| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |\
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Conflicts:
lib/puppet/agent.rb
lib/puppet/application/puppet.rb
lib/puppet/configurer.rb
man/man5/puppet.conf.5
spec/integration/defaults.rb
spec/unit/configurer.rb
|
| | |
| |
| |
| |
| |
| |
| | |
In my patch for #3088 I made a erroneous assumption about the ruby exception
hierarchy and thus missed the fact that Timeout::error descends from both
SignalError and Interrupt. This is a partial reversion of the patch for #3088
to let these through so that more useful error messages can be produced.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Changing rescues from the default to Exception (to catch errors that don't
descend from StandardError) had the unintended consequence of catching (and
suppressing) SystemExit.
This patch restores the behavior of by reraising the exception.
Of the other exceptions that fall through the same crack (NoMemoryError,
SignalException, LoadError, Interrupt, NotImplementedError, and ScriptError)
this patch also reraises NoMemoryError, SignalException, and Interrupt in the
same way and leaves the rest captured.
|
| | |
| |
| |
| |
| |
| |
| |
| | |
OpenSSL::Digest.hexdigest is not available on older ruby versions.
This patch accesses directly to the digest instead (which hopefully
support hexdigest).
Signed-off-by: Brice Figureau <brice-puppet@daysofwonder.com>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This patch adds several things:
* certificate fingerprinting in --list mode
* a puppetca action called "--fingerprint" to display fingerprints
of given certificates (or all including CSR)
* a --fingerprint puppetd option to display client certificates
* each time a CSR is generated, its fingerprint is displayed in the log
It is also possible to use --digest in puppetca and puppetd to specify a specific digest
algorithm.
Signed-off-by: Brice Figureau <brice-puppet@daysofwonder.com>
|
| | |
| |
| |
| |
| |
| | |
This reverts commit a9fb82b0026e75a670fec553b17de3b0f091c2a5.
An older branch was pulled
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This patch adds two things:
* certificate fingerprinting in --list mode
* a puppetca action called "--fingerprint" to display fingerprints
of given certificates
It is also possible to use --digest to specify a specific digest
algorithm.
Signed-off-by: Brice Figureau <brice-puppet@daysofwonder.com>
|
| |\|
| |
| |
| |
| |
| | |
Conflicts:
lib/puppet/ssl/host.rb
spec/spec_helper.rb
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This patch implements the two-part suggestion from the ticket;
1) a client that receives a certificate that doesn't match its current
private key does not accept, store or use the certificate--instead it
removes any locally cached copies and acts as if the certificate had
never been found.
2) a puppetmaster that receives a csr from a client for whom it already
has a signed certificate now honors the request and considers it to
supercede any previously signed certificates.
In order to make the cache expiration work as expected, I changed a few
assumptions in the caching system:
* The expiration of a cached certificate is the earlier of the envelope
expiration and the certificate's expiration, as opposed to just overriding
the cache value
* Telling the cache to expire an item now removes it from the cache if
possible, rather than just setting an expiration date in the past and
hoping that somebody notices.
Signed-off-by: Markus Roberts <Markus@reality.com>
|
| |\|
| |
| |
| |
| |
| |
| |
| | |
Conflicts:
lib/puppet/agent.rb
lib/puppet/application/puppetd.rb
lib/puppet/parser/ast/leaf.rb
lib/puppet/util/rdoc/parser.rb
|
| | |
| |
| |
| |
| |
| | |
This was deprecated in commit 1cfb0215 and was keeping puppetd from starting in listen mode.
Signed-off-by: John A. Barbuto <jbarbuto@corp.sourceforge.com>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
If setup code for a process depends on network connectivity
it needs to be protected with a rescue clause as much as the
main body of the process.
Further, Timeout exceptions aren't under StandardError and thus
aren't caught by an un-typed rescue clause. This doesn't matter
if we've morphed the exception, but will cause the program to
fail if we haven't.
There are many places where these concerns _might_ cause a problem
but in most cases they never will in practice; this patch addesses
the two cases where I have been able to confirm that it actually
can cause the client daemon to exit and two more where I suspect
(but can not prove) that it could.
I'd be willing to push this patch as it stands, as it at least
fixes demonstrable problems. A more general solution would be
nice.
|
| | |
| |
| |
| |
| |
| |
| |
| | |
This allows one to specify the name to use in the
CA certificate. It defaults to the :certname,
but for those stuck using mod_ssl it can be changed.
Signed-off-by: Luke Kanies <luke@madstop.com>
|
| |/
|
|
| |
Signed-off-by: Luke Kanies <luke@madstop.com>
|
| |
|
|
|
|
|
|
| |
This patch does two things:
* it enhance puppetca to list revoked certificates (prefixed by -)
* it fixes the ca crl verification which was broken
Signed-off-by: Brice Figureau <brice-puppet@daysofwonder.com>
|
| | |
|
| |
|
|
| |
requires certificate serial number to be strictly positive.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The problem was that the server had a certificate
for the client. Initially the client just didn't have a
key, because it assumed that if it had a certificate then
it had a key. Upon fixing it to create the key, the key then
did not match the found certificate.
This commit fixes both of those: The key is always found
before the certificate, and when the certificate is found
it's verified against the private key and an exception
is thrown if they don't match.
It's always a failure, so this just makes the failure
more informative.
Signed-off-by: Luke Kanies <luke@madstop.com>
|
| |
|
|
|
|
|
|
| |
This is important because puppetmasterd changes its configurations
a couple of times, and we need to disable any previously-created
caches.
Signed-off-by: Luke Kanies <luke@madstop.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
If the SSL Host couldn't save a CSR or key, it would still
keep them in memory; this meant that, for instance, a CSR
that couldn't be saved to the server was never resent.
This commit removes in-memory instances that couldn't be saved,
thus forcing regeneration.
Signed-off-by: Luke Kanies <luke@madstop.com>
|
| |
|
|
|
|
|
|
|
|
| |
The main aspect of this solution is to create a site-wide
Puppet::SSL::Host instance to cache ssl key and certificate,
so that by the time we've switched UIDs, we've got the key and
cert in memory. Then webrick just uses that, rather than creating
a new Host instance.
Signed-off-by: Luke Kanies <luke@madstop.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously you could dynamically use cached values, but the new interface
requires a single static declaration of the attribute:
cached_attr(:myattr) { my_init_code() }
This is cleaner, because it makes it easy to turn the code into an init method
and generally makes the whole thing easier to think about.
Most of this commit is going through the different classes that already using the
Caching engine.
Signed-off-by: Luke Kanies <luke@madstop.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
We have to have a CA cert first, because the host will
start using the client cert as soon as it's available,
but it's not functional without a CA cert.
Also removing extra stupid stuff from wait_for_cert --
the connection is now always recycled, which is much simpler.
Signed-off-by: Luke Kanies <luke@madstop.com>
|
| |
|
|
| |
Signed-off-by: Luke Kanies <luke@madstop.com>
|
| |
|
|
|
|
| |
This happens when called over REST.
Signed-off-by: Luke Kanies <luke@madstop.com>
|
| |
|
|
|
|
|
|
|
| |
The string format no longer provides any support methods,
which means that I had to create to_multiple_s and from_multiple_s
methods on the SSL classes. I created them in the base class
and tested them just in the cert class.
Signed-off-by: Luke Kanies <luke@madstop.com>
|
| |
|
|
|
|
|
| |
It now works the way puppetd needs it to, rather
than the way I thought it would need to work.
Signed-off-by: Luke Kanies <luke@madstop.com>
|
| |
|
|
|
|
|
|
|
| |
All of the format work is done, they all
support plaintext successfully, and I've got
integration tests that demonstrate that it
actually works.
Signed-off-by: Luke Kanies <luke@madstop.com>
|
| |
|
|
|
|
|
|
|
| |
We were creating a new SSL store every time, which
caused problems during testing -- it created
an infinite loop when trying to create the
store while looking up the CRL.
Signed-off-by: Luke Kanies <luke@madstop.com>
|
| |
|
|
|
|
|
| |
None of them actually support yaml or marshal by default,
and plaintext is easiest anyway.
Signed-off-by: Luke Kanies <luke@madstop.com>
|
| |
|
|
|
|
| |
This essentially deprecates the CertHandler module.
Signed-off-by: Luke Kanies <luke@madstop.com>
|
| |
|
|
| |
This is a much cleaner fix than the xmlrpc version, thankfully. :)
|
| |
|
|
|
| |
This provides a single, global bit for determining whether
a given piece of cached data is still valid.
|
| |
|
|
|
|
|
|
|
| |
Previously, you had to configure whether you wanted the CRL or not,
which resulted in errors all the time when it was configured but
unavailable.
Now, Puppet will always create and try to use it, but you won't
get failures if it's unavailable.
|
| |
|
|
|
|
| |
The server is actually serving REST, but the client can't use
it until we resolve the format and security issues that REST
hasn't yet tackled.
|
| |
|
|
|
| |
Now the CSR class triggers autosigning when any CSR is
saved, if it's running on a CA host.
|
| | |
|
| |
|
|
| |
This requires less setup and configuration on the part of the user.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
responsibilities to the SSL::Host class.
I was previously saving invalid CRLs unless they'd had a revocation
done in them; this commit fixes them so that they're always valid.
Also, I've added to SSL::Host the ability to generate a valid
SSL Store, suitable for validation. This is now used by
Webrick and can be used by the http clients, too.
This should have been two commits, but I'm kind of down the
rabbit hole ATM.
|
| |
|
|
|
|
|
|
| |
appropriate.
It uses the CA singleton method to determine
whether it's on valid CA host, and if so, uses
the CA instance to sign its generated CSR.
|
| |
|
|
|
|
|
| |
I realized that it never made sense to have a CA
that didn't know how to initialize itself, so we
now have a singleton method for the CA, and it also
automatically initializes itself.
|
| |
|
|
|
| |
Now I just need to get xmlrpc working alongside REST in
both mongrel and webrick.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
The CRL was not correctly being added to the Store used
for verification.
It does not appear to be working, though, since revoked
certificates still pass verification.
|
| |
|
|
|
|
|
|
|
|
| |
This class provides all of the semantics from puppetca,
and appears to entirely duplicate the behaviour of the existing
executable, with basically all of the code in a library
file, instead of the executable.
As such, I've deleted the test for the executable. We should have
one, but it's not nearly as important.
|
| |
|
|
| |
rather than an instance method.
|
| |
|
|
|
|
|
| |
This commit adds 'list' and 'print' support to the CA.
They're mostly delegator methods, but now the CA should be
the sole interface for puppetca.
|
| |
|
|
|
|
| |
Certificate revocation now works, the CA knows how
to generate the CRL, and the SSL::Host class knows
how to configure the CRL class for indirection.
|
| |
|
|
|
| |
The new-style CA now keeps track of all of its signed
certificates in its inventory file.
|
