diff --git a/lib/bolt/puppetdb/config.rb b/lib/bolt/puppetdb/config.rb
index 9b0b3bbf51..914ac196da 100644
--- a/lib/bolt/puppetdb/config.rb
+++ b/lib/bolt/puppetdb/config.rb
@@ -60,7 +60,7 @@ def self.default_config
 end
 def token
- return @token if @token
+ return @token if @token_computed
 # Allow nil in config to skip loading a token
 if @settings.include?('token')
 if @settings['token']
@@ -69,6 +69,12 @@ def token
 elsif File.exist?(DEFAULT_TOKEN)
 @token = File.read(DEFAULT_TOKEN)
 end
+ # Only use cert based auth in the case token and cert are both configured
+ if @token && cert
+ Bolt::Logger.logger(self).debug("Both cert and token based auth configured, using cert only")
+ @token = nil
+ end
+ @token_computed = true
 @token = @token.strip if @token
 end
diff --git a/spec/unit/puppetdb/config_spec.rb b/spec/unit/puppetdb/config_spec.rb
index 005a3cee9a..e003b131f2 100644
--- a/spec/unit/puppetdb/config_spec.rb
+++ b/spec/unit/puppetdb/config_spec.rb
@@ -72,6 +72,8 @@
 context "token" do
 context "token is valid" do
 before :each do
+ options.delete('cert')
+ options.delete('key')
 allow(File).to receive(:read).with(token).and_return 'footoken'
 allow(File).to receive(:read).with(Bolt::PuppetDB::Config::DEFAULT_TOKEN).and_return 'bartoken'
 end
@@ -97,6 +99,8 @@
 context "token is invalid" do
 before :each do
+ options.delete('cert')
+ options.delete('key')
 allow(File).to receive(:read).with(token).and_return "footoken\n"
 allow(File).to receive(:read).with(Bolt::PuppetDB::Config::DEFAULT_TOKEN).and_return "bartoken\n"
 end
@@ -112,6 +116,14 @@
 expect(config.token).to eq('bartoken')
 end
 end
+
+ context "both token and cert" do
+ it "returns nil for token when cert is configured" do
+ allow(config).to receive(:validate_file_exists).with('cert').and_return true
+ allow(File).to receive(:read).with(token).and_return 'footoken'
+ expect(config.token).to be_nil
+ end
+ end
 end
 context "cacert" do
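Review bot: The new guard `return @token if @token_computed` at the top of `token` needs a short comment, because the reason for a separate flag is not visible at that line. After this change nil is a legitimate resolved value (no token found, or the token suppressed in favour of a cert), so `@token` alone can no longer signal "already resolved". Something like `# nil is a valid result, so memoize with a flag instead of on @token` above the guard would cover it. It would also be tidier to set `@token_computed = false` wherever the other instance variables are initialised, which this hunk does not show.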
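Review bot: The token file is still read from disk before the added `if @token && cert` check discards it, so a credential that will never be sent is loaded into memory, and an unreadable configured token path can still raise for a setup that only intends to use cert auth. Resolving `cert` first and skipping the `File.read` calls when it is set would avoid both; the "using cert only" message could then be driven by whether a token is configured rather than by the loaded value. The check also consults only `cert`: unless cert/key pairing is validated elsewhere (not visible here), a cert path without a key would drop the only usable credential. Since this changes which identity PuppetDB sees, a line in the method's comment stating the precedence (`# cert auth takes precedence; a configured token is ignored`) would help operators. The body of `token` begins above this hunk.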
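Review bot: The new "both token and cert" context covers only a token path set in the options; the `DEFAULT_TOKEN` branch, which feeds the same `@token && cert` check, has no example with a cert configured. A second example would close that gap: remove 'token' from the options, stub the `DEFAULT_TOKEN` lookup and read as the neighbouring contexts do, and expect `config.token` to be nil. It would also be worth calling `config.token` twice in one example and asserting `File.read` is received once, since the `@token_computed` flag exists precisely so the nil result is not recomputed. How `options` and `token` are defined is outside this hunk, so the exact setup is an assumption.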