Use server_trusted_agents in v4 catalog endpoint

alexjfisher · ekohl · commit ed78b93173bb · 2020-08-05T20:31:23.000+02:00
diff --git a/spec/classes/puppet_server_puppetserver_spec.rb b/spec/classes/puppet_server_puppetserver_spec.rb
@@ -463,6 +463,13 @@
         context 'when server_puppetserver_version >= 6.3' do
           let(:params) { super().merge(server_puppetserver_version: '6.3.0') }
           it { should contain_file(auth_conf).with_content(%r{^(\ *)path: "\^/puppet/v4/catalog/\?\$"$}) }
+          context 'by default' do
+            it { should contain_file(auth_conf).with_content(%r{^(\ *)deny: "\*"\n(\ *)sort-order: 500\n(\ *)name: "puppetlabs v4 catalog for services"}) }
+          end
+          context 'with server_trusted_agents' do
+            let(:params) { super().merge(server_puppetserver_trusted_agents: ['jenkins', 'octocatalog-diff']) }
+            it { should contain_file(auth_conf).with_content(%r{^(\ *)allow: \["jenkins", "octocatalog-diff"\]\n(\ *)sort-order: 500\n(\ *)name: "puppetlabs v4 catalog for services"}) }
+          end
         end
 
         context 'when server_puppetserver_version < 6.3' do
diff --git a/templates/server/puppetserver/conf.d/auth.conf.erb b/templates/server/puppetserver/conf.d/auth.conf.erb
@@ -12,7 +12,7 @@ authorization: {
                 type: regex
                 method: [get, post]
             }
-            allow: <%= @server_trusted_agents << '$1' %>
+            allow: <%= @server_trusted_agents + ['$1'] %>
             sort-order: 500
             name: "puppetlabs v3 catalog from agents"
         },
@@ -24,7 +24,11 @@ authorization: {
                 type: regex
                 method: post
             }
+<%- if @server_trusted_agents.empty? -%>
             deny: "*"
+<%- else -%>
+            allow: <%= @server_trusted_agents %>
+<%- end -%>
             sort-order: 500
             name: "puppetlabs v4 catalog for services"
         },
