path: root/spec/unit/ssl
Commit message | Author | Age | Files | Lines
...
* Fixing #1557 - Environments are now in REST URIs | Luke Kanies | 2009-03-20 | 2 | -8/+0
  This commit includes multiple, related changes, all in one commit because the whole thing was necessary to reach a functional tree again:
  * The URI starts with the environment, so:
      /production/certificate/foo
      /development/file_content/path/to/your/file
  * All REST handling is done by a single instance mounted at / for webrick and Mongrel, rather than having individual instances mounted at, say, /certificate.
  * All REST URI translation is done by an API module. Currently only the 'v1' module exists with no support for additional modules, but it's well-separated and will be easy to expand as we need it.
  Signed-off-by: Luke Kanies <luke@madstop.com>
* Fixing #2028 - Better failures when a cert is found with no key | Luke Kanies | 2009-02-28 | 1 | -1/+77
  The problem was that the server had a certificate for the client. Initially the client just didn't have a key, because it assumed that if it had a certificate then it had a key. Upon fixing it to create the key, the key then did not match the found certificate. This commit fixes both of those: The key is always found before the certificate, and when the certificate is found it's verified against the private key and an exception is thrown if they don't match. It's always a failure, so this just makes the failure more informative.
  Signed-off-by: Luke Kanies <luke@madstop.com>
* Removing a test that was too dependent on order. | Luke Kanies | 2009-02-14 | 1 | -4/+0
  It wasn't a terribly useful test anyway, since no one depends on that individual configuration.
  Signed-off-by: Luke Kanies <luke@madstop.com>
* Resetting SSL cache termini to nil when only using the ca | Luke Kanies | 2009-02-06 | 1 | -0/+8
  This is important because puppetmasterd changes its configurations a couple of times, and we need to disable any previously-created caches.
  Signed-off-by: Luke Kanies <luke@madstop.com>
* Cleaning up SSL instances that can't be saved | Luke Kanies | 2009-02-06 | 1 | -0/+23
  If the SSL Host couldn't save a CSR or key, it would still keep them in memory; this meant that, for instance, a CSR that couldn't be saved to the server was never resent. This commit removes in-memory instances that couldn't be saved, thus forcing regeneration.
  Signed-off-by: Luke Kanies <luke@madstop.com>
* Fixing #1729 - puppetmasterd can now read certs at startup | Luke Kanies | 2008-12-18 | 1 | -0/+64
  The main aspect of this solution is to create a site-wide Puppet::SSL::Host instance to cache ssl key and certificate, so that by the time we've switched UIDs, we've got the key and cert in memory. Then webrick just uses that, rather than creating a new Host instance.
  Signed-off-by: Luke Kanies <luke@madstop.com>
* Merge branch '0.24.x' | Luke Kanies | 2008-12-02 | 1 | -1/+2
  Conflicts:
      bin/puppetca
      lib/puppet/type/group.rb
      lib/puppet/type/tidy.rb
      lib/puppet/util/settings.rb
  Also edited the following files so tests will pass:
      lib/puppet/type/component.rb
      spec/unit/ssl/certificate_request.rb
      spec/unit/type/computer.rb
      spec/unit/type/mcx.rb
      spec/unit/type/resources.rb
      spec/unit/util/settings.rb
      spec/unit/util/storage.rb
      test/ral/type/zone.rb
* Changing the Cacher.invalidate method to Cacher.expire. | Luke Kanies | 2008-11-11 | 1 | -1/+1
  Signed-off-by: Luke Kanies <luke@madstop.com>
* Retrieving the CA certificate before the client certificate. | Luke Kanies | 2008-11-03 | 1 | -8/+27
  We have to have a CA cert first, because the host will start using the client cert as soon as it's available, but it's not functional without a CA cert. Also removing extra stupid stuff from wait_for_cert -- the connection is now always recycled, which is much simpler.
  Signed-off-by: Luke Kanies <luke@madstop.com>
* Handling the case where a symbol (e.g., :ca) is used for a certificate name. | Luke Kanies | 2008-11-03 | 1 | -2/+2
  Signed-off-by: Luke Kanies <luke@madstop.com>
* Fixing CertificateRequest#save to accept arguments. | Luke Kanies | 2008-11-03 | 1 | -0/+7
  This happens when called over REST.
  Signed-off-by: Luke Kanies <luke@madstop.com>
* Fixing the String format (fixes #1522). | Luke Kanies | 2008-08-20 | 1 | -10/+34
  The string format no longer provides any support methods, which means that I had to create to_multiple_s and from_multiple_s methods on the SSL classes. I created them in the base class and tested them just in the cert class.
  Signed-off-by: Luke Kanies <luke@madstop.com>
* Fixing the SSL::Host#waitforcert method. | Luke Kanies | 2008-08-07 | 1 | -13/+37
  It now works the way puppetd needs it to, rather than the way I thought it would need to work.
  Signed-off-by: Luke Kanies <luke@madstop.com>
* Certificates now work over REST. | Luke Kanies | 2008-08-07 | 4 | -3/+53
  All of the format work is done, they all support plaintext successfully, and I've got integration tests that demonstrate that it actually works.
  Signed-off-by: Luke Kanies <luke@madstop.com>
* Caching the SSL store for the SSL Host. | Luke Kanies | 2008-08-07 | 1 | -1/+1
  We were creating a new SSL store every time, which caused problems during testing -- it created an infinite loop when trying to create the store while looking up the CRL.
  Signed-off-by: Luke Kanies <luke@madstop.com>
* Making all certificates only support the plaintext format. | Luke Kanies | 2008-08-04 | 4 | -0/+16
  None of them actually support yaml or marshal by default, and plaintext is easiest anyway.
  Signed-off-by: Luke Kanies <luke@madstop.com>
* Adding wait_for_cert functionality to the ssl host class. | Luke Kanies | 2008-08-04 | 1 | -0/+42
  This essentially deprecates the CertHandler module.
  Signed-off-by: Luke Kanies <luke@madstop.com>
* Fixing #1168 for REST -- all ssl classes downcase their names. | Luke Kanies | 2008-06-15 | 4 | -0/+21
  This is a much cleaner fix than the xmlrpc version, thankfully. :)
* Fixing #1256 -- CA tests now work with no ~/.puppet. | Luke Kanies | 2008-05-25 | 1 | -21/+18
  I've set the default cadir and vardir to /dev/null, to hopefully catch this kind of test sooner next time.
* Fixing another failing test -- the new CA tests correctly clear the cache. | Luke Kanies | 2008-05-25 | 1 | -1/+2
  I was previously not clearing the cache using the Cacher.invalidate method, which caused a test to fail.
* The CRL is now automatically used or ignored. | Luke Kanies | 2008-05-07 | 2 | -49/+19
  Previously, you had to configure whether you wanted the CRL or not, which resulted in errors all the time when it was configured but unavailable. Now, Puppet will always create and try to use it, but you won't get failures if it's unavailable.
* The master and client now successfully speak xmlrpc using the new system. | Luke Kanies | 2008-05-07 | 1 | -1/+1
  The server is actually serving REST, but the client can't use it until we resolve the format and security issues that REST hasn't yet tackled.
* Adding autosigning to the new CA. | Luke Kanies | 2008-05-06 | 2 | -10/+103
  Now the CSR class triggers autosigning when any CSR is saved, if it's running on a CA host.
* Moving the CA Interface class to a separate file. | Luke Kanies | 2008-05-06 | 2 | -255/+270
* The Certificate Authority now automatically creates a CRL when appropriate. | Luke Kanies | 2008-05-05 | 1 | -15/+40
  This requires less setup and configuration on the part of the user.
* Fixing a critical problem in how CRLs were saved and moving SSL Store responsibilities to the SSL::Host class. | Luke Kanies | 2008-05-05 | 2 | -6/+85
  I was previously saving invalid CRLs unless they'd had a revocation done in them; this commit fixes them so that they're always valid. Also, I've added to SSL::Host the ability to generate a valid SSL Store, suitable for validation. This is now used by Webrick and can be used by the http clients, too. This should have been two commits, but I'm kind of down the rabbit hole ATM.
* The SSL::Host class now uses the CA to generate its certificate when appropriate. | Luke Kanies | 2008-05-05 | 1 | -3/+24
  It uses the CA singleton method to determine whether it's on a valid CA host, and if so, uses the CA instance to sign its generated CSR.
* The CA now initializes itself. | Luke Kanies | 2008-05-05 | 1 | -11/+78
  I realized that it never made sense to have a CA that didn't know how to initialize itself, so we now have a singleton method for the CA, and it also automatically initializes itself.
* I think I've now got the Webrick SSL support working. | Luke Kanies | 2008-04-28 | 1 | -5/+6
  Now I just need to get xmlrpc working alongside REST in both mongrel and webrick.
* Interim commit, since I want to work but have no network available. | Luke Kanies | 2008-04-28 | 1 | -0/+45
* Renaming the 'ca_file' ssl terminus type to 'ca'. | Luke Kanies | 2008-04-21 | 1 | -4/+4
* Fixing how the CRL is used for certificate verification. | Luke Kanies | 2008-04-19 | 1 | -2/+2
  The CRL was not correctly being added to the Store used for verification. It does not appear to be working, though, since revoked certificates still pass verification.
* Added an Interface class to the CA to model puppetca's usage. | Luke Kanies | 2008-04-19 | 2 | -3/+285
  This class provides all of the semantics from puppetca, and appears to entirely duplicate the behaviour of the existing executable, with basically all of the code in a library file, instead of the executable. As such, I've deleted the test for the executable. We should have one, but it's not nearly as important.
* Making the SSL::Host's destroy method a class method, | Luke Kanies | 2008-04-19 | 1 | -16/+30
  rather than an instance method.
* Adding the last functionality needed for puppetca to use the Indirector. | Luke Kanies | 2008-04-19 | 1 | -0/+20
  This commit adds 'list' and 'print' support to the CA. They're mostly delegator methods, but now the CA should be the sole interface for puppetca.
* Finishing the interface between the CA and the CRL. | Luke Kanies | 2008-04-19 | 4 | -27/+262
  Certificate revocation now works, the CA knows how to generate the CRL, and the SSL::Host class knows how to configure the CRL class for indirection.
* Adding inventory support to the new certificate authority. | Luke Kanies | 2008-04-18 | 2 | -3/+22
  The new-style CA now keeps track of all of its signed certificates in its inventory file.
* Adding support within the inventory for real certs or Puppet cert wrappers. | Luke Kanies | 2008-04-18 | 1 | -0/+12
* Changing the Inventory class to rebuild when the | Luke Kanies | 2008-04-18 | 1 | -40/+45
  first cert is added, so it's easier to test.
* Adding an SSL::Inventory class for managing the ssl inventory. | Luke Kanies | 2008-04-18 | 1 | -0/+136
  This models the existing Inventory module in the sslcertificates/ directory, but does so as an instance, rather than a module.
* Switching the SSL::Host class to return Puppet instances. | Luke Kanies | 2008-04-17 | 3 | -27/+37
  Previously, the class was returning OpenSSL instances (e.g., OpenSSL::X509::Certificate) instead of Puppet instances (e.g., Puppet::SSL::Certificate). This made some things easier, but it made them asymmetric (e.g., you assigned the key as a Puppet instance but got back an OpenSSL instance), and it also reduced your flexibility and introspectiveness.
* Setting the expiration date of certificate objects to the expiry of the actual | Luke Kanies | 2008-04-17 | 1 | -0/+15
  cert.
* Adding integration tests for a lot of the SSL code. | Luke Kanies | 2008-04-17 | 2 | -5/+5
  This flushed out some problems, and things mostly look good now, but I don't think we're quite there yet.
* Moving the password file handling into the SSL::Key class. | Luke Kanies | 2008-04-17 | 3 | -32/+57
  This was necessary because when the Indirector is used, there isn't necessarily enough context available to know when a password file should be used (e.g., when reading a Key from disk, you don't know if that key was encrypted). Now, the Key class automatically uses the right password file, and only tries to use those files that actually exist. This isn't very flexible, in that it only allows one CA file and one non-CA file, but no one really uses anything but the CA file anyway.
* Adding SSL::Host-level support for managing the terminus and | Luke Kanies | 2008-04-17 | 5 | -7/+111
  cache classes. Also, defaulting to the :file terminus for all of the SSL classes.
* Fixing the CA so it actually automatically generates its certificate. | Luke Kanies | 2008-04-17 | 1 | -12/+11
* The certificate authority now uses a Host instance named 'ca'. | Luke Kanies | 2008-04-17 | 1 | -90/+57
  It previously was a subclass of Host, but this should make it easier to separate between the thing doing the signing and the thing managing the necessary files.
* Changing all of the SSL terminus classes to treat CA files specially. | Luke Kanies | 2008-04-17 | 2 | -88/+74
  This is a kind of weird design situation. For instance, we've got a collection of certificates in the :certdir, but then there's a special CA certificate off by itself. Rather than build a whole separate infrastructure for managing those separate files (cert and key, at least), I decided to add special support for specifying where to find the CA-specific bits, and then code for handling them when necessary.

  This requires that we have a standard way of knowing whether we should be managing the CA bits or normal host files. The Puppet::SSL::Host class now has a 'ca_name' method that returns the string we're using for the CA name; this name is currently 'ca'. We have to use a name, because the name is the only thing that all methods have access to (e.g., when trying to 'find' the right cert, we only have the name available).

  What this means is that if you want access to the CA key or cert, then create a Puppet::SSL::Host instance with the name 'ca'. You'll still get the CA cert created with the host's :certname; it will just be stored in a different location.
* Marking a test as pending, because it's not ready yet. | Luke Kanies | 2008-04-16 | 1 | -7/+7
* Removing all the cases where the ssl host specifies | Luke Kanies | 2008-04-16 | 1 | -128/+6
  a terminus. Also, getting rid of some metaprogramming that wasn't really helping.