require 'puppet/network/authconfig'
class Network::RestAuthConfig < Network::AuthConfig
{ :acl => "~ ^\/catalog\/([^\/]+)$", :method => :find, :allow => '$1', :authenticated => true },
{ :acl => "~ ^\/node\/([^\/]+)$", :method => :find, :allow => '$1', :authenticated => true },
# this one will allow all file access, and thus delegate
{ :acl => "/certificate_revocation_list/ca", :method => :find, :authenticated => true },
{ :acl => "/report", :method => :save, :authenticated => true },
# These allow `auth any`, because if you can do them anonymously you
# should probably also be able to do them when trusted.
{ :acl => "/certificate/ca", :method => :find, :authenticated => :any },
{ :acl => "/certificate/", :method => :find, :authenticated => :any },
{ :acl => "/certificate_request", :method => [:find, :save], :authenticated => :any },
{ :acl => "/status", :method => [:find], :authenticated => true },
@main.insert_default_acl if add_acl and !@main.exists?
Puppet.deprecation_warning "allowed? should not be called for REST authorization - use check_authorization instead"
check_authorization(request)
# check whether this request is allowed in our ACL
# raise a Puppet::Network::AuthorizedError if the request
def check_authorization(indirection, method, key, params)
# we're splitting the request in part because
# fail_on_deny could as well be called in the XMLRPC context
# with a ClientRequest.
if authorization_failure_exception = @rights.is_request_forbidden_and_why?(indirection, method, key, params)
Puppet.warning("Denying access: #{authorization_failure_exception}")
raise authorization_failure_exception
def initialize(file = nil, parsenow = true)
super(file || Puppet[:rest_authconfig], parsenow)
# if we didn't read a file (ie it doesn't exist)
# make sure we can create some default rights
@rights ||= Puppet::Network::Rights.new
# force regular ACLs to be present
def insert_default_acl
reason = "none were found in '#{@file}'"
reason = "#{Puppet[:rest_authconfig]} doesn't exist"
DEFAULT_ACL.each do |acl|
unless rights[acl[:acl]]
Puppet.info "Inserting default '#{acl[:acl]}' (auth #{acl[:authenticated]}) ACL because #{reason}"
# queue an empty (ie deny all) right for every other path
# actually this is not strictly necessary as the rights system
# denies not explicitely allowed paths
rights.restrict_authenticated("/", :any)
@rights.newright(acl[:acl])
@rights.allow(acl[:acl], acl[:allow] || "*")
if method = acl[:method]
method = [method] unless method.is_a?(Array)
method.each { |m| @rights.restrict_method(acl[:acl], m) }
@rights.restrict_authenticated(acl[:acl], acl[:authenticated]) unless acl[:authenticated].nil?