git » kxd » commit aae3b7b

tests: Comment out test that changed behaviour during go 1.8

author Alberto Bertogli
2016-08-22 20:41:18 UTC
committer Alberto Bertogli
2016-08-22 20:57:35 UTC
parent a1eb20414d31b32901a0eeed8af931074df33d3b

Go commit 8ad70a549364c216c386afcead4dccfdcd39748b by Adam Langley
(agl@golang.org) changed the behaviour of how leaf certificates on root work
on Go.

Before, they would not be assumed valid and we had a test for it.
But the change makes the library consider them explicitly valid, so our test
breaks.

However, this is not something we expect to be a problem for our users; in
practice it's a really unusual corner case for kxd.

The change is not even in a released Go version yet, so changing the tests
would cause them to fail on released versions. But leaving as-is will cause
them to fail when Go 1.8 is released.

So we leave the test commented out for now; we can re-enable it once there are
a couple of Go versions with the new behaviour.

tests/run_tests +19 -13

diff --git a/tests/run_tests b/tests/run_tests
index cff40ad..2973c93 100755
--- a/tests/run_tests
+++ b/tests/run_tests
@@ -496,11 +496,14 @@ class Delegation(TestCase):
         key = self.client.call(self.ca.cert_path(), "kxd://localhost/k1")
         self.assertEquals(key, self.server.keys["k1"])
 
-        # The server is signed by the CA, but the CA is unknown to the client,
-        # so it can't validate it, even if it knows the server directly.
-        self.assertClientFails("kxd://localhost/k1",
-                               "certificate signed by unknown authority",
-                               cert_path=self.server.cert_path())
+        # The server is signed by the CA, but the CA is unknown to the client.
+        # But the client knows the server directly, so it's allowed.
+        #
+        # NOTE: go <= 1.7 rejected this case, it was only allowed during the
+        # 1.8 development cycle (8ad70a5), so comment it out for now.
+        #
+        #key = self.client.call(self.server.cert_path(), "kxd://localhost/k1")
+        #self.assertEquals(key, self.server.keys["k1"])
 
         # Same as above, but give the wrong CA.
         ca2 = CA()
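Review bot: With both the removed assertClientFails check and the new commented-out client.call check disabled, the case where the client is given the server's own certificate as cert_path while the signing CA is unknown has no coverage at all, so a change in either direction will pass unnoticed. Since the outcome depends on the Go version the binaries were built with, consider keeping the test live and branching on that version (expect "certificate signed by unknown authority" on go <= 1.7, expect the key on newer builds), or skipping it explicitly so it shows up in the test report rather than disappearing. The NOTE wording "it was only allowed during the 1.8 development cycle" reads as if the acceptance was temporary; "allowed starting with the 1.8 development cycle (8ad70a5)" would match the commit message.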
@@ -527,14 +530,17 @@ class Delegation(TestCase):
                                "403 Forbidden.*No allowed certificate found",
                                cert_path=self.server.cert_path())
 
-        # The client is signed by the CA, but the CA is unknown to the server,
-        # so it can't validate it, even if it knows the client directly.
-        self.server.new_key("k3",
-                            allowed_clients=[self.client.cert()],
-                            allowed_hosts=["localhost"])
-        self.assertClientFails("kxd://localhost/k3",
-                               "403 Forbidden.*No allowed certificate found",
-                               cert_path=self.server.cert_path())
+        # The client is signed by the CA, but the CA is unknown to the server.
+        # But the server it knows the client directly, so it's allowed.
+        #
+        # NOTE: go <= 1.7 rejected this case, it was only allowed during the
+        # 1.8 development cycle (8ad70a5), so comment it out for now.
+        #
+        #self.server.new_key("k3",
+        #                    allowed_clients=[self.client.cert()],
+        #                    allowed_hosts=["localhost"])
+        #key = self.client.call(self.server.cert_path(), "kxd://localhost/k3")
+        #self.assertEquals(key, self.server.keys["k3"])
 
     def test_both_delegated(self):
         self.prepare(server_self_sign=False, client_self_sign=False)
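Review bot: The k3 case in this hunk is an authorization decision on the server, and its expected result flips from "403 Forbidden.*No allowed certificate found" to a successful key fetch, yet after this change neither outcome is asserted. A client certificate listed in allowed_clients being accepted without the server knowing its CA is behaviour operators would want documented, so a version-conditional assertion or an explicit skip with the reason would be safer than commented-out code. There is also a typo in the new comment: "But the server it knows the client directly" should read "But the server knows the client directly".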