We have to have a CA cert first, because the host will
start using the client cert as soon as it's available,
but it's not functional without a CA cert.

Also removing extra stupid stuff from wait_for_cert --
the connection is now always recycled, which is much simpler.

Signed-off-by: Luke Kanies <[EMAIL PROTECTED]>
---
 bin/puppetd            |    2 +-
 lib/puppet/ssl/host.rb |   14 ++++++++++----
 spec/unit/ssl/host.rb  |   35 +++++++++++++++++++++++++++--------
 3 files changed, 38 insertions(+), 13 deletions(-)

diff --git a/bin/puppetd b/bin/puppetd
index 758494c..efd1824 100755
--- a/bin/puppetd
+++ b/bin/puppetd
@@ -350,7 +350,7 @@ end
 
 host = Puppet::SSL::Host.new
 cert = host.wait_for_cert(options[:waitforcert])
-client.recycle_connection if cert == :new
+client.recycle_connection
 
 objects = []
 
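Review bot: `cert` in `cert = host.wait_for_cert(options[:waitforcert])` is now a dead local: the lib/puppet/ssl/host.rb hunks turn every `return :existing`/`return :new` into a bare `return`, and the new unconditional `client.recycle_connection` no longer reads it. The assignment should go with the condition, leaving `host.wait_for_cert(options[:waitforcert])`. Recycling unconditionally is consistent with the new `certificate` method, which may have fetched the CA cert during the wait as well, so the connection must not keep a store built before either was present. The surrounding script body continues outside the hunk.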
diff --git a/lib/puppet/ssl/host.rb b/lib/puppet/ssl/host.rb
index d3805eb..a750f3b 100644
--- a/lib/puppet/ssl/host.rb
+++ b/lib/puppet/ssl/host.rb
@@ -137,7 +137,12 @@ class Puppet::SSL::Host
     end
 
     def certificate
-        return nil unless @certificate ||= Certificate.find(name)
+        unless @certificate
+            # get the CA cert first, since it's required for the normal cert
+            # to be of any use.
+            return nil unless Certificate.find("ca") unless ca?
+            @certificate = Certificate.find(name)
+        end
         @certificate
     end
 
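Review bot: The stacked modifiers in `return nil unless Certificate.find("ca") unless ca?` are hard to read and easy to mis-parse; the same guard is one condition: `return nil if !ca? && !Certificate.find("ca")`. The CA certificate fetched here is only tested for presence, so this method adds no trust check of its own beyond whatever `Certificate.find` does (not visible in the hunk); the comment should say why the fetch happens here at all — presumably so the CA cert is in place before the ssl_store hunk reads `Puppet[:localcacert]`, but that should be confirmed and stated rather than left implicit. The enclosing class Puppet::SSL::Host starts outside the hunk.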
@@ -172,6 +177,8 @@ class Puppet::SSL::Host
             @ssl_store = OpenSSL::X509::Store.new
             @ssl_store.purpose = purpose
 
+            # Use the file path here, because we don't want to cause
+            # a lookup in the middle of setting our ssl connection.
             @ssl_store.add_file(Puppet[:localcacert])
 
             # If there's a CRL, add it to our store.
@@ -186,11 +193,11 @@ class Puppet::SSL::Host
 
     # Attempt to retrieve a cert, if we don't already have one.
     def wait_for_cert(time)
-        return :existing if certificate
+        return if certificate
         begin
             generate
 
-            return :new if certificate
+            return if certificate
         rescue StandardError => detail
             Puppet.err "Could not request certificate: %s" % detail.to_s
             if time < 1
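Review bot: The header comment on `wait_for_cert` still only says it attempts to retrieve a cert, but with the `:existing`/`:new` return values dropped here (and `return :new` removed in the next hunk) the method's result is whatever the trailing begin/rescue evaluates to and carries no meaning; callers such as bin/puppetd must consult `certificate` instead. Suggest `# Attempt to retrieve a cert, if we don't already have one. The return value is not meaningful; check #certificate afterwards.` Note also that each `return if certificate` now goes through the CA lookup added to `certificate`, so a missing CA cert makes this method fall through to `generate` too — worth a word in the comment if that is intended. The method body continues outside the hunk.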
@@ -216,7 +223,6 @@ class Puppet::SSL::Host
                 Puppet.err "Could not request certificate: %s" % detail.to_s
             end
         end
-        return :new
     end
 end
 
diff --git a/spec/unit/ssl/host.rb b/spec/unit/ssl/host.rb
index c234585..8315689 100755
--- a/spec/unit/ssl/host.rb
+++ b/spec/unit/ssl/host.rb
@@ -267,13 +267,37 @@ describe Puppet::SSL::Host do
             @cert = stub 'cert', :content => @realcert
         end
 
+        it "should find the CA certificate if it does not have a certificate" 
do
+            Puppet::SSL::Certificate.expects(:find).with("ca").returns 
mock("cacert")
+            Puppet::SSL::Certificate.stubs(:find).with("myname").returns @cert
+
+            @host.certificate
+        end
+
+        it "should not find the CA certificate if it is the CA host" do
+            @host.expects(:ca?).returns true
+            Puppet::SSL::Certificate.stubs(:find)
+            Puppet::SSL::Certificate.expects(:find).with("ca").never
+
+            @host.certificate
+        end
+
+        it "should return nil if it cannot find a CA certificate" do
+            Puppet::SSL::Certificate.expects(:find).with("ca").returns nil
+            Puppet::SSL::Certificate.expects(:find).with("myname").never
+
+            @host.certificate.should be_nil
+        end
+
         it "should find the certificate in the Certificate class and return 
the Puppet certificate instance" do
+            Puppet::SSL::Certificate.expects(:find).with("ca").returns 
mock("cacert")
             Puppet::SSL::Certificate.expects(:find).with("myname").returns 
@cert
 
             @host.certificate.should equal(@cert)
         end
 
         it "should return any previously found certificate" do
+            Puppet::SSL::Certificate.expects(:find).with("ca").returns 
mock("cacert")
             
Puppet::SSL::Certificate.expects(:find).with("myname").returns(@cert).once
 
             @host.certificate.should equal(@cert)
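Review bot: None of the new examples covers the path where the CA certificate is found but the host's own certificate is not — `Certificate.find(name)` returning nil in the new `certificate` body leaves `@certificate` unset and the method returns nil, so the next call repeats both lookups. An example pinning that return value would complete the coverage of the three new branches; the enclosing describe block continues outside the hunk.
```ruby
# … unchanged: existing examples …
it "should return nil if it finds the CA certificate but not its own certificate" do
    Puppet::SSL::Certificate.expects(:find).with("ca").returns mock("cacert")
    Puppet::SSL::Certificate.expects(:find).with("myname").returns nil

    @host.certificate.should be_nil
end
```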
@@ -451,22 +475,17 @@ describe Puppet::SSL::Host do
             @host = Puppet::SSL::Host.new("me")
         end
 
-        it "should return :existing if it already has a certificate" do
-            @host.expects(:certificate).returns "foo"
-            @host.wait_for_cert(0).should == :existing
-        end
-
         it "should generate its certificate request and attempt to read the 
certificate again if no certificate is found" do
             @host.expects(:certificate).times(2).returns(nil).then.returns 
"foo"
             @host.expects(:generate)
-            @host.wait_for_cert(1).should == :new
+            @host.wait_for_cert(1)
         end
 
         it "should catch and log errors during CSR saving" do
             @host.expects(:certificate).times(2).returns(nil).then.returns 
"foo"
             
@host.expects(:generate).times(2).raises(RuntimeError).then.returns nil
             @host.stubs(:sleep)
-            @host.wait_for_cert(1).should == :new
+            @host.wait_for_cert(1)
         end
 
         it "should sleep and retry after failures saving the CSR if 
waitforcert is enabled" do
@@ -498,7 +517,7 @@ describe Puppet::SSL::Host do
 
             @host.expects(:sleep).with(1)
 
-            @host.wait_for_cert(1).should == :new
+            @host.wait_for_cert(1)
         end
 
         it "should catch and log exceptions during certificate retrieval" do
-- 
1.5.3.7


