(PUP-10639) Add methods for getting/setting CA last update time

This is similar to the getter/setter methods for the CRL, using the CA file's
mtime to determine the last time it was updated.

Author: joshcooper

lib/puppet/x509/cert_provider.rb

@@ -147,6 +147,28 @@ def crl_last_update=(time)
     Puppet::FileSystem.touch(@crlpath, mtime: time)
   end
 
+  # Return the time when the CA bundle was last updated.
+  #
+  # @return [Time, nil] Time when the CA bundle was last updated, or nil if we don't
+  #   have a CA bundle
+  #
+  # @api private
+  def ca_last_update
+    stat = Puppet::FileSystem.stat(@capath)
+    Time.at(stat.mtime)
+  rescue Errno::ENOENT
+    nil
+  end
+
+  # Set the CA bundle last updated time.
+  #
+  # @param time [Time] The last updated time
+  #
+  # @api private
+  def ca_last_update=(time)
+    Puppet::FileSystem.touch(@capath, mtime: time)
+  end
+
   # Save named private key in the configured `privatekeydir`. For
   # historical reasons, names are case insensitive.
   #

spec/unit/x509/cert_provider_spec.rb

@@ -586,6 +586,32 @@ def expects_private_file(path)
     end
   end
 
+  context 'CA last update time' do
+    let(:ca_path) { tmpfile('pem_ca') }
+
+    it 'returns nil if the CA does not exist' do
+      provider = create_provider(capath: '/does/not/exist')
+
+      expect(provider.ca_last_update).to be_nil
+    end
+
+    it 'returns the last update time' do
+      time = Time.now - 30
+      Puppet::FileSystem.touch(ca_path, mtime: time)
+      provider = create_provider(capath: ca_path)
+
+      expect(provider.ca_last_update).to be_within(1).of(time)
+    end
+
+    it 'sets the last update time' do
+      time = Time.now - 30
+      provider = create_provider(capath: ca_path)
+      provider.ca_last_update = time
+
+      expect(Puppet::FileSystem.stat(ca_path).mtime).to be_within(1).of(time)
+    end
+  end
+
   context 'CRL last update time' do
     let(:crl_path) { tmpfile('pem_crls') }