puppet 8.0.1-x64-mingw32 → 8.1.0-x64-mingw32
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CODEOWNERS +5 -5
- data/Gemfile.lock +32 -24
- data/ext/project_data.yaml +1 -1
- data/lib/puppet/defaults.rb +20 -2
- data/lib/puppet/http/service/ca.rb +7 -2
- data/lib/puppet/ssl/state_machine.rb +89 -11
- data/lib/puppet/thread_local.rb +1 -4
- data/lib/puppet/version.rb +1 -1
- data/lib/puppet/x509/cert_provider.rb +22 -0
- data/locales/puppet.pot +2322 -2310
- data/man/man5/puppet.conf.5 +17 -3
- data/man/man8/puppet-agent.8 +1 -1
- data/man/man8/puppet-apply.8 +1 -1
- data/man/man8/puppet-catalog.8 +1 -1
- data/man/man8/puppet-config.8 +1 -1
- data/man/man8/puppet-describe.8 +1 -1
- data/man/man8/puppet-device.8 +1 -1
- data/man/man8/puppet-doc.8 +1 -1
- data/man/man8/puppet-epp.8 +1 -1
- data/man/man8/puppet-facts.8 +1 -1
- data/man/man8/puppet-filebucket.8 +1 -1
- data/man/man8/puppet-generate.8 +1 -1
- data/man/man8/puppet-help.8 +1 -1
- data/man/man8/puppet-lookup.8 +1 -1
- data/man/man8/puppet-module.8 +1 -1
- data/man/man8/puppet-node.8 +1 -1
- data/man/man8/puppet-parser.8 +1 -1
- data/man/man8/puppet-plugin.8 +1 -1
- data/man/man8/puppet-report.8 +1 -1
- data/man/man8/puppet-resource.8 +1 -1
- data/man/man8/puppet-script.8 +1 -1
- data/man/man8/puppet-ssl.8 +1 -1
- data/man/man8/puppet.8 +2 -2
- data/spec/integration/application/agent_spec.rb +50 -0
- data/spec/unit/application/lookup_spec.rb +1 -0
- data/spec/unit/http/service/ca_spec.rb +12 -0
- data/spec/unit/ssl/state_machine_spec.rb +69 -1
- data/spec/unit/x509/cert_provider_spec.rb +26 -0
- metadata +3 -9
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: ebcdaa27c54d6c476ae9b99f3577d837b9ef084dff162a2386bdc662e44a8cd0
|
4
|
+
data.tar.gz: 1186f83bde61e09ef1bbbfca662481e474896fe61550df9bdb9546fac8d9f524
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: be82dd001cd07bcad4d80c8bda56f513e70abac6a3a2f07166f37557ae5eb8f7870724788a7798a032a34fe9d9591e183a8e2a428ee43a021302be66bfa35bcb
|
7
|
+
data.tar.gz: 58f214114d5d8d0e7f4bace9a31618a5c9b44da188a4ab8f753295c743287f35c4f28baa82abd8c858a01f0cdb7a175fa019e4b1459bb8e88a1b3d394944f4a9
|
data/CODEOWNERS
CHANGED
@@ -1,11 +1,11 @@
|
|
1
1
|
# defaults
|
2
|
-
* @puppetlabs/phoenix
|
2
|
+
* @puppetlabs/phoenix
|
3
3
|
|
4
4
|
# PAL
|
5
5
|
/lib/puppet/pal @puppetlabs/bolt
|
6
6
|
|
7
7
|
# puppet module
|
8
|
-
/lib/puppet/application/module.rb @puppetlabs/
|
9
|
-
/lib/puppet/face/module @puppetlabs/
|
10
|
-
/lib/puppet/forge @puppetlabs/
|
11
|
-
/lib/puppet/module_tool @puppetlabs/
|
8
|
+
/lib/puppet/application/module.rb @puppetlabs/modules
|
9
|
+
/lib/puppet/face/module @puppetlabs/modules
|
10
|
+
/lib/puppet/forge @puppetlabs/modules
|
11
|
+
/lib/puppet/module_tool @puppetlabs/modules
|
data/Gemfile.lock
CHANGED
@@ -1,9 +1,23 @@
|
|
1
|
+
GIT
|
2
|
+
remote: https://github.com/puppetlabs/packaging
|
3
|
+
revision: 87a3396077f06e2341ad19e6fcd15f7c14ec02f9
|
4
|
+
branch: 1.0.x
|
5
|
+
specs:
|
6
|
+
packaging (0)
|
7
|
+
apt_stage_artifacts
|
8
|
+
artifactory (~> 3)
|
9
|
+
csv (>= 3.1.5)
|
10
|
+
google-cloud-storage
|
11
|
+
googleauth
|
12
|
+
rake (>= 12.3)
|
13
|
+
release-metrics
|
14
|
+
|
1
15
|
PATH
|
2
16
|
remote: .
|
3
17
|
specs:
|
4
|
-
puppet (8.0
|
18
|
+
puppet (8.1.0)
|
5
19
|
CFPropertyList (~> 2.2)
|
6
|
-
concurrent-ruby (~> 1.0
|
20
|
+
concurrent-ruby (~> 1.0)
|
7
21
|
deep_merge (~> 1.0)
|
8
22
|
facter (>= 4.3.0, < 5)
|
9
23
|
fast_gettext (>= 2.1, < 3)
|
@@ -14,7 +28,7 @@ PATH
|
|
14
28
|
semantic_puppet (~> 1.0)
|
15
29
|
|
16
30
|
GEM
|
17
|
-
remote: https://
|
31
|
+
remote: https://artifactory.delivery.puppetlabs.net/artifactory/api/gems/rubygems/
|
18
32
|
specs:
|
19
33
|
CFPropertyList (2.3.6)
|
20
34
|
addressable (2.8.4)
|
@@ -24,7 +38,7 @@ GEM
|
|
24
38
|
artifactory (3.0.15)
|
25
39
|
ast (2.4.2)
|
26
40
|
coderay (1.1.3)
|
27
|
-
concurrent-ruby (1.
|
41
|
+
concurrent-ruby (1.2.2)
|
28
42
|
crack (0.4.5)
|
29
43
|
rexml
|
30
44
|
csv (3.2.6)
|
@@ -38,17 +52,18 @@ GEM
|
|
38
52
|
facter (4.4.0)
|
39
53
|
hocon (~> 1.3)
|
40
54
|
thor (>= 1.0.1, < 2.0)
|
41
|
-
faraday (2.7.
|
55
|
+
faraday (2.7.6)
|
42
56
|
faraday-net_http (>= 2.0, < 3.1)
|
43
57
|
ruby2_keywords (>= 0.0.4)
|
44
58
|
faraday-net_http (3.0.2)
|
45
59
|
fast_gettext (2.3.0)
|
46
60
|
ffi (1.15.5)
|
47
61
|
forwardable (1.3.3)
|
48
|
-
gettext (3.4.
|
62
|
+
gettext (3.4.4)
|
49
63
|
erubi
|
50
64
|
locale (>= 2.0.5)
|
51
65
|
prime
|
66
|
+
racc
|
52
67
|
text (>= 1.3.0)
|
53
68
|
gettext-setup (1.1.0)
|
54
69
|
fast_gettext (~> 2.1)
|
@@ -89,7 +104,7 @@ GEM
|
|
89
104
|
os (>= 0.9, < 2.0)
|
90
105
|
signet (>= 0.16, < 2.a)
|
91
106
|
hashdiff (1.0.1)
|
92
|
-
hiera-eyaml (3.
|
107
|
+
hiera-eyaml (3.4.0)
|
93
108
|
highline
|
94
109
|
optimist
|
95
110
|
highline (2.1.0)
|
@@ -98,29 +113,22 @@ GEM
|
|
98
113
|
httpclient (2.8.3)
|
99
114
|
json-schema (2.8.1)
|
100
115
|
addressable (>= 2.4)
|
101
|
-
jwt (2.7.
|
116
|
+
jwt (2.7.1)
|
102
117
|
locale (2.1.3)
|
103
118
|
memoist (0.16.2)
|
104
119
|
memory_profiler (1.0.1)
|
105
120
|
method_source (1.0.0)
|
106
121
|
mini_mime (1.1.2)
|
107
122
|
minitar (0.9)
|
108
|
-
msgpack (1.7.
|
123
|
+
msgpack (1.7.1)
|
109
124
|
multi_json (1.15.0)
|
110
125
|
mustache (1.1.1)
|
111
126
|
optimist (3.0.1)
|
112
127
|
os (1.1.4)
|
113
|
-
packaging (0.109.7)
|
114
|
-
apt_stage_artifacts
|
115
|
-
artifactory (~> 3)
|
116
|
-
csv (>= 3.1.5)
|
117
|
-
google-cloud-storage
|
118
|
-
googleauth
|
119
|
-
rake (>= 12.3)
|
120
|
-
release-metrics
|
121
128
|
parallel (1.23.0)
|
122
|
-
parser (3.2.2.
|
129
|
+
parser (3.2.2.3)
|
123
130
|
ast (~> 2.4.1)
|
131
|
+
racc
|
124
132
|
prime (0.1.2)
|
125
133
|
forwardable
|
126
134
|
singleton
|
@@ -130,14 +138,14 @@ GEM
|
|
130
138
|
public_suffix (5.0.1)
|
131
139
|
puppet-resource_api (1.8.14)
|
132
140
|
hocon (>= 1.0)
|
133
|
-
puppetserver-ca (2.
|
141
|
+
puppetserver-ca (2.6.0)
|
134
142
|
facter (>= 2.0.1, < 5)
|
135
143
|
racc (1.5.2)
|
136
144
|
rainbow (3.1.1)
|
137
145
|
rake (13.0.6)
|
138
146
|
rdiscount (2.2.7)
|
139
147
|
rdoc (6.3.3)
|
140
|
-
regexp_parser (2.8.
|
148
|
+
regexp_parser (2.8.1)
|
141
149
|
release-metrics (1.1.0)
|
142
150
|
csv
|
143
151
|
docopt
|
@@ -176,7 +184,7 @@ GEM
|
|
176
184
|
rubocop-ast (>= 1.17.0, < 2.0)
|
177
185
|
ruby-progressbar (~> 1.7)
|
178
186
|
unicode-display_width (>= 1.4.0, < 3.0)
|
179
|
-
rubocop-ast (1.
|
187
|
+
rubocop-ast (1.29.0)
|
180
188
|
parser (>= 3.2.1.0)
|
181
189
|
rubocop-i18n (3.0.0)
|
182
190
|
rubocop (~> 1.0)
|
@@ -192,7 +200,7 @@ GEM
|
|
192
200
|
multi_json (~> 1.10)
|
193
201
|
singleton (0.1.1)
|
194
202
|
text (1.3.1)
|
195
|
-
thor (1.2.
|
203
|
+
thor (1.2.2)
|
196
204
|
trailblazer-option (0.1.2)
|
197
205
|
uber (0.1.0)
|
198
206
|
unicode-display_width (2.4.2)
|
@@ -218,7 +226,7 @@ DEPENDENCIES
|
|
218
226
|
memory_profiler
|
219
227
|
minitar (~> 0.9)
|
220
228
|
msgpack (~> 1.2)
|
221
|
-
packaging
|
229
|
+
packaging!
|
222
230
|
pry
|
223
231
|
puppet!
|
224
232
|
puppet-resource_api (~> 1.5)
|
@@ -240,4 +248,4 @@ DEPENDENCIES
|
|
240
248
|
yard
|
241
249
|
|
242
250
|
BUNDLED WITH
|
243
|
-
2.
|
251
|
+
2.4.12
|
data/ext/project_data.yaml
CHANGED
data/lib/puppet/defaults.rb
CHANGED
@@ -1212,6 +1212,24 @@ EOT
|
|
1212
1212
|
:desc => "The default TTL for new certificates.
|
1213
1213
|
#{AS_DURATION}",
|
1214
1214
|
},
|
1215
|
+
:ca_refresh_interval => {
|
1216
|
+
:default => "1d",
|
1217
|
+
:type => :duration,
|
1218
|
+
:desc => "How often the Puppet agent refreshes its local CA certs. By
|
1219
|
+
default the CA certs are refreshed once every 24 hours. If a different
|
1220
|
+
duration is specified, then the agent will refresh its CA certs whenever
|
1221
|
+
it next runs and the elapsed time since the certs were last refreshed
|
1222
|
+
exceeds the duration.
|
1223
|
+
|
1224
|
+
In general, the duration should be greater than the `runinterval`.
|
1225
|
+
Setting it to 0 or an equal or lesser value than `runinterval`,
|
1226
|
+
will cause the CA certs to be refreshed on every run.
|
1227
|
+
|
1228
|
+
If the agent downloads new CA certs, the agent will use it for subsequent
|
1229
|
+
network requests. If the refresh request fails or if the CA certs are
|
1230
|
+
unchanged on the server, then the agent run will continue using the
|
1231
|
+
local CA certs it already has. #{AS_DURATION}",
|
1232
|
+
},
|
1215
1233
|
:crl_refresh_interval => {
|
1216
1234
|
:default => "1d",
|
1217
1235
|
:type => :duration,
|
@@ -1222,8 +1240,8 @@ EOT
|
|
1222
1240
|
exceeds the duration.
|
1223
1241
|
|
1224
1242
|
In general, the duration should be greater than the `runinterval`.
|
1225
|
-
Setting it to an equal or lesser value
|
1226
|
-
refreshed on every run.
|
1243
|
+
Setting it to 0 or an equal or lesser value than `runinterval`,
|
1244
|
+
will cause the CRL to be refreshed on every run.
|
1227
1245
|
|
1228
1246
|
If the agent downloads a new CRL, the agent will use it for subsequent
|
1229
1247
|
network requests. If the refresh request fails or if the CRL is
|
@@ -28,16 +28,21 @@ class Puppet::HTTP::Service::Ca < Puppet::HTTP::Service
|
|
28
28
|
# Submit a GET request to retrieve the named certificate from the server.
|
29
29
|
#
|
30
30
|
# @param [String] name name of the certificate to request
|
31
|
+
# @param [Time] if_modified_since If not nil, only download the cert if it has
|
32
|
+
# been modified since the specified time.
|
31
33
|
# @param [Puppet::SSL::SSLContext] ssl_context
|
32
34
|
#
|
33
35
|
# @return [Array<Puppet::HTTP::Response, String>] An array containing the
|
34
36
|
# request response and the stringified body of the request response
|
35
37
|
#
|
36
38
|
# @api public
|
37
|
-
def get_certificate(name, ssl_context: nil)
|
39
|
+
def get_certificate(name, if_modified_since: nil, ssl_context: nil)
|
40
|
+
headers = add_puppet_headers(HEADERS)
|
41
|
+
headers['If-Modified-Since'] = if_modified_since.httpdate if if_modified_since
|
42
|
+
|
38
43
|
response = @client.get(
|
39
44
|
with_base_url("/certificate/#{name}"),
|
40
|
-
headers:
|
45
|
+
headers: headers,
|
41
46
|
options: {ssl_context: ssl_context}
|
42
47
|
)
|
43
48
|
|
@@ -50,14 +50,28 @@ class Puppet::SSL::StateMachine
|
|
50
50
|
def next_state
|
51
51
|
Puppet.debug("Loading CA certs")
|
52
52
|
|
53
|
+
force_crl_refresh = false
|
54
|
+
|
53
55
|
cacerts = @cert_provider.load_cacerts
|
54
56
|
if cacerts
|
55
57
|
next_ctx = @ssl_provider.create_root_context(cacerts: cacerts, revocation: false)
|
58
|
+
|
59
|
+
now = Time.now
|
60
|
+
last_update = @cert_provider.ca_last_update
|
61
|
+
if needs_refresh?(now, last_update)
|
62
|
+
# set last updated time first, then make a best effort to refresh
|
63
|
+
@cert_provider.ca_last_update = now
|
64
|
+
|
65
|
+
# If we refresh the CA, then we need to force the CRL to be refreshed too,
|
66
|
+
# since if there is a new CA in the chain, then we need its CRL to check
|
67
|
+
# the full chain for revocation status.
|
68
|
+
next_ctx, force_crl_refresh = refresh_ca(next_ctx, last_update)
|
69
|
+
end
|
56
70
|
else
|
57
71
|
route = @machine.session.route_to(:ca, ssl_context: @ssl_context)
|
58
72
|
_, pem = route.get_certificate(Puppet::SSL::CA_NAME, ssl_context: @ssl_context)
|
59
73
|
if @machine.ca_fingerprint
|
60
|
-
actual_digest =
|
74
|
+
actual_digest = @machine.digest_as_hex(pem)
|
61
75
|
expected_digest = @machine.ca_fingerprint.scan(/../).join(':').upcase
|
62
76
|
if actual_digest == expected_digest
|
63
77
|
Puppet.info(_("Verified CA bundle with digest (%{digest_type}) %{actual_digest}") %
|
@@ -74,7 +88,7 @@ class Puppet::SSL::StateMachine
|
|
74
88
|
@cert_provider.save_cacerts(cacerts)
|
75
89
|
end
|
76
90
|
|
77
|
-
NeedCRLs.new(@machine, next_ctx)
|
91
|
+
NeedCRLs.new(@machine, next_ctx, force_crl_refresh)
|
78
92
|
rescue OpenSSL::X509::CertificateError => e
|
79
93
|
Error.new(@machine, e.message, e)
|
80
94
|
rescue Puppet::HTTP::ResponseError => e
|
@@ -84,6 +98,51 @@ class Puppet::SSL::StateMachine
|
|
84
98
|
to_error(_('Could not download CA certificate: %{message}') % { message: e.message }, e)
|
85
99
|
end
|
86
100
|
end
|
101
|
+
|
102
|
+
private
|
103
|
+
|
104
|
+
def needs_refresh?(now, last_update)
|
105
|
+
return true if last_update.nil?
|
106
|
+
|
107
|
+
ca_ttl = Puppet[:ca_refresh_interval]
|
108
|
+
return false unless ca_ttl
|
109
|
+
|
110
|
+
now.to_i > last_update.to_i + ca_ttl
|
111
|
+
end
|
112
|
+
|
113
|
+
def refresh_ca(ssl_ctx, last_update)
|
114
|
+
Puppet.info(_("Refreshing CA certificate"))
|
115
|
+
|
116
|
+
# return the next_ctx containing the updated ca
|
117
|
+
[download_ca(ssl_ctx, last_update), true]
|
118
|
+
rescue Puppet::HTTP::ResponseError => e
|
119
|
+
if e.response.code == 304
|
120
|
+
Puppet.info(_("CA certificate is unmodified, using existing CA certificate"))
|
121
|
+
else
|
122
|
+
Puppet.info(_("Failed to refresh CA certificate, using existing CA certificate: %{message}") % {message: e.message})
|
123
|
+
end
|
124
|
+
|
125
|
+
# return the original ssl_ctx
|
126
|
+
[ssl_ctx, false]
|
127
|
+
rescue Puppet::HTTP::HTTPError => e
|
128
|
+
Puppet.warning(_("Failed to refresh CA certificate, using existing CA certificate: %{message}") % {message: e.message})
|
129
|
+
|
130
|
+
# return the original ssl_ctx
|
131
|
+
[ssl_ctx, false]
|
132
|
+
end
|
133
|
+
|
134
|
+
def download_ca(ssl_ctx, last_update)
|
135
|
+
route = @machine.session.route_to(:ca, ssl_context: ssl_ctx)
|
136
|
+
_, pem = route.get_certificate(Puppet::SSL::CA_NAME, if_modified_since: last_update, ssl_context: ssl_ctx)
|
137
|
+
cacerts = @cert_provider.load_cacerts_from_pem(pem)
|
138
|
+
# verify cacerts before saving
|
139
|
+
next_ctx = @ssl_provider.create_root_context(cacerts: cacerts, revocation: false)
|
140
|
+
@cert_provider.save_cacerts(cacerts)
|
141
|
+
|
142
|
+
Puppet.info("Refreshed CA certificate: #{@machine.digest_as_hex(pem)}")
|
143
|
+
|
144
|
+
next_ctx
|
145
|
+
end
|
87
146
|
end
|
88
147
|
|
89
148
|
# If revocation is enabled, load CRLs or download them, using the CA bundle
|
@@ -93,6 +152,13 @@ class Puppet::SSL::StateMachine
|
|
93
152
|
# for which we don't have a CRL
|
94
153
|
#
|
95
154
|
class NeedCRLs < SSLState
|
155
|
+
attr_reader :force_crl_refresh
|
156
|
+
|
157
|
+
def initialize(machine, ssl_context, force_crl_refresh = false)
|
158
|
+
super(machine, ssl_context)
|
159
|
+
@force_crl_refresh = force_crl_refresh
|
160
|
+
end
|
161
|
+
|
96
162
|
def next_state
|
97
163
|
Puppet.debug("Loading CRLs")
|
98
164
|
|
@@ -102,15 +168,12 @@ class Puppet::SSL::StateMachine
|
|
102
168
|
if crls
|
103
169
|
next_ctx = @ssl_provider.create_root_context(cacerts: ssl_context[:cacerts], crls: crls)
|
104
170
|
|
105
|
-
|
106
|
-
|
107
|
-
|
108
|
-
|
109
|
-
|
110
|
-
|
111
|
-
@cert_provider.crl_last_update = now
|
112
|
-
next_ctx = refresh_crl(next_ctx, last_update)
|
113
|
-
end
|
171
|
+
now = Time.now
|
172
|
+
last_update = @cert_provider.crl_last_update
|
173
|
+
if needs_refresh?(now, last_update)
|
174
|
+
# set last updated time first, then make a best effort to refresh
|
175
|
+
@cert_provider.crl_last_update = now
|
176
|
+
next_ctx = refresh_crl(next_ctx, last_update)
|
114
177
|
end
|
115
178
|
else
|
116
179
|
next_ctx = download_crl(@ssl_context, nil)
|
@@ -133,6 +196,15 @@ class Puppet::SSL::StateMachine
|
|
133
196
|
|
134
197
|
private
|
135
198
|
|
199
|
+
def needs_refresh?(now, last_update)
|
200
|
+
return true if @force_crl_refresh || last_update.nil?
|
201
|
+
|
202
|
+
crl_ttl = Puppet[:crl_refresh_interval]
|
203
|
+
return false unless crl_ttl
|
204
|
+
|
205
|
+
now.to_i > last_update.to_i + crl_ttl
|
206
|
+
end
|
207
|
+
|
136
208
|
def refresh_crl(ssl_ctx, last_update)
|
137
209
|
Puppet.info(_("Refreshing CRL"))
|
138
210
|
|
@@ -162,6 +234,8 @@ class Puppet::SSL::StateMachine
|
|
162
234
|
next_ctx = @ssl_provider.create_root_context(cacerts: ssl_ctx[:cacerts], crls: crls)
|
163
235
|
@cert_provider.save_crls(crls)
|
164
236
|
|
237
|
+
Puppet.info("Refreshed CRL: #{@machine.digest_as_hex(pem)}")
|
238
|
+
|
165
239
|
next_ctx
|
166
240
|
end
|
167
241
|
end
|
@@ -441,6 +515,10 @@ class Puppet::SSL::StateMachine
|
|
441
515
|
@lockfile.unlock
|
442
516
|
end
|
443
517
|
|
518
|
+
def digest_as_hex(str)
|
519
|
+
Puppet::SSL::Digest.new(digest, str).to_hex
|
520
|
+
end
|
521
|
+
|
444
522
|
private
|
445
523
|
|
446
524
|
def run_machine(state, stop)
|
data/lib/puppet/thread_local.rb
CHANGED
@@ -1,8 +1,5 @@
|
|
1
1
|
# frozen_string_literal: true
|
2
2
|
require 'concurrent'
|
3
3
|
|
4
|
-
|
5
|
-
# implementation of ThreadLocal, we end up leaking references to JRuby instances
|
6
|
-
# and preventing them from being garbage collected.
|
7
|
-
class Puppet::ThreadLocal < Concurrent::RubyThreadLocalVar
|
4
|
+
class Puppet::ThreadLocal < Concurrent::ThreadLocalVar
|
8
5
|
end
|
data/lib/puppet/version.rb
CHANGED
@@ -147,6 +147,28 @@ class Puppet::X509::CertProvider
|
|
147
147
|
Puppet::FileSystem.touch(@crlpath, mtime: time)
|
148
148
|
end
|
149
149
|
|
150
|
+
# Return the time when the CA bundle was last updated.
|
151
|
+
#
|
152
|
+
# @return [Time, nil] Time when the CA bundle was last updated, or nil if we don't
|
153
|
+
# have a CA bundle
|
154
|
+
#
|
155
|
+
# @api private
|
156
|
+
def ca_last_update
|
157
|
+
stat = Puppet::FileSystem.stat(@capath)
|
158
|
+
Time.at(stat.mtime)
|
159
|
+
rescue Errno::ENOENT
|
160
|
+
nil
|
161
|
+
end
|
162
|
+
|
163
|
+
# Set the CA bundle last updated time.
|
164
|
+
#
|
165
|
+
# @param time [Time] The last updated time
|
166
|
+
#
|
167
|
+
# @api private
|
168
|
+
def ca_last_update=(time)
|
169
|
+
Puppet::FileSystem.touch(@capath, mtime: time)
|
170
|
+
end
|
171
|
+
|
150
172
|
# Save named private key in the configured `privatekeydir`. For
|
151
173
|
# historical reasons, names are case insensitive.
|
152
174
|
#
|