require 'puppet/network/client_request'
require 'puppet/network/authconfig'
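module Puppet::Network
  # Raised by Authorization#verify when a client asks for a handler that is
  # not loaded, or for a call it is not permitted to make.
  class InvalidClientRequest < Puppet::Error; end

  # Mixed into network servers. Most of what it needs comes from the request
  # object (client name, IP address, handler, call); the including class must
  # also provide +handler_loaded?+, which is not defined here.
  module Authorization
    # Lazily build and memoize the auth config object. AuthConfig.main works
    # even when there is no configuration file on disk; +exists?+ on the
    # result tells authorized? whether a real config was found.
    def authconfig
      @authconfig = Puppet::Network::AuthConfig.main unless defined?(@authconfig)
      @authconfig
    end

    # Decide whether +request+ may proceed. Always returns true or false —
    # never the return value of a logging call.
    #
    # Policy:
    # * Unauthenticated clients may reach only the "puppetca" handler (so a
    #   host without a certificate can still ask for one); everything else
    #   is denied.
    # * Authenticated clients are checked against the auth config when a
    #   config file exists. With no config file, a server in master run mode
    #   allows every authenticated call — an allow-all default, so deploy an
    #   auth config if finer control is needed — and any other run mode
    #   denies.
    def authorized?(request)
      msg = "#{request.authenticated? ? "authenticated" : "unauthenticated"} client #{request} access to #{request.call}"

      unless request.authenticated?
        # Fix: the original logged "Allowing" for puppetca but never returned
        # true, so the method's value was whatever Puppet.notice returned
        # (nil when notice-level messages are filtered out), and the
        # authorization outcome depended on the configured log level.
        if request.handler == "puppetca"
          Puppet.notice "Allowing #{msg}"
          return true
        end
        Puppet.notice "Denying #{msg}"
        return false
      end

      # Authenticated path: consult the config if there is one, otherwise
      # fall back to the run-mode default described above.
      allowed = if authconfig.exists?
                  authconfig.allowed?(request)
                else
                  Puppet.run_mode.master?
                end

      if allowed
        Puppet.debug "Allowing #{msg}"
        true
      else
        Puppet.notice "Denying #{msg}"
        false
      end
    end

    # Is the handler named by +request+ loaded on this server? Logs a warning
    # and returns false when it is not.
    def available?(request)
      return true if handler_loaded?(request.handler)

      Puppet.warning "Client #{request} requested unavailable functionality #{request.handler}"
      false
    end

    # Ensure the requested handler is loaded and the client is authorized to
    # make the call; raises InvalidClientRequest otherwise. Availability is
    # checked first so an unloaded handler is reported as such rather than
    # as an authorization failure.
    def verify(request)
      unless available?(request)
        raise InvalidClientRequest, "Functionality #{request.handler} not available"
      end

      unless authorized?(request)
        raise InvalidClientRequest, "Host #{request} not authorized to call #{request.call}"
      end
    end
  end
end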