Add environment support in the REST authorization layer

With the help of the new auth.conf directive 'environment',
any ACL can now be restricted to a specific environment.
Omission of the directive means that the ACL will apply
to all the defined environment.

Signed-off-by: Brice Figureau <brice-puppet@daysofwonder.com>

3 files changed, 53 insertions, 6 deletions

diff --git a/spec/unit/network/authconfig.rb b/spec/unit/network/authconfig.rb
index d891fe45a..186d30ce3 100755
--- a/spec/unit/network/authconfig.rb
+++ b/spec/unit/network/authconfig.rb
@@ -230,6 +230,29 @@ describe Puppet::Network::AuthConfig do
             lambda { @authconfig.read }.should raise_error
         end
 
+        it "should inform the current ACL if we get the 'environment' directive" do
+            acl = stub 'acl', :info
+            acl.stubs(:acl_type).returns(:regex)
+
+            @fd.stubs(:each).multiple_yields('path /certificates', 'environment production,development')
+            @rights.stubs(:newright).with("/certificates", 1).returns(acl)
+
+            acl.expects(:restrict_environment).with('production')
+            acl.expects(:restrict_environment).with('development')
+
+            @authconfig.read
+        end
+
+        it "should raise an error if the 'environment' directive is used in a right different than a path/regex one" do
+            acl = stub 'acl', :info
+            acl.stubs(:acl_type).returns(:regex)
+
+            @fd.stubs(:each).multiple_yields('[puppetca]', 'environment env')
+            @rights.stubs(:newright).with("puppetca", 1).returns(acl)
+
+            lambda { @authconfig.read }.should raise_error
+        end
+
     end
 
 end
diff --git a/spec/unit/network/rest_authconfig.rb b/spec/unit/network/rest_authconfig.rb
index 1f98f4082..ea5a82cce 100755
--- a/spec/unit/network/rest_authconfig.rb
+++ b/spec/unit/network/rest_authconfig.rb
@@ -16,7 +16,8 @@ describe Puppet::Network::RestAuthConfig do
         @acl = stub_everything 'rights'
         @authconfig.rights = @acl
 
-        @request = stub 'request', :indirection_name => "path", :key => "to/resource", :ip => "127.0.0.1", :node => "me", :method => :save
+        @request = stub 'request', :indirection_name => "path", :key => "to/resource", :ip => "127.0.0.1", 
+                                   :node => "me", :method => :save, :environment => :env
     end
 
     it "should use the puppet default rest authorization file" do
@@ -32,7 +33,7 @@ describe Puppet::Network::RestAuthConfig do
     end
 
     it "should ask for authorization to the ACL subsystem" do
-        @acl.expects(:allowed?).with("/path/to/resource", "me", "127.0.0.1", :save)
+        @acl.expects(:allowed?).with("/path/to/resource", "me", "127.0.0.1", :save, :env)
 
         @authconfig.allowed?(@request)
     end
diff --git a/spec/unit/network/rights.rb b/spec/unit/network/rights.rb
index 6e918124f..97094f8e5 100755
--- a/spec/unit/network/rights.rb
+++ b/spec/unit/network/rights.rb
@@ -9,7 +9,7 @@ describe Puppet::Network::Rights do
         @right = Puppet::Network::Rights.new
     end
 
-    [:allow, :deny].each do |m|
+    [:allow, :deny, :restrict_method, :restrict_environment].each do |m|
         it "should have a #{m} method" do
             @right.should respond_to(m)
         end
@@ -391,23 +391,46 @@ describe Puppet::Network::Rights do
             lambda { @acl.restrict_method(:save) }.should raise_error
         end
 
+        it "should allow setting an environment filters" do
+            Puppet::Node::Environment.stubs(:new).with(:environment).returns(:env)
+
+            @acl.restrict_environment(:environment)
+
+            @acl.environment.should == [:env]
+        end
+
         describe "when checking right authorization" do
-            it "should return :dunno if this right doesn't apply" do
+            it "should return :dunno if this right is not restricted to the given method" do
                 @acl.restrict_method(:destroy)
 
                 @acl.allowed?("me","127.0.0.1", :save).should == :dunno
             end
 
+            it "should return allow/deny if this right is restricted to the given method" do
+                @acl.restrict_method(:save)
+                @acl.allow("127.0.0.1")
+
+                @acl.allowed?("me","127.0.0.1", :save).should be_true
+            end
+
+            it "should return :dunno if this right is not restricted to the given environment" do
+                Puppet::Node::Environment.stubs(:new).returns(:production)
+
+                @acl.restrict_environment(:production)
+
+                @acl.allowed?("me","127.0.0.1", :save, :development).should == :dunno
+            end
+
             it "should interpolate allow/deny patterns with the given match" do
                 @acl.expects(:interpolate).with(:match)
 
-                @acl.allowed?("me","127.0.0.1", :save, :match)
+                @acl.allowed?("me","127.0.0.1", :save, nil, :match)
             end
 
             it "should reset interpolation after the match" do
                 @acl.expects(:reset_interpolation)
 
-                @acl.allowed?("me","127.0.0.1", :save, :match)
+                @acl.allowed?("me","127.0.0.1", :save, nil, :match)
             end
 
             # mocha doesn't allow testing super...