Age | Commit message | Author | Files | Lines |
|
As discussed in the ticket this will add the authorityKeyIdentifier that
is not required, but recommended to add to certs signed by a CA
conforming to RFC 5280. This extension takes the subjectKeyIdentifier of
the CA certificate and adds it as keyid to authorityKeyIdentifier. This
PR also adds a test to make sure the extension is correctly added to the
resulting certificate.
|
|
This fixes the regression that appeared when the arguments to
ExtensionFactory were accidentally swapped.
Also added a test case to check if the subjectKeyIdentifier is present.
|
|
|
|
Without this patch Ruby 1.9 is still complaining loudly about trying to
parse the spec files. The previous attempt to clean up this problem in
edc3ddf works for Ruby 1.8 but not 1.9.
I'd prefer to remove the shebang lines entirely, but doing so will cause
encoding errors in Ruby 1.9. This patch strives for a happy middle
ground of convincing Ruby it is actually working with Ruby while not
confusing it to think it should exec() to rspec.
This patch is the result of the following command run against the source
tree:
find spec -type f -print0 | \
xargs -0 perl -pl -i -e 's,^\#\!\s?/(.*)rspec,\#! /usr/bin/env ruby,'
|
|
The DurationSetting converts strings with units into a number of
seconds, but more importantly guarantees that the setting will be an
integer. The following settings can now be specified as durations:
configtimeout
filetimeout
waitforcert
splaylimit
runinterval
rrdinterval
ca_ttl
Since multiple settings can use this format, the description was removed
from `ca_ttl` to be added to the config section of puppet-docs.
Also note, since many of these settings specify sub-hour times, the unit
'm' was added for specifying times in minutes.
|
|
Without this patch some spec files are using `ruby -S rspec` and others
are using `rspec`.
We should standardize on a single form of the interpreter used for spec
files.
`ruby -S rspec` is the best choice because it correctly informs editors
such as Vim with Syntastic that the file is a Ruby file rather than an
Rspec file.
|
|
Some of the certificate factory spec tests were trying to ensure that
the certificate factory's ttl was being applied when signing a
certificate's `not_after` time. However, the tests did not take into
account the amount of time it takes to sign the certificate, which can
be non-negligible.
As a result, the absolute difference between `not_after` and `Time.now +
ttl` was sometimes greater than or equal to 1 second, causing sporadic
test failures.
This commit changes the tests to be less time dependent by ensuring the
difference is within 30 seconds (for both `not_before` and `not_after`).
|
|
A handful of methods, like Array#count and String#start_with? don't exist in
older versions of Ruby, and have sufficiently complex semantics that
rebuilding them seems less than worthwhile.
This rewrites the small points of code to avoid those methods, retaining
compatibility with 1.8.5 and 1.8.6 across the board.
Signed-off-by: Daniel Pittman <daniel@puppetlabs.com>
|
|
Now that `dns_alt_names` applies to local CSR generation, there is no need
for a special configuration option only applied to a master certificate.
Eliminating that option allows us to simplify the overall model, and provide
more uniform access to the `subjectAltName` setting when required.
Documentation about the option is also updated.
Signed-off-by: Daniel Pittman <daniel@puppetlabs.com>
|
|
The name of the option for adding subjectAltName fields to the request didn't
really indicate what it actually did: we forced the names into the DNS label
space, and generally imposed a bunch of additional behaviours.
This renames the option to better match the intended use.
Signed-off-by: Daniel Pittman <daniel@puppetlabs.com>
|
|
As part of the update to SSL the behaviour of the `certdnsnames` options
changed sufficiently that it would be terribly confusing to retain it.
Instead, modify the setting to warn that it is ignored, and add a new setting
to set the default subjectAltName value for bootstrapping a master
certificate.
This retains the one really useful part of the feature, without the risk that
someone will accidentally use the old name and receive a nasty surprise.
It should also draw more attention to formerly insecure configurations.
Signed-off-by: Daniel Pittman <daniel@puppetlabs.com>
|
|
The puppet cert application now supports the --allow-subject-alt-names command
line flag to specify that the certificate to sign should contain a
subjectAltName extension request.
If the option is not specified, an attempt to sign a certificate with alt
names will fail. Similarly, if the option is specified, an attempt to sign a
certificate without alt names will fail.
The latter behavior is deliberate, and is intended to help stop users from
developing a habit of always supplying the option, and thus accidentally
signing a dangerous certificate without realizing it when one comes along.
It also adds the `--subject-alt-name` option that will add a `subjectAltName`
extension request to a CSR when it is generated. This allows an additional
service to be bootstrapped with those names.
Generally only one of the two options should be required, as the CSR and the
signing process are distinct.
Mostly by Nick Lewis, additional code by Daniel Pittman
Signed-off-by: Daniel Pittman <daniel@puppetlabs.com>
|
|
This is a major rewrite of the SSL CertificateFactory, which transforms the
way that we build the certificate we are about to sign in response to a CSR.
The main body of rework is to clean up the code and make it easier to manage
and validate, but there are two essential changes:
1. We no longer inject `subjectAltName` from local `certdnsnames`
configuration option into every certificate we generate. This fixes
CVE-2011-3872, and prevents issuing client certificates that can
impersonate the master.
2. *All* request extensions from the CSR are transported into the final
certificate. This includes `basicConstraints`; we rely on other layers of
the Puppet stack having validated the code to this point.
Signed-off-by: Daniel Pittman <daniel@puppetlabs.com>
|
|
We now use a shebang of: #!/usr/bin/env rspec
This enables the direct execution of spec tests again, which was lost earlier
during the transition to more directly using the rspec2 runtime environment.
|
|
rspec2 automatically sets a bunch of load-path stuff we were setting by hand, so we
can just stop. As a side-effect we can now avoid a whole pile of stupid things
to try and include the spec_helper.rb file...
...and then we can stop protecting spec_helper from evaluating twice, since we
now require it with a consistent name. Yay.
Reviewed-By: Pieter van de Bruggen <pieter@puppetlabs.com>
|
|
Doing a require to a relative path can cause files to be required more
than once when they're required from different relative paths. If you
expand the path fully, this won't happen. Ruby 1.9 also requires that
you use expand_path when doing these requires.
Paired-with: Jesse Wolfe
|
|
Replaced 106806 occurrences of ^( +)(.*$) with
The ruby community almost universally (i.e. everyone but Luke, Markus, and the other eleven people
who learned ruby in the 1900s) uses two-space indentation.
3 Examples:
The code:
end
# Tell getopt which arguments are valid
def test_get_getopt_args
element = Setting.new :name => "foo", :desc => "anything", :settings => Puppet::Util::Settings.new
assert_equal([["--foo", GetoptLong::REQUIRED_ARGUMENT]], element.getopt_args, "Did not produce appropriate getopt args")
becomes:
end
# Tell getopt which arguments are valid
def test_get_getopt_args
element = Setting.new :name => "foo", :desc => "anything", :settings => Puppet::Util::Settings.new
assert_equal([["--foo", GetoptLong::REQUIRED_ARGUMENT]], element.getopt_args, "Did not produce appropriate getopt args")
The code:
assert_equal(str, val)
assert_instance_of(Float, result)
end
# Now test it with a passed object
becomes:
assert_equal(str, val)
assert_instance_of(Float, result)
end
# Now test it with a passed object
The code:
end
assert_nothing_raised do
klass[:Yay] = "boo"
klass["Cool"] = :yayness
end
becomes:
end
assert_nothing_raised do
klass[:Yay] = "boo"
klass["Cool"] = :yayness
end
|
|
Part 2 re-did the change on the spec files, which it shouldn't have.
|
|
Some spec files like active_record.rb had names that would confuse the
load path and get loaded instead of the intended implementation when the
spec was run from the same directory as the file.
Author: Matt Robinson <matt@puppetlabs.com>
Date: Fri Jun 11 15:29:33 2010 -0700
|
|
Some spec files like active_record.rb had names that would confuse the
load path and get loaded instead of the intended implementation when the
spec was run from the same directory as the file.
Author: Matt Robinson <matt@puppetlabs.com>
Date: Fri Jun 11 15:29:33 2010 -0700
|