| author | Luke Kanies <luke@madstop.com> | 2008-04-17 17:47:03 -0500 |
|---|---|---|
| committer | Luke Kanies <luke@madstop.com> | 2008-04-17 17:47:03 -0500 |
| commit | cbe522169ed6eb2426ecf5a77e24e27b6f7a4edf (patch) | |
| tree | a2b793773b4be415fca31ec91178e5c39f93a898 | |
| parent | c5f0eff51626baa76ebc5bd4bee9d319a0b220c5 (diff) | |
Adding SSL::Host-level support for managing the terminus and
cache classes. Also, defaulting to the :file terminus
for all of the SSL classes.
| -rw-r--r-- | lib/puppet/indirector/ssl_file.rb | 8 | ||||
| -rw-r--r-- | lib/puppet/ssl/certificate.rb | 17 | ||||
| -rw-r--r-- | lib/puppet/ssl/certificate_request.rb | 2 | ||||
| -rw-r--r-- | lib/puppet/ssl/certificate_revocation_list.rb | 2 | ||||
| -rw-r--r-- | lib/puppet/ssl/host.rb | 56 | ||||
| -rw-r--r-- | lib/puppet/ssl/key.rb | 2 | ||||
| -rwxr-xr-x | spec/unit/ssl/certificate.rb | 9 | ||||
| -rwxr-xr-x | spec/unit/ssl/certificate_request.rb | 4 | ||||
| -rwxr-xr-x | spec/unit/ssl/certificate_revocation_list.rb | 4 | ||||
| -rwxr-xr-x | spec/unit/ssl/host.rb | 97 | ||||
| -rwxr-xr-x | spec/unit/ssl/key.rb | 4 |
11 files changed, 177 insertions, 28 deletions
diff --git a/lib/puppet/indirector/ssl_file.rb b/lib/puppet/indirector/ssl_file.rb index 582d282ff..7b3561263 100644 --- a/lib/puppet/indirector/ssl_file.rb +++ b/lib/puppet/indirector/ssl_file.rb @@ -1,5 +1,4 @@ -require 'puppet/indirector/file' -require 'puppet/ssl/host' +require 'puppet/ssl' class Puppet::Indirector::SslFile < Puppet::Indirector::Terminus # Specify the directory in which multiple files are stored. @@ -141,3 +140,8 @@ class Puppet::Indirector::SslFile < Puppet::Indirector::Terminus end end end + +# LAK:NOTE This has to be at the end, because classes like SSL::Key use this +# class, and this require statement loads those, which results in a load loop +# and lots of failures. +require 'puppet/ssl/host' diff --git a/lib/puppet/ssl/certificate.rb b/lib/puppet/ssl/certificate.rb index 9b1e2a79a..4887708f8 100644 --- a/lib/puppet/ssl/certificate.rb +++ b/lib/puppet/ssl/certificate.rb @@ -10,20 +10,5 @@ class Puppet::SSL::Certificate < Puppet::SSL::Base wraps OpenSSL::X509::Certificate extend Puppet::Indirector - indirects :certificate - - # Indicate where we should get our signed certs from. - def self.ca_is(dest) - raise(ArgumentError, "Invalid location '%s' for ca; valid values are :local and :remote" % dest) unless [:local, :remote].include?(dest) - @ca_location = dest - end - - # Default to :local for the ca location. - def self.ca_location - if defined?(@ca_location) and @ca_location - @ca_location - else - :local - end - end + indirects :certificate, :terminus_class => :file end diff --git a/lib/puppet/ssl/certificate_request.rb b/lib/puppet/ssl/certificate_request.rb index 4ca6d9899..8ef0b800e 100644 --- a/lib/puppet/ssl/certificate_request.rb +++ b/lib/puppet/ssl/certificate_request.rb 
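Review bot: The `require 'puppet/ssl/host'` appended to the end of ssl_file.rb ties correctness to load order instead of removing the cycle: nothing in the visible part of this file references `Puppet::SSL::Host`, so the require appears to exist only so that requiring the terminus also loads Host, and if `puppet/ssl/host` is required first it re-enters this file through Key/Certificate before `SslFile` is fully defined. If the side effect is intended, the LAK:NOTE should state the dependency rather than the symptom, e.g. `# Loaded last on purpose: Puppet::SSL::Key/Certificate require this terminus, so a top-of-file` `# require re-enters here before the class exists; callers that load only this file still get Host.` If Host is not needed here, dropping the line and requiring `puppet/ssl/host` at the call sites that use it removes the cycle outright. The class body between the two hunks is outside the diff, so a reference to Host there cannot be ruled out from this page.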
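Review bot: Removing `Certificate.ca_is`/`ca_location` changes the default as well as where the API lives: the old reader fell back to `:local`, while the new `Puppet::SSL::Host.ca_location` reader added in this commit has no default and nothing in the diff calls the setter, so until a caller does every SSL class stays on the plain `:file` terminus declared by `indirects :certificate, :terminus_class => :file`. Any remaining caller of `Certificate.ca_location` now raises NoMethodError; I could not see callers from this page. A one-line comment on the `indirects` line would make the new default explicit: `# Plain file store until Puppet::SSL::Host.ca_location= selects a CA-aware terminus.`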
@@ -5,7 +5,7 @@ class Puppet::SSL::CertificateRequest < Puppet::SSL::Base wraps OpenSSL::X509::Request extend Puppet::Indirector - indirects :certificate_request + indirects :certificate_request, :terminus_class => :file # How to create a certificate request with our system defaults. def generate(key) diff --git a/lib/puppet/ssl/certificate_revocation_list.rb b/lib/puppet/ssl/certificate_revocation_list.rb index 939b48443..aab1ec5ec 100644 --- a/lib/puppet/ssl/certificate_revocation_list.rb +++ b/lib/puppet/ssl/certificate_revocation_list.rb @@ -6,7 +6,7 @@ class Puppet::SSL::CertificateRevocationList < Puppet::SSL::Base wraps OpenSSL::X509::CRL extend Puppet::Indirector - indirects :certificate_revocation_list + indirects :certificate_revocation_list, :terminus_class => :file # Knows how to create a CRL with our system defaults. def generate(cert) diff --git a/lib/puppet/ssl/host.rb b/lib/puppet/ssl/host.rb index dbd885316..a6c721b1c 100644 --- a/lib/puppet/ssl/host.rb +++ b/lib/puppet/ssl/host.rb 
@@ -25,6 +25,62 @@ class Puppet::SSL::Host CA_NAME end + class << self + attr_reader :ca_location + end + + # Configure how our various classes interact with their various terminuses. + def self.configure_indirection(terminus, cache = nil) + Certificate.terminus_class = terminus + CertificateRequest.terminus_class = terminus + + if cache + # This is weird; we don't actually cache our keys, we + # use what would otherwise be the cache as our normal + # terminus. + Key.terminus_class = cache + else + Key.terminus_class = terminus + end + + if cache + Certificate.cache_class = cache + CertificateRequest.cache_class = cache + end + end + + # Specify how we expect to interact with our certificate authority. + def self.ca_location=(mode) + raise ArgumentError, "CA Mode can only be :local, :remote, or :none" unless [:local, :remote, :only, :none].include?(mode) + + @ca_mode = mode + + case @ca_mode + when :local: + # Our ca is local, so we use it as the ultimate source of information + # And we cache files locally. + configure_indirection :ca_file, :file + when :remote: + configure_indirection :rest, :file + when :only: + # We are the CA, so we just interact with CA stuff. + configure_indirection :ca_file + when :none: + # We have no CA, so we just look in the local file store. + configure_indirection :file + end + end + + # Set the cache class for the files we manage. + def self.cache_class=(value) + [Key, CertificateRequest, Certificate].each { |klass| klass.terminus_class = value } + end + + # Set the terminus class for the files we manage. + def self.terminus_class=(value) + [Key, CertificateRequest, Certificate].each { |klass| klass.terminus_class = value } + end + # Search for more than one host, optionally only specifying # an interest in hosts with a given file type. # This just allows our non-indirected class to have one of diff --git a/lib/puppet/ssl/key.rb b/lib/puppet/ssl/key.rb index 124d4c2d7..65294ac00 100644 --- a/lib/puppet/ssl/key.rb 
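Review bot: `ca_location=` stores the mode in `@ca_mode`, but the reader added via `class << self; attr_reader :ca_location; end` returns `@ca_location`, so `Puppet::SSL::Host.ca_location` is nil after every successful assignment; change the setter to `@ca_location = mode` and `case @ca_location` (or simply `case mode`). Two more defects in the same hunk: `self.cache_class=` assigns `klass.terminus_class = value` where it should assign `klass.cache_class = value`, silently replacing the terminus of Key, CertificateRequest and Certificate whenever a cache is configured, and the ArgumentError text `"CA Mode can only be :local, :remote, or :none"` omits `:only`, which the guard on the line above accepts. When `configure_indirection` runs without a cache (the `:only` and `:none` branches) it leaves whatever `cache_class` an earlier `:local`/`:remote` call set on Certificate and CertificateRequest, so switching modes within one process keeps serving from the stale file cache; whether that matters depends on how often the mode changes, which this diff does not show. `CertificateRevocationList` is not touched by `configure_indirection` although it receives the same `:file` default elsewhere in this commit, so a comment saying whether that is deliberate would help the next reader.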
+++ b/lib/puppet/ssl/key.rb @@ -6,7 +6,7 @@ class Puppet::SSL::Key < Puppet::SSL::Base wraps OpenSSL::PKey::RSA extend Puppet::Indirector - indirects :key + indirects :key, :terminus_class => :file attr_reader :password_file diff --git a/spec/unit/ssl/certificate.rb b/spec/unit/ssl/certificate.rb index 7aaf8534d..a30591946 100755 --- a/spec/unit/ssl/certificate.rb +++ b/spec/unit/ssl/certificate.rb @@ -21,13 +21,8 @@ describe Puppet::SSL::Certificate do @class.indirection.name.should == :certificate end - it "should default to a local certificate authority" do - @class.ca_location.should == :local - end - - it "should allow overriding the ca location" do - @class.ca_is :remote - @class.ca_location.should == :remote + it "should default to the :file terminus" do + @class.indirection.terminus_class.should == :file end describe "when managing instances" do diff --git a/spec/unit/ssl/certificate_request.rb b/spec/unit/ssl/certificate_request.rb index 19e72d65e..169cb64b9 100755 --- a/spec/unit/ssl/certificate_request.rb +++ b/spec/unit/ssl/certificate_request.rb @@ -22,6 +22,10 @@ describe Puppet::SSL::CertificateRequest do @class.new("myname").name.should == "myname" end + it "should default to the :file terminus" do + @class.indirection.terminus_class.should == :file + end + describe "when managing instances" do before do @request = @class.new("myname") diff --git a/spec/unit/ssl/certificate_revocation_list.rb b/spec/unit/ssl/certificate_revocation_list.rb index 01c197b25..3513607d9 100755 --- a/spec/unit/ssl/certificate_revocation_list.rb +++ b/spec/unit/ssl/certificate_revocation_list.rb @@ -11,6 +11,10 @@ describe Puppet::SSL::CertificateRevocationList do @class = Puppet::SSL::CertificateRevocationList end + it "should default to the :file terminus" do + @class.indirection.terminus_class.should == :file + end + describe "when an instance" do before do @class.any_instance.stubs(:read_or_generate) 
diff --git a/spec/unit/ssl/host.rb b/spec/unit/ssl/host.rb index 97d6c27d8..e1d6b5c9e 100755 --- a/spec/unit/ssl/host.rb +++ b/spec/unit/ssl/host.rb 
@@ -37,6 +37,103 @@ describe Puppet::SSL::Host do lambda { @host.password_file = "/my/file" }.should_not raise_error end + it "should have a method for determining the CA location" do + Puppet::SSL::Host.should respond_to(:ca_location) + end + + it "should have a method for specifying the CA location" do + Puppet::SSL::Host.should respond_to(:ca_location=) + end + + describe "when specifying the CA location" do + before do + [Puppet::SSL::Key, Puppet::SSL::Certificate, Puppet::SSL::CertificateRequest].each do |klass| + klass.stubs(:terminus_class=) + klass.stubs(:cache_class=) + end + end + + it "should support the location ':local'" do + lambda { Puppet::SSL::Host.ca_location = :local }.should_not raise_error + end + + it "should support the location ':remote'" do + lambda { Puppet::SSL::Host.ca_location = :remote }.should_not raise_error + end + + it "should support the location ':none'" do + lambda { Puppet::SSL::Host.ca_location = :none }.should_not raise_error + end + + it "should not support other modes" do + lambda { Puppet::SSL::Host.ca_location = :whatever }.should raise_error(ArgumentError) + end + + describe "as 'local'" do + it "should set the cache class for Certificate and CertificateRequest as :file" do + Puppet::SSL::Certificate.expects(:cache_class=).with :file + Puppet::SSL::CertificateRequest.expects(:cache_class=).with :file + + Puppet::SSL::Host.ca_location = :local + end + + it "should set the terminus class for Key as :file" do + Puppet::SSL::Key.expects(:terminus_class=).with :file + + Puppet::SSL::Host.ca_location = :local + end + + it "should set the terminus class for Certificate and CertificateRequest as :ca_file" do + Puppet::SSL::Certificate.expects(:terminus_class=).with :ca_file + Puppet::SSL::CertificateRequest.expects(:terminus_class=).with :ca_file + + Puppet::SSL::Host.ca_location = :local + end + end + + describe "as 'remote'" do + it "should set the cache class for Certificate and CertificateRequest as :file" do + 
Puppet::SSL::Certificate.expects(:cache_class=).with :file + Puppet::SSL::CertificateRequest.expects(:cache_class=).with :file + + Puppet::SSL::Host.ca_location = :remote + end + + it "should set the terminus class for Key as :file" do + Puppet::SSL::Key.expects(:terminus_class=).with :file + + Puppet::SSL::Host.ca_location = :remote + end + + it "should set the terminus class for Certificate and CertificateRequest as :rest" do + Puppet::SSL::Certificate.expects(:terminus_class=).with :rest + Puppet::SSL::CertificateRequest.expects(:terminus_class=).with :rest + + Puppet::SSL::Host.ca_location = :remote + end + end + + describe "as 'only'" do + it "should set the terminus class for Key, Certificate, and CertificateRequest as :ca_file" do + Puppet::SSL::Key.expects(:terminus_class=).with :ca_file + Puppet::SSL::Certificate.expects(:terminus_class=).with :ca_file + Puppet::SSL::CertificateRequest.expects(:terminus_class=).with :ca_file + + Puppet::SSL::Host.ca_location = :only + end + end + + describe "as 'none'" do + it "should set the terminus class for Key, Certificate, and CertificateRequest as :file" do + Puppet::SSL::Key.expects(:terminus_class=).with :file + Puppet::SSL::Certificate.expects(:terminus_class=).with :file + Puppet::SSL::CertificateRequest.expects(:terminus_class=).with :file + + Puppet::SSL::Host.ca_location = :none + end + end + end + describe "when managing its private key" do before do @realkey = "mykey" diff --git a/spec/unit/ssl/key.rb b/spec/unit/ssl/key.rb index 98b7e8a2b..8d89c0039 100755 --- a/spec/unit/ssl/key.rb +++ b/spec/unit/ssl/key.rb @@ -17,6 +17,10 @@ describe Puppet::SSL::Key do @class.indirection.name.should == :key end + it "should default to the :file terminus" do + @class.indirection.terminus_class.should == :file + end + describe "when managing instances" do before do @key = @class.new("myname") |
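Review bot: None of the new examples reads `Puppet::SSL::Host.ca_location` back after setting it, so this spec cannot catch the setter storing the value in a different instance variable than the reader uses (in this commit the setter writes `@ca_mode` while `attr_reader :ca_location` reads `@ca_location`); add `it "should remember the CA location" do Puppet::SSL::Host.ca_location = :remote; Puppet::SSL::Host.ca_location.should == :remote end`. The "should support the location" group omits `:only` although the setter accepts it, and the `as 'only'`/`as 'none'` groups never assert anything about `cache_class=`, so a cache left over from a previous mode would go unnoticed. Because the `before` block stubs both `terminus_class=` and `cache_class=` on all three classes, a `Host.cache_class=` that mistakenly calls `terminus_class=` passes every example here; a direct example for `Host.cache_class=` with `expects(:cache_class=).with :file` and `expects(:terminus_class=).never` would pin that. The enclosing describe block continues past the end of the hunk.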
