Class: Puppet::SSL::StateMachine::NeedCRLs Private

Inherits:

SSLState

• Object
• SSLState
• Puppet::SSL::StateMachine::NeedCRLs

Defined in:

lib/puppet/ssl/state_machine.rb

Overview

This class is part of a private API. You should avoid using this class if possible, as it may be removed or be changed in the future.

If revocation is enabled, load CRLs or download them, using the CA bundle from the previous state. Transition to NeedKey. Even if Puppet is leaf or chain, disable revocation when downloading the CRL, since 1) we may not have one yet or 2) the connection will fail if NeedCACerts downloaded a new CA for which we don’t have a CRL

Instance Attribute Summary

• #force_crl_refresh ⇒ Object readonly private

Attributes inherited from SSLState

#ssl_context

Instance Method Summary

• #initialize(machine, ssl_context, force_crl_refresh = false) ⇒ NeedCRLs constructor private

  A new instance of NeedCRLs.

• #next_state ⇒ Object private

Methods inherited from SSLState

#log_error, #to_error

Constructor Details

#initialize(machine, ssl_context, force_crl_refresh = false) ⇒ NeedCRLs

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Returns a new instance of NeedCRLs.

# File 'lib/puppet/ssl/state_machine.rb', line 160

def initialize(machine, ssl_context, force_crl_refresh = false)
  super(machine, ssl_context)
  @force_crl_refresh = force_crl_refresh
end

Instance Attribute Details

#force_crl_refresh ⇒ Object (readonly)

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

# File 'lib/puppet/ssl/state_machine.rb', line 158

def force_crl_refresh
  @force_crl_refresh
end

Instance Method Details

#next_state ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

# File 'lib/puppet/ssl/state_machine.rb', line 165

def next_state
  Puppet.debug("Loading CRLs")

  case Puppet[:certificate_revocation]
  when :chain, :leaf
    crls = @cert_provider.load_crls
    if crls
      next_ctx = @ssl_provider.create_root_context(cacerts: ssl_context[:cacerts], crls: crls)

      now = Time.now
      last_update = @cert_provider.crl_last_update
      if needs_refresh?(now, last_update)
        next_ctx = refresh_crl(next_ctx, last_update)
      end
    else
      next_ctx = download_crl(@ssl_context, nil)
    end
  else
    Puppet.info("Certificate revocation is disabled, skipping CRL download")
    next_ctx = @ssl_provider.create_root_context(cacerts: ssl_context[:cacerts], crls: [])
  end

  NeedKey.new(@machine, next_ctx)
rescue OpenSSL::X509::CRLError => e
  Error.new(@machine, e.message, e)
rescue Puppet::HTTP::ResponseError => e
  if e.response.code == 404
    to_error(_('CRL is missing from the server'), e)
  else
    to_error(_('Could not download CRLs: %{message}') % { message: e.message }, e)
  end
end