-
Notifications
You must be signed in to change notification settings - Fork 4
Expand file tree
/
Copy pathserver_test.go
More file actions
357 lines (310 loc) · 10.6 KB
/
server_test.go
File metadata and controls
357 lines (310 loc) · 10.6 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
package sshd
import (
"net"
"testing"
"time"
"github.com/deis/builder/pkg/controller"
"github.com/Masterminds/cookoo"
"github.com/deis/builder/pkg/cleaner"
"golang.org/x/crypto/ssh"
)
const (
testingServerAddr = "127.0.0.1:2244"
testingServerAddr2 = "127.0.0.1:2245"
testingServerAddr3 = "127.0.0.1:2246"
gitHome = "/git"
)
// TestServer tests the SSH server.
//
// This listens on the non-standard port 2244 of localhost. This will generate
// an entry in your known_hosts file, and will tie that to the testing key
// used here. It's not recommended that you try to start another SSH server on
// the same port (at a later time) or else you will have key issues that you
// must manually resolve.
func TestReceive(t *testing.T) {
key, err := sshTestingHostKey()
if err != nil {
t.Fatal(err)
}
cfg := ssh.ServerConfig{
NoClientAuth: true,
}
cfg.AddHostKey(key)
c := NewCircuit()
pushLock := NewInMemoryRepositoryLock()
deleteLock := NewInMemoryRepositoryLock()
cxt := runServer(&cfg, c, pushLock, deleteLock, testingServerAddr, t)
// Give server time to initialize.
time.Sleep(200 * time.Millisecond)
if c.State() != ClosedState {
t.Fatalf("circuit was not in closed state")
}
// Connect to the server and issue env var set. This should return true.
client, err := ssh.Dial("tcp", testingServerAddr, &ssh.ClientConfig{})
if err != nil {
t.Fatalf("Failed to connect client to local server: %s", err)
}
sess, err := client.NewSession()
if err != nil {
t.Fatalf("Failed to create client session: %s", err)
}
defer sess.Close()
if err := sess.Setenv("HELLO", "world"); err != nil {
t.Fatal(err)
}
if out, err := sess.Output("ping"); err != nil {
t.Errorf("Output '%s' Error %s", out, err)
} else if string(out) != "pong" {
t.Errorf("Expected 'pong', got '%s'", out)
}
// Create a new session because the success of the last one closed the
// connection.
sess, err = client.NewSession()
if err != nil {
t.Fatalf("Failed to create client session: %s", err)
}
if err := sess.Run("illegal"); err == nil {
t.Fatalf("expected a failed run with command 'illegal'")
}
if err := sess.Run("illegal command"); err == nil {
t.Fatalf("expected a failed run with command 'illegal command'")
}
closer := cxt.Get("sshd.Closer", nil).(chan interface{})
closer <- true
}
func TestPush(t *testing.T) {
key, err := sshTestingHostKey()
if err != nil {
t.Fatal(err)
}
cfg := ssh.ServerConfig{
NoClientAuth: true,
}
cfg.AddHostKey(key)
c := NewCircuit()
pushLock := NewInMemoryRepositoryLock()
deleteLock := NewInMemoryRepositoryLock()
runServer(&cfg, c, pushLock, deleteLock, testingServerAddr2, t)
// Give server time to initialize.
time.Sleep(200 * time.Millisecond)
if c.State() != ClosedState {
t.Fatalf("circuit was not in closed state")
}
// Connect to the server and issue env var set. This should return true.
client, err := ssh.Dial("tcp", testingServerAddr2, &ssh.ClientConfig{})
if err != nil {
t.Fatalf("Failed to connect client to local server: %s", err)
}
sess, err := client.NewSession()
if err != nil {
t.Fatalf("Failed to create client session: %s", err)
}
// check for invalid length of arguments
if out, err := sess.Output("git-upload-pack"); err == nil {
t.Errorf("Expected an error but '%s' was received", out)
} else if string(out) != "" {
t.Errorf("Expected , got '%s'", out)
}
sess.Close()
go func() {
sess, err = client.NewSession()
if err != nil {
t.Fatalf("Failed to create client session: %s", err)
}
if out, err := sess.Output("git-upload-pack /demo.git"); err != nil {
t.Errorf("Unexpected error %s, Output '%s'", err, out)
} else if string(out) != "OK" {
t.Errorf("Expected 'OK' got '%s'", out)
}
sess.Close()
}()
time.Sleep(2 * time.Second)
sess, err = client.NewSession()
if err != nil {
t.Fatalf("Failed to create client session: %s", err)
}
if out, err := sess.Output("git-upload-pack /demo.git"); err == nil {
t.Errorf("Expected an error but returned without errors '%s'", out)
}
sess.Close()
}
func TestDelete(t *testing.T) {
key, err := sshTestingHostKey()
if err != nil {
t.Fatal(err)
}
cfg := ssh.ServerConfig{
NoClientAuth: true,
}
cfg.AddHostKey(key)
c := NewCircuit()
pushLock := NewInMemoryRepositoryLock()
deleteLock := NewInMemoryRepositoryLock()
runServer(&cfg, c, pushLock, deleteLock, testingServerAddr3, t)
// Give server time to initialize.
time.Sleep(200 * time.Millisecond)
if c.State() != ClosedState {
t.Fatalf("circuit was not in closed state")
}
// Connect to the server and issue env var set. This should return true.
client, err := ssh.Dial("tcp", testingServerAddr2, &ssh.ClientConfig{})
if err != nil {
t.Fatalf("Failed to connect client to local server: %s", err)
}
sess, err := client.NewSession()
if err != nil {
t.Fatalf("Failed to create client session: %s", err)
}
// check for invalid length of arguments
if out, err := sess.Output("git-upload-pack"); err == nil {
t.Errorf("Expected an error but '%s' was received", out)
} else if string(out) != "" {
t.Errorf("Expected , got '%s'", out)
}
sess.Close()
repoName := "demo"
if err := deleteLock.Lock(repoName, time.Duration(0)); err != nil {
t.Fatalf("Error locking the delete lock (%s)", err)
}
sess, err = client.NewSession()
if err != nil {
t.Fatalf("Failed to create client session: %s", err)
}
if out, err := sess.Output("git-upload-pack /" + repoName + ".git"); err != nil {
t.Errorf("expected no error, got %s", err)
} else if string(out) != "OK" {
t.Errorf("Expected 'OK' output, got %s", string(out))
}
sess.Close()
}
// sshTestingHostKey loads the testing key.
func sshTestingHostKey() (ssh.Signer, error) {
return ssh.ParsePrivateKey([]byte(testingHostKey))
}
func runServer(config *ssh.ServerConfig, c *Circuit, pushLock RepositoryLock, deleteLock RepositoryLock, testAddr string, t *testing.T) cookoo.Context {
reg, router, cxt := cookoo.Cookoo()
cxt.Put(ServerConfig, config)
cxt.Put(Address, testAddr)
cxt.Put("cookoo.Router", router)
reg.AddRoute(cookoo.Route{
Name: "sshPing",
Help: "Handles an ssh exec ping.",
Does: cookoo.Tasks{
cookoo.Cmd{
Name: "ping",
Fn: Ping,
Using: []cookoo.Param{
{Name: "request", From: "cxt:request"},
{Name: "channel", From: "cxt:channel"},
},
},
},
})
reg.AddRoute(cookoo.Route{
Name: "pubkeyAuth",
Does: []cookoo.Task{
cookoo.Cmd{
Name: "authN",
Fn: mockAuthKey,
Using: []cookoo.Param{
{Name: "metadata", From: "cxt:metadata"},
{Name: "key", From: "cxt:key"},
{Name: "repoName", From: "cxt:repository"},
},
},
},
})
reg.AddRoute(cookoo.Route{
Name: "sshGitReceive",
Does: []cookoo.Task{
cookoo.Cmd{
Name: "receive",
Fn: mockDummyReceive,
Using: []cookoo.Param{
{Name: "request", From: "cxt:request"},
{Name: "channel", From: "cxt:channel"},
{Name: "operation", From: "cxt:operation"},
{Name: "repoName", From: "cxt:repository"},
{Name: "permissions", From: "cxt:authN"},
{Name: "userinfo", From: "cxt:userinfo"},
},
},
},
})
cleanerRef := cleaner.NewRef()
go func() {
if err := Serve(reg, router, c, gitHome, pushLock, cleanerRef, cxt); err != nil {
t.Fatalf("Failed serving with %s", err)
}
}()
return cxt
}
func mockAuthKey(c cookoo.Context, p *cookoo.Params) (interface{}, cookoo.Interrupt) {
c.Put("userinfo", &controller.UserInfo{
Username: "deis",
Key: testingClientPubKey,
Fingerprint: "",
Apps: []string{"demo"},
})
perm := &ssh.Permissions{
Extensions: map[string]string{
"user": "deis",
},
}
return perm, nil
}
func mockDummyReceive(c cookoo.Context, p *cookoo.Params) (interface{}, cookoo.Interrupt) {
channel := p.Get("channel", nil).(ssh.Channel)
req := p.Get("request", nil).(*ssh.Request)
time.Sleep(5 * time.Second)
channel.Write([]byte("OK"))
sendExitStatus(0, channel)
req.Reply(true, nil)
return nil, nil
}
// connMetadata mocks ssh.ConnMetadata for authentication.
type connMetadata struct{}
func (cm *connMetadata) User() string { return "deis" }
func (cm *connMetadata) SessionID() []byte { return []byte("1") }
func (cm *connMetadata) ClientVersion() []byte { return []byte("2.3.4") }
func (cm *connMetadata) ServerVersion() []byte { return []byte("2.3.4") }
func (cm *connMetadata) RemoteAddr() net.Addr { return cm.localhost() }
func (cm *connMetadata) LocalAddr() net.Addr { return cm.localhost() }
func (cm *connMetadata) localhost() net.Addr {
addrs, err := net.InterfaceAddrs()
if err != nil {
panic(err)
}
return addrs[0]
}
var (
testingHostKey = `-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA0xOK/wubqj+e4HNp+yAdK4WJnLZCvcjS2DwaxwF+E968kSeU
27SOqiol7Y0UwLGLpB6rpIBnSqXo70xiMUSrnteKmMejddzfbGkvnyvo0dwE4nDd
vnbz64I25xfjTldb4RtNvpk6ymr0soq0EEYssLmdnt7pIgHT71n9RNtu+RPpRe5n
B2ImVeeEsQBhxFsIkkT21JqBhZQRVpeAAOHwainWpkP2MF2ajYUoirs5qOkPxxaw
Mc4i5CSvmFDkWjqkNt84QH9M9M/ws8qX76nImYOPHiF0KRbxamWsYjvdHJCSckdC
mOM7UtsQs8wC3E0xpuPEI0pNRTHCsgH7+KGxmwIDAQABAoIBAAOQufFS7d8zUeiy
qmCeiz+X8todzgTMppsWcNFZuhp10bOV+pK3ew1uxtM7ZdVXamdsSTPvI0+Ee+nG
3YW9hjSZqXKpNJ6iC3gWUsKaiEU7NS3qACTed4JL4ceHhMRm/1tPDcIhbnfK1LVL
WH1J4ileCUaMt11msIDDgV6vYjF81733O+8kPnh5BaFLIOuPdmAPfsZC2WQfBTka
6F5bhe9mcraQohWOGC/NKBbV9o6Ua2GT5ZJILtyPwfx8ctnQHLfmlTOI7qpRyMCU
1hGwlWxyvZRyY4loZehy0c7DaEWJqWS1AST9AbUcNXciYSt/5pUP76W0L6NzwJdh
C1jIY2ECgYEA+JwlIzhsZRsN0jA3A2qWRt3WGdliujAqDvVj4e8E+QnlTh/MDVKF
x3F+w58DHRKJrH7d1nD1fq2id6vh3Sl7xGHZiztOpolY0xlOt71X+2anX+QTEX5Q
d1jB/zQliUsxzIjqn31dKUlAfoI5XiWrxuP1Py8gZSTnnBl8bkdKZysCgYEA2VnG
+bhBdw/0RJVsleyHBrq0+MnQ80dxj6XatKvniVDqjHQefq088W2ULeI5wVjdMy59
CVnDVS6759pLkWu5br7Agb+NGyVKd3o0CT0Jn6JJj9kq1Wq7iOedJF+GtabVp4gk
efIYECkS7BKe1GFH5vRM8FbyyepRFBCgrH1ep1ECgYEAiRojaO7+6CspThcE379y
LJa+MfcueRuCtkkh0kFsbqLEcHccouQ1nq26iMsyfl/wyM4WLOKSoE/FX1XM85ij
BsQnop8MWs83ywMT5ERpNt1/xGQVF/qfCZJLOiBZ6wMq7W88ZMRQEiqxhJLwbDk+
KCsi3rtwlBbsG6v6cR6jq40CgYAzH4nMvQkw7yC+bQMgdIUCETJ1/kpWnqxYZGN/
8ZtBUjYJGVr+4tKd2u9qp3Z8QuGsozen1mQ6igaKr27s4pC4Osfe/OY8x1Wvqp/I
uIGl+a8h1avcjQFVX1036/wsh/RjNoOV51q/mlmoC20ueT9HVJkwQtNSqPmvJYYV
bFuyMQKBgQCsRVEJ6eqai+Pz4bY2UfBnkU6ZHdySI+fQB/T770p0/SbrYMBxNrPQ
v3+ZZfZMlci4pxBtXqrnoyj4uUoqZtR3ENLz53SN1i0vpT7DtC6gMnEF1UWiaoJ6
6mGH5/bxCg9wpV7qpqR0EbFM/dhQFZmmnirOS8x+00hJvc1HFiuN/A==
-----END RSA PRIVATE KEY-----
`
testingClientPubKey = `ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC/OImeiJppXJQY+fKpULj1cvM1FL5M9brc3Diqi8IbyVVvEoYMgcLri0msIOJl3SmkSFj5FAMZo/CswicedXwjB1LXBfbZRNG5cD+heYdwjE7bOZSeuMUOWkqbaj7Zd3XruJ91X0CKo0G2q47QzzzZFobL30ts09yX26ACfGjkNUjWMRKXm9iq2I4CdFK+YmfZz6GQl8pevIfuFTjL5uUMrlXPjh5KwLtuAbdlsp8oZH2aV/ajNWXMw2LYAJnny8MHGflZUtvVs9XUsemJwnTR9TdMNGcrcyTC+8Ceqnvxs3OL6i5ggDBhJnjWIc13n3otAlyGvW+zcWjypuBhotjz donotuse`
)