Age | Commit message | Author | Files | Lines |
|
When using certificate chaining or otherwise generating SSL certificates
outside of Puppet, the subject often has multiple components, e.g.,
CN=hostname.foo.com,O=Foo\, Inc.,OU=Marketing
The hostname, which is later verified against a strict set of allowed
characters, is only extracted from the "CN" field, with all of the other
fields ignored.
This uses OpenSSL::X509::Name to parse the DNs, allowing both
rfc2253-formatted and openssl-formatted DNs, as seen from Apache and
nginx, respectively.
|
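The CN extraction described in the commit message above, sketched as an added example (not code from this commit or from Puppet). The `cn_from_subject` name, the `VALID_CN` pattern, the "exactly one CN" rule and the sample DNs are assumptions made for illustration.

```ruby
require 'openssl'

# Assumed strict hostname character set; the project's real pattern is not on this page.
VALID_CN = /\A[a-z0-9._-]+\z/

# Parse a subject DN in either format and return its CN, or nil when the DN is
# malformed, does not carry exactly one CN, or the CN has disallowed characters.
def cn_from_subject(subject)
  name = if subject.start_with?('/')
           OpenSSL::X509::Name.parse_openssl(subject)  # /CN=host/O=Org
         else
           OpenSSL::X509::Name.parse_rfc2253(subject)  # CN=host,O=Org
         end
  # Only the CN component is used; O, OU and the rest are ignored.
  cns = name.to_a.select { |field, _value, _type| field == 'CN' }
            .map { |_field, value, _type| value }
  return nil unless cns.length == 1
  cn = cns.first.downcase
  VALID_CN.match?(cn) ? cn : nil
rescue OpenSSL::X509::NameError, TypeError, ArgumentError
  nil # unparseable DN: treat as "no usable hostname"
end

# Constructed sample subjects (the first is the DN quoted in the commit message).
SAMPLE_SUBJECTS = [
  'CN=hostname.foo.com,O=Foo\, Inc.,OU=Marketing', # rfc2253, escaped comma in O
  '/CN=agent01.example.com/O=Example Org/OU=Ops',  # openssl one-line format
  'CN=bad host!,O=Example',                        # CN fails the character check
  'O=Foo\, Inc.,OU=Marketing',                     # no CN at all
  'garbage'                                        # not a DN
].freeze

SAMPLE_SUBJECTS.each do |dn|
  puts format('%-48s -> %s', dn, cn_from_subject(dn).inspect)
end
```

Passing the whole subject string to the hostname check would reject the first two samples because of their `=`, `,` and space characters, which is the failure the commit addresses.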
|
Without this patch Ruby 1.9 is still complaining loudly about trying to
parse the spec files. The previous attempt to clean up this problem in
edc3ddf works for Ruby 1.8 but not 1.9.
I'd prefer to remove the shebang lines entirely, but doing so will cause
encoding errors in Ruby 1.9. This patch strives for a happy middle
ground of convincing Ruby it is actually working with Ruby while not
confusing it to think it should exec() to rspec.
This patch is the result of the following command run against the source
tree:
find spec -type f -print0 | \
xargs -0 perl -pl -i -e 's,^\#\!\s?/(.*)rspec,\#! /usr/bin/env ruby,'
|
|
Since the digest algorithm changed between Puppet 2.7 and 3.0 from MD5 to
SHA256, there was a problem when submitting a CSR from a 2.7 agent to a 3.0
master. The agent would display the fingerprint using MD5, and the master
would display the SHA256 fingerprint, making it impossible to verify using the
normal puppet commands. This makes the default digest algorithm for each CSR
the algorithm that was used to generate the signature. This will be MD5 for a
CSR generated on 2.7, and SHA256 for a CSR generated on 3.0. When showing a
fingerprint puppet will now always print the digest algorithm that was used.
All fingerprinting commands should also accept a --digest option to specify
the digest.
It also significantly refactors and unifies the code used to generate and
display fingerprints. It introduces a new class, Puppet::SSL::Digest, to
encapsulate digest data, and uses this everywhere a digest is needed.
|
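The fingerprint behaviour described in the commit message above, sketched as an added example (not Puppet's `Puppet::SSL::Digest` code). The helper names, the output format and the sample CSR are assumptions; SHA256 and SHA512 stand in for the MD5/SHA256 pair so the script also runs where MD5 is unavailable.

```ruby
require 'openssl'

# Build a constructed CSR signed with the given digest (sample data only).
def build_csr(key, digest_name)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.parse_openssl('/CN=agent01.example.com')
  csr.public_key = key.public_key
  csr.sign(key, OpenSSL::Digest.new(digest_name))
end

# Derive the digest name from the CSR's signature algorithm,
# e.g. "sha256WithRSAEncryption" -> "SHA256". Returns nil if unrecognised.
def csr_digest_name(csr)
  m = csr.signature_algorithm.match(/\A(md5|sha1|sha224|sha256|sha384|sha512)With/i)
  m ? m[1].upcase : nil
end

# Fingerprint the DER encoding. The default digest is the one the CSR was
# signed with; an explicit digest_name plays the role of a --digest option.
# The algorithm is always printed so both sides know what they are comparing.
def fingerprint(csr, digest_name = nil)
  digest_name ||= csr_digest_name(csr)
  raise ArgumentError, 'cannot determine digest for this CSR' if digest_name.nil?
  hex = OpenSSL::Digest.new(digest_name).hexdigest(csr.to_der)
  "(#{digest_name}) #{hex.upcase.scan(/../).join(':')}"
end

key = OpenSSL::PKey::RSA.new(2048)
%w[SHA256 SHA512].each do |signed_with|
  csr = build_csr(key, signed_with)
  puts "signed with #{signed_with}: #{fingerprint(csr)}"
end
```

An operator comparing fingerprints across versions can pass the same digest name on both sides and match the labelled prefix before comparing the hex.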
|
Instead of creating certificates by turning OpenSSL::X509::Certificate
instances into strings then back into a new instance, just reuse them.
This method is on the base SSL class, so it can be used for keys,
certificate requests, etc.
The side effect of this change is that extracting the certificate 'name'
out of its subject is abstracted (`name_from_subject()`), and it no
longer calls downcase on the name. This is safe since it's downcased in
the base class constructor, and also provides a prettier 'name' if
needed.
|
|
Without this patch some spec files are using `ruby -S rspec` and others
are using `rspec`.
We should standardize on a single form of the interpreter used for spec
files.
`ruby -S rspec` is the best choice because it correctly informs editors
such as Vim with Syntastic that the file is a Ruby file rather than an
Rspec file.
|
|
Change the default digest algorithm away from MD5
This commit is one step along the way to FIPS 140-2 compliance (#8120).
In a FIPS 140-2 environment, MD5 is not available. Older versions of
Ruby (1.8.7, 1.9.2) will SIGABRT when trying to use MD5 because they
don't properly check the return code from openssl.
Because the fingerprints between agent and master aren't
machine-verified and `puppet cert list --digest <digest>` supports any
of the digests, this commit is backwards and forwards compatible.
Later portions of #8120 will make the default digest algorithm
configurable.
|
|
We now use a shebang of: #!/usr/bin/env rspec
This enables the direct execution of spec tests again, which was lost earlier
during the transition to more directly using the rspec2 runtime environment.
|
|
rspec2 automatically sets a bunch of load-path stuff we were doing by hand, so we
can just stop. As a side-effect we can now avoid a whole pile of stupid things
to try and include the spec_helper.rb file...
...and then we can stop protecting spec_helper from evaluating twice, since we
now require it with a consistent name. Yay.
Reviewed-By: Pieter van de Bruggen <pieter@puppetlabs.com>
|
|
Doing a require to a relative path can cause files to be required more
than once when they're required from different relative paths. If you
expand the path fully, this won't happen. Ruby 1.9 also requires that
you use expand_path when doing these requires.
Paired-with: Jesse Wolfe
|
|
Replaced 106806 occurrences of ^( +)(.*$) with
The ruby community almost universally (i.e. everyone but Luke, Markus, and the other eleven people
who learned ruby in the 1900s) uses two-space indentation.
3 Examples:
The code:
end
# Tell getopt which arguments are valid
def test_get_getopt_args
element = Setting.new :name => "foo", :desc => "anything", :settings => Puppet::Util::Settings.new
assert_equal([["--foo", GetoptLong::REQUIRED_ARGUMENT]], element.getopt_args, "Did not produce appropriate getopt args")
becomes:
end
# Tell getopt which arguments are valid
def test_get_getopt_args
element = Setting.new :name => "foo", :desc => "anything", :settings => Puppet::Util::Settings.new
assert_equal([["--foo", GetoptLong::REQUIRED_ARGUMENT]], element.getopt_args, "Did not produce appropriate getopt args")
The code:
assert_equal(str, val)
assert_instance_of(Float, result)
end
# Now test it with a passed object
becomes:
assert_equal(str, val)
assert_instance_of(Float, result)
end
# Now test it with a passed object
The code:
end
assert_nothing_raised do
klass[:Yay] = "boo"
klass["Cool"] = :yayness
end
becomes:
end
assert_nothing_raised do
klass[:Yay] = "boo"
klass["Cool"] = :yayness
end
|
|
Part 2 re-did the change on the spec files, which it shouldn't have.
|
|
Some spec files like active_record.rb had names that would confuse the
load path and get loaded instead of the intended implementation when the
spec was run from the same directory as the file.
Author: Matt Robinson <matt@puppetlabs.com>
Date: Fri Jun 11 15:29:33 2010 -0700
|
|
Some spec files like active_record.rb had names that would confuse the
load path and get loaded instead of the intended implementation when the
spec was run from the same directory as the file.
Author: Matt Robinson <matt@puppetlabs.com>
Date: Fri Jun 11 15:29:33 2010 -0700
|