HTTP::Handler.ancestors.should be_include(Puppet::Network::RestAuthorization)
+ end
+
it "should have a method for initializing" do
@handler.should respond_to(:initialize_for_puppet)
end
@@ -44,6 +49,8 @@ describe Puppet::Network::HTTP::Handler do
@result = stub 'result', :render => "mytext"
+ @handler.stubs(:authorized?).returns(true)
+
stub_server_interface
end
@@ -82,6 +89,32 @@ describe Puppet::Network::HTTP::Handler do
@handler.process(@request, @response)
end
+ it "should delegate authorization to the RestAuthorization layer" do
+ request = stub 'request'
+ @handler.expects(:uri2indirection).returns request
+
+ request.expects(:method).returns "mymethod"
+
+ @handler.expects(:do_mymethod).with(request, @request, @response)
+
+ @handler.expects(:authorized?).with(request).returns(true)
+
+ @handler.process(@request, @response)
+ end
+
+ it "should return 403 if the request is not authorized" do
+ request = stub 'request'
+ @handler.expects(:uri2indirection).returns request
+
+ @handler.expects(:do_mymethod).never
+
+ @handler.expects(:authorized?).with(request).returns(false)
+
+ @handler.expects(:set_response)#.with { |response, body, status| status == 403 }
+
+ @handler.process(@request, @response)
+ end
+
it "should serialize a controller exception when an exception is thrown while finding the model instance" do
@handler.expects(:uri2indirection).returns stub("request", :method => :find)
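Review bot: The example "should return 403 if the request is not authorized" never checks the status code, because the argument matcher on `set_response` is commented out, so it passes for whatever status the handler sends on a denied request. Restore the constraint, `@handler.expects(:set_response).with { |response, body, status| status == 403 }`, so that a regression in the deny path fails the suite. This matters more because the earlier hunk stubs `authorized?` to return true in what appears to be shared setup, which leaves this one example as the only coverage of the deny path among the lines shown. The delegation example does not pin that `authorized?` is consulted before `do_mymethod` runs; the `.never` expectation in the deny example is what covers that ordering, so that example should stay strict.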