puppet 6.3.0-x86-mingw32 → 6.4.0-x86-mingw32

data/spec/unit/network/http/session_spec.rb

@@ -5,11 +5,12 @@ require 'puppet/network/http'
 
 describe Puppet::Network::HTTP::Session do
   let(:connection) { stub('connection') }
+  let(:verifier) { stub('verifier') }
 
   def create_session(connection, expiration_time = nil)
     expiration_time ||= Time.now + 60 * 60
 
-    Puppet::Network::HTTP::Session.new(connection, expiration_time)
+    Puppet::Network::HTTP::Session.new(connection, verifier, expiration_time)
   end
 
   it 'provides access to its connection' do
@@ -18,6 +19,12 @@ describe Puppet::Network::HTTP::Session do
     expect(session.connection).to eq(connection)
   end
 
+  it 'provides access to its verifier' do
+    session = create_session(connection)
+
+    expect(session.verifier).to eq(verifier)
+  end
+
   it 'expires a connection whose expiration time is in the past' do
     now = Time.now
     past = now - 1

data/spec/unit/network/http_pool_spec.rb

@@ -46,6 +46,42 @@ describe Puppet::Network::HttpPool do
       expect(Puppet::Network::HttpPool.http_instance("me", 54321, true)).to be_use_ssl
     end
 
+    it 'has an http_ssl_instance method' do
+      expect(Puppet::Network::HttpPool.http_ssl_instance("me", 54321)).to be_use_ssl
+    end
+
+    context "when calling 'connection'" do
+      it 'requires an ssl_context' do
+        expect {
+          Puppet::Network::HttpPool.connection('me', 8140)
+        }.to raise_error(ArgumentError, "An ssl_context is required when connecting to 'https://me:8140'")
+      end
+
+      it 'creates a verifier from the context' do
+        ssl_context = Puppet::SSL::SSLContext.new
+        expect(
+          Puppet::Network::HttpPool.connection('me', 8140, ssl_context: ssl_context).verifier
+        ).to be_a_kind_of(Puppet::SSL::Verifier)
+      end
+
+      it 'does not use SSL when specified' do
+        expect(Puppet::Network::HttpPool.connection('me', 8140, use_ssl: false)).to_not be_use_ssl
+      end
+
+      it 'defaults to SSL' do
+        ssl_context = Puppet::SSL::SSLContext.new
+        conn = Puppet::Network::HttpPool.connection('me', 8140, ssl_context: ssl_context)
+        expect(conn).to be_use_ssl
+      end
+
+      it 'warns if an ssl_context is used for an http connection' do
+        Puppet.expects(:warning).with("An ssl_context is unnecessary when connecting to 'http://me:8140' and will be ignored")
+
+        ssl_context = Puppet::SSL::SSLContext.new
+        Puppet::Network::HttpPool.connection('me', 8140, use_ssl: false, ssl_context: ssl_context)
+      end
+    end
+
     describe 'peer verification' do
       def setup_standard_ssl_configuration
         ca_cert_file = File.expand_path('/path/to/ssl/certs/ca_cert.pem')

data/spec/unit/pops/loaders/loader_spec.rb

@@ -250,6 +250,11 @@ describe 'The Loader' do
               'aplan.pp' => <<-PUPPET.unindent,
                 plan b::aplan() {}
                 PUPPET
+              'yamlplan.yaml' => '{}',
+              'conflict.yaml' => '{}',
+              'conflict.pp' => <<-PUPPET.unindent,
+                plan b::conflict() {}
+                PUPPET
             }
           }
 
@@ -368,7 +373,7 @@ describe 'The Loader' do
 
             it 'private loader finds plans in all modules' do
               expect(loader.private_loader.discover(:plan) { |t| t.name =~ /^.(?:::.*)?\z/ }).to(
-                contain_exactly(tn(:plan, 'b'), tn(:plan, 'a::aplan'), tn(:plan, 'b::aplan')))
+                contain_exactly(tn(:plan, 'b'), tn(:plan, 'a::aplan'), tn(:plan, 'b::aplan'), tn(:plan, 'b::conflict')))
             end
 
             it 'module loader finds plans only in itself' do
@@ -376,6 +381,26 @@ describe 'The Loader' do
                 contain_exactly(tn(:plan, 'a::aplan')))
             end
 
+            context 'with a yaml plan instantiator defined' do
+              before :each do
+                Puppet.push_context(:yaml_plan_instantiator => mock(:create => mock('plan')))
+              end
+
+              after :each do
+                Puppet.pop_context
+              end
+
+              it 'module loader finds yaml plans' do
+                expect(Loaders.find_loader('b').discover(:plan)).to(
+                  include(tn(:plan, 'b::yamlplan')))
+              end
+
+              it 'module loader excludes plans with both .pp and .yaml versions' do
+                expect(Loaders.find_loader('b').discover(:plan)).not_to(
+                  include(tn(:plan, 'b::conflict')))
+              end
+            end
+
             it 'private loader finds types in all modules' do
               expect(loader.private_loader.discover(:type) { |t| t.name =~ /^.::.*\z/ }).to(
                 contain_exactly(tn(:type, 'a::atype'), tn(:type, 'b::atype'), tn(:type, 'c::atype')))

data/spec/unit/provider/package/windows_spec.rb

@@ -86,7 +86,7 @@ describe Puppet::Type.type(:package).provider(:windows), :if => Puppet.features.
   context '#install' do
     let(:command) { 'blarg.exe /S' }
     let(:klass) { mock('installer', :install_command => ['blarg.exe', '/S'] ) }
-    let(:execute_options) do {:failonfail => false, :combine => true, :cwd => 'E:\Rando\Directory', :suppress_window => true} end
+    let(:execute_options) do {:failonfail => false, :combine => true, :cwd => nil, :suppress_window => true} end
     before :each do
       Puppet::Provider::Package::Windows::Package.expects(:installer_class).returns(klass)
     end
@@ -136,6 +136,17 @@ describe Puppet::Type.type(:package).provider(:windows), :if => Puppet.features.
         expect(error.code).to eq(5) # ERROR_ACCESS_DENIED
       end
     end
+
+    context 'With a real working dir' do
+      let(:execute_options) do {:failonfail => false, :combine => true, :cwd => 'E:\Rando\Directory', :suppress_window => true} end
+
+      it 'should not try to set the working directory' do
+        Puppet::FileSystem.expects(:exist?).with('E:\Rando\Directory').returns(true)
+        expect_execute(command, 0)
+
+        provider.install
+      end
+    end
   end
 
   context '#uninstall' do

data/spec/unit/reports/http_spec.rb

@@ -18,18 +18,18 @@ describe processor do
     it "configures the connection for ssl when using https" do
       Puppet[:reporturl] = 'https://testing:8080/the/path'
 
-      Puppet::Network::HttpPool.expects(:http_instance).with(
-        'testing', 8080, true
+      Puppet::Network::HttpPool.expects(:connection).with(
+        'testing', 8080, has_entry(ssl_context: instance_of(Puppet::SSL::SSLContext))
       ).returns http
 
       subject.process
     end
 
-    it "does not configure the connectino for ssl when using http" do
-      Puppet[:reporturl] = "http://testing:8080/the/path"
+    it "does not configure the connection for ssl when using http" do
+      Puppet[:reporturl] = 'http://testing:8080/the/path'
 
-      Puppet::Network::HttpPool.expects(:http_instance).with(
-        'testing', 8080, false
+      Puppet::Network::HttpPool.expects(:connection).with(
+        'testing', 8080, use_ssl: false, ssl_context: nil
       ).returns http
 
       subject.process
@@ -42,7 +42,7 @@ describe processor do
     let(:options) { {:metric_id => [:puppet, :report, :http]} }
 
     before :each do
-      Puppet::Network::HttpPool.expects(:http_instance).returns(connection)
+      Puppet::Network::HttpPool.expects(:connection).returns(connection)
     end
 
     it "should use the path specified by the 'reporturl' setting" do

data/spec/unit/rest/client_spec.rb

@@ -1,7 +1,6 @@
 require 'spec_helper'
 
 require 'puppet/rest/client'
-require 'puppet/rest/ssl_context'
 require 'puppet_spec/validators'
 require 'puppet_spec/ssl'
 
@@ -57,7 +56,6 @@ describe Puppet::Rest::Client do
 
     it 'initializes itself with basic defaults' do
       HTTPClient.expects(:new).returns(http)
-      OpenSSL::X509::Store.stubs(:new).returns(ssl_store)
       # Configure connection with HTTP settings
       Puppet[:http_read_timeout] = 120
       Puppet[:http_connect_timeout] = 10
@@ -73,18 +71,18 @@ describe Puppet::Rest::Client do
       Puppet[:hostcert] = '/fake/cert/path'
       ssl_config.expects(:verify_mode=).with(OpenSSL::SSL::VERIFY_NONE)
 
-      Puppet::Rest::Client.new(ssl_context: Puppet::Rest::SSLContext.new(OpenSSL::SSL::VERIFY_NONE))
+      Puppet::Rest::Client.new(ssl_context: Puppet::SSL::SSLContext.new(verify_peer: false, store: ssl_store))
     end
 
     it 'uses a given client and SSL store when provided' do
       ssl_config.expects(:cert_store=).with(ssl_store)
       Puppet::Rest::Client.new(client: http,
-                               ssl_context: Puppet::Rest::SSLContext.new(OpenSSL::SSL::VERIFY_PEER, ssl_store))
+                               ssl_context: Puppet::SSL::SSLContext.new(verify_peer: true, store: ssl_store))
     end
 
     it 'configures a receive timeout when provided' do
       http.expects(:receive_timeout=).with(10)
-      Puppet::Rest::Client.new(ssl_context: Puppet::Rest::SSLContext.new(OpenSSL::SSL::VERIFY_NONE),
+      Puppet::Rest::Client.new(ssl_context: Puppet::SSL::SSLContext.new(verify_peer: false),
                                client: http, receive_timeout: 10)
     end
   end
@@ -92,7 +90,7 @@ describe Puppet::Rest::Client do
   context 'when making requests' do
     let(:ssl_config) { stub_everything('ssl config') }
     let(:http) { stub_everything('http', :ssl_config => ssl_config) }
-    let(:client) { Puppet::Rest::Client.new(ssl_context: Puppet::Rest::SSLContext.new(OpenSSL::SSL::VERIFY_NONE), client: http) }
+    let(:client) { Puppet::Rest::Client.new(ssl_context: Puppet::SSL::SSLContext.new(verify_peer: false), client: http) }
     let(:url) { 'https://myserver.com:555/data' }
 
     describe "#get" do

data/spec/unit/ssl/host_spec.rb

@@ -1,5 +1,6 @@
 #!/usr/bin/env ruby
 require 'spec_helper'
+require 'webmock/rspec'
 require 'puppet/test_ca'
 
 require 'puppet/ssl/host'
@@ -308,40 +309,49 @@ describe Puppet::SSL::Host, if: !Puppet::Util::Platform.jruby? do
       @host.stubs(:validate_certificate_with_key)
       @host.stubs(:http_client).returns(@http)
       @host.stubs(:ssl_store).returns(mock("ssl store"))
+
+      WebMock.disable_net_connect!
+      Net::HTTP.any_instance.stubs(:start)
+      Net::HTTP.any_instance.stubs(:finish)
     end
 
     let(:ca_cert_response) { @pki[:ca_bundle] }
+    let(:crl_response) { @pki[:crl_chain] }
     let(:host_cert_response) { @pki[:unrevoked_leaf_node_cert] }
 
     it "should find the CA certificate and save it to disk" do
-      Puppet::Rest::Routes.expects(:get_certificate)
-                          .with(Puppet::SSL::CA_NAME, anything)
-                          .returns(ca_cert_response)
-      Puppet::Rest::Routes.expects(:get_certificate)
-                          .with(@host.name, anything)
-                          .raises(Puppet::Rest::ResponseError.new('no client cert',
-                                                                  mock('response', code: '404')))
+      stub_request(:get, %r{puppet-ca/v1/certificate/ca}).to_return(status: 200, body: ca_cert_response)
+      stub_request(:get, %r{puppet-ca/v1/certificate_revocation_list/ca}).to_return(status: 200, body: crl_response)
+      stub_request(:get, %r{puppet-ca/v1/certificate/#{@host.name}}).to_return(status: 404)
+
       @host.certificate
       actual_ca_bundle = Puppet::FileSystem.read(Puppet[:localcacert])
       expect(actual_ca_bundle).to match(/BEGIN CERTIFICATE.*END CERTIFICATE.*BEGIN CERTIFICATE/m)
     end
 
-    it "should return nil if it cannot find a CA certificate" do
-      @host.expects(:ensure_ca_certificate).returns(false)
+    it "should raise if it cannot find a CA certificate" do
+      stub_request(:get, %r{puppet-ca/v1/certificate/ca}).to_return(status: 404)
+
       @host.expects(:get_host_certificate).never
 
-      expect(@host.certificate).to be_nil
+      expect {
+        @host.certificate
+      }.to raise_error(Puppet::Error, /CA certificate is missing from the server/)
     end
 
     it "should find the key if it does not have one" do
-      @host.expects(:ensure_ca_certificate).returns(true)
+      stub_request(:get, %r{puppet-ca/v1/certificate/ca}).to_return(status: 200, body: ca_cert_response)
+      stub_request(:get, %r{puppet-ca/v1/certificate_revocation_list/ca}).to_return(status: 200, body: crl_response)
+
       @host.expects(:get_host_certificate).returns(nil)
       @host.expects(:key).returns mock("key")
       @host.certificate
     end
 
     it "should generate the key if one cannot be found" do
-      @host.expects(:ensure_ca_certificate).returns(true)
+      stub_request(:get, %r{puppet-ca/v1/certificate/ca}).to_return(status: 200, body: ca_cert_response)
+      stub_request(:get, %r{puppet-ca/v1/certificate_revocation_list/ca}).to_return(status: 200, body: crl_response)
+
       @host.expects(:get_host_certificate).returns(nil)
       @host.expects(:key).returns nil
       @host.expects(:generate_key)
@@ -349,12 +359,10 @@ describe Puppet::SSL::Host, if: !Puppet::Util::Platform.jruby? do
     end
 
     it "should find the host certificate, write it to file, and return the Puppet certificate instance" do
-      Puppet::Rest::Routes.expects(:get_certificate)
-                          .with(Puppet::SSL::CA_NAME, anything)
-                          .returns(ca_cert_response)
-      Puppet::Rest::Routes.expects(:get_certificate)
-                          .with(@host.name, anything)
-                          .returns(host_cert_response)
+      stub_request(:get, %r{puppet-ca/v1/certificate/ca}).to_return(status: 200, body: ca_cert_response)
+      stub_request(:get, %r{puppet-ca/v1/certificate_revocation_list/ca}).to_return(status: 200, body: crl_response)
+      stub_request(:get, %r{puppet-ca/v1/certificate/#{@host.name}}).to_return(status: 200, body: host_cert_response.to_pem)
+
       expected_cert = Puppet::SSL::Certificate.from_s(@pki[:unrevoked_leaf_node_cert])
       actual_cert = @host.certificate
       expect(actual_cert).to be_a(Puppet::SSL::Certificate)
@@ -365,7 +373,8 @@ describe Puppet::SSL::Host, if: !Puppet::Util::Platform.jruby? do
 
     it "should return any previously found certificate" do
       cert = mock 'cert'
-      @host.expects(:ensure_ca_certificate).returns(true).once
+      stub_request(:get, %r{puppet-ca/v1/certificate/ca}).to_return(status: 200, body: ca_cert_response)
+      stub_request(:get, %r{puppet-ca/v1/certificate_revocation_list/ca}).to_return(status: 200, body: crl_response)
       @host.expects(:get_host_certificate).returns(cert).once
 
       expect(@host.certificate).to equal(cert)
@@ -374,19 +383,16 @@ describe Puppet::SSL::Host, if: !Puppet::Util::Platform.jruby? do
 
     context 'invalid certificates' do
       it "should raise if the CA certificate downloaded from CA is invalid" do
-        Puppet::Rest::Routes.expects(:get_certificate)
-                            .with(Puppet::SSL::CA_NAME, anything)
-                            .returns('garbage')
-        expect { @host.certificate }.to raise_error(Puppet::Error, /did not contain a valid CA certificate/)
+        stub_request(:get, %r{puppet-ca/v1/certificate/ca}).to_return(status: 200, body: 'garbage')
+
+        expect { @host.certificate }.to raise_error(OpenSSL::X509::CertificateError, /Failed to parse CA certificates as PEM/)
       end
 
       it "should warn if the host certificate downloaded from CA is invalid" do
-        Puppet::Rest::Routes.expects(:get_certificate)
-                            .with(Puppet::SSL::CA_NAME, anything)
-                            .returns(ca_cert_response)
-        Puppet::Rest::Routes.expects(:get_certificate)
-                            .with(@host.name, anything)
-                            .returns('garbage')
+        stub_request(:get, %r{puppet-ca/v1/certificate/ca}).to_return(status: 200, body: ca_cert_response)
+        stub_request(:get, %r{puppet-ca/v1/certificate_revocation_list/ca}).to_return(status: 200, body: crl_response)
+        stub_request(:get, %r{puppet-ca/v1/certificate/#{@host.name}}).to_return(status: 200, body: 'garbage')
+
         expect { @host.certificate }.to raise_error(Puppet::Error, /did not contain a valid certificate for #{@host.name}/)
       end
 
@@ -394,13 +400,13 @@ describe Puppet::SSL::Host, if: !Puppet::Util::Platform.jruby? do
         Puppet::FileSystem.open(Puppet[:localcacert], nil, "w:ASCII") do |f|
           f.puts 'garbage'
         end
-        expect { @host.certificate }.to raise_error(Puppet::Error, /The CA certificate.*invalid/)
+        expect { @host.certificate }.to raise_error(OpenSSL::X509::CertificateError, /Failed to parse CA certificates as PEM/)
       end
 
       it 'should warn if the host certificate loaded from disk in invalid' do
-        Puppet::Rest::Routes.expects(:get_certificate)
-                            .with(Puppet::SSL::CA_NAME, anything)
-                            .returns(ca_cert_response)
+        stub_request(:get, %r{puppet-ca/v1/certificate/ca}).to_return(status: 200, body: ca_cert_response)
+        stub_request(:get, %r{puppet-ca/v1/certificate_revocation_list/ca}).to_return(status: 200, body: crl_response)
+
         Puppet::FileSystem.open(File.join(Puppet[:certdir], "#{@host.name}.pem"), nil, "w:ASCII") do |f|
           f.puts 'garbage'
         end

data/spec/unit/ssl/ssl_provider_spec.rb

@@ -0,0 +1,428 @@
+require 'spec_helper'
+
+describe Puppet::SSL::SSLProvider do
+  include PuppetSpec::Files
+
+  let(:global_cacerts) { [ cert_fixture('ca.pem'), cert_fixture('intermediate.pem') ] }
+  let(:global_crls) { [ crl_fixture('crl.pem'), crl_fixture('intermediate-crl.pem') ] }
+  let(:wrong_key) { OpenSSL::PKey::RSA.new(512) }
+
+  def as_pem_file(x509)
+    path = tmpfile('ssl_provider_pem')
+    File.write(path, x509.to_pem)
+    path
+  end
+
+  context 'when creating an insecure context' do
+    let(:sslctx) { subject.create_insecure_context }
+
+    it 'has an empty list of trusted certs' do
+      expect(sslctx.cacerts).to eq([])
+    end
+
+    it 'has an empty list of crls' do
+      expect(sslctx.crls).to eq([])
+    end
+
+    it 'has an empty chain' do
+      expect(sslctx.client_chain).to eq([])
+    end
+
+    it 'has a nil private key and cert' do
+      expect(sslctx.private_key).to be_nil
+      expect(sslctx.client_cert).to be_nil
+    end
+
+    it 'does not authenticate the server' do
+      expect(sslctx.verify_peer).to eq(false)
+    end
+
+    it 'raises if the frozen context is modified' do
+      expect {
+        sslctx.cacerts = []
+      }.to raise_error(/can't modify frozen/)
+    end
+  end
+
+  context 'when creating an root ssl context with CA certs' do
+    let(:config) { { cacerts: [], crls: [], revocation: false } }
+
+    it 'accepts empty list of certs and crls' do
+      sslctx = subject.create_root_context(config)
+      expect(sslctx.cacerts).to eq([])
+      expect(sslctx.crls).to eq([])
+    end
+
+    it 'accepts valid root certs' do
+      certs = [cert_fixture('ca.pem')]
+      sslctx = subject.create_root_context(config.merge(cacerts: certs))
+      expect(sslctx.cacerts).to eq(certs)
+    end
+
+    it 'accepts valid intermediate certs' do
+      certs = [cert_fixture('ca.pem'), cert_fixture('intermediate.pem')]
+      sslctx = subject.create_root_context(config.merge(cacerts: certs))
+      expect(sslctx.cacerts).to eq(certs)
+    end
+
+    it 'accepts expired CA certs' do
+      expired = [cert_fixture('ca.pem'), cert_fixture('intermediate.pem')]
+      expired.each { |x509| x509.not_after = Time.at(0) }
+
+      sslctx = subject.create_root_context(config.merge(cacerts: expired))
+      expect(sslctx.cacerts).to eq(expired)
+    end
+
+    it 'raises if the frozen context is modified' do
+      sslctx = subject.create_root_context(config)
+      expect {
+        sslctx.verify_peer = false
+      }.to raise_error(/can't modify frozen/)
+    end
+  end
+
+  context 'when creating an ssl context with crls' do
+    let(:config) { { cacerts: global_cacerts, crls: global_crls} }
+
+    it 'accepts valid CRLs' do
+      certs = [cert_fixture('ca.pem')]
+      crls = [crl_fixture('crl.pem')]
+      sslctx = subject.create_root_context(config.merge(cacerts: certs, crls: crls))
+      expect(sslctx.crls).to eq(crls)
+    end
+
+    it 'accepts valid CRLs for intermediate certs' do
+      certs = [cert_fixture('ca.pem'), cert_fixture('intermediate.pem')]
+      crls = [crl_fixture('crl.pem'), crl_fixture('intermediate-crl.pem')]
+      sslctx = subject.create_root_context(config.merge(cacerts: certs, crls: crls))
+      expect(sslctx.crls).to eq(crls)
+    end
+
+    it 'accepts expired CRLs' do
+      expired = [crl_fixture('crl.pem'), crl_fixture('intermediate-crl.pem')]
+      expired.each { |x509| x509.last_update = Time.at(0) }
+
+      sslctx = subject.create_root_context(config.merge(crls: expired))
+      expect(sslctx.crls).to eq(expired)
+    end
+  end
+
+  context 'when creating an ssl context with client certs' do
+    let(:client_cert) { cert_fixture('signed.pem') }
+    let(:private_key) { key_fixture('signed-key.pem') }
+    let(:config) { { cacerts: global_cacerts, crls: global_crls, client_cert: client_cert, private_key: private_key } }
+
+    it 'raises if CA certs are missing' do
+      expect {
+        subject.create_context(config.merge(cacerts: nil))
+      }.to raise_error(ArgumentError, /CA certs are missing/)
+    end
+
+    it 'raises if CRLs are are missing' do
+      expect {
+        subject.create_context(config.merge(crls: nil))
+      }.to raise_error(ArgumentError, /CRLs are missing/)
+    end
+
+    it 'raises if private key is missing' do
+      expect {
+        subject.create_context(config.merge(private_key: nil))
+      }.to raise_error(ArgumentError, /Private key is missing/)
+    end
+
+    it 'raises if client cert is missing' do
+      expect {
+        subject.create_context(config.merge(client_cert: nil))
+      }.to raise_error(ArgumentError, /Client cert is missing/)
+    end
+
+    it 'accepts RSA keys' do
+      sslctx = subject.create_context(config)
+      expect(sslctx.private_key).to eq(private_key)
+    end
+
+    it 'raises if private key is unsupported' do
+      ec_key = OpenSSL::PKey::EC.new
+      expect {
+        subject.create_context(config.merge(private_key: ec_key))
+      }.to raise_error(Puppet::SSL::SSLError, /Unsupported key 'OpenSSL::PKey::EC'/)
+    end
+
+    it 'resolves the client chain from leaf to root' do
+      sslctx = subject.create_context(config)
+      expect(
+        sslctx.client_chain.map(&:subject).map(&:to_s)
+      ).to eq(['/CN=signed', '/CN=Test CA Subauthority', '/CN=Test CA'])
+    end
+
+    it 'raises if client cert signature is invalid' do
+      client_cert.sign(wrong_key, OpenSSL::Digest::SHA256.new)
+      expect {
+        subject.create_context(config.merge(client_cert: client_cert))
+      }.to raise_error(Puppet::SSL::CertVerifyError,
+                       "Invalid signature for certificate '/CN=signed'")
+    end
+
+    it 'raises if client cert and private key are mismatched' do
+      expect {
+        subject.create_context(config.merge(private_key: wrong_key))
+      }.to raise_error(Puppet::SSL::SSLError,
+                       "The certificate for '/CN=signed' does not match its private key")
+    end
+
+    it "raises if client cert's public key has been replaced" do
+      expect {
+        subject.create_context(config.merge(client_cert: cert_fixture('tampered-cert.pem')))
+      }.to raise_error(Puppet::SSL::CertVerifyError,
+                       "Invalid signature for certificate '/CN=signed'")
+    end
+
+    # This option is only available in openssl 1.1
+    it 'raises if root cert signature is invalid', if: defined?(OpenSSL::X509::V_FLAG_CHECK_SS_SIGNATURE) do
+      ca = global_cacerts.first
+      ca.sign(wrong_key, OpenSSL::Digest::SHA256.new)
+
+      expect {
+        subject.create_context(config.merge(cacerts: global_cacerts))
+      }.to raise_error(Puppet::SSL::CertVerifyError,
+                       "Invalid signature for certificate '/CN=Test CA'")
+    end
+
+    it 'raises if intermediate CA signature is invalid' do
+      int = global_cacerts.last
+      int.sign(wrong_key, OpenSSL::Digest::SHA256.new)
+
+      expect {
+        subject.create_context(config.merge(cacerts: global_cacerts))
+      }.to raise_error(Puppet::SSL::CertVerifyError,
+                       "Invalid signature for certificate '/CN=Test CA Subauthority'")
+    end
+
+    it 'raises if CRL signature for root CA is invalid', unless: Puppet::Util::Platform.jruby? do
+      crl = global_crls.first
+      crl.sign(wrong_key, OpenSSL::Digest::SHA256.new)
+
+      expect {
+        subject.create_context(config.merge(crls: global_crls))
+      }.to raise_error(Puppet::SSL::CertVerifyError,
+                       "Invalid signature for CRL issued by '/CN=Test CA'")
+    end
+
+    it 'raises if CRL signature for intermediate CA is invalid', unless: Puppet::Util::Platform.jruby? do
+      crl = global_crls.last
+      crl.sign(wrong_key, OpenSSL::Digest::SHA256.new)
+
+      expect {
+        subject.create_context(config.merge(crls: global_crls))
+      }.to raise_error(Puppet::SSL::CertVerifyError,
+                       "Invalid signature for CRL issued by '/CN=Test CA Subauthority'")
+    end
+
+    it 'raises if client cert is revoked' do
+      expect {
+        subject.create_context(config.merge(private_key: key_fixture('revoked-key.pem'), client_cert: cert_fixture('revoked.pem')))
+      }.to raise_error(Puppet::SSL::CertVerifyError,
+                       "Certificate '/CN=revoked' is revoked")
+    end
+
+    it 'warns if intermediate issuer is missing' do
+      Puppet.expects(:warning).with("The issuer '/CN=Test CA Subauthority' of certificate '/CN=signed' cannot be found locally")
+
+      subject.create_context(config.merge(cacerts: [cert_fixture('ca.pem')]))
+    end
+
+    it 'raises if root issuer is missing' do
+      expect {
+        subject.create_context(config.merge(cacerts: [cert_fixture('intermediate.pem')]))
+      }.to raise_error(Puppet::SSL::CertVerifyError,
+                       "The issuer '/CN=Test CA' of certificate '/CN=Test CA Subauthority' is missing")
+    end
+
+    it 'raises if cert is not valid yet', unless: Puppet::Util::Platform.jruby? do
+      client_cert.not_before = Time.now + (5 * 60 * 60)
+      expect {
+        subject.create_context(config.merge(client_cert: client_cert))
+      }.to raise_error(Puppet::SSL::CertVerifyError,
+                       "The certificate '/CN=signed' is not yet valid, verify time is synchronized")
+    end
+
+    it 'raises if cert is expired', unless: Puppet::Util::Platform.jruby? do
+      client_cert.not_after = Time.at(0)
+      expect {
+        subject.create_context(config.merge(client_cert: client_cert))
+      }.to raise_error(Puppet::SSL::CertVerifyError,
+                       "The certificate '/CN=signed' has expired, verify time is synchronized")
+    end
+
+    it 'raises if crl is not valid yet', unless: Puppet::Util::Platform.jruby? do
+      future_crls = global_crls
+      # invalidate the CRL issued by the root
+      future_crls.first.last_update = Time.now + (5 * 60 * 60)
+
+      expect {
+        subject.create_context(config.merge(crls: future_crls))
+      }.to raise_error(Puppet::SSL::CertVerifyError,
+                       "The CRL issued by '/CN=Test CA' is not yet valid, verify time is synchronized")
+    end
+
+    it 'raises if crl is expired', unless: Puppet::Util::Platform.jruby? do
+      past_crls = global_crls
+      # invalidate the CRL issued by the root
+      past_crls.first.next_update = Time.at(0)
+
+      expect {
+        subject.create_context(config.merge(crls: past_crls))
+      }.to raise_error(Puppet::SSL::CertVerifyError,
+                       "The CRL issued by '/CN=Test CA' has expired, verify time is synchronized")
+    end
+
+    it 'raises if the root CRL is missing' do
+      crls = [crl_fixture('intermediate-crl.pem')]
+      expect {
+        subject.create_context(config.merge(crls: crls, revocation: :chain))
+      }.to raise_error(Puppet::SSL::CertVerifyError,
+                       "The CRL issued by '/CN=Test CA' is missing")
+    end
+
+    it 'raises if the intermediate CRL is missing' do
+      crls = [crl_fixture('crl.pem')]
+      expect {
+        subject.create_context(config.merge(crls: crls))
+      }.to raise_error(Puppet::SSL::CertVerifyError,
+                       "The CRL issued by '/CN=Test CA Subauthority' is missing")
+    end
+
+    it "doesn't raise if the root CRL is missing and we're just checking the leaf" do
+      crls = [crl_fixture('intermediate-crl.pem')]
+      subject.create_context(config.merge(crls: crls, revocation: :leaf))
+    end
+
+    it "doesn't raise if the intermediate CRL is missing and revocation checking is disabled" do
+      crls = [crl_fixture('crl.pem')]
+      subject.create_context(config.merge(crls: crls, revocation: false))
+    end
+
+    it "doesn't raise if both CRLs are missing and revocation checking is disabled" do
+      subject.create_context(config.merge(crls: [], revocation: false))
+    end
+
+    # OpenSSL < 1.1 does not verify basicConstraints
+    it "raises if root CA's isCA basic constraint is false", unless: Puppet::Util::Platform.jruby? || OpenSSL::OPENSSL_VERSION_NUMBER < 0x10100000 do
+      certs = [cert_fixture('bad-basic-constraints.pem'), cert_fixture('intermediate.pem')]
+
+      expect {
+        subject.create_context(config.merge(cacerts: certs, crls: [], revocation: false))
+      }.to raise_error(Puppet::SSL::CertVerifyError,
+                       "Certificate '/CN=Test CA' failed verification (24): invalid CA certificate")
+    end
+
+    # OpenSSL < 1.1 does not verify basicConstraints
+    it "raises if intermediate CA's isCA basic constraint is false", unless: Puppet::Util::Platform.jruby? || OpenSSL::OPENSSL_VERSION_NUMBER < 0x10100000 do
+      certs = [cert_fixture('ca.pem'), cert_fixture('bad-int-basic-constraints.pem')]
+
+      expect {
+        subject.create_context(config.merge(cacerts: certs, crls: [], revocation: false))
+      }.to raise_error(Puppet::SSL::CertVerifyError,
+                       "Certificate '/CN=Test CA Subauthority' failed verification (24): invalid CA certificate")
+    end
+
+    it 'accepts CA certs in any order' do
+      sslctx = subject.create_context(config.merge(cacerts: global_cacerts.reverse))
+      # certs in ruby+openssl 1.0.x are not comparable, so compare subjects
+      expect(sslctx.client_chain.map(&:subject).map(&:to_s)).to contain_exactly('/CN=Test CA', '/CN=Test CA Subauthority', '/CN=signed')
+    end
+
+    it 'accepts CRLs in any order' do
+      sslctx = subject.create_context(config.merge(crls: global_crls.reverse))
+      # certs in ruby+openssl 1.0.x are not comparable, so compare subjects
+      expect(sslctx.client_chain.map(&:subject).map(&:to_s)).to contain_exactly('/CN=Test CA', '/CN=Test CA Subauthority', '/CN=signed')
+    end
+
+    it 'raises if the frozen context is modified' do
+      sslctx = subject.create_context(config)
+      expect {
+        sslctx.verify_peer = false
+      }.to raise_error(/can't modify frozen/)
+    end
+  end
+
+  context 'when loading an ssl context' do
+    let(:client_cert) { cert_fixture('signed.pem') }
+    let(:private_key) { key_fixture('signed-key.pem') }
+    let(:doesnt_exist) { '/does/not/exist' }
+
+    before :each do
+      Puppet[:localcacert] = as_pem_file(global_cacerts.first)
+      Puppet[:hostcrl] = as_pem_file(global_crls.first)
+
+      Puppet[:certname] = 'signed'
+      Puppet[:privatekeydir] = tmpdir('privatekeydir')
+      File.write(File.join(Puppet[:privatekeydir], 'signed.pem'), private_key.to_pem)
+
+      Puppet[:certdir] = tmpdir('privatekeydir')
+      File.write(File.join(Puppet[:certdir], 'signed.pem'), client_cert.to_pem)
+    end
+
+    it 'raises if CA certs are missing' do
+      Puppet[:localcacert] = doesnt_exist
+
+      expect {
+        subject.load_context
+      }.to raise_error(Puppet::Error, /The CA certificates are missing from/)
+    end
+
+    it 'raises if the CRL is missing' do
+      Puppet[:hostcrl] = doesnt_exist
+
+      expect {
+        subject.load_context
+      }.to raise_error(Puppet::Error, /The CRL is missing from/)
+    end
+
+    it 'does not raise if the CRL is missing and revocation is disabled' do
+      Puppet[:hostcrl] = doesnt_exist
+
+      subject.load_context(revocation: false)
+    end
+
+    it 'raises if the private key is missing' do
+      Puppet[:privatekeydir] = doesnt_exist
+
+      expect {
+        subject.load_context
+      }.to raise_error(Puppet::Error, /The private key is missing from/)
+    end
+
+    it 'raises if the client cert is missing' do
+      Puppet[:certdir] = doesnt_exist
+
+      expect {
+        subject.load_context
+      }.to raise_error(Puppet::Error, /The client certificate is missing from/)
+    end
+  end
+
+  context 'when verifying requests' do
+    let(:csr) { request_fixture('request.pem') }
+
+    it 'accepts valid requests' do
+      private_key = key_fixture('request-key.pem')
+      expect(subject.verify_request(csr, private_key.public_key)).to eq(csr)
+    end
+
+    it "raises if the CSR was signed by a private key that doesn't match public key" do
+      expect {
+        subject.verify_request(csr, wrong_key.public_key)
+      }.to raise_error(Puppet::SSL::SSLError,
+                       "The CSR for host '/CN=pending' does not match the public key")
+    end
+
+    it "raises if the CSR was tampered with" do
+      csr = request_fixture('tampered-csr.pem')
+      expect {
+        subject.verify_request(csr, csr.public_key)
+      }.to raise_error(Puppet::SSL::SSLError,
+                       "The CSR for host '/CN=signed' does not match the public key")
+    end
+  end
+end