Merge tag '0.5' into debian

0.5

1 files changed, 104 insertions, 0 deletions

diff --git a/tests b/tests
new file mode 100755
index 0000000..d47daf1
--- /dev/null
+++ b/tests
@@ -0,0 +1,104 @@
+#!/bin/sh
+
+# tests for ssh-agent-filter
+#
+# Copyright (C) 2018 Timo Weingärtner <timo@tiwe.de>
+#
+# This file is part of ssh-agent-filter.
+#
+# ssh-agent-filter is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ssh-agent-filter is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with ssh-agent-filter.  If not, see <http://www.gnu.org/licenses/>.
+
+oneTimeSetUp () {
+	set -e
+
+	# prepare keys
+	( cd "$SHUNIT_TMPDIR"; ssh-keygen -q -t ed25519 -N '' -C key0 -f key0 )
+	( cd "$SHUNIT_TMPDIR"; ssh-keygen -q -t ed25519 -N '' -C key1 -f key1 )
+
+	# prepare agent
+	eval "$(ssh-agent)"
+
+	( cd "$SHUNIT_TMPDIR"; ssh-add key0 key1 )
+
+	# delete private keys from file system, they are in the agent now
+	( cd "$SHUNIT_TMPDIR"; rm key0 key1 )
+
+	set +e
+}
+
+oneTimeTearDown () {
+	[ -z "$SSH_AGENT_PID" ] || kill "$SSH_AGENT_PID"
+}
+
+with_saf_in_tmp () {
+	set -e
+	cd "$SHUNIT_TMPDIR"
+	unset SSH_AGENT_PID
+	eval "$(ssh-agent-filter "$@")" > /dev/null
+	trap 'kill "$SSH_AGENT_PID"' EXIT
+}
+
+produce_filtered_list () (
+	with_saf_in_tmp "$@"
+	ssh-add -L
+)
+
+test_list_filter () {
+	reference_out=$(ssh-add -L | grep ' key0$')
+
+	# sanity check: unfiltered shold be different from filtered
+	assertNotSame "$reference_out" "$(ssh-add -L)"
+
+	assertSame "$reference_out" "$(produce_filtered_list --comment key0)"
+	assertSame "$reference_out" "$(produce_filtered_list --comment-confirmed key0)"
+
+	key0_md5=$(cut -d\  -f2 "$SHUNIT_TMPDIR/key0.pub" | base64 -d | md5sum - | cut -d\  -f1)
+	assertSame "$reference_out" "$(produce_filtered_list --fingerprint "$key0_md5")"
+	assertSame "$reference_out" "$(produce_filtered_list --fingerprint-confirmed "$key0_md5")"
+
+	key0_base64=$(cut -d\  -f2 "$SHUNIT_TMPDIR/key0.pub")
+	assertSame "$reference_out" "$(produce_filtered_list --key "$key0_base64")"
+	assertSame "$reference_out" "$(produce_filtered_list --key-confirmed "$key0_base64")"
+}
+
+sign_key_with_key_filtered () (
+	key_to_be_signed="$1"
+	signing_key="$2"
+	shift 2
+	with_saf_in_tmp "$@"
+	ssh-keygen -Us "$signing_key" -I identify "$key_to_be_signed"
+)
+
+test_sign_filter () {
+	# try to sign with a key that is allowed by the filter
+	assertTrue 'sign_key_with_key_filtered key0 key1 --comment key1'
+
+	# try to sign with a key that is not allowed by the filter
+	assertFalse 'sign_key_with_key_filtered key1 key0 --comment key1'
+}
+
+test_confirmation () {
+	assertTrue 'export SSH_ASKPASS=/bin/true; sign_key_with_key_filtered key0 key1 --comment-confirmed key1'
+	assertFalse 'export SSH_ASKPASS=/bin/false; sign_key_with_key_filtered key0 key1 --comment-confirmed key1'
+
+	cat > "$SHUNIT_TMPDIR/sap" <<-EOT
+		#!/bin/sh
+		echo "\$1" > "$SHUNIT_TMPDIR/sap_out"
+		EOT
+	chmod +x "$SHUNIT_TMPDIR/sap"
+	assertTrue 'export SSH_ASKPASS="$SHUNIT_TMPDIR/sap"; sign_key_with_key_filtered key0 key1 --comment-confirmed key1'
+	assertSame "Something behind the ssh-agent-filter requested use of the key named 'key1'." "$(head -n1 "$SHUNIT_TMPDIR/sap_out")"
+}
+
+. shunit2