  1. #!/usr/bin/env bash
  2. # Tests to ensure that the monkeysphere is working
  3. #
  4. # unset MONKEYSPHERE_TEST_NO_EXAMINE to get a prompt to examine the
  5. # test state after failure.
  6. # Authors:
  7. # Daniel Kahn Gillmor <dkg@fifthhorseman.net>
  8. # Jameson Rollins <jrollins@fifthhorseman.net>
  9. # Micah Anderson <micah@riseup.net>
  10. #
  11. # Copyright: 2008-2009
  12. # License: GPL v3 or later
  13. # these tests should all be able to run as a non-privileged user.
  14. # put all the test output to stdout
  15. exec 2>&1
  16. # all subcommands in this script should complete without failure:
  17. set -e
  18. # piped commands should return the code of the first non-zero return
  19. set -o pipefail
  20. # make sure the TESTDIR is an absolute path, not a relative one.
  21. export TESTDIR=$(cd $(dirname "$0") && pwd)
  22. source "$TESTDIR"/common
  23. ## make sure that the right tools are installed to run the test. the
  24. ## test has *more* requirements than plain ol' monkeysphere:
  25. [ -f /usr/sbin/sshd ] || { echo "You must have sshd installed to run this test." ; exit 1; }
  26. which socat >/dev/null || { echo "You must have socat installed to run this test." ; exit 1; }
  27. perl -MCrypt::OpenSSL::RSA -e 1 2>/dev/null || { echo "You must have the perl module Crypt::OpenSSL::RSA installed to run this test.
  28. On debian-derived systems, you can set this up with:
  29. apt-get install libcrypt-openssl-rsa-perl" ; exit 1; }
  30. perl -MDigest::SHA -e 1 2>/dev/null || { echo "You must have the perl module Digest::SHA installed to run this test.
  31. On debian-derived systems, you can set this up with:
  32. apt-get install libdigest-sha-perl" ; exit 1; }
  33. ## FIXME: other checks?
######################################################################
### FUNCTIONS

# gpg command for test admin user
#
# Globals:   TEMPDIR (read)
# Arguments: passed through unchanged to gpg
# Returns:   the exit status of gpg (or of chmod, under set -e)
gpgadmin() {
  local admin_home="$TEMPDIR"/admin

  # Re-assert owner-only access on the admin home before every call;
  # presumably so gpg does not complain about a loose homedir -- confirm.
  chmod 0700 "$admin_home"

  # GNUPGHOME is set for this one command only, so the admin keyring
  # never leaks into the testuser's gpg calls elsewhere in the script.
  GNUPGHOME="$admin_home"/.gnupg gpg --no-tty "$@"
}
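# test ssh connection
# first argument is expected return code from ssh connection
#
# Globals:   SSHD_CONFIG, SOCKET, TEMPDIR, target_hostname (read);
#            SSHD_PID, CODE (written); the umask set here stays in
#            effect for the rest of the script, as in the original
# Arguments: $1 - expected exit status of the client side (default 0)
# Outputs:   progress and PASSED/FAILED lines on stdout; the server
#            side's stderr goes to $TEMPDIR/sshd.log
# Returns:   0 if the observed status equals the expected one, 1 if it
#            differs or the server side never came up
ssh_test() {
  local RETURN=0
  local waited=0

  # files created from here on (socket, log) are owner-only
  umask 0077

  # CODE stays global as before; nothing visible in this file reads it
  # outside this function.
  CODE=${1:-0}

  # start the ssh daemon on the socket
  # NOTE: SSHD_CONFIG and SOCKET are embedded in socat address strings,
  # which socat parses itself, so TEMPDIR must not contain whitespace or
  # socat's separator characters.
  echo "##### starting ssh server..."
  socat EXEC:"/usr/sbin/sshd -f ${SSHD_CONFIG} -i -D -e" "UNIX-LISTEN:${SOCKET}" 2> "$TEMPDIR"/sshd.log &
  SSHD_PID="$!"

  # wait until the socket is created before continuing.  Give up when
  # socat has already exited or the socket does not appear in time;
  # the unbounded loop would otherwise hang the whole test run.
  while [ ! -S "$SOCKET" ] ; do
    if ! kill -0 "$SSHD_PID" 2>/dev/null || [ "$waited" -ge 30 ] ; then
      echo "##### ssh server failed to start; see $TEMPDIR/sshd.log"
      kill "$SSHD_PID" 2>/dev/null || true
      wait
      SSHD_PID=
      return 1
    fi
    sleep 1
    waited=$((waited + 1))
  done

  # make a client connection to the socket
  # The config path and hostname are handed to the inner shell as
  # positional parameters instead of being pasted into its command
  # string, so they are never re-parsed as shell syntax.
  echo "##### starting ssh client..."
  ssh-agent bash -c \
    'monkeysphere subkey-to-ssh-agent && ssh -F "$1" "$2" true' \
    ssh_test "$TEMPDIR"/testuser/.ssh/config "${target_hostname:-testhost}" \
    || RETURN="$?"

  # kill the sshd process if it's still running
  kill "$SSHD_PID" || true
  wait
  SSHD_PID=

  if [ "$RETURN" = "$CODE" ] ; then
    echo "##### ssh connection test PASSED.  returned: $RETURN"
    return 0
  else
    echo "##### ssh connection test FAILED.  returned: $RETURN, expected: $CODE"
    return 1
  fi
}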
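SSHD_PID=

## setup trap
# failed_cleanup is not defined in this file; presumably it comes from
# the sourced "$TESTDIR"/common -- confirm.
trap failed_cleanup EXIT


######################################################################
### SETUP VARIABLES

## set up some variables to ensure that we're operating strictly in
## the tests, not system-wide:

# set up temp dir

# NOTE: /tmp can not be used as the temp dir here, since the
# permissions on /tmp are usually such that they will not pass the
# monkeysphere/ssh path permission checking.  If you need to use a
# different location than the current source, please set $TMPDIR
# somewhere with tighter permissions.

mkdir -p "$TESTDIR"/tmp
TEMPDIR=$(mktemp -d "${TMPDIR:-$TESTDIR/tmp}/monkeyspheretest.XXXXXXX")

# Use the local copy of executables first, instead of system ones.
# This should help us test without installing.
export PATH="$TESTDIR"/../src:"$PATH"

export MONKEYSPHERE_SYSDATADIR="$TEMPDIR"
export MONKEYSPHERE_SYSCONFIGDIR="$TEMPDIR"
export MONKEYSPHERE_SYSSHAREDIR="$TESTDIR"/../src/share
# assign, then export, so a failing whoami is not hidden behind
# export's own exit status
MONKEYSPHERE_MONKEYSPHERE_USER=$(whoami)
export MONKEYSPHERE_MONKEYSPHERE_USER
export MONKEYSPHERE_CHECK_KEYSERVER=false
# example.org does not respond to the HKP port, so this should cause
# any keyserver connection attempts that do happen (they shouldn't!)
# to hang, so we'll notice them:
export MONKEYSPHERE_KEYSERVER=example.org
export MONKEYSPHERE_LOG_LEVEL=DEBUG
# 1024-bit keys are a test-fixture setting (presumably to keep key
# generation fast); do not copy this value into a real deployment.
export MONKEYSPHERE_CORE_KEYLENGTH=1024
export MONKEYSPHERE_PROMPT=false

# unset SUBKEYS_FOR_AGENT variable which, if set, would confuse the
# test into trying to use the user's key, instead of the testuser's key
unset MONKEYSPHERE_SUBKEYS_FOR_AGENT

export SSHD_CONFIG="$TEMPDIR"/sshd_config
export SOCKET="$TEMPDIR"/ssh-socket

# Make sure $DISPLAY is set to convince ssh and monkeysphere to fall
# back on $SSH_ASKPASS.  Make sure it's not set to the current actual
# $DISPLAY (if one exists) because this test suite should not be doing
# *anything* with any running X11 session.
export DISPLAY=monkeys


## we cannot do proper directory permissions checking if the current
## working directory has unsatisfactory permissions:
# The check runs in a subshell so that sourcing the share/common library
# does not change this script's own functions or variables.
if ( . "$MONKEYSPHERE_SYSSHAREDIR"/common && check_key_file_permissions "$(whoami)" "$TEMPDIR" ) ; then
  echo "Permissions on temporary directory '$TEMPDIR' are OK for permissions checks."
  TEMPDIR_PERMISSIONS_SAFE=yes
else
  cat <<EOF

!!!WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING!!!
Permissions on testing directory '$TEMPDIR' are
too loose to do proper strict permissions checking. Some tests
will be disabled or ignored.
To avoid this warning (and to make sure that all tests are run
properly), please run these tests within a directory that meets
sshd's standards for "StrictModes yes" -- the directory (and every
one of its parents) should be owned only be the user running this
test or root, and should not be writable by group or other.
!!!WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING!!!

EOF

  # FIXME: what should we do with this knowledge to make sure that
  # the appropriate tests are handled properly?
  TEMPDIR_PERMISSIONS_SAFE=no
fi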
######################################################################
### CONFIGURE ENVIRONMENTS

# copy in admin and testuser home to tmp
printf '\n%s\n%s\n' \
  "##################################################" \
  "### configuring testuser home..."
(cd "$TESTDIR"/home && find testuser | cpio -pdu "$TEMPDIR")

# set up environment for testuser
export TESTHOME="$TEMPDIR"/testuser
export GNUPGHOME="$TESTHOME"/.gnupg
# the testuser keyring directory is made owner-only before first use
chmod 0700 "$GNUPGHOME"
export SSH_ASKPASS="$TESTHOME"/.ssh/askpass
export MONKEYSPHERE_HOME="$TESTHOME"/.monkeysphere

# Point the test ssh client at files inside the sandbox only: its own
# known_hosts, an identity file that does not exist, and the proxy
# command that talks to the test socket.
printf '%s\n' \
  "UserKnownHostsFile $TESTHOME/.ssh/known_hosts" \
  "IdentityFile $TESTHOME/.ssh/no-such-identity" \
  "ProxyCommand $TESTHOME/.ssh/proxy-command %h %p $SOCKET" \
  >> "$TESTHOME"/.ssh/config

printf '%s\n' \
  "KNOWN_HOSTS=$TESTHOME/.ssh/known_hosts" \
  >> "$MONKEYSPHERE_HOME"/monkeysphere.conf

# get_gpg_prng_arg is not defined in this file; presumably provided by
# the sourced "$TESTDIR"/common -- confirm.
get_gpg_prng_arg >> "$GNUPGHOME"/gpg.conf

printf '\n%s\n%s\n' \
  "##################################################" \
  "### configuring admin home..."
(cd "$TESTDIR"/home && find admin | cpio -pdu "$TEMPDIR")

# set up sshd
printf '\n%s\n%s\n' \
  "##################################################" \
  "### configuring sshd..."
cp "$TESTDIR"/etc/ssh/sshd_config "$SSHD_CONFIG"

# write the sshd_config
printf '%s\n' \
  "HostKey ${MONKEYSPHERE_SYSDATADIR}/ssh_host_rsa_key" \
  "AuthorizedKeysFile ${MONKEYSPHERE_SYSDATADIR}/authorized_keys/%u" \
  >> "$SSHD_CONFIG"

# disable sshd's strict permissions settings so that some tests can
# complete when running under a dubious path:
# With StrictModes off, sshd itself no longer rejects loosely
# permissioned files, so a run that took this branch says less about
# the permission checks than a run in a properly owned directory.
if [[ "$TEMPDIR_PERMISSIONS_SAFE" != yes ]]; then
  printf '%s\n' "StrictModes no" >> "$SSHD_CONFIG"
fi
  177. ######################################################################
  178. ### SERVER HOST SETUP
  179. # import host key
  180. echo
  181. echo "##################################################"
  182. echo "### import host key..."
  183. ssh-keygen -b 1024 -t rsa -N '' -f "$TEMPDIR"/ssh_host_rsa_key
  184. monkeysphere-host import-key "$TEMPDIR"/ssh_host_rsa_key testhost
  185. echo
  186. echo "##################################################"
  187. echo "### getting host key fingerprint..."
  188. HOSTKEYID=$( monkeysphere-host show-key | grep '^OpenPGP fingerprint: ' | cut -f3 -d\ )
  189. echo "$HOSTKEYID"
  190. # change host key expiration
  191. echo
  192. echo "##################################################"
  193. echo "### setting host key expiration..."
  194. monkeysphere-host set-expire 1
  195. # FIXME: how do we check that the expiration has really been set?
  196. # certify host key with the "Admin's Key".
  197. # (this would normally be done via keyservers)
  198. echo
  199. echo "##################################################"
  200. echo "### certifying server host key..."
  201. < "$MONKEYSPHERE_SYSCONFIGDIR"/ssh_host_rsa_key.pub.gpg gpgadmin --import
  202. echo y | gpgadmin --command-fd 0 --sign-key "$HOSTKEYID"
  203. # FIXME: add revoker?
  204. # FIXME: how can we test publish-key without flooding junk into the
  205. # keyservers?
  206. # FIXME: should we run "diagnostics" here to test setup?
  207. ######################################################################
  208. ### SERVER AUTHENTICATION SETUP
  209. # set up monkeysphere authentication
  210. echo
  211. echo "##################################################"
  212. echo "### setup monkeysphere authentication..."
  213. cp "$TESTDIR"/etc/monkeysphere/monkeysphere-authentication.conf "$TEMPDIR"/
  214. cat <<EOF >> "$TEMPDIR"/monkeysphere-authentication.conf
  215. AUTHORIZED_USER_IDS="$MONKEYSPHERE_HOME/authorized_user_ids"
  216. EOF
  217. monkeysphere-authentication setup
  218. get_gpg_prng_arg >> "$MONKEYSPHERE_SYSDATADIR"/authentication/sphere/gpg.conf
  219. # add admin as identity certifier for testhost
  220. echo
  221. echo "##################################################"
  222. echo "### adding admin as certifier..."
  223. monkeysphere-authentication add-id-certifier "$TEMPDIR"/admin/.gnupg/pubkey.gpg
  224. echo
  225. echo "##################################################"
  226. echo "### list certifiers..."
  227. monkeysphere-authentication list-certifiers
  228. # FIXME: should we run "diagnostics" here to test setup?
  229. ######################################################################
  230. ### TESTUSER SETUP
  231. # generate an auth subkey for the test user that expires in 2 days
  232. echo
  233. echo "##################################################"
  234. echo "### generating key for testuser..."
  235. monkeysphere gen-subkey
  236. # add server key to testuser keychain
  237. echo
  238. echo "##################################################"
  239. echo "### export server key to testuser..."
  240. gpgadmin --armor --export "$HOSTKEYID" | gpg --import
  241. # teach the "server" about the testuser's key
  242. echo
  243. echo "##################################################"
  244. echo "### export testuser key to server..."
  245. gpg --export testuser | monkeysphere-authentication gpg-cmd --import
  246. # update authorized_keys for user
  247. echo
  248. echo "##################################################"
  249. echo "### update server authorized_keys file for this testuser..."
  250. monkeysphere-authentication update-users $(whoami)
  251. # FIXME: this is maybe not failing properly for:
  252. # ms: improper group or other writability on path '/tmp'.
  253. ######################################################################
  254. ### TESTS
  255. # connect to test sshd, using monkeysphere ssh-proxycommand to verify
  256. # the identity before connection. This should work in both directions!
  257. echo
  258. echo "##################################################"
  259. echo "### ssh connection test for success..."
  260. ssh_test
  261. # remove the testuser's authorized_user_ids file, update, and make
  262. # sure that the ssh authentication FAILS
  263. echo
  264. echo "##################################################"
  265. echo "### removing testuser authorized_user_ids and updating..."
  266. mv "$TESTHOME"/.monkeysphere/authorized_user_ids{,.bak}
  267. monkeysphere-authentication update-users $(whoami)
  268. echo
  269. echo "##################################################"
  270. echo "### ssh connection test for failure..."
  271. ssh_test 255
  272. mv "$TESTHOME"/.monkeysphere/authorized_user_ids{.bak,}
  273. # put improper permissions on authorized_user_ids file, update, and
  274. # make sure ssh authentication FAILS
  275. echo
  276. echo "##################################################"
  277. echo "### setting group writability on authorized_user_ids and updating..."
  278. chmod g+w "$TESTHOME"/.monkeysphere/authorized_user_ids
  279. monkeysphere-authentication update-users $(whoami)
  280. echo
  281. echo "##################################################"
  282. echo "### ssh connection test for failure..."
  283. ssh_test 255
  284. chmod g-w "$TESTHOME"/.monkeysphere/authorized_user_ids
  285. echo
  286. echo "##################################################"
  287. echo "### setting other writability on authorized_user_ids and updating..."
  288. chmod o+w "$TESTHOME"/.monkeysphere/authorized_user_ids
  289. monkeysphere-authentication update-users $(whoami)
  290. echo
  291. echo "##################################################"
  292. echo "### ssh connection test for failure..."
  293. ssh_test 255
  294. chmod o-w "$TESTHOME"/.monkeysphere/authorized_user_ids
  295. monkeysphere-authentication update-users $(whoami)
  296. # test symlinks
  297. echo
  298. echo "##################################################"
  299. echo "### setup for symlink tests..."
  300. cp -a "$TESTHOME"/.monkeysphere{,.linktest}
  301. echo
  302. echo "##################################################"
  303. echo "### make authorized_user_ids an absolute symlink and updating..."
  304. mv "$TESTHOME"/.monkeysphere/authorized_user_ids{,.bak}
  305. ln -s "$TESTHOME"/.monkeysphere{.linktest,}/authorized_user_ids
  306. monkeysphere-authentication update-users $(whoami)
  307. echo
  308. echo "##################################################"
  309. echo "### ssh connection test for success..."
  310. ssh_test
  311. echo
  312. echo "##################################################"
  313. echo "### create bad permissions on link dir and updating..."
  314. chmod o+w "$TESTHOME"/.monkeysphere.linktest
  315. monkeysphere-authentication update-users $(whoami)
  316. echo
  317. echo "##################################################"
  318. echo "### ssh connection test for failure..."
  319. ssh_test 255
  320. chmod o-w "$TESTHOME"/.monkeysphere.linktest
  321. echo
  322. echo "##################################################"
  323. echo "### make authorized_user_ids a relative symlink and updating..."
  324. ln -sf ../.monkeysphere.linktest/authorized_user_ids "$TESTHOME"/.monkeysphere/authorized_user_ids
  325. monkeysphere-authentication update-users $(whoami)
  326. echo
  327. echo "##################################################"
  328. echo "### ssh connection test for success..."
  329. ssh_test
  330. echo
  331. echo "##################################################"
  332. echo "### create bad permissions on link dir updating..."
  333. chmod o+w "$TESTHOME"/.monkeysphere.linktest
  334. monkeysphere-authentication update-users $(whoami)
  335. echo
  336. echo "##################################################"
  337. echo "### ssh connection test for failure..."
  338. ssh_test 255
  339. chmod o-w "$TESTHOME"/.monkeysphere.linktest
  340. # FIXME: implement check of link path, and uncomment this test
  341. # echo
  342. # echo "##################################################"
  343. # echo "### create bad permissions on link dir and updating..."
  344. # chmod o+w "$TESTHOME"/.monkeysphere
  345. # monkeysphere-authentication update-users $(whoami)
  346. # echo
  347. # echo "##################################################"
  348. # echo "### ssh connection test for failure..."
  349. # ssh_test 255
  350. # chmod o-w "$TESTHOME"/.monkeysphere
  351. rm "$TESTHOME"/.monkeysphere/authorized_user_ids
  352. mv "$TESTHOME"/.monkeysphere/authorized_user_ids{.bak,}
  353. echo
  354. echo "##################################################"
  355. echo "### make .monkeysphere directory an absolute symlink and updating..."
  356. mv "$TESTHOME"/.monkeysphere{,.bak}
  357. ln -s "$TESTHOME"/.monkeysphere{.linktest,}
  358. monkeysphere-authentication update-users $(whoami)
  359. echo
  360. echo "##################################################"
  361. echo "### ssh connection test for success..."
  362. ssh_test
  363. echo
  364. echo "##################################################"
  365. echo "### create bad permissions on link dir and updating..."
  366. chmod o+w "$TESTHOME"/.monkeysphere.linktest
  367. monkeysphere-authentication update-users $(whoami)
  368. echo
  369. echo "##################################################"
  370. echo "### ssh connection test for failure..."
  371. ssh_test 255
  372. chmod o-w "$TESTHOME"/.monkeysphere.linktest
  373. echo
  374. echo "##################################################"
  375. echo "### make .monkeysphere directory a relative symlink and updating..."
  376. ln -sfn .monkeysphere{.linktest,}
  377. monkeysphere-authentication update-users $(whoami)
  378. echo
  379. echo "##################################################"
  380. echo "### ssh connection test for success..."
  381. ssh_test
  382. echo
  383. echo "##################################################"
  384. echo "### create bad permissions on link dir updating..."
  385. chmod o+w "$TESTHOME"/.monkeysphere.linktest
  386. monkeysphere-authentication update-users $(whoami)
  387. echo
  388. echo "##################################################"
  389. echo "### ssh connection test for failure..."
  390. ssh_test 255
  391. chmod o-w "$TESTHOME"/.monkeysphere.linktest
  392. rm "$TESTHOME"/.monkeysphere
  393. mv "$TESTHOME"/.monkeysphere{.bak,}
  394. # ensure we're back to normal:
  395. echo
  396. echo "##################################################"
  397. echo "### making sure we are back to normal..."
  398. monkeysphere-authentication update-users $(whoami)
  399. ssh_test
  400. echo
  401. echo "##################################################"
  402. echo "### ssh connection test directly to 'testhost2' without new name..."
  403. target_hostname=testhost2 ssh_test 255
  404. echo
  405. echo "##################################################"
  406. echo "### add hostname, certify by admin, import by user..."
  407. monkeysphere-host add-hostname testhost2
  408. < "$MONKEYSPHERE_SYSCONFIGDIR"/ssh_host_rsa_key.pub.gpg gpgadmin --import
  409. printf "y\ny\n" | gpgadmin --command-fd 0 --sign-key "$HOSTKEYID"
  410. echo
  411. echo "##################################################"
  412. echo "### ssh connection test with hostname 'testhost2' added..."
  413. gpgadmin --export "$HOSTKEYID" | gpg --import
  414. gpg --check-trustdb
  415. ssh_test
  416. echo
  417. echo "##################################################"
  418. echo "### ssh connection test directly to 'testhost2' ..."
  419. gpg --import <"$MONKEYSPHERE_SYSCONFIGDIR"/ssh_host_rsa_key.pub.gpg
  420. gpg --check-trustdb
  421. target_hostname=testhost2 ssh_test
  422. echo
  423. echo "##################################################"
  424. echo "### ssh connection test for failure with 'testhost2' revoked..."
  425. monkeysphere-host revoke-hostname testhost2
  426. gpg --import <"$MONKEYSPHERE_SYSCONFIGDIR"/ssh_host_rsa_key.pub.gpg
  427. gpg --check-trustdb
  428. target_hostname=testhost2 ssh_test 255
  429. # FIXME: addtest: remove admin as id-certifier and check ssh failure
  430. # FIXME: addtest: how do we test that set-expire makes sense after new
  431. # hostnames have been added?
  432. # FIXME: addtest: revoke the host key and check ssh failure
  433. # test to make sure things are OK after the previous tests:
  434. echo
  435. echo "##################################################"
  436. echo "### settings reset, updating..."
  437. monkeysphere-authentication update-users $(whoami)
  438. echo
  439. echo "##################################################"
  440. echo "### ssh connection test for success..."
  441. ssh_test
  442. echo
  443. echo "##################################################"
  444. echo "### revoking host key..."
  445. # generate the revocation certificate and feed it directly to the test
  446. # user's keyring (we're not publishing to the keyservers)
  447. monkeysphere-host revoke-key | gpg --import
  448. echo
  449. echo "##################################################"
  450. echo "### ssh connection test for failure..."
  451. ssh_test 255
  452. ######################################################################
  453. trap - EXIT
  454. echo
  455. echo "##################################################"
  456. echo " Monkeysphere basic tests completed successfully!"
  457. echo "##################################################"
  458. cleanup