puppet 6.3.0-universal-darwin → 6.4.0-universal-darwin

data/spec/unit/ssl/verifier_spec.rb

@@ -0,0 +1,123 @@
+require 'spec_helper'
+
+describe Puppet::SSL::Verifier do
+  let(:options) { {} }
+  let(:ssl_context) { Puppet::SSL::SSLContext.new(options) }
+  let(:host) { 'example.com' }
+  let(:http) { Net::HTTP.new(host) }
+  let(:verifier) { described_class.new(host, ssl_context) }
+  let(:adapter) { Puppet::SSL::VerifierAdapter.new(Puppet::SSL::Validator::DefaultValidator.new) }
+
+  context '#reusable?' do
+    it 'Verifiers with the same ssl_context are reusable' do
+      expect(verifier).to be_reusable(described_class.new(host, ssl_context))
+    end
+
+    it 'Verifiers with different ssl_contexts are not reusable' do
+      expect(verifier).to_not be_reusable(described_class.new(host, Puppet::SSL::SSLContext.new))
+    end
+
+    it 'Verifier is not reusable with VerifierAdapter' do
+      expect(verifier).to_not be_reusable(adapter)
+    end
+
+    it 'VerifierAdapter is not reusable with Verifier' do
+      expect(adapter).to_not be_reusable(verifier)
+    end
+
+    it 'VerifierAdapters with the same class of Validator are reusable' do
+      expect(
+        adapter
+      ).to be_reusable(Puppet::SSL::VerifierAdapter.new(Puppet::SSL::Validator::DefaultValidator.new))
+    end
+
+    it 'VerifierAdapters with different classes of Validators are not reusable' do
+      expect(
+        adapter
+      ).to_not be_reusable(Puppet::SSL::VerifierAdapter.new(Puppet::SSL::Validator::NoValidator.new))
+    end
+  end
+
+  context '#setup_connection' do
+    it 'copies parameters from the ssl_context to the connection' do
+      store = stub('store')
+      options.merge!(store: store)
+      verifier.setup_connection(http)
+
+      expect(http.cert_store).to eq(store)
+    end
+
+    it 'defaults to VERIFY_PEER' do
+      http.expects(:verify_mode=).with(OpenSSL::SSL::VERIFY_PEER)
+
+      verifier.setup_connection(http)
+    end
+
+    it 'only uses VERIFY_NONE if explicitly disabled' do
+      options.merge!(verify_peer: false)
+
+      http.expects(:verify_mode=).with(OpenSSL::SSL::VERIFY_NONE)
+
+      verifier.setup_connection(http)
+    end
+
+    it 'registers a verify callback' do
+      verifier.setup_connection(http)
+
+      expect(http.verify_callback).to eq(verifier)
+    end
+  end
+
+  context '#handle_connection_error' do
+    let(:peer_cert) { cert_fixture('127.0.0.1.pem') }
+    let(:chain) { [peer_cert] }
+    let(:ssl_error) { OpenSSL::SSL::SSLError.new("certificate verify failed") }
+
+    it "raises a verification error for a CA cert" do
+      store_context = stub('store_context', current_cert: peer_cert, chain: [peer_cert], error: OpenSSL::X509::V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, error_string: "unable to get local issuer certificate")
+      verifier.call(false, store_context)
+
+      expect {
+        verifier.handle_connection_error(http, ssl_error)
+      }.to raise_error(Puppet::SSL::CertVerifyError, "certificate verify failed [unable to get local issuer certificate for /CN=127.0.0.1]")
+    end
+
+    it "raises a verification error for the server cert" do
+      store_context = stub('store_context', current_cert: peer_cert, chain: chain, error: OpenSSL::X509::V_ERR_CERT_REJECTED, error_string: "certificate rejected")
+      verifier.call(false, store_context)
+
+      expect {
+        verifier.handle_connection_error(http, ssl_error)
+      }.to raise_error(Puppet::SSL::CertVerifyError, "certificate verify failed [certificate rejected for /CN=127.0.0.1]")
+    end
+
+    it "raises cert mismatch error on ruby < 2.4" do
+      http.expects(:peer_cert).returns(peer_cert)
+
+      store_context = stub('store_context')
+      verifier.call(true, store_context)
+
+      ssl_error = OpenSSL::SSL::SSLError.new("hostname 'example'com' does not match the server certificate")
+
+      expect {
+        verifier.handle_connection_error(http, ssl_error)
+      }.to raise_error(Puppet::Error, "Server hostname 'example.com' did not match server certificate; expected one of 127.0.0.1, DNS:127.0.0.1, DNS:127.0.0.2")
+    end
+
+    it "raises cert mismatch error on ruby >= 2.4" do
+      store_context = stub('store_context', current_cert: peer_cert, chain: chain, error: OpenSSL::X509::V_OK, error_string: "ok")
+      verifier.call(false, store_context)
+
+      expect {
+        verifier.handle_connection_error(http, ssl_error)
+      }.to raise_error(Puppet::Error, "Server hostname 'example.com' did not match server certificate; expected one of 127.0.0.1, DNS:127.0.0.1, DNS:127.0.0.2")
+    end
+
+    it 're-raises other ssl connection errors' do
+      err = OpenSSL::SSL::SSLError.new("This version of OpenSSL does not support FIPS mode")
+      expect {
+        verifier.handle_connection_error(http, err)
+      }.to raise_error(err)
+    end
+  end
+end

data/spec/unit/type/exec_spec.rb

@@ -31,6 +31,33 @@ describe Puppet::Type.type(:exec) do
     return exec
   end
 
+  def exec_stub(options = {})
+    command = options.delete(:command) || @command
+    #unless_val = options.delete(:unless) || :true
+    type_args = {
+      :name   => command,
+      #:unless => unless_val,
+    }.merge(options)
+
+    # Chicken, meet egg:
+    # Provider methods have to be stubbed before resource init or checks fail
+    # We have to set 'unless' in resource init or it can not be marked sensitive correctly.
+    # So: we create a dummy ahead of time and use 'any_instance' to stub out provider methods.
+    dummy = Puppet::Type.type(:exec).new(:name => @command)
+    dummy.provider.class.any_instance.stubs(:validatecmd)
+    dummy.provider.class.any_instance.stubs(:checkexe).returns(true)
+    pass_status = stub('status', :exitstatus => 0, :split => ["pass output"])
+    fail_status = stub('status', :exitstatus => 1, :split => ["fail output"])
+    Puppet::Util::Execution.stubs(:execute).with(:true, anything).returns(pass_status)
+    Puppet::Util::Execution.stubs(:execute).with(:false, anything).returns(fail_status)
+
+    test = Puppet::Type.type(:exec).new(type_args)
+
+    Puppet::Util::Log.level = :debug
+
+    return test
+  end
+
   before do
     @command = make_absolute('/bin/true whatever')
     @executable = make_absolute('/bin/true')
@@ -176,6 +203,26 @@ describe Puppet::Type.type(:exec) do
       expect(@logs).to eq([])
     end
 
+    describe "when checks stop execution when debugging" do
+      [[:unless, :true], [:onlyif, :false]].each do |check, result|
+        it "should log a message with the command when #{check} is #{result}" do
+          output = "'#{@command}' won't be executed because of failed check '#{check}'"
+          test = exec_stub({:command => @command, check => result})
+          expect(test.check_all_attributes).to eq(false)
+          expect(@logs).to include(an_object_having_attributes(level: :debug, message: output))
+        end
+
+        it "should log a message with a redacted command and check if #{check} is sensitive" do
+          output1 = "Executing check '[redacted]'"
+          output2 = "'[command redacted]' won't be executed because of failed check '#{check}'"
+          test = exec_stub({:command => @command, check => result, :sensitive_parameters => [check]})
+          expect(test.check_all_attributes).to eq(false)
+          expect(@logs).to include(an_object_having_attributes(level: :debug, message: output1))
+          expect(@logs).to include(an_object_having_attributes(level: :debug, message: output2))
+        end
+      end
+    end
+
     describe " when multiple tries are set," do
       it "should repeat the command attempt 'tries' times on failure and produce an error" do
         tries = 5
@@ -635,6 +682,22 @@ describe Puppet::Type.type(:exec) do
           @test[:creates] = [@exist] * 3
         end
       end
+
+      context "when creates is being checked" do
+        it "should be logged to debug when the path does exist" do
+          Puppet::Util::Log.level = :debug
+          @test[:creates] = @exist
+          expect(@test.check_all_attributes).to eq(false)
+          expect(@logs).to include(an_object_having_attributes(level: :debug, message: "Checking that 'creates' path '#{@exist}' exists"))
+        end
+
+        it "should be logged to debug when the path does not exist" do
+          Puppet::Util::Log.level = :debug
+          @test[:creates] = @unexist
+          expect(@test.check_all_attributes).to eq(true)
+          expect(@logs).to include(an_object_having_attributes(level: :debug, message: "Checking that 'creates' path '#{@unexist}' exists"))
+        end
+      end
     end
 
     { :onlyif => { :pass => false, :fail => true  },

data/spec/unit/type/file/source_spec.rb

@@ -594,7 +594,7 @@ describe Puppet::Type.type(:file).attrclass(:source), :uses_checksums => true do
       it 'should use an explicit fileserver if source starts with puppet://' do
         response.stubs(:code).returns('200')
         source.stubs(:metadata).returns stub_everything('metadata', :source => 'puppet://somehostname/test/foo', :ftype => 'file')
-        Puppet::Network::HttpPool.expects(:http_instance).with('somehostname', anything).returns(conn)
+        Puppet::Network::HttpPool.expects(:connection).with('somehostname', 8140, anything).returns(conn)
 
         resource.write(source)
       end
@@ -602,14 +602,14 @@ describe Puppet::Type.type(:file).attrclass(:source), :uses_checksums => true do
       it 'should use the default fileserver if source starts with puppet:///' do
         response.stubs(:code).returns('200')
         source.stubs(:metadata).returns stub_everything('metadata', :source => 'puppet:///test/foo', :ftype => 'file')
-        Puppet::Network::HttpPool.expects(:http_instance).with(Puppet.settings[:server], anything).returns(conn)
+        Puppet::Network::HttpPool.expects(:connection).with(Puppet[:server], 8140, anything).returns(conn)
 
         resource.write(source)
       end
 
       it 'should percent encode reserved characters' do
         response.stubs(:code).returns('200')
-        Puppet::Network::HttpPool.stubs(:http_instance).returns(conn)
+        Puppet::Network::HttpPool.stubs(:connection).returns(conn)
         source.stubs(:metadata).returns stub_everything('metadata', :source => 'puppet:///test/foo bar', :ftype => 'file')
 
         conn.unstub(:request_get)
@@ -620,7 +620,7 @@ describe Puppet::Type.type(:file).attrclass(:source), :uses_checksums => true do
 
       it 'should request binary content' do
         response.stubs(:code).returns('200')
-        Puppet::Network::HttpPool.stubs(:http_instance).returns(conn)
+        Puppet::Network::HttpPool.stubs(:connection).returns(conn)
         source.stubs(:metadata).returns stub_everything('metadata', :source => 'puppet:///test/foo bar', :ftype => 'file')
 
         conn.unstub(:request_get)
@@ -637,7 +637,7 @@ describe Puppet::Type.type(:file).attrclass(:source), :uses_checksums => true do
         end
 
         before(:each) do
-          Puppet::Network::HttpPool.stubs(:http_instance).returns(conn)
+          Puppet::Network::HttpPool.stubs(:connection).returns(conn)
           source.stubs(:metadata).returns stub_everything('metadata', :source => 'puppet:///test/foo', :ftype => 'file')
         end
 

data/spec/unit/type/filebucket_spec.rb

@@ -21,14 +21,14 @@ describe Puppet::Type.type(:filebucket) do
     expect(Puppet::Type.type(:filebucket).new(:name => "main")[:path]).to eq(Puppet[:clientbucketdir])
   end
 
-  it "should use the masterport as the path by default port" do
+  it "should not have a default port" do
     Puppet.settings[:masterport] = 50
-    expect(Puppet::Type.type(:filebucket).new(:name => "main")[:port]).to eq(Puppet[:masterport])
+    expect(Puppet::Type.type(:filebucket).new(:name => "main")[:port]).to eq(nil)
   end
 
-  it "should use the server as the path by default server" do
+  it "should not have a default server" do
     Puppet.settings[:server] = "myserver"
-    expect(Puppet::Type.type(:filebucket).new(:name => "main")[:server]).to eq(Puppet[:server])
+    expect(Puppet::Type.type(:filebucket).new(:name => "main")[:server]).to eq(nil)
   end
 
   it "be local by default" do
@@ -93,10 +93,12 @@ describe Puppet::Type.type(:filebucket) do
       bucket.bucket
     end
 
-    it "should use the default server if the path is unset and no server is provided" do
+    it "should not try to guess server or port if the path is unset and no server is provided" do
       Puppet.settings[:server] = "myserv"
+      Puppet.settings[:server_list] = ['server_list_0', 'server_list_1']
+      Puppet::FileBucket::Dipper.expects(:new).with(:Server => nil, :Port => nil).returns @bucket
+
       bucket = Puppet::Type.type(:filebucket).new :name => "main", :path => false
-      Puppet::FileBucket::Dipper.expects(:new).with { |args| args[:Server] == "myserv" }.returns @bucket
       bucket.bucket
     end
   end

data/spec/unit/util/feature_spec.rb

@@ -88,7 +88,7 @@ describe Puppet::Util::Feature do
     @features.expects(:require).with("foo").raises(LoadError)
     @features.stubs(:require).with("bar")
 
-    Puppet.expects(:debug)
+    @features.expects(:debug_once)
 
     expect(@features).not_to be_myfeature
   end
@@ -100,7 +100,7 @@ describe Puppet::Util::Feature do
     Puppet::Util::RubyGems::Source.stubs(:source).returns(Puppet::Util::RubyGems::Gems18Source)
     Puppet::Util::RubyGems::Gems18Source.any_instance.expects(:clear_paths).times(3)
 
-    Puppet.expects(:debug)
+    @features.expects(:debug_once)
 
     expect(@features).not_to be_myfeature
     expect(@features).to be_myfeature

data/spec/unit/util/storage_spec.rb

@@ -181,6 +181,8 @@ describe Puppet::Util::Storage do
   end
 
   describe "when storing to the state file" do
+    A_SMALL_AMOUNT_OF_TIME = 0.001 #Seconds
+
     before(:each) do
       @state_file = tmpfile('storage_test')
       @saved_statefile = Puppet[:statefile]
@@ -232,13 +234,13 @@ describe Puppet::Util::Storage do
       stale_checked = recent_checked - (Puppet[:statettl] + 10)
       Puppet::Util::Storage.cache(:yayness)[:checked] = recent_checked
       Puppet::Util::Storage.cache(:stale)[:checked] = stale_checked
-      expect(Puppet::Util::Storage.state).to eq(
+      expect(Puppet::Util::Storage.state).to match(
         {
           :yayness => {
-            :checked => recent_checked
+            :checked => a_value_within(A_SMALL_AMOUNT_OF_TIME).of(recent_checked)
           },
           :stale => {
-            :checked => stale_checked
+            :checked => a_value_within(A_SMALL_AMOUNT_OF_TIME).of(stale_checked)
           }
         }
       )
@@ -250,29 +252,28 @@ describe Puppet::Util::Storage do
 
       Puppet::Util::Storage.load
 
-      expect(Puppet::Util::Storage.state).to eq(
+      expect(Puppet::Util::Storage.state).to match(
         {
           :yayness => {
-            :checked => recent_checked
+            :checked => a_value_within(A_SMALL_AMOUNT_OF_TIME).of(recent_checked)
           }
         }
       )
     end
 
-
     it "does not expire entries when statettl is 0" do
       Puppet[:statettl] = '0'
       recent_checked = Time.now.round
       older_checked = recent_checked - 10_000_000
       Puppet::Util::Storage.cache(:yayness)[:checked] = recent_checked
       Puppet::Util::Storage.cache(:older)[:checked] = older_checked
-      expect(Puppet::Util::Storage.state).to eq(
+      expect(Puppet::Util::Storage.state).to match(
         {
           :yayness => {
-            :checked => recent_checked
+            :checked => a_value_within(A_SMALL_AMOUNT_OF_TIME).of(recent_checked)
           },
           :older => {
-            :checked => older_checked
+            :checked => a_value_within(A_SMALL_AMOUNT_OF_TIME).of(older_checked)
           }
         }
       )
@@ -284,32 +285,31 @@ describe Puppet::Util::Storage do
 
       Puppet::Util::Storage.load
 
-      expect(Puppet::Util::Storage.state).to eq(
+      expect(Puppet::Util::Storage.state).to match(
         {
           :yayness => {
-            :checked => recent_checked
+            :checked => a_value_within(A_SMALL_AMOUNT_OF_TIME).of(recent_checked)
           },
           :older => {
-            :checked => older_checked
+            :checked => a_value_within(A_SMALL_AMOUNT_OF_TIME).of(older_checked)
           }
         }
       )
     end
 
-
     it "does not expire entries when statettl is 'unlimited'" do
       Puppet[:statettl] = 'unlimited'
       recent_checked = Time.now
       older_checked = Time.now - 10_000_000
       Puppet::Util::Storage.cache(:yayness)[:checked] = recent_checked
       Puppet::Util::Storage.cache(:older)[:checked] = older_checked
-      expect(Puppet::Util::Storage.state).to eq(
+      expect(Puppet::Util::Storage.state).to match(
         {
           :yayness => {
-            :checked => recent_checked
+            :checked => a_value_within(A_SMALL_AMOUNT_OF_TIME).of(recent_checked)
           },
           :older => {
-            :checked => older_checked
+            :checked => a_value_within(A_SMALL_AMOUNT_OF_TIME).of(older_checked)
           }
         }
       )
@@ -321,13 +321,13 @@ describe Puppet::Util::Storage do
 
       Puppet::Util::Storage.load
 
-      expect(Puppet::Util::Storage.state).to eq(
+      expect(Puppet::Util::Storage.state).to match(
         {
           :yayness => {
-            :checked => recent_checked
+            :checked => a_value_within(A_SMALL_AMOUNT_OF_TIME).of(recent_checked)
           },
           :older => {
-            :checked => older_checked
+            :checked => a_value_within(A_SMALL_AMOUNT_OF_TIME).of(older_checked)
           }
         }
       )

data/spec/unit/x509/cert_provider_spec.rb

@@ -0,0 +1,527 @@
+require 'spec_helper'
+require 'puppet/x509'
+
+describe Puppet::X509::CertProvider do
+  include PuppetSpec::Files
+
+  def create_provider(options)
+    described_class.new(options)
+  end
+
+  def as_pem_file(pem)
+    path = tmpfile('cert_provider_pem')
+    File.write(path, pem)
+    path
+  end
+
+  def expects_public_file(path)
+    if Puppet::Util::Platform.windows?
+      current_sid = Puppet::Util::Windows::SID.name_to_sid(Puppet::Util::Windows::ADSI::User.current_user_name)
+      sd = Puppet::Util::Windows::Security.get_security_descriptor(path)
+      expect(sd.dacl).to contain_exactly(
+        an_object_having_attributes(sid: Puppet::Util::Windows::SID::LocalSystem, mask: 0x1f01ff),
+        an_object_having_attributes(sid: Puppet::Util::Windows::SID::BuiltinAdministrators, mask: 0x1f01ff),
+        an_object_having_attributes(sid: current_sid, mask: 0x1f01ff),
+        an_object_having_attributes(sid: Puppet::Util::Windows::SID::BuiltinUsers, mask: 0x120089)
+      )
+    else
+      expect(File.stat(path).mode & 07777).to eq(0644)
+    end
+  end
+
+  def expects_private_file(path)
+    if Puppet::Util::Platform.windows?
+      current_sid = Puppet::Util::Windows::SID.name_to_sid(Puppet::Util::Windows::ADSI::User.current_user_name)
+      sd = Puppet::Util::Windows::Security.get_security_descriptor(path)
+      expect(sd.dacl).to contain_exactly(
+        an_object_having_attributes(sid: Puppet::Util::Windows::SID::LocalSystem, mask: 0x1f01ff),
+        an_object_having_attributes(sid: Puppet::Util::Windows::SID::BuiltinAdministrators, mask: 0x1f01ff),
+        an_object_having_attributes(sid: current_sid, mask: 0x1f01ff)
+      )
+    else
+      expect(File.stat(path).mode & 07777).to eq(0640)
+    end
+  end
+
+  let(:fixture_dir) { File.join(PuppetSpec::FIXTURE_DIR, 'ssl') }
+
+  context 'when loading' do
+    context 'cacerts' do
+      it 'returns nil if it does not exist' do
+        provider = create_provider(capath: '/does/not/exist')
+
+        expect(provider.load_cacerts).to be_nil
+      end
+
+      it 'raises if cacerts are required' do
+        provider = create_provider(capath: '/does/not/exist')
+
+        expect {
+          provider.load_cacerts(required: true)
+        }.to raise_error(Puppet::Error, %r{The CA certificates are missing from '/does/not/exist'})
+      end
+
+      it 'returns an array of certificates' do
+        subject = OpenSSL::X509::Name.new([['CN', 'Test CA']])
+        certs = create_provider(capath: File.join(fixture_dir, 'ca.pem')).load_cacerts
+        expect(certs).to contain_exactly(an_object_having_attributes(subject: subject))
+      end
+
+      context 'and input is invalid' do
+        it 'raises when invalid input is inside BEGIN-END block' do
+          ca_path = as_pem_file(<<~END)
+            -----BEGIN CERTIFICATE-----
+            whoops
+            -----END CERTIFICATE-----
+          END
+
+          expect {
+            create_provider(capath: ca_path).load_cacerts
+          }.to raise_error(OpenSSL::X509::CertificateError)
+        end
+
+        it 'raises if the input is empty' do
+          expect {
+            create_provider(capath: as_pem_file('')).load_cacerts
+          }.to raise_error(OpenSSL::X509::CertificateError)
+        end
+
+        it 'raises if the input is malformed' do
+          ca_path = as_pem_file(<<~END)
+            -----BEGIN CERTIFICATE-----
+            MIIBpDCCAQ2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAfMR0wGwYDVQQDDBRUZXN0
+          END
+
+          expect {
+            create_provider(capath: ca_path).load_cacerts
+          }.to raise_error(OpenSSL::X509::CertificateError)
+        end
+      end
+
+      it 'raises if the cacerts are unreadable' do
+        capath = File.join(fixture_dir, 'ca.pem')
+        provider = create_provider(capath: capath)
+        provider.stubs(:load_pem).raises(Errno::EACCES, 'Permission denied')
+
+        expect {
+          provider.load_cacerts
+        }.to raise_error(Puppet::Error, "Failed to load CA certificates from '#{capath}'")
+      end
+    end
+
+    context 'crls' do
+      it 'returns nil if it does not exist' do
+        provider = create_provider(crlpath: '/does/not/exist')
+        expect(provider.load_crls).to be_nil
+      end
+
+      it 'raises if CRLs are required' do
+        provider = create_provider(crlpath: '/does/not/exist')
+
+        expect {
+          provider.load_crls(required: true)
+        }.to raise_error(Puppet::Error, %r{The CRL is missing from '/does/not/exist'})
+      end
+
+      it 'returns an array of CRLs' do
+        issuer = OpenSSL::X509::Name.new([['CN', 'Test CA']])
+        crls = create_provider(crlpath: File.join(fixture_dir, 'crl.pem')).load_crls
+        expect(crls).to contain_exactly(an_object_having_attributes(issuer: issuer))
+      end
+
+      context 'and input is invalid' do
+        it 'raises when invalid input is inside BEGIN-END block' do
+          pending('jruby bug: https://github.com/jruby/jruby/issues/5619') if Puppet::Util::Platform.jruby?
+
+          crl_path = as_pem_file(<<~END)
+            -----BEGIN X509 CRL-----
+            whoops
+            -----END X509 CRL-----
+          END
+
+          expect {
+            create_provider(crlpath: crl_path).load_crls
+          }.to raise_error(OpenSSL::X509::CRLError, 'nested asn1 error')
+        end
+
+        it 'raises if the input is empty' do
+          expect {
+            create_provider(crlpath: as_pem_file('')).load_crls
+          }.to raise_error(OpenSSL::X509::CRLError, 'Failed to parse CRLs as PEM')
+        end
+
+        it 'raises if the input is malformed' do
+          crl_path = as_pem_file(<<~END)
+            -----BEGIN X509 CRL-----
+            MIIBCjB1AgEBMA0GCSqGSIb3DQEBCwUAMBIxEDAOBgNVBAMMB1Rlc3QgQ0EXDTcw
+          END
+
+          expect {
+            create_provider(crlpath: crl_path).load_crls
+          }.to raise_error(OpenSSL::X509::CRLError, 'Failed to parse CRLs as PEM')
+        end
+      end
+
+      it 'raises if the CRLs are unreadable' do
+        crlpath = File.join(fixture_dir, 'crl.pem')
+        provider = create_provider(crlpath: crlpath)
+        provider.stubs(:load_pem).raises(Errno::EACCES, 'Permission denied')
+
+        expect {
+          provider.load_crls
+        }.to raise_error(Puppet::Error, "Failed to load CRLs from '#{crlpath}'")
+      end
+    end
+  end
+
+  context 'when saving' do
+    context 'cacerts' do
+      let(:ca_path) { tmpfile('pem_cacerts') }
+      let(:ca_cert) { cert_fixture('ca.pem') }
+
+      it 'writes PEM encoded certs' do
+        create_provider(capath: ca_path).save_cacerts([ca_cert])
+
+        expect(File.read(ca_path)).to match(/\A-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----\Z/m)
+      end
+
+      it 'sets mode to 644' do
+        create_provider(capath: ca_path).save_cacerts([ca_cert])
+
+        expects_public_file(ca_path)
+      end
+
+      it 'raises if the CA certs are unwritable' do
+        provider = create_provider(capath: ca_path)
+        provider.stubs(:save_pem).raises(Errno::EACCES, 'Permission denied')
+
+        expect {
+          provider.save_cacerts([ca_cert])
+        }.to raise_error(Puppet::Error, "Failed to save CA certificates to '#{ca_path}'")
+      end
+    end
+
+    context 'crls' do
+      let(:crl_path) { tmpfile('pem_crls') }
+      let(:ca_crl) { crl_fixture('crl.pem') }
+
+      it 'writes PEM encoded CRLs' do
+        create_provider(crlpath: crl_path).save_crls([ca_crl])
+
+        expect(File.read(crl_path)).to match(/\A-----BEGIN X509 CRL-----.*?-----END X509 CRL-----\Z/m)
+      end
+
+      it 'sets mode to 644' do
+        create_provider(crlpath: crl_path).save_crls([ca_crl])
+
+        expects_public_file(crl_path)
+      end
+
+      it 'raises if the CRLs are unwritable' do
+        provider = create_provider(crlpath: crl_path)
+        provider.stubs(:save_pem).raises(Errno::EACCES, 'Permission denied')
+
+        expect {
+          provider.save_crls([ca_crl])
+        }.to raise_error(Puppet::Error, "Failed to save CRLs to '#{crl_path}'")
+      end
+    end
+  end
+
+  context 'when loading' do
+    context 'private keys' do
+      let(:provider) { create_provider(privatekeydir: fixture_dir) }
+
+      it 'returns nil if it does not exist' do
+        provider = create_provider(privatekeydir: '/does/not/exist')
+
+        expect(provider.load_private_key('whatever')).to be_nil
+      end
+
+      it 'raises if it is required' do
+        provider = create_provider(privatekeydir: '/does/not/exist')
+
+        expect {
+          provider.load_private_key('whatever', required: true)
+        }.to raise_error(Puppet::Error, %r{The private key is missing from '/does/not/exist/whatever.pem'})
+      end
+
+      it 'returns an RSA key' do
+        expect(provider.load_private_key('signed-key')).to be_a(OpenSSL::PKey::RSA)
+      end
+
+      it 'downcases name' do
+        expect(provider.load_private_key('SIGNED-KEY')).to be_a(OpenSSL::PKey::RSA)
+      end
+
+      it 'raises if name is invalid' do
+        expect {
+          provider.load_private_key('signed/../key')
+        }.to raise_error(RuntimeError, 'Certname "signed/../key" must not contain unprintable or non-ASCII characters')
+      end
+
+      it 'returns nil if `hostprivkey` is overridden' do
+        Puppet[:certname] = 'foo'
+        Puppet[:hostprivkey] = File.join(fixture_dir, "signed-key.pem")
+
+        expect(provider.load_private_key('foo')).to be_nil
+      end
+
+      it 'raises if the private key is unreadable' do
+        provider.stubs(:load_pem).raises(Errno::EACCES, 'Permission denied')
+
+        expect {
+          provider.load_private_key('signed')
+        }.to raise_error(Puppet::Error, "Failed to load private key for 'signed'")
+      end
+
+      context 'that are encrypted' do
+        it 'raises without a passphrase' do
+          # password is 74695716c8b6
+          expect {
+            provider.load_private_key('encrypted-key')
+          }.to raise_error(OpenSSL::PKey::RSAError, /Neither PUB key nor PRIV key/)
+        end
+      end
+    end
+
+    context 'certs' do
+      let(:provider) { create_provider(certdir: fixture_dir) }
+
+      it 'returns nil if it does not exist' do
+        provider = create_provider(certdir: '/does/not/exist')
+
+        expect(provider.load_client_cert('nonexistent')).to be_nil
+      end
+
+      it 'raises if it is required' do
+        provider = create_provider(certdir: '/does/not/exist')
+
+        expect {
+          provider.load_client_cert('nonexistent', required: true)
+        }.to raise_error(Puppet::Error, %r{The client certificate is missing from '/does/not/exist/nonexistent.pem'})
+      end
+
+      it 'returns a certificate' do
+        cert = provider.load_client_cert('signed')
+        expect(cert.subject.to_s).to eq('/CN=signed')
+      end
+
+      it 'downcases name' do
+        cert = provider.load_client_cert('SIGNED')
+        expect(cert.subject.to_s).to eq('/CN=signed')
+      end
+
+      it 'raises if name is invalid' do
+        expect {
+          provider.load_client_cert('tom/../key')
+        }.to raise_error(RuntimeError, 'Certname "tom/../key" must not contain unprintable or non-ASCII characters')
+      end
+
+      it 'returns nil if `hostcert` is overridden' do
+        Puppet[:certname] = 'foo'
+        Puppet[:hostcert] = File.join(fixture_dir, "signed.pem")
+
+        expect(provider.load_client_cert('foo')).to be_nil
+      end
+
+      it 'raises if the certificate is unreadable' do
+        provider.stubs(:load_pem).raises(Errno::EACCES, 'Permission denied')
+
+        expect {
+          provider.load_client_cert('signed')
+        }.to raise_error(Puppet::Error, "Failed to load client certificate for 'signed'")
+      end
+    end
+
+    context 'requests' do
+      let(:request) { request_fixture('request.pem') }
+      let(:provider) { create_provider(requestdir: fixture_dir) }
+
+      it 'returns nil if it does not exist' do
+        expect(provider.load_request('whatever')).to be_nil
+      end
+
+      it 'returns a request' do
+        expect(provider.load_request('request')).to be_a(OpenSSL::X509::Request)
+      end
+
+      it 'downcases name' do
+        csr = provider.load_request('REQUEST')
+        expect(csr.subject.to_s).to eq('/CN=pending')
+      end
+
+      it 'raises if name is invalid' do
+        expect {
+          provider.load_request('tom/../key')
+        }.to raise_error(RuntimeError, 'Certname "tom/../key" must not contain unprintable or non-ASCII characters')
+      end
+
+      it 'ignores `hostcsr`' do
+        Puppet[:hostcsr] = File.join(fixture_dir, "doesnotexist.pem")
+
+        expect(provider.load_request('request')).to be_a(OpenSSL::X509::Request)
+      end
+
+      it 'raises if the certificate is unreadable' do
+        provider.stubs(:load_pem).raises(Errno::EACCES, 'Permission denied')
+
+        expect {
+          provider.load_request('pending')
+        }.to raise_error(Puppet::Error, "Failed to load certificate request for 'pending'")
+      end
+    end
+  end
+
+  context 'when saving' do
+    let(:name) { 'tom' }
+
+    context 'private keys' do
+      let(:privatekeydir) { tmpdir('privatekeydir') }
+      let(:private_key) { key_fixture('signed-key.pem') }
+      let(:path) { File.join(privatekeydir, 'tom.pem') }
+      let(:provider) { create_provider(privatekeydir: privatekeydir) }
+
+      it 'writes PEM encoded private key' do
+        provider.save_private_key(name, private_key)
+
+        expect(File.read(path)).to match(/\A-----BEGIN RSA PRIVATE KEY-----.*?-----END RSA PRIVATE KEY-----\Z/m)
+      end
+
+      it 'sets mode to 640' do
+        provider.save_private_key(name, private_key)
+
+        expects_private_file(path)
+      end
+
+      it 'downcases name' do
+        provider.save_private_key('TOM', private_key)
+
+        expect(File).to be_exist(path)
+      end
+
+      it 'raises if name is invalid' do
+        expect {
+          provider.save_private_key('tom/../key', private_key)
+        }.to raise_error(RuntimeError, 'Certname "tom/../key" must not contain unprintable or non-ASCII characters')
+      end
+
+      it 'raises if the private key is unwritable' do
+        provider.stubs(:save_pem).raises(Errno::EACCES, 'Permission denied')
+
+        expect {
+          provider.save_private_key(name, private_key)
+        }.to raise_error(Puppet::Error, "Failed to save private key for '#{name}'")
+      end
+    end
+
+    context 'certs' do
+      let(:certdir) { tmpdir('certdir') }
+      let(:client_cert) { cert_fixture('signed.pem') }
+      let(:path) { File.join(certdir, 'tom.pem') }
+      let(:provider) { create_provider(certdir: certdir) }
+
+      it 'writes PEM encoded cert' do
+        provider.save_client_cert(name, client_cert)
+
+        expect(File.read(path)).to match(/\A-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----\Z/m)
+      end
+
+      it 'sets mode to 644' do
+        provider.save_client_cert(name, client_cert)
+
+        expects_public_file(path)
+      end
+
+      it 'downcases name' do
+        provider.save_client_cert('TOM', client_cert)
+
+        expect(File).to be_exist(path)
+      end
+
+      it 'raises if name is invalid' do
+        expect {
+          provider.save_client_cert('tom/../key', client_cert)
+        }.to raise_error(RuntimeError, 'Certname "tom/../key" must not contain unprintable or non-ASCII characters')
+      end
+
+      it 'raises if the cert is unwritable' do
+        provider.stubs(:save_pem).raises(Errno::EACCES, 'Permission denied')
+
+        expect {
+          provider.save_client_cert(name, client_cert)
+        }.to raise_error(Puppet::Error, "Failed to save client certificate for '#{name}'")
+      end
+    end
+
+    context 'requests' do
+      let(:requestdir) { tmpdir('requestdir') }
+      let(:csr) { request_fixture('request.pem') }
+      let(:path) { File.join(requestdir, 'tom.pem') }
+      let(:provider) { create_provider(requestdir: requestdir) }
+
+      it 'writes PEM encoded request' do
+        provider.save_request(name, csr)
+
+        expect(File.read(path)).to match(/\A-----BEGIN CERTIFICATE REQUEST-----.*?-----END CERTIFICATE REQUEST-----\Z/m)
+      end
+
+      it 'sets mode to 644' do
+        provider.save_request(name, csr)
+
+        expects_public_file(path)
+      end
+
+      it 'downcases name' do
+        provider.save_request('TOM', csr)
+
+        expect(File).to be_exist(path)
+      end
+
+      it 'raises if name is invalid' do
+        expect {
+          provider.save_request('tom/../key', csr)
+        }.to raise_error(RuntimeError, 'Certname "tom/../key" must not contain unprintable or non-ASCII characters')
+      end
+
+      it 'raises if the request is unwritable' do
+        provider.stubs(:save_pem).raises(Errno::EACCES, 'Permission denied')
+
+        expect {
+          provider.save_request(name, csr)
+        }.to raise_error(Puppet::Error, "Failed to save certificate request for '#{name}'")
+      end
+    end
+  end
+
+  context 'when deleting' do
+    context 'requests' do
+      let(:name) { 'jerry' }
+      let(:requestdir) { tmpdir('cert_provider') }
+      let(:provider) { create_provider(requestdir: requestdir) }
+
+      it 'returns true if request was deleted' do
+        path = File.join(requestdir, "#{name}.pem")
+        File.write(path, "PEM")
+
+        expect(provider.delete_request(name)).to eq(true)
+        expect(File).not_to be_exist(path)
+      end
+
+      it 'returns false if the request is non-existent' do
+        path = File.join(requestdir, "#{name}.pem")
+
+        expect(provider.delete_request(name)).to eq(false)
+        expect(File).to_not be_exist(path)
+      end
+
+      it 'raises if the file is undeletable' do
+        provider.stubs(:delete_pem).raises(Errno::EACCES, 'Permission denied')
+
+        expect {
+          provider.delete_request(name)
+        }.to raise_error(Puppet::Error, "Failed to delete certificate request for '#{name}'")
+      end
+    end
+  end
+end