puppet 6.10.1 → 6.11.0

data/spec/unit/http/resolver_spec.rb

@@ -0,0 +1,45 @@
+require 'spec_helper'
+require 'webmock/rspec'
+require 'puppet/http'
+
+describe Puppet::HTTP::Resolver do
+  let(:ssl_context) { Puppet::SSL::SSLContext.new }
+  let(:client) { Puppet::HTTP::Client.new(ssl_context: ssl_context) }
+  let(:session) { client.create_session }
+  let(:uri) { URI.parse('https://www.example.com') }
+
+  context 'when resolving using settings' do
+    let(:subject) { Puppet::HTTP::Resolver::Settings.new }
+
+    it 'yields a service based on the current ca_server and ca_port settings' do
+      Puppet[:ca_server] = 'ca.example.com'
+      Puppet[:ca_port] = 8141
+
+      subject.resolve(session, :ca) do |service|
+        expect(service).to be_an_instance_of(Puppet::HTTP::Service::Ca)
+        expect(service.url.to_s).to eq("https://ca.example.com:8141/puppet-ca/v1")
+      end
+    end
+  end
+
+  context 'when resolving using SRV' do
+    let(:dns) { double('dns') }
+    let(:subject) { Puppet::HTTP::Resolver::SRV.new(domain: 'example.com', dns: dns) }
+
+    def stub_srv(host, port)
+      srv = Resolv::DNS::Resource::IN::SRV.new(0, 0, port, host)
+      srv.instance_variable_set :@ttl, 3600
+
+      allow(dns).to receive(:getresources).with("_x-puppet-ca._tcp.example.com", Resolv::DNS::Resource::IN::SRV).and_return([srv])
+    end
+
+    it 'yields a service based on an SRV record' do
+      stub_srv('ca1.example.com', 8142)
+
+      subject.resolve(session, :ca) do |service|
+        expect(service).to be_an_instance_of(Puppet::HTTP::Service::Ca)
+        expect(service.url.to_s).to eq("https://ca1.example.com:8142/puppet-ca/v1")
+      end
+    end
+  end
+end

data/spec/unit/http/service/ca_spec.rb

@@ -0,0 +1,106 @@
+require 'spec_helper'
+require 'webmock/rspec'
+require 'puppet/http'
+
+describe Puppet::HTTP::Service::Ca do
+  let(:ssl_context) { Puppet::SSL::SSLContext.new }
+  let(:client) { Puppet::HTTP::Client.new(ssl_context: ssl_context) }
+  let(:base_url) { URI.parse('https://www.example.com') }
+  let(:subject) { described_class.new(client, base_url) }
+
+  context 'when getting certificates' do
+    let(:cert) { cert_fixture('ca.pem') }
+    let(:pem) { cert.to_pem }
+    let(:url) { "https://www.example.com/certificate/ca" }
+
+    it 'gets a certificate from the "certificate" endpoint' do
+      stub_request(:get, url).to_return(body: pem)
+
+      expect(subject.get_certificate('ca')).to eq(pem)
+    end
+
+    it 'accepts text/plain responses' do
+      stub_request(:get, url).with(headers: {'Accept' => 'text/plain'})
+
+      subject.get_certificate('ca')
+    end
+
+    it 'raises a response error if unsuccessful' do
+      stub_request(:get, url).to_return(status: [404, 'Not Found'])
+
+      expect {
+        subject.get_certificate('ca')
+      }.to raise_error do |err|
+        expect(err).to be_an_instance_of(Puppet::HTTP::ResponseError)
+        expect(err.message).to eq("Not Found")
+        expect(err.response.code).to eq(404)
+      end
+    end
+  end
+
+  context 'when getting CRLs' do
+    let(:crl) { crl_fixture('crl.pem') }
+    let(:pem) { crl.to_pem }
+    let(:url) { "https://www.example.com/certificate_revocation_list/ca" }
+
+    it 'gets a CRL from "certificate_revocation_list" endpoint' do
+      stub_request(:get, url).to_return(body: pem)
+
+      expect(subject.get_certificate_revocation_list).to eq(pem)
+    end
+
+    it 'accepts text/plain responses' do
+      stub_request(:get, url).with(headers: {'Accept' => 'text/plain'})
+
+      subject.get_certificate_revocation_list
+    end
+
+    it 'raises a response error if unsuccessful' do
+      stub_request(:get, url).to_return(status: [404, 'Not Found'])
+
+      expect {
+        subject.get_certificate_revocation_list
+      }.to raise_error do |err|
+        expect(err).to be_an_instance_of(Puppet::HTTP::ResponseError)
+        expect(err.message).to eq("Not Found")
+        expect(err.response.code).to eq(404)
+      end
+    end
+
+    it 'raises a 304 response error if it is unmodified' do
+      stub_request(:get, url).to_return(status: [304, 'Not Modified'])
+
+      expect {
+        subject.get_certificate_revocation_list(if_modified_since: Time.now)
+      }.to raise_error do |err|
+        expect(err).to be_an_instance_of(Puppet::HTTP::ResponseError)
+        expect(err.message).to eq("Not Modified")
+        expect(err.response.code).to eq(304)
+      end
+    end
+  end
+
+  context 'when submitting a CSR' do
+    let(:request) { request_fixture('request.pem') }
+    let(:pem) { request.to_pem }
+    let(:url) { "https://www.example.com/certificate_request/infinity" }
+
+    it 'submits a CSR to the "certificate_request" endpoint' do
+      stub_request(:put, url).with(body: pem, headers: { 'Content-Type' => 'text/plain' })
+
+      subject.put_certificate_request('infinity', request)
+    end
+
+    it 'raises response error if unsuccessful' do
+      stub_request(:put, url).to_return(status: [400, 'Bad Request'])
+
+      expect {
+        subject.put_certificate_request('infinity', request)
+      }.to raise_error do |err|
+        expect(err).to be_an_instance_of(Puppet::HTTP::ResponseError)
+        expect(err.message).to eq('Bad Request')
+        expect(err.response.code).to eq(400)
+      end
+    end
+  end
+end

data/spec/unit/http/service_spec.rb

@@ -0,0 +1,32 @@
+require 'spec_helper'
+require 'webmock/rspec'
+require 'puppet/http'
+
+describe Puppet::HTTP::Service do
+  let(:ssl_context) { Puppet::SSL::SSLContext.new }
+  let(:client) { Puppet::HTTP::Client.new(ssl_context: ssl_context) }
+  let(:url) { URI.parse('https://www.example.com') }
+  let(:service) { described_class.new(client, url) }
+
+  it "returns a URI containing the base URL and path" do
+    expect(service.with_base_url('/puppet/v3')).to eq(URI.parse("https://www.example.com/puppet/v3"))
+  end
+
+  it "doesn't modify frozen the base URL" do
+    service = described_class.new(client, url.freeze)
+    service.with_base_url('/puppet/v3')
+  end
+
+  it "connects to the base URL with a nil ssl context" do
+    expect(client).to receive(:connect).with(url, ssl_context: nil)
+
+    service.connect
+  end
+
+  it "accepts an optional ssl_context" do
+    other_ctx = Puppet::SSL::SSLContext.new
+    expect(client).to receive(:connect).with(url, ssl_context: other_ctx)
+
+    service.connect(ssl_context: other_ctx)
+  end
+end

data/spec/unit/http/session_spec.rb

@@ -0,0 +1,102 @@
+require 'spec_helper'
+require 'webmock/rspec'
+require 'puppet/http'
+
+describe Puppet::HTTP::Session do
+  let(:ssl_context) { Puppet::SSL::SSLContext.new }
+  let(:client) { Puppet::HTTP::Client.new(ssl_context: ssl_context) }
+  let(:uri) { URI.parse('https://www.example.com') }
+  let(:good_service) {
+    double('good', url: uri, connect: nil)
+  }
+  let(:bad_service) {
+    service = double('good', url: uri)
+    allow(service).to receive(:connect).and_raise(Puppet::HTTP::ConnectionError, 'whoops')
+    service
+  }
+
+  class DummyResolver
+    attr_reader :count
+
+    def initialize(service)
+      @service = service
+      @count = 0
+    end
+
+    def resolve(session, name, &block)
+      @count += 1
+      yield @service
+    end
+  end
+
+  context 'when routing' do
+    it 'returns the first resolved service' do
+      Puppet[:log_level] = :debug
+      resolvers = [DummyResolver.new(bad_service), DummyResolver.new(good_service)]
+      session = described_class.new(client, resolvers)
+      resolved = session.route_to(:ca)
+
+      expect(resolved).to eq(good_service)
+      expect(@logs).to include(an_object_having_attributes(level: :debug, message: "Connection to #{uri} failed, trying next route: whoops"))
+    end
+
+    it 'only resolves once per session' do
+      resolver = DummyResolver.new(good_service)
+      session = described_class.new(client, [resolver])
+      session.route_to(:ca)
+      session.route_to(:ca)
+
+      expect(resolver.count).to eq(1)
+    end
+
+    it 'raises if there are no more routes' do
+      resolvers = [DummyResolver.new(bad_service)]
+      session = described_class.new(client, resolvers)
+
+      expect {
+        session.route_to(:ca)
+      }.to raise_error(Puppet::HTTP::RouteError, 'No more routes to ca')
+    end
+
+    it 'accepts an ssl context to use when connecting' do
+      alt_context = Puppet::SSL::SSLContext.new
+      expect(good_service).to receive(:connect).with(ssl_context: alt_context)
+
+      resolvers = [DummyResolver.new(good_service)]
+      session = described_class.new(client, resolvers)
+      session.route_to(:ca, ssl_context: alt_context)
+    end
+
+    it 'raises for unknown service names' do
+      expect {
+        session = described_class.new(client, [])
+        session.route_to(:westbound)
+      }.to raise_error(ArgumentError, "Unknown service westbound")
+    end
+  end
+
+  context 'when creating services' do
+    let(:session) { described_class.new(client, []) }
+
+    it 'defaults the server and port based on settings' do
+      Puppet[:ca_server] = 'ca.example.com'
+      Puppet[:ca_port] = 8141
+      service = session.create_service(:ca)
+
+      expect(service.url.to_s).to eq("https://ca.example.com:8141/puppet-ca/v1")
+    end
+
+    it 'accepts server and port arguments' do
+      service = session.create_service(:ca, 'ca2.example.com', 8142)
+
+      expect(service.url.to_s).to eq("https://ca2.example.com:8142/puppet-ca/v1")
+    end
+
+    it 'raises for unknown service names' do
+      expect {
+        session = described_class.new(client, [])
+        session.create_service(:westbound)
+      }.to raise_error(ArgumentError, "Unknown service westbound")
+    end
+  end
+end

data/spec/unit/indirector/resource/ral_spec.rb

@@ -48,7 +48,7 @@ describe "Puppet::Resource::Ral" do
     end
 
     it "should convert ral resources into regular resources" do
-      my_resource = double("my user resource")
+      my_resource = double("my user resource", :title => "my user resource")
       my_instance = double("my user", :name => "root", :to_resource => my_resource)
 
       expect(Puppet::Type::User).to receive(:instances).and_return([ my_instance ])
@@ -56,7 +56,7 @@ describe "Puppet::Resource::Ral" do
     end
 
     it "should filter results by name if there's a name in the key" do
-      my_resource = double("my user resource")
+      my_resource = double("my user resource", title: "my user resource")
       allow(my_resource).to receive(:to_resource).and_return(my_resource)
       allow(my_resource).to receive(:[]).with(:name).and_return("root")
 
@@ -74,11 +74,11 @@ describe "Puppet::Resource::Ral" do
     end
 
     it "should filter results by query parameters" do
-      wrong_resource = double("my user resource")
+      wrong_resource = double("my user resource", title: "my user resource")
       allow(wrong_resource).to receive(:to_resource).and_return(wrong_resource)
       allow(wrong_resource).to receive(:[]).with(:name).and_return("root")
 
-      my_resource = double("wrong resource")
+      my_resource = double("wrong resource", title: "wrong resource")
       allow(my_resource).to receive(:to_resource).and_return(my_resource)
       allow(my_resource).to receive(:[]).with(:name).and_return("bob")
 

data/spec/unit/network/http/connection_spec.rb

@@ -4,10 +4,11 @@ require 'puppet_spec/validators'
 require 'puppet/test_ca'
 
 describe Puppet::Network::HTTP::Connection do
-  let (:host) { "me" }
-  let (:port) { 54321 }
+  let (:host) { "me.example.com" }
+  let (:port) { 8140 }
+  let (:url) { "https://#{host}:#{port}/foo" }
+
   subject { Puppet::Network::HTTP::Connection.new(host, port, :verify => Puppet::SSL::Validator.no_validator) }
-  let (:httpok) { Net::HTTPOK.new('1.1', 200, '') }
 
   context "when providing HTTP connections" do
     context "when initializing http instances" do
@@ -68,68 +69,48 @@ describe Puppet::Network::HTTP::Connection do
     end
   end
 
-  context "when handling requests", :vcr do
-    let (:host) { "my-server" }
-    let (:port) { 8140 }
-    let (:subject) { Puppet::Network::HTTP::Connection.new(host, port, :use_ssl => false, :verify => Puppet::SSL::Validator.no_validator) }
-
-    { :request_get  => {},
-      :request_head => {},
-      :request_post => "param: value" }.each do |method,body|
-      context "##{method}" do
-        it "should yield to the block" do
-          allow_any_instance_of(Net::HTTP).to receive(method) do |_, *_, &block|
-            block.call()
-            httpok
-          end
-
-          block_executed = false
-          subject.send(method, "/foo", body) do |response|
-            block_executed = true
-          end
-          expect(block_executed).to eq(true)
-        end
-      end
-    end
-  end
+  context "when handling requests" do
+    it 'yields the response when request_get is called' do
+      stub_request(:get, url)
 
-  context "when response is a redirect" do
-    let (:site)       { Puppet::Network::HTTP::Site.new('http', 'my_server', 8140) }
-    let (:other_site) { Puppet::Network::HTTP::Site.new('http', 'redirected', 9292) }
-    let (:other_path) { "other-path" }
-    let (:verify) { Puppet::SSL::Validator.no_validator }
-    let (:subject) { Puppet::Network::HTTP::Connection.new(site.host, site.port, :use_ssl => false, :verify => verify) }
-    let (:httpredirection) do
-      response = Net::HTTPFound.new('1.1', 302, 'Moved Temporarily')
-      response['location'] = "#{other_site.addr}/#{other_path}"
-      allow(response).to receive(:read_body).and_return("This resource has moved")
-      response
+      expect { |b|
+        subject.request_get('/foo', {}, &b)
+      }.to yield_with_args(Net::HTTPResponse)
     end
 
-    def create_connection(site, options)
-      options[:use_ssl] = site.use_ssl?
-      Puppet::Network::HTTP::Connection.new(site.host, site.port, options)
+    it 'yields the response when request_head is called' do
+      stub_request(:head, url)
+
+      expect { |b|
+        subject.request_head('/foo', {}, &b)
+      }.to yield_with_args(Net::HTTPResponse)
     end
 
-    it "should redirect to the final resource location" do
-      http = double('http')
-      allow(http).to receive(:request).and_return(httpredirection, httpok)
+    it 'yields the response when request_post is called' do
+      stub_request(:post, url)
 
-      pool = Puppet.lookup(:http_pool)
-      expect(pool).to receive(:with_connection).with(site, anything).and_yield(http).ordered
-      expect(pool).to receive(:with_connection).with(other_site, anything).and_yield(http).ordered
+      expect { |b|
+        subject.request_post('/foo', "param: value", &b)
+      }.to yield_with_args(Net::HTTPResponse)
+    end
+  end
+
+  context "when response is a redirect" do
+    def create_connection(options = {})
+      options[:use_ssl] = false
+      options[:verify] = Puppet::SSL::Validator.no_validator
+      Puppet::Network::HTTP::Connection.new(host, port, options)
+    end
 
-      conn = create_connection(site, :verify => verify)
-      conn.get('/foo')
+    def redirect_to(url)
+      { status: 302, headers: { 'Location' => url } }
     end
 
-    def expects_redirection(conn, &block)
-      http = double('http')
-      allow(http).to receive(:request).and_return(httpredirection)
+    it "should follow the redirect to the final resource location" do
+      stub_request(:get, "http://me.example.com:8140/foo").to_return(redirect_to("http://me.example.com:8140/bar"))
+      stub_request(:get, "http://me.example.com:8140/bar").to_return(status: 200)
 
-      pool = Puppet.lookup(:http_pool)
-      expect(pool).to receive(:with_connection).with(site, anything).and_yield(http)
-      pool
+      create_connection.get('/foo')
     end
 
     def expects_limit_exceeded(conn)
@@ -138,164 +119,157 @@ describe Puppet::Network::HTTP::Connection do
       }.to raise_error(Puppet::Network::HTTP::RedirectionLimitExceededException)
     end
 
-    it "should not redirect when the limit is 0" do
-      conn = create_connection(site, :verify => verify, :redirect_limit => 0)
-
-      pool = expects_redirection(conn)
-      expect(pool).not_to receive(:with_connection).with(other_site, anything)
+    it "should not follow any redirects when the limit is 0" do
+      stub_request(:get, "http://me.example.com:8140/").to_return(redirect_to("http://me.example.com:8140/foo"))
 
+      conn = create_connection(:redirect_limit => 0)
       expects_limit_exceeded(conn)
     end
 
-    it "should redirect only once" do
-      conn = create_connection(site, :verify => verify, :redirect_limit => 1)
-
-      pool = expects_redirection(conn)
-      expect(pool).to receive(:with_connection).with(other_site, anything).once
+    it "should follow the redirect once" do
+      stub_request(:get, "http://me.example.com:8140/").to_return(redirect_to("http://me.example.com:8140/foo"))
+      stub_request(:get, "http://me.example.com:8140/foo").to_return(redirect_to("http://me.example.com:8140/bar"))
 
+      conn = create_connection(:redirect_limit => 1)
       expects_limit_exceeded(conn)
     end
 
     it "should raise an exception when the redirect limit is exceeded" do
-      conn = create_connection(site, :verify => verify, :redirect_limit => 3)
-
-      pool = expects_redirection(conn)
-      expect(pool).to receive(:with_connection).with(other_site, anything).exactly(3).times
+      stub_request(:get, "http://me.example.com:8140/").to_return(redirect_to("http://me.example.com:8140/foo"))
+      stub_request(:get, "http://me.example.com:8140/foo").to_return(redirect_to("http://me.example.com:8140/bar"))
+      stub_request(:get, "http://me.example.com:8140/bar").to_return(redirect_to("http://me.example.com:8140/baz"))
+      stub_request(:get, "http://me.example.com:8140/baz").to_return(redirect_to("http://me.example.com:8140/qux"))
 
+      conn = create_connection(:redirect_limit => 3)
       expects_limit_exceeded(conn)
     end
   end
 
   context "when response indicates an overloaded server" do
-    let(:http) { double('http') }
-    let(:site) { Puppet::Network::HTTP::Site.new('http', 'my_server', 8140) }
-    let(:verify) { Puppet::SSL::Validator.no_validator }
-    let(:httpunavailable) { Net::HTTPServiceUnavailable.new('1.1', 503, 'Service Unavailable') }
-
-    subject { Puppet::Network::HTTP::Connection.new(site.host, site.port, :use_ssl => false, :verify => verify) }
-
-    context "when parsing Retry-After headers" do
-      # Private method. Create a reference that can be called by tests.
-      let(:header_parser) { subject.method(:parse_retry_after_header) }
-
-      it "returns 0 when parsing a RFC 2822 date that has passed" do
-        test_date = 'Wed, 13 Apr 2005 15:18:05 GMT'
-
-        expect(header_parser.call(test_date)).to eq(0)
-      end
+    def retry_after(datetime)
+      stub_request(:get, url)
+        .to_return(status: [503, 'Service Unavailable'], headers: {'Retry-After' => datetime}).then
+        .to_return(status: 200)
     end
 
     it "should return a 503 response if Retry-After is not set" do
-      allow(http).to receive(:request).and_return(httpunavailable)
-
-      pool = Puppet.lookup(:http_pool)
-      expect(pool).to receive(:with_connection).with(site, anything).and_yield(http)
+      stub_request(:get, url).to_return(status: [503, 'Service Unavailable'])
 
       result = subject.get('/foo')
-
-      expect(result.code).to eq(503)
+      expect(result.code).to eq("503")
     end
 
     it "should return a 503 response if Retry-After is not convertible to an Integer or RFC 2822 Date" do
-      httpunavailable['Retry-After'] = 'foo'
-      allow(http).to receive(:request).and_return(httpunavailable)
-
-      pool = Puppet.lookup(:http_pool)
-      expect(pool).to receive(:with_connection).with(site, anything).and_yield(http)
+      stub_request(:get, url).to_return(status: [503, 'Service Unavailable'], headers: {'Retry-After' => 'foo'})
 
       result = subject.get('/foo')
-
-      expect(result.code).to eq(503)
+      expect(result.code).to eq("503")
     end
 
     it "should sleep and retry if Retry-After is an Integer" do
-      httpunavailable['Retry-After'] = '42'
-      allow(http).to receive(:request).and_return(httpunavailable, httpok)
-
-      pool = Puppet.lookup(:http_pool)
-      expect(pool).to receive(:with_connection).with(site, anything).twice.and_yield(http)
+      retry_after('42')
 
       expect(::Kernel).to receive(:sleep).with(42)
 
       result = subject.get('/foo')
-
-      expect(result.code).to eq(200)
+      expect(result.code).to eq("200")
     end
 
     it "should sleep and retry if Retry-After is an RFC 2822 Date" do
-      httpunavailable['Retry-After'] = 'Wed, 13 Apr 2005 15:18:05 GMT'
-      allow(http).to receive(:request).and_return(httpunavailable, httpok)
+      retry_after('Wed, 13 Apr 2005 15:18:05 GMT')
 
       now = DateTime.new(2005, 4, 13, 8, 17, 5, '-07:00')
       allow(DateTime).to receive(:now).and_return(now)
 
-      pool = Puppet.lookup(:http_pool)
-      expect(pool).to receive(:with_connection).with(site, anything).twice.and_yield(http)
-
       expect(::Kernel).to receive(:sleep).with(60)
 
       result = subject.get('/foo')
-
-      expect(result.code).to eq(200)
+      expect(result.code).to eq("200")
     end
 
     it "should sleep for no more than the Puppet runinterval" do
-      httpunavailable['Retry-After'] = '60'
-      allow(http).to receive(:request).and_return(httpunavailable, httpok)
+      retry_after('60')
       Puppet[:runinterval] = 30
 
-      pool = Puppet.lookup(:http_pool)
-      expect(pool).to receive(:with_connection).with(site, anything).twice.and_yield(http)
-
       expect(::Kernel).to receive(:sleep).with(30)
 
       subject.get('/foo')
     end
-  end
 
-  it "allows setting basic auth on get requests" do
-    expect_request_with_basic_auth
+    it "should sleep for 0 seconds if the RFC 2822 date has past" do
+      retry_after('Wed, 13 Apr 2005 15:18:05 GMT')
+
+      expect(::Kernel).to receive(:sleep).with(0)
 
-    subject.get('/path', nil, :basic_auth => { :user => 'user', :password => 'password' })
+      subject.get('/foo')
+    end
   end
 
-  it "allows setting basic auth on post requests" do
-    expect_request_with_basic_auth
+  context "basic auth" do
+    let(:auth) { { :user => 'user', :password => 'password' } }
+    let(:creds) { [ 'user', 'password'] }
 
-    subject.post('/path', 'data', nil, :basic_auth => { :user => 'user', :password => 'password' })
-  end
+    it "is allowed in get requests" do
+      stub_request(:get, url).with(basic_auth: creds)
 
-  it "allows setting basic auth on head requests" do
-    expect_request_with_basic_auth
+      subject.get('/foo', nil, :basic_auth => auth)
+    end
 
-    subject.head('/path', nil, :basic_auth => { :user => 'user', :password => 'password' })
-  end
+    it "is allowed in post requests" do
+      stub_request(:post, url).with(basic_auth: creds)
 
-  it "allows setting basic auth on delete requests" do
-    expect_request_with_basic_auth
+      subject.post('/foo', 'data', nil, :basic_auth => auth)
+    end
 
-    subject.delete('/path', nil, :basic_auth => { :user => 'user', :password => 'password' })
-  end
+    it "is allowed in head requests" do
+      stub_request(:head, url).with(basic_auth: creds)
 
-  it "allows setting basic auth on put requests" do
-    expect_request_with_basic_auth
+      subject.head('/foo', nil, :basic_auth => auth)
+    end
 
-    subject.put('/path', 'data', nil, :basic_auth => { :user => 'user', :password => 'password' })
-  end
+    it "is allowed in delete requests" do
+      stub_request(:delete, url).with(basic_auth: creds)
 
-  def expect_request_with_basic_auth
-    expect_any_instance_of(Net::HTTP).to receive(:request) do |_, request|
-      expect(request['authorization']).to match(/^Basic/)
-    end.and_return(httpok)
+      subject.delete('/foo', nil, :basic_auth => auth)
+    end
+
+    it "is allowed in put requests" do
+      stub_request(:put, url).with(basic_auth: creds)
+
+      subject.put('/foo', 'data', nil, :basic_auth => auth)
+    end
   end
 
   it "sets HTTP User-Agent header" do
     puppet_ua = "Puppet/#{Puppet.version} Ruby/#{RUBY_VERSION}-p#{RUBY_PATCHLEVEL} (#{RUBY_PLATFORM})"
+    stub_request(:get, url).with(headers: { 'User-Agent' => puppet_ua })
 
-    expect_any_instance_of(Net::HTTP).to receive(:request) do |_, request|
-      expect(request['User-Agent']).to eq(puppet_ua)
-    end.and_return(httpok)
+    subject.get('/foo')
+  end
+
+  describe 'connection request errors' do
+    it "logs and raises generic http errors" do
+      generic_error = Net::HTTPError.new('generic error', double("response"))
+      stub_request(:get, url).to_raise(generic_error)
 
-    subject.get('/path')
+      expect(Puppet).to receive(:log_exception).with(anything, /^.*failed: generic error$/)
+      expect { subject.get('/foo') }.to raise_error(generic_error)
+    end
+
+    it "logs and raises timeout errors" do
+      timeout_error = Timeout::Error.new
+      stub_request(:get, url).to_raise(timeout_error)
+
+      expect(Puppet).to receive(:log_exception).with(anything, /^.*timed out after .* seconds$/)
+      expect { subject.get('/foo') }.to raise_error(timeout_error)
+    end
+
+    it "logs and raises eof errors" do
+      eof_error = EOFError
+      stub_request(:get, url).to_raise(eof_error)
+
+      expect(Puppet).to receive(:log_exception).with(anything, /^.*interrupted after .* seconds$/)
+      expect { subject.get('/foo') }.to raise_error(eof_error)
+    end
   end
 end