| author | Brice Figureau <brice-puppet@daysofwonder.com> | 2010-10-16 16:58:04 +0200 |
|---|---|---|
| committer | James Turnbull <james@lovedthanlost.net> | 2010-11-12 04:12:39 +1100 |
| commit | ea435a43dc97487d054271a9efb208f361408339 (patch) | |
| tree | 6abea315c00d7cb6de990b72010f50022f0de8cb /lib/puppet/indirector | |
| parent | a097b939ab52bafb681cf7c5dcaf11717add07e6 (diff) | |
Fix #5020 - Prefer finding node name from REST uri over certname
This is a behavior change. Before this patch, we always used the currently
connected node's certname to compile the catalog, despite the value of
the catalog URI REST request.
With this patch we now use the URI as the compiled node name.
This is safe because the default auth.conf (and default inserted rules
when no auth.conf is present) only allow the given connected node to
compile its own catalog.
But this also allows for greater flexibility with auth.conf. For instance,
it can be used by a monitoring system to check multiple nodes' catalogs
with only one certificate:

```
path ~ ^/catalog/([^/]+)$
method find
allow $1
allow monitoring-station.domain.com
```
Signed-off-by: Brice Figureau <brice-puppet@daysofwonder.com>
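As an added illustration (not Puppet's own code), the following Ruby models how the auth.conf stanza quoted in the commit message decides who may compile a given node's catalog, and which node name the compiler picks after this patch. It assumes that `allow $1` means the connected certname must equal the name captured from the REST path; `catalog_allowed?`, `node_to_compile` and the sample certnames are hypothetical.

```ruby
# Constructed rule mirroring the auth.conf stanza from the commit message.
# Assumption: the capture group in the path regex is what "$1" refers to.
CATALOG_RULE = {
  path:   %r{\A/catalog/([^/]+)\z},
  method: :find,
  allow:  ['$1', 'monitoring-station.domain.com'],
}

# Returns true if the connected client `certname` may perform `method`
# on the REST `path` under `rule`, false otherwise.
def catalog_allowed?(rule, certname, method, path)
  return false unless method == rule[:method]
  m = rule[:path].match(path)
  return false unless m
  rule[:allow].any? do |entry|
    # "$1" is replaced by the first capture of the path regex, so a node
    # may fetch only the catalog whose URI names its own certname.
    expanded = entry.gsub(/\$(\d+)/) { m[Regexp.last_match(1).to_i] }
    expanded == certname
  end
end

# The node name the compiler uses after this patch: the URI key first,
# falling back to the connected certname only when no key is given.
def node_to_compile(key, certname)
  key || certname
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample requests: a node asking for its own catalog, a node
  # asking for a peer's catalog, and the monitoring station asking for any.
  [['web01.domain.com', '/catalog/web01.domain.com'],
   ['web02.domain.com', '/catalog/web01.domain.com'],
   ['monitoring-station.domain.com', '/catalog/web01.domain.com']].each do |cn, path|
    puts "#{cn} find #{path}: #{catalog_allowed?(CATALOG_RULE, cn, :find, path)}"
  end
end
```

The second sample request is the case the authorization layer must refuse: with `name = request.key || request.node`, nothing in the compiler itself stops web02 from compiling web01's catalog, so the auth.conf rule is the only control.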
Diffstat (limited to 'lib/puppet/indirector')

| mode | file | changes |
|---|---|---|
| -rw-r--r-- | lib/puppet/indirector/catalog/compiler.rb | 12 |

1 file changed, 8 insertions, 4 deletions
diff --git a/lib/puppet/indirector/catalog/compiler.rb b/lib/puppet/indirector/catalog/compiler.rb index c50022fff..6375e801f 100644 --- a/lib/puppet/indirector/catalog/compiler.rb +++ b/lib/puppet/indirector/catalog/compiler.rb @@ -107,10 +107,14 @@ class Puppet::Resource::Catalog::Compiler < Puppet::Indirector::Code return node end - # If the request is authenticated, then the 'node' info will - # be available; if not, then we use the passed-in key. We rely - # on our authorization system to determine whether this is allowed. - name = request.node || request.key + # We rely on our authorization system to determine whether the connected + # node is allowed to compile the catalog's node referenced by key. + # By default the REST authorization system makes sure only the connected node + # can compile his catalog. + # This allows for instance monitoring systems or puppet-load to check several + # node's catalog with only one certificate and a modification to auth.conf + # If no key is provided we can only compile the currently connected node. + name = request.key || request.node if node = find_node(name) return node end |
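Review bot: The new comment block needs a grammar pass and should state the security consequence plainly: "can compile his catalog" should read "can compile its own catalog", and "several node's catalog" should read "several nodes' catalogs"; more importantly, once the assignment becomes `name = request.key || request.node`, the only thing preventing one certificate from compiling another node's catalog is the auth.conf rule on `/catalog/`, so the comment should say outright that loosening that rule (as the commit message suggests for monitoring) grants exactly that ability. It would also help to document when `request.key` can be nil on a find request, since the "If no key is provided" fallback to `request.node` is only reachable in that case.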