puppet 6.15.0-universal-darwin → 6.19.1-universal-darwin

data/spec/unit/settings_spec.rb

@@ -9,7 +9,7 @@ describe Puppet::Settings do
   include Matchers::Resource
 
   let(:main_config_file_default_location) do
-    File.join(Puppet::Util::RunMode[:master].conf_dir, "puppet.conf")
+    File.join(Puppet::Util::RunMode[:server].conf_dir, "puppet.conf")
   end
 
   let(:user_config_file_default_location) do
@@ -112,9 +112,9 @@ describe Puppet::Settings do
     #  case behaviors / uses.  However, until that time... we need to make sure that our private run_mode=
     #  setter method gets properly called during app initialization.
     it "sets the preferred run mode when initializing the app defaults" do
-      @settings.initialize_app_defaults(default_values.merge(:run_mode => :master))
+      @settings.initialize_app_defaults(default_values.merge(:run_mode => :server))
 
-      expect(@settings.preferred_run_mode).to eq(:master)
+      expect(@settings.preferred_run_mode).to eq(:server)
     end
 
     it "creates ancestor directories for all required app settings" do
@@ -326,7 +326,7 @@ describe Puppet::Settings do
     end
 
     it "should identify configured settings from the specified run mode" do
-      user_config_text = "[master]\nmyval = foo"
+      user_config_text = "[server]\nmyval = foo"
 
       allow(Puppet.features).to receive(:root?).and_return(false)
       expect(Puppet::FileSystem).to receive(:exist?).
@@ -337,7 +337,7 @@ describe Puppet::Settings do
         and_return(user_config_text).ordered
 
       @settings.send(:parse_config_files)
-      expect(@settings.set_by_config?(:myval, nil, :master)).to be_truthy
+      expect(@settings.set_by_config?(:myval, nil, :server)).to be_truthy
     end
 
     it "should not identify configured settings from an unspecified run mode" do
@@ -382,7 +382,7 @@ describe Puppet::Settings do
 
     it "should clear the cache when the preferred_run_mode is changed" do
       expect(@settings).to receive(:flush_cache)
-      @settings.preferred_run_mode = :master
+      @settings.preferred_run_mode = :server
     end
 
     it "should not clear other values when setting getopt-specific values" do
@@ -658,6 +658,28 @@ describe Puppet::Settings do
       expect(@settings[:one]).to eq("modeval")
     end
 
+    [:master, :server].each do |run_mode|
+      describe "when run mode is '#{run_mode}'" do
+        before(:each) { @settings.preferred_run_mode = run_mode }
+
+        it "returns values set in the 'master' section if the 'server' section does not exist" do
+          text = "[main]\none = mainval\n[master]\none = modeval\n"
+          allow(@settings).to receive(:read_file).and_return(text)
+          @settings.send(:parse_config_files)
+
+          expect(@settings[:one]).to eq("modeval")
+        end
+
+        it "prioritizes values set in the 'server' section if set" do
+          text = "[main]\none = mainval\n[server]\none = serverval\n[master]\none = masterval\n"
+          allow(@settings).to receive(:read_file).and_return(text)
+          @settings.send(:parse_config_files)
+
+          expect(@settings[:one]).to eq("serverval")
+        end
+      end
+    end
+
     it "should not return values outside of its search path" do
       text = "[other]\none = oval\n"
       allow(@settings).to receive(:read_file).and_return(text)
@@ -854,10 +876,10 @@ describe Puppet::Settings do
         default_values[key] = 'default value'
       end
       @settings.define_settings :main, PuppetSpec::Settings::TEST_APP_DEFAULT_DEFINITIONS
-      @settings.define_settings :master, :myfile => { :type => :file, :default => make_absolute("/myfile"), :desc => "a" }
+      @settings.define_settings :server, :myfile => { :type => :file, :default => make_absolute("/myfile"), :desc => "a" }
 
       otherfile = make_absolute("/other/file")
-      text = "[master]
+      text = "[server]
       myfile = #{otherfile} {mode = 664}
       "
       expect(@settings).to receive(:read_file).and_return(text)
@@ -866,15 +888,153 @@ describe Puppet::Settings do
       expect(@settings.preferred_run_mode).to eq(:user)
       @settings.send(:parse_config_files)
 
-      # change app run_mode to master
-      @settings.initialize_app_defaults(default_values.merge(:run_mode => :master))
-      expect(@settings.preferred_run_mode).to eq(:master)
+      # change app run_mode to server
+      @settings.initialize_app_defaults(default_values.merge(:run_mode => :server))
+      expect(@settings.preferred_run_mode).to eq(:server)
 
       # initializing the app should have reloaded the metadata based on run_mode
       expect(@settings[:myfile]).to eq(otherfile)
       expect(metadata(@settings.setting(:myfile))).to eq({:mode => "664"})
     end
 
+    context "when setting serverport and masterport" do
+      before(:each) do
+        default_values = {}
+        PuppetSpec::Settings::TEST_APP_DEFAULT_DEFINITIONS.keys.each do |key|
+          default_values[key] = 'default value'
+        end
+        @settings.define_settings :main, PuppetSpec::Settings::TEST_APP_DEFAULT_DEFINITIONS
+        @settings.define_settings :server, :masterport => { :desc => "a", :default => 1000 }
+        @settings.define_settings :server, :serverport => { :desc => "a", :default => 1000 }
+        @settings.define_settings :server, :ca_port => { :desc => "a", :default => "$serverport" }
+        @settings.define_settings :server, :report_port => { :desc => "a", :default => "$serverport" }
+        expect(@settings).to receive(:read_file).and_return(text)
+        @settings.send(:parse_config_files)
+        @settings.initialize_app_defaults(default_values.merge(:run_mode => :agent))
+        expect(@settings.preferred_run_mode).to eq(:agent)
+      end
+
+      context 'with serverport in main and masterport in agent' do
+        let(:text) do
+          "[main]
+      serverport = 444
+      [agent]
+      masterport = 445
+      "
+        end
+
+        it { expect(@settings[:serverport]).to eq(445) }
+        it { expect(@settings[:ca_port]).to eq("445") }
+        it { expect(@settings[:report_port]).to eq("445") }
+      end
+
+      context 'with serverport and masterport in main' do
+        let(:text) do
+          "[main]
+      serverport = 445
+      masterport = 444
+      "
+        end
+
+        it { expect(@settings[:serverport]).to eq(445) }
+        it { expect(@settings[:ca_port]).to eq("445") }
+        it { expect(@settings[:report_port]).to eq("445") }
+      end
+
+      context 'with serverport and masterport in agent' do
+        let(:text) do
+          "[agent]
+      serverport = 445
+      masterport = 444
+      "
+        end
+
+        it { expect(@settings[:serverport]).to eq(445) }
+        it { expect(@settings[:ca_port]).to eq("445") }
+        it { expect(@settings[:report_port]).to eq("445") }
+      end
+
+      context 'with both serverport and masterport in main and agent' do
+        let(:text) do
+          "[main]
+      serverport = 447
+      masterport = 442
+      [agent]
+      serverport = 445
+      masterport = 444
+      "
+        end
+
+        it { expect(@settings[:serverport]).to eq(445) }
+        it { expect(@settings[:ca_port]).to eq("445") }
+        it { expect(@settings[:report_port]).to eq("445") }
+      end
+
+      context 'with serverport in agent and masterport in main' do
+        let(:text) do
+          "[agent]
+      serverport = 444
+      [main]
+      masterport = 445
+      "
+        end
+
+        it { expect(@settings[:serverport]).to eq(444) }
+        it { expect(@settings[:ca_port]).to eq("444") }
+        it { expect(@settings[:report_port]).to eq("444") }
+      end
+
+      context 'with masterport in main' do
+        let(:text) do
+          "[main]
+      masterport = 445
+      "
+        end
+
+        it { expect(@settings[:serverport]).to eq(445) }
+        it { expect(@settings[:ca_port]).to eq("445") }
+        it { expect(@settings[:report_port]).to eq("445") }
+      end
+
+      context 'with masterport in agent' do
+        let(:text) do
+          "[agent]
+      masterport = 445
+      "
+        end
+
+        it { expect(@settings[:serverport]).to eq(445) }
+        it { expect(@settings[:ca_port]).to eq("445") }
+        it { expect(@settings[:report_port]).to eq("445") }
+      end
+
+      context 'with serverport in agent' do
+        let(:text) do
+          "[agent]
+      serverport = 445
+      "
+        end
+
+        it { expect(@settings[:serverport]).to eq(445) }
+        it { expect(@settings[:masterport]).to eq(445) }
+        it { expect(@settings[:ca_port]).to eq("445") }
+        it { expect(@settings[:report_port]).to eq("445") }
+      end
+
+      context 'with serverport in main' do
+        let(:text) do
+          "[main]
+      serverport = 445
+      "
+        end
+
+        it { expect(@settings[:serverport]).to eq(445) }
+        it { expect(@settings[:masterport]).to eq(445) }
+        it { expect(@settings[:ca_port]).to eq("445") }
+        it { expect(@settings[:report_port]).to eq("445") }
+      end
+    end
+
     it "does not use the metadata from the same setting in a different section" do
       default_values = {}
       PuppetSpec::Settings::TEST_APP_DEFAULT_DEFINITIONS.keys.each do |key|
@@ -884,9 +1044,9 @@ describe Puppet::Settings do
       file = make_absolute("/file")
       default_mode = "0600"
       @settings.define_settings :main, PuppetSpec::Settings::TEST_APP_DEFAULT_DEFINITIONS
-      @settings.define_settings :master, :myfile => { :type => :file, :default => file, :desc => "a", :mode => default_mode }
+      @settings.define_settings :server, :myfile => { :type => :file, :default => file, :desc => "a", :mode => default_mode }
 
-      text = "[master]
+      text = "[server]
       myfile = #{file}/foo
       [agent]
       myfile = #{file} {mode = 664}
@@ -897,9 +1057,9 @@ describe Puppet::Settings do
       expect(@settings.preferred_run_mode).to eq(:user)
       @settings.send(:parse_config_files)
 
-      # change app run_mode to master
-      @settings.initialize_app_defaults(default_values.merge(:run_mode => :master))
-      expect(@settings.preferred_run_mode).to eq(:master)
+      # change app run_mode to server
+      @settings.initialize_app_defaults(default_values.merge(:run_mode => :server))
+      expect(@settings.preferred_run_mode).to eq(:server)
 
       # initializing the app should have reloaded the metadata based on run_mode
       expect(@settings[:myfile]).to eq("#{file}/foo")
@@ -1900,18 +2060,18 @@ describe Puppet::Settings do
     end
 
     it "should set preferred run mode from --run_mode <foo> string without error" do
-      args = ["--run_mode", "master"]
-      expect(settings).not_to receive(:handlearg).with("--run_mode", "master")
+      args = ["--run_mode", "server"]
+      expect(settings).not_to receive(:handlearg).with("--run_mode", "server")
       expect { settings.send(:parse_global_options, args) } .to_not raise_error
-      expect(Puppet.settings.preferred_run_mode).to eq(:master)
+      expect(Puppet.settings.preferred_run_mode).to eq(:server)
       expect(args.empty?).to eq(true)
     end
 
     it "should set preferred run mode from --run_mode=<foo> string without error" do
-      args = ["--run_mode=master"]
-      expect(settings).not_to receive(:handlearg).with("--run_mode", "master")
+      args = ["--run_mode=server"]
+      expect(settings).not_to receive(:handlearg).with("--run_mode", "server")
       expect { settings.send(:parse_global_options, args) }.to_not raise_error
-      expect(Puppet.settings.preferred_run_mode).to eq(:master)
+      expect(Puppet.settings.preferred_run_mode).to eq(:server)
       expect(args.empty?).to eq(true)
     end
   end

data/spec/unit/ssl/ssl_provider_spec.rb

@@ -42,20 +42,20 @@ describe Puppet::SSL::SSLProvider do
     let(:config) { { cacerts: [], crls: [], revocation: false } }
 
     it 'accepts empty list of certs and crls' do
-      sslctx = subject.create_root_context(config)
+      sslctx = subject.create_root_context(**config)
       expect(sslctx.cacerts).to eq([])
       expect(sslctx.crls).to eq([])
     end
 
     it 'accepts valid root certs' do
       certs = [cert_fixture('ca.pem')]
-      sslctx = subject.create_root_context(config.merge(cacerts: certs))
+      sslctx = subject.create_root_context(**config.merge(cacerts: certs))
       expect(sslctx.cacerts).to eq(certs)
     end
 
     it 'accepts valid intermediate certs' do
       certs = [cert_fixture('ca.pem'), cert_fixture('intermediate.pem')]
-      sslctx = subject.create_root_context(config.merge(cacerts: certs))
+      sslctx = subject.create_root_context(**config.merge(cacerts: certs))
       expect(sslctx.cacerts).to eq(certs)
     end
 
@@ -63,19 +63,19 @@ describe Puppet::SSL::SSLProvider do
       expired = [cert_fixture('ca.pem'), cert_fixture('intermediate.pem')]
       expired.each { |x509| x509.not_after = Time.at(0) }
 
-      sslctx = subject.create_root_context(config.merge(cacerts: expired))
+      sslctx = subject.create_root_context(**config.merge(cacerts: expired))
       expect(sslctx.cacerts).to eq(expired)
     end
 
     it 'raises if the frozen context is modified' do
-      sslctx = subject.create_root_context(config)
+      sslctx = subject.create_root_context(**config)
       expect {
         sslctx.verify_peer = false
       }.to raise_error(/can't modify frozen/)
     end
 
     it 'verifies peer' do
-      sslctx = subject.create_root_context(config)
+      sslctx = subject.create_root_context(**config)
       expect(sslctx.verify_peer).to eq(true)
     end
   end
@@ -134,6 +134,32 @@ describe Puppet::SSL::SSLProvider do
       expect(sslctx.client_cert).to be_nil
       expect(sslctx.private_key).to be_nil
     end
+
+    it 'trusts additional system certs' do
+      path = tmpfile('system_cacerts')
+      File.write(path, cert_fixture('ca.pem').to_pem)
+
+      expect_any_instance_of(OpenSSL::X509::Store).to receive(:add_file).with(path)
+
+      subject.create_system_context(cacerts: [], path: path)
+    end
+
+    it 'ignores empty files' do
+      path = tmpfile('system_cacerts')
+      FileUtils.touch(path)
+
+      subject.create_system_context(cacerts: [], path: path)
+
+      expect(@logs).to eq([])
+    end
+
+    it 'prints an error if it is not a file' do
+      path = tmpdir('system_cacerts')
+
+      subject.create_system_context(cacerts: [], path: path)
+
+      expect(@logs).to include(an_object_having_attributes(level: :warning, message: /^The 'ssl_trust_store' setting does not refer to a file and will be ignored/))
+    end
   end
 
   context 'when creating an ssl context with crls' do
@@ -142,14 +168,14 @@ describe Puppet::SSL::SSLProvider do
     it 'accepts valid CRLs' do
       certs = [cert_fixture('ca.pem')]
       crls = [crl_fixture('crl.pem')]
-      sslctx = subject.create_root_context(config.merge(cacerts: certs, crls: crls))
+      sslctx = subject.create_root_context(**config.merge(cacerts: certs, crls: crls))
       expect(sslctx.crls).to eq(crls)
     end
 
     it 'accepts valid CRLs for intermediate certs' do
       certs = [cert_fixture('ca.pem'), cert_fixture('intermediate.pem')]
       crls = [crl_fixture('crl.pem'), crl_fixture('intermediate-crl.pem')]
-      sslctx = subject.create_root_context(config.merge(cacerts: certs, crls: crls))
+      sslctx = subject.create_root_context(**config.merge(cacerts: certs, crls: crls))
       expect(sslctx.crls).to eq(crls)
     end
 
@@ -157,12 +183,12 @@ describe Puppet::SSL::SSLProvider do
       expired = [crl_fixture('crl.pem'), crl_fixture('intermediate-crl.pem')]
       expired.each { |x509| x509.last_update = Time.at(0) }
 
-      sslctx = subject.create_root_context(config.merge(crls: expired))
+      sslctx = subject.create_root_context(**config.merge(crls: expired))
       expect(sslctx.crls).to eq(expired)
     end
 
     it 'verifies peer' do
-      sslctx = subject.create_root_context(config)
+      sslctx = subject.create_root_context(**config)
       expect(sslctx.verify_peer).to eq(true)
     end
   end
@@ -174,49 +200,49 @@ describe Puppet::SSL::SSLProvider do
 
     it 'raises if CA certs are missing' do
       expect {
-        subject.create_context(config.merge(cacerts: nil))
+        subject.create_context(**config.merge(cacerts: nil))
       }.to raise_error(ArgumentError, /CA certs are missing/)
     end
 
     it 'raises if CRLs are are missing' do
       expect {
-        subject.create_context(config.merge(crls: nil))
+        subject.create_context(**config.merge(crls: nil))
       }.to raise_error(ArgumentError, /CRLs are missing/)
     end
 
     it 'raises if private key is missing' do
       expect {
-        subject.create_context(config.merge(private_key: nil))
+        subject.create_context(**config.merge(private_key: nil))
       }.to raise_error(ArgumentError, /Private key is missing/)
     end
 
     it 'raises if client cert is missing' do
       expect {
-        subject.create_context(config.merge(client_cert: nil))
+        subject.create_context(**config.merge(client_cert: nil))
       }.to raise_error(ArgumentError, /Client cert is missing/)
     end
 
     it 'accepts RSA keys' do
-      sslctx = subject.create_context(config)
+      sslctx = subject.create_context(**config)
       expect(sslctx.private_key).to eq(private_key)
     end
 
     it 'accepts EC keys' do
       ec_key = ec_key_fixture('ec-key.pem')
       ec_cert = cert_fixture('ec.pem')
-      sslctx = subject.create_context(config.merge(client_cert: ec_cert, private_key: ec_key))
+      sslctx = subject.create_context(**config.merge(client_cert: ec_cert, private_key: ec_key))
       expect(sslctx.private_key).to eq(ec_key)
     end
 
     it 'raises if private key is unsupported' do
       dsa_key = OpenSSL::PKey::DSA.new
       expect {
-        subject.create_context(config.merge(private_key: dsa_key))
+        subject.create_context(**config.merge(private_key: dsa_key))
       }.to raise_error(Puppet::SSL::SSLError, /Unsupported key 'OpenSSL::PKey::DSA'/)
     end
 
     it 'resolves the client chain from leaf to root' do
-      sslctx = subject.create_context(config)
+      sslctx = subject.create_context(**config)
       expect(
         sslctx.client_chain.map(&:subject).map(&:to_utf8)
       ).to eq(['CN=signed', 'CN=Test CA Subauthority', 'CN=Test CA'])
@@ -225,21 +251,21 @@ describe Puppet::SSL::SSLProvider do
     it 'raises if client cert signature is invalid' do
       client_cert.sign(wrong_key, OpenSSL::Digest::SHA256.new)
       expect {
-        subject.create_context(config.merge(client_cert: client_cert))
+        subject.create_context(**config.merge(client_cert: client_cert))
       }.to raise_error(Puppet::SSL::CertVerifyError,
                        "Invalid signature for certificate 'CN=signed'")
     end
 
     it 'raises if client cert and private key are mismatched' do
       expect {
-        subject.create_context(config.merge(private_key: wrong_key))
+        subject.create_context(**config.merge(private_key: wrong_key))
       }.to raise_error(Puppet::SSL::SSLError,
                        "The certificate for 'CN=signed' does not match its private key")
     end
 
     it "raises if client cert's public key has been replaced" do
       expect {
-        subject.create_context(config.merge(client_cert: cert_fixture('tampered-cert.pem')))
+        subject.create_context(**config.merge(client_cert: cert_fixture('tampered-cert.pem')))
       }.to raise_error(Puppet::SSL::CertVerifyError,
                        "Invalid signature for certificate 'CN=signed'")
     end
@@ -250,7 +276,7 @@ describe Puppet::SSL::SSLProvider do
       ca.sign(wrong_key, OpenSSL::Digest::SHA256.new)
 
       expect {
-        subject.create_context(config.merge(cacerts: global_cacerts))
+        subject.create_context(**config.merge(cacerts: global_cacerts))
       }.to raise_error(Puppet::SSL::CertVerifyError,
                        "Invalid signature for certificate 'CN=Test CA'")
     end
@@ -260,7 +286,7 @@ describe Puppet::SSL::SSLProvider do
       int.sign(wrong_key, OpenSSL::Digest::SHA256.new)
 
       expect {
-        subject.create_context(config.merge(cacerts: global_cacerts))
+        subject.create_context(**config.merge(cacerts: global_cacerts))
       }.to raise_error(Puppet::SSL::CertVerifyError,
                        "Invalid signature for certificate 'CN=Test CA Subauthority'")
     end
@@ -270,7 +296,7 @@ describe Puppet::SSL::SSLProvider do
       crl.sign(wrong_key, OpenSSL::Digest::SHA256.new)
 
       expect {
-        subject.create_context(config.merge(crls: global_crls))
+        subject.create_context(**config.merge(crls: global_crls))
       }.to raise_error(Puppet::SSL::CertVerifyError,
                        "Invalid signature for CRL issued by 'CN=Test CA'")
     end
@@ -280,14 +306,14 @@ describe Puppet::SSL::SSLProvider do
       crl.sign(wrong_key, OpenSSL::Digest::SHA256.new)
 
       expect {
-        subject.create_context(config.merge(crls: global_crls))
+        subject.create_context(**config.merge(crls: global_crls))
       }.to raise_error(Puppet::SSL::CertVerifyError,
                        "Invalid signature for CRL issued by 'CN=Test CA Subauthority'")
     end
 
     it 'raises if client cert is revoked' do
       expect {
-        subject.create_context(config.merge(private_key: key_fixture('revoked-key.pem'), client_cert: cert_fixture('revoked.pem')))
+        subject.create_context(**config.merge(private_key: key_fixture('revoked-key.pem'), client_cert: cert_fixture('revoked.pem')))
       }.to raise_error(Puppet::SSL::CertVerifyError,
                        "Certificate 'CN=revoked' is revoked")
     end
@@ -295,12 +321,12 @@ describe Puppet::SSL::SSLProvider do
     it 'warns if intermediate issuer is missing' do
       expect(Puppet).to receive(:warning).with("The issuer 'CN=Test CA Subauthority' of certificate 'CN=signed' cannot be found locally")
 
-      subject.create_context(config.merge(cacerts: [cert_fixture('ca.pem')]))
+      subject.create_context(**config.merge(cacerts: [cert_fixture('ca.pem')]))
     end
 
     it 'raises if root issuer is missing' do
       expect {
-        subject.create_context(config.merge(cacerts: [cert_fixture('intermediate.pem')]))
+        subject.create_context(**config.merge(cacerts: [cert_fixture('intermediate.pem')]))
       }.to raise_error(Puppet::SSL::CertVerifyError,
                        "The issuer 'CN=Test CA' of certificate 'CN=Test CA Subauthority' is missing")
     end
@@ -308,7 +334,7 @@ describe Puppet::SSL::SSLProvider do
     it 'raises if cert is not valid yet', unless: Puppet::Util::Platform.jruby? do
       client_cert.not_before = Time.now + (5 * 60 * 60)
       expect {
-        subject.create_context(config.merge(client_cert: client_cert))
+        subject.create_context(**config.merge(client_cert: client_cert))
       }.to raise_error(Puppet::SSL::CertVerifyError,
                        "The certificate 'CN=signed' is not yet valid, verify time is synchronized")
     end
@@ -316,7 +342,7 @@ describe Puppet::SSL::SSLProvider do
     it 'raises if cert is expired', unless: Puppet::Util::Platform.jruby? do
       client_cert.not_after = Time.at(0)
       expect {
-        subject.create_context(config.merge(client_cert: client_cert))
+        subject.create_context(**config.merge(client_cert: client_cert))
       }.to raise_error(Puppet::SSL::CertVerifyError,
                        "The certificate 'CN=signed' has expired, verify time is synchronized")
     end
@@ -327,7 +353,7 @@ describe Puppet::SSL::SSLProvider do
       future_crls.first.last_update = Time.now + (5 * 60 * 60)
 
       expect {
-        subject.create_context(config.merge(crls: future_crls))
+        subject.create_context(**config.merge(crls: future_crls))
       }.to raise_error(Puppet::SSL::CertVerifyError,
                        "The CRL issued by 'CN=Test CA' is not yet valid, verify time is synchronized")
     end
@@ -338,7 +364,7 @@ describe Puppet::SSL::SSLProvider do
       past_crls.first.next_update = Time.at(0)
 
       expect {
-        subject.create_context(config.merge(crls: past_crls))
+        subject.create_context(**config.merge(crls: past_crls))
       }.to raise_error(Puppet::SSL::CertVerifyError,
                        "The CRL issued by 'CN=Test CA' has expired, verify time is synchronized")
     end
@@ -346,7 +372,7 @@ describe Puppet::SSL::SSLProvider do
     it 'raises if the root CRL is missing' do
       crls = [crl_fixture('intermediate-crl.pem')]
       expect {
-        subject.create_context(config.merge(crls: crls, revocation: :chain))
+        subject.create_context(**config.merge(crls: crls, revocation: :chain))
       }.to raise_error(Puppet::SSL::CertVerifyError,
                        "The CRL issued by 'CN=Test CA' is missing")
     end
@@ -354,23 +380,23 @@ describe Puppet::SSL::SSLProvider do
     it 'raises if the intermediate CRL is missing' do
       crls = [crl_fixture('crl.pem')]
       expect {
-        subject.create_context(config.merge(crls: crls))
+        subject.create_context(**config.merge(crls: crls))
       }.to raise_error(Puppet::SSL::CertVerifyError,
                        "The CRL issued by 'CN=Test CA Subauthority' is missing")
     end
 
     it "doesn't raise if the root CRL is missing and we're just checking the leaf" do
       crls = [crl_fixture('intermediate-crl.pem')]
-      subject.create_context(config.merge(crls: crls, revocation: :leaf))
+      subject.create_context(**config.merge(crls: crls, revocation: :leaf))
     end
 
     it "doesn't raise if the intermediate CRL is missing and revocation checking is disabled" do
       crls = [crl_fixture('crl.pem')]
-      subject.create_context(config.merge(crls: crls, revocation: false))
+      subject.create_context(**config.merge(crls: crls, revocation: false))
     end
 
     it "doesn't raise if both CRLs are missing and revocation checking is disabled" do
-      subject.create_context(config.merge(crls: [], revocation: false))
+      subject.create_context(**config.merge(crls: [], revocation: false))
     end
 
     # OpenSSL < 1.1 does not verify basicConstraints
@@ -378,7 +404,7 @@ describe Puppet::SSL::SSLProvider do
       certs = [cert_fixture('bad-basic-constraints.pem'), cert_fixture('intermediate.pem')]
 
       expect {
-        subject.create_context(config.merge(cacerts: certs, crls: [], revocation: false))
+        subject.create_context(**config.merge(cacerts: certs, crls: [], revocation: false))
       }.to raise_error(Puppet::SSL::CertVerifyError,
                        "Certificate 'CN=Test CA' failed verification (24): invalid CA certificate")
     end
@@ -388,32 +414,32 @@ describe Puppet::SSL::SSLProvider do
       certs = [cert_fixture('ca.pem'), cert_fixture('bad-int-basic-constraints.pem')]
 
       expect {
-        subject.create_context(config.merge(cacerts: certs, crls: [], revocation: false))
+        subject.create_context(**config.merge(cacerts: certs, crls: [], revocation: false))
       }.to raise_error(Puppet::SSL::CertVerifyError,
                        "Certificate 'CN=Test CA Subauthority' failed verification (24): invalid CA certificate")
     end
 
     it 'accepts CA certs in any order' do
-      sslctx = subject.create_context(config.merge(cacerts: global_cacerts.reverse))
+      sslctx = subject.create_context(**config.merge(cacerts: global_cacerts.reverse))
       # certs in ruby+openssl 1.0.x are not comparable, so compare subjects
       expect(sslctx.client_chain.map(&:subject).map(&:to_utf8)).to contain_exactly('CN=Test CA', 'CN=Test CA Subauthority', 'CN=signed')
     end
 
     it 'accepts CRLs in any order' do
-      sslctx = subject.create_context(config.merge(crls: global_crls.reverse))
+      sslctx = subject.create_context(**config.merge(crls: global_crls.reverse))
       # certs in ruby+openssl 1.0.x are not comparable, so compare subjects
       expect(sslctx.client_chain.map(&:subject).map(&:to_utf8)).to contain_exactly('CN=Test CA', 'CN=Test CA Subauthority', 'CN=signed')
     end
 
     it 'raises if the frozen context is modified' do
-      sslctx = subject.create_context(config)
+      sslctx = subject.create_context(**config)
       expect {
         sslctx.verify_peer = false
       }.to raise_error(/can't modify frozen/)
     end
 
     it 'verifies peer' do
-      sslctx = subject.create_context(config)
+      sslctx = subject.create_context(**config)
       expect(sslctx.verify_peer).to eq(true)
     end
   end