Add a test case when server has a cert not trusted by the client's sy…

…stem First we need to break `requireCertificate` into client and server bits, such that we can force the client to use TLS while not having a defined ssl_public_key entry in the landscape.conf testdata file. Client side is about using insecure credentials or not. Server side is about generating new certificates or not. Testdata landscape.conf dictates whether the client will read a self-signed cert or load the system's pool. With that change, we add a test case in which Client's landscape.conf doesn't have a ssl_public_key entry but the test case still requires TLS, so system's cert pool is loaded. As the server cert is a self-signed one, we expect this error message when gRPC attempts to connect over TLS: could not connect to Landscape server: rpc error: code = Unavailable desc = connection error: desc = "transport: authentication handshake failed: tls: failed to verify certificate: x509: certificate signed by unknown authority"
canonical · Dec 3, 2024 · 087c3b7 · 087c3b7
1 parent d65f38f
commit 087c3b7
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 7 deletions.
diff --git a/windows-agent/internal/proservices/landscape/landscape_test.go b/windows-agent/internal/proservices/landscape/landscape_test.go
@@ -110,7 +110,8 @@ func TestConnect(t *testing.T) {
 		emptyToken bool
 		tokenErr   bool
 
-		requireCertificate         bool
+		clientUsesTLS              bool
+		serverUsesTLS              bool
 		breakLandscapeClientConfig bool
 
 		breakUIDFile bool
@@ -123,7 +124,7 @@ func TestConnect(t *testing.T) {
 	}{
 		"Success":                         {},
 		"Success in non-first contact":    {uid: "123", wantSingleMessage: true},
-		"Success with an SSL certificate": {requireCertificate: true},
+		"Success with an SSL certificate": {clientUsesTLS: true, serverUsesTLS: true},
 
 		// These tests are for the error cases when the error is logged but not returned
 		"Silent error when the config is empty":                   {wantNotConnected: true},
@@ -138,20 +139,23 @@ func TestConnect(t *testing.T) {
 		"Error when the first-contact SendUpdatedInfo fails":   {tokenErr: true, wantErr: true},
 		"Error when the config cannot be accessed":             {breakLandscapeClientConfig: true, wantErr: true},
 		"Error when the config cannot be parsed":               {wantErr: true},
-		"Error when the SSL certificate cannot be read":        {requireCertificate: true, wantErr: true},
-		"Error when the SSL certificate is not valid":          {requireCertificate: true, wantErr: true},
+		"Error when the SSL certificate cannot be read":        {clientUsesTLS: true, serverUsesTLS: true, wantErr: true},
+		"Error when the SSL certificate is not valid":          {clientUsesTLS: true, serverUsesTLS: true, wantErr: true},
+		"Error when the SSL certificate is not trusted":        {clientUsesTLS: true, serverUsesTLS: true, wantErr: true},
 	}
 
 	for name, tc := range testCases {
 		t.Run(name, func(t *testing.T) {
 			ctx, cancel := context.WithCancel(context.Background())
 			defer cancel()
 
+			if !tc.clientUsesTLS {
+				ctx = context.WithValue(ctx, landscape.InsecureCredentials, true)
+			}
+
 			p := ""
-			if tc.requireCertificate {
+			if tc.serverUsesTLS {
 				p = certPath
-			} else {
-				ctx = context.WithValue(ctx, landscape.InsecureCredentials, true)
 			}
 
 			if wsl.MockAvailable() {

diff --git a/...ndscape/testdata/TestConnect/error_when_the_SSL_certificate_is_not_trusted/landscape.conf b/...ndscape/testdata/TestConnect/error_when_the_SSL_certificate_is_not_trusted/landscape.conf
@@ -0,0 +1,4 @@
+[client]
+
+[host]
+url = {{ .HostURL }}