puppet 5.5.22 → 6.0.0

data/spec/unit/ssl/certificate_authority_spec.rb

@@ -1,1165 +0,0 @@
-# encoding: ASCII-8BIT
-require 'spec_helper'
-
-require 'puppet/ssl/certificate_authority'
-
-describe Puppet::SSL::CertificateAuthority do
-  after do
-    Puppet::SSL::CertificateAuthority.instance_variable_set(:@singleton_instance, nil)
-  end
-
-  def stub_ca_host
-    @key = double('key')
-    allow(@key).to receive(:content).and_return("cakey")
-    @cacert = double('certificate')
-    allow(@cacert).to receive(:content).and_return("cacertificate")
-
-    @host = double('ssl_host', :key => @key, :certificate => @cacert, :name => Puppet::SSL::Host.ca_name)
-  end
-
-  it "should have a class method for returning a singleton instance" do
-    expect(Puppet::SSL::CertificateAuthority).to respond_to(:instance)
-  end
-
-  describe "when finding an existing instance" do
-    describe "and the host is a CA host and the run_mode is master" do
-      before do
-        Puppet[:ca] = true
-        allow(Puppet.run_mode).to receive(:master?).and_return(true)
-
-        @ca = double('ca')
-        allow(Puppet::SSL::CertificateAuthority).to receive(:new).and_return(@ca)
-      end
-
-      it "should return an instance" do
-        expect(Puppet::SSL::CertificateAuthority.instance).to equal(@ca)
-      end
-
-      it "should always return the same instance" do
-        expect(Puppet::SSL::CertificateAuthority.instance).to equal(Puppet::SSL::CertificateAuthority.instance)
-      end
-    end
-
-    describe "and the host is not a CA host" do
-      it "should return nil" do
-        Puppet[:ca] = false
-        allow(Puppet.run_mode).to receive(:master?).and_return(true)
-
-        expect(Puppet::SSL::CertificateAuthority).not_to receive(:new)
-        expect(Puppet::SSL::CertificateAuthority.instance).to be_nil
-      end
-    end
-
-    describe "and the run_mode is not master" do
-      it "should return nil" do
-        Puppet[:ca] = true
-        allow(Puppet.run_mode).to receive(:master?).and_return(false)
-
-        expect(Puppet::SSL::CertificateAuthority).not_to receive(:new)
-        expect(Puppet::SSL::CertificateAuthority.instance).to be_nil
-      end
-    end
-  end
-
-  describe "when initializing" do
-    before do
-      allow(Puppet.settings).to receive(:use)
-
-      allow_any_instance_of(Puppet::SSL::CertificateAuthority).to receive(:setup)
-    end
-
-    it "should always set its name to the value of :certname" do
-      Puppet[:certname] = "ca_testing"
-
-      expect(Puppet::SSL::CertificateAuthority.new.name).to eq("ca_testing")
-    end
-
-    it "should create an SSL::Host instance whose name is the 'ca_name'" do
-      expect(Puppet::SSL::Host).to receive(:ca_name).and_return("caname")
-
-      host = double('host')
-      expect(Puppet::SSL::Host).to receive(:new).with("caname").and_return(host)
-
-      Puppet::SSL::CertificateAuthority.new
-    end
-
-    it "should use the :main, :ca, and :ssl settings sections" do
-      expect(Puppet.settings).to receive(:use).with(:main, :ssl, :ca)
-      Puppet::SSL::CertificateAuthority.new
-    end
-
-    it "should make sure the CA is set up" do
-      expect_any_instance_of(Puppet::SSL::CertificateAuthority).to receive(:setup)
-
-      Puppet::SSL::CertificateAuthority.new
-    end
-  end
-
-  describe "when setting itself up" do
-    it "should generate the CA certificate if it does not have one" do
-      allow(Puppet.settings).to receive(:use)
-
-      host = double('host')
-      allow(Puppet::SSL::Host).to receive(:new).and_return(host)
-
-      expect(host).to receive(:certificate).and_return(nil)
-
-      expect_any_instance_of(Puppet::SSL::CertificateAuthority).to receive(:generate_ca_certificate)
-      Puppet::SSL::CertificateAuthority.new
-    end
-  end
-
-  describe "when retrieving the certificate revocation list" do
-    before do
-      allow(Puppet.settings).to receive(:use)
-      Puppet[:cacrl] = "/my/crl"
-
-      cert = double("certificate", :content => "real_cert")
-      key = double("key", :content => "real_key")
-      @host = double('host', :certificate => cert, :name => "hostname", :key => key)
-
-      allow_any_instance_of(Puppet::SSL::CertificateAuthority).to receive(:setup)
-      @ca = Puppet::SSL::CertificateAuthority.new
-
-      allow(@ca).to receive(:host).and_return(@host)
-    end
-
-    it "should return any found CRL instance" do
-      crl = double('crl')
-      expect(Puppet::SSL::CertificateRevocationList.indirection).to receive(:find).and_return(crl)
-      expect(@ca.crl).to equal(crl)
-    end
-
-    it "should create, generate, and save a new CRL instance of no CRL can be found" do
-      crl = Puppet::SSL::CertificateRevocationList.new("fakename")
-      expect(Puppet::SSL::CertificateRevocationList.indirection).to receive(:find).and_return(nil)
-
-      expect(Puppet::SSL::CertificateRevocationList).to receive(:new).and_return(crl)
-
-      expect(crl).to receive(:generate).with(@ca.host.certificate.content, @ca.host.key.content)
-      expect(Puppet::SSL::CertificateRevocationList.indirection).to receive(:save).with(crl)
-
-      expect(@ca.crl).to equal(crl)
-    end
-  end
-
-  describe "when generating a self-signed CA certificate" do
-    before do
-      allow(Puppet.settings).to receive(:use)
-
-      allow_any_instance_of(Puppet::SSL::CertificateAuthority).to receive(:setup)
-      allow_any_instance_of(Puppet::SSL::CertificateAuthority).to receive(:crl)
-      @ca = Puppet::SSL::CertificateAuthority.new
-
-      @host = double('host', :key => double("key"), :name => "hostname", :certificate => double('certificate'))
-
-      allow_any_instance_of(Puppet::SSL::CertificateRequest).to receive(:generate)
-
-      allow(@ca).to receive(:host).and_return(@host)
-    end
-
-    it "should create and store a password at :capass" do
-      Puppet[:capass] = File.expand_path("/path/to/pass")
-
-      expect(Puppet::FileSystem).to receive(:exist?).with(Puppet[:capass]).and_return(false)
-
-      fh = StringIO.new
-      expect(Puppet.settings.setting(:capass)).to receive(:open).with('w:ASCII').and_yield(fh)
-
-      allow(@ca).to receive(:sign)
-
-      @ca.generate_ca_certificate
-
-      expect(fh.string.length).to be > 18
-    end
-
-    it "should generate a key if one does not exist" do
-      allow(@ca).to receive(:generate_password)
-      allow(@ca).to receive(:sign)
-
-      expect(@ca.host).to receive(:key).and_return(nil)
-      expect(@ca.host).to receive(:generate_key)
-
-      @ca.generate_ca_certificate
-    end
-
-    it "should create and sign a self-signed cert using the CA name" do
-      request = double('request')
-      expect(Puppet::SSL::CertificateRequest).to receive(:new).with(@ca.host.name).and_return(request)
-      expect(request).to receive(:generate).with(@ca.host.key)
-      allow(request).to receive(:request_extensions).and_return([])
-
-      expect(@ca).to receive(:sign).with(
-        @host.name,
-        {
-          allow_dns_alt_names: false,
-          self_signing_csr: request
-        }
-      )
-
-      allow(@ca).to receive(:generate_password)
-
-      @ca.generate_ca_certificate
-    end
-
-    it "should generate its CRL" do
-      allow(@ca).to receive(:generate_password)
-      allow(@ca).to receive(:sign)
-
-      expect(@ca.host).to receive(:key).and_return(nil)
-      expect(@ca.host).to receive(:generate_key)
-
-      expect(@ca).to receive(:crl)
-
-      @ca.generate_ca_certificate
-    end
-  end
-
-  describe "when signing" do
-    before do
-      allow(Puppet.settings).to receive(:use)
-
-      allow_any_instance_of(Puppet::SSL::CertificateAuthority).to receive(:password?).and_return(true)
-
-      stub_ca_host
-
-      expect(Puppet::SSL::Host).to receive(:new).with(Puppet::SSL::Host.ca_name).and_return(@host)
-
-      @ca = Puppet::SSL::CertificateAuthority.new
-
-      @name = "myhost"
-      @real_cert = double('realcert', :sign => nil)
-      @cert = Puppet::SSL::Certificate.new(@name)
-      @cert.content = @real_cert
-
-      allow(Puppet::SSL::Certificate).to receive(:new).and_return(@cert)
-
-      allow(Puppet::SSL::Certificate.indirection).to receive(:save)
-
-      # Stub out the factory
-      allow(Puppet::SSL::CertificateFactory).to receive(:build).and_return(@cert.content)
-
-      @request_content = double("request content stub", :subject => OpenSSL::X509::Name.new([['CN', @name]]), :public_key => double('public_key'))
-      @request = double('request', :name => @name, :request_extensions => [], :subject_alt_names => [], :content => @request_content)
-      allow(@request_content).to receive(:verify).and_return(true)
-
-      # And the inventory
-      @inventory = double('inventory', :add => nil)
-      allow(@ca).to receive(:inventory).and_return(@inventory)
-
-      allow(Puppet::SSL::CertificateRequest.indirection).to receive(:destroy)
-    end
-
-    describe "its own certificate" do
-      before do
-        @serial = 10
-        allow(@ca).to receive(:next_serial).and_return(@serial)
-      end
-
-      it "should not look up a certificate request for the host" do
-        expect(Puppet::SSL::CertificateRequest.indirection).not_to receive(:find)
-
-        @ca.sign(@name, {allow_dns_alt_names: true,
-                         self_signing_csr: @request})
-      end
-
-      it "should use a certificate type of :ca" do
-        expect(Puppet::SSL::CertificateFactory).to receive(:build).with(:ca, any_args).and_return(@cert.content)
-        @ca.sign(@name, {allow_dns_alt_names: true,
-                         self_signing_csr: @request})
-      end
-
-      it "should pass the provided CSR as the CSR" do
-        expect(Puppet::SSL::CertificateFactory).to receive(:build).with(anything, @request, any_args).and_return(@cert.content)
-        @ca.sign(@name, {allow_dns_alt_names: true,
-                         self_signing_csr: @request})
-      end
-
-      it "should use the provided CSR's content as the issuer" do
-        expect(Puppet::SSL::CertificateFactory).to receive(:build) do |*args|
-          expect(args[2].subject.to_s).to eq("/CN=myhost")
-        end.and_return(@cert.content)
-        @ca.sign(@name, {allow_dns_alt_names: true,
-                         self_signing_csr: @request})
-      end
-
-      it "should pass the next serial as the serial number" do
-        expect(Puppet::SSL::CertificateFactory).to receive(:build).with(anything, anything, anything, @serial).and_return(@cert.content)
-        @ca.sign(@name, {allow_dns_alt_names: true,
-                         self_signing_csr: @request})
-      end
-
-      it "should sign the certificate request even if it contains alt names" do
-        allow(@request).to receive(:subject_alt_names).and_return(%w[DNS:foo DNS:bar DNS:baz])
-
-        expect do
-          @ca.sign(@name, {allow_dns_alt_names: false,
-                           self_signing_csr: @request})
-        end.not_to raise_error
-      end
-
-      it "should save the resulting certificate" do
-        expect(Puppet::SSL::Certificate.indirection).to receive(:save).with(@cert)
-
-        @ca.sign(@name, {allow_dns_alt_names: true,
-                         self_signing_csr: @request})
-      end
-    end
-
-    describe "another host's certificate" do
-      before do
-        @serial = 10
-        allow(@ca).to receive(:next_serial).and_return(@serial)
-
-        allow(Puppet::SSL::CertificateRequest.indirection).to receive(:find).with(@name).and_return(@request)
-        allow(Puppet::SSL::CertificateRequest.indirection).to receive(:save)
-      end
-
-      it "should use a certificate type of :server" do
-        expect(Puppet::SSL::CertificateFactory).to receive(:build).with(:server, any_args).and_return(@cert.content)
-
-        @ca.sign(@name)
-      end
-
-      it "should use look up a CSR for the host in the :ca_file terminus" do
-        expect(Puppet::SSL::CertificateRequest.indirection).to receive(:find).with(@name).and_return(@request)
-
-        @ca.sign(@name)
-      end
-
-      it "should fail if no CSR can be found for the host" do
-        expect(Puppet::SSL::CertificateRequest.indirection).to receive(:find).with(@name).and_return(nil)
-
-        expect { @ca.sign(@name) }.to raise_error(ArgumentError)
-      end
-
-      it "should fail if an unknown request extension is present" do
-        allow(@request).to receive(:request_extensions).and_return([{ "oid"   => "bananas",
-                                                                      "value" => "delicious" }])
-        expect {
-          @ca.sign(@name)
-        }.to raise_error(/CSR has request extensions that are not permitted/)
-      end
-
-      it "should reject auth extensions" do
-        allow(@request).to receive(:request_extensions).and_return([{"oid" => "1.3.6.1.4.1.34380.1.3.1",
-                                                                     "value" => "true"},
-                                                                    {"oid" => "1.3.6.1.4.1.34380.1.3.13",
-                                                                     "value" => "com"}])
-
-        expect {
-          @ca.sign(@name)
-        }.to raise_error(Puppet::SSL::CertificateAuthority::CertificateSigningError,
-                         /CSR '#{@name}' contains authorization extensions (.*?, .*?).*/)
-      end
-
-      it "should not fail if the CSR contains auth extensions and they're allowed" do
-        allow(@request).to receive(:request_extensions).and_return([{"oid" => "1.3.6.1.4.1.34380.1.3.1",
-                                                                     "value" => "true"},
-                                                                    {"oid" => "1.3.6.1.4.1.34380.1.3.13",
-                                                                     "value" => "com"}])
-        expect { @ca.sign(@name, {allow_authorization_extensions: true})}.to_not raise_error
-      end
-
-      it "should fail if the CSR contains alt names and they are not expected" do
-        allow(@request).to receive(:subject_alt_names).and_return(%w[DNS:foo DNS:bar DNS:baz])
-
-        expect do
-          @ca.sign(@name, {allow_dns_alt_names: false})
-        end.to raise_error(Puppet::SSL::CertificateAuthority::CertificateSigningError, /CSR '#{@name}' contains subject alternative names \(.*?\), which are disallowed. Use `puppet cert --allow-dns-alt-names sign #{@name}` to sign this request./)
-      end
-
-      it "should not fail if the CSR does not contain alt names and they are expected" do
-        allow(@request).to receive(:subject_alt_names).and_return([])
-        expect { @ca.sign(@name, {allow_dns_alt_names: true}) }.to_not raise_error
-      end
-
-      it "should reject alt names by default" do
-        allow(@request).to receive(:subject_alt_names).and_return(%w[DNS:foo DNS:bar DNS:baz])
-
-        expect do
-          @ca.sign(@name)
-        end.to raise_error(Puppet::SSL::CertificateAuthority::CertificateSigningError, /CSR '#{@name}' contains subject alternative names \(.*?\), which are disallowed. Use `puppet cert --allow-dns-alt-names sign #{@name}` to sign this request./)
-      end
-
-      it "should use the CA certificate as the issuer" do
-        expect(Puppet::SSL::CertificateFactory).to receive(:build).with(anything, anything, @cacert.content, any_args).and_return(@cert.content)
-        @ca.sign(@name)
-      end
-
-      it "should pass the next serial as the serial number" do
-        expect(Puppet::SSL::CertificateFactory).to receive(:build).with(anything, anything, anything, @serial).and_return(@cert.content)
-        @ca.sign(@name)
-      end
-
-      it "should sign the resulting certificate using its real key and a digest" do
-        digest = double('digest')
-        expect(OpenSSL::Digest::SHA256).to receive(:new).and_return(digest)
-
-        key = double('key', :content => "real_key")
-        allow(@ca.host).to receive(:key).and_return(key)
-
-        expect(@cert.content).to receive(:sign).with("real_key", digest)
-        @ca.sign(@name)
-      end
-
-      it "should save the resulting certificate" do
-        allow(Puppet::SSL::Certificate.indirection).to receive(:save).with(@cert)
-        @ca.sign(@name)
-      end
-
-      it "should remove the host's certificate request" do
-        expect(Puppet::SSL::CertificateRequest.indirection).to receive(:destroy).with(@name)
-
-        @ca.sign(@name)
-      end
-
-      it "should check the internal signing policies" do
-        expect(@ca).to receive(:check_internal_signing_policies).and_return(true)
-        @ca.sign(@name)
-      end
-    end
-
-    context "#check_internal_signing_policies" do
-      before do
-        @serial = 10
-        allow(@ca).to receive(:next_serial).and_return(@serial)
-
-        allow(Puppet::SSL::CertificateRequest.indirection).to receive(:find).with(@name).and_return(@request)
-        allow(@cert).to receive(:save)
-      end
-
-      it "should reject CSRs whose CN doesn't match the name for which we're signing them" do
-        # Shorten this so the test doesn't take too long
-        Puppet[:keylength] = 1024
-        key = Puppet::SSL::Key.new('the_certname')
-        key.generate
-
-        csr = Puppet::SSL::CertificateRequest.new('the_certname')
-        csr.generate(key)
-
-        expect do
-          @ca.check_internal_signing_policies('not_the_certname', csr)
-        end.to raise_error(
-          Puppet::SSL::CertificateAuthority::CertificateSigningError,
-          /common name "the_certname" does not match expected certname "not_the_certname"/
-        )
-      end
-
-      describe "when validating the CN" do
-        before :all do
-          Puppet[:keylength] = 1024
-          Puppet[:passfile] = '/f00'
-          @signing_key = Puppet::SSL::Key.new('my_signing_key')
-          @signing_key.generate
-        end
-
-        [
-         'completely_okay',
-         'sure, why not? :)',
-         'so+many(things)-are=allowed.',
-         'this"is#just&madness%you[see]',
-         'and even a (an?) \\!',
-         'waltz, nymph, for quick jigs vex bud.',
-         '{552c04ca-bb1b-11e1-874b-60334b04494e}'
-        ].each do |name|
-          it "should accept #{name.inspect}" do
-            csr = Puppet::SSL::CertificateRequest.new(name)
-            csr.generate(@signing_key)
-
-            @ca.check_internal_signing_policies(name, csr)
-          end
-        end
-
-        [
-         'super/bad',
-         "not\neven\tkind\rof",
-         "ding\adong\a",
-         "hidden\b\b\b\b\b\bmessage",
-         "\xE2\x98\x83 :("
-        ].each do |name|
-          it "should reject #{name.inspect}" do
-            # We aren't even allowed to make objects with these names, so let's
-            # stub that to simulate an invalid one coming from outside Puppet
-            allow(Puppet::SSL::CertificateRequest).to receive(:validate_certname)
-            csr = Puppet::SSL::CertificateRequest.new(name)
-            csr.generate(@signing_key)
-
-            expect do
-              @ca.check_internal_signing_policies(name, csr)
-            end.to raise_error(
-              Puppet::SSL::CertificateAuthority::CertificateSigningError,
-              /subject contains unprintable or non-ASCII characters/
-            )
-          end
-        end
-      end
-
-      it "accepts numeric OIDs under the ppRegCertExt subtree" do
-        exts = [{ 'oid' => '1.3.6.1.4.1.34380.1.1.1',
-                  'value' => '657e4780-4cf5-11e3-8f96-0800200c9a66'}]
-
-        allow(@request).to receive(:request_extensions).and_return(exts)
-
-        expect {
-          @ca.check_internal_signing_policies(@name, @request)
-        }.to_not raise_error
-      end
-
-      it "accepts short name OIDs under the ppRegCertExt subtree" do
-        exts = [{ 'oid' => 'pp_uuid',
-                  'value' => '657e4780-4cf5-11e3-8f96-0800200c9a66'}]
-
-        allow(@request).to receive(:request_extensions).and_return(exts)
-
-        expect {
-          @ca.check_internal_signing_policies(@name, @request)
-        }.to_not raise_error
-      end
-
-      it "accepts OIDs under the ppPrivCertAttrs subtree" do
-        exts = [{ 'oid' => '1.3.6.1.4.1.34380.1.2.1',
-                  'value' => 'private extension'}]
-
-        allow(@request).to receive(:request_extensions).and_return(exts)
-
-        expect {
-          @ca.check_internal_signing_policies(@name, @request)
-        }.to_not raise_error
-      end
-
-
-      it "should reject a critical extension that isn't on the whitelist" do
-        allow(@request).to receive(:request_extensions).and_return([{ "oid" => "banana",
-                                                                      "value" => "yumm",
-                                                                      "critical" => true }])
-        expect { @ca.check_internal_signing_policies(@name, @request) }.to raise_error(
-          Puppet::SSL::CertificateAuthority::CertificateSigningError,
-          /request extensions that are not permitted/
-        )
-      end
-
-      it "should reject a non-critical extension that isn't on the whitelist" do
-        allow(@request).to receive(:request_extensions).and_return([{ "oid" => "peach",
-                                                                      "value" => "meh",
-                                                                      "critical" => false }])
-        expect { @ca.check_internal_signing_policies(@name, @request) }.to raise_error(
-          Puppet::SSL::CertificateAuthority::CertificateSigningError,
-          /request extensions that are not permitted/
-        )
-      end
-
-      it "should reject non-whitelist extensions even if a valid extension is present" do
-        allow(@request).to receive(:request_extensions).and_return([{ "oid" => "peach",
-                                                                      "value" => "meh",
-                                                                      "critical" => false },
-                                                                    { "oid" => "subjectAltName",
-                                                                      "value" => "DNS:foo",
-                                                                      "critical" => true }])
-        expect { @ca.check_internal_signing_policies(@name, @request) }.to raise_error(
-          Puppet::SSL::CertificateAuthority::CertificateSigningError,
-          /request extensions that are not permitted/
-        )
-      end
-
-      it "should reject a subjectAltName for a non-DNS value" do
-        allow(@request).to receive(:subject_alt_names).and_return(['DNS:foo', 'email:bar@example.com'])
-        expect {
-          @ca.check_internal_signing_policies(@name, @request, {allow_dns_alt_names: true})
-        }.to raise_error(
-          Puppet::SSL::CertificateAuthority::CertificateSigningError,
-          /subjectAltName outside the DNS label space/
-        )
-      end
-
-      it "should allow a subjectAltName if subject matches CA's certname" do
-        allow(@request).to receive(:subject_alt_names).and_return(['DNS:foo'])
-        Puppet[:certname] = @name
-
-        expect {
-          @ca.check_internal_signing_policies(@name, @request, {allow_dns_alt_names: false})
-        }.to_not raise_error
-      end
-
-      it "should reject a wildcard subject" do
-        allow(@request.content).to receive(:subject).
-          and_return(OpenSSL::X509::Name.new([["CN", "*.local"]]))
-
-        expect { @ca.check_internal_signing_policies('*.local', @request) }.to raise_error(
-          Puppet::SSL::CertificateAuthority::CertificateSigningError,
-          /subject contains a wildcard/
-        )
-      end
-
-      it "should reject a wildcard subjectAltName" do
-        allow(@request).to receive(:subject_alt_names).and_return(['DNS:foo', 'DNS:*.bar'])
-        expect {
-          @ca.check_internal_signing_policies(@name, @request, {allow_dns_alt_names: true})
-        }.to raise_error(
-          Puppet::SSL::CertificateAuthority::CertificateSigningError,
-          /subjectAltName contains a wildcard/
-        )
-      end
-    end
-
-    it "should create a certificate instance with the content set to the newly signed x509 certificate" do
-      @serial = 10
-      allow(@ca).to receive(:next_serial).and_return(@serial)
-
-      allow(Puppet::SSL::CertificateRequest.indirection).to receive(:find).with(@name).and_return(@request)
-      allow(Puppet::SSL::Certificate.indirection).to receive(:save)
-      expect(Puppet::SSL::Certificate).to receive(:new).with(@name).and_return(@cert)
-
-      @ca.sign(@name)
-    end
-
-    it "should return the certificate instance" do
-      allow(@ca).to receive(:next_serial).and_return(@serial)
-      allow(Puppet::SSL::CertificateRequest.indirection).to receive(:find).with(@name).and_return(@request)
-      allow(Puppet::SSL::Certificate.indirection).to receive(:save)
-      expect(@ca.sign(@name)).to equal(@cert)
-    end
-
-    it "should add the certificate to its inventory" do
-      allow(@ca).to receive(:next_serial).and_return(@serial)
-      expect(@inventory).to receive(:add).with(@cert)
-
-      allow(Puppet::SSL::CertificateRequest.indirection).to receive(:find).with(@name).and_return(@request)
-      allow(Puppet::SSL::Certificate.indirection).to receive(:save)
-      @ca.sign(@name)
-    end
-
-    it "should have a method for triggering autosigning of available CSRs" do
-      expect(@ca).to respond_to(:autosign)
-    end
-
-    describe "when autosigning certificates" do
-      let(:csr) { Puppet::SSL::CertificateRequest.new("host") }
-
-      describe "using the autosign setting" do
-        let(:autosign) { File.expand_path("/auto/sign") }
-
-        it "should do nothing if autosign is disabled" do
-          Puppet[:autosign] = false
-
-          expect(@ca).not_to receive(:sign)
-          @ca.autosign(csr)
-        end
-
-        it "should do nothing if no autosign.conf exists" do
-          Puppet[:autosign] = autosign
-          non_existent_file = Puppet::FileSystem::MemoryFile.a_missing_file(autosign)
-          Puppet::FileSystem.overlay(non_existent_file) do
-            expect(@ca).not_to receive(:sign)
-            @ca.autosign(csr)
-          end
-        end
-
-        describe "and autosign is enabled and the autosign.conf file exists" do
-          let(:store) { double('store', :allow => nil, :allowed? => false) }
-
-          before do
-            Puppet[:autosign] = autosign
-          end
-
-          describe "when creating the AuthStore instance to verify autosigning" do
-            it "should create an AuthStore with each line in the configuration file allowed to be autosigned" do
-              Puppet::FileSystem.overlay(Puppet::FileSystem::MemoryFile.a_regular_file_containing(autosign, "one\ntwo\n")) do
-                allow(Puppet::Network::AuthStore).to receive(:new).and_return(store)
-
-                expect(store).to receive(:allow).with("one")
-                expect(store).to receive(:allow).with("two")
-
-                @ca.autosign(csr)
-              end
-            end
-
-            it "should reparse the autosign configuration on each call" do
-              Puppet::FileSystem.overlay(Puppet::FileSystem::MemoryFile.a_regular_file_containing(autosign, "one")) do
-                allow(Puppet::Network::AuthStore).to receive(:new).twice.and_return(store)
-
-                @ca.autosign(csr)
-                @ca.autosign(csr)
-              end
-            end
-
-            it "should ignore comments" do
-              Puppet::FileSystem.overlay(Puppet::FileSystem::MemoryFile.a_regular_file_containing(autosign, "one\n#two\n")) do
-                allow(Puppet::Network::AuthStore).to receive(:new).and_return(store)
-
-                expect(store).to receive(:allow).with("one")
-
-                @ca.autosign(csr)
-              end
-            end
-
-            it "should ignore blank lines" do
-              Puppet::FileSystem.overlay(Puppet::FileSystem::MemoryFile.a_regular_file_containing(autosign, "one\n\n")) do
-                allow(Puppet::Network::AuthStore).to receive(:new).and_return(store)
-
-                expect(store).to receive(:allow).with("one")
-                @ca.autosign(csr)
-              end
-            end
-          end
-        end
-      end
-
-      describe "using the autosign command setting" do
-        let(:cmd) { File.expand_path('/autosign_cmd') }
-        let(:autosign_cmd) { double('autosign_command') }
-        let(:autosign_executable) { Puppet::FileSystem::MemoryFile.an_executable(cmd) }
-
-        before do
-          Puppet[:autosign] = cmd
-
-          allow(Puppet::SSL::CertificateAuthority::AutosignCommand).to receive(:new).and_return(autosign_cmd)
-        end
-
-        it "autosigns the CSR if the autosign command returned true" do
-          Puppet::FileSystem.overlay(autosign_executable) do
-            expect(autosign_cmd).to receive(:allowed?).with(csr).and_return(true)
-
-            expect(@ca).to receive(:sign).with('host')
-            @ca.autosign(csr)
-          end
-        end
-
-        it "doesn't autosign the CSR if the autosign_command returned false" do
-          Puppet::FileSystem.overlay(autosign_executable) do
-            expect(autosign_cmd).to receive(:allowed?).with(csr).and_return(false)
-
-            expect(@ca).not_to receive(:sign)
-            @ca.autosign(csr)
-          end
-        end
-      end
-    end
-  end
-
-  describe "when managing certificate clients" do
-    before do
-      allow(Puppet.settings).to receive(:use)
-
-      allow_any_instance_of(Puppet::SSL::CertificateAuthority).to receive(:password?).and_return(true)
-
-      stub_ca_host
-
-      expect(Puppet::SSL::Host).to receive(:new).and_return(@host)
-      allow_any_instance_of(Puppet::SSL::CertificateAuthority).to receive(:host).and_return(@host)
-
-      @cacert = double('certificate')
-      allow(@cacert).to receive(:content).and_return("cacertificate")
-      @ca = Puppet::SSL::CertificateAuthority.new
-    end
-
-    it "should be able to list waiting certificate requests" do
-      req1 = double('req1', :name => "one")
-      req2 = double('req2', :name => "two")
-      expect(Puppet::SSL::CertificateRequest.indirection).to receive(:search).with("*").and_return([req1, req2])
-
-      expect(@ca.waiting?).to eq(%w{one two})
-    end
-
-    it "should delegate removing hosts to the Host class" do
-      expect(Puppet::SSL::Host).to receive(:destroy).with("myhost")
-
-      @ca.destroy("myhost")
-    end
-
-    it "should be able to verify certificates" do
-      expect(@ca).to respond_to(:verify)
-    end
-
-    it "should list certificates as the sorted list of all existing signed certificates" do
-      cert1 = double('cert1', :name => "cert1")
-      cert2 = double('cert2', :name => "cert2")
-      expect(Puppet::SSL::Certificate.indirection).to receive(:search).with("*").and_return([cert1, cert2])
-      expect(@ca.list).to eq(%w{cert1 cert2})
-    end
-
-    it "should list the full certificates" do
-      cert1 = double('cert1', :name => "cert1")
-      cert2 = double('cert2', :name => "cert2")
-      expect(Puppet::SSL::Certificate.indirection).to receive(:search).with("*").and_return([cert1, cert2])
-      expect(@ca.list_certificates).to eq([cert1, cert2])
-    end
-
-    it "should print a deprecation when using #list_certificates" do
-      allow(Puppet::SSL::Certificate.indirection).to receive(:search).with("*").and_return([:foo, :bar])
-      expect(Puppet).to receive(:deprecation_warning).with(/list_certificates is deprecated/)
-      @ca.list_certificates
-    end
-
-    describe "and printing certificates" do
-      it "should return nil if the certificate cannot be found" do
-        expect(Puppet::SSL::Certificate.indirection).to receive(:find).with("myhost").and_return(nil)
-        expect(@ca.print("myhost")).to be_nil
-      end
-
-      it "should print certificates by calling :to_text on the host's certificate" do
-        cert1 = double('cert1', :name => "cert1", :to_text => "mytext")
-        expect(Puppet::SSL::Certificate.indirection).to receive(:find).with("myhost").and_return(cert1)
-        expect(@ca.print("myhost")).to eq("mytext")
-      end
-    end
-
-    describe "and fingerprinting certificates" do
-      before :each do
-        @cert = double('cert', :name => "cert", :fingerprint => "DIGEST")
-        allow(Puppet::SSL::Certificate.indirection).to receive(:find).with("myhost").and_return(@cert)
-        allow(Puppet::SSL::CertificateRequest.indirection).to receive(:find).with("myhost")
-      end
-
-      it "should raise an error if the certificate or CSR cannot be found" do
-        expect(Puppet::SSL::Certificate.indirection).to receive(:find).with("myhost").and_return(nil)
-        expect(Puppet::SSL::CertificateRequest.indirection).to receive(:find).with("myhost").and_return(nil)
-        expect { @ca.fingerprint("myhost") }.to raise_error(ArgumentError, /Could not find a certificate/)
-      end
-
-      it "should try to find a CSR if no certificate can be found" do
-        expect(Puppet::SSL::Certificate.indirection).to receive(:find).with("myhost").and_return(nil)
-        expect(Puppet::SSL::CertificateRequest.indirection).to receive(:find).with("myhost").and_return(@cert)
-        expect(@cert).to receive(:fingerprint)
-        @ca.fingerprint("myhost")
-      end
-
-      it "should delegate to the certificate fingerprinting" do
-        expect(@cert).to receive(:fingerprint)
-        @ca.fingerprint("myhost")
-      end
-
-      it "should propagate the digest algorithm to the certificate fingerprinting system" do
-        expect(@cert).to receive(:fingerprint).with(:digest)
-        @ca.fingerprint("myhost", :digest)
-      end
-    end
-
-    describe "and verifying certificates" do
-      let(:cacert) { File.expand_path("/ca/cert") }
-
-      before do
-        @store = double('store', :verify => true, :add_file => nil, :purpose= => nil, :add_crl => true, :flags= => nil)
-
-        allow(OpenSSL::X509::Store).to receive(:new).and_return(@store)
-
-        @cert = double('cert', :content => "mycert")
-        allow(Puppet::SSL::Certificate.indirection).to receive(:find).and_return(@cert)
-
-        @crl = double('crl', :content => "mycrl")
-
-        allow(@ca).to receive(:crl).and_return(@crl)
-      end
-
-      it "should fail if the host's certificate cannot be found" do
-        expect(Puppet::SSL::Certificate.indirection).to receive(:find).with("me").and_return(nil)
-
-        expect { @ca.verify("me") }.to raise_error(ArgumentError)
-      end
-
-      it "should create an SSL Store to verify" do
-        expect(OpenSSL::X509::Store).to receive(:new).and_return(@store)
-
-        @ca.verify("me")
-      end
-
-      it "should add the CA Certificate to the store" do
-        Puppet[:cacert] = cacert
-        expect(@store).to receive(:add_file).with(cacert)
-
-        @ca.verify("me")
-      end
-
-      it "should add the CRL to the store if the crl is enabled" do
-        expect(@store).to receive(:add_crl).with("mycrl")
-
-        @ca.verify("me")
-      end
-
-      it "should set the store purpose to OpenSSL::X509::PURPOSE_ANY" do
-        expect(@store).to receive(:purpose=).with OpenSSL::X509::PURPOSE_ANY
-
-        @ca.verify("me")
-      end
-
-      it "should set the store flags to check the crl" do
-        expect(@store).to receive(:flags=).with(OpenSSL::X509::V_FLAG_CRL_CHECK_ALL | OpenSSL::X509::V_FLAG_CRL_CHECK)
-
-        @ca.verify("me")
-      end
-
-      it "should use the store to verify the certificate" do
-        expect(@cert).to receive(:content).and_return("mycert")
-
-        expect(@store).to receive(:verify).with("mycert").and_return(true)
-
-        @ca.verify("me")
-      end
-
-      it "should fail if the verification returns false" do
-        expect(@cert).to receive(:content).and_return("mycert")
-
-        expect(@store).to receive(:verify).with("mycert").and_return(false)
-        expect(@store).to receive(:error)
-        expect(@store).to receive(:error_string)
-
-        expect { @ca.verify("me") }.to raise_error(Puppet::SSL::CertificateAuthority::CertificateVerificationError)
-      end
-
-      describe "certificate_is_alive?" do
-        it "should return false if verification fails" do
-          expect(@cert).to receive(:content).and_return("mycert")
-
-          expect(@store).to receive(:verify).with("mycert").and_return(false)
-
-          expect(@ca.certificate_is_alive?(@cert)).to be_falsey
-        end
-
-        it "should return true if verification passes" do
-          expect(@cert).to receive(:content).and_return("mycert")
-
-          expect(@store).to receive(:verify).with("mycert").and_return(true)
-
-          expect(@ca.certificate_is_alive?(@cert)).to be_truthy
-        end
-
-        it "should use a cached instance of the x509 store" do
-          allow(OpenSSL::X509::Store).to receive(:new).and_return(@store).once
-
-          expect(@cert).to receive(:content).and_return("mycert")
-
-          expect(@store).to receive(:verify).with("mycert").and_return(true)
-
-          @ca.certificate_is_alive?(@cert)
-          @ca.certificate_is_alive?(@cert)
-        end
-
-        it "should be deprecated" do
-          expect(Puppet).to receive(:deprecation_warning).with(/certificate_is_alive\? is deprecated/)
-          @ca.certificate_is_alive?(@cert)
-        end
-      end
-    end
-
-    describe "and revoking certificates" do
-      before do
-        @crl = double('crl')
-        allow(@ca).to receive(:crl).and_return(@crl)
-
-        allow(@ca).to receive(:next_serial).and_return(10)
-
-        @real_cert = double('real_cert', :serial => 15)
-        @cert = double('cert', :content => @real_cert)
-        allow(Puppet::SSL::Certificate.indirection).to receive(:find).and_return(@cert)
-      end
-
-      it "should fail if the certificate revocation list is disabled" do
-        allow(@ca).to receive(:crl).and_return(false)
-
-        expect { @ca.revoke('ca_testing') }.to raise_error(ArgumentError)
-
-      end
-
-      it "should delegate the revocation to its CRL" do
-        expect(@ca.crl).to receive(:revoke)
-
-        @ca.revoke('host')
-      end
-
-      it "should get the serial number from the local certificate if it exists" do
-        expect(@ca.crl).to receive(:revoke).with(15, anything)
-
-        expect(Puppet::SSL::Certificate.indirection).to receive(:find).with("host").and_return(@cert)
-
-        @ca.revoke('host')
-      end
-
-      it "should get the serial number from inventory if no local certificate exists" do
-        expect(Puppet::SSL::Certificate.indirection).to receive(:find).with("host").and_return(nil)
-
-        expect(@ca.inventory).to receive(:serials).with("host").and_return([16])
-
-        expect(@ca.crl).to receive(:revoke).with(16, anything)
-        @ca.revoke('host')
-      end
-
-      it "should revoke all serials matching a name" do
-        expect(Puppet::SSL::Certificate.indirection).to receive(:find).with("host").and_return(nil)
-
-        expect(@ca.inventory).to receive(:serials).with("host").and_return([16, 20, 25])
-
-        expect(@ca.crl).to receive(:revoke).with(16, anything)
-        expect(@ca.crl).to receive(:revoke).with(20, anything)
-        expect(@ca.crl).to receive(:revoke).with(25, anything)
-        @ca.revoke('host')
-      end
-
-      it "should raise an error if no certificate match" do
-        expect(Puppet::SSL::Certificate.indirection).to receive(:find).with("host").and_return(nil)
-
-        expect(@ca.inventory).to receive(:serials).with("host").and_return([])
-
-        expect(@ca.crl).not_to receive(:revoke)
-        expect { @ca.revoke('host') }.to raise_error(ArgumentError, /Could not find a serial number for host/)
-      end
-
-      context "revocation by serial number (#16798)" do
-        it "revokes when given a lower case hexadecimal formatted string" do
-          expect(@ca.crl).to receive(:revoke).with(15, anything)
-          expect(Puppet::SSL::Certificate.indirection).to receive(:find).with("0xf").and_return(nil)
-
-          @ca.revoke('0xf')
-        end
-
-        it "revokes when given an upper case hexadecimal formatted string" do
-          expect(@ca.crl).to receive(:revoke).with(15, anything)
-          expect(Puppet::SSL::Certificate.indirection).to receive(:find).with("0xF").and_return(nil)
-
-          @ca.revoke('0xF')
-        end
-
-        it "handles very large serial numbers" do
-          bighex = '0x4000000000000000000000000000000000000000'
-          bighex_int = 365375409332725729550921208179070754913983135744
-
-          expect(@ca.crl).to receive(:revoke).with(bighex_int, anything)
-          expect(Puppet::SSL::Certificate.indirection).to receive(:find).with(bighex).and_return(nil)
-
-          @ca.revoke(bighex)
-        end
-      end
-    end
-
-    it "should be able to generate a complete new SSL host" do
-      expect(@ca).to respond_to(:generate)
-    end
-  end
-end
-
-require 'puppet/indirector/memory'
-
-module CertificateAuthorityGenerateSpecs
-describe "CertificateAuthority.generate" do
-  def expect_to_increment_serial_file
-    expect(Puppet.settings.setting(:serial)).to receive(:exclusive_open)
-  end
-
-  def expect_to_sign_a_cert
-    expect_to_increment_serial_file
-  end
-
-  def expect_to_write_the_ca_password
-    expect(Puppet.settings.setting(:capass)).to receive(:open).with('w:ASCII')
-  end
-
-  def expect_ca_initialization
-    expect_to_write_the_ca_password
-    expect_to_sign_a_cert
-  end
-
-  INDIRECTED_CLASSES = [
-    Puppet::SSL::Certificate,
-    Puppet::SSL::CertificateRequest,
-    Puppet::SSL::CertificateRevocationList,
-    Puppet::SSL::Key,
-  ]
-
-  INDIRECTED_CLASSES.each do |const|
-    class const::Memory < Puppet::Indirector::Memory
-
-      # @return Array of all the indirector's values
-      #
-      # This mirrors Puppet::Indirector::SslFile#search which returns all files
-      # in the directory.
-      def search(request)
-        return @instances.values
-      end
-    end
-  end
-
-  before do
-    allow(Puppet::SSL::Inventory).to receive(:new).and_return(double("Inventory", :add => nil))
-    INDIRECTED_CLASSES.each { |const| const.indirection.terminus_class = :memory }
-  end
-
-  after do
-    INDIRECTED_CLASSES.each do |const|
-      const.indirection.terminus_class = :file
-      const.indirection.termini.clear
-    end
-  end
-
-  describe "when generating certificates" do
-    let(:ca) { Puppet::SSL::CertificateAuthority.new }
-
-    before do
-      expect_ca_initialization
-    end
-
-    it "should fail if a certificate already exists for the host" do
-      cert = Puppet::SSL::Certificate.new('pre.existing')
-      Puppet::SSL::Certificate.indirection.save(cert)
-      expect { ca.generate(cert.name) }.to raise_error(ArgumentError, /a certificate already exists/i)
-    end
-
-    describe "that do not yet exist" do
-      let(:cn) { "new.host" }
-
-      def expect_cert_does_not_exist(cn)
-        expect( Puppet::SSL::Certificate.indirection.find(cn) ).to be_nil
-      end
-
-      before do
-        expect_to_sign_a_cert
-        expect_cert_does_not_exist(cn)
-      end
-
-      it "should return the created certificate" do
-        cert = ca.generate(cn)
-        expect( cert ).to be_kind_of(Puppet::SSL::Certificate)
-        expect( cert.name ).to eq(cn)
-      end
-
-      it "should not have any subject_alt_names by default" do
-        cert = ca.generate(cn)
-        expect( cert.subject_alt_names ).to be_empty
-      end
-
-      it "should have subject_alt_names if passed dns_alt_names" do
-        cert = ca.generate(cn, :dns_alt_names => 'foo,bar')
-        expect( cert.subject_alt_names ).to match_array(["DNS:#{cn}",'DNS:foo','DNS:bar'])
-      end
-
-      context "if autosign is false" do
-        before do
-          Puppet[:autosign] = false
-        end
-
-        it "should still generate and explicitly sign the request" do
-          cert = nil
-          cert = ca.generate(cn)
-          expect(cert.name).to eq(cn)
-        end
-      end
-
-      context "if autosign is true (Redmine #6112)" do
-        def run_mode_must_be_master_for_autosign_to_be_attempted
-          allow(Puppet).to receive(:run_mode).and_return(Puppet::Util::RunMode[:master])
-        end
-
-        before do
-          Puppet[:autosign] = true
-          run_mode_must_be_master_for_autosign_to_be_attempted
-          Puppet::Util::Log.level = :info
-        end
-
-        it "should generate a cert without attempting to sign again" do
-          cert = ca.generate(cn)
-          expect(cert.name).to eq(cn)
-          expect(@logs.map(&:message)).to include("Autosigning #{cn}")
-        end
-      end
-    end
-  end
-end
-end