puppet 0.13.6 → 0.16.0

data/lib/puppet/server.rb

@@ -27,6 +27,16 @@ module Puppet
         class Server < WEBrick::HTTPServer
             include Puppet::Daemon
 
+            # Create our config object if necessary.  This works even if
+            # there's no configuration file.
+            def authconfig
+                unless defined? @authconfig
+                    @authconfig = Puppet::Server::AuthConfig.new()
+                end
+
+                @authconfig
+            end
+
             def initialize(hash = {})
                 Puppet.info "Starting server for Puppet version %s" % Puppet.version
                 daemonize = nil
@@ -158,6 +168,7 @@ module Puppet
 end
 
 require 'puppet/server/authstore'
+require 'puppet/server/authconfig'
 require 'puppet/server/servlet'
 require 'puppet/server/master'
 require 'puppet/server/ca'
@@ -166,4 +177,4 @@ require 'puppet/server/filebucket'
 require 'puppet/server/logger'
 require 'puppet/client'
 
-# $Id: server.rb 873 2006-02-07 23:12:33Z luke $
+# $Id: server.rb 1129 2006-04-21 19:14:59Z luke $

data/lib/puppet/server/authconfig.rb

@@ -0,0 +1,166 @@
+require 'puppet/parsedfile'
+require 'puppet/server/rights'
+
+module Puppet
+class Server
+
+class ConfigurationError < Puppet::Error; end
+
+class AuthConfig < Puppet::ParsedFile
+    Puppet.config.setdefaults(:puppet,
+        :authconfig => [ "$confdir/namespaceauth.conf",
+            "The configuration file that defines the rights to the different
+            namespaces and methods.  This can be used as a coarse-grained
+            authorization system for both ``puppetd`` and ``puppetmasterd``."
+        ]
+    )
+
+    # Just proxy the setting methods to our rights stuff
+    [:allow, :deny].each do |method|
+        define_method(method) do |*args|
+            @rights.send(method, *args)
+        end         
+    end
+
+    # Here we add a little bit of semantics.  They can set auth on a whole namespace
+    # or on just a single method in the namespace.
+    def allowed?(name, host, ip)
+        namespace, method = name.to_s.split(".")
+        unless namespace and method
+            raise ArgumentError, "Invalid method name %s" % name
+        end
+
+        name        = name.intern if name.is_a? String
+        namespace   = namespace.intern
+        method      = method.intern
+
+        if @rights.include?(name)
+            return @rights[name].allowed?(host, ip)
+        elsif @rights.include?(namespace)
+            return @rights[namespace].allowed?(host, ip)
+        else
+            return false
+        end
+    end
+
+    # Does the file exist?  Puppetmasterd does not require it, but
+    # puppetd does.
+    def exists?
+        FileTest.exists?(@file)
+    end
+
+    def initialize(file = nil, parsenow = true)
+        @file ||= Puppet[:authconfig]
+        return unless self.exists?
+        super(file)
+        @rights = Rights.new
+        @configstamp = @configtimeout = @configstatted = nil
+
+        if parsenow
+            read()
+        end
+    end
+
+    # Read the configuration file.
+    def read
+        return unless FileTest.exists?(@file)
+
+        if @configstamp
+            if @configtimeout and @configstatted
+                if Time.now - @configstatted > @configtimeout
+                    @configstatted = Time.now
+                    tmp = File.stat(@file).ctime
+
+                    if tmp == @configstamp
+                        return
+                    end
+                else
+                    return
+                end
+            end
+        end
+
+        parse()
+
+        @configstamp = File.stat(@file).ctime
+        @configstatted = Time.now
+    end
+
+    private
+
+    def parse
+        newrights = Puppet::Server::Rights.new
+        begin
+            File.open(@file) { |f|
+                right = nil
+                count = 1
+                f.each { |line|
+                    case line
+                    when /^\s*#/: next # skip comments
+                    when /^\s*$/: next # skip blank lines
+                    when /\[([\w.]+)\]/: # "namespace" or "namespace.method"
+                        name = $1
+                        if newrights.include?(name)
+                            raise FileServerError, "%s is already set at %s" %
+                                [newrights[name], name]
+                        end
+                        newrights.newright(name)
+                        right = newrights[name]
+                    when /^\s*(\w+)\s+(.+)$/:
+                        var = $1
+                        value = $2
+                        case var
+                        when "allow":
+                            value.split(/\s*,\s*/).each { |val|
+                                begin
+                                    right.info "allowing %s access" % val
+                                    right.allow(val)
+                                rescue AuthStoreError => detail
+                                    raise ConfigurationError, "%s at line %s of %s" %
+                                        [detail.to_s, count, @config]
+                                end
+                            }
+                        when "deny":
+                            value.split(/\s*,\s*/).each { |val|
+                                begin
+                                    right.info "denying %s access" % val
+                                    right.deny(val)
+                                rescue AuthStoreError => detail
+                                    raise ConfigurationError, "%s at line %s of %s" %
+                                        [detail.to_s, count, @config]
+                                end
+                            }
+                        else
+                            raise ConfigurationError,
+                                "Invalid argument '%s' at line %s" % [var, count]
+                        end
+                    else
+                        raise ConfigurationError, "Invalid line %s: %s" % [count, line]
+                    end
+                    count += 1
+                }
+            }
+        rescue Errno::EACCES => detail
+            Puppet.err "Configuration error: Cannot read %s; cannot serve" % @file
+            #raise Puppet::Error, "Cannot read %s" % @config
+        rescue Errno::ENOENT => detail
+            Puppet.err "Configuration error: '%s' does not exit; cannot serve" %
+                @file
+            #raise Puppet::Error, "%s does not exit" % @config
+        #rescue FileServerError => detail
+        #    Puppet.err "FileServer error: %s" % detail
+        end
+
+        # Verify each of the rights are valid.
+        # We let the check raise an error, so that it can raise an error
+        # pointing to the specific problem.
+        newrights.each { |name, right|
+            right.valid?
+        }
+        @rights = newrights
+    end
+end
+end
+end
+
+# $Id: authconfig.rb 1129 2006-04-21 19:14:59Z luke $

data/lib/puppet/server/authstore.rb

@@ -9,12 +9,13 @@ class Server
     class AuthorizationError < Puppet::Error; end
 
     class AuthStore
-        ORDER = {
-            :ip => [:ip],
-            :name => [:hostname, :domain]
-        }
+        # This has to be an array, not a hash, else it loses its ordering.
+        ORDER = [
+            [:ip, [:ip]],
+            [:name, [:hostname, :domain]]
+        ]
 
-        Puppet::Util.logmethods(self, false)
+        Puppet::Util.logmethods(self, true)
 
         def allow(pattern)
             # a simple way to allow anyone at all to connect
@@ -49,6 +50,7 @@ class Server
                     value = name.split(".").reverse
                 end
 
+
                 array.each { |type|
                     [[@deny, false], [@allow, true]].each { |ary|
                         hash, retval = ary
@@ -221,4 +223,4 @@ class Server
 end
 end
 #
-# $Id: authstore.rb 826 2006-01-14 00:20:14Z luke $
+# $Id: authstore.rb 1129 2006-04-21 19:14:59Z luke $

data/lib/puppet/server/ca.rb

@@ -79,35 +79,12 @@ class Server
                 return ""
             end
 
-            # okay, we're now going to store the public key if we don't already
-            # have it
-            public_key = csr.public_key
-            #unless FileTest.directory?(Puppet[:publickeydir])
-            #    Puppet.recmkdir(Puppet[:publickeydir])
-            #end
-            pkeyfile = File.join(Puppet[:publickeydir], [hostname, "pem"].join('.'))
+            # We used to save the public key, but it's basically unnecessary
+            # and it mucks with the permissions requirements.
+            # save_pk(hostname, csr.public_key)
 
-            if FileTest.exists?(pkeyfile)
-                currentkey = File.open(pkeyfile) { |k| k.read }
-                unless currentkey == public_key.to_s
-                    raise Puppet::Error, "public keys for %s differ" % hostname
-                end
-            else
-                File.open(pkeyfile, "w", 0644) { |f|
-                    f.print public_key.to_s
-                }
-            end
-            #unless FileTest.directory?(Puppet[:certdir])
-            #    Puppet.recmkdir(Puppet[:certdir], 0770)
-            #end
             certfile = File.join(Puppet[:certdir], [hostname, "pem"].join("."))
 
-            #puts hostname
-            #puts certfile
-
-            #unless FileTest.directory?(Puppet[:csrdir])
-            #    Puppet.recmkdir(Puppet[:csrdir], 0770)
-            #end
             # first check to see if we already have a signed cert for the host
             cert, cacert = ca.getclientcert(hostname)
             if cert and cacert
@@ -139,6 +116,26 @@ class Server
                 raise "huh?"
             end
         end
+
+        private
+
+        # Save the public key.
+        def save_pk(hostname, public_key)
+            pkeyfile = File.join(Puppet[:publickeydir], [hostname, "pem"].join('.'))
+
+            if FileTest.exists?(pkeyfile)
+                currentkey = File.open(pkeyfile) { |k| k.read }
+                unless currentkey == public_key.to_s
+                    raise Puppet::Error, "public keys for %s differ" % hostname
+                end
+            else
+                File.open(pkeyfile, "w", 0644) { |f|
+                    f.print public_key.to_s
+                }
+            end
+        end
     end
 end
 end
+
+# $Id: ca.rb 1053 2006-04-02 23:39:02Z luke $

data/lib/puppet/server/filebucket.rb

@@ -3,10 +3,8 @@
 
 
 require 'webrick'
-#require 'webrick/https'
 require 'xmlrpc/server'
 require 'xmlrpc/client'
-#require 'webrick/httpstatus'
 require 'facter'
 require 'digest/md5'
 require 'puppet/base64'
@@ -29,6 +27,9 @@ class Server
             iface.add_method("string getfile(string)")
         }
 
+        Puppet::Util.logmethods(self, true)
+        attr_reader :name
+
         # this doesn't work for relative paths
         def FileBucket.paths(base,md5)
             return [
@@ -39,8 +40,6 @@ class Server
         end
 
         def initialize(hash)
-            # build our AST
-
             if hash.include?(:ConflictCheck)
                 @conflictchk = hash[:ConflictCheck]
                 hash.delete(:ConflictCheck)
@@ -59,28 +58,27 @@ class Server
                 end
             end
 
-            Puppet.recmkdir(@bucket)
+            Puppet.config.use(:filebucket)
+
+            @name = "filebucket[#{Puppet[:bucketdir]}]"
         end
 
         # accept a file from a client
         def addfile(string,path, client = nil, clientip = nil)
-            #puts "entering addfile"
             contents = Base64.decode64(string)
-            #puts "string is decoded"
-
             md5 = Digest::MD5.hexdigest(contents)
-            #puts "md5 is made"
 
             bpath, bfile, pathpath = FileBucket.paths(@bucket,md5)
 
             # if it's a new directory...
             if Puppet.recmkdir(bpath)
+                msg = "Adding %s(%s)" % [path, md5]
+                msg += " from #{client}" if client
+                self.info msg
                 # ...then just create the file
-                #puts "creating file"
-                File.open(bfile, File::WRONLY|File::CREAT) { |of|
+                File.open(bfile, File::WRONLY|File::CREAT, 0440) { |of|
                     of.print contents
                 }
-                #puts "File is created"
             else # if the dir already existed...
                 # ...we need to verify that the contents match the existing file
                 if @conflictchk
@@ -89,21 +87,23 @@ class Server
                             "No file at %s for sum %s" % [bfile,md5], caller)
                     end
 
-                    curfile = ""
-                    File.open(bfile) { |of|
-                        curfile = of.read
-                    }
+                    curfile = File.read(bfile)
 
-                    # if the contents don't match, then we've found a conflict
-                    # unlikely, but quite bad
+                    # If the contents don't match, then we've found a conflict.
+                    # Unlikely, but quite bad.
                     if curfile != contents
                         raise(BucketError,
                             "Got passed new contents for sum %s" % md5, caller)
+                    else
+                        msg = "Got duplicate %s(%s)" % [path, md5]
+                        msg += " from #{client}" if client
+                        self.info msg
                     end
                 end
-                #puts "Conflict check is done"
             end
 
+            contents = ""
+
             # in either case, add the passed path to the list of paths
             paths = nil
             addpath = false
@@ -119,14 +119,12 @@ class Server
             else
                 addpath = true
             end
-            #puts "Path is checked"
 
             # if it's a new file, or if our path isn't in the file yet, add it
             if addpath
                 File.open(pathpath, File::WRONLY|File::CREAT|File::APPEND) { |of|
                     of.puts path
                 }
-                #puts "Path is added"
             end
 
             return md5
@@ -146,9 +144,12 @@ class Server
 
             return Base64.encode64(contents)
         end
-        #---------------------------------------------------------------
+
+        def to_s
+            self.name
+        end
     end
 end
 end
 #
-# $Id: filebucket.rb 963 2006-03-01 23:09:23Z luke $
+# $Id: filebucket.rb 1113 2006-04-17 16:15:33Z luke $

data/lib/puppet/server/fileserver.rb

@@ -3,8 +3,8 @@ require 'webrick/httpstatus'
 require 'cgi'
 
 module Puppet
+class FileServerError < Puppet::Error; end
 class Server
-    class FileServerError < Puppet::Error; end
     class FileServer < Handler
         attr_accessor :local
 
@@ -16,53 +16,36 @@ class Server
         CHECKPARAMS = [:mode, :type, :owner, :group, :checksum]
 
         @interface = XMLRPC::Service::Interface.new("fileserver") { |iface|
-            iface.add_method("string describe(string)")
-            iface.add_method("string list(string, boolean, array)")
-            iface.add_method("string retrieve(string)")
+            iface.add_method("string describe(string, string)")
+            iface.add_method("string list(string, string, boolean, array)")
+            iface.add_method("string retrieve(string, string)")
         }
 
         def authcheck(file, mount, client, clientip)
             unless mount.allowed?(client, clientip)
-                Puppet.warning "%s cannot access %s in %s" %
-                    [client, mount, file]
+                mount.warning "%s cannot access %s" %
+                    [client, file]
                 raise Puppet::Server::AuthorizationError, "Cannot access %s" % mount
             end
         end
 
-        # Run 'retrieve' on a file.  This gets the actual parameters, so
-        # we can pass them to the client.
-        def check(dir)
-            unless FileTest.exists?(dir)
-                Puppet.notice "File source %s does not exist" % dir
-                return nil
-            end
-
-            obj = nil
-            unless obj = Puppet.type(:file)[dir]
-                obj = Puppet.type(:file).create(
-                    :name => dir,
-                    :check => CHECKPARAMS
-                )
-            end
-            # we should really have a timeout here -- we don't
-            # want to actually check on every connection, maybe no more
-            # than every 60 seconds or something
-            #@files[mount].evaluate
-            obj.evaluate
-
-            return obj
-        end
-
         # Describe a given file.  This returns all of the manageable aspects
         # of that file.
-        def describe(file, client = nil, clientip = nil)
+        def describe(file, links = :ignore, client = nil, clientip = nil)
             readconfig
+
+            links = links.intern if links.is_a? String
+
+            if links == :manage
+                raise Puppet::FileServerError, "Cannot currently copy links"
+            end
+
             mount, path = splitpath(file)
 
             authcheck(file, mount, client, clientip)
 
             if client
-                Puppet.debug "Describing %s for %s" % [file, client]
+                mount.debug "Describing %s for %s" % [file, client]
             end
 
             sdir = nil
@@ -73,15 +56,20 @@ class Server
             end
 
             obj = nil
-            unless obj = self.check(sdir)
+            unless obj = mount.check(sdir, links)
                 return ""
             end
 
+            #if links == :ignore and obj[:type] == "link"
+            #    mount.info "Ignoring link %s" % obj.name
+            #    return ""
+            #end
+
             desc = []
             CHECKPARAMS.each { |check|
                 if state = obj.state(check)
                     unless state.is
-                        mount.notice "Manually retrieving info for %s" % check
+                        mount.debug "Manually retrieving info for %s" % check
                         state.retrieve
                     end
                     desc << state.is
@@ -148,14 +136,14 @@ class Server
         end
 
         # List a specific directory's contents.
-        def list(dir, recurse = false, ignore = false, client = nil, clientip = nil)
+        def list(dir, links = :ignore, recurse = false, ignore = false, client = nil, clientip = nil)
             readconfig
             mount, path = splitpath(dir)
 
             authcheck(dir, mount, client, clientip)
 
             if client
-                Puppet.debug "Listing %s for %s" % [dir, client]
+                mount.debug "Listing %s for %s" % [dir, client]
             end
 
             subdir = nil
@@ -199,7 +187,7 @@ class Server
             if FileTest.directory?(path)
                 if FileTest.readable?(path)
                     @mounts[name] = Mount.new(name, path)
-                    @mounts[name].info "Mounted"
+                    @mounts[name].info "Mounted %s" % path
                 else
                     raise FileServerError, "%s is not readable" % path
                 end
@@ -311,14 +299,15 @@ class Server
 
         # Retrieve a file from the local disk and pass it to the remote
         # client.
-        def retrieve(file, client = nil, clientip = nil)
+        def retrieve(file, links = :ignore, client = nil, clientip = nil)
             readconfig
+            links = links.intern if links.is_a? String
             mount, path = splitpath(file)
 
             authcheck(file, mount, client, clientip)
 
             if client
-                Puppet.info "Sending %s to %s" % [file, client]
+                mount.info "Sending %s to %s" % [file, client]
             end
 
             fpath = nil
@@ -332,7 +321,18 @@ class Server
                 return ""
             end
 
-            str = File.read(fpath)
+            links = links.intern if links.is_a? String
+
+            if links == :ignore and FileTest.symlink?(fpath)
+                return ""
+            end
+
+            str = nil
+            if links == :manage
+                raise Puppet::Error, "Cannot copy links yet."
+            else
+                str = File.read(fpath)
+            end
 
             if @local
                 return str
@@ -353,7 +353,8 @@ class Server
             )
         end
 
-        # Recursively list the directory.
+        # Recursively list the directory. FIXME This should be using
+        # puppet objects, not directly listing.
         def reclist(mount, root, path, recurse, ignore)
             # Take out the root of the path.
             name = path.sub(root, '')
@@ -441,6 +442,10 @@ class Server
             dirname
         end
 
+        def to_s
+            "fileserver"
+        end
+
         # A simple class for wrapping mount points.  Instances of this class
         # don't know about the enclosing object; they're mainly just used for
         # authorization.
@@ -449,6 +454,31 @@ class Server
 
             Puppet::Util.logmethods(self, true)
 
+            # Run 'retrieve' on a file.  This gets the actual parameters, so
+            # we can pass them to the client.
+            def check(dir, links)
+                unless FileTest.exists?(dir)
+                    self.notice "File source %s does not exist" % dir
+                    return nil
+                end
+
+                obj = fileobj(dir, links)
+
+                # FIXME we should really have a timeout here -- we don't
+                # want to actually check on every connection, maybe no more
+                # than every 60 seconds or something.  It'd be nice if we
+                # could use the builtin scheduling to do this.
+
+                # Retrieval is enough here, because we don't want to cache
+                # any information in the state file, and we don't want to generate
+                # any state changes or anything.  We don't even need to sync
+                # the checksum, because we're always going to hit the disk
+                # directly.
+                obj.retrieve
+
+                return obj
+            end
+
             # Create out orbject.  It must have a name.
             def initialize(name, path = nil)
                 unless name =~ %r{^\w+$}
@@ -462,9 +492,44 @@ class Server
                     @path = nil
                 end
 
+                @comp = Puppet.type(:component).create(
+                    :name => "mount[#{name}]"
+                )
+                #@comp.type = "mount"
+                #@comp.name = name
+
                 super()
             end
 
+            def fileobj(path, links)
+                obj = nil
+                if obj = Puppet.type(:file)[path]
+                    # This can only happen in local fileserving, but it's an
+                    # important one.  It'd be nice if we didn't just set
+                    # the check params every time, but I'm not sure it's worth
+                    # the effort.
+                    obj[:check] = CHECKPARAMS
+                else
+                    obj = Puppet.type(:file).create(
+                        :name => path,
+                        :check => CHECKPARAMS
+                    )
+
+                    @comp.push(obj)
+                end
+
+                if links == :manage
+                    links = :follow
+                end
+
+                # This, ah, might be completely redundant
+                unless obj[:links] == links
+                    obj[:links] = links
+                end
+
+                return obj
+            end
+
             # Set the path.
             def path=(path)
                 unless FileTest.exists?(path)
@@ -474,11 +539,15 @@ class Server
             end
 
             def to_s
-                if @path
-                    @name + ":" + @path
-                else
-                    @name
-                end
+                #if @path
+                #    "mount[#{@name}]" + ":" + @path
+                #else
+                #    "mount[#{@name}]"
+                #end
+                "mount[#{@name}]"
+            end
+
+            def type?(file)
             end
 
             # Verify our configuration is valid.  This should really check to
@@ -493,4 +562,4 @@ class Server
 end
 end
 
-# $Id: fileserver.rb 962 2006-03-01 22:28:27Z luke $
+# $Id: fileserver.rb 989 2006-03-06 21:19:34Z luke $