theforeman · ekohl · Oct 15, 2018 · Oct 9, 2018
diff --git a/spec/classes/puppet_server_puppetserver_spec.rb b/spec/classes/puppet_server_puppetserver_spec.rb
@@ -134,10 +134,10 @@
         it {
           should contain_file('/etc/custom/puppetserver/conf.d/auth.conf').
             with_content(/allow-header-cert-info: false/).
-            with_content(/^\s+path: "\/puppet-ca\/v1\/certificate_status\/"/).
-            with_content(/^\s+name: "certificate_status"/).
-            with_content(/^\s+path: "\/puppet-ca\/v1\/certificate_statuses\/"/).
-            with_content(/^\s+name: "certificate_statuses"/).
+            with_content(/^\s+path: "\/puppet-ca\/v1\/certificate_status"/).
+            with_content(/^\s+name: "puppetlabs cert status"/).
+            with_content(/^\s+path: "\/puppet-ca\/v1\/certificate_statuses"/).
+            with_content(/^\s+name: "puppetlabs cert statuses"/).
             with_content(/^\s+path: "\/puppet-admin-api\/v1\/environment-cache"/).
             with_content(/^\s+name: "environment-cache"/).
             with_content(/^\s+path: "\/puppet-admin-api\/v1\/jruby-pool"/).

diff --git a/templates/auth.conf.erb b/templates/auth.conf.erb
@@ -7,7 +7,7 @@
 # otherwise, the general rules may "steal" requests that should be
 # governed by the specific rules.
 #
-# See https://docs.puppetlabs.com/puppet/latest/reference/config_file_auth.html
+# See https://puppet.com/docs/puppet/latest/config_file_auth.html
 # for a more complete description of auth.conf's behavior.
 #
 # Supported syntax:
@@ -57,6 +57,27 @@
 # (ie exactly as if auth yes was present).
 #
 
+# CONTROLLING FILE ACCESS (previously in fileserver.conf)
+
+# In previous versions of Puppet, you controlled file access by adding
+# rules to fileserver.conf. In Puppet 5 with Puppet Server, you can control
+# file access in auth.conf by controlling the /file_metadata(s)/<mount point>,
+# /file_content(s)/<mount point>, and /static_file_content/<file> paths. See the
+# Puppet Server documentation at
+# https://puppet.com/docs/puppetserver/latest/config_file_auth.html.
+#
+# If you are not using Puppet Server, or are using Puppet Server but with the
+# "jruby-puppet.use-legacy-auth-conf" setting set to "true", you could set the
+# desired file access in a new rule in this file. For example:
+#
+# path ~ ^/file_(metadata|content)s?/extra_files/
+# auth yes
+# allow /^(.+)\.example\.com$/
+# allow_ip 192.168.100.0/24
+#
+# If added to auth.conf BEFORE the default "path /file" rule, this rule
+# will add stricter restrictions to the extra_files mount point.
+
 ### Authenticated ACLs - these rules apply only when the client
 ### has a valid certificate and is thus authenticated
 
@@ -126,8 +147,8 @@ path /puppet-ca/v1/certificate_request
 auth any
 method find, save
 allow *
-
 <% if scope.lookupvar('::puppet::listen') -%>
+
 path /run
 auth any
 method save

diff --git a/templates/server/puppetserver/conf.d/auth.conf.erb b/templates/server/puppetserver/conf.d/auth.conf.erb
@@ -46,23 +46,12 @@ authorization: {
             sort-order: 500
             name: "puppetlabs csr"
         },
-        {
-            # Allow unauthenticated access to the status service endpoint
-            match-request: {
-                path: "/status/v1/services"
-                type: path
-                method: get
-            }
-            allow-unauthenticated: true
-            sort-order: 500
-            name: "puppetlabs status service"
-        },
 <%- if @server_ca -%>
         {
             match-request: {
-                path: "/puppet-ca/v1/certificate_status/"
+                path: "/puppet-ca/v1/certificate_status"
                 type: path
-                method: [ get, put, delete ]
+                method: [get, put, delete]
             }
 <%- if @server_ca_auth_required == false -%>
             allow-unauthenticated: true
@@ -73,12 +62,12 @@ authorization: {
 <%- end -%>
             ]
 <%- end -%>
-            sort-order: 200
-            name: "certificate_status"
+            sort-order: 500
+            name: "puppetlabs cert status"
         },
         {
             match-request: {
-                path: "/puppet-ca/v1/certificate_statuses/"
+                path: "/puppet-ca/v1/certificate_statuses"
                 type: path
                 method: get
             }
@@ -91,10 +80,21 @@ authorization: {
 <%- end -%>
             ]
 <%- end -%>
-            sort-order: 200
-            name: "certificate_statuses"
+            sort-order: 500
+            name: "puppetlabs cert statuses"
         },
 <%- end -%>
+        {
+            # Allow unauthenticated access to the status service endpoint
+            match-request: {
+                path: "/status/v1/services"
+                type: path
+                method: get
+            }
+            allow-unauthenticated: true
+            sort-order: 500
+            name: "puppetlabs status service - full"
+        },
         {
             match-request: {
                 path: "/puppet-admin-api/v1/environment-cache"

diff --git a/templates/server/puppetserver/conf.d/metrics.conf.erb b/templates/server/puppetserver/conf.d/metrics.conf.erb
@@ -15,6 +15,7 @@ metrics: {
 <%- else -%>
             #metrics-allowed: ["compiler.compile.production"]
 <% end -%>
+
             reporters: {
                 # enable or disable JMX metrics reporter
                 jmx: {
@@ -25,6 +26,7 @@ metrics: {
                     enabled: <%= @metrics_graphite_enable %>
                 }
             }
+
         }
     }
 
@@ -55,4 +57,5 @@ metrics: {
             }
         }
     }
+
 }
diff --git a/templates/server/puppetserver/conf.d/puppetserver.conf.erb b/templates/server/puppetserver/conf.d/puppetserver.conf.erb
@@ -62,6 +62,7 @@ jruby-puppet: {
 
     # (optional) Sets the upper limit for the random sleep set as a Retry-After header on 503 responses returned when max-queued-requests is enabled.
     max-retry-delay: <%= @server_max_retry_delay %>
+
 <%- end -%>
     # (optional) Authorize access to Puppet master endpoints via rules
     # specified in the legacy Puppet auth.conf file (if true) or via rules
@@ -74,20 +75,21 @@ jruby-puppet: {
     environment-class-cache-enabled: <%= @server_environment_class_cache_enabled %>
 <%- end -%>
 <%- if @compile_mode %>
+
     compile-mode: <%= @compile_mode %>
 <%- end -%>
 }
 
-# settings related to HTTP client requests made by Puppet Server
+# settings related to HTTPS client requests made by Puppet Server
 http-client: {
-    # A list of acceptable protocols for making HTTP requests
+    # A list of acceptable protocols for making HTTPS requests
     ssl-protocols: [
     <%- @server_ssl_protocols.each do |protocol| -%>
         <%= protocol %>,
     <%- end -%>
     ]
 
-    # A list of acceptable cipher suites for making HTTP requests
+    # A list of acceptable cipher suites for making HTTPS requests
     cipher-suites: [
     <%- @server_cipher_suites.each do |cipher| -%>
         <%= cipher %>,