authorLuke Kanies <luke@madstop.com>2008-04-17 20:11:34 -0500
committerLuke Kanies <luke@madstop.com>2008-04-17 20:11:34 -0500
commite5c4687593766955de09e5613c892ce82a2a989d (patch)
treec656b30be6f15912494d0b2313bde96929dc05da /lib/puppet
parentd8bb81eabb6ad85d985ae7407e4260e800a0cf30 (diff)
Moving the password file handling into the SSL::Key class.
This was necessary because when the Indirector is used, there isn't necessarily enough context available to know when a password file should be used (e.g., when reading a Key from disk, you don't know if that key was encrypted). Now, the Key class automatically uses the right password file, and only tries to use those files that actually exist. This isn't very flexible, in that it only allows one CA file and one non-CA file, but no one really uses anything but the CA file anyway.
Diffstat (limited to 'lib/puppet')
-rw-r--r--lib/puppet/ssl/base.rb5
-rw-r--r--lib/puppet/ssl/certificate_authority.rb5
-rw-r--r--lib/puppet/ssl/host.rb6
-rw-r--r--lib/puppet/ssl/key.rb20
4 files changed, 21 insertions, 15 deletions
diff --git a/lib/puppet/ssl/base.rb b/lib/puppet/ssl/base.rb
index ab040152d..80bfcae84 100644
--- a/lib/puppet/ssl/base.rb
+++ b/lib/puppet/ssl/base.rb
@@ -13,6 +13,11 @@ class Puppet::SSL::Base
attr_accessor :name, :content
+ # Is this file for the CA?
+ def ca?
+ name == Puppet::SSL::Host.ca_name
+ end
+
def generate
raise Puppet::DevError, "%s did not override 'generate'" % self.class
end
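Review bot: The comment on `ca?` should say what the predicate now drives, because the key.rb hunk on this page uses it to choose between `Puppet[:capass]` and `Puppet[:passfile]`, so a certname that happens to equal `Puppet::SSL::Host.ca_name` would be treated as the CA key. Suggest `# Is this file for the CA? Key uses this to pick the CA password file, so only the CA's own name must ever match ca_name.` The test is an exact string comparison, so any normalization of `name` is presumably done by whoever sets it. Class Puppet::SSL::Base continues outside the hunk.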
diff --git a/lib/puppet/ssl/certificate_authority.rb b/lib/puppet/ssl/certificate_authority.rb
index 6d5ca1bb2..2ed45e08b 100644
--- a/lib/puppet/ssl/certificate_authority.rb
+++ b/lib/puppet/ssl/certificate_authority.rb
@@ -18,6 +18,8 @@ class Puppet::SSL::CertificateAuthority
def generate_ca_certificate
generate_password unless password?
+ host.generate_key unless host.key
+
# Create a new cert request. We do this
# specially, because we don't want to actually
# save the request anywhere.
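Review bot: The ordering of `generate_password unless password?` before the new `host.generate_key unless host.key` is load-bearing and deserves a comment: with this commit the Key resolves its password file from `Puppet[:capass]` by itself, so if the key were generated first the CA private key would presumably be written without a passphrase (Key#save is not on this page, so this is inferred). Suggest `# Generate the password before the key: Key reads Puppet[:capass] itself and can only encrypt if that file already exists.` above the `host.generate_key` line. Note also that `unless host.key` keeps any pre-existing key as-is, so a key from an earlier run that had no password is not re-protected. generate_ca_certificate's body continues past the hunk.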
@@ -34,7 +36,6 @@ class Puppet::SSL::CertificateAuthority
@name = Puppet[:certname]
@host = Puppet::SSL::Host.new(Puppet::SSL::Host.ca_name)
- @host.password_file = Puppet[:capass]
end
# Sign a given certificate request.
@@ -55,7 +56,7 @@ class Puppet::SSL::CertificateAuthority
cert = Puppet::SSL::Certificate.new(hostname)
cert.content = Puppet::SSL::CertificateFactory.new(cert_type, csr.content, issuer, next_serial).result
- cert.content.sign(key, OpenSSL::Digest::SHA1.new)
+ cert.content.sign(host.key, OpenSSL::Digest::SHA1.new)
Puppet.notice "Signed certificate request for %s" % hostname
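Review bot: `cert.content.sign(host.key, OpenSSL::Digest::SHA1.new)` looks like it passes the Puppet::SSL::Key wrapper rather than the OpenSSL private key: host.rb's generate_key assigns `@key = Key.new(name)` and key.rb keeps the RSA object in `@content`, so unless Host#key unwraps it (not visible here) `OpenSSL::X509::Certificate#sign` would reject the argument, and the call should be `cert.content.sign(host.key.content, OpenSSL::Digest::SHA1.new)`. Separately, SHA-1 as the signing digest predates this commit but is no longer considered collision-resistant; a `# TODO: move to SHA-256` on that line would be worthwhile. The enclosing sign method starts before the hunk.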
diff --git a/lib/puppet/ssl/host.rb b/lib/puppet/ssl/host.rb
index a6c721b1c..42f881568 100644
--- a/lib/puppet/ssl/host.rb
+++ b/lib/puppet/ssl/host.rb
@@ -15,7 +15,7 @@ class Puppet::SSL::Host
extend Puppet::Util::ConstantInflector
attr_reader :name
- attr_accessor :ca, :password_file
+ attr_accessor :ca
CA_NAME = "ca"
@@ -114,10 +114,6 @@ class Puppet::SSL::Host
# with no inputs.
def generate_key
@key = Key.new(name)
-
- # If a password file is set, then the key will be stored
- # encrypted by the password.
- @key.password_file = password_file if password_file
@key.generate
@key.save
true
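Review bot: With the password-file plumbing removed, generate_key has no path that fails when an expected password file is missing; the old `password_file=` raised ArgumentError on a nonexistent file, whereas the new Key#initialize (key.rb hunk on this page) sets `@password_file` to a path that may not exist and `password` returns nil for it. If Key#save (not shown) encrypts only when `password` is non-nil, a missing `Puppet[:capass]` or `Puppet[:passfile]` now silently yields an unencrypted private key on disk. Suggest documenting this on the method: `# The key protects itself with Puppet[:capass] (CA) or Puppet[:passfile] if that file exists; a missing file means the key is saved unencrypted.`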
diff --git a/lib/puppet/ssl/key.rb b/lib/puppet/ssl/key.rb
index 65294ac00..a1d436090 100644
--- a/lib/puppet/ssl/key.rb
+++ b/lib/puppet/ssl/key.rb
@@ -8,7 +8,7 @@ class Puppet::SSL::Key < Puppet::SSL::Base
extend Puppet::Indirector
indirects :key, :terminus_class => :file
- attr_reader :password_file
+ attr_accessor :password_file
# Knows how to create keys with our system defaults.
def generate
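Review bot: Switching `password_file` to `attr_accessor` drops the existence check the removed `password_file=` setter enforced (visible in this file's second hunk), so a caller can now assign a path that does not exist and only find out when `password` quietly returns nil. Nothing in the hunks on this page assigns `password_file` from outside the class any more (the host.rb and certificate_authority.rb assignments are both deleted), so `attr_reader` plus a direct ivar assignment in initialize would preserve the old guarantee. If the writer must stay public, say so: `# password_file may name a missing file; Key#password then returns nil and the key is treated as unencrypted.`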
@@ -16,23 +16,27 @@ class Puppet::SSL::Key < Puppet::SSL::Base
@content = OpenSSL::PKey::RSA.new(Puppet[:keylength].to_i)
end
- def password
- return nil unless password_file
+ def initialize(name)
+ super
- ::File.read(password_file)
+ if ca?
+ @password_file = Puppet[:capass]
+ else
+ @password_file = Puppet[:passfile]
+ end
end
- # Set our password file.
- def password_file=(file)
- raise ArgumentError, "Password file %s does not exist" % file unless FileTest.exist?(file)
+ def password
+ return nil unless password_file and FileTest.exist?(password_file)
- @password_file = file
+ ::File.read(password_file)
end
# Optionally support specifying a password file.
def read(path)
return super unless password_file
+ #@content = wrapped_class.new(::File.read(path), password)
@content = wrapped_class.new(::File.read(path), password)
end