| author | Luke Kanies <luke@madstop.com> | 2008-04-17 17:47:03 -0500 |
|---|---|---|
| committer | Luke Kanies <luke@madstop.com> | 2008-04-17 17:47:03 -0500 |
| commit | cbe522169ed6eb2426ecf5a77e24e27b6f7a4edf (patch) | |
| tree | a2b793773b4be415fca31ec91178e5c39f93a898 /lib | |
| parent | c5f0eff51626baa76ebc5bd4bee9d319a0b220c5 (diff) | |
| download | puppet-cbe522169ed6eb2426ecf5a77e24e27b6f7a4edf.tar.gz puppet-cbe522169ed6eb2426ecf5a77e24e27b6f7a4edf.tar.xz puppet-cbe522169ed6eb2426ecf5a77e24e27b6f7a4edf.zip | |
Adding SSL::Host-level support for managing the terminus and
cache classes. Also, defaulting to the :file terminus
for all of the SSL classes.
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/puppet/indirector/ssl_file.rb | 8 | ||||
| -rw-r--r-- | lib/puppet/ssl/certificate.rb | 17 | ||||
| -rw-r--r-- | lib/puppet/ssl/certificate_request.rb | 2 | ||||
| -rw-r--r-- | lib/puppet/ssl/certificate_revocation_list.rb | 2 | ||||
| -rw-r--r-- | lib/puppet/ssl/host.rb | 56 | ||||
| -rw-r--r-- | lib/puppet/ssl/key.rb | 2 |
6 files changed, 66 insertions, 21 deletions
diff --git a/lib/puppet/indirector/ssl_file.rb b/lib/puppet/indirector/ssl_file.rb
index 582d282ff..7b3561263 100644
--- a/lib/puppet/indirector/ssl_file.rb
+++ b/lib/puppet/indirector/ssl_file.rb
@@ -1,5 +1,4 @@
-require 'puppet/indirector/file'
-require 'puppet/ssl/host'
+require 'puppet/ssl'
 
 class Puppet::Indirector::SslFile < Puppet::Indirector::Terminus
 # Specify the directory in which multiple files are stored.
@@ -141,3 +140,8 @@ class Puppet::Indirector::SslFile < Puppet::Indirector::Terminus
 end
 end
 end
+
+ # LAK:NOTE This has to be at the end, because classes like SSL::Key use this
+ # class, and this require statement loads those, which results in a load loop
+ # and lots of failures.
+ require 'puppet/ssl/host'
diff --git a/lib/puppet/ssl/certificate.rb b/lib/puppet/ssl/certificate.rb
index 9b1e2a79a..4887708f8 100644
--- a/lib/puppet/ssl/certificate.rb
+++ b/lib/puppet/ssl/certificate.rb
@@ -10,20 +10,5 @@ class Puppet::SSL::Certificate < Puppet::SSL::Base
 wraps OpenSSL::X509::Certificate
 
 extend Puppet::Indirector
- indirects :certificate
-
- # Indicate where we should get our signed certs from.
- def self.ca_is(dest)
- raise(ArgumentError, "Invalid location '%s' for ca; valid values are :local and :remote" % dest) unless [:local, :remote].include?(dest)
- @ca_location = dest
- end
-
- # Default to :local for the ca location.
- def self.ca_location
- if defined?(@ca_location) and @ca_location
- @ca_location
- else
- :local
- end
- end
+ indirects :certificate, :terminus_class => :file
 end
diff --git a/lib/puppet/ssl/certificate_request.rb b/lib/puppet/ssl/certificate_request.rb
index 4ca6d9899..8ef0b800e 100644
--- a/lib/puppet/ssl/certificate_request.rb
+++ b/lib/puppet/ssl/certificate_request.rb
@@ -5,7 +5,7 @@ class Puppet::SSL::CertificateRequest < Puppet::SSL::Base
 wraps OpenSSL::X509::Request
 
 extend Puppet::Indirector
- indirects :certificate_request
+ indirects :certificate_request, :terminus_class => :file
 
 # How to create a certificate request with our system defaults.
 def generate(key)
diff --git a/lib/puppet/ssl/certificate_revocation_list.rb b/lib/puppet/ssl/certificate_revocation_list.rb
index 939b48443..aab1ec5ec 100644
--- a/lib/puppet/ssl/certificate_revocation_list.rb
+++ b/lib/puppet/ssl/certificate_revocation_list.rb
@@ -6,7 +6,7 @@ class Puppet::SSL::CertificateRevocationList < Puppet::SSL::Base
 wraps OpenSSL::X509::CRL
 
 extend Puppet::Indirector
- indirects :certificate_revocation_list
+ indirects :certificate_revocation_list, :terminus_class => :file
 
 # Knows how to create a CRL with our system defaults.
 def generate(cert)
diff --git a/lib/puppet/ssl/host.rb b/lib/puppet/ssl/host.rb
index dbd885316..a6c721b1c 100644
--- a/lib/puppet/ssl/host.rb
+++ b/lib/puppet/ssl/host.rb
@@ -25,6 +25,62 @@ class Puppet::SSL::Host
 CA_NAME
 end
 
+ class << self
+ attr_reader :ca_location
+ end
+
+ # Configure how our various classes interact with their various terminuses.
+ def self.configure_indirection(terminus, cache = nil)
+ Certificate.terminus_class = terminus
+ CertificateRequest.terminus_class = terminus
+
+ if cache
+ # This is weird; we don't actually cache our keys, we
+ use what would otherwise be the cache as our normal
+ terminus.
+ Key.terminus_class = cache
+ else
+ Key.terminus_class = terminus
+ end
+
+ if cache
+ Certificate.cache_class = cache
+ CertificateRequest.cache_class = cache
+ end
+ end
+
+ # Specify how we expect to interact with our certificate authority.
+ def self.ca_location=(mode)
+ raise ArgumentError, "CA Mode can only be :local, :remote, or :none" unless [:local, :remote, :only, :none].include?(mode)
+
+ @ca_mode = mode
+
+ case @ca_mode
+ when :local:
+ # Our ca is local, so we use it as the ultimate source of information
+ # And we cache files locally.
+ configure_indirection :ca_file, :file
+ when :remote:
+ configure_indirection :rest, :file
+ when :only:
+ # We are the CA, so we just interact with CA stuff.
+ configure_indirection :ca_file
+ when :none:
+ # We have no CA, so we just look in the local file store.
+ configure_indirection :file
+ end
+ end
+
+ # Set the cache class for the files we manage.
+ def self.cache_class=(value)
+ [Key, CertificateRequest, Certificate].each { |klass| klass.terminus_class = value }
+ end
+
+ # Set the terminus class for the files we manage.
+ def self.terminus_class=(value)
+ [Key, CertificateRequest, Certificate].each { |klass| klass.terminus_class = value }
+ end
+
 # Search for more than one host, optionally only specifying
 # an interest in hosts with a given file type.
 # This just allows our non-indirected class to have one of
diff --git a/lib/puppet/ssl/key.rb b/lib/puppet/ssl/key.rb
index 124d4c2d7..65294ac00 100644
--- a/lib/puppet/ssl/key.rb
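Review bot: The `attr_reader :ca_location` added at the top of this hunk never reflects the configured mode, because `ca_location=` stores the value in `@ca_mode` (`@ca_mode = mode`, then `case @ca_mode`) rather than `@ca_location`, so the reader always returns nil; write `@ca_location = mode` and switch on that instead. In the same setter the ArgumentError text says `CA Mode can only be :local, :remote, or :none` while the accepted list also contains `:only`, so an operator selecting the CA-only mode is told it is invalid — the message should name all four values. The new `cache_class=` is a copy of `terminus_class=` and assigns `klass.terminus_class = value`; it should be `klass.cache_class = value`, otherwise a caller that only meant to add a cache silently replaces the terminus (for example a `:rest` terminus becomes the local `:file` store) and the configured CA location is no longer honoured. Note also that the `ca_location` reader removed from Certificate in this commit defaulted to `:local`, whereas the new Host reader has no default until the setter has been called. The enclosing class Puppet::SSL::Host starts and ends outside the hunk.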
+++ b/lib/puppet/ssl/key.rb
@@ -6,7 +6,7 @@ class Puppet::SSL::Key < Puppet::SSL::Base
 wraps OpenSSL::PKey::RSA
 
 extend Puppet::Indirector
- indirects :key
+ indirects :key, :terminus_class => :file
 
 attr_reader :password_file
