authorluke <luke@980ebf18-57e1-0310-9a29-db15c13687c0>2005-08-30 00:13:53 +0000
committerluke <luke@980ebf18-57e1-0310-9a29-db15c13687c0>2005-08-30 00:13:53 +0000
commit998b4155dfc7a783b6dba5beafa272b579e98381 (patch)
tree6d815be734b2461d912b0e3b5b42ba12c3c82de5
parent7f274a4c53a676ab471a823b4d281d7708edf70d (diff)
correcting documentation on autosign in puppetmasterd, and switching the autosign.conf file to use the same authstore as fileserver.conf
git-svn-id: https://reductivelabs.com/svn/puppet/trunk@609 980ebf18-57e1-0310-9a29-db15c13687c0
-rwxr-xr-xbin/puppetmasterd7
-rw-r--r--lib/puppet/server/ca.rb45
-rwxr-xr-xlib/puppet/sslcertificates.rb2
-rw-r--r--test/server/tc_ca.rb5
4 files changed, 32 insertions, 27 deletions
diff --git a/bin/puppetmasterd b/bin/puppetmasterd
index c36a62566..df59e6430 100755
--- a/bin/puppetmasterd
+++ b/bin/puppetmasterd
@@ -20,6 +20,11 @@
#
# = Options
#
+# autosign::
+# Enable autosign (which presents a potential security problem). If enabled,
+# refers to the autosign configuration file at /etc/puppet/autosign.conf to
+# determine which hosts should have their certificates signed.
+#
# debug::
# Enable full debugging. Causes the daemon not to go into the background.
#
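Review bot: The new option text hardcodes `/etc/puppet/autosign.conf`, but the default this same commit adds in lib/puppet/sslcertificates.rb is `[:ssldir, "autosign.conf"]`, i.e. a path relative to the ssl directory, so the two only agree if ssldir happens to be /etc/puppet. Describe the location in terms of the setting instead, e.g. `# refers to the autosign configuration file (the 'autosign' setting, by default` / `# autosign.conf in the ssl directory) to determine which hosts should have` / `# their certificates signed.`. The text should also say what an entry looks like now that the file is read through the same authstore as fileserver.conf rather than as regular expressions; the test change in this commit replaces `.+.other.com` with `*.other.com`, so an existing file written in the old regexp syntax will no longer be interpreted the same way, and administrators need to be told that.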
@@ -115,7 +120,7 @@ begin
result.each { |opt,arg|
case opt
when "--autosign"
- ca[:autosign] = true
+ ca[:autosign] = Puppet[:autosign]
when "--debug"
Puppet[:debug] = true
when "--fsconfig"
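Review bot: `ca[:autosign] = Puppet[:autosign]` copies the configured path into the CA's options, but `Server::CA#autosign?` as changed in this commit reads `Puppet[:autosign]` directly (`asign = Puppet[:autosign]`), so whether `--autosign` still gates autosigning depends on what `initialize` does with `ca[:autosign]`, which is outside this diff. If the intent is that signing stays off unless the flag is given, that is worth confirming, because a configured default path would otherwise let `autosign?` succeed without it. A one-line comment stating the intent would help the next reader, e.g. `# --autosign enables signing using the file named by the 'autosign' setting`.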
diff --git a/lib/puppet/server/ca.rb b/lib/puppet/server/ca.rb
index 669fe1290..04096a216 100644
--- a/lib/puppet/server/ca.rb
+++ b/lib/puppet/server/ca.rb
@@ -16,6 +16,7 @@ class Server
iface.add_method("array getcert(csr)")
}
+ # FIXME autosign? should probably accept both hostnames and IP addresses
def autosign?(hostname)
# simple values are easy
asign = Puppet[:autosign]
@@ -33,32 +34,34 @@ class Server
Puppet.warning "Autosign is enabled but %s is missing" % asign
return false
end
+ auth = Puppet::Server::AuthStore.new
File.open(asign) { |f|
f.each { |line|
- line.chomp!
- if line =~ /^[.\w-]+$/ and line == hostname
- Puppet.info "%s exactly matched %s" % [hostname, line]
- return true
- else
- begin
- rx = Regexp.new(line)
- rescue => detail
- Puppet.err(
- "Could not create regexp out of autosign line %s: %s" %
- [line, detail]
- )
- next
- end
-
- if hostname =~ rx
- Puppet.info "%s matched %s" % [hostname, line]
- return true
- end
- end
+ auth.allow(line.chomp)
+# if line =~ /^[.\w-]+$/ and line == hostname
+# Puppet.info "%s exactly matched %s" % [hostname, line]
+# return true
+# else
+# begin
+# rx = Regexp.new(line)
+# rescue => detail
+# Puppet.err(
+# "Could not create regexp out of autosign line %s: %s" %
+# [line, detail]
+# )
+# next
+# end
+#
+# if hostname =~ rx
+# Puppet.info "%s matched %s" % [hostname, line]
+# return true
+# end
+# end
}
}
- return false
+ # for now, just cheat and pass a fake IP address to allowed?
+ return auth.allowed?(hostname, "127.0.0.1")
end
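Review bot: Every line of the file, including blank lines and comments, is now handed to `auth.allow(line.chomp)`, and the per-line `rescue`/`next` that the old code had around `Regexp.new` is gone, so if `AuthStore#allow` rejects a malformed entry (its behaviour is not visible here) one bad line aborts `autosign?` with an exception instead of being logged and skipped. The hardcoded `"127.0.0.1"` passed to `allowed?` also deserves more than a "cheat" comment: the authstore is the one used by fileserver.conf, so an IP or network entry in autosign.conf is now plausible, and because every requester is presented as the loopback address any such entry would match every host; the FIXME added at the top of `autosign?` about accepting IP addresses should say this explicitly. The large commented-out block should be deleted rather than kept; the old matching logic is in history. A tighter loop would skip blank and comment lines, keep per-entry error handling, and use `File.foreach`:
```ruby
auth = Puppet::Server::AuthStore.new
File.foreach(asign) { |line|
    entry = line.strip
    # skip blank lines and comments instead of passing them to the authstore
    next if entry.empty? or entry.start_with?("#")
    begin
        auth.allow(entry)
    rescue => detail
        Puppet.err "Could not add autosign entry %s: %s" % [entry, detail]
    end
}
# NOTE: the authstore may also evaluate IP-based entries; presenting every
# caller as 127.0.0.1 means any such entry would match every requester.
return auth.allowed?(hostname, "127.0.0.1")
```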
def initialize(hash = {})
diff --git a/lib/puppet/sslcertificates.rb b/lib/puppet/sslcertificates.rb
index fd26c097a..da6853a8c 100755
--- a/lib/puppet/sslcertificates.rb
+++ b/lib/puppet/sslcertificates.rb
@@ -207,7 +207,7 @@ module SSLCertificates
:serial => [:cadir, "serial"],
:privatedir => [:ssldir, "private"],
:passfile => [:privatedir, "password"],
- :autosign => [:ssldir, "autosign"],
+ :autosign => [:ssldir, "autosign.conf"],
:ca_crl_days => 365,
:ca_days => 1825,
:ca_md => "md5",
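Review bot: Changing the default from `autosign` to `autosign.conf` means an existing installation whose file is still named `autosign` under the ssl directory will, after upgrading, hit the "Autosign is enabled but %s is missing" branch in `Server::CA#autosign?` and stop autosigning; that is the safe direction, but it should be stated in the commit message or option documentation so the warning is not mistaken for a bug. The documentation hunk in bin/puppetmasterd names `/etc/puppet/autosign.conf`, which does not match this ssldir-relative default.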
diff --git a/test/server/tc_ca.rb b/test/server/tc_ca.rb
index e3f768b39..de1ed0963 100644
--- a/test/server/tc_ca.rb
+++ b/test/server/tc_ca.rb
@@ -204,8 +204,7 @@ class TestCA < Test::Unit::TestCase
@@tmpfiles << autosign
File.open(autosign, "w") { |f|
f.puts "hostmatch.domain.com"
- f.puts ".+.other.com"
- f.puts "hostname.+"
+ f.puts "*.other.com"
}
caserv = nil
@@ -216,8 +215,6 @@ class TestCA < Test::Unit::TestCase
assert(caserv.autosign?("hostmatch.domain.com"))
assert(caserv.autosign?("fakehost.other.com"))
- assert(caserv.autosign?("hostname.rahtest.boo"))
- assert(caserv.autosign?("hostname.com")) # a tricky one
assert(!caserv.autosign?("kirby.reductivelabs.com"))
assert(!caserv.autosign?("culain.domain.com"))
end
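Review bot: Dropping the two regexp assertions leaves no test for how a line in the old regexp syntax is treated by the authstore, and nothing exercises the fixed `"127.0.0.1"` that `Server::CA#autosign?` now passes to `allowed?`. Since the file is parsed with the same authstore as fileserver.conf, an IP-style entry in autosign.conf is plausible; writing one into the test file (`f.puts "127.0.0.1"`) and asserting `assert(!caserv.autosign?("unlisted.example.com"))` would pin down whether the loopback shortcut grants signing to hosts the file never names, which I cannot tell from the diff. The enclosing test method starts before this hunk and both hunks in this file belong to it.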