Merge pull request #8789 from BobosilaVictor/PUP-8094/lookup-ignores-env

(PUP-8094) Puppet lookup ignores trusted fact rule for classifier

Author: GabrielNagy

acceptance/tests/parser_functions/puppet_lookup_cmd.rb

@@ -2075,6 +2075,7 @@ def data()
 environmentpath = #{@coderoot}/environments
 hiera_config = #{@coderoot}/hiera.yaml
 environment = env1
+server = #{master.connection.hostname}
 ",
 }
 MANI1
@@ -2094,6 +2095,7 @@ def data()
 environmentpath = #{@coderoot}/environments
 hiera_config = #{@coderoot}/hiera.yaml
 environment = env2
+server = #{master.connection.hostname}
 ",
 }
 MANI2
@@ -2113,6 +2115,7 @@ def data()
 environmentpath = #{@coderoot}/environments
 hiera_config = #{@coderoot}/hiera.yaml
 environment = env3
+server = #{master.connection.hostname}
 ",
 }
 MANI3
@@ -2132,6 +2135,7 @@ def data()
 environmentpath = #{@coderoot}/environments
 hiera_config = #{@coderoot}/hiera.yaml
 environment = env4
+server = #{master.connection.hostname}
 ",
 }
 MANI4
@@ -2167,16 +2171,38 @@ def data()
 [main]
 environmentpath = #{@coderoot}/environments
 hiera_config = #{@coderoot}/hiera.yaml
+server = #{master.connection.hostname}
 ",
 }
 MANIENC
 
+teardown do
+  on(master, "rm -f /etc/puppetlabs/puppet/ssl/certs/#{@node1}.pem")
+  on(master, "rm -f /etc/puppetlabs/puppet/ssl/certs/#{@node2}.pem")
+  on(master, "rm -f /etc/puppetlabs/puppet/ssl/ca/signed/#{@node1}.pem")
+  on(master, "rm -f /etc/puppetlabs/puppet/ssl/ca/signed/#{@node2}.pem")
+  on(master, "rm -f /etc/puppetlabs/puppet/ssl/private_keys/#{@node1}.pem")
+  on(master, "rm -f /etc/puppetlabs/puppet/ssl/private_keys/#{@node2}.pem")
+  on(master, "rm -f /etc/puppetlabs/puppet/ssl/public_keys/#{@node1}.pem")
+  on(master, "rm -f /etc/puppetlabs/puppet/ssl/public_keys/#{@node2}.pem")
+end
+
 step 'apply main manifest'
 apply_manifest_on(master, @manifest, :catch_failures => true)
 
 step 'start puppet server'
 with_puppet_running_on master, @master_opts, @coderoot do
 
+  step "handle certificate"
+  on(master, "puppetserver ca generate --certname #{@node1}")
+  on(master, "puppetserver ca generate --certname #{@node2}")
+  on(master, "mkdir -p #{@testroot}/puppet/ssl/certs")
+  on(master, "mkdir -p #{@testroot}/puppet/ssl/private_keys")
+  on(master, "cp -a /etc/puppetlabs/puppet/ssl/certs/ca.pem #{@testroot}/puppet/ssl/certs")
+  on(master, "cp -a /etc/puppetlabs/puppet/ssl/crl.pem #{@testroot}/puppet/ssl")
+  on(master, "cp -a /etc/puppetlabs/puppet/ssl/private_keys/#{master.connection.hostname}.pem #{@testroot}/puppet/ssl/private_keys")
+  on(master, "cp -a /etc/puppetlabs/puppet/ssl/certs/#{master.connection.hostname}.pem #{@testroot}/puppet/ssl/certs")
+
   step "global_key"
   rg = on(master, puppet('lookup', 'global_key'))
   result = rg.stdout

lib/puppet/application/lookup.rb

@@ -367,12 +367,21 @@ def generate_scope
       ni = Puppet::Node.indirection
       tc = ni.terminus_class
 
-      if tc == :plain || options[:compile]
-        node = ni.find(node, facts: facts)
-      else
-        ni.terminus_class = :plain
-        node = ni.find(node, facts: facts)
-        ni.terminus_class = tc
+      service = Puppet.runtime[:http]
+      session = service.create_session
+      cert = session.route_to(:ca)
+
+      cert = cert.get_certificate(node)
+      trusted = Puppet::Context::TrustedInformation.new(true, node, cert)
+
+      Puppet.override(trusted_information: trusted) do
+        if tc == :plain || options[:compile]
+          node = ni.find(node, facts: facts)
+        else
+          ni.terminus_class = :plain
+          node = ni.find(node, facts: facts)
+          ni.terminus_class = tc
+        end
       end
     else
       node.add_extra_facts(given_facts) if given_facts

spec/integration/application/lookup_spec.rb

@@ -7,6 +7,7 @@
   include PuppetSpec::Files
 
   context 'with an environment' do
+    let(:fqdn) { Puppet.runtime[:facter].value(:fqdn) }
     let(:env_name) { 'spec' }
     let(:env_dir) { tmpdir('environments') }
     let(:environment_files) do
@@ -46,15 +47,16 @@
     let(:environments) { Puppet::Environments::Directories.new(populated_env_dir, []) }
     let(:facts) { Puppet::Node::Facts.new("facts", {'my_fact' => 'my_fact_value'}) }
 
-    before do
-      allow(Puppet::Node::Facts.indirection).to receive(:find).and_return(facts)
-    end
-
     let(:populated_env_dir) do
       dir_contained_in(env_dir, environment_files)
       env_dir
     end
 
+    before do
+      stub_request(:get, "https://puppet:8140/puppet-ca/v1/certificate/#{fqdn}")
+      allow(Puppet::Node::Facts.indirection).to receive(:find).and_return(facts)
+    end
+
     def lookup(key, options = {}, explain = false)
       key = [key] unless key.is_a?(Array)
       allow(app.command_line).to receive(:args).and_return(key)
@@ -101,13 +103,17 @@ def explain(key, options = {})
       lookup('a')
     end
 
-    it 'skip loading of external facts when run with --node' do
-      app.options[:node] = "random_node"
+    describe 'when using --node' do
+      let(:fqdn) { 'random_node' }
 
-      expect(Puppet::Node::Facts.indirection).to receive(:find).and_return(facts)
-      expect(Facter).to receive(:load_external).once.with(false)
-      expect(Facter).to receive(:load_external).once.with(true)
-      lookup('a')
+      it 'skip loading of external facts' do
+        app.options[:node] = fqdn
+
+        expect(Puppet::Node::Facts.indirection).to receive(:find).and_return(facts)
+        expect(Facter).to receive(:load_external).once.with(false)
+        expect(Facter).to receive(:load_external).once.with(true)
+        lookup('a')
+      end
     end
 
     context 'uses node_terminus' do