From ef84667051444d7ae6de515baabb8e474fbc7a17 Mon Sep 17 00:00:00 2001
From: donoghuc
Date: Thu, 11 Apr 2024 15:07:26 -0700
Subject: [PATCH] (GH-3296) Prefer cert auth to token auth for puppetdb client

Previously regardless of using certs any puppetdb token (either read from default location OR configured in settings) would be sent in x-authentication header for puppetdb requests. In the case a cert is configured, do not include this as the puppetdb endpoint will 401 in the case a valid cert but revoked token is presented.
---
 lib/bolt/puppetdb/config.rb | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/lib/bolt/puppetdb/config.rb b/lib/bolt/puppetdb/config.rb
index 9b0b3bbf51..914ac196da 100644
--- a/lib/bolt/puppetdb/config.rb
+++ b/lib/bolt/puppetdb/config.rb
@@ -60,7 +60,7 @@ def self.default_config
 end

 def token
- return @token if @token
+ return @token if @token_computed
 # Allow nil in config to skip loading a token
 if @settings.include?('token')
 if @settings['token']
@@ -69,6 +69,12 @@ def token
 elsif File.exist?(DEFAULT_TOKEN)
 @token = File.read(DEFAULT_TOKEN)
 end
+ # Only use cert based auth in the case token and cert are both configured
+ if @token && cert
+ Bolt::Logger.logger(self).debug("Both cert and token based auth configured, using cert only")
+ @token = nil
+ end
+ @token_computed = true
 @token = @token.strip if @token
 end
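Review bot: The guard `return @token if @token_computed` in the first hunk memoizes on a flag whose purpose is not explained in the visible lines. A comment above it such as `# nil is a valid cached result (no token found, or token suppressed in favour of the cert), so memoize on a flag instead of on @token` would stop a later cleanup from reverting it to `if @token`. The constructor is outside this hunk, so it is not visible whether the flag is initialised there; if not, adding `@token_computed = false` would avoid reading an unset instance variable.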
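Review bot: The new `if @token && cert` branch in the second hunk drops the token as soon as `cert` returns a value, yet certificate authentication also needs a usable private key. `cert` is defined outside this hunk (as is the start of `token`), so it is not visible whether it validates the key or raises. If a cert can be configured without a working key, requests would be sent with no usable credential; gating on both, e.g. `if @token && cert && key` (assuming a `key` accessor exists next to `cert`), makes the precedence explicit. An explicitly configured `token` setting is now ignored with only a debug-level message, which presumably also changes the identity PuppetDB authorizes and logs the request under, so a `warn` for that case would make the switch visible. The diffstat shows only `config.rb` changed; a spec covering token-only, cert-only and token-plus-cert would pin the precedence.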