defmodule GitGud.Ssh.KeyApiTest do
@moduledoc """
Asserts that the fingerprint computed by `KeyApi.fingerprint_of/1`
(called from the SSH auth callback against a parsed OTP key) matches
the fingerprint our `SshKey` schema computes from the user's pasted
OpenSSH text. Without parity, DB-backed auth would always fail.
"""
use GitGud.DataCase, async: false
alias GitGud.Ssh.KeyApi
alias GitGud.SshKeys
alias GitGud.SshKeys.SshKey
import GitGud.AccountsFixtures
# A canned ed25519 keypair so we don't depend on OTP version-specific
# key tuple shapes. Generated via `ssh-keygen -t ed25519 -N ''`.
@openssh_pub "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDIvCK0qd2v15O96oXcAYO3FpyDC2OYa3LxOoehl0HUx test-key"
defp parse_pubkey(line) do
[{key, _attrs}] = :ssh_file.decode(line <> "\n", :public_key)
key
end
test "fingerprint_of/1 matches what SshKey stores from the pasted text" do
public_key = parse_pubkey(@openssh_pub)
user = user_fixture()
assert {:ok, %SshKey{fingerprint: stored_fp}} =
SshKeys.create_key(user, %{"title" => "test", "key" => @openssh_pub})
assert KeyApi.fingerprint_of(public_key) == stored_fp
end
test "is_auth_key/3 accepts a key registered for the matching user handle" do
user = user_fixture()
{:ok, _} = SshKeys.create_key(user, %{"title" => "k", "key" => @openssh_pub})
handle = user.email |> String.split("@") |> List.first()
public_key = parse_pubkey(@openssh_pub)
assert KeyApi.is_auth_key(public_key, String.to_charlist(handle), [])
end
test "is_auth_key/3 rejects a key registered under a different user handle" do
owner = user_fixture()
{:ok, _} = SshKeys.create_key(owner, %{"title" => "k", "key" => @openssh_pub})
public_key = parse_pubkey(@openssh_pub)
refute KeyApi.is_auth_key(public_key, ~c"someone-else", [])
end
test "is_auth_key/3 rejects an unknown key" do
other_openssh =
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILbm2lqXkqJOR0fk4tw+vK7lXdQ4D0gAbqU+JFqAxOka other"
refute KeyApi.is_auth_key(parse_pubkey(other_openssh), ~c"anybody", [])
end
end
2.1 KiB · text
5af55d9