Add parameter for TLS verify mode with API

REFERENCE.md

@@ -166,6 +166,7 @@ The following parameters are available in the `vas` class:
 * [`api_enable`](#-vas--api_enable)
 * [`api_users_allow_url`](#-vas--api_users_allow_url)
 * [`api_token`](#-vas--api_token)
+* [`api_ssl_verify`](#-vas--api_ssl_verify)
 
 ##### <a name="-vas--manage_nis"></a>`manage_nis`
 
@@ -1196,6 +1197,14 @@ Security token for authenticated access to the API.
 
 Default value: `undef`
 
+##### <a name="-vas--api_ssl_verify"></a>`api_ssl_verify`
+
+Data type: `Boolean`
+
+Whether TLS connections should be verified or not.
+
+Default value: `true`
+
 ## Functions
 
 ### <a name="vas--api_fetch"></a>`vas::api_fetch`
@@ -1212,7 +1221,7 @@ Query a remote HTTP-based service for entries to be added to users_allow.
 vas::api_fetch("https://host.domain.tld/api/${facts['trusted.certname']}")
 ```
 
-#### `vas::api_fetch(Stdlib::HTTPUrl $url, String[1] $token)`
+#### `vas::api_fetch(Stdlib::HTTPUrl $url, String[1] $token, Optional[Boolean] $ssl_verify)`
 
 Query a remote HTTP-based service for entries to be added to users_allow.
 
@@ -1238,3 +1247,9 @@ Data type: `String[1]`
 
 Token used for authentication
 
+##### `ssl_verify`
+
+Data type: `Optional[Boolean]`
+
+Whether TLS connections should be verified or not
+

lib/puppet/functions/vas/api_fetch.rb

@@ -5,6 +5,7 @@
   require 'openssl'
   # @param url URL to connect to
   # @param token Token used for authentication
+  # @param ssl_verify Whether TLS connections should be verified or not
   # @return [Stdlib::Http::Status, Array[String]] If a valid response and contains entries
   # @return [Stdlib::Http::Status, Array[nil]] If a valid response, but no entries
   # @return [Stdlib::Http::Status, nil] If response is not of SUCCESS status code
@@ -14,9 +15,10 @@
   dispatch :api_fetch do
     param 'Stdlib::HTTPUrl', :url
     param 'String[1]', :token
+    optional_param 'Boolean', :ssl_verify
   end
 
-  def api_fetch(url, token)
+  def api_fetch(url, token, ssl_verify = false)
     uri = URI.parse(url)
 
     req = Net::HTTP::Get.new(uri.to_s)
@@ -25,7 +27,9 @@ def api_fetch(url, token)
 
     https = Net::HTTP.new(uri.host, uri.port)
     https.use_ssl = true
-    https.verify_mode = OpenSSL::SSL::VERIFY_NONE
+    unless ssl_verify
+      https.verify_mode = OpenSSL::SSL::VERIFY_NONE
+    end
     https.open_timeout = 2
     https.read_timeout = 2
 

manifests/init.pp

@@ -469,6 +469,8 @@
 # @param api_token
 #   Security token for authenticated access to the API.
 #
+# @param api_ssl_verify
+#   Whether TLS connections should be verified or not.
 class vas (
   Boolean $manage_nis                                                     = true,
   String[1] $package_version                                              = 'installed',
@@ -587,6 +589,7 @@
   Boolean $api_enable                                                     = false,
   Optional[Stdlib::HTTPSUrl] $api_users_allow_url                         = undef,
   Optional[String[1]] $api_token                                          = undef,
+  Boolean $api_ssl_verify                                                 = false,
 ) {
   # variable preparations
   $once_file = '/etc/opt/quest/vas/puppet_joined'
@@ -673,7 +676,7 @@
   if $api_enable == true and ($api_users_allow_url == undef or $api_token == undef) {
     fail('vas::api_enable is set to true but required parameters vas::api_users_allow_url and/or vas::api_token missing')
   } elsif $api_enable == true {
-    $api_users_allow_data = vas::api_fetch($api_users_allow_url, $api_token)
+    $api_users_allow_data = vas::api_fetch($api_users_allow_url, $api_token, $api_ssl_verify)
 
     case $api_users_allow_data[0] {
       200,'200': { # api_fetch() returns integer in Puppet 3 and string in Puppet 6

spec/classes/init_spec.rb

@@ -317,7 +317,7 @@
             context 'and returns 200' do
               context 'without data' do
                 let(:pre_condition) do
-                  'function vas::api_fetch($api_users_allow_url, $api_token) { return [200, undef] }'
+                  'function vas::api_fetch($api_users_allow_url, $api_token, $api_ssl_verify) { return [200, undef] }'
                 end
 
                 users_allow_api_nodata_content = <<-END.gsub(%r{^\s+\|}, '')
@@ -355,7 +355,7 @@
 
               context 'with data' do
                 let(:pre_condition) do
-                  'function vas::api_fetch($api_users_allow_url, $api_token) { return [200, \'apiuser@example.com\'] }'
+                  'function vas::api_fetch($api_users_allow_url, $api_token, $api_ssl_verify) { return [200, \'apiuser@example.com\'] }'
                 end
 
                 users_allow_api_data_content = <<-END.gsub(%r{^\s+\|}, '')
@@ -394,7 +394,7 @@
 
             context 'and return non-200 code' do
               let(:pre_condition) do
-                'function vas::api_fetch($api_users_allow_url, $api_token) { return [0, undef] }'
+                'function vas::api_fetch($api_users_allow_url, $api_token, $api_ssl_verify) { return [0, undef] }'
               end
 
               it {

spec/classes/parameter_spec.rb

@@ -918,7 +918,7 @@
           }
         end
         let(:pre_condition) do
-          'function vas::api_fetch($api_users_allow_url, $api_token) { return [200, undef] }'
+          'function vas::api_fetch($api_users_allow_url, $api_token, $api_ssl_verify) { return [200, undef] }'
         end
 
         it do
@@ -935,7 +935,7 @@
           }
         end
         let(:pre_condition) do
-          'function vas::api_fetch($api_users_allow_url, $api_token) { return [200, \'apiuser@test.ing\'] }'
+          'function vas::api_fetch($api_users_allow_url, $api_token, $api_ssl_verify) { return [200, \'apiuser@test.ing\'] }'
         end
 
         it do
@@ -953,7 +953,7 @@
           }
         end
         let(:pre_condition) do
-          'function vas::api_fetch($api_users_allow_url, $api_token) { return [200, undef] }'
+          'function vas::api_fetch($api_users_allow_url, $api_token, $api_ssl_verify) { return [200, undef] }'
         end
 
         it do
@@ -971,7 +971,7 @@
           }
         end
         let(:pre_condition) do
-          'function vas::api_fetch($api_users_allow_url, $api_token) { return [200, \'apiuser@test.ing\'] }'
+          'function vas::api_fetch($api_users_allow_url, $api_token, $api_ssl_verify) { return [200, \'apiuser@test.ing\'] }'
         end
 
         it do
@@ -1007,7 +1007,7 @@
           }
         end
         let(:pre_condition) do
-          'function vas::api_fetch($api_users_allow_url, $api_token) { return [200, undef] }'
+          'function vas::api_fetch($api_users_allow_url, $api_token, $api_ssl_verify) { return [200, undef] }'
         end
 
         it do
@@ -1024,7 +1024,7 @@
           }
         end
         let(:pre_condition) do
-          'function vas::api_fetch($api_users_allow_url, $api_token) { return [200, \'apiuser@test.ing\'] }'
+          'function vas::api_fetch($api_users_allow_url, $api_token, $api_ssl_verify) { return [200, \'apiuser@test.ing\'] }'
         end
 
         it do

spec/functions/api_fetch_spec.rb

@@ -18,15 +18,15 @@
       it do
         is_expected.to run
           .with_params
-          .and_raise_error(ArgumentError, '\'vas::api_fetch\' expects 2 arguments, got none')
+          .and_raise_error(ArgumentError, '\'vas::api_fetch\' expects between 2 and 3 arguments, got none')
       end
     end
 
     describe 'token argument is missing' do
       it do
         is_expected.to run
           .with_params(url)
-          .and_raise_error(ArgumentError, '\'vas::api_fetch\' expects 2 arguments, got 1')
+          .and_raise_error(ArgumentError, '\'vas::api_fetch\' expects between 2 and 3 arguments, got 1')
       end
     end
   end