author | John A. Barbuto <jbarbuto@corp.sourceforge.com> | 2009-10-26 14:02:35 -0700 |
---|---|---|
committer | James Turnbull <james@lovedthanlost.net> | 2009-10-27 12:17:20 +1100 |
commit | ff3a7bc17b66b73f5cf155a2ffb62ccd85f9e9bc (patch) | |
tree | 25867986fbd53b50d4278750aa58a8c7221986d3 | |
parent | 594c774dd466c85eae829eaba3898d02ae9538ca (diff) | |
Re-fixed #2750 - Stop disabling the CRL or checking for a disabled CRL
This was deprecated in commit 1cfb0215 and was keeping puppetd from starting in listen mode.
Signed-off-by: John A. Barbuto <jbarbuto@corp.sourceforge.com>
-rw-r--r-- | lib/puppet/application/puppetd.rb | 7 | ||||
-rw-r--r-- | lib/puppet/network/http_server/webrick.rb | 5 | ||||
-rw-r--r-- | lib/puppet/ssl/certificate_revocation_list.rb | 2 | ||||
-rw-r--r-- | lib/puppet/sslcertificates/ca.rb | 5 | ||||
-rwxr-xr-x | spec/unit/application/puppetd.rb | 8 | ||||
-rwxr-xr-x | spec/unit/ssl/certificate_revocation_list.rb | 12 |
6 files changed, 1 insertions, 38 deletions
diff --git a/lib/puppet/application/puppetd.rb b/lib/puppet/application/puppetd.rb index 26c9f825e..56aaf9370 100644 --- a/lib/puppet/application/puppetd.rb +++ b/lib/puppet/application/puppetd.rb @@ -160,13 +160,6 @@ Puppet::Application.new(:puppetd) do exit(14) end - # FIXME: we should really figure out how to distribute the CRL - # to clients. In the meantime, we just disable CRL checking if - # the CRL file doesn't exist - unless File::exist?(Puppet[:cacrl]) - Puppet[:cacrl] = nil - end - handlers = nil if options[:serve].empty? diff --git a/lib/puppet/network/http_server/webrick.rb b/lib/puppet/network/http_server/webrick.rb index a863d3a20..2dae9ccd8 100644 --- a/lib/puppet/network/http_server/webrick.rb +++ b/lib/puppet/network/http_server/webrick.rb @@ -21,13 +21,10 @@ module Puppet # with them, with flags appropriate for checking client # certificates for revocation def x509store - if Puppet[:cacrl] == 'false' + unless File.exist?(Puppet[:cacrl]) # No CRL, no store needed return nil end - unless File.exist?(Puppet[:cacrl]) - raise Puppet::Error, "Could not find CRL; set 'cacrl' to 'false' to disable CRL usage" - end crl = OpenSSL::X509::CRL.new(File.read(Puppet[:cacrl])) store = OpenSSL::X509::Store.new store.purpose = OpenSSL::X509::PURPOSE_ANY diff --git a/lib/puppet/ssl/certificate_revocation_list.rb b/lib/puppet/ssl/certificate_revocation_list.rb index f3c1a348a..c725bde48 100644 --- a/lib/puppet/ssl/certificate_revocation_list.rb +++ b/lib/puppet/ssl/certificate_revocation_list.rb @@ -46,8 +46,6 @@ class Puppet::SSL::CertificateRevocationList < Puppet::SSL::Base # The name doesn't actually matter; there's only one CRL. # We just need the name so our Indirector stuff all works more easily. def initialize(fakename) - raise Puppet::Error, "Cannot manage the CRL when :cacrl is set to false" if [false, "false"].include?(Puppet[:cacrl]) - @name = "crl" end 
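Review bot: In `x509store` (lib/puppet/network/http_server/webrick.rb) the new `unless File.exist?(Puppet[:cacrl])` guard returns `nil` silently when the CRL file is missing, where the removed code raised `Puppet::Error` unless CRL use had been explicitly set to 'false'. A CRL that was never distributed, was deleted, or sits behind a mistyped path therefore leaves the listener without a revocation store, and presumably revoked client certificates are then no longer rejected, with nothing in the logs to say so. I would log before the early return, for example `Puppet.warning "CRL #{Puppet[:cacrl]} not found; client certificate revocation checking is disabled"`, and reword the comment to `# No CRL file on disk: revocation checking is skipped (fail-open)`. It is also worth confirming that `Puppet[:cacrl]` can no longer be `nil` or `false` here, since `File.exist?` would raise a `TypeError` on a non-string. The rest of the method body lies outside the hunk, so how a `nil` store is consumed cannot be checked from here.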
diff --git a/lib/puppet/sslcertificates/ca.rb b/lib/puppet/sslcertificates/ca.rb index b0bcdb612..b5a246969 100644 --- a/lib/puppet/sslcertificates/ca.rb +++ b/lib/puppet/sslcertificates/ca.rb @@ -194,9 +194,6 @@ class Puppet::SSLCertificates::CA # Revoke the certificate with serial number SERIAL issued by this # CA. The REASON must be one of the OpenSSL::OCSP::REVOKED_* reasons def revoke(serial, reason = OpenSSL::OCSP::REVOKED_STATUS_KEYCOMPROMISE) - if @config[:cacrl] == 'false' - raise Puppet::Error, "Revocation requires a CRL, but ca_crl is set to 'false'" - end time = Time.now revoked = OpenSSL::X509::Revoked.new revoked.serial = serial @@ -344,8 +341,6 @@ class Puppet::SSLCertificates::CA @crl = OpenSSL::X509::CRL.new( File.read(@config[:cacrl]) ) - elsif @config[:cacrl] == 'false' - @crl = nil else # Create new CRL @crl = OpenSSL::X509::CRL.new diff --git a/spec/unit/application/puppetd.rb b/spec/unit/application/puppetd.rb index 19dfaf3e0..e5a51675d 100755 --- a/spec/unit/application/puppetd.rb +++ b/spec/unit/application/puppetd.rb @@ -407,14 +407,6 @@ describe "puppetd" do @puppetd.setup_listen end - it "should set :cacrl to nil if no cacrl file" do - Puppet.expects(:[]).with(:cacrl).returns('cacrl') - File.expects(:exist?).with('cacrl').returns(false) - Puppet.expects(:[]=).with(:cacrl,nil) - - @puppetd.setup_listen - end - it "should create a server to listen on at least the Runner handler" do Puppet::Network::Server.expects(:new).with { |args| args[:xmlrpc_handlers] == [:Runner] } diff --git a/spec/unit/ssl/certificate_revocation_list.rb b/spec/unit/ssl/certificate_revocation_list.rb index eb25268e6..3d15db78b 100755 --- a/spec/unit/ssl/certificate_revocation_list.rb +++ b/spec/unit/ssl/certificate_revocation_list.rb 
@@ -46,18 +46,6 @@ describe Puppet::SSL::CertificateRevocationList do end end - describe "when initializing" do - it "should fail if :cacrl is set to false" do - Puppet.settings.expects(:value).with(:cacrl).returns false - lambda { @class.new("crl") }.should raise_error(Puppet::Error) - end - - it "should fail if :cacrl is set to the string 'false'" do - Puppet.settings.expects(:value).with(:cacrl).returns "false" - lambda { @class.new("crl") }.should raise_error(Puppet::Error) - end - end - describe "when generating the crl" do before do @real_crl = mock 'crl' |