(PUP-11402) Puppet lookup fails when used localy

This commit moves the entire trusted information logic in the case where
we have the `compile` option enabled and we are not a `plain` terminus,
since any other case does not need the said `trusted_information`
context.

Author: BobosilaVictor

acceptance/tests/parser_functions/puppet_lookup_cmd.rb

@@ -2193,16 +2193,6 @@ def data()
 step 'start puppet server'
 with_puppet_running_on master, @master_opts, @coderoot do
 
-  step "handle certificate"
-  on(master, "puppetserver ca generate --certname #{@node1}")
-  on(master, "puppetserver ca generate --certname #{@node2}")
-  on(master, "mkdir -p #{@testroot}/puppet/ssl/certs")
-  on(master, "mkdir -p #{@testroot}/puppet/ssl/private_keys")
-  on(master, "cp -a /etc/puppetlabs/puppet/ssl/certs/ca.pem #{@testroot}/puppet/ssl/certs")
-  on(master, "cp -a /etc/puppetlabs/puppet/ssl/crl.pem #{@testroot}/puppet/ssl")
-  on(master, "cp -a /etc/puppetlabs/puppet/ssl/private_keys/#{master.connection.hostname}.pem #{@testroot}/puppet/ssl/private_keys")
-  on(master, "cp -a /etc/puppetlabs/puppet/ssl/certs/#{master.connection.hostname}.pem #{@testroot}/puppet/ssl/certs")
-
   step "global_key"
   rg = on(master, puppet('lookup', 'global_key'))
   result = rg.stdout
@@ -2587,6 +2577,25 @@ def data()
   step 'apply enc manifest'
   apply_manifest_on(master, @encmanifest, :catch_failures => true)
 
+  step "--compile uses environment specified in ENC"
+  r = on(master, puppet('lookup', '--compile', "--node #{@node1}", "--confdir #{@confdir}", "--facts #{@coderoot}/facts.yaml", 'environment_key'))
+  result = r.stdout
+  assert_match(
+    /CA is not available/,
+    result,
+    "lookup in ENC specified environment failed"
+  )
+
+  step "handle certificate"
+  on(master, "puppetserver ca generate --certname #{@node1}")
+  on(master, "puppetserver ca generate --certname #{@node2}")
+  on(master, "mkdir -p #{@testroot}/puppet/ssl/certs")
+  on(master, "mkdir -p #{@testroot}/puppet/ssl/private_keys")
+  on(master, "cp -a /etc/puppetlabs/puppet/ssl/certs/ca.pem #{@testroot}/puppet/ssl/certs")
+  on(master, "cp -a /etc/puppetlabs/puppet/ssl/crl.pem #{@testroot}/puppet/ssl")
+  on(master, "cp -a /etc/puppetlabs/puppet/ssl/private_keys/#{master.connection.hostname}.pem #{@testroot}/puppet/ssl/private_keys")
+  on(master, "cp -a /etc/puppetlabs/puppet/ssl/certs/#{master.connection.hostname}.pem #{@testroot}/puppet/ssl/certs")
+
   step "--compile uses environment specified in ENC"
   r = on(master, puppet('lookup', '--compile', "--node #{@node1}", "--confdir #{@confdir}", "--facts #{@coderoot}/facts.yaml", 'environment_key'))
   result = r.stdout

lib/puppet/application/lookup.rb

@@ -379,25 +379,31 @@ def generate_scope
       else
         ni = Puppet::Node.indirection
         tc = ni.terminus_class
-
-        service = Puppet.runtime[:http]
-        session = service.create_session
-        cert = session.route_to(:ca)
-
-        _, x509 = cert.get_certificate(node)
-        cert = OpenSSL::X509::Certificate.new(x509)
-
-        Puppet::SSL::Oids.register_puppet_oids
-        trusted = Puppet::Context::TrustedInformation.remote(true, facts.values['certname'] || node, Puppet::SSL::Certificate.from_instance(cert))
-
-        Puppet.override(trusted_information: trusted) do
-          if tc == :plain || options[:compile]
+        if options[:compile]
+          if tc == :plain
             node = ni.find(node, facts: facts)
           else
-            ni.terminus_class = :plain
-            node = ni.find(node, facts: facts)
-            ni.terminus_class = tc
+            begin
+              service = Puppet.runtime[:http]
+              session = service.create_session
+              cert = session.route_to(:ca)
+
+              _, x509 = cert.get_certificate(node)
+              cert = OpenSSL::X509::Certificate.new(x509)
+              Puppet::SSL::Oids.register_puppet_oids
+              trusted = Puppet::Context::TrustedInformation.remote(true, facts.values['certname'] || node, Puppet::SSL::Certificate.from_instance(cert))
+              Puppet.override(trusted_information: trusted) do
+                node = ni.find(node, facts: facts)
+              end
+            rescue
+              Puppet.warning _("CA is not available, the operation will continue without using trusted facts.")
+              node = ni.find(node, facts: facts)
+            end
           end
+        else
+          ni.terminus_class = :plain
+          node = ni.find(node, facts: facts)
+          ni.terminus_class = tc
         end
       end
     else

spec/integration/application/lookup_spec.rb

@@ -48,6 +48,7 @@
     let(:facts) { Puppet::Node::Facts.new("facts", {'my_fact' => 'my_fact_value'}) }
     let(:cert) { pem_content('oid.pem') }
 
+    let(:node) { Puppet::Node.new('testnode', :facts => facts, :environment => env) }
     let(:populated_env_dir) do
       dir_contained_in(env_dir, environment_files)
       env_dir
@@ -104,7 +105,9 @@ def explain(key, options = {})
         certname: fqdn,
         extensions: { "1.3.6.1.4.1.34380.1.2.1.1" => "somevalue" }))
 
-      lookup('a')
+      Puppet.settings[:node_terminus] = 'exec'
+      expect_any_instance_of(Puppet::Node::Exec).to receive(:find).and_return(node)
+      lookup('a', :compile => true)
     end
 
     it 'loads external facts when running without --node' do