$OpenBSD: patch-lib_puppet_network_http_rack_rest_rb,v 1.1 2016/06/13 17:48:53 sebastia Exp $

Pass SSL-Client-Cert to the Puppetmaster behind unicorn backend
See https://tickets.puppetlabs.com/browse/PUP-6366

--- lib/puppet/network/http/rack/rest.rb.orig	Wed Jun  1 20:10:18 2016
+++ lib/puppet/network/http/rack/rest.rb	Fri Jun 10 23:38:51 2016
@@ -103,7 +103,21 @@ class Puppet::Network::HTTP::RackREST
     # NOTE: The SSL_CLIENT_CERT environment variable will be the empty string
     # when Puppet agent nodes have not yet obtained a signed certificate.
     if cert.nil? || cert.empty?
-      nil
+      # When running with unicorn, the SSL_CLIENT_CERT variable is not available
+      # in the environment, therefore we have to pass a header: 'X-SSL-Client-Cert'
+      cert = request.env['HTTP_X_SSL_CLIENT_CERT']
+      if cert.nil? || cert.empty?
+        nil
+      else
+        # in contrast to the environment variable, the client cert is passed in
+        # as single string, therefore restore the certificate to a valid pem
+        # encoded certificate
+        cert.gsub!(/ /, "\n")
+        cert.gsub!(/BEGIN\nCERT/, "BEGIN CERT")
+        cert.gsub!(/END\nCERT/, "END CERT")
+        cert = Puppet::SSL::Certificate.from_instance(OpenSSL::X509::Certificate.new(cert))
+        cert
+      end
     else
       Puppet::SSL::Certificate.from_instance(OpenSSL::X509::Certificate.new(cert))
     end
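Review bot: The fallback at `cert = request.env['HTTP_X_SSL_CLIENT_CERT']` reads the client certificate from a request header, and nothing in the hunk ties that header to a verified TLS handshake. It is only trustworthy if the TLS-terminating proxy in front of unicorn overwrites or strips `X-SSL-Client-Cert` on every request and the unicorn listener is not reachable directly, so the comment should say so, e.g. `# SECURITY: only trustworthy when the front-end proxy always overwrites X-SSL-Client-Cert and unicorn is not reachable directly`. The three `gsub!` calls also modify the string held in `request.env` in place, and a malformed header value makes `OpenSSL::X509::Certificate.new` raise instead of falling back to `nil`. A non-mutating `pem = cert.gsub(' ', "\n").gsub(/(BEGIN|END)\nCERT/, '\1 CERT')` plus a rescue of `OpenSSL::X509::CertificateError` would cover both. The enclosing method starts and ends outside the hunk, so how the returned certificate feeds into authentication is not visible here.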
