puppet 6.16.0-x86-mingw32 → 6.17.0-x86-mingw32


Potentially problematic release.


This version of puppet might be problematic.

Files changed (138)
  1. checksums.yaml +4 -4
  2. data/Gemfile +4 -2
  3. data/Gemfile.lock +10 -10
  4. data/README.md +2 -2
  5. data/lib/puppet/agent.rb +2 -2
  6. data/lib/puppet/application/agent.rb +14 -3
  7. data/lib/puppet/configurer.rb +20 -12
  8. data/lib/puppet/confine.rb +1 -1
  9. data/lib/puppet/defaults.rb +25 -8
  10. data/lib/puppet/file_serving/http_metadata.rb +13 -1
  11. data/lib/puppet/file_serving/metadata.rb +4 -1
  12. data/lib/puppet/file_serving/terminus_selector.rb +7 -8
  13. data/lib/puppet/file_system/file_impl.rb +1 -1
  14. data/lib/puppet/file_system/uniquefile.rb +8 -16
  15. data/lib/puppet/forge.rb +1 -1
  16. data/lib/puppet/forge/cache.rb +1 -1
  17. data/lib/puppet/forge/repository.rb +3 -7
  18. data/lib/puppet/http/client.rb +5 -0
  19. data/lib/puppet/http/redirector.rb +9 -7
  20. data/lib/puppet/http/response.rb +19 -0
  21. data/lib/puppet/indirector.rb +1 -1
  22. data/lib/puppet/indirector/file_content/rest.rb +1 -1
  23. data/lib/puppet/indirector/file_metadata/http.rb +24 -5
  24. data/lib/puppet/indirector/file_metadata/rest.rb +2 -2
  25. data/lib/puppet/indirector/request.rb +1 -1
  26. data/lib/puppet/network/http/api/indirected_routes.rb +1 -1
  27. data/lib/puppet/network/http/api/master/v3/environment.rb +3 -0
  28. data/lib/puppet/network/http/connection_adapter.rb +6 -4
  29. data/lib/puppet/parser/ast/leaf.rb +5 -5
  30. data/lib/puppet/parser/ast/pops_bridge.rb +0 -4
  31. data/lib/puppet/parser/compiler.rb +1 -1
  32. data/lib/puppet/parser/compiler/catalog_validator/env_relationship_validator.rb +2 -0
  33. data/lib/puppet/parser/compiler/catalog_validator/site_validator.rb +2 -0
  34. data/lib/puppet/parser/environment_compiler.rb +4 -1
  35. data/lib/puppet/parser/resource.rb +3 -2
  36. data/lib/puppet/parser/resource/param.rb +6 -0
  37. data/lib/puppet/pops/evaluator/evaluator_impl.rb +5 -5
  38. data/lib/puppet/pops/issues.rb +5 -0
  39. data/lib/puppet/pops/resource/resource_type_impl.rb +2 -0
  40. data/lib/puppet/pops/validation/checker4_0.rb +10 -0
  41. data/lib/puppet/pops/validation/validator_factory_4_0.rb +1 -0
  42. data/lib/puppet/provider/package/aptitude.rb +1 -1
  43. data/lib/puppet/provider/package/yum.rb +1 -1
  44. data/lib/puppet/provider/service/windows.rb +23 -7
  45. data/lib/puppet/provider/user/useradd.rb +11 -4
  46. data/lib/puppet/reports/http.rb +2 -0
  47. data/lib/puppet/resource.rb +2 -1
  48. data/lib/puppet/resource/type.rb +8 -0
  49. data/lib/puppet/ssl/ssl_context.rb +2 -2
  50. data/lib/puppet/ssl/ssl_provider.rb +20 -1
  51. data/lib/puppet/test/test_helper.rb +8 -10
  52. data/lib/puppet/trusted_external.rb +29 -1
  53. data/lib/puppet/type.rb +12 -5
  54. data/lib/puppet/type/file.rb +38 -13
  55. data/lib/puppet/type/file/checksum.rb +4 -4
  56. data/lib/puppet/type/file/source.rb +4 -4
  57. data/lib/puppet/type/service.rb +49 -0
  58. data/lib/puppet/util.rb +39 -15
  59. data/lib/puppet/util/checksums.rb +19 -4
  60. data/lib/puppet/util/fileparsing.rb +2 -2
  61. data/lib/puppet/util/provider_features.rb +1 -1
  62. data/lib/puppet/util/reference.rb +1 -1
  63. data/lib/puppet/util/windows/api_types.rb +45 -32
  64. data/lib/puppet/util/windows/eventlog.rb +1 -6
  65. data/lib/puppet/util/windows/principal.rb +8 -6
  66. data/lib/puppet/util/windows/registry.rb +11 -11
  67. data/lib/puppet/util/windows/service.rb +43 -26
  68. data/lib/puppet/util/windows/user.rb +23 -8
  69. data/lib/puppet/version.rb +1 -1
  70. data/locales/puppet.pot +249 -221
  71. data/man/man5/puppet.conf.5 +19 -8
  72. data/man/man8/puppet-agent.8 +2 -2
  73. data/man/man8/puppet-apply.8 +1 -1
  74. data/man/man8/puppet-catalog.8 +1 -1
  75. data/man/man8/puppet-config.8 +1 -1
  76. data/man/man8/puppet-describe.8 +1 -1
  77. data/man/man8/puppet-device.8 +1 -1
  78. data/man/man8/puppet-doc.8 +1 -1
  79. data/man/man8/puppet-epp.8 +1 -1
  80. data/man/man8/puppet-facts.8 +1 -1
  81. data/man/man8/puppet-filebucket.8 +1 -1
  82. data/man/man8/puppet-generate.8 +1 -1
  83. data/man/man8/puppet-help.8 +1 -1
  84. data/man/man8/puppet-key.8 +1 -1
  85. data/man/man8/puppet-lookup.8 +1 -1
  86. data/man/man8/puppet-man.8 +1 -1
  87. data/man/man8/puppet-module.8 +1 -1
  88. data/man/man8/puppet-node.8 +1 -1
  89. data/man/man8/puppet-parser.8 +1 -1
  90. data/man/man8/puppet-plugin.8 +1 -1
  91. data/man/man8/puppet-report.8 +1 -1
  92. data/man/man8/puppet-resource.8 +1 -1
  93. data/man/man8/puppet-script.8 +1 -1
  94. data/man/man8/puppet-ssl.8 +1 -1
  95. data/man/man8/puppet-status.8 +1 -1
  96. data/man/man8/puppet.8 +2 -2
  97. data/spec/integration/application/agent_spec.rb +89 -0
  98. data/spec/integration/defaults_spec.rb +1 -2
  99. data/spec/integration/network/http_pool_spec.rb +26 -9
  100. data/spec/integration/parser/compiler_spec.rb +11 -0
  101. data/spec/integration/type/file_spec.rb +1 -1
  102. data/spec/integration/util/windows/registry_spec.rb +7 -7
  103. data/spec/integration/util/windows/user_spec.rb +40 -5
  104. data/spec/unit/configurer/fact_handler_spec.rb +4 -4
  105. data/spec/unit/context/trusted_information_spec.rb +10 -4
  106. data/spec/unit/file_serving/http_metadata_spec.rb +37 -14
  107. data/spec/unit/file_serving/terminus_selector_spec.rb +45 -26
  108. data/spec/unit/http/client_spec.rb +64 -8
  109. data/spec/unit/http/response_spec.rb +6 -0
  110. data/spec/unit/indirector/file_metadata/http_spec.rb +27 -0
  111. data/spec/unit/indirector/request_spec.rb +1 -1
  112. data/spec/unit/interface_spec.rb +3 -3
  113. data/spec/unit/network/http/api/indirected_routes_spec.rb +2 -1
  114. data/spec/unit/network/http/connection_spec.rb +42 -32
  115. data/spec/unit/parser/ast/block_expression_spec.rb +1 -1
  116. data/spec/unit/parser/environment_compiler_spec.rb +7 -0
  117. data/spec/unit/parser/scope_spec.rb +1 -1
  118. data/spec/unit/pops/evaluator/evaluating_parser_spec.rb +15 -1
  119. data/spec/unit/pops/loaders/loaders_spec.rb +1 -1
  120. data/spec/unit/pops/types/type_calculator_spec.rb +1 -11
  121. data/spec/unit/provider/service/windows_spec.rb +22 -14
  122. data/spec/unit/provider/user/openbsd_spec.rb +1 -0
  123. data/spec/unit/provider/user/useradd_spec.rb +22 -16
  124. data/spec/unit/resource_spec.rb +3 -3
  125. data/spec/unit/ssl/ssl_provider_spec.rb +69 -43
  126. data/spec/unit/test/test_helper_spec.rb +17 -0
  127. data/spec/unit/transaction/report_spec.rb +1 -1
  128. data/spec/unit/type/file/source_spec.rb +3 -3
  129. data/spec/unit/type/file_spec.rb +122 -96
  130. data/spec/unit/type/service_spec.rb +176 -0
  131. data/spec/unit/type_spec.rb +50 -0
  132. data/spec/unit/util/checksums_spec.rb +16 -0
  133. data/spec/unit/util/windows/api_types_spec.rb +104 -40
  134. data/spec/unit/util/windows/service_spec.rb +4 -4
  135. data/spec/unit/util_spec.rb +3 -3
  136. data/spec/unit/x509/cert_provider_spec.rb +1 -1
  137. metadata +5 -5
  138. data/spec/integration/test/test_helper_spec.rb +0 -31
@@ -45,6 +45,7 @@ describe Puppet::Type.type(:user).provider(:openbsd) do
45
45
  describe "#addcmd" do
46
46
  it "should return an array with the full command and expiry as MM/DD/YY" do
47
47
  allow(Facter).to receive(:value).with(:osfamily).and_return('OpenBSD')
48
+ allow(Facter).to receive(:value).with(:operatingsystemmajrelease)
48
49
  resource[:expiry] = "1997-06-01"
49
50
  expect(provider.addcmd).to eq(['/usr/sbin/useradd', '-e', 'June 01 1997', 'myuser'])
50
51
  end
@@ -72,20 +72,24 @@ describe Puppet::Type.type(:user).provider(:useradd) do
72
72
  provider.create
73
73
  end
74
74
 
75
- it "should use -G to set groups" do
76
- allow(Facter).to receive(:value).with(:osfamily).and_return('Not RedHat')
77
- resource[:ensure] = :present
78
- resource[:groups] = ['group1', 'group2']
79
- expect(provider).to receive(:execute).with(['/usr/sbin/useradd', '-G', 'group1,group2', 'myuser'], kind_of(Hash))
80
- provider.create
81
- end
75
+ context "when setting groups" do
76
+ it "uses -G to set groups" do
77
+ allow(Facter).to receive(:value).with(:osfamily).and_return('Solaris')
78
+ allow(Facter).to receive(:value).with(:operatingsystemmajrelease)
79
+ resource[:ensure] = :present
80
+ resource[:groups] = ['group1', 'group2']
81
+ expect(provider).to receive(:execute).with(['/usr/sbin/useradd', '-G', 'group1,group2', 'myuser'], kind_of(Hash))
82
+ provider.create
83
+ end
82
84
 
83
- it "should use -G to set groups without -M on RedHat" do
84
- allow(Facter).to receive(:value).with(:osfamily).and_return('RedHat')
85
- resource[:ensure] = :present
86
- resource[:groups] = ['group1', 'group2']
87
- expect(provider).to receive(:execute).with(['/usr/sbin/useradd', '-G', 'group1,group2', '-M', 'myuser'], kind_of(Hash))
88
- provider.create
85
+ it "uses -G to set groups with -M on supported systems" do
86
+ allow(Facter).to receive(:value).with(:osfamily).and_return('RedHat')
87
+ allow(Facter).to receive(:value).with(:operatingsystemmajrelease)
88
+ resource[:ensure] = :present
89
+ resource[:groups] = ['group1', 'group2']
90
+ expect(provider).to receive(:execute).with(['/usr/sbin/useradd', '-G', 'group1,group2', '-M', 'myuser'], kind_of(Hash))
91
+ provider.create
92
+ end
89
93
  end
90
94
 
91
95
  it "should add -o when allowdupe is enabled and the user is being created" do
@@ -429,15 +433,17 @@ describe Puppet::Type.type(:user).provider(:useradd) do
429
433
  provider.delete
430
434
  end
431
435
 
432
- it "should use -M flag if home is not managed and on Redhat" do
436
+ it "should use -M flag if home is not managed on a supported system" do
433
437
  allow(Facter).to receive(:value).with(:osfamily).and_return("RedHat")
438
+ allow(Facter).to receive(:value).with(:operatingsystemmajrelease)
434
439
  resource[:managehome] = :false
435
440
  expect(provider).to receive(:execute).with(include('-M'), kind_of(Hash))
436
441
  provider.create
437
442
  end
438
443
 
439
- it "should not use -M flag if home is not managed and not on Redhat" do
440
- allow(Facter).to receive(:value).with(:osfamily).and_return("not RedHat")
444
+ it "should not use -M flag if home is not managed on an unsupported system" do
445
+ allow(Facter).to receive(:value).with(:osfamily).and_return("Suse")
446
+ allow(Facter).to receive(:value).with(:operatingsystemmajrelease).and_return("11")
441
447
  resource[:managehome] = :false
442
448
  expect(provider).to receive(:execute).with(excluding('-M'), kind_of(Hash))
443
449
  provider.create
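Review bot: The -M examples pin a release only on the unsupported side: the Suse case returns "11", while the RedHat case stubs `:operatingsystemmajrelease` with no `and_return`, so the fact is nil there. If the provider now derives -M from the major release as well as the family (the provider change is not shown here, so this is an inference), the supported side of that version check is untested. A companion Suse example with a release that is expected to get the flag, asserting `with(include('-M'), kind_of(Hash))`, would pin both sides. The same bare stub appears in the group examples of the earlier hunk of this file, and the last example's closing `end` lies outside this hunk.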
@@ -283,7 +283,7 @@ describe Puppet::Resource do
283
283
  let(:scope) { Puppet::Parser::Scope.new(compiler) }
284
284
 
285
285
  def ast_leaf(value)
286
- Puppet::Parser::AST::Leaf.new({:value => value})
286
+ Puppet::Parser::AST::Leaf.new(value: value)
287
287
  end
288
288
 
289
289
  it "should fail when asked to set default values and it is not a parser resource" do
@@ -389,7 +389,7 @@ describe Puppet::Resource do
389
389
  context "when a value is provided" do
390
390
  let(:port_parameter) do
391
391
  Puppet::Parser::Resource::Param.new(
392
- { :name => 'port', :value => '8080' }
392
+ name: 'port', value: '8080'
393
393
  )
394
394
  end
395
395
 
@@ -414,7 +414,7 @@ describe Puppet::Resource do
414
414
  expect_lookup('apache::port', returns: '443')
415
415
 
416
416
  rs = Puppet::Parser::Resource.new("class", "apache", :scope => scope,
417
- :parameters => [Puppet::Parser::Resource::Param.new({ :name => 'port', :value => nil })])
417
+ :parameters => [Puppet::Parser::Resource::Param.new(name: 'port', value: nil)])
418
418
 
419
419
  rs.resource_type.set_resource_parameters(rs, scope)
420
420
  expect(rs[:port]).to eq('443')
@@ -42,20 +42,20 @@ describe Puppet::SSL::SSLProvider do
42
42
  let(:config) { { cacerts: [], crls: [], revocation: false } }
43
43
 
44
44
  it 'accepts empty list of certs and crls' do
45
- sslctx = subject.create_root_context(config)
45
+ sslctx = subject.create_root_context(**config)
46
46
  expect(sslctx.cacerts).to eq([])
47
47
  expect(sslctx.crls).to eq([])
48
48
  end
49
49
 
50
50
  it 'accepts valid root certs' do
51
51
  certs = [cert_fixture('ca.pem')]
52
- sslctx = subject.create_root_context(config.merge(cacerts: certs))
52
+ sslctx = subject.create_root_context(**config.merge(cacerts: certs))
53
53
  expect(sslctx.cacerts).to eq(certs)
54
54
  end
55
55
 
56
56
  it 'accepts valid intermediate certs' do
57
57
  certs = [cert_fixture('ca.pem'), cert_fixture('intermediate.pem')]
58
- sslctx = subject.create_root_context(config.merge(cacerts: certs))
58
+ sslctx = subject.create_root_context(**config.merge(cacerts: certs))
59
59
  expect(sslctx.cacerts).to eq(certs)
60
60
  end
61
61
 
@@ -63,19 +63,19 @@ describe Puppet::SSL::SSLProvider do
63
63
  expired = [cert_fixture('ca.pem'), cert_fixture('intermediate.pem')]
64
64
  expired.each { |x509| x509.not_after = Time.at(0) }
65
65
 
66
- sslctx = subject.create_root_context(config.merge(cacerts: expired))
66
+ sslctx = subject.create_root_context(**config.merge(cacerts: expired))
67
67
  expect(sslctx.cacerts).to eq(expired)
68
68
  end
69
69
 
70
70
  it 'raises if the frozen context is modified' do
71
- sslctx = subject.create_root_context(config)
71
+ sslctx = subject.create_root_context(**config)
72
72
  expect {
73
73
  sslctx.verify_peer = false
74
74
  }.to raise_error(/can't modify frozen/)
75
75
  end
76
76
 
77
77
  it 'verifies peer' do
78
- sslctx = subject.create_root_context(config)
78
+ sslctx = subject.create_root_context(**config)
79
79
  expect(sslctx.verify_peer).to eq(true)
80
80
  end
81
81
  end
@@ -134,6 +134,32 @@ describe Puppet::SSL::SSLProvider do
134
134
  expect(sslctx.client_cert).to be_nil
135
135
  expect(sslctx.private_key).to be_nil
136
136
  end
137
+
138
+ it 'trusts additional system certs' do
139
+ path = tmpfile('system_cacerts')
140
+ File.write(path, cert_fixture('ca.pem').to_pem)
141
+
142
+ expect_any_instance_of(OpenSSL::X509::Store).to receive(:add_file).with(path)
143
+
144
+ subject.create_system_context(cacerts: [], path: path)
145
+ end
146
+
147
+ it 'ignores empty files' do
148
+ path = tmpfile('system_cacerts')
149
+ FileUtils.touch(path)
150
+
151
+ subject.create_system_context(cacerts: [], path: path)
152
+
153
+ expect(@logs).to eq([])
154
+ end
155
+
156
+ it 'prints an error if it is not a file' do
157
+ path = tmpdir('system_cacerts')
158
+
159
+ subject.create_system_context(cacerts: [], path: path)
160
+
161
+ expect(@logs).to include(an_object_having_attributes(level: :warning, message: /^The 'ssl_trust_store' setting does not refer to a file and will be ignored/))
162
+ end
137
163
  end
138
164
 
139
165
  context 'when creating an ssl context with crls' do
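Review bot: The 'trusts additional system certs' example replaces `add_file` with a stub, so it shows the path reaching an `OpenSSL::X509::Store` but the file is never parsed and nothing checks that the CA ends up trusted; `expect_any_instance_of(OpenSSL::X509::Store).to receive(:add_file).with(path).and_call_original` would at least exercise the real load. The new examples cover an empty file and a directory but not a missing path or a file with non-PEM content, the cases where a trust-store setting most needs a pinned outcome (warn and continue, or raise); `create_system_context` is not visible here, so the intended behaviour should be confirmed first. The third example is titled 'prints an error' yet asserts `level: :warning`; `it 'warns if it is not a file' do` would match the assertion. The enclosing `context` block opens outside the hunk.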
@@ -142,14 +168,14 @@ describe Puppet::SSL::SSLProvider do
142
168
  it 'accepts valid CRLs' do
143
169
  certs = [cert_fixture('ca.pem')]
144
170
  crls = [crl_fixture('crl.pem')]
145
- sslctx = subject.create_root_context(config.merge(cacerts: certs, crls: crls))
171
+ sslctx = subject.create_root_context(**config.merge(cacerts: certs, crls: crls))
146
172
  expect(sslctx.crls).to eq(crls)
147
173
  end
148
174
 
149
175
  it 'accepts valid CRLs for intermediate certs' do
150
176
  certs = [cert_fixture('ca.pem'), cert_fixture('intermediate.pem')]
151
177
  crls = [crl_fixture('crl.pem'), crl_fixture('intermediate-crl.pem')]
152
- sslctx = subject.create_root_context(config.merge(cacerts: certs, crls: crls))
178
+ sslctx = subject.create_root_context(**config.merge(cacerts: certs, crls: crls))
153
179
  expect(sslctx.crls).to eq(crls)
154
180
  end
155
181
 
@@ -157,12 +183,12 @@ describe Puppet::SSL::SSLProvider do
157
183
  expired = [crl_fixture('crl.pem'), crl_fixture('intermediate-crl.pem')]
158
184
  expired.each { |x509| x509.last_update = Time.at(0) }
159
185
 
160
- sslctx = subject.create_root_context(config.merge(crls: expired))
186
+ sslctx = subject.create_root_context(**config.merge(crls: expired))
161
187
  expect(sslctx.crls).to eq(expired)
162
188
  end
163
189
 
164
190
  it 'verifies peer' do
165
- sslctx = subject.create_root_context(config)
191
+ sslctx = subject.create_root_context(**config)
166
192
  expect(sslctx.verify_peer).to eq(true)
167
193
  end
168
194
  end
@@ -174,49 +200,49 @@ describe Puppet::SSL::SSLProvider do
174
200
 
175
201
  it 'raises if CA certs are missing' do
176
202
  expect {
177
- subject.create_context(config.merge(cacerts: nil))
203
+ subject.create_context(**config.merge(cacerts: nil))
178
204
  }.to raise_error(ArgumentError, /CA certs are missing/)
179
205
  end
180
206
 
181
207
  it 'raises if CRLs are are missing' do
182
208
  expect {
183
- subject.create_context(config.merge(crls: nil))
209
+ subject.create_context(**config.merge(crls: nil))
184
210
  }.to raise_error(ArgumentError, /CRLs are missing/)
185
211
  end
186
212
 
187
213
  it 'raises if private key is missing' do
188
214
  expect {
189
- subject.create_context(config.merge(private_key: nil))
215
+ subject.create_context(**config.merge(private_key: nil))
190
216
  }.to raise_error(ArgumentError, /Private key is missing/)
191
217
  end
192
218
 
193
219
  it 'raises if client cert is missing' do
194
220
  expect {
195
- subject.create_context(config.merge(client_cert: nil))
221
+ subject.create_context(**config.merge(client_cert: nil))
196
222
  }.to raise_error(ArgumentError, /Client cert is missing/)
197
223
  end
198
224
 
199
225
  it 'accepts RSA keys' do
200
- sslctx = subject.create_context(config)
226
+ sslctx = subject.create_context(**config)
201
227
  expect(sslctx.private_key).to eq(private_key)
202
228
  end
203
229
 
204
230
  it 'accepts EC keys' do
205
231
  ec_key = ec_key_fixture('ec-key.pem')
206
232
  ec_cert = cert_fixture('ec.pem')
207
- sslctx = subject.create_context(config.merge(client_cert: ec_cert, private_key: ec_key))
233
+ sslctx = subject.create_context(**config.merge(client_cert: ec_cert, private_key: ec_key))
208
234
  expect(sslctx.private_key).to eq(ec_key)
209
235
  end
210
236
 
211
237
  it 'raises if private key is unsupported' do
212
238
  dsa_key = OpenSSL::PKey::DSA.new
213
239
  expect {
214
- subject.create_context(config.merge(private_key: dsa_key))
240
+ subject.create_context(**config.merge(private_key: dsa_key))
215
241
  }.to raise_error(Puppet::SSL::SSLError, /Unsupported key 'OpenSSL::PKey::DSA'/)
216
242
  end
217
243
 
218
244
  it 'resolves the client chain from leaf to root' do
219
- sslctx = subject.create_context(config)
245
+ sslctx = subject.create_context(**config)
220
246
  expect(
221
247
  sslctx.client_chain.map(&:subject).map(&:to_utf8)
222
248
  ).to eq(['CN=signed', 'CN=Test CA Subauthority', 'CN=Test CA'])
@@ -225,21 +251,21 @@ describe Puppet::SSL::SSLProvider do
225
251
  it 'raises if client cert signature is invalid' do
226
252
  client_cert.sign(wrong_key, OpenSSL::Digest::SHA256.new)
227
253
  expect {
228
- subject.create_context(config.merge(client_cert: client_cert))
254
+ subject.create_context(**config.merge(client_cert: client_cert))
229
255
  }.to raise_error(Puppet::SSL::CertVerifyError,
230
256
  "Invalid signature for certificate 'CN=signed'")
231
257
  end
232
258
 
233
259
  it 'raises if client cert and private key are mismatched' do
234
260
  expect {
235
- subject.create_context(config.merge(private_key: wrong_key))
261
+ subject.create_context(**config.merge(private_key: wrong_key))
236
262
  }.to raise_error(Puppet::SSL::SSLError,
237
263
  "The certificate for 'CN=signed' does not match its private key")
238
264
  end
239
265
 
240
266
  it "raises if client cert's public key has been replaced" do
241
267
  expect {
242
- subject.create_context(config.merge(client_cert: cert_fixture('tampered-cert.pem')))
268
+ subject.create_context(**config.merge(client_cert: cert_fixture('tampered-cert.pem')))
243
269
  }.to raise_error(Puppet::SSL::CertVerifyError,
244
270
  "Invalid signature for certificate 'CN=signed'")
245
271
  end
@@ -250,7 +276,7 @@ describe Puppet::SSL::SSLProvider do
250
276
  ca.sign(wrong_key, OpenSSL::Digest::SHA256.new)
251
277
 
252
278
  expect {
253
- subject.create_context(config.merge(cacerts: global_cacerts))
279
+ subject.create_context(**config.merge(cacerts: global_cacerts))
254
280
  }.to raise_error(Puppet::SSL::CertVerifyError,
255
281
  "Invalid signature for certificate 'CN=Test CA'")
256
282
  end
@@ -260,7 +286,7 @@ describe Puppet::SSL::SSLProvider do
260
286
  int.sign(wrong_key, OpenSSL::Digest::SHA256.new)
261
287
 
262
288
  expect {
263
- subject.create_context(config.merge(cacerts: global_cacerts))
289
+ subject.create_context(**config.merge(cacerts: global_cacerts))
264
290
  }.to raise_error(Puppet::SSL::CertVerifyError,
265
291
  "Invalid signature for certificate 'CN=Test CA Subauthority'")
266
292
  end
@@ -270,7 +296,7 @@ describe Puppet::SSL::SSLProvider do
270
296
  crl.sign(wrong_key, OpenSSL::Digest::SHA256.new)
271
297
 
272
298
  expect {
273
- subject.create_context(config.merge(crls: global_crls))
299
+ subject.create_context(**config.merge(crls: global_crls))
274
300
  }.to raise_error(Puppet::SSL::CertVerifyError,
275
301
  "Invalid signature for CRL issued by 'CN=Test CA'")
276
302
  end
@@ -280,14 +306,14 @@ describe Puppet::SSL::SSLProvider do
280
306
  crl.sign(wrong_key, OpenSSL::Digest::SHA256.new)
281
307
 
282
308
  expect {
283
- subject.create_context(config.merge(crls: global_crls))
309
+ subject.create_context(**config.merge(crls: global_crls))
284
310
  }.to raise_error(Puppet::SSL::CertVerifyError,
285
311
  "Invalid signature for CRL issued by 'CN=Test CA Subauthority'")
286
312
  end
287
313
 
288
314
  it 'raises if client cert is revoked' do
289
315
  expect {
290
- subject.create_context(config.merge(private_key: key_fixture('revoked-key.pem'), client_cert: cert_fixture('revoked.pem')))
316
+ subject.create_context(**config.merge(private_key: key_fixture('revoked-key.pem'), client_cert: cert_fixture('revoked.pem')))
291
317
  }.to raise_error(Puppet::SSL::CertVerifyError,
292
318
  "Certificate 'CN=revoked' is revoked")
293
319
  end
@@ -295,12 +321,12 @@ describe Puppet::SSL::SSLProvider do
295
321
  it 'warns if intermediate issuer is missing' do
296
322
  expect(Puppet).to receive(:warning).with("The issuer 'CN=Test CA Subauthority' of certificate 'CN=signed' cannot be found locally")
297
323
 
298
- subject.create_context(config.merge(cacerts: [cert_fixture('ca.pem')]))
324
+ subject.create_context(**config.merge(cacerts: [cert_fixture('ca.pem')]))
299
325
  end
300
326
 
301
327
  it 'raises if root issuer is missing' do
302
328
  expect {
303
- subject.create_context(config.merge(cacerts: [cert_fixture('intermediate.pem')]))
329
+ subject.create_context(**config.merge(cacerts: [cert_fixture('intermediate.pem')]))
304
330
  }.to raise_error(Puppet::SSL::CertVerifyError,
305
331
  "The issuer 'CN=Test CA' of certificate 'CN=Test CA Subauthority' is missing")
306
332
  end
@@ -308,7 +334,7 @@ describe Puppet::SSL::SSLProvider do
308
334
  it 'raises if cert is not valid yet', unless: Puppet::Util::Platform.jruby? do
309
335
  client_cert.not_before = Time.now + (5 * 60 * 60)
310
336
  expect {
311
- subject.create_context(config.merge(client_cert: client_cert))
337
+ subject.create_context(**config.merge(client_cert: client_cert))
312
338
  }.to raise_error(Puppet::SSL::CertVerifyError,
313
339
  "The certificate 'CN=signed' is not yet valid, verify time is synchronized")
314
340
  end
@@ -316,7 +342,7 @@ describe Puppet::SSL::SSLProvider do
316
342
  it 'raises if cert is expired', unless: Puppet::Util::Platform.jruby? do
317
343
  client_cert.not_after = Time.at(0)
318
344
  expect {
319
- subject.create_context(config.merge(client_cert: client_cert))
345
+ subject.create_context(**config.merge(client_cert: client_cert))
320
346
  }.to raise_error(Puppet::SSL::CertVerifyError,
321
347
  "The certificate 'CN=signed' has expired, verify time is synchronized")
322
348
  end
@@ -327,7 +353,7 @@ describe Puppet::SSL::SSLProvider do
327
353
  future_crls.first.last_update = Time.now + (5 * 60 * 60)
328
354
 
329
355
  expect {
330
- subject.create_context(config.merge(crls: future_crls))
356
+ subject.create_context(**config.merge(crls: future_crls))
331
357
  }.to raise_error(Puppet::SSL::CertVerifyError,
332
358
  "The CRL issued by 'CN=Test CA' is not yet valid, verify time is synchronized")
333
359
  end
@@ -338,7 +364,7 @@ describe Puppet::SSL::SSLProvider do
338
364
  past_crls.first.next_update = Time.at(0)
339
365
 
340
366
  expect {
341
- subject.create_context(config.merge(crls: past_crls))
367
+ subject.create_context(**config.merge(crls: past_crls))
342
368
  }.to raise_error(Puppet::SSL::CertVerifyError,
343
369
  "The CRL issued by 'CN=Test CA' has expired, verify time is synchronized")
344
370
  end
@@ -346,7 +372,7 @@ describe Puppet::SSL::SSLProvider do
346
372
  it 'raises if the root CRL is missing' do
347
373
  crls = [crl_fixture('intermediate-crl.pem')]
348
374
  expect {
349
- subject.create_context(config.merge(crls: crls, revocation: :chain))
375
+ subject.create_context(**config.merge(crls: crls, revocation: :chain))
350
376
  }.to raise_error(Puppet::SSL::CertVerifyError,
351
377
  "The CRL issued by 'CN=Test CA' is missing")
352
378
  end
@@ -354,23 +380,23 @@ describe Puppet::SSL::SSLProvider do
354
380
  it 'raises if the intermediate CRL is missing' do
355
381
  crls = [crl_fixture('crl.pem')]
356
382
  expect {
357
- subject.create_context(config.merge(crls: crls))
383
+ subject.create_context(**config.merge(crls: crls))
358
384
  }.to raise_error(Puppet::SSL::CertVerifyError,
359
385
  "The CRL issued by 'CN=Test CA Subauthority' is missing")
360
386
  end
361
387
 
362
388
  it "doesn't raise if the root CRL is missing and we're just checking the leaf" do
363
389
  crls = [crl_fixture('intermediate-crl.pem')]
364
- subject.create_context(config.merge(crls: crls, revocation: :leaf))
390
+ subject.create_context(**config.merge(crls: crls, revocation: :leaf))
365
391
  end
366
392
 
367
393
  it "doesn't raise if the intermediate CRL is missing and revocation checking is disabled" do
368
394
  crls = [crl_fixture('crl.pem')]
369
- subject.create_context(config.merge(crls: crls, revocation: false))
395
+ subject.create_context(**config.merge(crls: crls, revocation: false))
370
396
  end
371
397
 
372
398
  it "doesn't raise if both CRLs are missing and revocation checking is disabled" do
373
- subject.create_context(config.merge(crls: [], revocation: false))
399
+ subject.create_context(**config.merge(crls: [], revocation: false))
374
400
  end
375
401
 
376
402
  # OpenSSL < 1.1 does not verify basicConstraints
@@ -378,7 +404,7 @@ describe Puppet::SSL::SSLProvider do
378
404
  certs = [cert_fixture('bad-basic-constraints.pem'), cert_fixture('intermediate.pem')]
379
405
 
380
406
  expect {
381
- subject.create_context(config.merge(cacerts: certs, crls: [], revocation: false))
407
+ subject.create_context(**config.merge(cacerts: certs, crls: [], revocation: false))
382
408
  }.to raise_error(Puppet::SSL::CertVerifyError,
383
409
  "Certificate 'CN=Test CA' failed verification (24): invalid CA certificate")
384
410
  end
@@ -388,32 +414,32 @@ describe Puppet::SSL::SSLProvider do
388
414
  certs = [cert_fixture('ca.pem'), cert_fixture('bad-int-basic-constraints.pem')]
389
415
 
390
416
  expect {
391
- subject.create_context(config.merge(cacerts: certs, crls: [], revocation: false))
417
+ subject.create_context(**config.merge(cacerts: certs, crls: [], revocation: false))
392
418
  }.to raise_error(Puppet::SSL::CertVerifyError,
393
419
  "Certificate 'CN=Test CA Subauthority' failed verification (24): invalid CA certificate")
394
420
  end
395
421
 
396
422
  it 'accepts CA certs in any order' do
397
- sslctx = subject.create_context(config.merge(cacerts: global_cacerts.reverse))
423
+ sslctx = subject.create_context(**config.merge(cacerts: global_cacerts.reverse))
398
424
  # certs in ruby+openssl 1.0.x are not comparable, so compare subjects
399
425
  expect(sslctx.client_chain.map(&:subject).map(&:to_utf8)).to contain_exactly('CN=Test CA', 'CN=Test CA Subauthority', 'CN=signed')
400
426
  end
401
427
 
402
428
  it 'accepts CRLs in any order' do
403
- sslctx = subject.create_context(config.merge(crls: global_crls.reverse))
429
+ sslctx = subject.create_context(**config.merge(crls: global_crls.reverse))
404
430
  # certs in ruby+openssl 1.0.x are not comparable, so compare subjects
405
431
  expect(sslctx.client_chain.map(&:subject).map(&:to_utf8)).to contain_exactly('CN=Test CA', 'CN=Test CA Subauthority', 'CN=signed')
406
432
  end
407
433
 
408
434
  it 'raises if the frozen context is modified' do
409
- sslctx = subject.create_context(config)
435
+ sslctx = subject.create_context(**config)
410
436
  expect {
411
437
  sslctx.verify_peer = false
412
438
  }.to raise_error(/can't modify frozen/)
413
439
  end
414
440
 
415
441
  it 'verifies peer' do
416
- sslctx = subject.create_context(config)
442
+ sslctx = subject.create_context(**config)
417
443
  expect(sslctx.verify_peer).to eq(true)
418
444
  end
419
445
  end