-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathtskagent_test.go
More file actions
175 lines (155 loc) · 4.58 KB
/
tskagent_test.go
File metadata and controls
175 lines (155 loc) · 4.58 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
// Copyright (c) Tailscale Inc & AUTHORS
// SPDX-License-Identifier: BSD-3-Clause
package tskagent_test
import (
"context"
"crypto/ed25519"
"net"
"net/http/httptest"
"testing"
"github.com/creachadair/taskgroup"
"github.com/google/go-cmp/cmp"
"github.com/tailscale/setec/client/setec"
"github.com/tailscale/setec/setectest"
"github.com/tailscale/tskagent"
"golang.org/x/crypto/ssh"
"golang.org/x/crypto/ssh/agent"
_ "embed"
)
//go:embed testdata/test.key
var testPrivKey string
//go:embed testdata/test.key.pub
var testPubKey []byte
func TestAgent(t *testing.T) {
const testSecret = "test/ssh-agent/key"
// Set up a fake setec server containing the test private key.
db := setectest.NewDB(t, nil)
db.MustPut(db.Superuser, testSecret, testPrivKey)
ss := setectest.NewServer(t, db, nil)
hs := httptest.NewServer(ss.Mux)
defer hs.Close()
// Set up an agent communicating with the fake setec.
ts := tskagent.NewServer(tskagent.Config{
Client: setec.Client{Server: hs.URL, DoHTTP: hs.Client().Do},
Prefix: "test/ssh-agent",
Logf: t.Logf,
})
if err := ts.Update(context.Background()); err != nil {
t.Fatalf("Initial update failed: %v", err)
}
// Parse the public key to offer.
pubKey, _, _, rest, err := ssh.ParseAuthorizedKey(testPubKey)
if err != nil {
t.Fatalf("Parse authorized key: %v", err)
} else if len(rest) != 0 {
t.Error("Extra data after authorized key")
}
// Run the agent over a pipe and make sure client calls do what they should.
cconn, sconn := net.Pipe()
cli := taskgroup.Run(func() { ts.ServeOne(sconn) })
defer func() { cconn.Close(); cli.Wait() }()
mustUpdate := func(t *testing.T) {
t.Helper()
if err := ts.Update(context.Background()); err != nil {
t.Fatalf("Update failed: %v", err)
}
}
ac := agent.NewClient(cconn)
altKey := ed25519.NewKeyFromSeed([]byte("00000000000000000000000000000000")) // throwaway
t.Run("AddDoesNotWork", func(t *testing.T) {
err := ac.Add(agent.AddedKey{
PrivateKey: altKey,
Comment: "Nothing to see here",
})
if err == nil {
t.Errorf("Add key %v: did not get expected error", altKey)
}
})
t.Run("Locking", func(t *testing.T) {
const pp = "foo"
if err := ac.Lock([]byte(pp)); err != nil {
t.Fatalf("Lock: unexpected error: %v", err)
}
if err := ac.Lock([]byte(pp)); err == nil {
t.Error("Re-lock: did not get expected error")
}
if err := ac.Unlock([]byte("wrong")); err == nil {
t.Error("Unlock wrong: did not get expected error")
}
if err := ac.Unlock([]byte(pp)); err != nil {
t.Fatalf("Unlock: unexpected error: %v", err)
}
if err := ac.Unlock([]byte(pp)); err == nil {
t.Error("Re-unlock: did not get expected error")
}
})
t.Run("List", func(t *testing.T) {
lst, err := ac.List()
if err != nil {
t.Fatalf("List: unexpected error: %v", err)
}
if diff := cmp.Diff(lst, []*agent.Key{{
Format: "ssh-ed25519",
Blob: pubKey.Marshal(),
Comment: "Dummy key for testing",
}}); diff != "" {
t.Errorf("Wrong keys (-got, +want):\n%s", diff)
}
})
t.Run("Signers", func(t *testing.T) {
lst, err := ac.Signers()
if err != nil {
t.Fatalf("Signers: unexpected error: %v", err)
}
if len(lst) != 1 {
t.Fatalf("Got %d signers, want 1", len(lst))
}
if diff := cmp.Diff(lst[0].PublicKey().Marshal(), pubKey.Marshal()); diff != "" {
t.Errorf("Wrong signer (-got, +want):\n%s", diff)
}
})
t.Run("Sign", func(t *testing.T) {
const testInput = "boo likes forests"
sig, err := ac.Sign(pubKey, []byte(testInput))
if err != nil {
t.Fatalf("Sign: unexpected error: %v", err)
}
if got, want := sig.Format, "ssh-ed25519"; got != want {
t.Errorf("Sign format: got %q, want %q", got, want)
}
if len(sig.Rest) != 0 {
t.Errorf("Sign: extra data after signature: %q", sig.Rest)
}
})
t.Run("RemoveAll", func(t *testing.T) {
defer mustUpdate(t)
if err := ac.RemoveAll(); err != nil {
t.Errorf("RemoveAll: unexpected error: %v", err)
}
lst, err := ac.List()
if err != nil {
t.Errorf("List: unexpected error: %v", err)
} else if len(lst) != 0 {
t.Errorf("List: got %+v, want empty", lst)
}
})
t.Run("RemoveMissing", func(t *testing.T) {
key, err := ssh.NewSignerFromKey(altKey)
if err != nil {
t.Fatalf("Convert key: %v", err)
}
if err := ac.Remove(key.PublicKey()); err == nil {
t.Error("Remove missing unexpectedly succeeded")
}
})
t.Run("RemovePresent", func(t *testing.T) {
defer mustUpdate(t)
if err := ac.Remove(pubKey); err != nil {
t.Errorf("Remove: unexpected error: %v", err)
}
if err := ac.Remove(pubKey); err == nil {
t.Error("Remove again: unexpectedly succeeded")
}
mustUpdate(t)
})
}