summaryrefslogtreecommitdiffstats
path: root/lib/puppet/network/rest_authconfig.rb
blob: b22a314613390cdf0704abdc477a8b94be91ae17 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
require 'puppet/network/authconfig'

module Puppet
    class Network::RestAuthConfig < Network::AuthConfig

        attr_accessor :rights

        DEFAULT_ACL = [
            { :acl => "~ ^\/catalog\/([^\/]+)$", :method => :find, :allow => '$1', :authenticated => true },
            # this one will allow all file access, and thus delegate
            # to fileserver.conf
            { :acl => "/file" },
            { :acl => "/certificate_revocation_list/ca", :method => :find, :authenticated => true },
            { :acl => "/report", :method => :save, :authenticated => true },
            { :acl => "/certificate/ca", :method => :find, :authenticated => false },
            { :acl => "/certificate/", :method => :find, :authenticated => false },
            { :acl => "/certificate_request", :method => [:find, :save], :authenticated => false },
            { :acl => "/status", :method => [:find], :authenticated => true },
            { :acl => "/resource", :method => [:find, :save, :search], :authenticated => true },
        ]

        def self.main
            add_acl = @main.nil?
            super
            @main.insert_default_acl if add_acl and !@main.exists?
            @main
        end

        # check wether this request is allowed in our ACL
        # raise an Puppet::Network::AuthorizedError if the request
        # is denied.
        def allowed?(request)
            read()

            # we're splitting the request in part because
            # fail_on_deny could as well be called in the XMLRPC context
            # with a ClientRequest.

                        @rights.fail_on_deny(
                build_uri(request),
        
                                    :node => request.node,
                                    :ip => request.ip,
                                    :method => request.method,
                                    :environment => request.environment,
                                    :authenticated => request.authenticated)
        end

        def initialize(file = nil, parsenow = true)
            super(file || Puppet[:rest_authconfig], parsenow)

            # if we didn't read a file (ie it doesn't exist)
            # make sure we can create some default rights
            @rights ||= Puppet::Network::Rights.new
        end

        def parse()
            super()
            insert_default_acl
        end

        # force regular ACLs to be present
        def insert_default_acl
            DEFAULT_ACL.each do |acl|
                unless rights[acl[:acl]]
                    Puppet.info "Inserting default '#{acl[:acl]}'(#{acl[:authenticated] ? "auth" : "non-auth"}) acl because #{( !exists? ? "#{Puppet[:rest_authconfig]} doesn't exist" : "none where found in '#{@file}'")}"
                    mk_acl(acl)
                end
            end
            # queue an empty (ie deny all) right for every other path
            # actually this is not strictly necessary as the rights system
            # denies not explicitely allowed paths
            unless rights["/"]
                rights.newright("/")
                rights.restrict_authenticated("/", :any)
            end
        end

        def mk_acl(acl)
            @rights.newright(acl[:acl])
            @rights.allow(acl[:acl], acl[:allow] || "*")

            if method = acl[:method]
                method = [method] unless method.is_a?(Array)
                method.each { |m| @rights.restrict_method(acl[:acl], m) }
            end
            @rights.restrict_authenticated(acl[:acl], acl[:authenticated]) unless acl[:authenticated].nil?
        end

        def build_uri(request)
            "/#{request.indirection_name}/#{request.key}"
        end
    end
end