(PUP-11428) Reload default and system ssl_context for each run

joshcooper · joshcooper · commit 5d78d0e51cfc · 2022-04-05T09:52:11.000-07:00
Previously if the `default_ssl_context` or `default_system_ssl_context` were set
they could be reused across agent runs. The `default_ssl_context` is normally
only set during tests. The `default_system_ssl_context` is the memoized version
of the ssl context creating when the agent connects to non-puppet "https"
servers. It is also set during tests.

The Puppet::HTTP::Client#close method now clears both default ssl contexts,
along with the persistent HTTP pool. The client can safely reload the
context(s), the next time a connection is made.
diff --git a/lib/puppet/agent.rb b/lib/puppet/agent.rb
@@ -94,6 +94,8 @@ def run(client_options = {})
           rescue StandardError => detail
             Puppet.log_exception(detail, _("Could not run %{client_class}: %{detail}") % { client_class: client_class, detail: detail })
             nil
+          ensure
+            Puppet.runtime[:http].close
           end
         end
       end
diff --git a/lib/puppet/http/client.rb b/lib/puppet/http/client.rb
@@ -272,6 +272,8 @@ def delete(url, headers: {}, params: {}, options: {})
   #
   def close
     @pool.close
+    @default_ssl_context = nil
+    @default_system_ssl_context = nil
   end
 
   def default_ssl_context
diff --git a/lib/puppet/ssl/state_machine.rb b/lib/puppet/ssl/state_machine.rb
@@ -278,7 +278,7 @@ def next_state
       else
         Puppet.info(_("Will try again in %{time} seconds.") % {time: time})
 
-        # close persistent connections and session state before sleeping
+        # close http/tls and session state before sleeping
         Puppet.runtime[:http].close
         @machine.session = Puppet.runtime[:http].create_session
 
diff --git a/spec/unit/http/client_spec.rb b/spec/unit/http/client_spec.rb
@@ -120,6 +120,24 @@ def expect_http_error(cause, expected_message)
 
       client.close
     end
+
+    it 'reloads the default ssl context' do
+      expect(client.pool).to receive(:with_connection) do |_, verifier|
+        expect(verifier.ssl_context).to_not equal(puppet_context)
+      end
+
+      client.close
+      client.connect(uri)
+    end
+
+    it 'reloads the default system ssl context' do
+      expect(client.pool).to receive(:with_connection) do |_, verifier|
+        expect(verifier.ssl_context).to_not equal(system_context)
+      end
+
+      client.close
+      client.connect(uri, options: {include_system_store: true})
+    end
   end
 
   context "for GET requests" do

Original file line number	Diff line number	Diff line change
`@@ -272,6 +272,8 @@ def delete(url, headers: {}, params: {}, options: {})`
`272`	`272`	`#`
`273`	`273`	`def close`
`274`	`274`	`@pool.close`
	`275`	`+ @default_ssl_context = nil`
	`276`	`+ @default_system_ssl_context = nil`
`275`	`277`	`end`
`276`	`278`
`277`	`279`	`def default_ssl_context`