Feature/master/pup 672 csr extensions as trusted #2210
Merged
jpartlow merged 12 commits into puppetlabs:master on Jan 2, 2014
Conversation
There are other tests that use the module tool to search for modules. This kind of check is better done in one of those where the system just "has to work" as part of some larger narrative arc.
This adds a check that the certificate extensions show up as trusted data. Does not yet pass as the feature isn't implemented yet.
Using the mocks is not absolutely necessary in this case. It is easy to construct the certificate and using it makes it a little clearer what kind of object we are dealing with.
A major problem in puppet is keeping track of contextual information. The Puppet::Indirector::Request attempts to do this, but it isn't able to pass that information between indirector requests. This adds a global context system, where once a value is set it cannot be changed, but a subcontext can be created.
The master application was not using Puppet.log_exception to log out any errors that might occur during --compile. This meant that there was no backtrace information available to diagnose the problem.
Before it wasn't possible to get a value from the context that might not have the requested binding. This adds the ability to provide a default in the case where there is no binding for the name.
This pulls apart the indirector request and the trusted information. The trusted information is stored in the Puppet::Context and overridden by the remote request handler to allow the injection of various elements of trusted information. The reason to separate it from the indirector request is because the indirector requests are hard to control, as they are constructed from hashes of information passed around and manipulated. This should provide a more straightforward mechanism for managing this kind of "contextual" information.
This extends the trusted information that is exposed to the system and manifests to include the certificate extensions that are part of the certificate provided by the agent. Only the custom extensions that are part of the puppet extension arc are included.
During implementation of the trusted extensions the layout of the trusted hash changed a little bit. This updates the acceptance test to reflect that and also changes it to be much more straightforward to read for the expected structure.
Previous implementation exposed a bind method allowing you to add bindings to the current context. This method has been removed. Now every context is generated only once, either from an initial push or override, both of which require a hash of bindings which are merged into the parent's binding state.
This is just a refactor putting Puppet::Indirector::TrustedInformation into the Puppet::Context module instead.
Contributor (Author):
@zaphod42 I think you should do a quick review of the Puppet::Context changes to see if it lines up with what you were thinking. I also need to run the acceptance test, which I'll do after lunch.

Contributor (Author):
The new certificate_extensions acceptance test passed on rhel6

Contributor:
@jpartlow I think it looks pretty good. I left a comment about making it a little more strict.

CLA signed by all contributors.
Rather than silently accept a root pop and return the root binding, fail fast with a StackUnderflow exception on an attempt to pop the root of Puppet::Context.
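The push/override/lookup/pop semantics described across the commit messages above (bindings merged into an immutable layer, subcontexts via override, a default on lookup, and a fail-fast StackUnderflow when popping the root), as an added Ruby illustration that is not Puppet's own Puppet::Context code; the class, method and exception names and the sample trusted data are assumed:

```ruby
# Illustrative, hypothetical stand-in for Puppet::Context (not Puppet's code).
class ContextDemo
  class StackUnderflow < StandardError; end
  class UndefinedBinding < StandardError; end

  # One immutable layer: the parent's bindings merged with the new ones, then frozen,
  # so a name can be shadowed in a child but never rebound in place.
  class Layer
    attr_reader :bindings, :parent
    def initialize(bindings, parent)
      @bindings = (parent ? parent.bindings : {}).merge(bindings).freeze
      @parent = parent
    end
  end

  def initialize(root_bindings)
    @root = @current = Layer.new(root_bindings, nil)
  end

  # push: create a subcontext whose bindings extend (and may shadow) the parent's.
  def push(bindings)
    @current = Layer.new(bindings, @current)
  end

  # pop: fail fast rather than silently handing back the root binding.
  def pop
    raise StackUnderflow, 'cannot pop the root context' if @current.equal?(@root)
    @current = @current.parent
  end

  # lookup: the binding if present, else the block's value as a default, else an error.
  def lookup(name, &default)
    return @current.bindings[name] if @current.bindings.key?(name)
    return default.call if default
    raise UndefinedBinding, "no binding for #{name}"
  end

  # override: run the block in a subcontext and always pop it afterwards.
  def override(bindings)
    push(bindings)
    yield
  ensure
    pop
  end
end

# Mirrors the remote request handler overriding :trusted (constructed sample data).
def demo_trusted_override
  ctx = ContextDemo.new(trusted: { 'authenticated' => 'local' })
  inner = nil
  remote = { 'authenticated' => 'remote', 'certname' => 'agent.example.test',
             'extensions' => { 'constructed_ext' => 'constructed-value' } }
  ctx.override(trusted: remote) { inner = ctx.lookup(:trusted) }
  [ctx.lookup(:trusted), inner] # outer stays 'local', inner saw 'remote'
end
```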
jpartlow added a commit that referenced this pull request on Jan 2, 2014: …ensions-as-trusted Feature/master/pup 672 csr extensions as trusted
Updates Andy's PR 2195 to make Puppet::Context immutable and move TrustedInformation into its namespace.