summaryrefslogtreecommitdiffstats
path: root/spec/unit/ssl/host.rb
Commit message (Collapse)AuthorAgeFilesLines
* [#3994] rename the specs to have _spec.rb at the endMarkus Roberts2010-06-231-707/+0
| | | | | | | | | Some spec files like active_record.rb had names that would confuse the load path and get loaded instead of the intended implentation when the spec was run from the same directory as the file. Author: Matt Robinson <matt@puppetlabs.com> Date: Fri Jun 11 15:29:33 2010 -0700
* Fixing tests broken by Luke's CRL flag patch.Markus Roberts2010-02-171-0/+1
|
* Revert the guts of #2890Markus Roberts2010-02-171-17/+55
| | | | | | | | | | This patch reverts the semantically significant parts of #2890 due to the issues discussed on #3360 (security concerns when used with autosign, inconsistency between REST & XMLRPC semantics) but leaves the semantically neutral changes (code cleanup, added tests) in place. This patch is intended for 0.25.x, but may also be applied as a step in the resolution of #3450 (refactored #2890, add "remove_certs" flag) in Rolwf.
* Bug #3400 Bad mocks causing failing testsJesse Wolfe2010-03-221-1/+3
| | | | | | New code was calling a mocked method that was stubbed too broadly, causing the whole thing to act strangely. I've tightened the existing stub and stubbed the new method call.
* Merge branch '0.25.x'James Turnbull2010-01-131-57/+19
|\ | | | | | | | | | | Conflicts: lib/puppet/ssl/host.rb spec/spec_helper.rb
| * Fix for #2890 (the cached certificates that would not die)Markus Roberts2009-12-191-57/+19
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch implements the two-part suggestion from the ticket; 1) a client that receives a certificate that doesn't match its current private key does not accept, store or use the certificate--instead it removes any locally cached copies and acts as if the certificate had never been found. 2) a puppetmaster that receives a csr from a client for whom it already has a signed certificate now honors the request and considers it to supercede any previously signed certificates. In order to make the cache expiration work as expected, I changed a few assumptions in the caching system: * The expiration of a cached certificate is the earlier of the envelope expiration and the certificate's expiration, as opposed to just overriding the cache value * Telling the cache to expire an item now removes it from the cache if possible, rather than just setting an expiration date in the past and hoping that somebody notices. Signed-off-by: Markus Roberts <Markus@reality.com>
| * Fix #2923 failing tests in spec/unit/ssl/host.rbJesse Wolfe2009-12-171-2/+2
| | | | | | | | | | | | | | The fix for #2661 changed the behavior of Puppet::SSL::Host enough to confuse these mocks. Signed-off-by: Jesse Wolfe <jes5199@gmail.com>
* | Always using the CA_name constant instead of "ca"Luke Kanies2009-11-201-5/+5
|/ | | | Signed-off-by: Luke Kanies <luke@madstop.com>
* Removed extra whitespace from end of linesIan Taylor2009-06-061-1/+1
|
* Fixing #2028 - Better failures when a cert is found with no keyLuke Kanies2009-02-281-1/+77
| | | | | | | | | | | | | | | | | | The problem was that the server had a certificate for the client. Initially the client just didn't have a key, because it assumed that if it had a certificate then it had a key. Upon fixing it to create the key, the key then did not match the found certificate. This commit fixes both of those: The key is always found before the certificate, and when the certificate is found it's verified against the private key and an exception is thrown if they don't match. It's always a failure, so this just makes the failure more informative. Signed-off-by: Luke Kanies <luke@madstop.com>
* Resetting SSL cache terminii to nil when only using the caLuke Kanies2009-02-061-0/+8
| | | | | | | | This is important because puppetmasterd changes its configurations a couple of times, and we need to disable any previously-created caches. Signed-off-by: Luke Kanies <luke@madstop.com>
* Cleaning up SSL instances that can't be savedLuke Kanies2009-02-061-0/+23
| | | | | | | | | | | If the SSL Host couldn't save a CSR or key, it would still keep them in memory; this meant that, for instance, a CSR that couldn't be saved to the server was never resent. This commit removes in-memory instances that couldn't be saved, thus forcing regeneration. Signed-off-by: Luke Kanies <luke@madstop.com>
* Fixing #1729 - puppetmasterd can now read certs at startupLuke Kanies2008-12-181-0/+64
| | | | | | | | | | The main aspect of this solution is to create a site-wide Puppet::SSL::Host instance to cache ssl key and certificate, so that by the time we've switched UIDs, we've got the key and cert in memory. Then webrick just uses that, rather than creating a new Host instance. Signed-off-by: Luke Kanies <luke@madstop.com>
* Retrieving the CA certificate before the client certificate.Luke Kanies2008-11-031-8/+27
| | | | | | | | | | | We have to have a CA cert first, because the host will start using the client cert as soon as it's available, but it's not functional without a CA cert. Also removing extra stupid stuff from wait_for_cert -- the connection is now always recycled, which is much simpler. Signed-off-by: Luke Kanies <luke@madstop.com>
* Fixing the SSL::Host#waitforcert method.Luke Kanies2008-08-071-13/+37
| | | | | | | It now works the way puppetd needs it to, rather than the way I thought it would need to work. Signed-off-by: Luke Kanies <luke@madstop.com>
* Certificates now work over REST.Luke Kanies2008-08-071-0/+8
| | | | | | | | | All of the format work is done, they all support plaintext successfully, and I've got integration tests that demonstrate that it actually works. Signed-off-by: Luke Kanies <luke@madstop.com>
* Adding wait_for_cert functionality to the ssl host class.Luke Kanies2008-08-041-0/+42
| | | | | | This essentially deprecates the CertHandler module. Signed-off-by: Luke Kanies <luke@madstop.com>
* Fixing #1168 for REST -- all ssl classes downcase their names.Luke Kanies2008-06-151-0/+9
| | | | This is a much cleaner fix than the xmlrpc version, thankfully. :)
* The CRL is now automatically used or ignored.Luke Kanies2008-05-071-8/+1
| | | | | | | | | Previously, you had to configure whether you wanted the CRL or not, which resulted in errors all the time when it was configured but unavailable. Now, Puppet will always create and try to use it, but you won't get failures if it's unavailable.
* Fixing a critical problem in how CRLs were saved and moving SSL Store ↵Luke Kanies2008-05-051-0/+55
| | | | | | | | | | | | | | responsibilities to the SSL::Host class. I was previously saving invalid CRLs unless they'd had a revocation done in them; this commit fixes them so that they're always valid. Also, I've added to SSL::Host the ability to generate a valid SSL Store, suitable for validation. This is now used by Webrick and can be used by the http clients, too. This should have been two commits, but I'm kind of down the rabbit hole ATM.
* The SSL::Host class now uses the CA to generate its certificate when ↵Luke Kanies2008-05-051-3/+24
| | | | | | | | appropriate. It uses the CA singleton method to determine whether it's on valid CA host, and if so, uses the CA instance to sign its generated CSR.
* Interim commit, since I want to work but have no network available.Luke Kanies2008-04-281-0/+45
|
* Renaming the 'ca_file' ssl terminus type to 'ca'.Luke Kanies2008-04-211-4/+4
|
* Making the SSL::Host's destroy method a class method,Luke Kanies2008-04-191-16/+30
| | | | rather than an instance method.
* Finishing the interface between the CA and the CRL.Luke Kanies2008-04-191-16/+11
| | | | | | Certificate revocation now works, the CA knows how to generate the CRL, and the SSL::Host class knows how to configure the CRL class for indirection.
* Switching the SSL::Host class to return Puppet instances.Luke Kanies2008-04-171-20/+20
| | | | | | | | | Previously, the class was returning OpenSSL instances (e.g, OpenSSL::X509::Certificate) instead of Puppet instances (e.g., Puppet::SSL::Certificate). This made some things easier, but it made them asymmetric (e.g., you assigned the key as a Puppet instance but got back an OpenSSL instance), and it also reduced your flexibility and introspectiveness.
* Adding integration tests for a lot of the SSL code.Luke Kanies2008-04-171-3/+3
| | | | | This flushed out some problems, and things mostly look good now, but I don't think we're quite there yet.
* Moving the password file handling into the SSL::Key class.Luke Kanies2008-04-171-15/+0
| | | | | | | | | | | | | | This was necessary because when the Indirector is used, there isn't necessarily enough context available to know when a password file should be used (e.g., when reading a Key from disk, you don't know if that key was encrypted). Now, the Key class automatically uses the right password file, and only tries to use those files that actually exist. This isn't very flexible, in that it only allows one CA file and one non-CA file, but no one really uses anything but the CA file anyway.
* Adding SSL::Host-level support for managing the terminus andLuke Kanies2008-04-171-0/+97
| | | | | cache classes. Also, defaulting to the :file terminus for all of the SSL classes.
* Changing all of the SSL terminus classes to treat CA files specially.Luke Kanies2008-04-171-1/+16
| | | | | | | | | | | | | | | | | | | | | | This is a kind of weird design situation. For instance, we've got a collection of certificates in the :certdir, but then there's a special CA certificate off by itself. Rather than build a whole separate infrastructure for managing those separate files (cert and key, at least), I decided to add special support for specifying where to find the CA-specific bits, and then code for handling them when necessary. This requires that we have a standard way of knowing whether we should be managing the CA bits or normal host files. The Puppet::SSL::Host class now has a 'ca_name' method that returns the string we're using for the CA name; this name is currently 'ca'. We have to use a name, because the name is the only thing that all methods have access to (e.g., when trying to 'find' the right cert, we only have the name available). What this means is that if you want access to the CA key or cert, then create a Puppet::SSL::Host instance with the name 'ca'. You'll still get the CA cert created with the host's :certname; it will just be stored in a different location.
* Removing all the cases where the ssl host specifiesLuke Kanies2008-04-161-128/+6
| | | | | a terminus. Also, getting rid of some metaprogramming that wasn't really helping.
* Adding a :search method to the ssl_file terminus typeLuke Kanies2008-04-151-0/+70
| | | | and the SSL::Host class.
* Fixing a failing test that had not been updated from previous codingLuke Kanies2008-04-151-1/+1
|
* We have a basically functional CA -- it can signLuke Kanies2008-04-151-5/+82
| | | | | | requests and return certificates. There's still plenty more work to do, but I'm probably not much more than a day away from redoing puppetca to use this code.
* It looks like all of the new ssl classes for managingLuke Kanies2008-04-151-47/+107
| | | | | | | keys, certificates, and requests now work, including talking to the certificate authority. Now we just need the authority itself, along with the necessary REST terminii.
* The new SSL classes basically work, but they're notLuke Kanies2008-04-151-0/+126
functionally connected to any kind of indirection.
generated by cgit (git 2.34.1) at 2026-01-09 15:37:47 +0000