puppet 2.6.18 → 2.7.1

data/spec/unit/ssl/certificate_factory_spec.rb

@@ -1,127 +1,106 @@
-#!/usr/bin/env ruby
-
-require File.dirname(__FILE__) + '/../../spec_helper'
+#!/usr/bin/env rspec
+require 'spec_helper'
 
 require 'puppet/ssl/certificate_factory'
 
 describe Puppet::SSL::CertificateFactory do
-  let :serial    do OpenSSL::BN.new('12') end
-  let :name      do "example.local" end
-  let :x509_name do OpenSSL::X509::Name.new([['CN', name]]) end
-  let :key       do Puppet::SSL::Key.new(name).generate end
-  let :csr       do
-    csr = Puppet::SSL::CertificateRequest.new(name)
-    csr.generate(key)
-    csr
-  end
-  let :issuer do
-    cert = OpenSSL::X509::Certificate.new
-    cert.subject = OpenSSL::X509::Name.new([["CN", 'issuer.local']])
-    cert
+  before do
+    @cert_type = mock 'cert_type'
+    @name = mock 'name'
+    @csr = stub 'csr', :subject => @name
+    @issuer = mock 'issuer'
+    @serial = mock 'serial'
+
+    @factory = Puppet::SSL::CertificateFactory.new(@cert_type, @csr, @issuer, @serial)
   end
 
-  describe "when generating the certificate" do
-    it "should return a new X509 certificate" do
-      subject.build(:server, csr, issuer, serial).should_not ==
-        subject.build(:server, csr, issuer, serial)
+  describe "when initializing" do
+    it "should set its :cert_type to its first argument" do
+      @factory.cert_type.should equal(@cert_type)
     end
 
-    it "should set the certificate's version to 2" do
-      subject.build(:server, csr, issuer, serial).version.should == 2
+    it "should set its :csr to its second argument" do
+      @factory.csr.should equal(@csr)
     end
 
-    it "should set the certificate's subject to the CSR's subject" do
-      cert = subject.build(:server, csr, issuer, serial)
-      cert.subject.should eql x509_name
+    it "should set its :issuer to its third argument" do
+      @factory.issuer.should equal(@issuer)
     end
 
-    it "should set the certificate's issuer to the Issuer's subject" do
-      cert = subject.build(:server, csr, issuer, serial)
-      cert.issuer.should eql issuer.subject
+    it "should set its :serial to its fourth argument" do
+      @factory.serial.should equal(@serial)
     end
 
-    it "should set the certificate's public key to the CSR's public key" do
-      cert = subject.build(:server, csr, issuer, serial)
-      cert.public_key.should be_public
-      cert.public_key.to_s.should == csr.content.public_key.to_s
+    it "should set its name to the subject of the csr" do
+      @factory.name.should equal(@name)
     end
+  end
 
-    it "should set the certificate's serial number to the provided serial number" do
-      cert = subject.build(:server, csr, issuer, serial)
-      cert.serial.should == serial
-    end
+  describe "when generating the certificate" do
+    before do
+      @cert = mock 'cert'
 
-    it "should have 24 hours grace on the start of the cert" do
-      cert = subject.build(:server, csr, issuer, serial)
-      cert.not_before.should be_within(1).of(Time.now - 24*60*60)
-    end
+      @cert.stub_everything
 
-    it "should set the default TTL of the certificate" do
-      ttl  = Puppet::SSL::CertificateFactory.ttl
-      cert = subject.build(:server, csr, issuer, serial)
-      cert.not_after.should be_within(1).of(Time.now + ttl)
-    end
+      @factory.stubs :build_extensions
 
-    it "should respect a custom TTL for the CA" do
-      Puppet[:ca_ttl] = 12
-      cert = subject.build(:server, csr, issuer, serial)
-      cert.not_after.should be_within(1).of(Time.now + 12)
-    end
+      @factory.stubs :set_ttl
 
-    it "should build extensions for the certificate" do
-      cert = subject.build(:server, csr, issuer, serial)
-      cert.extensions.map {|x| x.to_h }.find {|x| x["oid"] == "nsComment" }.should ==
-        { "oid"      => "nsComment",
-          "value"    => "Puppet Ruby/OpenSSL Internal Certificate",
-          "critical" => false }
+      @issuer_name = mock 'issuer_name'
+      @issuer.stubs(:subject).returns @issuer_name
+
+      @public_key = mock 'public_key'
+      @csr.stubs(:public_key).returns @public_key
+
+      OpenSSL::X509::Certificate.stubs(:new).returns @cert
     end
 
-    # See #2848 for why we are doing this: we need to make sure that
-    # subjectAltName is set if the CSR has it, but *not* if it is set when the
-    # certificate is built!
-    it "should not add subjectAltNames from dns_alt_names" do
-      Puppet[:dns_alt_names] = 'one, two'
-      # Verify the CSR still has no extReq, just in case...
-      csr.request_extensions.should == []
-      cert = subject.build(:server, csr, issuer, serial)
+    it "should return a new X509 certificate" do
+      OpenSSL::X509::Certificate.expects(:new).returns @cert
+      @factory.result.should equal(@cert)
+    end
 
-      cert.extensions.find {|x| x.oid == 'subjectAltName' }.should be_nil
+    it "should set the certificate's version to 2" do
+      @cert.expects(:version=).with 2
+      @factory.result
     end
 
-    it "should add subjectAltName when the CSR requests them" do
-      Puppet[:dns_alt_names] = ''
+    it "should set the certificate's subject to the CSR's subject" do
+      @cert.expects(:subject=).with @name
+      @factory.result
+    end
 
-      expect = %w{one two} + [name]
+    it "should set the certificate's issuer to the Issuer's subject" do
+      @cert.expects(:issuer=).with @issuer_name
+      @factory.result
+    end
 
-      csr = Puppet::SSL::CertificateRequest.new(name)
-      csr.generate(key, :dns_alt_names => expect.join(', '))
+    it "should set the certificate's public key to the CSR's public key" do
+      @cert.expects(:public_key=).with @public_key
+      @factory.result
+    end
 
-      csr.request_extensions.should_not be_nil
-      csr.subject_alt_names.should =~ expect.map{|x| "DNS:#{x}"}
+    it "should set the certificate's serial number to the provided serial number" do
+      @cert.expects(:serial=).with @serial
+      @factory.result
+    end
 
-      cert = subject.build(:server, csr, issuer, serial)
-      san = cert.extensions.find {|x| x.oid == 'subjectAltName' }
-      san.should_not be_nil
-      expect.each do |name|
-        san.value.should =~ /DNS:#{name}\b/i
-      end
+    it "should build extensions for the certificate" do
+      @factory.expects(:build_extensions)
+      @factory.result
     end
 
-    # Can't check the CA here, since that requires way more infrastructure
-    # that I want to build up at this time.  We can verify the critical
-    # values, though, which are non-CA certs. --daniel 2011-10-11
-    { :ca            => 'CA:TRUE',
-      :terminalsubca => ['CA:TRUE', 'pathlen:0'],
-      :server        => 'CA:FALSE',
-      :ocsp          => 'CA:FALSE',
-      :client        => 'CA:FALSE',
-    }.each do |name, value|
-      it "should set basicConstraints for #{name} #{value.inspect}" do
-        cert = subject.build(name, csr, issuer, serial)
-        bc = cert.extensions.find {|x| x.oid == 'basicConstraints' }
-        bc.should be
-        bc.value.split(/\s*,\s*/).should =~ Array(value)
-      end
+    it "should set the ttl of the certificate" do
+      @factory.expects(:set_ttl)
+      @factory.result
     end
   end
+
+  describe "when building extensions" do
+    it "should have tests"
+  end
+
+  describe "when setting the ttl" do
+    it "should have tests"
+  end
 end

data/spec/unit/ssl/certificate_request_spec.rb

@@ -1,6 +1,5 @@
-#!/usr/bin/env ruby
-
-require File.dirname(__FILE__) + '/../../spec_helper'
+#!/usr/bin/env rspec
+require 'spec_helper'
 
 require 'puppet/ssl/certificate_request'
 require 'puppet/ssl/key'
@@ -126,7 +125,7 @@ describe Puppet::SSL::CertificateRequest do
 
     it "should set the CN to the :ca_name setting when the CSR is for a CA" do
       subject = mock 'subject'
-      Puppet[:ca_name] = "mycertname"
+      Puppet.settings.expects(:value).with(:ca_name).returns "mycertname"
       OpenSSL::X509::Name.expects(:new).with { |subject| subject[0][1] == "mycertname" }.returns(subject)
       @request.expects(:subject=).with(subject)
       Puppet::SSL::CertificateRequest.new(Puppet::SSL::CA_NAME).generate(@key)
@@ -145,67 +144,6 @@ describe Puppet::SSL::CertificateRequest do
       @instance.generate(@key)
     end
 
-    context "without subjectAltName / dns_alt_names" do
-      before :each do
-        Puppet[:dns_alt_names] = ""
-      end
-
-      ["extreq", "msExtReq"].each do |name|
-        it "should not add any #{name} attribute" do
-          @request.expects(:add_attribute).never
-          @request.expects(:attributes=).never
-          @instance.generate(@key)
-        end
-
-        it "should return no subjectAltNames" do
-          @instance.generate(@key)
-          @instance.subject_alt_names.should be_empty
-        end
-      end
-    end
-
-    context "with dns_alt_names" do
-      before :each do
-        Puppet[:dns_alt_names] = "one, two, three"
-      end
-
-      ["extreq", "msExtReq"].each do |name|
-        it "should not add any #{name} attribute" do
-          @request.expects(:add_attribute).never
-          @request.expects(:attributes=).never
-          @instance.generate(@key)
-        end
-
-        it "should return no subjectAltNames" do
-          @instance.generate(@key)
-          @instance.subject_alt_names.should be_empty
-        end
-      end
-    end
-
-    context "with subjectAltName to generate request" do
-      before :each do
-        Puppet[:dns_alt_names] = ""
-      end
-
-      it "should add an extreq attribute" do
-        @request.expects(:add_attribute).with do |arg|
-          arg.value.value.all? do |x|
-            x.value.all? do |y|
-              y.value[0].value == "subjectAltName"
-            end
-          end
-        end
-
-        @instance.generate(@key, :dns_alt_names => 'one, two')
-      end
-
-      it "should return the subjectAltName values" do
-        @instance.generate(@key, :dns_alt_names => 'one,two')
-        @instance.subject_alt_names.should =~ ["DNS:myname", "DNS:one", "DNS:two"]
-      end
-    end
-
     it "should sign the csr with the provided key and a digest" do
       digest = mock 'digest'
       OpenSSL::Digest::MD5.expects(:new).returns(digest)
@@ -248,22 +186,17 @@ describe Puppet::SSL::CertificateRequest do
   end
 
   describe "when a CSR is saved" do
-    it "should allow arguments" do
-      csr = Puppet::SSL::CertificateRequest.new("me")
-      csr.class.indirection.stubs(:save)
-
-      lambda { csr.save :ipaddress => "foo" }.should_not raise_error
-    end
-
     describe "and a CA is available" do
       it "should save the CSR and trigger autosigning" do
         ca = mock 'ca', :autosign
         Puppet::SSL::CertificateAuthority.expects(:instance).returns ca
 
         csr = Puppet::SSL::CertificateRequest.new("me")
-        Puppet::SSL::CertificateRequest.indirection.expects(:save).with(nil, csr)
+        terminus = mock 'terminus'
+        Puppet::SSL::CertificateRequest.indirection.expects(:prepare).returns(terminus)
+        terminus.expects(:save).with { |request| request.instance == csr && request.key == "me" }
 
-        csr.save
+        Puppet::SSL::CertificateRequest.indirection.save(csr)
       end
     end
 
@@ -272,9 +205,11 @@ describe Puppet::SSL::CertificateRequest do
         Puppet::SSL::CertificateAuthority.expects(:instance).returns nil
 
         csr = Puppet::SSL::CertificateRequest.new("me")
-        Puppet::SSL::CertificateRequest.indirection.expects(:save).with(nil, csr)
+        terminus = mock 'terminus'
+        Puppet::SSL::CertificateRequest.indirection.expects(:prepare).returns(terminus)
+        terminus.expects(:save).with { |request| request.instance == csr && request.key == "me" }
 
-        csr.save
+        Puppet::SSL::CertificateRequest.indirection.save(csr)
       end
     end
   end

data/spec/unit/ssl/certificate_revocation_list_spec.rb

@@ -1,6 +1,5 @@
-#!/usr/bin/env ruby
-
-require File.dirname(__FILE__) + '/../../spec_helper'
+#!/usr/bin/env rspec
+require 'spec_helper'
 
 require 'puppet/ssl/certificate_revocation_list'
 
@@ -119,7 +118,7 @@ describe Puppet::SSL::CertificateRevocationList do
       @crl.generate(@cert, @key)
       @crl.content.stubs(:sign)
 
-      @crl.stubs :save
+      Puppet::SSL::CertificateRevocationList.indirection.stubs :save
 
       @key = mock 'key'
     end
@@ -161,7 +160,7 @@ describe Puppet::SSL::CertificateRevocationList do
     end
 
     it "should save the CRL" do
-      @crl.expects :save
+      Puppet::SSL::CertificateRevocationList.indirection.expects(:save).with(@crl, nil)
       @crl.revoke(1, @key)
     end
   end

data/spec/unit/ssl/certificate_spec.rb

@@ -1,6 +1,5 @@
-#!/usr/bin/env ruby
-
-require File.dirname(__FILE__) + '/../../spec_helper'
+#!/usr/bin/env rspec
+require 'spec_helper'
 
 require 'puppet/ssl/certificate'
 
@@ -90,37 +89,6 @@ describe Puppet::SSL::Certificate do
       @certificate.should respond_to(:content)
     end
 
-    describe "#subject_alt_names" do
-      it "should list all alternate names when the extension is present" do
-        key = Puppet::SSL::Key.new('quux')
-        key.generate
-
-        csr = Puppet::SSL::CertificateRequest.new('quux')
-        csr.generate(key, :dns_alt_names => 'foo, bar,baz')
-
-        raw_csr = csr.content
-
-        cert = Puppet::SSL::CertificateFactory.build('server', csr, raw_csr, 14)
-        certificate = @class.from_s(cert.to_pem)
-        certificate.subject_alt_names.
-          should =~ ['DNS:foo', 'DNS:bar', 'DNS:baz', 'DNS:quux']
-      end
-
-      it "should return an empty list of names if the extension is absent" do
-        key = Puppet::SSL::Key.new('quux')
-        key.generate
-
-        csr = Puppet::SSL::CertificateRequest.new('quux')
-        csr.generate(key)
-
-        raw_csr = csr.content
-
-        cert = Puppet::SSL::CertificateFactory.build('client', csr, raw_csr, 14)
-        certificate = @class.from_s(cert.to_pem)
-        certificate.subject_alt_names.should be_empty
-      end
-    end
-
     it "should return a nil expiration if there is no actual certificate" do
       @certificate.stubs(:content).returns nil
 

data/spec/unit/ssl/host_spec.rb

@@ -1,20 +1,20 @@
-#!/usr/bin/env ruby
-
-require File.dirname(__FILE__) + '/../../spec_helper'
+#!/usr/bin/env rspec
+require 'spec_helper'
 
 require 'puppet/ssl/host'
+require 'puppet/sslcertificates'
+require 'puppet/sslcertificates/ca'
 
 describe Puppet::SSL::Host do
-  include PuppetSpec::Files
-
   before do
-    @class = Puppet::SSL::Host
-    @host = @class.new("myname")
+    Puppet::SSL::Host.indirection.terminus_class = :file
+    @host = Puppet::SSL::Host.new("myname")
   end
 
   after do
     # Cleaned out any cached localhost instance.
     Puppet::Util::Cacher.expire
+    Puppet::SSL::Host.ca_location = :none
   end
 
   it "should use any provided name as its name" do
@@ -24,7 +24,7 @@ describe Puppet::SSL::Host do
   it "should retrieve its public key from its private key" do
     realkey = mock 'realkey'
     key = stub 'key', :content => realkey
-    Puppet::SSL::Key.stubs(:find).returns(key)
+    Puppet::SSL::Key.indirection.stubs(:find).returns(key)
     pubkey = mock 'public_key'
     realkey.expects(:public_key).returns pubkey
 
@@ -66,95 +66,6 @@ describe Puppet::SSL::Host do
     Puppet::SSL::Host.localhost.should equal(host)
   end
 
-  it "should create a localhost cert if no cert is available and it is a CA with autosign and it is using DNS alt names" do
-    Puppet[:autosign] = true
-    Puppet[:confdir] = tmpdir('conf')
-    Puppet[:dns_alt_names] = "foo,bar,baz"
-    ca = Puppet::SSL::CertificateAuthority.new
-    Puppet::SSL::CertificateAuthority.stubs(:instance).returns ca
-
-    localhost = Puppet::SSL::Host.localhost
-    cert = localhost.certificate
-
-    cert.should be_a(Puppet::SSL::Certificate)
-    cert.subject_alt_names.should =~ %W[DNS:#{Puppet[:certname]} DNS:foo DNS:bar DNS:baz]
-  end
-
-  context "with dns_alt_names" do
-    before :each do
-      @key = stub('key content')
-      key = stub('key', :generate => true, :save => true, :content => @key)
-      Puppet::SSL::Key.stubs(:new).returns key
-
-      @cr = stub('certificate request', :save => true)
-      Puppet::SSL::CertificateRequest.stubs(:new).returns @cr
-    end
-
-    describe "explicitly specified" do
-      before :each do
-        Puppet[:dns_alt_names] = 'one, two'
-      end
-
-      it "should not include subjectAltName if not the local node" do
-        @cr.expects(:generate).with(@key, {})
-
-        Puppet::SSL::Host.new('not-the-' + Puppet[:certname]).generate
-      end
-
-      it "should include subjectAltName if I am a CA" do
-        @cr.expects(:generate).
-          with(@key, { :dns_alt_names => Puppet[:dns_alt_names] })
-
-        Puppet::SSL::Host.localhost
-      end
-    end
-
-    describe "implicitly defaulted" do
-      let(:ca) { stub('ca', :sign => nil) }
-
-      before :each do
-        Puppet[:dns_alt_names] = ''
-
-        Puppet::SSL::CertificateAuthority.stubs(:instance).returns ca
-      end
-
-      it "should not include defaults if we're not the CA" do
-        Puppet::SSL::CertificateAuthority.stubs(:ca?).returns false
-
-        @cr.expects(:generate).with(@key, {})
-
-        Puppet::SSL::Host.localhost
-      end
-
-      it "should not include defaults if not the local node" do
-        Puppet::SSL::CertificateAuthority.stubs(:ca?).returns true
-
-        @cr.expects(:generate).with(@key, {})
-
-        Puppet::SSL::Host.new('not-the-' + Puppet[:certname]).generate
-      end
-
-      it "should not include defaults if we can't resolve our fqdn" do
-        Puppet::SSL::CertificateAuthority.stubs(:ca?).returns true
-        Facter.stubs(:value).with(:fqdn).returns nil
-
-        @cr.expects(:generate).with(@key, {})
-
-        Puppet::SSL::Host.localhost
-      end
-
-      it "should provide defaults if we're bootstrapping the local master" do
-        Puppet::SSL::CertificateAuthority.stubs(:ca?).returns true
-        Facter.stubs(:value).with(:fqdn).returns 'web.foo.com'
-        Facter.stubs(:value).with(:domain).returns 'foo.com'
-
-        @cr.expects(:generate).with(@key, {:dns_alt_names => "puppet, web.foo.com, puppet.foo.com"})
-
-        Puppet::SSL::Host.localhost
-      end
-    end
-  end
-
   it "should always read the key for the localhost instance in from disk" do
     host = stub 'host', :certificate => "eh"
     Puppet::SSL::Host.expects(:new).returns host
@@ -231,13 +142,6 @@ describe Puppet::SSL::Host do
   end
 
   describe "when specifying the CA location" do
-    before do
-      [Puppet::SSL::Key, Puppet::SSL::Certificate, Puppet::SSL::CertificateRequest, Puppet::SSL::CertificateRevocationList].each do |klass|
-        klass.stubs(:terminus_class=)
-        klass.stubs(:cache_class=)
-      end
-    end
-
     it "should support the location ':local'" do
       lambda { Puppet::SSL::Host.ca_location = :local }.should_not raise_error
     end
@@ -259,80 +163,88 @@ describe Puppet::SSL::Host do
     end
 
     describe "as 'local'" do
-      it "should set the cache class for Certificate, CertificateRevocationList, and CertificateRequest as :file" do
-        Puppet::SSL::Certificate.expects(:cache_class=).with :file
-        Puppet::SSL::CertificateRequest.expects(:cache_class=).with :file
-        Puppet::SSL::CertificateRevocationList.expects(:cache_class=).with :file
-
+      before do
         Puppet::SSL::Host.ca_location = :local
       end
 
-      it "should set the terminus class for Key as :file" do
-        Puppet::SSL::Key.expects(:terminus_class=).with :file
+      it "should set the cache class for Certificate, CertificateRevocationList, and CertificateRequest as :file" do
+        Puppet::SSL::Certificate.indirection.cache_class.should == :file
+        Puppet::SSL::CertificateRequest.indirection.cache_class.should == :file
+        Puppet::SSL::CertificateRevocationList.indirection.cache_class.should == :file
+      end
 
-        Puppet::SSL::Host.ca_location = :local
+      it "should set the terminus class for Key and Host as :file" do
+        Puppet::SSL::Key.indirection.terminus_class.should == :file
+        Puppet::SSL::Host.indirection.terminus_class.should == :file
       end
 
       it "should set the terminus class for Certificate, CertificateRevocationList, and CertificateRequest as :ca" do
-        Puppet::SSL::Certificate.expects(:terminus_class=).with :ca
-        Puppet::SSL::CertificateRequest.expects(:terminus_class=).with :ca
-        Puppet::SSL::CertificateRevocationList.expects(:terminus_class=).with :ca
-
-        Puppet::SSL::Host.ca_location = :local
+        Puppet::SSL::Certificate.indirection.terminus_class.should == :ca
+        Puppet::SSL::CertificateRequest.indirection.terminus_class.should == :ca
+        Puppet::SSL::CertificateRevocationList.indirection.terminus_class.should == :ca
       end
     end
 
     describe "as 'remote'" do
-      it "should set the cache class for Certificate, CertificateRevocationList, and CertificateRequest as :file" do
-        Puppet::SSL::Certificate.expects(:cache_class=).with :file
-        Puppet::SSL::CertificateRequest.expects(:cache_class=).with :file
-        Puppet::SSL::CertificateRevocationList.expects(:cache_class=).with :file
-
+      before do
         Puppet::SSL::Host.ca_location = :remote
       end
 
-      it "should set the terminus class for Key as :file" do
-        Puppet::SSL::Key.expects(:terminus_class=).with :file
-
-        Puppet::SSL::Host.ca_location = :remote
+      it "should set the cache class for Certificate, CertificateRevocationList, and CertificateRequest as :file" do
+        Puppet::SSL::Certificate.indirection.cache_class.should == :file
+        Puppet::SSL::CertificateRequest.indirection.cache_class.should == :file
+        Puppet::SSL::CertificateRevocationList.indirection.cache_class.should == :file
       end
 
-      it "should set the terminus class for Certificate, CertificateRevocationList, and CertificateRequest as :rest" do
-        Puppet::SSL::Certificate.expects(:terminus_class=).with :rest
-        Puppet::SSL::CertificateRequest.expects(:terminus_class=).with :rest
-        Puppet::SSL::CertificateRevocationList.expects(:terminus_class=).with :rest
+      it "should set the terminus class for Key as :file" do
+        Puppet::SSL::Key.indirection.terminus_class.should == :file
+      end
 
-        Puppet::SSL::Host.ca_location = :remote
+      it "should set the terminus class for Host, Certificate, CertificateRevocationList, and CertificateRequest as :rest" do
+        Puppet::SSL::Host.indirection.terminus_class.should == :rest
+        Puppet::SSL::Certificate.indirection.terminus_class.should == :rest
+        Puppet::SSL::CertificateRequest.indirection.terminus_class.should == :rest
+        Puppet::SSL::CertificateRevocationList.indirection.terminus_class.should == :rest
       end
     end
 
     describe "as 'only'" do
-      it "should set the terminus class for Key, Certificate, CertificateRevocationList, and CertificateRequest as :ca" do
-        Puppet::SSL::Key.expects(:terminus_class=).with :ca
-        Puppet::SSL::Certificate.expects(:terminus_class=).with :ca
-        Puppet::SSL::CertificateRequest.expects(:terminus_class=).with :ca
-        Puppet::SSL::CertificateRevocationList.expects(:terminus_class=).with :ca
-
+      before do
         Puppet::SSL::Host.ca_location = :only
       end
 
-      it "should reset the cache class for Certificate, CertificateRevocationList, and CertificateRequest to nil" do
-        Puppet::SSL::Certificate.expects(:cache_class=).with nil
-        Puppet::SSL::CertificateRequest.expects(:cache_class=).with nil
-        Puppet::SSL::CertificateRevocationList.expects(:cache_class=).with nil
+      it "should set the terminus class for Key, Certificate, CertificateRevocationList, and CertificateRequest as :ca" do
+        Puppet::SSL::Key.indirection.terminus_class.should == :ca
+        Puppet::SSL::Certificate.indirection.terminus_class.should == :ca
+        Puppet::SSL::CertificateRequest.indirection.terminus_class.should == :ca
+        Puppet::SSL::CertificateRevocationList.indirection.terminus_class.should == :ca
+      end
 
-        Puppet::SSL::Host.ca_location = :only
+      it "should set the cache class for Certificate, CertificateRevocationList, and CertificateRequest to nil" do
+        Puppet::SSL::Certificate.indirection.cache_class.should be_nil
+        Puppet::SSL::CertificateRequest.indirection.cache_class.should be_nil
+        Puppet::SSL::CertificateRevocationList.indirection.cache_class.should be_nil
+      end
+
+      it "should set the terminus class for Host to :file" do
+        Puppet::SSL::Host.indirection.terminus_class.should == :file
       end
     end
 
     describe "as 'none'" do
+      before do
+        Puppet::SSL::Host.ca_location = :none
+      end
+
       it "should set the terminus class for Key, Certificate, CertificateRevocationList, and CertificateRequest as :file" do
-        Puppet::SSL::Key.expects(:terminus_class=).with :file
-        Puppet::SSL::Certificate.expects(:terminus_class=).with :file
-        Puppet::SSL::CertificateRequest.expects(:terminus_class=).with :file
-        Puppet::SSL::CertificateRevocationList.expects(:terminus_class=).with :file
+        Puppet::SSL::Key.indirection.terminus_class.should == :file
+        Puppet::SSL::Certificate.indirection.terminus_class.should == :file
+        Puppet::SSL::CertificateRequest.indirection.terminus_class.should == :file
+        Puppet::SSL::CertificateRevocationList.indirection.terminus_class.should == :file
+      end
 
-        Puppet::SSL::Host.ca_location = :none
+      it "should set the terminus class for Host to 'none'" do
+        lambda { Puppet::SSL::Host.indirection.terminus_class }.should raise_error(Puppet::DevError)
       end
     end
   end
@@ -343,27 +255,27 @@ describe Puppet::SSL::Host do
 
   describe "when destroying a host's SSL files" do
     before do
-      Puppet::SSL::Key.stubs(:destroy).returns false
-      Puppet::SSL::Certificate.stubs(:destroy).returns false
-      Puppet::SSL::CertificateRequest.stubs(:destroy).returns false
+      Puppet::SSL::Key.indirection.stubs(:destroy).returns false
+      Puppet::SSL::Certificate.indirection.stubs(:destroy).returns false
+      Puppet::SSL::CertificateRequest.indirection.stubs(:destroy).returns false
     end
 
     it "should destroy its certificate, certificate request, and key" do
-      Puppet::SSL::Key.expects(:destroy).with("myhost")
-      Puppet::SSL::Certificate.expects(:destroy).with("myhost")
-      Puppet::SSL::CertificateRequest.expects(:destroy).with("myhost")
+      Puppet::SSL::Key.indirection.expects(:destroy).with("myhost")
+      Puppet::SSL::Certificate.indirection.expects(:destroy).with("myhost")
+      Puppet::SSL::CertificateRequest.indirection.expects(:destroy).with("myhost")
 
       Puppet::SSL::Host.destroy("myhost")
     end
 
     it "should return true if any of the classes returned true" do
-      Puppet::SSL::Certificate.expects(:destroy).with("myhost").returns true
+      Puppet::SSL::Certificate.indirection.expects(:destroy).with("myhost").returns true
 
       Puppet::SSL::Host.destroy("myhost").should be_true
     end
 
-    it "should return false if none of the classes returned true" do
-      Puppet::SSL::Host.destroy("myhost").should be_false
+    it "should report that nothing was deleted if none of the classes returned true" do
+      Puppet::SSL::Host.destroy("myhost").should == "Nothing was deleted"
     end
   end
 
@@ -392,16 +304,17 @@ describe Puppet::SSL::Host do
   describe "when managing its private key" do
     before do
       @realkey = "mykey"
-      @key = stub 'key', :content => @realkey
+      @key = Puppet::SSL::Key.new("mykey")
+      @key.content = @realkey
     end
 
     it "should return nil if the key is not set and cannot be found" do
-      Puppet::SSL::Key.expects(:find).with("myname").returns(nil)
+      Puppet::SSL::Key.indirection.expects(:find).with("myname").returns(nil)
       @host.key.should be_nil
     end
 
     it "should find the key in the Key class and return the Puppet instance" do
-      Puppet::SSL::Key.expects(:find).with("myname").returns(@key)
+      Puppet::SSL::Key.indirection.expects(:find).with("myname").returns(@key)
       @host.key.should equal(@key)
     end
 
@@ -409,7 +322,7 @@ describe Puppet::SSL::Host do
       Puppet::SSL::Key.expects(:new).with("myname").returns(@key)
 
       @key.expects(:generate)
-      @key.expects(:save)
+      Puppet::SSL::Key.indirection.expects(:save)
 
       @host.generate_key.should be_true
       @host.key.should equal(@key)
@@ -419,14 +332,14 @@ describe Puppet::SSL::Host do
       Puppet::SSL::Key.expects(:new).with("myname").returns(@key)
 
       @key.stubs(:generate)
-      @key.expects(:save).raises "eh"
+      Puppet::SSL::Key.indirection.expects(:save).raises "eh"
 
       lambda { @host.generate_key }.should raise_error
       @host.key.should be_nil
     end
 
     it "should return any previously found key without requerying" do
-      Puppet::SSL::Key.expects(:find).with("myname").returns(@key).once
+      Puppet::SSL::Key.indirection.expects(:find).with("myname").returns(@key).once
       @host.key.should equal(@key)
       @host.key.should equal(@key)
     end
@@ -435,16 +348,17 @@ describe Puppet::SSL::Host do
   describe "when managing its certificate request" do
     before do
       @realrequest = "real request"
-      @request = stub 'request', :content => @realrequest
+      @request = Puppet::SSL::CertificateRequest.new("myname")
+      @request.content = @realrequest
     end
 
     it "should return nil if the key is not set and cannot be found" do
-      Puppet::SSL::CertificateRequest.expects(:find).with("myname").returns(nil)
+      Puppet::SSL::CertificateRequest.indirection.expects(:find).with("myname").returns(nil)
       @host.certificate_request.should be_nil
     end
 
     it "should find the request in the Key class and return it and return the Puppet SSL request" do
-      Puppet::SSL::CertificateRequest.expects(:find).with("myname").returns @request
+      Puppet::SSL::CertificateRequest.indirection.expects(:find).with("myname").returns @request
 
       @host.certificate_request.should equal(@request)
     end
@@ -458,7 +372,7 @@ describe Puppet::SSL::Host do
       @host.expects(:generate_key).returns(key)
 
       @request.stubs(:generate)
-      @request.stubs(:save)
+      Puppet::SSL::CertificateRequest.indirection.stubs(:save)
 
       @host.generate_certificate_request
     end
@@ -468,15 +382,15 @@ describe Puppet::SSL::Host do
 
       key = stub 'key', :public_key => mock("public_key"), :content => "mycontent"
       @host.stubs(:key).returns(key)
-      @request.expects(:generate).with("mycontent", {})
-      @request.expects(:save)
+      @request.expects(:generate).with("mycontent")
+      Puppet::SSL::CertificateRequest.indirection.expects(:save).with(@request)
 
       @host.generate_certificate_request.should be_true
       @host.certificate_request.should equal(@request)
     end
 
     it "should return any previously found request without requerying" do
-      Puppet::SSL::CertificateRequest.expects(:find).with("myname").returns(@request).once
+      Puppet::SSL::CertificateRequest.indirection.expects(:find).with("myname").returns(@request).once
 
       @host.certificate_request.should equal(@request)
       @host.certificate_request.should equal(@request)
@@ -488,11 +402,14 @@ describe Puppet::SSL::Host do
       key = stub 'key', :public_key => mock("public_key"), :content => "mycontent"
       @host.stubs(:key).returns(key)
       @request.stubs(:generate)
-      @request.expects(:save).raises "eh"
+      @request.stubs(:name).returns("myname")
+      terminus = stub 'terminus'
+      Puppet::SSL::CertificateRequest.indirection.expects(:prepare).returns(terminus)
+      terminus.expects(:save).with { |req| req.instance == @request && req.key == "myname" }.raises "eh"
 
       lambda { @host.generate_certificate_request }.should raise_error
 
-      @host.certificate_request.should be_nil
+      @host.instance_eval { @certificate_request }.should be_nil
     end
   end
 
@@ -506,36 +423,36 @@ describe Puppet::SSL::Host do
     end
 
     it "should find the CA certificate if it does not have a certificate" do
-      Puppet::SSL::Certificate.expects(:find).with(Puppet::SSL::CA_NAME).returns mock("cacert")
-      Puppet::SSL::Certificate.stubs(:find).with("myname").returns @cert
+      Puppet::SSL::Certificate.indirection.expects(:find).with(Puppet::SSL::CA_NAME).returns mock("cacert")
+      Puppet::SSL::Certificate.indirection.stubs(:find).with("myname").returns @cert
 
       @host.certificate
     end
 
     it "should not find the CA certificate if it is the CA host" do
       @host.expects(:ca?).returns true
-      Puppet::SSL::Certificate.stubs(:find)
-      Puppet::SSL::Certificate.expects(:find).with(Puppet::SSL::CA_NAME).never
+      Puppet::SSL::Certificate.indirection.stubs(:find)
+      Puppet::SSL::Certificate.indirection.expects(:find).with(Puppet::SSL::CA_NAME).never
 
       @host.certificate
     end
 
     it "should return nil if it cannot find a CA certificate" do
-      Puppet::SSL::Certificate.expects(:find).with(Puppet::SSL::CA_NAME).returns nil
-      Puppet::SSL::Certificate.expects(:find).with("myname").never
+      Puppet::SSL::Certificate.indirection.expects(:find).with(Puppet::SSL::CA_NAME).returns nil
+      Puppet::SSL::Certificate.indirection.expects(:find).with("myname").never
 
       @host.certificate.should be_nil
     end
 
     it "should find the key if it does not have one" do
-      Puppet::SSL::Certificate.stubs(:find)
+      Puppet::SSL::Certificate.indirection.stubs(:find)
       @host.expects(:key).returns mock("key")
 
       @host.certificate
     end
 
     it "should generate the key if one cannot be found" do
-      Puppet::SSL::Certificate.stubs(:find)
+      Puppet::SSL::Certificate.indirection.stubs(:find)
 
       @host.expects(:key).returns nil
       @host.expects(:generate_key)
@@ -544,8 +461,8 @@ describe Puppet::SSL::Host do
     end
 
     it "should find the certificate in the Certificate class and return the Puppet certificate instance" do
-      Puppet::SSL::Certificate.expects(:find).with(Puppet::SSL::CA_NAME).returns mock("cacert")
-      Puppet::SSL::Certificate.expects(:find).with("myname").returns @cert
+      Puppet::SSL::Certificate.indirection.expects(:find).with(Puppet::SSL::CA_NAME).returns mock("cacert")
+      Puppet::SSL::Certificate.indirection.expects(:find).with("myname").returns @cert
 
       @host.certificate.should equal(@cert)
     end
@@ -553,14 +470,14 @@ describe Puppet::SSL::Host do
     it "should fail if the found certificate does not match the private key" do
       @host.expects(:certificate_matches_key?).returns false
 
-      Puppet::SSL::Certificate.stubs(:find).returns @cert
+      Puppet::SSL::Certificate.indirection.stubs(:find).returns @cert
 
       lambda { @host.certificate }.should raise_error(Puppet::Error)
     end
 
     it "should return any previously found certificate" do
-      Puppet::SSL::Certificate.expects(:find).with(Puppet::SSL::CA_NAME).returns mock("cacert")
-      Puppet::SSL::Certificate.expects(:find).with("myname").returns(@cert).once
+      Puppet::SSL::Certificate.indirection.expects(:find).with(Puppet::SSL::CA_NAME).returns mock("cacert")
+      Puppet::SSL::Certificate.indirection.expects(:find).with("myname").returns(@cert).once
 
       @host.certificate.should equal(@cert)
       @host.certificate.should equal(@cert)
@@ -573,41 +490,41 @@ describe Puppet::SSL::Host do
 
   describe "when listing certificate hosts" do
     it "should default to listing all clients with any file types" do
-      Puppet::SSL::Key.expects(:search).returns []
-      Puppet::SSL::Certificate.expects(:search).returns []
-      Puppet::SSL::CertificateRequest.expects(:search).returns []
+      Puppet::SSL::Key.indirection.expects(:search).returns []
+      Puppet::SSL::Certificate.indirection.expects(:search).returns []
+      Puppet::SSL::CertificateRequest.indirection.expects(:search).returns []
       Puppet::SSL::Host.search
     end
 
     it "should be able to list only clients with a key" do
-      Puppet::SSL::Key.expects(:search).returns []
-      Puppet::SSL::Certificate.expects(:search).never
-      Puppet::SSL::CertificateRequest.expects(:search).never
+      Puppet::SSL::Key.indirection.expects(:search).returns []
+      Puppet::SSL::Certificate.indirection.expects(:search).never
+      Puppet::SSL::CertificateRequest.indirection.expects(:search).never
       Puppet::SSL::Host.search :for => Puppet::SSL::Key
     end
 
     it "should be able to list only clients with a certificate" do
-      Puppet::SSL::Key.expects(:search).never
-      Puppet::SSL::Certificate.expects(:search).returns []
-      Puppet::SSL::CertificateRequest.expects(:search).never
+      Puppet::SSL::Key.indirection.expects(:search).never
+      Puppet::SSL::Certificate.indirection.expects(:search).returns []
+      Puppet::SSL::CertificateRequest.indirection.expects(:search).never
       Puppet::SSL::Host.search :for => Puppet::SSL::Certificate
     end
 
     it "should be able to list only clients with a certificate request" do
-      Puppet::SSL::Key.expects(:search).never
-      Puppet::SSL::Certificate.expects(:search).never
-      Puppet::SSL::CertificateRequest.expects(:search).returns []
+      Puppet::SSL::Key.indirection.expects(:search).never
+      Puppet::SSL::Certificate.indirection.expects(:search).never
+      Puppet::SSL::CertificateRequest.indirection.expects(:search).returns []
       Puppet::SSL::Host.search :for => Puppet::SSL::CertificateRequest
     end
 
-    it "should return a Host instance created with the name of each found instance" do
+    it "should return a Host instance created with the name of each found instance", :'fails_on_ruby_1.9.2' => true do
       key = stub 'key', :name => "key"
       cert = stub 'cert', :name => "cert"
       csr = stub 'csr', :name => "csr"
 
-      Puppet::SSL::Key.expects(:search).returns [key]
-      Puppet::SSL::Certificate.expects(:search).returns [cert]
-      Puppet::SSL::CertificateRequest.expects(:search).returns [csr]
+      Puppet::SSL::Key.indirection.expects(:search).returns [key]
+      Puppet::SSL::Certificate.indirection.expects(:search).returns [cert]
+      Puppet::SSL::CertificateRequest.indirection.expects(:search).returns [csr]
 
       returned = []
       %w{key cert csr}.each do |name|
@@ -657,7 +574,7 @@ describe Puppet::SSL::Host do
       it "should use the CA to sign its certificate request if it does not have a certificate" do
         @host.expects(:certificate).returns nil
 
-        @ca.expects(:sign).with(@host.name, true)
+        @ca.expects(:sign).with(@host.name)
 
         @host.generate
       end
@@ -697,7 +614,7 @@ describe Puppet::SSL::Host do
 
       Puppet.settings.stubs(:value).with(:localcacert).returns "ssl_host_testing"
 
-      Puppet::SSL::CertificateRevocationList.stubs(:find).returns(nil)
+      Puppet::SSL::CertificateRevocationList.indirection.stubs(:find).returns(nil)
     end
 
     it "should accept a purpose" do
@@ -719,7 +636,7 @@ describe Puppet::SSL::Host do
     describe "and a CRL is available" do
       before do
         @crl = stub 'crl', :content => "real_crl"
-        Puppet::SSL::CertificateRevocationList.stubs(:find).returns @crl
+        Puppet::SSL::CertificateRevocationList.indirection.stubs(:find).returns @crl
         Puppet.settings.stubs(:value).with(:certificate_revocation).returns true
       end
 
@@ -764,16 +681,14 @@ describe Puppet::SSL::Host do
       @host.expects(:certificate).returns(nil)
       @host.expects(:generate).raises(RuntimeError)
       @host.expects(:puts)
-      @host.expects(:exit).with(1).raises(SystemExit)
-      lambda { @host.wait_for_cert(0) }.should raise_error(SystemExit)
+      expect { @host.wait_for_cert(0) }.to exit_with 1
     end
 
     it "should exit if the wait time is 0 and it can neither find nor retrieve a certificate" do
       @host.stubs(:certificate).returns nil
       @host.expects(:generate)
       @host.expects(:puts)
-      @host.expects(:exit).with(1).raises(SystemExit)
-      lambda { @host.wait_for_cert(0) }.should raise_error(SystemExit)
+      expect { @host.wait_for_cert(0) }.to exit_with 1
     end
 
     it "should sleep for the specified amount of time if no certificate is found after generating its certificate request" do
@@ -795,4 +710,84 @@ describe Puppet::SSL::Host do
       @host.wait_for_cert(1)
     end
   end
+
+  describe "when handling PSON" do
+    include PuppetSpec::Files
+
+    before do
+      Puppet[:vardir] = tmpdir("ssl_test_vardir")
+      Puppet[:ssldir] = tmpdir("ssl_test_ssldir")
+      Puppet::SSLCertificates::CA.new.mkrootcert
+      # localcacert is where each client stores the CA certificate
+      # cacert is where the master stores the CA certificate
+      # Since we need to play the role of both for testing we need them to be the same and exist
+      Puppet[:cacert] = Puppet[:localcacert]
+
+      @ca=Puppet::SSL::CertificateAuthority.new
+    end
+
+    describe "when converting to PSON" do
+      it "should be able to identify a host with an unsigned certificate request" do
+        host = Puppet::SSL::Host.new("bazinga")
+        host.generate_certificate_request
+        pson_hash = {
+          "fingerprint"          => host.certificate_request.fingerprint,
+          "desired_state"        => 'requested',
+          "name"                 => host.name
+        }
+
+        result = PSON.parse(Puppet::SSL::Host.new(host.name).to_pson)
+        result["fingerprint"].should == pson_hash["fingerprint"]
+        result["name"].should        == pson_hash["name"]
+        result["state"].should       == pson_hash["desired_state"]
+      end
+
+      it "should be able to identify a host with a signed certificate" do
+        host = Puppet::SSL::Host.new("bazinga")
+        host.generate_certificate_request
+        @ca.sign(host.name)
+        pson_hash = {
+          "fingerprint"          => Puppet::SSL::Certificate.indirection.find(host.name).fingerprint,
+          "desired_state"        => 'signed',
+          "name"                 => host.name,
+        }
+
+        result = PSON.parse(Puppet::SSL::Host.new(host.name).to_pson)
+        result["fingerprint"].should == pson_hash["fingerprint"]
+        result["name"].should        == pson_hash["name"]
+        result["state"].should       == pson_hash["desired_state"]
+      end
+
+      it "should be able to identify a host with a revoked certificate" do
+        host = Puppet::SSL::Host.new("bazinga")
+        host.generate_certificate_request
+        @ca.sign(host.name)
+        @ca.revoke(host.name)
+        pson_hash = {
+          "fingerprint"          => Puppet::SSL::Certificate.indirection.find(host.name).fingerprint,
+          "desired_state"        => 'revoked',
+          "name"                 => host.name,
+        }
+
+        result = PSON.parse(Puppet::SSL::Host.new(host.name).to_pson)
+        result["fingerprint"].should == pson_hash["fingerprint"]
+        result["name"].should        == pson_hash["name"]
+        result["state"].should       == pson_hash["desired_state"]
+      end
+    end
+
+    describe "when converting from PSON" do
+      it "should return a Puppet::SSL::Host object with the specified desired state" do
+        host = Puppet::SSL::Host.new("bazinga")
+        host.desired_state="signed"
+        pson_hash = {
+          "name"  => host.name,
+          "desired_state" => host.desired_state,
+        }
+        generated_host = Puppet::SSL::Host.from_pson(pson_hash)
+        generated_host.desired_state.should == host.desired_state
+        generated_host.name.should == host.name
+      end
+    end
+  end
 end