  1. Puppet
  2. PUP-8950

Fix external_ca_support tests in puppet server master

    Details

    • Type: CI Blocker
    • Status: Closed
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: PUP 6.0.0
    • Component/s: None
    • Labels:
      None
    • CI Pipeline/s:
      platform puppetserver
    • Team:
      Froyo
    • Release Notes:
      Not Needed
    • QA Risk Assessment:
      Needs Assessment

      Description

      There are at least three problems currently exposed by this test:

      1. When trying to download a CA cert from a non-CA, when we get a response that is a 404, we print out the #inspect output of an object. We need to clean that up and return an error similar to what we returned previously. (This may overlap with PUP-8906, which Tony Vu is working on.)
      2. There is a "method missing << on nil" error. This is coming from here. Working with Maggie Dreyer, we realized that this is because when we load httpclient, it monkey patches OpenSSL::X509::Store. We create our Store prior to loading httpclient, but then the monkey-patched methods are missing state (an initialized instance variable) that would have been there if the class had been monkey patched prior to instantiation. Attempting to load httpclient when Puppet::SSL::Host is required should resolve this issue; we previously didn't do this so that we would not error when running in puppet server. It would appear that doing something like catching a LoadError or conditionally requiring httpclient would be better than lazily loading it.
      3. Finally, we're failing our peer verification, properly, but we are no longer producing the correct error message. This is because the first operation of an agent run, hitting the node endpoint, makes a request through the indirector. The indirector sets up its connection with its own validator, but in doing so calls Host.localhost, which, in this test, causes us to try to download our CA information. That download uses a different connection, with a different validator, and that validator properly fails, with the correct errors, but it raises an OpenSSL exception that the new client doesn't catch. So the validation exception rises up to the indirector's error handling code, which looks to its validator for the errors. But its validator isn't the validator used for the connection, so its errors array is empty.
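
The load-order failure in item 2, reproduced as an added example (not Puppet's or httpclient's code). DemoStore is a hypothetical stand-in for OpenSSL::X509::Store, apply_tracking_patch is a constructed patch that keeps its state in an instance variable set by a wrapped initialize, and the lazy_init guard is an assumption of this example rather than a fix proposed in the ticket.

```ruby
# Added example: DemoStore is a hypothetical stand-in for OpenSSL::X509::Store.
class DemoStore
  attr_reader :certs

  def initialize
    @certs = []
  end

  def add_cert(cert)
    @certs << cert
    self
  end
end

# Constructed patch in the style the ticket describes: the wrapped initialize
# creates tracking state and the wrapped add_cert appends to it.
# lazy_init is an assumption of this example, not something the ticket proposes.
def apply_tracking_patch(klass, lazy_init:)
  orig_init = klass.instance_method(:initialize)
  orig_add  = klass.instance_method(:add_cert)
  klass.class_eval do
    define_method(:initialize) do |*args|
      orig_init.bind(self).call(*args)
      @tracked = []
    end
    define_method(:add_cert) do |cert|
      res = orig_add.bind(self).call(cert)
      @tracked ||= [] if lazy_init # tolerate instances built before the patch
      @tracked << cert             # nil << cert when initialize never ran patched
      res
    end
    define_method(:tracked) { @tracked }
  end
end

# Returns the tracked list, or the exception class if add_cert raised.
def run_scenario(patch_first:, lazy_init:)
  klass = Class.new(DemoStore)          # fresh class so scenarios don't interact
  store = klass.new unless patch_first  # instance created before the patch loads
  apply_tracking_patch(klass, lazy_init: lazy_init)
  store ||= klass.new
  store.add_cert("constructed-cert")
  store.tracked
rescue NoMethodError => e
  e.class
end

puts run_scenario(patch_first: false, lazy_init: false).inspect # instantiate, then patch
puts run_scenario(patch_first: true,  lazy_init: false).inspect # patch, then instantiate
puts run_scenario(patch_first: false, lazy_init: true).inspect  # patch guards its own state
```

The patch_first: true case corresponds to the ticket's suggestion of loading httpclient before any Store is created. In the failing case the original add_cert has already run when the error is raised, so the store holds the certificate even though the call raised.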

            People

            Assignee:
            justin Justin Stoller
            Reporter:
            justin Justin Stoller