Merge remote-tracking branch 'JohnLyman/issue-156-pe-token-for-puppetdb' into kpaulisse-release-branch

Author: kpaulisse

doc/configuration-puppetdb.md

@@ -36,6 +36,7 @@ The following settings can be used in a [configuration file](/doc/configuration.
 | `settings[:puppetdb_ssl_client_key]` | TEXT of the private key of the client SSL keypair used to authenticate to PuppetDB. Note: This variable is not set to a file path, which means you will likely want to use means you will likely want to use `File.read(...)` if you are configuring this to be read from a file. |
 | `settings[:puppetdb_ssl_client_pem]` | Concatenation of the text of `puppetdb_ssl_client_key` and `puppetdb_ssl_client_cert` as previously described. This is a good alternative if your certificate chain is complex and it's easier just to put everything in a single place. Note: this option is second in precedence; if `settings[:puppetdb_ssl_client_cert]` and `settings[:puppetdb_ssl_client_key]` are both set, this will be ignored. |
 | `settings[:puppetdb_ssl_client_password]` | Plain text string containing the password to unlock the private key. For keys generated by the Puppet Master CA, this is not required and should be left undefined. |
+| `settings[:puppetdb_token]` | TEXT containing the PE RBAC token used to authenticate to PuppetDB. Note: This variable is not set to a file path, which means you will likely want to use `File.read(...)` if you are configuring this to be read from a file. |
 
 ## Supplying necessary information via the command line
 
@@ -48,6 +49,8 @@ The following arguments can be used on the command line.
 | --puppetdb-ssl-client-cert FILENAME | Path to the certificate of the client SSL keypair. |
 | --puppetdb-ssl-client-key FILENAME | Path to the private key of the client SSL keypair. |
 | --puppetdb-ssl-client-password PASSWORD_STRING | Plain text string containing the password to unlock the private key. For keys generated by the Puppet Master CA, this is not required. |
+| --puppetdb-token STRING | String containing the PE RBAC token used to authenticate to PuppetDB. |
+| --puppetdb-token-file FILENAME | Path to the PE RBAC token file used to authenticate to PuppetDB. |
 
 ## Supplying necessary information via the environment
 

lib/octocatalog-diff/cli/options/pe_enc_token_file.rb

@@ -12,7 +12,7 @@
   def parse(parser, options)
     parser.on('--pe-enc-token-file PATH', 'Path containing token for PE node classifier, relative or absolute') do |x|
       proposed_token_path = x.start_with?('/') ? x : File.join(options[:basedir], x)
-      raise Errno::ENOENT, "Provided token (#{proposed_token_path}) does not exist" unless File.file?(proposed_token_path)
+      raise Errno::ENOENT, "Provided PE ENC token (#{proposed_token_path}) does not exist" unless File.file?(proposed_token_path)
       options[:pe_enc_token] = File.read(proposed_token_path)
     end
   end

lib/octocatalog-diff/cli/options/puppetdb_token.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+# Specify the PE RBAC token to access the PuppetDB API. Refer to
+# https://puppet.com/docs/pe/latest/rbac/rbac_token_auth_intro.html#generate-a-token-using-puppet-access
+# for details on generating and obtaining a token. Use this option to specify the text
+# of the token. (Use --puppetdb-token-file to read the content of the token from a file.)
+# @param parser [OptionParser object] The OptionParser argument
+# @param options [Hash] Options hash being constructed; this is modified in this method.
+OctocatalogDiff::Cli::Options::Option.newoption(:puppetdb_token) do
+  has_weight 310
+
+  def parse(parser, options)
+    parser.on('--puppetdb-token TOKEN', 'Token to access the PuppetDB API') do |token|
+      options[:puppetdb_token] = token
+    end
+  end
+end

lib/octocatalog-diff/cli/options/puppetdb_token_file.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+# Specify the PE RBAC token to access the PuppetDB API. Refer to
+# https://puppet.com/docs/pe/latest/rbac/rbac_token_auth_intro.html#generate-a-token-using-puppet-access
+# for details on generating and obtaining a token. Use this option to specify the text
+# in a file, to read the content of the token from the file.
+# @param parser [OptionParser object] The OptionParser argument
+# @param options [Hash] Options hash being constructed; this is modified in this method.
+OctocatalogDiff::Cli::Options::Option.newoption(:puppetdb_token_file) do
+  has_weight 310
+
+  def parse(parser, options)
+    parser.on('--puppetdb-token-file PATH', 'Path containing token for PuppetDB API, relative or absolute') do |x|
+      proposed_token_path = x.start_with?('/') ? x : File.join(options[:basedir], x)
+      unless File.file?(proposed_token_path)
+        raise Errno::ENOENT, "Provided PuppetDB API token (#{proposed_token_path}) does not exist"
+      end
+      options[:puppetdb_token] = File.read(proposed_token_path)
+    end
+  end
+end

lib/octocatalog-diff/puppetdb.rb

@@ -42,6 +42,7 @@ class PuppetDB
     # @param :puppetdb_ssl_client_p12 [String] pkcs12-encoded client key and certificate
     # @param :puppetdb_ssl_client_password [String] Path to file containing password for SSL client key (any format)
     # @param :puppetdb_ssl_client_auth [Boolean] Override the client-auth that is guessed from parameters
+    # @param :puppetdb_token [String] PE RBAC token to authenticate to PuppetDB API
     # @param :timeout [Integer] Connection timeout for PuppetDB (default=10)
     def initialize(options = {})
       @connections =
@@ -107,7 +108,10 @@ def _get(path)
         ].join('')
 
         begin
-          more_options = { headers: { 'Accept' => 'application/json' }, timeout: @timeout }
+          headers = { 'Accept' => 'application/json' }
+          headers['X-Authentication'] = @options[:puppetdb_token] if @options[:puppetdb_token]
+          more_options = { headers: headers, timeout: @timeout }
+
           if connection[:username] || connection[:password]
             more_options[:basic_auth] = { username: connection[:username], password: connection[:password] }
           end

spec/octocatalog-diff/fixtures/configs/puppetdb-token.txt

@@ -0,0 +1 @@
+bxejuxstqwhmbrwskpfokcukvjlzmzwlouvpdcnwfypsrefnqycxezwzjiccnpnmherjhxgvrdjdhgzeaoxkjekfluyrlhxkkvllvzaunlmcqfrdnmqlovdensweblnfrgslaxcwurxeadofxlquqeercnypbuypsgnxastvuhqgxnlotrkghcvkkoyzrwmmzxocnftthosfeenxzijfnzciuukeqhmwqxnwbncxttadyrdcapokhcwykcliuhmbejdulkvxixxbcxljdvvtlbqmfqgoisadvhduoskedbykwgzfcdmfytcwkakuliytrtjpiqxaathxutizixtgbkncizjcpqiibvkjgdvblzcekqvsbyzkeaycydhxbbgmevkxzuexwdawsvanchjwzcxrrpuvwtxcsdkraluzbmozaunnfvyjoezvawxfoelmduzaqkffetecdchotxpumoxyrxeuxhxugckrfkzvapkhiniersercnemnkgspdxspfktdqrrxfpiooinqtdzvwwwyrpkzlvvxxkajgshacadawgkzpdbfarhqcflbbqtzwfshnfmpxrsuljxkdzrtxtulwoomwvykauxzxzgxqdqrbksirroxwqcveryrwfswqjmsqlddjdgvzhnsftinetaxvhfzgylxhmtammzfephrwftmudbtdkfscpxxzfudjbfzjkaozgxbxhhplddsbyhafmmvfdhqoozozwnrtjtwicxpvwdrvozrwiecxresxbuzpovfdeuxdgzqoyjzscfxrrzsvtrbtobqkscvujeqiqgiwbgjrpwslavvfldzpblhagpltlxpxwsqvgabemwfocnsugajffjtaxehaxwti

spec/octocatalog-diff/integration/puppetdb_spec.rb

@@ -139,4 +139,43 @@
       expect(result[:exception].class.to_s).to eq('OpenSSL::PKey::RSAError')
     end
   end
+
+  context 'token-based authentication' do
+    let(:s_opts) do
+      {
+        ca_file: OctocatalogDiff::Spec.fixture_path('ssl/generated/ca.crt'),
+        client_verify: false,
+        url_map: url_map,
+        require_header: { 'X-Authentication' => 'my-pdb-token-would-go-here' }
+      }
+    end
+
+    it 'should fail to connect to authenticated puppetdb with no token', retry: 3 do
+      opts = { argv: ['-n', 'rspec-node.github.net'], spec_repo: 'tiny-repo' }
+      result = OctocatalogDiff::Integration.integration_with_puppetdb(s_opts, opts)
+      expect(result[:exception].message).to match(/Fact retrieval failed .* from PuppetDB \(403/)
+    end
+
+    it 'should fail to connect to authenticated puppetdb with an invalid token', retry: 3 do
+      args = [
+        '-n', 'rspec-node.github.net',
+        '--puppetdb-token', 'my-bogus-token-here',
+        '--puppetdb-ssl-ca', OctocatalogDiff::Spec.fixture_path('ssl/generated/ca.crt')
+      ]
+      opts = { argv: args, spec_repo: 'tiny-repo' }
+      result = OctocatalogDiff::Integration.integration_with_puppetdb(s_opts, opts)
+      expect(result[:exception].message).to match(/Fact retrieval failed .* from PuppetDB \(403/)
+    end
+
+    it 'should connect to authenticated puppetdb with a token', retry: 3 do
+      args = [
+        '-n', 'rspec-node.github.net',
+        '--puppetdb-token', 'my-pdb-token-would-go-here',
+        '--puppetdb-ssl-ca', OctocatalogDiff::Spec.fixture_path('ssl/generated/ca.crt')
+      ]
+      opts = { argv: args, spec_repo: 'tiny-repo' }
+      result = OctocatalogDiff::Integration.integration_with_puppetdb(s_opts, opts)
+      expect(result[:exitcode]).to eq(0), OctocatalogDiff::Integration.format_exception(result)
+    end
+  end
 end

spec/octocatalog-diff/tests/cli/options/puppetdb_token_file_spec.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+require_relative '../options_helper'
+
+describe OctocatalogDiff::Cli::Options do
+  context 'with a relative path' do
+    describe '#opt_puppetdb_token_file' do
+      let(:basedir) { OctocatalogDiff::Spec.fixture_path('configs') }
+
+      it 'should handle --puppetdb-token-file with valid path' do
+        result = run_optparse(['--basedir', basedir, '--puppetdb-token-file', 'puppetdb-token.txt'])
+        expect(result[:puppetdb_token]).to eq(OctocatalogDiff::Spec.fixture_read('configs/puppetdb-token.txt'))
+      end
+
+      it 'should error if --puppetdb-token-file points to non-existing file' do
+        expect do
+          run_optparse(['--basedir', basedir, '--puppetdb-token-file', 'sdafjfkjlafjadsasf'])
+        end.to raise_error(Errno::ENOENT)
+      end
+
+      it 'should error if --puppetdb-token-file is not passed an argument' do
+        expect { run_optparse(['--basedir', basedir, '--puppetdb-token-file']) }.to raise_error(OptionParser::MissingArgument)
+      end
+    end
+  end
+
+  context 'with an absolute path' do
+    describe '#opt_puppetdb_token_file' do
+      it 'should handle --puppetdb-token-file with valid path' do
+        result = run_optparse(['--puppetdb-token-file', OctocatalogDiff::Spec.fixture_path('configs/puppetdb-token.txt')])
+        expect(result[:puppetdb_token]).to eq(OctocatalogDiff::Spec.fixture_read('configs/puppetdb-token.txt'))
+      end
+
+      it 'should error if --puppetdb-token-file points to non-existing file' do
+        expect do
+          run_optparse(['--puppetdb-token-file', OctocatalogDiff::Spec.fixture_path('configs/alsdkfalfdkjasdf')])
+        end.to raise_error(Errno::ENOENT)
+      end
+    end
+  end
+end

spec/octocatalog-diff/tests/cli/options/puppetdb_token_spec.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+require_relative '../options_helper'
+
+describe OctocatalogDiff::Cli::Options do
+  describe '#opt_puppetdb_token' do
+    it 'should handle --puppetdb-token with a string arg' do
+      result = run_optparse(['--puppetdb-token', 'foobar'])
+      expect(result[:puppetdb_token]).to eq('foobar')
+    end
+  end
+end