(puppetlabsGH-3296) Prefer cert auth to token auth for puppetdb client
Previously, regardless of using certs, any puppetdb token (either read from the default location or configured in settings) would be sent in the x-authentication header for puppetdb requests. In the case a cert is configured, do not include this, as the puppetdb endpoint will 401 in the case a valid cert but revoked token is presented.

!bug

* **Prefer cert based auth over token for puppetdb** ([puppetlabs#3296](puppetlabs#3296))

  When both a token and cert are computed for puppetdb config, only use
  cert auth. This matches behavior of other puppetdb CLI tools.
donoghuc committed Apr 11, 2024
1 parent 8266293 commit 6f0c8f8
Showing 2 changed files with 19 additions and 1 deletion.
8 changes: 7 additions & 1 deletion lib/bolt/puppetdb/config.rb
@@ -60,7 +60,7 @@ def self.default_config
end

def token
return @token if @token
return @token if @token_computed
# Allow nil in config to skip loading a token
if @settings.include?('token')
if @settings['token']
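Review bot: the guard change from `return @token if @token` to `return @token if @token_computed` is what makes a nil result cacheable, and the rest of the method depends on it; add a one-line comment on the `@token_computed` line stating that nil is now a valid, memoized result (cert configured), otherwise a future reader may "simplify" it back to the old guard and reintroduce the token file being re-read and re-sent on every call.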
@@ -69,6 +69,12 @@ def token
elsif File.exist?(DEFAULT_TOKEN)
@token = File.read(DEFAULT_TOKEN)
end
# Only use cert based auth in the case token and cert are both configured
if @token && cert
Bolt::Logger.logger(self).debug("Both cert and token based auth configured, using cert only")
@token = nil
end
@token_computed = true
@token = @token.strip if @token
end
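Review bot: the check `if @token && cert` runs after the token has already been read from `@settings` or `DEFAULT_TOKEN`, so the token file is still opened and read even when the value will be discarded; testing `cert` first and skipping the file read avoids touching a credential file that is never used. Also, the condition looks only at `cert`, while the spec setup in this commit deletes both `'cert'` and `'key'`; if a key is required alongside the cert for TLS client auth, a cert configured without a key would drop the token here and leave the request with no credential at all, so the condition should match whatever the client actually uses to decide that cert auth is in effect.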

12 changes: 12 additions & 0 deletions spec/unit/puppetdb/config_spec.rb
@@ -72,6 +72,8 @@
context "token" do
context "token is valid" do
before :each do
options.delete('cert')
options.delete('key')
allow(File).to receive(:read).with(token).and_return 'footoken'
allow(File).to receive(:read).with(Bolt::PuppetDB::Config::DEFAULT_TOKEN).and_return 'bartoken'
end
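Review bot: `options.delete('cert')` and `options.delete('key')` are added without explanation; a short comment that the token branch is only exercised when no cert is configured (because cert now takes precedence) would make the intent clear to the next reader and tie the setup to the behaviour change in `lib/bolt/puppetdb/config.rb`.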
@@ -97,6 +99,8 @@

context "token is invalid" do
before :each do
options.delete('cert')
options.delete('key')
allow(File).to receive(:read).with(token).and_return "footoken\n"
allow(File).to receive(:read).with(Bolt::PuppetDB::Config::DEFAULT_TOKEN).and_return "bartoken\n"
end
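Review bot: the same two `options.delete('cert')` / `options.delete('key')` lines are added here as in the `"token is valid"` context above; since both contexts sit under `context "token"`, hoisting them into a single `before :each` on the outer context removes the duplication and keeps the two setups from drifting apart.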
@@ -112,6 +116,14 @@
expect(config.token).to eq('bartoken')
end
end

context "both token and cert" do
it "returns nil for token when cert is configured" do
allow(config).to receive(:validate_file_exists).with('cert').and_return true
allow(File).to receive(:read).with(token).and_return 'footoken'
expect(config.token).to be_nil
end
end
end

context "cacert" do
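Review bot: the new example asserts only that `config.token` is nil; it does not show that cert auth is what remains. Adding an expectation that the configured cert is still returned (through whatever accessor the spec uses for it), and optionally that the "using cert only" debug message is logged, would make the test demonstrate the precedence rule rather than just the absence of a token. Note also that `validate_file_exists` is stubbed for `'cert'` only, so the test passes whether or not a key is configured, which mirrors the implementation checking `cert` alone.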