aboutsummaryrefslogtreecommitdiff
path: root/tests
blob: 0e7e1e73cd1808a5a3387c39ccd95c61fa07cc8b (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
#!/bin/sh

# tests for ssh-agent-filter
#
# Copyright (C) 2018 Timo Weingärtner <timo@tiwe.de>
#
# This file is part of ssh-agent-filter.
#
# ssh-agent-filter is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# ssh-agent-filter is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with ssh-agent-filter.  If not, see <http://www.gnu.org/licenses/>.

oneTimeSetUp () {
	set -e

	# prepare keys
	( cd "$SHUNIT_TMPDIR"; ssh-keygen -q -t ed25519 -N '' -C key0 -f key0 )
	( cd "$SHUNIT_TMPDIR"; ssh-keygen -q -t ed25519 -N '' -C key1 -f key1 )

	# prepare agent
	eval "$(ssh-agent)"

	( cd "$SHUNIT_TMPDIR"; ssh-add key0 key1 )

	# delete private keys from file system, they are in the agent now
	( cd "$SHUNIT_TMPDIR"; rm key0 key1 )

	set +e
}

oneTimeTearDown () {
	[ -z "$SSH_AGENT_PID" ] || kill "$SSH_AGENT_PID"
}

with_saf_in_tmp () {
	set -e
	cd "$SHUNIT_TMPDIR"
	unset SSH_AGENT_PID
	eval "$(ssh-agent-filter "$@")" > /dev/null
	trap 'kill "$SSH_AGENT_PID"' EXIT
}

produce_filtered_list () (
	with_saf_in_tmp "$@"
	ssh-add -L
)

test_list_filter () {
	reference_out=$(ssh-add -L | grep ' key0$')

	assertNotSame "sanity check: unfiltered shold be different from filtered" "$reference_out" "$(ssh-add -L)"

	assertSame "by comment" "$reference_out" "$(produce_filtered_list --comment key0)"
	assertSame "by comment, confirmed" "$reference_out" "$(produce_filtered_list --comment-confirmed key0)"

	key0_md5=$(cut -d\  -f2 "$SHUNIT_TMPDIR/key0.pub" | base64 -d | md5sum - | cut -d\  -f1)
	assertSame "by md5 fingerprint" "$reference_out" "$(produce_filtered_list --fingerprint "$key0_md5")"
	assertSame "by md5 fingerprint, confirmed" "$reference_out" "$(produce_filtered_list --fingerprint-confirmed "$key0_md5")"

	key0_base64=$(cut -d\  -f2 "$SHUNIT_TMPDIR/key0.pub")
	assertSame "by base64 encoded key" "$reference_out" "$(produce_filtered_list --key "$key0_base64")"
	assertSame "by base64 encoded key, confirmed" "$reference_out" "$(produce_filtered_list --key-confirmed "$key0_base64")"
}

sign_key_with_key_filtered () (
	key_to_be_signed="$1"
	signing_key="$2"
	shift 2
	with_saf_in_tmp "$@"
	ssh-keygen -Us "$signing_key" -I identify "$key_to_be_signed"
)

test_sign_filter () {
	# try to sign with a key that is allowed by the filter
	assertTrue 'sign_key_with_key_filtered key0 key1 --comment key1'

	# try to sign with a key that is not allowed by the filter
	assertFalse 'sign_key_with_key_filtered key1 key0 --comment key1'
}

test_confirmation () {
	assertTrue 'export SSH_ASKPASS=/bin/true; sign_key_with_key_filtered key0 key1 --comment-confirmed key1'
	assertFalse 'export SSH_ASKPASS=/bin/false; sign_key_with_key_filtered key0 key1 --comment-confirmed key1'

	cat > "$SHUNIT_TMPDIR/sap" <<-EOT
		#!/bin/sh
		echo "\$1" > "$SHUNIT_TMPDIR/sap_out"
		EOT
	chmod +x "$SHUNIT_TMPDIR/sap"
	assertTrue 'export SSH_ASKPASS="$SHUNIT_TMPDIR/sap"; sign_key_with_key_filtered key0 key1 --comment-confirmed key1'
	assertSame "Something behind the ssh-agent-filter requested use of the key named 'key1'." "$(head -n1 "$SHUNIT_TMPDIR/sap_out")"
}

. shunit2