Ruby

Puppets security and inheritance

Stephen
After talking to a fellow Puppetlabs employee, Chris, and reading a blog post he has been writing about security issues related to class inheritance, I got thinking about ways to protect your code base against this. The following blog post explains the problem as well as a hackish method to try to protect yourself against it.

The problem

Let's say that you have multiple teams managing multiple modules within your Puppet infrastructure.

Insecure Puppet Design Patterns Update

Stephen
In my previous post, I explained the security issue related to using facts. A colleague of mine has found out that you can't even trust $clientcert. Because of this, I have written the function below to allow you to get the actual certname, which has been validated against the certificate.

    module Puppet::Parser::Functions
      newfunction(:certcheck, :type => :rvalue, :doc => <<-EOS
        Returns the actual certname
        EOS
      ) do |arguments|
        return host
      end
    end

This allows you to use the following Puppet code to get a variable that you can trust to identify the Puppet agent.

Hiera Debug

Stephen
Introduction

After working with Hiera for some time with ever-growing code bases, I have decided to write a super simple function, hiera_debug. This will allow the user to create a log file with information regarding each Hiera lookup. This has allowed me to find out where in my manifests I am looking up variables and what they are returning on each run. It's a very simple wrapper function for Hiera that will output debug information into $logdir/hiera_debug_stephensmacbook.

Producteev API

Stephen
My first shot at a Ruby gem and API client; any feedback would help. Producteev API