Implement test that checks invalid cert case

Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>
2025-05-10 17:05:48 +00:00 · 2023-02-09 10:49:32 +02:00 · 2023-02-09 10:49:32 +02:00 · 1cd4d9a7af
commit 1cd4d9a7af
parent d875e54171
3 changed files with 19 additions and 12 deletions
--- a/cmd/discovery/client/client.go
+++ b/cmd/discovery/client/client.go
@ -17,6 +17,7 @@ import (
 )

 var errPartNotFound error = fmt.Errorf("pass for partition not found")
+var errBadCertificate error = fmt.Errorf("unknown certificate")

 func NewClient() (*Client, error) {
 	conf, err := unmarshalConfig()
@ -103,10 +104,15 @@ func (c *Client) waitPass(p *block.Partition, attempts int) (pass string, err er
 			tries = 0
 			continue
 		}
+
 		if generated { // passphrase is encrypted
 			return c.decryptPassphrase(pass)
 		}

+		if err == errBadCertificate { // No need to retry, won't succeed.
+			return
+		}
+
 		if err == nil { // passphrase available, no errors
 			return
 		}
--- a/cmd/discovery/client/enc.go
+++ b/cmd/discovery/client/enc.go
@ -37,6 +37,9 @@ func getPass(server, certificate string, partition *block.Partition) (string, bo
 		if strings.Contains(result.Error, "No secret found for") {
 			return "", false, errPartNotFound
 		}
+		if strings.Contains(result.Error, "x509: certificate signed by unknown authority") {
+			return "", false, errBadCertificate
+		}
 		return "", false, fmt.Errorf(result.Error)
 	}

--- a/tests/encryption_test.go
+++ b/tests/encryption_test.go
@ -43,8 +43,6 @@ var _ = Describe("local encrypted passphrase", func() {

 		installationOutput, err = vm.Sudo("set -o pipefail && kairos-agent manual-install --device auto config.yaml 2>&1 | tee manual-install.txt")
 		Expect(err).ToNot(HaveOccurred(), installationOutput)
-
-		vm.Reboot()
 	})

 	AfterEach(func() {
@ -81,6 +79,7 @@ users:
 		})

 		It("boots and has an encrypted partition", func() {
+			vm.Reboot()
 			vm.EventuallyConnects(1200)
 			out, err := vm.Sudo("blkid")
 			Expect(err).ToNot(HaveOccurred(), out)
@ -141,6 +140,7 @@ kcrypt:

 		It("creates a passphrase and a key/pair to decrypt it", func() {
 			// Expect a LUKS partition
+			vm.Reboot()
 			vm.EventuallyConnects(1200)
 			out, err := vm.Sudo("blkid")
 			Expect(err).ToNot(HaveOccurred(), out)
@ -230,6 +230,7 @@ kcrypt:

 		It("creates uses the existing passphrase to decrypt it", func() {
 			// Expect a LUKS partition
+			vm.Reboot()
 			vm.EventuallyConnects(1200)
 			out, err := vm.Sudo("blkid")
 			Expect(err).ToNot(HaveOccurred(), out)
@ -286,8 +287,7 @@ install:
 			})

 			It("successfully talks to the server", func() {
-				// TODO: Maybe do something simpler than installation to keep things fast?
-				// Something that proves we talked to the server.
+				vm.Reboot()
 				vm.EventuallyConnects(1200)
 				out, err := vm.Sudo("blkid")
 				Expect(err).ToNot(HaveOccurred(), out)
@ -321,19 +321,17 @@ kcrypt:
 `, os.Getenv("KMS_ADDRESS"))
 			})

-			// TODO:
 			It("fails to talk to the server", func() {
-				// TODO: Maybe do something simpler than installation to keep things fast?
-				// Something that proves we talked to the server.
-				//vm.EventuallyConnects(1200)
-				// out, err := vm.Sudo("blkid")
-				// Expect(err).ToNot(HaveOccurred(), out)
-				// Expect(out).To(MatchRegexp("TYPE=\"crypto_LUKS\" PARTLABEL=\"persistent\""), out)
-				// Expect(out).To(MatchRegexp("/dev/mapper.*LABEL=\"COS_PERSISTENT\""), out)
+				out, err := vm.Sudo("cat manual-install.txt")
+				Expect(err).ToNot(HaveOccurred(), out)
+				Expect(out).To(MatchRegexp("could not encrypt partition.*x509: certificate signed by unknown authority"))
 			})
 		})

 		When("the certificate signed by a well known CA (system certs)", func() {
+			BeforeEach(func() {
+				Skip("No way to implement")
+			})
 			It("successfully talks to the server", func() {
 				// TODO: How do we get a properly signed cert? Maybe do that once,
 				// and put the cert is the assets directory?