Skip to content

Update ca/crl last_update on HTTP 304 so refresh intervals are respected (#435) #440

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
SAY-5 wants to merge 1 commit into
base: main
Choose a base branch
from
+22 −0
Open

Update ca/crl last_update on HTTP 304 so refresh intervals are respected (#435) #440

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions lib/puppet/ssl/state_machine.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -121,6 +121,10 @@ def refresh_ca(ssl_ctx, last_update)
rescue Puppet::HTTP::ResponseError => e
if e.response.code == 304
Puppet.info(_("CA certificate is unmodified, using existing CA certificate"))
# 304 confirms the local CA is current, so reset the TTL.
# Otherwise ca_last_update (backed by ca.pem mtime) never advances
# past the initial download and needs_refresh? triggers on every run.
@cert_provider.ca_last_update = Time.now
else
Puppet.info(_("Failed to refresh CA certificate, using existing CA certificate: %{message}") % { message: e.message })
end
Expand Down Expand Up @@ -219,6 +223,8 @@ def refresh_crl(ssl_ctx, last_update)
rescue Puppet::HTTP::ResponseError => e
if e.response.code == 304
Puppet.info(_("CRL is unmodified, using existing CRL"))
# 304 confirms the local CRL is current, so reset the TTL.
@cert_provider.crl_last_update = Time.now
else
Puppet.info(_("Failed to refresh CRL, using existing CRL: %{message}") % { message: e.message })
end
Expand Down
16 changes: 16 additions & 0 deletions spec/unit/ssl/state_machine_spec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -495,6 +495,14 @@ def expect_lockfile_to_contain(pid)
state.next_state
end

it 'updates the `last_update` time on 304 Not Modified so ca_refresh_interval is respected' do
stub_request(:get, %r{puppet-ca/v1/certificate/ca}).to_return(status: 304)

expect_any_instance_of(Puppet::X509::CertProvider).to receive(:ca_last_update=).with(be_within(60).of(Time.now))

state.next_state
end

it "does not update the `last_update` time when CA refresh fails" do
stub_request(:get, %r{puppet-ca/v1/certificate/ca}).to_raise(Errno::ECONNREFUSED)

Expand Down Expand Up @@ -658,6 +666,14 @@ def expect_lockfile_to_contain(pid)

state.next_state
end

it 'updates the `last_update` time on 304 Not Modified so crl_refresh_interval is respected' do
stub_request(:get, %r{puppet-ca/v1/certificate_revocation_list/ca}).to_return(status: 304)

expect_any_instance_of(Puppet::X509::CertProvider).to receive(:crl_last_update=).with(be_within(60).of(Time.now))

state.next_state
end
end
end

Expand Down
Loading