Class: Puppet::SSL::StateMachine

Inherits:
Object
Defined in:
lib/puppet/ssl/state_machine.rb

Overview

This class implements a state machine for bootstrapping a host’s CA and CRL bundles, private key and signed client certificate. Each state has a frozen SSLContext that it uses to make network connections. If a state makes progress bootstrapping the host, then the state will generate a new frozen SSLContext and pass that to the next state. For example, the NeedCACerts state will load or download a CA bundle, and generate a new SSLContext containing those CA certs. This way we’re sure about which SSLContext is being used during any phase of the bootstrapping process.
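The pattern described above, as an added example rather than Puppet's own code: a minimal Ruby sketch in the same shape, with an immutable `Context` struct standing in for `SSLContext`, an in-memory `store` hash standing in for the disk and the CA, and state classes named after the ones listed on this page. The `run_machine` helper that `ensure_ca_certificates` and `ensure_client_certificate` call is modelled too, since the page uses it without showing it. The `with` method, the `store` keys and the `Wait` behaviour are this example's assumptions.

```ruby
# Added example (not Puppet's code): one frozen context per state, a new frozen
# context only when a state makes progress.

# Stand-in for Puppet::SSL::SSLContext: an immutable value object.
Context = Struct.new(:cacerts, :crls, :private_key, :client_cert, keyword_init: true) do
  # Return a new frozen copy with the given fields changed; the receiver is
  # never mutated, so each state works against a known context.
  def with(**changes)
    Context.new(**to_h.merge(changes)).freeze
  end
end

class SSLState
  attr_reader :machine, :ssl_context

  def initialize(machine, ssl_context)
    # Refuse a mutable context: nothing may change it behind a state's back.
    raise ArgumentError, 'context must be frozen' unless ssl_context.frozen?
    @machine = machine
    @ssl_context = ssl_context
  end
end

# Load the CA bundle (here: from the constructed store) and pass a new frozen
# context containing it to the next state.
class NeedCACerts < SSLState
  def next_state
    NeedCRLs.new(machine, ssl_context.with(cacerts: machine.store.fetch(:cacerts)))
  end
end

class NeedCRLs < SSLState
  def next_state
    NeedKey.new(machine, ssl_context.with(crls: machine.store.fetch(:crls)))
  end
end

class NeedKey < SSLState
  def next_state
    # Use an existing key if the store has one, otherwise "generate" one.
    key = machine.store.fetch(:private_key) { 'generated-key' }
    NeedCert.new(machine, ssl_context.with(private_key: key))
  end
end

class NeedCert < SSLState
  def next_state
    cert = machine.store[:client_cert]
    return Done.new(machine, ssl_context.with(client_cert: cert)) if cert

    # No progress: the same frozen context is handed on unchanged.
    Wait.new(machine, ssl_context)
  end
end

# Assumed behaviour for this sketch: abort instead of polling the CA.
class Wait < SSLState
  def next_state
    raise 'client certificate has not been signed yet'
  end
end

class Done < SSLState; end

class StateMachine
  attr_reader :store

  def initialize(store)
    @store = store
  end

  # Advance from `state` until an instance of `stop` is reached and return it.
  def run_machine(state, stop)
    state = state.next_state until state.is_a?(stop)
    state
  end

  def ensure_ca_certificates
    run_machine(NeedCACerts.new(self, Context.new.freeze), NeedKey).ssl_context
  end

  def ensure_client_certificate
    run_machine(NeedCACerts.new(self, Context.new.freeze), Done).ssl_context
  end
end
```

Running `ensure_ca_certificates` against a store that holds a CA bundle and CRLs yields a frozen context with those two fields set and no key, because the machine stops at `NeedKey`; `ensure_client_certificate` runs on to `Done` and the returned context additionally carries the key and client certificate.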

Defined Under Namespace

Classes: Done, KeySSLState, NeedCACerts, NeedCRLs, NeedCert, NeedKey, NeedSubmitCSR, SSLState, Wait

Constant Summary

CA_NAME =
'ca'.freeze

Instance Attribute Summary

Instance Method Summary

Constructor Details

#initialize(onetime: Puppet[:onetime], waitforcert: Puppet[:waitforcert]) ⇒ StateMachine

Returns a new instance of StateMachine.

# File 'lib/puppet/ssl/state_machine.rb', line 210

def initialize(onetime: Puppet[:onetime], waitforcert: Puppet[:waitforcert])
  @onetime = onetime
  @waitforcert = waitforcert
end

Instance Attribute Details

#onetime ⇒ Object (readonly)

Returns the value of attribute onetime.

# File 'lib/puppet/ssl/state_machine.rb', line 208

def onetime
  @onetime
end

#waitforcert ⇒ Object (readonly)

Returns the value of attribute waitforcert.

# File 'lib/puppet/ssl/state_machine.rb', line 208

def waitforcert
  @waitforcert
end

Instance Method Details

#ensure_ca_certificates ⇒ Puppet::SSL::SSLContext

Run the state machine for CA certs and CRLs

Returns: (Puppet::SSL::SSLContext) the SSLContext of the final state

# File 'lib/puppet/ssl/state_machine.rb', line 218

def ensure_ca_certificates
  final_state = run_machine(NeedCACerts.new(self), NeedKey)
  final_state.ssl_context
end

#ensure_client_certificate ⇒ Puppet::SSL::SSLContext

Run the state machine for CA certs, CRLs, and the signed client certificate

Returns: (Puppet::SSL::SSLContext) the SSLContext of the final state

# File 'lib/puppet/ssl/state_machine.rb', line 226

def ensure_client_certificate
  final_state = run_machine(NeedCACerts.new(self), Done)
  ssl_context = final_state.ssl_context

  if Puppet::Util::Log.sendlevel?(:debug)
    chain = ssl_context.client_chain
    # print from root to client
    chain.reverse.each_with_index do |cert, i|
      digest = Puppet::SSL::Digest.new('SHA256', cert.to_der)
      if i == chain.length - 1
        Puppet.debug(_("Verified client certificate '%{subject}' fingerprint %{digest}") % {subject: cert.subject.to_s, digest: digest})
      else
        Puppet.debug(_("Verified CA certificate '%{subject}' fingerprint %{digest}") % {subject: cert.subject.to_s, digest: digest})
      end
    end
  end

  ssl_context
end
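The debug walk above assumes `client_chain` is ordered client-first and reverses it to print from root to client. As an added example that is not Puppet's code, the following builds a throwaway CA and client certificate in memory with Ruby's OpenSSL bindings, verifies the leaf against the CA before trusting the chain, and produces the same root-to-client lines with SHA256 fingerprints of the DER encoding. The colon-separated fingerprint format, the `make_cert` helper and the subject names are this example's own choices.

```ruby
require 'openssl'

# Added example (not Puppet's code): constructed two-certificate chain plus the
# root-to-client fingerprint listing the debug output above produces.

# Build a certificate; a nil issuer_cert means self-signed.
def make_cert(subject, issuer_cert, issuer_key, key, serial, ca:)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Colon-separated uppercase SHA256 fingerprint of the DER encoding.
def fingerprint(cert)
  OpenSSL::Digest::SHA256.hexdigest(cert.to_der).upcase.scan(/../).join(':')
end

# chain is ordered client-first (leaf, ..., root); return the lines a debug
# log would print from root to client, the last one being the client cert.
def describe_chain(chain)
  chain.reverse.each_with_index.map do |cert, i|
    kind = i == chain.length - 1 ? 'client' : 'CA'
    "Verified #{kind} certificate '#{cert.subject}' fingerprint #{fingerprint(cert)}"
  end
end

# Verify the leaf against the CA certificates in the chain before trusting it.
def chain_verified?(chain)
  leaf, *cas = chain
  store = OpenSSL::X509::Store.new
  cas.each { |c| store.add_cert(c) }
  store.verify(leaf)
end

# Constructed sample chain: a self-signed CA and one client certificate it signed.
def build_demo_chain
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = make_cert('/CN=Example CA', nil, ca_key, ca_key, 1, ca: true)
  client_key = OpenSSL::PKey::RSA.new(2048)
  client = make_cert('/CN=agent.example.test', ca, ca_key, client_key, 2, ca: false)
  [client, ca]
end

if __FILE__ == $PROGRAM_NAME
  chain = build_demo_chain
  puts "chain verifies: #{chain_verified?(chain)}"
  puts describe_chain(chain)
end
```

Because the chain is stored leaf-first, the reversed walk prints the CA line before the client line, and the `i == chain.length - 1` test is what distinguishes the final (client) entry from the CA entries above it.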