From 53b4d00732879f1ca8e99bb810ba04293cdc82f7 Mon Sep 17 00:00:00 2001
From: Val Lorentz
Date: Sun, 13 Feb 2022 14:26:45 +0100
Subject: [PATCH] Preserve client certificate when TLS is indirectly enabled by a STS policy

Closes GH-4152.
---
 src/models/network.js | 8 ++++----
 test/models/network.js | 22 ++++++++++++++++++++++
 2 files changed, 26 insertions(+), 4 deletions(-)

diff --git a/src/models/network.js b/src/models/network.js
index 17aaff60..822afdf2 100644
--- a/src/models/network.js
+++ b/src/models/network.js
@@ -122,10 +122,6 @@ Network.prototype.validate = function (client) {
 this.sasl = "";
 }

- if (!this.tls) {
- ClientCertificate.remove(this.uuid);
- }
-
 if (Helper.config.lockNetwork) {
 // This check is needed to prevent invalid user configurations
 if (
@@ -188,6 +184,10 @@ Network.prototype.validate = function (client) {
 this.rejectUnauthorized = true;
 }

+ if (!this.tls) {
+ ClientCertificate.remove(this.uuid);
+ }
+
 return true;
 };

diff --git a/test/models/network.js b/test/models/network.js
index 315581a0..6abdb3e4 100644
--- a/test/models/network.js
+++ b/test/models/network.js
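Review bot: In src/models/network.js the relocated `if (!this.tls)` block now has to run after the STS policy handling that ends with `this.rejectUnauthorized = true;`, but nothing in the code records that ordering constraint. A comment such as `// Keep after the STS policy check: it may turn TLS on, and the stored client certificate must survive that` would stop a later reorder from reintroducing the bug. Because the removal is now the last step before `return true;`, any earlier `return false` in `validate` would skip it and leave the stored client certificate in place for a network that failed validation with TLS off. The body of `validate` between the two hunks is not visible here, so whether such paths exist needs confirming; if they do, decide explicitly whether the certificate should be removed there too.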
@@ -223,6 +223,28 @@ describe("Network", function () {
 ClientCertificate.remove(network.uuid);
 Helper.config.public = true;
 });
+
+ it("should remove client certs if there is a STS policy", function () {
+ Helper.config.public = false;
+
+ const client = {idMsg: 1, emit() {}, messageStorage: []};
+ STSPolicies.update("irc.example.com", 7000, 3600);
+
+ const network = new Network({host: "irc.example.com", sasl: "external"});
+ network.createIrcFramework(client);
+ expect(network.irc).to.not.be.null;
+
+ const client_cert = network.irc.options.client_certificate;
+ expect(client_cert).to.not.be.null;
+ expect(ClientCertificate.get(network.uuid)).to.deep.equal(client_cert);
+
+ expect(network.validate(client)).to.be.true;
+
+ expect(ClientCertificate.get(network.uuid)).to.deep.equal(client_cert); // Should be unchanged
+
+ ClientCertificate.remove(network.uuid);
+ Helper.config.public = true;
+ });
 });

 describe("#createIrcFramework(client)", function () {
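Review bot: The test title says the certificate should be removed, while the assertions check that it is still present and unchanged after `validate()`; a title like `it("should keep client certs when TLS is enabled by a STS policy", ...)` would match what is verified. The policy registered with `STSPolicies.update("irc.example.com", 7000, 3600)` is never cleared, and the cleanup lines at the end run only if every assertion passes. A failure here can therefore leave `Helper.config.public = false`, the stored certificate and the policy in place for later tests, so moving the cleanup into an `afterEach` (and clearing the policy there) would keep the tests isolated. Also, `expect(client_cert).to.not.be.null` passes for `undefined`; `expect(client_cert).to.exist` would make the precondition meaningful. The enclosing `describe` block starts outside the hunk.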