authorMiklós Fazekas <mfazekas@szemafor.com>2021-08-05 16:13:54 +0200
committerMiklós Fazekas <mfazekas@szemafor.com>2021-08-05 16:14:25 +0200
commit932f0268a2903e35f7bf9f8d1bb96dd38dd77e1f (patch)
tree249c735da427ac20079223b41b6926fef16cb141 /test
parentf4f37d340dfbb405e8ad77a0ccf56ce66d4fb144 (diff)
downloadnet-ssh-932f0268a2903e35f7bf9f8d1bb96dd38dd77e1f.tar.gz
Improve intergation test
Diffstat (limited to 'test')
-rw-r--r--test/integration/common.rb2
-rw-r--r--test/integration/test_cert_host_auth.rb48
2 files changed, 20 insertions, 30 deletions
diff --git a/test/integration/common.rb b/test/integration/common.rb
index 0f79c68..b897ece 100644
--- a/test/integration/common.rb
+++ b/test/integration/common.rb
@@ -97,7 +97,7 @@ module IntegrationTestHelpers
end
f.write("\nLogLevel DEBUG3\n") if debug
f.close
- puts "CONFIG: #{f.path} PID: #{pidpath}"
+ puts "CONFIG: #{f.path} PID: #{pidpath}" if debug
yield(f.path, pidpath)
end
end
diff --git a/test/integration/test_cert_host_auth.rb b/test/integration/test_cert_host_auth.rb
index 312be85..aeda37e 100644
--- a/test/integration/test_cert_host_auth.rb
+++ b/test/integration/test_cert_host_auth.rb
@@ -13,10 +13,7 @@ class TestCertHostAuth < NetSSHTest
def setup_ssh_env(&block)
tmpdir do |dir|
- @badcert = "#{dir}/badca"
- sh "rm -rf #{@badcert} #{@badcert}.pub"
- sh "ssh-keygen -t rsa -N '' -C 'ca@hosts.netssh' -f #{@badcert}"
-
+ # create a cert, and sign the host key
@cert = "#{dir}/ca"
sh "rm -rf #{@cert} #{@cert}.pub"
sh "ssh-keygen -t rsa -N '' -C 'ca@hosts.netssh' -f #{@cert}"
@@ -25,29 +22,29 @@ class TestCertHostAuth < NetSSHTest
sh "ssh-keygen -s #{@cert} -h -I one.hosts.netssh -n one.hosts.netssh #{dir}/one.hosts.netssh.pub"
sh "ssh-keygen -L -f one.hosts.netssh-cert.pub"
end
- # FileUtils.cp "#{dir}/cloud.jameshfisher.com-cert.pub", "/etc/ssh/ssh_host_ecdsa_key-cert.pub"
- sh "sudo cp -f #{dir}/one.hosts.netssh-cert.pub /etc/ssh/ssh_host_ecdsa_key-cert.pub"
- yield(cert_pub: "#{@cert}.pub", badcert_pub: "#{@badcert}.pub")
+ signed_host_key = "/etc/ssh/ssh_host_ecdsa_key-cert.pub"
+ sh "sudo cp -f #{dir}/one.hosts.netssh-cert.pub #{signed_host_key}"
+
+ # we don't use this for signing the cert
+ @badcert = "#{dir}/badca"
+ sh "rm -rf #{@badcert} #{@badcert}.pub"
+ sh "ssh-keygen -t rsa -N '' -C 'ca@hosts.netssh' -f #{@badcert}"
+
+ yield(cert_pub: "#{@cert}.pub", badcert_pub: "#{@badcert}.pub", signed_host_key: signed_host_key)
end
end
- def test_smoke
- config_lines = []
- config_lines.push("HostCertificate /etc/ssh/ssh_host_ecdsa_key-cert.pub")
-
+ def test_host_should_match_when_host_key_was_signed_by_key
Tempfile.open('cert_kh') do |f|
setup_ssh_env do |params|
data = File.read(params[:cert_pub])
- puts "Data: #{data}"
f.write("@cert-authority *.hosts.netssh #{data}")
f.close
- start_sshd_7_or_later(config: config_lines, debug: true) do |_pid, port|
- Timeout.timeout(400) do
- # We have our own sshd, give it a chance to come up before
- # listening.
+ config_lines = ["HostCertificate #{params[:signed_host_key]}"]
+ start_sshd_7_or_later(config: config_lines) do |_pid, port|
+ Timeout.timeout(100) do
ret = Net::SSH.start("one.hosts.netssh", "net_ssh_1", password: 'foopwd', port: port, verify_host_key: :always, user_known_hosts_file: [f.path], verbose: :debug) do |ssh|
- # assert_equal ssh.transport.algorithms.kex, "curve25519-sha256"
ssh.exec! "echo 'foo'"
end
assert_equal "foo\n", ret
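Review bot: The new `signed_host_key` line still hard-codes `/etc/ssh/ssh_host_ecdsa_key-cert.pub` and the following `sudo cp -f` installs the certificate signed by the throwaway CA into the real sshd directory, yet nothing removes it once the block yielded to returns, so each test run leaves a root-owned host certificate for a CA that only existed in a tmpdir; wrap the yield as `begin; yield(...); ensure; sh "sudo rm -f #{signed_host_key}"; end`, or at least add a comment above the copy such as `# NOTE: mutates the system sshd directory; the cert is left behind after the test`. Passing the path out through the yield hash is a good step, but since the value is fixed the helper is not yet configurable, which the comment should make clear. The positive test also drops the old "give sshd a chance to come up" wait while the negative test keeps its `sleep 0.2`; if `start_sshd_7_or_later` does not wait for readiness, the first test may be flaky, so either keep the same short sleep or note why it is unnecessary. The enclosing `setup_ssh_env` method starts in the previous hunk and the test method body continues past the end of this hunk.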
@@ -60,26 +57,19 @@ class TestCertHostAuth < NetSSHTest
end
end
- def test_failure
- config_lines = []
- config_lines.push("HostCertificate /etc/ssh/ssh_host_ecdsa_key-cert.pub")
-
- Tempfile.open('empty_kh') do |f|
+ def test_with_other_pub_key_host_key_should_not_match
+ Tempfile.open('cert_kh') do |f|
setup_ssh_env do |params|
data = File.read(params[:badcert_pub])
-
- puts "Data: #{data}"
f.write("@cert-authority *.hosts.netssh #{data}")
f.close
- start_sshd_7_or_later(config: config_lines, debug: true) do |_pid, port|
- Timeout.timeout(400) do
- # sh "ssh net_ssh_1@one.hosts.netssh -p #{port} -o UserKnownHostsFile=#{f.path}"
-
+ config_lines = ["HostCertificate #{params[:signed_host_key]}"]
+ start_sshd_7_or_later(config: config_lines) do |_pid, port|
+ Timeout.timeout(100) do
sleep 0.2
assert_raises(Net::SSH::HostKeyMismatch) do
Net::SSH.start("one.hosts.netssh", "net_ssh_1", password: 'foopwd', port: port, verify_host_key: :always, user_known_hosts_file: [f.path], verbose: :debug) do |ssh|
- # assert_equal ssh.transport.algorithms.kex, "curve25519-sha256"
ssh.exec! "echo 'foo'"
end
end