diff options
| author | Markus Roberts <Markus@reality.com> | 2010-03-29 17:16:05 -0700 |
|---|---|---|
| committer | test branch <puppet-dev@googlegroups.com> | 2010-02-17 06:50:53 -0800 |
| commit | 49be54e5d4c5c19ec1f7e5e454666bb59ebfe88f (patch) | |
| tree | a3efe74b49b771200e9a45b59961266083107434 /lib/puppet/ssl | |
| parent | e69b7db9124b9b1cd65ab89a2f5c6968928f256d (diff) | |
| download | puppet-49be54e5d4c5c19ec1f7e5e454666bb59ebfe88f.tar.gz puppet-49be54e5d4c5c19ec1f7e5e454666bb59ebfe88f.tar.xz puppet-49be54e5d4c5c19ec1f7e5e454666bb59ebfe88f.zip | |
Revert the guts of #2890
This patch reverts the semantically significant parts of #2890 due to the
issues discussed on #3360 (security concerns when used with autosign,
inconsistency between REST & XMLRPC semantics) but leaves the semantically
neutral changes (code cleanup, added tests) in place.
This patch is intended for 0.25.x, but may also be applied as a step in the
resolution of #3450 (refactored #2890, add "remove_certs" flag) in Rolwf.
Diffstat (limited to 'lib/puppet/ssl')
| -rw-r--r-- | lib/puppet/ssl/certificate.rb | 5 | ||||
| -rw-r--r-- | lib/puppet/ssl/host.rb | 27 |
2 files changed, 19 insertions, 13 deletions
diff --git a/lib/puppet/ssl/certificate.rb b/lib/puppet/ssl/certificate.rb index b6cba99a7..f9297f380 100644 --- a/lib/puppet/ssl/certificate.rb +++ b/lib/puppet/ssl/certificate.rb @@ -28,8 +28,7 @@ class Puppet::SSL::Certificate < Puppet::SSL::Base end def expiration - # Our expiration is either that of the cache or the content, whichever comes first - cache_expiration = @expiration - [(content and content.not_after), cache_expiration].compact.sort.first + return nil unless content + return content.not_after end end diff --git a/lib/puppet/ssl/host.rb b/lib/puppet/ssl/host.rb index 8d44ffe9c..225c9790f 100644 --- a/lib/puppet/ssl/host.rb +++ b/lib/puppet/ssl/host.rb @@ -154,19 +154,26 @@ class Puppet::SSL::Host end def certificate - @certificate ||= ( + unless @certificate + generate_key unless key + # get the CA cert first, since it's required for the normal cert # to be of any use. - if not (key or generate_key) or not (ca? or Certificate.find("ca")) or not (cert = Certificate.find(name)) or cert.expired? - nil - elsif not cert.content.check_private_key(key.content) - Certificate.expire(name) - Puppet.warning "Retrieved certificate does not match private key" - nil - else - cert + return nil unless Certificate.find("ca") unless ca? + return nil unless @certificate = Certificate.find(name) + + unless certificate_matches_key? + raise Puppet::Error, "Retrieved certificate does not match private key; please remove certificate from server and regenerate it with the current key" end - ) + end + @certificate + end + + def certificate_matches_key? + return false unless key + return false unless certificate + + return certificate.content.check_private_key(key.content) end # Generate all necessary parts of our ssl host. |