Class: Puppet::SSL::StateMachine Private

Inherits:

Object

• Object
• Puppet::SSL::StateMachine

Defined in:

lib/puppet/ssl/state_machine.rb

Overview

This class is part of a private API. You should avoid using this class if possible, as it may be removed or be changed in the future.

This class implements a state machine for bootstrapping a host’s CA and CRL bundles, private key and signed client certificate. Each state has a frozen SSLContext that it uses to make network connections. If a state makes progress bootstrapping the host, then the state will generate a new frozen SSLContext and pass that to the next state. For example, the NeedCACerts state will load or download a CA bundle, and generate a new SSLContext containing those CA certs. This way we’re sure about which SSLContext is being used during any phase of the bootstrapping process.

Defined Under Namespace

Classes: Done, Error, KeySSLState, LockFailure, NeedCACerts, NeedCRLs, NeedCert, NeedKey, NeedLock, NeedRenewedCert, NeedSubmitCSR, SSLState, Wait

Instance Attribute Summary

• #ca_fingerprint ⇒ Object readonly private
• #cert_provider ⇒ Object readonly private
• #digest ⇒ Object readonly private
• #session ⇒ Object private
• #ssl_provider ⇒ Object readonly private
• #wait_deadline ⇒ Object readonly private
• #waitforcert ⇒ Object readonly private
• #waitforlock ⇒ Object readonly private
• #waitlock_deadline ⇒ Object readonly private

Instance Method Summary

• #digest_as_hex(str) ⇒ Object private
• #ensure_ca_certificates ⇒ Puppet::SSL::SSLContext private

  Run the state machine for CA certs and CRLs.

• #ensure_client_certificate ⇒ Puppet::SSL::SSLContext private

  Run the state machine for client certs.

• #initialize(waitforcert: , maxwaitforcert: , waitforlock: , maxwaitforlock: , onetime: , cert_provider: Puppet::X509::CertProvider.new, ssl_provider: Puppet::SSL::SSLProvider.new, lockfile: Puppet::Util::Pidlock.new(Puppet[:ssl_lockfile]), digest: 'SHA256', ca_fingerprint: ) ⇒ StateMachine constructor private

  Construct a state machine to manage the SSL initialization process.

• #lock ⇒ Object private
• #unlock ⇒ Object private

Constructor Details

#initialize(waitforcert: , maxwaitforcert: , waitforlock: , maxwaitforlock: , onetime: , cert_provider: Puppet::X509::CertProvider.new, ssl_provider: Puppet::SSL::SSLProvider.new, lockfile: Puppet::Util::Pidlock.new(Puppet[:ssl_lockfile]), digest: 'SHA256', ca_fingerprint: ) ⇒ StateMachine

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Construct a state machine to manage the SSL initialization process. By default, if the state machine encounters an exception, it will log the exception and wait for waitforcert seconds and retry, restarting from the beginning of the state machine.

However, if onetime is true, then the state machine will raise the first error it encounters, instead of waiting. Otherwise, if waitforcert is 0, then then state machine will exit instead of wait.

Parameters:

• waitforcert (Integer) (defaults to: ) —

  how many seconds to wait between attempts

• maxwaitforcert (Integer) (defaults to: ) —

  maximum amount of seconds to wait for the server to sign the certificate request

• waitforlock (Integer) (defaults to: ) —

  how many seconds to wait between attempts for acquiring the ssl lock

• maxwaitforlock (Integer) (defaults to: ) —

  maximum amount of seconds to wait for an already running process to release the ssl lock

• onetime (Boolean) (defaults to: ) —

  whether to run onetime

• lockfile (Puppet::Util::Pidlock) (defaults to: Puppet::Util::Pidlock.new(Puppet[:ssl_lockfile])) —

  lockfile to protect against concurrent modification by multiple processes

• cert_provider (Puppet::X509::CertProvider) (defaults to: Puppet::X509::CertProvider.new) —

  cert provider to use to load and save X509 objects.

• ssl_provider (Puppet::SSL::SSLProvider) (defaults to: Puppet::SSL::SSLProvider.new) —

  ssl provider to use to construct ssl contexts.

• digest (String) (defaults to: 'SHA256') —

  digest algorithm to use for certificate fingerprinting

• ca_fingerprint (String) (defaults to: ) —

  optional fingerprint to verify the downloaded CA bundle

# File 'lib/puppet/ssl/state_machine.rb', line 516

def initialize(waitforcert: Puppet[:waitforcert],
               maxwaitforcert: Puppet[:maxwaitforcert],
               waitforlock: Puppet[:waitforlock],
               maxwaitforlock: Puppet[:maxwaitforlock],
               onetime: Puppet[:onetime],
               cert_provider: Puppet::X509::CertProvider.new,
               ssl_provider: Puppet::SSL::SSLProvider.new,
               lockfile: Puppet::Util::Pidlock.new(Puppet[:ssl_lockfile]),
               digest: 'SHA256',
               ca_fingerprint: Puppet[:ca_fingerprint])
  @waitforcert = waitforcert
  @wait_deadline = Time.now.to_i + maxwaitforcert
  @waitforlock = waitforlock
  @waitlock_deadline = Time.now.to_i + maxwaitforlock
  @onetime = onetime
  @cert_provider = cert_provider
  @ssl_provider = ssl_provider
  @lockfile = lockfile
  @digest = digest
  @ca_fingerprint = ca_fingerprint
  @session = Puppet.runtime[:http].create_session
end

Instance Attribute Details

#ca_fingerprint ⇒ Object (readonly)

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

# File 'lib/puppet/ssl/state_machine.rb', line 487

def ca_fingerprint
  @ca_fingerprint
end

#cert_provider ⇒ Object (readonly)

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

# File 'lib/puppet/ssl/state_machine.rb', line 487

def cert_provider
  @cert_provider
end

#digest ⇒ Object (readonly)

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

# File 'lib/puppet/ssl/state_machine.rb', line 487

def digest
  @digest
end

#session ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

# File 'lib/puppet/ssl/state_machine.rb', line 488

def session
  @session
end

#ssl_provider ⇒ Object (readonly)

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

# File 'lib/puppet/ssl/state_machine.rb', line 487

def ssl_provider
  @ssl_provider
end

#wait_deadline ⇒ Object (readonly)

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

# File 'lib/puppet/ssl/state_machine.rb', line 487

def wait_deadline
  @wait_deadline
end

#waitforcert ⇒ Object (readonly)

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

# File 'lib/puppet/ssl/state_machine.rb', line 487

def waitforcert
  @waitforcert
end

#waitforlock ⇒ Object (readonly)

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

# File 'lib/puppet/ssl/state_machine.rb', line 487

def waitforlock
  @waitforlock
end

#waitlock_deadline ⇒ Object (readonly)

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

# File 'lib/puppet/ssl/state_machine.rb', line 487

def waitlock_deadline
  @waitlock_deadline
end

Instance Method Details

#digest_as_hex(str) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

# File 'lib/puppet/ssl/state_machine.rb', line 569

def digest_as_hex(str)
  Puppet::SSL::Digest.new(digest, str).to_hex
end

#ensure_ca_certificates ⇒ Puppet::SSL::SSLContext

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Run the state machine for CA certs and CRLs.

Returns:

• (Puppet::SSL::SSLContext) —

  initialized SSLContext

Raises:

• (Puppet::Error) —

  If we fail to generate an SSLContext

# File 'lib/puppet/ssl/state_machine.rb', line 544

def ensure_ca_certificates
  final_state = run_machine(NeedLock.new(self), NeedKey)
  final_state.ssl_context
end

#ensure_client_certificate ⇒ Puppet::SSL::SSLContext

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Run the state machine for client certs.

Returns:

• (Puppet::SSL::SSLContext) —

  initialized SSLContext

Raises:

• (Puppet::Error) —

  If we fail to generate an SSLContext

# File 'lib/puppet/ssl/state_machine.rb', line 554

def ensure_client_certificate
  final_state = run_machine(NeedLock.new(self), Done)
  ssl_context = final_state.ssl_context
  @ssl_provider.print(ssl_context, @digest)
  ssl_context
end

#lock ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

# File 'lib/puppet/ssl/state_machine.rb', line 561

def lock
  @lockfile.lock
end

#unlock ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

# File 'lib/puppet/ssl/state_machine.rb', line 565

def unlock
  @lockfile.unlock
end