(PUP-7283) Disable CRL checking when fetching the CRL

[adrienthebo]

When we're fetching the CRL for the first time and a CRL hasn't been provided out of band, we need to disable CRL checking until that request has completed.

I've also included a graphical representation of the indirector for anyone interested.

[puppetcla]

CLA signed by all contributors.

[MosesMendoza]

Was this just a bug that already existed? This changes us from always having unique context ID in the stack to possibly having duplicates. I'm not super familiar with the system - is that safe?

[adrienthebo]

The @id field isn't directly exposed and you can only really observe it by stepping into the class via the debugger. I assumed the id was meant to indicate the context depth but it could be a unique identifier. Is that more helpful, identifying the context or stack depth?

But since this isn't exposed anywhere I can drop this commit and we can pretend this question never came up.

[MosesMendoza]

¯_(ツ)_/¯. I looked further at it and agree its innocuous.

[joshcooper]

I'm pretty sure @id is meant to be a unique id for things in the stack, not the stack depth. Although it isn't exposed outside of this class, I'm thinking we shouldn't modify it's behavior, especially since it's not meaningful to this PR.

[adrienthebo]

Removed.

[MosesMendoza]

Would we ever execute a find via the file terminus and run into the same problem?

[adrienthebo]

We have to have this guard clause because we might need to make network operations in order to configure SSL, which causes infinite recursion. With the file terminus the file is there or it's not, and we won't recurse.

[MosesMendoza]

👍 that makes sense

[MosesMendoza]

@adrienthebo are you able to do a local acceptance run against this?

[adrienthebo]

@MosesMendoza I've run the tests locally and I don't get the infinite recursion that we did last time. However I was getting a failure on the autosign command tests but that was also failing against the 4.9.4 tag, so I don't know if it's related. I'm going to investigate more and see if the failure is related or due to some precondition that another test was satisfying.

[adrienthebo]

@branan @MosesMendoza I've been getting a lot of failures when running beaker locally, and they generally seem unrelated to the changes I've made. The autosigning failure that I've seen is perplexing but it happens on master and my branch, so I'm baffled. May we try merging this and see if it works? If nothing else the infinite recursion looks fixed.

(I'd also like to get this wrapped up before the end of the sprint tomorrow)

[MosesMendoza]

@adrienthebo sounds good. puppet/master tests are currently red but good to merge when green.

[adrienthebo]

Thank you!

[joshcooper]

Is the request.method == :find check redundant?

[adrienthebo]

Thanks for catching that, I originally implemented this in #network where this check was needed. When I shifted the implementation I didn't drop this check. It's gone now.

[adrienthebo]

@MosesMendoza it looks like the puppet master component tests are passing, can this get merged today?

[branan]

Since this has a thumb from @MosesMendoza pending a green master, master is green, and I am also 👍 : I'm hitting the big green button. Nobody can stop me. NOBODY! MUAHAHAHAHAHAHAHA!