287 lines
7.2 KiB
Go
Executable file
287 lines
7.2 KiB
Go
Executable file
// Copyright 2012 The Go Authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style
|
|
// license that can be found in the LICENSE file.
|
|
|
|
package agent
|
|
|
|
import (
|
|
"bytes"
|
|
"crypto/rand"
|
|
"errors"
|
|
"net"
|
|
"os"
|
|
"os/exec"
|
|
"path/filepath"
|
|
"strconv"
|
|
"testing"
|
|
|
|
"github.com/gogits/gogs/modules/crypto/ssh"
|
|
)
|
|
|
|
// startAgent executes ssh-agent, and returns a Agent interface to it.
|
|
func startAgent(t *testing.T) (client Agent, socket string, cleanup func()) {
|
|
if testing.Short() {
|
|
// ssh-agent is not always available, and the key
|
|
// types supported vary by platform.
|
|
t.Skip("skipping test due to -short")
|
|
}
|
|
|
|
bin, err := exec.LookPath("ssh-agent")
|
|
if err != nil {
|
|
t.Skip("could not find ssh-agent")
|
|
}
|
|
|
|
cmd := exec.Command(bin, "-s")
|
|
out, err := cmd.Output()
|
|
if err != nil {
|
|
t.Fatalf("cmd.Output: %v", err)
|
|
}
|
|
|
|
/* Output looks like:
|
|
|
|
SSH_AUTH_SOCK=/tmp/ssh-P65gpcqArqvH/agent.15541; export SSH_AUTH_SOCK;
|
|
SSH_AGENT_PID=15542; export SSH_AGENT_PID;
|
|
echo Agent pid 15542;
|
|
*/
|
|
fields := bytes.Split(out, []byte(";"))
|
|
line := bytes.SplitN(fields[0], []byte("="), 2)
|
|
line[0] = bytes.TrimLeft(line[0], "\n")
|
|
if string(line[0]) != "SSH_AUTH_SOCK" {
|
|
t.Fatalf("could not find key SSH_AUTH_SOCK in %q", fields[0])
|
|
}
|
|
socket = string(line[1])
|
|
|
|
line = bytes.SplitN(fields[2], []byte("="), 2)
|
|
line[0] = bytes.TrimLeft(line[0], "\n")
|
|
if string(line[0]) != "SSH_AGENT_PID" {
|
|
t.Fatalf("could not find key SSH_AGENT_PID in %q", fields[2])
|
|
}
|
|
pidStr := line[1]
|
|
pid, err := strconv.Atoi(string(pidStr))
|
|
if err != nil {
|
|
t.Fatalf("Atoi(%q): %v", pidStr, err)
|
|
}
|
|
|
|
conn, err := net.Dial("unix", string(socket))
|
|
if err != nil {
|
|
t.Fatalf("net.Dial: %v", err)
|
|
}
|
|
|
|
ac := NewClient(conn)
|
|
return ac, socket, func() {
|
|
proc, _ := os.FindProcess(pid)
|
|
if proc != nil {
|
|
proc.Kill()
|
|
}
|
|
conn.Close()
|
|
os.RemoveAll(filepath.Dir(socket))
|
|
}
|
|
}
|
|
|
|
func testAgent(t *testing.T, key interface{}, cert *ssh.Certificate, lifetimeSecs uint32) {
|
|
agent, _, cleanup := startAgent(t)
|
|
defer cleanup()
|
|
|
|
testAgentInterface(t, agent, key, cert, lifetimeSecs)
|
|
}
|
|
|
|
func testAgentInterface(t *testing.T, agent Agent, key interface{}, cert *ssh.Certificate, lifetimeSecs uint32) {
|
|
signer, err := ssh.NewSignerFromKey(key)
|
|
if err != nil {
|
|
t.Fatalf("NewSignerFromKey(%T): %v", key, err)
|
|
}
|
|
// The agent should start up empty.
|
|
if keys, err := agent.List(); err != nil {
|
|
t.Fatalf("RequestIdentities: %v", err)
|
|
} else if len(keys) > 0 {
|
|
t.Fatalf("got %d keys, want 0: %v", len(keys), keys)
|
|
}
|
|
|
|
// Attempt to insert the key, with certificate if specified.
|
|
var pubKey ssh.PublicKey
|
|
if cert != nil {
|
|
err = agent.Add(AddedKey{
|
|
PrivateKey: key,
|
|
Certificate: cert,
|
|
Comment: "comment",
|
|
LifetimeSecs: lifetimeSecs,
|
|
})
|
|
pubKey = cert
|
|
} else {
|
|
err = agent.Add(AddedKey{PrivateKey: key, Comment: "comment", LifetimeSecs: lifetimeSecs})
|
|
pubKey = signer.PublicKey()
|
|
}
|
|
if err != nil {
|
|
t.Fatalf("insert(%T): %v", key, err)
|
|
}
|
|
|
|
// Did the key get inserted successfully?
|
|
if keys, err := agent.List(); err != nil {
|
|
t.Fatalf("List: %v", err)
|
|
} else if len(keys) != 1 {
|
|
t.Fatalf("got %v, want 1 key", keys)
|
|
} else if keys[0].Comment != "comment" {
|
|
t.Fatalf("key comment: got %v, want %v", keys[0].Comment, "comment")
|
|
} else if !bytes.Equal(keys[0].Blob, pubKey.Marshal()) {
|
|
t.Fatalf("key mismatch")
|
|
}
|
|
|
|
// Can the agent make a valid signature?
|
|
data := []byte("hello")
|
|
sig, err := agent.Sign(pubKey, data)
|
|
if err != nil {
|
|
t.Fatalf("Sign(%s): %v", pubKey.Type(), err)
|
|
}
|
|
|
|
if err := pubKey.Verify(data, sig); err != nil {
|
|
t.Fatalf("Verify(%s): %v", pubKey.Type(), err)
|
|
}
|
|
}
|
|
|
|
func TestAgent(t *testing.T) {
|
|
for _, keyType := range []string{"rsa", "dsa", "ecdsa"} {
|
|
testAgent(t, testPrivateKeys[keyType], nil, 0)
|
|
}
|
|
}
|
|
|
|
func TestCert(t *testing.T) {
|
|
cert := &ssh.Certificate{
|
|
Key: testPublicKeys["rsa"],
|
|
ValidBefore: ssh.CertTimeInfinity,
|
|
CertType: ssh.UserCert,
|
|
}
|
|
cert.SignCert(rand.Reader, testSigners["ecdsa"])
|
|
|
|
testAgent(t, testPrivateKeys["rsa"], cert, 0)
|
|
}
|
|
|
|
func TestConstraints(t *testing.T) {
|
|
testAgent(t, testPrivateKeys["rsa"], nil, 3600 /* lifetime in seconds */)
|
|
}
|
|
|
|
// netPipe is analogous to net.Pipe, but it uses a real net.Conn, and
|
|
// therefore is buffered (net.Pipe deadlocks if both sides start with
|
|
// a write.)
|
|
func netPipe() (net.Conn, net.Conn, error) {
|
|
listener, err := net.Listen("tcp", "127.0.0.1:0")
|
|
if err != nil {
|
|
return nil, nil, err
|
|
}
|
|
defer listener.Close()
|
|
c1, err := net.Dial("tcp", listener.Addr().String())
|
|
if err != nil {
|
|
return nil, nil, err
|
|
}
|
|
|
|
c2, err := listener.Accept()
|
|
if err != nil {
|
|
c1.Close()
|
|
return nil, nil, err
|
|
}
|
|
|
|
return c1, c2, nil
|
|
}
|
|
|
|
func TestAuth(t *testing.T) {
|
|
a, b, err := netPipe()
|
|
if err != nil {
|
|
t.Fatalf("netPipe: %v", err)
|
|
}
|
|
|
|
defer a.Close()
|
|
defer b.Close()
|
|
|
|
agent, _, cleanup := startAgent(t)
|
|
defer cleanup()
|
|
|
|
if err := agent.Add(AddedKey{PrivateKey: testPrivateKeys["rsa"], Comment: "comment"}); err != nil {
|
|
t.Errorf("Add: %v", err)
|
|
}
|
|
|
|
serverConf := ssh.ServerConfig{}
|
|
serverConf.AddHostKey(testSigners["rsa"])
|
|
serverConf.PublicKeyCallback = func(c ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) {
|
|
if bytes.Equal(key.Marshal(), testPublicKeys["rsa"].Marshal()) {
|
|
return nil, nil
|
|
}
|
|
|
|
return nil, errors.New("pubkey rejected")
|
|
}
|
|
|
|
go func() {
|
|
conn, _, _, err := ssh.NewServerConn(a, &serverConf)
|
|
if err != nil {
|
|
t.Fatalf("Server: %v", err)
|
|
}
|
|
conn.Close()
|
|
}()
|
|
|
|
conf := ssh.ClientConfig{}
|
|
conf.Auth = append(conf.Auth, ssh.PublicKeysCallback(agent.Signers))
|
|
conn, _, _, err := ssh.NewClientConn(b, "", &conf)
|
|
if err != nil {
|
|
t.Fatalf("NewClientConn: %v", err)
|
|
}
|
|
conn.Close()
|
|
}
|
|
|
|
func TestLockClient(t *testing.T) {
|
|
agent, _, cleanup := startAgent(t)
|
|
defer cleanup()
|
|
testLockAgent(agent, t)
|
|
}
|
|
|
|
func testLockAgent(agent Agent, t *testing.T) {
|
|
if err := agent.Add(AddedKey{PrivateKey: testPrivateKeys["rsa"], Comment: "comment 1"}); err != nil {
|
|
t.Errorf("Add: %v", err)
|
|
}
|
|
if err := agent.Add(AddedKey{PrivateKey: testPrivateKeys["dsa"], Comment: "comment dsa"}); err != nil {
|
|
t.Errorf("Add: %v", err)
|
|
}
|
|
if keys, err := agent.List(); err != nil {
|
|
t.Errorf("List: %v", err)
|
|
} else if len(keys) != 2 {
|
|
t.Errorf("Want 2 keys, got %v", keys)
|
|
}
|
|
|
|
passphrase := []byte("secret")
|
|
if err := agent.Lock(passphrase); err != nil {
|
|
t.Errorf("Lock: %v", err)
|
|
}
|
|
|
|
if keys, err := agent.List(); err != nil {
|
|
t.Errorf("List: %v", err)
|
|
} else if len(keys) != 0 {
|
|
t.Errorf("Want 0 keys, got %v", keys)
|
|
}
|
|
|
|
signer, _ := ssh.NewSignerFromKey(testPrivateKeys["rsa"])
|
|
if _, err := agent.Sign(signer.PublicKey(), []byte("hello")); err == nil {
|
|
t.Fatalf("Sign did not fail")
|
|
}
|
|
|
|
if err := agent.Remove(signer.PublicKey()); err == nil {
|
|
t.Fatalf("Remove did not fail")
|
|
}
|
|
|
|
if err := agent.RemoveAll(); err == nil {
|
|
t.Fatalf("RemoveAll did not fail")
|
|
}
|
|
|
|
if err := agent.Unlock(nil); err == nil {
|
|
t.Errorf("Unlock with wrong passphrase succeeded")
|
|
}
|
|
if err := agent.Unlock(passphrase); err != nil {
|
|
t.Errorf("Unlock: %v", err)
|
|
}
|
|
|
|
if err := agent.Remove(signer.PublicKey()); err != nil {
|
|
t.Fatalf("Remove: %v", err)
|
|
}
|
|
|
|
if keys, err := agent.List(); err != nil {
|
|
t.Errorf("List: %v", err)
|
|
} else if len(keys) != 1 {
|
|
t.Errorf("Want 1 keys, got %v", keys)
|
|
}
|
|
}
|