| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
| |
These methods aren't available until Ruby 1.8.6 (Dir.mktmpdir) and Ruby 1.8.7
(Object#tap).
Reviewed-By: Jacob Helwig <jacob@puppetlabs.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
This class was previously using a cached_attr for its 'localhost' attribute,
representing the Puppet::SSL::Host entry corresponding to the cert in
Puppet[:certname]. We now no longer expire this attribute. This has the effect
that a change to certname during the lifetime of an agent will not be reflected
in the certificate it uses. If this behavior is desired, it will need to be
reimplemented another way.
Reviewed-By: Jacob Helwig <jacob@puppetlabs.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This commit introduces a new Indirector terminus, certificate_status,
which allows for signing, revoking, listing, and cleaning
SSL certificates over HTTP via REST. Documentation for these new
features can be found in our REST API documentation on the docs site:
http://docs.puppetlabs.com/guides/rest_api.html
This documentation has not been updated as of the writing of this
commit, but will be very soon. Puppet::SSL::Host is now fully integrated
into the Indirector.
Paired-with:Matt Robinson, Jacob Helwig, Jesse Wolfe, Richard Crowley,
Luke Kanies
|
| |
|
|
|
|
|
|
|
|
|
| |
This change replaces calls to <model object>.save with calls to <model
class>.indirection.save(<model object>). This makes the use of the
indirector explicit rather than implicit so that it will be easier to
search for all indirector call sites using grep. This is an
intermediate refactor on the way towards allowing indirector calls to
be explicitly routed to multiple termini.
This patch affects production code.
|
| |
|
|
|
|
| |
Replaced uses of the find, search, destroy, and expire methods on
model classes with direct calls to the indirection objects. Also
removed the old methods that delegated to the indirection object.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Replaced 106806 occurances of ^( +)(.*$) with
The ruby community almost universally (i.e. everyone but Luke, Markus, and the other eleven people
who learned ruby in the 1900s) uses two-space indentation.
3 Examples:
The code:
end
# Tell getopt which arguments are valid
def test_get_getopt_args
element = Setting.new :name => "foo", :desc => "anything", :settings => Puppet::Util::Settings.new
assert_equal([["--foo", GetoptLong::REQUIRED_ARGUMENT]], element.getopt_args, "Did not produce appropriate getopt args")
becomes:
end
# Tell getopt which arguments are valid
def test_get_getopt_args
element = Setting.new :name => "foo", :desc => "anything", :settings => Puppet::Util::Settings.new
assert_equal([["--foo", GetoptLong::REQUIRED_ARGUMENT]], element.getopt_args, "Did not produce appropriate getopt args")
The code:
assert_equal(str, val)
assert_instance_of(Float, result)
end
# Now test it with a passed object
becomes:
assert_equal(str, val)
assert_instance_of(Float, result)
end
# Now test it with a passed object
The code:
end
assert_nothing_raised do
klass[:Yay] = "boo"
klass["Cool"] = :yayness
end
becomes:
end
assert_nothing_raised do
klass[:Yay] = "boo"
klass["Cool"] = :yayness
end
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Replaced 704 occurances of (.*)\b([a-z_]+)\(\) with \1\2
3 Examples:
The code:
ctx = OpenSSL::SSL::SSLContext.new()
becomes:
ctx = OpenSSL::SSL::SSLContext.new
The code:
skip()
becomes:
skip
The code:
path = tempfile()
becomes:
path = tempfile
* Replaced 31 occurances of ^( *)end *#.* with \1end
3 Examples:
The code:
becomes:
The code:
end # Dir.foreach
becomes:
end
The code:
end # def
becomes:
end
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Replaced 53 occurances of
defined\?\((.+?)\) (?:and|&&) \1( |$)
with
\1\2
In code like:
unless defined? @foo and @foo and bar("baz")
"defined? @foo and @foo" can safely be replaced with "@foo":
unless @foo and bar("baz")
Because:
* Both evaluate to false/nil when @foo is not defined
* Both evaluate to @foo when @foo is defined
3 Examples:
The code:
@sync = Sync.new unless defined?(@sync) and @sync
becomes:
@sync = Sync.new unless @sync
The code:
unless defined?(@content) and @content
becomes:
unless @content
The code:
raise(ArgumentError, "Already handling indirection for #{@indirection.name}; cannot also handle #{indirection}") if defined?(@indirection) and @indirection
becomes:
raise(ArgumentError, "Already handling indirection for #{@indirection.name}; cannot also handle #{indirection}") if @indirection
* Replaced 2 occurances of
defined\?\((.+?)\) (?:and|&&) ! *\1.nil\?
with
!\1.nil?
In code like:
while defined? @foo and ! @foo.nil? ...
"defined? @foo and ! @foo.nil?" can safely be replaced with "! @foo.nil?":
while ! @foo.nil? ...
Because:
* Both evaluate to false/nil when @foo is not defined
* Both evaluate to "! @foo.nil?" when @foo is defined
2 Examples:
The code:
!!(defined?(@value) and ! @value.nil?)
becomes:
!!(!@value.nil?)
The code:
self.init unless defined?(@@state) and ! @@state.nil?
becomes:
self.init unless !@@state.nil?
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Replaced 583 occurances of
(DEF)
(LINES)
return (.*)
end
with
3 Examples:
The code:
def consolidate_failures(failed)
filters = Hash.new { |h,k| h[k] = [] }
failed.each do |spec, failed_trace|
if f = test_files_for(failed).find { |f| failed_trace =~ Regexp.new(f) }
filters[f] << spec
break
end
end
return filters
end
becomes:
def consolidate_failures(failed)
filters = Hash.new { |h,k| h[k] = [] }
failed.each do |spec, failed_trace|
if f = test_files_for(failed).find { |f| failed_trace =~ Regexp.new(f) }
filters[f] << spec
break
end
end
filters
end
The code:
def retrieve
return_value = super
return_value = return_value[0] if return_value && return_value.is_a?(Array)
return return_value
end
becomes:
def retrieve
return_value = super
return_value = return_value[0] if return_value && return_value.is_a?(Array)
return_value
end
The code:
def fake_fstab
os = Facter['operatingsystem']
if os == "Solaris"
name = "solaris.fstab"
elsif os == "FreeBSD"
name = "freebsd.fstab"
else
# Catchall for other fstabs
name = "linux.fstab"
end
oldpath = @provider_class.default_target
return fakefile(File::join("data/types/mount", name))
end
becomes:
def fake_fstab
os = Facter['operatingsystem']
if os == "Solaris"
name = "solaris.fstab"
elsif os == "FreeBSD"
name = "freebsd.fstab"
else
# Catchall for other fstabs
name = "linux.fstab"
end
oldpath = @provider_class.default_target
fakefile(File::join("data/types/mount", name))
end
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Replaced 6 occurances of (while .*?) *do$ with
The do is unneeded in the block header form and causes problems
with the block-to-one-line transformation.
3 Examples:
The code:
while line = f.gets do
becomes:
while line = f.gets
The code:
while line = shadow.gets do
becomes:
while line = shadow.gets
The code:
while wrapper = zeros.pop do
becomes:
while wrapper = zeros.pop
* Replaced 19 occurances of ((if|unless) .*?) *then$ with
The then is unneeded in the block header form and causes problems
with the block-to-one-line transformation.
3 Examples:
The code:
if f = test_files_for(failed).find { |f| failed_trace =~ Regexp.new(f) } then
becomes:
if f = test_files_for(failed).find { |f| failed_trace =~ Regexp.new(f) }
The code:
unless defined?(@spec_command) then
becomes:
unless defined?(@spec_command)
The code:
if c == ?\n then
becomes:
if c == ?\n
* Replaced 758 occurances of
((?:if|unless|while|until) .*)
(.*)
end
with
The one-line form is preferable provided:
* The condition is not used to assign a variable
* The body line is not already modified
* The resulting line is not too long
3 Examples:
The code:
if Puppet.features.libshadow?
has_feature :manages_passwords
end
becomes:
has_feature :manages_passwords if Puppet.features.libshadow?
The code:
unless (defined?(@current_pool) and @current_pool)
@current_pool = process_zpool_data(get_pool_data)
end
becomes:
@current_pool = process_zpool_data(get_pool_data) unless (defined?(@current_pool) and @current_pool)
The code:
if Puppet[:trace]
puts detail.backtrace
end
becomes:
puts detail.backtrace if Puppet[:trace]
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Replaced 83 occurances of
(.*)" *[+] *([$@]?[\w_0-9.:]+?)(.to_s\b)?(?! *[*(%\w_0-9.:{\[])
with
\1#{\2}"
3 Examples:
The code:
puts "PUPPET " + status + ": " + process + ", " + state
becomes:
puts "PUPPET " + status + ": " + process + ", #{state}"
The code:
puts "PUPPET " + status + ": #{process}" + ", #{state}"
becomes:
puts "PUPPET #{status}" + ": #{process}" + ", #{state}"
The code:
}.compact.join( "\n" ) + "\n" + t + "]\n"
becomes:
}.compact.join( "\n" ) + "\n#{t}" + "]\n"
* Replaced 21 occurances of (.*)" *[+] *" with \1
3 Examples:
The code:
puts "PUPPET #{status}" + ": #{process}" + ", #{state}"
becomes:
puts "PUPPET #{status}" + ": #{process}, #{state}"
The code:
puts "PUPPET #{status}" + ": #{process}, #{state}"
becomes:
puts "PUPPET #{status}: #{process}, #{state}"
The code:
res = self.class.name + ": #{@name}" + "\n"
becomes:
res = self.class.name + ": #{@name}\n"
* Don't use string concatenation to split lines unless they would be very long.
Replaced 11 occurances of
(.*)(['"]) *[+]
*(['"])(.*)
with
3 Examples:
The code:
o.define_head "The check_puppet Nagios plug-in checks that specified " +
"Puppet process is running and the state file is no " +
becomes:
o.define_head "The check_puppet Nagios plug-in checks that specified Puppet process is running and the state file is no " +
The code:
o.separator "Mandatory arguments to long options are mandatory for " +
"short options too."
becomes:
o.separator "Mandatory arguments to long options are mandatory for short options too."
The code:
o.define_head "The check_puppet Nagios plug-in checks that specified Puppet process is running and the state file is no " +
"older than specified interval."
becomes:
o.define_head "The check_puppet Nagios plug-in checks that specified Puppet process is running and the state file is no older than specified interval."
* Replaced no occurances of do (.*?) end with {\1}
* Replaced 1488 occurances of
"([^"\n]*%s[^"\n]*)" *% *(.+?)(?=$| *\b(do|if|while|until|unless|#)\b)
with
20 Examples:
The code:
args[0].split(/\./).map do |s| "dc=%s"%[s] end.join(",")
becomes:
args[0].split(/\./).map do |s| "dc=#{s}" end.join(",")
The code:
puts "%s" % Puppet.version
becomes:
puts "#{Puppet.version}"
The code:
raise "Could not find information for %s" % node
becomes:
raise "Could not find information for #{node}"
The code:
raise Puppet::Error, "Cannot create %s: basedir %s is a file" % [dir, File.join(path)]
becomes:
raise Puppet::Error, "Cannot create #{dir}: basedir #{File.join(path)} is a file"
The code:
Puppet.err "Could not run %s: %s" % [client_class, detail]
becomes:
Puppet.err "Could not run #{client_class}: #{detail}"
The code:
raise "Could not find handler for %s" % arg
becomes:
raise "Could not find handler for #{arg}"
The code:
Puppet.err "Will not start without authorization file %s" % Puppet[:authconfig]
becomes:
Puppet.err "Will not start without authorization file #{Puppet[:authconfig]}"
The code:
raise Puppet::Error, "Could not deserialize catalog from pson: %s" % detail
becomes:
raise Puppet::Error, "Could not deserialize catalog from pson: #{detail}"
The code:
raise "Could not find facts for %s" % Puppet[:certname]
becomes:
raise "Could not find facts for #{Puppet[:certname]}"
The code:
raise ArgumentError, "%s is not readable" % path
becomes:
raise ArgumentError, "#{path} is not readable"
The code:
raise ArgumentError, "Invalid handler %s" % name
becomes:
raise ArgumentError, "Invalid handler #{name}"
The code:
debug "Executing '%s' in zone %s with '%s'" % [command, @resource[:name], str]
becomes:
debug "Executing '#{command}' in zone #{@resource[:name]} with '#{str}'"
The code:
raise Puppet::Error, "unknown cert type '%s'" % hash[:type]
becomes:
raise Puppet::Error, "unknown cert type '#{hash[:type]}'"
The code:
Puppet.info "Creating a new certificate request for %s" % Puppet[:certname]
becomes:
Puppet.info "Creating a new certificate request for #{Puppet[:certname]}"
The code:
"Cannot create alias %s: object already exists" % [name]
becomes:
"Cannot create alias #{name}: object already exists"
The code:
return "replacing from source %s with contents %s" % [metadata.source, metadata.checksum]
becomes:
return "replacing from source #{metadata.source} with contents #{metadata.checksum}"
The code:
it "should have a %s parameter" % param do
becomes:
it "should have a #{param} parameter" do
The code:
describe "when registring '%s' messages" % log do
becomes:
describe "when registring '#{log}' messages" do
The code:
paths = %w{a b c d e f g h}.collect { |l| "/tmp/iteration%stest" % l }
becomes:
paths = %w{a b c d e f g h}.collect { |l| "/tmp/iteration#{l}test" }
The code:
assert_raise(Puppet::Error, "Check '%s' did not fail on false" % check) do
becomes:
assert_raise(Puppet::Error, "Check '#{check}' did not fail on false") do
|
| | |
|
| |
|
|
|
|
|
| |
Update documentation strings everywhere to use single-executable
notation rather than the old executable names.
Signed-off-by: Jesse Wolfe <jes5199@gmail.com>
|
| | |
|
| |
|
|
|
|
|
|
| |
Signed-off-by: Luke Kanies <luke@puppetlabs.com>
Conflicts:
lib/puppet/ssl/host.rb
|
| |
|
|
| |
Thanks to Jasper Lievisse Adriaanse for the fix.
|
| |
|
|
|
|
|
|
|
|
| |
This patch reverts the semantically significant parts of #2890 due to the
issues discussed on #3360 (security concerns when used with autosign,
inconsistency between REST & XMLRPC semantics) but leaves the semantically
neutral changes (code cleanup, added tests) in place.
This patch is intended for 0.25.x, but may also be applied as a step in the
resolution of #3450 (refactored #2890, add "remove_certs" flag) in Rolwf.
|
| |\
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Conflicts:
lib/puppet/agent.rb
lib/puppet/application/puppet.rb
lib/puppet/configurer.rb
man/man5/puppet.conf.5
spec/integration/defaults.rb
spec/unit/configurer.rb
|
| | |
| |
| |
| |
| |
| |
| | |
In my patch for #3088 I made a erroneous assumption about the ruby exception
hierarchy and thus missed the fact that Timeout::error descends from both
SignalError and Interrupt. This is a partial reversion of the patch for #3088
to let these through so that more useful error messages can be produced.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Changing rescues from the default to Exception (to catch errors that don't
descend from StandardError) had the unintended consequence of catching (and
suppressing) SystemExit.
This patch restores the behavior of by reraising the exception.
Of the other exceptions that fall through the same crack (NoMemoryError,
SignalException, LoadError, Interrupt, NotImplementedError, and ScriptError)
this patch also reraises NoMemoryError, SignalException, and Interrupt in the
same way and leaves the rest captured.
|
| |\|
| |
| |
| |
| |
| | |
Conflicts:
lib/puppet/ssl/host.rb
spec/spec_helper.rb
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This patch implements the two-part suggestion from the ticket;
1) a client that receives a certificate that doesn't match its current
private key does not accept, store or use the certificate--instead it
removes any locally cached copies and acts as if the certificate had
never been found.
2) a puppetmaster that receives a csr from a client for whom it already
has a signed certificate now honors the request and considers it to
supercede any previously signed certificates.
In order to make the cache expiration work as expected, I changed a few
assumptions in the caching system:
* The expiration of a cached certificate is the earlier of the envelope
expiration and the certificate's expiration, as opposed to just overriding
the cache value
* Telling the cache to expire an item now removes it from the cache if
possible, rather than just setting an expiration date in the past and
hoping that somebody notices.
Signed-off-by: Markus Roberts <Markus@reality.com>
|
| |\|
| |
| |
| |
| |
| |
| |
| | |
Conflicts:
lib/puppet/agent.rb
lib/puppet/application/puppetd.rb
lib/puppet/parser/ast/leaf.rb
lib/puppet/util/rdoc/parser.rb
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
If setup code for a process depends on network connectivity
it needs to be protected with a rescue clause as much as the
main body of the process.
Further, Timeout exceptions aren't under StandardError and thus
aren't caught by an un-typed rescue clause. This doesn't matter
if we've morphed the exception, but will cause the program to
fail if we haven't.
There are many places where these concerns _might_ cause a problem
but in most cases they never will in practice; this patch addesses
the two cases where I have been able to confirm that it actually
can cause the client daemon to exit and two more where I suspect
(but can not prove) that it could.
I'd be willing to push this patch as it stands, as it at least
fixes demonstrable problems. A more general solution would be
nice.
|
| |/
|
|
| |
Signed-off-by: Luke Kanies <luke@madstop.com>
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The problem was that the server had a certificate
for the client. Initially the client just didn't have a
key, because it assumed that if it had a certificate then
it had a key. Upon fixing it to create the key, the key then
did not match the found certificate.
This commit fixes both of those: The key is always found
before the certificate, and when the certificate is found
it's verified against the private key and an exception
is thrown if they don't match.
It's always a failure, so this just makes the failure
more informative.
Signed-off-by: Luke Kanies <luke@madstop.com>
|
| |
|
|
|
|
|
|
| |
This is important because puppetmasterd changes its configurations
a couple of times, and we need to disable any previously-created
caches.
Signed-off-by: Luke Kanies <luke@madstop.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
If the SSL Host couldn't save a CSR or key, it would still
keep them in memory; this meant that, for instance, a CSR
that couldn't be saved to the server was never resent.
This commit removes in-memory instances that couldn't be saved,
thus forcing regeneration.
Signed-off-by: Luke Kanies <luke@madstop.com>
|
| |
|
|
|
|
|
|
|
|
| |
The main aspect of this solution is to create a site-wide
Puppet::SSL::Host instance to cache ssl key and certificate,
so that by the time we've switched UIDs, we've got the key and
cert in memory. Then webrick just uses that, rather than creating
a new Host instance.
Signed-off-by: Luke Kanies <luke@madstop.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
We have to have a CA cert first, because the host will
start using the client cert as soon as it's available,
but it's not functional without a CA cert.
Also removing extra stupid stuff from wait_for_cert --
the connection is now always recycled, which is much simpler.
Signed-off-by: Luke Kanies <luke@madstop.com>
|
| |
|
|
|
|
|
| |
It now works the way puppetd needs it to, rather
than the way I thought it would need to work.
Signed-off-by: Luke Kanies <luke@madstop.com>
|
| |
|
|
|
|
|
|
|
| |
We were creating a new SSL store every time, which
caused problems during testing -- it created
an infinite loop when trying to create the
store while looking up the CRL.
Signed-off-by: Luke Kanies <luke@madstop.com>
|
| |
|
|
|
|
| |
This essentially deprecates the CertHandler module.
Signed-off-by: Luke Kanies <luke@madstop.com>
|
| |
|
|
| |
This is a much cleaner fix than the xmlrpc version, thankfully. :)
|
| |
|
|
|
|
|
|
|
| |
Previously, you had to configure whether you wanted the CRL or not,
which resulted in errors all the time when it was configured but
unavailable.
Now, Puppet will always create and try to use it, but you won't
get failures if it's unavailable.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
responsibilities to the SSL::Host class.
I was previously saving invalid CRLs unless they'd had a revocation
done in them; this commit fixes them so that they're always valid.
Also, I've added to SSL::Host the ability to generate a valid
SSL Store, suitable for validation. This is now used by
Webrick and can be used by the http clients, too.
This should have been two commits, but I'm kind of down the
rabbit hole ATM.
|
| |
|
|
|
|
|
|
| |
appropriate.
It uses the CA singleton method to determine
whether it's on valid CA host, and if so, uses
the CA instance to sign its generated CSR.
|
| | |
|
| | |
|
| |
|
|
| |
rather than an instance method.
|
| |
|
|
|
|
| |
Certificate revocation now works, the CA knows how
to generate the CRL, and the SSL::Host class knows
how to configure the CRL class for indirection.
|
| |
|
|
|
|
|
|
|
| |
Previously, the class was returning OpenSSL instances
(e.g, OpenSSL::X509::Certificate) instead of Puppet instances
(e.g., Puppet::SSL::Certificate). This made some things
easier, but it made them asymmetric (e.g., you assigned the
key as a Puppet instance but got back an OpenSSL instance), and
it also reduced your flexibility and introspectiveness.
|
| |
|
|
|
| |
This flushed out some problems, and things mostly look good
now, but I don't think we're quite there yet.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This was necessary because when the Indirector is used, there
isn't necessarily enough context available to know when a
password file should be used (e.g., when reading a Key from disk,
you don't know if that key was encrypted).
Now, the Key class automatically uses the right password file, and
only tries to use those files that actually exist.
This isn't very flexible, in that it only allows one CA file and
one non-CA file, but no one really uses anything but
the CA file anyway.
|
| |
|
|
|
| |
cache classes. Also, defaulting to the :file terminus
for all of the SSL classes.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is a kind of weird design situation. For instance, we've got a
collection of certificates in the :certdir, but then there's a special
CA certificate off by itself. Rather than build a whole separate
infrastructure for managing those separate files (cert and key, at least),
I decided to add special support for specifying where to find the CA-specific
bits, and then code for handling them when necessary.
This requires that we have a standard way of knowing whether we should be
managing the CA bits or normal host files. The Puppet::SSL::Host class now has
a 'ca_name' method that returns the string we're using for the CA name; this
name is currently 'ca'. We have to use a name, because the name is the only
thing that all methods have access to (e.g., when trying to 'find' the right
cert, we only have the name available).
What this means is that if you want access to the CA key or cert, then create
a Puppet::SSL::Host instance with the name 'ca'.
You'll still get the CA cert created with the host's :certname; it will just
be stored in a different location.
|
| |
|
|
|
| |
a terminus. Also, getting rid of some metaprogramming
that wasn't really helping.
|
| |
|
|
| |
and the SSL::Host class.
|
| |
|
|
|
|
| |
requests and return certificates. There's still plenty
more work to do, but I'm probably not much more than a
day away from redoing puppetca to use this code.
|
