Merge pull request puppetlabs#3430 from rlinehan/feature/master/PUP-3…

…644-move-urls-to-v3

(PUP-3644) Move urls to v3

acceptance/tests/allow_arbitrary_node_name_fact_for_agent.rb

@@ -14,15 +14,15 @@
 authfile = "#{testdir}/auth.conf"
 authconf = node_names.map do |node_name|
   %Q[
-path /catalog/#{node_name}
+path /v3/catalog/#{node_name}
 auth yes
 allow *
 
-path /node/#{node_name}
+path /v3/node/#{node_name}
 auth yes
 allow *
 
-path /report/#{node_name}
+path /v3/report/#{node_name}
 auth yes
 allow *
 ]

acceptance/tests/allow_arbitrary_node_name_for_agent.rb

@@ -5,15 +5,15 @@
 
 authfile = "#{in_testdir}/auth.conf"
 authconf = <<-AUTHCONF
-path /catalog/specified_node_name
+path /v3/catalog/specified_node_name
 auth yes
 allow *
 
-path /node/specified_node_name
+path /v3/node/specified_node_name
 auth yes
 allow *
 
-path /report/specified_node_name
+path /v3/report/specified_node_name
 auth yes
 allow *
 AUTHCONF

acceptance/tests/concurrency/ticket_2659_concurrent_catalog_requests.rb

@@ -82,7 +82,7 @@
         (
           sleep_for="0.$(( $RANDOM % 49 ))"
           sleep $sleep_for
-          url='https://#{master}:8140/catalog/#{agent_cert}?environment=production'
+          url='https://#{master}:8140/v3/catalog/#{agent_cert}?environment=production'
           echo "Curling: $url"
           curl --tlsv1 -v -# -H 'Accept: text/pson' --cert #{cert_path} --key #{key_path} --cacert #{cacert_path} $url
           echo "$PPID Completed"

acceptance/tests/external_ca_support/fixtures/auth.conf

@@ -2,24 +2,24 @@
 # external ca testing.
 
 # allow nodes to retrieve their own catalog
-path ~ ^/catalog/([^/]+)$
+path ~ ^/v3/catalog/([^/]+)$
 method find
 allow *.example.org
 allow $1
 
 # allow nodes to retrieve their own node definition
-path ~ ^/node/([^/]+)$
+path ~ ^/v3/node/([^/]+)$
 method find
 allow *.example.org
 allow $1
 
 # allow all nodes to access the certificates services
-path /certificate_revocation_list/ca
+path /v3/certificate_revocation_list/ca
 method find
 allow *
 
 # allow all nodes to store their own reports
-path ~ ^/report/([^/]+)$
+path ~ ^/v3/report/([^/]+)$
 method save
 allow *.example.org
 allow $1
@@ -29,27 +29,27 @@ allow $1
 # mount points (see fileserver.conf). Note that the `/file` prefix matches
 # requests to both the file_metadata and file_content paths. See "Examples"
 # above if you need more granular access control for custom mount points.
-path /file
+path /v3/file
 allow *
 
 ### Unauthenticated ACLs, for clients without valid certificates; authenticated
 ### clients can also access these paths, though they rarely need to.
 
 # allow access to the CA certificate; unauthenticated nodes need this
 # in order to validate the puppet master's certificate
-path /certificate/ca
+path /v3/certificate/ca
 auth any
 method find
 allow *
 
 # allow nodes to retrieve the certificate they requested earlier
-path /certificate/
+path /v3/certificate/
 auth any
 method find
 allow *
 
 # allow nodes to request a new certificate
-path /certificate_request
+path /v3/certificate_request
 auth any
 method find, save
 allow *

acceptance/tests/node/check_woy_cache_works.rb

@@ -7,15 +7,15 @@
 
 node_name = "woy_node_#{SecureRandom.hex}"
 auth_contents = <<AUTHCONF
-path /catalog/#{node_name}
+path /v3/catalog/#{node_name}
 auth yes
 allow *
 
-path /node/#{node_name}
+path /v3/node/#{node_name}
 auth yes
 allow *
 
-path /report/#{node_name}
+path /v3/report/#{node_name}
 auth yes
 allow *
 AUTHCONF

acceptance/tests/security/cve-2013-1652_improper_query_params.rb

@@ -12,7 +12,7 @@
 
       certname = on(agent, puppet('agent', "--configprint certname")).stdout.chomp
 
-      payload = "https://#{master}:8140/production/catalog/#{certname}?use_node=" +
+      payload = "https://#{master}:8140/v3/catalog/#{certname}?environment=production&use_node=" +
                 "---%20!ruby/object:Puppet::Node%0A%20%20" +
                 "name:%20#{master}%0A%20%20classes:%20\[\]%0A%20%20" +
                 "parameters:%20%7B%7D%0A%20%20facts:%20%7B%7D"

acceptance/tests/security/cve-2013-2275_report_acl.rb

@@ -20,7 +20,7 @@
     "--key \"$(puppet master --configprint hostprivkey)\"",
     "-H 'Content-Type: text/yaml'",
     "-d '#{fake_report}'",
-    "\"https://#{master}:8140/report/mccune?environment=production\"",
+    "\"https://#{master}:8140/v3/report/mccune?environment=production\"",
   ].join(" ")
 
   on master, submit_fake_report_cmd, :acceptable_exit_codes => [0] do

conf/auth.conf

@@ -61,22 +61,22 @@
 ### has a valid certificate and is thus authenticated
 
 # allow nodes to retrieve their own catalog
-path ~ ^/catalog/([^/]+)$
+path ~ ^/v3/catalog/([^/]+)$
 method find
 allow $1
 
 # allow nodes to retrieve their own node definition
-path ~ ^/node/([^/]+)$
+path ~ ^/v3/node/([^/]+)$
 method find
 allow $1
 
 # allow all nodes to access the certificates services
-path /certificate_revocation_list/ca
+path /v3/certificate_revocation_list/ca
 method find
 allow *
 
 # allow all nodes to store their own reports
-path ~ ^/report/([^/]+)$
+path ~ ^/v3/report/([^/]+)$
 method save
 allow $1
 
@@ -85,27 +85,27 @@ allow $1
 # mount points (see fileserver.conf). Note that the `/file` prefix matches
 # requests to both the file_metadata and file_content paths. See "Examples"
 # above if you need more granular access control for custom mount points.
-path /file
+path /v3/file
 allow *
 
 ### Unauthenticated ACLs, for clients without valid certificates; authenticated
 ### clients can also access these paths, though they rarely need to.
 
 # allow access to the CA certificate; unauthenticated nodes need this
 # in order to validate the puppet master's certificate
-path /certificate/ca
+path /v3/certificate/ca
 auth any
 method find
 allow *
 
 # allow nodes to retrieve the certificate they requested earlier
-path /certificate/
+path /v3/certificate/
 auth any
 method find
 allow *
 
 # allow nodes to request a new certificate
-path /certificate_request
+path /v3/certificate_request
 auth any
 method find, save
 allow *
@@ -114,6 +114,10 @@ path /v2.0/environments
 method find
 allow *
 
+path /v3/environments
+method find
+allow *
+
 # deny everything else; this ACL is not strictly necessary, but
 # illustrates the default policy.
 path /

lib/puppet/indirector/request.rb

@@ -176,10 +176,6 @@ def to_hash
     result
   end
 
-  def to_s
-    return(uri ? uri : "/#{indirection_name}/#{key}")
-  end
-
   def do_request(srv_service=:puppet, default_server=Puppet.settings[:server], default_port=Puppet.settings[:masterport], &block)
     # We were given a specific server to use, so just use that one.
     # This happens if someone does something like specifying a file

lib/puppet/indirector/rest.rb

@@ -2,12 +2,15 @@
 require 'uri'
 
 require 'puppet/network/http'
+require 'puppet/network/http/api/v3/indirected_routes'
 require 'puppet/network/http_pool'
 
 # Access objects via REST
 class Puppet::Indirector::REST < Puppet::Indirector::Terminus
   include Puppet::Network::HTTP::Compression.module
 
+  IndirectedRoutes = Puppet::Network::HTTP::API::V3::IndirectedRoutes
+
   class << self
     attr_reader :server_setting, :port_setting
   end
@@ -82,7 +85,7 @@ def http_request(method, request, *args)
   end
 
   def find(request)
-    uri, body = Puppet::Network::HTTP::API::V1.request_to_uri_and_body(request)
+    uri, body = IndirectedRoutes.request_to_uri_and_body(request)
     uri_with_query_string = "#{uri}?#{body}"
 
     response = do_request(request) do |req|
@@ -120,7 +123,7 @@ def find(request)
 
   def head(request)
     response = do_request(request) do |req|
-      http_head(req, Puppet::Network::HTTP::API::V1.request_to_uri(req), headers)
+      http_head(req, IndirectedRoutes.request_to_uri(req), headers)
     end
 
     if is_http_200?(response)
@@ -132,7 +135,7 @@ def head(request)
 
   def search(request)
     response = do_request(request) do |req|
-      http_get(req, Puppet::Network::HTTP::API::V1.request_to_uri(req), headers)
+      http_get(req, IndirectedRoutes.request_to_uri(req), headers)
     end
 
     if is_http_200?(response)
@@ -147,7 +150,7 @@ def destroy(request)
     raise ArgumentError, "DELETE does not accept options" unless request.options.empty?
 
     response = do_request(request) do |req|
-      http_delete(req, Puppet::Network::HTTP::API::V1.request_to_uri(req), headers)
+      http_delete(req, IndirectedRoutes.request_to_uri(req), headers)
     end
 
     if is_http_200?(response)
@@ -162,7 +165,7 @@ def save(request)
     raise ArgumentError, "PUT does not accept options" unless request.options.empty?
 
     response = do_request(request) do |req|
-      http_put(req, Puppet::Network::HTTP::API::V1.request_to_uri(req), req.instance.render, headers.merge({ "Content-Type" => req.instance.mime }))
+      http_put(req, IndirectedRoutes.request_to_uri(req), req.instance.render, headers.merge({ "Content-Type" => req.instance.mime }))
     end
 
     if is_http_200?(response)

lib/puppet/network/authconfig.rb

@@ -6,22 +6,24 @@ class Network::AuthConfig
     attr_accessor :rights
 
     DEFAULT_ACL = [
-      { :acl => "~ ^\/catalog\/([^\/]+)$", :method => :find, :allow => '$1', :authenticated => true },
-      { :acl => "~ ^\/node\/([^\/]+)$", :method => :find, :allow => '$1', :authenticated => true },
+      # API V2.0
+      { :acl => "/v2.0/environments", :method => :find, :allow => '*', :authenticated => true },
+
+      # API V3
+      { :acl => "~ ^\/v3\/catalog\/([^\/]+)$", :method => :find, :allow => '$1', :authenticated => true },
+      { :acl => "~ ^\/v3\/node\/([^\/]+)$", :method => :find, :allow => '$1', :authenticated => true },
       # this one will allow all file access, and thus delegate
       # to fileserver.conf
-      { :acl => "/file" },
-      { :acl => "/certificate_revocation_list/ca", :method => :find, :authenticated => true },
-      { :acl => "~ ^\/report\/([^\/]+)$", :method => :save, :allow => '$1', :authenticated => true },
+      { :acl => "/v3/file" },
+      { :acl => "/v3/certificate_revocation_list/ca", :method => :find, :authenticated => true },
+      { :acl => "~ ^\/v3\/report\/([^\/]+)$", :method => :save, :allow => '$1', :authenticated => true },
       # These allow `auth any`, because if you can do them anonymously you
       # should probably also be able to do them when trusted.
-      { :acl => "/certificate/ca", :method => :find, :authenticated => :any },
-      { :acl => "/certificate/", :method => :find, :authenticated => :any },
-      { :acl => "/certificate_request", :method => [:find, :save], :authenticated => :any },
-      { :acl => "/status", :method => [:find], :authenticated => true },
-
-      # API V2.0
-      { :acl => "/v2.0/environments", :method => :find, :allow => '*', :authenticated => true },
+      { :acl => "/v3/certificate/ca", :method => :find, :authenticated => :any },
+      { :acl => "/v3/certificate/", :method => :find, :authenticated => :any },
+      { :acl => "/v3/certificate_request", :method => [:find, :save], :authenticated => :any },
+      { :acl => "/v3/status", :method => [:find], :authenticated => true },
+      { :acl => "/v3/environments", :method => :find, :allow => '*', :authenticated => true },
     ]
 
     # Just proxy the setting methods to our rights stuff

lib/puppet/network/http.rb

@@ -2,12 +2,13 @@ module Puppet::Network::HTTP
   HEADER_ENABLE_PROFILING = "X-Puppet-Profiling"
   HEADER_PUPPET_VERSION = "X-Puppet-Version"
 
+  require 'puppet/network/authorization'
   require 'puppet/network/http/issues'
   require 'puppet/network/http/error'
   require 'puppet/network/http/route'
   require 'puppet/network/http/api'
-  require 'puppet/network/http/api/v1'
   require 'puppet/network/http/api/v2'
+  require 'puppet/network/http/api/v3'
   require 'puppet/network/http/handler'
   require 'puppet/network/http/response'
   require 'puppet/network/http/request'

lib/puppet/network/http/api/v3.rb

@@ -0,0 +1,22 @@
+class Puppet::Network::HTTP::API::V3
+  require 'puppet/network/http/api/v3/authorization'
+  require 'puppet/network/http/api/v3/environments'
+  require 'puppet/network/http/api/v3/indirected_routes'
+
+  AUTHZ = Authorization.new
+
+  INDIRECTED = Puppet::Network::HTTP::Route.
+      path(/.*/).
+      any(Puppet::Network::HTTP::API::V3::IndirectedRoutes.new)
+
+  ENVIRONMENTS = Puppet::Network::HTTP::Route.
+      path(%r{^/environments$}).get(AUTHZ.wrap do
+    Environments.new(Puppet.lookup(:environments))
+  end)
+
+  def self.routes
+    Puppet::Network::HTTP::Route.path(%r{/v3}).
+        any.
+        chain(ENVIRONMENTS, INDIRECTED)
+  end
+end

lib/puppet/network/http/api/v3/authorization.rb

@@ -0,0 +1,18 @@
+require 'puppet/network/authorization'
+
+class Puppet::Network::HTTP::API::V3::Authorization
+  include Puppet::Network::Authorization
+
+  def wrap(&block)
+    lambda do |request, response|
+      begin
+        authconfig.check_authorization(:find, request.path, request.params)
+      rescue Puppet::Network::AuthorizationError => e
+        raise Puppet::Network::HTTP::Error::HTTPNotAuthorizedError.new(e.message, Puppet::Network::HTTP::Issues::FAILED_AUTHORIZATION)
+      end
+
+      block.call.call(request, response)
+    end
+  end
+
+end