Merge branch 'master' of ssh://reductivelabs.com/home/michael/git/puppet

This commit is contained in:
Luke Kanies 2007-08-22 19:00:48 -05:00
Родитель b9f529a063 efcd1e88f7
Коммит eeedb9200f
3 изменённых файлов: 49 добавлений и 9 удалений


@ -1,4 +1,6 @@
0.23.2 (misspiggy) 0.23.2 (misspiggy)
Fixed CA race condition. (#693)
Added shortname support to config.rb and refactored addargs Added shortname support to config.rb and refactored addargs
Fixed the problem in cron jobs where environment settings Fixed the problem in cron jobs where environment settings


@ -1,3 +1,5 @@
require 'sync'
class Puppet::SSLCertificates::CA class Puppet::SSLCertificates::CA
include Puppet::Util::Warnings include Puppet::Util::Warnings
@ -226,6 +228,33 @@ class Puppet::SSLCertificates::CA
} }
end end
# Create an exclusive lock for reading and writing, and do the
# writing in a tmp file.
def readwritelock(file, mode = 0600)
tmpfile = file + ".tmp"
sync = Sync.new
unless FileTest.directory?(File.dirname(tmpfile))
raise Puppet::DevError, "Cannot create %s; directory %s does not exist" %
[file, File.dirname(file)]
end
sync.synchronize(Sync::EX) do
File.open(file, "r+", mode) do |rf|
rf.lock_exclusive do
File.open(tmpfile, "w", mode) do |tf|
yield tf
end
begin
File.rename(tmpfile, file)
rescue => detail
Puppet.err "Could not rename %s to %s: %s" %
[file, tmpfile, detail]
end
end
end
end
end
# Sign a given certificate request. # Sign a given certificate request.
def sign(csr) def sign(csr)
unless csr.is_a?(OpenSSL::X509::Request) unless csr.is_a?(OpenSSL::X509::Request)
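Review bot: The exclusive lock in `readwritelock` is taken on the inode of `file` via `rf.lock_exclusive`, but the new content is committed by renaming `tmpfile` over that path, so a second process that opens `file` after the rename locks a different inode and the two writers no longer exclude each other; for the serial counter this means two certificates can still be issued with the same serial, which revocation by serial (as in `ca.revoke(h1.serial)` in the test file) relies on. Writing through the already-locked handle instead of a temp file closes that gap: `rf.rewind; rf.truncate(0); yield rf` in place of the tmpfile `File.open`/`File.rename` block. `sync = Sync.new` is also created fresh on every call, so `sync.synchronize(Sync::EX)` serialises nothing between threads — it would need to be a shared instance- or class-level object to have any effect. The rescue message has its arguments reversed as well: the rename is from `tmpfile` to `file`, so it should read `% [tmpfile, file, detail]`. `sign` begins in this hunk and continues past it.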
@ -238,7 +267,14 @@ class Puppet::SSLCertificates::CA
raise Puppet::Error, "CSR sign verification failed" raise Puppet::Error, "CSR sign verification failed"
end end
serial = File.read(@config[:serial]).chomp.hex serial = nil
readwritelock(@config[:serial]) { |f|
serial = File.read(@config[:serial]).chomp.hex
# increment the serial
f << "%04X" % (serial + 1)
}
newcert = Puppet::SSLCertificates.mkcert( newcert = Puppet::SSLCertificates.mkcert(
:type => :server, :type => :server,
:name => csr.subject, :name => csr.subject,
@ -248,10 +284,6 @@ class Puppet::SSLCertificates::CA
:publickey => csr.public_key :publickey => csr.public_key
) )
# increment the serial
Puppet.config.write(:serial) do |f|
f << "%04X" % (serial + 1)
end
sign_with_key(newcert) sign_with_key(newcert)


@ -239,14 +239,20 @@ class TestCertMgr < Test::Unit::TestCase
ca.revoke(h1.serial) ca.revoke(h1.serial)
oldcert = File.read(Puppet.config[:cacert])
oldserial = File.read(Puppet.config[:serial])
# Recreate the CA from disk # Recreate the CA from disk
ca = mkCA() ca = mkCA()
newcert = File.read(Puppet.config[:cacert])
newserial = File.read(Puppet.config[:serial])
assert_equal(oldcert, newcert, "The certs are not equal after making a new CA.")
assert_equal(oldserial, newserial, "The serials are not equal after making a new CA.")
store = mkStore(ca) store = mkStore(ca)
assert( store.verify(ca.cert)) assert( store.verify(ca.cert), "Could not verify CA certs after reloading certs.")
assert(!store.verify(h1, [ca.cert])) assert(!store.verify(h1, [ca.cert]), "Incorrectly verified revoked cert.")
assert( store.verify(h2, [ca.cert])) assert( store.verify(h2, [ca.cert]), "Could not verify certs with reloaded CA.")
Puppet.err :yay
ca.revoke(h2.serial) ca.revoke(h2.serial)
assert_equal(1, ca.crl.extensions.size) assert_equal(1, ca.crl.extensions.size)
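Review bot: The added assertions check that the serial file and CA cert survive `mkCA()`, but nothing in this section exercises the #693 race the commit fixes — two consecutive signings are never checked for distinct serials. A minimal guard would be to assert `assert_not_equal(h1.serial, h2.serial, "Signed certs share a serial.")` before the revocation checks, so a regression in the locked read/increment would surface here. The `Puppet.err :yay` line appears to be a stray debugging statement; its old/new side is not recoverable from this rendering, but if it is on the new side it should be dropped. The enclosing test method starts and ends outside this hunk.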