RubyGems - puppet - Versions diffs - 2.7.5 → 2.7.6 - Mend

puppet 2.7.5 → 2.7.6

Potentially problematic release.

This version of puppet might be problematic. Click here for more details.

Files changed (140) hide show

data/CHANGELOG +121 -0
data/conf/redhat/puppet.spec +16 -7
data/lib/puppet.rb +1 -1
data/lib/puppet/application/cert.rb +17 -3
data/lib/puppet/application/device.rb +1 -0
data/lib/puppet/application/kick.rb +0 -2
data/lib/puppet/application/resource.rb +73 -66
data/lib/puppet/configurer/plugin_handler.rb +6 -2
data/lib/puppet/defaults.rb +60 -5
data/lib/puppet/face/ca.rb +11 -2
data/lib/puppet/face/certificate.rb +33 -4
data/lib/puppet/file_serving/fileset.rb +1 -1
data/lib/puppet/file_serving/indirection_hooks.rb +2 -2
data/lib/puppet/file_serving/metadata.rb +43 -4
data/lib/puppet/indirector.rb +0 -1
data/lib/puppet/indirector/request.rb +3 -4
data/lib/puppet/indirector/resource/active_record.rb +3 -10
data/lib/puppet/indirector/resource/ral.rb +2 -2
data/lib/puppet/indirector/rest.rb +1 -1
data/lib/puppet/network/handler/ca.rb +16 -106
data/lib/puppet/network/handler/master.rb +0 -3
data/lib/puppet/network/handler/runner.rb +1 -0
data/lib/puppet/parser/scope.rb +10 -0
data/lib/puppet/provider/file/posix.rb +72 -34
data/lib/puppet/provider/file/windows.rb +100 -0
data/lib/puppet/provider/group/windows_adsi.rb +2 -2
data/lib/puppet/provider/user/windows_adsi.rb +19 -4
data/lib/puppet/resource.rb +16 -0
data/lib/puppet/resource/catalog.rb +1 -1
data/lib/puppet/ssl/certificate.rb +2 -2
data/lib/puppet/ssl/certificate_authority.rb +86 -10
data/lib/puppet/ssl/certificate_authority/interface.rb +64 -19
data/lib/puppet/ssl/certificate_factory.rb +112 -91
data/lib/puppet/ssl/certificate_request.rb +88 -1
data/lib/puppet/ssl/host.rb +20 -3
data/lib/puppet/type/file.rb +15 -34
data/lib/puppet/type/file/group.rb +11 -91
data/lib/puppet/type/file/mode.rb +11 -41
data/lib/puppet/type/file/owner.rb +18 -34
data/lib/puppet/type/file/source.rb +22 -7
data/lib/puppet/type/group.rb +4 -3
data/lib/puppet/type/user.rb +4 -1
data/lib/puppet/util.rb +59 -6
data/lib/puppet/util/adsi.rb +11 -0
data/lib/puppet/util/log.rb +4 -0
data/lib/puppet/util/log/destinations.rb +7 -1
data/lib/puppet/util/monkey_patches.rb +19 -0
data/lib/puppet/util/network_device/config.rb +4 -5
data/lib/puppet/util/settings.rb +5 -0
data/lib/puppet/util/suidmanager.rb +0 -1
data/lib/puppet/util/windows.rb +4 -0
data/lib/puppet/util/windows/error.rb +16 -0
data/lib/puppet/util/windows/security.rb +593 -0
data/spec/integration/defaults_spec.rb +27 -0
data/spec/integration/network/handler_spec.rb +1 -1
data/spec/integration/type/file_spec.rb +382 -145
data/spec/integration/util/windows/security_spec.rb +468 -0
data/spec/shared_behaviours/file_serving.rb +4 -3
data/spec/unit/application/agent_spec.rb +1 -0
data/spec/unit/application/device_spec.rb +5 -0
data/spec/unit/application/resource_spec.rb +62 -101
data/spec/unit/configurer/downloader_spec.rb +2 -2
data/spec/unit/configurer/plugin_handler_spec.rb +15 -8
data/spec/unit/configurer_spec.rb +2 -2
data/spec/unit/face/ca_spec.rb +34 -0
data/spec/unit/face/certificate_spec.rb +168 -1
data/spec/unit/file_serving/fileset_spec.rb +1 -1
data/spec/unit/file_serving/indirection_hooks_spec.rb +1 -1
data/spec/unit/file_serving/metadata_spec.rb +151 -107
data/spec/unit/indirector/certificate_request/ca_spec.rb +0 -3
data/spec/unit/indirector/direct_file_server_spec.rb +10 -9
data/spec/unit/indirector/file_metadata/file_spec.rb +6 -4
data/spec/unit/indirector/request_spec.rb +13 -3
data/spec/unit/indirector/resource/active_record_spec.rb +4 -10
data/spec/unit/indirector/resource/ral_spec.rb +6 -4
data/spec/unit/indirector/rest_spec.rb +5 -6
data/spec/unit/network/handler/ca_spec.rb +86 -0
data/spec/unit/parser/collector_spec.rb +7 -7
data/spec/unit/parser/scope_spec.rb +20 -0
data/spec/unit/provider/file/posix_spec.rb +226 -0
data/spec/unit/provider/file/windows_spec.rb +136 -0
data/spec/unit/provider/group/windows_adsi_spec.rb +7 -2
data/spec/unit/provider/user/windows_adsi_spec.rb +36 -3
data/spec/unit/resource/catalog_spec.rb +20 -10
data/spec/unit/resource_spec.rb +55 -8
data/spec/unit/ssl/certificate_authority/interface_spec.rb +97 -54
data/spec/unit/ssl/certificate_authority_spec.rb +133 -23
data/spec/unit/ssl/certificate_factory_spec.rb +90 -70
data/spec/unit/ssl/certificate_request_spec.rb +62 -1
data/spec/unit/ssl/certificate_spec.rb +20 -14
data/spec/unit/ssl/host_spec.rb +52 -6
data/spec/unit/type/file/content_spec.rb +4 -4
data/spec/unit/type/file/group_spec.rb +34 -96
data/spec/unit/type/file/mode_spec.rb +88 -0
data/spec/unit/type/file/owner_spec.rb +32 -123
data/spec/unit/type/file/source_spec.rb +120 -41
data/spec/unit/type/file_spec.rb +1033 -753
data/spec/unit/type_spec.rb +19 -1
data/spec/unit/util/adsi_spec.rb +19 -0
data/spec/unit/util/log/destinations_spec.rb +75 -0
data/spec/unit/util/log_spec.rb +15 -0
data/spec/unit/util/network_device/config_spec.rb +7 -0
data/spec/unit/util/settings_spec.rb +10 -0
data/spec/unit/util_spec.rb +126 -13
data/test/language/functions.rb +0 -1
data/test/language/snippets.rb +0 -9
data/test/lib/puppettest/exetest.rb +1 -1
data/test/lib/puppettest/servertest.rb +0 -1
data/test/rails/rails.rb +0 -1
data/test/ral/type/filesources.rb +0 -60
metadata +13 -33
data/lib/puppet/network/client.rb +0 -174
data/lib/puppet/network/client/ca.rb +0 -56
data/lib/puppet/network/client/file.rb +0 -6
data/lib/puppet/network/client/proxy.rb +0 -27
data/lib/puppet/network/client/report.rb +0 -26
data/lib/puppet/network/client/runner.rb +0 -10
data/lib/puppet/network/client/status.rb +0 -4
data/lib/puppet/network/http_server.rb +0 -3
data/lib/puppet/network/http_server/mongrel.rb +0 -130
data/lib/puppet/network/http_server/webrick.rb +0 -155
data/lib/puppet/network/xmlrpc/client.rb +0 -211
data/lib/puppet/provider/file/win32.rb +0 -72
data/lib/puppet/sslcertificates.rb +0 -146
data/lib/puppet/sslcertificates/ca.rb +0 -375
data/lib/puppet/sslcertificates/certificate.rb +0 -255
data/lib/puppet/sslcertificates/inventory.rb +0 -38
data/lib/puppet/sslcertificates/support.rb +0 -146
data/spec/integration/network/client_spec.rb +0 -18
data/spec/unit/network/xmlrpc/client_spec.rb +0 -172
data/spec/unit/sslcertificates/ca_spec.rb +0 -106
data/test/certmgr/certmgr.rb +0 -308
data/test/certmgr/inventory.rb +0 -69
data/test/certmgr/support.rb +0 -105
data/test/network/client/ca.rb +0 -69
data/test/network/client/dipper.rb +0 -34
data/test/network/handler/ca.rb +0 -273
data/test/network/server/mongrel_test.rb +0 -99
data/test/network/server/webrick.rb +0 -111
data/test/network/xmlrpc/client.rb +0 -45

data/spec/unit/ssl/certificate_authority_spec.rb CHANGED

@@ -199,8 +199,9 @@ describe Puppet::SSL::CertificateAuthority do
       request = mock 'request'
       Puppet::SSL::CertificateRequest.expects(:new).with(@ca.host.name).returns request
       request.expects(:generate).with(@ca.host.key)
+      request.stubs(:request_extensions => [])
-      @ca.expects(:sign).with(@host.name, :ca, request)
+      @ca.expects(:sign).with(@host.name, false, request)
       @ca.stubs :generate_password
@@ -243,10 +244,10 @@ describe Puppet::SSL::CertificateAuthority do
       Puppet::SSL::Certificate.indirection.stubs(:save)
       # Stub out the factory
-      @factory = stub 'factory', :result => "my real cert"
-      Puppet::SSL::CertificateFactory.stubs(:new).returns @factory
+      Puppet::SSL::CertificateFactory.stubs(:build).returns "my real cert"
-      @request = stub 'request', :content => "myrequest", :name => @name
+      @request_content = stub "request content stub", :subject => @name
+      @request = stub 'request', :name => @name, :request_extensions => [], :subject_alt_names => [], :content => @request_content
       # And the inventory
       @inventory = stub 'inventory', :add => nil
@@ -297,37 +298,45 @@ describe Puppet::SSL::CertificateAuthority do
       it "should not look up a certificate request for the host" do
         Puppet::SSL::CertificateRequest.indirection.expects(:find).never
-        @ca.sign(@name, :ca, @request)
+        @ca.sign(@name, true, @request)
       end
       it "should use a certificate type of :ca" do
-        Puppet::SSL::CertificateFactory.expects(:new).with do |*args|
+        Puppet::SSL::CertificateFactory.expects(:build).with do |*args|
           args[0] == :ca
-        end.returns @factory
+        end.returns "my real cert"
         @ca.sign(@name, :ca, @request)
       end
       it "should pass the provided CSR as the CSR" do
-        Puppet::SSL::CertificateFactory.expects(:new).with do |*args|
-          args[1] == "myrequest"
-        end.returns @factory
+        Puppet::SSL::CertificateFactory.expects(:build).with do |*args|
+          args[1] == @request
+        end.returns "my real cert"
         @ca.sign(@name, :ca, @request)
       end
       it "should use the provided CSR's content as the issuer" do
-        Puppet::SSL::CertificateFactory.expects(:new).with do |*args|
-          args[2] == "myrequest"
-        end.returns @factory
+        Puppet::SSL::CertificateFactory.expects(:build).with do |*args|
+          args[2].subject == "myhost"
+        end.returns "my real cert"
         @ca.sign(@name, :ca, @request)
       end
       it "should pass the next serial as the serial number" do
-        Puppet::SSL::CertificateFactory.expects(:new).with do |*args|
+        Puppet::SSL::CertificateFactory.expects(:build).with do |*args|
           args[3] == @serial
-        end.returns @factory
+        end.returns "my real cert"
         @ca.sign(@name, :ca, @request)
       end
+      it "should sign the certificate request even if it contains alt names" do
+        @request.stubs(:subject_alt_names).returns %w[DNS:foo DNS:bar DNS:baz]
+        expect do
+          @ca.sign(@name, false, @request)
+        end.should_not raise_error(Puppet::SSL::CertificateAuthority::CertificateSigningError)
+      end
       it "should save the resulting certificate" do
         Puppet::SSL::Certificate.indirection.expects(:save).with(@cert)
@@ -345,9 +354,9 @@ describe Puppet::SSL::CertificateAuthority do
       end
       it "should use a certificate type of :server" do
-        Puppet::SSL::CertificateFactory.expects(:new).with do |*args|
+        Puppet::SSL::CertificateFactory.expects(:build).with do |*args|
           args[0] == :server
-        end.returns @factory
+        end.returns "my real cert"
         @ca.sign(@name)
       end
@@ -364,17 +373,45 @@ describe Puppet::SSL::CertificateAuthority do
         lambda { @ca.sign(@name) }.should raise_error(ArgumentError)
       end
+      it "should fail if an unknown request extension is present" do
+        @request.stubs :request_extensions => [{ "oid"   => "bananas",
+                                                 "value" => "delicious" }]
+        expect { @ca.sign(@name) }.
+          should raise_error(/CSR has request extensions that are not permitted/)
+      end
+      it "should fail if the CSR contains alt names and they are not expected" do
+        @request.stubs(:subject_alt_names).returns %w[DNS:foo DNS:bar DNS:baz]
+        expect do
+          @ca.sign(@name, false)
+        end.to raise_error(Puppet::SSL::CertificateAuthority::CertificateSigningError, /CSR '#{@name}' contains subject alternative names \(.*?\), which are disallowed. Use `puppet cert --allow-dns-alt-names sign #{@name}` to sign this request./)
+      end
+      it "should not fail if the CSR does not contain alt names and they are expected" do
+        @request.stubs(:subject_alt_names).returns []
+        expect { @ca.sign(@name, true) }.should_not raise_error
+      end
+      it "should reject alt names by default" do
+        @request.stubs(:subject_alt_names).returns %w[DNS:foo DNS:bar DNS:baz]
+        expect do
+          @ca.sign(@name)
+        end.to raise_error(Puppet::SSL::CertificateAuthority::CertificateSigningError, /CSR '#{@name}' contains subject alternative names \(.*?\), which are disallowed. Use `puppet cert --allow-dns-alt-names sign #{@name}` to sign this request./)
+      end
       it "should use the CA certificate as the issuer" do
-        Puppet::SSL::CertificateFactory.expects(:new).with do |*args|
+        Puppet::SSL::CertificateFactory.expects(:build).with do |*args|
           args[2] == @cacert.content
-        end.returns @factory
+        end.returns "my real cert"
         @ca.sign(@name)
       end
       it "should pass the next serial as the serial number" do
-        Puppet::SSL::CertificateFactory.expects(:new).with do |*args|
+        Puppet::SSL::CertificateFactory.expects(:build).with do |*args|
           args[3] == @serial
-        end.returns @factory
+        end.returns "my real cert"
         @ca.sign(@name)
       end
@@ -399,6 +436,80 @@ describe Puppet::SSL::CertificateAuthority do
         @ca.sign(@name)
       end
+      it "should check the internal signing policies" do
+        @ca.expects(:check_internal_signing_policies).returns true
+        @ca.sign(@name)
+      end
+    end
+    context "#check_internal_signing_policies" do
+      before do
+        @serial = 10
+        @ca.stubs(:next_serial).returns @serial
+        Puppet::SSL::CertificateRequest.indirection.stubs(:find).with(@name).returns @request
+        @cert.stubs :save
+      end
+      it "should reject a critical extension that isn't on the whitelist" do
+        @request.stubs(:request_extensions).returns [{ "oid" => "banana",
+                                                       "value" => "yumm",
+                                                       "critical" => true }]
+        expect { @ca.sign(@name) }.to raise_error(
+          Puppet::SSL::CertificateAuthority::CertificateSigningError,
+          /request extensions that are not permitted/
+        )
+      end
+      it "should reject a non-critical extension that isn't on the whitelist" do
+        @request.stubs(:request_extensions).returns [{ "oid" => "peach",
+                                                       "value" => "meh",
+                                                       "critical" => false }]
+        expect { @ca.sign(@name) }.to raise_error(
+          Puppet::SSL::CertificateAuthority::CertificateSigningError,
+          /request extensions that are not permitted/
+        )
+      end
+      it "should reject non-whitelist extensions even if a valid extension is present" do
+        @request.stubs(:request_extensions).returns [{ "oid" => "peach",
+                                                       "value" => "meh",
+                                                       "critical" => false },
+                                                     { "oid" => "subjectAltName",
+                                                       "value" => "DNS:foo",
+                                                       "critical" => true }]
+        expect { @ca.sign(@name) }.to raise_error(
+          Puppet::SSL::CertificateAuthority::CertificateSigningError,
+          /request extensions that are not permitted/
+        )
+      end
+      it "should reject a subjectAltName for a non-DNS value" do
+        @request.stubs(:subject_alt_names).returns ['DNS:foo', 'email:bar@example.com']
+        expect { @ca.sign(@name, true) }.to raise_error(
+          Puppet::SSL::CertificateAuthority::CertificateSigningError,
+          /subjectAltName outside the DNS label space/
+        )
+      end
+      it "should reject a wildcard subject" do
+        @request.content.stubs(:subject).
+          returns(OpenSSL::X509::Name.new([["CN", "*.local"]]))
+        expect { @ca.sign(@name) }.to raise_error(
+          Puppet::SSL::CertificateAuthority::CertificateSigningError,
+          /subject contains a wildcard/
+        )
+      end
+      it "should reject a wildcard subjectAltName" do
+        @request.stubs(:subject_alt_names).returns ['DNS:foo', 'DNS:*.bar']
+        expect { @ca.sign(@name, true) }.to raise_error(
+          Puppet::SSL::CertificateAuthority::CertificateSigningError,
+          /subjectAltName contains a wildcard/
+        )
+      end
     end
     it "should create a certificate instance with the content set to the newly signed x509 certificate" do
@@ -763,8 +874,7 @@ describe Puppet::SSL::CertificateAuthority do
       end
       it "should sign the generated request" do
-        @ca.expects(:sign).with("him")
+        @ca.expects(:sign).with("him", false)
         @ca.generate("him")
       end
     end

data/spec/unit/ssl/certificate_factory_spec.rb CHANGED

@@ -4,103 +4,123 @@ require 'spec_helper'
 require 'puppet/ssl/certificate_factory'
 describe Puppet::SSL::CertificateFactory do
-  before do
-    @cert_type = mock 'cert_type'
-    @name = mock 'name'
-    @csr = stub 'csr', :subject => @name
-    @issuer = mock 'issuer'
-    @serial = mock 'serial'
-    @factory = Puppet::SSL::CertificateFactory.new(@cert_type, @csr, @issuer, @serial)
+  let :serial    do OpenSSL::BN.new('12') end
+  let :name      do "example.local" end
+  let :x509_name do OpenSSL::X509::Name.new([['CN', name]]) end
+  let :key       do Puppet::SSL::Key.new(name).generate end
+  let :csr       do
+    csr = Puppet::SSL::CertificateRequest.new(name)
+    csr.generate(key)
+    csr
   end
-  describe "when initializing" do
-    it "should set its :cert_type to its first argument" do
-      @factory.cert_type.should equal(@cert_type)
-    end
-    it "should set its :csr to its second argument" do
-      @factory.csr.should equal(@csr)
-    end
-    it "should set its :issuer to its third argument" do
-      @factory.issuer.should equal(@issuer)
-    end
-    it "should set its :serial to its fourth argument" do
-      @factory.serial.should equal(@serial)
-    end
-    it "should set its name to the subject of the csr" do
-      @factory.name.should equal(@name)
-    end
+  let :issuer do
+    cert = OpenSSL::X509::Certificate.new
+    cert.subject = OpenSSL::X509::Name.new([["CN", 'issuer.local']])
+    cert
   end
   describe "when generating the certificate" do
-    before do
-      @cert = mock 'cert'
-      @cert.stub_everything
-      @factory.stubs :build_extensions
-      @factory.stubs :set_ttl
-      @issuer_name = mock 'issuer_name'
-      @issuer.stubs(:subject).returns @issuer_name
-      @public_key = mock 'public_key'
-      @csr.stubs(:public_key).returns @public_key
-      OpenSSL::X509::Certificate.stubs(:new).returns @cert
-    end
     it "should return a new X509 certificate" do
-      OpenSSL::X509::Certificate.expects(:new).returns @cert
-      @factory.result.should equal(@cert)
+      subject.build(:server, csr, issuer, serial).should_not ==
+        subject.build(:server, csr, issuer, serial)
     end
     it "should set the certificate's version to 2" do
-      @cert.expects(:version=).with 2
-      @factory.result
+      subject.build(:server, csr, issuer, serial).version.should == 2
     end
     it "should set the certificate's subject to the CSR's subject" do
-      @cert.expects(:subject=).with @name
-      @factory.result
+      cert = subject.build(:server, csr, issuer, serial)
+      cert.subject.should eql x509_name
     end
     it "should set the certificate's issuer to the Issuer's subject" do
-      @cert.expects(:issuer=).with @issuer_name
-      @factory.result
+      cert = subject.build(:server, csr, issuer, serial)
+      cert.issuer.should eql issuer.subject
     end
     it "should set the certificate's public key to the CSR's public key" do
-      @cert.expects(:public_key=).with @public_key
-      @factory.result
+      cert = subject.build(:server, csr, issuer, serial)
+      cert.public_key.should be_public
+      cert.public_key.to_s.should == csr.content.public_key.to_s
     end
     it "should set the certificate's serial number to the provided serial number" do
-      @cert.expects(:serial=).with @serial
-      @factory.result
+      cert = subject.build(:server, csr, issuer, serial)
+      cert.serial.should == serial
+    end
+    it "should have 24 hours grace on the start of the cert" do
+      cert = subject.build(:server, csr, issuer, serial)
+      cert.not_before.should be_within(1).of(Time.now - 24*60*60)
+    end
+    it "should set the default TTL of the certificate" do
+      ttl  = Puppet::SSL::CertificateFactory.ttl
+      cert = subject.build(:server, csr, issuer, serial)
+      cert.not_after.should be_within(1).of(Time.now + ttl)
+    end
+    it "should respect a custom TTL for the CA" do
+      Puppet[:ca_ttl] = 12
+      cert = subject.build(:server, csr, issuer, serial)
+      cert.not_after.should be_within(1).of(Time.now + 12)
     end
     it "should build extensions for the certificate" do
-      @factory.expects(:build_extensions)
-      @factory.result
+      cert = subject.build(:server, csr, issuer, serial)
+      cert.extensions.map {|x| x.to_h }.find {|x| x["oid"] == "nsComment" }.should ==
+        { "oid"      => "nsComment",
+          "value"    => "Puppet Ruby/OpenSSL Internal Certificate",
+          "critical" => false }
     end
-    it "should set the ttl of the certificate" do
-      @factory.expects(:set_ttl)
-      @factory.result
+    # See #2848 for why we are doing this: we need to make sure that
+    # subjectAltName is set if the CSR has it, but *not* if it is set when the
+    # certificate is built!
+    it "should not add subjectAltNames from dns_alt_names" do
+      Puppet[:dns_alt_names] = 'one, two'
+      # Verify the CSR still has no extReq, just in case...
+      csr.request_extensions.should == []
+      cert = subject.build(:server, csr, issuer, serial)
+      cert.extensions.find {|x| x.oid == 'subjectAltName' }.should be_nil
     end
-  end
-  describe "when building extensions" do
-    it "should have tests"
-  end
+    it "should add subjectAltName when the CSR requests them" do
+      Puppet[:dns_alt_names] = ''
+      expect = %w{one two} + [name]
+      csr = Puppet::SSL::CertificateRequest.new(name)
+      csr.generate(key, :dns_alt_names => expect.join(', '))
-  describe "when setting the ttl" do
-    it "should have tests"
+      csr.request_extensions.should_not be_nil
+      csr.subject_alt_names.should =~ expect.map{|x| "DNS:#{x}"}
+      cert = subject.build(:server, csr, issuer, serial)
+      san = cert.extensions.find {|x| x.oid == 'subjectAltName' }
+      san.should_not be_nil
+      expect.each do |name|
+        san.value.should =~ /DNS:#{name}\b/i
+      end
+    end
+    # Can't check the CA here, since that requires way more infrastructure
+    # that I want to build up at this time.  We can verify the critical
+    # values, though, which are non-CA certs. --daniel 2011-10-11
+    { :ca            => 'CA:TRUE',
+      :terminalsubca => ['CA:TRUE', 'pathlen:0'],
+      :server        => 'CA:FALSE',
+      :ocsp          => 'CA:FALSE',
+      :client        => 'CA:FALSE',
+    }.each do |name, value|
+      it "should set basicConstraints for #{name} #{value.inspect}" do
+        cert = subject.build(name, csr, issuer, serial)
+        bc = cert.extensions.find {|x| x.oid == 'basicConstraints' }
+        bc.should be
+        bc.value.split(/\s*,\s*/).should =~ Array(value)
+      end
+    end
   end
 end

data/spec/unit/ssl/certificate_request_spec.rb CHANGED

@@ -125,7 +125,7 @@ describe Puppet::SSL::CertificateRequest do
     it "should set the CN to the :ca_name setting when the CSR is for a CA" do
       subject = mock 'subject'
-      Puppet.settings.expects(:value).with(:ca_name).returns "mycertname"
+      Puppet[:ca_name] = "mycertname"
       OpenSSL::X509::Name.expects(:new).with { |subject| subject[0][1] == "mycertname" }.returns(subject)
       @request.expects(:subject=).with(subject)
       Puppet::SSL::CertificateRequest.new(Puppet::SSL::CA_NAME).generate(@key)
@@ -144,6 +144,67 @@ describe Puppet::SSL::CertificateRequest do
       @instance.generate(@key)
     end
+    context "without subjectAltName / dns_alt_names" do
+      before :each do
+        Puppet[:dns_alt_names] = ""
+      end
+      ["extreq", "msExtReq"].each do |name|
+        it "should not add any #{name} attribute" do
+          @request.expects(:add_attribute).never
+          @request.expects(:attributes=).never
+          @instance.generate(@key)
+        end
+        it "should return no subjectAltNames" do
+          @instance.generate(@key)
+          @instance.subject_alt_names.should be_empty
+        end
+      end
+    end
+    context "with dns_alt_names" do
+      before :each do
+        Puppet[:dns_alt_names] = "one, two, three"
+      end
+      ["extreq", "msExtReq"].each do |name|
+        it "should not add any #{name} attribute" do
+          @request.expects(:add_attribute).never
+          @request.expects(:attributes=).never
+          @instance.generate(@key)
+        end
+        it "should return no subjectAltNames" do
+          @instance.generate(@key)
+          @instance.subject_alt_names.should be_empty
+        end
+      end
+    end
+    context "with subjectAltName to generate request" do
+      before :each do
+        Puppet[:dns_alt_names] = ""
+      end
+      it "should add an extreq attribute" do
+        @request.expects(:add_attribute).with do |arg|
+          arg.value.value.all? do |x|
+            x.value.all? do |y|
+              y.value[0].value == "subjectAltName"
+            end
+          end
+        end
+        @instance.generate(@key, :dns_alt_names => 'one, two')
+      end
+      it "should return the subjectAltName values" do
+        @instance.generate(@key, :dns_alt_names => 'one,two')
+        @instance.subject_alt_names.should =~ ["DNS:myname", "DNS:one", "DNS:two"]
+      end
+    end
     it "should sign the csr with the provided key and a digest" do
       digest = mock 'digest'
       OpenSSL::Digest::MD5.expects(:new).returns(digest)