diff --git a/acceptance/tests/concurrency/ticket_2659_concurrent_catalog_requests.rb b/acceptance/tests/concurrency/ticket_2659_concurrent_catalog_requests.rb
index 1a6234037..b3fec25d0 100644
--- a/acceptance/tests/concurrency/ticket_2659_concurrent_catalog_requests.rb
+++ b/acceptance/tests/concurrency/ticket_2659_concurrent_catalog_requests.rb
@@ -1,108 +1,108 @@ test_name "concurrent catalog requests (PUP-2659)" # we're only testing the effects of loading a master with concurrent requests confine :except, :platform => 'windows' step "setup a manifest" testdir = master.tmpdir("concurrent") apply_manifest_on(master, <<-MANIFEST, :catch_failures => true) File { ensure => directory, owner => #{master['user']}, group => #{master['group']}, mode => '750', } file { '#{testdir}': } file { '#{testdir}/busy': } file { '#{testdir}/busy/one.txt': ensure => file, mode => '640', content => "Something to read", } file { '#{testdir}/busy/two.txt': ensure => file, mode => '640', content => "Something else to read", } file { '#{testdir}/busy/three.txt': ensure => file, mode => '640', content => "Something more else to read", } file { '#{testdir}/manifests': } file { '#{testdir}/manifests/site.pp': ensure => file, content => ' $foo = inline_template(" <%- 1000.times do Dir.glob(\\'#{testdir}/busy/*.txt\\').each do |f| File.read(f) end end %> \\'touched the file system for a bit\\' ") notify { "end": message => $foo, } ', mode => '640', } MANIFEST step "start master" master_opts = { 'main' => { 'manifest' => "#{testdir}/manifests/site.pp", } } with_puppet_running_on(master, master_opts, testdir) do step "concurrent catalog curls (with alliterative alacrity)" agents.each do |agent| cert_path = on(agent, puppet('config', 'print', 'hostcert')).stdout.chomp key_path = on(agent, puppet('config', 'print', 'hostprivkey')).stdout.chomp cacert_path = on(agent, puppet('config', 'print', 'localcacert')).stdout.chomp agent_cert = on(agent, puppet('config', 'print', 'certname')).stdout.chomp run_count = 6 agent_tmpdir = agent.tmpdir("concurrent-loop-script") test_script = "#{agent_tmpdir}/loop.sh" create_remote_file(agent, test_script, <<-EOF) declare -a MYPIDS loops=#{run_count} for (( i=0; i<$loops; i++ )); do ( sleep_for="0.$(( $RANDOM % 49 ))" sleep $sleep_for url='https://#{master}:8140/production/catalog/#{agent_cert}' echo 
"Curling: $url" - curl -v -# -H 'Accept: text/pson' --cert #{cert_path} --key #{key_path} --cacert #{cacert_path} $url + curl --tlsv1 -v -# -H 'Accept: text/pson' --cert #{cert_path} --key #{key_path} --cacert #{cacert_path} $url echo "$PPID Completed" ) > "#{agent_tmpdir}/catalog-request-$i.out" 2>&1 & echo "Launched $!" MYPIDS[$i]=$! done for (( i=0; i<$loops; i++ )); do wait ${MYPIDS[$i]} done echo "All requests are finished" EOF on(agent, "chmod +x #{test_script}") on(agent, "#{test_script}") run_count.times do |i| step "Checking the results of catalog request ##{i}" on(agent, "cat #{agent_tmpdir}/catalog-request-#{i}.out") do assert_match(%r{< HTTP/1.* 200}, stdout) assert_match(%r{touched the file system for a bit}, stdout) end end end end diff --git a/acceptance/tests/environment/can_enumerate_environments.rb b/acceptance/tests/environment/can_enumerate_environments.rb index 6973d8bdb..47bcacc6c 100644 --- a/acceptance/tests/environment/can_enumerate_environments.rb +++ b/acceptance/tests/environment/can_enumerate_environments.rb 
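Review bot: The `--tlsv1` added to the curl line inside the `loop.sh` heredoc has no comment saying why the protocol is pinned, and the same literal is repeated in the curl calls of the other eleven files this commit touches. What the flag selects has varied with curl version and TLS backend (a floor of TLS 1.0 in current releases, a narrower choice in some older builds), so the intent should be written down once, for example `# --tlsv1: never negotiate SSLv2/SSLv3 with the master` above the heredoc, if that is the reason. A shared constant such as `CURL_TLS_OPTS = '--tlsv1'` in the acceptance helpers would reduce a later change of the floor to one edit.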
@@ -1,68 +1,68 @@ test_name "Can enumerate environments via an HTTP endpoint" def master_port(agent) setting_on(agent, "agent", "masterport") end def setting_on(host, section, name) on(host, puppet("config", "print", name, "--section", section)).stdout.chomp end def full_path(host, path) if host['platform'] =~ /win/ on(host, "cygpath '#{path}'").stdout.chomp else path end end def curl_master_from(agent, path, headers = '', &block) url = "https://#{master}:#{master_port(agent)}#{path}" cert_path = full_path(agent, setting_on(agent, "agent", "hostcert")) key_path = full_path(agent, setting_on(agent, "agent", "hostprivkey")) - curl_base = "curl -sg --cert \"#{cert_path}\" --key \"#{key_path}\" -k -H '#{headers}'" + curl_base = "curl --tlsv1 -sg --cert \"#{cert_path}\" --key \"#{key_path}\" -k -H '#{headers}'" on agent, "#{curl_base} '#{url}'", &block end environments_dir = master.tmpdir("environments") apply_manifest_on(master, <<-MANIFEST) File { ensure => directory, owner => #{master['user']}, group => #{master['group']}, mode => 0770, } file { "#{environments_dir}":; "#{environments_dir}/env1":; "#{environments_dir}/env2":; } MANIFEST master_opts = { :master => { :environmentpath => environments_dir } } if master.is_pe? 
master_opts[:master][:basemodulepath] = master['sitemoduledir'] end with_puppet_running_on(master, master_opts) do agents.each do |agent| step "Ensure that an unauthenticated client cannot access the environments list" do - on agent, "curl -ksv https://#{master}:#{master_port(agent)}/v2.0/environments", :acceptable_exit_codes => [0,7] do + on agent, "curl --tlsv1 -ksv https://#{master}:#{master_port(agent)}/v2.0/environments", :acceptable_exit_codes => [0,7] do assert_match(/< HTTP\/1\.\d 403/, stderr) end end step "Ensure that an authenticated client can retrieve the list of environments" do curl_master_from(agent, '/v2.0/environments') do data = JSON.parse(stdout) assert_equal(["env1", "env2", "production"], data["environments"].keys.sort) end end end end diff --git a/acceptance/tests/security/cve-2013-1652_improper_query_params.rb b/acceptance/tests/security/cve-2013-1652_improper_query_params.rb index 1f42c307f..4c805c761 100644 --- a/acceptance/tests/security/cve-2013-1652_improper_query_params.rb +++ b/acceptance/tests/security/cve-2013-1652_improper_query_params.rb 
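Review bot: `curl_master_from` and the unauthenticated request in this hunk now pin the protocol but still pass `-k`, so the agent never checks that the peer is the real master. The concurrency test in this commit reads `localcacert` and passes `--cacert`; the same would work here, e.g. `cacert_path = full_path(agent, setting_on(agent, "agent", "localcacert"))` and `--cacert \"#{cacert_path}\"` in place of `-k`. The same applies to the curl lines in both cve-2013-1652 tests, cve-2013-4761 and ticket_7117. In cve-2013-2275 and both cve-2013-3567 tests `-k` is given alongside `--cacert`, which leaves the CA file unused for verification.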
@@ -1,39 +1,39 @@ require 'json' test_name "CVE 2013-1652 Improper query parameter validation" do confine :except, :platform => 'windows' with_puppet_running_on master, {} do # Ensure each agent has a signed cert on agents, puppet('agent', "-t --server #{master}" ) agents.each do |agent| next if agent['roles'].include?( 'master' ) certname = on(agent, puppet('agent', "--configprint certname")).stdout.chomp payload = "https://#{master}:8140/production/catalog/#{certname}?use_node=" + "---%20!ruby/object:Puppet::Node%0A%20%20" + "name:%20#{master}%0A%20%20classes:%20\[\]%0A%20%20" + "parameters:%20%7B%7D%0A%20%20facts:%20%7B%7D" cert_path = on(agent, puppet('agent', "--configprint hostcert")).stdout.chomp key_path = on(agent, puppet('agent', "--configprint hostprivkey")).stdout.chomp - curl_base = "curl -g --cert \"#{cert_path}\" --key \"#{key_path}\" -k -H 'Accept: pson'" + curl_base = "curl --tlsv1 -g --cert \"#{cert_path}\" --key \"#{key_path}\" -k -H 'Accept: pson'" curl_call = "#{curl_base} '#{payload}'" step "Attempt to retrieve another nodes catalog" do on agent, curl_call do |test| begin res = JSON.parse( test.stdout ) fail_test( "Retrieved catalog for #{master} from #{agent}" ) if res['data']['name'] == master.name rescue JSON::ParserError # good, continue end end end end end end diff --git a/acceptance/tests/security/cve-2013-1652_poison_other_node_cache.rb b/acceptance/tests/security/cve-2013-1652_poison_other_node_cache.rb index f88fc6647..550b67367 100644 --- a/acceptance/tests/security/cve-2013-1652_poison_other_node_cache.rb +++ b/acceptance/tests/security/cve-2013-1652_poison_other_node_cache.rb 
@@ -1,40 +1,40 @@ test_name "CVE 2013-1652 Poison node cache" do step "Determine suitability of the test" do skip_test( "This test will only run on Puppet 3.x" ) if on(master, puppet('--version')).stdout =~ /\A2\./ end with_puppet_running_on( master, {} ) do # Ensure agent has a signed cert on master, puppet('agent', '-t', "--server #{master}" ) certname = on( master, puppet('agent', "--configprint certname")).stdout.chomp cert_path = on( master, puppet('agent', "--configprint hostcert")).stdout.chomp key_path = on( master, puppet('agent', "--configprint hostprivkey")).stdout.chomp - curl_base = "curl -g --cert \"#{cert_path}\" " + + curl_base = "curl --tlsv1 -g --cert \"#{cert_path}\" " + "--key \"#{key_path}\" -k -H 'Accept: pson'" step "Attempt to poison the master's node cache" do yamldir = on( master, puppet('master', '--configprint yamldir' )).stdout.chomp exploited = "#{yamldir}/node/you.lose.yaml" on master, "rm -rf #{exploited}" on master, "rm -rf #{yamldir}/node/*" payload2 = "https://#{master}:8140/production/node/#{certname}?instance=" + "---+%21ruby%2Fobject%3APuppet%3A%3ANode%0A+classes" + "%3A%0A+-+foo%0A+name%3A+you.lose%0A+parameters" + "%3A+%7B%7D%0A+time%3A+2013-02-28+15%3A12%3A30.367008+-08%3A00" on master, "#{curl_base} '#{payload2}'" fail_test( "Found exploit file #{exploited}" ) if on( master, "[ ! -f #{exploited} ]", :acceptable_exit_codes => [0,1] ).exit_code == 1 end end end diff --git a/acceptance/tests/security/cve-2013-1653_puppet_kick.rb b/acceptance/tests/security/cve-2013-1653_puppet_kick.rb index 818516aed..6320f8b32 100644 --- a/acceptance/tests/security/cve-2013-1653_puppet_kick.rb +++ b/acceptance/tests/security/cve-2013-1653_puppet_kick.rb 
@@ -1,113 +1,113 @@ test_name "CVE 2013-1653: Puppet Kick Remote Code Exploit" do step "Determine suitability of the test" do confine :except, :platform => 'windows' versions = on( hosts, puppet( '--version' )) skip_test( "This test will not run on Puppet 2.6" ) if versions.any? {|r| r.stdout =~ /\A2\.6\./ } end def exploit_code( exploiter, exploitee, endpoint, port, file_to_create ) certfile = on( exploiter, puppet_agent( '--configprint hostcert' )).stdout.chomp keyfile = on( exploiter, puppet_agent( '--configprint hostprivkey' )).stdout.chomp exploit = %Q[#!#{exploiter['puppetbindir']}/ruby require 'rubygems' require 'puppet' require 'openssl' require 'net/https' yaml = < 'text/yaml', 'Accept' => 'yaml'} conn = Net::HTTP.new('#{exploitee}', #{port}) conn.use_ssl = true conn.cert = OpenSSL::X509::Certificate.new(File.read('#{certfile}')) conn.key = OpenSSL::PKey::RSA.new(File.read('#{keyfile}')) conn.verify_mode = OpenSSL::SSL::VERIFY_NONE conn.request_put("/production/#{endpoint}/#{exploiter}", yaml, headers) do |response| response.read_body do |chunk| puts chunk end end ] return exploit end exploited = '/tmp/cve-2013-1653-has-worked' restauth_conf = %q[ path /run auth yes allow * ] teardown do agents.each do |agent| pidfile = on( agent, puppet_agent("--configprint pidfile") ).stdout.chomp on agent, "[ -f #{pidfile} ] && kill `cat #{pidfile}` || true" on agent, "rm -rf #{exploited}" end end agents.each do |agent| # We have to skip this case because of bug PP-436. When that gets fixed, we # can test on all nodes again. 
if agent == master Log.warn("This test does not support nodes that are both master and agents") next end atestdir = agent.tmpdir('puppet-kick-auth') mtestdir = master.tmpdir('puppet-kick-auth') step "Daemonize the agent" do # Lay down a tempory auth.conf that will allow the agent to be kicked create_remote_file(agent, "#{atestdir}/auth.conf", restauth_conf) # Start the agent on(agent, puppet_agent("--debug --daemonize --server #{master} --listen --no-client --rest_authconfig #{atestdir}/auth.conf")) step "Wait for agent to start listening" do timeout = 15 begin Timeout.timeout(timeout) do loop do # 7 is "Could not connect to host", which will happen before it's running - result = on(agent, "curl -k https://#{agent}:8139", :acceptable_exit_codes => [0,7]) + result = on(agent, "curl --tlsv1 -k https://#{agent}:8139", :acceptable_exit_codes => [0,7]) break if result.exit_code == 0 sleep 1 end end rescue Timeout::Error fail_test "Puppet agent #{agent} failed to start after #{timeout} seconds" end end end step "Attempt to exploit #{agent}" do # Ensure there's no stale data on agent, "rm -rf #{exploited}" on master, "rm -rf #{mtestdir}/exploit.rb" # Copy over our exploit and execute create_remote_file( master, "#{mtestdir}/exploit.rb", exploit_code( master, agent, 'run', 8139, exploited )) on master, "chmod +x #{mtestdir}/exploit.rb" on master, "#{mtestdir}/exploit.rb" # Did it work? fail_test( "Found exploit file #{exploited}" ) if on( agent, "[ ! -f #{exploited} ]", :acceptable_exit_codes => [0,1] ).exit_code == 1 end end end diff --git a/acceptance/tests/security/cve-2013-1654_sslv2_downgrade_agent.rb b/acceptance/tests/security/cve-2013-1654_sslv2_downgrade_agent.rb index a2b25d6a4..08475aa1a 100644 --- a/acceptance/tests/security/cve-2013-1654_sslv2_downgrade_agent.rb +++ b/acceptance/tests/security/cve-2013-1654_sslv2_downgrade_agent.rb 
@@ -1,98 +1,98 @@ test_name "CVE 2013-1654 SSL2 Downgrade of Agent connection" do require 'puppet/acceptance/windows_utils' extend Puppet::Acceptance::WindowsUtils def which_ruby(host) if host['platform'] =~ /windows/ ruby_cmd(host) else host['puppetbindir'] ? "#{host['puppetbindir']}/ruby" : 'ruby' end end def suitable?(host) cmd = </dev/null &" timeout = 15 begin Timeout.timeout(timeout) do loop do # 7 is "Could not connect to host", which will happen before it's running # 28 is "Operation timeout", which could happen if the vm was running slowly - result = on(agent, "curl -m1 -k https://#{agent}:#{port}", :acceptable_exit_codes => [0,7,28,35]) + result = on(agent, "curl --tlsv1 -m1 -k https://#{agent}:#{port}", :acceptable_exit_codes => [0,7,28,35]) break if result.exit_code == 0 or result.exit_code == 35 sleep 1 end end rescue Timeout::Error fail_test "Insecure Mock Server on #{agent} failed to start after #{timeout} seconds" end on(agent, puppet("agent --debug --test --server #{agent} --masterport #{port}"), :acceptable_exit_codes => [1]) do |test| assert_no_match(/'FOOBAR'/, test.stdout) end else logger.debug( "skipping #{agent} since SSLv2 is not available" ) end end end diff --git a/acceptance/tests/security/cve-2013-2275_report_acl.rb b/acceptance/tests/security/cve-2013-2275_report_acl.rb index f0071533b..48c158442 100644 --- a/acceptance/tests/security/cve-2013-2275_report_acl.rb +++ b/acceptance/tests/security/cve-2013-2275_report_acl.rb 
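Review bot: The comment above the probe explains exit codes 7 and 28 but not 35, which is both accepted and treated as "server is up" by `break if result.exit_code == 0 or result.exit_code == 35`. With `--tlsv1` on the probe, a handshake failure against the mock server looks like the normal outcome rather than the exception. This is inferred from the test name, because the server script is not readable in this hunk. A line such as `# 35 is "SSL connect error": the port answered but the handshake failed, which is enough to know the mock server is listening` would make that explicit.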
@@ -1,30 +1,30 @@ test_name "(#19531) report save access control" step "Verify puppet only allows saving reports from the node matching the certificate" fake_report = <<-EOYAML --- !ruby/object:Puppet::Transaction::Report host: mccune metrics: {} logs: [] kind: inspect puppet_version: "2.7.20" status: failed report_format: 3 EOYAML with_puppet_running_on(master, {}) do submit_fake_report_cmd = [ - "curl -k -X PUT", + "curl --tlsv1 -k -X PUT", "--cacert \"$(puppet master --configprint cacert)\"", "--cert \"$(puppet master --configprint hostcert)\"", "--key \"$(puppet master --configprint hostprivkey)\"", "-H 'Content-Type: text/yaml'", "-d '#{fake_report}'", "\"https://#{master}:8140/production/report/mccune\"", ].join(" ") on master, submit_fake_report_cmd, :acceptable_exit_codes => [0] do msg = "(#19531) (CVE-2013-2275) Puppet master accepted a report for a node that does not match the certname" assert_match(/Forbidden request/, stdout, msg) end end diff --git a/acceptance/tests/security/cve-2013-3567_yaml_deserialization_again.rb b/acceptance/tests/security/cve-2013-3567_yaml_deserialization_again.rb index 0526bd150..e14fd1612 100644 --- a/acceptance/tests/security/cve-2013-3567_yaml_deserialization_again.rb +++ b/acceptance/tests/security/cve-2013-3567_yaml_deserialization_again.rb 
@@ -1,40 +1,40 @@ test_name "CVE-2013-3567 Arbitrary YAML Deserialization" reportdir = master.tmpdir('yaml_deserialization') dangerous_yaml = "--- !ruby/object:Puppet::Transaction::Report { metrics: { resources: !ruby/object:ERB { src: 'exit 0' } }, logs: [], resource_statuses: [], host: '$(puppet master --configprint certname)' }" submit_bad_yaml = [ - "curl -k -X PUT", + "curl --tlsv1 -k -X PUT", "--cacert $(puppet master --configprint cacert)", "--cert $(puppet master --configprint hostcert)", "--key $(puppet master --configprint hostprivkey)", "-H 'Content-Type: text/yaml'", "-d \"#{dangerous_yaml}\"", "\"https://#{master}:8140/production/report/$(puppet master --configprint certname)\"" ].join(' ') master_opts = { 'master' => { 'reportdir' => reportdir, 'reports' => 'store', } } # In PE, the master is running as non-root. We need to set the # reportdir permissions correctly for it. on master, "chmod 750 #{reportdir}" if options.is_pe? on master, "chown pe-puppet:pe-puppet #{reportdir}" elsif master.is_using_passenger? on master, "chown puppet:puppet #{reportdir}" end with_puppet_running_on(master, master_opts) do on master, submit_bad_yaml on master, "cat #{reportdir}/$(puppet master --configprint certname)/*" do assert_no_match(/ERB/, stdout, "Improperly propagated ERB object from input into puppet code") end end on master, "rm -rf #{reportdir}" diff --git a/acceptance/tests/security/cve-2013-3567_yaml_parameter_deserialization.rb b/acceptance/tests/security/cve-2013-3567_yaml_parameter_deserialization.rb index d4c059018..a2b20e0d7 100644 --- a/acceptance/tests/security/cve-2013-3567_yaml_parameter_deserialization.rb +++ b/acceptance/tests/security/cve-2013-3567_yaml_parameter_deserialization.rb 
@@ -1,36 +1,36 @@ test_name "CVE-2013-3567 Arbitrary YAML Query Parameter Deserialization" CURL_UNABLE_TO_FETCH_PAGE = 22 require 'uri' dangerous_yaml = "--- !ruby/object:Puppet::Node::Environment { name: 'manage' }" submit_bad_yaml_as_parameter = [ - "curl -f -s -S -k -X GET", + "curl --tlsv1 -f -s -S -k -X GET", "--cacert $(puppet master --configprint cacert)", "--cert $(puppet master --configprint hostcert)", "--key $(puppet master --configprint hostprivkey)", "-H 'Accept: yaml'", "\"https://#{master}:8140/production/file_metadata/modules/testing/tested?links=#{URI.encode(dangerous_yaml)}\"" ].join(' ') modules = master.tmpdir('modules') apply_manifest_on master, < directory, owner => puppet } -> file { "#{modules}/testing": ensure => directory, owner => puppet } -> file { "#{modules}/testing/files": ensure => directory, owner => puppet } -> file { "#{modules}/testing/files/tested": ensure => file, content => "test", owner => puppet } MANIFEST master_opts = { 'master' => { 'modulepath' => modules, } } with_puppet_running_on(master, master_opts) do step "Expect the master to reject the request" on master, submit_bad_yaml_as_parameter, :acceptable_exit_codes => [CURL_UNABLE_TO_FETCH_PAGE] end diff --git a/acceptance/tests/security/cve-2013-4761_resource_type.rb b/acceptance/tests/security/cve-2013-4761_resource_type.rb index d33af1af4..24252a1d0 100644 --- a/acceptance/tests/security/cve-2013-4761_resource_type.rb +++ b/acceptance/tests/security/cve-2013-4761_resource_type.rb 
@@ -1,58 +1,58 @@ require 'puppet/acceptance/temp_file_utils' extend Puppet::Acceptance::TempFileUtils initialize_temp_dirs teardown do remove_temp_dirs end test_name "CVE 2013-4761 Remote code execution via REST resource_type" do confine :except, :platform => 'windows' create_test_file(master, 'auth.conf', <<-AUTH) path /resource_type method find, search auth any allow * AUTH create_remote_file(master, '/tmp/exploit.rb', <<-EXPLOIT) ::File.open('/tmp/exploited', 'w') { |f| f.puts("exploited") } EXPLOIT chmod(master, '777', '/tmp/exploit.rb') master_opts = { 'master' => { 'autosign' => true, 'rest_authconfig' => get_test_file_path(master, 'auth.conf'), }, } with_puppet_running_on(master, master_opts) do # Ensure each agent has a signed cert on agents, puppet("agent", "-t", "--server #{master}") agents.each do |agent| next if agent['roles'].include?('master') step "Ensure that the exploit marker is gone" do on master, "rm -f /tmp/exploited" end step "Request a type that maps to the exploit file" do type_name = "::..::..::..::..::..::tmp::exploit" payload = "https://#{master}:8140/production/resource_type/#{type_name}" cert_path = on(agent, puppet("agent", "--configprint hostcert")).stdout.chomp key_path = on(agent, puppet("agent", "--configprint hostprivkey")).stdout.chomp - curl_base = "curl -g --cert \"#{cert_path}\" --key \"#{key_path}\" -k -H 'Accept: pson'" + curl_base = "curl --tlsv1 -g --cert \"#{cert_path}\" --key \"#{key_path}\" -k -H 'Accept: pson'" on agent, "#{curl_base} '#{payload}'" end step "Check that the exploit marker was not created" do on master, "test ! -e /tmp/exploited" end end end end diff --git a/acceptance/tests/ticket_15717_puppet_kick.rb b/acceptance/tests/ticket_15717_puppet_kick.rb index 5daba5d8d..337020721 100644 --- a/acceptance/tests/ticket_15717_puppet_kick.rb +++ b/acceptance/tests/ticket_15717_puppet_kick.rb 
@@ -1,68 +1,68 @@ test_name "#15717: puppet kick" step "verify puppet kick actually triggers an agent run" confine :except, :platform => 'windows' restauth_conf = < [0,7]) + result = on(agent, "curl --tlsv1 -k https://#{agent}:8139", :acceptable_exit_codes => [0,7]) break if result.exit_code == 0 sleep 1 end end rescue Timeout::Error fail_test "Puppet agent #{agent} failed to start after #{timeout} seconds" end step "kick the agent from the master" on(master, puppet_kick("--host #{agentname}")) do |result| assert_match(/Puppet kick is deprecated/, result.stderr, "Puppet kick did not issue deprecation warning") assert_match(/status is success/, result.stdout, "Puppet kick was successful, " + "but agent #{agent} did not report success") end ensure step "kill agent" on(agent, puppet_agent("--configprint pidfile")) do |result| on(agent, "kill `cat #{result.stdout.chomp}`") end end end end diff --git a/acceptance/tests/ticket_7117_broke_env_criteria_authconf.rb b/acceptance/tests/ticket_7117_broke_env_criteria_authconf.rb index a6970d1f9..7f5f8c4d4 100644 --- a/acceptance/tests/ticket_7117_broke_env_criteria_authconf.rb +++ b/acceptance/tests/ticket_7117_broke_env_criteria_authconf.rb 
@@ -1,37 +1,37 @@ # Windows doesn't suppoert Facter fqdn properly confine :except, :platform => 'windows' test_name "#7117 Broke the environment criteria in auth.conf" testdir = master.tmpdir('env_in_auth_conf') # add to auth.conf add_2_authconf = %q{ path / environment override auth any allow * } step "Create a temp auth.conf" create_remote_file master, "#{testdir}/auth.conf", add_2_authconf on master, "chmod 644 #{testdir}/auth.conf" on master, "chmod 777 #{testdir}" with_puppet_running_on master, {'master' => {'rest_authconfig' => "#{testdir}/auth.conf"}}, testdir do agents.each do |agent| # Run test on Agents step "Run agent to upload facts" on agent, puppet_agent("--test --server #{master}") certname = master.is_pe? ? agent.to_s : on(agent, facter('fqdn')).stdout.chomp step "Fetch agent facts from Puppet Master" - on(agent, "curl -k -H \"Accept: yaml\" https://#{master}:8140/override/facts/#{certname}") do + on(agent, "curl --tlsv1 -k -H \"Accept: yaml\" https://#{master}:8140/override/facts/#{certname}") do assert_match(/--- !ruby\/object:Puppet::Node::Facts/, stdout, "Agent Facts not returned for #{agent}") end end end