class Puppetserver::Ca::Utils::HttpClient

Utilities for doing HTTPS against the CA that wraps Net::HTTP constructs

Constants

DEFAULT_HEADERS
Result

Just provide the bits of Net::HTTPResponse we care about

URL

Like URI, but not… maybe of suspicious value

Attributes

store[R]

Public Class Methods

new(settings, with_client_cert: true) click to toggle source

Not all connections require a client cert to be present. For example, when querying the status endpoint.

# File lib/puppetserver/ca/utils/http_client.rb, line 22
def initialize(settings, with_client_cert: true)
  @store = make_store(settings[:localcacert],
                      settings[:certificate_revocation],
                      settings[:hostcrl])

  if with_client_cert
    @cert = load_cert(settings[:hostcert])
    @key = load_key(settings[:hostprivkey])
  else
    @cert = nil
    @key = nil
  end
end

Public Instance Methods

load_cert(path) click to toggle source
# File lib/puppetserver/ca/utils/http_client.rb, line 36
def load_cert(path)
  load_with_errors(path, 'hostcert') do |content|
    OpenSSL::X509::Certificate.new(content)
  end
end
load_key(path) click to toggle source
# File lib/puppetserver/ca/utils/http_client.rb, line 42
def load_key(path)
  load_with_errors(path, 'hostprivkey') do |content|
    OpenSSL::PKey.read(content)
  end
end
with_connection(url, &block) click to toggle source

Takes an instance URL (defined lower in the file), and creates a connection. The given block is passed our own Connection object. The Connection object should have HTTP verbs defined on it that take a body (and optional overrides). Returns whatever the block given returned.

# File lib/puppetserver/ca/utils/http_client.rb, line 52
def with_connection(url, &block)
  request = ->(conn) { block.call(Connection.new(conn, url)) }

  begin
    Net::HTTP.start(url.host, url.port,
                    use_ssl: true, cert_store: @store,
                    cert: @cert, key: @key,
                    &request)
  rescue StandardError => e
    raise ConnectionFailed.create(e,
            "Failed connecting to #{url.full_url}\n" +
            "  Root cause: #{e.message}")
  end
end

Private Instance Methods

load_with_errors(path, setting, &block) click to toggle source
# File lib/puppetserver/ca/utils/http_client.rb, line 69
def load_with_errors(path, setting, &block)
   begin
     content = File.read(path)
     block.call(content)
   rescue Errno::ENOENT => e
     raise FileNotFound.create(e,
             "Could not find '#{setting}' at '#{path}'")

   rescue OpenSSL::OpenSSLError => e
     raise InvalidX509Object.create(e,
             "Could not parse '#{setting}' at '#{path}'.\n" +
             "  OpenSSL returned: #{e.message}")
   end
end
make_store(bundle, crl_usage, crls = nil) click to toggle source
# File lib/puppetserver/ca/utils/http_client.rb, line 141
def make_store(bundle, crl_usage, crls = nil)
  store = OpenSSL::X509::Store.new
  store.purpose = OpenSSL::X509::PURPOSE_ANY
  store.add_file(bundle)

  if crl_usage != :ignore

    flags = OpenSSL::X509::V_FLAG_CRL_CHECK
    if crl_usage == :chain
      flags |= OpenSSL::X509::V_FLAG_CRL_CHECK_ALL
    end

    store.flags = flags
    delimiter = /-----BEGIN X509 CRL-----.*?-----END X509 CRL-----/m
    File.read(crls).scan(delimiter).each do |crl|
      store.add_crl(OpenSSL::X509::CRL.new(crl))
    end
  end

  store
end