From b6dc81d76ccda2ef1f71a7042083d25bc428d953 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thore=20B=C3=B6decker?= Date: Tue, 2 Jun 2020 16:37:28 +0200 Subject: [PATCH] also allow whitelisted admin clients to clean certs During #728 a regression was introduced, denying the other whitelisted admin clients cleaning/deletion of certificates: ``` 2020-06-02T16:30:47.856+02:00 ERROR [qtp1105504743-114201] [p.t.a.rules] Forbidden request: puppetserver01.[...] access to /puppet-ca/v1/certificate_status/my.fancy.hostname (method :delete) (authenticated: true) denied by rule 'Allow nodes to delete their own certificates'. ``` The solution is to re-allow the entries within `@server_admin_api_whitelist`, which usually contain "localhost" and the fqdn of the puppetserver CA system. --- templates/server/puppetserver/conf.d/auth.conf.erb | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/templates/server/puppetserver/conf.d/auth.conf.erb b/templates/server/puppetserver/conf.d/auth.conf.erb index deff354f..d3a8dbd7 100644 --- a/templates/server/puppetserver/conf.d/auth.conf.erb +++ b/templates/server/puppetserver/conf.d/auth.conf.erb @@ -119,7 +119,17 @@ authorization: { type: regex method: [delete] }, - allow: "$2" + allow: [ + "$2", +<%- @server_admin_api_whitelist.each do |client| -%> + "<%= client %>", +<%- end -%> + { + extensions: { + pp_cli_auth: "true" + } + } + ] sort-order: 500 }, <%- end -%>
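Review bot: the new `allow` list in the `certificate_status` delete rule also grants deletion to any client whose certificate carries the `pp_cli_auth: "true"` extension, which the commit message does not mention; the message describes the fix as re-allowing the entries of `@server_admin_api_whitelist` only, so either state in the message that the Puppet CLI extension is intentionally covered by this rule or drop that block and keep the change to the whitelist entries alone. A smaller point: the rule that the quoted log line names 'Allow nodes to delete their own certificates' now also matches the whitelisted admin clients, so its name and any comment above it in the template should be updated to say so, otherwise the next person reading a denied-request log will be misled about what the rule permits.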