require 'puppet/network/authconfig'
class Network::RestAuthConfig < Network::AuthConfig
{ :acl => "~ ^\/catalog\/([^\/]+)$", :method => :find, :allow => '$1', :authenticated => true },
{ :acl => "~ ^\/node\/([^\/]+)$", :method => :find, :allow => '$1', :authenticated => true },
# this one will allow all file access, and thus delegate
{ :acl => "/certificate_revocation_list/ca", :method => :find, :authenticated => true },
{ :acl => "/report", :method => :save, :authenticated => true },
{ :acl => "/certificate/ca", :method => :find, :authenticated => false },
{ :acl => "/certificate/", :method => :find, :authenticated => false },
{ :acl => "/certificate_request", :method => [:find, :save], :authenticated => false },
{ :acl => "/status", :method => [:find], :authenticated => true },
@main.insert_default_acl if add_acl and !@main.exists?
# check whether this request is allowed by our ACL
# raise a Puppet::Network::AuthorizedError if the request
def allowed?(indirection, method, key, params)
# the request is passed in as separate parts (indirection, method, key, params) because
# fail_on_deny could as well be called in the XMLRPC context
# with a ClientRequest.
if authorization_failure_exception = @rights.is_request_forbidden_and_why?(indirection, method, key, params)
Puppet.warning("Denying access: #{authorization_failure_exception}")
raise authorization_failure_exception
def initialize(file = nil, parsenow = true)
super(file || Puppet[:rest_authconfig], parsenow)
# if we didn't read a file (ie it doesn't exist)
# make sure we can create some default rights
@rights ||= Puppet::Network::Rights.new
# ensure the default ACLs are present, inserting any that the config file did not define
def insert_default_acl
DEFAULT_ACL.each do |acl|
unless rights[acl[:acl]]
Puppet.info "Inserting default '#{acl[:acl]}'(#{acl[:authenticated] ? "auth" : "non-auth"}) ACL because #{( !exists? ? "#{Puppet[:rest_authconfig]} doesn't exist" : "none were found in '#{@file}'")}"
# queue an empty (i.e. deny-all) right for every other path
# actually this is not strictly necessary as the rights system
# denies paths that are not explicitly allowed
rights.restrict_authenticated("/", :any)
@rights.newright(acl[:acl])
@rights.allow(acl[:acl], acl[:allow] || "*")
if method = acl[:method]
method = [method] unless method.is_a?(Array)
method.each { |m| @rights.restrict_method(acl[:acl], m) }
@rights.restrict_authenticated(acl[:acl], acl[:authenticated]) unless acl[:authenticated].nil?