Apache MINA sshd client: test & fix password authentication

Add tests for password and keyboard-interactive authentication. Implement password authentication; the default provided by sshd is non-interactive, which is not useful for JGit. Make sure the CredentialsProvider gets reset on successive password retrieval attempts. Otherwise it might always return the same non- accepted password from a secure storage. (That one was discovered by actually trying this via EGit; the JGit tests don't catch this.) Change the default order of authentication mechanisms to prefer password over keyboard-interactive. This is a mitigation for upstream bug SSHD-866.[1] Also include a fix for upstream bug SSHD-867.[2] [1] https://issues.apache.org/jira/projects/SSHD/issues/SSHD-866 [2] https://issues.apache.org/jira/projects/SSHD/issues/SSHD-867 Bug: 520927 Change-Id: I423e548f06d3b51531016cf08938c8bd7acaa2a9 Signed-off-by: Thomas Wolf <thomas.wolf@paranor.ch>
author: Thomas Wolf <thomas.wolf@paranor.ch> 2018-11-16 17:00:25 +0100
committer: Matthias Sohn <matthias.sohn@sap.com> 2018-11-17 07:28:08 -0800
commit: 00b235f0b86769ec6781a8114cd741f3cba08de5 (patch)
tree: 32066a6319b5b43b521abb162be76cce492ef161 /org.eclipse.jgit.test/src/org/eclipse/jgit
parent: 1316d43e51d4f687e2b0cc32665495e7bc18c9f9 (diff)
download: jgit-00b235f0b86769ec6781a8114cd741f3cba08de5.tar.gz
jgit-00b235f0b86769ec6781a8114cd741f3cba08de5.zip
1 files changed, 132 insertions, 0 deletions
diff --git a/org.eclipse.jgit.test/src/org/eclipse/jgit/transport/ssh/SshTestBase.java b/org.eclipse.jgit.test/src/org/eclipse/jgit/transport/ssh/SshTestBase.java
index 86dbc4edcd..92a2fbd275 100644
--- a/org.eclipse.jgit.test/src/org/eclipse/jgit/transport/ssh/SshTestBase.java
+++ b/org.eclipse.jgit.test/src/org/eclipse/jgit/transport/ssh/SshTestBase.java
@@ -54,6 +54,7 @@ import java.io.IOException;
 import java.nio.charset.StandardCharsets;
 import java.nio.file.Files;
 import java.util.List;
+import java.util.Locale;
 
 import org.eclipse.jgit.api.errors.TransportException;
 import org.eclipse.jgit.transport.CredentialItem;
@@ -668,6 +669,137 @@ public abstract class SshTestBase extends SshTestHarness {
 				"IdentityFile " + privateKey1.getAbsolutePath());
 	}
 
+	@Test
+	public void testPasswordAuth() throws Exception {
+		server.enablePasswordAuthentication();
+		TestCredentialsProvider provider = new TestCredentialsProvider(
+				TEST_USER.toUpperCase(Locale.ROOT));
+		cloneWith("ssh://git/doesntmatter", defaultCloneDir, provider, //
+				"Host git", //
+				"HostName localhost", //
+				"Port " + testPort, //
+				"User " + TEST_USER, //
+				"PreferredAuthentications password");
+	}
+
+	@Test
+	public void testPasswordAuthSeveralTimes() throws Exception {
+		server.enablePasswordAuthentication();
+		TestCredentialsProvider provider = new TestCredentialsProvider(
+				"wrongpass", "wrongpass", TEST_USER.toUpperCase(Locale.ROOT));
+		cloneWith("ssh://git/doesntmatter", defaultCloneDir, provider, //
+				"Host git", //
+				"HostName localhost", //
+				"Port " + testPort, //
+				"User " + TEST_USER, //
+				"PreferredAuthentications password");
+	}
+
+	@Test(expected = TransportException.class)
+	public void testPasswordAuthWrongPassword() throws Exception {
+		server.enablePasswordAuthentication();
+		TestCredentialsProvider provider = new TestCredentialsProvider(
+				"wrongpass");
+		cloneWith("ssh://git/doesntmatter", defaultCloneDir, provider, //
+				"Host git", //
+				"HostName localhost", //
+				"Port " + testPort, //
+				"User " + TEST_USER, //
+				"PreferredAuthentications password");
+	}
+
+	@Test(expected = TransportException.class)
+	public void testPasswordAuthNoPassword() throws Exception {
+		server.enablePasswordAuthentication();
+		TestCredentialsProvider provider = new TestCredentialsProvider();
+		cloneWith("ssh://git/doesntmatter", defaultCloneDir, provider, //
+				"Host git", //
+				"HostName localhost", //
+				"Port " + testPort, //
+				"User " + TEST_USER, //
+				"PreferredAuthentications password");
+	}
+
+	@Test(expected = TransportException.class)
+	public void testPasswordAuthCorrectPasswordTooLate() throws Exception {
+		server.enablePasswordAuthentication();
+		TestCredentialsProvider provider = new TestCredentialsProvider(
+				"wrongpass", "wrongpass", "wrongpass",
+				TEST_USER.toUpperCase(Locale.ROOT));
+		cloneWith("ssh://git/doesntmatter", defaultCloneDir, provider, //
+				"Host git", //
+				"HostName localhost", //
+				"Port " + testPort, //
+				"User " + TEST_USER, //
+				"PreferredAuthentications password");
+	}
+
+	@Test
+	public void testKeyboardInteractiveAuth() throws Exception {
+		server.enableKeyboardInteractiveAuthentication();
+		TestCredentialsProvider provider = new TestCredentialsProvider(
+				TEST_USER.toUpperCase(Locale.ROOT));
+		cloneWith("ssh://git/doesntmatter", defaultCloneDir, provider, //
+				"Host git", //
+				"HostName localhost", //
+				"Port " + testPort, //
+				"User " + TEST_USER, //
+				"PreferredAuthentications keyboard-interactive");
+	}
+
+	@Test
+	public void testKeyboardInteractiveAuthSeveralTimes() throws Exception {
+		server.enableKeyboardInteractiveAuthentication();
+		TestCredentialsProvider provider = new TestCredentialsProvider(
+				"wrongpass", "wrongpass", TEST_USER.toUpperCase(Locale.ROOT));
+		cloneWith("ssh://git/doesntmatter", defaultCloneDir, provider, //
+				"Host git", //
+				"HostName localhost", //
+				"Port " + testPort, //
+				"User " + TEST_USER, //
+				"PreferredAuthentications keyboard-interactive");
+	}
+
+	@Test(expected = TransportException.class)
+	public void testKeyboardInteractiveAuthWrongPassword() throws Exception {
+		server.enableKeyboardInteractiveAuthentication();
+		TestCredentialsProvider provider = new TestCredentialsProvider(
+				"wrongpass");
+		cloneWith("ssh://git/doesntmatter", defaultCloneDir, provider, //
+				"Host git", //
+				"HostName localhost", //
+				"Port " + testPort, //
+				"User " + TEST_USER, //
+				"PreferredAuthentications keyboard-interactive");
+	}
+
+	@Test(expected = TransportException.class)
+	public void testKeyboardInteractiveAuthNoPassword() throws Exception {
+		server.enableKeyboardInteractiveAuthentication();
+		TestCredentialsProvider provider = new TestCredentialsProvider();
+		cloneWith("ssh://git/doesntmatter", defaultCloneDir, provider, //
+				"Host git", //
+				"HostName localhost", //
+				"Port " + testPort, //
+				"User " + TEST_USER, //
+				"PreferredAuthentications keyboard-interactive");
+	}
+
+	@Test(expected = TransportException.class)
+	public void testKeyboardInteractiveAuthCorrectPasswordTooLate()
+			throws Exception {
+		server.enableKeyboardInteractiveAuthentication();
+		TestCredentialsProvider provider = new TestCredentialsProvider(
+				"wrongpass", "wrongpass", "wrongpass",
+				TEST_USER.toUpperCase(Locale.ROOT));
+		cloneWith("ssh://git/doesntmatter", defaultCloneDir, provider, //
+				"Host git", //
+				"HostName localhost", //
+				"Port " + testPort, //
+				"User " + TEST_USER, //
+				"PreferredAuthentications keyboard-interactive");
+	}
+
 	@Theory
 	public void testSshKeys(String keyName) throws Exception {
 		// JSch fails on ECDSA 384/521 keys. Compare
author	Thomas Wolf <thomas.wolf@paranor.ch>	2018-11-16 17:00:25 +0100
committer	Matthias Sohn <matthias.sohn@sap.com>	2018-11-17 07:28:08 -0800
commit	00b235f0b86769ec6781a8114cd741f3cba08de5 (patch)
tree	32066a6319b5b43b521abb162be76cce492ef161 /org.eclipse.jgit.test/src/org/eclipse/jgit
parent	1316d43e51d4f687e2b0cc32665495e7bc18c9f9 (diff)
download	jgit-00b235f0b86769ec6781a8114cd741f3cba08de5.tar.gz jgit-00b235f0b86769ec6781a8114cd741f3cba08de5.zip