3 # Tests to ensure that the monkeysphere is working
6 # Daniel Kahn Gillmor <dkg@fifthhorseman.net>
7 # Jameson Rollins <jrollins@fifthhorseman.net>
9 # License: GPL v3 or later
11 # these tests should all be able to
12 # as a non-privileged user.
14 # all subcommands in this script should complete without failure:
17 # gpg command for test admin user
19 GNUPGHOME="$TEMPDIR"/admin/.gnupg gpg "$@"
23 socat EXEC:"/usr/sbin/sshd -f ${SSHD_CONFIG} -i -D -e" "UNIX-LISTEN:${SOCKET}" 2> "$TEMPDIR"/sshd.log &
26 # wait until the socket is created before continuing
27 while [ ! -S "$SOCKET" ] ; do
34 "monkeysphere subkey-to-ssh-agent && ssh -F $TEMPDIR/testuser/.ssh/config testhost true"
38 # FIXME: can we be more verbose here?
40 read -p "press enter to cleanup and remove tmp:"
46 if [ "$SSHD_PID" ] && ( ps "$SSHD_PID" >/dev/null ) ; then
47 echo "### stopping still-running sshd..."
51 echo "### removing temp dir..."
58 trap failed_cleanup EXIT
60 ## set up some variables to ensure that we're operating strictly in
61 ## the tests, not system-wide:
66 TEMPDIR="$TESTDIR"/tmp
67 if [ -e "$TEMPDIR" ] ; then
68 echo "tempdir '$TEMPDIR' already exists."
73 # Use the local copy of executables first, instead of system ones.
74 # This should help us test without installing.
75 export PATH="$TESTDIR"/../src:"$TESTDIR"/../src/keytrans:"$PATH"
77 export MONKEYSPHERE_SYSDATADIR="$TEMPDIR"
78 export MONKEYSPHERE_SYSCONFIGDIR="$TEMPDIR"
79 export MONKEYSPHERE_SYSSHAREDIR="$TESTDIR"/../src
80 export MONKEYSPHERE_MONKEYSPHERE_USER="$USER"
81 export MONKEYSPHERE_CHECK_KEYSERVER=false
83 export SSHD_CONFIG="$TEMPDIR"/sshd_config
84 export SOCKET="$TEMPDIR"/ssh-socket
87 # copy in admin and testuser home to tmp
88 echo "### copying admin and testuser homes..."
89 cp -a "$TESTDIR"/home/admin "$TEMPDIR"/
90 cp -a "$TESTDIR"/home/testuser "$TEMPDIR"/
92 cat <<EOF >> "$TEMPDIR"/testuser/.ssh/config
93 UserKnownHostsFile $TEMPDIR/testuser/.ssh/known_hosts
94 IdentityFile $TEMPDIR/testuser/.ssh/no-such-identity
95 ProxyCommand $TEMPDIR/testuser/.ssh/proxy-command %h %p $SOCKET
98 cat <<EOF >> "$TEMPDIR"/testuser/.monkeysphere/monkeysphere.conf
99 KNOWN_HOSTS=$TEMPDIR/testuser/.ssh/known_hosts
102 # set up a simple default monkeysphere-server.conf
103 cat <<EOF >> "$TEMPDIR"/monkeysphere-server.conf
104 AUTHORIZED_USER_IDS="$TEMPDIR/testuser/.monkeysphere/authorized_user_ids"
109 # setup monkeysphere temp gnupghome directories
110 mkdir -p -m 750 "$MONKEYSPHERE_SYSDATADIR"/gnupg-host
111 mkdir -p -m 700 "$MONKEYSPHERE_SYSDATADIR"/gnupg-authentication
112 mkdir -p -m 700 "$MONKEYSPHERE_SYSDATADIR"/authorized_keys
113 cat <<EOF > "$MONKEYSPHERE_SYSDATADIR"/gnupg-authentication/gpg.conf
114 primary-keyring ${MONKEYSPHERE_SYSDATADIR}/gnupg-authentication/pubring.gpg
115 keyring ${MONKEYSPHERE_SYSDATADIR}/gnupg-host/pubring.gpg
118 # create a new host key
119 echo "### generating server key..."
120 # add gpg.conf with quick-random
121 echo "quick-random" >> "$MONKEYSPHERE_SYSCONFIGDIR"/gnupg-host/gpg.conf
122 echo | monkeysphere-server gen-key --length 1024 --expire 0 testhost
123 # remove the gpg.conf
124 rm "$MONKEYSPHERE_SYSCONFIGDIR"/gnupg-host/gpg.conf
126 HOSTKEYID=$( monkeysphere-server show-key | tail -n1 | cut -f3 -d\ )
128 # certify it with the "Admin's Key".
129 # (this would normally be done via keyservers)
130 echo "### certifying server key..."
131 monkeysphere-server gpg-authentication-cmd "--armor --export $HOSTKEYID" | gpgadmin --import
132 echo y | gpgadmin --command-fd 0 --sign-key "$HOSTKEYID"
134 # FIXME: how can we test publish-key without flooding junk into the
137 # add admin as identity certifier for testhost
138 echo "### adding admin as certifier..."
139 echo y | monkeysphere-server add-identity-certifier "$TEMPDIR"/admin/.gnupg/pubkey.gpg
141 # initialize base sshd_config
142 cp etc/ssh/sshd_config "$SSHD_CONFIG"
143 # write the sshd_config
144 cat <<EOF >> "$SSHD_CONFIG"
145 HostKey ${MONKEYSPHERE_SYSDATADIR}/ssh_host_rsa_key
146 AuthorizedKeysFile ${MONKEYSPHERE_SYSDATADIR}/authorized_keys/%u
149 # launch test sshd with the new host key.
150 echo "### starting sshd..."
155 # generate an auth subkey for the test user
156 echo "### generating key for testuser..."
157 export GNUPGHOME="$TEMPDIR"/testuser/.gnupg
158 export SSH_ASKPASS="$TEMPDIR"/testuser/.ssh/askpass
159 export MONKEYSPHERE_HOME="$TEMPDIR"/testuser/.monkeysphere
161 monkeysphere gen-subkey --expire 0
163 # add server key to testuser keychain
164 echo "### export server key to testuser..."
165 gpgadmin --armor --export "$HOSTKEYID" | gpg --import
167 # teach the "server" about the testuser's key
168 echo "### export testuser key to server..."
169 gpg --export testuser | monkeysphere-server gpg-authentication-cmd --import
170 echo "### update server authorized_keys file for this testuser..."
171 monkeysphere-server update-users "$USER"
173 # connect to test sshd, using monkeysphere-ssh-proxycommand to verify
174 # the identity before connection. This should work in both directions!
175 echo "### testuser connecting to sshd socket..."
178 # kill the previous sshd process if it's still running
181 # now remove the testuser's authorized_user_ids file and reupdate
182 # authorized_keys file...
183 echo "### removing testuser authorized_user_ids and reupdating authorized_keys..."
184 rm -f "$TEMPDIR"/testuser/.monkeysphere/authorized_user_ids
185 monkeysphere-server update-users "$USER"
188 echo "### restarting sshd..."
191 # and make sure the user can no longer connect
192 echo "### testuser attempting to connect to sshd socket..."
193 ssh_test || SSH_RETURN="$?"
194 if [ "$SSH_RETURN" != '255' ] ; then
201 echo "Monkeysphere basic tests completed successfully!"