Hi all,

Here's the promised summary of how the new SSL support works.

The two biggest architectural changes are that we now have wrapper  
classes, and composite classes when necessary, to model all SSL files,  
and we use the Indirector code to interact with the files on the  
filesystem.

For instance, to find a given host's key, you do:

key = Puppet::SSL::Key.find("host.domain.com")

This returns a key with the name set to 'host.domain.com' and the  
content set to the actual OpenSSL::PKey::RSA instance.

We've also got Certificate, CertificateRequest, and  
CertificateRevocationList classes.  The CRL class is weird because no  
matter what name you use it always looks in the same locations for the  
CRL, but that's actually the easiest and least hackish way to do things.

Finally, there's a composite SSL::Host class that includes a  
certificate, certificate request, and key.  It knows how to generate  
and save them (using the Indirector).  This class is necessary because  
of how interdependent all of the different classes are.

The Host class can have a special name, 'ca'; if you use this name,  
then your key and cert will be the CA key and cert rather than those  
of a host named 'ca'.

There's also a new CertificateAuthority class, which knows how to  
create this special CA Host instance, and then knows how to use it to  
do all of the CA things.  If you're wondering where to start in how to  
understand this new code, this is the best class to start with,  
because it's got the most functionality packed into the least amount  
of space -- list, revoke, sign, generate, destroy, etc.  The class  
does a good job of exercising the interface.
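As an added illustration of the model sketched above (this is a toy re-implementation written for this summary, not Puppet's own ssl/ code or its Indirector; class names follow the mail, but the method signatures, the per-kind directories `private_keys`, `certs` and `requests`, and the in-memory serial counter are all assumptions), the following Ruby puts the pieces together: wrapper classes that pair a name with a parsed OpenSSL object and delegate find/save to a file terminus, a composite Host that generates its key and request on demand, and a CertificateAuthority that is itself the Host named `ca` and signs other hosts' requests after checking them.

```ruby
require 'openssl'
require 'fileutils'
require 'tmpdir'

# Toy stand-in for an Indirector file terminus: one directory per artefact
# kind, one PEM file per name (assumed layout, not Puppet's real ssldir).
class FileTerminus
  def initialize(dir)
    @dir = dir
    FileUtils.mkdir_p(@dir)
  end

  # Only plain host-style names are accepted, so a name can never select a
  # file outside the terminus directory (no separators, no absolute paths).
  def path(name)
    raise ArgumentError, "bad name #{name.inspect}" unless name.match?(/\A[A-Za-z0-9._-]+\z/)
    File.join(@dir, "#{name}.pem")
  end

  def find(name)
    p = path(name)
    File.exist?(p) ? File.read(p) : nil
  end

  def save(name, pem)
    File.open(path(name), 'w', 0o600) { |f| f.write(pem) } # owner-only by default
  end
end

# Wrapper base: a name plus the parsed OpenSSL object; find/save go through
# the terminus configured on each subclass.
class SSLFile
  class << self
    attr_accessor :terminus
  end
  attr_reader :name, :content

  def initialize(name, content)
    @name = name
    @content = content
  end

  def self.find(name)
    pem = terminus.find(name)
    pem && new(name, wrap(pem))   # nil when the file does not exist
  end

  def save
    self.class.terminus.save(name, content.to_pem)
    self
  end
end

class Key < SSLFile
  def self.wrap(pem); OpenSSL::PKey::RSA.new(pem); end
end

class Certificate < SSLFile
  def self.wrap(pem); OpenSSL::X509::Certificate.new(pem); end
end

class CertificateRequest < SSLFile
  def self.wrap(pem); OpenSSL::X509::Request.new(pem); end
end

# Point every wrapper class at its own directory under +base+ (assumed names).
def setup_termini(base)
  Key.terminus = FileTerminus.new(File.join(base, 'private_keys'))
  Certificate.terminus = FileTerminus.new(File.join(base, 'certs'))
  CertificateRequest.terminus = FileTerminus.new(File.join(base, 'requests'))
end

# Composite: a host owns a key, a request and (once signed) a certificate,
# and generates the first two lazily if they are not on disk yet.
class Host
  attr_reader :name
  def initialize(name); @name = name; end

  def key
    @key ||= Key.find(name) || Key.new(name, OpenSSL::PKey::RSA.generate(2048)).save
  end

  def certificate_request
    @csr ||= CertificateRequest.find(name) || generate_request
  end

  def certificate
    Certificate.find(name)
  end

  private

  def generate_request
    req = OpenSSL::X509::Request.new
    req.subject = OpenSSL::X509::Name.new([['CN', name]])
    req.public_key = key.content.public_key
    req.sign(key.content, OpenSSL::Digest.new('SHA256'))
    CertificateRequest.new(name, req).save
  end
end

# The CA is the special Host named 'ca'; its key and cert live under that
# name. Serials are a per-process counter here (a real CA persists them).
class CertificateAuthority
  def initialize
    @host = Host.new('ca')
    @serial = 0
    @cert = Certificate.find('ca') || generate_ca_cert
  end

  # Sign a stored request, but only if it is well formed and its subject is
  # the name it was filed under (a request cannot claim another host's name).
  def sign(name)
    req = CertificateRequest.find(name) or raise "no request for #{name}"
    raise "request for #{name} fails its own signature check" unless req.content.verify(req.content.public_key)
    raise "request subject does not match #{name}" unless req.content.subject.to_s == "/CN=#{name}"
    Certificate.new(name, build_cert(req.content.subject, req.content.public_key, 'CA:FALSE')).save
  end

  # True only if a certificate exists for +name+ and was signed by this CA's key.
  def verify(name)
    cert = Certificate.find(name)
    !cert.nil? && cert.content.verify(@cert.content.public_key)
  end

  private

  def generate_ca_cert
    subject = OpenSSL::X509::Name.new([['CN', 'Example Puppet CA']]) # constructed name
    Certificate.new('ca', build_cert(subject, @host.key.content.public_key, 'CA:TRUE')).save
  end

  def build_cert(subject, pubkey, basic_constraints)
    cert = OpenSSL::X509::Certificate.new
    cert.version = 2
    cert.serial = (@serial += 1)
    cert.subject = subject
    cert.issuer = @cert ? @cert.content.subject : subject # self-signed for the CA itself
    cert.public_key = pubkey
    cert.not_before = Time.now
    cert.not_after = Time.now + 5 * 365 * 24 * 3600
    ef = OpenSSL::X509::ExtensionFactory.new
    cert.add_extension(ef.create_extension('basicConstraints', basic_constraints, true))
    cert.sign(@host.key.content, OpenSSL::Digest.new('SHA256'))
    cert
  end
end
```

Calling `setup_termini(dir)`, then `CertificateAuthority.new`, `Host.new('host.domain.com').certificate_request` and `ca.sign('host.domain.com')` walks the whole flow; afterwards `Key.find('host.domain.com')` returns a wrapper whose content is the `OpenSSL::PKey::RSA`, as the mail describes. The two checks in `sign` (the request verifies under its own key, and its CN equals the name it was stored under) are the minimum a file-backed CA needs so that a stray or tampered request file cannot obtain a certificate for a different name.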

I know that I've just merged in a ton of commits, but that's because  
it's taken me about six weeks to get the model right, and a lot of  
that work was do/undo/redo/etc.  For perspective, the whole new ssl/  
directory is only 883 lines of code, and 1148 lines of code if you  
include all of the Indirector terminus code (compared to 999 lines of  
code for the existing sslcertificates stuff).  So, it seems like a lot  
of work, but it's not that much code.

A lot of the work went into the tests -- I've got more than 2x that  
amount of test code.

Anyway, ping me if you have any questions.

-- 
Learning is not attained by chance, it must be sought for with ardor and
attended to with diligence. -- Abigail Adams
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com

