octocatalog-diff 1.5.0 → 1.5.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 0667ff8feb2bda55fc108e5d4809e953f53a7585
-  data.tar.gz: 1699635ec3113a19650cda0e7beeb1558d7eacc8
+  metadata.gz: 42b664636f99089e0838f35914f5cd0a89a60fe6
+  data.tar.gz: a6e77f9e6f1d50c6f9ea8219b580891574dbc31e
 SHA512:
-  metadata.gz: b10067b2f2f1ca1ea93f1fbdd2dd41385f3e71a14825c87701105e94a84e681d5327aea8401423dd6ae7e9152dd120a7d744b6bfccc70848ee16b894d842f38f
-  data.tar.gz: 3f4b1dd759791c9271ba02858834e7efef426a2a448a16089e7486c1922befb3f505f60f09ee486bf59ad1c4ea4d5f86b6dfd457a4ace44d085e3eba7278c8b0
+  metadata.gz: 223c4d52d3d7e424d28c42fb52e5185fe1dac46d9ea2dea9be7eebbace60b7d13ae376367abc29e58341f3a82f2c84cf640e540c389badf0c9e4811065b9e2a4
+  data.tar.gz: 0a821cf5bd95a83df9309de24141e21d3fadc21cb4d74b2344edcdb194c501bdb8c13bcd0db808d32ec07359fba5df6a559bdfc5c45077f7681e0d130d187b9c

data/.version

@@ -1 +1 @@
-1.5.0
+1.5.1

data/doc/CHANGELOG.md

@@ -7,6 +7,15 @@
 <th>Description / Changes</th>
 </tr>
 </thead><tbody>
+
+<tr valign=top>
+<td>1.5.1</td>
+<td>2017-11-16</td>
+<td>
+<li><a href="https://github.com/github/octocatalog-diff/pull/159">#159</a>: (Enhancement) Add support for puppetdb behind basic auth</li>
+</td>
+</tr>
+
 <tr valign=top>
 <td>1.5.0</td>
 <td>2017-10-18</td>

data/doc/configuration-puppetdb.md

@@ -8,13 +8,19 @@ octocatalog-diff can interact with PuppetDB in the following ways:
 
 For this to work, you will need to configure or provide information about your PuppetDB server to octocatalog-diff. You can provide this information via a [configuration file](/doc/configuration.md), via environment variables, or via command line parameters.
 
-## Required information
+# Required information
 
 - **Version of PuppetDB**: octocatalog-diff supports PuppetDB's query API v4, which requires that you be running PuppetDB 2.3 or higher.
 
 - **URL to PuppetDB**: This is the URL with the host name and port number to reach your PuppetDB instance. If you have already set up your Puppet master to communicate with PuppetDB, you can see the URL by reviewing `/etc/puppetlabs/puppet/puppetdb.conf` (on Puppet Server) or `/etc/puppet/puppetdb.conf` (on Puppet Master 3.x). The URL (or URLs) to your PuppetDB installation are visible in the `server_urls` configuration setting.
 
-- **SSL Authentication Information**: Whether your PuppetDB instance requires clients to authenticate via SSL certificates. Unless you have made a special effort to configure your PuppetDB instance not to require client certificates, it is likely that client certificate authentication is required.
+  To use basic authentication, place the username and password in the URL, e.g.:
+
+  ```
+  https://username:password@puppetdb.example.net:8081
+  ```
+
+- **SSL Authentication Information**: Whether your PuppetDB instance requires clients to authenticate via SSL certificates. Unless you have made a special effort to configure your PuppetDB instance not to require client certificates, it is likely that client certificate authentication is required. Please see the separate section below concerning SSL certificates.
 
 NOTE: In certain situations, you may need to define or alter the `certificate-whitelist` setting in your PuppetDB configuration to whitelist the certificate used by octocatalog-diff. Please see [Configuring PuppetDB](https://docs.puppet.com/puppetdb/latest/configure.html#certificate-whitelist) in the Puppet documentation for additional information.
 
@@ -25,9 +31,9 @@ The following settings can be used in a [configuration file](/doc/configuration.
 | Setting | Description |
 | --- | --- |
 | `settings[:puppetdb_url]` | PuppetDB URL settings. If this is a string, it will set a single PuppetDB URL. If it is an array, it will set multiple URLs, which will be tried in a random order until one responds. |
-| `settings[:puppetdb_ssl_ca]` | Path to the certificate of the CA that signed PuppetDB's certificate. This file is typically found in `/etc/puppetlabs/puppetdb/ssl/ca.pem` on your PuppetDB server. This file should contain only the public certificate, so it is safe to distribute to developer workstations or CI environments. |
-| `settings[:puppetdb_ssl_client_cert]` | TEXT of the certificate of the client SSL keypair. You should generate a keypair specifically for this client (or if you are running this on a machine managed by Puppet, you may be able to use the keypair for the client machine). You should **NOT** copy the certificate from your PuppetDB server itself. Note: This variable needs to be set to the TEXT of the certificate, and not the file path. This means you will likely want to use `File.read(...)` if you are configuring this to be read from a file. |
-| `settings[:puppetdb_ssl_client_key]` | Path to the private key of the client SSL keypair. You should generate a keypair specifically for this client (or if you are running this on a machine managed by Puppet, you may be able to use the keypair for the client machine). You should **NOT** copy the private key from your PuppetDB server itself.  Note: This variable needs to be set to the TEXT of the key, and not the file path. This means you will likely want to use `File.read(...)` if you are configuring this to be read from a file. |
+| `settings[:puppetdb_ssl_ca]` | Path to the certificate of the CA that signed PuppetDB's certificate. This file should contain only the public certificate, so it is safe to distribute to developer workstations or CI environments. |
+| `settings[:puppetdb_ssl_client_cert]` | TEXT of the certificate of the client SSL keypair used to authenticate to PuppetDB. Note: This variable is not set to a file path, which means you will likely want to use `File.read(...)` if you are configuring this to be read from a file. |
+| `settings[:puppetdb_ssl_client_key]` | TEXT of the private key of the client SSL keypair used to authenticate to PuppetDB. Note: This variable is not set to a file path, which means you will likely want to use means you will likely want to use `File.read(...)` if you are configuring this to be read from a file. |
 | `settings[:puppetdb_ssl_client_pem]` | Concatenation of the text of `puppetdb_ssl_client_key` and `puppetdb_ssl_client_cert` as previously described. This is a good alternative if your certificate chain is complex and it's easier just to put everything in a single place. Note: this option is second in precedence; if `settings[:puppetdb_ssl_client_cert]` and `settings[:puppetdb_ssl_client_key]` are both set, this will be ignored. |
 | `settings[:puppetdb_ssl_client_password]` | Plain text string containing the password to unlock the private key. For keys generated by the Puppet Master CA, this is not required and should be left undefined. |
 
@@ -38,9 +44,9 @@ The following arguments can be used on the command line.
 | Setting | Description |
 | --- | --- |
 | --puppetdb-url https://puppetdb.example.net:8081 | PuppetDB URL. The argument should match the `server_urls` configuration setting as described previously. Please note that only one URL is supported via the command line method, so if you have multiple `server_urls` URLs specified, you can only choose one. To use multiple URLs for failover purposes, please configure via configuration files. |
-| --puppetdb-ssl-ca FILENAME | Path to the certificate of the CA that signed PuppetDB's certificate. This file is typically found in `/etc/puppetlabs/puppetdb/ssl/ca.pem` on your PuppetDB server. This file should contain only the public certificate, so it is safe to distribute to developer workstations or CI environments. |
-| --puppetdb-ssl-client-cert FILENAME | Path to the certificate of the client SSL keypair. You should generate a keypair specifically for this client (or if you are running this on a machine managed by Puppet, you may be able to use the keypair for the client machine). You should **NOT** copy the certificate from your PuppetDB server itself. |
-| --puppetdb-ssl-client-key FILENAME | Path to the private key of the client SSL keypair. You should generate a keypair specifically for this client (or if you are running this on a machine managed by Puppet, you may be able to use the keypair for the client machine). You should **NOT** copy the private key from your PuppetDB server itself. |
+| --puppetdb-ssl-ca FILENAME | Path to the certificate of the CA that signed PuppetDB's certificate. This file should contain only the public certificate, so it is safe to distribute to developer workstations or CI environments. |
+| --puppetdb-ssl-client-cert FILENAME | Path to the certificate of the client SSL keypair. |
+| --puppetdb-ssl-client-key FILENAME | Path to the private key of the client SSL keypair. |
 | --puppetdb-ssl-client-password PASSWORD_STRING | Plain text string containing the password to unlock the private key. For keys generated by the Puppet Master CA, this is not required. |
 
 ## Supplying necessary information via the environment
@@ -50,3 +56,11 @@ The following arguments can be used on the command line.
 Set the environment variable `PUPPETDB_URL` to match the `server_urls` configuration setting as described previously. Please note that only one URL is supported via the environment variable method, so if you have multiple `server_urls` URLs specified, you can only choose one. To use multiple URLs for failover purposes, please configure via configuration files.
 
 Environment variable support is not currently available for SSL client authentication settings.
+
+# Notes about SSL certificates
+
+SSL support is enabled via any of the `--puppetdb-ssl-...` command line options or `puppetdb_ssl_...` configuration settings as described above. Please note the following concerning these SSL certificates.
+
+- The CA certificate should be the public certificate of the CA that signed your PuppetDB server's certificate. This file can be found in `/etc/puppetlabs/puppetdb/ssl/ca.pem` on a PuppetDB server. Since this is a public certificate, it is safe (and recommended) to distribute this file to any clients that may connect to this PuppetDB instance.
+
+- The client keypair (key, certificate, and optionally password) should be generated individually for each client. You should NOT copy SSL keypairs from your PuppetDB server (or anywhere else) to your clients. If you are using `octocatalog-diff` on a system that is managed by Puppet, you may wish to use the same SSL credentials that the system uses to authenticate to Puppet. With recent versions of the Puppet agent, those certificates are found in `/etc/puppetlabs/puppet/ssl`.

data/doc/optionsref.md

@@ -87,16 +87,16 @@ Usage: octocatalog-diff [command line options]
         --to-puppet-binary STRING    Full path to puppet binary for the to branch
         --from-puppet-binary STRING  Full path to puppet binary for the from branch
         --facts-terminus STRING      Facts terminus: one of yaml, facter
+        --puppetdb-url URL           PuppetDB base URL
         --puppetdb-ssl-ca FILENAME   CA certificate that signed the PuppetDB certificate
         --puppetdb-ssl-client-cert FILENAME
                                      SSL client certificate to connect to PuppetDB
-        --puppetdb-ssl-client-password PASSWORD
-                                     Password for SSL client key to connect to PuppetDB
         --puppetdb-ssl-client-key FILENAME
                                      SSL client key to connect to PuppetDB
+        --puppetdb-ssl-client-password PASSWORD
+                                     Password for SSL client key to connect to PuppetDB
         --puppetdb-ssl-client-password-file FILENAME
                                      Read password for SSL client key from a file
-        --puppetdb-url URL           PuppetDB base URL
         --puppetdb-api-version N     Version of PuppetDB API (3 or 4)
         --fact-override STRING1[,STRING2[,...]]
                                      Override fact globally

data/lib/octocatalog-diff/cli/options.rb

@@ -28,8 +28,18 @@ module OctocatalogDiff
           @weight = w
         end
 
+        def self.order_within_weight(w) # rubocop:disable Style/TrivialAccessors
+          @order_within_weight = w
+        end
+
         def self.weight
-          @weight || DEFAULT_WEIGHT
+          if @weight && @order_within_weight
+            @weight + (@order_within_weight / 100.0)
+          elsif @weight
+            @weight
+          else
+            DEFAULT_WEIGHT
+          end
         end
 
         def self.name

data/lib/octocatalog-diff/cli/options/puppet_master_ssl_ca.rb

@@ -7,6 +7,7 @@
 # @param options [Hash] Options hash being constructed; this is modified in this method.
 OctocatalogDiff::Cli::Options::Option.newoption(:puppet_master_ssl_ca) do
   has_weight 320
+  order_within_weight 30
 
   def parse(parser, options)
     OctocatalogDiff::Cli::Options.option_globally_or_per_branch(

data/lib/octocatalog-diff/cli/options/puppet_master_ssl_client_cert.rb

@@ -6,6 +6,7 @@
 # @param options [Hash] Options hash being constructed; this is modified in this method.
 OctocatalogDiff::Cli::Options::Option.newoption(:puppet_master_ssl_client_cert) do
   has_weight 320
+  order_within_weight 40
 
   def parse(parser, options)
     OctocatalogDiff::Cli::Options.option_globally_or_per_branch(

data/lib/octocatalog-diff/cli/options/puppet_master_ssl_client_key.rb

@@ -6,6 +6,7 @@
 # @param options [Hash] Options hash being constructed; this is modified in this method.
 OctocatalogDiff::Cli::Options::Option.newoption(:puppet_master_ssl_client_key) do
   has_weight 320
+  order_within_weight 50
 
   def parse(parser, options)
     OctocatalogDiff::Cli::Options.option_globally_or_per_branch(

data/lib/octocatalog-diff/cli/options/puppetdb_ssl_ca.rb

@@ -7,6 +7,7 @@
 # @param options [Hash] Options hash being constructed; this is modified in this method.
 OctocatalogDiff::Cli::Options::Option.newoption(:puppetdb_ssl_ca) do
   has_weight 310
+  order_within_weight 10
 
   def parse(parser, options)
     parser.on('--puppetdb-ssl-ca FILENAME', 'CA certificate that signed the PuppetDB certificate') do |x|

data/lib/octocatalog-diff/cli/options/puppetdb_ssl_client_cert.rb

@@ -6,6 +6,7 @@
 # @param options [Hash] Options hash being constructed; this is modified in this method.
 OctocatalogDiff::Cli::Options::Option.newoption(:puppetdb_ssl_client_cert) do
   has_weight 310
+  order_within_weight 20
 
   def parse(parser, options)
     parser.on('--puppetdb-ssl-client-cert FILENAME', 'SSL client certificate to connect to PuppetDB') do |x|

data/lib/octocatalog-diff/cli/options/puppetdb_ssl_client_key.rb

@@ -6,6 +6,7 @@
 # @param options [Hash] Options hash being constructed; this is modified in this method.
 OctocatalogDiff::Cli::Options::Option.newoption(:puppetdb_ssl_client_key) do
   has_weight 310
+  order_within_weight 30
 
   def parse(parser, options)
     parser.on('--puppetdb-ssl-client-key FILENAME', 'SSL client key to connect to PuppetDB') do |x|

data/lib/octocatalog-diff/cli/options/puppetdb_ssl_client_password.rb

@@ -7,6 +7,7 @@
 # @param options [Hash] Options hash being constructed; this is modified in this method.
 OctocatalogDiff::Cli::Options::Option.newoption(:puppetdb_ssl_client_cert) do
   has_weight 310
+  order_within_weight 35
 
   def parse(parser, options)
     parser.on('--puppetdb-ssl-client-password PASSWORD', 'Password for SSL client key to connect to PuppetDB') do |x|

data/lib/octocatalog-diff/cli/options/puppetdb_ssl_client_password_file.rb

@@ -5,6 +5,7 @@
 # @param options [Hash] Options hash being constructed; this is modified in this method.
 OctocatalogDiff::Cli::Options::Option.newoption(:puppetdb_ssl_client_password_file) do
   has_weight 310
+  order_within_weight 37
 
   def parse(parser, options)
     parser.on('--puppetdb-ssl-client-password-file FILENAME', 'Read password for SSL client key from a file') do |x|

data/lib/octocatalog-diff/cli/options/puppetdb_url.rb

@@ -7,6 +7,7 @@ require 'uri'
 # @param options [Hash] Options hash being constructed; this is modified in this method.
 OctocatalogDiff::Cli::Options::Option.newoption(:puppetdb_url) do
   has_weight 310
+  order_within_weight 1
 
   def parse(parser, options)
     parser.on('--puppetdb-url URL', 'PuppetDB base URL') do |url|

data/lib/octocatalog-diff/puppetdb.rb

@@ -108,6 +108,9 @@ module OctocatalogDiff
 
         begin
           more_options = { headers: { 'Accept' => 'application/json' }, timeout: @timeout }
+          if connection[:username] || connection[:password]
+            more_options[:basic_auth] = { username: connection[:username], password: connection[:password] }
+          end
           response = OctocatalogDiff::Util::HTTParty.get(complete_url, @options.merge(more_options), 'puppetdb')
 
           # Handle all non-200's from PuppetDB
@@ -153,7 +156,13 @@ module OctocatalogDiff
       end
 
       raise ArgumentError, "URL #{url} has invalid scheme" unless uri.scheme =~ /^https?$/
-      { ssl: uri.scheme == 'https', host: uri.host, port: uri.port }
+      parsed_url = { ssl: uri.scheme == 'https', host: uri.host, port: uri.port }
+      if uri.user || uri.password
+        parsed_url[:username] = uri.user
+        parsed_url[:password] = uri.password
+      end
+
+      parsed_url
     rescue URI::InvalidURIError => exc
       raise exc.class, "Invalid URL: #{url} (#{exc.message})"
     end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: octocatalog-diff
 version: !ruby/object:Gem::Version
-  version: 1.5.0
+  version: 1.5.1
 platform: ruby
 authors:
 - GitHub, Inc.
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-10-18 00:00:00.000000000 Z
+date: 2017-11-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: diffy
@@ -67,20 +67,6 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 0.25.0b2
-- !ruby/object:Gem::Dependency
-  name: bundler
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - '='
-      - !ruby/object:Gem::Version
-        version: 1.15.4
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - '='
-      - !ruby/object:Gem::Version
-        version: 1.15.4
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement