Merge pull request #238 from joshcooper/2.6.x

(#10739) Provide default subjectAltNames while bootstrapping master
puppetlabs · Nov 29, 2011 · ef1e700 · ef1e700
2 parents e29b5df + e4ee794
commit ef1e700
Show file tree

Hide file tree

Showing 2 changed files with 60 additions and 9 deletions.
diff --git a/lib/puppet/ssl/host.rb b/lib/puppet/ssl/host.rb
@@ -151,6 +151,8 @@ def generate_certificate_request(options = {})
       # ...add our configured dns_alt_names
       if Puppet[:dns_alt_names] and Puppet[:dns_alt_names] != ''
         options[:dns_alt_names] ||= Puppet[:dns_alt_names]
+      elsif Puppet::SSL::CertificateAuthority.ca? and fqdn = Facter.value(:fqdn) and domain = Facter.value(:domain)
+        options[:dns_alt_names] = "puppet, #{fqdn}, puppet.#{domain}"
       end
     end
 

diff --git a/spec/unit/ssl/host_spec.rb b/spec/unit/ssl/host_spec.rb
@@ -82,8 +82,6 @@
 
   context "with dns_alt_names" do
     before :each do
-      Puppet[:dns_alt_names] = 'one, two'
-
       @key = stub('key content')
       key = stub('key', :generate => true, :save => true, :content => @key)
       Puppet::SSL::Key.stubs(:new).returns key
@@ -92,17 +90,68 @@
       Puppet::SSL::CertificateRequest.stubs(:new).returns @cr
     end
 
-    it "should not include subjectAltName if not the local node" do
-      @cr.expects(:generate).with(@key, {})
+    describe "explicitly specified" do
+      before :each do
+        Puppet[:dns_alt_names] = 'one, two'
+      end
+
+      it "should not include subjectAltName if not the local node" do
+        @cr.expects(:generate).with(@key, {})
 
-      Puppet::SSL::Host.new('not-the-' + Puppet[:certname]).generate
+        Puppet::SSL::Host.new('not-the-' + Puppet[:certname]).generate
+      end
+
+      it "should include subjectAltName if I am a CA" do
+        @cr.expects(:generate).
+          with(@key, { :dns_alt_names => Puppet[:dns_alt_names] })
+
+        Puppet::SSL::Host.localhost
+      end
     end
 
-    it "should include subjectAltName if I am a CA" do
-      @cr.expects(:generate).
-        with(@key, { :dns_alt_names => Puppet[:dns_alt_names] })
+    describe "implicitly defaulted" do
+      let(:ca) { stub('ca', :sign => nil) }
 
-      Puppet::SSL::Host.localhost
+      before :each do
+        Puppet[:dns_alt_names] = ''
+
+        Puppet::SSL::CertificateAuthority.stubs(:instance).returns ca
+      end
+
+      it "should not include defaults if we're not the CA" do
+        Puppet::SSL::CertificateAuthority.stubs(:ca?).returns false
+
+        @cr.expects(:generate).with(@key, {})
+
+        Puppet::SSL::Host.localhost
+      end
+
+      it "should not include defaults if not the local node" do
+        Puppet::SSL::CertificateAuthority.stubs(:ca?).returns true
+
+        @cr.expects(:generate).with(@key, {})
+
+        Puppet::SSL::Host.new('not-the-' + Puppet[:certname]).generate
+      end
+
+      it "should not include defaults if we can't resolve our fqdn" do
+        Puppet::SSL::CertificateAuthority.stubs(:ca?).returns true
+        Facter.stubs(:value).with(:fqdn).returns nil
+
+        @cr.expects(:generate).with(@key, {})
+
+        Puppet::SSL::Host.localhost
+      end
+
+      it "should provide defaults if we're bootstrapping the local master" do
+        Puppet::SSL::CertificateAuthority.stubs(:ca?).returns true
+        Facter.stubs(:value).with(:fqdn).returns 'web.foo.com'
+        Facter.stubs(:value).with(:domain).returns 'foo.com'
+
+        @cr.expects(:generate).with(@key, {:dns_alt_names => "puppet, web.foo.com, puppet.foo.com"})
+
+        Puppet::SSL::Host.localhost
+      end
     end
   end