Diffstat (limited to 'lib/puppet/server')
-rwxr-xr-x | lib/puppet/server/authstore.rb | 1 | ||||
-rw-r--r-- | lib/puppet/server/ca.rb | 54 | ||||
-rw-r--r-- | lib/puppet/server/servlet.rb | 33 |
3 files changed, 41 insertions, 47 deletions
diff --git a/lib/puppet/server/authstore.rb b/lib/puppet/server/authstore.rb
index 966bc8372..075f1f9a1 100755
--- a/lib/puppet/server/authstore.rb
+++ b/lib/puppet/server/authstore.rb
@@ -66,6 +66,7 @@ class Server
             }
         }
+        Puppet.info "Defaulting to false for %s" % name
         # default to false
         return false
     end
diff --git a/lib/puppet/server/ca.rb b/lib/puppet/server/ca.rb
index 04096a216..df2614e7c 100644
--- a/lib/puppet/server/ca.rb
+++ b/lib/puppet/server/ca.rb
@@ -19,65 +19,42 @@ class Server
     # FIXME autosign? should probably accept both hostnames and IP addresses
     def autosign?(hostname)
         # simple values are easy
-        asign = Puppet[:autosign]
-        if asign == true or asign == false
-            return asign
+        if @autosign == true or @autosign == false
+            return @autosign
         end
         # we only otherwise know how to handle files
-        unless asign =~ /^\//
+        unless @autosign =~ /^\//
             raise Puppet::Error, "Invalid autosign value %s" %
-                asign
+                @autosign
         end
-        unless FileTest.exists?(asign)
-            Puppet.warning "Autosign is enabled but %s is missing" % asign
+        unless FileTest.exists?(@autosign)
+            Puppet.info "Autosign is enabled but %s is missing" % @autosign
             return false
         end
         auth = Puppet::Server::AuthStore.new
-        File.open(asign) { |f|
+        File.open(@autosign) { |f|
             f.each { |line|
                 auth.allow(line.chomp)
-#                if line =~ /^[.\w-]+$/ and line == hostname
-#                    Puppet.info "%s exactly matched %s" % [hostname, line]
-#                    return true
-#                else
-#                    begin
-#                        rx = Regexp.new(line)
-#                    rescue => detail
-#                        Puppet.err(
-#                            "Could not create regexp out of autosign line %s: %s" %
-#                            [line, detail]
-#                        )
-#                        next
-#                    end
-#
-#                    if hostname =~ rx
-#                        Puppet.info "%s matched %s" % [hostname, line]
-#                        return true
-#                    end
-#                end
             }
         }
         # for now, just cheat and pass a fake IP address to allowed?
-        return auth.allowed?(hostname, "127.0.0.1")
+        return auth.allowed?(hostname, "127.1.1.1")
     end
     def initialize(hash = {})
+        @autosign = hash[:autosign] || Puppet[:autosign]
         @ca = Puppet::SSLCertificates::CA.new()
     end
     # our client sends us a csr, and we either store it for later signing,
     # or we sign it right away
     def getcert(csrtext, client = nil, clientip = nil)
-        # okay, i need to retrieve the hostname from the csr, and then
-        # verify that i get the same hostname through reverse lookup or
-        # something
-
-        Puppet.info "Someone's trying for a cert"
         csr = OpenSSL::X509::Request.new(csrtext)
+        # Use the hostname from the CSR, not from the network.
         subject = csr.subject
         nameary = subject.to_a.find { |ary|
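Review bot: `return auth.allowed?(hostname, "127.1.1.1")` still evaluates every entry of the autosign file against a fabricated loopback address, so if AuthStore honours network or wildcard entries (the FIXME above the method suggests IP entries are expected), an entry such as `127.0.0.0/8` would autosign every request, and the hostname being checked comes from the client-supplied CSR via `getcert`. Since `getcert` already receives `clientip`, thread it through instead of faking it: `def autosign?(hostname, clientip = "127.1.1.1")` and `return auth.allowed?(hostname, clientip)`, with the call site (in a later hunk) passing `clientip`. Separately, in `initialize`, `@autosign = hash[:autosign] || Puppet[:autosign]` silently discards an explicit `:autosign => false` whenever the global setting is enabled; `hash.include?(:autosign) ? hash[:autosign] : Puppet[:autosign]` keeps the explicit opt-out. `autosign?` is entirely within this hunk, but `getcert` continues past its end.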
@@ -85,7 +62,9 @@ class Server
         }
         if nameary.nil?
-            Puppet.err "Invalid certificate request"
+            Puppet.err(
+                "Invalid certificate request: could not retrieve server name"
+            )
             return "invalid"
         end
@@ -129,10 +108,13 @@ class Server
         cert, cacert = ca.getclientcert(hostname)
         if cert and cacert
             Puppet.info "Retrieving existing certificate for %s" % hostname
-            Puppet.info "Cert: %s; Cacert: %s" % [cert.class, cacert.class]
+            #Puppet.info "Cert: %s; Cacert: %s" % [cert.class, cacert.class]
             return [cert.to_pem, cacert.to_pem]
         elsif @ca
-            if self.autosign?(hostname)
+            if self.autosign?(hostname) or client.nil?
+                if client.nil?
+                    Puppet.info "Signing certificate for CA server"
+                end
                 # okay, we don't have a signed cert
                 # if we're a CA and autosign is turned on, then go ahead and sign
                 # the csr and return the results
diff --git a/lib/puppet/server/servlet.rb b/lib/puppet/server/servlet.rb
index ce962b4ea..703e984b0 100644
--- a/lib/puppet/server/servlet.rb
+++ b/lib/puppet/server/servlet.rb
@@ -66,13 +66,18 @@ class Server
             @loadedhandlers = []
             handlers.each { |handler|
-                Puppet.debug "adding handler for %s" % handler.class
+                #Puppet.debug "adding handler for %s" % handler.class
                 self.add_handler(handler.class.interface, handler)
             }
+            # Initialize these to nil, but they will get set to values
+            # by the 'service' method. These have to instance variables
+            # because I don't have a clear line from the service method to
+            # the service hook.
             @request = nil
             @client = nil
             @clientip = nil
+
             self.set_service_hook { |obj, *args|
                 #raise "crap!"
                 if @client and @clientip
@@ -81,6 +86,8 @@ class Server
                 end
                 begin
                     obj.call(*args)
+                rescue XMLRPC::FaultException
+                    raise
                 rescue Puppet::Server::AuthorizationError => detail
                     #Puppet.warning obj.inspect
                     #Puppet.warning args.inspect
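Review bot: `if self.autosign?(hostname) or client.nil?` turns the absence of a caller address into unconditional signing, and `client` is a parameter that defaults to nil in `getcert(csrtext, client = nil, clientip = nil)`, so any internal call that omits the argument, or any request path that leaves the servlet's `@client` unset, receives a signed certificate without autosign ever being consulted. If the CA's own bootstrap needs a certificate, have that path sign through the CA object directly rather than through the network-facing `getcert`, or at least require an explicit marker rather than an ambient nil, e.g. `local = (client.nil? and clientip.nil?)`. Whatever the shape, promote the log line so the bypass is auditable: `Puppet.warning "Signing certificate for %s as a local CA request" % hostname`. The enclosing `elsif @ca` branch continues past the end of this hunk.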
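Review bot: The new comment documents `@request`, `@client` and `@clientip` as per-request state kept on the servlet instance, but if that instance is shared between requests and the server handles connections on separate threads (WEBrick's default, though the server setup is outside this diff), two overlapping requests can race between `service` assigning `@client` and the service hook reading it, so one client's calls could be attributed to another. Consider carrying the peer identity on the request object instead of the instance, or at minimum guarding the `service`-to-hook handoff with a `Mutex#synchronize` and stating the limitation in the comment: `# NOTE: not safe for concurrent requests; @client may be overwritten between service and the hook`. The comment also drops a word: "These have to instance variables" should read "These have to be instance variables". The `initialize` method continues past the end of this hunk.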
@@ -99,13 +106,17 @@ class Server
                     #Puppet.warning obj.inspect
                     #Puppet.warning args.inspect
                     Puppet.err "Could not call: %s" % detail.to_s
-                    raise error
+                    raise XMLRPC::FaultException.new(1, detail.to_s)
                 end
             }
         end
+        # Handle the actual request. This does some basic collection of
+        # data, and then just calls the parent method.
         def service(request, response)
             @request = request
+
+            # The only way that @client can be nil is if the request is local.
             if peer = request.peeraddr
                 @client = peer[2]
                 @clientip = peer[3]
@@ -120,17 +131,17 @@ class Server
                 # then we get the hostname from the cert, instead of via IP
                 # info
                 if cert = request.client_cert
-                    name = cert.subject
-                    #Puppet.info name.inspect
-                    if name.to_s =~ /CN=(\w+)/
-                        Puppet.info "Overriding %s with cert name %s" %
-                            [@client, $1]
-                        @client = $1
+                    nameary = cert.subject.to_a.find { |ary|
+                        ary[0] == "CN"
+                    }
+
+                    if nameary.nil?
+                        Puppet.warning "Could not retrieve server name from cert"
                     else
-                        Puppet.warning "Could not match against %s(%s)" %
-                            [name, name.class]
+                        Puppet.debug "Overriding %s with cert name %s" %
+                            [@client, nameary[1]]
+                        @client = nameary[1]
                     end
-                    #Puppet.info "client cert is %s" % request.client_cert
                 end
                 #if request.server_cert
                 #    Puppet.info "server cert is %s" % @request.server_cert
|
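Review bot: `raise XMLRPC::FaultException.new(1, detail.to_s)` sends the raw message of an arbitrary server-side exception to the remote XML-RPC caller, which can expose file paths and internal state to a client that has not been authorized; the `rescue` clause that binds `detail` sits above this hunk, so what it catches is not visible here. Keep the full text in the existing `Puppet.err` line and return a generic fault, e.g. `raise XMLRPC::FaultException.new(1, "Internal server error")`. In `service`, the new comment asserts that `@client` is nil only for local requests, but `@client` is assigned only inside `if peer = request.peeraddr` and is not reset at the top of `service`, so unless the `else` branch (outside this hunk) clears it, a value left over from a previous request may be reused; `@client = @clientip = nil` before the `if` would make the comment hold. Both the hook block and `service` extend beyond this hunk.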
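Review bot: `@client = nameary[1]` replaces the network-derived identity with whatever CN the presented certificate carries, and nothing in this hunk checks that the certificate was issued by the Puppet CA; that has to come from the server's SSL verify mode, which is outside this diff, so it is worth confirming that a self-signed certificate with a chosen CN is rejected at the TLS layer before this code runs. The old regex at least restricted the CN to `\w+`, whereas the new lookup accepts any value, including one that may later be used as a path or log component; validate it before use, e.g. `unless nameary[1] =~ /\A[\w.-]+\z/` (using `\A`/`\z`, since `^`/`$` match per line) and treat a mismatch like the `nameary.nil?` case. An identity override is what later authorization depends on, so lowering its log line from `Puppet.info` to `Puppet.debug` makes it harder to audit; consider keeping it at info. `service` appears to continue past the end of this hunk.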