RubyGems - puppet - Versions diffs - 6.16.0-x86-mingw32 → 7.0.0-x86-mingw32 - Mend

puppet 6.16.0-x86-mingw32 → 7.0.0-x86-mingw32

Potentially problematic release.

This version of puppet might be problematic. Click here for more details.

Files changed (645) hide show

checksums.yaml +4 -4
data/Gemfile +5 -3
data/Gemfile.lock +31 -33
data/README.md +4 -5
data/Rakefile +4 -12
data/conf/fileserver.conf +5 -10
data/ext/build_defaults.yaml +1 -1
data/ext/osx/file_mapping.yaml +0 -5
data/ext/project_data.yaml +1 -14
data/ext/redhat/puppet.spec.erb +0 -1
data/ext/windows/service/daemon.rb +6 -5
data/install.rb +21 -17
data/lib/puppet.rb +11 -20
data/lib/puppet/agent.rb +2 -2
data/lib/puppet/agent/locker.rb +0 -7
data/lib/puppet/application.rb +172 -98
data/lib/puppet/application/agent.rb +22 -6
data/lib/puppet/application/apply.rb +18 -20
data/lib/puppet/application/device.rb +100 -104
data/lib/puppet/application/doc.rb +1 -1
data/lib/puppet/application/filebucket.rb +15 -11
data/lib/puppet/application/lookup.rb +16 -4
data/lib/puppet/application/ssl.rb +1 -1
data/lib/puppet/configurer.rb +66 -31
data/lib/puppet/configurer/downloader.rb +31 -10
data/lib/puppet/configurer/plugin_handler.rb +21 -19
data/lib/puppet/confine.rb +2 -2
data/lib/puppet/confine/any.rb +1 -1
data/lib/puppet/defaults.rb +166 -169
data/lib/puppet/environments.rb +41 -15
data/lib/puppet/face/catalog.rb +1 -1
data/lib/puppet/face/config.rb +56 -16
data/lib/puppet/face/epp.rb +12 -2
data/lib/puppet/face/facts.rb +66 -6
data/lib/puppet/face/help.rb +1 -1
data/lib/puppet/face/node.rb +3 -3
data/lib/puppet/face/node/clean.rb +2 -2
data/lib/puppet/face/plugin.rb +5 -8
data/lib/puppet/feature/base.rb +1 -1
data/lib/puppet/ffi/windows.rb +12 -0
data/lib/puppet/ffi/windows/api_types.rb +311 -0
data/lib/puppet/ffi/windows/constants.rb +404 -0
data/lib/puppet/ffi/windows/functions.rb +628 -0
data/lib/puppet/ffi/windows/structs.rb +338 -0
data/lib/puppet/file_bucket/dipper.rb +1 -1
data/lib/puppet/file_serving/configuration.rb +0 -5
data/lib/puppet/file_serving/configuration/parser.rb +3 -32
data/lib/puppet/file_serving/http_metadata.rb +13 -1
data/lib/puppet/file_serving/metadata.rb +4 -1
data/lib/puppet/file_serving/mount.rb +1 -2
data/lib/puppet/file_serving/mount/locales.rb +1 -2
data/lib/puppet/file_serving/mount/pluginfacts.rb +1 -2
data/lib/puppet/file_serving/mount/plugins.rb +1 -2
data/lib/puppet/file_serving/terminus_selector.rb +7 -8
data/lib/puppet/file_system/file_impl.rb +4 -4
data/lib/puppet/file_system/uniquefile.rb +8 -16
data/lib/puppet/forge.rb +1 -1
data/lib/puppet/forge/cache.rb +1 -1
data/lib/puppet/forge/repository.rb +3 -8
data/lib/puppet/functions/epp.rb +1 -0
data/lib/puppet/functions/inline_epp.rb +1 -0
data/lib/puppet/functions/lstrip.rb +4 -4
data/lib/puppet/functions/new.rb +8 -3
data/lib/puppet/functions/reverse_each.rb +1 -1
data/lib/puppet/functions/rstrip.rb +4 -4
data/lib/puppet/functions/step.rb +1 -1
data/lib/puppet/functions/strip.rb +4 -4
data/lib/puppet/generate/models/type/type.rb +4 -1
data/lib/puppet/gettext/config.rb +5 -5
data/lib/puppet/gettext/module_translations.rb +4 -4
data/lib/puppet/http.rb +23 -13
data/lib/puppet/http/client.rb +170 -115
data/lib/puppet/{network/resolver.rb → http/dns.rb} +2 -2
data/lib/puppet/http/errors.rb +16 -0
data/lib/puppet/http/external_client.rb +5 -7
data/lib/puppet/{network/http → http}/factory.rb +8 -11
data/lib/puppet/{network/http → http}/pool.rb +61 -26
data/lib/puppet/{network/http/session.rb → http/pool_entry.rb} +2 -3
data/lib/puppet/http/proxy.rb +137 -0
data/lib/puppet/http/redirector.rb +13 -19
data/lib/puppet/http/resolver.rb +10 -23
data/lib/puppet/http/resolver/server_list.rb +23 -45
data/lib/puppet/http/resolver/settings.rb +7 -10
data/lib/puppet/http/resolver/srv.rb +11 -15
data/lib/puppet/http/response.rb +49 -48
data/lib/puppet/http/response_converter.rb +24 -0
data/lib/puppet/http/response_net_http.rb +42 -0
data/lib/puppet/http/retry_after_handler.rb +4 -13
data/lib/puppet/http/service.rb +15 -27
data/lib/puppet/http/service/ca.rb +11 -22
data/lib/puppet/http/service/compiler.rb +23 -70
data/lib/puppet/http/service/file_server.rb +19 -28
data/lib/puppet/http/service/puppetserver.rb +53 -0
data/lib/puppet/http/service/report.rb +8 -10
data/lib/puppet/http/session.rb +16 -24
data/lib/puppet/{network/http → http}/site.rb +1 -2
data/lib/puppet/indirector.rb +1 -1
data/lib/puppet/indirector/catalog/compiler.rb +1 -1
data/lib/puppet/indirector/catalog/rest.rb +2 -4
data/lib/puppet/indirector/exec.rb +1 -1
data/lib/puppet/indirector/fact_search.rb +60 -0
data/lib/puppet/indirector/facts/facter.rb +27 -6
data/lib/puppet/indirector/facts/json.rb +27 -0
data/lib/puppet/indirector/facts/rest.rb +3 -22
data/lib/puppet/indirector/facts/yaml.rb +4 -59
data/lib/puppet/indirector/file_bucket_file/rest.rb +3 -9
data/lib/puppet/indirector/file_content/rest.rb +3 -7
data/lib/puppet/indirector/file_metadata/http.rb +25 -5
data/lib/puppet/indirector/file_metadata/rest.rb +5 -11
data/lib/puppet/indirector/file_server.rb +1 -8
data/lib/puppet/indirector/generic_http.rb +0 -11
data/lib/puppet/indirector/hiera.rb +4 -0
data/lib/puppet/indirector/indirection.rb +1 -1
data/lib/puppet/indirector/json.rb +5 -1
data/lib/puppet/indirector/msgpack.rb +1 -1
data/lib/puppet/indirector/node/json.rb +8 -0
data/lib/puppet/indirector/node/rest.rb +2 -4
data/lib/puppet/indirector/report/json.rb +34 -0
data/lib/puppet/indirector/report/processor.rb +2 -2
data/lib/puppet/indirector/report/rest.rb +3 -8
data/lib/puppet/indirector/request.rb +2 -103
data/lib/puppet/indirector/rest.rb +12 -263
data/lib/puppet/indirector/yaml.rb +1 -1
data/lib/puppet/module.rb +1 -2
data/lib/puppet/module_tool/applications.rb +0 -1
data/lib/puppet/network/authconfig.rb +2 -96
data/lib/puppet/network/authorization.rb +13 -35
data/lib/puppet/network/format_support.rb +2 -2
data/lib/puppet/network/formats.rb +2 -1
data/lib/puppet/network/http.rb +3 -3
data/lib/puppet/network/http/api/indirected_routes.rb +3 -21
data/lib/puppet/network/http/api/master/v3.rb +11 -13
data/lib/puppet/network/http/api/master/v3/environments.rb +0 -1
data/lib/puppet/network/http/connection.rb +247 -316
data/lib/puppet/network/http/handler.rb +0 -1
data/lib/puppet/network/http/route.rb +2 -2
data/lib/puppet/network/http_pool.rb +16 -34
data/lib/puppet/node.rb +1 -30
data/lib/puppet/node/environment.rb +12 -5
data/lib/puppet/node/facts.rb +17 -0
data/lib/puppet/pal/json_catalog_encoder.rb +4 -0
data/lib/puppet/pal/pal_impl.rb +93 -14
data/lib/puppet/parameter.rb +1 -1
data/lib/puppet/parser/ast/leaf.rb +5 -5
data/lib/puppet/parser/ast/pops_bridge.rb +0 -42
data/lib/puppet/parser/compiler.rb +1 -199
data/lib/puppet/parser/compiler/catalog_validator/relationship_validator.rb +14 -39
data/lib/puppet/parser/functions.rb +21 -17
data/lib/puppet/parser/functions/create_resources.rb +11 -7
data/lib/puppet/parser/resource.rb +3 -71
data/lib/puppet/parser/resource/param.rb +6 -0
data/lib/puppet/parser/type_loader.rb +2 -2
data/lib/puppet/pops/adaptable.rb +7 -13
data/lib/puppet/pops/adapters.rb +8 -4
data/lib/puppet/pops/evaluator/collectors/abstract_collector.rb +1 -3
data/lib/puppet/pops/evaluator/evaluator_impl.rb +27 -13
data/lib/puppet/pops/evaluator/runtime3_converter.rb +2 -2
data/lib/puppet/pops/evaluator/runtime3_resource_support.rb +3 -3
data/lib/puppet/pops/evaluator/runtime3_support.rb +1 -1
data/lib/puppet/pops/loader/ruby_legacy_function_instantiator.rb +6 -8
data/lib/puppet/pops/loader/runtime3_type_loader.rb +4 -2
data/lib/puppet/pops/loaders.rb +18 -11
data/lib/puppet/pops/lookup/context.rb +1 -1
data/lib/puppet/pops/lookup/hiera_config.rb +14 -1
data/lib/puppet/pops/model/ast.pp +0 -42
data/lib/puppet/pops/model/ast.rb +0 -290
data/lib/puppet/pops/model/factory.rb +0 -45
data/lib/puppet/pops/model/model_label_provider.rb +0 -5
data/lib/puppet/pops/model/model_tree_dumper.rb +0 -22
data/lib/puppet/pops/model/pn_transformer.rb +0 -16
data/lib/puppet/pops/parser/egrammar.ra +0 -56
data/lib/puppet/pops/parser/eparser.rb +1520 -1712
data/lib/puppet/pops/parser/lexer2.rb +4 -4
data/lib/puppet/pops/parser/parser_support.rb +0 -5
data/lib/puppet/pops/resource/resource_type_impl.rb +2 -22
data/lib/puppet/pops/types/iterable.rb +34 -8
data/lib/puppet/pops/types/p_meta_type.rb +1 -1
data/lib/puppet/pops/types/p_type_set_type.rb +4 -0
data/lib/puppet/pops/types/type_calculator.rb +0 -7
data/lib/puppet/pops/types/type_parser.rb +0 -4
data/lib/puppet/pops/types/types.rb +0 -1
data/lib/puppet/pops/validation/checker4_0.rb +28 -42
data/lib/puppet/pops/validation/tasks_checker.rb +0 -12
data/lib/puppet/pops/validation/validator_factory_4_0.rb +1 -1
data/lib/puppet/provider.rb +0 -13
data/lib/puppet/provider/file/windows.rb +1 -1
data/lib/puppet/provider/nameservice.rb +0 -18
data/lib/puppet/provider/package/apt.rb +34 -0
data/lib/puppet/provider/package/aptitude.rb +1 -1
data/lib/puppet/provider/package/dpkg.rb +1 -11
data/lib/puppet/provider/package/gem.rb +27 -5
data/lib/puppet/provider/package/pip.rb +0 -1
data/lib/puppet/provider/package/pip2.rb +17 -0
data/lib/puppet/provider/package/pkg.rb +0 -4
data/lib/puppet/provider/package/portage.rb +1 -1
data/lib/puppet/provider/package/puppet_gem.rb +6 -4
data/lib/puppet/provider/package/puppetserver_gem.rb +180 -0
data/lib/puppet/provider/package/yum.rb +2 -1
data/lib/puppet/provider/package/zypper.rb +3 -0
data/lib/puppet/provider/service/smf.rb +191 -73
data/lib/puppet/provider/service/windows.rb +23 -7
data/lib/puppet/provider/user/aix.rb +1 -1
data/lib/puppet/provider/user/directoryservice.rb +0 -10
data/lib/puppet/provider/user/user_role_add.rb +1 -1
data/lib/puppet/provider/user/useradd.rb +11 -4
data/lib/puppet/provider/user/windows_adsi.rb +18 -1
data/lib/puppet/reference/configuration.rb +2 -0
data/lib/puppet/reference/indirection.rb +1 -1
data/lib/puppet/reports/http.rb +2 -0
data/lib/puppet/resource.rb +3 -90
data/lib/puppet/resource/catalog.rb +1 -14
data/lib/puppet/resource/type.rb +5 -112
data/lib/puppet/resource/type_collection.rb +3 -48
data/lib/puppet/runtime.rb +1 -2
data/lib/puppet/settings.rb +84 -35
data/lib/puppet/settings/base_setting.rb +26 -2
data/lib/puppet/settings/integer_setting.rb +17 -0
data/lib/puppet/settings/port_setting.rb +15 -0
data/lib/puppet/settings/priority_setting.rb +5 -4
data/lib/puppet/ssl.rb +10 -6
data/lib/puppet/ssl/base.rb +3 -5
data/lib/puppet/ssl/certificate.rb +0 -6
data/lib/puppet/ssl/certificate_request.rb +1 -12
data/lib/puppet/ssl/certificate_signer.rb +6 -0
data/lib/puppet/ssl/oids.rb +3 -1
data/lib/puppet/ssl/ssl_context.rb +2 -2
data/lib/puppet/ssl/ssl_provider.rb +37 -1
data/lib/puppet/ssl/state_machine.rb +3 -1
data/lib/puppet/ssl/verifier.rb +2 -0
data/lib/puppet/test/test_helper.rb +19 -16
data/lib/puppet/transaction.rb +3 -9
data/lib/puppet/transaction/persistence.rb +1 -1
data/lib/puppet/transaction/report.rb +10 -8
data/lib/puppet/trusted_external.rb +29 -1
data/lib/puppet/type.rb +9 -77
data/lib/puppet/type/file.rb +45 -22
data/lib/puppet/type/file/checksum.rb +5 -5
data/lib/puppet/type/file/source.rb +33 -13
data/lib/puppet/type/filebucket.rb +4 -4
data/lib/puppet/type/notify.rb +2 -2
data/lib/puppet/type/package.rb +5 -13
data/lib/puppet/type/service.rb +53 -0
data/lib/puppet/type/user.rb +18 -3
data/lib/puppet/util.rb +41 -3
data/lib/puppet/util/autoload.rb +9 -7
data/lib/puppet/util/character_encoding.rb +9 -5
data/lib/puppet/util/checksums.rb +19 -4
data/lib/puppet/util/execution.rb +2 -13
data/lib/puppet/util/fileparsing.rb +2 -2
data/lib/puppet/util/http_proxy.rb +2 -215
data/lib/puppet/util/monkey_patches.rb +0 -46
data/lib/puppet/util/provider_features.rb +1 -1
data/lib/puppet/util/rdoc.rb +0 -7
data/lib/puppet/util/reference.rb +1 -1
data/lib/puppet/util/retry_action.rb +1 -1
data/lib/puppet/util/rubygems.rb +5 -1
data/lib/puppet/util/run_mode.rb +14 -2
data/lib/puppet/util/windows.rb +3 -7
data/lib/puppet/util/windows/daemon.rb +360 -0
data/lib/puppet/util/windows/error.rb +1 -0
data/lib/puppet/util/windows/eventlog.rb +5 -15
data/lib/puppet/util/windows/file.rb +8 -242
data/lib/puppet/util/windows/monkey_patches/process.rb +414 -0
data/lib/puppet/util/windows/principal.rb +8 -6
data/lib/puppet/util/windows/process.rb +4 -226
data/lib/puppet/util/windows/registry.rb +11 -11
data/lib/puppet/util/windows/security.rb +4 -4
data/lib/puppet/util/windows/service.rb +52 -486
data/lib/puppet/util/windows/string.rb +12 -13
data/lib/puppet/util/windows/user.rb +242 -8
data/lib/puppet/util/yaml.rb +0 -22
data/lib/puppet/vendor/require_vendored.rb +0 -1
data/lib/puppet/version.rb +1 -1
data/lib/puppet/x509.rb +5 -1
data/lib/puppet/x509/cert_provider.rb +29 -1
data/locales/puppet.pot +713 -1380
data/man/man5/puppet.conf.5 +84 -98
data/man/man8/puppet-agent.8 +7 -4
data/man/man8/puppet-apply.8 +1 -1
data/man/man8/puppet-catalog.8 +1 -1
data/man/man8/puppet-config.8 +6 -6
data/man/man8/puppet-describe.8 +1 -1
data/man/man8/puppet-device.8 +1 -1
data/man/man8/puppet-doc.8 +1 -1
data/man/man8/puppet-epp.8 +1 -1
data/man/man8/puppet-facts.8 +55 -9
data/man/man8/puppet-filebucket.8 +6 -6
data/man/man8/puppet-generate.8 +1 -1
data/man/man8/puppet-help.8 +1 -1
data/man/man8/puppet-lookup.8 +2 -2
data/man/man8/puppet-module.8 +1 -58
data/man/man8/puppet-node.8 +7 -4
data/man/man8/puppet-parser.8 +1 -1
data/man/man8/puppet-plugin.8 +1 -1
data/man/man8/puppet-report.8 +4 -1
data/man/man8/puppet-resource.8 +1 -1
data/man/man8/puppet-script.8 +1 -1
data/man/man8/puppet-ssl.8 +1 -1
data/man/man8/puppet.8 +2 -2
data/spec/fixtures/integration/application/apply/environments/spec/modules/amod/lib/puppet/provider/applytest/applytest.rb +2 -0
data/spec/fixtures/integration/application/apply/environments/spec/modules/amod/lib/puppet/type/applytest.rb +25 -0
data/spec/fixtures/unit/forge/bacula-releases.json +128 -0
data/spec/fixtures/unit/forge/bacula.tar.gz +0 -0
data/spec/fixtures/unit/provider/package/puppetserver_gem/gem-list-local-packages +30 -0
data/spec/fixtures/unit/provider/service/smf/{svcs.out → svcs_instances.out} +0 -0
data/spec/integration/application/agent_spec.rb +157 -59
data/spec/integration/application/apply_spec.rb +150 -150
data/spec/integration/application/doc_spec.rb +16 -6
data/spec/integration/application/filebucket_spec.rb +78 -29
data/spec/integration/application/help_spec.rb +44 -0
data/spec/integration/application/lookup_spec.rb +13 -0
data/spec/integration/application/module_spec.rb +68 -0
data/spec/integration/application/plugin_spec.rb +76 -4
data/spec/integration/configurer_spec.rb +14 -0
data/spec/integration/data_binding_spec.rb +82 -0
data/spec/integration/defaults_spec.rb +33 -5
data/spec/integration/directory_environments_spec.rb +17 -17
data/spec/integration/environments/setting_hooks_spec.rb +1 -1
data/spec/integration/indirector/facts/facter_spec.rb +8 -6
data/spec/integration/network/http_pool_spec.rb +29 -30
data/spec/integration/node/environment_spec.rb +1 -1
data/spec/integration/parser/catalog_spec.rb +0 -38
data/spec/integration/parser/compiler_spec.rb +11 -0
data/spec/integration/parser/node_spec.rb +0 -9
data/spec/integration/parser/pcore_resource_spec.rb +0 -37
data/spec/integration/type/file_spec.rb +6 -5
data/spec/integration/util/execution_spec.rb +22 -0
data/spec/integration/util/windows/adsi_spec.rb +2 -2
data/spec/integration/util/windows/monkey_patches/process_spec.rb +231 -0
data/spec/integration/util/windows/process_spec.rb +26 -32
data/spec/integration/util/windows/registry_spec.rb +7 -7
data/spec/integration/util/windows/security_spec.rb +1 -1
data/spec/integration/util/windows/user_spec.rb +47 -5
data/spec/integration/util_spec.rb +7 -33
data/spec/lib/puppet_spec/matchers.rb +0 -80
data/spec/lib/puppet_spec/puppetserver.rb +9 -1
data/spec/lib/puppet_spec/settings.rb +7 -1
data/spec/shared_contexts/types_setup.rb +2 -0
data/spec/spec_helper.rb +2 -0
data/spec/unit/agent_spec.rb +0 -2
data/spec/unit/application/agent_spec.rb +3 -4
data/spec/unit/application/config_spec.rb +224 -4
data/spec/unit/application/doc_spec.rb +2 -2
data/spec/unit/application/face_base_spec.rb +6 -4
data/spec/unit/application/facts_spec.rb +74 -8
data/spec/unit/application/filebucket_spec.rb +41 -39
data/spec/unit/application/resource_spec.rb +3 -1
data/spec/unit/application/ssl_spec.rb +17 -4
data/spec/unit/application_spec.rb +9 -4
data/spec/unit/certificate_factory_spec.rb +1 -1
data/spec/unit/configurer/downloader_spec.rb +14 -0
data/spec/unit/configurer/fact_handler_spec.rb +4 -4
data/spec/unit/configurer/plugin_handler_spec.rb +56 -18
data/spec/unit/configurer_spec.rb +96 -44
data/spec/unit/confine_spec.rb +2 -1
data/spec/unit/context/trusted_information_spec.rb +12 -10
data/spec/unit/defaults_spec.rb +77 -28
data/spec/unit/environments_spec.rb +96 -32
data/spec/unit/face/config_spec.rb +65 -12
data/spec/unit/face/facts_spec.rb +4 -0
data/spec/unit/face/node_spec.rb +2 -2
data/spec/unit/face/plugin_spec.rb +73 -33
data/spec/unit/file_bucket/file_spec.rb +1 -1
data/spec/unit/file_serving/configuration/parser_spec.rb +14 -18
data/spec/unit/file_serving/configuration_spec.rb +6 -12
data/spec/unit/file_serving/http_metadata_spec.rb +37 -14
data/spec/unit/file_serving/mount/locales_spec.rb +2 -2
data/spec/unit/file_serving/mount/pluginfacts_spec.rb +2 -2
data/spec/unit/file_serving/mount/plugins_spec.rb +2 -2
data/spec/unit/file_serving/terminus_selector_spec.rb +45 -26
data/spec/unit/file_system/uniquefile_spec.rb +18 -0
data/spec/unit/file_system_spec.rb +1 -2
data/spec/unit/functions/camelcase_spec.rb +1 -1
data/spec/unit/functions/capitalize_spec.rb +1 -1
data/spec/unit/functions/downcase_spec.rb +1 -1
data/spec/unit/functions/inline_epp_spec.rb +26 -1
data/spec/unit/functions/upcase_spec.rb +1 -1
data/spec/unit/http/client_spec.rb +71 -17
data/spec/unit/{network/resolver_spec.rb → http/dns_spec.rb} +3 -3
data/spec/unit/http/external_client_spec.rb +4 -4
data/spec/unit/{network/http → http}/factory_spec.rb +5 -11
data/spec/unit/{network/http/session_spec.rb → http/pool_entry_spec.rb} +3 -3
data/spec/unit/{network/http → http}/pool_spec.rb +12 -17
data/spec/unit/{util/http_proxy_spec.rb → http/proxy_spec.rb} +2 -69
data/spec/unit/http/resolver_spec.rb +34 -15
data/spec/unit/http/response_spec.rb +6 -0
data/spec/unit/http/service/ca_spec.rb +2 -3
data/spec/unit/http/service/compiler_spec.rb +51 -65
data/spec/unit/http/service/file_server_spec.rb +5 -6
data/spec/unit/http/service/puppetserver_spec.rb +112 -0
data/spec/unit/http/service/report_spec.rb +2 -3
data/spec/unit/http/service_spec.rb +1 -3
data/spec/unit/http/session_spec.rb +24 -35
data/spec/unit/{network/http → http}/site_spec.rb +3 -3
data/spec/unit/indirector/catalog/json_spec.rb +1 -1
data/spec/unit/indirector/catalog/rest_spec.rb +1 -1
data/spec/unit/indirector/facts/facter_spec.rb +97 -0
data/spec/unit/indirector/facts/json_spec.rb +255 -0
data/spec/unit/indirector/facts/rest_spec.rb +1 -1
data/spec/unit/indirector/file_bucket_file/file_spec.rb +5 -3
data/spec/unit/indirector/file_content/rest_spec.rb +0 -4
data/spec/unit/indirector/file_metadata/http_spec.rb +27 -0
data/spec/unit/indirector/file_metadata/rest_spec.rb +0 -4
data/spec/unit/indirector/file_server_spec.rb +1 -15
data/spec/unit/indirector/json_spec.rb +8 -8
data/spec/unit/indirector/msgpack_spec.rb +8 -8
data/spec/unit/indirector/node/json_spec.rb +33 -0
data/spec/unit/indirector/node/rest_spec.rb +1 -1
data/spec/{integration/indirector/report/yaml.rb → unit/indirector/report/json_spec.rb} +13 -24
data/spec/unit/indirector/report/rest_spec.rb +2 -17
data/spec/unit/indirector/report/yaml_spec.rb +72 -8
data/spec/unit/indirector/request_spec.rb +3 -267
data/spec/unit/indirector/rest_spec.rb +98 -752
data/spec/unit/indirector/yaml_spec.rb +7 -7
data/spec/unit/interface_spec.rb +3 -3
data/spec/unit/module_tool/tar/mini_spec.rb +20 -0
data/spec/unit/network/authconfig_spec.rb +2 -132
data/spec/unit/network/authorization_spec.rb +2 -55
data/spec/unit/network/format_support_spec.rb +3 -2
data/spec/unit/network/formats_spec.rb +4 -4
data/spec/unit/network/http/api/indirected_routes_spec.rb +3 -98
data/spec/unit/network/http/api/master/v3/environments_spec.rb +12 -23
data/spec/unit/network/http/api/master/v3_spec.rb +28 -7
data/spec/unit/network/http/api_spec.rb +10 -0
data/spec/unit/network/http/connection_spec.rb +61 -73
data/spec/unit/network/http/handler_spec.rb +0 -6
data/spec/unit/network/http_pool_spec.rb +0 -4
data/spec/unit/node/environment_spec.rb +51 -22
data/spec/unit/node_spec.rb +2 -54
data/spec/unit/parser/ast/block_expression_spec.rb +1 -1
data/spec/unit/parser/functions/create_resources_spec.rb +2 -20
data/spec/unit/parser/scope_spec.rb +1 -1
data/spec/unit/pops/evaluator/evaluating_parser_spec.rb +19 -8
data/spec/unit/pops/loaders/loaders_spec.rb +77 -22
data/spec/unit/pops/lookup/lookup_spec.rb +25 -0
data/spec/unit/pops/parser/parse_application_spec.rb +4 -22
data/spec/unit/pops/parser/parse_basic_expressions_spec.rb +0 -1
data/spec/unit/pops/parser/parse_capabilities_spec.rb +8 -21
data/spec/unit/pops/parser/parse_site_spec.rb +20 -24
data/spec/unit/pops/resource/resource_type_impl_spec.rb +0 -71
data/spec/unit/pops/serialization/to_from_hr_spec.rb +1 -1
data/spec/unit/pops/types/type_calculator_spec.rb +7 -17
data/spec/unit/pops/types/type_factory_spec.rb +1 -1
data/spec/unit/pops/validator/validator_spec.rb +61 -46
data/spec/unit/pops/visitor_spec.rb +1 -1
data/spec/unit/provider/exec_spec.rb +4 -3
data/spec/unit/provider/nameservice_spec.rb +0 -57
data/spec/unit/provider/package/apt_spec.rb +77 -0
data/spec/unit/provider/package/aptitude_spec.rb +1 -0
data/spec/unit/provider/package/dpkg_spec.rb +22 -55
data/spec/unit/provider/package/gem_spec.rb +32 -0
data/spec/unit/provider/package/openbsd_spec.rb +2 -0
data/spec/unit/provider/package/pip2_spec.rb +36 -0
data/spec/unit/provider/package/puppet_gem_spec.rb +6 -2
data/spec/unit/provider/package/puppetserver_gem_spec.rb +137 -0
data/spec/unit/provider/package/yum_spec.rb +31 -0
data/spec/unit/provider/package/zypper_spec.rb +14 -0
data/spec/unit/provider/service/base_spec.rb +2 -4
data/spec/unit/provider/service/bsd_spec.rb +5 -1
data/spec/unit/provider/service/daemontools_spec.rb +1 -1
data/spec/unit/provider/service/debian_spec.rb +3 -5
data/spec/unit/provider/service/freebsd_spec.rb +1 -1
data/spec/unit/provider/service/gentoo_spec.rb +4 -5
data/spec/unit/provider/service/init_spec.rb +45 -5
data/spec/unit/provider/service/launchd_spec.rb +5 -6
data/spec/unit/provider/service/openrc_spec.rb +4 -5
data/spec/unit/provider/service/openwrt_spec.rb +1 -1
data/spec/unit/provider/service/redhat_spec.rb +1 -1
data/spec/unit/provider/service/runit_spec.rb +2 -1
data/spec/unit/provider/service/smf_spec.rb +402 -166
data/spec/unit/provider/service/src_spec.rb +3 -5
data/spec/unit/provider/service/systemd_spec.rb +3 -6
data/spec/unit/provider/service/upstart_spec.rb +4 -5
data/spec/unit/provider/service/windows_spec.rb +50 -15
data/spec/unit/provider/user/openbsd_spec.rb +1 -0
data/spec/unit/provider/user/useradd_spec.rb +22 -16
data/spec/unit/provider/user/windows_adsi_spec.rb +82 -0
data/spec/unit/provider_spec.rb +0 -12
data/spec/unit/puppet_pal_2pec.rb +40 -0
data/spec/unit/puppet_pal_catalog_spec.rb +45 -0
data/spec/unit/reports/store_spec.rb +17 -13
data/spec/unit/resource/type_collection_spec.rb +2 -22
data/spec/unit/resource_spec.rb +3 -59
data/spec/unit/settings/http_extra_headers_spec.rb +2 -4
data/spec/unit/settings/integer_setting_spec.rb +42 -0
data/spec/unit/settings/port_setting_spec.rb +31 -0
data/spec/unit/settings/priority_setting_spec.rb +4 -4
data/spec/unit/settings_spec.rb +586 -239
data/spec/unit/ssl/base_spec.rb +36 -3
data/spec/unit/ssl/certificate_request_spec.rb +15 -45
data/spec/unit/ssl/certificate_spec.rb +2 -11
data/spec/unit/ssl/ssl_provider_spec.rb +78 -49
data/spec/unit/ssl/state_machine_spec.rb +0 -1
data/spec/unit/ssl/verifier_spec.rb +0 -21
data/spec/unit/test/test_helper_spec.rb +17 -0
data/spec/unit/transaction/persistence_spec.rb +15 -0
data/spec/unit/transaction/report_spec.rb +3 -3
data/spec/unit/transaction/resource_harness_spec.rb +2 -2
data/spec/unit/transaction_spec.rb +45 -79
data/spec/unit/type/file/checksum_spec.rb +6 -6
data/spec/unit/type/file/content_spec.rb +1 -1
data/spec/unit/type/file/ensure_spec.rb +1 -1
data/spec/unit/type/file/mode_spec.rb +1 -1
data/spec/unit/type/file/source_spec.rb +4 -5
data/spec/unit/type/file_spec.rb +134 -102
data/spec/unit/type/filebucket_spec.rb +1 -1
data/spec/unit/type/package_spec.rb +1 -1
data/spec/unit/type/service_spec.rb +209 -0
data/spec/unit/type/user_spec.rb +31 -2
data/spec/unit/type_spec.rb +70 -0
data/spec/unit/util/backups_spec.rb +0 -2
data/spec/unit/util/character_encoding_spec.rb +4 -4
data/spec/unit/util/checksums_spec.rb +16 -0
data/spec/unit/util/command_line_spec.rb +11 -6
data/spec/unit/util/execution_spec.rb +0 -29
data/spec/unit/util/monkey_patches_spec.rb +0 -6
data/spec/unit/util/rubygems_spec.rb +2 -2
data/spec/unit/util/run_mode_spec.rb +27 -127
data/spec/unit/util/windows/api_types_spec.rb +104 -40
data/spec/unit/util/windows/service_spec.rb +4 -4
data/spec/unit/util/windows/string_spec.rb +1 -3
data/spec/unit/util/yaml_spec.rb +0 -54
data/spec/unit/util_spec.rb +3 -21
data/spec/unit/x509/cert_provider_spec.rb +1 -1
metadata +76 -270
data/conf/auth.conf +0 -150
data/lib/puppet/application/cert.rb +0 -76
data/lib/puppet/application/key.rb +0 -4
data/lib/puppet/application/man.rb +0 -4
data/lib/puppet/application/status.rb +0 -4
data/lib/puppet/face/key.rb +0 -16
data/lib/puppet/face/man.rb +0 -145
data/lib/puppet/face/module/build.rb +0 -14
data/lib/puppet/face/module/generate.rb +0 -14
data/lib/puppet/face/module/search.rb +0 -103
data/lib/puppet/face/status.rb +0 -51
data/lib/puppet/indirector/certificate/file.rb +0 -9
data/lib/puppet/indirector/certificate/rest.rb +0 -18
data/lib/puppet/indirector/certificate_request/file.rb +0 -9
data/lib/puppet/indirector/certificate_request/memory.rb +0 -7
data/lib/puppet/indirector/certificate_request/rest.rb +0 -11
data/lib/puppet/indirector/file_content/http.rb +0 -22
data/lib/puppet/indirector/key/file.rb +0 -46
data/lib/puppet/indirector/key/memory.rb +0 -7
data/lib/puppet/indirector/ssl_file.rb +0 -162
data/lib/puppet/indirector/status.rb +0 -3
data/lib/puppet/indirector/status/local.rb +0 -12
data/lib/puppet/indirector/status/rest.rb +0 -27
data/lib/puppet/module_tool/applications/searcher.rb +0 -29
data/lib/puppet/network/auth_config_parser.rb +0 -90
data/lib/puppet/network/authstore.rb +0 -283
data/lib/puppet/network/http/api/master/v3/authorization.rb +0 -18
data/lib/puppet/network/http/api/master/v3/environment.rb +0 -85
data/lib/puppet/network/http/base_pool.rb +0 -36
data/lib/puppet/network/http/compression.rb +0 -127
data/lib/puppet/network/http/connection_adapter.rb +0 -182
data/lib/puppet/network/http/nocache_pool.rb +0 -28
data/lib/puppet/network/rest_controller.rb +0 -2
data/lib/puppet/network/rights.rb +0 -210
data/lib/puppet/parser/compiler/catalog_validator/env_relationship_validator.rb +0 -64
data/lib/puppet/parser/compiler/catalog_validator/site_validator.rb +0 -20
data/lib/puppet/parser/environment_compiler.rb +0 -199
data/lib/puppet/pops/types/enumeration.rb +0 -16
data/lib/puppet/resource/capability_finder.rb +0 -154
data/lib/puppet/rest/errors.rb +0 -15
data/lib/puppet/rest/response.rb +0 -35
data/lib/puppet/rest/route.rb +0 -85
data/lib/puppet/rest/routes.rb +0 -135
data/lib/puppet/ssl/host.rb +0 -505
data/lib/puppet/ssl/key.rb +0 -61
data/lib/puppet/ssl/validator.rb +0 -61
data/lib/puppet/ssl/validator/default_validator.rb +0 -209
data/lib/puppet/ssl/validator/no_validator.rb +0 -22
data/lib/puppet/ssl/verifier_adapter.rb +0 -58
data/lib/puppet/status.rb +0 -40
data/lib/puppet/util/connection.rb +0 -88
data/lib/puppet/util/ssl.rb +0 -83
data/lib/puppet/util/windows/api_types.rb +0 -282
data/lib/puppet/vendor/load_pathspec.rb +0 -1
data/lib/puppet/vendor/pathspec/CHANGELOG.md +0 -2
data/lib/puppet/vendor/pathspec/LICENSE +0 -201
data/lib/puppet/vendor/pathspec/PUPPET_README.md +0 -6
data/lib/puppet/vendor/pathspec/README.md +0 -53
data/lib/puppet/vendor/pathspec/lib/pathspec.rb +0 -122
data/lib/puppet/vendor/pathspec/lib/pathspec/gitignorespec.rb +0 -275
data/lib/puppet/vendor/pathspec/lib/pathspec/regexspec.rb +0 -17
data/lib/puppet/vendor/pathspec/lib/pathspec/spec.rb +0 -14
data/man/man8/puppet-key.8 +0 -126
data/man/man8/puppet-man.8 +0 -76
data/man/man8/puppet-status.8 +0 -108
data/spec/integration/faces/config_spec.rb +0 -91
data/spec/integration/faces/documentation_spec.rb +0 -57
data/spec/integration/file_bucket/file_spec.rb +0 -50
data/spec/integration/file_serving/content_spec.rb +0 -7
data/spec/integration/file_serving/fileset_spec.rb +0 -12
data/spec/integration/file_serving/metadata_spec.rb +0 -8
data/spec/integration/file_serving/terminus_helper_spec.rb +0 -20
data/spec/integration/file_system/uniquefile_spec.rb +0 -26
data/spec/integration/module_tool/forge_spec.rb +0 -51
data/spec/integration/module_tool/tar/mini_spec.rb +0 -28
data/spec/integration/network/authconfig_spec.rb +0 -256
data/spec/integration/provider/service/init_spec.rb +0 -48
data/spec/integration/provider/service/systemd_spec.rb +0 -25
data/spec/integration/provider/service/windows_spec.rb +0 -50
data/spec/integration/reference/providers_spec.rb +0 -21
data/spec/integration/reports_spec.rb +0 -13
data/spec/integration/ssl/certificate_request_spec.rb +0 -44
data/spec/integration/ssl/host_spec.rb +0 -72
data/spec/integration/ssl/key_spec.rb +0 -99
data/spec/integration/test/test_helper_spec.rb +0 -31
data/spec/shared_behaviours/file_serving_model.rb +0 -51
data/spec/unit/capability_spec.rb +0 -414
data/spec/unit/face/catalog_spec.rb +0 -6
data/spec/unit/face/key_spec.rb +0 -9
data/spec/unit/face/man_spec.rb +0 -25
data/spec/unit/face/module/search_spec.rb +0 -231
data/spec/unit/face/module_spec.rb +0 -3
data/spec/unit/face/status_spec.rb +0 -9
data/spec/unit/indirector/certificate/file_spec.rb +0 -14
data/spec/unit/indirector/certificate/rest_spec.rb +0 -61
data/spec/unit/indirector/certificate_request/file_spec.rb +0 -14
data/spec/unit/indirector/certificate_request/rest_spec.rb +0 -25
data/spec/unit/indirector/key/file_spec.rb +0 -79
data/spec/unit/indirector/ssl_file_spec.rb +0 -305
data/spec/unit/indirector/status/local_spec.rb +0 -10
data/spec/unit/indirector/status/rest_spec.rb +0 -50
data/spec/unit/man_spec.rb +0 -31
data/spec/unit/module_tool/applications/searcher_spec.rb +0 -38
data/spec/unit/network/auth_config_parser_spec.rb +0 -115
data/spec/unit/network/authstore_spec.rb +0 -422
data/spec/unit/network/http/api/master/v3/authorization_spec.rb +0 -57
data/spec/unit/network/http/api/master/v3/environment_spec.rb +0 -185
data/spec/unit/network/http/compression_spec.rb +0 -240
data/spec/unit/network/http/nocache_pool_spec.rb +0 -64
data/spec/unit/network/http_spec.rb +0 -9
data/spec/unit/network/rights_spec.rb +0 -439
data/spec/unit/parser/environment_compiler_spec.rb +0 -723
data/spec/unit/pops/types/enumeration_spec.rb +0 -51
data/spec/unit/resource/capability_finder_spec.rb +0 -143
data/spec/unit/rest/route_spec.rb +0 -132
data/spec/unit/ssl/host_spec.rb +0 -650
data/spec/unit/ssl/key_spec.rb +0 -173
data/spec/unit/ssl/validator_spec.rb +0 -278
data/spec/unit/status_spec.rb +0 -45
data/spec/unit/util/ssl_spec.rb +0 -91

@@ -38,9 +38,8 @@ describe Puppet::SSL::Certificate do
   describe "when determining a name from a certificate subject" do
     it "should extract only the CN and not any other components" do
-      subject = double('sub')
-      expect(Puppet::Util::SSL).to receive(:cn_from_subject).with(subject).and_return('host.domain.com')
-      expect(@class.name_from_subject(subject)).to eq('host.domain.com')
+      name = OpenSSL::X509::Name.parse('/CN=host.domain.com/L=Portland/ST=Oregon')
+      expect(@class.name_from_subject(name)).to eq('host.domain.com')
     end
   end
@@ -90,4 +89,38 @@ describe Puppet::SSL::Certificate do
       }.to raise_error(Puppet::Error, "Unknown signature algorithm 'nonsense'")
     end
   end
+  describe "when getting a CN from a subject" do
+    def parse(dn)
+      OpenSSL::X509::Name.parse(dn)
+    end
+    def cn_from(subject)
+      @class.name_from_subject(subject)
+    end
+    it "should correctly parse a subject containing only a CN" do
+      subj = parse('/CN=foo')
+      expect(cn_from(subj)).to eq('foo')
+    end
+    it "should correctly parse a subject containing other components" do
+      subj = parse('/CN=Root CA/OU=Server Operations/O=Example Org')
+      expect(cn_from(subj)).to eq('Root CA')
+    end
+    it "should correctly parse a subject containing other components with CN not first" do
+      subj = parse('/emailAddress=foo@bar.com/CN=foo.bar.com/O=Example Org')
+      expect(cn_from(subj)).to eq('foo.bar.com')
+    end
+    it "should return nil for a subject with no CN" do
+      subj = parse('/OU=Server Operations/O=Example Org')
+      expect(cn_from(subj)).to eq(nil)
+    end
+    it "should return nil for a bare string" do
+      expect(cn_from("/CN=foo")).to eq(nil)
+    end
+  end
 end

data/spec/unit/ssl/certificate_request_spec.rb CHANGED

@@ -1,23 +1,10 @@
 require 'spec_helper'
 require 'puppet/ssl/certificate_request'
-require 'puppet/ssl/key'
 describe Puppet::SSL::CertificateRequest do
   let(:request) { described_class.new("myname") }
-  let(:key) {
-    k = Puppet::SSL::Key.new("myname")
-    k.generate
-    k
-  }
-  it "should be extended with the Indirector module" do
-    expect(described_class.singleton_class).to be_include(Puppet::Indirector)
-  end
-  it "should indirect certificate_request" do
-    expect(described_class.indirection.name).to eq(:certificate_request)
-  end
+  let(:key) { OpenSSL::PKey::RSA.new(Puppet[:keylength]) }
   it "should use any provided name as its name" do
     expect(described_class.new("myname").name).to eq("myname")
@@ -83,14 +70,9 @@ describe Puppet::SSL::CertificateRequest do
   end
   describe "when generating", :unless => RUBY_PLATFORM == 'java' do
-    it "should use the content of the provided key if the key is a Puppet::SSL::Key instance" do
+    it "should verify the CSR using the public key associated with the private key" do
       request.generate(key)
-      expect(request.content.verify(key.content.public_key)).to be_truthy
-    end
-    it "should set the subject to [CN, name]" do
-      request.generate(key)
-      expect(request.content.subject).to eq OpenSSL::X509::Name.new([['CN', key.name]])
+      expect(request.content.verify(key.public_key)).to be_truthy
     end
     it "should set the version to 0" do
@@ -101,7 +83,7 @@ describe Puppet::SSL::CertificateRequest do
     it "should set the public key to the provided key's public key" do
       request.generate(key)
       # The openssl bindings do not define equality on keys so we use to_s
-      expect(request.content.public_key.to_s).to eq(key.content.public_key.to_s)
+      expect(request.content.public_key.to_s).to eq(key.public_key.to_s)
     end
     context "without subjectAltName / dns_alt_names" do
@@ -295,20 +277,20 @@ describe Puppet::SSL::CertificateRequest do
     it "should sign the csr with the provided key" do
       request.generate(key)
-      expect(request.content.verify(key.content.public_key)).to be_truthy
+      expect(request.content.verify(key.public_key)).to be_truthy
     end
     it "should verify the generated request using the public key" do
       # Stupid keys don't have a competent == method.
       expect_any_instance_of(OpenSSL::X509::Request).to receive(:verify) do |public_key|
-        public_key.to_s == key.content.public_key.to_s
+        public_key.to_s == key.public_key.to_s
       end.and_return(true)
       request.generate(key)
     end
     it "should fail if verification fails" do
       expect_any_instance_of(OpenSSL::X509::Request).to receive(:verify) do |public_key|
-        public_key.to_s == key.content.public_key.to_s
+        public_key.to_s == key.public_key.to_s
       end.and_return(false)
       expect do
@@ -334,8 +316,8 @@ describe Puppet::SSL::CertificateRequest do
       expect(OpenSSL::Digest).to receive(:const_defined?).with("SHA256").and_return(false)
       expect(OpenSSL::Digest).to receive(:const_defined?).with("SHA1").and_return(true)
       signer = Puppet::SSL::CertificateSigner.new
-      signer.sign(csr, key.content)
-      expect(csr.verify(key.content)).to be_truthy
+      signer.sign(csr, key)
+      expect(csr.verify(key)).to be_truthy
     end
     # Attempts to use SHA512 and SHA384 for signing certificates don't seem to work
@@ -348,8 +330,8 @@ describe Puppet::SSL::CertificateRequest do
       expect(OpenSSL::Digest).to receive(:const_defined?).with("SHA1").and_return(false)
       expect(OpenSSL::Digest).to receive(:const_defined?).with("SHA512").and_return(true)
       signer = Puppet::SSL::CertificateSigner.new
-      signer.sign(csr, key.content)
-      expect(csr.verify(key.content)).to be_truthy
+      signer.sign(csr, key)
+      expect(csr.verify(key)).to be_truthy
     end
     # Attempts to use SHA512 and SHA384 for signing certificates don't seem to work
@@ -363,8 +345,8 @@ describe Puppet::SSL::CertificateRequest do
       expect(OpenSSL::Digest).to receive(:const_defined?).with("SHA512").and_return(false)
       expect(OpenSSL::Digest).to receive(:const_defined?).with("SHA384").and_return(true)
       signer = Puppet::SSL::CertificateSigner.new
-      signer.sign(csr, key.content)
-      expect(csr.verify(key.content)).to be_truthy
+      signer.sign(csr, key)
+      expect(csr.verify(key)).to be_truthy
     end
     it "should use SHA224 to sign the csr when SHA256/SHA1/SHA512/SHA384 aren't available" do
@@ -375,8 +357,8 @@ describe Puppet::SSL::CertificateRequest do
       expect(OpenSSL::Digest).to receive(:const_defined?).with("SHA384").and_return(false)
       expect(OpenSSL::Digest).to receive(:const_defined?).with("SHA224").and_return(true)
       signer = Puppet::SSL::CertificateSigner.new
-      signer.sign(csr, key.content)
-      expect(csr.verify(key.content)).to be_truthy
+      signer.sign(csr, key)
+      expect(csr.verify(key)).to be_truthy
     end
     it "should raise an error if neither SHA256/SHA1/SHA512/SHA384/SHA224 are available" do
@@ -390,16 +372,4 @@ describe Puppet::SSL::CertificateRequest do
       }.to raise_error(Puppet::Error)
     end
   end
-  it "should save the CSR" do
-    csr = Puppet::SSL::CertificateRequest.new("me")
-    terminus = double('terminus')
-    allow(terminus).to receive(:validate)
-    expect(Puppet::SSL::CertificateRequest.indirection).to receive(:prepare).and_return(terminus)
-    expect(terminus).to receive(:save) do |request|
-      expect(request.instance).to eq(csr)
-      expect(request.key).to eq("me")
-    end
-    Puppet::SSL::CertificateRequest.indirection.save(csr)
-  end
 end

data/spec/unit/ssl/certificate_spec.rb CHANGED

@@ -4,7 +4,7 @@ require 'puppet/certificate_factory'
 require 'puppet/ssl/certificate'
 describe Puppet::SSL::Certificate do
-  let :key do Puppet::SSL::Key.new("test.localdomain").generate end
+  let :key do OpenSSL::PKey::RSA.new(Puppet[:keylength]) end
   # Sign the provided cert so that it can be DER-decoded later
   def sign_wrapped_cert(cert)
@@ -16,14 +16,6 @@ describe Puppet::SSL::Certificate do
     @class = Puppet::SSL::Certificate
   end
-  it "should be extended with the Indirector module" do
-    expect(@class.singleton_class).to be_include(Puppet::Indirector)
-  end
-  it "should indirect certificate" do
-    expect(@class.indirection.name).to eq(:certificate)
-  end
   it "should only support the text format" do
     expect(@class.supported_formats).to eq([:s])
   end
@@ -82,8 +74,7 @@ describe Puppet::SSL::Certificate do
   describe "when managing instances" do
     def build_cert(opts)
-      key = Puppet::SSL::Key.new('quux')
-      key.generate
+      key = OpenSSL::PKey::RSA.new(Puppet[:keylength])
       csr = Puppet::SSL::CertificateRequest.new('quux')
       csr.generate(key, opts)

data/spec/unit/ssl/ssl_provider_spec.rb CHANGED

@@ -42,20 +42,20 @@ describe Puppet::SSL::SSLProvider do
     let(:config) { { cacerts: [], crls: [], revocation: false } }
     it 'accepts empty list of certs and crls' do
-      sslctx = subject.create_root_context(config)
+      sslctx = subject.create_root_context(**config)
       expect(sslctx.cacerts).to eq([])
       expect(sslctx.crls).to eq([])
     end
     it 'accepts valid root certs' do
       certs = [cert_fixture('ca.pem')]
-      sslctx = subject.create_root_context(config.merge(cacerts: certs))
+      sslctx = subject.create_root_context(**config.merge(cacerts: certs))
       expect(sslctx.cacerts).to eq(certs)
     end
     it 'accepts valid intermediate certs' do
       certs = [cert_fixture('ca.pem'), cert_fixture('intermediate.pem')]
-      sslctx = subject.create_root_context(config.merge(cacerts: certs))
+      sslctx = subject.create_root_context(**config.merge(cacerts: certs))
       expect(sslctx.cacerts).to eq(certs)
     end
@@ -63,19 +63,19 @@ describe Puppet::SSL::SSLProvider do
       expired = [cert_fixture('ca.pem'), cert_fixture('intermediate.pem')]
       expired.each { |x509| x509.not_after = Time.at(0) }
-      sslctx = subject.create_root_context(config.merge(cacerts: expired))
+      sslctx = subject.create_root_context(**config.merge(cacerts: expired))
       expect(sslctx.cacerts).to eq(expired)
     end
     it 'raises if the frozen context is modified' do
-      sslctx = subject.create_root_context(config)
+      sslctx = subject.create_root_context(**config)
       expect {
         sslctx.verify_peer = false
       }.to raise_error(/can't modify frozen/)
     end
     it 'verifies peer' do
-      sslctx = subject.create_root_context(config)
+      sslctx = subject.create_root_context(**config)
       expect(sslctx.verify_peer).to eq(true)
     end
   end
@@ -134,6 +134,32 @@ describe Puppet::SSL::SSLProvider do
       expect(sslctx.client_cert).to be_nil
       expect(sslctx.private_key).to be_nil
     end
+    it 'trusts additional system certs' do
+      path = tmpfile('system_cacerts')
+      File.write(path, cert_fixture('ca.pem').to_pem)
+      expect_any_instance_of(OpenSSL::X509::Store).to receive(:add_file).with(path)
+      subject.create_system_context(cacerts: [], path: path)
+    end
+    it 'ignores empty files' do
+      path = tmpfile('system_cacerts')
+      FileUtils.touch(path)
+      subject.create_system_context(cacerts: [], path: path)
+      expect(@logs).to eq([])
+    end
+    it 'prints an error if it is not a file' do
+      path = tmpdir('system_cacerts')
+      subject.create_system_context(cacerts: [], path: path)
+      expect(@logs).to include(an_object_having_attributes(level: :warning, message: /^The 'ssl_trust_store' setting does not refer to a file and will be ignored/))
+    end
   end
   context 'when creating an ssl context with crls' do
@@ -142,14 +168,14 @@ describe Puppet::SSL::SSLProvider do
     it 'accepts valid CRLs' do
       certs = [cert_fixture('ca.pem')]
       crls = [crl_fixture('crl.pem')]
-      sslctx = subject.create_root_context(config.merge(cacerts: certs, crls: crls))
+      sslctx = subject.create_root_context(**config.merge(cacerts: certs, crls: crls))
       expect(sslctx.crls).to eq(crls)
     end
     it 'accepts valid CRLs for intermediate certs' do
       certs = [cert_fixture('ca.pem'), cert_fixture('intermediate.pem')]
       crls = [crl_fixture('crl.pem'), crl_fixture('intermediate-crl.pem')]
-      sslctx = subject.create_root_context(config.merge(cacerts: certs, crls: crls))
+      sslctx = subject.create_root_context(**config.merge(cacerts: certs, crls: crls))
       expect(sslctx.crls).to eq(crls)
     end
@@ -157,12 +183,12 @@ describe Puppet::SSL::SSLProvider do
       expired = [crl_fixture('crl.pem'), crl_fixture('intermediate-crl.pem')]
       expired.each { |x509| x509.last_update = Time.at(0) }
-      sslctx = subject.create_root_context(config.merge(crls: expired))
+      sslctx = subject.create_root_context(**config.merge(crls: expired))
       expect(sslctx.crls).to eq(expired)
     end
     it 'verifies peer' do
-      sslctx = subject.create_root_context(config)
+      sslctx = subject.create_root_context(**config)
       expect(sslctx.verify_peer).to eq(true)
     end
   end
@@ -174,49 +200,49 @@ describe Puppet::SSL::SSLProvider do
     it 'raises if CA certs are missing' do
       expect {
-        subject.create_context(config.merge(cacerts: nil))
+        subject.create_context(**config.merge(cacerts: nil))
       }.to raise_error(ArgumentError, /CA certs are missing/)
     end
     it 'raises if CRLs are are missing' do
       expect {
-        subject.create_context(config.merge(crls: nil))
+        subject.create_context(**config.merge(crls: nil))
       }.to raise_error(ArgumentError, /CRLs are missing/)
     end
     it 'raises if private key is missing' do
       expect {
-        subject.create_context(config.merge(private_key: nil))
+        subject.create_context(**config.merge(private_key: nil))
       }.to raise_error(ArgumentError, /Private key is missing/)
     end
     it 'raises if client cert is missing' do
       expect {
-        subject.create_context(config.merge(client_cert: nil))
+        subject.create_context(**config.merge(client_cert: nil))
       }.to raise_error(ArgumentError, /Client cert is missing/)
     end
     it 'accepts RSA keys' do
-      sslctx = subject.create_context(config)
+      sslctx = subject.create_context(**config)
       expect(sslctx.private_key).to eq(private_key)
     end
     it 'accepts EC keys' do
       ec_key = ec_key_fixture('ec-key.pem')
       ec_cert = cert_fixture('ec.pem')
-      sslctx = subject.create_context(config.merge(client_cert: ec_cert, private_key: ec_key))
+      sslctx = subject.create_context(**config.merge(client_cert: ec_cert, private_key: ec_key))
       expect(sslctx.private_key).to eq(ec_key)
     end
     it 'raises if private key is unsupported' do
       dsa_key = OpenSSL::PKey::DSA.new
       expect {
-        subject.create_context(config.merge(private_key: dsa_key))
+        subject.create_context(**config.merge(private_key: dsa_key))
       }.to raise_error(Puppet::SSL::SSLError, /Unsupported key 'OpenSSL::PKey::DSA'/)
     end
     it 'resolves the client chain from leaf to root' do
-      sslctx = subject.create_context(config)
+      sslctx = subject.create_context(**config)
       expect(
         sslctx.client_chain.map(&:subject).map(&:to_utf8)
       ).to eq(['CN=signed', 'CN=Test CA Subauthority', 'CN=Test CA'])
@@ -225,34 +251,37 @@ describe Puppet::SSL::SSLProvider do
     it 'raises if client cert signature is invalid' do
       client_cert.sign(wrong_key, OpenSSL::Digest::SHA256.new)
       expect {
-        subject.create_context(config.merge(client_cert: client_cert))
+        subject.create_context(**config.merge(client_cert: client_cert))
       }.to raise_error(Puppet::SSL::CertVerifyError,
                        "Invalid signature for certificate 'CN=signed'")
     end
     it 'raises if client cert and private key are mismatched' do
       expect {
-        subject.create_context(config.merge(private_key: wrong_key))
+        subject.create_context(**config.merge(private_key: wrong_key))
       }.to raise_error(Puppet::SSL::SSLError,
                        "The certificate for 'CN=signed' does not match its private key")
     end
     it "raises if client cert's public key has been replaced" do
       expect {
-        subject.create_context(config.merge(client_cert: cert_fixture('tampered-cert.pem')))
+        subject.create_context(**config.merge(client_cert: cert_fixture('tampered-cert.pem')))
       }.to raise_error(Puppet::SSL::CertVerifyError,
                        "Invalid signature for certificate 'CN=signed'")
     end
     # This option is only available in openssl 1.1
-    it 'raises if root cert signature is invalid', if: defined?(OpenSSL::X509::V_FLAG_CHECK_SS_SIGNATURE) do
-      ca = global_cacerts.first
-      ca.sign(wrong_key, OpenSSL::Digest::SHA256.new)
+    # TODO PUP-10689 behavior changed in openssl 1.1.1h
+    if Puppet::Util::Package.versioncmp(OpenSSL::OPENSSL_LIBRARY_VERSION.split[1], '1.1.1h') < 0
+      it 'raises if root cert signature is invalid', if: defined?(OpenSSL::X509::V_FLAG_CHECK_SS_SIGNATURE) do
+        ca = global_cacerts.first
+        ca.sign(wrong_key, OpenSSL::Digest::SHA256.new)
-      expect {
-        subject.create_context(config.merge(cacerts: global_cacerts))
-      }.to raise_error(Puppet::SSL::CertVerifyError,
-                       "Invalid signature for certificate 'CN=Test CA'")
+        expect {
+          subject.create_context(**config.merge(cacerts: global_cacerts))
+        }.to raise_error(Puppet::SSL::CertVerifyError,
+                         "Invalid signature for certificate 'CN=Test CA'")
+      end
     end
     it 'raises if intermediate CA signature is invalid' do
@@ -260,7 +289,7 @@ describe Puppet::SSL::SSLProvider do
       int.sign(wrong_key, OpenSSL::Digest::SHA256.new)
       expect {
-        subject.create_context(config.merge(cacerts: global_cacerts))
+        subject.create_context(**config.merge(cacerts: global_cacerts))
       }.to raise_error(Puppet::SSL::CertVerifyError,
                        "Invalid signature for certificate 'CN=Test CA Subauthority'")
     end
@@ -270,7 +299,7 @@ describe Puppet::SSL::SSLProvider do
       crl.sign(wrong_key, OpenSSL::Digest::SHA256.new)
       expect {
-        subject.create_context(config.merge(crls: global_crls))
+        subject.create_context(**config.merge(crls: global_crls))
       }.to raise_error(Puppet::SSL::CertVerifyError,
                        "Invalid signature for CRL issued by 'CN=Test CA'")
     end
@@ -280,14 +309,14 @@ describe Puppet::SSL::SSLProvider do
       crl.sign(wrong_key, OpenSSL::Digest::SHA256.new)
       expect {
-        subject.create_context(config.merge(crls: global_crls))
+        subject.create_context(**config.merge(crls: global_crls))
       }.to raise_error(Puppet::SSL::CertVerifyError,
                        "Invalid signature for CRL issued by 'CN=Test CA Subauthority'")
     end
     it 'raises if client cert is revoked' do
       expect {
-        subject.create_context(config.merge(private_key: key_fixture('revoked-key.pem'), client_cert: cert_fixture('revoked.pem')))
+        subject.create_context(**config.merge(private_key: key_fixture('revoked-key.pem'), client_cert: cert_fixture('revoked.pem')))
       }.to raise_error(Puppet::SSL::CertVerifyError,
                        "Certificate 'CN=revoked' is revoked")
     end
@@ -295,12 +324,12 @@ describe Puppet::SSL::SSLProvider do
     it 'warns if intermediate issuer is missing' do
       expect(Puppet).to receive(:warning).with("The issuer 'CN=Test CA Subauthority' of certificate 'CN=signed' cannot be found locally")
-      subject.create_context(config.merge(cacerts: [cert_fixture('ca.pem')]))
+      subject.create_context(**config.merge(cacerts: [cert_fixture('ca.pem')]))
     end
     it 'raises if root issuer is missing' do
       expect {
-        subject.create_context(config.merge(cacerts: [cert_fixture('intermediate.pem')]))
+        subject.create_context(**config.merge(cacerts: [cert_fixture('intermediate.pem')]))
       }.to raise_error(Puppet::SSL::CertVerifyError,
                        "The issuer 'CN=Test CA' of certificate 'CN=Test CA Subauthority' is missing")
     end
@@ -308,7 +337,7 @@ describe Puppet::SSL::SSLProvider do
     it 'raises if cert is not valid yet', unless: Puppet::Util::Platform.jruby? do
       client_cert.not_before = Time.now + (5 * 60 * 60)
       expect {
-        subject.create_context(config.merge(client_cert: client_cert))
+        subject.create_context(**config.merge(client_cert: client_cert))
       }.to raise_error(Puppet::SSL::CertVerifyError,
                        "The certificate 'CN=signed' is not yet valid, verify time is synchronized")
     end
@@ -316,7 +345,7 @@ describe Puppet::SSL::SSLProvider do
     it 'raises if cert is expired', unless: Puppet::Util::Platform.jruby? do
       client_cert.not_after = Time.at(0)
       expect {
-        subject.create_context(config.merge(client_cert: client_cert))
+        subject.create_context(**config.merge(client_cert: client_cert))
       }.to raise_error(Puppet::SSL::CertVerifyError,
                        "The certificate 'CN=signed' has expired, verify time is synchronized")
     end
@@ -327,7 +356,7 @@ describe Puppet::SSL::SSLProvider do
       future_crls.first.last_update = Time.now + (5 * 60 * 60)
       expect {
-        subject.create_context(config.merge(crls: future_crls))
+        subject.create_context(**config.merge(crls: future_crls))
       }.to raise_error(Puppet::SSL::CertVerifyError,
                        "The CRL issued by 'CN=Test CA' is not yet valid, verify time is synchronized")
     end
@@ -338,7 +367,7 @@ describe Puppet::SSL::SSLProvider do
       past_crls.first.next_update = Time.at(0)
       expect {
-        subject.create_context(config.merge(crls: past_crls))
+        subject.create_context(**config.merge(crls: past_crls))
       }.to raise_error(Puppet::SSL::CertVerifyError,
                        "The CRL issued by 'CN=Test CA' has expired, verify time is synchronized")
     end
@@ -346,7 +375,7 @@ describe Puppet::SSL::SSLProvider do
     it 'raises if the root CRL is missing' do
       crls = [crl_fixture('intermediate-crl.pem')]
       expect {
-        subject.create_context(config.merge(crls: crls, revocation: :chain))
+        subject.create_context(**config.merge(crls: crls, revocation: :chain))
       }.to raise_error(Puppet::SSL::CertVerifyError,
                        "The CRL issued by 'CN=Test CA' is missing")
     end
@@ -354,23 +383,23 @@ describe Puppet::SSL::SSLProvider do
     it 'raises if the intermediate CRL is missing' do
       crls = [crl_fixture('crl.pem')]
       expect {
-        subject.create_context(config.merge(crls: crls))
+        subject.create_context(**config.merge(crls: crls))
       }.to raise_error(Puppet::SSL::CertVerifyError,
                        "The CRL issued by 'CN=Test CA Subauthority' is missing")
     end
     it "doesn't raise if the root CRL is missing and we're just checking the leaf" do
       crls = [crl_fixture('intermediate-crl.pem')]
-      subject.create_context(config.merge(crls: crls, revocation: :leaf))
+      subject.create_context(**config.merge(crls: crls, revocation: :leaf))
     end
     it "doesn't raise if the intermediate CRL is missing and revocation checking is disabled" do
       crls = [crl_fixture('crl.pem')]
-      subject.create_context(config.merge(crls: crls, revocation: false))
+      subject.create_context(**config.merge(crls: crls, revocation: false))
     end
     it "doesn't raise if both CRLs are missing and revocation checking is disabled" do
-      subject.create_context(config.merge(crls: [], revocation: false))
+      subject.create_context(**config.merge(crls: [], revocation: false))
     end
     # OpenSSL < 1.1 does not verify basicConstraints
@@ -378,7 +407,7 @@ describe Puppet::SSL::SSLProvider do
       certs = [cert_fixture('bad-basic-constraints.pem'), cert_fixture('intermediate.pem')]
       expect {
-        subject.create_context(config.merge(cacerts: certs, crls: [], revocation: false))
+        subject.create_context(**config.merge(cacerts: certs, crls: [], revocation: false))
       }.to raise_error(Puppet::SSL::CertVerifyError,
                        "Certificate 'CN=Test CA' failed verification (24): invalid CA certificate")
     end
@@ -388,32 +417,32 @@ describe Puppet::SSL::SSLProvider do
       certs = [cert_fixture('ca.pem'), cert_fixture('bad-int-basic-constraints.pem')]
       expect {
-        subject.create_context(config.merge(cacerts: certs, crls: [], revocation: false))
+        subject.create_context(**config.merge(cacerts: certs, crls: [], revocation: false))
       }.to raise_error(Puppet::SSL::CertVerifyError,
                        "Certificate 'CN=Test CA Subauthority' failed verification (24): invalid CA certificate")
     end
     it 'accepts CA certs in any order' do
-      sslctx = subject.create_context(config.merge(cacerts: global_cacerts.reverse))
+      sslctx = subject.create_context(**config.merge(cacerts: global_cacerts.reverse))
       # certs in ruby+openssl 1.0.x are not comparable, so compare subjects
       expect(sslctx.client_chain.map(&:subject).map(&:to_utf8)).to contain_exactly('CN=Test CA', 'CN=Test CA Subauthority', 'CN=signed')
     end
     it 'accepts CRLs in any order' do
-      sslctx = subject.create_context(config.merge(crls: global_crls.reverse))
+      sslctx = subject.create_context(**config.merge(crls: global_crls.reverse))
       # certs in ruby+openssl 1.0.x are not comparable, so compare subjects
       expect(sslctx.client_chain.map(&:subject).map(&:to_utf8)).to contain_exactly('CN=Test CA', 'CN=Test CA Subauthority', 'CN=signed')
     end
     it 'raises if the frozen context is modified' do
-      sslctx = subject.create_context(config)
+      sslctx = subject.create_context(**config)
       expect {
         sslctx.verify_peer = false
       }.to raise_error(/can't modify frozen/)
     end
     it 'verifies peer' do
-      sslctx = subject.create_context(config)
+      sslctx = subject.create_context(**config)
       expect(sslctx.verify_peer).to eq(true)
     end
   end