require 'puppet/network/authconfig'
class Network::RestAuthConfig < Network::AuthConfig
{ :acl => "~ ^\/catalog\/([^\/]+)$", :method => :find, :allow => '$1', :authenticated => true },
# this one will allow all file access, and thus delegate
{ :acl => "/certificate_revocation_list/ca", :method => :find, :authenticated => true },
{ :acl => "/report", :method => :save, :authenticated => true },
{ :acl => "/certificate/ca", :method => :find, :authenticated => false },
{ :acl => "/certificate/", :method => :find, :authenticated => false },
{ :acl => "/certificate_request", :method => [:find, :save], :authenticated => false },
{ :acl => "/status", :method => [:find], :authenticated => true },
@main.insert_default_acl if add_acl and !@main.exists?
# check whether this request is allowed in our ACL
# raise a Puppet::Network::AuthorizedError if the request
# we're splitting the request into its parts because
# fail_on_deny could as well be called in the XMLRPC context
# with a ClientRequest.
:node => request.node,
:method => request.method,
:environment => request.environment,
:authenticated => request.authenticated)
def initialize(file = nil, parsenow = true)
super(file || Puppet[:rest_authconfig], parsenow)
# if we didn't read a file (i.e. it doesn't exist),
# make sure we can create some default rights
@rights ||= Puppet::Network::Rights.new
# force regular ACLs to be present
def insert_default_acl
DEFAULT_ACL.each do |acl|
unless rights[acl[:acl]]
Puppet.info "Inserting default '#{acl[:acl]}'(#{acl[:authenticated] ? "auth" : "non-auth"}) acl because #{( !exists? ? "#{Puppet[:rest_authconfig]} doesn't exist" : "none where found in '#{@file}'")}"
# queue an empty (i.e. deny-all) right for every other path;
# actually this is not strictly necessary as the rights system
# denies paths that are not explicitly allowed
rights.restrict_authenticated("/", :any)
@rights.newright(acl[:acl])
@rights.allow(acl[:acl], acl[:allow] || "*")
if method = acl[:method]
method = [method] unless method.is_a?(Array)
method.each { |m| @rights.restrict_method(acl[:acl], m) }
@rights.restrict_authenticated(acl[:acl], acl[:authenticated]) unless acl[:authenticated].nil?
def build_uri(request)
"/#{request.indirection_name}/#{request.key}"