puppet.git/lib/puppet/ssl, branch ticket/master/7841 Puppet repo Don't use non-1.8.5-compatible methods 'Object#tap' and 'Dir.mktmpdir' 2011-07-22T04:27:42+00:00 Nick Lewis nick@puppetlabs.com 2011-07-22T04:25:21+00:00 61df3f7c39d74b82e37f48c3519293406036e1e9 These methods aren't available until Ruby 1.8.6 (Dir.mktmpdir) and Ruby 1.8.7 (Object#tap). Reviewed-By: Jacob Helwig <jacob@puppetlabs.com> 
These methods aren't available until Ruby 1.8.6 (Dir.mktmpdir) and Ruby 1.8.7
(Object#tap).

Reviewed-By: Jacob Helwig <jacob@puppetlabs.com>
Remove use of Puppet::Util::Cacher in Puppet::SSL::Host 2011-07-22T03:10:25+00:00 Nick Lewis nick@puppetlabs.com 2011-07-21T18:52:50+00:00 7048b4c4d8c4a8ad45caf6a02b263ac0a9fa333e This class was previously using a cached_attr for its 'localhost' attribute, representing the Puppet::SSL::Host entry corresponding to the cert in Puppet[:certname]. We now no longer expire this attribute. This has the effect that a change to certname during the lifetime of an agent will not be reflected in the certificate it uses. If this behavior is desired, it will need to be reimplemented another way. Reviewed-By: Jacob Helwig <jacob@puppetlabs.com> 
This class was previously using a cached_attr for its 'localhost' attribute,
representing the Puppet::SSL::Host entry corresponding to the cert in
Puppet[:certname]. We now no longer expire this attribute. This has the effect
that a change to certname during the lifetime of an agent will not be reflected
in the certificate it uses. If this behavior is desired, it will need to be
reimplemented another way.

Reviewed-By: Jacob Helwig <jacob@puppetlabs.com>
Remove Util::Cacher usage from SSL::CertificateAuthority 2011-07-22T03:10:10+00:00 Nick Lewis nick@puppetlabs.com 2011-07-21T18:38:51+00:00 fac867c7bdbfbd431b089eb1bfb6eb73230e912c Allowing the singleton_instance value to be expirable is unnecessary, because there will never be a need for a different CA instance in the lifetime of a master. Additionally, the master never expired its cache anyway. This was only using the cacher so it could be expired for tests, so it can safely be removed. Reviewed-By: Jacob Helwig <jacob@puppetlabs.com> 
Allowing the singleton_instance value to be expirable is unnecessary, because
there will never be a need for a different CA instance in the lifetime of a
master. Additionally, the master never expired its cache anyway. This was only
using the cacher so it could be expired for tests, so it can safely be removed.

Reviewed-By: Jacob Helwig <jacob@puppetlabs.com>
maint: SSL::Inventory.serial should report missing names. 2011-07-20T21:49:47+00:00 Daniel Pittman daniel@puppetlabs.com 2011-07-19T23:45:26+00:00 cc311ad3dcb70547d7249e7aec9f545672c3e8e2 Our SSL inventory was able to find the serial number of a certificate by name, but was incapable of living up to the contract it offered, that it would actually report when a certificate was missing. Now it returns `nil`, which is the same case as "no inventory", if the certificate was not found, rather than accidentally returning the entire inventory data as raw strings. Reviewed-By: Pieter van de Bruggen <pieter@puppetlabs.com> 
Our SSL inventory was able to find the serial number of a certificate by name,
but was incapable of living up to the contract it offered, that it would
actually report when a certificate was missing.

Now it returns `nil`, which is the same case as "no inventory", if the
certificate was not found, rather than accidentally returning the entire
inventory data as raw strings.

Reviewed-By: Pieter van de Bruggen <pieter@puppetlabs.com>
(#7224) Add a helper to Puppet::SSL::Certificate to retrieve alternate names 2011-06-14T23:56:17+00:00 Nick Lewis nick@puppetlabs.com 2011-06-14T21:42:21+00:00 1d867b026dbfa38d44f042680acf708b42295882 Alternate names, if present, are specified in the subjectAltName extension of the certificate. The values are in the form: "DNS:alternate_name1, DNS:alternate_name2" This helper will retrieve the value of the subjectAltName extension and extract the alternate names, returning and empty list if the extension is absent. This will make it easier to access the entire list of possible names for a certificate, rather than just the common name; this is helpful for generating more detailed SSL error messages. Paired-With: Jacob Helwig <jacob@puppetlabs.com> 
Alternate names, if present, are specified in the subjectAltName extension of
the certificate. The values are in the form:

"DNS:alternate_name1, DNS:alternate_name2"

This helper will retrieve the value of the subjectAltName extension and extract
the alternate names, returning and empty list if the extension is absent. This
will make it easier to access the entire list of possible names for a
certificate, rather than just the common name; this is helpful for generating
more detailed SSL error messages.

Paired-With: Jacob Helwig <jacob@puppetlabs.com>
(#5528) Add REST API for signing, revoking, retrieving, cleaning certs 2011-04-05T22:55:24+00:00 Max Martin max@puppetlabs.com 2011-03-23T01:36:01+00:00 e20e6185f7f26d02c7ea275f8adf43c088169129 This commit introduces a new Indirector terminus, certificate_status, which allows for signing, revoking, listing, and cleaning SSL certificates over HTTP via REST. Documentation for these new features can be found in our REST API documentation on the docs site: http://docs.puppetlabs.com/guides/rest_api.html This documentation has not been updated as of the writing of this commit, but will be very soon. Puppet::SSL::Host is now fully integrated into the Indirector. Paired-with:Matt Robinson, Jacob Helwig, Jesse Wolfe, Richard Crowley, Luke Kanies 
This commit introduces a new Indirector terminus, certificate_status,
which allows for signing, revoking, listing, and cleaning
SSL certificates over HTTP via REST. Documentation for these new
features can be found in our REST API documentation on the docs site:

http://docs.puppetlabs.com/guides/rest_api.html

This documentation has not been updated as of the writing of this
commit, but will be very soon. Puppet::SSL::Host is now fully integrated
into the Indirector.

Paired-with:Matt Robinson, Jacob Helwig, Jesse Wolfe, Richard Crowley,
Luke Kanies
Maint: Modified uses of indirector.save to call the indirection directly. 2010-11-30T22:39:39+00:00 Paul Berry paul@puppetlabs.com 2010-11-30T20:06:52+00:00 0747b58bfef9c6bb5f1f9ac1eb6a7b3955dac2af This change replaces calls to <model object>.save with calls to <model class>.indirection.save(<model object>). This makes the use of the indirector explicit rather than implicit so that it will be easier to search for all indirector call sites using grep. This is an intermediate refactor on the way towards allowing indirector calls to be explicitly routed to multiple termini. This patch affects production code. 
This change replaces calls to <model object>.save with calls to <model
class>.indirection.save(<model object>).  This makes the use of the
indirector explicit rather than implicit so that it will be easier to
search for all indirector call sites using grep.  This is an
intermediate refactor on the way towards allowing indirector calls to
be explicitly routed to multiple termini.

This patch affects production code.
Maint: Moved auto-signing logic into an indirector extension 2010-11-30T20:03:57+00:00 Paul Berry paul@puppetlabs.com 2010-11-30T00:32:41+00:00 beb85d65e4cced7691163add392f53ec58cb1a3d Autosigning was previously accomplished by overriding CertificateRequest#save. This meant that it wouldn't work if certificate requests were saved via a direct call to Indirection#save. Changed it to use the indirector :extend mechanism, which works no matter how the save is invoked. 
Autosigning was previously accomplished by overriding
CertificateRequest#save.  This meant that it wouldn't work if
certificate requests were saved via a direct call to Indirection#save.
Changed it to use the indirector :extend mechanism, which works no
matter how the save is invoked.
Maint: Refactor code to use <class>.indirection.<method> 2010-11-29T20:08:26+00:00 Paul Berry paul@puppetlabs.com 2010-11-29T19:56:40+00:00 71ecad9904c8c48c023e90e5fbea5b26b180c9cf Replaced uses of the find, search, destroy, and expire methods on model classes with direct calls to the indirection objects. Also removed the old methods that delegated to the indirection object. 
Replaced uses of the find, search, destroy, and expire methods on
model classes with direct calls to the indirection objects.  Also
removed the old methods that delegated to the indirection object.
Fix #4226 - Prepend 'Puppet CA: ' to fqdn for default root ca_name 2010-09-28T22:36:23+00:00 Jacob Helwig jacob@puppetlabs.com 2010-09-21T21:01:15+00:00 66cf3a925b4b6d9b40cbdf95f2be6575bb05a881 Having a root ca_name that matches the fqdn of the puppet master would cause certificate lookup problems on some clients, resulting in failed SSL negotiation. Signed-off-by: Jacob Helwig <jacob@puppetlabs.com> 
Having a root ca_name that matches the fqdn of the puppet master would
cause certificate lookup problems on some clients, resulting in failed SSL
negotiation.

Signed-off-by: Jacob Helwig <jacob@puppetlabs.com>