puppet 3.3.2 → 3.4.0.rc1

data/spec/unit/resource/status_spec.rb

@@ -59,7 +59,9 @@ describe Puppet::Resource::Status do
 
   it "should copy the resource's tags" do
     @resource.expects(:tags).returns %w{foo bar}
-    Puppet::Resource::Status.new(@resource).tags.should == %w{foo bar}
+    status = Puppet::Resource::Status.new(@resource)
+    status.should be_tagged("foo")
+    status.should be_tagged("bar")
   end
 
   it "should always convert the resource to a string" do
@@ -113,6 +115,14 @@ describe Puppet::Resource::Status do
     @status.events.should == [event]
   end
 
+  it "records an event for a failure caused by an error" do
+    @status.failed_because(StandardError.new("the message"))
+
+    expect(@status.events[0].message).to eq("the message")
+    expect(@status.events[0].status).to eq("failure")
+    expect(@status.events[0].name).to eq(:resource_error)
+  end
+
   it "should count the number of successful events and set changed" do
     3.times{ @status << Puppet::Transaction::Event.new(:status => 'success') }
     @status.change_count.should == 3

data/spec/unit/resource/type_spec.rb

@@ -1,8 +1,19 @@
 #! /usr/bin/env ruby
 require 'spec_helper'
-
 require 'puppet/resource/type'
 
+# the json-schema gem doesn't support windows
+if not Puppet.features.microsoft_windows?
+  RESOURCE_TYPE_SCHEMA = JSON.parse(File.read(File.join(File.dirname(__FILE__), '../../../api/schemas/resource_type.json')))
+
+  describe "resource type schema" do
+    it "should validate against the json meta-schema" do
+      JSON::Validator.validate!(JSON_META_SCHEMA, RESOURCE_TYPE_SCHEMA)
+    end
+  end
+
+end
+
 describe Puppet::Resource::Type do
   it "should have a 'name' attribute" do
     Puppet::Resource::Type.new(:hostclass, "foo").name.should == "foo"
@@ -31,6 +42,10 @@ describe Puppet::Resource::Type do
   end
 
   describe "when converting to json" do
+    def validate_json_for_type(type)
+      JSON::Validator.validate!(RESOURCE_TYPE_SCHEMA, type.to_pson)
+    end
+
     before do
       @type = Puppet::Resource::Type.new(:hostclass, "foo")
     end
@@ -48,6 +63,20 @@ describe Puppet::Resource::Type do
       double_convert.type.should == @type.type
     end
 
+    it "should validate with only name and kind", :unless => Puppet.features.microsoft_windows? do
+      validate_json_for_type(@type)
+    end
+
+    it "should validate with all fields set", :unless => Puppet.features.microsoft_windows? do
+      @type.set_arguments("one" => nil, "two" => "foo")
+      @type.line = 100
+      @type.doc = "A weird type"
+      @type.file = "/etc/manifests/thing.pp"
+      @type.parent = "one::two"
+
+      validate_json_for_type(@type)
+    end
+
     it "should include any arguments" do
       @type.set_arguments("one" => nil, "two" => "foo")
 

data/spec/unit/resource_spec.rb

@@ -339,8 +339,11 @@ describe Puppet::Resource do
         end
 
         it "should query the injector using a namespaced key" do
-          compiler.injector.expects(:lookup).with(scope, 'apache::port')
+          compiler.injector.expects(:lookup).with(scope, 'apache::port').returns("8081")
+
           resource.set_default_parameters(scope)
+
+          resource[:port].should == "8081"
         end
 
         it "should use the value from the data_binding terminus" do
@@ -376,8 +379,16 @@ describe Puppet::Resource do
           resource[:port].should == '80'
         end
 
+        it "should fail with error message about data binding on a hiera failure" do
+          Puppet::DataBinding.indirection.expects(:find).raises(Puppet::DataBinding::LookupError, 'Forgettabotit')
+          expect {
+            resource.set_default_parameters(scope)
+          }.to raise_error(Puppet::Error, /Error from DataBinding 'hiera' while looking up 'apache::port':.*Forgettabotit/)
+        end
+
         it "should use the default value if the injector returns nil" do
           compiler.injector.expects(:lookup).returns(nil)
+          Puppet::DataBinding.indirection.expects(:find).returns(nil)
 
           resource.set_default_parameters(scope)
 
@@ -607,7 +618,7 @@ describe Puppet::Resource do
     end
   end
 
-  describe "when serializing" do
+  describe "when serializing a native type" do
     before do
       @resource = Puppet::Resource.new("file", "/my/file")
       @resource["one"] = "test"
@@ -622,6 +633,31 @@ describe Puppet::Resource do
     end
   end
 
+  describe "when serializing a defined type" do
+    before do
+      type = Puppet::Resource::Type.new(:definition, "foo::bar")
+      Puppet::Node::Environment.new.known_resource_types.add type
+    end
+
+    before :each do
+      @resource = Puppet::Resource.new('foo::bar', 'xyzzy')
+      @resource['one'] = 'test'
+      @resource['two'] = 'other'
+      @resource.resource_type
+    end
+
+    it "doesn't include transient instance variables (#4506)" do
+      expect(@resource.to_yaml_properties).to_not include :@rstype
+    end
+
+    it "produces an equivalent yaml object" do
+      text = @resource.render('yaml')
+
+      newresource = Puppet::Resource.convert_from('yaml', text)
+      newresource.should equal_attributes_of @resource
+    end
+  end
+
   describe "when converting to a RAL resource" do
     it "should use the resource type's :new method to create the resource if the resource is of a builtin type" do
       resource = Puppet::Resource.new("file", basepath+"/my/file")
@@ -810,9 +846,9 @@ describe Puppet::Resource do
     end
   end
 
-  describe "it should implement to_resource" do
+  describe "it should implement copy_as_resource" do
     resource = Puppet::Resource.new("file", "/my/file")
-    resource.to_resource.should == resource
+    resource.copy_as_resource.should == resource
   end
 
   describe "because it is an indirector model" do

data/spec/unit/settings/file_setting_spec.rb

@@ -139,14 +139,14 @@ describe Puppet::Settings::FileSetting do
     it "should skip non-existent files if 'create_files' is not enabled" do
       @file.expects(:create_files?).returns false
       @file.expects(:type).returns :file
-      File.expects(:exist?).with(@basepath).returns false
+      Puppet::FileSystem::File.expects(:exist?).with(@basepath).returns false
       @file.to_resource.should be_nil
     end
 
     it "should manage existent files even if 'create_files' is not enabled" do
       @file.expects(:create_files?).returns false
       @file.expects(:type).returns :file
-      File.expects(:exist?).with(@basepath).returns true
+      Puppet::FileSystem::File.expects(:exist?).with(@basepath).returns true
       @file.to_resource.should be_instance_of(Puppet::Resource)
     end
 

data/spec/unit/settings/path_setting_spec.rb

@@ -22,8 +22,8 @@ describe Puppet::Settings::PathSetting do
       end
 
       it "should work with UNC paths" do
-        subject.munge('//server/some/path').should == '//server/some/path'
-        subject.munge('\\\\server\some\path').should == '//server/some/path'
+        subject.munge('//localhost/some/path').should == '//localhost/some/path'
+        subject.munge('\\\\localhost\some\path').should == '//localhost/some/path'
       end
     end
   end

data/spec/unit/settings/priority_setting_spec.rb

@@ -0,0 +1,66 @@
+#!/usr/bin/env ruby
+require 'spec_helper'
+
+require 'puppet/settings'
+require 'puppet/settings/priority_setting'
+require 'puppet/util/platform'
+
+describe Puppet::Settings::PrioritySetting do
+  let(:setting) { described_class.new(:settings => mock('settings'), :desc => "test") }
+
+  it "is of type :priority" do
+    setting.type.should == :priority
+  end
+
+  describe "when munging the setting" do
+    it "passes nil through" do
+      setting.munge(nil).should be_nil
+    end
+
+    it "returns the same value if given an integer" do
+      setting.munge(5).should == 5
+    end
+
+    it "returns an integer if given a decimal string" do
+      setting.munge('12').should == 12
+    end
+
+    it "returns a negative integer if given a negative integer string" do
+      setting.munge('-5').should == -5
+    end
+
+    it "fails if given anything else" do
+      [ 'foo', 'realtime', true, 8.3, [] ].each do |value|
+        expect {
+          setting.munge(value)
+        }.to raise_error(Puppet::Settings::ValidationError)
+      end
+    end
+
+    describe "on a Unix-like platform it", :unless => Puppet::Util::Platform.windows? do
+      it "parses high, normal, low, and idle priorities" do
+        {
+          'high'   => -10,
+          'normal' => 0,
+          'low'    => 10,
+          'idle'   => 19
+        }.each do |value, converted_value|
+          setting.munge(value).should == converted_value
+        end
+      end
+    end
+
+    describe "on a Windows-like platform it", :if => Puppet::Util::Platform.windows? do
+      it "parses high, normal, low, and idle priorities" do
+        {
+          'high'   => Process::HIGH_PRIORITY_CLASS,
+          'normal' => Process::NORMAL_PRIORITY_CLASS,
+          'low'    => Process::BELOW_NORMAL_PRIORITY_CLASS,
+          'idle'   => Process::IDLE_PRIORITY_CLASS
+        }.each do |value, converted_value|
+          setting.munge(value).should == converted_value
+        end
+      end
+    end
+  end
+end

data/spec/unit/settings_spec.rb

@@ -485,7 +485,7 @@ describe Puppet::Settings do
           :three  => { :default => "$one $two THREE", :desc => "c"},
           :four   => { :default => "$two $three FOUR", :desc => "d"},
           :five   => { :default => nil, :desc => "e" }
-      FileTest.stubs(:exist?).returns true
+      Puppet::FileSystem::File.stubs(:exist?).returns true
     end
 
     describe "call_on_define" do
@@ -589,7 +589,7 @@ describe Puppet::Settings do
         :config => { :type => :file, :default => "/my/file", :desc => "a" },
         :one => { :default => "ONE", :desc => "a" },
         :two => { :default => "TWO", :desc => "b" }
-      FileTest.stubs(:exist?).returns true
+      Puppet::FileSystem::File.stubs(:exist?).returns true
       @settings.preferred_run_mode = :agent
     end
 
@@ -666,8 +666,8 @@ describe Puppet::Settings do
     describe "when root" do
       it "should look for the main config file default location config settings haven't been overridden'" do
         Puppet.features.stubs(:root?).returns(true)
-        FileTest.expects(:exist?).with(main_config_file_default_location).returns(false)
-        FileTest.expects(:exist?).with(user_config_file_default_location).never
+        Puppet::FileSystem::File.expects(:exist?).with(main_config_file_default_location).returns(false)
+        Puppet::FileSystem::File.expects(:exist?).with(user_config_file_default_location).never
 
         @settings.send(:parse_config_files)
       end
@@ -678,7 +678,7 @@ describe Puppet::Settings do
         Puppet.features.stubs(:root?).returns(false)
 
         seq = sequence "load config files"
-        FileTest.expects(:exist?).with(user_config_file_default_location).returns(false).in_sequence(seq)
+        Puppet::FileSystem::File.expects(:exist?).with(user_config_file_default_location).returns(false).in_sequence(seq)
 
         @settings.send(:parse_config_files)
       end
@@ -699,8 +699,8 @@ describe Puppet::Settings do
           :two => { :default => "$one TWO", :desc => "b" },
           :three => { :default => "$one $two THREE", :desc => "c" }
       @settings.stubs(:user_config_file).returns(@userconfig)
-      FileTest.stubs(:exist?).with(@file).returns true
-      FileTest.stubs(:exist?).with(@userconfig).returns false
+      Puppet::FileSystem::File.stubs(:exist?).with(@file).returns true
+      Puppet::FileSystem::File.stubs(:exist?).with(@userconfig).returns false
     end
 
     it "should not ignore the report setting" do
@@ -712,7 +712,7 @@ describe Puppet::Settings do
         [puppetd]
           report=true
       CONF
-      FileTest.expects(:exist?).with(myfile).returns(true)
+      Puppet::FileSystem::File.expects(:exist?).with(myfile).returns(true)
       @settings.expects(:read_file).returns(text)
       @settings.send(:parse_config_files)
       @settings[:report].should be_true
@@ -722,7 +722,7 @@ describe Puppet::Settings do
       myfile = make_absolute("/my/file") # do not stub expand_path here, as this leads to a stack overflow, when mocha tries to use it
       @settings[:config] = myfile
 
-      FileTest.expects(:exist?).with(myfile).returns(true)
+      Puppet::FileSystem::File.expects(:exist?).with(myfile).returns(true)
 
       File.expects(:read).with(myfile).returns "[main]"
 
@@ -730,7 +730,7 @@ describe Puppet::Settings do
     end
 
     it "should not try to parse non-existent files" do
-      FileTest.expects(:exist?).with(@file).returns false
+      Puppet::FileSystem::File.expects(:exist?).with(@file).returns false
 
       File.expects(:read).with(@file).never
 
@@ -925,7 +925,7 @@ describe Puppet::Settings do
     context "running non-root without explicit config file" do
       before :each do
         Puppet.features.stubs(:root?).returns(false)
-        FileTest.expects(:exist?).
+        Puppet::FileSystem::File.expects(:exist?).
           with(user_config_file_default_location).
           returns(true).in_sequence(seq)
         @settings.expects(:read_file).
@@ -947,7 +947,7 @@ describe Puppet::Settings do
     context "running as root without explicit config file" do
       before :each do
         Puppet.features.stubs(:root?).returns(true)
-        FileTest.expects(:exist?).
+        Puppet::FileSystem::File.expects(:exist?).
           with(main_config_file_default_location).
           returns(true).in_sequence(seq)
         @settings.expects(:read_file).
@@ -970,7 +970,7 @@ describe Puppet::Settings do
       before :each do
         Puppet.features.stubs(:root?).returns(false)
         @settings[:confdir] = File.dirname(main_config_file_default_location)
-        FileTest.expects(:exist?).
+        Puppet::FileSystem::File.expects(:exist?).
           with(main_config_file_default_location).
           returns(true).in_sequence(seq)
         @settings.expects(:read_file).
@@ -1000,13 +1000,13 @@ describe Puppet::Settings do
           :one => { :default => "ONE", :desc => "a" },
           :two => { :default => "$one TWO", :desc => "b" },
           :three => { :default => "$one $two THREE", :desc => "c" }
-      FileTest.stubs(:exist?).with(@file).returns true
-      FileTest.stubs(:exist?).with(@userconfig).returns false
+      Puppet::FileSystem::File.stubs(:exist?).with(@file).returns true
+      Puppet::FileSystem::File.stubs(:exist?).with(@userconfig).returns false
       @settings.stubs(:user_config_file).returns(@userconfig)
     end
 
     it "does not create the WatchedFile instance and should not parse if the file does not exist" do
-      FileTest.expects(:exist?).with(@file).returns false
+      Puppet::FileSystem::File.expects(:exist?).with(@file).returns false
       Puppet::Util::WatchedFile.expects(:new).never
 
       @settings.expects(:parse_config_files).never
@@ -1285,10 +1285,6 @@ describe Puppet::Settings do
       @settings.define_settings :files, :myfile => {:type => :file, :default => make_absolute("/myfile"), :desc => "a", :mode => 0755}
     end
 
-    it "should provide a method that writes files with the correct modes" do
-      @settings.should respond_to(:write)
-    end
-
     it "should provide a method that creates directories with the correct modes" do
       Puppet::Util::SUIDManager.expects(:asuser).with("suser", "sgroup").yields
       Dir.expects(:mkdir).with(make_absolute("/otherdir"), 0755)
@@ -1567,17 +1563,6 @@ describe Puppet::Settings do
     end
   end
 
-  describe "#writesub" do
-    it "should only pass valid arguments to File.open" do
-      settings = Puppet::Settings.new
-      settings.stubs(:get_config_file_default).with(:privatekeydir).returns(OpenStruct.new(:mode => "750"))
-
-      File.expects(:open).with("/path/to/keydir", "w", 750).returns true
-      settings.writesub(:privatekeydir, "/path/to/keydir")
-    end
-  end
-
-
   describe "when dealing with command-line options" do
     let(:settings) { Puppet::Settings.new }
 

data/spec/unit/ssl/certificate_authority/autosign_command_spec.rb

@@ -0,0 +1,30 @@
+require 'spec_helper'
+
+require 'puppet/ssl/certificate_authority/autosign_command'
+
+describe Puppet::SSL::CertificateAuthority::AutosignCommand do
+
+  let(:csr) { stub 'csr', :name => 'host', :to_s => 'CSR PEM goes here' }
+  let(:decider) { Puppet::SSL::CertificateAuthority::AutosignCommand.new('/autosign/command') }
+
+  it "returns true if the command succeeded" do
+    executes_the_command_resulting_in(0)
+
+    decider.allowed?(csr).should == true
+  end
+
+  it "returns false if the command failed" do
+    executes_the_command_resulting_in(1)
+
+    decider.allowed?(csr).should == false
+  end
+
+  def executes_the_command_resulting_in(exitstatus)
+    Puppet::Util::Execution.expects(:execute).
+      with(['/autosign/command', 'host'],
+           has_entries(:stdinfile => anything,
+                       :combine => true,
+                       :failonfail => false)).
+      returns(Puppet::Util::Execution::ProcessOutput.new('', exitstatus))
+  end
+end

data/spec/unit/ssl/certificate_authority_spec.rb

@@ -92,12 +92,6 @@ describe Puppet::SSL::CertificateAuthority do
       Puppet::SSL::CertificateAuthority.new
     end
 
-    it "should create an inventory instance" do
-      Puppet::SSL::Inventory.expects(:new).returns "inventory"
-
-      Puppet::SSL::CertificateAuthority.new.inventory.should == "inventory"
-    end
-
     it "should make sure the CA is set up" do
       Puppet::SSL::CertificateAuthority.any_instance.expects(:setup)
 
@@ -171,16 +165,16 @@ describe Puppet::SSL::CertificateAuthority do
     it "should create and store a password at :capass" do
       Puppet[:capass] = File.expand_path("/path/to/pass")
 
-      FileTest.expects(:exist?).with(Puppet[:capass]).returns false
+      Puppet::FileSystem::File.expects(:exist?).with(Puppet[:capass]).returns false
 
-      fh = mock 'filehandle'
-      Puppet.settings.expects(:write).with(:capass).yields fh
-
-      fh.expects(:print).with { |s| s.length > 18 }
+      fh = StringIO.new
+      Puppet.settings.setting(:capass).expects(:open).with('w').yields fh
 
       @ca.stubs(:sign)
 
       @ca.generate_ca_certificate
+
+      expect(fh.string.length).to be > 18
     end
 
     it "should generate a key if one does not exist" do
@@ -238,11 +232,10 @@ describe Puppet::SSL::CertificateAuthority do
 
       Puppet::SSL::Certificate.stubs(:new).returns @cert
 
-      @cert.stubs(:content=)
       Puppet::SSL::Certificate.indirection.stubs(:save)
 
       # Stub out the factory
-      Puppet::SSL::CertificateFactory.stubs(:build).returns "my real cert"
+      Puppet::SSL::CertificateFactory.stubs(:build).returns @cert.content
 
       @request_content = stub "request content stub", :subject => OpenSSL::X509::Name.new([['CN', @name]]), :public_key => stub('public_key')
       @request = stub 'request', :name => @name, :request_extensions => [], :subject_alt_names => [], :content => @request_content
@@ -255,39 +248,6 @@ describe Puppet::SSL::CertificateAuthority do
       Puppet::SSL::CertificateRequest.indirection.stubs(:destroy)
     end
 
-    describe "and calculating the next certificate serial number" do
-      before do
-        @path = File.expand_path("/path/to/serial")
-        Puppet[:serial] = @path
-
-        @filehandle = stub 'filehandle', :<< => @filehandle
-        Puppet.settings.stubs(:readwritelock).with(:serial).yields @filehandle
-      end
-
-      it "should default to 0x1 for the first serial number" do
-        @ca.next_serial.should == 0x1
-      end
-
-      it "should return the current content of the serial file" do
-        FileTest.stubs(:exist?).with(@path).returns true
-        File.expects(:read).with(@path).returns "0002"
-
-        @ca.next_serial.should == 2
-      end
-
-      it "should write the next serial number to the serial file as hex" do
-        @filehandle.expects(:<<).with("0002")
-
-        @ca.next_serial
-      end
-
-      it "should lock the serial file while writing" do
-        Puppet.settings.expects(:readwritelock).with(:serial)
-
-        @ca.next_serial
-      end
-    end
-
     describe "its own certificate" do
       before do
         @serial = 10
@@ -303,28 +263,28 @@ describe Puppet::SSL::CertificateAuthority do
       it "should use a certificate type of :ca" do
         Puppet::SSL::CertificateFactory.expects(:build).with do |*args|
           args[0].should == :ca
-        end.returns "my real cert"
+        end.returns @cert.content
         @ca.sign(@name, :ca, @request)
       end
 
       it "should pass the provided CSR as the CSR" do
         Puppet::SSL::CertificateFactory.expects(:build).with do |*args|
           args[1].should == @request
-        end.returns "my real cert"
+        end.returns @cert.content
         @ca.sign(@name, :ca, @request)
       end
 
       it "should use the provided CSR's content as the issuer" do
         Puppet::SSL::CertificateFactory.expects(:build).with do |*args|
           args[2].subject.to_s.should == "/CN=myhost"
-        end.returns "my real cert"
+        end.returns @cert.content
         @ca.sign(@name, :ca, @request)
       end
 
       it "should pass the next serial as the serial number" do
         Puppet::SSL::CertificateFactory.expects(:build).with do |*args|
           args[3].should == @serial
-        end.returns "my real cert"
+        end.returns @cert.content
         @ca.sign(@name, :ca, @request)
       end
 
@@ -355,7 +315,7 @@ describe Puppet::SSL::CertificateAuthority do
       it "should use a certificate type of :server" do
         Puppet::SSL::CertificateFactory.expects(:build).with do |*args|
           args[0] == :server
-        end.returns "my real cert"
+        end.returns @cert.content
 
         @ca.sign(@name)
       end
@@ -404,14 +364,14 @@ describe Puppet::SSL::CertificateAuthority do
       it "should use the CA certificate as the issuer" do
         Puppet::SSL::CertificateFactory.expects(:build).with do |*args|
           args[2] == @cacert.content
-        end.returns "my real cert"
-        @ca.sign(@name)
+        end.returns @cert.content
+        signed = @ca.sign(@name)
       end
 
       it "should pass the next serial as the serial number" do
         Puppet::SSL::CertificateFactory.expects(:build).with do |*args|
           args[3] == @serial
-        end.returns "my real cert"
+        end.returns @cert.content
         @ca.sign(@name)
       end
 
@@ -518,6 +478,40 @@ describe Puppet::SSL::CertificateAuthority do
         end
       end
 
+      it "accepts numeric OIDs under the ppRegCertExt subtree" do
+        exts = [{ 'oid' => '1.3.6.1.4.1.34380.1.1.1',
+                  'value' => '657e4780-4cf5-11e3-8f96-0800200c9a66'}]
+
+        @request.stubs(:request_extensions).returns exts
+
+        expect {
+          @ca.check_internal_signing_policies(@name, @request, false)
+        }.to_not raise_error
+      end
+
+      it "accepts short name OIDs under the ppRegCertExt subtree" do
+        exts = [{ 'oid' => 'pp_uuid',
+                  'value' => '657e4780-4cf5-11e3-8f96-0800200c9a66'}]
+
+        @request.stubs(:request_extensions).returns exts
+
+        expect {
+          @ca.check_internal_signing_policies(@name, @request, false)
+        }.to_not raise_error
+      end
+
+      it "accepts OIDs under the ppPrivCertAttrs subtree" do
+        exts = [{ 'oid' => '1.3.6.1.4.1.34380.1.2.1',
+                  'value' => 'private extension'}]
+
+        @request.stubs(:request_extensions).returns exts
+
+        expect {
+          @ca.check_internal_signing_policies(@name, @request, false)
+        }.to_not raise_error
+      end
+
+
       it "should reject a critical extension that isn't on the whitelist" do
         @request.stubs(:request_extensions).returns [{ "oid" => "banana",
                                                        "value" => "yumm",
@@ -610,76 +604,104 @@ describe Puppet::SSL::CertificateAuthority do
     end
 
     describe "when autosigning certificates" do
-      let(:autosign) { File.expand_path("/auto/sign") }
-      it "should do nothing if autosign is disabled" do
-        Puppet[:autosign] = 'false'
+      let(:csr) { Puppet::SSL::CertificateRequest.new("host") }
 
-        Puppet::SSL::CertificateRequest.indirection.expects(:search).never
-        @ca.autosign
-      end
+      describe "using the autosign setting" do
+        let(:autosign) { File.expand_path("/auto/sign") }
 
-      it "should do nothing if no autosign.conf exists" do
-        Puppet[:autosign] = autosign
-        FileTest.expects(:exist?).with(autosign).returns false
+        it "should do nothing if autosign is disabled" do
+          Puppet[:autosign] = false
 
-        Puppet::SSL::CertificateRequest.indirection.expects(:search).never
-        @ca.autosign
-      end
+          @ca.expects(:sign).never
+          @ca.autosign(csr)
+        end
 
-      describe "and autosign is enabled and the autosign.conf file exists" do
-        before do
+        it "should do nothing if no autosign.conf exists" do
           Puppet[:autosign] = autosign
-          FileTest.stubs(:exist?).with(autosign).returns true
-          File.stubs(:readlines).with(autosign).returns ["one\n", "two\n"]
+          non_existent_file = Puppet::FileSystem::MemoryFile.a_missing_file(autosign)
+          Puppet::FileSystem::File.overlay(non_existent_file) do
+            @ca.expects(:sign).never
+            @ca.autosign(csr)
+          end
+        end
 
-          Puppet::SSL::CertificateRequest.indirection.stubs(:search).returns []
+        describe "and autosign is enabled and the autosign.conf file exists" do
+          let(:store) { stub 'store', :allow => nil, :allowed? => false }
 
-          @store = stub 'store', :allow => nil
-          Puppet::Network::AuthStore.stubs(:new).returns @store
-        end
+          before do
+            Puppet[:autosign] = autosign
+          end
 
-        describe "when creating the AuthStore instance to verify autosigning" do
-          it "should create an AuthStore with each line in the configuration file allowed to be autosigned" do
-            Puppet::Network::AuthStore.expects(:new).returns @store
+          describe "when creating the AuthStore instance to verify autosigning" do
+            it "should create an AuthStore with each line in the configuration file allowed to be autosigned" do
+              Puppet::FileSystem::File.overlay(Puppet::FileSystem::MemoryFile.a_regular_file_containing(autosign, "one\ntwo\n")) do
+                Puppet::Network::AuthStore.stubs(:new).returns store
 
-            @store.expects(:allow).with("one")
-            @store.expects(:allow).with("two")
+                store.expects(:allow).with("one")
+                store.expects(:allow).with("two")
 
-            @ca.autosign
-          end
+                @ca.autosign(csr)
+              end
+            end
 
-          it "should reparse the autosign configuration on each call" do
-            Puppet::Network::AuthStore.expects(:new).times(2).returns @store
+            it "should reparse the autosign configuration on each call" do
+              Puppet::FileSystem::File.overlay(Puppet::FileSystem::MemoryFile.a_regular_file_containing(autosign, "one")) do
+                Puppet::Network::AuthStore.stubs(:new).times(2).returns store
 
-            @ca.autosign
-            @ca.autosign
-          end
+                @ca.autosign(csr)
+                @ca.autosign(csr)
+              end
+            end
 
-          it "should ignore comments" do
-            File.stubs(:readlines).with(autosign).returns ["one\n", "#two\n"]
+            it "should ignore comments" do
+              Puppet::FileSystem::File.overlay(Puppet::FileSystem::MemoryFile.a_regular_file_containing(autosign, "one\n#two\n")) do
+                Puppet::Network::AuthStore.stubs(:new).returns store
 
-            @store.expects(:allow).with("one")
-            @ca.autosign
-          end
+                store.expects(:allow).with("one")
 
-          it "should ignore blank lines" do
-            File.stubs(:readlines).with(autosign).returns ["one\n", "\n"]
+                @ca.autosign(csr)
+              end
+            end
 
-            @store.expects(:allow).with("one")
-            @ca.autosign
+            it "should ignore blank lines" do
+              Puppet::FileSystem::File.overlay(Puppet::FileSystem::MemoryFile.a_regular_file_containing(autosign, "one\n\n")) do
+                Puppet::Network::AuthStore.stubs(:new).returns store
+
+                store.expects(:allow).with("one")
+                @ca.autosign(csr)
+              end
+            end
           end
         end
+      end
+
+      describe "using the autosign command setting" do
+        let(:cmd) { File.expand_path('/autosign_cmd') }
+        let(:autosign_cmd) { mock 'autosign_command' }
+        let(:autosign_executable) { Puppet::FileSystem::MemoryFile.an_executable(cmd) }
+
+        before do
+          Puppet[:autosign] = cmd
+
+          Puppet::SSL::CertificateAuthority::AutosignCommand.stubs(:new).returns autosign_cmd
+        end
 
-        it "should sign all CSRs whose hostname matches the autosign configuration" do
-          csr1 = mock 'csr1'
-          csr2 = mock 'csr2'
-          Puppet::SSL::CertificateRequest.indirection.stubs(:search).returns [csr1, csr2]
+        it "autosigns the CSR if the autosign command returned true" do
+          Puppet::FileSystem::File.overlay(autosign_executable) do
+            autosign_cmd.expects(:allowed?).with(csr).returns true
+
+            @ca.expects(:sign).with('host')
+            @ca.autosign(csr)
+          end
         end
 
-        it "should not sign CSRs whose hostname does not match the autosign configuration" do
-          csr1 = mock 'csr1'
-          csr2 = mock 'csr2'
-          Puppet::SSL::CertificateRequest.indirection.stubs(:search).returns [csr1, csr2]
+        it "doesn't autosign the CSR if the autosign_command returned false" do
+          Puppet::FileSystem::File.overlay(autosign_executable) do
+            autosign_cmd.expects(:allowed?).with(csr).returns false
+
+            @ca.expects(:sign).never
+            @ca.autosign(csr)
+          end
         end
       end
     end
@@ -701,28 +723,6 @@ describe Puppet::SSL::CertificateAuthority do
       @ca = Puppet::SSL::CertificateAuthority.new
     end
 
-    it "should have a method for acting on the SSL files" do
-      @ca.should respond_to(:apply)
-    end
-
-    describe "when applying a method to a set of hosts" do
-      it "should fail if no subjects have been specified" do
-        expect { @ca.apply(:generate) }.to raise_error(ArgumentError)
-      end
-
-      it "should create an Interface instance with the specified method and the options" do
-        Puppet::SSL::CertificateAuthority::Interface.expects(:new).with(:generate, :to => :host).returns(stub('applier', :apply => nil))
-        @ca.apply(:generate, :to => :host)
-      end
-
-      it "should apply the Interface with itself as the argument" do
-        applier = stub('applier')
-        applier.expects(:apply).with(@ca)
-        Puppet::SSL::CertificateAuthority::Interface.expects(:new).returns applier
-        @ca.apply(:generate, :to => :ca_testing)
-      end
-    end
-
     it "should be able to list waiting certificate requests" do
       req1 = stub 'req1', :name => "one"
       req2 = stub 'req2', :name => "two"
@@ -979,16 +979,15 @@ require 'puppet/indirector/memory'
 describe "CertificateAuthority.generate" do
 
   def expect_to_increment_serial_file
-    Puppet.settings.expects(:readwritelock).with(:serial)
+    Puppet.settings.setting(:serial).expects(:exclusive_open)
   end
 
   def expect_to_sign_a_cert
     expect_to_increment_serial_file
-    Puppet.settings.expects(:write).with(:cert_inventory, "a")
   end
 
   def expect_to_write_the_ca_password
-    Puppet.settings.expects(:write).with(:capass)
+    Puppet.settings.setting(:capass).expects(:open).with('w')
   end
 
   def expect_ca_initialization
@@ -996,10 +995,6 @@ describe "CertificateAuthority.generate" do
     expect_to_sign_a_cert
   end
 
-  def avoid_rebuilding_inventory_for_every_cert
-    Puppet::SSL::Inventory.any_instance.stubs(:rebuild)
-  end
-
   INDIRECTED_CLASSES = [
     Puppet::SSL::Certificate,
     Puppet::SSL::CertificateRequest,
@@ -1021,7 +1016,7 @@ describe "CertificateAuthority.generate" do
   end
 
   before do
-    avoid_rebuilding_inventory_for_every_cert
+    Puppet::SSL::Inventory.stubs(:new).returns(stub("Inventory", :add => nil))
     INDIRECTED_CLASSES.each { |const| const.indirection.terminus_class = :memory }
   end
 
@@ -1036,7 +1031,7 @@ describe "CertificateAuthority.generate" do
     let(:ca) { Puppet::SSL::CertificateAuthority.new }
 
     before do
-      expect_ca_initialization 
+      expect_ca_initialization
     end
 
     it "should fail if a certificate already exists for the host" do