-rw-r--r-- | lib/puppet/application/puppetca.rb | 8 | ||||
-rw-r--r-- | lib/puppet/ssl/certificate_authority.rb | 23 | ||||
-rw-r--r-- | lib/puppet/ssl/certificate_authority/interface.rb | 24 | ||||
-rwxr-xr-x | sbin/puppetca | 11 | ||||
-rw-r--r-- | spec/unit/application/puppetca.rb | 15 | ||||
-rwxr-xr-x | spec/unit/ssl/certificate_authority.rb | 38 | ||||
-rwxr-xr-x | spec/unit/ssl/certificate_authority/interface.rb | 105 |
7 files changed, 39 insertions, 185 deletions
diff --git a/lib/puppet/application/puppetca.rb b/lib/puppet/application/puppetca.rb
index 6ef867762..adc1a6ff5 100644
--- a/lib/puppet/application/puppetca.rb
+++ b/lib/puppet/application/puppetca.rb
@@ -6,7 +6,7 @@ Puppet::Application.new(:puppetca) do
 should_parse_config
- attr_accessor :mode, :all, :ca, :digest
+ attr_accessor :mode, :all, :ca
 def find_mode(opt)
 modes = Puppet::SSL::CertificateAuthority::Interface::INTERFACE_METHODS
@@ -22,10 +22,6 @@ Puppet::Application.new(:puppetca) do
 @all = true
 end
- option("--digest DIGEST", "-d") do |arg|
- @digest = arg
- end
-
 option("--debug", "-d") do |arg|
 Puppet::Util::Log.level = :debug
 end
@@ -48,7 +44,7 @@ Puppet::Application.new(:puppetca) do
 end
 begin
 @ca.apply(:revoke, :to => hosts) if @mode == :destroy
- @ca.apply(@mode, :to => hosts, :digest => @digest)
+ @ca.apply(@mode, :to => hosts)
 rescue => detail
 puts detail.backtrace if Puppet[:trace]
 puts detail.to_s
diff --git a/lib/puppet/ssl/certificate_authority.rb b/lib/puppet/ssl/certificate_authority.rb
index f2213707d..8e4fd7a08 100644
--- a/lib/puppet/ssl/certificate_authority.rb
+++ b/lib/puppet/ssl/certificate_authority.rb
@@ -53,7 +53,7 @@ class Puppet::SSL::CertificateAuthority
 unless options[:to]
 raise ArgumentError, "You must specify the hosts to apply to; valid values are an array or the symbol :all"
 end
- applier = Interface.new(method, options)
+ applier = Interface.new(method, options[:to])
 applier.apply(self)
 end
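Review bot: `applier = Interface.new(method, options[:to])` now silently discards every key of `options` other than `:to`, so a caller that still passes the old `:digest` key (as `puppetca` did before this commit) gets neither an error nor any effect. If the hash is meant to carry only `:to`, reject anything else next to the existing `:to` check, e.g. `raise ArgumentError, "Unknown options: #{(options.keys - [:to]).inspect}" unless (options.keys - [:to]).empty?`; otherwise document the accepted keys on the method. The enclosing `apply` method starts above the hunk.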
@@ -291,27 +291,6 @@ class Puppet::SSL::CertificateAuthority
 end
 end
- def fingerprint(name, md = :MD5)
- unless cert = Puppet::SSL::Certificate.find(name)
- raise ArgumentError, "Could not find a certificate for %s" % name
- end
-
- require 'openssl/digest'
-
- # ruby 1.8.x openssl digest constants are string
- # but in 1.9.x they are symbols
- mds = md.to_s.upcase
- if OpenSSL::Digest.constants.include?(mds)
- md = mds
- elsif OpenSSL::Digest.constants.include?(mds.to_sym)
- md = mds.to_sym
- else
- raise ArgumentError, "#{md} is not a valid digest algorithm for fingerprinting certificate #{name}"
- end
-
- OpenSSL::Digest.hexdigest(md, cert.content.to_der).scan(/../).join(':').upcase
- end
-
 # List the waiting certificate requests.
 def waiting?
 Puppet::SSL::CertificateRequest.search("*").collect { |r| r.name }
diff --git a/lib/puppet/ssl/certificate_authority/interface.rb b/lib/puppet/ssl/certificate_authority/interface.rb
index 0023808f2..3f91434e3 100644
--- a/lib/puppet/ssl/certificate_authority/interface.rb
+++ b/lib/puppet/ssl/certificate_authority/interface.rb
@@ -2,11 +2,11 @@
 # on the CA. It's only used by the 'puppetca' executable, and its
 # job is to provide a CLI-like interface to the CA class.
 class Puppet::SSL::CertificateAuthority::Interface
- INTERFACE_METHODS = [:destroy, :list, :revoke, :generate, :sign, :print, :verify, :fingerprint]
+ INTERFACE_METHODS = [:destroy, :list, :revoke, :generate, :sign, :print, :verify]
 class InterfaceError < ArgumentError; end
- attr_reader :method, :subjects, :digest
+ attr_reader :method, :subjects
 # Actually perform the work.
 def apply(ca)
@@ -38,10 +38,9 @@ class Puppet::SSL::CertificateAuthority::Interface
 end
 end
- def initialize(method, options)
+ def initialize(method, subjects)
 self.method = method
- self.subjects = options[:to]
- @digest = options[:digest] || :MD5
+ self.subjects = subjects
 end
 # List the hosts.
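Review bot: `def initialize(method, subjects)` carries no documentation of what `subjects` accepts, and the `options[:to]` shape that made the old signature self-describing is gone. The specs for this class (outside this hunk) indicate the setters reject a method not in `INTERFACE_METHODS` and a subjects value that is neither `:all` nor an Array, so a short YARD header above the constructor would capture that contract: `# @param method [Symbol] one of INTERFACE_METHODS` / `# @param subjects [Array<String>, Symbol] host names to act on, or :all for every host` / `# @raise [ArgumentError] when either value is rejected by its setter (confirm against the setters)`.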
@@ -68,9 +67,9 @@ class Puppet::SSL::CertificateAuthority::Interface
 invalid = details.to_s
 end
 if not invalid and signed.include?(host)
- puts "+ #{host} (#{ca.fingerprint(host, @digest)})"
+ puts "+ " + host
 elsif invalid
- puts "- #{host} (#{ca.fingerprint(host, @digest)}) (#{invalid})"
+ puts "- " + host + " (" + invalid + ")"
 else
 puts host
 end
@@ -94,17 +93,6 @@ class Puppet::SSL::CertificateAuthority::Interface
 end
 end
- # Print certificate information.
- def fingerprint(ca)
- (subjects == :all ? ca.list : subjects).each do |host|
- if value = ca.fingerprint(host, @digest)
- puts "#{host} #{value}"
- else
- Puppet.err "Could not find certificate for %s" % host
- end
- end
- end
-
 # Sign a given certificate.
 def sign(ca)
 list = subjects == :all ? ca.waiting? : subjects
diff --git a/sbin/puppetca b/sbin/puppetca
index eab594ba6..27ba916b5 100755
--- a/sbin/puppetca
+++ b/sbin/puppetca
@@ -10,8 +10,7 @@
 #
 # puppetca [-h|--help] [-V|--version] [-d|--debug] [-v|--verbose]
 # [-g|--generate] [-l|--list] [-s|--sign] [-r|--revoke]
-# [-p|--print] [-c|--clean] [--verify] [--digest DIGEST]
-# [--fingerprint] [host]
+# [-p|--print] [-c|--clean] [--verify] [host]
 #
 # = Description
 #
@@ -36,11 +35,6 @@
 # Operate on all items. Currently only makes sense with '--sign',
 # '--clean', or '--list'.
 #
-# digest::
-# Set the digest for fingerprinting (defaults to md5). Valid values depends
-# on your openssl and openssl ruby extension version, but should contain at
-# least md5, sha1, md2, sha256.
-#
 # clean::
 # Remove all files related to a host from puppetca's storage. This is
 # useful when rebuilding hosts, since new certificate signing requests
@@ -68,9 +62,6 @@
 # print::
 # Print the full-text version of a host's certificate.
 #
-# fingerprint::
-# Print the DIGEST (defaults to md5) fingerprint of a host's certificate.
-#
 # revoke::
 # Revoke the certificate of a client. The certificate can be specified
 # either by its serial number, given as a decimal number or a hexadecimal
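Review bot: The two rewritten `puts` lines in `list` build their output with `+` concatenation while the rest of this file interpolates (the lines being removed here, and the `"%s" % host` form elsewhere in the class); `puts "+ #{host}"` and `puts "- #{host} (#{invalid})"` print the same text and do not depend on `invalid` being a String. Today it is, since the visible context sets `invalid = details.to_s`, so this is a style point rather than a bug. The enclosing `list` method starts above the hunk.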
diff --git a/spec/unit/application/puppetca.rb b/spec/unit/application/puppetca.rb
index 132a03c1f..3a535f394 100644
--- a/spec/unit/application/puppetca.rb
+++ b/spec/unit/application/puppetca.rb
@@ -39,12 +39,6 @@ describe "PuppetCA" do
 @puppetca.handle_debug(0)
 end
- it "should set the fingerprint digest with the --digest option" do
- @puppetca.handle_digest(:digest)
-
- @puppetca.digest.should == :digest
- end
-
 it "should set mode to :destroy for --clean" do
 @puppetca.handle_clean(0)
 @puppetca.mode.should == :destroy
@@ -135,15 +129,6 @@ describe "PuppetCA" do
 @puppetca.main
 end
- it "should send the currently set digest" do
- ARGV.stubs(:collect).returns(["host"])
- @puppetca.handle_digest(:digest)
-
- @ca.expects(:apply).with { |mode,to| to[:digest] == :digest}
-
- @puppetca.main
- end
-
 it "should delegate to ca.apply with current set mode" do
 @puppetca.mode = "currentmode"
 ARGV.stubs(:collect).returns(["host"])
diff --git a/spec/unit/ssl/certificate_authority.rb b/spec/unit/ssl/certificate_authority.rb
index 6c917ff2d..80114300e 100755
--- a/spec/unit/ssl/certificate_authority.rb
+++ b/spec/unit/ssl/certificate_authority.rb
@@ -532,9 +532,9 @@ describe Puppet::SSL::CertificateAuthority do
 lambda { @ca.apply(:generate) }.should raise_error(ArgumentError)
 end
- it "should create an Interface instance with the specified method and the options" do
- Puppet::SSL::CertificateAuthority::Interface.expects(:new).with(:generate, :to => :host).returns(stub('applier', :apply => nil))
- @ca.apply(:generate, :to => :host)
+ it "should create an Interface instance with the specified method and the subjects" do
+ Puppet::SSL::CertificateAuthority::Interface.expects(:new).with(:generate, :hosts).returns(stub('applier', :apply => nil))
+ @ca.apply(:generate, :to => :hosts)
 end
 it "should apply the Interface with itself as the argument" do
@@ -583,38 +583,6 @@ describe Puppet::SSL::CertificateAuthority do
 end
 end
- describe "and fingerprinting certificates" do
- before :each do
- @der = stub 'der', :to_der => "DER"
- @cert = stub 'cert', :name => "cert", :content => @der
- Puppet::SSL::Certificate.stubs(:find).with("myhost").returns @cert
- OpenSSL::Digest.stubs(:constants).returns ["MD5", "DIGEST"]
- end
-
- it "should raise an error if the certificate cannot be found" do
- Puppet::SSL::Certificate.expects(:find).with("myhost").returns nil
- lambda { @ca.fingerprint("myhost") }.should raise_error
- end
-
- it "should digest the certificate DER value and return a ':' seperated nibblet string" do
- OpenSSL::Digest.expects(:hexdigest).with("MD5", "DER").returns "digest"
-
- @ca.fingerprint("myhost").should == "DI:GE:ST"
- end
-
- it "should raise an error if the digest algorithm is not defined" do
- OpenSSL::Digest.expects(:constants).returns []
-
- lambda { @ca.fingerprint("myhost") }.should raise_error
- end
-
- it "should use the given digest algorithm" do
- OpenSSL::Digest.expects(:hexdigest).with("DIGEST", "DER").returns "digest"
-
- @ca.fingerprint("myhost", :digest).should == "DI:GE:ST"
- end
- end
-
 describe "and verifying certificates" do
 before do
 @store = stub 'store', :verify => true, :add_file => nil, :purpose= => nil, :add_crl => true, :flags= => nil
diff --git a/spec/unit/ssl/certificate_authority/interface.rb b/spec/unit/ssl/certificate_authority/interface.rb
index 4b0a4ef51..d741ec400 100755
--- a/spec/unit/ssl/certificate_authority/interface.rb
+++ b/spec/unit/ssl/certificate_authority/interface.rb
@@ -9,7 +9,7 @@ describe "a normal interface method", :shared => true do
 @ca.expects(@method).with("host1")
 @ca.expects(@method).with("host2")
- @applier = Puppet::SSL::CertificateAuthority::Interface.new(@method, :to => %w{host1 host2})
+ @applier = Puppet::SSL::CertificateAuthority::Interface.new(@method, %w{host1 host2})
 @applier.apply(@ca)
 end
@@ -20,7 +20,7 @@ describe "a normal interface method", :shared => true do
 @ca.expects(@method).with("host1")
 @ca.expects(@method).with("host2")
- @applier = Puppet::SSL::CertificateAuthority::Interface.new(@method, :to => :all)
+ @applier = Puppet::SSL::CertificateAuthority::Interface.new(@method, :all)
 @applier.apply(@ca)
 end
@@ -33,40 +33,30 @@ describe Puppet::SSL::CertificateAuthority::Interface do
 describe "when initializing" do
 it "should set its method using its settor" do
 @class.any_instance.expects(:method=).with(:generate)
- @class.new(:generate, :to => :all)
+ @class.new(:generate, :all)
 end
 it "should set its subjects using the settor" do
 @class.any_instance.expects(:subjects=).with(:all)
- @class.new(:generate, :to => :all)
- end
-
- it "should set the digest if given" do
- interface = @class.new(:generate, :to => :all, :digest => :digest)
- interface.digest.should == :digest
- end
-
- it "should set the digest to md5 if none given" do
- interface = @class.new(:generate, :to => :all)
- interface.digest.should == :MD5
+ @class.new(:generate, :all)
 end
 end
 describe "when setting the method" do
 it "should set the method" do
- @class.new(:generate, :to => :all).method.should == :generate
+ @class.new(:generate, :all).method.should == :generate
 end
 it "should fail if the method isn't a member of the INTERFACE_METHODS array" do
 Puppet::SSL::CertificateAuthority::Interface::INTERFACE_METHODS.expects(:include?).with(:thing).returns false
- lambda { @class.new(:thing, :to => :all) }.should raise_error(ArgumentError)
+ lambda { @class.new(:thing, :all) }.should raise_error(ArgumentError)
 end
 end
 describe "when setting the subjects" do
 it "should set the subjects" do
- @class.new(:generate, :to => :all).subjects.should == :all
+ @class.new(:generate, :all).subjects.should == :all
 end
 it "should fail if the subjects setting isn't :all or an array" do
@@ -75,7 +65,7 @@ describe Puppet::SSL::CertificateAuthority::Interface do
 end
 it "should have a method for triggering the application" do
- @class.new(:generate, :to => :all).should respond_to(:apply)
+ @class.new(:generate, :all).should respond_to(:apply)
 end
 describe "when applying" do
@@ -85,7 +75,7 @@ describe Puppet::SSL::CertificateAuthority::Interface do
 end
 it "should raise InterfaceErrors" do
- @applier = @class.new(:revoke, :to => :all)
+ @applier = @class.new(:revoke, :all)
 @ca.expects(:list).raises Puppet::SSL::CertificateAuthority::Interface::InterfaceError
@@ -93,7 +83,7 @@ describe Puppet::SSL::CertificateAuthority::Interface do
 end
 it "should log non-Interface failures rather than failing" do
- @applier = @class.new(:revoke, :to => :all)
+ @applier = @class.new(:revoke, :all)
 @ca.expects(:list).raises ArgumentError
@@ -104,19 +94,19 @@ describe Puppet::SSL::CertificateAuthority::Interface do
 describe "with an empty array specified and the method is not list" do
 it "should fail" do
- @applier = @class.new(:sign, :to => [])
+ @applier = @class.new(:sign, [])
 lambda { @applier.apply(@ca) }.should raise_error(ArgumentError)
 end
 end
 describe ":generate" do
 it "should fail if :all was specified" do
- @applier = @class.new(:generate, :to => :all)
+ @applier = @class.new(:generate, :all)
 lambda { @applier.apply(@ca) }.should raise_error(ArgumentError)
 end
 it "should call :generate on the CA for each host specified" do
- @applier = @class.new(:generate, :to => %w{host1 host2})
+ @applier = @class.new(:generate, %w{host1 host2})
 @ca.expects(:generate).with("host1")
 @ca.expects(:generate).with("host2")
@@ -151,7 +141,7 @@ describe Puppet::SSL::CertificateAuthority::Interface do
 describe ":sign" do
 describe "and an array of names was provided" do
 before do
- @applier = @class.new(:sign, :to => %w{host1 host2})
+ @applier = @class.new(:sign, %w{host1 host2})
 end
 it "should sign the specified waiting certificate requests" do
@@ -169,14 +159,14 @@ describe Puppet::SSL::CertificateAuthority::Interface do
 @ca.expects(:sign).with("cert1")
 @ca.expects(:sign).with("cert2")
- @applier = @class.new(:sign, :to => :all)
+ @applier = @class.new(:sign, :all)
 @applier.apply(@ca)
 end
 it "should fail if there are no waiting certificate requests" do
 @ca.stubs(:waiting?).returns([])
- @applier = @class.new(:sign, :to => :all)
+ @applier = @class.new(:sign, :all)
 lambda { @applier.apply(@ca) }.should raise_error(Puppet::SSL::CertificateAuthority::Interface::InterfaceError)
 end
 end
@@ -188,7 +178,7 @@ describe Puppet::SSL::CertificateAuthority::Interface do
 @ca.expects(:waiting?).returns %w{host1 host2}
 @ca.stubs(:verify)
- @applier = @class.new(:list, :to => [])
+ @applier = @class.new(:list, [])
 @applier.expects(:puts).with "host1\nhost2"
@@ -201,15 +191,14 @@ describe Puppet::SSL::CertificateAuthority::Interface do
 @ca.expects(:waiting?).returns %w{host1 host2}
 @ca.expects(:list).returns %w{host3 host4}
 @ca.stubs(:verify)
- @ca.stubs(:fingerprint).returns "fingerprint"
 @ca.expects(:verify).with("host3").raises(Puppet::SSL::CertificateAuthority::CertificateVerificationError.new(23), "certificate revoked")
- @applier = @class.new(:list, :to => :all)
+ @applier = @class.new(:list, :all)
 @applier.expects(:puts).with "host1"
 @applier.expects(:puts).with "host2"
- @applier.expects(:puts).with "- host3 (fingerprint) (certificate revoked)"
- @applier.expects(:puts).with "+ host4 (fingerprint)"
+ @applier.expects(:puts).with "- host3 (certificate revoked)"
+ @applier.expects(:puts).with "+ host4"
 @applier.apply(@ca)
 end
@@ -219,15 +208,14 @@ describe Puppet::SSL::CertificateAuthority::Interface do
 it "should print a string of all named hosts that have a waiting request" do
 @ca.expects(:waiting?).returns %w{host1 host2}
 @ca.expects(:list).returns %w{host3 host4}
- @ca.stubs(:fingerprint).returns "fingerprint"
 @ca.stubs(:verify)
- @applier = @class.new(:list, :to => %w{host1 host2 host3 host4})
+ @applier = @class.new(:list, %w{host1 host2 host3 host4})
 @applier.expects(:puts).with "host1"
 @applier.expects(:puts).with "host2"
- @applier.expects(:puts).with "+ host3 (fingerprint)"
- @applier.expects(:puts).with "+ host4 (fingerprint)"
+ @applier.expects(:puts).with "+ host3"
+ @applier.expects(:puts).with "+ host4"
 @applier.apply(@ca)
 end
@@ -239,7 +227,7 @@ describe Puppet::SSL::CertificateAuthority::Interface do
 it "should print all certificates" do
 @ca.expects(:list).returns %w{host1 host2}
- @applier = @class.new(:print, :to => :all)
+ @applier = @class.new(:print, :all)
 @ca.expects(:print).with("host1").returns "h1"
 @applier.expects(:puts).with "h1"
@@ -253,7 +241,7 @@ describe Puppet::SSL::CertificateAuthority::Interface do
 describe "and an array of names was provided" do
 it "should print each named certificate if found" do
- @applier = @class.new(:print, :to => %w{host1 host2})
+ @applier = @class.new(:print, %w{host1 host2})
 @ca.expects(:print).with("host1").returns "h1"
 @applier.expects(:puts).with "h1"
@@ -265,7 +253,7 @@ describe Puppet::SSL::CertificateAuthority::Interface do
 end
 it "should log any named but not found certificates" do
- @applier = @class.new(:print, :to => %w{host1 host2})
+ @applier = @class.new(:print, %w{host1 host2})
 @ca.expects(:print).with("host1").returns "h1"
 @applier.expects(:puts).with "h1"
@@ -277,46 +265,5 @@ describe Puppet::SSL::CertificateAuthority::Interface do
 end
 end
 end
-
- describe ":fingerprint" do
- it "should fingerprint with the set digest algorithm" do
- @applier = @class.new(:fingerprint, :to => %w{host1}, :digest => :digest)
-
- @ca.expects(:fingerprint).with("host1", :digest).returns "fingerprint1"
- @applier.expects(:puts).with "host1 fingerprint1"
-
- @applier.apply(@ca)
- end
-
- describe "and :all was provided" do
- it "should fingerprint all certificates" do
- @ca.expects(:list).returns %w{host1 host2}
-
- @applier = @class.new(:fingerprint, :to => :all)
-
- @ca.expects(:fingerprint).with("host1", :MD5).returns "fingerprint1"
- @applier.expects(:puts).with "host1 fingerprint1"
-
- @ca.expects(:fingerprint).with("host2", :MD5).returns "fingerprint2"
- @applier.expects(:puts).with "host2 fingerprint2"
-
- @applier.apply(@ca)
- end
- end
-
- describe "and an array of names was provided" do
- it "should print each named certificate if found" do
- @applier = @class.new(:fingerprint, :to => %w{host1 host2})
-
- @ca.expects(:fingerprint).with("host1", :MD5).returns "fingerprint1"
- @applier.expects(:puts).with "host1 fingerprint1"
-
- @ca.expects(:fingerprint).with("host2", :MD5).returns "fingerprint2"
- @applier.expects(:puts).with "host2 fingerprint2"
-
- @applier.apply(@ca)
- end
- end
- end
 end
 end |