| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Unmunge is the reverse of munge.
While munge allows the type to return a different parameter value
or properties should than the one it was created with, unmunge
does the reverse.
It can be used for instance to store a value in a different
representation but still be able to return genuine value to the
outside world.
Signed-off-by: Brice Figureau <brice-puppet@daysofwonder.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Because of ruby bug:
http://rubyforge.org/tracker/?group_id=426&atid=1698&func=detail&aid=8886
and
http://redmine.ruby-lang.org/issues/show/1331
YAML dump of hashes using ruby objects as keys is incorrect leading
to an error when deserializing the YAML in puppetd.
The error is easy to correct by a post-process fix-up of
the generated YAML, which transforms:
&id004 !ruby/object:Puppet::Relationship ?
to the correct:
? &id004 !ruby/object:Puppet::Relationship
Signed-off-by: Brice Figureau <brice-puppet@daysofwonder.com>
|
| | |
|
| |
|
|
|
|
|
|
|
| |
This patch moves Type to use Puppet::Util::Tagging as the other
part of Puppet. This brings uniformity and consistency in the
way the tags are used and/or compared to each other.
Type was storing tags in Symbol format, which produced #2207.
Signed-off-by: Brice Figureau <brice-puppet@daysofwonder.com>
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
Signed-off-by: Luke Kanies <luke@madstop.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
We previously used and expected Puppet::Parser::Resource
instances, but 0.25 converts them all to Puppet::Resource
instances before they're passed out of the compiler,
so the Rails integration had to be changed to expect that.
There's still some muddling, because the rails resources
only generate parser resources, but that works for now
because that's what we expect when collecting resources.
Signed-off-by: Luke Kanies <luke@madstop.com>
|
| |
|
|
|
|
| |
This is required for Rails support.
Signed-off-by: Luke Kanies <luke@madstop.com>
|
| |
|
|
| |
Signed-off-by: Luke Kanies <luke@madstop.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
The cert name should be searched first in default
circumstances, even if it disagrees with the hostname.
Brice's change to the way catalogs are searched for didn't
quite work when the hostname and certname didn't agree *and*
the certname was fully qualified.
Signed-off-by: Luke Kanies <luke@madstop.com>
|
| |
|
|
| |
Signed-off-by: Luke Kanies <luke@madstop.com>
|
| |
|
|
| |
Signed-off-by: Luke Kanies <luke@madstop.com>
|
| |
|
|
|
|
|
| |
If we don't do this, there's a chance we'll get hit
by the ruby yaml bug again.
Signed-off-by: Luke Kanies <luke@madstop.com>
|
| |
|
|
|
|
|
|
|
| |
Unfortunately, again because of a Ruby bug
(http://rubyforge.org/tracker/?group_id=426&atid=1698&func=detail&aid=8886)
Ruby can't print yaml that it can read, if custom
classes are used as keys in hashes, which Sets use internally.
Signed-off-by: Luke Kanies <luke@madstop.com>
|
| |
|
|
| |
Signed-off-by: Luke Kanies <luke@madstop.com>
|
| |
|
|
|
|
| |
This is the last step to fixing #2189.
Signed-off-by: Luke Kanies <luke@madstop.com>
|
| |
|
|
| |
Signed-off-by: Luke Kanies <luke@madstop.com>
|
| |
|
|
|
|
|
|
| |
I'd made the argument no longer optional
because I thought the method was rarely used,
but it's used in puppetd a good bit.
Signed-off-by: Luke Kanies <luke@madstop.com>
|
| | |
|
| | |
|
| |
|
|
|
| |
Adds manifest param for service type, defines a command or manifest to set up a service
Add service setup (import) support
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Rationale:
Before this change, the catalog was retrived with this uri:
/catalog/hostname
On the server side, the corresponding node was found by using the
request node, then finding if this node also match hostname
(which it does of course).
But it is not possible to have an ACL matching the hostname part
of the uri, because it:
* it would be compared to the node name (certname), which obviously
is not the same
* it is not possible to create a dynamic allow/deny rule on a non-fqdn
Signed-off-by: Brice Figureau <brice-puppet@daysofwonder.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Before this change, unauthenticated REST requests where inconditionnaly
allowed, as long as they were to the certificate terminus.
This could be a security hole, so now the REST requests, authenticated
or unauthenticated are all submitted to the REST authorization
layer.
The default authorizations now contains directives to allow unauthenticated
requests to the various certificate terminus to allow new hosts.
The conf/auth.conf file has been modified to match such defaults.
Signed-off-by: Brice Figureau <brice-puppet@daysofwonder.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
unauthenticated request
Introduces a new auth.conf directive (auth or authenticated) which
takes an argument (on,yes/off,no/all,any).
This can be used to restrict an ACL to only some state of
authentication of a REST request, or any.
If no auth directive is given, the ACL will only trigger for
authenticated requests.
Signed-off-by: Brice Figureau <brice-puppet@daysofwonder.com>
|
| |
|
|
| |
Signed-off-by: Brice Figureau <brice-puppet@daysofwonder.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The idea is to raise an AuthorizationException at the same place
we check the authorization instead of in an upper level to be
able to spot where the authorization took place in the exception
backtrace.
Moreover, this changes also makes Rights::allowed? to return
the matching acl so that the upper layer can have a chance to
report which ACL resulted in the match.
Signed-off-by: Brice Figureau <brice-puppet@daysofwonder.com>
|
| |
|
|
|
|
|
|
|
| |
With the help of the new auth.conf directive 'environment',
any ACL can now be restricted to a specific environment.
Omission of the directive means that the ACL will apply
to all the defined environment.
Signed-off-by: Brice Figureau <brice-puppet@daysofwonder.com>
|
| |
|
|
|
|
|
| |
The authorization system should stubbed to let all the rest tests
to succeed :-)
Signed-off-by: Brice Figureau <brice-puppet@daysofwonder.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch introduces a new configuration file (and configuration
setting to set it).
Each REST request is checked against this configuration file, and is
either allowed or denied.
The configuration file has the following format:
path /uripath
method <methods>
allow <ip> or <name>
deny <ip> or <name>
or
path ~ <regex>
method <methods>
allow <ip> or <name>
deny <ip> or <name>
where regex is a ruby regex.
This last syntax allows deny/allow interpolation from
the regex captures:
path ~ /files[^/]+/files/([^/]+)/([^/])/
method find
allow $2.$1
If you arrange your files/ directory to have files in
'domain.com/host/', then only the referenced host will
be able to access their files, other hosts will be denied.
For instance:
files/reductivelabs.com/dns/...
files/reductivelabs.com/www/...
then only files in dns can be accessible by dns.reductivelabs.com
and so on...
If the auth.conf file doesn't exist puppet uses sane defaults that allows
clients to check-in and ask for their configurations...
Signed-off-by: Brice Figureau <brice-puppet@daysofwonder.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch introduces a new set of directive to the authconfig
parser/file format:
path /uripath or patch ~ <regex>
This directive declares a new kind of ACL based on the uri path.
method save, find
This directive which is to be used under path directive restricts a
path ACL to only some REST verbs.
The ACL path system matches on path prefix possible, or
on regex matches (first match wins).
If no path are matching, then the authorization is not allowed.
The same if no ACL matches for the given REST verb.
The old namespace right matching still works as usual.
Signed-off-by: Brice Figureau <brice-puppet@daysofwonder.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The idea is to have allow/deny authorization directives
that are dynamic: their evaluation is deferred until
we perform the authorization checking in allowed?.
This is done to allow replacing backreferences in allow/deny
directives by parameters of the match that selected this right.
For instance, it is possible to:
allow $1.$2
And using Right::interpolate() with the result of a regex match
using 2 captures, will evaluate $1.$2 to those captures.
For instance, if we captured [host, reductivelabs.com], then the
allow directive is replaced by:
allow host.reductivelabs.com
It is then safe to call allowed?, after which we can reset the
interpolation.
This interpolation is thread-safe.
Signed-off-by: Brice Figureau <brice-puppet@daysofwonder.com>
authconfig regex support
|
| |
|
|
| |
Signed-off-by: Brice Figureau <brice-puppet@daysofwonder.com>
|
| |
|
|
| |
Signed-off-by: Brice Figureau <brice-puppet@daysofwonder.com>
|
| |
|
|
|
|
|
|
|
|
| |
This isn't that great, but at least it provides
basic tuning of the format.
Also removing the catalog_format default, since it's
no longer used.
Signed-off-by: Luke Kanies <luke@madstop.com>
|
| |
|
|
|
|
|
| |
Formats guarantee that symbols are used, so it makes sense
for the tests to do so.
Signed-off-by: Luke Kanies <luke@madstop.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This removes the requirement of shared fact caching
on the servers, since the server responding to the catalog
request will receive the facts as part of the request.
The facts are serialized as a parameter to the request,
rather than each being set as a separate request parameter.
This hard-codes yaml as the serialization format for the
facts, because I couldn't get marshal to work and it's just not
as big a deal for such a small amount of data.
Signed-off-by: Luke Kanies <luke@madstop.com>
|
| |
|
|
| |
Signed-off-by: Luke Kanies <luke@madstop.com>
|
| |
|
|
|
|
|
|
| |
It was previously recursive, and was causing
significant performance problems for large, wide
graphs.
Signed-off-by: Luke Kanies <luke@madstop.com>
|
| |
|
|
|
|
| |
This can cause a huge speedup for large numbers of edges.
Signed-off-by: Luke Kanies <luke@madstop.com>
|
| |
|
|
| |
Signed-off-by: Luke Kanies <luke@madstop.com>
|
| |
|
|
|
|
|
|
|
|
| |
I missed some of the Catalog mentions, and its
constant changed.
I've also added tests so this will get caught
next time.
Signed-off-by: Luke Kanies <luke@madstop.com>
|
| |
|
|
| |
Signed-off-by: Luke Kanies <luke@madstop.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
They don't work with the modified code, and we
rely almost entirely on manual integration testing
for this stuff anyway.
We definitely need to add tests where we can, but
these tests are totally useless.
Signed-off-by: Luke Kanies <luke@madstop.com>
|
| |
|
|
|
|
| |
At least, I think they're fixed; it's hard to test.
Signed-off-by: Luke Kanies <luke@madstop.com>
|
