Class: Puppet::SSL::StateMachine Private
- Defined in:
- lib/puppet/ssl/state_machine.rb
Overview
This class is part of a private API. You should avoid using this class if possible, as it may be removed or be changed in the future.
This class implements a state machine for bootstrapping a host's CA and CRL bundles, private key and signed client certificate. Each state has a frozen SSLContext that it uses to make network connections. If a state makes progress bootstrapping the host, then the state will generate a new frozen SSLContext and pass that to the next state. For example, the NeedCACerts state will load or download a CA bundle, and generate a new SSLContext containing those CA certs. This way we're sure about which SSLContext is being used during any phase of the bootstrapping process.
Defined Under Namespace
Classes: Done, Error, KeySSLState, LockFailure, NeedCACerts, NeedCRLs, NeedCert, NeedKey, NeedLock, NeedSubmitCSR, SSLState, Wait
Instance Attribute Summary collapse
- #ca_fingerprint ⇒ Object readonly private
- #cert_provider ⇒ Object readonly private
- #digest ⇒ Object readonly private
- #session ⇒ Object private
- #ssl_provider ⇒ Object readonly private
- #wait_deadline ⇒ Object readonly private
- #waitforcert ⇒ Object readonly private
- #waitforlock ⇒ Object readonly private
- #waitlock_deadline ⇒ Object readonly private
Instance Method Summary collapse
-
#ensure_ca_certificates ⇒ Puppet::SSL::SSLContext
private
Run the state machine for CA certs and CRLs.
-
#ensure_client_certificate ⇒ Puppet::SSL::SSLContext
private
Run the state machine for CA certs and CRLs.
-
#initialize(waitforcert: Puppet[:waitforcert], maxwaitforcert: Puppet[:maxwaitforcert], waitforlock: Puppet[:waitforlock], maxwaitforlock: Puppet[:maxwaitforlock], onetime: Puppet[:onetime], cert_provider: Puppet::X509::CertProvider.new, ssl_provider: Puppet::SSL::SSLProvider.new, lockfile: Puppet::Util::Pidlock.new(Puppet[:ssl_lockfile]), digest: 'SHA256', ca_fingerprint: Puppet[:ca_fingerprint]) ⇒ StateMachine
constructor
private
Construct a state machine to manage the SSL initialization process.
- #lock ⇒ Object private
- #unlock ⇒ Object private
Constructor Details
#initialize(waitforcert: Puppet[:waitforcert], maxwaitforcert: Puppet[:maxwaitforcert], waitforlock: Puppet[:waitforlock], maxwaitforlock: Puppet[:maxwaitforlock], onetime: Puppet[:onetime], cert_provider: Puppet::X509::CertProvider.new, ssl_provider: Puppet::SSL::SSLProvider.new, lockfile: Puppet::Util::Pidlock.new(Puppet[:ssl_lockfile]), digest: 'SHA256', ca_fingerprint: Puppet[:ca_fingerprint]) ⇒ StateMachine
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
Construct a state machine to manage the SSL initialization process. By default, if the state machine encounters an exception, it will log the exception and wait for `waitforcert` seconds and retry, restarting from the beginning of the state machine.
However, if `onetime` is true, then the state machine will raise the first error it encounters, instead of waiting. Otherwise, if `waitforcert` is 0, then then state machine will exit instead of wait.
390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 |
# File 'lib/puppet/ssl/state_machine.rb', line 390 def initialize(waitforcert: Puppet[:waitforcert], maxwaitforcert: Puppet[:maxwaitforcert], waitforlock: Puppet[:waitforlock], maxwaitforlock: Puppet[:maxwaitforlock], onetime: Puppet[:onetime], cert_provider: Puppet::X509::CertProvider.new, ssl_provider: Puppet::SSL::SSLProvider.new, lockfile: Puppet::Util::Pidlock.new(Puppet[:ssl_lockfile]), digest: 'SHA256', ca_fingerprint: Puppet[:ca_fingerprint]) @waitforcert = waitforcert @wait_deadline = Time.now.to_i + maxwaitforcert @waitforlock = waitforlock @waitlock_deadline = Time.now.to_i + maxwaitforlock @onetime = onetime @cert_provider = cert_provider @ssl_provider = ssl_provider @lockfile = lockfile @digest = digest @ca_fingerprint = ca_fingerprint @session = Puppet.runtime[:http].create_session end |
Instance Attribute Details
#ca_fingerprint ⇒ Object (readonly)
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
361 362 363 |
# File 'lib/puppet/ssl/state_machine.rb', line 361 def ca_fingerprint @ca_fingerprint end |
#cert_provider ⇒ Object (readonly)
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
361 362 363 |
# File 'lib/puppet/ssl/state_machine.rb', line 361 def cert_provider @cert_provider end |
#digest ⇒ Object (readonly)
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
361 362 363 |
# File 'lib/puppet/ssl/state_machine.rb', line 361 def digest @digest end |
#session ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
362 363 364 |
# File 'lib/puppet/ssl/state_machine.rb', line 362 def session @session end |
#ssl_provider ⇒ Object (readonly)
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
361 362 363 |
# File 'lib/puppet/ssl/state_machine.rb', line 361 def ssl_provider @ssl_provider end |
#wait_deadline ⇒ Object (readonly)
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
361 362 363 |
# File 'lib/puppet/ssl/state_machine.rb', line 361 def wait_deadline @wait_deadline end |
#waitforcert ⇒ Object (readonly)
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
361 362 363 |
# File 'lib/puppet/ssl/state_machine.rb', line 361 def waitforcert @waitforcert end |
#waitforlock ⇒ Object (readonly)
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
361 362 363 |
# File 'lib/puppet/ssl/state_machine.rb', line 361 def waitforlock @waitforlock end |
#waitlock_deadline ⇒ Object (readonly)
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
361 362 363 |
# File 'lib/puppet/ssl/state_machine.rb', line 361 def waitlock_deadline @waitlock_deadline end |
Instance Method Details
#ensure_ca_certificates ⇒ Puppet::SSL::SSLContext
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
Run the state machine for CA certs and CRLs.
418 419 420 421 |
# File 'lib/puppet/ssl/state_machine.rb', line 418 def ensure_ca_certificates final_state = run_machine(NeedLock.new(self), NeedKey) final_state.ssl_context end |
#ensure_client_certificate ⇒ Puppet::SSL::SSLContext
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
Run the state machine for CA certs and CRLs.
428 429 430 431 432 433 |
# File 'lib/puppet/ssl/state_machine.rb', line 428 def ensure_client_certificate final_state = run_machine(NeedLock.new(self), Done) ssl_context = final_state.ssl_context @ssl_provider.print(ssl_context, @digest) ssl_context end |
#lock ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
435 436 437 |
# File 'lib/puppet/ssl/state_machine.rb', line 435 def lock @lockfile.lock end |
#unlock ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
439 440 441 |
# File 'lib/puppet/ssl/state_machine.rb', line 439 def unlock @lockfile.unlock end |