Class: Puppet::SSL::StateMachine::NeedCRLs

Inherits:
SSLState show all
Defined in:
lib/puppet/ssl/state_machine.rb

Overview

If revocation is enabled, load the CRLs from disk or download them, using the CA bundle from the previous state, then transition to NeedKey. Even when Puppet[:certificate_revocation] is leaf or chain, revocation is disabled for the connection that downloads the CRL, because 1) we may not have a CRL yet, or 2) the connection would fail if NeedCACerts downloaded a new CA for which we don't yet have a CRL.

Instance Attribute Summary

Attributes inherited from SSLState

#ssl_context

Instance Method Summary

Methods inherited from SSLState

#initialize

Constructor Details

This class inherits a constructor from Puppet::SSL::StateMachine::SSLState

Instance Method Details

#next_state ⇒ Object



# File 'lib/puppet/ssl/state_machine.rb', line 66

def next_state
  Puppet.debug("Loading CRLs")

  case Puppet[:certificate_revocation]
  when :chain, :leaf
    crls = @cert_provider.load_crls
    if crls
      next_ctx = @ssl_provider.create_root_context(cacerts: ssl_context[:cacerts], crls: crls)
    else
      pem = Puppet::Rest::Routes.get_crls(CA_NAME, @ssl_context)
      crls = @cert_provider.load_crls_from_pem(pem)
      # verify crls before saving
      next_ctx = @ssl_provider.create_root_context(cacerts: ssl_context[:cacerts], crls: crls)
      @cert_provider.save_crls(crls)
    end
  else
    Puppet.info("Certificate revocation is disabled, skipping CRL download")
    next_ctx = @ssl_provider.create_root_context(cacerts: ssl_context[:cacerts], crls: [])
  end

  NeedKey.new(@machine, next_ctx)
rescue Puppet::Rest::ResponseError => e
  if e.response.code.to_i == 404
    raise Puppet::Error.new(_('CRL is missing from the server'))
  else
    raise Puppet::Error.new(_('Could not download CRLs: %{message}') % { message: e.message }, e)
  end
end
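The load-or-download flow of next_state, with the "verify crls before saving" step made explicit, as an added Ruby example that is not Puppet's own code. verify_crls!, load_or_download_crls, make_ca and make_crl are hypothetical names; the CA and CRL material is generated in-process, and a Hash and a lambda stand in for the cert provider's on-disk cache and the HTTP download. In Puppet the verification happens inside create_root_context via an X509 store; here it is done directly with OpenSSL::X509::CRL#verify so the check is visible. The security point it demonstrates is that a downloaded CRL is only persisted after its issuer is matched to a CA in the trusted bundle and its signature verifies with that CA's key, so a CRL from the wrong signer (even one with the same subject name) is never cached.

```ruby
require 'openssl'

# Constructed self-signed CA (hypothetical helper, test material only).
def make_ca(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  [key, cert]
end

# Constructed empty CRL signed by the given CA key (hypothetical helper).
def make_crl(ca_key, ca_cert)
  crl = OpenSSL::X509::CRL.new
  crl.version = 1 # CRL v2
  crl.issuer = ca_cert.subject
  crl.last_update = Time.now - 60
  crl.next_update = Time.now + 3600
  crl.sign(ca_key, OpenSSL::Digest::SHA256.new)
  crl
end

# The "verify crls before saving" step: every CRL must name an issuer that is in
# the trusted CA bundle, its signature must verify with that CA's public key, and
# it must not be stale. Raises OpenSSL::X509::CRLError on the first failure.
def verify_crls!(cacerts, crls)
  crls.each do |crl|
    issuer = cacerts.find { |ca| ca.subject.cmp(crl.issuer) == 0 }
    raise OpenSSL::X509::CRLError, "no trusted CA for CRL issuer #{crl.issuer}" unless issuer
    raise OpenSSL::X509::CRLError, "CRL signature invalid for #{crl.issuer}" unless crl.verify(issuer.public_key)
    raise OpenSSL::X509::CRLError, "CRL for #{crl.issuer} is past nextUpdate" if crl.next_update && crl.next_update < Time.now
  end
  crls
end

# Mirrors next_state's decision: use cached CRLs if present; otherwise fetch the
# PEM bundle, parse it, verify it against the CA bundle, and only then cache it.
# `cache` is a Hash standing in for the disk cache, `fetch` a lambda returning PEM.
def load_or_download_crls(cacerts, cache, fetch)
  return [:cached, cache[:crls]] if cache[:crls]

  pem = fetch.call
  crls = pem.scan(/-----BEGIN X509 CRL-----.*?-----END X509 CRL-----/m)
            .map { |block| OpenSSL::X509::CRL.new(block) }
  verify_crls!(cacerts, crls) # an invalid CRL raises here, before anything is saved
  cache[:crls] = crls
  [:downloaded, crls]
end

if __FILE__ == $PROGRAM_NAME
  ca_key, ca = make_ca('Example Puppet CA')
  cache = {}
  kind, crls = load_or_download_crls([ca], cache, -> { make_crl(ca_key, ca).to_pem })
  puts "#{kind}: #{crls.size} CRL(s) verified and cached"

  # A CRL from a different key that reuses the CA's subject name is rejected.
  rogue_key, rogue = make_ca('Example Puppet CA')
  begin
    load_or_download_crls([ca], {}, -> { make_crl(rogue_key, rogue).to_pem })
  rescue OpenSSL::X509::CRLError => e
    puts "rejected: #{e.message}"
  end
end
```

Matching the issuer by subject name alone would not be enough, which is why the signature check against the bundle's key is the step that matters; the rogue CRL in the demo carries an identical issuer name and is still refused.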