Class: Puppet::SSL::StateMachine::NeedCRLs Private
- Defined in:
- lib/puppet/ssl/state_machine.rb
Overview
This class is part of a private API. You should avoid using this class if possible, as it may be removed or be changed in the future.
If revocation is enabled, load the CRLs from disk or download them, using the CA bundle from the previous state, then transition to NeedKey. Even when Puppet[:certificate_revocation] is :leaf or :chain, revocation checking is disabled for the connection that downloads the CRL, since 1) we may not have a CRL yet, or 2) the connection would fail if NeedCACerts downloaded a new CA for which we don't yet have a CRL.
Instance Attribute Summary
Attributes inherited from SSLState
Instance Method Summary
- #next_state ⇒ Object private
Methods inherited from SSLState
#initialize, #log_error, #to_error
Constructor Details
This class inherits a constructor from Puppet::SSL::StateMachine::SSLState
Instance Method Details
#next_state ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
```ruby
# File 'lib/puppet/ssl/state_machine.rb', line 95

def next_state
  Puppet.debug("Loading CRLs")

  case Puppet[:certificate_revocation]
  when :chain, :leaf
    crls = @cert_provider.load_crls
    if crls
      # A CRL is already on disk: build the root context from it.
      next_ctx = @ssl_provider.create_root_context(cacerts: ssl_context[:cacerts], crls: crls)

      crl_ttl = Puppet[:crl_refresh_interval]
      if crl_ttl
        last_update = @cert_provider.crl_last_update
        now = Time.now
        if last_update.nil? || now.to_i > last_update.to_i + crl_ttl
          # set last updated time first, then make a best effort to refresh
          @cert_provider.crl_last_update = now
          next_ctx = refresh_crl(next_ctx, last_update)
        end
      end
    else
      # No local CRL yet: download one with revocation checking disabled.
      next_ctx = download_crl(@ssl_context, nil)
    end
  else
    Puppet.info("Certificate revocation is disabled, skipping CRL download")
    next_ctx = @ssl_provider.create_root_context(cacerts: ssl_context[:cacerts], crls: [])
  end

  NeedKey.new(@machine, next_ctx)
rescue OpenSSL::X509::CRLError => e
  Error.new(@machine, e.message, e)
rescue Puppet::HTTP::ResponseError => e
  if e.response.code == 404
    to_error(_('CRL is missing from the server'), e)
  else
    to_error(_('Could not download CRLs: %{message}') % { message: e.message }, e)
  end
end
```
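The branch logic of #next_state, modelled as a standalone function so the refresh timing can be exercised offline. This is an added illustration, not Puppet's own code: FakeCertProvider, crl_refresh_decision and the refresh lambda are constructed stand-ins for @cert_provider, the method's decision tree and refresh_crl. It shows the consequence of setting crl_last_update before the attempt: a refresh that fails is not retried until crl_refresh_interval has elapsed again, so the agent keeps validating against the CRL it already holds for that long.

```ruby
# Constructed stand-in for Puppet's cert provider: holds the on-disk CRLs and
# the last-update timestamp that the real provider persists between runs.
class FakeCertProvider
  attr_accessor :crl_last_update, :crls

  def initialize(crls:, last_update: nil)
    @crls = crls
    @crl_last_update = last_update
  end

  def load_crls
    @crls
  end
end

# Mirror the decision tree of NeedCRLs#next_state and return what it would do.
#   revocation : value of Puppet[:certificate_revocation] (false, :chain or :leaf)
#   crl_ttl    : value of Puppet[:crl_refresh_interval] in seconds, or nil
#   refresh    : stand-in for refresh_crl; returns true on success, false on failure
# Returns one of :skipped, :download, :loaded, :refreshed, :refresh_failed.
def crl_refresh_decision(provider, revocation:, crl_ttl:, now: Time.now, refresh: ->(_last) { true })
  return :skipped unless [:chain, :leaf].include?(revocation) # revocation disabled
  return :download if provider.load_crls.nil?                 # no local CRL yet
  return :loaded if crl_ttl.nil?                              # periodic refresh disabled

  last = provider.crl_last_update
  return :loaded unless last.nil? || now.to_i > last.to_i + crl_ttl

  # Timestamp is advanced before the attempt, exactly as next_state does, so a
  # failed refresh is not retried until another crl_ttl seconds have passed.
  provider.crl_last_update = now
  refresh.call(last) ? :refreshed : :refresh_failed
end
```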