(PUP-7737) Allow http report processor to trust the system CA store

Adds a `Puppet[:report_include_system_store]` setting that defaults to false. If
set to true, the "http" report processor will trust the system certificate store
when submitting reports to an HTTPS report server. If false, then the processor
only trusts the puppet CA.

When installed from puppet-agent packages the system store is installed in
`/opt/puppetlabs/puppet/ssl/cert*` or on Windows
`C:\Program Files\Puppet Labs\Puppet\puppet\ssl\cert*`.

Note this change only affects the `http` report processor when running `puppet
apply`. A separate change is needed in puppetserver when the "http" processor
runs in puppetserver.

Skip all of the apply integration tests on jruby, like we do for agent.

Author: joshcooper

lib/puppet/defaults.rb

@@ -1795,6 +1795,16 @@ def self.initialize_default_settings!(settings)
       :type     => :boolean,
       :desc     => "Whether to send reports after every transaction.",
     },
+    :report_include_system_store => {
+      :default  => false,
+      :type     => :boolean,
+      :desc     => "Whether the 'http' report processor should include the system
+        certificate store when submitting reports to HTTPS URLs. If false, then
+        the 'http' processor will only trust HTTPS report servers whose certificates
+        are issued by the puppet CA or one of its intermediate CAs. If true, the
+        processor will additionally trust CA certificates in the system's
+        certificate store."
+    },
     :resubmit_facts => {
       :default  => false,
       :type     => :boolean,

lib/puppet/reports/http.rb

@@ -23,6 +23,7 @@ def process
     options = {
       :metric_id => [:puppet, :report, :http],
       :body => self.to_yaml,
+      :include_system_store => Puppet[:report_include_system_store],
     }
 
     if url.user && url.password

spec/integration/application/apply_spec.rb

@@ -3,7 +3,7 @@
 require 'puppet_spec/compiler'
 require 'puppet_spec/https'
 
-describe "apply" do
+describe "apply", unless: Puppet::Util::Platform.jruby? do
   include PuppetSpec::Files
 
   before :each do
@@ -258,7 +258,7 @@ class mod {
     expect(@logs.map(&:to_s)).to include(/{environment =>.*/)
   end
 
-  it "applies a given file even when an ENC is configured", :unless => Puppet::Util::Platform.windows? || RUBY_PLATFORM == 'java' do
+  it "applies a given file even when an ENC is configured", :unless => Puppet::Util::Platform.windows? || Puppet::Util::Platform.jruby? do
     manifest = file_containing("manifest.pp", "notice('specific manifest applied')")
     enc = script_containing('enc_script',
       :windows => '@echo classes: []' + "\n" + '@echo environment: special',
@@ -379,7 +379,7 @@ def init_cli_args_and_apply_app(args, execute)
     # External node script execution will fail, likely due to the tampering
     # with the basic file descriptors.
     # Workaround: Define a log destination and merely inspect logs.
-    context "with an ENC", :unless => RUBY_PLATFORM == 'java' do
+    context "with an ENC" do
       let(:logdest) { tmpfile('logdest') }
       let(:args) { ['-e', execute, '--logdest', logdest ] }
       let(:enc) do
@@ -587,6 +587,14 @@ def bogus()
     end
 
     let(:apply) { Puppet::Application[:apply] }
+    let(:unknown_server) do
+      unknown_ca_cert = cert_fixture('unknown-ca.pem')
+      PuppetSpec::HTTPSServer.new(
+        ca_cert: unknown_ca_cert,
+        server_cert: cert_fixture('unknown-127.0.0.1.pem'),
+        server_key: key_fixture('unknown-127.0.0.1-key.pem')
+      )
+    end
 
     it 'submits a report via reporturl' do
       report = nil
@@ -609,5 +617,50 @@ def bogus()
         expect(report.resource_statuses['Notify[hi]']).to be_a(Puppet::Resource::Status)
       end
     end
+
+    it 'rejects an HTTPS report server whose root cert is not the puppet CA' do
+      unknown_server.start_server do |https_port|
+        Puppet[:reporturl] = "https://127.0.0.1:#{https_port}/reports/upload"
+
+        # processing the report happens after the transaction is finished,
+        # so we expect exit code 0, with a later failure on stderr
+        expect {
+          apply.command_line.args = ['-e', 'notify { "hi": }']
+          apply.run
+        }.to exit_with(0)
+         .and output(/Applied catalog/).to_stdout
+         .and output(/Report processor failed: certificate verify failed \[self signed certificate in certificate chain for CN=Unknown CA\]/).to_stderr
+      end
+    end
+
+    it 'accepts an HTTPS report servers whose cert is in the system CA store' do
+      Puppet[:report_include_system_store] = true
+      report = nil
+
+      response_proc = -> (req, res) {
+        report = Puppet::Transaction::Report.convert_from(:yaml, req.body)
+      }
+
+      # create a temp cacert bundle
+      ssl_file = tmpfile('systemstore')
+      File.write(ssl_file, unknown_server.ca_cert.to_pem)
+
+      unknown_server.start_server(response_proc: response_proc) do |https_port|
+        Puppet[:reporturl] = "https://127.0.0.1:#{https_port}/reports/upload"
+
+        # override path to system cacert bundle, this must be done before
+        # the SSLContext is created and the call to X509::Store.set_default_paths
+        Puppet::Util.withenv("SSL_CERT_FILE" => ssl_file) do
+          expect {
+            apply.command_line.args = ['-e', 'notify { "hi": }']
+            apply.run
+          }.to exit_with(0)
+           .and output(/Applied catalog/).to_stdout
+        end
+
+        expect(report).to be_a(Puppet::Transaction::Report)
+        expect(report.resource_statuses['Notify[hi]']).to be_a(Puppet::Resource::Status)
+      end
+    end
   end
 end