puppet 7.0.0-x64-mingw32 → 7.5.0-x64-mingw32

data/spec/unit/util/logging_spec.rb

@@ -552,7 +552,7 @@ original
 
     describe 'does support debugging' do
       before :each do
-        allow(Facter).to receive(:respond_to?).with(:debugging).and_return(true)
+        allow(Facter).to receive(:respond_to?).with(:debugging, any_args).and_return(true)
       end
 
       it 'enables Facter debugging when debug level' do
@@ -568,7 +568,7 @@ original
 
     describe 'does support trace' do
       before :each do
-        allow(Facter).to receive(:respond_to?).with(:trace).and_return(true)
+        allow(Facter).to receive(:respond_to?).with(:trace, any_args).and_return(true)
       end
 
       it 'enables Facter trace when enabled' do
@@ -584,7 +584,7 @@ original
 
     describe 'does support on_message' do
       before :each do
-        allow(Facter).to receive(:respond_to?).with(:on_message).and_return(true)
+        allow(Facter).to receive(:respond_to?).with(:on_message, any_args).and_return(true)
       end
 
       def setup(level, message)

data/spec/unit/util/posix_spec.rb

@@ -1,5 +1,6 @@
 require 'spec_helper'
 
+require 'puppet/ffi/posix'
 require 'puppet/util/posix'
 
 class PosixTest
@@ -11,35 +12,344 @@ describe Puppet::Util::POSIX do
     @posix = PosixTest.new
   end
 
-  describe '.groups_of' do
+  describe '.groups_of' do 
+    let(:mock_user_data) { double(user, :gid => 1000) }
+
+    let(:ngroups_ptr) { double('FFI::MemoryPointer', :address => 0x0001, :size => 4) }
+    let(:groups_ptr) { double('FFI::MemoryPointer', :address => 0x0002, :size => Puppet::FFI::POSIX::Constants::MAXIMUM_NUMBER_OF_GROUPS) }
+
     let(:mock_groups) do
       [
-        ['group1', ['user1', 'user2']],
-        ['group2', ['user2']],
-        ['group1', ['user1', 'user2']],
-        ['group3', ['user1']],
-        ['group4', ['user2']]
-      ].map do |(name, members)|
+        ['root', ['root'], 0],
+        ['nomembers', [], 5 ],
+        ['group1', ['user1', 'user2'], 1001],
+        ['group2', ['user2'], 2002],
+        ['group1', ['user1', 'user2'], 1001],
+        ['group3', ['user1'], 3003],
+        ['group4', ['user2'], 4004],
+        ['user1', [], 1111],
+        ['user2', [], 2222]
+      ].map do |(name, members, gid)|
         group_struct = double("Group #{name}")
         allow(group_struct).to receive(:name).and_return(name)
         allow(group_struct).to receive(:mem).and_return(members)
+        allow(group_struct).to receive(:gid).and_return(gid)
 
         group_struct
       end
     end
 
+    def prepare_user_and_groups_env(user, groups)
+      groups_gids = []
+      groups_and_user = []
+      groups_and_user.replace(groups)
+      groups_and_user.push(user)
+
+      groups_and_user.each do |group|
+        mock_group = mock_groups.find { |m| m.name == group }
+        groups_gids.push(mock_group.gid)
+
+        allow(Puppet::Etc).to receive(:getgrgid).with(mock_group.gid).and_return(mock_group)
+      end
+
+      if groups_and_user.size > Puppet::FFI::POSIX::Constants::MAXIMUM_NUMBER_OF_GROUPS
+        allow(ngroups_ptr).to receive(:read_int).and_return(Puppet::FFI::POSIX::Constants::MAXIMUM_NUMBER_OF_GROUPS, groups_and_user.size)
+      else
+        allow(ngroups_ptr).to receive(:read_int).and_return(groups_and_user.size)
+      end
+
+      allow(groups_ptr).to receive(:get_array_of_uint).with(0, groups_and_user.size).and_return(groups_gids)
+      allow(Puppet::Etc).to receive(:getpwnam).with(user).and_return(mock_user_data)
+    end
+
     before(:each) do
-      etc_stub = receive(:group)
-      mock_groups.each do |mock_group|
-        etc_stub = etc_stub.and_yield(mock_group)
+      allow(Puppet::FFI::POSIX::Functions).to receive(:respond_to?).with(:getgrouplist, any_args).and_return(true)
+    end
+
+    describe 'when it uses FFI function getgrouplist' do
+      before(:each) do
+        allow(FFI::MemoryPointer).to receive(:new).with(:int).and_yield(ngroups_ptr)
+        allow(FFI::MemoryPointer).to receive(:new).with(:uint, Puppet::FFI::POSIX::Constants::MAXIMUM_NUMBER_OF_GROUPS).and_yield(groups_ptr)
+        allow(ngroups_ptr).to receive(:write_int).with(Puppet::FFI::POSIX::Constants::MAXIMUM_NUMBER_OF_GROUPS).and_return(ngroups_ptr)
+      end
+
+      describe 'when there are groups' do
+        context 'for user1' do
+          let(:user) { 'user1' }
+          let(:expected_groups) { ['group1', 'group3'] }
+
+          before(:each) do
+            prepare_user_and_groups_env(user, expected_groups)
+            allow(Puppet::FFI::POSIX::Functions).to receive(:getgrouplist).and_return(1)
+          end
+
+          it "should return the groups for given user" do
+            expect(Puppet::Util::POSIX.groups_of(user)).to eql(expected_groups)
+          end
+
+          it 'should not print any debug message about falling back to Puppet::Etc.group' do
+            expect(Puppet).not_to receive(:debug).with(/Falling back to Puppet::Etc.group:/)
+            Puppet::Util::POSIX.groups_of(user)
+          end
+        end
+
+        context 'for user2' do
+          let(:user) { 'user2' }
+          let(:expected_groups) { ['group1', 'group2', 'group4'] }
+
+          before(:each) do
+            prepare_user_and_groups_env(user, expected_groups)
+            allow(Puppet::FFI::POSIX::Functions).to receive(:respond_to?).with(:getgrouplist, any_args).and_return(true)
+            allow(Puppet::FFI::POSIX::Functions).to receive(:getgrouplist).and_return(1)
+          end
+
+          it "should return the groups for given user" do
+            expect(Puppet::Util::POSIX.groups_of(user)).to eql(expected_groups)
+          end
+
+          it 'should not print any debug message about falling back to Puppet::Etc.group' do
+            expect(Puppet).not_to receive(:debug).with(/Falling back to Puppet::Etc.group:/)
+            Puppet::Util::POSIX.groups_of(user)
+          end
+        end
+      end
+
+      describe 'when there are no groups' do
+        let(:user) { 'nomembers' }
+        let(:expected_groups) { [] }
+
+        before(:each) do
+          prepare_user_and_groups_env(user, expected_groups)
+          allow(Puppet::FFI::POSIX::Functions).to receive(:respond_to?).with(:getgrouplist, any_args).and_return(true)
+          allow(Puppet::FFI::POSIX::Functions).to receive(:getgrouplist).and_return(1)
+        end
+
+        it "should return no groups for given user" do
+          expect(Puppet::Util::POSIX.groups_of(user)).to eql(expected_groups)
+        end
+
+        it 'should not print any debug message about falling back to Puppet::Etc.group' do
+          expect(Puppet).not_to receive(:debug).with(/Falling back to Puppet::Etc.group:/)
+          Puppet::Util::POSIX.groups_of(user)
+        end
+      end
+
+      describe 'when primary group explicitly contains user' do
+        let(:user) { 'root' }
+        let(:expected_groups) { ['root'] }
+
+        before(:each) do
+          prepare_user_and_groups_env(user, expected_groups)
+          allow(Puppet::FFI::POSIX::Functions).to receive(:respond_to?).with(:getgrouplist, any_args).and_return(true)
+          allow(Puppet::FFI::POSIX::Functions).to receive(:getgrouplist).and_return(1)
+        end
+
+        it "should return the groups, including primary group, for given user" do
+          expect(Puppet::Util::POSIX.groups_of(user)).to eql(expected_groups)
+        end
+
+        it 'should not print any debug message about falling back to Puppet::Etc.group' do
+          expect(Puppet).not_to receive(:debug).with(/Falling back to Puppet::Etc.group:/)
+          Puppet::Util::POSIX.groups_of(user)
+        end
+      end
+
+      describe 'when primary group does not explicitly contain user' do
+        let(:user) { 'user1' }
+        let(:expected_groups) { ['group1', 'group3'] }
+
+        before(:each) do
+          prepare_user_and_groups_env(user, expected_groups)
+          allow(Puppet::FFI::POSIX::Functions).to receive(:respond_to?).with(:getgrouplist, any_args).and_return(true)
+          allow(Puppet::FFI::POSIX::Functions).to receive(:getgrouplist).and_return(1)
+        end
+
+        it "should not return primary group for given user" do
+          expect(Puppet::Util::POSIX.groups_of(user)).not_to include(user)
+        end
+
+        it 'should not print any debug message about falling back to Puppet::Etc.group' do
+          expect(Puppet).not_to receive(:debug).with(/Falling back to Puppet::Etc.group:/)
+          Puppet::Util::POSIX.groups_of(user)
+        end
+      end
+
+      context 'number of groups' do
+        before(:each) do
+          stub_const("Puppet::FFI::POSIX::Constants::MAXIMUM_NUMBER_OF_GROUPS", 2)
+          prepare_user_and_groups_env(user, expected_groups)
+
+          allow(FFI::MemoryPointer).to receive(:new).with(:uint, Puppet::FFI::POSIX::Constants::MAXIMUM_NUMBER_OF_GROUPS).and_yield(groups_ptr)
+          allow(ngroups_ptr).to receive(:write_int).with(Puppet::FFI::POSIX::Constants::MAXIMUM_NUMBER_OF_GROUPS).and_return(ngroups_ptr)
+        end
+
+        describe 'when there are less than maximum expected number of groups' do
+          let(:user) { 'root' }
+          let(:expected_groups) { ['root'] }
+
+          before(:each) do
+            allow(Puppet::FFI::POSIX::Functions).to receive(:respond_to?).with(:getgrouplist, any_args).and_return(true)
+            allow(Puppet::FFI::POSIX::Functions).to receive(:getgrouplist).and_return(1)
+          end
+
+          it "should return the groups for given user, after one 'getgrouplist' call" do
+            expect(Puppet::FFI::POSIX::Functions).to receive(:getgrouplist).once
+            expect(Puppet::Util::POSIX.groups_of(user)).to eql(expected_groups)
+          end
+
+          it 'should not print any debug message about falling back to Puppet::Etc.group' do
+            expect(Puppet).not_to receive(:debug).with(/Falling back to Puppet::Etc.group:/)
+            Puppet::Util::POSIX.groups_of(user)
+          end
+        end
+
+        describe 'when there are more than maximum expected number of groups' do
+          let(:user) { 'user1' }
+          let(:expected_groups) { ['group1', 'group3'] }
+
+          before(:each) do
+            allow(FFI::MemoryPointer).to receive(:new).with(:uint, Puppet::FFI::POSIX::Constants::MAXIMUM_NUMBER_OF_GROUPS * 2).and_yield(groups_ptr)
+            allow(ngroups_ptr).to receive(:write_int).with(Puppet::FFI::POSIX::Constants::MAXIMUM_NUMBER_OF_GROUPS * 2).and_return(ngroups_ptr)
+
+            allow(Puppet::FFI::POSIX::Functions).to receive(:respond_to?).with(:getgrouplist, any_args).and_return(true)
+            allow(Puppet::FFI::POSIX::Functions).to receive(:getgrouplist).and_return(-1, 1)
+          end
+
+          it "should return the groups for given user, after two 'getgrouplist' calls" do
+            expect(Puppet::FFI::POSIX::Functions).to receive(:getgrouplist).twice
+            expect(Puppet::Util::POSIX.groups_of(user)).to eql(expected_groups)
+          end
+
+          it 'should not print any debug message about falling back to Puppet::Etc.group' do
+            expect(Puppet).not_to receive(:debug).with(/Falling back to Puppet::Etc.group:/)
+            Puppet::Util::POSIX.groups_of(user)
+          end
+        end
       end
-      allow(Puppet::Etc).to etc_stub
     end
 
-    it 'returns the groups of the given user' do
-      expect(Puppet::Util::POSIX.groups_of('user1')).to eql(
-        ['group1', 'group3']
-      )
+    describe 'when it falls back to Puppet::Etc.group method' do
+      before(:each) do
+        etc_stub = receive(:group)
+        mock_groups.each do |mock_group|
+          etc_stub = etc_stub.and_yield(mock_group)
+        end
+        allow(Puppet::Etc).to etc_stub
+
+        allow(Puppet::Etc).to receive(:getpwnam).with(user).and_raise(ArgumentError, "can't find user for #{user}")
+        allow(Puppet).to receive(:debug)
+
+        allow(Puppet::FFI::POSIX::Functions).to receive(:respond_to?).with(:getgrouplist, any_args).and_return(false)
+      end
+
+      describe 'when there are groups' do
+        context 'for user1' do
+          let(:user) { 'user1' }
+          let(:expected_groups) { ['group1', 'group3'] }
+
+          it "should return the groups for given user" do
+            expect(Puppet::Util::POSIX.groups_of(user)).to eql(expected_groups)
+          end
+
+          it 'logs a debug message' do
+            expect(Puppet).to receive(:debug).with("Falling back to Puppet::Etc.group: The 'getgrouplist' method is not available")
+            Puppet::Util::POSIX.groups_of(user)
+          end
+        end
+
+        context 'for user2' do
+          let(:user) { 'user2' }
+          let(:expected_groups) { ['group1', 'group2', 'group4'] }
+
+          it "should return the groups for given user" do
+            expect(Puppet::Util::POSIX.groups_of(user)).to eql(expected_groups)
+          end
+
+          it 'logs a debug message' do
+            expect(Puppet).to receive(:debug).with("Falling back to Puppet::Etc.group: The 'getgrouplist' method is not available")
+            Puppet::Util::POSIX.groups_of(user)
+          end
+        end
+      end
+
+      describe 'when there are no groups' do
+        let(:user) { 'nomembers' }
+        let(:expected_groups) { [] }
+
+        it "should return no groups for given user" do
+          expect(Puppet::Util::POSIX.groups_of(user)).to eql(expected_groups)
+        end
+
+        it 'logs a debug message' do
+          expect(Puppet).to receive(:debug).with("Falling back to Puppet::Etc.group: The 'getgrouplist' method is not available")
+          Puppet::Util::POSIX.groups_of(user)
+        end
+      end
+
+      describe 'when primary group explicitly contains user' do
+        let(:user) { 'root' }
+        let(:expected_groups) { ['root'] }
+
+        it "should return the groups, including primary group, for given user" do
+          expect(Puppet::Util::POSIX.groups_of(user)).to eql(expected_groups)
+        end
+
+        it 'logs a debug message' do
+          expect(Puppet).to receive(:debug).with("Falling back to Puppet::Etc.group: The 'getgrouplist' method is not available")
+          Puppet::Util::POSIX.groups_of(user)
+        end
+      end
+
+      describe 'when primary group does not explicitly contain user' do
+        let(:user) { 'user1' }
+        let(:expected_groups) { ['group1', 'group3'] }
+
+        it "should not return primary group for given user" do
+          expect(Puppet::Util::POSIX.groups_of(user)).not_to include(user)
+        end
+
+        it 'logs a debug message' do
+          expect(Puppet).to receive(:debug).with("Falling back to Puppet::Etc.group: The 'getgrouplist' method is not available")
+          Puppet::Util::POSIX.groups_of(user)
+        end
+      end
+
+      describe "when the 'getgrouplist' method is not available" do
+        let(:user) { 'user1' }
+        let(:expected_groups) { ['group1', 'group3'] }
+
+        before(:each) do
+          allow(Puppet::FFI::POSIX::Functions).to receive(:respond_to?).with(:getgrouplist).and_return(false)
+        end
+
+        it "should return the groups" do
+          expect(Puppet::Util::POSIX.groups_of(user)).to eql(expected_groups)
+        end
+
+        it 'logs a debug message' do
+          expect(Puppet).to receive(:debug).with("Falling back to Puppet::Etc.group: The 'getgrouplist' method is not available")
+          Puppet::Util::POSIX.groups_of(user)
+        end
+      end
+
+
+      describe "when ffi is not available on the machine" do
+        let(:user) { 'user1' }
+        let(:expected_groups) { ['group1', 'group3'] }
+
+        before(:each) do
+          allow(Puppet::Util::POSIX).to receive(:require).with('puppet/ffi/posix').and_raise(LoadError, 'cannot load such file -- ffi')
+        end
+
+        it "should return the groups" do
+          expect(Puppet::Util::POSIX.groups_of(user)).to eql(expected_groups)
+        end
+
+        it 'logs a debug message' do
+          expect(Puppet).to receive(:debug).with("Falling back to Puppet::Etc.group: cannot load such file -- ffi")
+          Puppet::Util::POSIX.groups_of(user)
+        end
+      end
     end
   end
 
@@ -189,6 +499,25 @@ describe Puppet::Util::POSIX do
         expect(@posix.gid("asdf")).to eq(100)
       end
 
+      it "returns the id without full groups query if multiple groups have the same id" do
+        expect(@posix).to receive(:get_posix_field).with(:group, :gid, "asdf").and_return(100)
+        expect(@posix).to receive(:get_posix_field).with(:group, :name, 100).and_return("boo")
+        expect(@posix).to receive(:get_posix_field).with(:group, :gid, "boo").and_return(100)
+
+        expect(@posix).not_to receive(:search_posix_field)
+        expect(@posix.gid("asdf")).to eq(100)
+      end
+
+      it "returns the id with full groups query if name is nil" do
+        expect(@posix).to receive(:get_posix_field).with(:group, :gid, "asdf").and_return(100)
+        expect(@posix).to receive(:get_posix_field).with(:group, :name, 100).and_return(nil)
+        expect(@posix).not_to receive(:get_posix_field).with(:group, :gid, nil)
+
+
+        expect(@posix).to receive(:search_posix_field).with(:group, :gid, "asdf").and_return(100)
+        expect(@posix.gid("asdf")).to eq(100)
+      end
+
       it "should use :search_posix_field if the discovered name does not match the passed-in name" do
         expect(@posix).to receive(:get_posix_field).with(:group, :gid, "asdf").and_return(100)
         expect(@posix).to receive(:get_posix_field).with(:group, :name, 100).and_return("boo")
@@ -265,6 +594,25 @@ describe Puppet::Util::POSIX do
         expect(@posix.uid("asdf")).to eq(100)
       end
 
+      it "returns the id without full users query if multiple users have the same id" do
+        expect(@posix).to receive(:get_posix_field).with(:passwd, :uid, "asdf").and_return(100)
+        expect(@posix).to receive(:get_posix_field).with(:passwd, :name, 100).and_return("boo")
+        expect(@posix).to receive(:get_posix_field).with(:passwd, :uid, "boo").and_return(100)
+
+        expect(@posix).not_to receive(:search_posix_field)
+        expect(@posix.uid("asdf")).to eq(100)
+      end
+
+      it "returns the id with full users query if name is nil" do
+        expect(@posix).to receive(:get_posix_field).with(:passwd, :uid, "asdf").and_return(100)
+        expect(@posix).to receive(:get_posix_field).with(:passwd, :name, 100).and_return(nil)
+        expect(@posix).not_to receive(:get_posix_field).with(:passwd, :uid, nil)
+
+
+        expect(@posix).to receive(:search_posix_field).with(:passwd, :uid, "asdf").and_return(100)
+        expect(@posix.uid("asdf")).to eq(100)
+      end
+
       it "should use :search_posix_field if the discovered name does not match the passed-in name" do
         expect(@posix).to receive(:get_posix_field).with(:passwd, :uid, "asdf").and_return(100)
         expect(@posix).to receive(:get_posix_field).with(:passwd, :name, 100).and_return("boo")

data/spec/unit/util/selinux_spec.rb

@@ -111,15 +111,19 @@ describe Puppet::Util::SELinux do
     end
 
     it "should return a context" do
-      expect(self).to receive(:selinux_support?).and_return(true)
-      expect(Selinux).to receive(:lgetfilecon).with("/foo").and_return([0, "user_u:role_r:type_t:s0"])
-      expect(get_selinux_current_context("/foo")).to eq("user_u:role_r:type_t:s0")
+      without_partial_double_verification do
+        expect(self).to receive(:selinux_support?).and_return(true)
+        expect(Selinux).to receive(:lgetfilecon).with("/foo").and_return([0, "user_u:role_r:type_t:s0"])
+        expect(get_selinux_current_context("/foo")).to eq("user_u:role_r:type_t:s0")
+      end
     end
 
     it "should return nil if lgetfilecon fails" do
-      expect(self).to receive(:selinux_support?).and_return(true)
-      expect(Selinux).to receive(:lgetfilecon).with("/foo").and_return(-1)
-      expect(get_selinux_current_context("/foo")).to be_nil
+      without_partial_double_verification do
+        expect(self).to receive(:selinux_support?).and_return(true)
+        expect(Selinux).to receive(:lgetfilecon).with("/foo").and_return(-1)
+        expect(get_selinux_current_context("/foo")).to be_nil
+      end
     end
   end
 
@@ -130,47 +134,57 @@ describe Puppet::Util::SELinux do
     end
 
     it "should return a context if a default context exists" do
-      expect(self).to receive(:selinux_support?).and_return(true)
-      fstat = double('File::Stat', :mode => 0)
-      expect(Puppet::FileSystem).to receive(:lstat).with('/foo').and_return(fstat)
-      expect(self).to receive(:find_fs).with("/foo").and_return("ext3")
-      expect(Selinux).to receive(:matchpathcon).with("/foo", 0).and_return([0, "user_u:role_r:type_t:s0"])
-
-      expect(get_selinux_default_context("/foo")).to eq("user_u:role_r:type_t:s0")
+      without_partial_double_verification do
+        expect(self).to receive(:selinux_support?).and_return(true)
+        fstat = double('File::Stat', :mode => 0)
+        expect(Puppet::FileSystem).to receive(:lstat).with('/foo').and_return(fstat)
+        expect(self).to receive(:find_fs).with("/foo").and_return("ext3")
+        expect(Selinux).to receive(:matchpathcon).with("/foo", 0).and_return([0, "user_u:role_r:type_t:s0"])
+
+        expect(get_selinux_default_context("/foo")).to eq("user_u:role_r:type_t:s0")
+      end
     end
 
     it "handles permission denied errors by issuing a warning" do
-      allow(self).to receive(:selinux_support?).and_return(true)
-      allow(self).to receive(:selinux_label_support?).and_return(true)
-      allow(Selinux).to receive(:matchpathcon).with("/root/chuj", 0).and_return(-1)
-      allow(self).to receive(:file_lstat).with("/root/chuj").and_raise(Errno::EACCES, "/root/chuj")
+      without_partial_double_verification do
+        allow(self).to receive(:selinux_support?).and_return(true)
+        allow(self).to receive(:selinux_label_support?).and_return(true)
+        allow(Selinux).to receive(:matchpathcon).with("/root/chuj", 0).and_return(-1)
+        allow(self).to receive(:file_lstat).with("/root/chuj").and_raise(Errno::EACCES, "/root/chuj")
 
-      expect(get_selinux_default_context("/root/chuj")).to be_nil
+        expect(get_selinux_default_context("/root/chuj")).to be_nil
+      end
     end
 
     it "handles no such file or directory errors by issuing a warning" do
-      allow(self).to receive(:selinux_support?).and_return(true)
-      allow(self).to receive(:selinux_label_support?).and_return(true)
-      allow(Selinux).to receive(:matchpathcon).with("/root/chuj", 0).and_return(-1)
-      allow(self).to receive(:file_lstat).with("/root/chuj").and_raise(Errno::ENOENT, "/root/chuj")
+      without_partial_double_verification do
+        allow(self).to receive(:selinux_support?).and_return(true)
+        allow(self).to receive(:selinux_label_support?).and_return(true)
+        allow(Selinux).to receive(:matchpathcon).with("/root/chuj", 0).and_return(-1)
+        allow(self).to receive(:file_lstat).with("/root/chuj").and_raise(Errno::ENOENT, "/root/chuj")
 
-      expect(get_selinux_default_context("/root/chuj")).to be_nil
+        expect(get_selinux_default_context("/root/chuj")).to be_nil
+      end
     end
 
     it "should return nil if matchpathcon returns failure" do
-      expect(self).to receive(:selinux_support?).and_return(true)
-      fstat = double('File::Stat', :mode => 0)
-      expect(Puppet::FileSystem).to receive(:lstat).with('/foo').and_return(fstat)
-      expect(self).to receive(:find_fs).with("/foo").and_return("ext3")
-      expect(Selinux).to receive(:matchpathcon).with("/foo", 0).and_return(-1)
-
-      expect(get_selinux_default_context("/foo")).to be_nil
+      without_partial_double_verification do
+        expect(self).to receive(:selinux_support?).and_return(true)
+        fstat = double('File::Stat', :mode => 0)
+        expect(Puppet::FileSystem).to receive(:lstat).with('/foo').and_return(fstat)
+        expect(self).to receive(:find_fs).with("/foo").and_return("ext3")
+        expect(Selinux).to receive(:matchpathcon).with("/foo", 0).and_return(-1)
+
+        expect(get_selinux_default_context("/foo")).to be_nil
+      end
     end
 
     it "should return nil if selinux_label_support returns false" do
-      expect(self).to receive(:selinux_support?).and_return(true)
-      expect(self).to receive(:find_fs).with("/foo").and_return("nfs")
-      expect(get_selinux_default_context("/foo")).to be_nil
+      without_partial_double_verification do
+        expect(self).to receive(:selinux_support?).and_return(true)
+        expect(self).to receive(:find_fs).with("/foo").and_return("nfs")
+        expect(get_selinux_default_context("/foo")).to be_nil
+      end
     end
   end
 
@@ -261,37 +275,47 @@ describe Puppet::Util::SELinux do
     end
 
     it "should use lsetfilecon to set a context" do
-      expect(self).to receive(:selinux_support?).and_return(true)
-      expect(Selinux).to receive(:lsetfilecon).with("/foo", "user_u:role_r:type_t:s0").and_return(0)
-      expect(set_selinux_context("/foo", "user_u:role_r:type_t:s0")).to be_truthy
+      without_partial_double_verification do
+        expect(self).to receive(:selinux_support?).and_return(true)
+        expect(Selinux).to receive(:lsetfilecon).with("/foo", "user_u:role_r:type_t:s0").and_return(0)
+        expect(set_selinux_context("/foo", "user_u:role_r:type_t:s0")).to be_truthy
+      end
     end
 
     it "should use lsetfilecon to set user_u user context" do
-      expect(self).to receive(:selinux_support?).and_return(true)
-      expect(Selinux).to receive(:lgetfilecon).with("/foo").and_return([0, "foo:role_r:type_t:s0"])
-      expect(Selinux).to receive(:lsetfilecon).with("/foo", "user_u:role_r:type_t:s0").and_return(0)
-      expect(set_selinux_context("/foo", "user_u", :seluser)).to be_truthy
+      without_partial_double_verification do
+        expect(self).to receive(:selinux_support?).and_return(true)
+        expect(Selinux).to receive(:lgetfilecon).with("/foo").and_return([0, "foo:role_r:type_t:s0"])
+        expect(Selinux).to receive(:lsetfilecon).with("/foo", "user_u:role_r:type_t:s0").and_return(0)
+        expect(set_selinux_context("/foo", "user_u", :seluser)).to be_truthy
+      end
     end
 
     it "should use lsetfilecon to set role_r role context" do
-      expect(self).to receive(:selinux_support?).and_return(true)
-      expect(Selinux).to receive(:lgetfilecon).with("/foo").and_return([0, "user_u:foo:type_t:s0"])
-      expect(Selinux).to receive(:lsetfilecon).with("/foo", "user_u:role_r:type_t:s0").and_return(0)
-      expect(set_selinux_context("/foo", "role_r", :selrole)).to be_truthy
+      without_partial_double_verification do
+        expect(self).to receive(:selinux_support?).and_return(true)
+        expect(Selinux).to receive(:lgetfilecon).with("/foo").and_return([0, "user_u:foo:type_t:s0"])
+        expect(Selinux).to receive(:lsetfilecon).with("/foo", "user_u:role_r:type_t:s0").and_return(0)
+        expect(set_selinux_context("/foo", "role_r", :selrole)).to be_truthy
+      end
     end
 
     it "should use lsetfilecon to set type_t type context" do
-      expect(self).to receive(:selinux_support?).and_return(true)
-      expect(Selinux).to receive(:lgetfilecon).with("/foo").and_return([0, "user_u:role_r:foo:s0"])
-      expect(Selinux).to receive(:lsetfilecon).with("/foo", "user_u:role_r:type_t:s0").and_return(0)
-      expect(set_selinux_context("/foo", "type_t", :seltype)).to be_truthy
+      without_partial_double_verification do
+        expect(self).to receive(:selinux_support?).and_return(true)
+        expect(Selinux).to receive(:lgetfilecon).with("/foo").and_return([0, "user_u:role_r:foo:s0"])
+        expect(Selinux).to receive(:lsetfilecon).with("/foo", "user_u:role_r:type_t:s0").and_return(0)
+        expect(set_selinux_context("/foo", "type_t", :seltype)).to be_truthy
+      end
     end
 
     it "should use lsetfilecon to set s0:c3,c5 range context" do
-      expect(self).to receive(:selinux_support?).and_return(true)
-      expect(Selinux).to receive(:lgetfilecon).with("/foo").and_return([0, "user_u:role_r:type_t:s0"])
-      expect(Selinux).to receive(:lsetfilecon).with("/foo", "user_u:role_r:type_t:s0:c3,c5").and_return(0)
-      expect(set_selinux_context("/foo", "s0:c3,c5", :selrange)).to be_truthy
+      without_partial_double_verification do
+        expect(self).to receive(:selinux_support?).and_return(true)
+        expect(Selinux).to receive(:lgetfilecon).with("/foo").and_return([0, "user_u:role_r:type_t:s0"])
+        expect(Selinux).to receive(:lsetfilecon).with("/foo", "user_u:role_r:type_t:s0:c3,c5").and_return(0)
+        expect(set_selinux_context("/foo", "s0:c3,c5", :selrange)).to be_truthy
+      end
     end
   end