Diffstat (limited to 'lib/puppet')
-rw-r--r--lib/puppet/ssl/certificate_authority.rb53
-rw-r--r--lib/puppet/ssl/certificate_request.rb9
2 files changed, 39 insertions, 23 deletions
diff --git a/lib/puppet/ssl/certificate_authority.rb b/lib/puppet/ssl/certificate_authority.rb
index 9385110d2..0329f5354 100644
--- a/lib/puppet/ssl/certificate_authority.rb
+++ b/lib/puppet/ssl/certificate_authority.rb
@@ -42,37 +42,44 @@ class Puppet::SSL::CertificateAuthority
applier.apply(self)
end
- # FIXME autosign? should probably accept both hostnames and IP addresses
- def autosign?(hostname)
- # simple values are easy
- if autosign == true or autosign == false
- return autosign
+ # If autosign is configured, then autosign all CSRs that match our configuration.
+ def autosign
+ return unless auto = autosign?
+
+ store = nil
+ if auto != true
+ store = autosign_store(auto)
end
- # we only otherwise know how to handle files
- unless autosign =~ /^\//
- raise Puppet::Error, "Invalid autosign value %s" %
- autosign.inspect
+ Puppet::SSL::CertificateRequest.search("*").each do |csr|
+ sign(csr.name) if auto == true or store.allowed?(csr.name, "127.1.1.1")
end
+ end
- unless FileTest.exists?(autosign)
- unless defined? @@warnedonautosign
- @@warnedonautosign = true
- Puppet.info "Autosign is enabled but %s is missing" % autosign
- end
+ # Do we autosign? This returns true, false, or a filename.
+ def autosign?
+ auto = Puppet[:autosign]
+ return false if ['false', false].include?(auto)
+ return true if ['true', true].include?(auto)
+
+ raise ArgumentError, "The autosign configuration '%s' must be a fully qualified file" % auto unless auto =~ /^\//
+ if FileTest.exist?(auto)
+ return auto
+ else
return false
end
+ end
+
+ # Create an AuthStore for autosigning.
+ def autosign_store(file)
auth = Puppet::Network::AuthStore.new
- File.open(autosign) { |f|
- f.each { |line|
- next if line =~ /^\s*#/
- next if line =~ /^\s*$/
- auth.allow(line.chomp)
- }
- }
+ File.readlines(file).each do |line|
+ next if line =~ /^\s*#/
+ next if line =~ /^\s*$/
+ auth.allow(line.chomp)
+ end
- # for now, just cheat and pass a fake IP address to allowed?
- return auth.allowed?(hostname, "127.1.1.1")
+ auth
end
# Retrieve (or create, if necessary) the certificate revocation list.
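Review bot: The new autosign? silently drops the operator-visible signal the removed code gave when Puppet[:autosign] names a file that does not exist: the `FileTest.exist?(auto)` branch now just returns false, so autosign is quietly disabled and CSRs pile up unsigned with nothing in the log. Keep a one-time `Puppet.info "Autosign is enabled but %s is missing" % auto` before that `return false` (the old `@@warnedonautosign` class variable was the once-only guard; a class-level instance variable would be the cleaner replacement). Two smaller points in the same hunk: `auto =~ /^\//` anchors at any line start, and `/\A\//` is the whole-string check this validation intends; and the `"127.1.1.1"` argument in autosign lost the removed code's explanation that it is a placeholder IP for AuthStore#allowed?, so the line deserves a comment such as `# AuthStore#allowed? requires an IP; autosign entries are matched by name, so a fixed placeholder is passed.` autosign?, autosign and autosign_store are complete within the hunk.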
diff --git a/lib/puppet/ssl/certificate_request.rb b/lib/puppet/ssl/certificate_request.rb
index 2c93a9c56..34cae5a3e 100644
--- a/lib/puppet/ssl/certificate_request.rb
+++ b/lib/puppet/ssl/certificate_request.rb
@@ -24,4 +24,13 @@ class Puppet::SSL::CertificateRequest < Puppet::SSL::Base
@content = csr
end
+
+ def save
+ super()
+
+ # Try to autosign the CSR.
+ if ca = Puppet::SSL::CertificateAuthority.instance
+ ca.autosign
+ end
+ end
end
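Review bot: The new save calls `ca.autosign`, which per the certificate_authority.rb hunk iterates every pending request from `CertificateRequest.search("*")`, so saving one CSR triggers signing of all queued requests that match the store rather than only the request just saved, and the work grows with the queue on every save. If per-request behaviour is intended, scoping the call to this request, e.g. `ca.autosign(name)` with a matching parameter on the CA side, would avoid that. Note also that `super()` has already persisted the CSR before `ca.autosign` runs, and autosign? raises ArgumentError on a malformed Puppet[:autosign], so a configuration error on the CA surfaces to the client as a failed save even though the request was stored; the CA side should decide whether that error belongs to the saver. The `if ca = ...` assignment-in-condition reads more clearly as `ca = Puppet::SSL::CertificateAuthority.instance` followed by `ca.autosign if ca`.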