1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
|
require 'puppet/network/authconfig'
module Puppet
class Network::RestAuthConfig < Network::AuthConfig
extend MonitorMixin
attr_accessor :rights
DEFAULT_ACL = [
{ :acl => "~ ^\/catalog\/([^\/]+)$", :method => :find, :allow => '$1', :authenticated => true },
# this one will allow all file access, and thus delegate
# to fileserver.conf
{ :acl => "/file" },
{ :acl => "/certificate_revocation_list/ca", :method => :find, :authenticated => true },
{ :acl => "/report", :method => :save, :authenticated => true },
{ :acl => "/certificate/ca", :method => :find, :authenticated => false },
{ :acl => "/certificate/", :method => :find, :authenticated => false },
{ :acl => "/certificate_request", :method => [:find, :save], :authenticated => false },
{ :acl => "/status", :method => [:find], :authenticated => true },
]
def self.main
synchronize do
add_acl = @main.nil?
super
@main.insert_default_acl if add_acl and !@main.exists?
end
@main
end
# check wether this request is allowed in our ACL
# raise an Puppet::Network::AuthorizedError if the request
# is denied.
def allowed?(indirection, method, key, params)
read
# we're splitting the request in part because
# fail_on_deny could as well be called in the XMLRPC context
# with a ClientRequest.
@rights.fail_on_deny(
build_uri(indirection, key),
:node => params[:node],
:ip => params[:ip],
:method => method,
:environment => params[:environment],
:authenticated => params[:authenticated]
)
end
def initialize(file = nil, parsenow = true)
super(file || Puppet[:rest_authconfig], parsenow)
# if we didn't read a file (ie it doesn't exist)
# make sure we can create some default rights
@rights ||= Puppet::Network::Rights.new
end
def parse
super()
insert_default_acl
end
# force regular ACLs to be present
def insert_default_acl
DEFAULT_ACL.each do |acl|
unless rights[acl[:acl]]
Puppet.info "Inserting default '#{acl[:acl]}'(#{acl[:authenticated] ? "auth" : "non-auth"}) acl because #{( !exists? ? "#{Puppet[:rest_authconfig]} doesn't exist" : "none where found in '#{@file}'")}"
mk_acl(acl)
end
end
# queue an empty (ie deny all) right for every other path
# actually this is not strictly necessary as the rights system
# denies not explicitely allowed paths
unless rights["/"]
rights.newright("/")
rights.restrict_authenticated("/", :any)
end
end
def mk_acl(acl)
@rights.newright(acl[:acl])
@rights.allow(acl[:acl], acl[:allow] || "*")
if method = acl[:method]
method = [method] unless method.is_a?(Array)
method.each { |m| @rights.restrict_method(acl[:acl], m) }
end
@rights.restrict_authenticated(acl[:acl], acl[:authenticated]) unless acl[:authenticated].nil?
end
def build_uri(indirection_name, key)
"/#{indirection_name}/#{key}"
end
end
end
|
