puppet 2.6.18 → 2.7.1

data/spec/unit/ssl/base_spec.rb

@@ -1,6 +1,5 @@
-#!/usr/bin/env ruby
-
-require File.dirname(__FILE__) + '/../../spec_helper'
+#!/usr/bin/env rspec
+require 'spec_helper'
 
 require 'puppet/ssl/certificate'
 
@@ -40,4 +39,4 @@ describe Puppet::SSL::Certificate do
       @base.fingerprint(:digest).should == "DI:GE:ST"
     end
   end
-end
+end

data/spec/unit/ssl/certificate_authority/interface_spec.rb

@@ -1,6 +1,5 @@
-#!/usr/bin/env ruby
-
-require File.dirname(__FILE__) + '/../../../spec_helper'
+#!/usr/bin/env rspec
+require 'spec_helper'
 
 require 'puppet/ssl/certificate_authority'
 
@@ -32,13 +31,13 @@ describe Puppet::SSL::CertificateAuthority::Interface do
   end
   describe "when initializing" do
     it "should set its method using its settor" do
-      instance = @class.new(:generate, :to => :all)
-      instance.method.should == :generate
+      @class.any_instance.expects(:method=).with(:generate)
+      @class.new(:generate, :to => :all)
     end
 
     it "should set its subjects using the settor" do
-      instance = @class.new(:generate, :to => :all)
-      instance.subjects.should == :all
+      @class.any_instance.expects(:subjects=).with(:all)
+      @class.new(:generate, :to => :all)
     end
 
     it "should set the digest if given" do
@@ -54,27 +53,23 @@ describe Puppet::SSL::CertificateAuthority::Interface do
 
   describe "when setting the method" do
     it "should set the method" do
-      instance = @class.new(:generate, :to => :all)
-      instance.method = :list
-
-      instance.method.should == :list
+      @class.new(:generate, :to => :all).method.should == :generate
     end
 
     it "should fail if the method isn't a member of the INTERFACE_METHODS array" do
-      lambda { @class.new(:thing, :to => :all) }.should raise_error(ArgumentError, /Invalid method thing to apply/)
+      Puppet::SSL::CertificateAuthority::Interface::INTERFACE_METHODS.expects(:include?).with(:thing).returns false
+
+      lambda { @class.new(:thing, :to => :all) }.should raise_error(ArgumentError)
     end
   end
 
   describe "when setting the subjects" do
     it "should set the subjects" do
-      instance = @class.new(:generate, :to => :all)
-      instance.subjects = :signed
-
-      instance.subjects.should == :signed
+      @class.new(:generate, :to => :all).subjects.should == :all
     end
 
-    it "should fail if the subjects setting isn't :all or an array" do
-      lambda { @class.new(:generate, :to => "other") }.should raise_error(ArgumentError, /Subjects must be an array or :all; not other/)
+    it "should fail if the subjects setting isn't :all or an array", :'fails_on_ruby_1.9.2' => true do
+      lambda { @class.new(:generate, "other") }.should raise_error(ArgumentError)
     end
   end
 
@@ -122,8 +117,8 @@ describe Puppet::SSL::CertificateAuthority::Interface do
       it "should call :generate on the CA for each host specified" do
         @applier = @class.new(:generate, :to => %w{host1 host2})
 
-        @ca.expects(:generate).with("host1", {})
-        @ca.expects(:generate).with("host2", {})
+        @ca.expects(:generate).with("host1")
+        @ca.expects(:generate).with("host2")
 
         @applier.apply(@ca)
       end
@@ -154,24 +149,15 @@ describe Puppet::SSL::CertificateAuthority::Interface do
 
     describe ":sign" do
       describe "and an array of names was provided" do
-        let(:applier) { @class.new(:sign, @options.merge(:to => %w{host1 host2})) }
-
-        it "should sign the specified waiting certificate requests" do
-          @options = {:allow_dns_alt_names => false}
-
-          @ca.expects(:sign).with("host1", false)
-          @ca.expects(:sign).with("host2", false)
-
-          applier.apply(@ca)
+        before do
+          @applier = @class.new(:sign, :to => %w{host1 host2})
         end
 
-        it "should sign the certificate requests with alt names if specified" do
-          @options = {:allow_dns_alt_names => true}
-
-          @ca.expects(:sign).with("host1", true)
-          @ca.expects(:sign).with("host2", true)
+        it "should sign the specified waiting certificate requests" do
+          @ca.expects(:sign).with("host1")
+          @ca.expects(:sign).with("host2")
 
-          applier.apply(@ca)
+          @applier.apply(@ca)
         end
       end
 
@@ -179,8 +165,8 @@ describe Puppet::SSL::CertificateAuthority::Interface do
         it "should sign all waiting certificate requests" do
           @ca.stubs(:waiting?).returns(%w{cert1 cert2})
 
-          @ca.expects(:sign).with("cert1", nil)
-          @ca.expects(:sign).with("cert2", nil)
+          @ca.expects(:sign).with("cert1")
+          @ca.expects(:sign).with("cert2")
 
           @applier = @class.new(:sign, :to => :all)
           @applier.apply(@ca)
@@ -196,89 +182,63 @@ describe Puppet::SSL::CertificateAuthority::Interface do
     end
 
     describe ":list" do
-      before :each do
-        certish = stub('certish', :subject_alt_names => [])
-        Puppet::SSL::Certificate.indirection.stubs(:find).returns certish
-        Puppet::SSL::CertificateRequest.indirection.stubs(:find).returns certish
-
-        @ca.expects(:waiting?).returns %w{host1 host2 host3}
-        @ca.expects(:list).returns %w{host4 host5 host6}
-        @ca.stubs(:fingerprint).returns "fingerprint"
-        @ca.stubs(:verify)
-      end
-
       describe "and an empty array was provided" do
-        it "should print all certificate requests" do
-          applier = @class.new(:list, :to => [])
+        it "should print a string containing all certificate requests" do
+          @ca.expects(:waiting?).returns %w{host1 host2}
+          @ca.stubs(:verify)
 
-          applier.expects(:puts).with(<<-OUTPUT.chomp)
-  "host1" (fingerprint)
-  "host2" (fingerprint)
-  "host3" (fingerprint)
-          OUTPUT
+          @applier = @class.new(:list, :to => [])
 
-          applier.apply(@ca)
+          @applier.expects(:puts).with "host1\nhost2"
+
+          @applier.apply(@ca)
         end
       end
 
       describe "and :all was provided" do
         it "should print a string containing all certificate requests and certificates" do
-          @ca.stubs(:verify).with("host4").raises(Puppet::SSL::CertificateAuthority::CertificateVerificationError.new(23), "certificate revoked")
+          @ca.expects(:waiting?).returns %w{host1 host2}
+          @ca.expects(:list).returns %w{host3 host4}
+          @ca.stubs(:verify)
+          @ca.stubs(:fingerprint).returns "fingerprint"
+          @ca.expects(:verify).with("host3").raises(Puppet::SSL::CertificateAuthority::CertificateVerificationError.new(23), "certificate revoked")
 
-          applier = @class.new(:list, :to => :all)
+          @applier = @class.new(:list, :to => :all)
 
-          applier.expects(:puts).with(<<-OUTPUT.chomp)
-  "host1" (fingerprint)
-  "host2" (fingerprint)
-  "host3" (fingerprint)
-+ "host5" (fingerprint)
-+ "host6" (fingerprint)
-- "host4" (fingerprint) (certificate revoked)
-          OUTPUT
+          @applier.expects(:puts).with "host1 (fingerprint)"
+          @applier.expects(:puts).with "host2 (fingerprint)"
+          @applier.expects(:puts).with "- host3 (fingerprint) (certificate revoked)"
+          @applier.expects(:puts).with "+ host4 (fingerprint)"
 
-          applier.apply(@ca)
+          @applier.apply(@ca)
         end
       end
 
       describe "and :signed was provided" do
         it "should print a string containing all signed certificate requests and certificates" do
-          applier = @class.new(:list, :to => :signed)
-
-          applier.expects(:puts).with(<<-OUTPUT.chomp)
-+ "host4" (fingerprint)
-+ "host5" (fingerprint)
-+ "host6" (fingerprint)
-          OUTPUT
-
-          applier.apply(@ca)
-        end
-
-        it "should include subject alt names if they are on the certificate request" do
-          request = stub 'request', :subject_alt_names => ["DNS:foo", "DNS:bar"]
-          Puppet::SSL::CertificateRequest.indirection.stubs(:find).returns(request)
-
-          applier = @class.new(:list, :to => ['host1'])
+          @ca.expects(:list).returns %w{host1 host2}
 
-          applier.expects(:puts).with(<<-OUTPUT.chomp)
-  "host1" (fingerprint) (alt names: "DNS:foo", "DNS:bar")
-          OUTPUT
+          @applier = @class.new(:list, :to => :signed)
 
-          applier.apply(@ca)
+          @applier.apply(@ca)
         end
       end
 
       describe "and an array of names was provided" do
-        it "should print all named hosts" do
-          applier = @class.new(:list, :to => %w{host1 host2 host4 host5})
+        it "should print a string of all named hosts that have a waiting request" do
+          @ca.expects(:waiting?).returns %w{host1 host2}
+          @ca.expects(:list).returns %w{host3 host4}
+          @ca.stubs(:fingerprint).returns "fingerprint"
+          @ca.stubs(:verify)
+
+          @applier = @class.new(:list, :to => %w{host1 host2 host3 host4})
 
-          applier.expects(:puts).with(<<-OUTPUT.chomp)
-  "host1" (fingerprint)
-  "host2" (fingerprint)
-+ "host4" (fingerprint)
-+ "host5" (fingerprint)
-            OUTPUT
+          @applier.expects(:puts).with "host1 (fingerprint)"
+          @applier.expects(:puts).with "host2 (fingerprint)"
+          @applier.expects(:puts).with "+ host3 (fingerprint)"
+          @applier.expects(:puts).with "+ host4 (fingerprint)"
 
-          applier.apply(@ca)
+          @applier.apply(@ca)
         end
       end
     end

data/spec/unit/ssl/certificate_authority_spec.rb

@@ -1,6 +1,5 @@
-#!/usr/bin/env ruby
-
-require File.dirname(__FILE__) + '/../../spec_helper'
+#!/usr/bin/env rspec
+require 'spec_helper'
 
 require 'puppet/ssl/certificate_authority'
 
@@ -138,18 +137,18 @@ describe Puppet::SSL::CertificateAuthority do
 
     it "should return any found CRL instance" do
       crl = mock 'crl'
-      Puppet::SSL::CertificateRevocationList.expects(:find).returns crl
+      Puppet::SSL::CertificateRevocationList.indirection.expects(:find).returns crl
       @ca.crl.should equal(crl)
     end
 
     it "should create, generate, and save a new CRL instance of no CRL can be found" do
-      crl = mock 'crl'
-      Puppet::SSL::CertificateRevocationList.expects(:find).returns nil
+      crl = Puppet::SSL::CertificateRevocationList.new("fakename")
+      Puppet::SSL::CertificateRevocationList.indirection.expects(:find).returns nil
 
       Puppet::SSL::CertificateRevocationList.expects(:new).returns crl
 
       crl.expects(:generate).with(@ca.host.certificate.content, @ca.host.key.content)
-      crl.expects(:save)
+      Puppet::SSL::CertificateRevocationList.indirection.expects(:save).with(crl)
 
       @ca.crl.should equal(crl)
     end
@@ -200,9 +199,8 @@ describe Puppet::SSL::CertificateAuthority do
       request = mock 'request'
       Puppet::SSL::CertificateRequest.expects(:new).with(@ca.host.name).returns request
       request.expects(:generate).with(@ca.host.key)
-      request.stubs(:request_extensions => [])
 
-      @ca.expects(:sign).with(@host.name, false, request)
+      @ca.expects(:sign).with(@host.name, :ca, request)
 
       @ca.stubs :generate_password
 
@@ -236,24 +234,25 @@ describe Puppet::SSL::CertificateAuthority do
 
       @name = "myhost"
       @real_cert = stub 'realcert', :sign => nil
-      @cert = stub 'certificate', :content => @real_cert
+      @cert = Puppet::SSL::Certificate.new(@name)
+      @cert.content = @real_cert
 
       Puppet::SSL::Certificate.stubs(:new).returns @cert
 
       @cert.stubs(:content=)
-      @cert.stubs(:save)
+      Puppet::SSL::Certificate.indirection.stubs(:save)
 
       # Stub out the factory
-      Puppet::SSL::CertificateFactory.stubs(:build).returns "my real cert"
+      @factory = stub 'factory', :result => "my real cert"
+      Puppet::SSL::CertificateFactory.stubs(:new).returns @factory
 
-      @request_content = stub "request content stub", :subject => OpenSSL::X509::Name.new([['CN', @name]])
-      @request = stub 'request', :name => @name, :request_extensions => [], :subject_alt_names => [], :content => @request_content
+      @request = stub 'request', :content => "myrequest", :name => @name
 
       # And the inventory
       @inventory = stub 'inventory', :add => nil
       @ca.stubs(:inventory).returns @inventory
 
-      Puppet::SSL::CertificateRequest.stubs(:destroy)
+      Puppet::SSL::CertificateRequest.indirection.stubs(:destroy)
     end
 
     describe "and calculating the next certificate serial number" do
@@ -296,49 +295,41 @@ describe Puppet::SSL::CertificateAuthority do
       end
 
       it "should not look up a certificate request for the host" do
-        Puppet::SSL::CertificateRequest.expects(:find).never
+        Puppet::SSL::CertificateRequest.indirection.expects(:find).never
 
-        @ca.sign(@name, true, @request)
+        @ca.sign(@name, :ca, @request)
       end
 
       it "should use a certificate type of :ca" do
-        Puppet::SSL::CertificateFactory.expects(:build).with do |*args|
-          args[0].should == :ca
-        end.returns "my real cert"
+        Puppet::SSL::CertificateFactory.expects(:new).with do |*args|
+          args[0] == :ca
+        end.returns @factory
         @ca.sign(@name, :ca, @request)
       end
 
       it "should pass the provided CSR as the CSR" do
-        Puppet::SSL::CertificateFactory.expects(:build).with do |*args|
-          args[1].should == @request
-        end.returns "my real cert"
+        Puppet::SSL::CertificateFactory.expects(:new).with do |*args|
+          args[1] == "myrequest"
+        end.returns @factory
         @ca.sign(@name, :ca, @request)
       end
 
       it "should use the provided CSR's content as the issuer" do
-        Puppet::SSL::CertificateFactory.expects(:build).with do |*args|
-          args[2].subject.to_s.should == "/CN=myhost"
-        end.returns "my real cert"
+        Puppet::SSL::CertificateFactory.expects(:new).with do |*args|
+          args[2] == "myrequest"
+        end.returns @factory
         @ca.sign(@name, :ca, @request)
       end
 
       it "should pass the next serial as the serial number" do
-        Puppet::SSL::CertificateFactory.expects(:build).with do |*args|
-          args[3].should == @serial
-        end.returns "my real cert"
+        Puppet::SSL::CertificateFactory.expects(:new).with do |*args|
+          args[3] == @serial
+        end.returns @factory
         @ca.sign(@name, :ca, @request)
       end
 
-      it "should sign the certificate request even if it contains alt names" do
-        @request.stubs(:subject_alt_names).returns %w[DNS:foo DNS:bar DNS:baz]
-
-        expect do
-          @ca.sign(@name, false, @request)
-        end.should_not raise_error(Puppet::SSL::CertificateAuthority::CertificateSigningError)
-      end
-
       it "should save the resulting certificate" do
-        @cert.expects(:save)
+        Puppet::SSL::Certificate.indirection.expects(:save).with(@cert)
 
         @ca.sign(@name, :ca, @request)
       end
@@ -349,69 +340,41 @@ describe Puppet::SSL::CertificateAuthority do
         @serial = 10
         @ca.stubs(:next_serial).returns @serial
 
-        Puppet::SSL::CertificateRequest.stubs(:find).with(@name).returns @request
-        @cert.stubs :save
+        Puppet::SSL::CertificateRequest.indirection.stubs(:find).with(@name).returns @request
+        Puppet::SSL::CertificateRequest.indirection.stubs :save
       end
 
       it "should use a certificate type of :server" do
-        Puppet::SSL::CertificateFactory.expects(:build).with do |*args|
+        Puppet::SSL::CertificateFactory.expects(:new).with do |*args|
           args[0] == :server
-        end.returns "my real cert"
+        end.returns @factory
 
         @ca.sign(@name)
       end
 
       it "should use look up a CSR for the host in the :ca_file terminus" do
-        Puppet::SSL::CertificateRequest.expects(:find).with(@name).returns @request
+        Puppet::SSL::CertificateRequest.indirection.expects(:find).with(@name).returns @request
 
         @ca.sign(@name)
       end
 
       it "should fail if no CSR can be found for the host" do
-        Puppet::SSL::CertificateRequest.expects(:find).with(@name).returns nil
+        Puppet::SSL::CertificateRequest.indirection.expects(:find).with(@name).returns nil
 
         lambda { @ca.sign(@name) }.should raise_error(ArgumentError)
       end
 
-      it "should fail if an unknown request extension is present" do
-        @request.stubs :request_extensions => [{ "oid"   => "bananas",
-                                                 "value" => "delicious" }]
-        expect { @ca.sign(@name) }.
-          should raise_error(/CSR has request extensions that are not permitted/)
-      end
-
-      it "should fail if the CSR contains alt names and they are not expected" do
-        @request.stubs(:subject_alt_names).returns %w[DNS:foo DNS:bar DNS:baz]
-
-        expect do
-          @ca.sign(@name, false)
-        end.to raise_error(Puppet::SSL::CertificateAuthority::CertificateSigningError, /CSR '#{@name}' contains subject alternative names \(.*?\), which are disallowed. Use `puppet cert --allow-dns-alt-names sign #{@name}` to sign this request./)
-      end
-
-      it "should not fail if the CSR does not contain alt names and they are expected" do
-        @request.stubs(:subject_alt_names).returns []
-        expect { @ca.sign(@name, true) }.should_not raise_error
-      end
-
-      it "should reject alt names by default" do
-        @request.stubs(:subject_alt_names).returns %w[DNS:foo DNS:bar DNS:baz]
-
-        expect do
-          @ca.sign(@name)
-        end.to raise_error(Puppet::SSL::CertificateAuthority::CertificateSigningError, /CSR '#{@name}' contains subject alternative names \(.*?\), which are disallowed. Use `puppet cert --allow-dns-alt-names sign #{@name}` to sign this request./)
-      end
-
       it "should use the CA certificate as the issuer" do
-        Puppet::SSL::CertificateFactory.expects(:build).with do |*args|
+        Puppet::SSL::CertificateFactory.expects(:new).with do |*args|
           args[2] == @cacert.content
-        end.returns "my real cert"
+        end.returns @factory
         @ca.sign(@name)
       end
 
       it "should pass the next serial as the serial number" do
-        Puppet::SSL::CertificateFactory.expects(:build).with do |*args|
+        Puppet::SSL::CertificateFactory.expects(:new).with do |*args|
           args[3] == @serial
-        end.returns "my real cert"
+        end.returns @factory
         @ca.sign(@name)
       end
 
@@ -427,162 +390,23 @@ describe Puppet::SSL::CertificateAuthority do
       end
 
       it "should save the resulting certificate" do
-        @cert.expects(:save)
+        Puppet::SSL::Certificate.indirection.stubs(:save).with(@cert)
         @ca.sign(@name)
       end
 
       it "should remove the host's certificate request" do
-        Puppet::SSL::CertificateRequest.expects(:destroy).with(@name)
+        Puppet::SSL::CertificateRequest.indirection.expects(:destroy).with(@name)
 
         @ca.sign(@name)
       end
-
-      it "should check the internal signing policies" do
-        @ca.expects(:check_internal_signing_policies).returns true
-        @ca.sign(@name)
-      end
-    end
-
-    context "#check_internal_signing_policies" do
-      before do
-        @serial = 10
-        @ca.stubs(:next_serial).returns @serial
-
-        Puppet::SSL::CertificateRequest.stubs(:find).with(@name).returns @request
-        @cert.stubs :save
-      end
-
-      it "should reject CSRs whose CN doesn't match the name for which we're signing them" do
-        # Shorten this so the test doesn't take too long
-        Puppet[:keylength] = 1024
-        key = Puppet::SSL::Key.new('the_certname')
-        key.generate
-
-        csr = Puppet::SSL::CertificateRequest.new('the_certname')
-        csr.generate(key)
-
-        expect do
-          @ca.check_internal_signing_policies('not_the_certname', csr, false)
-        end.to raise_error(
-          Puppet::SSL::CertificateAuthority::CertificateSigningError,
-          /common name "the_certname" does not match expected certname "not_the_certname"/
-        )
-      end
-
-      describe "when validating the CN" do
-        before :all do
-          Puppet[:keylength] = 1024
-          @signing_key = Puppet::SSL::Key.new('my_signing_key')
-          @signing_key.generate
-        end
-
-        [
-         'completely_okay',
-         'sure, why not? :)',
-         'so+many(things)-are=allowed.',
-         'this"is#just&madness%you[see]',
-         'and even a (an?) \\!',
-         'waltz, nymph, for quick jigs vex bud.',
-         '{552c04ca-bb1b-11e1-874b-60334b04494e}'
-        ].each do |name|
-          it "should accept #{name.inspect}" do
-            csr = Puppet::SSL::CertificateRequest.new(name)
-            csr.generate(@signing_key)
-
-            @ca.check_internal_signing_policies(name, csr, false)
-          end
-        end
-
-        [
-         'super/bad',
-         "not\neven\tkind\rof",
-         "ding\adong\a",
-         "hidden\b\b\b\b\b\bmessage",
-         "☃ :("
-        ].each do |name|
-          it "should reject #{name.inspect}" do
-            # We aren't even allowed to make objects with these names, so let's
-            # stub that to simulate an invalid one coming from outside Puppet
-            Puppet::SSL::CertificateRequest.stubs(:validate_certname)
-            csr = Puppet::SSL::CertificateRequest.new(name)
-            csr.generate(@signing_key)
-
-            expect do
-              @ca.check_internal_signing_policies(name, csr, false)
-            end.to raise_error(
-              Puppet::SSL::CertificateAuthority::CertificateSigningError,
-              /subject contains unprintable or non-ASCII characters/
-            )
-          end
-        end
-      end
-
-      it "should reject a critical extension that isn't on the whitelist" do
-        @request.stubs(:request_extensions).returns [{ "oid" => "banana",
-                                                       "value" => "yumm",
-                                                       "critical" => true }]
-        expect { @ca.check_internal_signing_policies(@name, @request, false) }.to raise_error(
-          Puppet::SSL::CertificateAuthority::CertificateSigningError,
-          /request extensions that are not permitted/
-        )
-      end
-
-      it "should reject a non-critical extension that isn't on the whitelist" do
-        @request.stubs(:request_extensions).returns [{ "oid" => "peach",
-                                                       "value" => "meh",
-                                                       "critical" => false }]
-        expect { @ca.check_internal_signing_policies(@name, @request, false) }.to raise_error(
-          Puppet::SSL::CertificateAuthority::CertificateSigningError,
-          /request extensions that are not permitted/
-        )
-      end
-
-      it "should reject non-whitelist extensions even if a valid extension is present" do
-        @request.stubs(:request_extensions).returns [{ "oid" => "peach",
-                                                       "value" => "meh",
-                                                       "critical" => false },
-                                                     { "oid" => "subjectAltName",
-                                                       "value" => "DNS:foo",
-                                                       "critical" => true }]
-        expect { @ca.check_internal_signing_policies(@name, @request, false) }.to raise_error(
-          Puppet::SSL::CertificateAuthority::CertificateSigningError,
-          /request extensions that are not permitted/
-        )
-      end
-
-      it "should reject a subjectAltName for a non-DNS value" do
-        @request.stubs(:subject_alt_names).returns ['DNS:foo', 'email:bar@example.com']
-        expect { @ca.check_internal_signing_policies(@name, @request, true) }.to raise_error(
-          Puppet::SSL::CertificateAuthority::CertificateSigningError,
-          /subjectAltName outside the DNS label space/
-        )
-      end
-
-      it "should reject a wildcard subject" do
-        @request.content.stubs(:subject).
-          returns(OpenSSL::X509::Name.new([["CN", "*.local"]]))
-
-        expect { @ca.check_internal_signing_policies('*.local', @request, false) }.to raise_error(
-          Puppet::SSL::CertificateAuthority::CertificateSigningError,
-          /subject contains a wildcard/
-        )
-      end
-
-      it "should reject a wildcard subjectAltName" do
-        @request.stubs(:subject_alt_names).returns ['DNS:foo', 'DNS:*.bar']
-        expect { @ca.check_internal_signing_policies(@name, @request, true) }.to raise_error(
-          Puppet::SSL::CertificateAuthority::CertificateSigningError,
-          /subjectAltName contains a wildcard/
-        )
-      end
     end
 
     it "should create a certificate instance with the content set to the newly signed x509 certificate" do
       @serial = 10
       @ca.stubs(:next_serial).returns @serial
 
-      Puppet::SSL::CertificateRequest.stubs(:find).with(@name).returns @request
-      @cert.stubs :save
+      Puppet::SSL::CertificateRequest.indirection.stubs(:find).with(@name).returns @request
+      Puppet::SSL::Certificate.indirection.stubs :save
       Puppet::SSL::Certificate.expects(:new).with(@name).returns @cert
 
       @ca.sign(@name)
@@ -590,8 +414,8 @@ describe Puppet::SSL::CertificateAuthority do
 
     it "should return the certificate instance" do
       @ca.stubs(:next_serial).returns @serial
-      Puppet::SSL::CertificateRequest.stubs(:find).with(@name).returns @request
-      @cert.stubs :save
+      Puppet::SSL::CertificateRequest.indirection.stubs(:find).with(@name).returns @request
+      Puppet::SSL::Certificate.indirection.stubs :save
       @ca.sign(@name).should equal(@cert)
     end
 
@@ -599,8 +423,8 @@ describe Puppet::SSL::CertificateAuthority do
       @ca.stubs(:next_serial).returns @serial
       @inventory.expects(:add).with(@cert)
 
-      Puppet::SSL::CertificateRequest.stubs(:find).with(@name).returns @request
-      @cert.stubs :save
+      Puppet::SSL::CertificateRequest.indirection.stubs(:find).with(@name).returns @request
+      Puppet::SSL::Certificate.indirection.stubs :save
       @ca.sign(@name)
     end
 
@@ -612,7 +436,7 @@ describe Puppet::SSL::CertificateAuthority do
       it "should do nothing if autosign is disabled" do
         Puppet.settings.expects(:value).with(:autosign).returns 'false'
 
-        Puppet::SSL::CertificateRequest.expects(:search).never
+        Puppet::SSL::CertificateRequest.indirection.expects(:search).never
         @ca.autosign
       end
 
@@ -620,7 +444,7 @@ describe Puppet::SSL::CertificateAuthority do
         Puppet.settings.expects(:value).with(:autosign).returns '/auto/sign'
         FileTest.expects(:exist?).with("/auto/sign").returns false
 
-        Puppet::SSL::CertificateRequest.expects(:search).never
+        Puppet::SSL::CertificateRequest.indirection.expects(:search).never
         @ca.autosign
       end
 
@@ -630,7 +454,7 @@ describe Puppet::SSL::CertificateAuthority do
           FileTest.stubs(:exist?).with("/auto/sign").returns true
           File.stubs(:readlines).with("/auto/sign").returns ["one\n", "two\n"]
 
-          Puppet::SSL::CertificateRequest.stubs(:search).returns []
+          Puppet::SSL::CertificateRequest.indirection.stubs(:search).returns []
 
           @store = stub 'store', :allow => nil
           Puppet::Network::AuthStore.stubs(:new).returns @store
@@ -671,13 +495,13 @@ describe Puppet::SSL::CertificateAuthority do
         it "should sign all CSRs whose hostname matches the autosign configuration" do
           csr1 = mock 'csr1'
           csr2 = mock 'csr2'
-          Puppet::SSL::CertificateRequest.stubs(:search).returns [csr1, csr2]
+          Puppet::SSL::CertificateRequest.indirection.stubs(:search).returns [csr1, csr2]
         end
 
         it "should not sign CSRs whose hostname does not match the autosign configuration" do
           csr1 = mock 'csr1'
           csr2 = mock 'csr2'
-          Puppet::SSL::CertificateRequest.stubs(:search).returns [csr1, csr2]
+          Puppet::SSL::CertificateRequest.indirection.stubs(:search).returns [csr1, csr2]
         end
       end
     end
@@ -724,7 +548,7 @@ describe Puppet::SSL::CertificateAuthority do
     it "should be able to list waiting certificate requests" do
       req1 = stub 'req1', :name => "one"
       req2 = stub 'req2', :name => "two"
-      Puppet::SSL::CertificateRequest.expects(:search).with("*").returns [req1, req2]
+      Puppet::SSL::CertificateRequest.indirection.expects(:search).with("*").returns [req1, req2]
 
       @ca.waiting?.should == %w{one two}
     end
@@ -742,19 +566,19 @@ describe Puppet::SSL::CertificateAuthority do
     it "should list certificates as the sorted list of all existing signed certificates" do
       cert1 = stub 'cert1', :name => "cert1"
       cert2 = stub 'cert2', :name => "cert2"
-      Puppet::SSL::Certificate.expects(:search).with("*").returns [cert1, cert2]
+      Puppet::SSL::Certificate.indirection.expects(:search).with("*").returns [cert1, cert2]
       @ca.list.should == %w{cert1 cert2}
     end
 
     describe "and printing certificates" do
       it "should return nil if the certificate cannot be found" do
-        Puppet::SSL::Certificate.expects(:find).with("myhost").returns nil
+        Puppet::SSL::Certificate.indirection.expects(:find).with("myhost").returns nil
         @ca.print("myhost").should be_nil
       end
 
       it "should print certificates by calling :to_text on the host's certificate" do
         cert1 = stub 'cert1', :name => "cert1", :to_text => "mytext"
-        Puppet::SSL::Certificate.expects(:find).with("myhost").returns cert1
+        Puppet::SSL::Certificate.indirection.expects(:find).with("myhost").returns cert1
         @ca.print("myhost").should == "mytext"
       end
     end
@@ -762,19 +586,19 @@ describe Puppet::SSL::CertificateAuthority do
     describe "and fingerprinting certificates" do
       before :each do
         @cert = stub 'cert', :name => "cert", :fingerprint => "DIGEST"
-        Puppet::SSL::Certificate.stubs(:find).with("myhost").returns @cert
-        Puppet::SSL::CertificateRequest.stubs(:find).with("myhost")
+        Puppet::SSL::Certificate.indirection.stubs(:find).with("myhost").returns @cert
+        Puppet::SSL::CertificateRequest.indirection.stubs(:find).with("myhost")
       end
 
       it "should raise an error if the certificate or CSR cannot be found" do
-        Puppet::SSL::Certificate.expects(:find).with("myhost").returns nil
-        Puppet::SSL::CertificateRequest.expects(:find).with("myhost").returns nil
+        Puppet::SSL::Certificate.indirection.expects(:find).with("myhost").returns nil
+        Puppet::SSL::CertificateRequest.indirection.expects(:find).with("myhost").returns nil
         lambda { @ca.fingerprint("myhost") }.should raise_error
       end
 
       it "should try to find a CSR if no certificate can be found" do
-        Puppet::SSL::Certificate.expects(:find).with("myhost").returns nil
-        Puppet::SSL::CertificateRequest.expects(:find).with("myhost").returns @cert
+        Puppet::SSL::Certificate.indirection.expects(:find).with("myhost").returns nil
+        Puppet::SSL::CertificateRequest.indirection.expects(:find).with("myhost").returns @cert
         @cert.expects(:fingerprint)
         @ca.fingerprint("myhost")
       end
@@ -799,7 +623,7 @@ describe Puppet::SSL::CertificateAuthority do
         Puppet.settings.stubs(:value).returns "crtstuff"
 
         @cert = stub 'cert', :content => "mycert"
-        Puppet::SSL::Certificate.stubs(:find).returns @cert
+        Puppet::SSL::Certificate.indirection.stubs(:find).returns @cert
 
         @crl = stub('crl', :content => "mycrl")
 
@@ -807,7 +631,7 @@ describe Puppet::SSL::CertificateAuthority do
       end
 
       it "should fail if the host's certificate cannot be found" do
-        Puppet::SSL::Certificate.expects(:find).with("me").returns(nil)
+        Puppet::SSL::Certificate.indirection.expects(:find).with("me").returns(nil)
 
         lambda { @ca.verify("me") }.should raise_error(ArgumentError)
       end
@@ -870,7 +694,7 @@ describe Puppet::SSL::CertificateAuthority do
 
         @real_cert = stub 'real_cert', :serial => 15
         @cert = stub 'cert', :content => @real_cert
-        Puppet::SSL::Certificate.stubs(:find).returns @cert
+        Puppet::SSL::Certificate.indirection.stubs(:find).returns @cert
 
       end
 
@@ -890,7 +714,7 @@ describe Puppet::SSL::CertificateAuthority do
       it "should get the serial number from the local certificate if it exists" do
         @ca.crl.expects(:revoke).with { |serial, key| serial == 15 }
 
-        Puppet::SSL::Certificate.expects(:find).with("host").returns @cert
+        Puppet::SSL::Certificate.indirection.expects(:find).with("host").returns @cert
 
         @ca.revoke('host')
       end
@@ -898,7 +722,7 @@ describe Puppet::SSL::CertificateAuthority do
       it "should get the serial number from inventory if no local certificate exists" do
         real_cert = stub 'real_cert', :serial => 15
         cert = stub 'cert', :content => real_cert
-        Puppet::SSL::Certificate.expects(:find).with("host").returns nil
+        Puppet::SSL::Certificate.indirection.expects(:find).with("host").returns nil
 
         @ca.inventory.expects(:serial).with("host").returns 16
 
@@ -915,13 +739,13 @@ describe Puppet::SSL::CertificateAuthority do
       before do
         @host = stub 'host', :generate_certificate_request => nil
         Puppet::SSL::Host.stubs(:new).returns @host
-        Puppet::SSL::Certificate.stubs(:find).returns nil
+        Puppet::SSL::Certificate.indirection.stubs(:find).returns nil
 
         @ca.stubs(:sign)
       end
 
       it "should fail if a certificate already exists for the host" do
-        Puppet::SSL::Certificate.expects(:find).with("him").returns "something"
+        Puppet::SSL::Certificate.indirection.expects(:find).with("him").returns "something"
 
         lambda { @ca.generate("him") }.should raise_error(ArgumentError)
       end
@@ -939,7 +763,8 @@ describe Puppet::SSL::CertificateAuthority do
       end
 
       it "should sign the generated request" do
-        @ca.expects(:sign).with("him", false)
+        @ca.expects(:sign).with("him")
+
         @ca.generate("him")
       end
     end