Class: Puppet::SSL::Configuration

Inherits:

Object

• Object
• Puppet::SSL::Configuration

Defined in:

lib/puppet/ssl/configuration.rb

Overview

Puppet::SSL::Configuration is intended to separate out the following concerns:

• CA certificates that authenticate peers (ca_auth_file)

• CA certificates that build trust but do not authenticate (ca_chain_file)

• Who clients trust as distinct from who servers trust. We should not assume one single self signed CA cert for everyone.

Instance Method Summary

• #ca_auth_certificates ⇒ Array<OpenSSL::X509::Certificate> private

  ca_auth_certificates returns an Array of OpenSSL::X509::Certificate instances intended to be used in the connection verify_callback.

• #ca_auth_file ⇒ Object

  The ca_auth_file method is intended to return the PEM bundle of CA certs used to authenticate peer connections.

• #ca_chain_file ⇒ Object

  The ca_chain_file method is intended to return the PEM bundle of CA certs establishing trust but not used for peer authentication.

• #initialize(localcacert, options = {}) ⇒ Configuration constructor

  A new instance of Configuration.

Constructor Details

#initialize(localcacert, options = {}) ⇒ Configuration

Returns a new instance of Configuration.

# File 'lib/puppet/ssl/configuration.rb', line 11

def initialize(localcacert, options={})
  if (options[:ca_chain_file] and not options[:ca_auth_file])
    raise ArgumentError, "The CA auth chain is required if the chain file is provided"
  end
  @localcacert = localcacert
  @ca_chain_file = options[:ca_chain_file]
  @ca_auth_file = options[:ca_auth_file]
end

Instance Method Details

#ca_auth_certificates ⇒ Array<OpenSSL::X509::Certificate>

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

ca_auth_certificates returns an Array of OpenSSL::X509::Certificate instances intended to be used in the connection verify_callback. This method loads and parses the #ca_auth_file from the filesystem.

Returns:

• (Array<OpenSSL::X509::Certificate>)

# File 'lib/puppet/ssl/configuration.rb', line 40

def ca_auth_certificates
  @ca_auth_certificates ||= decode_cert_bundle(read_file(ca_auth_file))
end

#ca_auth_file ⇒ Object

The ca_auth_file method is intended to return the PEM bundle of CA certs used to authenticate peer connections.

# File 'lib/puppet/ssl/configuration.rb', line 28

def ca_auth_file
  @ca_auth_file || @localcacert
end

#ca_chain_file ⇒ Object

The ca_chain_file method is intended to return the PEM bundle of CA certs establishing trust but not used for peer authentication.

# File 'lib/puppet/ssl/configuration.rb', line 22

def ca_chain_file
  @ca_chain_file || ca_auth_file
end