summaryrefslogtreecommitdiff
path: root/tests
diff options
context:
space:
mode:
authorTimo Weingärtner <timo@tiwe.de>2018-01-11 21:45:50 +0100
committerTimo Weingärtner <timo@tiwe.de>2018-01-11 21:45:50 +0100
commit7fc55df2837845374888318958794049ecbcf9f6 (patch)
tree3da424b7815cdc884e2eee375634bd943d6d54f3 /tests
parent5b2392b2684a31faeb174affd1a6f518c44f146a (diff)
parentd731f74d7ccf56874953c395bcfcc93efdd70f00 (diff)
downloadssh-agent-filter-7fc55df2837845374888318958794049ecbcf9f6.tar.gz
Merge tag '0.5' into debian
0.5
Diffstat (limited to 'tests')
-rwxr-xr-xtests104
1 files changed, 104 insertions, 0 deletions
diff --git a/tests b/tests
new file mode 100755
index 0000000..d47daf1
--- /dev/null
+++ b/tests
@@ -0,0 +1,104 @@
+#!/bin/sh
+
+# tests for ssh-agent-filter
+#
+# Copyright (C) 2018 Timo Weingärtner <timo@tiwe.de>
+#
+# This file is part of ssh-agent-filter.
+#
+# ssh-agent-filter is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ssh-agent-filter is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with ssh-agent-filter. If not, see <http://www.gnu.org/licenses/>.
+
+oneTimeSetUp () {
+ set -e
+
+ # prepare keys
+ ( cd "$SHUNIT_TMPDIR"; ssh-keygen -q -t ed25519 -N '' -C key0 -f key0 )
+ ( cd "$SHUNIT_TMPDIR"; ssh-keygen -q -t ed25519 -N '' -C key1 -f key1 )
+
+ # prepare agent
+ eval "$(ssh-agent)"
+
+ ( cd "$SHUNIT_TMPDIR"; ssh-add key0 key1 )
+
+ # delete private keys from file system, they are in the agent now
+ ( cd "$SHUNIT_TMPDIR"; rm key0 key1 )
+
+ set +e
+}
+
+oneTimeTearDown () {
+ [ -z "$SSH_AGENT_PID" ] || kill "$SSH_AGENT_PID"
+}
+
+with_saf_in_tmp () {
+ set -e
+ cd "$SHUNIT_TMPDIR"
+ unset SSH_AGENT_PID
+ eval "$(ssh-agent-filter "$@")" > /dev/null
+ trap 'kill "$SSH_AGENT_PID"' EXIT
+}
+
+produce_filtered_list () (
+ with_saf_in_tmp "$@"
+ ssh-add -L
+)
+
+test_list_filter () {
+ reference_out=$(ssh-add -L | grep ' key0$')
+
+ # sanity check: unfiltered shold be different from filtered
+ assertNotSame "$reference_out" "$(ssh-add -L)"
+
+ assertSame "$reference_out" "$(produce_filtered_list --comment key0)"
+ assertSame "$reference_out" "$(produce_filtered_list --comment-confirmed key0)"
+
+ key0_md5=$(cut -d\ -f2 "$SHUNIT_TMPDIR/key0.pub" | base64 -d | md5sum - | cut -d\ -f1)
+ assertSame "$reference_out" "$(produce_filtered_list --fingerprint "$key0_md5")"
+ assertSame "$reference_out" "$(produce_filtered_list --fingerprint-confirmed "$key0_md5")"
+
+ key0_base64=$(cut -d\ -f2 "$SHUNIT_TMPDIR/key0.pub")
+ assertSame "$reference_out" "$(produce_filtered_list --key "$key0_base64")"
+ assertSame "$reference_out" "$(produce_filtered_list --key-confirmed "$key0_base64")"
+}
+
+sign_key_with_key_filtered () (
+ key_to_be_signed="$1"
+ signing_key="$2"
+ shift 2
+ with_saf_in_tmp "$@"
+ ssh-keygen -Us "$signing_key" -I identify "$key_to_be_signed"
+)
+
+test_sign_filter () {
+ # try to sign with a key that is allowed by the filter
+ assertTrue 'sign_key_with_key_filtered key0 key1 --comment key1'
+
+ # try to sign with a key that is not allowed by the filter
+ assertFalse 'sign_key_with_key_filtered key1 key0 --comment key1'
+}
+
+test_confirmation () {
+ assertTrue 'export SSH_ASKPASS=/bin/true; sign_key_with_key_filtered key0 key1 --comment-confirmed key1'
+ assertFalse 'export SSH_ASKPASS=/bin/false; sign_key_with_key_filtered key0 key1 --comment-confirmed key1'
+
+ cat > "$SHUNIT_TMPDIR/sap" <<-EOT
+ #!/bin/sh
+ echo "\$1" > "$SHUNIT_TMPDIR/sap_out"
+ EOT
+ chmod +x "$SHUNIT_TMPDIR/sap"
+ assertTrue 'export SSH_ASKPASS="$SHUNIT_TMPDIR/sap"; sign_key_with_key_filtered key0 key1 --comment-confirmed key1'
+ assertSame "Something behind the ssh-agent-filter requested use of the key named 'key1'." "$(head -n1 "$SHUNIT_TMPDIR/sap_out")"
+}
+
+. shunit2