From a175679b4b0d42f99a49cea215a8bba9fbc5c3b1 Mon Sep 17 00:00:00 2001
From: Mark Laing <mark.laing@canonical.com>
Date: Wed, 4 Dec 2024 09:01:02 +0000
Subject: [PATCH] test/suites: Check that a restricted client certificate
 cannot view server configuration.

Signed-off-by: Mark Laing <mark.laing@canonical.com>
---
 test/suites/tls_restrictions.sh | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/test/suites/tls_restrictions.sh b/test/suites/tls_restrictions.sh
index e91c0ccd2d48..788faaee9fff 100644
--- a/test/suites/tls_restrictions.sh
+++ b/test/suites/tls_restrictions.sh
@@ -27,6 +27,12 @@ test_tls_restrictions() {
   # Apply restrictions
   lxc config trust show "${FINGERPRINT}" | sed -e "s/restricted: false/restricted: true/" | lxc config trust edit "${FINGERPRINT}"
 
+  # Confirm client with restricted certificate cannot see server configuration.
+  lxc config set user.foo bar
+  [ "$(lxc_remote query localhost:/1.0 | jq '.config | length')" = 0 ]
+  [ "$(lxc_remote query localhost:/1.0 | jq -r '.config."user.foo"')" = "null" ]
+  lxc config unset user.foo
+
   # Confirm no project visible when none listed
   [ "$(lxc_remote project list localhost: --format csv | wc -l)" = 0 ]