puppet 6.11.1-x64-mingw32 → 6.16.0-x64-mingw32

data/spec/unit/util/plist_spec.rb

@@ -1,3 +1,5 @@
+# coding: utf-8
+
 require 'spec_helper'
 require 'puppet/util/plist'
 require 'puppet_spec/files'
@@ -52,6 +54,19 @@ describe Puppet::Util::Plist, :if => Puppet.features.cfpropertylist? do
     </dict>
     </plist>'
   end
+  let(:ascii_xml_plist) do
+    '<?xml version="1.0" encoding="UTF-8"?>
+     <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+     <plist version="1.0">
+     <dict>
+       <key>RecordName</key>
+         <array>
+           <string>Timișoara</string>
+           <string>Tōkyō</string>
+         </array>
+     </dict>
+     </plist>'.force_encoding(Encoding::US_ASCII)
+  end
   let(:non_plist_data) do
     "Take my love, take my land
      Take me where I cannot stand
@@ -62,6 +77,7 @@ describe Puppet::Util::Plist, :if => Puppet.features.cfpropertylist? do
     "\xCF\xFA\xED\xFE\a\u0000\u0000\u0001\u0003\u0000\u0000\x80\u0002\u0000\u0000\u0000\u0012\u0000\u0000\u0000\b"
   end
   let(:valid_xml_plist_hash) { {"LastUsedPrinters"=>[{"Network"=>"10.85.132.1", "PrinterID"=>"baskerville_corp_puppetlabs_net"}, {"Network"=>"10.14.96.1", "PrinterID"=>"Statler"}]} }
+  let(:ascii_xml_plist_hash) { {"RecordName"=>["Timișoara", "Tōkyō"]} }
   let(:plist_path) { file_containing('sample.plist', valid_xml_plist) }
   let(:binary_plist_magic_number) { 'bplist00' }
   let(:bad_xml_doctype) { '<!DOCTYPE plist PUBLIC -//Apple Computer' }
@@ -132,6 +148,10 @@ describe Puppet::Util::Plist, :if => Puppet.features.cfpropertylist? do
       expect(subject.parse_plist(valid_xml_plist)).to eq(valid_xml_plist_hash)
     end
 
+    it "returns a valid hash when an ASCII XML plist is provided" do
+      expect(subject.parse_plist(ascii_xml_plist)).to eq(ascii_xml_plist_hash)
+    end
+
     it "raises a debug message and replaces a bad XML plist doctype should one be encountered" do
       expect(subject).to receive(:new_cfpropertylist).with({:data => good_xml_doctype}).and_return('plist_object')
       allow(subject).to receive(:convert_cfpropertylist_to_native_types).with('plist_object')

data/spec/unit/util/rpm_compare_spec.rb

@@ -0,0 +1,196 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+require 'puppet/util/rpm_compare'
+
+describe Puppet::Util::RpmCompare do
+  class RpmTest
+    extend Puppet::Util::RpmCompare
+  end
+
+  describe '.rpmvercmp' do
+    # test cases munged directly from rpm's own
+    # tests/rpmvercmp.at
+    it { expect(RpmTest.rpmvercmp('1.0', '1.0')).to eq(0) }
+    it { expect(RpmTest.rpmvercmp('1.0', '2.0')).to eq(-1) }
+    it { expect(RpmTest.rpmvercmp('2.0', '1.0')).to eq(1) }
+    it { expect(RpmTest.rpmvercmp('2.0.1', '2.0.1')).to eq(0) }
+    it { expect(RpmTest.rpmvercmp('2.0', '2.0.1')).to eq(-1) }
+    it { expect(RpmTest.rpmvercmp('2.0.1', '2.0')).to eq(1) }
+    it { expect(RpmTest.rpmvercmp('2.0.1a', '2.0.1a')).to eq(0) }
+    it { expect(RpmTest.rpmvercmp('2.0.1a', '2.0.1')).to eq(1) }
+    it { expect(RpmTest.rpmvercmp('2.0.1', '2.0.1a')).to eq(-1) }
+    it { expect(RpmTest.rpmvercmp('5.5p1', '5.5p1')).to eq(0) }
+    it { expect(RpmTest.rpmvercmp('5.5p1', '5.5p2')).to eq(-1) }
+    it { expect(RpmTest.rpmvercmp('5.5p2', '5.5p1')).to eq(1) }
+    it { expect(RpmTest.rpmvercmp('5.5p10', '5.5p10')).to eq(0) }
+    it { expect(RpmTest.rpmvercmp('5.5p1', '5.5p10')).to eq(-1) }
+    it { expect(RpmTest.rpmvercmp('5.5p10', '5.5p1')).to eq(1) }
+    it { expect(RpmTest.rpmvercmp('10xyz', '10.1xyz')).to eq(-1) }
+    it { expect(RpmTest.rpmvercmp('10.1xyz', '10xyz')).to eq(1) }
+    it { expect(RpmTest.rpmvercmp('xyz10', 'xyz10')).to eq(0) }
+    it { expect(RpmTest.rpmvercmp('xyz10', 'xyz10.1')).to eq(-1) }
+    it { expect(RpmTest.rpmvercmp('xyz10.1', 'xyz10')).to eq(1) }
+    it { expect(RpmTest.rpmvercmp('xyz.4', 'xyz.4')).to eq(0) }
+    it { expect(RpmTest.rpmvercmp('xyz.4', '8')).to eq(-1) }
+    it { expect(RpmTest.rpmvercmp('8', 'xyz.4')).to eq(1) }
+    it { expect(RpmTest.rpmvercmp('xyz.4', '2')).to eq(-1) }
+    it { expect(RpmTest.rpmvercmp('2', 'xyz.4')).to eq(1) }
+    it { expect(RpmTest.rpmvercmp('5.5p2', '5.6p1')).to eq(-1) }
+    it { expect(RpmTest.rpmvercmp('5.6p1', '5.5p2')).to eq(1) }
+    it { expect(RpmTest.rpmvercmp('5.6p1', '6.5p1')).to eq(-1) }
+    it { expect(RpmTest.rpmvercmp('6.5p1', '5.6p1')).to eq(1) }
+    it { expect(RpmTest.rpmvercmp('6.0.rc1', '6.0')).to eq(1) }
+    it { expect(RpmTest.rpmvercmp('6.0', '6.0.rc1')).to eq(-1) }
+    it { expect(RpmTest.rpmvercmp('10b2', '10a1')).to eq(1) }
+    it { expect(RpmTest.rpmvercmp('10a2', '10b2')).to eq(-1) }
+    it { expect(RpmTest.rpmvercmp('1.0aa', '1.0aa')).to eq(0) }
+    it { expect(RpmTest.rpmvercmp('1.0a', '1.0aa')).to eq(-1) }
+    it { expect(RpmTest.rpmvercmp('1.0aa', '1.0a')).to eq(1) }
+    it { expect(RpmTest.rpmvercmp('10.0001', '10.0001')).to eq(0) }
+    it { expect(RpmTest.rpmvercmp('10.0001', '10.1')).to eq(0) }
+    it { expect(RpmTest.rpmvercmp('10.1', '10.0001')).to eq(0) }
+    it { expect(RpmTest.rpmvercmp('10.0001', '10.0039')).to eq(-1) }
+    it { expect(RpmTest.rpmvercmp('10.0039', '10.0001')).to eq(1) }
+    it { expect(RpmTest.rpmvercmp('4.999.9', '5.0')).to eq(-1) }
+    it { expect(RpmTest.rpmvercmp('5.0', '4.999.9')).to eq(1) }
+    it { expect(RpmTest.rpmvercmp('20101121', '20101121')).to eq(0) }
+    it { expect(RpmTest.rpmvercmp('20101121', '20101122')).to eq(-1) }
+    it { expect(RpmTest.rpmvercmp('20101122', '20101121')).to eq(1) }
+    it { expect(RpmTest.rpmvercmp('2_0', '2_0')).to eq(0) }
+    it { expect(RpmTest.rpmvercmp('2.0', '2_0')).to eq(0) }
+    it { expect(RpmTest.rpmvercmp('2_0', '2.0')).to eq(0) }
+    it { expect(RpmTest.rpmvercmp('a', 'a')).to eq(0) }
+    it { expect(RpmTest.rpmvercmp('a+', 'a+')).to eq(0) }
+    it { expect(RpmTest.rpmvercmp('a+', 'a_')).to eq(0) }
+    it { expect(RpmTest.rpmvercmp('a_', 'a+')).to eq(0) }
+    it { expect(RpmTest.rpmvercmp('+a', '+a')).to eq(0) }
+    it { expect(RpmTest.rpmvercmp('+a', '_a')).to eq(0) }
+    it { expect(RpmTest.rpmvercmp('_a', '+a')).to eq(0) }
+    it { expect(RpmTest.rpmvercmp('+_', '+_')).to eq(0) }
+    it { expect(RpmTest.rpmvercmp('_+', '+_')).to eq(0) }
+    it { expect(RpmTest.rpmvercmp('_+', '_+')).to eq(0) }
+    it { expect(RpmTest.rpmvercmp('+', '_')).to eq(0) }
+    it { expect(RpmTest.rpmvercmp('_', '+')).to eq(0) }
+    it { expect(RpmTest.rpmvercmp('1.0~rc1', '1.0~rc1')).to eq(0) }
+    it { expect(RpmTest.rpmvercmp('1.0~rc1', '1.0')).to eq(-1) }
+    it { expect(RpmTest.rpmvercmp('1.0', '1.0~rc1')).to eq(1) }
+    it { expect(RpmTest.rpmvercmp('1.0~rc1', '1.0~rc2')).to eq(-1) }
+    it { expect(RpmTest.rpmvercmp('1.0~rc2', '1.0~rc1')).to eq(1) }
+    it { expect(RpmTest.rpmvercmp('1.0~rc1~git123', '1.0~rc1~git123')).to eq(0) }
+    it { expect(RpmTest.rpmvercmp('1.0~rc1~git123', '1.0~rc1')).to eq(-1) }
+    it { expect(RpmTest.rpmvercmp('1.0~rc1', '1.0~rc1~git123')).to eq(1) }
+    it { expect(RpmTest.rpmvercmp('1.0~rc1', '1.0arc1')).to eq(-1) }
+    it { expect(RpmTest.rpmvercmp('', '~')).to eq(1) }
+    it { expect(RpmTest.rpmvercmp('~', '~~')).to eq(1) }
+    it { expect(RpmTest.rpmvercmp('~', '~+~')).to eq(1) }
+    it { expect(RpmTest.rpmvercmp('~', '~a')).to eq(-1) }
+
+    # non-upstream test cases
+    it { expect(RpmTest.rpmvercmp('405', '406')).to eq(-1) }
+    it { expect(RpmTest.rpmvercmp('1', '0')).to eq(1) }
+  end
+
+  describe '.rpm_compareEVR' do
+    it 'evaluates identical version-release as equal' do
+      expect(RpmTest.rpm_compareEVR('1.2.3-1.el5', '1.2.3-1.el5')).to eq(0)
+    end
+
+    it 'evaluates identical version as equal' do
+      expect(RpmTest.rpm_compareEVR('1.2.3', '1.2.3')).to eq(0)
+    end
+
+    it 'evaluates identical version but older release as less' do
+      expect(RpmTest.rpm_compareEVR('1.2.3-1.el5', '1.2.3-2.el5')).to eq(-1)
+    end
+
+    it 'evaluates identical version but newer release as greater' do
+      expect(RpmTest.rpm_compareEVR('1.2.3-3.el5', '1.2.3-2.el5')).to eq(1)
+    end
+
+    it 'evaluates a newer epoch as greater' do
+      expect(RpmTest.rpm_compareEVR('1:1.2.3-4.5', '1.2.3-4.5')).to eq(1)
+    end
+
+    # these tests describe PUP-1244 logic yet to be implemented
+    it 'evaluates any version as equal to the same version followed by release' do
+      expect(RpmTest.rpm_compareEVR('1.2.3', '1.2.3-2.el5')).to eq(0)
+    end
+
+    # test cases for PUP-682
+    it 'evaluates same-length numeric revisions numerically' do
+      expect(RpmTest.rpm_compareEVR('2.2-405', '2.2-406')).to eq(-1)
+    end
+  end
+
+  describe '.rpm_parse_evr' do
+    it 'parses full simple evr' do
+      version = RpmTest.rpm_parse_evr('0:1.2.3-4.el5')
+      expect([version[:epoch], version[:version], version[:release]]).to \
+        eq(['0', '1.2.3', '4.el5'])
+    end
+
+    it 'parses version only' do
+      version = RpmTest.rpm_parse_evr('1.2.3')
+      expect([version[:epoch], version[:version], version[:release]]).to \
+        eq([nil, '1.2.3', nil])
+    end
+
+    it 'parses version-release' do
+      version = RpmTest.rpm_parse_evr('1.2.3-4.5.el6')
+      expect([version[:epoch], version[:version], version[:release]]).to \
+        eq([nil, '1.2.3', '4.5.el6'])
+    end
+
+    it 'parses release with git hash' do
+      version = RpmTest.rpm_parse_evr('1.2.3-4.1234aefd')
+      expect([version[:epoch], version[:version], version[:release]]).to \
+        eq([nil, '1.2.3', '4.1234aefd'])
+    end
+
+    it 'parses single integer versions' do
+      version = RpmTest.rpm_parse_evr('12345')
+      expect([version[:epoch], version[:version], version[:release]]).to \
+        eq([nil, '12345', nil])
+    end
+
+    it 'parses text in the epoch to 0' do
+      version = RpmTest.rpm_parse_evr('foo0:1.2.3-4')
+      expect([version[:epoch], version[:version], version[:release]]).to \
+        eq([nil, '1.2.3', '4'])
+    end
+
+    it 'parses revisions with text' do
+      version = RpmTest.rpm_parse_evr('1.2.3-SNAPSHOT20140107')
+      expect([version[:epoch], version[:version], version[:release]]).to \
+        eq([nil, '1.2.3', 'SNAPSHOT20140107'])
+    end
+
+    # test cases for PUP-682
+    it 'parses revisions with text and numbers' do
+      version = RpmTest.rpm_parse_evr('2.2-SNAPSHOT20121119105647')
+      expect([version[:epoch], version[:version], version[:release]]).to \
+        eq([nil, '2.2', 'SNAPSHOT20121119105647'])
+    end
+  end
+
+  describe '.compare_values' do
+    it 'treats two nil values as equal' do
+      expect(RpmTest.compare_values(nil, nil)).to eq(0)
+    end
+
+    it 'treats a nil value as less than a non-nil value' do
+      expect(RpmTest.compare_values(nil, '0')).to eq(-1)
+    end
+
+    it 'treats a non-nil value as greater than a nil value' do
+      expect(RpmTest.compare_values('0', nil)).to eq(1)
+    end
+
+    it 'passes two non-nil values on to rpmvercmp' do
+      allow(RpmTest).to receive(:rpmvercmp).and_return(0)
+      expect(RpmTest).to receive(:rpmvercmp).with('s1', 's2')
+      RpmTest.compare_values('s1', 's2')
+    end
+  end
+end

data/spec/unit/util/storage_spec.rb

@@ -201,14 +201,7 @@ describe Puppet::Util::Storage do
       Dir.mkdir(Puppet[:statefile])
       Puppet::Util::Storage.cache(:yayness)
 
-      if Puppet::Util::Platform.windows?
-        expect { Puppet::Util::Storage.store }.to raise_error do |error|
-          expect(error).to be_a(Puppet::Util::Windows::Error)
-          expect(error.code).to eq(5) # ERROR_ACCESS_DENIED
-        end
-      else
-        expect { Puppet::Util::Storage.store }.to raise_error(Errno::EISDIR, /Is a directory/)
-      end
+      expect { Puppet::Util::Storage.store }.to raise_error(Errno::EISDIR, /Is a directory/)
 
       Dir.rmdir(Puppet[:statefile])
     end

data/spec/unit/util/windows/adsi_spec.rb

@@ -41,6 +41,19 @@ describe Puppet::Util::Windows::ADSI, :if => Puppet::Util::Platform.windows? do
     end
   end
 
+  describe ".domain_role" do
+    DOMAIN_ROLES = Puppet::Util::Platform.windows? ? Puppet::Util::Windows::ADSI::DOMAIN_ROLES : {}
+
+    DOMAIN_ROLES.each do |id, role|
+      it "should be able to return #{role} as the domain role of the computer" do
+        Puppet::Util::Windows::ADSI.instance_variable_set(:@domain_role, nil)
+        domain_role = [double('WMI', :DomainRole => id)]
+        allow(Puppet::Util::Windows::ADSI).to receive(:execquery).with('select DomainRole from Win32_ComputerSystem').and_return(domain_role)
+        expect(Puppet::Util::Windows::ADSI.domain_role).to eq(role)
+      end
+    end
+  end
+
   describe ".sid_uri" do
     it "should raise an error when the input is not a SID Principal" do
       [Object.new, {}, 1, :symbol, '', nil].each do |input|
@@ -56,6 +69,32 @@ describe Puppet::Util::Windows::ADSI, :if => Puppet::Util::Platform.windows? do
     end
   end
 
+  shared_examples 'a local only resource query' do |klass, account_type|
+    before(:each) do
+      allow(Puppet::Util::Windows::ADSI).to receive(:domain_role).and_return(:MEMBER_SERVER)
+    end
+
+    it "should be able to check for a local resource" do
+      local_domain = 'testcomputername'
+      principal = double('Principal', :account => resource_name, :domain => local_domain, :account_type => account_type)
+      allow(Puppet::Util::Windows::SID).to receive(:name_to_principal).with(resource_name).and_return(principal)
+      expect(klass.exists?(resource_name)).to eq(true)
+    end
+
+    it "should be case insensitive when comparing the domain with the computer name" do
+      local_domain = 'TESTCOMPUTERNAME'
+      principal = double('Principal', :account => resource_name, :domain => local_domain, :account_type => account_type)
+      allow(Puppet::Util::Windows::SID).to receive(:name_to_principal).with(resource_name).and_return(principal)
+      expect(klass.exists?(resource_name)).to eq(true)
+    end
+
+    it "should return false if no local resource exists" do
+      principal = double('Principal', :account => resource_name, :domain => 'AD_DOMAIN', :account_type => account_type)
+      allow(Puppet::Util::Windows::SID).to receive(:name_to_principal).with(resource_name).and_return(principal)
+      expect(klass.exists?(resource_name)).to eq(false)
+    end
+  end
+
   describe Puppet::Util::Windows::ADSI::User do
     let(:username)  { 'testuser' }
     let(:domain)    { 'DOMAIN' }
@@ -103,6 +142,12 @@ describe Puppet::Util::Windows::ADSI, :if => Puppet::Util::Platform.windows? do
       expect(user.native_object).to eq(adsi_user)
     end
 
+    context "when domain-joined" do
+      it_should_behave_like 'a local only resource query', Puppet::Util::Windows::ADSI::User, :SidTypeUser do
+        let(:resource_name) { username }
+      end
+    end
+
     it "should be able to check the existence of a user" do
       expect(Puppet::Util::Windows::SID).to receive(:name_to_principal).with(username).and_return(nil)
       expect(Puppet::Util::Windows::ADSI).to receive(:connect).with("WinNT://./#{username},user").and_return(connection)
@@ -421,8 +466,8 @@ describe Puppet::Util::Windows::ADSI, :if => Puppet::Util::Platform.windows? do
           expect(Puppet::Util::Windows::SID).to receive(:octet_string_to_principal).with([0]).and_return(sids[0])
           expect(Puppet::Util::Windows::SID).to receive(:octet_string_to_principal).with([1]).and_return(sids[1])
 
-          expect(Puppet::Util::Windows::SID).to receive(:name_to_principal).with('user2').and_return(sids[1])
-          expect(Puppet::Util::Windows::SID).to receive(:name_to_principal).with('DOMAIN2\user3').and_return(sids[2])
+          expect(Puppet::Util::Windows::SID).to receive(:name_to_principal).with('user2', false).and_return(sids[1])
+          expect(Puppet::Util::Windows::SID).to receive(:name_to_principal).with('DOMAIN2\user3', false).and_return(sids[2])
 
           expect(Puppet::Util::Windows::ADSI).to receive(:sid_uri).with(sids[0]).and_return("WinNT://DOMAIN/user1,user")
           expect(Puppet::Util::Windows::ADSI).to receive(:sid_uri).with(sids[2]).and_return("WinNT://DOMAIN2/user3,user")
@@ -448,8 +493,8 @@ describe Puppet::Util::Windows::ADSI, :if => Puppet::Util::Platform.windows? do
           expect(Puppet::Util::Windows::SID).to receive(:octet_string_to_principal).with([0]).and_return(sids[0])
           expect(Puppet::Util::Windows::SID).to receive(:octet_string_to_principal).with([1]).and_return(sids[1])
 
-          expect(Puppet::Util::Windows::SID).to receive(:name_to_principal).with('user2').and_return(sids[1])
-          expect(Puppet::Util::Windows::SID).to receive(:name_to_principal).with('DOMAIN2\user3').and_return(sids[2])
+          expect(Puppet::Util::Windows::SID).to receive(:name_to_principal).with('user2', any_args).and_return(sids[1])
+          expect(Puppet::Util::Windows::SID).to receive(:name_to_principal).with('DOMAIN2\user3', any_args).and_return(sids[2])
 
           expect(Puppet::Util::Windows::ADSI).to receive(:sid_uri).with(sids[2]).and_return("WinNT://DOMAIN2/user3,user")
 
@@ -543,6 +588,12 @@ describe Puppet::Util::Windows::ADSI, :if => Puppet::Util::Platform.windows? do
       expect(Puppet::Util::Windows::ADSI::Group.uri(groupname, ntauthority_localized)).to eq("WinNT://./#{groupname},group")
     end
 
+    context "when domain-joined" do
+      it_should_behave_like 'a local only resource query', Puppet::Util::Windows::ADSI::Group, :SidTypeGroup do
+        let(:resource_name) { groupname }
+      end
+    end
+
     it "should be able to create a group" do
       adsi_group = double("adsi")
 

data/spec/unit/util/windows/sid_spec.rb

@@ -201,9 +201,9 @@ describe "Puppet::Util::Windows::SID", :if => Puppet::Util::Platform.windows? do
       principal = subject.ads_to_principal(unresolvable_user)
 
       expect(principal).to be_an_instance_of(Puppet::Util::Windows::SID::Principal)
-      expect(principal.account).to eq('S-1-1-1 (unresolvable)')
+      expect(principal.account).to eq('S-1-1-1')
       expect(principal.domain).to eq(nil)
-      expect(principal.domain_account).to eq('S-1-1-1 (unresolvable)')
+      expect(principal.domain_account).to eq('S-1-1-1')
       expect(principal.sid).to eq('S-1-1-1')
       expect(principal.sid_bytes).to eq(valid_octet_invalid_user)
       expect(principal.account_type).to eq(:SidTypeUnknown)

data/spec/unit/x509/cert_provider_spec.rb

@@ -251,11 +251,11 @@ describe Puppet::X509::CertProvider do
         }.to raise_error(RuntimeError, 'Certname "signed/../key" must not contain unprintable or non-ASCII characters')
       end
 
-      it 'returns nil if `hostprivkey` is overridden' do
+      it 'prefers `hostprivkey` if set' do
         Puppet[:certname] = 'foo'
         Puppet[:hostprivkey] = File.join(fixture_dir, "signed-key.pem")
 
-        expect(provider.load_private_key('foo')).to be_nil
+        expect(provider.load_private_key('foo')).to be_a(OpenSSL::PKey::RSA)
       end
 
       it 'raises if the private key is unreadable' do
@@ -345,11 +345,11 @@ describe Puppet::X509::CertProvider do
         }.to raise_error(RuntimeError, 'Certname "tom/../key" must not contain unprintable or non-ASCII characters')
       end
 
-      it 'returns nil if `hostcert` is overridden' do
+      it 'prefers `hostcert` if set' do
         Puppet[:certname] = 'foo'
         Puppet[:hostcert] = File.join(fixture_dir, "signed.pem")
 
-        expect(provider.load_client_cert('foo')).to be_nil
+        expect(provider.load_client_cert('foo')).to be_a(OpenSSL::X509::Certificate)
       end
 
       it 'raises if the certificate is unreadable' do
@@ -446,6 +446,16 @@ describe Puppet::X509::CertProvider do
           provider.save_private_key(name, private_key)
         }.to raise_error(Puppet::Error, "Failed to save private key for '#{name}'")
       end
+
+      it 'prefers `hostprivkey` if set' do
+        overridden_path = tmpfile('hostprivkey')
+        Puppet[:hostprivkey] = overridden_path
+
+        provider.save_private_key(name, private_key)
+
+        expect(File).to_not exist(path)
+        expect(File).to exist(overridden_path)
+      end
     end
 
     context 'certs' do
@@ -485,6 +495,16 @@ describe Puppet::X509::CertProvider do
           provider.save_client_cert(name, client_cert)
         }.to raise_error(Puppet::Error, "Failed to save client certificate for '#{name}'")
       end
+
+      it 'prefers `hostcert` if set' do
+        overridden_path = tmpfile('hostcert')
+        Puppet[:hostcert] = overridden_path
+
+        provider.save_client_cert(name, client_cert)
+
+        expect(File).to_not exist(path)
+        expect(File).to exist(overridden_path)
+      end
     end
 
     context 'requests' do

data/tasks/generate_cert_fixtures.rake

@@ -49,6 +49,10 @@ task(:gen_cert_fixtures) do
   #
   # bad-basic-constraints.pem        /CN=Test CA (bad isCA constraint)
   #
+  # unknown-ca.pemm                  /CN=Unknown CA
+  #                                   |
+  # unknown-127.0.0.1.pem             +- /CN=127.0.0.1
+  #
   # Keys
   # ====
   #
@@ -61,10 +65,20 @@ task(:gen_cert_fixtures) do
   # `request.pem` contains a valid CSR for /CN=pending, while `tampered_csr.pem`
   # is the same as `request.pem`, but it's public key has been replaced.
   #
-  ca = Puppet::TestCa.new
   dir = File.join(RAKE_ROOT, 'spec/fixtures/ssl')
 
+  # Create self-signed CA & key
+  unknown_ca = Puppet::TestCa.new('Unknown CA')
+  save(dir, 'unknown-ca.pem', unknown_ca.ca_cert)
+  save(dir, 'unknown-ca-key.pem', unknown_ca.key)
+
+  # Create an SSL cert for 127.0.0.1
+  signed = unknown_ca.create_cert('127.0.0.1', unknown_ca.ca_cert, unknown_ca.key, subject_alt_names: 'DNS:127.0.0.1,DNS:127.0.0.2')
+  save(dir, 'unknown-127.0.0.1.pem', signed[:cert])
+  save(dir, 'unknown-127.0.0.1-key.pem', signed[:private_key])
+
   # Create Test CA & CRL
+  ca = Puppet::TestCa.new
   save(dir, 'ca.pem', ca.ca_cert)
   save(dir, 'crl.pem', ca.ca_crl)