On Sep 18, 2009, at 9:37 AM, Markus Roberts wrote:
> > I think I remember the following cause for the bug:
> * 0.24 generates a CA whose CN=$ca_fqdn.
> * upgrade to 0.25
> * 0.25 client connects to master, ask for "ca" cert
> * master send cert whose CN=$ca_fqdn
> * Clients wants to locally write it as $ca_fqdn.pem, so
> thinks it is a normal cert, not a CA.
> * Clients can not authenticate the server because
> there is no "ca.pem" file.
>
> But if Luke found his patch fixes #2617, it might be that I didn't get
> exactly the issue and the above is wrong.
>
> Another possibility would be that our testing was flawed (I don't
> think it was, but it's a logical possibility). If that's the case,
> the most obvious difference would be that we were testing on a
> single machine--this could conceivably lead to the client seeing
> some file that was "on the master" if they shared a confdir, or some
> other such mechanism.
>
> Probably the easiest way to rule out all these possibilities in one
> go is to try it in an environment that was known to fail for you
> with 25.0; if it still fails, we haven't fixed the problem, while if
> it no longer exhibits the symptoms the chances are good that the
> ticket is fixed.
Ok, I looked into this more closely. The following code fixes it for
me:
diff --git a/lib/puppet/indirector/rest.rb b/lib/puppet/indirector/
rest.rb
index e1ee89f..ec3f70f 100644
--- a/lib/puppet/indirector/rest.rb
+++ b/lib/puppet/indirector/rest.rb
@@ -66,7 +66,11 @@ class Puppet::Indirector::REST <
Puppet::Indirector::Terminus
end
def find(request)
- deserialize network(request).get(indirection2uri(request),
headers)
+ return nil unless result =
deserialize(network(request).get(indirection2uri(request), headers))
+ unless result.name == request.key
+ result.name = request.key
+ end
+ result
end
def search(request)
In other words, when we find a cert via REST, we're converting it to
the PEM-formatted cert, with just the cert name, which may or may not
be equal to the name we asked for. This basically just makes sure
that we return an instance whose name matches the requested name,
regardless of what's used internally.
I think this is actually the right behaviour, because it allows some
separation between internals and the envelope (which separation is the
problem here). The only question is whether this is the right
behaviour for everything, and it's a potentially large change in
behaviour, at least in terms of the number of classes it could affect.
--
I never did give anybody hell. I just told the truth, and they thought
it was hell. -- Harry S Truman
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Puppet Developers" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to
[email protected]
For more options, visit this group at
http://groups.google.com/group/puppet-dev?hl=en
-~----------~----~----~----~------~----~------~--~---
