  1. Puppet
  2. PUP-8748

Puppet::Rest::Client should allow its verify mode to be configured by the caller

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: PUP 6.0.0
    • Component/s: None
    • Labels:
      None
    • Acceptance Criteria:
      • Puppet::Rest::Client allows its SSL state to be configured by the caller
      • Insecure connections are only created and used once on demand, and not via an automatic downgrade
      • acceptance covered elsewhere (agent downloads cert, etc), and probably not required anyway
      • probable to cover at unit level
    • Team:
      Server
    • Release Notes:
      Not Needed
    • QA Risk Assessment:
      Needs Assessment

      Description

      We need different levels of verification for HTTP requests depending on the state of the application (e.g. whether we have downloaded a CA cert or should do CRL checking). This state is known by the entity making the requests. Currently, the client tries to guess the right verify mode itself by inspecting the application state (e.g. looking for files on disk). Instead, the caller should request a specific security configuration directly, by passing the client a context object that describes the kind of connection to use for the request. The client should then handle cleanup correctly once the request has been made, for example by resetting all connections after downloading the CA bundle using VERIFY_NONE. This will help ensure that we don't accidentally downgrade connections that are supposed to be secure.

      As a puppet/server dev
      I want this
      so that we can be explicit about the SSL verify state
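
A sketch of the caller-supplied context design described above, as an added example that is not Puppet's own code. `SSLContext`, `SketchClient`, the host name, the port and the CA path are all hypothetical; connections are configured but never opened, so it runs offline.

```ruby
require 'net/http'
require 'openssl'

# Hypothetical sketch: the caller, which knows the application state, names the
# verification it wants; the client never inspects the disk to guess a mode.
SSLContext = Struct.new(:verify_mode, :ca_file, keyword_init: true) do
  def self.insecure_bootstrap
    new(verify_mode: OpenSSL::SSL::VERIFY_NONE)
  end
  def self.verified(ca_file)
    raise ArgumentError, 'ca_file is required' if ca_file.to_s.empty?
    new(verify_mode: OpenSSL::SSL::VERIFY_PEER, ca_file: ca_file)
  end
  def insecure?
    verify_mode != OpenSSL::SSL::VERIFY_PEER
  end
end

class SketchClient
  attr_reader :pool
  def initialize; @pool = {}; end

  def connection_for(host, port, ctx)
    raise ArgumentError, 'explicit SSLContext required' unless ctx.is_a?(SSLContext)
    return build(host, port, ctx) if ctx.insecure? # one-shot, never pooled
    @pool[[host, port, ctx.ca_file]] ||= build(host, port, ctx)
  end

  # Yields a one-shot VERIFY_NONE connection, then resets all connections.
  def with_insecure(host, port)
    conn = connection_for(host, port, SSLContext.insecure_bootstrap)
    yield conn
  ensure
    conn.finish if conn&.started?
    reset
  end

  def reset
    @pool.each_value { |c| c.finish if c.started? }
    @pool.clear
  end

  private
  def build(host, port, ctx)
    http = Net::HTTP.new(host, port)
    http.use_ssl = true
    http.verify_mode = ctx.verify_mode
    http.ca_file = ctx.ca_file if ctx.ca_file
    http
  end
end
```

Because an insecure connection is built on demand and never stored, a later request made with a verified context cannot be handed a `VERIFY_NONE` connection from the pool.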


                People

                • Assignee:
                  maggie Maggie Dreyer
                  Reporter:
                  maggie Maggie Dreyer