Class: Puppet::Network::DefaultAuthProvider
- Defined in:
- lib/puppet/network/authconfig.rb
Instance Attribute Summary
-
#rights ⇒ Object
Returns the value of attribute rights.
Class Method Summary
Instance Method Summary
-
#check_authorization(method, path, params) ⇒ Object
Checks whether this request is allowed by our ACL; raises a Puppet::Network::AuthorizedError if the request is denied.
-
#initialize(rights = nil) ⇒ DefaultAuthProvider
constructor
A new instance of DefaultAuthProvider.
-
#insert_default_acl ⇒ Object
Forces the regular (default) ACLs to be present.
- #mk_acl(acl) ⇒ Object
Constructor Details
#initialize(rights = nil) ⇒ DefaultAuthProvider
Returns a new instance of DefaultAuthProvider.
# File 'lib/puppet/network/authconfig.rb', line 87
# Build an auth provider around a rights table.
#
# @param rights [Puppet::Network::Rights, nil] an existing rights table; when
#   nil (or otherwise falsy) a fresh Puppet::Network::Rights is created instead
# @return [DefaultAuthProvider]
def initialize(rights = nil)
  @rights = rights
  @rights ||= Puppet::Network::Rights.new
  # Always run: the built-in ACLs are added for every path the supplied table
  # does not already cover (see #insert_default_acl).
  insert_default_acl
end
Instance Attribute Details
#rights ⇒ Object
Returns the value of attribute rights.
# File 'lib/puppet/network/authconfig.rb', line 7
# The rights table this provider consults in #check_authorization.
#
# @return [Puppet::Network::Rights] the table given to (or created by) #initialize
def rights; @rights; end
Class Method Details
.ca_url_prefix ⇒ Object
# File 'lib/puppet/network/authconfig.rb', line 13
# URL prefix of the CA API, taken from the HTTP layer so the default ACL
# paths in .default_acl stay in step with the routes actually served.
#
# @return [Object] the value of Puppet::Network::HTTP::CA_URL_PREFIX
def self.ca_url_prefix
  prefix = Puppet::Network::HTTP::CA_URL_PREFIX
  prefix
end
.default_acl ⇒ Object
# File 'lib/puppet/network/authconfig.rb', line 17
# The built-in ACL table that #insert_default_acl installs for every path the
# configured rights do not already cover. Each entry is turned into one right
# by #mk_acl: :acl is the path (a leading "~ " marks a regular expression),
# :method the verb or verbs the right is restricted to, :allow the permitted
# requesters ("*" when omitted) and :authenticated the value handed to
# Right#restrict_authenticated (true or :any in this table).
#
# Reviewer notes on the security shape of these defaults:
# - the catalog, node and report rights allow "$1", the path segment captured
#   by the regex, so a client is presumably restricted to its own certname —
#   confirm the $1 expansion in Puppet::Network::Rights;
# - the regexes end in "$", which in Ruby is end-of-line rather than
#   end-of-string; harmless as long as request paths never contain newlines —
#   verify where Rights compiles these;
# - the "/v3/file" entry carries no method, allow or auth restriction here
#   because file access is delegated to fileserver.conf;
# - the three ":authenticated => :any" CA entries are reachable without a
#   client certificate by design (bootstrap of a new agent).
#
# @return [Array<Hash>] ACL descriptions in the form consumed by #mk_acl
def self.default_acl
  [
    # Master API V3
    { acl: "#{master_url_prefix}/v3/environments",
      method: :find, allow: '*', authenticated: true },
    { acl: "~ ^#{master_url_prefix}\/v3\/catalog\/([^\/]+)$",
      method: :find, allow: '$1', authenticated: true },
    { acl: "~ ^#{master_url_prefix}\/v3\/node\/([^\/]+)$",
      method: :find, allow: '$1', authenticated: true },
    { acl: "~ ^#{master_url_prefix}\/v3\/report\/([^\/]+)$",
      method: :save, allow: '$1', authenticated: true },
    # this one will allow all file access, and thus delegate
    # to fileserver.conf
    { acl: "#{master_url_prefix}/v3/file" },
    { acl: "#{master_url_prefix}/v3/status",
      method: [:find], authenticated: true },

    # CA API V1
    { acl: "#{ca_url_prefix}/v1/certificate_revocation_list/ca",
      method: :find, authenticated: true },
    # These allow `auth any`, because if you can do them anonymously you
    # should probably also be able to do them when trusted.
    { acl: "#{ca_url_prefix}/v1/certificate/ca",
      method: :find, authenticated: :any },
    { acl: "#{ca_url_prefix}/v1/certificate/",
      method: :find, authenticated: :any },
    { acl: "#{ca_url_prefix}/v1/certificate_request",
      method: [:find, :save], authenticated: :any }
  ]
end
.master_url_prefix ⇒ Object
# File 'lib/puppet/network/authconfig.rb', line 9
# URL prefix of the master API, taken from the HTTP layer so the default ACL
# paths in .default_acl stay in step with the routes actually served.
#
# @return [Object] the value of Puppet::Network::HTTP::MASTER_URL_PREFIX
def self.master_url_prefix
  prefix = Puppet::Network::HTTP::MASTER_URL_PREFIX
  prefix
end
Instance Method Details
#check_authorization(method, path, params) ⇒ Object
Checks whether this request is allowed by our ACL; raises a Puppet::Network::AuthorizedError if the request is denied.
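# File 'lib/puppet/network/authconfig.rb', line 80
# check whether this request is allowed in our ACL
# raise an Puppet::Network::AuthorizedError if the request is denied.
#
# The rendered listing lost the method name and the local variable; both are
# restored here (the name from the method summary, the variable from the
# %{authorization_failure_exception} key it is interpolated under). The rights
# table answers with either nil (allowed) or the exception explaining the
# denial, which is logged and then raised.
#
# @param method [Symbol] the indirector verb being attempted (e.g. :find, :save)
# @param path [String] the request path matched against the ACL entries
# @param params [Hash] request parameters passed through to the rights check
# @return [nil] when the request is allowed
# @raise [Exception] the object returned by Rights#is_request_forbidden_and_why?
def check_authorization(method, path, params)
  authorization_failure_exception = @rights.is_request_forbidden_and_why?(method, path, params)
  return unless authorization_failure_exception

  # Log the denial before raising so an operator can see who was refused and
  # why, not merely that the client received an error.
  Puppet.warning(_("Denying access: %{authorization_failure_exception}") % { authorization_failure_exception: authorization_failure_exception })
  raise authorization_failure_exception
end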
#insert_default_acl ⇒ Object
Forces the regular (default) ACLs to be present.
# File 'lib/puppet/network/authconfig.rb', line 51
# force regular ACLs to be present
#
# Walks the class's default ACL table and creates a right for every entry
# whose path has no right yet, so a rights table that omits the built-in
# rules still receives them; a right that already exists for the same path
# is left untouched (the supplied table wins). Finally a catch-all "/" right
# with no allow list is added when none exists.
def insert_default_acl
  self.class.default_acl.each do |acl|
    next if rights[acl[:acl]]

    Puppet.info(_("Inserting default '%{acl}' (auth %{auth}) ACL") % { acl: acl[:acl], auth: acl[:authenticated] })
    mk_acl(acl)
  end
  # queue an empty (ie deny all) right for every other path
  # actually this is not strictly necessary as the rights system
  # denies not explicitly allowed paths
  rights.newright("/").restrict_authenticated(:any) unless rights["/"]
end
#mk_acl(acl) ⇒ Object
# File 'lib/puppet/network/authconfig.rb', line 66
# Create one right in the rights table from an ACL description.
#
# @param acl [Hash] one entry in the shape of .default_acl:
#   :acl the path (required), :allow the permitted requesters (defaults to
#   "*", i.e. everyone the other restrictions admit), :method a verb or array
#   of verbs the right is limited to, :authenticated passed straight to
#   Right#restrict_authenticated when present
# @return [Object] the value of the last restriction call; callers do not use it
def mk_acl(acl)
  right = @rights.newright(acl[:acl])
  right.allow(acl[:allow] || "*")

  restricted = acl[:method]
  if restricted
    # A single verb and a list of verbs are both accepted.
    verbs = restricted.is_a?(Array) ? restricted : [restricted]
    verbs.each { |verb| right.restrict_method(verb) }
  end

  auth = acl[:authenticated]
  right.restrict_authenticated(auth) unless auth.nil?
end