Revision 7697116c
Added by Dominic Cleal over 11 years ago
templates/external_node.rb.erb | ||
---|---|---|
:facts => <%= @facts %>,
|
||
:storeconfigs => <%= @storeconfigs %>,
|
||
:timeout => 3,
|
||
# if CA is specified, remote Foreman host will be verified
|
||
:ssl_ca => "<%= @ssl_ca -%>",
|
||
# ssl_cert and key are required if require_ssl_puppetmasters is enabled in Foreman
|
||
:ssl_cert => "<%= @ssl_cert -%>",
|
||
:ssl_key => "<%= @ssl_key -%>"
|
||
}
|
||
|
||
### Do not edit below this line
|
||
... | ... | |
req.set_form_data('facts' => fact)
|
||
res = Net::HTTP.new(uri.host, uri.port)
|
||
res.use_ssl = uri.scheme == 'https'
|
||
res.verify_mode = OpenSSL::SSL::VERIFY_NONE if res.use_ssl?
|
||
if res.use_ssl?
|
||
if SETTINGS[:ssl_ca]
|
||
res.ca_file = SETTINGS[:ssl_ca]
|
||
res.verify_mode = OpenSSL::SSL::VERIFY_PEER
|
||
else
|
||
res.verify_mode = OpenSSL::SSL::VERIFY_NONE
|
||
end
|
||
if SETTINGS[:ssl_cert] and SETTINGS[:ssl_key]
|
||
res.cert = OpenSSL::X509::Certificate.new(File.read(SETTINGS[:ssl_cert]))
|
||
res.key = OpenSSL::PKey::RSA.new(File.read(SETTINGS[:ssl_key]), nil)
|
||
end
|
||
end
|
||
res.start { |http| http.request(req) }
|
||
rescue => e
|
||
raise "Could not send facts to Foreman: #{e}"
|
||
... | ... | |
req = Net::HTTP::Get.new(foreman_url)
|
||
http = Net::HTTP.new(uri.host, uri.port)
|
||
http.use_ssl = uri.scheme == 'https'
|
||
http.verify_mode = OpenSSL::SSL::VERIFY_NONE if http.use_ssl?
|
||
res = http.start { |http| http.request(req) }
|
||
if http.use_ssl?
|
||
if SETTINGS[:ssl_ca]
|
||
http.ca_file = SETTINGS[:ssl_ca]
|
||
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
|
||
else
|
||
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
|
||
end
|
||
if SETTINGS[:ssl_cert] and SETTINGS[:ssl_key]
|
||
http.cert = OpenSSL::X509::Certificate.new(File.read(SETTINGS[:ssl_cert]))
|
||
http.key = OpenSSL::PKey::RSA.new(File.read(SETTINGS[:ssl_key]), nil)
|
||
end
|
||
end
|
||
res = http.start { |http| http.request(req) }
|
||
|
||
raise "Error retrieving node #{certname}: #{res.class}" unless res.code == "200"
|
||
res.body
|
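Review bot: The `if SETTINGS[:ssl_ca]` test at the top of the new SSL block (and the matching `if SETTINGS[:ssl_cert] and SETTINGS[:ssl_key]`) checks truthiness, but the template above renders these as quoted strings, so an unset value most likely arrives as `""`, which is truthy in Ruby; the `else` branch would then never run and `ca_file`/`File.read` would be handed an empty path. Use an emptiness-aware guard in both hunks, e.g. `if SETTINGS[:ssl_ca] && !SETTINGS[:ssl_ca].empty?` and `if %i[ssl_cert ssl_key].all? { |k| SETTINGS[k] && !SETTINGS[k].empty? }`, and prefer `&&` over `and` to avoid precedence surprises. The `else` branch that keeps `OpenSSL::SSL::VERIFY_NONE` silently disables server verification whenever no CA is configured, so an HTTPS ENC request would accept any server certificate; a one-line warning there, `warn "ssl_ca not set, Foreman server certificate will not be verified"` (or failing closed), would make that visible to operators. The second hunk shows `res = http.start { |http| http.request(req) }` both before and after the SSL block, so the request apparently moved; please confirm only the later call survives on the new side. The enclosing methods in both hunks begin and end outside the shown lines.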
fixes #2121, #2069 - authenticate to Foreman with SSL certificate
CVE-2013-0171 and CVE-2013-0174 were resolved by verifying client SSL
certificates on Foreman interfaces used by puppetmasters. This change updates
the ENC and report processors to provide and verify certificates by default.