puppet 8.1.0-x86-mingw32 → 8.3.1-x86-mingw32

data/spec/lib/puppet_spec/verbose.rb

@@ -1,4 +1,4 @@
-# Support code for running stuff with warnings disabled.
+# Support code for running stuff with warnings disabled or enabled
 module Kernel
   def with_verbose_disabled
     verbose, $VERBOSE = $VERBOSE, nil
@@ -6,4 +6,13 @@ module Kernel
     $VERBOSE = verbose
     return result
   end
+
+  def with_verbose_enabled
+    verbose, $VERBOSE = $VERBOSE, true
+    begin
+      yield
+    ensure
+      $VERBOSE = verbose
+    end
+  end
 end

data/spec/unit/agent_spec.rb

@@ -15,19 +15,12 @@ class AgentTestClient
   end
 end
 
-def without_warnings
-  flag = $VERBOSE
-  $VERBOSE = nil
-  yield
-  $VERBOSE = flag
-end
-
 describe Puppet::Agent do
   before do
     @agent = Puppet::Agent.new(AgentTestClient, false)
 
     # make Puppet::Application safe for stubbing; restore in an :after block; silence warnings for this.
-    without_warnings { Puppet::Application = Class.new(Puppet::Application) }
+    with_verbose_disabled { Puppet::Application = Class.new(Puppet::Application) }
     allow(Puppet::Application).to receive(:clear?).and_return(true)
     Puppet::Application.class_eval do
       class << self
@@ -44,7 +37,7 @@ describe Puppet::Agent do
 
   after do
     # restore Puppet::Application from stub-safe subclass, and silence warnings
-    without_warnings { Puppet::Application = Puppet::Application.superclass }
+    with_verbose_disabled { Puppet::Application = Puppet::Application.superclass }
   end
 
   it "should set its client class at initialization" do

data/spec/unit/application/ssl_spec.rb

@@ -171,6 +171,50 @@ describe Puppet::Application::Ssl, unless: Puppet::Util::Platform.jruby? do
     end
   end
 
+  context 'when generating a CSR' do
+    let(:csr_path) { Puppet[:hostcsr] }
+    let(:requestdir) { Puppet[:requestdir] }
+
+    before do
+      ssl.command_line.args << 'generate_request'
+    end
+
+    it 'generates an RSA private key' do
+      File.unlink(Puppet[:hostprivkey])
+
+      expects_command_to_pass(%r{Generated certificate request in '#{csr_path}'})
+    end
+
+    it 'generates an EC private key' do
+      Puppet[:key_type] = 'ec'
+      File.unlink(Puppet[:hostprivkey])
+
+      expects_command_to_pass(%r{Generated certificate request in '#{csr_path}'})
+    end
+
+    it 'registers OIDs' do
+      expect(Puppet::SSL::Oids).to receive(:register_puppet_oids)
+
+      expects_command_to_pass(%r{Generated certificate request in '#{csr_path}'})
+    end
+
+    it 'saves the CSR locally' do
+      expects_command_to_pass(%r{Generated certificate request in '#{csr_path}'})
+
+      expect(Puppet::FileSystem).to be_exist(csr_path)
+    end
+
+    it 'accepts dns alt names' do
+      Puppet[:dns_alt_names] = 'majortom'
+
+      expects_command_to_pass
+
+      csr = Puppet::SSL::CertificateRequest.new(name)
+      csr.read(csr_path)
+      expect(csr.subject_alt_names).to include('DNS:majortom')
+    end
+  end
+
   context 'when downloading a certificate' do
     before do
       ssl.command_line.args << 'download_cert'
@@ -347,6 +391,11 @@ describe Puppet::Application::Ssl, unless: Puppet::Util::Platform.jruby? do
       expects_command_to_fail(%r{Failed to connect to the CA to determine if certificate #{name} has been cleaned})
     end
 
+    it 'raises if we have extra args' do
+      ssl.command_line.args << 'hostname.example.biz'
+      expects_command_to_fail(/Extra arguments detected: hostname.example.biz/)
+    end
+
     context 'when deleting local CA' do
       before do
         ssl.command_line.args << '--localca'

data/spec/unit/defaults_spec.rb

@@ -3,46 +3,8 @@ require 'puppet/settings'
 
 describe "Defaults" do
   describe ".default_diffargs" do
-    describe "on AIX" do
-      before(:each) do
-        allow(Facter).to receive(:value).with(:kernel).and_return("AIX")
-      end
-
-      describe "on 5.3" do
-        before(:each) do
-          allow(Facter).to receive(:value).with(:kernelmajversion).and_return("5300")
-        end
-
-        it "should be empty" do
-          expect(Puppet.default_diffargs).to eq("")
-        end
-      end
-
-      [ "",
-        nil,
-        "6300",
-        "7300",
-      ].each do |kernel_version|
-        describe "on kernel version #{kernel_version.inspect}" do
-          before(:each) do
-            allow(Facter).to receive(:value).with(:kernelmajversion).and_return(kernel_version)
-          end
-
-          it "should be '-u'" do
-            expect(Puppet.default_diffargs).to eq("-u")
-          end
-        end
-      end
-    end
-
-    describe "on everything else" do
-      before(:each) do
-        allow(Facter).to receive(:value).with(:kernel).and_return("NOT_AIX")
-      end
-
-      it "should be '-u'" do
-        expect(Puppet.default_diffargs).to eq("-u")
-      end
+    it "should be '-u'" do
+      expect(Puppet.default_diffargs).to eq("-u")
     end
   end
 

data/spec/unit/file_system/path_pattern_spec.rb

@@ -1,6 +1,7 @@
 require 'spec_helper'
 require 'puppet_spec/files'
 require 'puppet/file_system'
+require 'puppet/util'
 
 describe Puppet::FileSystem::PathPattern do
   include PuppetSpec::Files
@@ -132,6 +133,20 @@ describe Puppet::FileSystem::PathPattern do
                                          File.join(dir, "found_two")])
   end
 
+  it 'globs wildcard patterns properly' do
+    # See PUP-11788 and https://github.com/jruby/jruby/issues/7836.
+    pending 'JRuby does not properly handle Dir.glob' if Puppet::Util::Platform.jruby?
+
+    dir = tmpdir('globtest')
+    create_file_in(dir, 'foo.pp')
+    create_file_in(dir, 'foo.pp.pp')
+
+    pattern = Puppet::FileSystem::PathPattern.absolute(File.join(dir, '**/*.pp'))
+
+    expect(pattern.glob).to match_array([File.join(dir, 'foo.pp'),
+                                         File.join(dir, 'foo.pp.pp')])
+  end
+
   def create_file_in(dir, name)
     File.open(File.join(dir, name), "w") { |f| f.puts "data" }
   end

data/spec/unit/functions/split_spec.rb

@@ -50,4 +50,10 @@ describe 'the split function' do
   it 'should handle pattern in Regexp Type form with missing regular expression' do
     expect(split('ab',type_parser.parse('Regexp'))).to eql(['a', 'b'])
   end
+
+  it 'should handle sensitive String' do
+    expect(split(Puppet::Pops::Types::PSensitiveType::Sensitive.new('a,b'), ',')).to be_a(Puppet::Pops::Types::PSensitiveType::Sensitive)
+    expect(split(Puppet::Pops::Types::PSensitiveType::Sensitive.new('a,b'), /,/)).to be_a(Puppet::Pops::Types::PSensitiveType::Sensitive)
+    expect(split(Puppet::Pops::Types::PSensitiveType::Sensitive.new('a,b'), type_parser.parse('Regexp[/,/]'))).to be_a(Puppet::Pops::Types::PSensitiveType::Sensitive)
+  end
 end

data/spec/unit/http/service/ca_spec.rb

@@ -207,4 +207,75 @@ describe Puppet::HTTP::Service::Ca do
       end
     end
   end
+
+  context 'when getting certificates' do
+    let(:cert) { cert_fixture('signed.pem') }
+    let(:pem) { cert.to_pem }
+    let(:url) { "https://www.example.com/puppet-ca/v1/certificate_renewal" }
+    let(:cert_context) { Puppet::SSL::SSLContext.new(client_cert: pem) }
+    let(:client) { Puppet::HTTP::Client.new(ssl_context: cert_context) }
+    let(:session) { Puppet::HTTP::Session.new(client, []) }
+    let(:subject) { client.create_session.route_to(:ca) }
+
+    it "gets a certificate from the 'certificate_renewal' endpoint" do
+      stub_request(:post, url).to_return(body: pem)
+
+      _, body = subject.post_certificate_renewal(cert_context)
+      expect(body).to eq(pem)
+    end
+
+    it 'returns the request response' do
+      stub_request(:post, url).to_return(body: 'pem')
+
+      resp, _ = subject.post_certificate_renewal(cert_context)
+      expect(resp).to be_a(Puppet::HTTP::Response)
+    end
+
+    it 'accepts text/plain responses' do
+      stub_request(:post, url).with(headers: {'Accept' => 'text/plain'})
+
+      subject.post_certificate_renewal(cert_context)
+    end
+
+    it 'raises an ArgumentError if the SSL context does not contain a client cert' do
+      stub_request(:post, url)
+      expect { subject.post_certificate_renewal(ssl_context) }.to raise_error(ArgumentError, 'SSL context must contain a client certificate.')
+    end
+
+    it 'raises response error if unsuccessful' do
+      stub_request(:post, url).to_return(status: [400, 'Bad Request'])
+
+      expect {
+        subject.post_certificate_renewal(cert_context)
+      }.to raise_error do |err|
+        expect(err).to be_an_instance_of(Puppet::HTTP::ResponseError)
+        expect(err.message).to eq('Bad Request')
+        expect(err.response.code).to eq(400)
+      end
+    end
+
+    it 'raises a response error if unsuccessful' do
+      stub_request(:post, url).to_return(status: [404, 'Not Found'])
+
+      expect {
+        subject.post_certificate_renewal(cert_context)
+      }.to raise_error do |err|
+        expect(err).to be_an_instance_of(Puppet::HTTP::ResponseError)
+        expect(err.message).to eq("Not Found")
+        expect(err.response.code).to eq(404)
+      end
+    end
+
+    it 'raises a response error if unsuccessful' do
+      stub_request(:post, url).to_return(status: [404, 'Forbidden'])
+
+      expect {
+        subject.post_certificate_renewal(cert_context)
+      }.to raise_error do |err|
+        expect(err).to be_an_instance_of(Puppet::HTTP::ResponseError)
+        expect(err.message).to eq("Forbidden")
+        expect(err.response.code).to eq(404)
+      end
+    end
+  end
 end

data/spec/unit/info_service_spec.rb

@@ -47,7 +47,7 @@ describe "Puppet::InfoService" do
                                                                              :content => metadata.to_json}]]})
           File.write("#{modpath}/#{mod_name}/tasks/atask.json", "NOT JSON")
 
-          expect(Puppet).to receive(:send_log).with(:err, 'Failed to validate task')
+          expect(Puppet).to receive(:send_log).with(:err, /unexpected token at 'NOT JSON'/)
 
           @tasks = Puppet::InfoService.tasks_per_environment(env_name)
           expect(@tasks.map{|t| t[:name]}).to contain_exactly('test1::btask', 'test1::ctask')

data/spec/unit/ssl/certificate_signer_spec.rb

@@ -0,0 +1,17 @@
+require 'spec_helper'
+
+describe Puppet::SSL::CertificateSigner do
+  include PuppetSpec::Files
+
+  let(:wrong_key) { OpenSSL::PKey::RSA.new(512) }
+  let(:client_cert) { cert_fixture('signed.pem') }
+
+  # jruby-openssl >= 0.13.0 (JRuby >= 9.3.5.0) raises an error when signing a
+  # certificate when there is a discrepancy between the certificate and key.
+  it 'raises if client cert signature is invalid', if: Puppet::Util::Platform.jruby? && RUBY_VERSION.to_f >= 2.6 do
+    expect {
+      client_cert.sign(wrong_key, OpenSSL::Digest::SHA256.new)
+    }.to raise_error(OpenSSL::X509::CertificateError,
+                     'invalid public key data')
+  end
+end

data/spec/unit/ssl/ssl_provider_spec.rb

@@ -338,7 +338,7 @@ describe Puppet::SSL::SSLProvider do
       end
     end
 
-    it 'raises if intermediate CA signature is invalid' do
+    it 'raises if intermediate CA signature is invalid', unless: Puppet::Util::Platform.jruby? && RUBY_VERSION.to_f >= 2.6 do
       int = global_cacerts.last
       int.public_key = wrong_key.public_key if Puppet::Util::Platform.jruby?
       int.sign(wrong_key, OpenSSL::Digest::SHA256.new)
@@ -634,4 +634,24 @@ describe Puppet::SSL::SSLProvider do
                        "The CSR for host 'CN=signed' does not match the public key")
     end
   end
+
+  context 'printing' do
+    let(:client_cert) { cert_fixture('signed.pem') }
+    let(:private_key) { key_fixture('signed-key.pem') }
+    let(:config) { { cacerts: global_cacerts, crls: global_crls, client_cert: client_cert, private_key: private_key } }
+
+    it 'prints in debug' do
+      Puppet[:log_level] = 'debug'
+
+      ctx = subject.create_context(**config)
+      subject.print(ctx)
+      expect(@logs.map(&:message)).to include(
+        /Verified CA certificate 'CN=Test CA' fingerprint/,
+        /Verified CA certificate 'CN=Test CA Subauthority' fingerprint/,
+        /Verified client certificate 'CN=signed' fingerprint/,
+        /Using CRL 'CN=Test CA' authorityKeyIdentifier '(keyid:)?[A-Z0-9:]{59}' crlNumber '0'/,
+        /Using CRL 'CN=Test CA Subauthority' authorityKeyIdentifier '(keyid:)?[A-Z0-9:]{59}' crlNumber '0'/
+      )
+    end
+  end
 end

data/spec/unit/ssl/state_machine_spec.rb

@@ -487,7 +487,7 @@ describe Puppet::SSL::StateMachine, unless: Puppet::Util::Platform.jruby? do
         expect(state.next_state.ssl_context.cacerts.map(&:to_pem)).to eq(new_ca_bundle)
       end
 
-      it 'updates the `last_update` time' do
+      it 'updates the `last_update` time on successful CA refresh' do
         stub_request(:get, %r{puppet-ca/v1/certificate/ca}).to_return(status: 200, body: new_ca_bundle.join)
 
         expect_any_instance_of(Puppet::X509::CertProvider).to receive(:ca_last_update=).with(be_within(60).of(Time.now))
@@ -495,6 +495,14 @@ describe Puppet::SSL::StateMachine, unless: Puppet::Util::Platform.jruby? do
         state.next_state
       end
 
+      it "does not update the `last_update` time when CA refresh fails" do
+        stub_request(:get, %r{puppet-ca/v1/certificate/ca}).to_raise(Errno::ECONNREFUSED)
+
+        expect_any_instance_of(Puppet::X509::CertProvider).to receive(:ca_last_update=).never
+
+        state.next_state
+      end
+
       it 'forces the NeedCRLs to refresh' do
         stub_request(:get, %r{puppet-ca/v1/certificate/ca}).to_return(status: 200, body: new_ca_bundle.join)
 
@@ -737,6 +745,26 @@ describe Puppet::SSL::StateMachine, unless: Puppet::Util::Platform.jruby? do
           state.next_state
         }.to raise_error(OpenSSL::PKey::RSAError)
       end
+
+      it "transitions to Done if current time plus renewal interval is less than cert's \"NotAfter\" time" do
+        allow(cert_provider).to receive(:load_private_key).and_return(private_key)
+        allow(cert_provider).to receive(:load_client_cert).and_return(client_cert)
+
+        st = state.next_state
+        expect(st).to be_instance_of(Puppet::SSL::StateMachine::Done)
+      end
+
+      it "returns NeedRenewedCert if current time plus renewal interval is greater than cert's \"NotAfter\" time" do
+        client_cert.not_after=(Time.now + 300)
+        allow(cert_provider).to receive(:load_private_key).and_return(private_key)
+        allow(cert_provider).to receive(:load_client_cert).and_return(client_cert)
+
+        ssl_context = Puppet::SSL::SSLContext.new(cacerts: [cacert], client_cert: client_cert, crls: [crl])
+        state = Puppet::SSL::StateMachine::NeedKey.new(machine, ssl_context)
+
+        st = state.next_state
+        expect(st).to be_instance_of(Puppet::SSL::StateMachine::NeedRenewedCert)
+      end
     end
 
     context 'in state NeedSubmitCSR' do
@@ -778,7 +806,7 @@ describe Puppet::SSL::StateMachine, unless: Puppet::Util::Platform.jruby? do
         state.next_state
       end
 
-      it 'includes CSR attributes' do
+      it 'includes CSR attributes', :unless => RUBY_PLATFORM == 'java' do
         Puppet[:csr_attributes] = write_csr_attributes(
           'custom_attributes' => {
               '1.3.6.1.4.1.34380.1.2.1' => 'CSR specific info',
@@ -792,7 +820,8 @@ describe Puppet::SSL::StateMachine, unless: Puppet::Util::Platform.jruby? do
             csr.custom_attributes
           ).to contain_exactly(
                  {'oid' => '1.3.6.1.4.1.34380.1.2.1', 'value' => 'CSR specific info'},
-                 {'oid' => '1.3.6.1.4.1.34380.1.2.2', 'value' => 'more CSR specific info'}
+                 {'oid' => '1.3.6.1.4.1.34380.1.2.2', 'value' => 'more CSR specific info'},
+                 {'oid' => 'pp_auth_auto_renew', 'value' => 'true'}
                )
         end.to_return(status: 200)
 
@@ -1041,5 +1070,48 @@ describe Puppet::SSL::StateMachine, unless: Puppet::Util::Platform.jruby? do
         expect(state.next_state).to be_an_instance_of(Puppet::SSL::StateMachine::LockFailure)
       end
     end
+
+    context 'in state NeedRenewedCert' do
+      before :each do
+        client_cert.not_after=(Time.now + 300)
+      end
+
+      let(:ssl_context) { Puppet::SSL::SSLContext.new(cacerts: cacerts, client_cert: client_cert, crls: crls,)}
+      let(:state) { Puppet::SSL::StateMachine::NeedRenewedCert.new(machine, ssl_context, private_key) }
+      let(:renewed_cert) { cert_fixture('renewed.pem') }
+
+      it 'returns Done with renewed cert when successful' do
+        allow(cert_provider).to receive(:save_client_cert)
+        stub_request(:post, %r{puppet-ca/v1/certificate_renewal}).to_return(status: 200, body: renewed_cert.to_pem)
+
+        st = state.next_state
+        expect(st).to be_an_instance_of(Puppet::SSL::StateMachine::Done)
+        expect(st.ssl_context[:client_cert]).to eq(renewed_cert)
+      end
+
+      it 'logs a warning message when failing with a non-404 status' do
+        stub_request(:post, %r{puppet-ca/v1/certificate_renewal}).to_return(status: 400, body: 'Failed to automatically renew certificate: 400 Bad request')
+
+        expect(Puppet).to receive(:warning).with(/Failed to automatically renew certificate/)
+        st = state.next_state
+        expect(st).to be_an_instance_of(Puppet::SSL::StateMachine::Done)
+      end
+
+      it 'logs an info message when failing with 404' do
+        stub_request(:post, %r{puppet-ca/v1/certificate_renewal}).to_return(status: 404, body: 'Certificate autorenewal has not been enabled on the server.')
+
+        expect(Puppet).to receive(:info).with('Certificate autorenewal has not been enabled on the server.')
+        st = state.next_state
+        expect(st).to be_an_instance_of(Puppet::SSL::StateMachine::Done)
+      end
+
+      it 'logs a warning message when failing with no HTTP status' do
+        stub_request(:post, %r{puppet-ca/v1/certificate_renewal}).to_raise(Errno::ECONNREFUSED)
+
+        expect(Puppet).to receive(:warning).with(/Unable to automatically renew certificate:/)
+        st = state.next_state
+        expect(st).to be_an_instance_of(Puppet::SSL::StateMachine::Done)
+      end
+    end
   end
 end

data/spec/unit/util/execution_spec.rb

@@ -29,6 +29,7 @@ describe Puppet::Util::Execution, if: !Puppet::Util::Platform.jruby? do
         allow(FFI::WIN32).to receive(:CloseHandle).with(thread_handle)
       else
         allow(Process).to receive(:waitpid2).with(pid, Process::WNOHANG).and_return(nil, [pid, double('child_status', :exitstatus => exitstatus)])
+        allow(Process).to receive(:waitpid2).with(pid, 0).and_return(nil, [pid, double('child_status', :exitstatus => exitstatus)])
         allow(Process).to receive(:waitpid2).with(pid).and_return([pid, double('child_status', :exitstatus => exitstatus)])
       end
     end

data/spec/unit/util/monkey_patches_spec.rb

@@ -2,6 +2,48 @@ require 'spec_helper'
 
 require 'puppet/util/monkey_patches'
 
+describe Dir do
+  describe '.exists?' do
+    it 'returns false if the directory does not exist' do
+      expect(Dir.exists?('/madeupdirectory')).to be false
+    end
+
+    it 'returns true if the directory exists' do
+      expect(Dir.exists?(__dir__)).to be true
+    end
+
+    if RUBY_VERSION >= '3.2'
+      it 'logs a warning message' do
+        expect(Dir).to receive(:warn).with("Dir.exists?('#{__dir__}') is deprecated, use Dir.exist? instead")
+        with_verbose_enabled do
+          Dir.exists?(__dir__)
+        end
+      end
+    end
+  end
+end
+
+describe File do
+  describe '.exists?' do
+    it 'returns false if the directory does not exist' do
+      expect(File.exists?('spec/unit/util/made_up_file')).to be false
+    end
+
+    it 'returns true if the file exists' do
+      expect(File.exists?(__FILE__)).to be true
+    end
+
+    if RUBY_VERSION >= '3.2'
+      it 'logs a warning message' do
+        expect(File).to receive(:warn).with("File.exists?('#{__FILE__}') is deprecated, use File.exist? instead")
+        with_verbose_enabled do
+          File.exists?(__FILE__)
+        end
+      end
+    end
+  end
+end
+
 describe Symbol do
   after :all do
     $unique_warnings.delete('symbol_comparison') if $unique_warnings

data/spec/unit/util/windows/adsi_spec.rb

@@ -95,6 +95,31 @@ describe Puppet::Util::Windows::ADSI, :if => Puppet::Util::Platform.windows? do
     end
   end
 
+  describe '.get_sids' do
+    it 'returns an array of SIDs given two an array of ADSI children' do
+      child1 = double('child1', name: 'Administrator', sid: 'S-1-5-21-3882680660-671291151-3888264257-500')
+      child2 = double('child2', name: 'Guest', sid: 'S-1-5-21-3882680660-671291151-3888264257-501')
+      allow(Puppet::Util::Windows::SID).to receive(:ads_to_principal).with(child1).and_return('Administrator')
+      allow(Puppet::Util::Windows::SID).to receive(:ads_to_principal).with(child2).and_return('Guest')
+      sids = Puppet::Util::Windows::ADSI::ADSIObject.get_sids([child1, child2])
+      expect(sids).to eq(['Administrator', 'Guest'])
+    end
+
+    it 'returns an array of SIDs given an ADSI child and ads_to_principal returning domain failure' do
+      child = double('child1', name: 'Administrator', sid: 'S-1-5-21-3882680660-671291151-3888264257-500')
+      allow(Puppet::Util::Windows::SID).to receive(:ads_to_principal).with(child).and_raise(Puppet::Util::Windows::Error.new('', Puppet::Util::Windows::SID::ERROR_TRUSTED_DOMAIN_FAILURE))
+      sids = Puppet::Util::Windows::ADSI::ADSIObject.get_sids([child])
+      expect(sids[0]).to eq(Puppet::Util::Windows::SID::Principal.new(child.name, child.sid, child.name, nil, :SidTypeUnknown))
+    end
+
+    it 'returns an array of SIDs given an ADSI child and ads_to_principal returning relationship failure' do
+      child = double('child1', name: 'Administrator', sid: 'S-1-5-21-3882680660-671291151-3888264257-500')
+      allow(Puppet::Util::Windows::SID).to receive(:ads_to_principal).with(child).and_raise(Puppet::Util::Windows::Error.new('', Puppet::Util::Windows::SID::ERROR_TRUSTED_RELATIONSHIP_FAILURE))
+      sids = Puppet::Util::Windows::ADSI::ADSIObject.get_sids([child])
+      expect(sids[0]).to eq(Puppet::Util::Windows::SID::Principal.new(child.name, child.sid, child.name, nil, :SidTypeUnknown))
+    end
+  end
+
   describe Puppet::Util::Windows::ADSI::User do
     let(:username)  { 'testuser' }
     let(:domain)    { 'DOMAIN' }

data/spec/unit/x509/cert_provider_spec.rb

@@ -586,6 +586,29 @@ describe Puppet::X509::CertProvider do
     end
   end
 
+  context 'when creating', :unless => RUBY_PLATFORM == 'java' do
+    context 'requests' do
+      let(:name) { 'tom' }
+      let(:requestdir) { tmpdir('cert_provider') }
+      let(:provider) { create_provider(requestdir: requestdir) }
+      let(:key) { OpenSSL::PKey::RSA.new(Puppet[:keylength]) }
+
+      it 'has the auto-renew attribute by default for agents that support automatic renewal' do
+        csr = provider.create_request(name, key)
+        # need to create CertificateRequest instance from csr in order to view CSR attributes
+        wrapped_csr = Puppet::SSL::CertificateRequest.from_instance csr
+        expect(wrapped_csr.custom_attributes).to include('oid' => 'pp_auth_auto_renew', 'value' => 'true')
+      end
+
+      it 'does not have the auto-renew attribute for agents that do not support automatic renewal' do
+        Puppet[:hostcert_renewal_interval] = 0
+        csr = provider.create_request(name, key)
+        wrapped_csr = Puppet::SSL::CertificateRequest.from_instance csr
+        expect(wrapped_csr.custom_attributes.length).to eq(0)
+      end
+    end
+  end
+
   context 'CA last update time' do
     let(:ca_path) { tmpfile('pem_ca') }
 

data/tasks/generate_cert_fixtures.rake

@@ -94,6 +94,10 @@ task(:gen_cert_fixtures) do
   save(dir, 'signed.pem', signed[:cert])
   save(dir, 'signed-key.pem', signed[:private_key])
 
+  # Create a cert for host "renewed" and issued by "Test CA Subauthority"
+  renewed = ca.create_cert('renewed', inter[:cert], inter[:private_key], reuse_key: signed[:private_key])
+  save(dir, 'renewed.pem', renewed[:cert])
+
   # Create an encrypted version of the above private key for host "signed"
   save(dir, 'encrypted-key.pem', signed[:private_key]) do |x509|
     # private key password was chosen at random