Implement test that checks invalid cert case

Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>

cmd/discovery/client/client.go

@@ -17,6 +17,7 @@ import (
 )
 
 var errPartNotFound error = fmt.Errorf("pass for partition not found")
+var errBadCertificate error = fmt.Errorf("unknown certificate")
 
 func NewClient() (*Client, error) {
 	conf, err := unmarshalConfig()
@@ -103,10 +104,15 @@ func (c *Client) waitPass(p *block.Partition, attempts int) (pass string, err er
 			tries = 0
 			continue
 		}
+
 		if generated { // passphrase is encrypted
 			return c.decryptPassphrase(pass)
 		}
 
+		if err == errBadCertificate { // No need to retry, won't succeed.
+			return
+		}
+
 		if err == nil { // passphrase available, no errors
 			return
 		}

cmd/discovery/client/enc.go

@@ -37,6 +37,9 @@ func getPass(server, certificate string, partition *block.Partition) (string, bo
 		if strings.Contains(result.Error, "No secret found for") {
 			return "", false, errPartNotFound
 		}
+		if strings.Contains(result.Error, "x509: certificate signed by unknown authority") {
+			return "", false, errBadCertificate
+		}
 		return "", false, fmt.Errorf(result.Error)
 	}
 

tests/encryption_test.go

@@ -43,8 +43,6 @@ var _ = Describe("local encrypted passphrase", func() {
 
 		installationOutput, err = vm.Sudo("set -o pipefail && kairos-agent manual-install --device auto config.yaml 2>&1 | tee manual-install.txt")
 		Expect(err).ToNot(HaveOccurred(), installationOutput)
-
-		vm.Reboot()
 	})
 
 	AfterEach(func() {
@@ -81,6 +79,7 @@ users:
 		})
 
 		It("boots and has an encrypted partition", func() {
+			vm.Reboot()
 			vm.EventuallyConnects(1200)
 			out, err := vm.Sudo("blkid")
 			Expect(err).ToNot(HaveOccurred(), out)
@@ -141,6 +140,7 @@ kcrypt:
 
 		It("creates a passphrase and a key/pair to decrypt it", func() {
 			// Expect a LUKS partition
+			vm.Reboot()
 			vm.EventuallyConnects(1200)
 			out, err := vm.Sudo("blkid")
 			Expect(err).ToNot(HaveOccurred(), out)
@@ -230,6 +230,7 @@ kcrypt:
 
 		It("creates uses the existing passphrase to decrypt it", func() {
 			// Expect a LUKS partition
+			vm.Reboot()
 			vm.EventuallyConnects(1200)
 			out, err := vm.Sudo("blkid")
 			Expect(err).ToNot(HaveOccurred(), out)
@@ -286,8 +287,7 @@ install:
 			})
 
 			It("successfully talks to the server", func() {
-				// TODO: Maybe do something simpler than installation to keep things fast?
+				vm.Reboot()
-				// Something that proves we talked to the server.
 				vm.EventuallyConnects(1200)
 				out, err := vm.Sudo("blkid")
 				Expect(err).ToNot(HaveOccurred(), out)
@@ -321,19 +321,17 @@ kcrypt:
 `, os.Getenv("KMS_ADDRESS"))
 			})
 
-			// TODO:
 			It("fails to talk to the server", func() {
-				// TODO: Maybe do something simpler than installation to keep things fast?
+				out, err := vm.Sudo("cat manual-install.txt")
-				// Something that proves we talked to the server.
+				Expect(err).ToNot(HaveOccurred(), out)
-				//vm.EventuallyConnects(1200)
+				Expect(out).To(MatchRegexp("could not encrypt partition.*x509: certificate signed by unknown authority"))
-				// out, err := vm.Sudo("blkid")
-				// Expect(err).ToNot(HaveOccurred(), out)
-				// Expect(out).To(MatchRegexp("TYPE=\"crypto_LUKS\" PARTLABEL=\"persistent\""), out)
-				// Expect(out).To(MatchRegexp("/dev/mapper.*LABEL=\"COS_PERSISTENT\""), out)
 			})
 		})
 
 		When("the certificate signed by a well known CA (system certs)", func() {
+			BeforeEach(func() {
+				Skip("No way to implement")
+			})
 			It("successfully talks to the server", func() {
 				// TODO: How do we get a properly signed cert? Maybe do that once,
 				// and put the cert is the assets directory?