From f6fb0fe8298cd6179afbad7c28d5ee82c56c02de Mon Sep 17 00:00:00 2001 From: James Crayne Date: Tue, 26 Apr 2016 05:26:43 -0400 Subject: more export tests --- testkiki/testkiki.hs | 163 ++++++++++++++++++++++++++++++++++++++++++++------- 1 file changed, 141 insertions(+), 22 deletions(-) (limited to 'testkiki/testkiki.hs') diff --git a/testkiki/testkiki.hs b/testkiki/testkiki.hs index 19c54dc..808900a 100644 --- a/testkiki/testkiki.hs +++ b/testkiki/testkiki.hs @@ -18,6 +18,10 @@ import System.IO import Control.Applicative import Control.Monad import qualified Data.ByteString.Char8 as B +import Data.Time.Clock +import Data.Time.Clock.POSIX +import Data.IORef +import Crypto.Hash.SHA1 (hash) #if !MIN_VERSION_base(4,7,0) setEnv k v = System.Posix.Env.setEnv k v True @@ -34,7 +38,7 @@ main = do args <- getArgs cwd <- getCurrentDirectory let chomp x = takeWhile (/='\n') x - date <- maybe (return "") + date <- maybe (return "") (\x -> chomp <$> readProcess x ["+%Y-%m-%d-%H%M%S"] "") =<< findExecutable "date" let tdir = cwd "TESTS" date @@ -57,21 +61,21 @@ main = do createDirectoryIfMissing True chrootdir createDirectoryIfMissing True gnupghomedir let config = TKS { chroot = chrootdir , gnupghome = gnupghomedir } - print config + print config putStrLn "===" - doTests config + doTests config doTests :: TestKikiSettings -> IO () doTests tkConfig = hspec $ do - {- + {- -- Example of shouldThrow - describe "TODO: error" $ - it "throws an exception" $ + describe "TODO: error" $ + it "throws an exception" $ evaluate (error "TODO:testsuite") `shouldThrow` anyException -} -- **** kiki tests ***** - describe "kiki init" $ do + describe "kiki init" $ do it "honors GNUPGHOME environment variable" $ do let kiki = kiki'Env cfg cfg = appendpaths tkConfig "0" 
@@ -80,11 +84,11 @@ doTests tkConfig = hspec $ do it "creates parent directories with --homedir" $ do let home = "home" "tester" cfg = appendpaths tkConfig "1" - kiki = kiki'Env'And'HomeArg cfg - { gnupghome = home ".gnupg" } + kiki = kiki'Env'And'HomeArg cfg + { gnupghome = home ".gnupg" } output <- kiki ["init"] b <- doesDirectoryExist (chroot cfg home) - -- isInfixOf "New packet" output + -- isInfixOf "New packet" output b `shouldBe` True it "creates new secring honoring GNUPGHOME" $ do 
@@ -101,25 +105,134 @@ doTests tkConfig = hspec $ do createDirectoryIfMissing True (chroot cfg "root" ".gnupg") output <- kiki ["init"] let p = (chroot cfg "root" ".gnupg" "secring.gpg") - putStrLn $ "Does exist? " ++ show p b <- doesFileExist p - -- (isInfixOf "New packet" output && b ) - b `shouldBe` True + let c = isInfixOf "New packet" output + (b,c) `shouldBe` (True,True) + + describe "kiki export-secret" $ do + + t <- runIO $ getPOSIXTime + mtime1 <- runIO $ newIORef (posixSecondsToUTCTime t) + mtime2 <- runIO $ newIORef (posixSecondsToUTCTime t) + hash1 <- runIO $ newIORef "" + hash2 <- runIO $ newIORef "" - describe "kiki export-public" $ do - it "does not modify mtime of GNUPGHOME keyrings" $ do - pending it "creates external pem files which do not exist" $ do - pending - it "does not leak secret data from GNUPGHOME keyrings" $ do - pending + let cfg' = appendpaths tkConfig "3" + home = chroot cfg' "root" + gnuhome = home ".gnupg" + cfg = cfg' { gnupghome = gnuhome } + kiki = kiki'Env'NoChroot cfg + secs = home "secs" + tags = [ "tor", "ssh-client", "ssh-server", "ipsec" ] + files = map ((++ ".sec") . 
(secs )) tags + extraArgs = zipWith (\x y -> concat [x,"=",y]) tags files + + tsec0 <- getModificationTime (gnuhome "secring.gpg") + tpub0 <- getModificationTime (gnuhome "pubring.gpg") + + writeIORef mtime1 tsec0 + writeIORef mtime2 tpub0 + + hsec0 <- hash <$> B.readFile (gnuhome "secring.gpg") + hpub0 <- hash <$> B.readFile (gnuhome "pubring.gpg") + + writeIORef hash1 hsec0 + writeIORef hash2 hpub0 + + createDirectoryIfMissing True secs + kiki ("export-secret":extraArgs) + exists <- mapM doesFileExist files + exists `shouldBe` replicate (length files) True + + it "does not modify mtime nor SHA1 of GNUPGHOME keyrings" $ do + let cfg' = appendpaths tkConfig "3" + home = chroot cfg' "root" + gnuhome = home ".gnupg" + -- mtimes + tsec0 <- readIORef mtime1 + tpub0 <- readIORef mtime2 + tsec <- getModificationTime (gnuhome "secring.gpg") + tpub <- getModificationTime (gnuhome "pubring.gpg") + -- SHA1s + hsec0 <- readIORef hash1 + hpub0 <- readIORef hash2 + hsec <- hash <$> B.readFile (gnuhome "secring.gpg") + hpub <- hash <$> B.readFile (gnuhome "pubring.gpg") + ([ tsec , tpub], hsec == hsec0, hpub == hpub0 ) `shouldBe` ([ tsec0,tpub0],True,True) - describe "kiki export-secret" $ do it "fails when public keys in existing PEM files do not match" $ do pending it "updates public pem files to private ones when told to" $ do pending + + + describe "kiki export-public" $ do + + t <- runIO $ getPOSIXTime + mtime1 <- runIO $ newIORef (posixSecondsToUTCTime t) + mtime2 <- runIO $ newIORef (posixSecondsToUTCTime t) + hash1 <- runIO $ newIORef "" + hash2 <- runIO $ newIORef "" + it "creates external pem files which do not exist" $ do + let cfg' = appendpaths tkConfig "3" + home = chroot cfg' "root" + gnuhome = home ".gnupg" + cfg = cfg' { gnupghome = gnuhome } + kiki = kiki'Env'NoChroot cfg + pubs = home "pubs" + tags = [ "tor", "ssh-client", "ssh-server", "ipsec" ] + files = map ((++ ".pub") . 
(pubs )) tags + extraArgs = zipWith (\x y -> concat [x,"=",y]) tags files + + tsec0 <- getModificationTime (gnuhome "secring.gpg") + tpub0 <- getModificationTime (gnuhome "pubring.gpg") + writeIORef mtime1 tsec0 -- <$> getModificationTime (gnuhome "secring.gpg") + writeIORef mtime2 tpub0 -- <$> getModificationTime (gnuhome "pubring.gpg") + + hashSec0 <- hash <$> B.readFile (gnuhome "secring.gpg") + hashPub0 <- hash <$> B.readFile (gnuhome "pubring.gpg") + + writeIORef hash1 hashSec0 -- . hash <$> B.readFile (gnuhome "secring.gpg") + writeIORef hash2 hashPub0 -- . hash <$> B.readFile (gnuhome "pubring.gpg") + + createDirectoryIfMissing True pubs + kiki ("export-public":extraArgs) + exists <- mapM doesFileExist files + exists `shouldBe` replicate (length files) True + + it "does not modify mtime nor SHA1 of GNUPGHOME keyrings" $ do + let cfg' = appendpaths tkConfig "3" + home = chroot cfg' "root" + gnuhome = home ".gnupg" + -- mtimes + tsec0 <- readIORef mtime1 + tpub0 <- readIORef mtime2 + tsec <- getModificationTime (gnuhome "secring.gpg") + tpub <- getModificationTime (gnuhome "pubring.gpg") + -- SHA1s + hsec0 <- readIORef hash1 + hpub0 <- readIORef hash2 + hsec <- hash <$> B.readFile (gnuhome "secring.gpg") + hpub <- hash <$> B.readFile (gnuhome "pubring.gpg") + ([ tsec , tpub], hsec == hsec0, hpub == hpub0 ) `shouldBe` ([ tsec0,tpub0],True,True) + + it "creates public PEM files smaller than exported private PEMs" $ do + let cfg' = appendpaths tkConfig "3" + home = chroot cfg' "root" + gnuhome = home ".gnupg" + pubs = home "pubs" + secs = home "secs" + tags = [ "tor", "ssh-client", "ssh-server", "ipsec" ] + filesPub = map ((++ ".pub") . (pubs )) tags + filesSec = map ((++ ".sec") . 
(secs )) tags + lengthsPub <- map B.length <$> mapM (B.readFile) filesPub + lengthsSec <- map B.length <$> mapM (B.readFile) filesSec + let compares = zipWith (<) lengthsPub lengthsSec + compares `shouldBe` replicate (length tags) True + + it "does not leak secret data from GNUPGHOME keyrings" $ do pending -- **** cokiki tests ***** @@ -142,12 +255,18 @@ doTests tkConfig = hspec $ do pending where kiki'Env config args = do - setEnv "GNUPGHOME" (gnupghome config) + setEnv "GNUPGHOME" (chroot config gnupghome config) let args' = args ++ ["--chroot=" ++ chroot config] r <- readProcess "./dist/build/kiki/kiki" args' "" unsetEnv "GNUPGHOME" return r + kiki'Env'NoChroot config args = do + setEnv "GNUPGHOME" (chroot config gnupghome config) + r <- readProcess "./dist/build/kiki/kiki" args "" + unsetEnv "GNUPGHOME" + return r + kiki'No'Env'No'Home config args = do let args' = args ++ ["--chroot=" ++ chroot config] readProcess "./dist/build/kiki/kiki" args' "" @@ -157,7 +276,7 @@ doTests tkConfig = hspec $ do readProcess "./dist/build/kiki/kiki" args' "" kiki'Env'And'HomeArg config args = do - setEnv "GNUPGHOME" (gnupghome config) + setEnv "GNUPGHOME" (chroot config gnupghome config) let args' = args ++ ["--chroot=" ++ chroot config,"--homedir=" ++ gnupghome config] r <- readProcess "./dist/build/kiki/kiki" args' "" unsetEnv "GNUPGHOME" -- cgit v1.2.3
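Review bot: The new export-secret case "creates external pem files which do not exist" asserts only that the four `.sec` files exist, so a regression that writes private key material group- or world-readable would still pass. If kiki is meant to restrict these files (not visible in this diff), add a mode assertion next to the `exists` check, for example `modes <- mapM (fmap fileMode . getFileStatus) files` followed by `shouldBe (map (.&. 0o077) modes) (replicate (length files) 0)`, which needs `System.Posix.Files` and `Data.Bits` imported. The size comparison in "creates public PEM files smaller than exported private PEMs" is only a proxy for the still-pending "does not leak secret data from GNUPGHOME keyrings" case; asserting that no `.pub` file contains a `PRIVATE KEY` PEM marker would be more direct. Both cases sit inside `doTests`, which starts before this hunk and continues after it.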
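Review bot: The added `kiki'Env'NoChroot` sets GNUPGHOME for the whole test process and unsets it only on the success path, so when `readProcess` throws (it does on a non-zero exit) the variable stays set for every later case, including the helpers that are meant to run without it. This helper also passes no `--chroot`, so it is presumably the one where a stale or wrong GNUPGHOME matters most for keeping kiki inside the test tree. Wrapping the call makes the cleanup unconditional: `bracket_ (setEnv "GNUPGHOME" home) (unsetEnv "GNUPGHOME") (readProcess "./dist/build/kiki/kiki" args "")`, where `home` stands for the path expression already used here and `bracket_` comes from `Control.Exception`. The same set/run/unset pattern is in `kiki'Env` in this hunk and in `kiki'Env'And'HomeArg` in the `@@ -157,7 +276,7 @@` hunk; the `where` block these helpers belong to runs past both hunks.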