(SERVER-2550) Add auth.conf rule for CRL update endpoint

This rule requires that the cert querying has the `cli_auth` extension, the same as is required to use the `certificate_status` enpdoint.
puppetlabs · May 21, 2021 · 22ac4e5 · 22ac4e5
1 parent 9204d12
commit 22ac4e5
Showing 1 changed file with 14 additions and 0 deletions.
diff --git a/ezbake/config/conf.d/auth.conf b/ezbake/config/conf.d/auth.conf
@@ -71,6 +71,20 @@ authorization: {
             sort-order: 500
             name: "puppetlabs cert status"
         },
+        {
+            match-request: {
+                path: "^/puppet-ca/v1/certificate_revocation_list$"
+                type: path
+                method: put
+            }
+            allow: {
+               extensions: {
+                   pp_cli_auth: "true"
+               }
+            }
+            sort-order: 500
+            name: "puppetlabs CRL update"
+        },
         {
             # Allow the CA CLI to access the certificate_statuses endpoint
             match-request: {