diff options
Diffstat (limited to 'lib/puppet/network')
-rw-r--r-- | lib/puppet/network/authconfig.rb | 7 | ||||
-rwxr-xr-x | lib/puppet/network/rights.rb | 30 |
2 files changed, 30 insertions, 7 deletions
diff --git a/lib/puppet/network/authconfig.rb b/lib/puppet/network/authconfig.rb index 3e40c9d7c..41f8f1c3e 100644 --- a/lib/puppet/network/authconfig.rb +++ b/lib/puppet/network/authconfig.rb @@ -111,7 +111,7 @@ module Puppet end name.chomp! right = newrights.newright(name, count, @file) - when /^\s*(allow|deny|method|environment)\s+(.+)$/ + when /^\s*(allow|deny|method|environment|auth(?:enticated)?)\s+(.+)$/ parse_right_directive(right, $1, $2, count) else raise ConfigurationError, "Invalid line %s: %s" % [count, line] @@ -155,6 +155,11 @@ module Puppet raise ConfigurationError, "'environment' directive not allowed in namespace ACL at line %s of %s" % [count, @config] end modify_right(right, :restrict_environment, value, "adding environment %s", count) + when /auth(?:enticated)?/ + unless right.acl_type == :regex + raise ConfigurationError, "'authenticated' directive not allowed in namespace ACL at line %s of %s" % [count, @config] + end + modify_right(right, :restrict_authenticated, value, "adding authentication %s", count) else raise ConfigurationError, "Invalid argument '%s' at line %s" % [var, count] diff --git a/lib/puppet/network/rights.rb b/lib/puppet/network/rights.rb index c98b84e8d..14b171081 100755 --- a/lib/puppet/network/rights.rb +++ b/lib/puppet/network/rights.rb @@ -14,7 +14,7 @@ class Rights # We basically just proxy directly to our rights. Each Right stores # its own auth abilities. - [:allow, :deny, :restrict_method, :restrict_environment].each do |method| + [:allow, :deny, :restrict_method, :restrict_environment, :restrict_authenticated].each do |method| define_method(method) do |name, *args| if obj = self[name] obj.send(method, *args) @@ -27,7 +27,7 @@ class Rights # Check that name is allowed or not def allowed?(name, *args) begin - fail_on_deny(name, *args) + fail_on_deny(name, :node => args[0], :ip => args[1]) rescue AuthorizationError return false rescue ArgumentError @@ -59,10 +59,12 @@ class Rights # if we end here, then that means we either didn't match # or failed, in any case will throw an error to the outside world - if name =~ /^\// + if name =~ /^\// or right # we're a patch ACL, let's fail msg = "%s access to %s [%s]" % [ (args[:node].nil? ? args[:ip] : "#{args[:node]}(#{args[:ip]})"), name, args[:method] ] + msg += " authenticated " if args[:authenticated] + error = AuthorizationError.new("Forbidden request: " + msg) if right error.file = right.file @@ -123,7 +125,7 @@ class Rights include Puppet::FileCollection::Lookup attr_accessor :name, :key, :acl_type - attr_accessor :methods, :environment + attr_accessor :methods, :environment, :authentication ALL = [:save, :destroy, :find, :search] @@ -132,6 +134,7 @@ class Rights def initialize(name, line, file) @methods = [] @environment = [] + @authentication = true # defaults to authenticated @name = name @line = line || 0 @file = file @@ -175,9 +178,10 @@ class Rights # if this right is too restrictive (ie we don't match this access method) # then return :dunno so that upper layers have a chance to try another right # tailored to the given method - def allowed?(name, ip, args) + def allowed?(name, ip, args = {}) return :dunno if acl_type == :regex and not @methods.include?(args[:method]) return :dunno if acl_type == :regex and @environment.size > 0 and not @environment.include?(args[:environment]) + return :dunno if acl_type == :regex and not @authentication.nil? and args[:authenticated] != @authentication begin # make sure any capture are replaced if needed @@ -218,6 +222,20 @@ class Rights @environment << env end + def restrict_authenticated(authentication) + case authentication + when "yes", "on", "true", true + authentication = true + when "no", "off", "false", false + authentication = false + when "all","any", :all, :any + authentication = nil + else + raise ArgumentError, "'%s' incorrect authenticated value: %s" % [name, authentication] + end + @authentication = authentication + end + def match?(key) # if we are a namespace compare directly return self.key == namespace_to_key(key) if acl_type == :name @@ -249,7 +267,7 @@ class Rights def ==(name) return self.key == namespace_to_key(name) if acl_type == :name - return self.name == name + return self.name == name.gsub(/^~\s+/,'') end end |