Refs #36620 - Replace whitelist with allowlist

treydock · ekohl · commit 482367903aeb · 2023-08-08T14:54:43.000+02:00
diff --git a/manifests/init.pp b/manifests/init.pp
@@ -409,14 +409,14 @@
 #
 # $server_ruby_load_paths::                 List of ruby paths
 #
-# $server_ca_client_whitelist::             The whitelist of client certificates that
+# $server_ca_client_allowlist::             The allowlist of client certificates that
 #                                           can query the certificate-status endpoint
 #                                           Defaults to [ '127.0.0.1', '::1', $::ipaddress ]
 #
 # $server_custom_trusted_oid_mapping::      A hash of custom trusted oid mappings. Defaults to undef
 #                                           Example: { 1.3.6.1.4.1.34380.1.2.1.1 => { shortname => 'myshortname' } }
 #
-# $server_admin_api_whitelist::             The whitelist of clients that
+# $server_admin_api_allowlist::             The allowlist of clients that
 #                                           can query the puppet-admin-api endpoint
 #                                           Defaults to [ '127.0.0.1', '::1', $::ipaddress ]
 #
@@ -546,7 +546,7 @@
 #                                           invokes when on static_file_content requests.
 #                                           Defaults to undef
 #
-# $server_jolokia_metrics_whitelist::       The whitelist of clients that
+# $server_jolokia_metrics_allowlist::       The allowlist of clients that
 #                                           can query the jolokia /metrics/v2 endpoint
 #
 # === Usage:
@@ -636,7 +636,7 @@
   Optional[String] $syslogfacility = $puppet::params::syslogfacility,
   String $environment = $puppet::params::environment,
   Boolean $server = $puppet::params::server,
-  Array[String] $server_admin_api_whitelist = $puppet::params::server_admin_api_whitelist,
+  Array[String] $server_admin_api_allowlist = $puppet::params::server_admin_api_allowlist,
   Boolean $server_manage_user = $puppet::params::manage_user,
   String $server_user = $puppet::params::user,
   String $server_group = $puppet::params::group,
@@ -648,7 +648,7 @@
   Optional[Boolean] $server_crl_enable = $puppet::params::server_crl_enable,
   Boolean $server_ca_auth_required = $puppet::params::server_ca_auth_required,
   Boolean $server_ca_client_self_delete = $puppet::params::server_ca_client_self_delete,
-  Array[String] $server_ca_client_whitelist = $puppet::params::server_ca_client_whitelist,
+  Array[String] $server_ca_client_allowlist = $puppet::params::server_ca_client_allowlist,
   Optional[Puppet::Custom_trusted_oid_mapping] $server_custom_trusted_oid_mapping = $puppet::params::server_custom_trusted_oid_mapping,
   Boolean $server_http = $puppet::params::server_http,
   Stdlib::Port $server_http_port = $puppet::params::server_http_port,
@@ -747,7 +747,7 @@
   Optional[Integer[1]] $server_max_open_files = $puppet::params::server_max_open_files,
   Optional[Stdlib::Absolutepath] $server_versioned_code_id = undef,
   Optional[Stdlib::Absolutepath] $server_versioned_code_content = undef,
-  Array[String[1]] $server_jolokia_metrics_whitelist = [],
+  Array[String[1]] $server_jolokia_metrics_allowlist = [],
   Stdlib::Filemode $puppetconf_mode = $puppet::params::puppetconf_mode,
 ) inherits puppet::params {
   contain puppet::config
diff --git a/manifests/params.pp b/manifests/params.pp
@@ -385,8 +385,8 @@
   $server_connect_timeout                 = 120000
   $server_ca_auth_required                = true
   $server_ca_client_self_delete           = false
-  $server_admin_api_whitelist             = ['localhost', $lower_fqdn]
-  $server_ca_client_whitelist             = ['localhost', $lower_fqdn]
+  $server_admin_api_allowlist             = ['localhost', $lower_fqdn]
+  $server_ca_client_allowlist             = ['localhost', $lower_fqdn]
   $server_cipher_suites                   = [
     'TLS_AES_128_GCM_SHA256',
     'TLS_AES_256_GCM_SHA384',
diff --git a/manifests/server.pp b/manifests/server.pp
@@ -232,14 +232,14 @@
 #
 # $ruby_load_paths::                   List of ruby paths
 #
-# $ca_client_whitelist::               The whitelist of client certificates that
+# $ca_client_allowlist::               The allowlist of client certificates that
 #                                      can query the certificate-status endpoint
 #                                      Defaults to [ '127.0.0.1', '::1', $::ipaddress ]
 #
 # $custom_trusted_oid_mapping::        A hash of custom trusted oid mappings.
 #                                      Example: { 1.3.6.1.4.1.34380.1.2.1.1 => { shortname => 'myshortname' } }
 #
-# $admin_api_whitelist::               The whitelist of clients that
+# $admin_api_allowlist::               The allowlist of clients that
 #                                      can query the puppet-admin-api endpoint
 #                                      Defaults to [ '127.0.0.1', '::1', $::ipaddress ]
 #
@@ -335,7 +335,7 @@
 #                                      a static_file_content API request for the contents of a file resource that
 #                                      has a source attribute with a puppet:/// URI value.
 #
-# $jolokia_metrics_whitelist::         The whitelist of clients that
+# $jolokia_metrics_allowlist::         The allowlist of clients that
 #                                      can query the jolokia /metrics/v2 endpoint
 class puppet::server (
   Variant[Boolean, Stdlib::Absolutepath] $autosign = $puppet::autosign,
@@ -344,7 +344,7 @@
   Optional[String] $autosign_content = $puppet::autosign_content,
   Optional[String] $autosign_source = $puppet::autosign_source,
   String $hiera_config = $puppet::hiera_config,
-  Array[String] $admin_api_whitelist = $puppet::server_admin_api_whitelist,
+  Array[String] $admin_api_allowlist = $puppet::server_admin_api_allowlist,
   Boolean $manage_user = $puppet::server_manage_user,
   String $user = $puppet::server_user,
   String $group = $puppet::server_group,
@@ -358,7 +358,7 @@
   Optional[Boolean] $crl_enable = $puppet::server_crl_enable,
   Boolean $ca_auth_required = $puppet::server_ca_auth_required,
   Boolean $ca_client_self_delete = $puppet::server_ca_client_self_delete,
-  Array[String] $ca_client_whitelist = $puppet::server_ca_client_whitelist,
+  Array[String] $ca_client_allowlist = $puppet::server_ca_client_allowlist,
   Optional[Puppet::Custom_trusted_oid_mapping] $custom_trusted_oid_mapping = $puppet::server_custom_trusted_oid_mapping,
   Boolean $http = $puppet::server_http,
   Stdlib::Port $http_port = $puppet::server_http_port,
@@ -457,7 +457,7 @@
   Optional[Integer[1]] $max_open_files = $puppet::server_max_open_files,
   Optional[Stdlib::Absolutepath] $versioned_code_id = $puppet::server_versioned_code_id,
   Optional[Stdlib::Absolutepath] $versioned_code_content = $puppet::server_versioned_code_content,
-  Array[String[1]] $jolokia_metrics_whitelist = $puppet::server_jolokia_metrics_whitelist,
+  Array[String[1]] $jolokia_metrics_allowlist = $puppet::server_jolokia_metrics_allowlist,
 ) {
   $cadir = "${puppetserver_dir}/ca"
 
diff --git a/manifests/server/puppetserver.pp b/manifests/server/puppetserver.pp
@@ -111,8 +111,8 @@
   Integer[0] $server_connect_timeout = $puppet::server::connect_timeout,
   Boolean $server_ca_auth_required = $puppet::server::ca_auth_required,
   Boolean $server_ca_client_self_delete = $puppet::server::ca_client_self_delete,
-  Array[String] $server_ca_client_whitelist = $puppet::server::ca_client_whitelist,
-  Array[String] $server_admin_api_whitelist = $puppet::server::admin_api_whitelist,
+  Array[String] $server_ca_client_allowlist = $puppet::server::ca_client_allowlist,
+  Array[String] $server_admin_api_allowlist = $puppet::server::admin_api_allowlist,
   Boolean $server_check_for_updates = $puppet::server::check_for_updates,
   Boolean $server_environment_class_cache_enabled = $puppet::server::environment_class_cache_enabled,
   Optional[Boolean] $server_metrics = $puppet::server::puppetserver_metrics,
@@ -143,7 +143,7 @@
   Optional[Stdlib::Absolutepath] $versioned_code_id = $puppet::server::versioned_code_id,
   Optional[Stdlib::Absolutepath] $versioned_code_content = $puppet::server::versioned_code_content,
   Boolean $disable_fips = $facts['os']['family'] == 'RedHat' and $facts['os']['release']['major'] == '8',
-  Array[String[1]] $jolokia_metrics_whitelist = $puppet::server::jolokia_metrics_whitelist,
+  Array[String[1]] $jolokia_metrics_allowlist = $puppet::server::jolokia_metrics_allowlist,
 ) {
   include puppet::server
 
diff --git a/spec/classes/puppet_server_puppetserver_spec.rb b/spec/classes/puppet_server_puppetserver_spec.rb
@@ -561,7 +561,7 @@
         end
       end
 
-      describe 'jolokia_metrics_whitelist' do
+      describe 'jolokia_metrics_allowlist' do
         let(:content) { catalogue.resource('file', auth_conf).send(:parameters)[:content] }
         let(:rules) { Hocon.parse(content)['authorization']['rules'] }
         let(:rule) { rules.find {|rule| rule['name'] == 'jolokia metrics' } }
@@ -571,7 +571,7 @@
         end
 
         context 'when set' do
-          let(:params) { super().merge(server_jolokia_metrics_whitelist: ['localhost', 'host.example.com']) }
+          let(:params) { super().merge(server_jolokia_metrics_allowlist: ['localhost', 'host.example.com']) }
 
           it { expect(rule['match-request']['path']).to eq('/metrics/v2') }
           it { expect(rule['allow']).to eq(['localhost', 'host.example.com']) }
diff --git a/templates/server/puppetserver/conf.d/auth.conf.erb b/templates/server/puppetserver/conf.d/auth.conf.erb
@@ -88,7 +88,7 @@ authorization: {
             allow-unauthenticated: true
 <%- else -%>
             allow: [
-<%- @server_ca_client_whitelist.each do |client| -%>
+<%- @server_ca_client_allowlist.each do |client| -%>
                 "<%= client %>",
 <%- end -%>
                 {
@@ -126,7 +126,7 @@ authorization: {
             allow-unauthenticated: true
 <%- else -%>
             allow: [
-<%- @server_ca_client_whitelist.each do |client| -%>
+<%- @server_ca_client_allowlist.each do |client| -%>
                 "<%= client %>",
 <%- end -%>
                 {
@@ -149,7 +149,7 @@ authorization: {
             },
             allow: [
                 "$2",
-<%- @server_admin_api_whitelist.each do |client| -%>
+<%- @server_admin_api_allowlist.each do |client| -%>
                 "<%= client %>",
 <%- end -%>
                 {
@@ -216,7 +216,7 @@ authorization: {
                 method: delete
             }
             allow: [
-<%- @server_admin_api_whitelist.each do |client| -%>
+<%- @server_admin_api_allowlist.each do |client| -%>
                 "<%= client %>",
 <%- end -%>
             ]
@@ -230,7 +230,7 @@ authorization: {
                 method: delete
             }
             allow: [
-<%- @server_admin_api_whitelist.each do |client| -%>
+<%- @server_admin_api_allowlist.each do |client| -%>
                 "<%= client %>",
 <%- end -%>
             ]
@@ -361,14 +361,14 @@ authorization: {
             name: "puppetlabs experimental"
         },
 <%- end -%>
-<%- unless @jolokia_metrics_whitelist.empty? -%>
+<%- unless @jolokia_metrics_allowlist.empty? -%>
         {
             match-request: {
                 path: "/metrics/v2"
                 type: path
             }
             allow: [
-<%- @jolokia_metrics_whitelist.each do |client| -%>
+<%- @jolokia_metrics_allowlist.each do |client| -%>
                 "<%= client %>",
 <%- end -%>
             ]
