Insecure Puppet Design Patterns Update


In my previous post I explained the security issue with relying on facts. A colleague of mine has since found that you cannot even trust $clientcert, because it is a fact supplied by the agent like any other.

Because of this I have written the function below, which returns the actual certname, the one the master has validated against the agent's certificate.

module Puppet::Parser::Functions
  newfunction(:certcheck, :type => :rvalue, :doc => <<-EOS
    Returns the actual certname
    EOS
  ) do |arguments|
    # The block runs with the compiling scope as self; host is the name of
    # the node the catalog is being compiled for, not a fact the agent sent.
    host
  end
end

This allows you to use the following Puppet code to get a variable that you can trust to identify the Puppet agent, instead of the agent-supplied $clientcert fact:

$actualclientcert = certcheck()
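To make the distinction concrete, here is an added example that is not part of the original post and does not use the real Puppet API: a small Ruby simulation of what the master sees in a catalog request. The CatalogRequest class, the ALLOWED host name and the sample request are constructed stand-ins. The certificate name comes from the TLS handshake and cannot be chosen by the agent, whereas the facts hash (including the clientcert fact) is assembled by the agent. An authorization decision keyed on the fact is satisfiable by any agent; the same decision keyed on the validated certname is not. On current Puppet releases the same certificate-derived name is also exposed to manifests as $trusted['certname'].

```ruby
# Added example, not from the original post. The classes below are
# constructed stand-ins for how a Puppet master sees an agent, not the
# real Puppet API.

# cert_name: the subject CN of the agent's client certificate, verified
#            against the CA during the TLS handshake.
# facts:     the hash the agent assembled itself and sent with the
#            catalog request; it includes the legacy 'clientcert' fact.
class CatalogRequest
  attr_reader :cert_name, :facts

  def initialize(cert_name:, facts:)
    @cert_name = cert_name # trusted: derived from the validated certificate
    @facts     = facts     # untrusted: agent-supplied
  end
end

# Insecure pattern: identify the node by the fact it sent.
def identity_from_facts(request)
  request.facts['clientcert']
end

# Pattern from the post: identify the node by the validated certname,
# which is what certcheck() returns from the compiling scope.
def identity_from_cert(request)
  request.cert_name
end

# Example policy: only the node named in ALLOWED may receive the secret.
ALLOWED = 'vault.example.com'.freeze

def grants_secret?(identity)
  identity == ALLOWED
end

# Constructed sample request: a web node presenting its own certificate
# but a facts hash in which it claims to be the vault host.
SPOOFED = CatalogRequest.new(
  cert_name: 'web01.example.com',
  facts: { 'clientcert' => 'vault.example.com', 'osfamily' => 'Debian' }
)

# Decision based on the agent-supplied fact: the spoofed value is accepted.
def insecure_decision(request = SPOOFED)
  grants_secret?(identity_from_facts(request))
end

# Decision based on the validated certname: the spoofed fact is ignored.
def hardened_decision(request = SPOOFED)
  grants_secret?(identity_from_cert(request))
end

if __FILE__ == $PROGRAM_NAME
  puts "fact-based identity: #{identity_from_facts(SPOOFED)} -> grant=#{insecure_decision}"
  puts "cert-based identity: #{identity_from_cert(SPOOFED)} -> grant=#{hardened_decision}"
end
```

Run the file directly to see both decisions side by side; the only difference between them is which of the two values the policy is keyed on, which is the whole point of replacing $clientcert with certcheck().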