Class: Puppet::SSL::StateMachine::NeedCRLs (Private)

Inherits:
SSLState show all
Defined in:
lib/puppet/ssl/state_machine.rb

Overview

This class is part of a private API. You should avoid using this class if possible, as it may be removed or be changed in the future.

If revocation is enabled, load CRLs or download them, using the CA bundle from the previous state, then transition to NeedKey. Even if Puppet[:certificate_revocation] is leaf or chain, revocation is disabled on the connection used to download the CRL, because 1) we may not have a CRL yet, or 2) the connection would fail if NeedCACerts downloaded a new CA for which we don't have a CRL.

Instance Attribute Summary

Attributes inherited from SSLState

#ssl_context

Instance Method Summary

Methods inherited from SSLState

#log_error, #to_error

Constructor Details

#initialize(machine, ssl_context, force_crl_refresh = false) ⇒ NeedCRLs

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Returns a new instance of NeedCRLs.

# File 'lib/puppet/ssl/state_machine.rb', line 160

def initialize(machine, ssl_context, force_crl_refresh = false)
  super(machine, ssl_context)
  @force_crl_refresh = force_crl_refresh
end

Instance Attribute Details

#force_crl_refresh ⇒ Object (readonly)

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

# File 'lib/puppet/ssl/state_machine.rb', line 158

def force_crl_refresh
  @force_crl_refresh
end

Instance Method Details

#next_state ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

# File 'lib/puppet/ssl/state_machine.rb', line 165

def next_state
  Puppet.debug("Loading CRLs")

  case Puppet[:certificate_revocation]
  when :chain, :leaf
    crls = @cert_provider.load_crls
    if crls
      next_ctx = @ssl_provider.create_root_context(cacerts: ssl_context[:cacerts], crls: crls)

      now = Time.now
      last_update = @cert_provider.crl_last_update
      if needs_refresh?(now, last_update)
        next_ctx = refresh_crl(next_ctx, last_update)
      end
    else
      next_ctx = download_crl(@ssl_context, nil)
    end
  else
    Puppet.info("Certificate revocation is disabled, skipping CRL download")
    next_ctx = @ssl_provider.create_root_context(cacerts: ssl_context[:cacerts], crls: [])
  end

  NeedKey.new(@machine, next_ctx)
rescue OpenSSL::X509::CRLError => e
  Error.new(@machine, e.message, e)
rescue Puppet::HTTP::ResponseError => e
  if e.response.code == 404
    to_error(_('CRL is missing from the server'), e)
  else
    to_error(_('Could not download CRLs: %{message}') % { message: e.message }, e)
  end
end
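The branches of next_state differ only in whether the root context receives a CRL list (`crls: []` when revocation is disabled, the loaded or downloaded CRLs otherwise). The added example below, which is my own code and not Puppet's, builds a constructed throw-away CA, leaf certificate and CRL with Ruby's OpenSSL bindings to show what that difference means for a revoked agent certificate, and why a stale CRL (nextUpdate in the past) must be refreshed rather than kept. It assumes that enabling revocation corresponds to OpenSSL's V_FLAG_CRL_CHECK store flag; the page does not show Puppet's own store setup.

```ruby
require 'openssl'

# Constructed throw-away PKI: a self-signed CA and one leaf certificate (serial 42) signed by it.
def build_pki
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = OpenSSL::X509::Certificate.new
  ca.version = 2
  ca.serial = 1
  ca.subject = ca.issuer = OpenSSL::X509::Name.parse('/CN=Test CA')
  ca.public_key = ca_key.public_key
  ca.not_before = Time.now - 60
  ca.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ca.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  ca.sign(ca_key, OpenSSL::Digest.new('SHA256'))
  leaf_key = OpenSSL::PKey::RSA.new(2048)
  leaf = OpenSSL::X509::Certificate.new
  leaf.version = 2
  leaf.serial = 42
  leaf.subject = OpenSSL::X509::Name.parse('/CN=agent.example')
  leaf.issuer = ca.subject
  leaf.public_key = leaf_key.public_key
  leaf.not_before = Time.now - 60
  leaf.not_after = Time.now + 3600
  leaf.sign(ca_key, OpenSSL::Digest.new('SHA256'))
  [ca, ca_key, leaf]
end

# A CRL issued by the CA that revokes serial 42; next_update decides whether OpenSSL considers it stale.
def build_crl(ca, ca_key, next_update)
  crl = OpenSSL::X509::CRL.new
  crl.version = 1
  crl.issuer = ca.subject
  crl.last_update = Time.now - 60
  crl.next_update = next_update
  revoked = OpenSSL::X509::Revoked.new
  revoked.serial = 42
  revoked.time = Time.now - 30
  crl.add_revoked(revoked)
  crl.sign(ca_key, OpenSSL::Digest.new('SHA256'))
  crl
end

# Verify the leaf against a store built like the two root contexts: crls: [] disables revocation
# checking entirely; a non-empty list turns on CRL checking (V_FLAG_CRL_CHECK is an assumption here).
def verify_with(ca, leaf, crls)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca)
  crls.each { |crl| store.add_crl(crl) }
  store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK unless crls.empty?
  [store.verify(leaf), store.error_string]
end
```

With no CRL the revoked leaf verifies as "ok"; with a current CRL the result is "certificate revoked"; with a CRL whose nextUpdate has passed the result is "CRL has expired", so a stale CRL does not silently pass, it breaks verification, which is why the state refreshes it.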