Class: Puppet::Network::Rights

Inherits:
Object
  • Object
show all
Defined in:
lib/vendor/puppet/network/rights.rb

Overview

Define a set of rights and who has access to them. There are two types of rights:

* named rights (ie a common string)
* path based rights (which are matched on a longest prefix basis)

Defined Under Namespace

Classes: Right

Instance Method Summary collapse

Constructor Details

#initializeRights

Returns a new instance of Rights.



91
92
93
 
# File 'lib/vendor/puppet/network/rights.rb', line 91

def initialize
  @rights = []
end

Instance Method Details

#[](name) ⇒ Object 



95
96
97
 
# File 'lib/vendor/puppet/network/rights.rb', line 95

def [](name)
  @rights.find { |acl| acl == name }
end

#allowed?(name, *args) ⇒ Boolean

Check that name is allowed or not

Returns:

  • (Boolean) 


28
29
30
 
# File 'lib/vendor/puppet/network/rights.rb', line 28

def allowed?(name, *args)
  !is_forbidden_and_why?(name, :node => args[0], :ip => args[1])
end

#eachObject 



103
104
105
 
# File 'lib/vendor/puppet/network/rights.rb', line 103

def each
  @rights.each { |r| yield r.name,r }
end

#include?(name) ⇒ Boolean

Returns:

  • (Boolean) 


99
100
101
 
# File 'lib/vendor/puppet/network/rights.rb', line 99

def include?(name)
  @rights.include?(name)
end

#is_forbidden_and_why?(name, args = {}) ⇒ Boolean

Returns:

  • (Boolean) 


51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
 
# File 'lib/vendor/puppet/network/rights.rb', line 51

def is_forbidden_and_why?(name, args = {})
  res = :nomatch
  right = @rights.find do |acl|
    found = false
    # an acl can return :dunno, which means "I'm not qualified to answer your question,
    # please ask someone else". This is used when for instance an acl matches, but not for the
    # current rest method, where we might think some other acl might be more specific.
    if match = acl.match?(name)
      args[:match] = match
      if (res = acl.allowed?(args[:node], args[:ip], args)) != :dunno
        # return early if we're allowed
        return nil if res
        # we matched, select this acl
        found = true
      end
    end
    found
  end

  # if we end here, then that means we either didn't match
  # or failed, in any case will throw an error to the outside world
  if name =~ /^\// or right
    # we're a patch ACL, let's fail
    msg = "#{(args[:node].nil? ? args[:ip] : "#{args[:node]}(#{args[:ip]})")} access to #{name} [#{args[:method]}]"

    msg += " authenticated " if args[:authenticated]

    error = AuthorizationError.new("Forbidden request: #{msg}")
    if right
      error.file = right.file
      error.line = right.line
    end
  else
    # there were no rights allowing/denying name
    # if name is not a path, let's throw
    raise ArgumentError, "Unknown namespace right '#{name}'"
  end
  error
end

#is_request_forbidden_and_why?(indirection, method, key, params) ⇒ Boolean

Returns:

  • (Boolean) 


32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
 
# File 'lib/vendor/puppet/network/rights.rb', line 32

def is_request_forbidden_and_why?(indirection, method, key, params)
  methods_to_check = if method == :head
                       # :head is ok if either :find or :save is ok.
                       [:find, :save]
                     else
                       [method]
                     end
  authorization_failure_exceptions = methods_to_check.map do |method|
    is_forbidden_and_why?("/#{indirection}/#{key}", params.merge({:method => method}))
  end
  if authorization_failure_exceptions.include? nil
    # One of the methods we checked is ok, therefore this request is ok.
    nil
  else
    # Just need to return any of the failure exceptions.
    authorization_failure_exceptions.first
  end
end

#newright(name, line = nil, file = nil) ⇒ Object

Define a new right to which access can be provided.



108
109
110
 
# File 'lib/vendor/puppet/network/rights.rb', line 108

def newright(name, line=nil, file=nil)
  add_right( Right.new(name, line, file) )
end