Use server_trusted_agents in v4 catalog endpoint #756
Conversation
| @@ -12,7 +12,7 @@ authorization: { | |||
| type: regex | |||
| method: [get, post] | |||
| } | |||
| allow: <%= @server_trusted_agents << '$1' %> | |||
| allow: <%= @server_trusted_agents + ['$1'] %> | |||
There was a problem hiding this comment.
It's not just in this template that server_trusted_agents was being mutated, but in the catalog itself. So much for puppet variables being immutable! I guess in irb, you can accidentally abuse this. ;)
There was a problem hiding this comment.
oops. That was me! 4f07b5f#diff-6775a3530d5d8059f4175382a1af402cR12
There was a problem hiding this comment.
Also, 'naming things is hard'. Maybe I should have called it trusted_compile_clients or something instead.
| deny: "*" | ||
| <%- else -%> | ||
| allow: <%= @server_trusted_agents %> |
There was a problem hiding this comment.
I also would have liked to introduce a new parameter so that certificate extensions could have been used as well as just a list of certnames. irb instead of the old way (removed in #615) makes it more difficult though. If I just append a hash to the server_trusted_agents array the outputted string isn't valid hocon. Valid configuration would look a bit like...
allow: [
"cert1",
"cert2",
{
extensions: {
pp_authorization: "catalog"
}
}
]
I might try to figure out a nice way of generating this in a separate PR.
There was a problem hiding this comment.
FYI, PE rule has additional restriction for v4 catalog query-params: {}, I presume for security reasons
here is the code snippet:
{
"allow": [
"puppet.chepkov.lan",
{
"rbac": {
"permission": "puppetserver:compile_catalog:*"
}
}
],
"match-request": {
"method": "post",
"path": "^/puppet/v4/catalog/?$",
"query-params": {},
"type": "regex"
},
"name": "puppetlabs v4 catalog",
"sort-order": 500
}
,
There was a problem hiding this comment.
It wouldn't hurt. Don't think it does much either though. The body of the post is json containing all the input data. I think any query parameters would just be ignored? https://puppet.com/docs/puppetserver/latest/puppet-api/v4/catalog.html
|
I guessed this is an enhancement, or is it a bugfix? |
|
It should have probably been part of #689?? Not sure whether I'd call that a bug though? |
|
It doesn't fix a regression, so probably |
No description provided.