lesavka/tests/security/install/cert_key_permissions_contract.rs


// Security coverage for installed secret permissions.
//
// Scope: preserve installer and UI behavior that keeps private keys readable
// only by the local Lesavka operator account.
// Targets: install scripts and the client TLS-bundle import helper.
// Why: mTLS is only meaningful if client/server private keys are not installed
// with broad filesystem permissions.
// Embeds a repository file, addressed relative to the crate manifest
// directory, as a `&'static str` at compile time. The tests below only read
// this text; they never execute the installers or the UI code.
macro_rules! manifest_relative_source {
    ($relative_path:literal) => {
        include_str!(concat!(env!("CARGO_MANIFEST_DIR"), $relative_path))
    };
}

/// Source text of the server install script.
const SERVER_INSTALL: &str = manifest_relative_source!("/scripts/install/server.sh");

/// Source text of the client install script.
const CLIENT_INSTALL: &str = manifest_relative_source!("/scripts/install/client.sh");

/// Source text of the launcher UI module that the TLS-bundle import test inspects.
const CERT_UI: &str =
    manifest_relative_source!("/client/src/launcher/ui/utility_button_bindings.rs");
/// Guards the server installer against losing its private-key permission steps.
///
/// This is a textual contract: each marker must appear verbatim somewhere in
/// the script source. It does not run the installer or inspect the modes of
/// the files it produces, so a marker that survives only in a comment or an
/// unreachable branch would still satisfy it.
#[test]
fn server_private_keys_and_client_bundle_are_installed_private() {
    // Keys and the client bundle are expected at 0600 (owner read/write only);
    // certificates are public material and are expected at 0644.
    const REQUIRED_MARKERS: &[&str] = &[
        "chmod 0600 \"$LESAVKA_TLS_DIR/\"*.key",
        "chmod 0644 \"$LESAVKA_TLS_DIR/\"*.crt",
        "chmod 0600 \"$LESAVKA_CLIENT_BUNDLE\"",
        // presumably the step that copies the client key into the bundle;
        // confirm against server.sh
        "cp \"$LESAVKA_TLS_DIR/client.key\"",
    ];

    for &marker in REQUIRED_MARKERS {
        let marker_present = SERVER_INSTALL.contains(marker);
        assert!(
            marker_present,
            "server installer should preserve private PKI permission marker {marker}"
        );
    }
}
/// Guards the client installer against losing its enrollment permission steps.
///
/// Each marker is looked up independently in the script source. The test
/// therefore shows that a 0600 install, a 0644 install and the key/cert paths
/// all occur somewhere in the script, not that the 0600 mode is the one
/// applied to `client.key`.
// NOTE(review): if the mode flag and the key path end up on one logical line
// in client.sh, a single combined marker would pin the mode to the key; the
// script is not visible from this file, so confirm before tightening.
#[test]
fn client_installer_preserves_private_client_key_mode() {
    const REQUIRED_MARKERS: &[&str] = &[
        // private key: owner-only mode and its destination path
        "sudo install -m 0600",
        "\"$tmp/client.key\" \"$CLIENT_PKI_DIR/client.key\"",
        // public material: CA and client certificates
        "sudo install -m 0644",
        "\"$tmp/ca.crt\"",
        "\"$tmp/client.crt\"",
    ];

    for &marker in REQUIRED_MARKERS {
        let marker_present = CLIENT_INSTALL.contains(marker);
        assert!(
            marker_present,
            "client installer should preserve enrollment permission marker {marker}"
        );
    }
}
/// Guards the launcher UI's TLS-bundle import against dropping the step that
/// restricts the imported client key to mode 0600.
///
/// The check is a substring search over the UI module's source. It confirms
/// that the helper name, the `PermissionsExt` import, the `set_mode(0o600)`
/// call and the `client.key` target path are all still present, not that the
/// helper is invoked on every import path.
// NOTE(review): this cannot tell whether the key is created with a restrictive
// mode or written first and tightened afterwards; verify in the UI module if
// that window matters for the deployment.
#[test]
fn client_ui_bundle_import_tightens_key_permissions() {
    const REQUIRED_MARKERS: &[&str] = &[
        "tighten_client_key_permissions",
        "PermissionsExt",
        "permissions.set_mode(0o600)",
        "target.join(\"client.key\")",
    ];

    for &marker in REQUIRED_MARKERS {
        let marker_present = CERT_UI.contains(marker);
        assert!(
            marker_present,
            "cert import UI should preserve permission marker {marker}"
        );
    }
}