Merge pull request #7982 from justinstoller/PUP-10238

joshcooper · web-flow · commit c08b9fda717b · 2020-02-11T17:05:11.000-08:00
(PUP-10238) Change default value of strict_hostname_checking to true
diff --git a/lib/puppet/defaults.rb b/lib/puppet/defaults.rb
@@ -1297,13 +1297,23 @@ def self.initialize_default_settings!(settings)
       overridden by more specific settings (see `ca_port`, `report_port`).",
     },
     :node_name => {
-      :default    => "cert",
+      :default    => 'cert',
+      :type       => :enum,
+      :values     => ['cert', 'facter'],
+      :deprecated => :completely,
+      :hook       => proc { |val|
+        if val != 'cert'
+          Puppet.deprecation_warning("The node_name setting is deprecated and will be removed in a future release.")
+        end
+      },
       :desc       => "How the puppet master determines the client's identity
       and sets the 'hostname', 'fqdn' and 'domain' facts for use in the manifest,
       in particular for determining which 'node' statement applies to the client.
       Possible values are 'cert' (use the subject's CN in the client's
       certificate) and 'facter' (use the hostname that the client
-      reported in its facts)",
+      reported in its facts).
+
+      This setting is deprecated, please use explicit fact matching for classification.",
     },
     :bucketdir => {
       :default => "$vardir/bucket",
@@ -1432,10 +1442,19 @@ def self.initialize_default_settings!(settings)
       :desc       => "Where the fileserver configuration is stored.",
     },
     :strict_hostname_checking => {
-      :default    => false,
+      :default    => true,
+      :type       => :boolean,
       :desc       => "Whether to only search for the complete
-            hostname as it is in the certificate when searching for node information
-            in the catalogs.",
+        hostname as it is in the certificate when searching for node information
+        in the catalogs or to match dot delimited segments of the cert's certname
+        and the hostname, fqdn, and/or domain facts.
+
+        This setting is deprecated and will be removed in a future release.",
+      :hook => proc { |val|
+        if val != true
+          Puppet.deprecation_warning("Setting strict_hostname_checking to false is deprecated and will be removed in a future release. Please use regular expressions in your node declarations or explicit fact matching for classification (though be warned that fact based classification may be considered insecure).")
+        end
+      }
     }
   )
 
diff --git a/spec/unit/node_spec.rb b/spec/unit/node_spec.rb
@@ -414,7 +414,9 @@ def from_json(json)
 
 describe Puppet::Node, "when generating the list of names to search through" do
   before do
-    @node = Puppet::Node.new("foo.domain.com", :parameters => {"hostname" => "yay", "domain" => "domain.com"})
+    Puppet[:strict_hostname_checking] = false
+    @node = Puppet::Node.new("foo.domain.com",
+                             :parameters => {"hostname" => "yay", "domain" => "domain.com"})
   end
 
   it "returns an array of names" do
@@ -445,7 +447,6 @@ def from_json(json)
 
   describe "and :node_name is set to 'cert'" do
     before do
-      Puppet[:strict_hostname_checking] = false
       Puppet[:node_name] = "cert"
     end
 
@@ -454,16 +455,18 @@ def from_json(json)
     end
 
     describe "and strict hostname checking is enabled" do
-      it "only uses the passed-in key" do
+      before do
         Puppet[:strict_hostname_checking] = true
+      end
+
+      it "only uses the passed-in key" do
         expect(@node.names).to eq(["foo.domain.com"])
       end
     end
   end
 
   describe "and :node_name is set to 'facter'" do
     before do
-      Puppet[:strict_hostname_checking] = false
       Puppet[:node_name] = "facter"
     end
 
