puppet 6.19.0-x86-mingw32 → 7.3.0-x86-mingw32

data/spec/unit/ssl/base_spec.rb

@@ -38,16 +38,14 @@ describe Puppet::SSL::Certificate do
 
   describe "when determining a name from a certificate subject" do
     it "should extract only the CN and not any other components" do
-      subject = double('sub')
-      expect(Puppet::Util::SSL).to receive(:cn_from_subject).with(subject).and_return('host.domain.com')
-      expect(@class.name_from_subject(subject)).to eq('host.domain.com')
+      name = OpenSSL::X509::Name.parse('/CN=host.domain.com/L=Portland/ST=Oregon')
+      expect(@class.name_from_subject(name)).to eq('host.domain.com')
     end
   end
 
   describe "when initializing wrapped class from a file with #read" do
     it "should open the file with ASCII encoding" do
       path = '/foo/bar/cert'
-      allow(Puppet::SSL::Base).to receive(:valid_certname).and_return(true)
       expect(Puppet::FileSystem).to receive(:read).with(path, :encoding => Encoding::ASCII).and_return("bar")
       @base.read(path)
     end
@@ -90,4 +88,38 @@ describe Puppet::SSL::Certificate do
       }.to raise_error(Puppet::Error, "Unknown signature algorithm 'nonsense'")
     end
   end
+
+  describe "when getting a CN from a subject" do
+    def parse(dn)
+      OpenSSL::X509::Name.parse(dn)
+    end
+
+    def cn_from(subject)
+      @class.name_from_subject(subject)
+    end
+
+    it "should correctly parse a subject containing only a CN" do
+      subj = parse('/CN=foo')
+      expect(cn_from(subj)).to eq('foo')
+    end
+
+    it "should correctly parse a subject containing other components" do
+      subj = parse('/CN=Root CA/OU=Server Operations/O=Example Org')
+      expect(cn_from(subj)).to eq('Root CA')
+    end
+
+    it "should correctly parse a subject containing other components with CN not first" do
+      subj = parse('/emailAddress=foo@bar.com/CN=foo.bar.com/O=Example Org')
+      expect(cn_from(subj)).to eq('foo.bar.com')
+    end
+
+    it "should return nil for a subject with no CN" do
+      subj = parse('/OU=Server Operations/O=Example Org')
+      expect(cn_from(subj)).to eq(nil)
+    end
+
+    it "should return nil for a bare string" do
+      expect(cn_from("/CN=foo")).to eq(nil)
+    end
+  end
 end

data/spec/unit/ssl/certificate_request_spec.rb

@@ -1,23 +1,10 @@
 require 'spec_helper'
 
 require 'puppet/ssl/certificate_request'
-require 'puppet/ssl/key'
 
 describe Puppet::SSL::CertificateRequest do
   let(:request) { described_class.new("myname") }
-  let(:key) {
-    k = Puppet::SSL::Key.new("myname")
-    k.generate
-    k
-  }
-
-  it "should be extended with the Indirector module" do
-    expect(described_class.singleton_class).to be_include(Puppet::Indirector)
-  end
-
-  it "should indirect certificate_request" do
-    expect(described_class.indirection.name).to eq(:certificate_request)
-  end
+  let(:key) { OpenSSL::PKey::RSA.new(Puppet[:keylength]) }
 
   it "should use any provided name as its name" do
     expect(described_class.new("myname").name).to eq("myname")
@@ -83,14 +70,9 @@ describe Puppet::SSL::CertificateRequest do
   end
 
   describe "when generating", :unless => RUBY_PLATFORM == 'java' do
-    it "should use the content of the provided key if the key is a Puppet::SSL::Key instance" do
+    it "should verify the CSR using the public key associated with the private key" do
       request.generate(key)
-      expect(request.content.verify(key.content.public_key)).to be_truthy
-    end
-
-    it "should set the subject to [CN, name]" do
-      request.generate(key)
-      expect(request.content.subject).to eq OpenSSL::X509::Name.new([['CN', key.name]])
+      expect(request.content.verify(key.public_key)).to be_truthy
     end
 
     it "should set the version to 0" do
@@ -101,7 +83,7 @@ describe Puppet::SSL::CertificateRequest do
     it "should set the public key to the provided key's public key" do
       request.generate(key)
       # The openssl bindings do not define equality on keys so we use to_s
-      expect(request.content.public_key.to_s).to eq(key.content.public_key.to_s)
+      expect(request.content.public_key.to_s).to eq(key.public_key.to_s)
     end
 
     context "without subjectAltName / dns_alt_names" do
@@ -295,20 +277,20 @@ describe Puppet::SSL::CertificateRequest do
 
     it "should sign the csr with the provided key" do
       request.generate(key)
-      expect(request.content.verify(key.content.public_key)).to be_truthy
+      expect(request.content.verify(key.public_key)).to be_truthy
     end
 
     it "should verify the generated request using the public key" do
       # Stupid keys don't have a competent == method.
       expect_any_instance_of(OpenSSL::X509::Request).to receive(:verify) do |public_key|
-        public_key.to_s == key.content.public_key.to_s
+        public_key.to_s == key.public_key.to_s
       end.and_return(true)
       request.generate(key)
     end
 
     it "should fail if verification fails" do
       expect_any_instance_of(OpenSSL::X509::Request).to receive(:verify) do |public_key|
-        public_key.to_s == key.content.public_key.to_s
+        public_key.to_s == key.public_key.to_s
       end.and_return(false)
 
       expect do
@@ -334,8 +316,8 @@ describe Puppet::SSL::CertificateRequest do
       expect(OpenSSL::Digest).to receive(:const_defined?).with("SHA256").and_return(false)
       expect(OpenSSL::Digest).to receive(:const_defined?).with("SHA1").and_return(true)
       signer = Puppet::SSL::CertificateSigner.new
-      signer.sign(csr, key.content)
-      expect(csr.verify(key.content)).to be_truthy
+      signer.sign(csr, key)
+      expect(csr.verify(key)).to be_truthy
     end
 
     # Attempts to use SHA512 and SHA384 for signing certificates don't seem to work
@@ -348,8 +330,8 @@ describe Puppet::SSL::CertificateRequest do
       expect(OpenSSL::Digest).to receive(:const_defined?).with("SHA1").and_return(false)
       expect(OpenSSL::Digest).to receive(:const_defined?).with("SHA512").and_return(true)
       signer = Puppet::SSL::CertificateSigner.new
-      signer.sign(csr, key.content)
-      expect(csr.verify(key.content)).to be_truthy
+      signer.sign(csr, key)
+      expect(csr.verify(key)).to be_truthy
     end
 
     # Attempts to use SHA512 and SHA384 for signing certificates don't seem to work
@@ -363,8 +345,8 @@ describe Puppet::SSL::CertificateRequest do
       expect(OpenSSL::Digest).to receive(:const_defined?).with("SHA512").and_return(false)
       expect(OpenSSL::Digest).to receive(:const_defined?).with("SHA384").and_return(true)
       signer = Puppet::SSL::CertificateSigner.new
-      signer.sign(csr, key.content)
-      expect(csr.verify(key.content)).to be_truthy
+      signer.sign(csr, key)
+      expect(csr.verify(key)).to be_truthy
     end
 
     it "should use SHA224 to sign the csr when SHA256/SHA1/SHA512/SHA384 aren't available" do
@@ -375,8 +357,8 @@ describe Puppet::SSL::CertificateRequest do
       expect(OpenSSL::Digest).to receive(:const_defined?).with("SHA384").and_return(false)
       expect(OpenSSL::Digest).to receive(:const_defined?).with("SHA224").and_return(true)
       signer = Puppet::SSL::CertificateSigner.new
-      signer.sign(csr, key.content)
-      expect(csr.verify(key.content)).to be_truthy
+      signer.sign(csr, key)
+      expect(csr.verify(key)).to be_truthy
     end
 
     it "should raise an error if neither SHA256/SHA1/SHA512/SHA384/SHA224 are available" do
@@ -390,16 +372,4 @@ describe Puppet::SSL::CertificateRequest do
       }.to raise_error(Puppet::Error)
     end
   end
-
-  it "should save the CSR" do
-    csr = Puppet::SSL::CertificateRequest.new("me")
-    terminus = double('terminus')
-    allow(terminus).to receive(:validate)
-    expect(Puppet::SSL::CertificateRequest.indirection).to receive(:prepare).and_return(terminus)
-    expect(terminus).to receive(:save) do |request|
-      expect(request.instance).to eq(csr)
-      expect(request.key).to eq("me")
-    end
-    Puppet::SSL::CertificateRequest.indirection.save(csr)
-  end
 end

data/spec/unit/ssl/certificate_spec.rb

@@ -4,7 +4,7 @@ require 'puppet/certificate_factory'
 require 'puppet/ssl/certificate'
 
 describe Puppet::SSL::Certificate do
-  let :key do Puppet::SSL::Key.new("test.localdomain").generate end
+  let :key do OpenSSL::PKey::RSA.new(Puppet[:keylength]) end
 
   # Sign the provided cert so that it can be DER-decoded later
   def sign_wrapped_cert(cert)
@@ -16,14 +16,6 @@ describe Puppet::SSL::Certificate do
     @class = Puppet::SSL::Certificate
   end
 
-  it "should be extended with the Indirector module" do
-    expect(@class.singleton_class).to be_include(Puppet::Indirector)
-  end
-
-  it "should indirect certificate" do
-    expect(@class.indirection.name).to eq(:certificate)
-  end
-
   it "should only support the text format" do
     expect(@class.supported_formats).to eq([:s])
   end
@@ -82,8 +74,7 @@ describe Puppet::SSL::Certificate do
 
   describe "when managing instances" do
     def build_cert(opts)
-      key = Puppet::SSL::Key.new('quux')
-      key.generate
+      key = OpenSSL::PKey::RSA.new(Puppet[:keylength])
       csr = Puppet::SSL::CertificateRequest.new('quux')
       csr.generate(key, opts)
 

data/spec/unit/ssl/ssl_provider_spec.rb

@@ -271,14 +271,20 @@ describe Puppet::SSL::SSLProvider do
     end
 
     # This option is only available in openssl 1.1
-    it 'raises if root cert signature is invalid', if: defined?(OpenSSL::X509::V_FLAG_CHECK_SS_SIGNATURE) do
-      ca = global_cacerts.first
-      ca.sign(wrong_key, OpenSSL::Digest::SHA256.new)
-
-      expect {
-        subject.create_context(**config.merge(cacerts: global_cacerts))
-      }.to raise_error(Puppet::SSL::CertVerifyError,
-                       "Invalid signature for certificate 'CN=Test CA'")
+    # OpenSSL 1.1.1h no longer reports expired root CAs when using "verify".
+    # This regression was fixed in 1.1.1i, so only skip this test if we're on
+    # the affected version.
+    # See: https://github.com/openssl/openssl/pull/13585
+    if Puppet::Util::Package.versioncmp(OpenSSL::OPENSSL_LIBRARY_VERSION.split[1], '1.1.1h') != 0
+      it 'raises if root cert signature is invalid', if: defined?(OpenSSL::X509::V_FLAG_CHECK_SS_SIGNATURE) do
+        ca = global_cacerts.first
+        ca.sign(wrong_key, OpenSSL::Digest::SHA256.new)
+
+        expect {
+          subject.create_context(**config.merge(cacerts: global_cacerts))
+        }.to raise_error(Puppet::SSL::CertVerifyError,
+                         "Invalid signature for certificate 'CN=Test CA'")
+      end
     end
 
     it 'raises if intermediate CA signature is invalid' do

data/spec/unit/ssl/state_machine_spec.rb

@@ -505,7 +505,6 @@ describe Puppet::SSL::StateMachine, unless: Puppet::Util::Platform.jruby? do
       Puppet[:certificate_revocation] = false
 
       expect(cert_provider).not_to receive(:load_crls)
-      expect(Puppet::Rest::Routes).not_to receive(:get_crls)
 
       state.next_state
 

data/spec/unit/ssl/verifier_spec.rb

@@ -6,7 +6,6 @@ describe Puppet::SSL::Verifier do
   let(:host) { 'example.com' }
   let(:http) { Net::HTTP.new(host) }
   let(:verifier) { described_class.new(host, ssl_context) }
-  let(:adapter) { Puppet::SSL::VerifierAdapter.new(Puppet::SSL::Validator::DefaultValidator.new) }
 
   context '#reusable?' do
     it 'Verifiers with the same ssl_context are reusable' do
@@ -16,26 +15,6 @@ describe Puppet::SSL::Verifier do
     it 'Verifiers with different ssl_contexts are not reusable' do
       expect(verifier).to_not be_reusable(described_class.new(host, Puppet::SSL::SSLContext.new))
     end
-
-    it 'Verifier is not reusable with VerifierAdapter' do
-      expect(verifier).to_not be_reusable(adapter)
-    end
-
-    it 'VerifierAdapter is not reusable with Verifier' do
-      expect(adapter).to_not be_reusable(verifier)
-    end
-
-    it 'VerifierAdapters with the same class of Validator are reusable' do
-      expect(
-        adapter
-      ).to be_reusable(Puppet::SSL::VerifierAdapter.new(Puppet::SSL::Validator::DefaultValidator.new))
-    end
-
-    it 'VerifierAdapters with different classes of Validators are not reusable' do
-      expect(
-        adapter
-      ).to_not be_reusable(Puppet::SSL::VerifierAdapter.new(Puppet::SSL::Validator::NoValidator.new))
-    end
   end
 
   context '#setup_connection' do

data/spec/unit/transaction/additional_resource_generator_spec.rb

@@ -33,10 +33,6 @@ describe Puppet::Transaction::AdditionalResourceGenerator do
 
       newparam(:code)
 
-      def respond_to?(method_name)
-        method_name == self[:kind] || super
-      end
-
       def eval_generate
         eval_code
       end
@@ -314,13 +310,13 @@ describe Puppet::Transaction::AdditionalResourceGenerator do
 
     it "sets resources_failed_to_generate to true if resource#eval_generate raises an exception" do
       catalog = compile_to_ral(<<-MANIFEST)
-        notify { 'hello': }
+        generator { thing: }
       MANIFEST
 
-      allow(catalog.resource("Notify[hello]")).to receive(:eval_generate).and_raise(RuntimeError)
+      allow(catalog.resource("Generator[thing]")).to receive(:eval_generate).and_raise(RuntimeError)
       relationship_graph = relationship_graph_for(catalog)
       generator = Puppet::Transaction::AdditionalResourceGenerator.new(catalog, relationship_graph, prioritizer)
-      generator.eval_generate(catalog.resource("Notify[hello]"))
+      generator.eval_generate(catalog.resource("Generator[thing]"))
 
       expect(generator.resources_failed_to_generate).to be_truthy
     end

data/spec/unit/transaction/event_manager_spec.rb

@@ -152,6 +152,9 @@ describe Puppet::Transaction::EventManager do
 
       @resource = Puppet::Type.type(:file).new :path => make_absolute("/my/file")
       @event = Puppet::Transaction::Event.new(:name => :event, :resource => @resource)
+
+      @resource.class.send(:define_method, :callback1) {}
+      @resource.class.send(:define_method, :callback2) {}
     end
 
     it "should call the required callback once for each set of associated events" do
@@ -178,7 +181,7 @@ describe Puppet::Transaction::EventManager do
 
       allow(@resource).to receive(:callback1)
 
-      @manager.process_events(@resource) #x
+      @manager.process_events(@resource)
 
       expect(@transaction.resource_status(@resource).events.length).to eq(1)
     end
@@ -211,9 +214,11 @@ describe Puppet::Transaction::EventManager do
         @event2 = Puppet::Transaction::Event.new(:name => :event, :resource => @resource)
         @event2.status = "success"
         expect(@manager).to receive(:queued_events).with(@resource).and_yield(:callback1, [@event, @event2])
+        @resource.class.send(:define_method, :callback1) {}
       end
 
       it "should call the callback" do
+
         expect(@resource).to receive(:callback1)
 
         @manager.process_events(@resource)
@@ -225,6 +230,7 @@ describe Puppet::Transaction::EventManager do
         allow(@event).to receive(:status).and_return("noop")
         allow(@resource).to receive(:event).and_return(Puppet::Transaction::Event.new)
         expect(@manager).to receive(:queued_events).with(@resource).and_yield(:callback1, [@event])
+        @resource.class.send(:define_method, :callback1) {}
       end
 
       it "should log" do
@@ -254,6 +260,7 @@ describe Puppet::Transaction::EventManager do
         allow(@resource).to receive(:event).and_return(Puppet::Transaction::Event.new)
         allow(@resource).to receive(:noop?).and_return(true)
         expect(@manager).to receive(:queued_events).with(@resource).and_yield(:callback1, [@event])
+        @resource.class.send(:define_method, :callback1) {}
       end
 
       it "should log" do
@@ -279,7 +286,7 @@ describe Puppet::Transaction::EventManager do
 
     describe "and the callback fails" do
       before do
-        expect(@resource).to receive(:callback1).and_raise("a failure")
+        @resource.class.send(:define_method, :callback1) { raise "a failure" }
 
         expect(@manager).to receive(:queued_events).and_yield(:callback1, [@event])
       end
@@ -323,16 +330,12 @@ describe Puppet::Transaction::EventManager do
 
   describe "when queueing then processing events for a given resource" do
     before do
-      @transaction = Puppet::Transaction.new(Puppet::Resource::Catalog.new, nil, nil)
-      @manager = Puppet::Transaction::EventManager.new(@transaction)
+      @catalog = Puppet::Resource::Catalog.new
+      @target = Puppet::Type.type(:exec).new(name: 'target', path: ENV['PATH'])
+      @resource = Puppet::Type.type(:exec).new(name: 'resource', path: ENV['PATH'], notify: @target)
+      @catalog.add_resource(@resource, @target)
 
-      @resource = Puppet::Type.type(:file).new :path => make_absolute("/my/file")
-      @target = Puppet::Type.type(:file).new :path => make_absolute("/your/file")
-
-      @graph = allow('graph')
-      allow(@graph).to receive(:matching_edges).and_return([])
-      allow(@graph).to receive(:matching_edges).with(anything, @resource).and_return([double('edge', :target => @target, :callback => :refresh)])
-      allow(@manager).to receive(:relationship_graph).and_return(@graph)
+      @manager = Puppet::Transaction::EventManager.new(Puppet::Transaction.new(@catalog, nil, nil))
 
       @event  = Puppet::Transaction::Event.new(:name => :notify, :resource => @target)
       @event2 = Puppet::Transaction::Event.new(:name => :service_start, :resource => @target, :invalidate_refreshes => true)

data/spec/unit/transaction/report_spec.rb

@@ -675,7 +675,6 @@ Version:
     report.code_id = "some code id"
     report.catalog_uuid = "some catalog uuid"
     report.cached_catalog_status = "not_used"
-    report.master_used = "test:000"
     report.server_used = "test:000"
     report.add_resource_status(status)
     report.transaction_completed = true
@@ -694,7 +693,6 @@ Version:
     report.code_id = "some code id"
     report.catalog_uuid = "some catalog uuid"
     report.cached_catalog_status = "not_used"
-    report.master_used = "test:000"
     report.server_used = "test:000"
     report.add_resource_status(status)
     report.transaction_completed = true

data/spec/unit/transaction/resource_harness_spec.rb

@@ -612,14 +612,14 @@ describe Puppet::Transaction::ResourceHarness do
       allow_any_instance_of(Puppet::Transaction::Event).to receive(:corrective_change).and_return(true)
       status = @harness.evaluate(resource)
       sync_event = status.events[0]
-      expect(sync_event.message).to match(/content changed '{md5}[0-9a-f]+' to '{md5}[0-9a-f]+' \(corrective\)/)
+      expect(sync_event.message).to match(/content changed '{sha256}[0-9a-f]+' to '{sha256}[0-9a-f]+' \(corrective\)/)
     end
 
     it "contains no modifier when intentional change" do
       allow_any_instance_of(Puppet::Transaction::Event).to receive(:corrective_change).and_return(false)
       status = @harness.evaluate(resource)
       sync_event = status.events[0]
-      expect(sync_event.message).to match(/content changed '{md5}[0-9a-f]+' to '{md5}[0-9a-f]+'$/)
+      expect(sync_event.message).to match(/content changed '{sha256}[0-9a-f]+' to '{sha256}[0-9a-f]+'$/)
     end
   end
 end

data/spec/unit/transaction_spec.rb

@@ -5,6 +5,13 @@ require 'puppet_spec/compiler'
 require 'puppet/transaction'
 require 'fileutils'
 
+Puppet::Type.newtype(:generator) do
+  newparam(:name) { isnamevar }
+
+  def generate
+  end
+end
+
 describe Puppet::Transaction do
   include PuppetSpec::Files
   include PuppetSpec::Compiler
@@ -323,9 +330,9 @@ describe Puppet::Transaction do
   describe "when generating resources before traversal" do
     let(:catalog) { Puppet::Resource::Catalog.new }
     let(:transaction) { Puppet::Transaction.new(catalog, nil, Puppet::Graph::SequentialPrioritizer.new) }
-    let(:generator) { Puppet::Type.type(:notify).new :title => "generator" }
+    let(:generator) { Puppet::Type.type(:generator).new :title => "generator" }
     let(:generated) do
-      %w[a b c].map { |name| Puppet::Type.type(:notify).new(:name => name) }
+      %w[a b c].map { |name| Puppet::Type.type(:generator).new(:name => name) }
     end
 
     before :each do
@@ -598,115 +605,81 @@ describe Puppet::Transaction do
       transaction.prefetch_if_necessary(resource)
     end
 
-    it "should not rescue SystemExit without future_features flag" do
-      Puppet.settings[:future_features] = false
+    it "should not rescue SystemExit" do
       expect(resource.provider.class).to receive(:prefetch).and_raise(SystemExit, "SystemMessage")
       expect { transaction.prefetch_if_necessary(resource) }.to raise_error(SystemExit, "SystemMessage")
     end
 
-    it "should not rescue SystemExit with future_features flag" do
-      Puppet.settings[:future_features] = true
-      expect(resource.provider.class).to receive(:prefetch).and_raise(SystemExit, "SystemMessage")
-      expect { transaction.prefetch_if_necessary(resource) }.to raise_error(SystemExit, "SystemMessage")
-    end
-
-    it "should rescue LoadError without future_features flag" do
-      Puppet.settings[:future_features] = false
-      expect(resource.provider.class).to receive(:prefetch).and_raise(LoadError, "LoadMessage")
-      expect { transaction.prefetch_if_necessary(resource) }.not_to raise_error
-    end
-
-    it "should rescue LoadError with future_features flag" do
-      Puppet.settings[:future_features] = true
+    it "should mark resources as failed when prefetching raises LoadError" do
       expect(resource.provider.class).to receive(:prefetch).and_raise(LoadError, "LoadMessage")
-      expect { transaction.prefetch_if_necessary(resource) }.not_to raise_error
+      transaction.prefetch_if_necessary(resource)
+      expect(transaction.prefetched_providers[:package][:pkgng]).to be_truthy
     end
 
-    describe "and prefetching fails" do
+    describe "and prefetching raises Puppet::Error" do
       before :each do
         expect(resource.provider.class).to receive(:prefetch).and_raise(Puppet::Error, "message")
       end
 
-      context "without future_features flag" do
-        before :each do
-          Puppet.settings[:future_features] = false
-        end
-
-        it "should not rescue prefetch executions" do
-          expect { transaction.prefetch_if_necessary(resource) }.to raise_error(Puppet::Error)
-        end
+      it "should rescue prefetch executions" do
+        transaction.prefetch_if_necessary(resource)
 
-        it "should log the exception during prefetch" do
-          expect(Puppet).to receive(:log_exception).with(anything, "Could not prefetch package provider 'pkgng': message")
-          expect { transaction.prefetch_if_necessary(resource) }.to raise_error(Puppet::Error, "message")
-        end
+        expect(transaction.prefetched_providers[:package][:pkgng]).to be_truthy
       end
 
-      context "with future_features flag" do
-        before :each do
-          Puppet.settings[:future_features] = true
-        end
+      it "should mark resources as failed", :unless => RUBY_PLATFORM == 'java' do
+        transaction.evaluate
 
-        it "should rescue prefetch executions" do
-          transaction.prefetch_if_necessary(resource)
+        expect(transaction.resource_status(resource).failed?).to be_truthy
+      end
 
-          expect(transaction.prefetched_providers[:package][:pkgng]).to be_truthy
-        end
+      it "should mark a provider that has failed prefetch" do
+        transaction.prefetch_if_necessary(resource)
 
-        it "should mark resources as failed", :unless => RUBY_PLATFORM == 'java' do
-          transaction.evaluate
+        expect(transaction.prefetch_failed_providers[:package][:pkgng]).to be_truthy
+      end
 
-          expect(transaction.resource_status(resource).failed?).to be_truthy
+      describe "and new resources are generated" do
+        let(:generator) { Puppet::Type.type(:generator).new :title => "generator" }
+        let(:generated) do
+          %w[a b c].map { |name| Puppet::Type.type(:package).new :title => "foo", :name => name, :provider => :apt }
         end
 
-        it "should mark a provider that has failed prefetch" do
-          transaction.prefetch_if_necessary(resource)
-
-          expect(transaction.prefetch_failed_providers[:package][:pkgng]).to be_truthy
+        before :each do
+          catalog.add_resource generator
+          allow(generator).to receive(:generate).and_return(generated)
+          allow(catalog).to receive(:container_of).and_return(generator)
         end
 
-        describe "and new resources are generated" do
-          let(:generator) { Puppet::Type.type(:notify).new :title => "generator" }
-          let(:generated) do
-            %w[a b c].map { |name| Puppet::Type.type(:package).new :title => "foo", :name => name, :provider => :apt }
-          end
-
-          before :each do
-            catalog.add_resource generator
-            allow(generator).to receive(:generate).and_return(generated)
-            allow(catalog).to receive(:container_of).and_return(generator)
-          end
+        it "should not evaluate resources with a failed provider, even if the prefetch is rescued" do
+          #Only the generator resource should be applied, all the other resources are failed, and skipped.
+          catalog.remove_resource resource2
+          expect(transaction).to receive(:apply).once
 
-          it "should not evaluate resources with a failed provider, even if the prefetch is rescued" do
-            #Only the generator resource should be applied, all the other resources are failed, and skipped.
-            catalog.remove_resource resource2
-            expect(transaction).to receive(:apply).once
-
-            transaction.evaluate
-          end
+          transaction.evaluate
+        end
 
-          it "should not fail other resources added after the failing resource", :unless => RUBY_PLATFORM == 'java' do
-            new_resource = Puppet::Type.type(:notify).new :name => "baz"
-            catalog.add_resource(new_resource)
+        it "should not fail other resources added after the failing resource", :unless => RUBY_PLATFORM == 'java' do
+          new_resource = Puppet::Type.type(:notify).new :name => "baz"
+          catalog.add_resource(new_resource)
 
-            transaction.evaluate
+          transaction.evaluate
 
-            expect(transaction.resource_status(new_resource).failed?).to be_falsey
-          end
+          expect(transaction.resource_status(new_resource).failed?).to be_falsey
+        end
 
-          it "should fail other resources that require the failing resource" do
-            new_resource = Puppet::Type.type(:notify).new(:name => "baz", :require => resource)
-            catalog.add_resource(new_resource)
+        it "should fail other resources that require the failing resource" do
+          new_resource = Puppet::Type.type(:notify).new(:name => "baz", :require => resource)
+          catalog.add_resource(new_resource)
 
-            catalog.remove_resource resource2
-            expect(transaction).to receive(:apply).once
+          catalog.remove_resource resource2
+          expect(transaction).to receive(:apply).once
 
-            transaction.evaluate
+          transaction.evaluate
 
-            expect(transaction.resource_status(resource).failed?).to be_truthy
-            expect(transaction.resource_status(new_resource).dependency_failed?).to be_truthy
-            expect(transaction.skip?(new_resource)).to be_truthy
-          end
+          expect(transaction.resource_status(resource).failed?).to be_truthy
+          expect(transaction.resource_status(new_resource).dependency_failed?).to be_truthy
+          expect(transaction.skip?(new_resource)).to be_truthy
         end
       end
     end
@@ -785,6 +758,9 @@ describe Puppet::Transaction do
           def self.is_selinux_enabled
             true
           end
+
+          def self.matchpathcon_fini
+          end
         end
       end
 
@@ -828,7 +804,6 @@ describe Puppet::Transaction do
       before do
         @resource = Puppet::Type.type(:notify).new :title => "foobar"
         @catalog.add_resource @resource
-        allow(@transaction).to receive(:add_dynamically_generated_resources)
       end
 
       it 'should stop processing if :stop_processing? is true' do