Age | Commit message | Author | Files | Lines |
Previously, the agent would reject an SSL connection if the CRL it
downloaded from the CA had a `last_update` time that was slightly in the
future. The agent reports this as "CRL is not yet valid." This issue can
happen when the CA's time is slightly ahead of the agent's time, the CRL
is recently updated, and the agent doesn't already have a cached version
of the CRL (due to PUP-2103).
The "CRL not yet valid" error sometimes happens during acceptance testing
when we delete the agent's ssl directory, revoke a cert on the master
(which updates the CRL's last_update field), and run the agent (which
downloads the latest CRL).
This commit modifies the verify callback to ignore "CRL not yet valid"
errors provided all of the following are true:
* current_crl is not nil
* current_crl.last_update is not nil
* current_crl.last_update is strictly less than 5 minutes from now
It also adds specs around unspecified behavior, e.g. ensure the verify
callback returns false when errors are detected.
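The tolerance rule in the commit above, worked through as an added example that is not Puppet's own code. The callback object has the `#call(preverify_ok, store_context)` shape an OpenSSL verify callback needs (the same shape the Puppet::SSL::Validator commit further down describes), accepts `V_ERR_CRL_NOT_YET_VALID` only when `current_crl` and its `last_update` are present and `last_update` is strictly less than five minutes ahead of the local clock, and rejects every other error. To exercise it offline, the block builds a throwaway CA, a leaf certificate and an empty CRL with a chosen `last_update`, and verifies through `OpenSSL::X509::Store#verify` with CRL checking turned on rather than over a live TLS connection. `CrlSkewTolerantCallback`, `build_cert`, `build_crl`, `verify_with_crl_skew`, the `/CN=Example Test CA` and `agent.example` names are all assumptions of this example.

```ruby
require 'openssl'

# Added example, not Puppet's code. Verify callback in the shape OpenSSL calls:
# call(preverify_ok, store_context). It tolerates a CRL whose last_update is
# slightly in the future (CA clock ahead of the agent) and rejects all else.
class CrlSkewTolerantCallback
  MAX_SKEW = 5 * 60 # seconds of clock skew tolerated, per the commit message

  attr_reader :rejections

  def initialize
    @rejections = []
  end

  def call(preverify_ok, store_context)
    return true if preverify_ok

    if store_context.error == OpenSSL::X509::V_ERR_CRL_NOT_YET_VALID
      crl = store_context.current_crl
      # all three conditions from the commit message must hold
      if crl && crl.last_update && crl.last_update < Time.now + MAX_SKEW
        return true
      end
    end

    @rejections << [store_context.error, store_context.error_string]
    false
  end
end

# Constructed fixture (hypothetical names): a throwaway CA and leaf certificate
# so the callback can be exercised offline against a real OpenSSL store.
def build_cert(subject, key, issuer_cert, issuer_key, serial, ca:)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  if ca
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    # cRLSign is required or OpenSSL refuses the CA's CRL outright
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  else
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
  end
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
  cert
end

CA_KEY    = OpenSSL::PKey::RSA.new(2048)
LEAF_KEY  = OpenSSL::PKey::RSA.new(2048)
CA_CERT   = build_cert('/CN=Example Test CA', CA_KEY, nil, CA_KEY, 1, ca: true)
LEAF_CERT = build_cert('/CN=agent.example', LEAF_KEY, CA_CERT, CA_KEY, 2, ca: false)

# An empty CRL from the test CA with the given last_update time.
def build_crl(last_update)
  crl = OpenSSL::X509::CRL.new
  crl.version = 1
  crl.issuer = CA_CERT.subject
  crl.last_update = last_update
  crl.next_update = last_update + 24 * 3600
  crl.sign(CA_KEY, OpenSSL::Digest.new('SHA256'))
  crl
end

# Verify LEAF_CERT with CRL checking on, against a CRL whose last_update is
# skew_seconds from now (positive means the CA's clock is ahead of ours).
# Returns true when the chain is accepted.
def verify_with_crl_skew(skew_seconds, callback = CrlSkewTolerantCallback.new)
  store = OpenSSL::X509::Store.new
  store.add_cert(CA_CERT)
  store.add_crl(build_crl(Time.now + skew_seconds))
  store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK | OpenSSL::X509::V_FLAG_CRL_CHECK_ALL
  store.verify_callback = callback # any object responding to #call works here
  store.verify(LEAF_CERT)
end

if $PROGRAM_NAME == __FILE__
  cb = CrlSkewTolerantCallback.new
  puts "CA 2 min ahead:  #{verify_with_crl_skew(120, cb)}"  # tolerated
  puts "CA 10 min ahead: #{verify_with_crl_skew(600, cb)}"  # rejected
  puts cb.rejections.inspect
end
```

Two points worth noticing when running it: with `V_FLAG_CRL_CHECK_ALL` the same CRL is checked once per certificate in the chain, so the callback sees "not yet valid" for the leaf and again for the CA and must answer consistently; and the tolerance is measured against `Time.now` at callback time, not against the CRL's `next_update`, so a CRL whose `last_update` is ten minutes out is still refused even though it is otherwise well-formed and correctly signed.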
This commit adds specs for current behavior, especially that the verify
callback rejects the connection if preverify_ok is false, and we reject
CRLs whose last_update time is more than 5 minutes in the future.
Previously, validator_spec.rb was requiring
'puppet/ssl/configuration', because puppet/ssl.rb did not require
it. Commit 658e4fd34 fixed puppet/ssl.rb, so it is no longer necessary
or desired for validator_spec.rb to require puppet/ssl/configuration.
Also, the default and no_validators were not consistent in expressing
their dependencies on openssl and puppet/ssl.
This refactors the API with an abstract superclass that contains
the API documentation and two factory methods: one to obtain the
no-validation implementation, and one to obtain the default implementation.
Yardoc reworked.
This provides the ability to create a verifier for SSL connections
opened with puppet's Puppet::Network::HTTP::Connection. The verifier is
provided the Net::HTTP connection and it just needs to configure it for
the correct verification mode.
The new functionality can be used when puppet's standard SSL
verification rules are not suited to the needs of the caller. The
impetus for this was a requirement that a connection be able to be made,
the certificates checked, but the subject and alt name checks skipped.
Rather than put that directly into puppet, this allows a new validator
to be written that performs those checks.
Without this patch the Proc assigned to `Net::HTTP#verify_callback=` is
difficult to test. This is a problem because this Proc handles critical
behavior related to authorization and security.
This patch addresses the problem by extracting the anonymous proc into a
class named Puppet::SSL::Validator. The #call method implements the
Proc API and behaves in the same manner as the anonymous Proc.
This patch also adds explicit behavior tests to cover the #call method
and related authorization checking methods.