add test case for invalid pool cert configuration

pendulum-project · Nov 17, 2023 · 15495c6 · 15495c6
1 parent 6c338af
commit 15495c6
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 5 deletions.
diff --git a/ntp-proto/src/nts_record.rs b/ntp-proto/src/nts_record.rs
@@ -2415,10 +2415,10 @@ mod test {
 
         let result = keyexchange_loop(client, server);
 
-        matches!(
-            result.unwrap_err(),
-            KeyExchangeError::UnrecognizedCriticalRecord
-        );
+        assert!(matches!(
+            result,
+            Err(KeyExchangeError::UnrecognizedCriticalRecord)
+        ));
     }
 
     #[test]

diff --git a/ntpd/src/daemon/keyexchange.rs b/ntpd/src/daemon/keyexchange.rs
@@ -574,12 +574,13 @@ mod tests {
     async fn key_exchange_roundtrip() {
         let provider = KeySetProvider::new(1);
         let keyset = provider.get();
+        let pool_certs = ["testdata/certificates/nos-nl.pem"];
 
         let (_sender, keyset) = tokio::sync::watch::channel(keyset);
         let nts_ke_config = NtsKeConfig {
             certificate_chain_path: PathBuf::from("../test-keys/end.fullchain.pem"),
             private_key_path: PathBuf::from("../test-keys/end.key"),
-            authorized_pool_server_certificates: Vec::new(),
+            authorized_pool_server_certificates: pool_certs.iter().map(PathBuf::from).collect(),
             key_exchange_timeout_ms: 1000,
             listen: "0.0.0.0:5431".parse().unwrap(),
         };
@@ -602,6 +603,33 @@ mod tests {
         assert_eq!(result.port, 123);
     }
 
+    #[tokio::test]
+    async fn key_exchange_refusal_due_to_invalid_config() {
+        let cert_path = "testdata/certificates/nos-nl-chain.pem";
+        let certs = [cert_path];
+
+        let provider = KeySetProvider::new(1);
+        let keyset = provider.get();
+
+        let (_sender, keyset) = tokio::sync::watch::channel(keyset);
+        let nts_ke_config = NtsKeConfig {
+            certificate_chain_path: PathBuf::from("../test-keys/end.fullchain.pem"),
+            private_key_path: PathBuf::from("../test-keys/end.key"),
+            authorized_pool_server_certificates: certs.iter().map(PathBuf::from).collect(),
+            key_exchange_timeout_ms: 1000,
+            listen: "0.0.0.0:5431".parse().unwrap(),
+        };
+
+        let Err(io_error) = run_nts_ke(nts_ke_config, keyset).await else {
+            panic!("nts server started normally, this should not happen");
+        };
+
+        let expected_error_msg = format!(
+            "pool certificate file at `\"{cert_path}\"` should contain exactly one certificate"
+        );
+        assert_eq!(io_error.to_string(), expected_error_msg);
+    }
+
     #[tokio::test]
     async fn client_connection_refused() {
         let result = key_exchange_client("localhost".to_string(), 5434, &[]).await;