puppet 7.15.0-x86-mingw32 → 7.18.0-x86-mingw32

data/spec/unit/agent_spec.rb

@@ -36,6 +36,10 @@ describe Puppet::Agent do
         end
       end
     end
+
+    ssl_context = Puppet::SSL::SSLContext.new
+    machine = instance_double("Puppet::SSL::StateMachine", ensure_client_certificate: ssl_context)
+    allow(Puppet::SSL::StateMachine).to receive(:new).and_return(machine)
   end
 
   after do
@@ -97,6 +101,8 @@ describe Puppet::Agent do
     end
 
     it "should splay" do
+      Puppet[:splay] = true
+
       expect(@agent).to receive(:splay)
 
       @agent.run
@@ -179,6 +185,26 @@ describe Puppet::Agent do
       expect(@agent.run).to eq(:result)
     end
 
+    it "should check if it's disabled after splaying and log a message" do
+      Puppet[:splay] = true
+      Puppet[:splaylimit] = '5s'
+      Puppet[:onetime] = true
+
+      expect(@agent).to receive(:disabled?).and_return(false, true)
+
+      allow(Puppet).to receive(:notice).and_call_original
+      expect(Puppet).to receive(:notice).with(/Skipping run of .*; administratively disabled.*/)
+      @agent.run
+    end
+
+    it "should check if it's disabled after acquiring the lock and log a message" do
+      expect(@agent).to receive(:disabled?).and_return(false, true)
+
+      allow(Puppet).to receive(:notice).and_call_original
+      expect(Puppet).to receive(:notice).with(/Skipping run of .*; administratively disabled.*/)
+      @agent.run
+    end
+
     describe "and a puppet agent is already running" do
       before(:each) do
         allow_any_instance_of(Object).to receive(:sleep)
@@ -195,7 +221,7 @@ describe Puppet::Agent do
         @agent.run
       end
 
-      it "should inform that a run is already in progres and try to run every X seconds if waitforlock is used" do
+      it "should inform that a run is already in progress and try to run every X seconds if waitforlock is used" do
         # so the locked file exists
         allow(File).to receive(:file?).and_return(true)
         # so we don't have to wait again for the run to exit (default maxwaitforcert is 60)
@@ -224,7 +250,7 @@ describe Puppet::Agent do
         @agent.run
       end
     end
-    
+
     describe "when should_fork is true", :if => Puppet.features.posix? && RUBY_PLATFORM != 'java' do
       before do
         @agent = Puppet::Agent.new(AgentTestClient, true)

data/spec/unit/application/agent_spec.rb

@@ -4,6 +4,11 @@ require 'puppet/agent'
 require 'puppet/application/agent'
 require 'puppet/daemon'
 
+class TestAgentClientClass
+  def initialize(transaction_uuid = nil, job_id = nil); end
+  def run(options = {}); end
+end
+
 describe Puppet::Application::Agent do
   include PuppetSpec::Files
 
@@ -12,13 +17,20 @@ describe Puppet::Application::Agent do
   before :each do
     @puppetd = Puppet::Application[:agent]
 
-    @agent = double('agent')
+    @client = TestAgentClientClass.new
+    allow(TestAgentClientClass).to receive(:new).and_return(@client)
+
+    @agent = Puppet::Agent.new(TestAgentClientClass, false)
     allow(Puppet::Agent).to receive(:new).and_return(@agent)
 
-    @daemon = Puppet::Daemon.new(@agent, nil)
+    Puppet[:pidfile] = tmpfile('pidfile')
+    @daemon = Puppet::Daemon.new(@agent, Puppet::Util::Pidlock.new(Puppet[:pidfile]))
     allow(@daemon).to receive(:daemonize)
-    allow(@daemon).to receive(:start)
     allow(@daemon).to receive(:stop)
+    # simulate one run so we don't infinite looptwo runs of the agent, then return so we don't infinite loop
+    allow(@daemon).to receive(:run_event_loop) do
+      @agent.run(splay: false)
+    end
     allow(Puppet::Daemon).to receive(:new).and_return(@daemon)
     Puppet[:daemonize] = false
 
@@ -92,10 +104,6 @@ describe Puppet::Application::Agent do
   end
 
   describe "when handling options" do
-    before do
-      allow(@puppetd.command_line).to receive(:args).and_return([])
-    end
-
     [:enable, :debug, :fqdn, :test, :verbose, :digest].each do |option|
       it "should declare handle_#{option} method" do
         expect(@puppetd).to respond_to("handle_#{option}".to_sym)
@@ -127,32 +135,34 @@ describe Puppet::Application::Agent do
     end
 
     it "should set waitforcert to 0 with --onetime and if --waitforcert wasn't given" do
-      allow(@agent).to receive(:run).and_return(2)
+      allow(@client).to receive(:run).and_return(2)
       Puppet[:onetime] = true
 
-      expect(Puppet::SSL::StateMachine).to receive(:new).with(waitforcert: 0).and_return(machine)
+      expect(Puppet::SSL::StateMachine).to receive(:new).with(hash_including(waitforcert: 0)).and_return(machine)
 
       expect { execute_agent }.to exit_with 0
     end
 
     it "should use supplied waitforcert when --onetime is specified" do
-      allow(@agent).to receive(:run).and_return(2)
+      allow(@client).to receive(:run).and_return(2)
       Puppet[:onetime] = true
       @puppetd.handle_waitforcert(60)
 
-      expect(Puppet::SSL::StateMachine).to receive(:new).with(waitforcert: 60).and_return(machine)
+      expect(Puppet::SSL::StateMachine).to receive(:new).with(hash_including(waitforcert: 60)).and_return(machine)
 
       expect { execute_agent }.to exit_with 0
     end
 
     it "should use a default value for waitforcert when --onetime and --waitforcert are not specified" do
-      expect(Puppet::SSL::StateMachine).to receive(:new).with(waitforcert: 120).and_return(machine)
+      allow(@client).to receive(:run).and_return(2)
+
+      expect(Puppet::SSL::StateMachine).to receive(:new).with(hash_including(waitforcert: 120)).and_return(machine)
 
       execute_agent
     end
 
     it "should register ssl OIDs" do
-      expect(Puppet::SSL::StateMachine).to receive(:new).with(waitforcert: 120).and_return(double(ensure_client_certificate: nil))
+      expect(Puppet::SSL::StateMachine).to receive(:new).with(hash_including(waitforcert: 120)).and_return(machine)
       expect(Puppet::SSL::Oids).to receive(:register_puppet_oids)
 
       execute_agent
@@ -161,7 +171,7 @@ describe Puppet::Application::Agent do
     it "should use the waitforcert setting when checking for a signed certificate" do
       Puppet[:waitforcert] = 10
 
-      expect(Puppet::SSL::StateMachine).to receive(:new).with(waitforcert: 10).and_return(machine)
+      expect(Puppet::SSL::StateMachine).to receive(:new).with(hash_including(waitforcert: 10)).and_return(machine)
 
       execute_agent
     end
@@ -413,9 +423,9 @@ describe Puppet::Application::Agent do
     end
 
     it "should wait for a certificate" do
-      @puppetd.options[:waitforcert] = 123
+      Puppet[:waitforcert] = 123
 
-      expect(Puppet::SSL::StateMachine).to receive(:new).with(waitforcert: 123).and_return(machine)
+      expect(Puppet::SSL::StateMachine).to receive(:new).with(hash_including(waitforcert: 123)).and_return(machine)
 
       execute_agent
     end

data/spec/unit/daemon_spec.rb

@@ -1,6 +1,7 @@
 require 'spec_helper'
 require 'puppet/daemon'
 require 'puppet/agent'
+require 'puppet/configurer'
 
 def without_warnings
   flag = $VERBOSE
@@ -9,12 +10,6 @@ def without_warnings
   $VERBOSE = flag
 end
 
-class TestClient
-  def lockfile_path
-    "/dev/null"
-  end
-end
-
 describe Puppet::Daemon, :unless => Puppet::Util::Platform.windows? do
   include PuppetSpec::Files
 
@@ -26,7 +21,7 @@ describe Puppet::Daemon, :unless => Puppet::Util::Platform.windows? do
     end
   end
 
-  let(:agent) { Puppet::Agent.new(TestClient.new, false) }
+  let(:agent) { Puppet::Agent.new(Puppet::Configurer, false) }
   let(:server) { double("Server", :start => nil, :wait_for_shutdown => nil) }
 
   let(:pidfile) { double("PidFile", :lock => true, :unlock => true, :file_path => 'fake.pid') }
@@ -131,10 +126,6 @@ describe Puppet::Daemon, :unless => Puppet::Util::Platform.windows? do
   end
 
   describe "when reloading" do
-    it "should do nothing if no agent is configured" do
-      daemon.reload
-    end
-
     it "should do nothing if the agent is running" do
       expect(agent).to receive(:run).with({:splay => false}).and_raise(Puppet::LockError, 'Failed to aquire lock')
       expect(Puppet).to receive(:notice).with('Not triggering already-running agent')

data/spec/unit/http/client_spec.rb

@@ -120,6 +120,24 @@ describe Puppet::HTTP::Client do
 
       client.close
     end
+
+    it 'reloads the default ssl context' do
+      expect(client.pool).to receive(:with_connection) do |_, verifier|
+        expect(verifier.ssl_context).to_not equal(puppet_context)
+      end
+
+      client.close
+      client.connect(uri)
+    end
+
+    it 'reloads the default system ssl context' do
+      expect(client.pool).to receive(:with_connection) do |_, verifier|
+        expect(verifier.ssl_context).to_not equal(system_context)
+      end
+
+      client.close
+      client.connect(uri, options: {include_system_store: true})
+    end
   end
 
   context "for GET requests" do

data/spec/unit/info_service_spec.rb

@@ -11,6 +11,9 @@ describe "Puppet::InfoService" do
 
   context 'task information service' do
     let(:mod_name) { 'test1' }
+    let(:metadata) {
+      { "private" => true,
+        "description" => "a task that does a thing" } }
     let(:task_name) { "#{mod_name}::thingtask" }
     let(:modpath) { tmpdir('modpath') }
     let(:env_name) { 'testing' }
@@ -20,8 +23,13 @@ describe "Puppet::InfoService" do
     context 'tasks_per_environment method' do
       it "returns task data for the tasks in an environment" do
         Puppet.override(:environments => env_loader) do
-          PuppetSpec::Modules.create(mod_name, modpath, {:environment => env, :tasks => [['thingtask']]})
-          expect(Puppet::InfoService.tasks_per_environment(env_name)).to eq([{:name => task_name, :module => {:name => mod_name}}])
+          PuppetSpec::Modules.create(mod_name, modpath, {:environment => env,
+                                                         :tasks => [['thingtask',
+                                                                     {:name => 'thingtask.json',
+                                                                      :content => metadata.to_json}]]})
+          expect(Puppet::InfoService.tasks_per_environment(env_name)).to eq([{:name => task_name,
+                                                                              :module => {:name => mod_name},
+                                                                              :metadata => metadata}  ])
         end
       end
 
@@ -207,7 +215,7 @@ describe "Puppet::InfoService" do
       end
     end
   end
-  
+
   context 'plan information service' do
     let(:mod_name) { 'test1' }
     let(:plan_name) { "#{mod_name}::thingplan" }

data/spec/unit/pops/evaluator/deferred_resolver_spec.rb

@@ -17,4 +17,30 @@ describe Puppet::Pops::Evaluator::DeferredResolver do
 
     expect(catalog.resource(:notify, 'deferred')[:message]).to eq('1:2:3')
   end
+
+  it 'lazily resolves deferred values in a catalog' do
+    catalog = compile_to_catalog(<<~END)
+      notify { "deferred":
+        message => Deferred("join", [[1,2,3], ":"])
+      }
+    END
+    described_class.resolve_and_replace(facts, catalog, environment, false)
+
+    deferred = catalog.resource(:notify, 'deferred')[:message]
+    expect(deferred.resolve).to eq('1:2:3')
+  end
+
+  it 'lazily resolves nested deferred values in a catalog' do
+    catalog = compile_to_catalog(<<~END)
+      $args = Deferred("inline_epp", ["<%= 'a,b,c' %>"])
+      notify { "deferred":
+        message => Deferred("split", [$args, ","])
+      }
+    END
+    described_class.resolve_and_replace(facts, catalog, environment, false)
+
+    deferred = catalog.resource(:notify, 'deferred')[:message]
+    expect(deferred.resolve).to eq(["a", "b", "c"])
+  end
+
 end

data/spec/unit/pops/loaders/loaders_spec.rb

@@ -606,7 +606,7 @@ describe 'loaders' do
     it "an illegal function is loaded" do
       expect {
         loader.load_typed(typed_name(:function, 'bad_func_load3')).value
-      }.to raise_error(SecurityError, /Illegal method definition of method 'bad_func_load3_illegal_method' on line 8 in legacy function/)
+      }.to raise_error(SecurityError, /Illegal method definition of method 'bad_func_load3_illegal_method' in source .*bad_func_load3.rb on line 8 in legacy function/)
     end
   end
 

data/spec/unit/pops/types/type_mismatch_describer_spec.rb

@@ -1,12 +1,178 @@
 require 'spec_helper'
 require 'puppet/pops'
 require 'puppet_spec/compiler'
+require 'puppet_spec/files'
+require 'puppet/loaders'
 
 module Puppet::Pops
 module Types
 
 describe 'the type mismatch describer' do
-  include PuppetSpec::Compiler
+  include PuppetSpec::Compiler, PuppetSpec::Files
+
+  context 'with deferred functions' do
+    let(:env_name) { 'spec' }
+    let(:code_dir) { Puppet[:environmentpath] }
+    let(:env_dir) { File.join(code_dir, env_name) }
+    let(:env) { Puppet::Node::Environment.create(env_name.to_sym, [File.join(populated_code_dir, env_name, 'modules')]) }
+    let(:node) { Puppet::Node.new('fooname', environment: env) }
+    let(:populated_code_dir) do
+      dir_contained_in(code_dir, env_name => env_content)
+      PuppetSpec::Files.record_tmp(env_dir)
+      code_dir
+    end
+
+    let(:env_content) {
+      {
+        'lib' => {
+          'puppet' => {
+            'functions' => {
+              'string_return.rb' => <<-RUBY.unindent,
+              Puppet::Functions.create_function(:string_return) do
+                dispatch :string_return do
+                  param 'String', :arg1
+                  return_type 'String'
+                end
+                def string_return(arg1)
+                  arg1
+                end
+              end
+              RUBY
+              'variant_return.rb' => <<-RUBY.unindent,
+              Puppet::Functions.create_function(:variant_return) do
+                dispatch :variant_return do
+                  param 'String', :arg1
+                  return_type 'Variant[Integer,Float]'
+                end
+                def variant_return(arg1)
+                  arg1
+                end
+              end
+              RUBY
+              'no_return.rb' => <<-RUBY.unindent,
+              Puppet::Functions.create_function(:no_return) do
+                dispatch :no_return do
+                  param 'String', :arg1
+                end
+                def variant_return(arg1)
+                  arg1
+                end
+              end
+              RUBY
+            }
+          }
+        }
+      }
+    }
+
+    before(:each) do
+      Puppet.push_context(:loaders => Puppet::Pops::Loaders.new(env))
+    end
+
+    after(:each) do
+      Puppet.pop_context
+    end
+
+    it 'will compile when the parameter type matches the function return_type' do
+      code = <<-CODE
+        $d = Deferred("string_return", ['/a/non/existing/path'])
+        class testclass(String $classparam) {
+        }
+        class { 'testclass':
+          classparam => $d
+        }
+      CODE
+      expect { eval_and_collect_notices(code, node) }.to_not raise_error
+    end
+
+    it "will compile when a Variant parameter's types matches the return type" do
+      code = <<-CODE
+        $d = Deferred("string_return", ['/a/non/existing/path'])
+        class testclass(Variant[String, Float] $classparam) {
+        }
+        class { 'testclass':
+          classparam => $d
+        }
+      CODE
+      expect { eval_and_collect_notices(code, node) }.to_not raise_error
+    end
+
+    it "will compile with a union of a Variant parameters' types and Variant return types" do
+      code = <<-CODE
+        $d = Deferred("variant_return", ['/a/non/existing/path'])
+        class testclass(Variant[Any,Float] $classparam) {
+        }
+        class { 'testclass':
+          classparam => $d
+        }
+      CODE
+      expect { eval_and_collect_notices(code, node) }.to_not raise_error
+    end
+
+    it 'will warn when there is no defined return_type for the function definition' do
+      code = <<-CODE
+        $d = Deferred("no_return", ['/a/non/existing/path'])
+        class testclass(Variant[String,Boolean] $classparam) {
+        }
+        class { 'testclass':
+          classparam => $d
+        }
+      CODE
+      expect(Puppet).to receive(:warn_once).with(anything, anything, /.+function no_return has no return_type/).at_least(:once)
+      expect { eval_and_collect_notices(code, node) }.to_not raise_error
+    end
+
+    it 'will report a mismatch between a deferred function return type and class parameter value' do
+      code = <<-CODE
+        $d = Deferred("string_return", ['/a/non/existing/path'])
+        class testclass(Integer $classparam) {
+        }
+        class { 'testclass':
+          classparam => $d
+        }
+      CODE
+      expect { eval_and_collect_notices(code, node) }.to raise_error(Puppet::Error, /.+'classparam' expects an Integer value, got String/)
+    end
+
+    it 'will report an argument error when no matching arity is found' do
+      code = <<-CODE
+        $d = Deferred("string_return", ['/a/non/existing/path', 'second-invalid-arg'])
+        class testclass(Integer $classparam) {
+        }
+        class { 'testclass':
+          classparam => $d
+        }
+      CODE
+      expect { eval_and_collect_notices(code,node) }.to raise_error(Puppet::Error, /.+ No matching arity found for string_return/)
+    end
+
+    it 'will error with no matching Variant class parameters and return_type' do
+      code = <<-CODE
+        $d = Deferred("string_return", ['/a/non/existing/path'])
+        class testclass(Variant[Integer,Float] $classparam) {
+        }
+        class { 'testclass':
+          classparam => $d
+        }
+      CODE
+      expect { eval_and_collect_notices(code,node) }.to raise_error(Puppet::Error, /.+'classparam' expects a value of type Integer or Float, got String/)
+    end
+
+    # This test exposes a shortcoming in the #message function for Puppet::Pops::Type::TypeMismatch
+    # where the `actual` is not introspected for the list of Variant types, so the error message
+    # shows that the list of expected types does not match Variant, instead of a list of actual types.
+    it 'will error with no matching Variant class parameters and Variant return_type' do
+      code = <<-CODE
+        $d = Deferred("variant_return", ['/a/non/existing/path'])
+        class testclass(Variant[String,Boolean] $classparam) {
+        }
+        class { 'testclass':
+          classparam => $d
+        }
+      CODE
+      expect { eval_and_collect_notices(code, node) }.to raise_error(Puppet::Error, /.+'classparam' expects a value of type String or Boolean, got Variant/)
+    end
+  end
 
   it 'will report a mismatch between a hash and a struct with details' do
     code = <<-CODE

data/spec/unit/provider/package/puppetserver_gem_spec.rb

@@ -105,9 +105,9 @@ describe Puppet::Type.type(:package).provider(:puppetserver_gem) do
 
   describe ".gemlist" do
     context "listing installed packages" do
-      it "uses the puppet rubygems library to list local gems" do
+      it "uses the puppet_gem provider_command to list local gems" do
         expected = { name: 'world_airports', provider: :puppetserver_gem, ensure: ['1.1.3'] }
-        expect(described_class).to receive(:execute_rubygems_list_command).with(nil).and_return(File.read(my_fixture('gem-list-local-packages')))
+        expect(described_class).to receive(:execute_rubygems_list_command).with(['gem', 'list', '--local']).and_return(File.read(my_fixture('gem-list-local-packages')))
         expect(described_class.gemlist({ local: true })).to include(expected)
       end
     end

data/spec/unit/provider/user/directoryservice_spec.rb

@@ -840,7 +840,7 @@ end
         expect(provider.class.get_salted_sha512_pbkdf2('iterations', pbkdf2_embedded_bplist_hash)).to be_a(Integer)
     end
     it "should raise an error if a field other than 'entropy', 'salt', or 'iterations' is passed" do
-      expect { provider.class.get_salted_sha512_pbkdf2('othervalue', pbkdf2_embedded_bplist_hash) }.to raise_error(Puppet::Error, /Puppet has tried to read an incorrect value from the SALTED-SHA512-PBKDF2 hash. Acceptable fields are 'salt', 'entropy', or 'iterations'/)
+      expect { provider.class.get_salted_sha512_pbkdf2('othervalue', pbkdf2_embedded_bplist_hash, 'test_user') }.to raise_error(Puppet::Error, /Puppet has tried to read an incorrect value from the user test_user in the SALTED-SHA512-PBKDF2 hash. Acceptable fields are 'salt', 'entropy', or 'iterations'/)
     end
   end
 

data/spec/unit/ssl/ssl_provider_spec.rb

@@ -113,12 +113,21 @@ describe Puppet::SSL::SSLProvider do
       }.to raise_error(/can't modify frozen/)
     end
 
-    it 'trusts system ca store' do
+    it 'trusts system ca store by default' do
       expect_any_instance_of(OpenSSL::X509::Store).to receive(:set_default_paths)
 
       subject.create_system_context(cacerts: [])
     end
 
+    it 'trusts an external ca store' do
+      path = tmpfile('system_cacerts')
+      File.write(path, cert_fixture('ca.pem').to_pem)
+
+      expect_any_instance_of(OpenSSL::X509::Store).to receive(:add_file).with(path)
+
+      subject.create_system_context(cacerts: [], path: path)
+    end
+
     it 'verifies peer' do
       sslctx = subject.create_system_context(cacerts: [])
       expect(sslctx.verify_peer).to eq(true)
@@ -135,6 +144,47 @@ describe Puppet::SSL::SSLProvider do
       expect(sslctx.private_key).to be_nil
     end
 
+    it 'includes the client cert and private key when requested' do
+      Puppet[:hostcert] = fixtures('ssl/signed.pem')
+      Puppet[:hostprivkey] = fixtures('ssl/signed-key.pem')
+      sslctx = subject.create_system_context(cacerts: [], include_client_cert: true)
+      expect(sslctx.client_cert).to be_an(OpenSSL::X509::Certificate)
+      expect(sslctx.private_key).to be_an(OpenSSL::PKey::RSA)
+    end
+
+    it 'ignores non-existent client cert and private key when requested' do
+      Puppet[:certname] = 'doesnotexist'
+      sslctx = subject.create_system_context(cacerts: [], include_client_cert: true)
+      expect(sslctx.client_cert).to be_nil
+      expect(sslctx.private_key).to be_nil
+    end
+
+    it 'warns if the client cert does not exist' do
+      Puppet[:certname] = 'missingcert'
+      Puppet[:hostprivkey] = fixtures('ssl/signed-key.pem')
+
+      expect(Puppet).to receive(:warning).with("Client certificate for 'missingcert' does not exist")
+      subject.create_system_context(cacerts: [], include_client_cert: true)
+    end
+
+    it 'warns if the private key does not exist' do
+      Puppet[:certname] = 'missingkey'
+      Puppet[:hostcert] = fixtures('ssl/signed.pem')
+
+      expect(Puppet).to receive(:warning).with("Private key for 'missingkey' does not exist")
+      subject.create_system_context(cacerts: [], include_client_cert: true)
+    end
+
+    it 'raises if client cert and private key are mismatched' do
+      Puppet[:hostcert] = fixtures('ssl/signed.pem')
+      Puppet[:hostprivkey] = fixtures('ssl/127.0.0.1-key.pem')
+
+      expect {
+        subject.create_system_context(cacerts: [], include_client_cert: true)
+      }.to raise_error(Puppet::SSL::SSLError,
+        "The certificate for 'CN=signed' does not match its private key")
+    end
+
     it 'trusts additional system certs' do
       path = tmpfile('system_cacerts')
       File.write(path, cert_fixture('ca.pem').to_pem)
@@ -448,6 +498,18 @@ describe Puppet::SSL::SSLProvider do
       sslctx = subject.create_context(**config)
       expect(sslctx.verify_peer).to eq(true)
     end
+
+    it 'does not trust the system ca store by default' do
+      expect_any_instance_of(OpenSSL::X509::Store).to receive(:set_default_paths).never
+
+      subject.create_context(**config)
+    end
+
+    it 'trusts the system ca store' do
+      expect_any_instance_of(OpenSSL::X509::Store).to receive(:set_default_paths)
+
+      subject.create_context(**config.merge(include_system_store: true))
+    end
   end
 
   context 'when loading an ssl context' do
@@ -530,6 +592,18 @@ describe Puppet::SSL::SSLProvider do
         }.to raise_error(Puppet::SSL::SSLError, /Failed to load private key for host 'signed': Could not parse PKey/)
       end
     end
+
+    it 'does not trust the system ca store by default' do
+      expect_any_instance_of(OpenSSL::X509::Store).to receive(:set_default_paths).never
+
+      subject.load_context
+    end
+
+    it 'trusts the system ca store' do
+      expect_any_instance_of(OpenSSL::X509::Store).to receive(:set_default_paths)
+
+      subject.load_context(include_system_store: true)
+    end
   end
 
   context 'when verifying requests' do

data/spec/unit/ssl/state_machine_spec.rb

@@ -27,6 +27,7 @@ describe Puppet::SSL::StateMachine, unless: Puppet::Util::Platform.jruby? do
   let(:refused_message) { %r{Connection refused|No connection could be made because the target machine actively refused it} }
 
   before(:each) do
+    Puppet[:daemonize] = false
     Puppet[:ssl_lockfile] = tmpfile('ssllock')
     allow(Kernel).to receive(:sleep)
   end