puppet 6.0.2-x64-mingw32 → 6.0.3-x64-mingw32

data/man/man5/puppet.conf.5

@@ -868,7 +868,7 @@ The time to wait for data to be read from an HTTP connection\. If nothing is rea
 The HTTP User\-Agent string to send when making network requests\.
 .
 .IP "\(bu" 4
-\fIDefault\fR: Puppet/6\.0\.2 Ruby/2\.4\.1\-p111 (x86_64\-linux)
+\fIDefault\fR: Puppet/6\.0\.3 Ruby/2\.4\.1\-p111 (x86_64\-linux)
 .
 .IP "" 0
 .
@@ -1056,6 +1056,13 @@ crit
 \fIDefault\fR: notice
 .
 .IP "" 0
+.
+.SS "logdest"
+Where to send log messages\. Choose between \'syslog\' (the POSIX syslog service), \'eventlog\' (the Windows Event Log), \'console\', or the path to a log file\.
+.
+.TP
+\fIDefault\fR:
+
 .
 .SS "logdir"
 The directory in which to store log files

data/man/man8/puppet-ssl.8

@@ -7,10 +7,26 @@
 \fBpuppet\-ssl\fR \- Manage SSL keys and certificates for puppet SSL clients
 .
 .SH "SYNOPSIS"
-Manage SSL keys and certificates for an SSL clients needed to communicate with a puppet infrastructure\.
+Manage SSL keys and certificates for SSL clients needing to communicate with a puppet infrastructure\.
 .
 .SH "USAGE"
-puppet ssl \fIaction\fR [\-\-certname \fINAME\fR]
+puppet ssl \fIaction\fR [\-h|\-\-help] [\-v|\-\-verbose] [\-d|\-\-debug] [\-\-localca]
+.
+.SH "OPTIONS"
+.
+.IP "\(bu" 4
+\-\-help: Print this help messsge\.
+.
+.IP "\(bu" 4
+\-\-verbose: Print extra information\.
+.
+.IP "\(bu" 4
+\-\-debug: Enable full debugging\.
+.
+.IP "\(bu" 4
+\-\-localca Also clean the local CA certificate and CRL\.
+.
+.IP "" 0
 .
 .SH "ACTIONS"
 .
@@ -25,4 +41,8 @@ Download a certificate for this host\. If the current private key matches the do
 .TP
 verify
 Verify the private key and certificate are present and match, verify the certificate is issued by a trusted CA, and check revocation status\.
+.
+.TP
+clean
+Remove the private key and certificate related files for this host\. If \fB\-\-localca\fR is specified, then also remove this host\'s local copy of the CA certificate(s) and CRL bundle\.
 

data/man/man8/puppet.8

@@ -25,4 +25,4 @@ Specialized:
 catalog Compile, save, view, and convert catalogs\. describe Display help about resource types device Manage remote network devices doc Generate Puppet references epp Interact directly with the EPP template parser/renderer\. facts Retrieve and store facts\. filebucket Store and retrieve files in a filebucket generate Generates Puppet code from Ruby definitions\. node View and manage node definitions\. parser Interact directly with the parser\. script Run a puppet manifests as a script without compiling a catalog ssl Manage SSL keys and certificates for puppet SSL clients
 .
 .P
-See \'puppet help \fIsubcommand\fR \fIaction\fR\' for help on a specific subcommand action\. See \'puppet help \fIsubcommand\fR\' for help on a specific subcommand\. Puppet v6\.0\.2
+See \'puppet help \fIsubcommand\fR \fIaction\fR\' for help on a specific subcommand action\. See \'puppet help \fIsubcommand\fR\' for help on a specific subcommand\. Puppet v6\.0\.3

data/spec/integration/parser/collection_spec.rb

@@ -12,6 +12,10 @@ describe 'collectors' do
     expect(messages).to include(*expected_messages)
   end
 
+  def warnings
+    @logs.select { |log| log.level == :warning }.map { |log| log.message }
+  end
+  
   context "virtual resource collection" do
     it "matches everything when no query given" do
       expect_the_message_to_be(["the other message", "the message"], <<-MANIFEST)
@@ -313,8 +317,6 @@ describe 'collectors' do
       end
 
       context 'when overriding an already evaluated resource' do
-        let(:logs) { [] }
-        let(:warnings) { logs.select { |log| log.level == :warning }.map { |log| log.message } }
         let(:manifest) { <<-MANIFEST }
           define foo($message) {
             notify { "testing": message => $message }
@@ -326,12 +328,6 @@ describe 'collectors' do
           delayed {'do it now': }
         MANIFEST
 
-        around(:each) do |example|
-          Puppet::Util::Log.with_destination(Puppet::Test::LogCollector.new(logs)) do
-            example.run
-          end
-        end
-
         it 'and --strict=off, it silently skips the override' do
           Puppet[:strict] = :off
           expect_the_message_to_be(['given'], manifest)

data/spec/integration/type/file_spec.rb

@@ -579,7 +579,7 @@ describe Puppet::Type.type(:file), :uses_checksums => true do
         if Puppet::Util::Platform.windows? && ['sha512', 'sha384'].include?(example.metadata[:digest_algorithm])
           skip "PUP-8257: Skip file bucket test on windows for #{example.metadata[:digest_algorithm]} due to long path names"
         end
-        
+
         bucket = Puppet::Type.type(:filebucket).new :path => tmpfile("filebucket"), :name => "mybucket"
         file = described_class.new({:path => tmpfile("bucket_backs"), :backup => "mybucket", :content => "foo", :force => true}.merge(resource_options))
         catalog.add_resource file
@@ -1283,7 +1283,7 @@ describe Puppet::Type.type(:file), :uses_checksums => true do
   describe "when sourcing" do
     it "should give a deprecation warning when the user sets source_permissions" do
       Puppet.expects(:puppet_deprecation_warning).with(
-        'The `source_permissions` parameter is deprecated. Explicitly set `owner`, `group`, and `mode`.', 
+        'The `source_permissions` parameter is deprecated. Explicitly set `owner`, `group`, and `mode`.',
         {:file => 'my/file.pp', :line => 5})
 
       catalog.add_resource described_class.new(:path => path, :content => 'this is content', :source_permissions => :use_when_creating)
@@ -1525,12 +1525,12 @@ describe Puppet::Type.type(:file), :uses_checksums => true do
               catalog.apply
             end
 
-            it "should allow the user to explicitly set the mode to 4" do
+            it "should not allow the user to explicitly set the mode to 4 ,and correct to 7" do
               system_aces = get_aces_for_path_by_sid(path, @sids[:system])
               expect(system_aces).not_to be_empty
 
               system_aces.each do |ace|
-                expect(ace.mask).to eq(Puppet::Util::Windows::File::FILE_GENERIC_READ)
+                expect(ace.mask).to eq(Puppet::Util::Windows::File::FILE_ALL_ACCESS)
               end
             end
 
@@ -1612,13 +1612,13 @@ describe Puppet::Type.type(:file), :uses_checksums => true do
                 catalog.apply
               end
 
-              it "should allow the user to explicitly set the mode to 4" do
+              it "should not allow the user to explicitly set the mode to 4, and correct to 7" do
                 system_aces = get_aces_for_path_by_sid(dir, @sids[:system])
                 expect(system_aces).not_to be_empty
 
                 system_aces.each do |ace|
                   # unlike files, Puppet sets execute bit on directories that are readable
-                  expect(ace.mask).to eq(Puppet::Util::Windows::File::FILE_GENERIC_READ | Puppet::Util::Windows::File::FILE_GENERIC_EXECUTE)
+                  expect(ace.mask).to eq(Puppet::Util::Windows::File::FILE_ALL_ACCESS)
                 end
               end
 

data/spec/integration/util/windows/security_spec.rb

@@ -285,10 +285,11 @@ describe "Puppet::Util::Windows::Security", :if => Puppet::Util::Platform.window
                     # access mask, and back to mode without loss of information
                     # (provided the owner and group are not the same)
                     next if ((u & g) != g) or ((g & o) != o)
-
-                    mode = (s << 9 | u << 6 | g << 3 | o << 0)
-                    winsec.set_mode(mode, path)
-                    expect(winsec.get_mode(path).to_s(8)).to eq(mode.to_s(8))
+                    applied_mode  = (s << 9 | u << 6 | g << 3 | o << 0)
+                    # SYSTEM must always be Full Control (7)
+                    expected_mode = (s << 9 | u << 6 | 7 << 3 | o << 0)
+                    winsec.set_mode(applied_mode, path)
+                    expect(winsec.get_mode(path).to_s(8)).to eq(expected_mode.to_s(8))
                   end
                 end
               end
@@ -634,9 +635,11 @@ describe "Puppet::Util::Windows::Security", :if => Puppet::Util::Platform.window
                   # access mask, and back to mode without loss of information
                   # (provided the owner and group are the same)
                   next if ((ug & o) != o)
-                  mode = (s << 9 | ug << 6 | ug << 3 | o << 0)
-                  winsec.set_mode(mode, path)
-                  expect(winsec.get_mode(path).to_s(8)).to eq(mode.to_s(8))
+                  applied_mode  = (s << 9 | ug << 6 | ug << 3 | o << 0)
+                  # SYSTEM must always be Full Control (7)
+                  expected_mode = (s << 9 | 7 << 6 | 7 << 3 | o << 0)
+                  winsec.set_mode(applied_mode, path)
+                  expect(winsec.get_mode(path).to_s(8)).to eq(expected_mode.to_s(8))
                 end
               end
             end

data/spec/integration/util/windows/user_spec.rb

@@ -6,54 +6,74 @@ describe "Puppet::Util::Windows::User", :if => Puppet::Util::Platform.windows? d
   describe "2003 without UAC" do
     before :each do
       Puppet::Util::Windows::Process.stubs(:windows_major_version).returns(5)
+      Puppet::Util::Windows::Process.stubs(:supports_elevated_security?).returns(false)
     end
 
     it "should be an admin if user's token contains the Administrators SID" do
       Puppet::Util::Windows::User.expects(:check_token_membership).returns(true)
-      Puppet::Util::Windows::Process.expects(:elevated_security?).never
 
       expect(Puppet::Util::Windows::User).to be_admin
     end
 
     it "should not be an admin if user's token doesn't contain the Administrators SID" do
       Puppet::Util::Windows::User.expects(:check_token_membership).returns(false)
-      Puppet::Util::Windows::Process.expects(:elevated_security?).never
 
       expect(Puppet::Util::Windows::User).not_to be_admin
     end
 
     it "should raise an exception if we can't check token membership" do
       Puppet::Util::Windows::User.expects(:check_token_membership).raises(Puppet::Util::Windows::Error, "Access denied.")
-      Puppet::Util::Windows::Process.expects(:elevated_security?).never
 
       expect { Puppet::Util::Windows::User.admin? }.to raise_error(Puppet::Util::Windows::Error, /Access denied./)
     end
   end
 
-  describe "2008 with UAC" do
+  context "2008 with UAC" do
     before :each do
       Puppet::Util::Windows::Process.stubs(:windows_major_version).returns(6)
+      Puppet::Util::Windows::Process.stubs(:supports_elevated_security?).returns(true)
     end
 
-    it "should be an admin if user is running with elevated privileges" do
-      Puppet::Util::Windows::Process.stubs(:elevated_security?).returns(true)
-      Puppet::Util::Windows::User.expects(:check_token_membership).never
+    describe "in local administrators group" do
+      before :each do
+        Puppet::Util::Windows::User.stubs(:check_token_membership).returns(true)
+      end
 
-      expect(Puppet::Util::Windows::User).to be_admin
-    end
+      it "should be an admin if user is running with elevated privileges" do
+        Puppet::Util::Windows::Process.stubs(:elevated_security?).returns(true)
 
-    it "should not be an admin if user is not running with elevated privileges" do
-      Puppet::Util::Windows::Process.stubs(:elevated_security?).returns(false)
-      Puppet::Util::Windows::User.expects(:check_token_membership).never
+        expect(Puppet::Util::Windows::User).to be_admin
+      end
 
-      expect(Puppet::Util::Windows::User).not_to be_admin
+      it "should not be an admin if user is not running with elevated privileges" do
+        Puppet::Util::Windows::Process.stubs(:elevated_security?).returns(false)
+
+        expect(Puppet::Util::Windows::User).not_to be_admin
+      end
+
+      it "should raise an exception if the process fails to open the process token" do
+        Puppet::Util::Windows::Process.stubs(:elevated_security?).raises(Puppet::Util::Windows::Error, "Access denied.")
+
+        expect { Puppet::Util::Windows::User.admin? }.to raise_error(Puppet::Util::Windows::Error, /Access denied./)
+      end
     end
 
-    it "should raise an exception if the process fails to open the process token" do
-      Puppet::Util::Windows::Process.stubs(:elevated_security?).raises(Puppet::Util::Windows::Error, "Access denied.")
-      Puppet::Util::Windows::User.expects(:check_token_membership).never
+    describe "not in local administrators group" do
+      before :each do
+        Puppet::Util::Windows::User.stubs(:check_token_membership).returns(false)
+      end
+
+      it "should not be an admin if user is running with elevated privileges" do
+        Puppet::Util::Windows::Process.stubs(:elevated_security?).returns(true)
 
-      expect { Puppet::Util::Windows::User.admin? }.to raise_error(Puppet::Util::Windows::Error, /Access denied./)
+        expect(Puppet::Util::Windows::User).not_to be_admin
+      end
+
+      it "should not be an admin if user is not running with elevated privileges" do
+        Puppet::Util::Windows::Process.stubs(:elevated_security?).returns(false)
+
+        expect(Puppet::Util::Windows::User).not_to be_admin
+      end
     end
   end
 

data/spec/lib/puppet/test_ca.rb

@@ -52,7 +52,7 @@ module Puppet
     def generate(name, opts)
       host_key = OpenSSL::PKey::RSA.new(1024)
       csr = create_csr(name, host_key)
-      sign(csr, opts)
+      { private_key: host_key, csr: csr, cert: sign(csr, opts).content }
     end
 
     private

data/spec/unit/agent_spec.rb

@@ -138,7 +138,7 @@ describe Puppet::Agent do
 
     it "should not fail if a client class instance cannot be created" do
       AgentTestClient.expects(:new).raises "eh"
-      Puppet.expects(:err)
+      Puppet.expects(:log_exception)
       @agent.run
     end
 
@@ -146,7 +146,7 @@ describe Puppet::Agent do
       client = AgentTestClient.new
       AgentTestClient.expects(:new).returns client
       client.expects(:run).raises "eh"
-      Puppet.expects(:err)
+      Puppet.expects(:log_exception)
       @agent.run
     end
 

data/spec/unit/application/apply_spec.rb

@@ -7,6 +7,8 @@ require 'puppet/configurer'
 require 'fileutils'
 
 describe Puppet::Application::Apply do
+  include PuppetSpec::Files
+
   before :each do
     @apply = Puppet::Application[:apply]
     Puppet::Util::Log.stubs(:newdestination)
@@ -91,6 +93,13 @@ describe Puppet::Application::Apply do
       @apply.setup
     end
 
+    it "sets the log destination if logdest is provided via settings" do
+      Puppet::Log.expects(:newdestination).with("set_via_config")
+      Puppet[:logdest] = "set_via_config"
+
+      @apply.setup
+    end
+
     it "should set INT trap" do
       Signal.expects(:trap).with(:INT)
 
@@ -172,8 +181,6 @@ describe Puppet::Application::Apply do
     end
 
     describe "the main command" do
-      include PuppetSpec::Files
-
       before :each do
         Puppet[:prerun_command] = ''
         Puppet[:postrun_command] = ''
@@ -492,6 +499,38 @@ describe Puppet::Application::Apply do
     end
   end
 
+  describe "when really executing" do
+    let(:testfile) { tmpfile('secret_file_name') }
+    let(:resourcefile) { tmpfile('resourcefile') }
+    let(:classfile) { tmpfile('classfile') }
+
+    it "should not expose sensitive data in the relationship file" do
+      @apply.options[:code] = <<-CODE
+        $secret = Sensitive('cat #{testfile}')
+
+        exec { 'do it':
+          command => $secret,
+          path    => '/bin/'
+        }
+      CODE
+
+      @apply.options[:write_catalog_summary] = true
+
+      Puppet.settings[:resourcefile] = resourcefile
+      Puppet.settings[:classfile] = classfile
+
+      #We don't actually need the resource to do anything, we are using it's properties in other parts of the workflow.
+      Puppet::Util::Execution.stubs(:execute)
+
+      expect { @apply.main }.to exit_with 0
+
+      result = File.read(resourcefile)
+
+      expect(result).not_to match(/secret_file_name/)
+      expect(result).to match(/do it/)
+    end
+  end
+
   describe "apply_catalog" do
     it "should call the configurer with the catalog" do
       catalog = "I am a catalog"

data/spec/unit/application/face_base_spec.rb

@@ -416,7 +416,7 @@ EOT
       # it, but this helps us fail if that slips up and all. --daniel 2011-04-27
       Puppet::Face[:help, :current].expects(:help).never
 
-      Puppet.expects(:err).with("Could not parse application options: I don't know how to render 'interpretive-dance'")
+      Puppet.expects(:send_log).with(:err, "Could not parse application options: I don't know how to render 'interpretive-dance'")
 
       expect { app.run }.to exit_with(1)
     end

data/spec/unit/application/ssl_spec.rb

@@ -2,88 +2,22 @@ require 'spec_helper'
 require 'puppet/application/ssl'
 require 'webmock/rspec'
 require 'openssl'
+require 'puppet/test_ca'
 
 describe Puppet::Application::Ssl, unless: Puppet::Util::Platform.jruby? do
-  let(:ssl) { Puppet::Application[:ssl] }
-  let(:name) { 'ssl-client' }
-
-  def generate_cert(name, issuer = nil, issuer_key = nil)
-    # generate CA key pair
-    private_key = OpenSSL::PKey::RSA.new(512)
-    public_key = private_key.public_key
-
-    # generate CSR
-    csr = OpenSSL::X509::Request.new
-    csr.version = 0
-    csr.subject = OpenSSL::X509::Name.new([["CN", name]])
-    csr.public_key = public_key
-    csr.sign(private_key, OpenSSL::Digest::SHA256.new)
-
-    # is it self-signed?
-    issuer ||= csr.subject
-    issuer_key ||= private_key
-
-    # issue cert
-    cert = OpenSSL::X509::Certificate.new
-    cert.version    = 2 # X509v3
-    cert.subject    = csr.subject
-    cert.issuer     = issuer
-    cert.public_key = csr.public_key
-    cert.serial     = 1
-    cert.not_before = Time.now - (60*60*24)
-    cert.not_after  = Time.now + (60*60*24)
-
-    # Ugly hack, but we need to make sure the CA cert has the proper
-    # X509v3 Basic Constraints to be a valid CA certificate.
-    if name == 'ca'
-      extension_factory = OpenSSL::X509::ExtensionFactory.new
-      extension_factory.subject_certificate = cert
-      extension_factory.issuer_certificate = cert
-
-      extensions = {
-        "keyUsage"         => [%w{cRLSign keyCertSign}, true],
-        "basicConstraints" => ["CA:TRUE", true],
-      }
-
-      cert.extensions = extensions.map do |oid, (val, crit)|
-        val = val.join(', ') unless val.is_a? String
-
-        if Puppet::SSL::Oids.subtree_of?('id-ce', oid) or Puppet::SSL::Oids.subtree_of?('id-pkix', oid)
-          # Attempt to create a X509v3 certificate extension. Standard certificate
-          # extensions may need access to the associated subject certificate and
-          # issuing certificate, so must be created by the OpenSSL::X509::ExtensionFactory
-          # which provides that context.
-          extension_factory.create_ext(oid, val, crit)
-        else
-          # This is not an X509v3 extension which means that the extension
-          # factory cannot generate it. We need to generate the extension
-          # manually.
-          OpenSSL::X509::Extension.new(oid, OpenSSL::ASN1::UTF8String.new(val).to_der, crit)
-        end
-      end
-    end
-
-    cert.sign(issuer_key, OpenSSL::Digest::SHA256.new)
-
-    {:private_key => private_key, :csr => csr, :cert => cert}
-  end
-
-  def generate_crl(name, issuer, issuer_key)
-    crl = OpenSSL::X509::CRL.new
-    crl.version = 1
-    crl.issuer = issuer
-    crl.last_update = Time.now - (60*60*24)
-    crl.next_update =  Time.now + (60*60*24)
-    crl.extensions = [OpenSSL::X509::Extension.new('crlNumber', OpenSSL::ASN1::Integer(0))]
-    crl.sign(issuer_key, OpenSSL::Digest::SHA256.new)
-
-    crl
+  let(:ssl) do
+    app = Puppet::Application[:ssl]
+    app.options[:verbose] = true
+    app.setup_logs
+    app
   end
+  let(:name) { 'ssl-client' }
 
   before :all do
-    @ca = generate_cert('ca')
-    @crl = generate_crl('ca', @ca[:cert].subject, @ca[:private_key])
-    @host = generate_cert('ssl-client', @ca[:cert].subject, @ca[:private_key])
+    @ca = Puppet::TestCa.new
+    @ca_cert = @ca.ca_cert
+    @crl = @ca.ca_crl
+    @host = @ca.generate('ssl-client', {})
   end
 
   before do
@@ -93,7 +27,7 @@ describe Puppet::Application::Ssl, unless: Puppet::Util::Platform.jruby? do
     Puppet[:certname] = name
 
     # Host assumes ca cert and crl are present
-    File.open(Puppet[:localcacert], 'w') { |f| f.write(@ca[:cert].to_pem) }
+    File.open(Puppet[:localcacert], 'w') { |f| f.write(@ca_cert.to_pem) }
     File.open(Puppet[:hostcrl], 'w') { |f| f.write(@crl.to_pem) }
 
     # Setup our ssl client
@@ -101,25 +35,31 @@ describe Puppet::Application::Ssl, unless: Puppet::Util::Platform.jruby? do
     File.open(Puppet[:hostpubkey], 'w') { |f| f.write(@host[:private_key].public_key.to_pem) }
   end
 
-  def expects_command_to_output(expected_message = nil, code = 0)
+  def expects_command_to_pass(expected_output = nil)
+    expect {
+      ssl.run_command
+    }.to have_printed(expected_output)
+  end
+
+  def expects_command_to_fail(message)
     expect {
       expect {
         ssl.run_command
-      }.to exit_with(code)
-    }.to output(expected_message).to_stdout
+      }.to raise_error(Puppet::Error, message)
+    }.to have_printed(/.*/) # ignore output
   end
 
   shared_examples_for 'an ssl action' do
     it 'downloads the CA bundle first when missing' do
       File.delete(Puppet[:localcacert])
-      stub_request(:get, %r{puppet-ca/v1/certificate/ca}).to_return(status: 200, body: @ca[:cert].to_pem)
+      stub_request(:get, %r{puppet-ca/v1/certificate/ca}).to_return(status: 200, body: @ca.ca_cert.to_pem)
       stub_request(:get, %r{puppet-ca/v1/certificate_request/#{name}}).to_return(status: 404)
       stub_request(:put, %r{puppet-ca/v1/certificate_request/#{name}}).to_return(status: 200)
-      stub_request(:get, %r{puppet-ca/v1/certificate/#{name}}).to_return(status: 404)
+      stub_request(:get, %r{puppet-ca/v1/certificate/#{name}}).to_return(status: 200, body: @host[:cert].to_pem)
 
-      expects_command_to_output
+      expects_command_to_pass
 
-      expect(File.read(Puppet[:localcacert])).to eq(@ca[:cert].to_pem)
+      expect(File.read(Puppet[:localcacert])).to eq(@ca.ca_cert.to_pem)
     end
 
     it 'downloads the CRL bundle first when missing' do
@@ -127,23 +67,29 @@ describe Puppet::Application::Ssl, unless: Puppet::Util::Platform.jruby? do
       stub_request(:get, %r{puppet-ca/v1/certificate_revocation_list/ca}).to_return(status: 200, body: @crl.to_pem)
       stub_request(:get, %r{puppet-ca/v1/certificate_request/#{name}}).to_return(status: 404)
       stub_request(:put, %r{puppet-ca/v1/certificate_request/#{name}}).to_return(status: 200)
-      stub_request(:get, %r{puppet-ca/v1/certificate/#{name}}).to_return(status: 404)
+      stub_request(:get, %r{puppet-ca/v1/certificate/#{name}}).to_return(status: 200, body: @host[:cert].to_pem)
 
-      expects_command_to_output
+      expects_command_to_pass
 
       expect(File.read(Puppet[:hostcrl])).to eq(@crl.to_pem)
     end
   end
 
+  it 'uses the agent run mode' do
+    # make sure the ssl app resolves certname, server, etc
+    # the same way the agent application does
+    expect(ssl.class.run_mode.name).to eq(:agent)
+  end
+
   context 'when generating help' do
-    it 'prints usage when no arguments are specified' do
+    it 'prints a message when an unknown action is specified' do
       ssl.command_line.args << 'whoops'
 
-      expects_command_to_output(/Unknown action 'whoops'/, 1)
+      expects_command_to_fail(/Unknown action 'whoops'/)
     end
 
-    it 'rejects unknown actions' do
-      expects_command_to_output(/^puppet-ssl.*SYNOPSIS/m, 1)
+    it 'prints a message requiring an action to be specified' do
+      expects_command_to_fail(/An action must be specified/)
     end
   end
 
@@ -161,7 +107,7 @@ describe Puppet::Application::Ssl, unless: Puppet::Util::Platform.jruby? do
       stub_request(:put, %r{puppet-ca/v1/certificate_request/#{name}}).to_return(status: 200)
       stub_request(:get, %r{puppet-ca/v1/certificate/#{name}}).to_return(status: 404)
 
-      expects_command_to_output(%r{Submitted certificate request for '#{name}' to https://.*}, 0)
+      expects_command_to_pass(%r{Submitted certificate request for '#{name}' to https://.*})
 
       expect(Puppet::FileSystem).to be_exist(csr_path)
     end
@@ -171,13 +117,13 @@ describe Puppet::Application::Ssl, unless: Puppet::Util::Platform.jruby? do
       stub_request(:put, %r{puppet-ca/v1/certificate_request/#{name}}).to_return(status: 200)
       stub_request(:get, %r{puppet-ca/v1/certificate/#{name}}).to_return(status: 404)
 
-      expects_command_to_output(%r{Submitted certificate request for '#{name}' to https://.*}, 0)
+      expects_command_to_pass(%r{Submitted certificate request for '#{name}' to https://.*})
 
       stub_request(:get, %r{puppet-ca/v1/certificate_request/#{name}}).to_return(status: 200, body: @host[:csr].to_pem)
       #  we skip :put
       stub_request(:get, %r{puppet-ca/v1/certificate/#{name}}).to_return(status: 404)
 
-      expects_command_to_output
+      expects_command_to_pass
     end
 
     it "warns if the local CSR doesn't match the local public key, and submits a new CSR" do
@@ -199,7 +145,7 @@ describe Puppet::Application::Ssl, unless: Puppet::Util::Platform.jruby? do
 
       Puppet.stubs(:warning) # ignore unrelated warnings
       Puppet.expects(:warning).with("The local CSR does not match the agent's public key. Generating a new CSR.")
-      expects_command_to_output(%r{Submitted certificate request for '#{name}' to https://.*}, 0)
+      expects_command_to_pass(%r{Submitted certificate request for '#{name}' to https://.*})
     end
 
     it 'downloads the certificate when autosigning is enabled' do
@@ -207,7 +153,7 @@ describe Puppet::Application::Ssl, unless: Puppet::Util::Platform.jruby? do
       stub_request(:put, %r{puppet-ca/v1/certificate_request/#{name}}).to_return(status: 200)
       stub_request(:get, %r{puppet-ca/v1/certificate/#{name}}).to_return(status: 200, body: @host[:cert].to_pem)
 
-      expects_command_to_output(%r{Submitted certificate request for '#{name}' to https://.*}, 0)
+      expects_command_to_pass(%r{Submitted certificate request for '#{name}' to https://.*})
 
       expect(Puppet::FileSystem).to be_exist(Puppet[:hostcert])
     end
@@ -219,7 +165,7 @@ describe Puppet::Application::Ssl, unless: Puppet::Util::Platform.jruby? do
       stub_request(:put, %r{puppet-ca/v1/certificate_request/#{name}}).to_return(status: 200)
       stub_request(:get, %r{puppet-ca/v1/certificate/#{name}}).to_return(status: 404)
 
-      expects_command_to_output
+      expects_command_to_pass
 
       csr = Puppet::SSL::CertificateRequest.new(name)
       csr.read(csr_path)
@@ -237,7 +183,7 @@ describe Puppet::Application::Ssl, unless: Puppet::Util::Platform.jruby? do
     it 'downloads a new cert' do
       stub_request(:get, %r{puppet-ca/v1/certificate/#{name}}).to_return(status: 200, body: @host[:cert].to_pem)
 
-      expects_command_to_output(%r{Downloaded certificate '#{name}' with fingerprint .*})
+      expects_command_to_pass(%r{Downloaded certificate '#{name}' with fingerprint .*})
 
       expect(File.read(Puppet[:hostcert])).to eq(@host[:cert].to_pem)
     end
@@ -247,7 +193,7 @@ describe Puppet::Application::Ssl, unless: Puppet::Util::Platform.jruby? do
 
       stub_request(:get, %r{puppet-ca/v1/certificate/#{name}}).to_return(status: 200, body: @host[:cert].to_pem)
 
-      expects_command_to_output(%r{Downloaded certificate '#{name}' with fingerprint .*})
+      expects_command_to_pass(%r{Downloaded certificate '#{name}' with fingerprint .*})
 
       expect(File.read(Puppet[:hostcert])).to eq(@host[:cert].to_pem)
     end
@@ -262,13 +208,15 @@ describe Puppet::Application::Ssl, unless: Puppet::Util::Platform.jruby? do
 
       stub_request(:get, %r{puppet-ca/v1/certificate/#{name}}).to_return(status: 200, body: @host[:cert].to_pem)
 
-      expects_command_to_output(%r{^Failed to download certificate: The certificate retrieved from the master does not match the agent's private key. Did you forget to run as root?}, 1)
+      expects_command_to_fail(
+        %r{^Failed to download certificate: The certificate retrieved from the master does not match the agent's private key. Did you forget to run as root?}
+      )
     end
 
     it "prints a message if there isn't a cert to download" do
       stub_request(:get, %r{puppet-ca/v1/certificate/#{name}}).to_return(status: 404)
 
-      expects_command_to_output(/No certificate for '#{name}' on CA/)
+      expects_command_to_fail(/The certificate for '#{name}' has not yet been signed/)
     end
   end
 
@@ -282,13 +230,13 @@ describe Puppet::Application::Ssl, unless: Puppet::Util::Platform.jruby? do
     it 'reports if the key is missing' do
       File.delete(Puppet[:hostprivkey])
 
-      expects_command_to_output(/The host's private key is missing/, 1)
+      expects_command_to_fail(/The host's private key is missing/)
     end
 
     it 'reports if the cert is missing' do
       File.delete(Puppet[:hostcert])
 
-      expects_command_to_output(/The host's certificate is missing/, 1)
+      expects_command_to_fail(/The host's certificate is missing/)
     end
 
     it 'reports if the key and cert are mismatched' do
@@ -298,25 +246,127 @@ describe Puppet::Application::Ssl, unless: Puppet::Util::Platform.jruby? do
       File.open(Puppet[:hostprivkey], 'w') { |f| f.write(private_key.to_pem) }
       File.open(Puppet[:hostpubkey], 'w') { |f| f.write(public_key.to_pem) }
 
-      expects_command_to_output(/The host's key does not match the certificate/, 1)
+      expects_command_to_fail(/The host's key does not match the certificate/)
     end
 
     it 'reports if the cert verification fails' do
       # generate a new CA to force an error
-      ca = generate_cert('ca')
-      File.open(Puppet[:localcacert], 'w') { |f| f.write(ca[:cert].to_pem) }
+      new_ca = Puppet::TestCa.new
+      File.open(Puppet[:localcacert], 'w') { |f| f.write(new_ca.ca_cert.to_pem) }
 
       # and CRL for that CA
-      crl = generate_crl('ca', ca[:cert].subject, ca[:private_key])
-      File.open(Puppet[:hostcrl], 'w') { |f| f.write(crl.to_pem) }
+      File.open(Puppet[:hostcrl], 'w') { |f| f.write(new_ca.ca_crl.to_pem) }
 
-      expects_command_to_output(/Failed to verify certificate '#{name}': certificate signature failure \(7\)/, 1)
+      expects_command_to_fail(
+        /Failed to verify certificate '#{name}': certificate signature failure \(7\)/
+      )
     end
 
     it 'reports when verification succeeds' do
       OpenSSL::X509::Store.any_instance.stubs(:verify).returns(true)
 
-      expects_command_to_output(/Verified certificate '#{name}'/, 0)
+      expects_command_to_pass(/Verified certificate '#{name}'/)
+    end
+  end
+
+  context 'when cleaning' do
+    before do
+      ssl.command_line.args << 'clean'
+    end
+
+    it 'deletes the hostcert' do
+      File.open(Puppet[:hostcert], 'w') { |f| f.write(@host[:cert].to_pem) }
+
+      expects_command_to_pass(%r{Removed certificate #{Puppet[:cert]}})
+    end
+
+    it 'deletes the private key' do
+      File.open(Puppet[:hostprivkey], 'w') { |f| f.write(@host[:private_key].to_pem) }
+
+      expects_command_to_pass(%r{Removed private key #{Puppet[:hostprivkey]}})
+    end
+
+    it 'deletes the public key' do
+      File.open(Puppet[:hostpubkey], 'w') { |f| f.write(@host[:private_key].public_key.to_pem) }
+
+      expects_command_to_pass(%r{Removed public key #{Puppet[:hostpubkey]}})
+    end
+
+    it 'deletes the request' do
+      File.open(Puppet[:hostcsr], 'w') { |f| f.write(@host[:csr].to_pem) }
+
+      expects_command_to_pass(%r{Removed certificate request #{Puppet[:hostcsr]}})
+    end
+
+    it 'deletes the passfile' do
+      File.open(Puppet[:passfile], 'w') { |_| }
+
+      expects_command_to_pass(%r{Removed private key password file #{Puppet[:passfile]}})
+    end
+
+    it 'skips files that do not exist' do
+      File.delete(Puppet[:hostprivkey])
+
+      expect {
+        ssl.run_command
+      }.to_not output(%r{Removed private key #{Puppet[:hostprivkey]}}).to_stdout
+    end
+
+    it "raises if we fail to retrieve server's cert that we're about to clean" do
+      Puppet[:certname] = name
+      Puppet[:server] = name
+
+      stub_request(:get, %r{puppet-ca/v1/certificate/#{name}}).to_raise(Errno::ECONNREFUSED)
+
+      expects_command_to_fail(%r{Failed to connect to the CA to determine if certificate #{name} has been cleaned})
+    end
+
+    context 'when deleting local CA' do
+      before do
+        ssl.command_line.args << '--localca'
+        ssl.parse_options
+      end
+
+      it 'deletes the local CA cert' do
+        File.open(Puppet[:localcacert], 'w') { |f| f.write(@ca_cert.to_pem) }
+
+        expects_command_to_pass(%r{Removed local CA certificate #{Puppet[:localcacert]}})
+      end
+
+      it 'deletes the local CRL' do
+        File.open(Puppet[:hostcrl], 'w') { |f| f.write(@crl.to_pem) }
+
+        expects_command_to_pass(%r{Removed local CRL #{Puppet[:hostcrl]}})
+      end
+    end
+
+    context 'on the puppetserver host' do
+      before :each do
+        Puppet[:certname] = 'puppetserver'
+        Puppet[:server] = 'puppetserver'
+      end
+
+      it "prints an error when the CA is local and the CA has not cleaned its cert" do
+        stub_request(:get, %r{puppet-ca/v1/certificate/puppetserver}).to_return(status: 200, body: @host[:cert].to_pem)
+
+        expects_command_to_fail(%r{The certificate puppetserver must be cleaned from the CA first})
+      end
+
+      it "cleans the cert when the CA is local and the CA has already cleaned its cert" do
+        File.open(Puppet[:hostcert], 'w') { |f| f.write(@host[:cert].to_pem) }
+
+        stub_request(:get, %r{puppet-ca/v1/certificate/puppetserver}).to_return(status: 404)
+
+        expects_command_to_pass(%r{Removed certificate .*puppetserver.pem})
+      end
+
+      it "cleans the cert when run on a puppetserver that isn't the CA" do
+        File.open(Puppet[:hostcert], 'w') { |f| f.write(@host[:cert].to_pem) }
+
+        Puppet[:ca_server] = 'caserver'
+
+        expects_command_to_pass(%r{Removed certificate .*puppetserver.pem})
+      end
     end
   end
 end