From 7fdf0a422c232816cfbc45b42d6641928b86c04a Mon Sep 17 00:00:00 2001
From: Anders Larsson
Date: Mon, 19 Feb 2024 15:19:42 +0100
Subject: [PATCH] Add parameter for TLS verify mode with API

---
 REFERENCE.md | 17 ++++++++++++++++-
 lib/puppet/functions/vas/api_fetch.rb | 8 ++++++--
 manifests/init.pp | 5 ++++-
 spec/classes/init_spec.rb | 6 +++---
 spec/classes/parameter_spec.rb | 12 ++++++------
 spec/functions/api_fetch_spec.rb | 4 ++--
 6 files changed, 37 insertions(+), 15 deletions(-)

diff --git a/REFERENCE.md b/REFERENCE.md
index 47c1ca2..d50b502 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -166,6 +166,7 @@ The following parameters are available in the `vas` class:
 * [`api_enable`](#-vas--api_enable)
 * [`api_users_allow_url`](#-vas--api_users_allow_url)
 * [`api_token`](#-vas--api_token)
+* [`api_ssl_verify`](#-vas--api_ssl_verify)
 ##### `manage_nis`
@@ -1196,6 +1197,14 @@ Security token for authenticated access to the API.
 Default value: `undef`
+##### `api_ssl_verify`
+
+Data type: `Boolean`
+
+Whether TLS connections should be verified or not.
+
+Default value: `true`
+
 ## Functions
 ### `vas::api_fetch`
@@ -1212,7 +1221,7 @@ Query a remote HTTP-based service for entries to be added to users_allow.
 vas::api_fetch("https://host.domain.tld/api/${facts['trusted.certname']}")
 ```
-#### `vas::api_fetch(Stdlib::HTTPUrl $url, String[1] $token)`
+#### `vas::api_fetch(Stdlib::HTTPUrl $url, String[1] $token, Optional[Boolean] $ssl_verify)`
 Query a remote HTTP-based service for entries to be added to users_allow.
@@ -1238,3 +1247,9 @@ Data type: `String[1]`
 Token used for authentication
+##### `ssl_verify`
+
+Data type: `Optional[Boolean]`
+
+Whether TLS connections should be verified or not
+
diff --git a/lib/puppet/functions/vas/api_fetch.rb b/lib/puppet/functions/vas/api_fetch.rb
index 52c4261..5089736 100644
--- a/lib/puppet/functions/vas/api_fetch.rb
+++ b/lib/puppet/functions/vas/api_fetch.rb
@@ -5,6 +5,7 @@
 require 'openssl'
 # @param url URL to connect to
 # @param token Token used for authentication
+ # @param ssl_verify Whether TLS connections should be verified or not
 # @return [Stdlib::Http::Status, Array[String]] If a valid response and contains entries
 # @return [Stdlib::Http::Status, Array[nil]] If a valid response, but no entries
 # @return [Stdlib::Http::Status, nil] If response is not of SUCCESS status code
@@ -14,9 +15,10 @@
 dispatch :api_fetch do
 param 'Stdlib::HTTPUrl', :url
 param 'String[1]', :token
+ optional_param 'Boolean', :ssl_verify
 end
- def api_fetch(url, token)
+ def api_fetch(url, token, ssl_verify = false)
 uri = URI.parse(url)
 req = Net::HTTP::Get.new(uri.to_s)
@@ -25,7 +27,9 @@ def api_fetch(url, token)
 https = Net::HTTP.new(uri.host, uri.port)
 https.use_ssl = true
- https.verify_mode = OpenSSL::SSL::VERIFY_NONE
+ unless ssl_verify
+ https.verify_mode = OpenSSL::SSL::VERIFY_NONE
+ end
 https.open_timeout = 2
 https.read_timeout = 2
diff --git a/manifests/init.pp b/manifests/init.pp
index 00a94ab..e833d04 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -469,6 +469,8 @@
 # @param api_token
 # Security token for authenticated access to the API.
 #
+# @param api_ssl_verify
+# Whether TLS connections should be verified or not.
 class vas (
 Boolean $manage_nis = true,
 String[1] $package_version = 'installed',
@@ -587,6 +589,7 @@
 Boolean $api_enable = false,
 Optional[Stdlib::HTTPSUrl] $api_users_allow_url = undef,
 Optional[String[1]] $api_token = undef,
+ Boolean $api_ssl_verify = false,
 ) {
 # variable preparations
 $once_file = '/etc/opt/quest/vas/puppet_joined'
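Review bot: The default in `def api_fetch(url, token, ssl_verify = false)` keeps certificate verification switched off for every caller that omits the new third argument, and it contradicts the REFERENCE.md hunk of this same patch, which documents `api_ssl_verify` with `Default value: \`true\``. The manifests/init.pp hunk at `-587,6 +589,7` repeats the insecure default with `Boolean $api_ssl_verify = false,`, so a node that simply enables the API still accepts any certificate presented for `api_users_allow_url`. Because the dispatch declares `optional_param 'Boolean', :ssl_verify`, the Ruby default is exactly what an omitted argument resolves to; changing both sites to `def api_fetch(url, token, ssl_verify = true)` and `Boolean $api_ssl_verify = true,` makes the code agree with the documentation and fails closed, while the class parameter still lets an operator opt out deliberately. The body of api_fetch continues past the end of this hunk.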
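Review bot: The new `unless ssl_verify ... end` block in the `-25,7 +27,9` hunk only ever assigns `VERIFY_NONE`; when verification is requested it leaves `https.verify_mode` unset and relies on Net::HTTP's implicit `VERIFY_PEER` default rather than stating it. Writing the intent out in one line, `https.verify_mode = ssl_verify ? OpenSSL::SSL::VERIFY_PEER : OpenSSL::SSL::VERIFY_NONE`, makes the secure branch explicit for the next reader and also collapses the three-line conditional into the modifier form RuboCop expects for a single statement. The enclosing api_fetch method starts and ends outside this hunk.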
@@ -673,7 +676,7 @@
 if $api_enable == true and ($api_users_allow_url == undef or $api_token == undef) {
 fail('vas::api_enable is set to true but required parameters vas::api_users_allow_url and/or vas::api_token missing')
 } elsif $api_enable == true {
- $api_users_allow_data = vas::api_fetch($api_users_allow_url, $api_token)
+ $api_users_allow_data = vas::api_fetch($api_users_allow_url, $api_token, $api_ssl_verify)
 case $api_users_allow_data[0] {
 200,'200': { # api_fetch() returns integer in Puppet 3 and string in Puppet 6
diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb
index 4c2d561..231253e 100644
--- a/spec/classes/init_spec.rb
+++ b/spec/classes/init_spec.rb
@@ -317,7 +317,7 @@
 context 'and returns 200' do
 context 'without data' do
 let(:pre_condition) do
- 'function vas::api_fetch($api_users_allow_url, $api_token) { return [200, undef] }'
+ 'function vas::api_fetch($api_users_allow_url, $api_token, $api_ssl_verify) { return [200, undef] }'
 end
 users_allow_api_nodata_content = <<-END.gsub(%r{^\s+\|}, '')
@@ -355,7 +355,7 @@
 context 'with data' do
 let(:pre_condition) do
- 'function vas::api_fetch($api_users_allow_url, $api_token) { return [200, \'apiuser@example.com\'] }'
+ 'function vas::api_fetch($api_users_allow_url, $api_token, $api_ssl_verify) { return [200, \'apiuser@example.com\'] }'
 end
 users_allow_api_data_content = <<-END.gsub(%r{^\s+\|}, '')
@@ -394,7 +394,7 @@
 context 'and return non-200 code' do
 let(:pre_condition) do
- 'function vas::api_fetch($api_users_allow_url, $api_token) { return [0, undef] }'
+ 'function vas::api_fetch($api_users_allow_url, $api_token, $api_ssl_verify) { return [0, undef] }'
 end
 it {
diff --git a/spec/classes/parameter_spec.rb b/spec/classes/parameter_spec.rb
index 3b5007c..c48ed5b 100644
--- a/spec/classes/parameter_spec.rb
+++ b/spec/classes/parameter_spec.rb
@@ -918,7 +918,7 @@
 }
 end
 let(:pre_condition) do
- 'function vas::api_fetch($api_users_allow_url, $api_token) { return [200, undef] }'
+ 'function vas::api_fetch($api_users_allow_url, $api_token, $api_ssl_verify) { return [200, undef] }'
 end
 it do
@@ -935,7 +935,7 @@
 }
 end
 let(:pre_condition) do
- 'function vas::api_fetch($api_users_allow_url, $api_token) { return [200, \'apiuser@test.ing\'] }'
+ 'function vas::api_fetch($api_users_allow_url, $api_token, $api_ssl_verify) { return [200, \'apiuser@test.ing\'] }'
 end
 it do
@@ -953,7 +953,7 @@
 }
 end
 let(:pre_condition) do
- 'function vas::api_fetch($api_users_allow_url, $api_token) { return [200, undef] }'
+ 'function vas::api_fetch($api_users_allow_url, $api_token, $api_ssl_verify) { return [200, undef] }'
 end
 it do
@@ -971,7 +971,7 @@
 }
 end
 let(:pre_condition) do
- 'function vas::api_fetch($api_users_allow_url, $api_token) { return [200, \'apiuser@test.ing\'] }'
+ 'function vas::api_fetch($api_users_allow_url, $api_token, $api_ssl_verify) { return [200, \'apiuser@test.ing\'] }'
 end
 it do
@@ -1007,7 +1007,7 @@
 }
 end
 let(:pre_condition) do
- 'function vas::api_fetch($api_users_allow_url, $api_token) { return [200, undef] }'
+ 'function vas::api_fetch($api_users_allow_url, $api_token, $api_ssl_verify) { return [200, undef] }'
 end
 it do
@@ -1024,7 +1024,7 @@
 }
 end
 let(:pre_condition) do
- 'function vas::api_fetch($api_users_allow_url, $api_token) { return [200, \'apiuser@test.ing\'] }'
+ 'function vas::api_fetch($api_users_allow_url, $api_token, $api_ssl_verify) { return [200, \'apiuser@test.ing\'] }'
 end
 it do
diff --git a/spec/functions/api_fetch_spec.rb b/spec/functions/api_fetch_spec.rb
index faa7975..cf978df 100644
--- a/spec/functions/api_fetch_spec.rb
+++ b/spec/functions/api_fetch_spec.rb
@@ -18,7 +18,7 @@
 it do
 is_expected.to run
 .with_params
- .and_raise_error(ArgumentError, '\'vas::api_fetch\' expects 2 arguments, got none')
+ .and_raise_error(ArgumentError, '\'vas::api_fetch\' expects between 2 and 3 arguments, got none')
 end
 end
@@ -26,7 +26,7 @@
 it do
 is_expected.to run
 .with_params(url)
- .and_raise_error(ArgumentError, '\'vas::api_fetch\' expects 2 arguments, got 1')
+ .and_raise_error(ArgumentError, '\'vas::api_fetch\' expects between 2 and 3 arguments, got 1')
 end
 end
 end