require 'puppet/network/authconfig'
module Puppet
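class Network::RestAuthConfig < Network::AuthConfig
  # The rights table the REST layer consults; always non-nil after
  # initialize (it is created empty when no file was read).
  attr_accessor :rights

  # Rights that are created whenever the authconfig file does not define
  # them itself. Each entry gives the path to create and, optionally, the
  # method(s) that path is restricted to; an entry without :method leaves
  # every method allowed for that path. Frozen because it is shared
  # process-wide and is only ever read.
  DEFAULT_ACL = {
    :facts => { :acl => "/facts", :method => [:save, :find] },
    :catalog => { :acl => "/catalog", :method => :find },
    # this one will allow all file access, and thus delegate
    # to fileserver.conf
    :file => { :acl => "/file" },
    :cert => { :acl => "/certificate", :method => :find },
    :reports => { :acl => "/report", :method => :save }
  }.freeze

  # Returns the shared instance (created by the superclass on first call).
  # A freshly created instance whose file does not exist is seeded with
  # DEFAULT_ACL, so the absence of the file never yields an empty table.
  def self.main
    add_acl = @main.nil?
    super
    # `&&` rather than `and`: same meaning here, but avoids the
    # low-precedence trap should this condition ever be assigned.
    @main.insert_default_acl if add_acl && !@main.exists?
    @main
  end

  # Check whether this request is allowed in our ACL.
  # `read` is not defined in this class (presumably AuthConfig#read); it
  # runs first so a changed authconfig file is picked up before deciding.
  #
  # @param request the indirection request (must respond to
  #   indirection_name, key, node, ip and method)
  # @return [Boolean] the verdict of the rights table
  def allowed?(request)
    read
    @rights.allowed?(build_uri(request), request.node, request.ip, request.method)
  end

  # @param file [String, nil] authconfig path; nil selects
  #   Puppet[:rest_authconfig]
  # @param parsenow [Boolean] forwarded to the superclass
  def initialize(file = nil, parsenow = true)
    super(file || Puppet[:rest_authconfig], parsenow)
    # if we didn't read a file (ie it doesn't exist)
    # make sure we can create some default rights
    @rights ||= Puppet::Network::Rights.new
  end

  # Parse the file, then make sure the mandatory rights are present even
  # when the file omitted them.
  def parse
    super()
    insert_default_acl
  end

  # force regular ACLs to be present
  def insert_default_acl
    DEFAULT_ACL.each do |_name, acl|
      next if rights[acl[:acl]]
      # Both values are interpolated rather than passed through `%`, so
      # neither the path nor the file name is ever parsed as a format
      # directive. The rendered message is unchanged for every entry.
      Puppet.warning "Inserting default '#{acl[:acl]}' acl because none were found in '#{@file || "no file configured"}'"
      mk_acl(acl[:acl], acl[:method])
    end
    # queue an empty (ie deny all) right for every other path
    # actually this is not strictly necessary as the rights system
    # denies not explicitly allowed paths
    rights.newright("/") unless rights["/"]
  end

  # Create a right for +path+ that allows every host, optionally
  # restricted to the given method(s).
  #
  # @param path [String] the right's path
  # @param method [Symbol, Array<Symbol>, nil] method(s) to restrict the
  #   right to; nil applies no restriction
  def mk_acl(path, method = nil)
    @rights.newright(path)
    @rights.allow(path, "*")
    # Array() turns a single symbol into a one-element list and nil into
    # an empty one, so no guard is needed.
    Array(method).each { |m| @rights.restrict_method(path, m) }
  end

  # The path the request is looked up under: indirection name and key
  # joined beneath a leading slash, matching the form of DEFAULT_ACL and
  # of authconfig entries.
  # NOTE(review): the key is interpolated verbatim; how a key containing
  # '/' is matched depends on Puppet::Network::Rights — confirm there.
  def build_uri(request)
    "/#{request.indirection_name}/#{request.key}"
  end
end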
end