36 lines
1.2 KiB
Rust
36 lines
1.2 KiB
Rust
|
//! Contract tests for client install-time security defaults.
|
||
|
|
//!
|
||
|
|
//! Scope: inspect the client installer shell contract without running it.
|
||
|
|
//! Targets: `scripts/install/client.sh`.
|
||
|
|
//! Why: secure-by-default relay transport depends on installing the server-issued
|
||
|
|
//! client cert bundle exactly where the desktop app auto-discovers it.
|
||
|
|
|
||
|
|
const CLIENT_INSTALL: &str = include_str!("../../scripts/install/client.sh");
|
||
|
|
|
||
|
|
#[test]
|
||
|
|
fn client_install_accepts_server_generated_tls_bundle() {
|
||
|
|
for expected in [
|
||
|
|
"LESAVKA_CLIENT_PKI_BUNDLE",
|
||
|
|
"CLIENT_PKI_DIR",
|
||
|
|
"ca.crt",
|
||
|
|
"client.crt",
|
||
|
|
"client.key",
|
||
|
|
"install_client_pki_bundle",
|
||
|
|
"HTTPS relay connections will need a trusted public cert or a bundle install later",
|
||
|
|
"TLS identity:",
|
||
|
|
] {
|
||
|
|
assert!(
|
||
|
|
CLIENT_INSTALL.contains(expected),
|
||
|
|
"client installer should include TLS bundle contract fragment {expected}"
|
||
|
|
);
|
||
|
|
}
|
||
|
|
assert!(
|
||
|
|
CLIENT_INSTALL.contains(".config/lesavka/pki"),
|
||
|
|
"client cert bundle should land in the same path the desktop app auto-loads"
|
||
|
|
);
|
||
|
|
assert!(
|
||
|
|
CLIENT_INSTALL.contains("0600"),
|
||
|
|
"client private key should be installed with private permissions"
|
||
|
|
);
|
||
|
|
}
|