Class: Puppet::SSL::StateMachine Private
- Defined in:
- lib/puppet/ssl/state_machine.rb
Overview
This class is part of a private API. You should avoid using this class if possible, as it may be removed or be changed in the future.
This class implements a state machine for bootstrapping a host's CA and CRL bundles, private key and signed client certificate. Each state has a frozen SSLContext that it uses to make network connections. If a state makes progress bootstrapping the host, then the state will generate a new frozen SSLContext and pass that to the next state. For example, the NeedCACerts state will load or download a CA bundle, and generate a new SSLContext containing those CA certs. This way we're sure about which SSLContext is being used during any phase of the bootstrapping process.
Defined Under Namespace
Classes: Done, Error, KeySSLState, LockFailure, NeedCACerts, NeedCRLs, NeedCert, NeedKey, NeedLock, NeedRenewedCert, NeedSubmitCSR, SSLState, Wait
Instance Attribute Summary collapse
- #ca_fingerprint ⇒ Object readonly private
- #cert_provider ⇒ Object readonly private
- #digest ⇒ Object readonly private
- #session ⇒ Object private
- #ssl_provider ⇒ Object readonly private
- #wait_deadline ⇒ Object readonly private
- #waitforcert ⇒ Object readonly private
- #waitforlock ⇒ Object readonly private
- #waitlock_deadline ⇒ Object readonly private
Instance Method Summary collapse
- #digest_as_hex(str) ⇒ Object private
-
#ensure_ca_certificates ⇒ Puppet::SSL::SSLContext
private
Run the state machine for CA certs and CRLs.
-
#ensure_client_certificate ⇒ Puppet::SSL::SSLContext
private
Run the state machine for client certs.
-
#initialize(waitforcert: , maxwaitforcert: , waitforlock: , maxwaitforlock: , onetime: , cert_provider: Puppet::X509::CertProvider.new, ssl_provider: Puppet::SSL::SSLProvider.new, lockfile: Puppet::Util::Pidlock.new(Puppet[:ssl_lockfile]), digest: 'SHA256', ca_fingerprint: ) ⇒ StateMachine
constructor
private
Construct a state machine to manage the SSL initialization process.
- #lock ⇒ Object private
- #unlock ⇒ Object private
Constructor Details
#initialize(waitforcert: , maxwaitforcert: , waitforlock: , maxwaitforlock: , onetime: , cert_provider: Puppet::X509::CertProvider.new, ssl_provider: Puppet::SSL::SSLProvider.new, lockfile: Puppet::Util::Pidlock.new(Puppet[:ssl_lockfile]), digest: 'SHA256', ca_fingerprint: ) ⇒ StateMachine
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
Construct a state machine to manage the SSL initialization process. By
default, if the state machine encounters an exception, it will log the
exception and wait for waitforcert seconds and retry, restarting from the
beginning of the state machine.
However, if onetime is true, then the state machine will raise the first
error it encounters, instead of waiting. Otherwise, if waitforcert is 0,
then then state machine will exit instead of wait.
523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 |
# File 'lib/puppet/ssl/state_machine.rb', line 523 def initialize(waitforcert: Puppet[:waitforcert], maxwaitforcert: Puppet[:maxwaitforcert], waitforlock: Puppet[:waitforlock], maxwaitforlock: Puppet[:maxwaitforlock], onetime: Puppet[:onetime], cert_provider: Puppet::X509::CertProvider.new, ssl_provider: Puppet::SSL::SSLProvider.new, lockfile: Puppet::Util::Pidlock.new(Puppet[:ssl_lockfile]), digest: 'SHA256', ca_fingerprint: Puppet[:ca_fingerprint]) @waitforcert = waitforcert @wait_deadline = Time.now.to_i + maxwaitforcert @waitforlock = waitforlock @waitlock_deadline = Time.now.to_i + maxwaitforlock @onetime = onetime @cert_provider = cert_provider @ssl_provider = ssl_provider @lockfile = lockfile @digest = digest @ca_fingerprint = ca_fingerprint @session = Puppet.runtime[:http].create_session end |
Instance Attribute Details
#ca_fingerprint ⇒ Object (readonly)
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
494 495 496 |
# File 'lib/puppet/ssl/state_machine.rb', line 494 def ca_fingerprint @ca_fingerprint end |
#cert_provider ⇒ Object (readonly)
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
494 495 496 |
# File 'lib/puppet/ssl/state_machine.rb', line 494 def cert_provider @cert_provider end |
#digest ⇒ Object (readonly)
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
494 495 496 |
# File 'lib/puppet/ssl/state_machine.rb', line 494 def digest @digest end |
#session ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
495 496 497 |
# File 'lib/puppet/ssl/state_machine.rb', line 495 def session @session end |
#ssl_provider ⇒ Object (readonly)
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
494 495 496 |
# File 'lib/puppet/ssl/state_machine.rb', line 494 def ssl_provider @ssl_provider end |
#wait_deadline ⇒ Object (readonly)
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
494 495 496 |
# File 'lib/puppet/ssl/state_machine.rb', line 494 def wait_deadline @wait_deadline end |
#waitforcert ⇒ Object (readonly)
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
494 495 496 |
# File 'lib/puppet/ssl/state_machine.rb', line 494 def waitforcert @waitforcert end |
#waitforlock ⇒ Object (readonly)
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
494 495 496 |
# File 'lib/puppet/ssl/state_machine.rb', line 494 def waitforlock @waitforlock end |
#waitlock_deadline ⇒ Object (readonly)
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
494 495 496 |
# File 'lib/puppet/ssl/state_machine.rb', line 494 def waitlock_deadline @waitlock_deadline end |
Instance Method Details
#digest_as_hex(str) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
576 577 578 |
# File 'lib/puppet/ssl/state_machine.rb', line 576 def digest_as_hex(str) Puppet::SSL::Digest.new(digest, str).to_hex end |
#ensure_ca_certificates ⇒ Puppet::SSL::SSLContext
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
Run the state machine for CA certs and CRLs.
551 552 553 554 |
# File 'lib/puppet/ssl/state_machine.rb', line 551 def ensure_ca_certificates final_state = run_machine(NeedLock.new(self), NeedKey) final_state.ssl_context end |
#ensure_client_certificate ⇒ Puppet::SSL::SSLContext
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
Run the state machine for client certs.
561 562 563 564 565 566 |
# File 'lib/puppet/ssl/state_machine.rb', line 561 def ensure_client_certificate final_state = run_machine(NeedLock.new(self), Done) ssl_context = final_state.ssl_context @ssl_provider.print(ssl_context, @digest) ssl_context end |
#lock ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
568 569 570 |
# File 'lib/puppet/ssl/state_machine.rb', line 568 def lock @lockfile.lock end |
#unlock ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
572 573 574 |
# File 'lib/puppet/ssl/state_machine.rb', line 572 def unlock @lockfile.unlock end |