diff --git a/revoke-test/tests/system_tests.rs b/revoke-test/tests/system_tests.rs index 664f3a9a..86d3152c 100644 --- a/revoke-test/tests/system_tests.rs +++ b/revoke-test/tests/system_tests.rs @@ -33,12 +33,19 @@ fn real_world_system_tests() { .unwrap(); fs::write(TEST_CONFIG_PATH, TEST_CONFIG).unwrap(); - upki() + let fetch = upki() .arg("--config-file") .arg(TEST_CONFIG_PATH) .arg("fetch") .output() .expect("cannot execute 'upki fetch'"); + assert!( + fetch.status.success(), + "'upki fetch' failed ({})\nstdout:\n{}\nstderr:\n{}", + fetch.status, + String::from_utf8_lossy(&fetch.stdout), + String::from_utf8_lossy(&fetch.stderr), + ); let tests = serde_json::from_reader::<_, RevocationTestSites<'static>>( File::open("../revoke-test/test-sites.json") @@ -82,8 +89,11 @@ fn real_world_system_tests() { #[cfg(not(windows))] let ((((site, high), rustls), ffi), openssl) = cases; + // When rustls reports the cert as expired it short-circuits before doing any revocation + // check, so its verdict says nothing about revocation status. The high-level API does no + // expiry check, so the two are not comparable in that case; skip the comparison. assert!( - high == rustls || *high == rustls.expired_as_revoked(), + high == rustls || *rustls == TestResult::Expired, "site {site:?} revocation result disagrees between high-level API ({high:?}) and rustls verifier ({rustls:?})" ); assert!( @@ -271,18 +281,6 @@ enum TestResult { Expired, } -impl TestResult { - fn expired_as_revoked(&self) -> Self { - // The high-level CLI doesn't do expiry checks, while the rustls verifier does. - // So we treat expiry as a class of revocation for the purpose of checking - // that the APIs agree. - match self { - Self::Expired => Self::CorrectlyRevoked, - other => *other, - } - } -} - const TEST_CONFIG_PATH: &str = "tmp/system-test/config.toml"; const TEST_CONFIG: &str = "cache-dir=\"tmp/system-test\"\n\ [revocation]\n\