git_clone/handy-sshd
1
0
Fork 0
mirror of https://github.com/nwtgck/handy-sshd.git synced 2025-06-08 07:03:04 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

test permissions

Browse source
This commit is contained in:
Ryo Ota 2023-08-10 23:17:03 +09:00
parent cad0e3fa23
commit 9e10ac7dea
2 changed files with 146 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

124
cmd/root_test.go
View file

@ -60,6 +60,33 @@ func TestAllPermissionsAllowed(t *testing.T) {
assertExec(t, client) assertExec(t, client)
assertLocalPortForwarding(t, client) assertLocalPortForwarding(t, client)
assertRemotePortForwardingTODO(t, client) assertRemotePortForwardingTODO(t, client)
// TODO: pty
// TODO: sftp
}
func TestEmptyPassword(t *testing.T) {
rootCmd := RootCmd()
port := getAvailableTcpPort()
rootCmd.SetArgs([]string{"--port", strconv.Itoa(port), "--user", "john:"})
ctx, cancel := context.WithCancel(context.Background())
defer cancel()
go func() {
var stderrBuf bytes.Buffer
rootCmd.SetErr(&stderrBuf)
rootCmd.ExecuteContext(ctx)
}()
waitTCPServer(port)
sshClientConfig := &ssh.ClientConfig{
User: "john",
HostKeyCallback: func(hostname string, remote net.Addr, key ssh.PublicKey) error {
return nil
},
}
address := net.JoinHostPort("127.0.0.1", strconv.Itoa(port))
client, err := ssh.Dial("tcp", address, sshClientConfig)
assert.NoError(t, err)
defer client.Close()
} }
func TestMultipleUsers(t *testing.T) { func TestMultipleUsers(t *testing.T) {
@ -115,5 +142,100 @@ func TestWrongPassword(t *testing.T) {
address := net.JoinHostPort("127.0.0.1", strconv.Itoa(port)) address := net.JoinHostPort("127.0.0.1", strconv.Itoa(port))
_, err := ssh.Dial("tcp", address, sshClientConfig) _, err := ssh.Dial("tcp", address, sshClientConfig)
assert.Error(t, err) assert.Error(t, err)
assert.Equal(t, err.Error(), `ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain`) assert.Equal(t, `ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain`, err.Error())
} }
func TestAllowExecute(t *testing.T) {
rootCmd := RootCmd()
port := getAvailableTcpPort()
rootCmd.SetArgs([]string{"--port", strconv.Itoa(port), "--user", "john:mypassword", "--allow-execute"})
ctx, cancel := context.WithCancel(context.Background())
defer cancel()
go func() {
var stderrBuf bytes.Buffer
rootCmd.SetErr(&stderrBuf)
rootCmd.ExecuteContext(ctx)
}()
waitTCPServer(port)
sshClientConfig := &ssh.ClientConfig{
User: "john",
Auth: []ssh.AuthMethod{ssh.Password("mypassword")},
HostKeyCallback: func(hostname string, remote net.Addr, key ssh.PublicKey) error {
return nil
},
}
address := net.JoinHostPort("127.0.0.1", strconv.Itoa(port))
client, err := ssh.Dial("tcp", address, sshClientConfig)
assert.NoError(t, err)
defer client.Close()
assert.NoError(t, err)
assertNoRemotePortForwarding(t, client)
assertNoLocalPortForwarding(t, client)
assertExec(t, client)
// TODO: no pty
// TODO: no sftp
}
func TestAllowTcpipForward(t *testing.T) {
rootCmd := RootCmd()
port := getAvailableTcpPort()
rootCmd.SetArgs([]string{"--port", strconv.Itoa(port), "--user", "john:mypassword", "--allow-tcpip-forward"})
ctx, cancel := context.WithCancel(context.Background())
defer cancel()
go func() {
var stderrBuf bytes.Buffer
rootCmd.SetErr(&stderrBuf)
rootCmd.ExecuteContext(ctx)
}()
waitTCPServer(port)
sshClientConfig := &ssh.ClientConfig{
User: "john",
Auth: []ssh.AuthMethod{ssh.Password("mypassword")},
HostKeyCallback: func(hostname string, remote net.Addr, key ssh.PublicKey) error {
return nil
},
}
address := net.JoinHostPort("127.0.0.1", strconv.Itoa(port))
client, err := ssh.Dial("tcp", address, sshClientConfig)
assert.NoError(t, err)
defer client.Close()
assert.NoError(t, err)
assertRemotePortForwardingTODO(t, client)
assertNoLocalPortForwarding(t, client)
assertNoExec(t, client)
// TODO: no pty
// TODO: no sftp
}
func TestAllowDirectTcpip(t *testing.T) {
rootCmd := RootCmd()
port := getAvailableTcpPort()
rootCmd.SetArgs([]string{"--port", strconv.Itoa(port), "--user", "john:mypassword", "--allow-direct-tcpip"})
ctx, cancel := context.WithCancel(context.Background())
defer cancel()
go func() {
var stderrBuf bytes.Buffer
rootCmd.SetErr(&stderrBuf)
rootCmd.ExecuteContext(ctx)
}()
waitTCPServer(port)
sshClientConfig := &ssh.ClientConfig{
User: "john",
Auth: []ssh.AuthMethod{ssh.Password("mypassword")},
HostKeyCallback: func(hostname string, remote net.Addr, key ssh.PublicKey) error {
return nil
},
}
address := net.JoinHostPort("127.0.0.1", strconv.Itoa(port))
client, err := ssh.Dial("tcp", address, sshClientConfig)
assert.NoError(t, err)
defer client.Close()
assert.NoError(t, err)
assertNoRemotePortForwarding(t, client)
assertLocalPortForwarding(t, client)
assertNoExec(t, client)
// TODO: no pty
// TODO: no sftp
}
// TODO: TestAllowSftp

24
cmd/test_util_test.go
View file

@ -37,7 +37,16 @@ func assertExec(t *testing.T, client *ssh.Client) {
assert.NoError(t, err) assert.NoError(t, err)
expectedWhoamiBytes, err := exec.Command("whoami").Output() expectedWhoamiBytes, err := exec.Command("whoami").Output()
assert.NoError(t, err) assert.NoError(t, err)
assert.Equal(t, string(whoamiBytes), string(expectedWhoamiBytes)) assert.Equal(t, string(expectedWhoamiBytes), string(whoamiBytes))
}
func assertNoExec(t *testing.T, client *ssh.Client) {
session, err := client.NewSession()
assert.NoError(t, err)
defer session.Close()
_, err = session.Output("whoami")
assert.Error(t, err)
assert.Equal(t, "ssh: command whoami failed", err.Error())
} }
func assertLocalPortForwarding(t *testing.T, client *ssh.Client) { func assertLocalPortForwarding(t *testing.T, client *ssh.Client) {
@ -79,6 +88,13 @@ func assertLocalPortForwarding(t *testing.T, client *ssh.Client) {
} }
} }
func assertNoLocalPortForwarding(t *testing.T, client *ssh.Client) {
raddr := &net.TCPAddr{IP: net.ParseIP("127.0.0.1"), Port: 1234}
_, err := client.DialTCP("tcp", nil, raddr)
assert.Error(t, err)
assert.Equal(t, "ssh: rejected: administratively prohibited (direct-tcpip not allowed)", err.Error())
}
func assertRemotePortForwardingTODO(t *testing.T, client *ssh.Client) { func assertRemotePortForwardingTODO(t *testing.T, client *ssh.Client) {
remotePort := getAvailableTcpPort() remotePort := getAvailableTcpPort()
acceptedConnChan := make(chan net.Conn) acceptedConnChan := make(chan net.Conn)
@ -101,3 +117,9 @@ func assertRemotePortForwardingTODO(t *testing.T, client *ssh.Client) {
//defer acceptedConn.Close() //defer acceptedConn.Close()
// TODO: conn <--> acceptedConn communication // TODO: conn <--> acceptedConn communication
} }
func assertNoRemotePortForwarding(t *testing.T, client *ssh.Client) {
_, err := client.Listen("tcp", "127.0.0.1:5678")
assert.Error(t, err)
assert.Equal(t, "ssh: tcpip-forward request denied by peer", err.Error())
}