-rw-r--r-- | CHANGELOG | 5 | ||||
-rw-r--r-- | lib/puppet/defaults.rb | 11 | ||||
-rw-r--r-- | lib/puppet/network/http/webrick.rb | 4 | ||||
-rw-r--r-- | lib/puppet/ssl/certificate_authority.rb | 3 | ||||
-rw-r--r-- | lib/puppet/util/settings.rb | 7 | ||||
-rwxr-xr-x | spec/integration/defaults.rb | 26 | ||||
-rw-r--r-- | spec/integration/network/server/webrick.rb | 1 | ||||
-rwxr-xr-x | spec/integration/ssl/certificate_authority.rb | 13 | ||||
-rw-r--r-- | spec/unit/network/http/webrick.rb | 6 | ||||
-rwxr-xr-x | spec/unit/ssl/certificate_authority.rb | 11 |
10 files changed, 73 insertions, 14 deletions
@@ -1,3 +1,8 @@ + Added a boolean 'crl' default value. Now we have a location for + the CA CRL and the host CRL, and then a setting for configuring + whether we should even use a CRL. This way we aren't trying to + set file paths to 'false' to disable the CRL. + Added support for the --all option to puppetca --clean. If puppetca --clean --all is issued then all client certificates are removed. diff --git a/lib/puppet/defaults.rb b/lib/puppet/defaults.rb index ff302e8db..cbf608cc2 100644 --- a/lib/puppet/defaults.rb +++ b/lib/puppet/defaults.rb @@ -166,6 +166,8 @@ module Puppet If it's anything other than an empty string, it will be used as an alias in the created certificate. By default, only the server gets an alias set up, and only for 'puppet'."], :certdir => ["$ssldir/certs", "The certificate directory."], + :crl => [true, "Whether to use a certificate revocation list. If this is set to true and the CRL does not exist, + you will get a failure."], :publickeydir => ["$ssldir/public_keys", "The public key directory."], :requestdir => ["$ssldir/certificate_requests", "Where host certificate requests are stored."], :privatekeydir => { :default => "$ssldir/private_keys", @@ -236,7 +238,14 @@ module Puppet :owner => "$user", :group => "$group", :mode => 0664, - :desc => "The certificate revocation list (CRL) for the CA. Set this to 'false' if you do not want to use a CRL." + :desc => "The certificate revocation list (CRL) for the CA. You should now set 'crl' to false if you do not want to use a CRL. + Only set this to file path.", + :hook => proc do |value| + if value == 'false' + Puppet.warning "Setting the :cacrl to 'false' is deprecated; set :crl to false instead." + Puppet.settings[:crl] = false + end + end }, :caprivatedir => { :default => "$cadir/private", :owner => "$user", diff --git a/lib/puppet/network/http/webrick.rb b/lib/puppet/network/http/webrick.rb index 8ccf974c6..2b3eace48 100644 --- a/lib/puppet/network/http/webrick.rb 
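Review bot: The description of the new `:crl` setting promises "If this is set to true and the CRL does not exist, you will get a failure", but the `crl` method in lib/puppet/ssl/certificate_authority.rb in this same commit generates and saves a fresh CRL when none is found, so the CA side never fails. Either the description should say what actually happens, or the CA path should raise as documented; a user reading the setting text would expect a missing CRL to be caught rather than silently replaced. A wording that matches the code today would be `"Whether to use a certificate revocation list. When true the CA will use its CRL, creating a new one if none exists."`, keeping the failure wording only if the code is changed to enforce it. The WEBrick server path does not read `:crl` at all yet (see lib/puppet/network/http/webrick.rb), which the description should also not imply.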
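Review bot: The new `:cacrl` hook only recognises the string `'false'` (`if value == 'false'`), so a boolean `false` — which is presumably what the settings layer passes when the value comes from Ruby code or a parsed config rather than a raw string, to be confirmed — would neither warn nor flip `:crl`, and the CRL would stay enabled while the file path setting holds `false`. Since the old code accepted both forms (`["false", false].include?(Puppet[:cacrl])`), the hook should too: `if [false, 'false'].include?(value)`. Note also that the coercion is one-way: once the hook has set `Puppet.settings[:crl] = false` nothing restores it when `:cacrl` is later assigned a real path, so a deprecated `cacrl = false` in any earlier-loaded config section silently keeps the CRL disabled.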
+++ b/lib/puppet/network/http/webrick.rb @@ -108,7 +108,7 @@ class Puppet::Network::HTTP::WEBrick # LAK:NOTE I'm not sure why this is this way, actually. results[:SSLCertName] = nil - results[:SSLCertificateStore] = setup_ssl_store if Puppet[:cacrl] != 'false' + results[:SSLCertificateStore] = setup_ssl_store if Puppet[:hostcrl] != 'false' results end @@ -116,7 +116,7 @@ class Puppet::Network::HTTP::WEBrick # Create our Certificate revocation list def setup_ssl_store unless crl = Puppet::SSL::CertificateRevocationList.find("ca") - raise Puppet::Error, "Could not find CRL; set 'cacrl' to 'false' to disable CRL usage" + raise Puppet::Error, "Could not find CRL; set 'hostcrl' to 'false' to disable CRL usage" end store = OpenSSL::X509::Store.new store.purpose = OpenSSL::X509::PURPOSE_ANY diff --git a/lib/puppet/ssl/certificate_authority.rb b/lib/puppet/ssl/certificate_authority.rb index 9b49c5420..42981424e 100644 --- a/lib/puppet/ssl/certificate_authority.rb +++ b/lib/puppet/ssl/certificate_authority.rb @@ -141,7 +141,7 @@ class Puppet::SSL::CertificateAuthority def crl unless defined?(@crl) # The crl is disabled. - if ["false", false].include?(Puppet[:cacrl]) + unless Puppet[:crl] @crl = nil return @crl end @@ -149,6 +149,7 @@ class Puppet::SSL::CertificateAuthority unless @crl = Puppet::SSL::CertificateRevocationList.find("whatever") @crl = Puppet::SSL::CertificateRevocationList.new("whatever") @crl.generate(host.certificate.content) + @crl.save end end @crl diff --git a/lib/puppet/util/settings.rb b/lib/puppet/util/settings.rb index e595e2eea..65668f919 100644 --- a/lib/puppet/util/settings.rb +++ b/lib/puppet/util/settings.rb 
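Review bot: The CRL store is still gated by string-comparing a path setting, `Puppet[:hostcrl] != 'false'`, rather than by the boolean `:crl` setting this commit introduces, so `crl = false` does not disable CRL loading for the server (it will still call `setup_ssl_store` and raise when no CRL is found), and a boolean `false` in `:hostcrl` would not equal the string and would keep the store enabled. The gate should read `results[:SSLCertificateStore] = setup_ssl_store if Puppet[:crl]`, and the error raised in the second webrick hunk should point users at the same setting: `raise Puppet::Error, "Could not find CRL; set 'crl' to false to disable CRL usage"`. The enclosing `setup_ssl` method begins outside this hunk.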
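Review bot: The added `@crl.save` persists a brand-new CRL whenever `CertificateRevocationList.find("whatever")` returns nil, with no log output, so on a CA whose CRL file has gone missing the previously revoked certificates are silently replaced by an empty, freshly generated list that every verifier will then trust. At minimum this branch should announce what it is doing so an operator can notice, e.g. `Puppet.warning "No CRL found; generating a new, empty CRL"` before the `save`, and the `:crl` setting description in lib/puppet/defaults.rb (which says a missing CRL is a failure) should agree with whichever behaviour is chosen. The `crl` method's `unless defined?(@crl)` wrapper starts in the preceding hunk; this note covers both CA hunks.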
@@ -585,7 +585,12 @@ Generated on #{Time.now}. catalog.host_config = false catalog.apply do |transaction| if failures = transaction.any_failed? - raise "Could not configure for running; got %s failure(s)" % failures + # LAK:NOTE We should do something like this for some cases, + # since it can otherwise be hard to know what failed. + #transaction.report.logs.find_all { |log| log.level == :err }.each do |log| + # puts log.message + #end + raise "Could not configure myself; got %s failure(s)" % failures end end end diff --git a/spec/integration/defaults.rb b/spec/integration/defaults.rb new file mode 100755 index 000000000..f6ef74715 --- /dev/null +++ b/spec/integration/defaults.rb @@ -0,0 +1,26 @@ +#!/usr/bin/env ruby + +require File.dirname(__FILE__) + '/../spec_helper' + +require 'puppet/defaults' + +describe "Puppet defaults" do + describe "when configuring the :crl" do + after { Puppet.settings.clear } + + it "should have a :crl setting" do + Puppet.settings.should be_valid(:crl) + end + + it "should warn if :cacrl is set to false" do + Puppet.expects(:warning) + Puppet.settings[:cacrl] = 'false' + end + + it "should set :crl to 'false' if :cacrl is set to false" do + crl = Puppet.settings[:cacrl] + Puppet.settings[:cacrl] = 'false' + Puppet.settings[:crl].should == false + end + end +end diff --git a/spec/integration/network/server/webrick.rb b/spec/integration/network/server/webrick.rb index bcfdc16ea..ee307bca3 100644 --- a/spec/integration/network/server/webrick.rb +++ b/spec/integration/network/server/webrick.rb @@ -7,6 +7,7 @@ describe Puppet::Network::Server do describe "when using webrick" do before :each do Puppet[:servertype] = 'webrick' + Puppet[:hostcrl] = 'false' @params = { :address => "127.0.0.1", :port => 34343, :handlers => [ :node ] } # Get a safe temporary file diff --git a/spec/integration/ssl/certificate_authority.rb b/spec/integration/ssl/certificate_authority.rb index 51e4a0aef..f7eb0f46a 100755 
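Review bot: The commented-out `transaction.report.logs.find_all { |log| log.level == :err }` block is dead code left in the failure path; the raised message still reports only a count, so the problem the LAK:NOTE describes is not solved by this hunk. Either enable the loop (it would make the `raise` that follows actionable) or reduce the note to a single `# TODO: surface the failed resources, not just the count` so the intent survives without four lines of disabled code. The enclosing method starts outside this hunk.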
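Review bot: In the third example of the new spec/integration/defaults.rb, `crl = Puppet.settings[:cacrl]` is assigned and never read; drop that line. The group also tests only the deprecated `'false'` path, so nothing guards the normal case in which `:cacrl` is a file path and `:crl` must stay at its default of `true`; an example asserting `Puppet.settings[:cacrl] = '/path/to/crl'` (any non-'false' path) followed by `Puppet.settings[:crl].should == true` would pin that the hook does not disable the CRL for ordinary values.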
--- a/spec/integration/ssl/certificate_authority.rb +++ b/spec/integration/ssl/certificate_authority.rb @@ -11,7 +11,7 @@ require 'tempfile' describe Puppet::SSL::CertificateAuthority do before do # Get a safe temporary file - file = Tempfile.new("host_integration_testing") + file = Tempfile.new("ca_integration_testing") @dir = file.path file.delete @@ -60,6 +60,17 @@ describe Puppet::SSL::CertificateAuthority do end end + it "should not have a CRL when :crl is set to false" do + Puppet.settings[:crl] = false + @ca.crl.should be_nil + end + + it "should have a CRL when :crl is set to true" do + Puppet.settings[:crl] = true + @ca.generate_ca_certificate + @ca.crl.should_not be_nil + end + describe "when signing certificates" do before do @host = Puppet::SSL::Host.new("luke.madstop.com") diff --git a/spec/unit/network/http/webrick.rb b/spec/unit/network/http/webrick.rb index 1955c3e00..48b995c28 100644 --- a/spec/unit/network/http/webrick.rb +++ b/spec/unit/network/http/webrick.rb @@ -337,7 +337,7 @@ describe Puppet::Network::HTTP::WEBrick do it "should specify the path to the CA certificate" do Puppet.settings.stubs(:value).returns "whatever" - Puppet.settings.stubs(:value).with(:cacrl).returns 'false' + Puppet.settings.stubs(:value).with(:hostcrl).returns 'false' Puppet.settings.stubs(:value).with(:localcacert).returns '/ca/crt' @server.setup_ssl[:SSLCACertificateFile].should == "/ca/crt" @@ -357,7 +357,7 @@ describe Puppet::Network::HTTP::WEBrick do it "should add an x509 store if the CRL is enabled" do Puppet.settings.stubs(:value).returns "whatever" - Puppet.settings.stubs(:value).with(:cacrl).returns '/my/crl' + Puppet.settings.stubs(:value).with(:hostcrl).returns '/my/crl' @server.expects(:setup_ssl_store).returns("mystore") 
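Review bot: The two new examples assign `Puppet.settings[:crl]` directly and nothing in the hunk restores it, so the `false` from the first example can leak into the "when signing certificates" group that follows unless the spec's `before` block (outside this hunk) resets settings. The new spec/integration/defaults.rb in this same commit uses `after { Puppet.settings.clear }` for exactly this; the same `after` hook here would keep the CRL-disabled state from affecting later examples.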
@@ -366,7 +366,7 @@ describe Puppet::Network::HTTP::WEBrick do it "should not add an x509 store if the CRL is disabled" do Puppet.settings.stubs(:value).returns "whatever" - Puppet.settings.stubs(:value).with(:cacrl).returns 'false' + Puppet.settings.stubs(:value).with(:hostcrl).returns 'false' @server.expects(:setup_ssl_store).never diff --git a/spec/unit/ssl/certificate_authority.rb b/spec/unit/ssl/certificate_authority.rb index 09aaeabcf..424f47512 100755 --- a/spec/unit/ssl/certificate_authority.rb +++ b/spec/unit/ssl/certificate_authority.rb @@ -72,16 +72,16 @@ describe Puppet::SSL::CertificateAuthority do end describe "and the CRL is disabled" do - it "should return nil when the :cacrl is false" do - Puppet.settings.stubs(:value).with(:cacrl).returns false + it "should return nil when the :crl is false" do + Puppet.settings.stubs(:value).with(:crl).returns false Puppet::SSL::CertificateRevocationList.expects(:new).never @ca.crl.should be_nil end - it "should return nil when the :cacrl is 'false'" do - Puppet.settings.stubs(:value).with(:cacrl).returns 'false' + it "should return nil when the :crl is 'false'" do + Puppet.settings.stubs(:value).with(:crl).returns false Puppet::SSL::CertificateRevocationList.expects(:new).never @@ -105,13 +105,14 @@ describe Puppet::SSL::CertificateAuthority do @ca.crl.should equal(crl) end - it "should create and generate a new CRL instance of no CRL can be found" do + it "should create, generate, and save a new CRL instance of no CRL can be found" do crl = mock 'crl' Puppet::SSL::CertificateRevocationList.expects(:find).returns nil Puppet::SSL::CertificateRevocationList.expects(:new).returns crl crl.expects(:generate).with(@ca.host.certificate.content) + crl.expects(:save) @ca.crl.should equal(crl) end |
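Review bot: The second example is still titled "should return nil when the :crl is 'false'" but now stubs `false`, making it an exact duplicate of the first example, while the string case it used to cover is no longer tested. On the code side `crl` now checks `unless Puppet[:crl]`, under which a string `'false'` is truthy and would enable the CRL, so this is the case worth keeping: either restore `Puppet.settings.stubs(:value).with(:crl).returns 'false'` and decide what the CA should do with it, or delete the duplicate example.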