felhom-agent/internal/proxmox/tls_test.go

package proxmox

import "testing"

func TestNormalizeFingerprint(t *testing.T) {
	// 64-hex with colons (the /nodes ssl_fingerprint form) normalizes fine.
	const withColons = "BA:7C:99:7D:45:D0:67:91:E2:F2:72:74:6E:D6:9F:83:51:D1:61:E5:C3:BD:F6:A0:B8:0B:E3:D8:DB:89:5B:CF"
	got, err := normalizeFingerprint(withColons)
	if err != nil {
		t.Fatalf("normalize: %v", err)
	}
	if len(got) != 64 {
		t.Errorf("len = %d", len(got))
	}
	if got != "ba7c997d45d06791e2f272746ed69f8351d161e5c3bdf6a0b80be3d8db895bcf" {
		t.Errorf("got %q", got)
	}
}

func TestNormalizeFingerprint_Bad(t *testing.T) {
	for _, c := range []string{"", "tooshort", "zz7c997d45d06791e2f272746ed69f8351d161e5c3bdf6a0b80be3d8db895bcf"} {
		if _, err := normalizeFingerprint(c); err == nil {
			t.Errorf("normalize(%q) = nil, want error", c)
		}
	}
}

func TestTLSConfig_Build(t *testing.T) {
	// Fingerprint pin produces a config with a pin verifier (and the documented
	// InsecureSkipVerify=true that the verifier overrides).
	c, err := (TLSConfig{Fingerprint: "ba7c997d45d06791e2f272746ed69f8351d161e5c3bdf6a0b80be3d8db895bcf"}).build()
	if err != nil {
		t.Fatalf("build pin: %v", err)
	}
	if c.VerifyPeerCertificate == nil {
		t.Errorf("pin config missing VerifyPeerCertificate")
	}
	// Default (no trust set) uses system roots, no skip.
	def, err := (TLSConfig{}).build()
	if err != nil {
		t.Fatalf("build default: %v", err)
	}
	if def.InsecureSkipVerify {
		t.Errorf("default must verify")
	}
}