diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2018-03-03 03:16:17 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2018-03-03 14:39:25 +1100 |
| commit | de1920d743d295f50e6905e5957c4172c038e8eb (patch) | |
| tree | 7653a33a7b665d5ac1dc0367a6dec30d29ca6851 | |
| parent | dc3e92df17556dc5b0ab19cee8dcb2a6ba348717 (diff) | |
upstream: unit tests for new authorized_keys options API
OpenBSD-Regress-ID: 820f9ec9c6301f6ca330ad4052d85f0e67d0bdc1
20 files changed, 640 insertions, 1 deletions
diff --git a/regress/unittests/Makefile b/regress/unittests/Makefile index e975f6ca4..e464b085a 100644 --- a/regress/unittests/Makefile +++ b/regress/unittests/Makefile | |||
| @@ -1,6 +1,7 @@ | |||
| 1 | # $OpenBSD: Makefile,v 1.9 2017/03/14 01:20:29 dtucker Exp $ | 1 | # $OpenBSD: Makefile,v 1.10 2018/03/03 03:16:17 djm Exp $ |
| 2 | 2 | ||
| 3 | REGRESS_FAIL_EARLY?= yes | 3 | REGRESS_FAIL_EARLY?= yes |
| 4 | SUBDIR= test_helper sshbuf sshkey bitmap kex hostkeys utf8 match conversion | 4 | SUBDIR= test_helper sshbuf sshkey bitmap kex hostkeys utf8 match conversion |
| 5 | SUBDIR+=authopt | ||
| 5 | 6 | ||
| 6 | .include <bsd.subdir.mk> | 7 | .include <bsd.subdir.mk> |
diff --git a/regress/unittests/authopt/testdata/all_permit.cert b/regress/unittests/authopt/testdata/all_permit.cert new file mode 100644 index 000000000..38ac57318 --- /dev/null +++ b/regress/unittests/authopt/testdata/all_permit.cert | |||
| @@ -0,0 +1 @@ | |||
| ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIOv/h7mJS1WkRHukSvqPwKDiNVrcib/VqBLpbHW6xjWCAAAAICeF4LbtRqwIRhewXifa5PKpbSU9P/K8CzeVYj8J/iBoAAAAAAAAAAEAAAABAAAABHVzZXIAAAAIAAAABHVzZXIAAAAANouDYAAAAAA4a2VgAAAAAAAAAIIAAAAVcGVybWl0LVgxMS1mb3J3YXJkaW5nAAAAAAAAABdwZXJtaXQtYWdlbnQtZm9yd2FyZGluZwAAAAAAAAAWcGVybWl0LXBvcnQtZm9yd2FyZGluZwAAAAAAAAAKcGVybWl0LXB0eQAAAAAAAAAOcGVybWl0LXVzZXItcmMAAAAAAAAAAAAAADMAAAALc3NoLWVkMjU1MTkAAAAgKFWCzCzQTh9UkoHphbgwaa86Q16Kern0UjqOr7Q+Jk8AAABTAAAAC3NzaC1lZDI1NTE5AAAAQNe1XDN+J4Eb82TH5J5sYypcabocufjTFRfpU57K+csRP41Yo1FCSEWx95ilUuNvK9Iv3yFDOeVPzdqRqzWoHwE= user key | |||
diff --git a/regress/unittests/authopt/testdata/bad_sourceaddr.cert b/regress/unittests/authopt/testdata/bad_sourceaddr.cert new file mode 100644 index 000000000..9732745ac --- /dev/null +++ b/regress/unittests/authopt/testdata/bad_sourceaddr.cert | |||
| @@ -0,0 +1 @@ | |||
| ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAILFEJyunlz9scYU3mwbOEJoSSkeO1z20uNBw13tEn+lJAAAAICeF4LbtRqwIRhewXifa5PKpbSU9P/K8CzeVYj8J/iBoAAAAAAAAAAEAAAABAAAABHVzZXIAAAAIAAAABHVzZXIAAAAANouDYAAAAAA4a2VgAAAAHwAAAA5zb3VyY2UtYWRkcmVzcwAAAAkAAAAFeHh4eHgAAACCAAAAFXBlcm1pdC1YMTEtZm9yd2FyZGluZwAAAAAAAAAXcGVybWl0LWFnZW50LWZvcndhcmRpbmcAAAAAAAAAFnBlcm1pdC1wb3J0LWZvcndhcmRpbmcAAAAAAAAACnBlcm1pdC1wdHkAAAAAAAAADnBlcm1pdC11c2VyLXJjAAAAAAAAAAAAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIChVgsws0E4fVJKB6YW4MGmvOkNeinq59FI6jq+0PiZPAAAAUwAAAAtzc2gtZWQyNTUxOQAAAEA5xY/OEAJ3tgg8/KJqaBR5KMdYYRDiMJ6u4VKS9lQOV1HJQvDDvjj3F5k53BIqTJRVQx242YWs+B3C4db/uLgB user key | |||
diff --git a/regress/unittests/authopt/testdata/force_command.cert b/regress/unittests/authopt/testdata/force_command.cert new file mode 100644 index 000000000..f7af27e43 --- /dev/null +++ b/regress/unittests/authopt/testdata/force_command.cert | |||
| @@ -0,0 +1 @@ | |||
| ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIJkpCeqaVl6qnp7qa90KehAmHFecx3HW8HZQ22KEqeKBAAAAICeF4LbtRqwIRhewXifa5PKpbSU9P/K8CzeVYj8J/iBoAAAAAAAAAAEAAAABAAAABHVzZXIAAAAIAAAABHVzZXIAAAAANouDYAAAAAA4a2VgAAAAHAAAAA1mb3JjZS1jb21tYW5kAAAABwAAAANmb28AAACCAAAAFXBlcm1pdC1YMTEtZm9yd2FyZGluZwAAAAAAAAAXcGVybWl0LWFnZW50LWZvcndhcmRpbmcAAAAAAAAAFnBlcm1pdC1wb3J0LWZvcndhcmRpbmcAAAAAAAAACnBlcm1pdC1wdHkAAAAAAAAADnBlcm1pdC11c2VyLXJjAAAAAAAAAAAAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIChVgsws0E4fVJKB6YW4MGmvOkNeinq59FI6jq+0PiZPAAAAUwAAAAtzc2gtZWQyNTUxOQAAAEAxbhjgbXvfEumRP1E7VH8nUfuJyVlDChhCxiPg9Nvb9PFK8cHdDUEybDCzKCsIDieRc3mtLTyEu7Kb52va/B4C user key | |||
diff --git a/regress/unittests/authopt/testdata/host.cert b/regress/unittests/authopt/testdata/host.cert new file mode 100644 index 000000000..6326d0453 --- /dev/null +++ b/regress/unittests/authopt/testdata/host.cert | |||
| @@ -0,0 +1 @@ | |||
| ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIFWMw3ftP29RSefnxQwdvK1KiE2G9Y7rPRrJ7ZsrDiOeAAAAICeF4LbtRqwIRhewXifa5PKpbSU9P/K8CzeVYj8J/iBoAAAAAAAAAAEAAAACAAAABHVzZXIAAAAIAAAABHVzZXIAAAAANouDYAAAAAA4a2VgAAAAAAAAAAAAAAAAAAAAMwAAAAtzc2gtZWQyNTUxOQAAACAoVYLMLNBOH1SSgemFuDBprzpDXop6ufRSOo6vtD4mTwAAAFMAAAALc3NoLWVkMjU1MTkAAABAKTMqwPkaBg23RS7/aj347dc2kY4bWt/sHwzREYSrKRqZ5RNBnSvZOQ8m5euMCEuf92bZ8VJEdF653jRiW6VoBA== user key | |||
diff --git a/regress/unittests/authopt/testdata/mktestdata.sh b/regress/unittests/authopt/testdata/mktestdata.sh new file mode 100644 index 000000000..06a24e390 --- /dev/null +++ b/regress/unittests/authopt/testdata/mktestdata.sh | |||
| @@ -0,0 +1,48 @@ | |||
| 1 | #/bin/sh | ||
| 2 | |||
| 3 | set -xe | ||
| 4 | |||
| 5 | rm -f ca_key ca_key.pub | ||
| 6 | rm -f user_key user_key.pub | ||
| 7 | rm -f *.cert | ||
| 8 | |||
| 9 | ssh-keygen -q -f ca_key -t ed25519 -C CA -N '' | ||
| 10 | ssh-keygen -q -f user_key -t ed25519 -C "user key" -N '' | ||
| 11 | |||
| 12 | sign() { | ||
| 13 | output=$1 | ||
| 14 | shift | ||
| 15 | set -xe | ||
| 16 | ssh-keygen -q -s ca_key -I user -n user \ | ||
| 17 | -V 19990101:19991231 -z 1 "$@" user_key.pub | ||
| 18 | mv user_key-cert.pub "$output" | ||
| 19 | } | ||
| 20 | |||
| 21 | sign all_permit.cert -Opermit-agent-forwarding -Opermit-port-forwarding \ | ||
| 22 | -Opermit-pty -Opermit-user-rc -Opermit-X11-forwarding | ||
| 23 | sign no_permit.cert -Oclear | ||
| 24 | |||
| 25 | sign no_agentfwd.cert -Ono-agent-forwarding | ||
| 26 | sign no_portfwd.cert -Ono-port-forwarding | ||
| 27 | sign no_pty.cert -Ono-pty | ||
| 28 | sign no_user_rc.cert -Ono-user-rc | ||
| 29 | sign no_x11fwd.cert -Ono-X11-forwarding | ||
| 30 | |||
| 31 | sign only_agentfwd.cert -Oclear -Opermit-agent-forwarding | ||
| 32 | sign only_portfwd.cert -Oclear -Opermit-port-forwarding | ||
| 33 | sign only_pty.cert -Oclear -Opermit-pty | ||
| 34 | sign only_user_rc.cert -Oclear -Opermit-user-rc | ||
| 35 | sign only_x11fwd.cert -Oclear -Opermit-X11-forwarding | ||
| 36 | |||
| 37 | sign force_command.cert -Oforce-command="foo" | ||
| 38 | sign sourceaddr.cert -Osource-address="127.0.0.1/32,::1/128" | ||
| 39 | |||
| 40 | # ssh-keygen won't permit generation of certs with invalid source-address | ||
| 41 | # values, so we do it as a custom extension. | ||
| 42 | sign bad_sourceaddr.cert -Ocritical:source-address=xxxxx | ||
| 43 | |||
| 44 | sign unknown_critical.cert -Ocritical:blah=foo | ||
| 45 | |||
| 46 | sign host.cert -h | ||
| 47 | |||
| 48 | rm -f user_key ca_key user_key.pub ca_key.pub | ||
diff --git a/regress/unittests/authopt/testdata/no_agentfwd.cert b/regress/unittests/authopt/testdata/no_agentfwd.cert new file mode 100644 index 000000000..bfa5c2e65 --- /dev/null +++ b/regress/unittests/authopt/testdata/no_agentfwd.cert | |||
| @@ -0,0 +1 @@ | |||
| ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIL2qEsLCVtKaBkbCrZicxbPUorcHHrQ8yw5h/26krTOlAAAAICeF4LbtRqwIRhewXifa5PKpbSU9P/K8CzeVYj8J/iBoAAAAAAAAAAEAAAABAAAABHVzZXIAAAAIAAAABHVzZXIAAAAANouDYAAAAAA4a2VgAAAAAAAAAGMAAAAVcGVybWl0LVgxMS1mb3J3YXJkaW5nAAAAAAAAABZwZXJtaXQtcG9ydC1mb3J3YXJkaW5nAAAAAAAAAApwZXJtaXQtcHR5AAAAAAAAAA5wZXJtaXQtdXNlci1yYwAAAAAAAAAAAAAAMwAAAAtzc2gtZWQyNTUxOQAAACAoVYLMLNBOH1SSgemFuDBprzpDXop6ufRSOo6vtD4mTwAAAFMAAAALc3NoLWVkMjU1MTkAAABAdRhISpol01OwV30g39PM/JD1t35muskX4lyCcGpFQ08GQtBuHE/hABOp6apbGBJIC7CZYYF+uHkD7PfGU3NPAQ== user key | |||
diff --git a/regress/unittests/authopt/testdata/no_permit.cert b/regress/unittests/authopt/testdata/no_permit.cert new file mode 100644 index 000000000..351e138ae --- /dev/null +++ b/regress/unittests/authopt/testdata/no_permit.cert | |||
| @@ -0,0 +1 @@ | |||
| ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIGVQtVgp9sD4sc8esIhVWbZaM8d0NxpX3UbEVzTHm9feAAAAICeF4LbtRqwIRhewXifa5PKpbSU9P/K8CzeVYj8J/iBoAAAAAAAAAAEAAAABAAAABHVzZXIAAAAIAAAABHVzZXIAAAAANouDYAAAAAA4a2VgAAAAAAAAAAAAAAAAAAAAMwAAAAtzc2gtZWQyNTUxOQAAACAoVYLMLNBOH1SSgemFuDBprzpDXop6ufRSOo6vtD4mTwAAAFMAAAALc3NoLWVkMjU1MTkAAABAIKlI0TqqraKjYTjIuKhwoxAV/XnzWRJHq8lNs4aj5yDb84un2xXDF/0vXoLjPgVcLgEbksBKKn0i4whp+xn9Ag== user key | |||
diff --git a/regress/unittests/authopt/testdata/no_portfwd.cert b/regress/unittests/authopt/testdata/no_portfwd.cert new file mode 100644 index 000000000..9457dc34e --- /dev/null +++ b/regress/unittests/authopt/testdata/no_portfwd.cert | |||
| @@ -0,0 +1 @@ | |||
| ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIE6gC/QjjuzGWVDkr8ZyaHhja80V+lKLC/MvmEFa+CEBAAAAICeF4LbtRqwIRhewXifa5PKpbSU9P/K8CzeVYj8J/iBoAAAAAAAAAAEAAAABAAAABHVzZXIAAAAIAAAABHVzZXIAAAAANouDYAAAAAA4a2VgAAAAAAAAAGQAAAAVcGVybWl0LVgxMS1mb3J3YXJkaW5nAAAAAAAAABdwZXJtaXQtYWdlbnQtZm9yd2FyZGluZwAAAAAAAAAKcGVybWl0LXB0eQAAAAAAAAAOcGVybWl0LXVzZXItcmMAAAAAAAAAAAAAADMAAAALc3NoLWVkMjU1MTkAAAAgKFWCzCzQTh9UkoHphbgwaa86Q16Kern0UjqOr7Q+Jk8AAABTAAAAC3NzaC1lZDI1NTE5AAAAQEzpgckYlfc1BK1ir0reDSXo9OIDx4UoDMrNXrFO6I44NXoJJ4TlUUJH07WcKp/Xp5ESCdyVZtqwgHQxZr0+PwI= user key | |||
diff --git a/regress/unittests/authopt/testdata/no_pty.cert b/regress/unittests/authopt/testdata/no_pty.cert new file mode 100644 index 000000000..e8154ec7f --- /dev/null +++ b/regress/unittests/authopt/testdata/no_pty.cert | |||
| @@ -0,0 +1 @@ | |||
| ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIFFjhISpSDR3blDejuCf2T9Fe4aHW53jG7KOH2PV/E7jAAAAICeF4LbtRqwIRhewXifa5PKpbSU9P/K8CzeVYj8J/iBoAAAAAAAAAAEAAAABAAAABHVzZXIAAAAIAAAABHVzZXIAAAAANouDYAAAAAA4a2VgAAAAAAAAAHAAAAAVcGVybWl0LVgxMS1mb3J3YXJkaW5nAAAAAAAAABdwZXJtaXQtYWdlbnQtZm9yd2FyZGluZwAAAAAAAAAWcGVybWl0LXBvcnQtZm9yd2FyZGluZwAAAAAAAAAOcGVybWl0LXVzZXItcmMAAAAAAAAAAAAAADMAAAALc3NoLWVkMjU1MTkAAAAgKFWCzCzQTh9UkoHphbgwaa86Q16Kern0UjqOr7Q+Jk8AAABTAAAAC3NzaC1lZDI1NTE5AAAAQF5c4BdxVYgqbMGAep414IGFK4deCFBCeNUTOLpKodrfb1M0gS4d2qoeMxZvMv5yMf/viKl/gallHzEmcrEcIQY= user key | |||
diff --git a/regress/unittests/authopt/testdata/no_user_rc.cert b/regress/unittests/authopt/testdata/no_user_rc.cert new file mode 100644 index 000000000..6676a0cbd --- /dev/null +++ b/regress/unittests/authopt/testdata/no_user_rc.cert | |||
| @@ -0,0 +1 @@ | |||
| ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIFUM0VLATkYh05QeS5uuhB1X50NMom3jTWeQUmrPQ1FwAAAAICeF4LbtRqwIRhewXifa5PKpbSU9P/K8CzeVYj8J/iBoAAAAAAAAAAEAAAABAAAABHVzZXIAAAAIAAAABHVzZXIAAAAANouDYAAAAAA4a2VgAAAAAAAAAGwAAAAVcGVybWl0LVgxMS1mb3J3YXJkaW5nAAAAAAAAABdwZXJtaXQtYWdlbnQtZm9yd2FyZGluZwAAAAAAAAAWcGVybWl0LXBvcnQtZm9yd2FyZGluZwAAAAAAAAAKcGVybWl0LXB0eQAAAAAAAAAAAAAAMwAAAAtzc2gtZWQyNTUxOQAAACAoVYLMLNBOH1SSgemFuDBprzpDXop6ufRSOo6vtD4mTwAAAFMAAAALc3NoLWVkMjU1MTkAAABAcmJ3c2FCKJL9BCLv1Ij+uN1N+NWZmMXYionsSkv42Go4pMZiH3g8UfTd+OKq9Q7GAcCzGXa///6Dr/wqFssoDA== user key | |||
diff --git a/regress/unittests/authopt/testdata/no_x11fwd.cert b/regress/unittests/authopt/testdata/no_x11fwd.cert new file mode 100644 index 000000000..0aff9e6cf --- /dev/null +++ b/regress/unittests/authopt/testdata/no_x11fwd.cert | |||
| @@ -0,0 +1 @@ | |||
| ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIPRKPAP+b5S+4zihdgoJrYNcMovFBgKZaJupIhN1kUvkAAAAICeF4LbtRqwIRhewXifa5PKpbSU9P/K8CzeVYj8J/iBoAAAAAAAAAAEAAAABAAAABHVzZXIAAAAIAAAABHVzZXIAAAAANouDYAAAAAA4a2VgAAAAAAAAAGUAAAAXcGVybWl0LWFnZW50LWZvcndhcmRpbmcAAAAAAAAAFnBlcm1pdC1wb3J0LWZvcndhcmRpbmcAAAAAAAAACnBlcm1pdC1wdHkAAAAAAAAADnBlcm1pdC11c2VyLXJjAAAAAAAAAAAAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIChVgsws0E4fVJKB6YW4MGmvOkNeinq59FI6jq+0PiZPAAAAUwAAAAtzc2gtZWQyNTUxOQAAAECMzj6VDfT+BJmIEo1qUKdr8VDLExF92K7KkbNxTH77n7uip7TL24HDfXjYBCvqxSSn9KAGBhnWsIC/GPx6A+cP user key | |||
diff --git a/regress/unittests/authopt/testdata/only_agentfwd.cert b/regress/unittests/authopt/testdata/only_agentfwd.cert new file mode 100644 index 000000000..3cf64b05c --- /dev/null +++ b/regress/unittests/authopt/testdata/only_agentfwd.cert | |||
| @@ -0,0 +1 @@ | |||
| ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIOvJ28yW5uvA7yxE3ySuyFvPjcRYKAr03CYr4okGTNIFAAAAICeF4LbtRqwIRhewXifa5PKpbSU9P/K8CzeVYj8J/iBoAAAAAAAAAAEAAAABAAAABHVzZXIAAAAIAAAABHVzZXIAAAAANouDYAAAAAA4a2VgAAAAAAAAAB8AAAAXcGVybWl0LWFnZW50LWZvcndhcmRpbmcAAAAAAAAAAAAAADMAAAALc3NoLWVkMjU1MTkAAAAgKFWCzCzQTh9UkoHphbgwaa86Q16Kern0UjqOr7Q+Jk8AAABTAAAAC3NzaC1lZDI1NTE5AAAAQEG2uTgmOSk9dJ0s/Ol1EIERXFP9PF6AauF9t5jBMSthNyvSANSrC/1EIaf4TV5kMYfhZxJXoS0XHQjGndcq2AE= user key | |||
diff --git a/regress/unittests/authopt/testdata/only_portfwd.cert b/regress/unittests/authopt/testdata/only_portfwd.cert new file mode 100644 index 000000000..bb09c3a63 --- /dev/null +++ b/regress/unittests/authopt/testdata/only_portfwd.cert | |||
| @@ -0,0 +1 @@ | |||
| ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIGPoYoExiSyHMyDEvOFgoNZXk5z91u7xq/7357X23TotAAAAICeF4LbtRqwIRhewXifa5PKpbSU9P/K8CzeVYj8J/iBoAAAAAAAAAAEAAAABAAAABHVzZXIAAAAIAAAABHVzZXIAAAAANouDYAAAAAA4a2VgAAAAAAAAAB4AAAAWcGVybWl0LXBvcnQtZm9yd2FyZGluZwAAAAAAAAAAAAAAMwAAAAtzc2gtZWQyNTUxOQAAACAoVYLMLNBOH1SSgemFuDBprzpDXop6ufRSOo6vtD4mTwAAAFMAAAALc3NoLWVkMjU1MTkAAABAHN3YnwipcbDKVn+PObGSoaT9rwlau+yrPYZ50oetvCKng3RMjGaV+roqlv0vjjLcxE9J4Y0ti+9MXtQ0D7beBA== user key | |||
diff --git a/regress/unittests/authopt/testdata/only_pty.cert b/regress/unittests/authopt/testdata/only_pty.cert new file mode 100644 index 000000000..520c89f3b --- /dev/null +++ b/regress/unittests/authopt/testdata/only_pty.cert | |||
| @@ -0,0 +1 @@ | |||
| ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAILvocWYto5Lg7P46YLbe7U4/b2h9Lr5rWqMZ4Cj4ra7RAAAAICeF4LbtRqwIRhewXifa5PKpbSU9P/K8CzeVYj8J/iBoAAAAAAAAAAEAAAABAAAABHVzZXIAAAAIAAAABHVzZXIAAAAANouDYAAAAAA4a2VgAAAAAAAAABIAAAAKcGVybWl0LXB0eQAAAAAAAAAAAAAAMwAAAAtzc2gtZWQyNTUxOQAAACAoVYLMLNBOH1SSgemFuDBprzpDXop6ufRSOo6vtD4mTwAAAFMAAAALc3NoLWVkMjU1MTkAAABASv2xQvp+Y6E8dCf5pzg3MZaan5bl1ToYXNcmQ3ysGrk9Djkcu8m3TytDpF471KmUejxy/iF4xjs9CDpk7h+SBQ== user key | |||
diff --git a/regress/unittests/authopt/testdata/only_user_rc.cert b/regress/unittests/authopt/testdata/only_user_rc.cert new file mode 100644 index 000000000..fb49c35f3 --- /dev/null +++ b/regress/unittests/authopt/testdata/only_user_rc.cert | |||
| @@ -0,0 +1 @@ | |||
| ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIJwsRZQ7kx4A8AQ0q/G/3i6sHM48kr4TxJtTcyy3lZAPAAAAICeF4LbtRqwIRhewXifa5PKpbSU9P/K8CzeVYj8J/iBoAAAAAAAAAAEAAAABAAAABHVzZXIAAAAIAAAABHVzZXIAAAAANouDYAAAAAA4a2VgAAAAAAAAABYAAAAOcGVybWl0LXVzZXItcmMAAAAAAAAAAAAAADMAAAALc3NoLWVkMjU1MTkAAAAgKFWCzCzQTh9UkoHphbgwaa86Q16Kern0UjqOr7Q+Jk8AAABTAAAAC3NzaC1lZDI1NTE5AAAAQDhgEXsvoHr21XrxmiZq/sIjWeYapp11XvEVkkTBPVhBnPwtrrUeJbPmGs3gmJkQdv8BYajYpT7TXEX8GvEeLwU= user key | |||
diff --git a/regress/unittests/authopt/testdata/only_x11fwd.cert b/regress/unittests/authopt/testdata/only_x11fwd.cert new file mode 100644 index 000000000..6715585a0 --- /dev/null +++ b/regress/unittests/authopt/testdata/only_x11fwd.cert | |||
| @@ -0,0 +1 @@ | |||
| ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIDAhZFZBl3eu8Qa8I5BaHCz/mpH8xCjaPusBwo1eJ9OGAAAAICeF4LbtRqwIRhewXifa5PKpbSU9P/K8CzeVYj8J/iBoAAAAAAAAAAEAAAABAAAABHVzZXIAAAAIAAAABHVzZXIAAAAANouDYAAAAAA4a2VgAAAAAAAAAB0AAAAVcGVybWl0LVgxMS1mb3J3YXJkaW5nAAAAAAAAAAAAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIChVgsws0E4fVJKB6YW4MGmvOkNeinq59FI6jq+0PiZPAAAAUwAAAAtzc2gtZWQyNTUxOQAAAEDysfgbhniX/zdA8576rrDJpaO2D7QtQse2KWIM9XmREPkLKeP6FKiXKKFcPQiMyV28rptfvK8bBXAiOvITSUgL user key | |||
diff --git a/regress/unittests/authopt/testdata/sourceaddr.cert b/regress/unittests/authopt/testdata/sourceaddr.cert new file mode 100644 index 000000000..0fcf7b182 --- /dev/null +++ b/regress/unittests/authopt/testdata/sourceaddr.cert | |||
| @@ -0,0 +1 @@ | |||
| ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIJ54qqoPs87gtjN1aJoLUn7ZTYUtcaGxkzLyJvRkYG7nAAAAICeF4LbtRqwIRhewXifa5PKpbSU9P/K8CzeVYj8J/iBoAAAAAAAAAAEAAAABAAAABHVzZXIAAAAIAAAABHVzZXIAAAAANouDYAAAAAA4a2VgAAAALgAAAA5zb3VyY2UtYWRkcmVzcwAAABgAAAAUMTI3LjAuMC4xLzMyLDo6MS8xMjgAAACCAAAAFXBlcm1pdC1YMTEtZm9yd2FyZGluZwAAAAAAAAAXcGVybWl0LWFnZW50LWZvcndhcmRpbmcAAAAAAAAAFnBlcm1pdC1wb3J0LWZvcndhcmRpbmcAAAAAAAAACnBlcm1pdC1wdHkAAAAAAAAADnBlcm1pdC11c2VyLXJjAAAAAAAAAAAAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIChVgsws0E4fVJKB6YW4MGmvOkNeinq59FI6jq+0PiZPAAAAUwAAAAtzc2gtZWQyNTUxOQAAAEAppSUKQ/a9tw/HgIazWceCO3d48GU7mkV4iQMpWWs2nB1dFryY1GDtZrBggAjMviwmBXyM3jIk5vxJDINZXGQJ user key | |||
diff --git a/regress/unittests/authopt/testdata/unknown_critical.cert b/regress/unittests/authopt/testdata/unknown_critical.cert new file mode 100644 index 000000000..216960ab3 --- /dev/null +++ b/regress/unittests/authopt/testdata/unknown_critical.cert | |||
| @@ -0,0 +1 @@ | |||
| ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIIjs/wRAB/p5QShSfqoU9cWnCLT3lSveUirk61A27KxVAAAAICeF4LbtRqwIRhewXifa5PKpbSU9P/K8CzeVYj8J/iBoAAAAAAAAAAEAAAABAAAABHVzZXIAAAAIAAAABHVzZXIAAAAANouDYAAAAAA4a2VgAAAAEwAAAARibGFoAAAABwAAAANmb28AAACCAAAAFXBlcm1pdC1YMTEtZm9yd2FyZGluZwAAAAAAAAAXcGVybWl0LWFnZW50LWZvcndhcmRpbmcAAAAAAAAAFnBlcm1pdC1wb3J0LWZvcndhcmRpbmcAAAAAAAAACnBlcm1pdC1wdHkAAAAAAAAADnBlcm1pdC11c2VyLXJjAAAAAAAAAAAAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIChVgsws0E4fVJKB6YW4MGmvOkNeinq59FI6jq+0PiZPAAAAUwAAAAtzc2gtZWQyNTUxOQAAAEDix3FV7JIBuHNAwtZOVIqGBq8lqhnEwP51DqPA43qt+Tzynm56EWxuFzgGehBPF3L8gl+fVqxIJmiQ9iHB0LUD user key | |||
diff --git a/regress/unittests/authopt/tests.c b/regress/unittests/authopt/tests.c new file mode 100644 index 000000000..0e8aacb91 --- /dev/null +++ b/regress/unittests/authopt/tests.c | |||
| @@ -0,0 +1,573 @@ | |||
| 1 | /* $OpenBSD: tests.c,v 1.1 2018/03/03 03:16:17 djm Exp $ */ | ||
| 2 | |||
| 3 | /* | ||
| 4 | * Regress test for keys options functions. | ||
| 5 | * | ||
| 6 | * Placed in the public domain | ||
| 7 | */ | ||
| 8 | |||
| 9 | #include <sys/types.h> | ||
| 10 | #include <sys/param.h> | ||
| 11 | #include <stdio.h> | ||
| 12 | #include <stdint.h> | ||
| 13 | #include <stdlib.h> | ||
| 14 | #include <string.h> | ||
| 15 | |||
| 16 | #include "test_helper.h" | ||
| 17 | |||
| 18 | #include "sshkey.h" | ||
| 19 | #include "authfile.h" | ||
| 20 | #include "auth-options.h" | ||
| 21 | #include "misc.h" | ||
| 22 | #include "log.h" | ||
| 23 | |||
| 24 | static struct sshkey * | ||
| 25 | load_key(const char *name) | ||
| 26 | { | ||
| 27 | struct sshkey *ret; | ||
| 28 | int r; | ||
| 29 | |||
| 30 | r = sshkey_load_public(test_data_file(name), &ret, NULL); | ||
| 31 | ASSERT_INT_EQ(r, 0); | ||
| 32 | ASSERT_PTR_NE(ret, NULL); | ||
| 33 | return ret; | ||
| 34 | } | ||
| 35 | |||
| 36 | static struct sshauthopt * | ||
| 37 | default_authkey_opts(void) | ||
| 38 | { | ||
| 39 | struct sshauthopt *ret = sshauthopt_new(); | ||
| 40 | |||
| 41 | ASSERT_PTR_NE(ret, NULL); | ||
| 42 | ret->permit_port_forwarding_flag = 1; | ||
| 43 | ret->permit_agent_forwarding_flag = 1; | ||
| 44 | ret->permit_x11_forwarding_flag = 1; | ||
| 45 | ret->permit_pty_flag = 1; | ||
| 46 | ret->permit_user_rc = 1; | ||
| 47 | return ret; | ||
| 48 | } | ||
| 49 | |||
| 50 | static struct sshauthopt * | ||
| 51 | default_authkey_restrict_opts(void) | ||
| 52 | { | ||
| 53 | struct sshauthopt *ret = sshauthopt_new(); | ||
| 54 | |||
| 55 | ASSERT_PTR_NE(ret, NULL); | ||
| 56 | ret->permit_port_forwarding_flag = 0; | ||
| 57 | ret->permit_agent_forwarding_flag = 0; | ||
| 58 | ret->permit_x11_forwarding_flag = 0; | ||
| 59 | ret->permit_pty_flag = 0; | ||
| 60 | ret->permit_user_rc = 0; | ||
| 61 | ret->restricted = 1; | ||
| 62 | return ret; | ||
| 63 | } | ||
| 64 | |||
| 65 | static char ** | ||
| 66 | commasplit(const char *s, size_t *np) | ||
| 67 | { | ||
| 68 | char *ocp, *cp, *cp2, **ret = NULL; | ||
| 69 | size_t n; | ||
| 70 | |||
| 71 | ocp = cp = strdup(s); | ||
| 72 | ASSERT_PTR_NE(cp, NULL); | ||
| 73 | for (n = 0; (cp2 = strsep(&cp, ",")) != NULL;) { | ||
| 74 | ret = recallocarray(ret, n, n + 1, sizeof(*ret)); | ||
| 75 | ASSERT_PTR_NE(ret, NULL); | ||
| 76 | cp2 = strdup(cp2); | ||
| 77 | ASSERT_PTR_NE(cp2, NULL); | ||
| 78 | ret[n++] = cp2; | ||
| 79 | } | ||
| 80 | free(ocp); | ||
| 81 | *np = n; | ||
| 82 | return ret; | ||
| 83 | } | ||
| 84 | |||
| 85 | static void | ||
| 86 | compare_opts(const struct sshauthopt *opts, | ||
| 87 | const struct sshauthopt *expected) | ||
| 88 | { | ||
| 89 | size_t i; | ||
| 90 | |||
| 91 | ASSERT_PTR_NE(opts, NULL); | ||
| 92 | ASSERT_PTR_NE(expected, NULL); | ||
| 93 | ASSERT_PTR_NE(expected, opts); /* bozo :) */ | ||
| 94 | |||
| 95 | #define FLAG_EQ(x) ASSERT_INT_EQ(opts->x, expected->x) | ||
| 96 | FLAG_EQ(permit_port_forwarding_flag); | ||
| 97 | FLAG_EQ(permit_agent_forwarding_flag); | ||
| 98 | FLAG_EQ(permit_x11_forwarding_flag); | ||
| 99 | FLAG_EQ(permit_pty_flag); | ||
| 100 | FLAG_EQ(permit_user_rc); | ||
| 101 | FLAG_EQ(restricted); | ||
| 102 | FLAG_EQ(cert_authority); | ||
| 103 | #undef FLAG_EQ | ||
| 104 | |||
| 105 | #define STR_EQ(x) \ | ||
| 106 | do { \ | ||
| 107 | if (expected->x == NULL) \ | ||
| 108 | ASSERT_PTR_EQ(opts->x, expected->x); \ | ||
| 109 | else \ | ||
| 110 | ASSERT_STRING_EQ(opts->x, expected->x); \ | ||
| 111 | } while (0) | ||
| 112 | STR_EQ(cert_principals); | ||
| 113 | STR_EQ(force_command); | ||
| 114 | STR_EQ(required_from_host_cert); | ||
| 115 | STR_EQ(required_from_host_keys); | ||
| 116 | #undef STR_EQ | ||
| 117 | |||
| 118 | #define ARRAY_EQ(nx, x) \ | ||
| 119 | do { \ | ||
| 120 | ASSERT_SIZE_T_EQ(opts->nx, expected->nx); \ | ||
| 121 | if (expected->nx == 0) \ | ||
| 122 | break; \ | ||
| 123 | for (i = 0; i < expected->nx; i++) \ | ||
| 124 | ASSERT_STRING_EQ(opts->x[i], expected->x[i]); \ | ||
| 125 | } while (0) | ||
| 126 | ARRAY_EQ(nenv, env); | ||
| 127 | ARRAY_EQ(npermitopen, permitopen); | ||
| 128 | #undef ARRAY_EQ | ||
| 129 | } | ||
| 130 | |||
| 131 | static void | ||
| 132 | test_authkeys_parse(void) | ||
| 133 | { | ||
| 134 | struct sshauthopt *opts, *expected; | ||
| 135 | const char *errstr; | ||
| 136 | |||
| 137 | #define FAIL_TEST(label, keywords) \ | ||
| 138 | do { \ | ||
| 139 | TEST_START("sshauthopt_parse invalid " label); \ | ||
| 140 | opts = sshauthopt_parse(keywords, &errstr); \ | ||
| 141 | ASSERT_PTR_EQ(opts, NULL); \ | ||
| 142 | ASSERT_PTR_NE(errstr, NULL); \ | ||
| 143 | TEST_DONE(); \ | ||
| 144 | } while (0) | ||
| 145 | #define CHECK_SUCCESS_AND_CLEANUP() \ | ||
| 146 | do { \ | ||
| 147 | if (errstr != NULL) \ | ||
| 148 | ASSERT_STRING_EQ(errstr, ""); \ | ||
| 149 | compare_opts(opts, expected); \ | ||
| 150 | sshauthopt_free(expected); \ | ||
| 151 | sshauthopt_free(opts); \ | ||
| 152 | } while (0) | ||
| 153 | |||
| 154 | /* Basic tests */ | ||
| 155 | TEST_START("sshauthopt_parse empty"); | ||
| 156 | expected = default_authkey_opts(); | ||
| 157 | opts = sshauthopt_parse("", &errstr); | ||
| 158 | CHECK_SUCCESS_AND_CLEANUP(); | ||
| 159 | TEST_DONE(); | ||
| 160 | |||
| 161 | TEST_START("sshauthopt_parse trailing whitespace"); | ||
| 162 | expected = default_authkey_opts(); | ||
| 163 | opts = sshauthopt_parse(" ", &errstr); | ||
| 164 | CHECK_SUCCESS_AND_CLEANUP(); | ||
| 165 | TEST_DONE(); | ||
| 166 | |||
| 167 | TEST_START("sshauthopt_parse restrict"); | ||
| 168 | expected = default_authkey_restrict_opts(); | ||
| 169 | opts = sshauthopt_parse("restrict", &errstr); | ||
| 170 | CHECK_SUCCESS_AND_CLEANUP(); | ||
| 171 | TEST_DONE(); | ||
| 172 | |||
| 173 | /* Invalid syntax */ | ||
| 174 | FAIL_TEST("trailing comma", "restrict,"); | ||
| 175 | FAIL_TEST("bare comma", ","); | ||
| 176 | FAIL_TEST("unknown option", "BLAH"); | ||
| 177 | FAIL_TEST("unknown option with trailing comma", "BLAH,"); | ||
| 178 | FAIL_TEST("unknown option with trailing whitespace", "BLAH "); | ||
| 179 | |||
| 180 | /* force_tun_device */ | ||
| 181 | TEST_START("sshauthopt_parse tunnel explicit"); | ||
| 182 | expected = default_authkey_opts(); | ||
| 183 | expected->force_tun_device = 1; | ||
| 184 | opts = sshauthopt_parse("tunnel=\"1\"", &errstr); | ||
| 185 | CHECK_SUCCESS_AND_CLEANUP(); | ||
| 186 | TEST_DONE(); | ||
| 187 | |||
| 188 | TEST_START("sshauthopt_parse tunnel any"); | ||
| 189 | expected = default_authkey_opts(); | ||
| 190 | expected->force_tun_device = SSH_TUNID_ANY; | ||
| 191 | opts = sshauthopt_parse("tunnel=\"any\"", &errstr); | ||
| 192 | CHECK_SUCCESS_AND_CLEANUP(); | ||
| 193 | TEST_DONE(); | ||
| 194 | |||
| 195 | FAIL_TEST("tunnel", "tunnel=\"blah\""); | ||
| 196 | |||
| 197 | /* Flag options */ | ||
| 198 | #define FLAG_TEST(keyword, var, val) \ | ||
| 199 | do { \ | ||
| 200 | TEST_START("sshauthopt_parse " keyword); \ | ||
| 201 | expected = default_authkey_opts(); \ | ||
| 202 | expected->var = val; \ | ||
| 203 | opts = sshauthopt_parse(keyword, &errstr); \ | ||
| 204 | CHECK_SUCCESS_AND_CLEANUP(); \ | ||
| 205 | expected = default_authkey_restrict_opts(); \ | ||
| 206 | expected->var = val; \ | ||
| 207 | opts = sshauthopt_parse("restrict,"keyword, &errstr); \ | ||
| 208 | CHECK_SUCCESS_AND_CLEANUP(); \ | ||
| 209 | TEST_DONE(); \ | ||
| 210 | } while (0) | ||
| 211 | /* Positive flags */ | ||
| 212 | FLAG_TEST("cert-authority", cert_authority, 1); | ||
| 213 | FLAG_TEST("port-forwarding", permit_port_forwarding_flag, 1); | ||
| 214 | FLAG_TEST("agent-forwarding", permit_agent_forwarding_flag, 1); | ||
| 215 | FLAG_TEST("x11-forwarding", permit_x11_forwarding_flag, 1); | ||
| 216 | FLAG_TEST("pty", permit_pty_flag, 1); | ||
| 217 | FLAG_TEST("user-rc", permit_user_rc, 1); | ||
| 218 | /* Negative flags */ | ||
| 219 | FLAG_TEST("no-port-forwarding", permit_port_forwarding_flag, 0); | ||
| 220 | FLAG_TEST("no-agent-forwarding", permit_agent_forwarding_flag, 0); | ||
| 221 | FLAG_TEST("no-x11-forwarding", permit_x11_forwarding_flag, 0); | ||
| 222 | FLAG_TEST("no-pty", permit_pty_flag, 0); | ||
| 223 | FLAG_TEST("no-user-rc", permit_user_rc, 0); | ||
| 224 | #undef FLAG_TEST | ||
| 225 | FAIL_TEST("no-cert-authority", "no-cert-authority"); | ||
| 226 | |||
| 227 | /* String options */ | ||
| 228 | #define STRING_TEST(keyword, var, val) \ | ||
| 229 | do { \ | ||
| 230 | TEST_START("sshauthopt_parse " keyword); \ | ||
| 231 | expected = default_authkey_opts(); \ | ||
| 232 | expected->var = strdup(val); \ | ||
| 233 | ASSERT_PTR_NE(expected->var, NULL); \ | ||
| 234 | opts = sshauthopt_parse(keyword "=" #val, &errstr); \ | ||
| 235 | CHECK_SUCCESS_AND_CLEANUP(); \ | ||
| 236 | expected = default_authkey_restrict_opts(); \ | ||
| 237 | expected->var = strdup(val); \ | ||
| 238 | ASSERT_PTR_NE(expected->var, NULL); \ | ||
| 239 | opts = sshauthopt_parse( \ | ||
| 240 | "restrict," keyword "=" #val ",restrict", &errstr); \ | ||
| 241 | CHECK_SUCCESS_AND_CLEANUP(); \ | ||
| 242 | TEST_DONE(); \ | ||
| 243 | } while (0) | ||
| 244 | STRING_TEST("command", force_command, "/bin/true"); | ||
| 245 | STRING_TEST("principals", cert_principals, "gregor,josef,K"); | ||
| 246 | STRING_TEST("from", required_from_host_keys, "127.0.0.0/8"); | ||
| 247 | #undef STRING_TEST | ||
| 248 | FAIL_TEST("unquoted command", "command=oops"); | ||
| 249 | FAIL_TEST("unquoted principals", "principals=estragon"); | ||
| 250 | FAIL_TEST("unquoted from", "from=127.0.0.1"); | ||
| 251 | |||
| 252 | /* String array option tests */ | ||
| 253 | #define ARRAY_TEST(label, keywords, var, nvar, val) \ | ||
| 254 | do { \ | ||
| 255 | TEST_START("sshauthopt_parse " label); \ | ||
| 256 | expected = default_authkey_opts(); \ | ||
| 257 | expected->var = commasplit(val, &expected->nvar); \ | ||
| 258 | ASSERT_PTR_NE(expected->var, NULL); \ | ||
| 259 | opts = sshauthopt_parse(keywords, &errstr); \ | ||
| 260 | CHECK_SUCCESS_AND_CLEANUP(); \ | ||
| 261 | expected = default_authkey_restrict_opts(); \ | ||
| 262 | expected->var = commasplit(val, &expected->nvar); \ | ||
| 263 | ASSERT_PTR_NE(expected->var, NULL); \ | ||
| 264 | opts = sshauthopt_parse( \ | ||
| 265 | "restrict," keywords ",restrict", &errstr); \ | ||
| 266 | CHECK_SUCCESS_AND_CLEANUP(); \ | ||
| 267 | TEST_DONE(); \ | ||
| 268 | } while (0) | ||
| 269 | ARRAY_TEST("environment", "environment=\"foo=1\",environment=\"bar=2\"", | ||
| 270 | env, nenv, "foo=1,bar=2"); | ||
| 271 | ARRAY_TEST("permitopen", "permitopen=\"foo:123\",permitopen=\"bar:*\"", | ||
| 272 | permitopen, npermitopen, "foo:123,bar:*"); | ||
| 273 | #undef ARRAY_TEST | ||
| 274 | FAIL_TEST("environment", "environment=\",=bah\""); | ||
| 275 | FAIL_TEST("permitopen port", "foo:bar"); | ||
| 276 | FAIL_TEST("permitopen missing port", "foo:"); | ||
| 277 | FAIL_TEST("permitopen missing port specification", "foo"); | ||
| 278 | FAIL_TEST("permitopen invalid host", "[:"); | ||
| 279 | |||
| 280 | #undef CHECK_SUCCESS_AND_CLEANUP | ||
| 281 | #undef FAIL_TEST | ||
| 282 | } | ||
| 283 | |||
| 284 | static void | ||
| 285 | test_cert_parse(void) | ||
| 286 | { | ||
| 287 | struct sshkey *cert; | ||
| 288 | struct sshauthopt *opts, *expected; | ||
| 289 | |||
| 290 | #define CHECK_SUCCESS_AND_CLEANUP() \ | ||
| 291 | do { \ | ||
| 292 | compare_opts(opts, expected); \ | ||
| 293 | sshauthopt_free(expected); \ | ||
| 294 | sshauthopt_free(opts); \ | ||
| 295 | sshkey_free(cert); \ | ||
| 296 | } while (0) | ||
| 297 | #define FLAG_TEST(keybase, var) \ | ||
| 298 | do { \ | ||
| 299 | TEST_START("sshauthopt_from_cert no_" keybase); \ | ||
| 300 | cert = load_key("no_" keybase ".cert"); \ | ||
| 301 | expected = default_authkey_opts(); \ | ||
| 302 | expected->var = 0; \ | ||
| 303 | opts = sshauthopt_from_cert(cert); \ | ||
| 304 | CHECK_SUCCESS_AND_CLEANUP(); \ | ||
| 305 | TEST_DONE(); \ | ||
| 306 | TEST_START("sshauthopt_from_cert only_" keybase); \ | ||
| 307 | cert = load_key("only_" keybase ".cert"); \ | ||
| 308 | expected = sshauthopt_new(); \ | ||
| 309 | ASSERT_PTR_NE(expected, NULL); \ | ||
| 310 | expected->var = 1; \ | ||
| 311 | opts = sshauthopt_from_cert(cert); \ | ||
| 312 | CHECK_SUCCESS_AND_CLEANUP(); \ | ||
| 313 | TEST_DONE(); \ | ||
| 314 | } while (0) | ||
| 315 | FLAG_TEST("agentfwd", permit_agent_forwarding_flag); | ||
| 316 | FLAG_TEST("portfwd", permit_port_forwarding_flag); | ||
| 317 | FLAG_TEST("pty", permit_pty_flag); | ||
| 318 | FLAG_TEST("user_rc", permit_user_rc); | ||
| 319 | FLAG_TEST("x11fwd", permit_x11_forwarding_flag); | ||
| 320 | #undef FLAG_TEST | ||
| 321 | |||
| 322 | TEST_START("sshauthopt_from_cert all permitted"); | ||
| 323 | cert = load_key("all_permit.cert"); | ||
| 324 | expected = default_authkey_opts(); | ||
| 325 | opts = sshauthopt_from_cert(cert); | ||
| 326 | CHECK_SUCCESS_AND_CLEANUP(); | ||
| 327 | TEST_DONE(); | ||
| 328 | |||
| 329 | TEST_START("sshauthopt_from_cert nothing permitted"); | ||
| 330 | cert = load_key("no_permit.cert"); | ||
| 331 | expected = sshauthopt_new(); | ||
| 332 | ASSERT_PTR_NE(expected, NULL); | ||
| 333 | opts = sshauthopt_from_cert(cert); | ||
| 334 | CHECK_SUCCESS_AND_CLEANUP(); | ||
| 335 | TEST_DONE(); | ||
| 336 | |||
| 337 | TEST_START("sshauthopt_from_cert force-command"); | ||
| 338 | cert = load_key("force_command.cert"); | ||
| 339 | expected = default_authkey_opts(); | ||
| 340 | expected->force_command = strdup("foo"); | ||
| 341 | ASSERT_PTR_NE(expected->force_command, NULL); | ||
| 342 | opts = sshauthopt_from_cert(cert); | ||
| 343 | CHECK_SUCCESS_AND_CLEANUP(); | ||
| 344 | TEST_DONE(); | ||
| 345 | |||
| 346 | TEST_START("sshauthopt_from_cert source-address"); | ||
| 347 | cert = load_key("sourceaddr.cert"); | ||
| 348 | expected = default_authkey_opts(); | ||
| 349 | expected->required_from_host_cert = strdup("127.0.0.1/32,::1/128"); | ||
| 350 | ASSERT_PTR_NE(expected->required_from_host_cert, NULL); | ||
| 351 | opts = sshauthopt_from_cert(cert); | ||
| 352 | CHECK_SUCCESS_AND_CLEANUP(); | ||
| 353 | TEST_DONE(); | ||
| 354 | #undef CHECK_SUCCESS_AND_CLEANUP | ||
| 355 | |||
| 356 | #define FAIL_TEST(keybase) \ | ||
| 357 | do { \ | ||
| 358 | TEST_START("sshauthopt_from_cert " keybase); \ | ||
| 359 | cert = load_key(keybase ".cert"); \ | ||
| 360 | opts = sshauthopt_from_cert(cert); \ | ||
| 361 | ASSERT_PTR_EQ(opts, NULL); \ | ||
| 362 | sshkey_free(cert); \ | ||
| 363 | TEST_DONE(); \ | ||
| 364 | } while (0) | ||
| 365 | FAIL_TEST("host"); | ||
| 366 | FAIL_TEST("bad_sourceaddr"); | ||
| 367 | FAIL_TEST("unknown_critical"); | ||
| 368 | #undef FAIL_TEST | ||
| 369 | } | ||
| 370 | |||
| 371 | static void | ||
| 372 | test_merge(void) | ||
| 373 | { | ||
| 374 | struct sshkey *cert; | ||
| 375 | struct sshauthopt *key_opts, *cert_opts, *merge_opts, *expected; | ||
| 376 | const char *errstr; | ||
| 377 | |||
| 378 | /* | ||
| 379 | * Prepare for a test by making some key and cert options and | ||
| 380 | * attempting to merge them. | ||
| 381 | */ | ||
| 382 | #define PREPARE(label, keyname, keywords) \ | ||
| 383 | do { \ | ||
| 384 | expected = NULL; \ | ||
| 385 | TEST_START("sshauthopt_merge " label); \ | ||
| 386 | cert = load_key(keyname ".cert"); \ | ||
| 387 | cert_opts = sshauthopt_from_cert(cert); \ | ||
| 388 | ASSERT_PTR_NE(cert_opts, NULL); \ | ||
| 389 | key_opts = sshauthopt_parse(keywords, &errstr); \ | ||
| 390 | if (errstr != NULL) \ | ||
| 391 | ASSERT_STRING_EQ(errstr, ""); \ | ||
| 392 | ASSERT_PTR_NE(key_opts, NULL); \ | ||
| 393 | merge_opts = sshauthopt_merge(key_opts, \ | ||
| 394 | cert_opts, &errstr); \ | ||
| 395 | } while (0) | ||
| 396 | |||
| 397 | /* Cleanup stuff allocated by PREPARE() */ | ||
| 398 | #define CLEANUP() \ | ||
| 399 | do { \ | ||
| 400 | sshauthopt_free(expected); \ | ||
| 401 | sshauthopt_free(merge_opts); \ | ||
| 402 | sshauthopt_free(key_opts); \ | ||
| 403 | sshauthopt_free(cert_opts); \ | ||
| 404 | sshkey_free(cert); \ | ||
| 405 | } while (0) | ||
| 406 | |||
| 407 | /* Check the results of PREPARE() against expectation; calls CLEANUP */ | ||
| 408 | #define CHECK_SUCCESS_AND_CLEANUP() \ | ||
| 409 | do { \ | ||
| 410 | if (errstr != NULL) \ | ||
| 411 | ASSERT_STRING_EQ(errstr, ""); \ | ||
| 412 | compare_opts(merge_opts, expected); \ | ||
| 413 | CLEANUP(); \ | ||
| 414 | } while (0) | ||
| 415 | |||
| 416 | /* Check a single case of merging of flag options */ | ||
| 417 | #define FLAG_CASE(keybase, label, keyname, keywords, mostly_off, var, val) \ | ||
| 418 | do { \ | ||
| 419 | PREPARE(keybase " " label, keyname, keywords); \ | ||
| 420 | expected = mostly_off ? \ | ||
| 421 | sshauthopt_new() : default_authkey_opts(); \ | ||
| 422 | expected->var = val; \ | ||
| 423 | ASSERT_PTR_NE(expected, NULL); \ | ||
| 424 | CHECK_SUCCESS_AND_CLEANUP(); \ | ||
| 425 | TEST_DONE(); \ | ||
| 426 | } while (0) | ||
| 427 | |||
| 428 | /* | ||
| 429 | * Fairly exhaustive exercise of a flag option. Tests | ||
| 430 | * option both set and clear in certificate, set and clear in | ||
| 431 | * authorized_keys and set and cleared via restrict keyword. | ||
| 432 | */ | ||
| 433 | #define FLAG_TEST(keybase, keyword, var) \ | ||
| 434 | do { \ | ||
| 435 | FLAG_CASE(keybase, "keys:default,yes cert:default,no", \ | ||
| 436 | "no_" keybase, keyword, 0, var, 0); \ | ||
| 437 | FLAG_CASE(keybase,"keys:-*,yes cert:default,no", \ | ||
| 438 | "no_" keybase, "restrict," keyword, 1, var, 0); \ | ||
| 439 | FLAG_CASE(keybase, "keys:default,no cert:default,no", \ | ||
| 440 | "no_" keybase, "no-" keyword, 0, var, 0); \ | ||
| 441 | FLAG_CASE(keybase, "keys:-*,no cert:default,no", \ | ||
| 442 | "no_" keybase, "restrict,no-" keyword, 1, var, 0); \ | ||
| 443 | \ | ||
| 444 | FLAG_CASE(keybase, "keys:default,yes cert:-*,yes", \ | ||
| 445 | "only_" keybase, keyword, 1, var, 1); \ | ||
| 446 | FLAG_CASE(keybase,"keys:-*,yes cert:-*,yes", \ | ||
| 447 | "only_" keybase, "restrict," keyword, 1, var, 1); \ | ||
| 448 | FLAG_CASE(keybase, "keys:default,no cert:-*,yes", \ | ||
| 449 | "only_" keybase, "no-" keyword, 1, var, 0); \ | ||
| 450 | FLAG_CASE(keybase, "keys:-*,no cert:-*,yes", \ | ||
| 451 | "only_" keybase, "restrict,no-" keyword, 1, var, 0); \ | ||
| 452 | \ | ||
| 453 | FLAG_CASE(keybase, "keys:default,yes cert:-*", \ | ||
| 454 | "no_permit", keyword, 1, var, 0); \ | ||
| 455 | FLAG_CASE(keybase,"keys:-*,yes cert:-*", \ | ||
| 456 | "no_permit", "restrict," keyword, 1, var, 0); \ | ||
| 457 | FLAG_CASE(keybase, "keys:default,no cert:-*", \ | ||
| 458 | "no_permit", "no-" keyword, 1, var, 0); \ | ||
| 459 | FLAG_CASE(keybase, "keys:-*,no cert:-*", \ | ||
| 460 | "no_permit", "restrict,no-" keyword, 1, var, 0); \ | ||
| 461 | \ | ||
| 462 | FLAG_CASE(keybase, "keys:default,yes cert:*", \ | ||
| 463 | "all_permit", keyword, 0, var, 1); \ | ||
| 464 | FLAG_CASE(keybase,"keys:-*,yes cert:*", \ | ||
| 465 | "all_permit", "restrict," keyword, 1, var, 1); \ | ||
| 466 | FLAG_CASE(keybase, "keys:default,no cert:*", \ | ||
| 467 | "all_permit", "no-" keyword, 0, var, 0); \ | ||
| 468 | FLAG_CASE(keybase, "keys:-*,no cert:*", \ | ||
| 469 | "all_permit", "restrict,no-" keyword, 1, var, 0); \ | ||
| 470 | \ | ||
| 471 | } while (0) | ||
| 472 | FLAG_TEST("portfwd", "port-forwarding", permit_port_forwarding_flag); | ||
| 473 | FLAG_TEST("agentfwd", "agent-forwarding", permit_agent_forwarding_flag); | ||
| 474 | FLAG_TEST("pty", "pty", permit_pty_flag); | ||
| 475 | FLAG_TEST("user_rc", "user-rc", permit_user_rc); | ||
| 476 | FLAG_TEST("x11fwd", "x11-forwarding", permit_x11_forwarding_flag); | ||
| 477 | #undef FLAG_TEST | ||
| 478 | |||
| 479 | PREPARE("source-address both", "sourceaddr", "from=\"127.0.0.1\""); | ||
| 480 | expected = default_authkey_opts(); | ||
| 481 | expected->required_from_host_cert = strdup("127.0.0.1/32,::1/128"); | ||
| 482 | ASSERT_PTR_NE(expected->required_from_host_cert, NULL); | ||
| 483 | expected->required_from_host_keys = strdup("127.0.0.1"); | ||
| 484 | ASSERT_PTR_NE(expected->required_from_host_keys, NULL); | ||
| 485 | CHECK_SUCCESS_AND_CLEANUP(); | ||
| 486 | TEST_DONE(); | ||
| 487 | |||
| 488 | PREPARE("source-address none", "all_permit", ""); | ||
| 489 | expected = default_authkey_opts(); | ||
| 490 | CHECK_SUCCESS_AND_CLEANUP(); | ||
| 491 | TEST_DONE(); | ||
| 492 | |||
| 493 | PREPARE("source-address keys", "all_permit", "from=\"127.0.0.1\""); | ||
| 494 | expected = default_authkey_opts(); | ||
| 495 | expected->required_from_host_keys = strdup("127.0.0.1"); | ||
| 496 | ASSERT_PTR_NE(expected->required_from_host_keys, NULL); | ||
| 497 | CHECK_SUCCESS_AND_CLEANUP(); | ||
| 498 | TEST_DONE(); | ||
| 499 | |||
| 500 | PREPARE("source-address cert", "sourceaddr", ""); | ||
| 501 | expected = default_authkey_opts(); | ||
| 502 | expected->required_from_host_cert = strdup("127.0.0.1/32,::1/128"); | ||
| 503 | ASSERT_PTR_NE(expected->required_from_host_cert, NULL); | ||
| 504 | CHECK_SUCCESS_AND_CLEANUP(); | ||
| 505 | TEST_DONE(); | ||
| 506 | |||
| 507 | PREPARE("force-command both", "force_command", "command=\"foo\""); | ||
| 508 | expected = default_authkey_opts(); | ||
| 509 | expected->force_command = strdup("foo"); | ||
| 510 | ASSERT_PTR_NE(expected->force_command, NULL); | ||
| 511 | CHECK_SUCCESS_AND_CLEANUP(); | ||
| 512 | TEST_DONE(); | ||
| 513 | |||
| 514 | PREPARE("force-command none", "all_permit", ""); | ||
| 515 | expected = default_authkey_opts(); | ||
| 516 | CHECK_SUCCESS_AND_CLEANUP(); | ||
| 517 | TEST_DONE(); | ||
| 518 | |||
| 519 | PREPARE("force-command keys", "all_permit", "command=\"bar\""); | ||
| 520 | expected = default_authkey_opts(); | ||
| 521 | expected->force_command = strdup("bar"); | ||
| 522 | ASSERT_PTR_NE(expected->force_command, NULL); | ||
| 523 | CHECK_SUCCESS_AND_CLEANUP(); | ||
| 524 | TEST_DONE(); | ||
| 525 | |||
| 526 | PREPARE("force-command cert", "force_command", ""); | ||
| 527 | expected = default_authkey_opts(); | ||
| 528 | expected->force_command = strdup("foo"); | ||
| 529 | ASSERT_PTR_NE(expected->force_command, NULL); | ||
| 530 | CHECK_SUCCESS_AND_CLEANUP(); | ||
| 531 | TEST_DONE(); | ||
| 532 | |||
| 533 | PREPARE("force-command mismatch", "force_command", "command=\"bar\""); | ||
| 534 | ASSERT_PTR_EQ(merge_opts, NULL); | ||
| 535 | CLEANUP(); | ||
| 536 | TEST_DONE(); | ||
| 537 | |||
| 538 | PREPARE("tunnel", "all_permit", "tunnel=\"6\""); | ||
| 539 | expected = default_authkey_opts(); | ||
| 540 | expected->force_tun_device = 6; | ||
| 541 | CHECK_SUCCESS_AND_CLEANUP(); | ||
| 542 | TEST_DONE(); | ||
| 543 | |||
| 544 | PREPARE("permitopen", "all_permit", | ||
| 545 | "permitopen=\"127.0.0.1:*\",permitopen=\"127.0.0.1:123\""); | ||
| 546 | expected = default_authkey_opts(); | ||
| 547 | expected->permitopen = commasplit("127.0.0.1:*,127.0.0.1:123", | ||
| 548 | &expected->npermitopen); | ||
| 549 | CHECK_SUCCESS_AND_CLEANUP(); | ||
| 550 | TEST_DONE(); | ||
| 551 | |||
| 552 | PREPARE("environment", "all_permit", | ||
| 553 | "environment=\"foo=a\",environment=\"bar=b\""); | ||
| 554 | expected = default_authkey_opts(); | ||
| 555 | expected->env = commasplit("foo=a,bar=b", &expected->nenv); | ||
| 556 | CHECK_SUCCESS_AND_CLEANUP(); | ||
| 557 | TEST_DONE(); | ||
| 558 | } | ||
| 559 | |||
| 560 | void | ||
| 561 | tests(void) | ||
| 562 | { | ||
| 563 | extern char *__progname; | ||
| 564 | LogLevel ll = test_is_verbose() ? | ||
| 565 | SYSLOG_LEVEL_DEBUG3 : SYSLOG_LEVEL_QUIET; | ||
| 566 | |||
| 567 | /* test_cert_parse() are a bit spammy to error() by default... */ | ||
| 568 | log_init(__progname, ll, SYSLOG_FACILITY_USER, 1); | ||
| 569 | |||
| 570 | test_authkeys_parse(); | ||
| 571 | test_cert_parse(); | ||
| 572 | test_merge(); | ||
| 573 | } | ||