  1. Puppet
  2. PUP-8950

Fix external_ca_support tests in puppet server master



    • CI Blocker
    • Status: Closed
    • Normal
    • Resolution: Fixed
    • None
    • PUP 6.0.0
    • None
    • None
    • platform puppetserver
    • Froyo
    • Not Needed
    • Needs Assessment


      There are at least three problems currently exposed by this test:

      1. When trying to download a CA cert from a non-CA, when we get a response that is a 404, we print out the #inspect output of an object. We need to clean that up and return an error similar to what we returned previously. (This may overlap with PUP-8906, which tony.vu is working on.)
      2. There is a "method missing << on nil" error. This is coming from here. Working with maggie, we realized that this is because loading httpclient monkey patches OpenSSL::X509::Store. We create our Store prior to loading httpclient, but then the monkey-patched methods are missing state (an initialized instance variable) that would have been there if the class had been monkey patched prior to instantiation. Attempting to load httpclient when Puppet::SSL::Host is required should resolve this issue; we previously didn't do this so that we would not error when running in puppet server. It would appear that doing something like catching a LoadError or conditionally requiring httpclient would be better than lazily loading it.
      3. Finally, we're failing our peer verification, properly, but we are no longer producing the correct error message. This is because the first operation of an agent run, hitting the node endpoint, makes a request through the indirector. The indirector sets up its connection, with its own validator, but in doing so calls Host.localhost, which, in this test, causes us to try to download our CA information. That download uses a different connection, with a different validator, and that validator properly fails, with the correct errors, but it raises an OpenSSL exception that the new client doesn't catch. So the validation exception rises up to the indirector's error handling code, which looks to its validator for the errors. But its validator isn't the validator used for the connection, so its errors array is empty.




            justin Justin Stoller
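The load-order failure described in item 2, reproduced as an added example (not code from Puppet or httpclient). `CertStore`, `load_patching_library` and `require_optional` are hypothetical stand-ins for OpenSSL::X509::Store, the library load that reopens it, and the guarded eager require the issue proposes.

```ruby
# Stand-in for OpenSSL::X509::Store (constructed for this example).
class CertStore
  def initialize
    @certs = []
  end

  def add_cert(cert)
    @certs.push(cert)
    self
  end
end

# Simulates a library that reopens the class at load time (hypothetical patch).
def load_patching_library
  return if CertStore.method_defined?(:add_cert_without_tracking)
  CertStore.class_eval do
    alias_method :initialize_without_tracking, :initialize
    alias_method :add_cert_without_tracking, :add_cert

    def initialize
      initialize_without_tracking
      @tracked_items = []        # state the patched methods depend on
    end

    def add_cert(cert)
      @tracked_items << cert     # nil on instances built before the patch
      add_cert_without_tracking(cert)
    end
  end
end

# Returns :ok, or the message of the error raised by the patched method.
def try_add(store)
  store.add_cert("constructed-cert")
  :ok
rescue NoMethodError => e
  e.message
end

def demo
  early = CertStore.new          # instantiated before the library is loaded
  load_patching_library
  late = CertStore.new           # instantiated after the patch is in place
  { early: try_add(early), late: try_add(late) }
end

# Guarded eager load: patch before any store exists, tolerate a missing library.
def require_optional(feature)
  require feature
  true
rescue LoadError
  false
end
```

Calling `demo` once in a fresh process shows the store created before the patch failing on `<<` while the one created afterwards works.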