func TestAuth(t *testing.T) {
a, b, err := netPipe()
if err != nil {
t.Fatalf("netPipe: %v", err)
}
defer a.Close()
defer b.Close()
agent, _, cleanup := startAgent(t)
defer cleanup()
if err := agent.Add(AddedKey{PrivateKey: testPrivateKeys["rsa"], Comment: "comment"}); err != nil {
t.Errorf("Add: %v", err)
}
serverConf := ssh.ServerConfig{}
serverConf.AddHostKey(testSigners["rsa"])
serverConf.PublicKeyCallback = func(c ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) {
if bytes.Equal(key.Marshal(), testPublicKeys["rsa"].Marshal()) {
return nil, nil
}
return nil, errors.New("pubkey rejected")
}
go func() {
conn, _, _, err := ssh.NewServerConn(a, &serverConf)
if err != nil {
t.Fatalf("Server: %v", err)
}
conn.Close()
}()
conf := ssh.ClientConfig{}
conf.Auth = append(conf.Auth, ssh.PublicKeysCallback(agent.Signers))
conn, _, _, err := ssh.NewClientConn(b, "", &conf)
if err != nil {
t.Fatalf("NewClientConn: %v", err)
}
conn.Close()
}
BeforeEach(func() {
targetConfigJson, err := json.Marshal(proxy.TargetConfig{
Address: sshdListener.Addr().String(),
PrivateKey: TestPrivatePem,
})
Expect(err).NotTo(HaveOccurred())
permissions = &ssh.Permissions{
CriticalOptions: map[string]string{
"proxy-target-config": string(targetConfigJson),
},
}
publicKeyAuthenticator = &fake_authenticators.FakePublicKeyAuthenticator{}
publicKeyAuthenticator.AuthenticateReturns(&ssh.Permissions{}, nil)
daemonSSHConfig.PublicKeyCallback = publicKeyAuthenticator.Authenticate
})
It("will use the public key for authentication", func() {
expectedKey, _, _, _, err := ssh.ParseAuthorizedKey([]byte(TestPublicAuthorizedKey))
Expect(err).NotTo(HaveOccurred())
Expect(publicKeyAuthenticator.AuthenticateCallCount()).To(Equal(1))
_, actualKey := publicKeyAuthenticator.AuthenticateArgsForCall(0)
Expect(actualKey.Marshal()).To(Equal(expectedKey.Marshal()))
})
})
Context("when the config contains a user and a public key", func() {
var publicKeyAuthenticator *fake_authenticators.FakePublicKeyAuthenticator