summaryrefslogtreecommitdiffstats
path: root/lib/puppet
diff options
context:
space:
mode:
Diffstat (limited to 'lib/puppet')
-rw-r--r--lib/puppet/network/authconfig.rb82
-rwxr-xr-xlib/puppet/network/rights.rb202
2 files changed, 220 insertions, 64 deletions
diff --git a/lib/puppet/network/authconfig.rb b/lib/puppet/network/authconfig.rb
index dc67723c4..f78cdc621 100644
--- a/lib/puppet/network/authconfig.rb
+++ b/lib/puppet/network/authconfig.rb
@@ -44,7 +44,7 @@ module Puppet
end
def initialize(file = nil, parsenow = true)
- @file ||= Puppet[:authconfig]
+ @file = file || Puppet[:authconfig]
unless @file
raise Puppet::DevError, "No authconfig file defined"
@@ -99,44 +99,21 @@ module Puppet
count = 1
f.each { |line|
case line
- when /^\s*#/; next # skip comments
- when /^\s*$/; next # skip blank lines
- when /\[([\w.]+)\]/ # "namespace" or "namespace.method"
- name = $1
- if newrights.include?(name)
- raise FileServerError, "%s is already set at %s" %
- [newrights[name], name]
- end
- newrights.newright(name)
- right = newrights[name]
- when /^\s*(\w+)\s+(.+)$/
- var = $1
- value = $2
- case var
- when "allow"
- value.split(/\s*,\s*/).each { |val|
- begin
- right.info "allowing %s access" % val
- right.allow(val)
- rescue AuthStoreError => detail
- raise ConfigurationError, "%s at line %s of %s" %
- [detail.to_s, count, @config]
- end
- }
- when "deny"
- value.split(/\s*,\s*/).each { |val|
- begin
- right.info "denying %s access" % val
- right.deny(val)
- rescue AuthStoreError => detail
- raise ConfigurationError, "%s at line %s of %s" %
- [detail.to_s, count, @config]
- end
- }
- else
- raise ConfigurationError,
- "Invalid argument '%s' at line %s" % [var, count]
+ when /^\s*#/ # skip comments
+ count += 1
+ next
+ when /^\s*$/ # skip blank lines
+ count += 1
+ next
+ when /^(?:(\[[\w.]+\])|(path)\s+((?:~\s+)?[^ ]+))\s*$/ # "namespace" or "namespace.method" or "path /path" or "path ~ regex"
+ name = $1
+ if $2 == "path"
+ name = $3
end
+ name.chomp!
+ right = newrights.newright(name, count)
+ when /^\s*(allow|deny|method)\s+(.+)$/
+ parse_right_directive(right, $1, $2, count)
else
raise ConfigurationError, "Invalid line %s: %s" % [count, line]
end
@@ -162,6 +139,35 @@ module Puppet
}
@rights = newrights
end
+
+ def parse_right_directive(right, var, value, count)
+ case var
+ when "allow"
+ modify_right(right, :allow, value, "allowing %s access", count)
+ when "deny"
+ modify_right(right, :deny, value, "denying %s access", count)
+ when "method"
+ unless right.acl_type == :regex
+ raise ConfigurationError, "'method' directive not allowed in namespace ACL at line %s of %s" % [count, @config]
+ end
+ modify_right(right, :restrict_method, value, "allowing method %s access", count)
+ else
+ raise ConfigurationError,
+ "Invalid argument '%s' at line %s" % [var, count]
+ end
+ end
+
+ def modify_right(right, method, value, msg, count)
+ value.split(/\s*,\s*/).each do |val|
+ begin
+ right.info msg % val
+ right.send(method, val)
+ rescue AuthStoreError => detail
+ raise ConfigurationError, "%s at line %s of %s" % [detail.to_s, count, @file]
+ end
+ end
+ end
+
end
end
diff --git a/lib/puppet/network/rights.rb b/lib/puppet/network/rights.rb
index a4133f22c..6b2082cdb 100755
--- a/lib/puppet/network/rights.rb
+++ b/lib/puppet/network/rights.rb
@@ -1,15 +1,16 @@
-require 'ipaddr'
require 'puppet/network/authstore'
# Define a set of rights and who has access to them.
-class Puppet::Network::Rights < Hash
+# There are two types of rights:
+# * named rights (ie a common string)
+# * path based rights (which are matched on a longest prefix basis)
+class Puppet::Network::Rights
+
# We basically just proxy directly to our rights. Each Right stores
# its own auth abilities.
- [:allow, :allowed?, :deny].each do |method|
+ [:allow, :deny].each do |method|
define_method(method) do |name, *args|
- name = name.intern if name.is_a? String
-
- if obj = right(name)
+ if obj = self[name]
obj.send(method, *args)
else
raise ArgumentError, "Unknown right '%s'" % name
@@ -17,45 +18,115 @@ class Puppet::Network::Rights < Hash
end
end
+ # this method is used to add a new allowed +method+ to +name+
+ # method applies only to path rights
+ def restrict_method(name, *args)
+ if right = self[name]
+ right.restrict_method(*args)
+ else
+ raise ArgumentError, "'%s' right is not allowing method specification" % name
+ end
+ end
+
+ def allowed?(name, *args)
+ res = :nomatch
+ right = @rights.find do |acl|
+ # an acl can return :dunno, which means "I'm not qualified to answer your question,
+ # please ask someone else". This is used when for instance an acl matches, but not for the
+ # current rest method, where we might think some other acl might be more specific.
+ if match = acl.match?(name)
+ args << match
+ if (res = acl.allowed?(*args)) != :dunno
+ return res
+ end
+ end
+ false
+ end
+
+ # if allowed or denied, tell it to the world
+ return res unless res == :nomatch
+
+ # there were no rights allowing/denying name
+ # if name is not a path, let's throw
+ raise ArgumentError, "Unknown namespace right '%s'" % name unless name =~ /^\//
+
+ # but if this was a path, we implement a deny all policy by default
+ # on unknown rights.
+ return false
+ end
+
+ def initialize()
+ @rights = []
+ end
+
def [](name)
- name = name.intern if name.is_a? String
- super(name)
+ @rights.find { |acl| acl == name }
+ end
+
+ def include?(name)
+ @rights.include?(name)
+ end
+
+ def each
+ @rights.each { |r| yield r.name,r }
end
# Define a new right to which access can be provided.
- def newright(name)
- name = name.intern if name.is_a? String
- shortname = Right.shortname(name)
- if self.include? name
- raise ArgumentError, "Right '%s' is already defined" % name
- else
- self[name] = Right.new(name, shortname)
- end
+ def newright(name, line=nil)
+ add_right( Right.new(name, line) )
end
private
+ def add_right(right)
+ if right.acl_type == :name and include?(right.key)
+ raise ArgumentError, "Right '%s' already exists"
+ end
+ @rights << right
+ sort_rights
+ right
+ end
+
+ def sort_rights
+ @rights.sort!
+ end
+
# Retrieve a right by name.
def right(name)
- name = name.intern if name.is_a? String
self[name]
end
# A right.
class Right < Puppet::Network::AuthStore
- attr_accessor :name, :shortname
+ attr_accessor :name, :key, :acl_type, :line
+ attr_accessor :methods, :length
- Puppet::Util.logmethods(self, true)
+ ALL = [:save, :destroy, :find, :search]
- def self.shortname(name)
- name.to_s[0..0]
- end
+ Puppet::Util.logmethods(self, true)
- def initialize(name, shortname = nil)
+ def initialize(name, line)
+ @methods = []
@name = name
- @shortname = shortname
- unless @shortname
- @shortname = Right.shortname(name)
+ @line = line || 0
+ case name
+ when Symbol
+ @acl_type = :name
+ @key = name
+ when /^\[(.+)\]$/
+ @acl_type = :name
+ @key = $1.intern if name.is_a?(String)
+ when /^\//
+ @acl_type = :regex
+ @key = Regexp.new("^" + Regexp.escape(name))
+ @methods = ALL
+ when /^~/ # this is a regex
+ @acl_type = :regex
+ @name = name.gsub(/^~\s+/,'')
+ @key = Regexp.new(@name)
+ @methods = ALL
+ else
+ raise ArgumentError, "Unknown right type '%s'" % name
end
super()
end
@@ -68,6 +139,85 @@ class Puppet::Network::Rights < Hash
def valid?
true
end
+
+ def regex?
+ acl_type == :regex
+ end
+
+ # does this right is allowed for this triplet?
+ # if this right is too restrictive (ie we don't match this access method)
+ # then return :dunno so that upper layers have a chance to try another right
+ # tailored to the given method
+ def allowed?(name, ip, method = nil, match = nil)
+ return :dunno if acl_type == :regex and not @methods.include?(method)
+
+ if acl_type == :regex and match # make sure any capture are replaced
+ interpolate(match)
+ end
+
+ res = super(name,ip)
+
+ if acl_type == :regex
+ reset_interpolation
+ end
+ res
+ end
+
+ # restrict this right to some method only
+ def restrict_method(m)
+ m = m.intern if m.is_a?(String)
+
+ unless ALL.include?(m)
+ raise ArgumentError, "'%s' is not an allowed value for method directive" % m
+ end
+
+ # if we were allowing all methods, then starts from scratch
+ if @methods === ALL
+ @methods = []
+ end
+
+ if @methods.include?(m)
+ raise ArgumentError, "'%s' is already in the '%s' ACL" % [m, name]
+ end
+
+ @methods << m
+ end
+
+ def match?(key)
+ # if we are a namespace compare directly
+ return self.key == namespace_to_key(key) if acl_type == :name
+
+ # otherwise match with the regex
+ return self.key.match(key)
+ end
+
+ def namespace_to_key(key)
+ key = key.intern if key.is_a?(String)
+ key
+ end
+
+ # this is where all the magic happens.
+ # we're sorting the rights array with this scheme:
+ # * namespace rights are all in front
+ # * regex path rights are then all queued in file order
+ def <=>(rhs)
+ # move namespace rights at front
+ if self.acl_type != rhs.acl_type
+ return self.acl_type == :name ? -1 : 1
+ end
+
+ # sort by creation order (ie first match appearing in the file will win)
+ # that is don't sort, in which case the sort algorithm will order in the
+ # natural array order (ie the creation order)
+ return 0
+ end
+
+ def ==(name)
+ return self.key == namespace_to_key(name) if acl_type == :name
+ return self.name == name
+ end
+
end
+
end
generated by cgit (git 2.34.1) at 2025-10-04 03:45:39 +0000