puppet 4.5.3-x86-mingw32 → 4.6.1-x86-mingw32

data/spec/unit/provider/user/windows_adsi_spec.rb

@@ -18,6 +18,8 @@ describe Puppet::Type.type(:user).provider(:windows_adsi), :if => Puppet.feature
   before :each do
     Puppet::Util::Windows::ADSI.stubs(:computer_name).returns('testcomputername')
     Puppet::Util::Windows::ADSI.stubs(:connect).returns connection
+    # this would normally query the system, but not needed for these tests
+    Puppet::Util::Windows::ADSI::User.stubs(:localized_domains).returns([])
   end
 
   describe ".instances" do
@@ -34,6 +36,16 @@ describe Puppet::Type.type(:user).provider(:windows_adsi), :if => Puppet.feature
     expect(provider.user).to be_a(Puppet::Util::Windows::ADSI::User)
   end
 
+  describe "when retrieving the password property" do
+    context "when the resource has a nil password" do
+      it "should never issue a logon attempt" do
+        resource.stubs(:[]).with(any_of(:name, :password)).returns(nil)
+        Puppet::Util::Windows::User.expects(:logon_user).never
+        provider.password
+      end
+    end
+  end
+
   describe "when managing groups" do
     it 'should return the list of groups as an array of strings' do
       provider.user.stubs(:groups).returns nil
@@ -226,6 +238,13 @@ describe Puppet::Type.type(:user).provider(:windows_adsi), :if => Puppet.feature
       expect(provider.password).to be_nil
     end
 
+    it "should test a blank user password" do
+      resource[:password] = ''
+      provider.user.expects(:password_is?).with('').returns true
+
+      expect(provider.password).to eq('')
+    end
+
     it 'should not create a user if a group by the same name exists' do
       Puppet::Util::Windows::ADSI::User.expects(:create).with('testuser').raises( Puppet::Error.new("Cannot create user if group 'testuser' exists.") )
       expect{ provider.create }.to raise_error( Puppet::Error,

data/spec/unit/resource/capability_finder_spec.rb

@@ -65,13 +65,61 @@ describe Puppet::Resource::CapabilityFinder do
         result = Puppet::Resource::CapabilityFinder.find('production', nil, Puppet::Resource.new('Cap', 'cap'))
         expect(result['host']).to eq('ahost')
       end
+    end
+
+    describe '#find' do
+      let(:capability) { Puppet::Resource.new('Cap', 'cap') }
+      let(:code_id) { 'b59e5df0578ef411f773ee6c33d8073c50e7b8fe' }
+
+      it 'should search for the resource without including code_id' do
+        resources = [{"type"=>"Cap", "title"=>"cap", "parameters"=>{"host"=>"ahost"}}]
+        Puppet::Resource::CapabilityFinder.stubs(:search).with('production', nil, capability).returns resources
 
-      it 'should include code_id in query' do
-        code_id = 'b59e5df0578ef411f773ee6c33d8073c50e7b8fe'
-        Puppet::Util::Puppetdb::Http.expects(:action).with(regexp_matches(Regexp.new(CGI.escape('"=","code_id","' + code_id + "")))).returns(response)
         result = Puppet::Resource::CapabilityFinder.find('production', code_id, Puppet::Resource.new('Cap', 'cap'))
         expect(result['host']).to eq('ahost')
       end
+
+      it 'should return nil if no resource is found' do
+        Puppet::Resource::CapabilityFinder.stubs(:search).with('production', nil, capability).returns []
+
+        result = Puppet::Resource::CapabilityFinder.find('production', code_id, capability)
+        expect(result).to be_nil
+      end
+
+      describe 'when multiple results are returned' do
+        let(:resources) do
+          [{"type"=>"Cap", "title"=>"cap", "parameters"=>{"host"=>"ahost"}},
+           {"type"=>"Cap", "title"=>"cap", "parameters"=>{"host"=>"bhost"}}]
+        end
+
+        before :each do
+          Puppet::Resource::CapabilityFinder.stubs(:search).with('production', nil, capability).returns resources
+        end
+
+        it 'should return the resource matching code_id' do
+          Puppet::Resource::CapabilityFinder.stubs(:search).with('production', code_id, capability).returns [{"type"=>"Cap", "title"=>"cap", "parameters"=>{"host"=>"chost"}}]
+
+          result = Puppet::Resource::CapabilityFinder.find('production', code_id, capability)
+          expect(result['host']).to eq('chost')
+        end
+
+        it 'should return nil if no resource matches code_id' do
+          Puppet::Resource::CapabilityFinder.stubs(:search).with('production', code_id, capability).returns []
+
+          result = Puppet::Resource::CapabilityFinder.find('production', code_id, capability)
+          expect(result).to be_nil
+        end
+
+        it 'should fail if multiple resources match code_id' do
+          Puppet::Resource::CapabilityFinder.stubs(:search).with('production', code_id, capability).returns resources
+
+          expect { Puppet::Resource::CapabilityFinder.find('production', code_id, capability) }.to raise_error(Puppet::DevError, /expected exactly one resource/)
+        end
+
+        it 'should fail if no code_id was specified' do
+          expect { Puppet::Resource::CapabilityFinder.find('production', nil, capability) }.to raise_error(Puppet::DevError, /expected exactly one resource/)
+        end
+      end
     end
   end
 end

data/spec/unit/resource/catalog_spec.rb

@@ -818,6 +818,11 @@ describe Puppet::Resource::Catalog, "when converting a resource catalog to pson"
     expect(catalog.to_pson).to validate_against('api/schemas/catalog.json')
   end
 
+  it "should validate a single sensitive parameter resource catalog against the schema" do
+    catalog = compile_to_catalog("create_resources('file', {'/etc/foo'=>{'ensure'=>'present','content'=>Sensitive('hunter2')}})")
+    expect(catalog.to_pson).to validate_against('api/schemas/catalog.json')
+  end
+
   it "should validate a two resource catalog against the schema" do
     catalog = compile_to_catalog("create_resources('notify', {'foo'=>{'message'=>'one'}, 'bar'=>{'message'=>'two'}})")
     expect(catalog.to_pson).to validate_against('api/schemas/catalog.json')

data/spec/unit/resource/type_spec.rb

@@ -656,7 +656,7 @@ describe Puppet::Resource::Type do
 
         @compiler.add_resource @scope, @parent_resource
 
-        @type.resource_type_collection = @scope.known_resource_types
+        @type.resource_type_collection = @scope.environment.known_resource_types
         @type.resource_type_collection.add @parent_type
       end
 
@@ -696,7 +696,7 @@ describe Puppet::Resource::Type do
 
         @compiler.add_resource @scope, @parent_resource
 
-        @type.resource_type_collection = @scope.known_resource_types
+        @type.resource_type_collection = @scope.environment.known_resource_types
         @type.resource_type_collection.add(@parent_type)
       end
 

data/spec/unit/resource_spec.rb

@@ -811,6 +811,12 @@ describe Puppet::Resource do
       expect(result["fee"]).to eq(%w{baz})
     end
 
+    it "should set sensitive parameters as an array of strings" do
+      resource = Puppet::Resource.new("File", "/foo", :sensitive_parameters => [:foo, :fee])
+      result = PSON.parse(resource.to_pson)
+      expect(result["sensitive_parameters"]).to eq ["foo", "fee"]
+    end
+
     it "should serialize relationships as reference strings" do
       resource = Puppet::Resource.new("File", "/foo")
       resource[:requires] = Puppet::Resource.new("File", "/bar")
@@ -894,6 +900,11 @@ describe Puppet::Resource do
       resource = Puppet::Resource.from_data_hash(@data)
       expect(resource['foo']).to eq(%w{one})
     end
+
+    it "converts deserialized sensitive parameters as symbols" do
+      @data['sensitive_parameters'] = ['content', 'mode']
+      expect(Puppet::Resource.from_data_hash(@data).sensitive_parameters).to eq [:content, :mode]
+    end
   end
 
   it "implements copy_as_resource" do
@@ -901,6 +912,14 @@ describe Puppet::Resource do
     expect(resource.copy_as_resource).to eq(resource)
   end
 
+  describe "when copying resources" do
+    it "deep copies over 'sensitive' values" do
+      rhs = Puppet::Resource.new("file", "/my/file", {:parameters => {:content => "foo"}, :sensitive_parameters => [:content]})
+      lhs = Puppet::Resource.new(rhs)
+      expect(lhs.sensitive_parameters).to eq [:content]
+    end
+  end
+
   describe "because it is an indirector model" do
     it "should include Puppet::Indirector" do
       expect(Puppet::Resource).to be_is_a(Puppet::Indirector)

data/spec/unit/settings_spec.rb

@@ -1375,8 +1375,21 @@ describe Puppet::Settings do
     end
 
     describe "when adding users and groups to the catalog" do
+      before :all do
+        # when this spec is run in isolation to build a settings catalog
+        # it will not be able to autorequire and load types for the first time
+        # on Windows with microsoft_windows? stubbed to false, because
+        # Puppet::Util.path_to_uri is called to generate a URI to load code
+        # and it manipulates the path based on OS
+        # so instead we forcefully "prime" the cached types
+        Puppet::Type.type(:user).new(:name => 'foo')
+        Puppet::Type.type(:group).new(:name => 'bar')
+        Puppet::Type.type(:file).new(:name => Dir.pwd) # appropriate for OS
+      end
+
       before do
         Puppet.features.stubs(:root?).returns true
+        # stubbed to false, as Windows catalogs don't add users / groups
         Puppet.features.stubs(:microsoft_windows?).returns false
 
         @settings.define_settings :foo,

data/spec/unit/ssl/certificate_authority/interface_spec.rb

@@ -125,8 +125,8 @@ describe Puppet::SSL::CertificateAuthority::Interface do
       it "should call :generate on the CA for each host specified" do
         @applier = @class.new(:generate, :to => %w{host1 host2})
 
-        @ca.expects(:generate).with("host1", {})
-        @ca.expects(:generate).with("host2", {})
+        @ca.expects(:generate).with() {|*args| args.first == "host1" }
+        @ca.expects(:generate).with() {|*args| args.first == "host2" }
 
         @applier.apply(@ca)
       end
@@ -156,23 +156,79 @@ describe Puppet::SSL::CertificateAuthority::Interface do
     end
 
     describe ":sign" do
+      before do
+        @csr1 = Puppet::SSL::CertificateRequest.new 'baz'
+      end
+
+      describe "when run in interactive mode" do
+        before do
+          Puppet::SSL::CertificateRequest.indirection.stubs(:find).with("csr1").returns @csr1
+
+          @ca.stubs(:waiting?).returns(%w{csr1})
+          @ca.stubs(:check_internal_signing_policies).returns(true)
+        end
+
+        it "should prompt before signing cert" do
+          @applier = @class.new(:sign, :to => :all, :interactive => true)
+          @applier.stubs(:format_host).returns("(host info)")
+
+          @applier.expects(:puts).
+            with("Signing Certificate Request for:\n(host info)")
+
+          STDOUT.expects(:print).with("Sign Certificate Request? [y/N] ")
+
+          STDIN.stubs(:gets).returns('y')
+          @ca.expects(:sign).with("csr1", {})
+
+          @applier.apply(@ca)
+        end
+
+        it "a yes answer can be assumed via options" do
+          @applier = @class.new(:sign, :to => :all, :interactive => true, :yes => true)
+          @applier.stubs(:format_host).returns("(host info)")
+
+          @applier.expects(:puts).
+            with("Signing Certificate Request for:\n(host info)")
+
+          STDOUT.expects(:print).with("Sign Certificate Request? [y/N] ")
+
+          @applier.expects(:puts).
+            with("Assuming YES from `-y' or `--assume-yes' flag")
+
+          @ca.expects(:sign).with("csr1", {})
+
+          @applier.apply(@ca)
+        end
+      end
+
       describe "and an array of names was provided" do
+        before do
+          Puppet::SSL::CertificateRequest.indirection.stubs(:find).with("host1").returns @csr1
+          Puppet::SSL::CertificateRequest.indirection.stubs(:find).with("host2").returns @csr1
+        end
+
         let(:applier) { @class.new(:sign, @options.merge(:to => %w{host1 host2})) }
 
         it "should sign the specified waiting certificate requests" do
           @options = {:allow_dns_alt_names => false}
+          applier.stubs(:format_host).returns("")
+          applier.stubs(:puts)
+          @ca.stubs(:check_internal_signing_policies).returns(true)
 
-          @ca.expects(:sign).with("host1", false)
-          @ca.expects(:sign).with("host2", false)
+          @ca.expects(:sign).with("host1", @options)
+          @ca.expects(:sign).with("host2", @options)
 
           applier.apply(@ca)
         end
 
         it "should sign the certificate requests with alt names if specified" do
           @options = {:allow_dns_alt_names => true}
+          applier.stubs(:format_host).returns("")
+          applier.stubs(:puts)
+          @ca.stubs(:check_internal_signing_policies).returns(true)
 
-          @ca.expects(:sign).with("host1", true)
-          @ca.expects(:sign).with("host2", true)
+          @ca.expects(:sign).with("host1", @options)
+          @ca.expects(:sign).with("host2", @options)
 
           applier.apply(@ca)
         end
@@ -181,11 +237,16 @@ describe Puppet::SSL::CertificateAuthority::Interface do
       describe "and :all was provided" do
         it "should sign all waiting certificate requests" do
           @ca.stubs(:waiting?).returns(%w{cert1 cert2})
+          Puppet::SSL::CertificateRequest.indirection.stubs(:find).with("cert1").returns @csr1
+          Puppet::SSL::CertificateRequest.indirection.stubs(:find).with("cert2").returns @csr1
+          @ca.stubs(:check_internal_signing_policies).returns(true)
 
-          @ca.expects(:sign).with("cert1", nil)
-          @ca.expects(:sign).with("cert2", nil)
+          @ca.expects(:sign).with("cert1", {})
+          @ca.expects(:sign).with("cert2", {})
 
           @applier = @class.new(:sign, :to => :all)
+          @applier.stubs(:format_host).returns("")
+          @applier.stubs(:puts)
           @applier.apply(@ca)
         end
 
@@ -199,18 +260,33 @@ describe Puppet::SSL::CertificateAuthority::Interface do
     end
 
     describe ":list" do
+      let(:signed_alt_names) { [] }
+      let(:request_alt_names) { [] }
+      let(:custom_attrs) { [] }
+      let(:ext_requests) { [] }
+      let(:custom_exts) { [] }
+
       before :each do
         @cert = Puppet::SSL::Certificate.new 'foo'
         @csr = Puppet::SSL::CertificateRequest.new 'bar'
 
-        @cert.stubs(:subject_alt_names).returns []
-        @csr.stubs(:subject_alt_names).returns []
+        @cert.stubs(:subject_alt_names).returns signed_alt_names
+        @cert.stubs(:custom_extensions).returns custom_exts
+
+        @csr.stubs(:subject_alt_names).returns request_alt_names
+        @csr.stubs(:custom_attributes).returns custom_attrs
+        @csr.stubs(:request_extensions).returns ext_requests
 
         Puppet::SSL::Certificate.indirection.stubs(:find).returns @cert
         Puppet::SSL::CertificateRequest.indirection.stubs(:find).returns @csr
 
         @digest = mock("digest")
         @digest.stubs(:to_s).returns("(fingerprint)")
+
+        @expiration = mock('time')
+        @expiration.stubs(:iso8601).returns("(expiration)")
+        @cert.stubs(:expiration).returns(@expiration)
+
         @ca.expects(:waiting?).returns %w{host1 host2 host3}
         @ca.expects(:list).returns(%w{host4 host5 host6}).at_most(1)
         @csr.stubs(:digest).returns @digest
@@ -293,6 +369,96 @@ describe Puppet::SSL::CertificateAuthority::Interface do
           applier.apply(@ca)
         end
       end
+
+      describe "with custom attrbutes and extensions" do
+        let(:custom_attrs) { [{'oid' => 'customAttr', 'value' => 'attrValue'}] }
+        let(:ext_requests) { [{'oid' => 'customExt', 'value' => 'reqExtValue'}] }
+        let(:custom_exts) {  [{'oid' => 'extName', 'value' => 'extValue'}] }
+        let(:signed_alt_names) { ["DNS:puppet", "DNS:puppet.example.com"] }
+
+        before do
+          @ca.unstub(:waiting?)
+          @ca.unstub(:list)
+          @ca.expects(:waiting?).returns %w{ext3}
+          @ca.expects(:list).returns(%w{ext1 ext2}).at_most(1)
+
+          @ca.stubs(:verify).with("ext2").
+            raises(Puppet::SSL::CertificateAuthority::CertificateVerificationError.new(23),
+                   "certificate revoked")
+
+          Puppet::SSL::Certificate.indirection.stubs(:find).returns @cert
+          Puppet::SSL::CertificateRequest.indirection.stubs(:find).returns @csr
+        end
+
+        describe "using legacy format" do
+          it "should append astrisks to end of line to denote additional information available" do
+            applier = @class.new(:list, :to => %w{ext1 ext2 ext3})
+
+            applier.expects(:puts).with(<<-OUTPUT.chomp)
+  "ext3" (fingerprint) **
++ "ext1" (fingerprint) (alt names: "DNS:puppet", "DNS:puppet.example.com") **
+- "ext2" (fingerprint) (certificate revoked)
+              OUTPUT
+
+            applier.apply(@ca)
+          end
+
+          it "should append attributes and extensions to end of line when running :verbose" do
+            applier = @class.new(:list, :to => %w{ext1 ext2 ext3}, :verbose => true)
+
+            applier.expects(:puts).with(<<-OUTPUT.chomp)
+  "ext3" (fingerprint) (customAttr: "attrValue", customExt: "reqExtValue")
++ "ext1" (fingerprint) (expiration) (alt names: "DNS:puppet", "DNS:puppet.example.com", extName: "extValue")
+- "ext2" (fingerprint) (certificate revoked)
+              OUTPUT
+
+            applier.apply(@ca)
+          end
+        end
+
+        describe "using line-wise format" do
+          it "use the same format as :verbose legacy format" do
+            applier = @class.new(:list, :to => %w{ext1 ext2 ext3}, :format => :machine)
+
+            applier.expects(:puts).with(<<-OUTPUT.chomp)
+  "ext3" (fingerprint) (customAttr: "attrValue", customExt: "reqExtValue")
++ "ext1" (fingerprint) (expiration) (alt names: "DNS:puppet", "DNS:puppet.example.com", extName: "extValue")
+- "ext2" (fingerprint) (certificate revoked)
+              OUTPUT
+
+            applier.apply(@ca)
+          end
+        end
+
+        describe "using human friendly format" do
+          it "should break attributes and extensions to separate lines" do
+            applier = @class.new(:list, :to => %w{ext1 ext2 ext3}, :format => :human)
+
+            applier.expects(:puts).with(<<-OUTPUT)
+  "ext3"
+  (fingerprint)
+    Status: Request Pending
+    Extensions:
+      customAttr: "attrValue"
+      customExt: "reqExtValue"
+
++ "ext1"
+  (fingerprint)
+    Status: Signed
+    Expiration: (expiration)
+    Extensions:
+      alt names: "DNS:puppet", "DNS:puppet.example.com"
+      extName: "extValue"
+
+- "ext2"
+  (fingerprint)
+    Status: Invalid - (certificate revoked)
+OUTPUT
+
+            applier.apply(@ca)
+          end
+        end
+      end
     end
 
     describe ":print" do

data/spec/unit/ssl/certificate_authority_spec.rb

@@ -192,7 +192,8 @@ describe Puppet::SSL::CertificateAuthority do
       request.expects(:generate).with(@ca.host.key)
       request.stubs(:request_extensions => [])
 
-      @ca.expects(:sign).with(@host.name, false, request)
+      @ca.expects(:sign).with(@host.name, {allow_dns_alt_names: false,
+                                           self_signing_csr: request})
 
       @ca.stubs :generate_password
 
@@ -256,49 +257,56 @@ describe Puppet::SSL::CertificateAuthority do
       it "should not look up a certificate request for the host" do
         Puppet::SSL::CertificateRequest.indirection.expects(:find).never
 
-        @ca.sign(@name, true, @request)
+        @ca.sign(@name, {allow_dns_alt_names: true,
+                         self_signing_csr: @request})
       end
 
       it "should use a certificate type of :ca" do
         Puppet::SSL::CertificateFactory.expects(:build).with do |*args|
           expect(args[0]).to eq(:ca)
         end.returns @cert.content
-        @ca.sign(@name, :ca, @request)
+        @ca.sign(@name, {allow_dns_alt_names: true,
+                         self_signing_csr: @request})
       end
 
       it "should pass the provided CSR as the CSR" do
         Puppet::SSL::CertificateFactory.expects(:build).with do |*args|
           expect(args[1]).to eq(@request)
         end.returns @cert.content
-        @ca.sign(@name, :ca, @request)
+        @ca.sign(@name, {allow_dns_alt_names: true,
+                         self_signing_csr: @request})
       end
 
       it "should use the provided CSR's content as the issuer" do
         Puppet::SSL::CertificateFactory.expects(:build).with do |*args|
           expect(args[2].subject.to_s).to eq("/CN=myhost")
         end.returns @cert.content
-        @ca.sign(@name, :ca, @request)
+        @ca.sign(@name, {allow_dns_alt_names: true,
+                         self_signing_csr: @request})
       end
 
       it "should pass the next serial as the serial number" do
         Puppet::SSL::CertificateFactory.expects(:build).with do |*args|
           expect(args[3]).to eq(@serial)
         end.returns @cert.content
-        @ca.sign(@name, :ca, @request)
+        @ca.sign(@name, {allow_dns_alt_names: true,
+                         self_signing_csr: @request})
       end
 
       it "should sign the certificate request even if it contains alt names" do
         @request.stubs(:subject_alt_names).returns %w[DNS:foo DNS:bar DNS:baz]
 
         expect do
-          @ca.sign(@name, false, @request)
+          @ca.sign(@name, {allow_dns_alt_names: false,
+                           self_signing_csr: @request})
         end.not_to raise_error
       end
 
       it "should save the resulting certificate" do
         Puppet::SSL::Certificate.indirection.expects(:save).with(@cert)
 
-        @ca.sign(@name, :ca, @request)
+        @ca.sign(@name, {allow_dns_alt_names: true,
+                         self_signing_csr: @request})
       end
     end
 
@@ -339,17 +347,37 @@ describe Puppet::SSL::CertificateAuthority do
         }.to raise_error(/CSR has request extensions that are not permitted/)
       end
 
+      it "should reject auth extensions" do
+        @request.stubs :request_extensions => [{"oid" => "1.3.6.1.4.1.34380.1.3.1",
+                                                "value" => "true"},
+                                               {"oid" => "1.3.6.1.4.1.34380.1.3.13",
+                                                "value" => "com"}]
+
+        expect {
+          @ca.sign(@name)
+        }.to raise_error(Puppet::SSL::CertificateAuthority::CertificateSigningError,
+                         /CSR '#{@name}' contains authorization extensions (.*?, .*?).*/)
+      end
+
+      it "should not fail if the CSR contains auth extensions and they're allowed" do
+        @request.stubs :request_extensions => [{"oid" => "1.3.6.1.4.1.34380.1.3.1",
+                                                "value" => "true"},
+                                               {"oid" => "1.3.6.1.4.1.34380.1.3.13",
+                                                "value" => "com"}]
+        expect { @ca.sign(@name, {allow_authorization_extensions: true})}.to_not raise_error
+      end
+
       it "should fail if the CSR contains alt names and they are not expected" do
         @request.stubs(:subject_alt_names).returns %w[DNS:foo DNS:bar DNS:baz]
 
         expect do
-          @ca.sign(@name, false)
+          @ca.sign(@name, {allow_dns_alt_names: false})
         end.to raise_error(Puppet::SSL::CertificateAuthority::CertificateSigningError, /CSR '#{@name}' contains subject alternative names \(.*?\), which are disallowed. Use `puppet cert --allow-dns-alt-names sign #{@name}` to sign this request./)
       end
 
       it "should not fail if the CSR does not contain alt names and they are expected" do
         @request.stubs(:subject_alt_names).returns []
-        expect { @ca.sign(@name, true) }.to_not raise_error
+        expect { @ca.sign(@name, {allow_dns_alt_names: true}) }.to_not raise_error
       end
 
       it "should reject alt names by default" do
@@ -421,7 +449,7 @@ describe Puppet::SSL::CertificateAuthority do
         csr.generate(key)
 
         expect do
-          @ca.check_internal_signing_policies('not_the_certname', csr, false)
+          @ca.check_internal_signing_policies('not_the_certname', csr)
         end.to raise_error(
           Puppet::SSL::CertificateAuthority::CertificateSigningError,
           /common name "the_certname" does not match expected certname "not_the_certname"/
@@ -449,7 +477,7 @@ describe Puppet::SSL::CertificateAuthority do
             csr = Puppet::SSL::CertificateRequest.new(name)
             csr.generate(@signing_key)
 
-            @ca.check_internal_signing_policies(name, csr, false)
+            @ca.check_internal_signing_policies(name, csr)
           end
         end
 
@@ -468,7 +496,7 @@ describe Puppet::SSL::CertificateAuthority do
             csr.generate(@signing_key)
 
             expect do
-              @ca.check_internal_signing_policies(name, csr, false)
+              @ca.check_internal_signing_policies(name, csr)
             end.to raise_error(
               Puppet::SSL::CertificateAuthority::CertificateSigningError,
               /subject contains unprintable or non-ASCII characters/
@@ -484,7 +512,7 @@ describe Puppet::SSL::CertificateAuthority do
         @request.stubs(:request_extensions).returns exts
 
         expect {
-          @ca.check_internal_signing_policies(@name, @request, false)
+          @ca.check_internal_signing_policies(@name, @request)
         }.to_not raise_error
       end
 
@@ -495,7 +523,7 @@ describe Puppet::SSL::CertificateAuthority do
         @request.stubs(:request_extensions).returns exts
 
         expect {
-          @ca.check_internal_signing_policies(@name, @request, false)
+          @ca.check_internal_signing_policies(@name, @request)
         }.to_not raise_error
       end
 
@@ -506,7 +534,7 @@ describe Puppet::SSL::CertificateAuthority do
         @request.stubs(:request_extensions).returns exts
 
         expect {
-          @ca.check_internal_signing_policies(@name, @request, false)
+          @ca.check_internal_signing_policies(@name, @request)
         }.to_not raise_error
       end
 
@@ -515,7 +543,7 @@ describe Puppet::SSL::CertificateAuthority do
         @request.stubs(:request_extensions).returns [{ "oid" => "banana",
                                                        "value" => "yumm",
                                                        "critical" => true }]
-        expect { @ca.check_internal_signing_policies(@name, @request, false) }.to raise_error(
+        expect { @ca.check_internal_signing_policies(@name, @request) }.to raise_error(
           Puppet::SSL::CertificateAuthority::CertificateSigningError,
           /request extensions that are not permitted/
         )
@@ -525,7 +553,7 @@ describe Puppet::SSL::CertificateAuthority do
         @request.stubs(:request_extensions).returns [{ "oid" => "peach",
                                                        "value" => "meh",
                                                        "critical" => false }]
-        expect { @ca.check_internal_signing_policies(@name, @request, false) }.to raise_error(
+        expect { @ca.check_internal_signing_policies(@name, @request) }.to raise_error(
           Puppet::SSL::CertificateAuthority::CertificateSigningError,
           /request extensions that are not permitted/
         )
@@ -538,7 +566,7 @@ describe Puppet::SSL::CertificateAuthority do
                                                      { "oid" => "subjectAltName",
                                                        "value" => "DNS:foo",
                                                        "critical" => true }]
-        expect { @ca.check_internal_signing_policies(@name, @request, false) }.to raise_error(
+        expect { @ca.check_internal_signing_policies(@name, @request) }.to raise_error(
           Puppet::SSL::CertificateAuthority::CertificateSigningError,
           /request extensions that are not permitted/
         )
@@ -546,17 +574,28 @@ describe Puppet::SSL::CertificateAuthority do
 
       it "should reject a subjectAltName for a non-DNS value" do
         @request.stubs(:subject_alt_names).returns ['DNS:foo', 'email:bar@example.com']
-        expect { @ca.check_internal_signing_policies(@name, @request, true) }.to raise_error(
+        expect {
+          @ca.check_internal_signing_policies(@name, @request, {allow_dns_alt_names: true})
+        }.to raise_error(
           Puppet::SSL::CertificateAuthority::CertificateSigningError,
           /subjectAltName outside the DNS label space/
         )
       end
 
+      it "should allow a subjectAltName if subject matches CA's certname" do
+        @request.stubs(:subject_alt_names).returns ['DNS:foo']
+        Puppet[:certname] = @name
+
+        expect {
+          @ca.check_internal_signing_policies(@name, @request, {allow_dns_alt_names: false})
+        }.to_not raise_error
+      end
+
       it "should reject a wildcard subject" do
         @request.content.stubs(:subject).
           returns(OpenSSL::X509::Name.new([["CN", "*.local"]]))
 
-        expect { @ca.check_internal_signing_policies('*.local', @request, false) }.to raise_error(
+        expect { @ca.check_internal_signing_policies('*.local', @request) }.to raise_error(
           Puppet::SSL::CertificateAuthority::CertificateSigningError,
           /subject contains a wildcard/
         )
@@ -564,7 +603,9 @@ describe Puppet::SSL::CertificateAuthority do
 
       it "should reject a wildcard subjectAltName" do
         @request.stubs(:subject_alt_names).returns ['DNS:foo', 'DNS:*.bar']
-        expect { @ca.check_internal_signing_policies(@name, @request, true) }.to raise_error(
+        expect {
+          @ca.check_internal_signing_policies(@name, @request, {allow_dns_alt_names: true})
+        }.to raise_error(
           Puppet::SSL::CertificateAuthority::CertificateSigningError,
           /subjectAltName contains a wildcard/
         )