From 6f0c8f812a8cf245f6724c396269b21bd21b1c9c Mon Sep 17 00:00:00 2001
From: donoghuc
Date: Thu, 11 Apr 2024 15:07:26 -0700
Subject: [PATCH] (GH-3296) Prefer cert auth to token auth for puppetdb client

Previously regardless of using certs any puppetdb token (either read from default location OR configured in settings) would be sent in x-authentication header for puppetdb requests. In the case a cert is configured, do not include this as the puppetdb endpoint will 401 in the case a valid cert but revoked token is presented.

!bug

* **Prefer cert based auth over token for puppetdb** ([#3296](#3296))

When both a token and cert are computed for puppetdb config, only use cert auth. This matches behavior of other puppetdb CLI tools.
---
 lib/bolt/puppetdb/config.rb | 8 +++++++-
 spec/unit/puppetdb/config_spec.rb | 12 ++++++++++++
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/lib/bolt/puppetdb/config.rb b/lib/bolt/puppetdb/config.rb
index 9b0b3bbf51..914ac196da 100644
--- a/lib/bolt/puppetdb/config.rb
+++ b/lib/bolt/puppetdb/config.rb
@@ -60,7 +60,7 @@ def self.default_config
 end
 
 def token
- return @token if @token
+ return @token if @token_computed
 # Allow nil in config to skip loading a token
 if @settings.include?('token')
 if @settings['token']
@@ -69,6 +69,12 @@ def token
 elsif File.exist?(DEFAULT_TOKEN)
 @token = File.read(DEFAULT_TOKEN)
 end
+ # Only use cert based auth in the case token and cert are both configured
+ if @token && cert
+ Bolt::Logger.logger(self).debug("Both cert and token based auth configured, using cert only")
+ @token = nil
+ end
+ @token_computed = true
 @token = @token.strip if @token
 end
 
diff --git a/spec/unit/puppetdb/config_spec.rb b/spec/unit/puppetdb/config_spec.rb
index 005a3cee9a..e003b131f2 100644
--- a/spec/unit/puppetdb/config_spec.rb
+++ b/spec/unit/puppetdb/config_spec.rb
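Review bot: The new cert-wins check in the second config.rb hunk runs after the token has already been loaded, so `File.read(DEFAULT_TOKEN)` still reads the token file from disk only to discard it, and a token the user set explicitly under `@settings['token']` is overridden with nothing more than a debug line; `token` starts in the first hunk and its settings branch lies between the two hunks. The comment above the check says what it does but not why, and the 401 rationale lives only in the commit message, so suggest replacing it with `# puppetdb answers 401 when a valid cert is paired with a revoked token, so cert auth wins outright`. Whether the explicit-settings case deserves `warn` rather than `debug` depends on how Bolt surfaces config conflicts elsewhere, which is outside this diff. `cert` is also defined outside the hunk and the spec stubs `validate_file_exists` for it, so it looks like it can raise on a missing file; confirm that `token` raising in that case is intended now that it depends on `cert`.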
@@ -72,6 +72,8 @@
 context "token" do
 context "token is valid" do
 before :each do
+ options.delete('cert')
+ options.delete('key')
 allow(File).to receive(:read).with(token).and_return 'footoken'
 allow(File).to receive(:read).with(Bolt::PuppetDB::Config::DEFAULT_TOKEN).and_return 'bartoken'
 end
@@ -97,6 +99,8 @@
 
 context "token is invalid" do
 before :each do
+ options.delete('cert')
+ options.delete('key')
 allow(File).to receive(:read).with(token).and_return "footoken\n"
 allow(File).to receive(:read).with(Bolt::PuppetDB::Config::DEFAULT_TOKEN).and_return "bartoken\n"
 end
@@ -112,6 +116,14 @@
 expect(config.token).to eq('bartoken')
 end
 end
+
+ context "both token and cert" do
+ it "returns nil for token when cert is configured" do
+ allow(config).to receive(:validate_file_exists).with('cert').and_return true
+ allow(File).to receive(:read).with(token).and_return 'footoken'
+ expect(config.token).to be_nil
+ end
+ end
 end
 
 context "cacert" do
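Review bot: The new "both token and cert" context asserts only the nil result; nothing pins the memoisation introduced with `@token_computed`, and the default-token path is not covered, so a second `config.token` call after the cert override could re-read the file without any example failing. Suggest adding an example that calls `config.token` twice and expects `File.read` to have been received once, and a sibling example stubbing `Bolt::PuppetDB::Config::DEFAULT_TOKEN` instead of `token` so the override is exercised for a default-location token as well. The context appears to rely on `options` still carrying `cert` from setup outside the hunk, and it stubs `validate_file_exists` for `'cert'` only, which suggests the earlier contexts delete both `cert` and `key` for a reason worth a one-line comment such as `# token contexts drop cert/key so cert auth cannot take precedence`.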