
Commit 5d78d0e

(PUP-11428) Reload default and system ssl_context for each run
Previously, if the `default_ssl_context` or `default_system_ssl_context` were set, they could be reused across agent runs. The `default_ssl_context` is normally only set during tests. The `default_system_ssl_context` is the memoized version of the ssl context created when the agent connects to non-puppet "https" servers. It is also set during tests. The Puppet::HTTP::Client#close method now clears both default ssl contexts, along with the persistent HTTP pool. The client can safely reload the context(s) the next time a connection is made.
1 parent: 21bccfb; commit: 5d78d0e

4 files changed: +23 -1 lines changed

lib/puppet/agent.rb

Lines changed: 2 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -94,6 +94,8 @@ def run(client_options = {})
9494
rescue StandardError => detail
9595
Puppet.log_exception(detail, _("Could not run %{client_class}: %{detail}") % { client_class: client_class, detail: detail })
9696
nil
97+
ensure
98+
Puppet.runtime[:http].close
9799
end
98100
end
99101
end

lib/puppet/http/client.rb

Lines changed: 2 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -272,6 +272,8 @@ def delete(url, headers: {}, params: {}, options: {})
272272
#
273273
def close
274274
@pool.close
275+
@default_ssl_context = nil
276+
@default_system_ssl_context = nil
275277
end
276278

277279
def default_ssl_context
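Review bot: the doc comment immediately above `close` (the bare `#` at line 272 is all that is visible here) should be updated to say that `close` now also discards the memoized `@default_ssl_context` and `@default_system_ssl_context`, so the next `connect` rebuilds them from current settings; callers that hold a reference to a verifier obtained before `close` will otherwise be surprised that the client no longer shares their context. The correctness of this change also depends on `default_ssl_context` (whose body starts right after this hunk but is not shown) and its system-store counterpart memoizing with `||=` rather than assigning once, which is worth a glance during review.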

lib/puppet/ssl/state_machine.rb

Lines changed: 1 addition & 1 deletion
Original file line number | Diff line number | Diff line change
@@ -278,7 +278,7 @@ def next_state
278278
else
279279
Puppet.info(_("Will try again in %{time} seconds.") % {time: time})
280280

281-
# close persistent connections and session state before sleeping
281+
# close http/tls and session state before sleeping
282282
Puppet.runtime[:http].close
283283
@machine.session = Puppet.runtime[:http].create_session
284284
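Review bot: the reworded comment "close http/tls and session state" is less precise than the code it describes; `close` tears down the persistent connections and the cached TLS contexts, and the next line replaces the session. Suggest "# close persistent connections, cached TLS contexts and session state before sleeping" so the reader knows the SSL context will be reloaded on the retry.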

spec/unit/http/client_spec.rb

Lines changed: 18 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -120,6 +120,24 @@ def expect_http_error(cause, expected_message)
120120

121121
client.close
122122
end
123+
124+
it 'reloads the default ssl context' do
125+
expect(client.pool).to receive(:with_connection) do |_, verifier|
126+
expect(verifier.ssl_context).to_not equal(puppet_context)
127+
end
128+
129+
client.close
130+
client.connect(uri)
131+
end
132+
133+
it 'reloads the default system ssl context' do
134+
expect(client.pool).to receive(:with_connection) do |_, verifier|
135+
expect(verifier.ssl_context).to_not equal(system_context)
136+
end
137+
138+
client.close
139+
client.connect(uri, options: {include_system_store: true})
140+
end
123141
end
124142

125143
context "for GET requests" do
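Review bot: both new specs only assert that the verifier's context after `close` is not the same object as `puppet_context` / `system_context` (`to_not equal`), so they would also pass if the client never memoized a context at all. To pin down the behaviour the commit message describes, add a companion expectation that two `connect` calls without an intervening `close` yield the same context object (`equal(...)`), and consider calling `close` twice before `connect` to show that clearing an already-nil context is harmless. Note also that `puppet_context` and `system_context` are fixtures defined outside this hunk; the test reads more clearly if the lead-in of each example states where they come from.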
