Uploaded image for project: 'Puppet'
  1. Puppet
  2. PUP-7737

Add HTTP report processor setting for including system truststore

    XMLWordPrintable

    Details

    • Type: Task
    • Status: Resolved
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: PUP 6.15.0
    • Component/s: None
    • Template:
    • Acceptance Criteria:
      Hide

      Add a report_include_system_store puppet setting to include the system CA store when posting the report to an HTTPS URL. It should default to false.

      If enabled, update the http report processor to pass include_system_store: true in the call to Client#post. Update the `spec/integration/application/apply_spec.rb` to verify this works when the HTTPS server is not the puppet CA, but is in the system store.

      For this ticket, it will only affect when the http report processor is used in puppet apply. A separate SERVER ticket will be needed to update puppetserver's HTTP client implementation.

      Show
      Add a report_include_system_store puppet setting to include the system CA store when posting the report to an HTTPS URL. It should default to false. If enabled, update the http report processor to pass include_system_store: true in the call to Client#post . Update the `spec/integration/application/apply_spec.rb` to verify this works when the HTTPS server is not the puppet CA, but is in the system store. For this ticket, it will only affect when the http report processor is used in puppet apply. A separate SERVER ticket will be needed to update puppetserver's HTTP client implementation.
    • Epic Link:
    • Team:
      Coremunity
    • Sprint:
      Platform Core KANBAN
    • Release Notes:
      Enhancement
    • Release Notes Summary:
      Hide
      The "http" report processor forwards puppet reports to the report server based on the Puppet[:reporturl] setting. If an HTTPS URL is specified, then up until now, the processor would only trust the puppet CA when verifying the server's SSL certificate. This change adds a Puppet[:report_include_system_store] setting, which defaults to false. If set to true, the report processor will trust CA certificates in the puppet-agent CA bundle in addition to the puppet CA. This change only affects the "http" processor when running in the context of "puppet apply". A separate change will be made in puppetserver, so that the "http" processor behaves the same as "puppet apply".
      Show
      The "http" report processor forwards puppet reports to the report server based on the Puppet[:reporturl] setting. If an HTTPS URL is specified, then up until now, the processor would only trust the puppet CA when verifying the server's SSL certificate. This change adds a Puppet[:report_include_system_store] setting, which defaults to false. If set to true, the report processor will trust CA certificates in the puppet-agent CA bundle in addition to the puppet CA. This change only affects the "http" processor when running in the context of "puppet apply". A separate change will be made in puppetserver, so that the "http" processor behaves the same as "puppet apply".
    • QA Risk Assessment:
      Needs Assessment

      Description

      This ticket is dependent upon the work being discussed in SERVER-1543 and PUP-5069 to enhance Puppet::Network::HttpPool with configurable support for setting whether or not the "system" truststore should be included for HTTP client requests. For this ticket, we would introduce a new Puppet setting that the HTTP report processor would use to control how the corresponding HttpPool setting is configured.

      We'll need to decide what the default for the setting would be. As Charlie Sharpsteen argued in this comment in SERVER-1543, it may make set to set this to "true" by default to make it easier for users to use the HTTP report processor with an externally hosted receiver which is using a cert issued outside of Puppet's PKI, e.g., on a public AWS instance. Defaulting to "true" may constitute a security risk for users accustomed to only having the Puppet PKI cert bundle used.

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              josh Josh Cooper
              Reporter:
              jeremy.barlow Jeremy Barlow
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:

                  Zendesk Support