bolt 0.23.0 → 0.24.0

data/vendored/puppet/lib/puppet/resource.rb

@@ -12,7 +12,7 @@ class Puppet::Resource
 
   include Enumerable
   attr_accessor :file, :line, :catalog, :exported, :virtual, :strict
-  attr_reader :type, :title, :parameters, :rich_data_enabled
+  attr_reader :type, :title, :parameters
 
   # @!attribute [rw] sensitive_parameters
   #   @api private
@@ -76,6 +76,13 @@ class Puppet::Resource
     "#{@type}[#{@title}]#{to_hash.inspect}"
   end
 
+  # Produces a Data compliant hash of the resource.
+  # The result depends on the --rich_data setting, and the context value
+  # for Puppet.lookup(:stringify_rich), that if it is `true` will use the
+  # ToStringifiedConverter to produce the value per parameter.
+  # (Note that the ToStringifiedConverter output is lossy and should not
+  # be used when producing a catalog serialization).
+  #
   def to_data_hash
     data = {
       'type' => type,
@@ -89,17 +96,27 @@ class Puppet::Resource
 
     data['exported'] ||= false
 
+    # To get stringified parameter values the flag :stringify_rich can be set
+    # in the puppet context.
+    #
+    stringify = Puppet.lookup(:stringify_rich) { false }
+    converter = stringify ? Puppet::Pops::Serialization::ToStringifiedConverter.new : nil
+
     params = {}
     self.to_hash.each_pair do |param, value|
       # Don't duplicate the title as the namevar
       unless param == namevar && value == title
-        params[param.to_s] = Puppet::Resource.value_to_json_data(value)
+        if stringify
+          params[param.to_s] = converter.convert(value)
+        else
+          params[param.to_s] = Puppet::Resource.value_to_json_data(value)
+        end
       end
     end
 
     unless params.empty?
       data['parameters'] = Puppet::Pops::Serialization::ToDataConverter.convert(params, {
-        :rich_data => environment.rich_data?,
+        :rich_data => Puppet.lookup(:rich_data),
         :symbol_as_string => true,
         :local_reference => false,
         :type_by_reference => true,

data/vendored/puppet/lib/puppet/resource/catalog.rb

@@ -377,8 +377,7 @@ class Puppet::Resource::Catalog < Puppet::Graph::SimpleGraph
     result = @resource_table[title_key]
     if result.nil?
       # an instance has to be created in order to construct the unique key used when
-      # searching for aliases, or when app_management is active and nothing is found in
-      # which case it is needed by the CapabilityFinder.
+      # searching for aliases, or nothing is found as it is needed by the CapabilityFinder.
       res = Puppet::Resource.new(type, title, { :environment => @environment_instance })
 
       # Must check with uniqueness key because of aliases or if resource transforms title in title
@@ -582,16 +581,7 @@ class Puppet::Resource::Catalog < Puppet::Graph::SimpleGraph
   private
 
   def prioritizer
-    @prioritizer ||= case Puppet[:ordering]
-                     when "title-hash"
-                       Puppet::Graph::TitleHashPrioritizer.new
-                     when "manifest"
-                       Puppet::Graph::SequentialPrioritizer.new
-                     when "random"
-                       Puppet::Graph::RandomPrioritizer.new
-                     else
-                       raise Puppet::DevError, _("Unknown ordering type %{ordering}") % { ordering: Puppet[:ordering] }
-                     end
+    @prioritizer = Puppet::Graph::SequentialPrioritizer.new
   end
 
   def create_transaction(options)

data/vendored/puppet/lib/puppet/rest/routes.rb

@@ -1,8 +1,12 @@
 require 'puppet/rest/route'
+require 'puppet/network/http_pool'
+require 'puppet/network/http/compression'
 
 module Puppet::Rest
   module Routes
 
+    extend Puppet::Network::HTTP::Compression.module
+
     ACCEPT_ENCODING = 'gzip;q=1.0,deflate;q=0.6,identity;q=0.3'
 
     def self.ca
@@ -12,79 +16,138 @@ module Puppet::Rest
                         srv_service: :ca)
     end
 
-    # Make an HTTP request to fetch the named certificate, using the given
-    # HTTP client.
-    # @param [Puppet::Rest::Client] client the HTTP client to use to make the request
+    # Make an HTTP request to fetch the named certificate
     # @param [String] name the name of the certificate to fetch
+    # @param [Puppet::Rest::SSLContext] ssl_context the ssl content to use when making the request
     # @raise [Puppet::Rest::ResponseError] if the response status is not OK
     # @return [String] the PEM-encoded certificate or certificate bundle
-    def self.get_certificate(client, name)
-      ca.with_base_url(client.dns_resolver) do |url|
+    def self.get_certificate(name, ssl_context)
+      ca.with_base_url(Puppet::Network::Resolver.new) do |url|
         header = { 'Accept' => 'text/plain', 'Accept-Encoding' => ACCEPT_ENCODING }
-        body = ''
         url.path += "certificate/#{name}"
-        client.get(url, header: header) do |chunk|
-          body << chunk
+
+        use_ssl = url.is_a? URI::HTTPS
+
+        # Deeper levels of the code assume that if we have any number of
+        # certificate related files, we have all of the certificate related
+        # files. This assumption caused us to download the certificate twice.
+        # We have to hard code `verify_mode=false` so we don't attempt to
+        # download the certificate so that we can download the certificate.
+        #
+        # This is related to PUP-9094. We won't have so many issues with this
+        # once we are using the httpclient gem to handle this work. We were
+        # unable to get this work completed in time for Puppet 6.0.0, so we had
+        # to switch back to using Puppet::Network::HttpPool, which has
+        # unfortunate limitations (i.e., an all or nothing approach to cert
+        # verification).
+        verify_mode = false
+
+        client = Puppet::Network::HttpPool.http_instance(url.host, url.port, use_ssl, verify_mode)
+
+        response = client.get(url.request_uri, header)
+        unless response.code.to_i == 200
+          raise Puppet::Rest::ResponseError.new(response.message, response)
         end
+
         Puppet.info _("Downloaded certificate for %{name} from %{server}") % { name: name, server: ca.server }
-        body
+
+        uncompress_body(response)
       end
     end
 
-    # Make an HTTP request to fetch the named crl, using the given
-    # HTTP client. Accepts a block to stream responses to disk.
-    # @param [Puppet::Rest::Client] client the HTTP client to use to make the request
+    # Make an HTTP request to fetch the named crl
     # @param [String] name the crl to fetch
+    # @param [Puppet::Rest::SSLContext] ssl_context the ssl content to use when making the request
     # @raise [Puppet::Rest::ResponseError] if the response status is not OK
-    # @return nil
-    def self.get_crls(client, name, &block)
-      ca.with_base_url(client.dns_resolver) do |url|
+    # @return [String] the PEM-encoded crl
+    def self.get_crls(name, ssl_context)
+      ca.with_base_url(Puppet::Network::Resolver.new) do |url|
         header = { 'Accept' => 'text/plain', 'Accept-Encoding' => ACCEPT_ENCODING }
         url.path += "certificate_revocation_list/#{name}"
-        client.get(url, header: header) do |chunk|
-          block.call(chunk)
+
+        use_ssl = url.is_a? URI::HTTPS
+
+        # Deeper levels of the code assume that if we have any number of
+        # certificate related files, we have all of the certificate related
+        # files. Unfortunately, this causes us to get stuck in an infinite loop,
+        # so we have to hard code `verify_mode=false` so we don't attempt to use
+        # files that do not exist yet in order to download those files.
+        #
+        # This is related to PUP-9094. We won't have so many issues with this
+        # once we are using the httpclient gem to handle this work. We were
+        # unable to get this work completed in time for Puppet 6.0.0, so we had
+        # to switch back to using Puppet::Network::HttpPool, which has
+        # unfortunate limitations (i.e., an all or nothing approach to cert
+        # verification).
+        verify_mode = false
+
+        client = Puppet::Network::HttpPool.http_instance(url.host, url.port, use_ssl, verify_mode)
+
+        response = client.get(url.request_uri, header)
+        unless response.code.to_i == 200
+          raise Puppet::Rest::ResponseError.new(response.message, response)
         end
+
         Puppet.debug _("Downloaded certificate revocation list for %{name} from %{server}") % { name: name, server: ca.server }
+
+        uncompress_body(response)
       end
     end
 
-    # Make an HTTP request to send the named CSR, using the given
-    # HTTP client.
-    # @param [Puppet::Rest::Client] client the HTTP client to use to make the request
+    # Make an HTTP request to send the named CSR
     # @param [String] csr_pem the contents of the CSR to sent to the CA
     # @param [String] name the name of the host whose CSR is being submitted
+    # @param [Puppet::Rest::SSLContext] ssl_context the ssl content to use when making the request
     # @rasies [Puppet::Rest::ResponseError] if the response status is not OK
-    def self.put_certificate_request(client, csr_pem, name)
-      ca.with_base_url(client.dns_resolver) do |url|
+    def self.put_certificate_request(csr_pem, name, ssl_context)
+      ca.with_base_url(Puppet::Network::Resolver.new) do |url|
         header = { 'Accept' => 'text/plain',
                    'Accept-Encoding' => ACCEPT_ENCODING,
                    'Content-Type' => 'text/plain' }
         url.path += "certificate_request/#{name}"
-        response = client.put(url, body: csr_pem, header: header)
-        if response.ok?
+
+        use_ssl = url.is_a? URI::HTTPS
+
+        # See notes above as to why verify_mode is hardcoded to false
+        verify_mode = false
+
+        client = Puppet::Network::HttpPool.http_instance(url.host, url.port, use_ssl, verify_mode)
+
+        response = client.put(url.request_uri, csr_pem, header)
+        if response.code.to_i == 200
           Puppet.debug "Submitted certificate request to server."
         else
-          raise response.to_exception
+          raise Puppet::Rest::ResponseError.new(response.message, response)
         end
       end
     end
 
-    # Make an HTTP request to get the named CSR, using the given
-    # HTTP client.
-    # @param [Puppet::Rest::Client] client the HTTP client to use to make the request
+    # Make an HTTP request to get the named CSR
     # @param [String] name the name of the host whose CSR is being queried
+    # @param [Puppet::Rest::SSLContext] ssl_context the ssl content to use when making the request
     # @rasies [Puppet::Rest::ResponseError] if the response status is not OK
     # @return [String] the PEM encoded certificate request
-    def self.get_certificate_request(client, name)
-      ca.with_base_url(client.dns_resolver) do |url|
+    def self.get_certificate_request(name, ssl_context)
+      ca.with_base_url(Puppet::Network::Resolver.new) do |url|
         header = { 'Accept' => 'text/plain', 'Accept-Encoding' => ACCEPT_ENCODING }
-        body = ''
         url.path += "certificate_request/#{name}"
-        client.get(url, header: header) do |chunk|
-          body << chunk
+
+        use_ssl = url.is_a? URI::HTTPS
+
+        # See notes above as to why verify_mode is hardcoded to false
+        verify_mode = false
+
+        client = Puppet::Network::HttpPool.http_instance(url.host, url.port, use_ssl, verify_mode)
+
+
+        response = client.get(url.request_uri, header)
+        unless response.code.to_i == 200
+          raise Puppet::Rest::ResponseError.new(response.message, response)
         end
+
         Puppet.debug _("Downloaded existing certificate request for %{name} from %{server}") % { name: name, server: ca.server }
-        body
+
+        uncompress_body(response)
       end
     end
   end

data/vendored/puppet/lib/puppet/settings.rb

@@ -1197,7 +1197,7 @@ Generated on #{Time.now}.
 
   def add_user_resources(catalog, sections)
     return unless Puppet.features.root?
-    return if Puppet.features.microsoft_windows?
+    return if Puppet::Util::Platform.windows?
     return unless self[:mkusers]
 
     @config.each do |name, setting|

data/vendored/puppet/lib/puppet/settings/file_setting.rb

@@ -156,7 +156,7 @@ class Puppet::Settings::FileSetting < Puppet::Settings::StringSetting
       end
 
       # REMIND fails on Windows because chown/chgrp functionality not supported yet
-      if Puppet.features.root? and !Puppet.features.microsoft_windows?
+      if Puppet.features.root? and !Puppet::Util::Platform.windows?
         resource[:owner] = self.owner if self.owner
         resource[:group] = self.group if self.group
       end

data/vendored/puppet/lib/puppet/ssl/base.rb

@@ -34,11 +34,6 @@ class Puppet::SSL::Base
 
   attr_accessor :name, :content
 
-  # Is this file for the CA?
-  def ca?
-    name == Puppet::SSL::Host.ca_name
-  end
-
   def generate
     raise Puppet::DevError, _("%{class_name} did not override 'generate'") % { class_name: self.class }
   end
@@ -86,18 +81,15 @@ class Puppet::SSL::Base
 
   # Read content from disk appropriately.
   def read(path)
-    # applies to Puppet::SSL::Certificate, Puppet::SSL::CertificateRequest, Puppet::SSL::CertificateRevocationList
+    # applies to Puppet::SSL::Certificate, Puppet::SSL::CertificateRequest
     # Puppet::SSL::Key uses this, but also provides its own override
     # nothing derives from Puppet::SSL::Certificate, but it is called by a number of other SSL Indirectors:
-    # Puppet::SSL::Certificate::DisabledCa (:find, :save, :destroy)
     # Puppet::Indirector::CertificateStatus::File (.indirection.find)
     # Puppet::Network::HTTP::WEBrick (.indirection.find)
     # Puppet::Network::HTTP::RackREST (.from_instance)
     # Puppet::Network::HTTP::WEBrickREST (.from_instance)
-    # Puppet::SSL::CertificateAuthority (.new, .indirection.find, .indirection.save)
     # Puppet::SSL::Host (.indirection.find)
     # Puppet::SSL::Inventory (.indirection.search, implements its own add / rebuild / serials with encoding UTF8)
-    # Puppet::SSL::CertificateAuthority::Interface (.indirection.find)
     # Puppet::SSL::Validator::DefaultValidator (.from_instance) / Puppet::SSL::Validator::NoValidator does nothing
     @content = wrapped_class.new(Puppet::FileSystem.read(path, :encoding => Encoding::ASCII))
   end

data/vendored/puppet/lib/puppet/ssl/certificate_request.rb

@@ -30,19 +30,7 @@ class Puppet::SSL::CertificateRequest < Puppet::SSL::Base
 
   extend Puppet::Indirector
 
-  # If auto-signing is on, sign any certificate requests as they are saved.
-  module AutoSigner
-    def save(instance, key = nil)
-      super
-
-      # Try to autosign the CSR.
-      if ca = Puppet::SSL::CertificateAuthority.instance
-        ca.autosign(instance)
-      end
-    end
-  end
-
-  indirects :certificate_request, :terminus_class => :file, :extend => AutoSigner, :doc => <<DOC
+  indirects :certificate_request, :terminus_class => :file, :doc => <<DOC
     This indirection wraps an `OpenSSL::X509::Request` object, representing a certificate signing request (CSR).
     The indirection key is the certificate CN (generally a hostname).
 DOC

data/vendored/puppet/lib/puppet/ssl/certificate_request_attributes.rb

@@ -21,7 +21,7 @@ class Puppet::SSL::CertificateRequestAttributes
   def load
     Puppet.info(_("csr_attributes file loading from %{path}") % { path: path })
     if Puppet::FileSystem.exist?(path)
-      hash = Puppet::Util::Yaml.load_file(path, {})
+      hash = Puppet::Util::Yaml.safe_load_file(path, [Symbol]) || {}
       if ! hash.is_a?(Hash)
         raise Puppet::Error, _("invalid CSR attributes, expected instance of Hash, received instance of %{klass}") % { klass: hash.class }
       end

data/vendored/puppet/lib/puppet/ssl/host.rb

@@ -1,9 +1,7 @@
-require 'puppet/indirector'
 require 'puppet/ssl'
 require 'puppet/ssl/key'
 require 'puppet/ssl/certificate'
 require 'puppet/ssl/certificate_request'
-require 'puppet/ssl/certificate_revocation_list'
 require 'puppet/ssl/certificate_request_attributes'
 require 'puppet/rest/errors'
 require 'puppet/rest/routes'
@@ -24,22 +22,11 @@ class Puppet::SSL::Host
   CA_NAME = Puppet::SSL::CA_NAME
   Certificate = Puppet::SSL::Certificate
   CertificateRequest = Puppet::SSL::CertificateRequest
-  CertificateRevocationList = Puppet::SSL::CertificateRevocationList
-
-  extend Puppet::Indirector
-  indirects :certificate_status, :terminus_class => :file, :doc => <<DOC
-    This indirection represents the host that ties a key, certificate, and certificate request together.
-    The indirection key is the certificate CN (generally a hostname).
-DOC
 
   attr_reader :name, :crl_path
-  attr_accessor :ca
 
   attr_writer :key, :certificate, :certificate_request, :crl_usage
 
-  # This accessor is used in instances for indirector requests to hold desired state
-  attr_accessor :desired_state
-
   def self.localhost
     return @localhost if @localhost
     @localhost = new
@@ -52,28 +39,10 @@ DOC
     @localhost = nil
   end
 
-  # This is the constant that people will use to mark that a given host is
-  # a certificate authority.
-  def self.ca_name
-    CA_NAME
-  end
-
-  class << self
-    attr_reader :ca_location
-  end
-
   # Configure how our various classes interact with their various terminuses.
   def self.configure_indirection(terminus, cache = nil)
     Certificate.indirection.terminus_class = terminus
     CertificateRequest.indirection.terminus_class = terminus
-    CertificateRevocationList.indirection.terminus_class = terminus
-
-    host_map = {:ca => :file, :disabled_ca => nil, :file => nil, :rest => :rest}
-    if term = host_map[terminus]
-      self.indirection.terminus_class = term
-    else
-      self.indirection.reset_terminus_class
-    end
 
     if cache
       # This is weird; we don't actually cache our keys, we
@@ -87,7 +56,6 @@ DOC
     if cache
       Certificate.indirection.cache_class = cache
       CertificateRequest.indirection.cache_class = cache
-      CertificateRevocationList.indirection.cache_class = cache
     else
       # Make sure we have no cache configured.  puppet master
       # switches the configurations around a bit, so it's important
@@ -95,39 +63,9 @@ DOC
       # time.
       Certificate.indirection.cache_class = nil
       CertificateRequest.indirection.cache_class = nil
-      CertificateRevocationList.indirection.cache_class = nil
     end
   end
 
-  CA_MODES = {
-    # Our ca is local, so we use it as the ultimate source of information
-    # And we cache files locally.
-    :local => [:ca, :file],
-    # We're a remote CA client.
-    :remote => [:rest, :file],
-    # We are the CA, so we don't have read/write access to the normal certificates.
-    :only => [:ca],
-    # We have no CA, so we just look in the local file store.
-    :none => [:disabled_ca]
-  }
-
-  # Specify how we expect to interact with our certificate authority.
-  def self.ca_location=(mode)
-    modes = CA_MODES.collect { |m, vals| m.to_s }.join(", ")
-    raise ArgumentError, _("CA Mode can only be one of: %{modes}") % { modes: modes } unless CA_MODES.include?(mode)
-
-    @ca_location = mode
-
-    configure_indirection(*CA_MODES[@ca_location])
-  end
-
-  # Puppet::SSL::Host is actually indirected now so the original implementation
-  # has been moved into the certificate_status indirector.  This method is in-use
-  # in `puppet cert -c <certname>`.
-  def self.destroy(name)
-    indirection.destroy(name)
-  end
-
   def self.from_data_hash(data)
     instance = new(data["name"])
     if data["desired_state"]
@@ -136,18 +74,6 @@ DOC
     instance
   end
 
-  # Puppet::SSL::Host is actually indirected now so the original implementation
-  # has been moved into the certificate_status indirector.  This method does not
-  # appear to be in use in `puppet cert -l`.
-  def self.search(options = {})
-    indirection.search("*", options)
-  end
-
-  # Is this a ca host, meaning that all of its files go in the CA location?
-  def ca?
-    ca
-  end
-
   def key
     @key ||= Key.indirection.find(name)
   end
@@ -175,8 +101,6 @@ DOC
       # ...add our configured dns_alt_names
       if Puppet[:dns_alt_names] and Puppet[:dns_alt_names] != ''
         options[:dns_alt_names] ||= Puppet[:dns_alt_names]
-      elsif Puppet::SSL::CertificateAuthority.ca? and fqdn = Facter.value(:fqdn) and domain = Facter.value(:domain)
-        options[:dns_alt_names] = "puppet, #{fqdn}, puppet.#{domain}"
       end
     end
 
@@ -190,6 +114,7 @@ DOC
     @certificate_request.generate(key.content, options)
     begin
       submit_certificate_request(@certificate_request)
+      save_certificate_request(@certificate_request)
     rescue
       @certificate_request = nil
       raise
@@ -208,23 +133,28 @@ DOC
 
       # get the CA cert first, since it's required for the normal cert
       # to be of any use. If we can't get it, quit.
-      if !ca? && !ensure_ca_certificate
+      if !ensure_ca_certificate
         return nil
       end
 
-      @certificate = get_host_certificate
-      return nil unless @certificate
+      cert = get_host_certificate
+      return nil unless cert
 
-      validate_certificate_with_key
+      validate_certificate_with_key(cert)
+      @certificate = cert
     end
     @certificate
   end
 
-  def validate_certificate_with_key
-    raise Puppet::Error, _("No certificate to validate.") unless certificate
-    raise Puppet::Error, _("No private key with which to validate certificate with fingerprint: %{fingerprint}") % { fingerprint: certificate.fingerprint } unless key
-    unless certificate.content.check_private_key(key.content)
-      raise Puppet::Error, _(<<ERROR_STRING) % { fingerprint: certificate.fingerprint, cert_name: Puppet[:certname], ssl_dir: Puppet[:ssldir], cert_dir: Puppet[:certdir].gsub('/', '\\') }
+  # Validate that our private key matches the specified certificate.
+  #
+  # @param [Puppet::SSL::Certificate] cert the certificate to check
+  # @raises [Puppet::Error] if the private key does not match
+  def validate_certificate_with_key(cert)
+    raise Puppet::Error, _("No certificate to validate.") unless cert
+    raise Puppet::Error, _("No private key with which to validate certificate with fingerprint: %{fingerprint}") % { fingerprint: cert.fingerprint } unless key
+    unless cert.content.check_private_key(key.content)
+      raise Puppet::Error, _(<<ERROR_STRING) % { fingerprint: cert.fingerprint, cert_name: Puppet[:certname], ssl_dir: Puppet[:ssldir], cert_dir: Puppet[:certdir].gsub('/', '\\') }
 The certificate retrieved from the master does not match the agent's private key. Did you forget to run as root?
 Certificate fingerprint: %{fingerprint}
 To fix this, remove the certificate from both the master and the agent and then start a puppet run, which will automatically regenerate a certificate.
@@ -238,6 +168,15 @@ ERROR_STRING
     end
   end
 
+  def download_host_certificate
+    cert = download_certificate_from_ca(name)
+    return nil unless cert
+
+    validate_certificate_with_key(cert)
+    save_host_certificate(cert)
+    cert
+  end
+
   # Search for an existing CSR for this host either cached on
   # disk or stored by the CA. Returns nil if no request exists.
   # @return [Puppet::SSL::CertificateRequest, nil]
@@ -245,10 +184,8 @@ ERROR_STRING
     unless @certificate_request
       if csr = load_certificate_request_from_file
         @certificate_request = csr
-      elsif Puppet::SSL::Host.ca_location == :remote
-        if csr = download_csr_from_ca
-          @certificate_request = csr
-        end
+      elsif csr = download_csr_from_ca
+        @certificate_request = csr
       end
     end
     @certificate_request
@@ -262,10 +199,62 @@ ERROR_STRING
 
     # if CSR downloaded from master, but the local keypair was just generated and
     # does not match the public key in the CSR, fail hard
-    if !existing_request.nil? &&
-      (key.content.public_key.to_s != existing_request.content.public_key.to_s)
+    validate_csr_with_key(existing_request, key) if existing_request
+
+    generate_certificate_request unless existing_request
+  end
 
-      raise Puppet::Error, _(<<ERROR_STRING) % { fingerprint: existing_request.fingerprint, csr_public_key: existing_request.content.public_key.to_text, agent_public_key: key.content.public_key.to_text, cert_name: Puppet[:certname], ssl_dir: Puppet[:ssldir], cert_dir: Puppet[:certdir].gsub('/', '\\') }
+  # Generate a keypair, generate a CSR, and submit it. If a local key pair
+  # already exists it will be used to generate the CSR. If a local CSR already
+  # exists and matches the key then the existing CSR will be submitted. If the
+  # CSR and key do not match an exception will be raised.
+  #
+  # @return [Puppet::SSL::CertificateRequest, nil]
+  def submit_request
+    generate_key unless key
+
+    csr = load_certificate_request_from_file
+    if csr
+      if key.content.public_key.to_s != csr.content.public_key.to_s
+        Puppet.warning("The local CSR does not match the agent's public key. Generating a new CSR.")
+
+        request_path = certificate_request_location(name)
+        Puppet::FileSystem.unlink(request_path)
+        csr = nil
+      end
+    end
+
+    if csr
+      validate_csr_with_key(csr, key)
+      submit_certificate_request(csr)
+      @certificate_request = csr
+    else
+      generate_certificate_request
+    end
+
+    @certificate_request
+  end
+
+  def validate_local_csr_with_key(csr, key)
+    if key.content.public_key.to_s != csr.content.public_key.to_s
+      raise Puppet::Error, _(<<ERROR_STRING) % { fingerprint: csr.fingerprint, csr_public_key: csr.content.public_key.to_text, agent_public_key: key.content.public_key.to_text, cert_name: Puppet[:certname], ssl_dir: Puppet[:ssldir], cert_dir: Puppet[:certdir].gsub('/', '\\') }
+The local CSR does not match the agent's public key.
+CSR fingerprint: %{fingerprint}
+CSR public key: %{csr_public_key}
+Agent public key: %{agent_public_key}
+To fix this, remove the CSR from the agent and then start a puppet run, which will automatically regenerate a CSR.
+On the agent:
+  1a. On most platforms: find %{ssl_dir} -name %{cert_name}.pem -delete
+  1b. On Windows: del "%{cert_dir}\\%{cert_name}.pem" /f
+  2. puppet agent -t
+ERROR_STRING
+    end
+  end
+  private :validate_local_csr_with_key
+
+  def validate_csr_with_key(csr, key)
+    if key.content.public_key.to_s != csr.content.public_key.to_s
+      raise Puppet::Error, _(<<ERROR_STRING) % { fingerprint: csr.fingerprint, csr_public_key: csr.content.public_key.to_text, agent_public_key: key.content.public_key.to_text, cert_name: Puppet[:certname], ssl_dir: Puppet[:ssldir], cert_dir: Puppet[:certdir].gsub('/', '\\') }
 The CSR retrieved from the master does not match the agent's public key.
 CSR fingerprint: %{fingerprint}
 CSR public key: %{csr_public_key}
@@ -279,21 +268,13 @@ On the agent:
   2. puppet agent -t
 ERROR_STRING
     end
-    generate_certificate_request unless existing_request
-
-    # If we can get a CA instance, then we're a valid CA, and we
-    # should use it to sign our request; else, just try to read
-    # the cert.
-    if ! certificate and ca = Puppet::SSL::CertificateAuthority.instance
-      ca.sign(self.name, {allow_dns_alt_names: true})
-    end
   end
+  private :validate_csr_with_key
 
   def initialize(name = nil)
     @name = (name || Puppet[:certname]).downcase
     Puppet::SSL::Base.validate_certname(@name)
     @key = @certificate = @certificate_request = nil
-    @ca = (name == self.class.ca_name)
     @crl_usage = Puppet.settings[:certificate_revocation]
     @crl_path = Puppet.settings[:hostcrl]
   end
@@ -320,49 +301,6 @@ ERROR_STRING
     @ssl_store
   end
 
-  def to_data_hash
-    my_cert = Puppet::SSL::Certificate.indirection.find(name)
-    result = { 'name'  => name }
-
-    my_state = state
-
-    result['state'] = my_state
-    result['desired_state'] = desired_state if desired_state
-
-    thing_to_use = (my_state == 'requested') ? certificate_request : my_cert
-
-    # this is for backwards-compatibility
-    # we should deprecate it and transition people to using
-    # json[:fingerprints][:default]
-    # It appears that we have no internal consumers of this api
-    # --jeffweiss 30 aug 2012
-    result['fingerprint'] = thing_to_use.fingerprint
-
-    # The above fingerprint doesn't tell us what message digest algorithm was used
-    # No problem, except that the default is changing between 2.7 and 3.0. Also, as
-    # we move to FIPS 140-2 compliance, MD5 is no longer allowed (and, gasp, will
-    # segfault in rubies older than 1.9.3)
-    # So, when we add the newer fingerprints, we're explicit about the hashing
-    # algorithm used.
-    # --jeffweiss 31 july 2012
-    result['fingerprints'] = {}
-    result['fingerprints']['default'] = thing_to_use.fingerprint
-
-    suitable_message_digest_algorithms.each do |md|
-      result['fingerprints'][md.to_s] = thing_to_use.fingerprint md
-    end
-    result['dns_alt_names'] = thing_to_use.subject_alt_names
-
-    result
-  end
-
-  # eventually we'll probably want to move this somewhere else or make it
-  # configurable
-  # --jeffweiss 29 aug 2012
-  def suitable_message_digest_algorithms
-    [:SHA1, :SHA224, :SHA256, :SHA384, :SHA512]
-  end
-
   # Attempt to retrieve a cert, if we don't already have one.
   def wait_for_cert(time)
     begin
@@ -396,28 +334,21 @@ ERROR_STRING
     end
   end
 
-  def state
-    if certificate_request
-      return 'requested'
-    end
-
-    begin
-      Puppet::SSL::CertificateAuthority.new.verify(name)
-      return 'signed'
-    rescue Puppet::SSL::CertificateAuthority::CertificateVerificationError
-      return 'revoked'
+  # Saves the given certificate to disc, at a location determined by this
+  # host's configuration.
+  # @param [Puppet::SSL::Certificate] cert the cert to save
+  def save_host_certificate(cert)
+    file_path = certificate_location(name)
+    Puppet::Util.replace_file(file_path, 0644) do |f|
+      f.write(cert.to_s)
     end
   end
 
   private
 
-  # Load a previously generated CSR either from memory or from disk
+  # Load a previously generated CSR from disk
   # @return [Puppet::SSL::CertificateRequest, nil]
   def load_certificate_request_from_file
-    if Puppet::SSL::CertificateRequest.indirection.terminus_class == :memory
-      return Puppet::SSL::CertificateRequest.indirection.find(cert_name)
-    end
-
     request_path = certificate_request_location(name)
     if Puppet::FileSystem.exist?(request_path)
       Puppet::SSL::CertificateRequest.from_s(Puppet::FileSystem.read(request_path))
@@ -432,38 +363,28 @@ ERROR_STRING
   def download_csr_from_ca
     begin
       body = Puppet::Rest::Routes.get_certificate_request(
-                    http_client(Puppet::Rest::SSLContext.new(OpenSSL::SSL::VERIFY_PEER, ssl_store)),
-                    name)
+                    name, Puppet::Rest::SSLContext.new(OpenSSL::SSL::VERIFY_PEER, ssl_store))
       begin
         Puppet::SSL::CertificateRequest.from_s(body)
       rescue OpenSSL::X509::RequestError => e
         raise Puppet::Error, _("Response from the CA did not contain a valid certificate request: %{message}") % { message: e.message }
       end
     rescue Puppet::Rest::ResponseError => e
-      if e.response.status_code == 404
+      if e.response.code.to_i == 404
         nil
       else
         raise Puppet::Error, _('Could not download certificate request: %{message}') % { message: e.message }
       end
     end
   end
-  # Submit the CSR to the CA, either via an HTTP PUT request, or when testing,
-  # via the indirector (needed for both memory and CA terminii). This also
-  # caches a copy of the CSR on disk.
+  # Submit the CSR to the CA via an HTTP PUT request.
   # @param [Puppet::SSL::CertificateRequest] csr the request to submit
   def submit_certificate_request(csr)
-    if Puppet::SSL::CertificateRequest.indirection.terminus_class == :memory ||
-      Puppet::SSL::CertificateRequest.indirection.terminus_class == :ca
-      Puppet::SSL::CertificateRequest.indirection.save(csr)
-      return
-    end
-
-    if Puppet::SSL::Host.ca_location == :remote
-      Puppet::Rest::Routes.put_certificate_request(
-                    http_client(Puppet::Rest::SSLContext.new(OpenSSL::SSL::VERIFY_PEER, ssl_store)),
-                    csr.render, name)
-    end
+    Puppet::Rest::Routes.put_certificate_request(
+                  csr.render, name, Puppet::Rest::SSLContext.new(OpenSSL::SSL::VERIFY_PEER, ssl_store))
+  end
 
+  def save_certificate_request(csr)
     Puppet::Util.replace_file(certificate_request_location(name), 0644) do |file|
       file.write(csr.render)
     end
@@ -495,16 +416,13 @@ ERROR_STRING
 
   # Ensures that the CA certificate is available for either generating or
   # validating the host's cert.
-  # It will first check if the cert is present in memory (used for testing),
-  # then check on disk, and finally try to download it.
+  # It will first check on disk, then try to download it.
   # @raise [Puppet::Error] if text form of found certificate bundle is invalid
   #                        and cannot be loaded into cert objects
   # @return [Boolean] true if the CA certificate was found, false otherwise
   def ensure_ca_certificate
     file_path = certificate_location(CA_NAME)
-    if check_for_certificate_in_memory(CA_NAME)
-      true
-    elsif Puppet::FileSystem.exist?(file_path)
+    if Puppet::FileSystem.exist?(file_path)
       begin
         # This load ensures that the file contents is a valid cert bundle.
         # If the text is malformed, load_certificate_bundle will raise.
@@ -522,6 +440,7 @@ ERROR_STRING
       end
     end
   end
+  public :ensure_ca_certificate
 
   # Creates an arry of SSL Certificate objects from a PEM-encoding string
   # of one or more certs.
@@ -556,13 +475,11 @@ ERROR_STRING
   # @return nil
   def download_and_save_crl_bundle(store=nil)
     begin
-      # If no SSL store was suppoed, use this host's SSL store
+      # If no SSL store was supplied, use this host's SSL store
       store ||= ssl_store
-      client = http_client(Puppet::Rest::SSLContext.new(OpenSSL::SSL::VERIFY_PEER, store))
       Puppet::Util.replace_file(crl_path, 0644) do |file|
-        Puppet::Rest::Routes.get_crls(client, CA_NAME) do |chunk|
-          file.write(chunk)
-        end
+        result = Puppet::Rest::Routes.get_crls(CA_NAME, Puppet::Rest::SSLContext.new(OpenSSL::SSL::VERIFY_PEER, store))
+        file.write(result)
       end
     rescue Puppet::Rest::ResponseError => e
       raise Puppet::Error, _('Could not download CRLs: %{message}') % { message: e.message }
@@ -574,12 +491,11 @@ ERROR_STRING
   #                        bundle
   # @return [[OpenSSL::X509::Certificate]] the certs loaded from the response
   def download_ca_certificate_bundle
-    return nil if Puppet::SSL::Host.ca_location != :remote
-
     begin
       cert_bundle = Puppet::Rest::Routes.get_certificate(
-                    http_client(Puppet::Rest::SSLContext.new(OpenSSL::SSL::VERIFY_NONE)),
-                    CA_NAME)
+        CA_NAME,
+        Puppet::Rest::SSLContext.new(OpenSSL::SSL::VERIFY_NONE)
+      )
       # This load ensures that the response body is a valid cert bundle.
       # If the text is malformed, load_certificate_bundle will raise.
       begin
@@ -606,9 +522,7 @@ ERROR_STRING
   # no certificate could be found.
   # @return [Puppet::SSL::Certificate, nil]
   def get_host_certificate
-    if cert = check_for_certificate_in_memory(name)
-      return cert
-    elsif cert = check_for_certificate_on_disk(name)
+    if cert = check_for_certificate_on_disk(name)
       return cert
     elsif cert = download_certificate_from_ca(name)
       save_host_certificate(cert)
@@ -618,17 +532,6 @@ ERROR_STRING
     end
   end
 
-  # Checks the certificate indirection for a cert stored in memory.
-  # Only relevant if the memory terminus is in use, and currently
-  # only used in testing.
-  # @param [String] name the name of the cert to look for
-  # @return [Puppet::SSL::Certificate, nil]
-  def check_for_certificate_in_memory(cert_name)
-    if Puppet::SSL::Certificate.indirection.terminus_class == :memory
-      return Puppet::SSL::Certificate.indirection.find(cert_name)
-    end
-  end
-
   # Checks for the requested certificate on disc, at a location
   # determined by this host's configuration.
   # @name [String] name the name of the cert to look for
@@ -645,6 +548,7 @@ ERROR_STRING
       end
     end
   end
+  public :check_for_certificate_on_disk
 
   # Attempts to download this host's certificate from the CA server.
   # Returns nil if the CA does not yet have a signed cert for this host.
@@ -653,19 +557,18 @@ ERROR_STRING
   #                        certificate
   # @return [Puppet::SSL::Certificate, nil]
   def download_certificate_from_ca(cert_name)
-    return nil if Puppet::SSL::Host.ca_location != :remote
-
     begin
       cert = Puppet::Rest::Routes.get_certificate(
-                    http_client(Puppet::Rest::SSLContext.new(OpenSSL::SSL::VERIFY_PEER, ssl_store)),
-                    cert_name)
+        cert_name,
+        Puppet::Rest::SSLContext.new(OpenSSL::SSL::VERIFY_PEER, ssl_store)
+      )
       begin
         Puppet::SSL::Certificate.from_s(cert)
       rescue OpenSSL::X509::CertificateError
         raise Puppet::Error, _("Response from the CA did not contain a valid certificate for %{cert_name}.") % { cert_name: cert_name }
       end
     rescue Puppet::Rest::ResponseError => e
-      if e.response.status_code == 404
+      if e.response.code.to_i == 404
         Puppet.debug _("No certificate for %{cert_name} on CA") % { cert_name: cert_name }
         nil
       else
@@ -674,38 +577,19 @@ ERROR_STRING
     end
   end
 
-  # Saves the given certificate to disc, at a location determined by this
-  # host's configuration.
-  # @param [Puppet::SSL::Certificate] cert the cert to save
-  def save_host_certificate(cert)
-    file_path = certificate_location(name)
-    Puppet::Util.replace_file(file_path, 0644) do |f|
-      f.write(cert.to_s)
-    end
-  end
-
   # Returns the file path for the named certificate, based on this host's
   # configuration.
   # @param [String] name the name of the cert to find
   # @return [String] file path to the cert's location
   def certificate_location(cert_name)
-    if Puppet::SSL::Host.ca_location == :only
-      cert_name == CA_NAME ? Puppet[:cacert] : File.join(Puppet[:signeddir], "#{cert_name}.pem")
-    else
-      cert_name == CA_NAME ? Puppet[:localcacert] : File.join(Puppet[:certdir], "#{cert_name}.pem")
-    end
+    cert_name == CA_NAME ? Puppet[:localcacert] : File.join(Puppet[:certdir], "#{cert_name}.pem")
   end
 
   # Returns the file path for the named CSR, based on this host's configuration.
   # @param [String] name the name of the CSR to find
   # @return [String] file path to the CSR's location
   def certificate_request_location(cert_name)
-    if Puppet::SSL::Host.ca_location == :only ||
-        Puppet::SSL::Host.ca_location == :local
-      File.join(Puppet[:csrdir], "#{cert_name}.pem")
-    else
-      File.join(Puppet[:requestdir], "#{cert_name}.pem")
-    end
+    File.join(Puppet[:requestdir], "#{cert_name}.pem")
   end
 
   # @param [OpenSSL::X509::PURPOSE_*] constant defining the kinds of certs
@@ -740,5 +624,3 @@ ERROR_STRING
     store
   end
 end
-
-require 'puppet/ssl/certificate_authority'