puppet 6.3.0-universal-darwin → 6.4.0-universal-darwin

data/spec/unit/application/device_spec.rb

@@ -20,6 +20,8 @@ describe Puppet::Application::Device do
     Puppet::Node::Facts.indirection.stubs(:terminus_class=)
   end
 
+  let(:state_machine) { stub(ensure_client_certificate: nil) }
+
   it "should operate in agent run_mode" do
     expect(@device.class.run_mode.name).to eq(:agent)
   end
@@ -74,25 +76,28 @@ describe Puppet::Application::Device do
 
     it "should set waitforcert to 0 with --onetime and if --waitforcert wasn't given" do
       Puppet[:onetime] = true
-      Puppet::SSL::Host.any_instance.expects(:wait_for_cert).with(0)
+      Puppet::SSL::StateMachine.expects(:new).with(has_entry(waitforcert: 0)).returns(state_machine)
+
       @device.setup_host('device.example.com')
     end
 
     it "should use supplied waitforcert when --onetime is specified" do
       Puppet[:onetime] = true
       @device.handle_waitforcert(60)
-      Puppet::SSL::Host.any_instance.expects(:wait_for_cert).with(60)
+      Puppet::SSL::StateMachine.expects(:new).with(has_entry(waitforcert: 60)).returns(state_machine)
+
       @device.setup_host('device.example.com')
     end
 
     it "should use a default value for waitforcert when --onetime and --waitforcert are not specified" do
-      Puppet::SSL::Host.any_instance.expects(:wait_for_cert).with(120)
+      Puppet::SSL::StateMachine.expects(:new).with(has_entry(waitforcert: 120)).returns(state_machine)
+
       @device.setup_host('device.example.com')
     end
 
     it "should use the waitforcert setting when checking for a signed certificate" do
       Puppet[:waitforcert] = 10
-      Puppet::SSL::Host.any_instance.expects(:wait_for_cert).with(10)
+      Puppet::SSL::StateMachine.expects(:new).with(has_entry(waitforcert: 10)).returns(state_machine)
       @device.setup_host('device.example.com')
     end
 
@@ -155,8 +160,6 @@ describe Puppet::Application::Device do
       Puppet::Resource::Catalog.indirection.stubs(:terminus_class=)
       Puppet::Resource::Catalog.indirection.stubs(:cache_class=)
       Puppet::Node::Facts.indirection.stubs(:terminus_class=)
-      @host = stub_everything 'host'
-      Puppet::SSL::Host.stubs(:new).returns(@host)
       Puppet.stubs(:settraps)
     end
 
@@ -264,19 +267,15 @@ describe Puppet::Application::Device do
   end
 
   describe "when initializing each devices SSL" do
-    before(:each) do
-      @host = stub_everything 'host'
-      Puppet::SSL::Host.stubs(:new).returns(@host)
-    end
-
     it "should create a new ssl host" do
-      Puppet::SSL::Host.expects(:new).returns(@host)
+      Puppet::SSL::StateMachine.expects(:new).with(has_entry(certname: 'device.example.com')).returns(state_machine)
+
       @device.setup_host('device.example.com')
     end
 
     it "should wait for a certificate" do
       @device.options.stubs(:[]).with(:waitforcert).returns(123)
-      @host.expects(:wait_for_cert).with(123)
+      Puppet::SSL::StateMachine.expects(:new).with(has_entry(waitforcert: 123)).returns(state_machine)
 
       @device.setup_host('device.example.com')
     end
@@ -585,42 +584,6 @@ describe Puppet::Application::Device do
           expect(found_devices).to eq(all_devices)
         end
       end
-
-      it "should cleanup the certname setting after the run" do
-        all_devices = Set.new(@device_hash.keys)
-        found_devices = Set.new()
-
-        # a block to use in a few places later to validate the updated settings
-        p = Proc.new do |my_setting, my_value|
-          if my_setting == :certname && all_devices.include?(my_value)
-            found_devices.add(my_value)
-            true
-          else
-            false
-          end
-        end
-
-        seq = sequence("clean up certname")
-
-        all_devices.size.times do
-          ## one occurrence of set / run / set("certname") for each device
-          Puppet.expects(:[]=).with(&p).in_sequence(seq)
-          @configurer.expects(:run).in_sequence(seq)
-          Puppet.expects(:[]=).with(:certname, "certname").in_sequence(seq)
-        end
-
-
-        expect { @device.main }.to exit_with 1
-
-        # make sure that we were called with each of the defined devices
-        expect(found_devices).to eq(all_devices)
-      end
-
-      it "should expire all cached attributes" do
-        Puppet::SSL::Host.expects(:reset).twice
-
-        expect { @device.main }.to exit_with 1
-      end
     end
   end
 end

data/spec/unit/application/ssl_spec.rb

@@ -25,6 +25,9 @@ describe Puppet::Application::Ssl, unless: Puppet::Util::Platform.jruby? do
   before do
     WebMock.disable_net_connect!
 
+    Net::HTTP.any_instance.stubs(:start)
+    Net::HTTP.any_instance.stubs(:finish)
+
     Puppet.settings.use(:main)
     Puppet[:certname] = name
     Puppet[:vardir] = tmpdir("ssl_testing")
@@ -56,7 +59,6 @@ describe Puppet::Application::Ssl, unless: Puppet::Util::Platform.jruby? do
     it 'downloads the CA bundle first when missing' do
       File.delete(Puppet[:localcacert])
       stub_request(:get, %r{puppet-ca/v1/certificate/ca}).to_return(status: 200, body: @ca.ca_cert.to_pem)
-      stub_request(:get, %r{puppet-ca/v1/certificate_request/#{name}}).to_return(status: 404)
       stub_request(:put, %r{puppet-ca/v1/certificate_request/#{name}}).to_return(status: 200)
       stub_request(:get, %r{puppet-ca/v1/certificate/#{name}}).to_return(status: 200, body: @host[:cert].to_pem)
 
@@ -68,7 +70,6 @@ describe Puppet::Application::Ssl, unless: Puppet::Util::Platform.jruby? do
     it 'downloads the CRL bundle first when missing' do
       File.delete(Puppet[:hostcrl])
       stub_request(:get, %r{puppet-ca/v1/certificate_revocation_list/ca}).to_return(status: 200, body: @crl.to_pem)
-      stub_request(:get, %r{puppet-ca/v1/certificate_request/#{name}}).to_return(status: 404)
       stub_request(:put, %r{puppet-ca/v1/certificate_request/#{name}}).to_return(status: 200)
       stub_request(:get, %r{puppet-ca/v1/certificate/#{name}}).to_return(status: 200, body: @host[:cert].to_pem)
 
@@ -106,7 +107,6 @@ describe Puppet::Application::Ssl, unless: Puppet::Util::Platform.jruby? do
     it_behaves_like 'an ssl action'
 
     it 'submits the CSR and saves it locally' do
-      stub_request(:get, %r{puppet-ca/v1/certificate_request/#{name}}).to_return(status: 404)
       stub_request(:put, %r{puppet-ca/v1/certificate_request/#{name}}).to_return(status: 200)
       stub_request(:get, %r{puppet-ca/v1/certificate/#{name}}).to_return(status: 404)
 
@@ -116,55 +116,29 @@ describe Puppet::Application::Ssl, unless: Puppet::Util::Platform.jruby? do
     end
 
     it 'detects when a CSR with the same public key has already been submitted' do
-      stub_request(:get, %r{puppet-ca/v1/certificate_request/#{name}}).to_return(status: 404)
       stub_request(:put, %r{puppet-ca/v1/certificate_request/#{name}}).to_return(status: 200)
       stub_request(:get, %r{puppet-ca/v1/certificate/#{name}}).to_return(status: 404)
 
       expects_command_to_pass(%r{Submitted certificate request for '#{name}' to https://.*})
 
-      stub_request(:get, %r{puppet-ca/v1/certificate_request/#{name}}).to_return(status: 200, body: @host[:csr].to_pem)
-      #  we skip :put
       stub_request(:get, %r{puppet-ca/v1/certificate/#{name}}).to_return(status: 404)
 
       expects_command_to_pass
     end
 
-    it "warns if the local CSR doesn't match the local public key, and submits a new CSR" do
-      # write out the local CSR
-      File.open(csr_path, 'w') { |f| f.write(@host[:csr].to_pem) }
-
-      # generate a new host key, whose public key doesn't match
-      private_key = OpenSSL::PKey::RSA.new(512)
-      public_key = private_key.public_key
-      File.open(Puppet[:hostprivkey], 'w') { |f| f.write(private_key.to_pem) }
-      File.open(Puppet[:hostpubkey], 'w') { |f| f.write(public_key.to_pem) }
-
-      # expect CSR to contain the new pub key
-      stub_request(:put, %r{puppet-ca/v1/certificate_request/#{name}}).with do |request|
-        sent_pem = OpenSSL::X509::Request.new(request.body).public_key.to_pem
-        expect(sent_pem).to eq(public_key.to_pem)
-      end.to_return(status: 200)
-      stub_request(:get, %r{puppet-ca/v1/certificate/#{name}}).to_return(status: 404)
-
-      Puppet.stubs(:warning) # ignore unrelated warnings
-      Puppet.expects(:warning).with("The local CSR does not match the agent's public key. Generating a new CSR.")
-      expects_command_to_pass(%r{Submitted certificate request for '#{name}' to https://.*})
-    end
-
     it 'downloads the certificate when autosigning is enabled' do
-      stub_request(:get, %r{puppet-ca/v1/certificate_request/#{name}}).to_return(status: 404)
       stub_request(:put, %r{puppet-ca/v1/certificate_request/#{name}}).to_return(status: 200)
       stub_request(:get, %r{puppet-ca/v1/certificate/#{name}}).to_return(status: 200, body: @host[:cert].to_pem)
 
       expects_command_to_pass(%r{Submitted certificate request for '#{name}' to https://.*})
 
       expect(Puppet::FileSystem).to be_exist(Puppet[:hostcert])
+      expect(Puppet::FileSystem).to_not be_exist(csr_path)
     end
 
     it 'accepts dns alt names' do
       Puppet[:dns_alt_names] = 'majortom'
 
-      stub_request(:get, %r{puppet-ca/v1/certificate_request/#{name}}).to_return(status: 404)
       stub_request(:put, %r{puppet-ca/v1/certificate_request/#{name}}).to_return(status: 200)
       stub_request(:get, %r{puppet-ca/v1/certificate/#{name}}).to_return(status: 404)
 
@@ -212,7 +186,7 @@ describe Puppet::Application::Ssl, unless: Puppet::Util::Platform.jruby? do
       stub_request(:get, %r{puppet-ca/v1/certificate/#{name}}).to_return(status: 200, body: @host[:cert].to_pem)
 
       expects_command_to_fail(
-        %r{^Failed to download certificate: The certificate retrieved from the master does not match the agent's private key. Did you forget to run as root?}
+        %r{^Failed to download certificate: The certificate for '/CN=ssl-client' does not match its private key}
       )
     end
 
@@ -233,13 +207,13 @@ describe Puppet::Application::Ssl, unless: Puppet::Util::Platform.jruby? do
     it 'reports if the key is missing' do
       File.delete(Puppet[:hostprivkey])
 
-      expects_command_to_fail(/The host's private key is missing/)
+      expects_command_to_fail(/The private key is missing from/)
     end
 
     it 'reports if the cert is missing' do
       File.delete(Puppet[:hostcert])
 
-      expects_command_to_fail(/The host's certificate is missing/)
+      expects_command_to_fail(/The client certificate is missing from/)
     end
 
     it 'reports if the key and cert are mismatched' do
@@ -249,7 +223,7 @@ describe Puppet::Application::Ssl, unless: Puppet::Util::Platform.jruby? do
       File.open(Puppet[:hostprivkey], 'w') { |f| f.write(private_key.to_pem) }
       File.open(Puppet[:hostpubkey], 'w') { |f| f.write(public_key.to_pem) }
 
-      expects_command_to_fail(/The host's key does not match the certificate/)
+      expects_command_to_fail(%r{The certificate for '/CN=ssl-client' does not match its private key})
     end
 
     it 'reports if the cert verification fails' do
@@ -260,15 +234,13 @@ describe Puppet::Application::Ssl, unless: Puppet::Util::Platform.jruby? do
       # and CRL for that CA
       File.open(Puppet[:hostcrl], 'w') { |f| f.write(new_ca.ca_crl.to_pem) }
 
-      expects_command_to_fail(
-        /Failed to verify certificate '#{name}': certificate signature failure \(7\)/
-      )
+      expects_command_to_fail(%r{Invalid signature for certificate '/CN=ssl-client'})
     end
 
     it 'reports when verification succeeds' do
       OpenSSL::X509::Store.any_instance.stubs(:verify).returns(true)
 
-      expects_command_to_pass(/Verified certificate '#{name}'/)
+      expects_command_to_pass(%r{Verified client certificate '/CN=ssl-client' fingerprint})
     end
   end
 
@@ -386,6 +358,20 @@ describe Puppet::Application::Ssl, unless: Puppet::Util::Platform.jruby? do
         File.open(device_cert_file, 'w') { |f| f.write('device.example.com') }
         expects_command_to_pass(%r{Removed certificate #{device_cert_file}})
      end
+    end
   end
+
+  context 'when bootstrapping' do
+    before do
+      ssl.command_line.args << 'bootstrap'
+    end
+
+    it 'returns an SSLContext with the loaded CA certs, CRLs, private key and client cert' do
+      Puppet::SSL::StateMachine.any_instance.expects(:ensure_client_certificate).returns(
+        stub('ssl_context')
+      )
+
+      expects_command_to_pass
+    end
   end
 end

data/spec/unit/configurer_spec.rb

@@ -1011,7 +1011,7 @@ describe Puppet::Configurer do
     it "should select a server when provided" do
       Puppet.settings[:server_list] = ["myserver:123"]
       response = Net::HTTPOK.new(nil, 200, 'OK')
-      Puppet::Network::HttpPool.stubs(:http_ssl_instance).with('myserver', '123').returns(mock('request', get: response))
+      Puppet::Network::HttpPool.stubs(:connection).with('myserver', 123, anything).returns(mock('request', get: response))
       @agent.stubs(:run_internal)
 
       options = {}
@@ -1024,7 +1024,7 @@ describe Puppet::Configurer do
       response = Net::HTTPOK.new(nil, 200, 'OK')
       http = mock('request')
       http.expects(:get).with('/status/v1/simple/master').returns(response)
-      Puppet::Network::HttpPool.stubs(:http_ssl_instance).with('myserver', '123').returns(http)
+      Puppet::Network::HttpPool.stubs(:connection).with('myserver', 123, anything).returns(http)
       @agent.stubs(:run_internal)
 
       @agent.run
@@ -1033,27 +1033,27 @@ describe Puppet::Configurer do
     it "should report when a server is unavailable" do
       Puppet.settings[:server_list] = ["myserver:123"]
       response = Net::HTTPInternalServerError.new(nil, 500, 'Internal Server Error')
-      Puppet::Network::HttpPool.stubs(:http_ssl_instance).with('myserver', '123').returns(mock('request', get: response))
-      @agent.stubs(:run_internal)
+      Puppet::Network::HttpPool.stubs(:connection).with('myserver', 123, anything).returns(mock('request', get: response))
 
       Puppet.expects(:debug).with("Puppet server myserver:123 is unavailable: 500 Internal Server Error")
-      @agent.run
+      expect{ @agent.run }.to raise_error(Puppet::Error, /Could not select a functional puppet master from server_list/)
     end
 
-    it "should fallback to an empty server when failover fails" do
+    it "should error when no servers in 'server_list' are reachable" do
       Puppet.settings[:server_list] = ["myserver:123"]
       error = Net::HTTPError.new(400, 'dummy server communication error')
-      Puppet::Network::HttpPool.stubs(:http_ssl_instance).with('myserver', '123').returns(error)
-      @agent.stubs(:run_internal)
+      Puppet::Network::HttpPool.stubs(:connection).with('myserver', 123, anything).returns(mock('request', get: error))
 
       options = {}
-      @agent.run(options)
+      expect{ @agent.run(options) }.to raise_error(Puppet::Error, /Could not select a functional puppet master from server_list/)
       expect(options[:report].master_used).to be_nil
     end
 
-    it "should not make multiple node requets when the server is found" do
+    it "should not make multiple node requests when the server is found" do
       Puppet.settings[:server_list] = ["myserver:123"]
-      Puppet::Network::HttpPool.expects(:http_ssl_instance).once
+      response = Net::HTTPOK.new(nil, 200, 'OK')
+
+      Puppet::Network::HttpPool.expects(:connection).with('myserver', 123, anything).returns(mock('request', get: response))
       @agent.stubs(:run_internal)
 
       @agent.run

data/spec/unit/file_system/uniquefile_spec.rb

@@ -7,6 +7,12 @@ describe Puppet::FileSystem::Uniquefile do
     end
   end
 
+  it "ensures the file has permissions 0600", unless: Puppet::Util::Platform.windows? do
+    Puppet::FileSystem::Uniquefile.open_tmp('foo') do |file|
+      expect(Puppet::FileSystem.stat(file.path).mode & 07777).to eq(0600)
+    end
+  end
+
   it "provides a writeable file" do
     Puppet::FileSystem::Uniquefile.open_tmp('foo') do |file|
       file.write("stuff")

data/spec/unit/file_system_spec.rb

@@ -30,6 +30,35 @@ describe "Puppet::FileSystem" do
     SYSTEM_SID_BYTES == Puppet::Util::Windows::ADSI::User.current_user_sid.sid_bytes
   end
 
+  def expects_public_file(path)
+    if Puppet::Util::Platform.windows?
+      current_sid = Puppet::Util::Windows::SID.name_to_sid(Puppet::Util::Windows::ADSI::User.current_user_name)
+      sd = Puppet::Util::Windows::Security.get_security_descriptor(path)
+      expect(sd.dacl).to contain_exactly(
+        an_object_having_attributes(sid: Puppet::Util::Windows::SID::LocalSystem, mask: 0x1f01ff),
+        an_object_having_attributes(sid: Puppet::Util::Windows::SID::BuiltinAdministrators, mask: 0x1f01ff),
+        an_object_having_attributes(sid: current_sid, mask: 0x1f01ff),
+        an_object_having_attributes(sid: Puppet::Util::Windows::SID::BuiltinUsers, mask: 0x120089)
+      )
+    else
+      expect(File.stat(path).mode & 07777).to eq(0644)
+    end
+  end
+
+  def expects_private_file(path)
+    if Puppet::Util::Platform.windows?
+      current_sid = Puppet::Util::Windows::SID.name_to_sid(Puppet::Util::Windows::ADSI::User.current_user_name)
+      sd = Puppet::Util::Windows::Security.get_security_descriptor(path)
+      expect(sd.dacl).to contain_exactly(
+        an_object_having_attributes(sid: Puppet::Util::Windows::SID::LocalSystem, mask: 0x1f01ff),
+        an_object_having_attributes(sid: Puppet::Util::Windows::SID::BuiltinAdministrators, mask: 0x1f01ff),
+        an_object_having_attributes(sid: current_sid, mask: 0x1f01ff)
+      )
+    else
+      expect(File.stat(path).mode & 07777).to eq(0640)
+    end
+  end
+
   context "#open" do
     it "uses the same default mode as File.open, when specifying a nil mode (umask used on non-Windows)" do
       file = tmpfile('file_to_update')
@@ -770,6 +799,20 @@ describe "Puppet::FileSystem" do
 
         expect(Puppet::FileSystem.exist?(dir)).to be_truthy
       end
+
+      it "should raise Errno::EACCESS when trying to delete a file whose parent directory does not allow execute/traverse", unless: Puppet::Util::Platform.windows? do
+        dir = tmpdir('file_system_unlink')
+        path = File.join(dir, 'deleteme')
+        mode = Puppet::FileSystem.stat(dir).mode
+        Puppet::FileSystem.chmod(0, dir)
+        begin
+          expect {
+            Puppet::FileSystem.unlink(path)
+          }.to raise_error(Errno::EACCES, /^Permission denied .* #{path}/)
+        ensure
+          Puppet::FileSystem.chmod(mode, dir)
+        end
+      end
     end
 
     describe "exclusive_create" do
@@ -875,4 +918,175 @@ describe "Puppet::FileSystem" do
       end
     end
   end
+
+  describe '#replace_file' do
+    let(:dest) { tmpfile('replace_file') }
+    let(:content) { "some data" }
+
+    context 'when creating' do
+      it 'writes the data' do
+        Puppet::FileSystem.replace_file(dest) { |f| f.write(content) }
+
+        expect(Puppet::FileSystem.binread(dest)).to eq(content)
+      end
+
+      it 'writes in binary mode' do
+        Puppet::FileSystem.replace_file(dest) { |f| f.write("\x00\x01\x02") }
+
+        expect(Puppet::FileSystem.binread(dest)).to eq("\x00\x01\x02")
+      end
+
+      context 'on posix', unless: Puppet::Util::Platform.windows? do
+        it 'applies the default mode 0640' do
+          Puppet::FileSystem.replace_file(dest) { |f| f.write(content) }
+
+          mode = Puppet::FileSystem.stat(dest).mode
+          expect(mode & 07777).to eq(0640)
+        end
+
+        it 'applies the specified mode' do
+          Puppet::FileSystem.replace_file(dest, 0777) { |f| f.write(content) }
+
+          mode = Puppet::FileSystem.stat(dest).mode
+          expect(mode & 07777).to eq(0777)
+        end
+
+        it 'raises EACCES if we do not have permission' do
+          dir = tmpdir('file_system')
+          dest = File.join(dir, 'unwritable')
+
+          Puppet::FileSystem.chmod(0600, dir)
+
+          expect {
+            Puppet::FileSystem.replace_file(dest) { |_| }
+          }.to raise_error(Errno::EACCES, /Permission denied/)
+        end
+
+        it 'creates a read-only file' do
+          Puppet::FileSystem.replace_file(dest, 0400) { |f| f.write(content) }
+
+          expect(Puppet::FileSystem.binread(dest)).to eq(content)
+
+          mode = Puppet::FileSystem.stat(dest).mode
+          expect(mode & 07777).to eq(0400)
+        end
+      end
+
+      context 'on windows', if: Puppet::Util::Platform.windows? do
+        it 'does not grant users access by default' do
+          Puppet::FileSystem.replace_file(dest) { |f| f.write(content) }
+
+          expects_private_file(dest)
+        end
+
+        it 'applies the specified mode' do
+          Puppet::FileSystem.replace_file(dest, 0644) { |f| f.write(content) }
+
+          expects_public_file(dest)
+        end
+
+        it 'rejects unsupported modes' do
+          expect {
+            Puppet::FileSystem.replace_file(dest, 0755) { |_| }
+          }.to raise_error(ArgumentError, /Only modes 0644, 0640 and 0600 are allowed/)
+        end
+      end
+    end
+
+    context "when overwriting" do
+      before :each do
+        FileUtils.touch(dest)
+      end
+
+      it 'overwrites the content' do
+        Puppet::FileSystem.replace_file(dest) { |f| f.write(content) }
+
+        expect(Puppet::FileSystem.binread(dest)).to eq(content)
+      end
+
+      it 'raises ISDIR if the destination is a directory' do
+        dir = tmpdir('file_system')
+
+        expect {
+          Puppet::FileSystem.replace_file(dir) { |f| f.write(content) }
+        }.to raise_error(Errno::EISDIR, /Is a directory/)
+      end
+
+      it 'preserves the existing content if an error is raised' do
+        File.write(dest, 'existing content')
+
+        Puppet::FileSystem.replace_file(dest) { |f| raise 'whoops' } rescue nil
+
+        expect(Puppet::FileSystem.binread(dest)).to eq('existing content')
+      end
+
+      context 'on posix', unless: Puppet::Util::Platform.windows? do
+        it 'preserves the existing mode' do
+          Puppet::FileSystem.chmod(0600, dest)
+
+          Puppet::FileSystem.replace_file(dest) { |f| f.write(content) }
+
+          mode = Puppet::FileSystem.stat(dest).mode
+          expect(mode & 07777).to eq(0600)
+        end
+
+        it 'applies the specified mode' do
+          Puppet::FileSystem.chmod(0600, dest)
+
+          Puppet::FileSystem.replace_file(dest, 0777) { |f| f.write(content) }
+
+          mode = Puppet::FileSystem.stat(dest).mode
+          expect(mode & 07777).to eq(0777)
+        end
+
+        it 'updates a read-only file' do
+          Puppet::FileSystem.chmod(0400, dest)
+
+          Puppet::FileSystem.replace_file(dest) { |f| f.write(content) }
+
+          expect(Puppet::FileSystem.binread(dest)).to eq(content)
+
+          mode = Puppet::FileSystem.stat(dest).mode
+          expect(mode & 07777).to eq(0400)
+        end
+      end
+
+      context 'on windows', if: Puppet::Util::Platform.windows? do
+        it 'preserves the existing mode' do
+          old_sd = Puppet::Util::Windows::Security.get_security_descriptor(dest)
+
+          Puppet::FileSystem.replace_file(dest) { |f| f.write(content) }
+
+          new_sd = Puppet::Util::Windows::Security.get_security_descriptor(dest)
+          expect(old_sd.owner).to eq(new_sd.owner)
+          expect(old_sd.group).to eq(new_sd.group)
+          old_sd.dacl.each do |ace|
+            expect(new_sd.dacl).to include(an_object_having_attributes(sid: ace.sid, mask: ace.mask))
+          end
+        end
+
+        it 'applies the specified mode' do
+          Puppet::FileSystem.replace_file(dest, 0644) { |f| f.write(content) }
+
+          expects_public_file(dest)
+        end
+
+        it 'raises Errno::EACCES if access is denied' do
+          Puppet::Util::Windows::Security.stubs(:get_security_descriptor).raises(Puppet::Util::Windows::Error.new('access denied', 5))
+
+          expect {
+            Puppet::FileSystem.replace_file(dest) { |f| f.write(content) }
+          }.to raise_error(Errno::EACCES, /Access is denied/)
+        end
+
+        it 'raises SystemCallError otherwise' do
+          Puppet::Util::Windows::Security.stubs(:get_security_descriptor).raises(Puppet::Util::Windows::Error.new('arena is trashed', 7))
+
+          expect {
+            Puppet::FileSystem.replace_file(dest) { |f| f.write(content) }
+          }.to raise_error(SystemCallError, /The storage control blocks were destroyed/)
+        end
+      end
+    end
+  end
 end