forked from mirrors/jj
168 lines
5 KiB
Rust
168 lines
5 KiB
Rust
|
// Copyright 2023 The Jujutsu Authors
|
||
|
//
|
||
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
||
|
// you may not use this file except in compliance with the License.
|
||
|
// You may obtain a copy of the License at
|
||
|
//
|
||
|
// https://www.apache.org/licenses/LICENSE-2.0
|
||
|
//
|
||
|
// Unless required by applicable law or agreed to in writing, software
|
||
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
||
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||
|
// See the License for the specific language governing permissions and
|
||
|
// limitations under the License.
|
||
|
|
||
|
use std::fs;
|
||
|
#[cfg(unix)]
|
||
|
use std::fs::Permissions;
|
||
|
use std::io::Write;
|
||
|
#[cfg(unix)]
|
||
|
use std::os::unix::prelude::PermissionsExt;
|
||
|
use std::path::{Path, PathBuf};
|
||
|
|
||
|
use jj_lib::signing::{SigStatus, SigningBackend};
|
||
|
use jj_lib::ssh_signing::SshBackend;
|
||
|
|
||
|
static PRIVATE_KEY: &str = r#"-----BEGIN OPENSSH PRIVATE KEY-----
|
||
|
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
|
||
|
QyNTUxOQAAACBo/iejekjvuD/HTman0daImstssYYR52oB+dmr1KsOYQAAAIiuGFMFrhhT
|
||
|
BQAAAAtzc2gtZWQyNTUxOQAAACBo/iejekjvuD/HTman0daImstssYYR52oB+dmr1KsOYQ
|
||
|
AAAECcUtn/J/jk/+D5+/+WbQRNN4eInj5L60pt6FioP0nQfGj+J6N6SO+4P8dOZqfR1oia
|
||
|
y2yxhhHnagH52avUqw5hAAAAAAECAwQF
|
||
|
-----END OPENSSH PRIVATE KEY-----
|
||
|
"#;
|
||
|
|
||
|
static PUBLIC_KEY: &str =
|
||
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGj+J6N6SO+4P8dOZqfR1oiay2yxhhHnagH52avUqw5h";
|
||
|
|
||
|
struct SshEnvironment {
|
||
|
_keys: tempfile::TempDir,
|
||
|
private_key_path: PathBuf,
|
||
|
allowed_signers: Option<tempfile::TempPath>,
|
||
|
}
|
||
|
|
||
|
impl SshEnvironment {
|
||
|
fn new() -> Result<Self, std::process::Output> {
|
||
|
let keys_dir = tempfile::Builder::new()
|
||
|
.prefix("jj-test-signing-keys-")
|
||
|
.tempdir()
|
||
|
.unwrap();
|
||
|
|
||
|
let private_key_path = Path::new(keys_dir.path()).join("key");
|
||
|
|
||
|
fs::write(&private_key_path, PRIVATE_KEY).unwrap();
|
||
|
|
||
|
#[cfg(unix)]
|
||
|
std::fs::set_permissions(&private_key_path, Permissions::from_mode(0o700)).unwrap();
|
||
|
|
||
|
let mut env = SshEnvironment {
|
||
|
_keys: keys_dir,
|
||
|
private_key_path,
|
||
|
allowed_signers: None,
|
||
|
};
|
||
|
|
||
|
env.with_good_public_key();
|
||
|
|
||
|
Ok(env)
|
||
|
}
|
||
|
|
||
|
fn with_good_public_key(&mut self) {
|
||
|
let mut allowed_signers = tempfile::Builder::new()
|
||
|
.prefix("jj-test-allowed-signers-")
|
||
|
.tempfile()
|
||
|
.unwrap();
|
||
|
|
||
|
allowed_signers
|
||
|
.write_all("test@example.com ".as_bytes())
|
||
|
.unwrap();
|
||
|
allowed_signers.write_all(PUBLIC_KEY.as_bytes()).unwrap();
|
||
|
allowed_signers.flush().unwrap();
|
||
|
|
||
|
let allowed_signers_path = allowed_signers.into_temp_path();
|
||
|
|
||
|
self.allowed_signers = Some(allowed_signers_path);
|
||
|
}
|
||
|
|
||
|
fn with_bad_public_key(&mut self) {
|
||
|
let mut allowed_signers = tempfile::Builder::new()
|
||
|
.prefix("jj-test-allowed-signers-")
|
||
|
.tempfile()
|
||
|
.unwrap();
|
||
|
|
||
|
allowed_signers
|
||
|
.write_all("test@example.com ".as_bytes())
|
||
|
.unwrap();
|
||
|
allowed_signers
|
||
|
.write_all("INVALID PUBLIC KEY".as_bytes())
|
||
|
.unwrap();
|
||
|
allowed_signers.flush().unwrap();
|
||
|
|
||
|
let allowed_signers_path = allowed_signers.into_temp_path();
|
||
|
|
||
|
self.allowed_signers = Some(allowed_signers_path);
|
||
|
}
|
||
|
}
|
||
|
|
||
|
fn backend(env: &SshEnvironment) -> SshBackend {
|
||
|
SshBackend::new(
|
||
|
"ssh-keygen".into(),
|
||
|
env.allowed_signers
|
||
|
.as_ref()
|
||
|
.map(|allowed_signers| allowed_signers.as_os_str().into()),
|
||
|
)
|
||
|
}
|
||
|
|
||
|
#[test]
|
||
|
fn ssh_signing_roundtrip() {
|
||
|
let env = SshEnvironment::new().unwrap();
|
||
|
let backend = backend(&env);
|
||
|
let data = b"hello world";
|
||
|
|
||
|
let signature = backend
|
||
|
.sign(data, Some(env.private_key_path.to_str().unwrap()))
|
||
|
.unwrap();
|
||
|
|
||
|
let check = backend.verify(data, &signature).unwrap();
|
||
|
assert_eq!(check.status, SigStatus::Good);
|
||
|
|
||
|
assert_eq!(check.display.unwrap(), "test@example.com");
|
||
|
|
||
|
let check = backend.verify(b"invalid-commit-data", &signature).unwrap();
|
||
|
assert_eq!(check.status, SigStatus::Bad);
|
||
|
assert_eq!(check.display.unwrap(), "test@example.com");
|
||
|
}
|
||
|
|
||
|
#[test]
|
||
|
fn ssh_signing_bad_allowed_signers() {
|
||
|
let mut env = SshEnvironment::new().unwrap();
|
||
|
env.with_bad_public_key();
|
||
|
|
||
|
let backend = backend(&env);
|
||
|
let data = b"hello world";
|
||
|
|
||
|
let signature = backend
|
||
|
.sign(data, Some(env.private_key_path.to_str().unwrap()))
|
||
|
.unwrap();
|
||
|
|
||
|
let check = backend.verify(data, &signature).unwrap();
|
||
|
assert_eq!(check.status, SigStatus::Unknown);
|
||
|
assert_eq!(check.display.unwrap(), "Signature OK. Unknown principal");
|
||
|
}
|
||
|
|
||
|
#[test]
|
||
|
fn ssh_signing_missing_allowed_signers() {
|
||
|
let mut env = SshEnvironment::new().unwrap();
|
||
|
env.allowed_signers = None;
|
||
|
|
||
|
let backend = backend(&env);
|
||
|
let data = b"hello world";
|
||
|
|
||
|
let signature = backend
|
||
|
.sign(data, Some(env.private_key_path.to_str().unwrap()))
|
||
|
.unwrap();
|
||
|
|
||
|
let check = backend.verify(data, &signature).unwrap();
|
||
|
assert_eq!(check.status, SigStatus::Unknown);
|
||
|
assert_eq!(check.display.unwrap(), "Signature OK. Unknown principal");
|
||
|
}
|