Stub tests and partly-working implementation of 'load certs found alongside key_filenames' behavior re #1042

This actually breaks existing tests due to test server not supporting
certs...bah

3 files changed, 36 insertions, 10 deletions

diff --git a/paramiko/client.py b/paramiko/client.py
index 22e636a7..3b3895b6 100644
--- a/paramiko/client.py
+++ b/paramiko/client.py
@@ -515,22 +515,34 @@ class SSHClient (ClosingContextManager):
 
     def _key_from_filepath(self, filename, klass, password):
         """
-        Attempt to derive a `.PKey` from given string path ``filename``.
+        Attempt to derive a `.PKey` from given string path ``filename``:
+
+        - If ``filename`` appears to be a cert, the matching private key is
+          loaded.
+        - Otherwise, the filename is assumed to be a private key, and the
+          matching public cert will be loaded if it exists.
         """
         cert_suffix = '-cert.pub'
-        key_path = filename
-        is_cert = False
+        # Assume privkey, not cert, by default
         if filename.endswith(cert_suffix):
             key_path = filename[:-len(cert_suffix)]
-            is_cert = True
+            cert_path = filename
+        else:
+            key_path = filename
+            cert_path = filename + cert_suffix
+        # Blindly try the key path; if no private key, nothing will work.
         key = klass.from_private_key_file(key_path, password)
-        if is_cert:
-            key.load_certificate(pubkey_filename=filename)
-        type_ = 'certificate' if is_cert else 'key'
-        msg = "Trying discovered {0} {1} in {2}".format(
-            type_, hexlify(key.get_fingerprint()), filename,
+        # TODO: change this to 'Loading' instead of 'Trying' sometime; probably
+        # when #387 is released, since this is a critical log message users are
+        # likely testing/filtering for (bah.)
+        msg = "Trying discovered key {0} in {1}".format(
+            hexlify(key.get_fingerprint()), key_path,
         )
         self._log(DEBUG, msg)
+        # Attempt to load cert if it exists.
+        if os.path.isfile(cert_path):
+            key.load_certificate(pubkey_filename=cert_path)
+            self._log(DEBUG, "Adding public certificate {0}".format(cert_path))
         return key
 
     def _auth(self, username, password, pkey, key_filenames, allow_agent,
diff --git a/tests/test_client.py b/tests/test_client.py
index e912d5b2..cfffa030 100644
--- a/tests/test_client.py
+++ b/tests/test_client.py
@@ -248,6 +248,21 @@ class SSHClientTest (unittest.TestCase):
             allowed_keys=['ecdsa-sha2-nistp256'],
         )
 
+    def test_certs_allowed_as_key_filename_values(self):
+        # TODO: connect() with key_filename containing a cert file, loads up
+        # both the cert and its implied key. This is new functionality on top
+        # of the OpenSSH-compatible stuff.
+        assert False
+
+    def test_certs_implicitly_loaded_alongside_key_filename_keys(self):
+        # TODO: same but with just the key paths, i.e. vanilla OpenSSH behavior
+        assert False
+
+    def test_default_key_locations_trigger_cert_loads_if_found(self):
+        # TODO: what it says on the tin: ~/.ssh/id_rsa tries to load
+        # ~/.ssh/id_rsa-cert.pub
+        assert False
+
     def test_4_auto_add_policy(self):
         """
         verify that SSHClient's AutoAddPolicy works.
diff --git a/tests/util.py b/tests/util.py
index b546a7e1..c1b43da8 100644
--- a/tests/util.py
+++ b/tests/util.py
@@ -4,4 +4,3 @@ root_path = os.path.dirname(os.path.realpath(__file__))
 
 def test_path(filename):
     return os.path.join(root_path, filename)
-