-rw-r--r--Makefile3
-rwxr-xr-xtests85
2 files changed, 88 insertions, 0 deletions
diff --git a/Makefile b/Makefile
index b2e05ec..9e112a3 100644
--- a/Makefile
+++ b/Makefile
@@ -36,6 +36,9 @@ ssh-agent-filter.o: ssh-agent-filter.C rfc4251.H ssh-agent.h version.h
rfc4251.o: rfc4251.C rfc4251.H
rfc4251_gmp.o: rfc4251_gmp.C rfc4251.H
+test:
+ PATH="$$(pwd):$$PATH" ./tests
+
version.h:
test ! -d .git || git describe | sed 's/^.*$$/#define SSH_AGENT_FILTER_VERSION "ssh-agent-filter \0"/' > $@
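Review bot: The new `test` target declares no prerequisite, so `make test` in a clean tree puts the current directory first on PATH without anything having been built there. The suite would then either fail or, if a copy of `ssh-agent-filter` is installed elsewhere on PATH, silently exercise that copy instead of the code in this tree. I would make the binary a prerequisite, e.g. `test: ssh-agent-filter` (assuming that is the name of the link target, whose rule is outside this hunk), and add `.PHONY: test` unless it is already declared elsewhere in the file. `$(CURDIR)` could also replace `$$(pwd)` to avoid the extra shell substitution.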
diff --git a/tests b/tests
new file mode 100755
index 0000000..b952141
--- /dev/null
+++ b/tests
@@ -0,0 +1,85 @@
+#!/bin/sh
+
+oneTimeSetUp () {
+ set -e
+
+ # prepare keys
+ ( cd "$SHUNIT_TMPDIR"; ssh-keygen -q -t ed25519 -N '' -C key0 -f key0 )
+ ( cd "$SHUNIT_TMPDIR"; ssh-keygen -q -t ed25519 -N '' -C key1 -f key1 )
+
+ # prepare agent
+ eval "$(ssh-agent)"
+
+ ( cd "$SHUNIT_TMPDIR"; ssh-add key0 key1 )
+
+ # delete private keys from file system, they are in the agent now
+ ( cd "$SHUNIT_TMPDIR"; rm key0 key1 )
+
+ set +e
+}
+
+oneTimeTearDown () {
+ [ -z "$SSH_AGENT_PID" ] || kill "$SSH_AGENT_PID"
+}
+
+with_saf_in_tmp () {
+ set -e
+ cd "$SHUNIT_TMPDIR"
+ unset SSH_AGENT_PID
+ eval "$(ssh-agent-filter "$@")" > /dev/null
+ trap 'kill "$SSH_AGENT_PID"' EXIT
+}
+
+produce_filtered_list () (
+ with_saf_in_tmp "$@"
+ ssh-add -L
+)
+
+test_list_filter () {
+ reference_out=$(ssh-add -L | grep ' key0$')
+
+ # sanity check: unfiltered shold be different from filtered
+ assertNotSame "$reference_out" "$(ssh-add -L)"
+
+ assertSame "$reference_out" "$(produce_filtered_list --comment key0)"
+ assertSame "$reference_out" "$(produce_filtered_list --comment-confirmed key0)"
+
+ key0_md5=$(cut -d\ -f2 "$SHUNIT_TMPDIR/key0.pub" | base64 -d | md5sum - | cut -d\ -f1)
+ assertSame "$reference_out" "$(produce_filtered_list --fingerprint "$key0_md5")"
+ assertSame "$reference_out" "$(produce_filtered_list --fingerprint-confirmed "$key0_md5")"
+
+ key0_base64=$(cut -d\ -f2 "$SHUNIT_TMPDIR/key0.pub")
+ assertSame "$reference_out" "$(produce_filtered_list --key "$key0_base64")"
+ assertSame "$reference_out" "$(produce_filtered_list --key-confirmed "$key0_base64")"
+}
+
+sign_key_with_key_filtered () (
+ key_to_be_signed="$1"
+ signing_key="$2"
+ shift 2
+ with_saf_in_tmp "$@"
+ ssh-keygen -Us "$signing_key" -I identify "$key_to_be_signed"
+)
+
+test_sign_filter () {
+ # try to sign with a key that is allowed by the filter
+ assertTrue 'sign_key_with_key_filtered key0 key1 --comment key1'
+
+ # try to sign with a key that is not allowed by the filter
+ assertFalse 'sign_key_with_key_filtered key1 key0 --comment key1'
+}
+
+test_confirmation () {
+ assertTrue 'export SSH_ASKPASS=/bin/true; sign_key_with_key_filtered key0 key1 --comment-confirmed key1'
+ assertFalse 'export SSH_ASKPASS=/bin/false; sign_key_with_key_filtered key0 key1 --comment-confirmed key1'
+
+ cat > "$SHUNIT_TMPDIR/sap" <<-EOT
+ #!/bin/sh
+ echo "\$1" > "$SHUNIT_TMPDIR/sap_out"
+ EOT
+ chmod +x "$SHUNIT_TMPDIR/sap"
+ assertTrue 'export SSH_ASKPASS="$SHUNIT_TMPDIR/sap"; sign_key_with_key_filtered key0 key1 --comment-confirmed key1'
+ assertSame "Something behind the ssh-agent-filter requested use of the key named 'key1'." "$(head -n1 "$SHUNIT_TMPDIR/sap_out")"
+}
+
+. shunit2
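Review bot: `with_saf_in_tmp` never checks that the filter actually started. If `ssh-agent-filter "$@"` prints nothing, `eval` of the empty string still returns success and `SSH_AUTH_SOCK` keeps pointing at the unfiltered agent from `oneTimeSetUp`. In that case the positive assertions in `test_sign_filter` and the first `assertTrue` in `test_confirmation` would pass against the wrong agent, and the `trap` would call `kill` with an empty PID. Recording the upstream socket before the `eval` with `upstream_sock=$SSH_AUTH_SOCK` and adding `[ "$SSH_AUTH_SOCK" != "$upstream_sock" ] || exit 1` after it would make every caller fail fast; the function is only invoked inside subshell-bodied helpers, so `exit` stays contained. A short comment on `with_saf_in_tmp` stating that it must be called from a subshell, because it changes directory, rebinds the agent variables and installs an EXIT trap, would also help.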