(GH-3296) Prefer cert auth to token auth for puppetdb client

Previously regardless of using certs any puppetdb token (either read from default location OR configured in settings) would be sent in x-authentication header for puppetdb requests. In the case a cert is configured, do not include this as the puppetdb endpoint will 401 in the case a valid cert but revoked token is presented.
puppetlabs · Apr 11, 2024 · ef84667 · ef84667
1 parent 8266293
commit ef84667
Showing 1 changed file with 7 additions and 1 deletion.
diff --git a/lib/bolt/puppetdb/config.rb b/lib/bolt/puppetdb/config.rb
@@ -60,7 +60,7 @@ def self.default_config
       end
 
       def token
-        return @token if @token
+        return @token if @token_computed
         # Allow nil in config to skip loading a token
         if @settings.include?('token')
           if @settings['token']
@@ -69,6 +69,12 @@ def token
         elsif File.exist?(DEFAULT_TOKEN)
           @token = File.read(DEFAULT_TOKEN)
         end
+        # Only use cert based auth in the case token and cert are both configured
+        if @token && cert
+          Bolt::Logger.logger(self).debug("Both cert and token based auth configured, using cert only")
+          @token = nil
+        end
+        @token_computed = true
         @token = @token.strip if @token
       end