class Puppet::Network::Rights

Rights class manages a list of ACLs for paths.

Public Class Methods

new()
# File lib/puppet/network/rights.rb, line 71
# Start with an empty ACL list; rights are added afterwards (see newright).
def initialize
  @rights = Array.new
end

Public Instance Methods

[](name)
# File lib/puppet/network/rights.rb, line 75
# Look up the ACL registered for +name+.
#
# Each ACL is compared to +name+ with its own +==+; the first one that matches
# is returned, or nil when nothing is registered under that name.
def [](name)
  @rights.each { |right| return right if right == name }
  nil
end
allowed?(name, *args)

Check whether +name+ is allowed.

# File lib/puppet/network/rights.rb, line 12
# Check whether +name+ is allowed.
#
# The positional +args+ are read as (node, ip); anything beyond those two is
# ignored, and no :method or :authenticated detail reaches the ACLs from here.
# The reason for a denial is dropped; use is_forbidden_and_why? to obtain it.
#
# @return [Boolean]
def allowed?(name, *args)
  node, ip = args
  !is_forbidden_and_why?(name, :node => node, :ip => ip)
end
each() { |name, r| ... }
# File lib/puppet/network/rights.rb, line 87
# Yield every ACL as (name, right), in registration order.
def each
  @rights.each do |right|
    yield(right.name, right)
  end
end
empty?()
# File lib/puppet/network/rights.rb, line 79
# True when no ACL has been registered.
def empty?
  @rights.length.zero?
end
include?(name)
# File lib/puppet/network/rights.rb, line 83
# True when some registered ACL is equal to +name+ (by the ACL's +==+).
def include?(name)
  @rights.any? { |right| right == name }
end
is_forbidden_and_why?(name, args = {})
# File lib/puppet/network/rights.rb, line 35
# Work out whether +name+ is forbidden for the requester described by +args+
# and, if so, why.
#
# ACLs are consulted in registration order. The first one that both matches
# +name+ and gives a definite answer decides: a truthy answer allows the
# request (nil is returned), a false one denies it. An ACL answering :dunno is
# skipped, e.g. when it matches the path but not the current rest method and a
# more specific ACL may still apply. When no ACL gives a definite answer the
# request is denied as well, so an unmatched path is never allowed.
#
# Side effect: +args[:match]+ is overwritten with the match data of every ACL
# consulted, so callers should pass a hash they do not mind being modified.
#
# @param name [String] the path being requested
# @param args [Hash] :node, :ip, :method and :authenticated describe the request
# @return [AuthorizationError, nil] the denial, whose message carries node, ip,
#   method, authentication state and the denying ACL's file:line (when one
#   denied rather than none matched), or nil when allowed
def is_forbidden_and_why?(name, args = {})
  denying_acl = nil
  @rights.each do |acl|
    match = acl.match?(name)
    next unless match
    args[:match] = match
    verdict = acl.allowed?(args[:node], args[:ip], args)
    # :dunno means "I'm not qualified to answer"; let a later acl decide.
    next if verdict == :dunno
    # A definite yes ends the search immediately.
    return nil if verdict
    # A definite no: remember which acl denied and stop looking.
    denying_acl = acl
    break
  end

  # Either no acl matched or one explicitly denied; report it either way.
  host_description =
    if args[:node]
      "#{args[:node]}(#{args[:ip]})"
    else
      args[:ip]
    end

  parts = ["#{host_description} access to #{name} [#{args[:method]}]"]
  parts << " authenticated " if args[:authenticated]
  parts << " at #{denying_acl.file}:#{denying_acl.line}" if denying_acl

  AuthorizationError.new("Forbidden request: #{parts.join}")
end
is_request_forbidden_and_why?(indirection, method, key, params)
# File lib/puppet/network/rights.rb, line 16
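# Work out whether a REST request on +indirection+/+key+ is forbidden and why.
#
# A :head request is allowed when either :find or :save would be; any other
# method is checked as itself. Every candidate method is checked, each against
# the path "/indirection/key" with :method added to a copy of +params+ (the
# caller's hash is not modified).
#
# @param indirection [String, Symbol] indirection name
# @param method [Symbol] REST method being requested
# @param key [String] indirection key
# @param params [Hash] request details passed through to is_forbidden_and_why?
# @return [AuthorizationError, nil] nil when any checked method is allowed,
#   otherwise the first failure (the :find one for a :head request)
def is_request_forbidden_and_why?(indirection, method, key, params)
  methods_to_check = if method == :head
                       # :head is ok if either :find or :save is ok.
                       [:find, :save]
                     else
                       [method]
                     end
  # The block parameter is named `candidate` rather than `method`: the old name
  # shadowed the `method` parameter above (and Kernel#method), which reads as a
  # bug even though the block-local binding kept it harmless.
  authorization_failure_exceptions = methods_to_check.map do |candidate|
    is_forbidden_and_why?("/#{indirection}/#{key}", params.merge(:method => candidate))
  end
  if authorization_failure_exceptions.include?(nil)
    # One of the methods we checked is ok, therefore this request is ok.
    nil
  else
    # Just need to return any of the failure exceptions.
    authorization_failure_exceptions.first
  end
end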
newright(name, line=nil, file=nil)

Define a new right to which access can be provided.

# File lib/puppet/network/rights.rb, line 92
# Define a new right to which access can be provided.
#
# +line+ and +file+ record where the right was declared; a denial reported by
# is_forbidden_and_why? points back at them. Returns whatever add_right returns.
def newright(name, line=nil, file=nil)
  right = Right.new(name, line, file)
  add_right(right)
end