| author | Luke Kanies <luke@madstop.com> | 2008-12-18 18:06:45 -0600 |
|---|---|---|
| committer | Luke Kanies <luke@madstop.com> | 2008-12-18 18:06:45 -0600 |
| commit | 566bf7820e56b3be503a05645cad54152309b20f (patch) | |
| tree | f773fa8ea389790c01ae8a6eb92de7cd8a44874c /lib/puppet/ssl | |
| parent | 0cf9decfeab5a45f8457af2e51633fd6e0f877fc (diff) | |
Fixing #1729 - puppetmasterd can now read certs at startup
The main aspect of this solution is to create a site-wide
Puppet::SSL::Host instance to cache ssl key and certificate,
so that by the time we've switched UIDs, we've got the key and
cert in memory. Then webrick just uses that, rather than creating
a new Host instance.
Signed-off-by: Luke Kanies <luke@madstop.com>
Diffstat (limited to 'lib/puppet/ssl')
| -rw-r--r-- | lib/puppet/ssl/host.rb | 50 |
1 files changed, 30 insertions, 20 deletions
diff --git a/lib/puppet/ssl/host.rb b/lib/puppet/ssl/host.rb
index a750f3b08..e8a98e9b8 100644
--- a/lib/puppet/ssl/host.rb
+++ b/lib/puppet/ssl/host.rb
@@ -3,7 +3,7 @@ require 'puppet/ssl/key'
 require 'puppet/ssl/certificate'
 require 'puppet/ssl/certificate_request'
 require 'puppet/ssl/certificate_revocation_list'
-require 'puppet/util/constant_inflector'
+require 'puppet/util/cacher'
 
 # The class that manages all aspects of our SSL certificates --
 # private keys, public keys, requests, etc.
@@ -14,15 +14,23 @@ class Puppet::SSL::Host
     CertificateRequest = Puppet::SSL::CertificateRequest
     CertificateRevocationList = Puppet::SSL::CertificateRevocationList
 
-    extend Puppet::Util::ConstantInflector
-
     attr_reader :name
     attr_accessor :ca
 
     attr_writer :key, :certificate, :certificate_request
 
-    CA_NAME = "ca"
+    class << self
+        include Puppet::Util::Cacher
+
+        cached_attr(:localhost) do
+            result = new()
+            result.generate unless result.certificate
+            result.key # Make sure it's read in
+            result
+        end
+    end
 
+    CA_NAME = "ca"
     # This is the constant that people will use to mark that a given host is
     # a certificate authority.
     def self.ca_name
@@ -40,7 +48,7 @@ class Puppet::SSL::Host
         CertificateRevocationList.terminus_class = terminus
 
         if cache
-            # This is weird; we don't actually cache our keys or CRL, we
+            # This is weird; we don't actually cache our keys, we
             # use what would otherwise be the cache as our normal
             # terminus.
             Key.terminus_class = cache
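Review bot: The cached `localhost` value only achieves what the commit description wants if it survives the UID switch, but `cached_attr` comes from `Puppet::Util::Cacher`, whose expiry rules are not visible here; if that cache is invalidated after privileges are dropped, the block re-runs as the unprivileged user, the key and certificate reads presumably fail, and `result.generate unless result.certificate` could even try to create a fresh key under the wrong identity. If the Cacher allows it, this attribute should be exempt from expiry, or the block should be made safe to re-run; at minimum it deserves a comment such as `# Read before we switch UIDs; the Cacher must not expire this afterwards (#1729)`. The line `result.key # Make sure it's read in` works only because the reader lazily loads the key as a side effect; a comment like `# readers load lazily: touch key and certificate now, while we can still read them` makes that dependency explicit. The enclosing class continues outside the hunk.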
@@ -55,23 +63,25 @@ class Puppet::SSL::Host
         end
     end
 
+    CA_MODES = {
+        # Our ca is local, so we use it as the ultimate source of information
+        # And we cache files locally.
+        :local => [:ca, :file],
+        # We're a remote CA client.
+        :remote => [:rest, :file],
+        # We are the CA, so we don't have read/write access to the normal certificates.
+        :only => [:ca],
+        # We have no CA, so we just look in the local file store.
+        :none => [:file]
+    }
+
     # Specify how we expect to interact with our certificate authority.
     def self.ca_location=(mode)
-        raise ArgumentError, "CA Mode can only be :local, :remote, or :none" unless [:local, :remote, :none].include?(mode)
-
-        @ca_mode = mode
-
-        case @ca_mode
-        when :local:
-            # Our ca is local, so we use it as the ultimate source of information
-            # And we cache files locally.
-            configure_indirection :ca, :file
-        when :remote:
-            configure_indirection :rest, :file
-        when :none:
-            # We have no CA, so we just look in the local file store.
-            configure_indirection :file
-        end
+        raise ArgumentError, "CA Mode can only be %s" % CA_MODES.collect { |m| m.to_s }.join(", ") unless CA_MODES.include?(mode)
+
+        @ca_location = mode
+
+        configure_indirection(*CA_MODES[@ca_location])
     end
 
     # Remove all traces of a given host
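Review bot: The error message in `ca_location=` iterates `CA_MODES` itself, so each `m` is a `[key, value]` pair and `m.to_s` produces the pair's string form (e.g. `localcafile` on Ruby 1.8) rather than the mode name; build it from the keys instead, `raise ArgumentError, "CA Mode can only be %s" % CA_MODES.keys.collect { |m| m.inspect }.join(", ") unless CA_MODES.include?(mode)`, which also restores the `:local, :remote, ...` wording of the old message. Hash iteration order is not guaranteed on the Ruby of this era, so the list order in the message may vary between runs; harmless, but worth a comment if someone tests against the text. The instance variable was renamed from `@ca_mode` to `@ca_location`; any reader of the old name elsewhere in the file (not visible in this hunk) would now silently get nil, so that should be checked before merging.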
