path: root/lib
Commit message [Author; Age; Files; Lines]
...
* | Fixing how the mongrel server sets up xmlrpc handlers. [Luke Kanies; 2008-05-16; files: 1; lines: -2/+2]
| | It was trying to use arguments but they were never actually set.
* | Using the new Cacher class for handling cached data. [Luke Kanies; 2008-05-13; files: 6; lines: -65/+54]
| | This provides a single, global bit for determining whether a given piece of cached data is still valid.
* | Adding a module for handling caching information. [Luke Kanies; 2008-05-07; files: 1; lines: -0/+67]
| | I keep having issues with integration tests keeping cached values around, and this module should hopefully give us a single place to invalidate all caches, thus making testing this much easier.
* | Fixing some broken tests. [Luke Kanies; 2008-05-07; files: 2; lines: -1/+1]
| | The HttpPool module now removes its cached ssl_host instance when clearing its cache. This is really only useful for testing, but it correctly causes the pool to use new certificates when they're available.
* | The CRL is now automatically used or ignored. [Luke Kanies; 2008-05-07; files: 4; lines: -17/+5]
| | Previously, you had to configure whether you wanted the CRL or not, which resulted in errors all the time when it was configured but unavailable. Now, Puppet will always create and try to use it, but you won't get failures if it's unavailable.
* | The master and client now successfully speak xmlrpc using the new system. [Luke Kanies; 2008-05-07; files: 4; lines: -18/+35]
| | The server is actually serving REST, but the client can't use it until we resolve the format and security issues that REST hasn't yet tackled.
* | Adding pidfile management and daemonization to the Server [Luke Kanies; 2008-05-07; files: 1; lines: -0/+56]
| | class.
* | Fixing the HttpPool module to get rid of an infinite loop. [Luke Kanies; 2008-05-06; files: 3; lines: -3/+4]
| | We can't have the HttpPool class use the Indirector to see if it has a cert available, because it might be being used to try to download one, which would cause it to make an http instance, which would cause it to... Well, you get the idea. Adding and fixing a few other tests I ran into on the way.
* | Adding REST terminuses for the SSL-related indirections. [Luke Kanies; 2008-05-06; files: 3; lines: -0/+18]
| |
* | Adding autosigning to the new CA. [Luke Kanies; 2008-05-06; files: 2; lines: -23/+39]
| | Now the CSR class triggers autosigning when any CSR is saved, if it's running on a CA host.
* | Moving the CA Interface class to a separate file. [Luke Kanies; 2008-05-06; files: 2; lines: -109/+144]
| |
* | The master is now functionally serving REST and xmlrpc. [Luke Kanies; 2008-05-05; files: 1; lines: -1/+1]
| | ...as far as I can tell. The client, however, is broken, since it used the old http_pool/ssl_support stuff, which no longer works. I have to port puppetd over to using the new ssl stuff, then I'll at least be able to verify that the master can still speak xmlrpc.
* | The REST infrastructure now correctly the SSL certificates. [Luke Kanies; 2008-05-05; files: 3; lines: -13/+10]
| | I don't think the whole thing is done, but at least the basic flows are in place. Now it's just a question of doing real-world tests and fleshing out the unit tests as necessary.
* | The Certificate Authority now automatically creates a CRL when appropriate. [Luke Kanies; 2008-05-05; files: 1; lines: -3/+6]
| | This requires less setup and configuration on the part of the user.
* | The Settings class now clears the 'used' sections when a value is changed. [Luke Kanies; 2008-05-05; files: 1; lines: -1/+3]
| | This makes it so that if you, for instance, reset the vardir, then the next time an initialization call is made, we reuse any previously used sections, thus (hopefully) correctly creating any newly needed directories. This is mostly helpful during testing.
* | Moving some http configuration values to the main [Luke Kanies; 2008-05-05; files: 1; lines: -14/+14]
| | defaults section, rather than the puppetd section.
* | The http pool manager now uses new-style certificate management. [Luke Kanies; 2008-05-05; files: 1; lines: -11/+15]
| | It uses an instance of SSL::Host for getting its certificate and ssl store.
* | Fixing a critical problem in how CRLs were saved and moving SSL Store ↵ [Luke Kanies; 2008-05-05; files: 3; lines: -17/+32]
| | responsibilities to the SSL::Host class. I was previously saving invalid CRLs unless they'd had a revocation done in them; this commit fixes them so that they're always valid. Also, I've added to SSL::Host the ability to generate a valid SSL Store, suitable for validation. This is now used by Webrick and can be used by the http clients, too. This should have been two commits, but I'm kind of down the rabbit hole ATM.
* | The SSL::Host class now uses the CA to generate its certificate when ↵ [Luke Kanies; 2008-05-05; files: 1; lines: -3/+8]
| | appropriate. It uses the CA singleton method to determine whether it's on a valid CA host, and if so, uses the CA instance to sign its generated CSR.
* | The CA now initializes itself. [Luke Kanies; 2008-05-05; files: 1; lines: -2/+23]
| | I realized that it never made sense to have a CA that didn't know how to initialize itself, so we now have a singleton method for the CA, and it also automatically initializes itself.
* | Switched puppetmasterd to use the new-style server plumbing. [Luke Kanies; 2008-05-02; files: 2; lines: -2/+11]
| | The code is much cleaner, and it seems to be mostly functional, but we have to pick a strategy for signing the host's certificate on first startup. Also, I haven't actually done end-to-end testing yet, which needs the certs working first.
* | Adding xmlrpc backward compatibility to the new Mongrel code. [Luke Kanies; 2008-05-02; files: 1; lines: -0/+10]
| |
* | Adding xmlrpc support to webrick. [Luke Kanies; 2008-05-02; files: 2; lines: -3/+20]
| | This provides the backward compatibility for webrick, and only Mongrel is left.
* | Fixing some whitespace [Luke Kanies; 2008-05-02; files: 1; lines: -4/+3]
| |
* | Adding configuration support for XMLRPC handlers. [Luke Kanies; 2008-05-02; files: 1; lines: -7/+37]
| | This provides the interface for configuring backward compatibility in the new-style server code. It requires a completely different configuration step, in that REST and xmlrpc handlers are configured separately, rather than using the same handler names, but this was considered less evil than having a large abstraction layer for specifying how the handlers are related.
* | I think I've now got the Webrick SSL support working. [Luke Kanies; 2008-04-28; files: 4; lines: -5/+20]
| | Now I just need to get xmlrpc working alongside REST in both mongrel and webrick.
* | Interim commit, since I want to work but have no network available. [Luke Kanies; 2008-04-28; files: 2; lines: -18/+35]
| |
* | Merge branch '0.24.x' [Luke Kanies; 2008-04-21; files: 6; lines: -8/+35]
|\| Conflicts: bin/puppetca
| * Pushed patch for #1176 - configtimeout fix [James Turnbull; 2008-04-19; files: 2; lines: -3/+4]
| |
| * Pushed patch for ticket #1191 - adding globbing support to ports provider [James Turnbull; 2008-04-19; files: 1; lines: -1/+6]
| |
| * Pushed patch for ticket #1187 - freebsd pkg_add support [James Turnbull; 2008-04-19; files: 1; lines: -4/+15]
| |
| * Pushed schema patch for #1193 [James Turnbull; 2008-04-17; files: 2; lines: -0/+10]
| |
* | Changing the File certificate terminus so that it [Luke Kanies; 2008-04-21; files: 1; lines: -1/+1]
| | saves to the :localcacert instead of :cacert. This way the :ca terminus saves to :cacert and the :file terminus saves to :localcacert.
* | Renaming the 'ca_file' ssl terminus type to 'ca'. [Luke Kanies; 2008-04-21; files: 5; lines: -6/+6]
| |
* | Fixing how the CRL is used for certificate verification. [Luke Kanies; 2008-04-19; files: 1; lines: -1/+1]
| | The CRL was not correctly being added to the Store used for verification. It does not appear to be working, though, since revoked certificates still pass verification.
* | Added an Interface class to the CA to model puppetca's usage. [Luke Kanies; 2008-04-19; files: 2; lines: -0/+122]
| | This class provides all of the semantics from puppetca, and appears to entirely duplicate the behaviour of the existing executable, with basically all of the code in a library file, instead of the executable. As such, I've deleted the test for the executable. We should have one, but it's not nearly as important.
* | Making the SSL::Host's destroy method a class method, [Luke Kanies; 2008-04-19; files: 1; lines: -7/+10]
| | rather than an instance method.
* | Adding the last functionality needed for puppetca to use the Indirector. [Luke Kanies; 2008-04-19; files: 1; lines: -0/+14]
| | This commit adds 'list' and 'print' support to the CA. They're mostly delegator methods, but now the CA should be the sole interface for puppetca.
* | Finishing the interface between the CA and the CRL. [Luke Kanies; 2008-04-19; files: 4; lines: -50/+128]
| | Certificate revocation now works, the CA knows how to generate the CRL, and the SSL::Host class knows how to configure the CRL class for indirection.
* | Adding inventory support to the new certificate authority. [Luke Kanies; 2008-04-18; files: 2; lines: -2/+10]
| | The new-style CA now keeps track of all of its signed certificates in its inventory file.
* | Adding support within the inventory for real certs or Puppet cert wrappers. [Luke Kanies; 2008-04-18; files: 1; lines: -0/+2]
| |
* | Changing the Inventory class to rebuild when the [Luke Kanies; 2008-04-18; files: 1; lines: -2/+3]
| | first cert is added, so it's easier to test.
* | Adding a comment to the inventory class. [Luke Kanies; 2008-04-18; files: 1; lines: -1/+1]
| |
* | Adding an SSl::Inventory class for managing the ssl inventory. [Luke Kanies; 2008-04-18; files: 1; lines: -0/+38]
| | This models the existing Inventory module in the sslcertificates/ directory, but does so as an instance, rather than a module.
* | All SSL terminus classes now force the CA information into the right place. [Luke Kanies; 2008-04-18; files: 2; lines: -0/+2]
| | Without this, then you could end up duplicating your CA key into the normal directory depending on how caching was set up. Again, this design aspect isn't the most straightforward, but at least it's functional now.
* | Switching the SSL::Host class to return Puppet instances. [Luke Kanies; 2008-04-17; files: 3; lines: -13/+14]
| | Previously, the class was returning OpenSSL instances (e.g., OpenSSL::X509::Certificate) instead of Puppet instances (e.g., Puppet::SSL::Certificate). This made some things easier, but it made them asymmetric (e.g., you assigned the key as a Puppet instance but got back an OpenSSL instance), and it also reduced your flexibility and introspectiveness.
* | Setting the expiration date of certificate objects to the expiry of the actual [Luke Kanies; 2008-04-17; files: 1; lines: -0/+5]
| | cert.
* | Adding integration tests for a lot of the SSL code. [Luke Kanies; 2008-04-17; files: 4; lines: -5/+6]
| | This flushed out some problems, and things mostly look good now, but I don't think we're quite there yet.
* | Moving the password file handling into the SSL::Key class. [Luke Kanies; 2008-04-17; files: 4; lines: -15/+21]
| | This was necessary because when the Indirector is used, there isn't necessarily enough context available to know when a password file should be used (e.g., when reading a Key from disk, you don't know if that key was encrypted). Now, the Key class automatically uses the right password file, and only tries to use those files that actually exist. This isn't very flexible, in that it only allows one CA file and one non-CA file, but no one really uses anything but the CA file anyway.
* | Moving all of the ca-specific settings to the ca_file [Luke Kanies; 2008-04-17; files: 4; lines: -2/+21]
| | terminus classes, rather than the normal :file classes. This is unfortunately complicated, and it means that the Key :ca_file is only ever actually used for retrieving the CA key itself.