mirrors
/
jgit
mirror of https://github.com/eclipse/jgit.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 204 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
6529 Commits
49 Branches
Tree: db627c4177
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'db627c4177'
${ noResults }
jgit/org.eclipse.jgit.test/src/org/eclipse/jgit/transport/ssh/SshTestBase.java

SshTestBase.java 31KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844 
  1. /*

  2.  * Copyright (C) 2018, Thomas Wolf <thomas.wolf@paranor.ch>

  3.  * and other copyright owners as documented in the project's IP log.

  4.  *

  5.  * This program and the accompanying materials are made available

  6.  * under the terms of the Eclipse Distribution License v1.0 which

  7.  * accompanies this distribution, is reproduced below, and is

  8.  * available at http://www.eclipse.org/org/documents/edl-v10.php

  9.  *

  10.  * All rights reserved.

  11.  *

  12.  * Redistribution and use in source and binary forms, with or

  13.  * without modification, are permitted provided that the following

  14.  * conditions are met:

  15.  *

  16.  * - Redistributions of source code must retain the above copyright

  17.  *   notice, this list of conditions and the following disclaimer.

  18.  *

  19.  * - Redistributions in binary form must reproduce the above

  20.  *   copyright notice, this list of conditions and the following

  21.  *   disclaimer in the documentation and/or other materials provided

  22.  *   with the distribution.

  23.  *

  24.  * - Neither the name of the Eclipse Foundation, Inc. nor the

  25.  *   names of its contributors may be used to endorse or promote

  26.  *   products derived from this software without specific prior

  27.  *   written permission.

  28.  *

  29.  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND

  30.  * CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,

  31.  * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES

  32.  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

  33.  * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR

  34.  * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

  35.  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

  36.  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

  37.  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER

  38.  * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

  39.  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

  40.  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF

  41.  * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

  42.  */

  43. package org.eclipse.jgit.transport.ssh;

  44. 

  45. import static org.junit.Assert.assertArrayEquals;

  46. import static org.junit.Assert.assertEquals;

  47. import static org.junit.Assert.assertFalse;

  48. import static org.junit.Assert.assertNotNull;

  49. import static org.junit.Assert.assertTrue;

  50. import static org.junit.Assume.assumeTrue;

  51. 

  52. import java.io.File;

  53. import java.io.IOException;

  54. import java.nio.charset.StandardCharsets;

  55. import java.nio.file.Files;

  56. import java.util.List;

  57. import java.util.Locale;

  58. 

  59. import org.eclipse.jgit.api.errors.TransportException;

  60. import org.eclipse.jgit.transport.CredentialItem;

  61. import org.eclipse.jgit.transport.JschConfigSessionFactory;

  62. import org.junit.Test;

  63. import org.junit.experimental.theories.DataPoints;

  64. import org.junit.experimental.theories.Theory;

  65. 

  66. /**

  67.  * The ssh tests. Concrete subclasses can re-use these tests by implementing the

  68.  * abstract operations from {@link SshTestHarness}. This gives a way to test

  69.  * different ssh clients against a unified test suite.

  70.  */

  71. public abstract class SshTestBase extends SshTestHarness {

  72. 

  73. 	@DataPoints

  74. 	public static String[] KEY_RESOURCES = { //

  75. 			"id_dsa", //

  76. 			"id_rsa_1024", //

  77. 			"id_rsa_2048", //

  78. 			"id_rsa_3072", //

  79. 			"id_rsa_4096", //

  80. 			"id_ecdsa_256", //

  81. 			"id_ecdsa_384", //

  82. 			"id_ecdsa_521", //

  83. 			"id_ed25519", //

  84. 			// And now encrypted. Passphrase is "testpass".

  85. 			"id_dsa_testpass", //

  86. 			"id_rsa_1024_testpass", //

  87. 			"id_rsa_2048_testpass", //

  88. 			"id_rsa_3072_testpass", //

  89. 			"id_rsa_4096_testpass", //

  90. 			"id_ecdsa_256_testpass", //

  91. 			"id_ecdsa_384_testpass", //

  92. 			"id_ecdsa_521_testpass" };

  93. 

  94. 	protected File defaultCloneDir;

  95. 

  96. 	@Override

  97. 	public void setUp() throws Exception {

  98. 		super.setUp();

  99. 		defaultCloneDir = new File(getTemporaryDirectory(), "cloned");

  100. 	}

  101. 

  102. 	@Test(expected = TransportException.class)

  103. 	public void testSshWithoutConfig() throws Exception {

  104. 		cloneWith("ssh://" + TEST_USER + "@localhost:" + testPort

  105. 				+ "/doesntmatter", defaultCloneDir, null);

  106. 	}

  107. 

  108. 	@Test

  109. 	public void testSshWithGlobalIdentity() throws Exception {

  110. 		cloneWith(

  111. 				"ssh://" + TEST_USER + "@localhost:" + testPort

  112. 						+ "/doesntmatter",

  113. 				defaultCloneDir, null,

  114. 				"IdentityFile " + privateKey1.getAbsolutePath());

  115. 	}

  116. 

  117. 	@Test

  118. 	public void testSshWithDefaultIdentity() throws Exception {

  119. 		File idRsa = new File(privateKey1.getParentFile(), "id_rsa");

  120. 		Files.copy(privateKey1.toPath(), idRsa.toPath());

  121. 		// We expect the session factory to pick up these keys...

  122. 		cloneWith("ssh://" + TEST_USER + "@localhost:" + testPort

  123. 				+ "/doesntmatter", defaultCloneDir, null);

  124. 	}

  125. 

  126. 	@Test

  127. 	public void testSshWithConfig() throws Exception {

  128. 		cloneWith("ssh://localhost/doesntmatter", defaultCloneDir, null, //

  129. 				"Host localhost", //

  130. 				"HostName localhost", //

  131. 				"Port " + testPort, //

  132. 				"User " + TEST_USER, //

  133. 				"IdentityFile " + privateKey1.getAbsolutePath());

  134. 	}

  135. 

  136. 	@Test

  137. 	public void testSshWithConfigEncryptedUnusedKey() throws Exception {

  138. 		// Copy the encrypted test key from the bundle.

  139. 		File encryptedKey = new File(sshDir, "id_dsa");

  140. 		copyTestResource("id_dsa_testpass", encryptedKey);

  141. 		TestCredentialsProvider provider = new TestCredentialsProvider(

  142. 				"testpass");

  143. 		cloneWith("ssh://localhost/doesntmatter", defaultCloneDir, provider, //

  144. 				"Host localhost", //

  145. 				"HostName localhost", //

  146. 				"Port " + testPort, //

  147. 				"User " + TEST_USER, //

  148. 				"IdentityFile " + privateKey1.getAbsolutePath());

  149. 		assertEquals("CredentialsProvider should not have been called", 0,

  150. 				provider.getLog().size());

  151. 	}

  152. 

  153. 	@Test

  154. 	public void testSshWithConfigEncryptedUnusedKeyInConfigLast()

  155. 			throws Exception {

  156. 		// Copy the encrypted test key from the bundle.

  157. 		File encryptedKey = new File(sshDir, "id_dsa_test_key");

  158. 		copyTestResource("id_dsa_testpass", encryptedKey);

  159. 		TestCredentialsProvider provider = new TestCredentialsProvider(

  160. 				"testpass");

  161. 		cloneWith("ssh://localhost/doesntmatter", defaultCloneDir, provider, //

  162. 				"Host localhost", //

  163. 				"HostName localhost", //

  164. 				"Port " + testPort, //

  165. 				"User " + TEST_USER, //

  166. 				"IdentityFile " + privateKey1.getAbsolutePath(),

  167. 				"IdentityFile " + encryptedKey.getAbsolutePath());

  168. 		// This test passes with JSch per chance because JSch completely ignores

  169. 		// the second IdentityFile

  170. 		assertEquals("CredentialsProvider should not have been called", 0,

  171. 				provider.getLog().size());

  172. 	}

  173. 

  174. 	@Test

  175. 	public void testSshWithConfigEncryptedUnusedKeyInConfigFirst()

  176. 			throws Exception {

  177. 		// Test cannot pass with JSch; it handles only one IdentityFile.

  178. 		// assumeTrue(!(getSessionFactory() instanceof

  179. 		// JschConfigSessionFactory)); gives in bazel a failure with "Never

  180. 		// found parameters that satisfied method assumptions."

  181. 		// In maven it's fine!?

  182. 		if (getSessionFactory() instanceof JschConfigSessionFactory) {

  183. 			return;

  184. 		}

  185. 		// Copy the encrypted test key from the bundle.

  186. 		File encryptedKey = new File(sshDir, "id_dsa_test_key");

  187. 		copyTestResource("id_dsa_testpass", encryptedKey);

  188. 		TestCredentialsProvider provider = new TestCredentialsProvider(

  189. 				"testpass");

  190. 		cloneWith("ssh://localhost/doesntmatter", defaultCloneDir, provider, //

  191. 				"Host localhost", //

  192. 				"HostName localhost", //

  193. 				"Port " + testPort, //

  194. 				"User " + TEST_USER, //

  195. 				"IdentityFile " + encryptedKey.getAbsolutePath(),

  196. 				"IdentityFile " + privateKey1.getAbsolutePath());

  197. 		assertEquals("CredentialsProvider should have been called once", 1,

  198. 				provider.getLog().size());

  199. 	}

  200. 

  201. 	@Test

  202. 	public void testSshEncryptedUsedKeyCached() throws Exception {

  203. 		// Make sure we are asked for the password only once if we do several

  204. 		// operations with an encrypted key.

  205. 		File encryptedKey = new File(sshDir, "id_dsa_test_key");

  206. 		copyTestResource("id_dsa_testpass", encryptedKey);

  207. 		File encryptedPublicKey = new File(sshDir, "id_dsa_test_key.pub");

  208. 		copyTestResource("id_dsa_testpass.pub", encryptedPublicKey);

  209. 		server.setTestUserPublicKey(encryptedPublicKey.toPath());

  210. 		TestCredentialsProvider provider = new TestCredentialsProvider(

  211. 				"testpass");

  212. 		pushTo(provider,

  213. 				cloneWith("ssh://localhost/doesntmatter", //

  214. 						defaultCloneDir, provider, //

  215. 						"Host localhost", //

  216. 						"HostName localhost", //

  217. 						"Port " + testPort, //

  218. 						"User " + TEST_USER, //

  219. 						"IdentityFile " + encryptedKey.getAbsolutePath()));

  220. 		assertEquals("CredentialsProvider should have been called once", 1,

  221. 				provider.getLog().size());

  222. 	}

  223. 

  224. 	@Test(expected = TransportException.class)

  225. 	public void testSshEncryptedUsedKeyWrongPassword() throws Exception {

  226. 		File encryptedKey = new File(sshDir, "id_dsa_test_key");

  227. 		copyTestResource("id_dsa_testpass", encryptedKey);

  228. 		File encryptedPublicKey = new File(sshDir, "id_dsa_test_key.pub");

  229. 		copyTestResource("id_dsa_testpass.pub", encryptedPublicKey);

  230. 		server.setTestUserPublicKey(encryptedPublicKey.toPath());

  231. 		TestCredentialsProvider provider = new TestCredentialsProvider(

  232. 				"wrongpass");

  233. 		cloneWith("ssh://localhost/doesntmatter", //

  234. 				defaultCloneDir, provider, //

  235. 				"Host localhost", //

  236. 				"HostName localhost", //

  237. 				"Port " + testPort, //

  238. 				"User " + TEST_USER, //

  239. 				"NumberOfPasswordPrompts 1", //

  240. 				"IdentityFile " + encryptedKey.getAbsolutePath());

  241. 	}

  242. 

  243. 	@Test

  244. 	public void testSshEncryptedUsedKeySeveralPassword() throws Exception {

  245. 		File encryptedKey = new File(sshDir, "id_dsa_test_key");

  246. 		copyTestResource("id_dsa_testpass", encryptedKey);

  247. 		File encryptedPublicKey = new File(sshDir, "id_dsa_test_key.pub");

  248. 		copyTestResource("id_dsa_testpass.pub", encryptedPublicKey);

  249. 		server.setTestUserPublicKey(encryptedPublicKey.toPath());

  250. 		TestCredentialsProvider provider = new TestCredentialsProvider(

  251. 				"wrongpass", "wrongpass2", "testpass");

  252. 		cloneWith("ssh://localhost/doesntmatter", //

  253. 				defaultCloneDir, provider, //

  254. 				"Host localhost", //

  255. 				"HostName localhost", //

  256. 				"Port " + testPort, //

  257. 				"User " + TEST_USER, //

  258. 				"IdentityFile " + encryptedKey.getAbsolutePath());

  259. 		assertEquals("CredentialsProvider should have been called 3 times", 3,

  260. 				provider.getLog().size());

  261. 	}

  262. 

  263. 	@Test(expected = TransportException.class)

  264. 	public void testSshWithoutKnownHosts() throws Exception {

  265. 		assertTrue("Could not delete known_hosts", knownHosts.delete());

  266. 		cloneWith("ssh://localhost/doesntmatter", defaultCloneDir, null, //

  267. 				"Host localhost", //

  268. 				"HostName localhost", //

  269. 				"Port " + testPort, //

  270. 				"User " + TEST_USER, //

  271. 				"IdentityFile " + privateKey1.getAbsolutePath());

  272. 	}

  273. 

  274. 	@Test

  275. 	public void testSshWithoutKnownHostsWithProviderAsk()

  276. 			throws Exception {

  277. 		File copiedHosts = new File(knownHosts.getParentFile(),

  278. 				"copiedKnownHosts");

  279. 		assertTrue("Failed to rename known_hosts",

  280. 				knownHosts.renameTo(copiedHosts));

  281. 		// The provider will answer "yes" to all questions, so we should be able

  282. 		// to connect and end up with a new known_hosts file with the host key.

  283. 		TestCredentialsProvider provider = new TestCredentialsProvider();

  284. 		cloneWith("ssh://localhost/doesntmatter", defaultCloneDir, provider, //

  285. 				"Host localhost", //

  286. 				"HostName localhost", //

  287. 				"Port " + testPort, //

  288. 				"User " + TEST_USER, //

  289. 				"IdentityFile " + privateKey1.getAbsolutePath());

  290. 		List<LogEntry> messages = provider.getLog();

  291. 		assertFalse("Expected user interaction", messages.isEmpty());

  292. 		if (getSessionFactory() instanceof JschConfigSessionFactory) {

  293. 			// JSch doesn't create a non-existing file.

  294. 			assertEquals("Expected to be asked about the key", 1,

  295. 					messages.size());

  296. 			return;

  297. 		}

  298. 		assertEquals(

  299. 				"Expected to be asked about the key, and the file creation",

  300. 				2, messages.size());

  301. 		assertTrue("~/.ssh/known_hosts should exist now", knownHosts.exists());

  302. 		// Instead of checking the file contents, let's just clone again

  303. 		// without provider. If it works, the server host key was written

  304. 		// correctly.

  305. 		File clonedAgain = new File(getTemporaryDirectory(), "cloned2");

  306. 		cloneWith("ssh://localhost/doesntmatter", clonedAgain, provider, //

  307. 				"Host localhost", //

  308. 				"HostName localhost", //

  309. 				"Port " + testPort, //

  310. 				"User " + TEST_USER, //

  311. 				"IdentityFile " + privateKey1.getAbsolutePath());

  312. 	}

  313. 

  314. 	@Test

  315. 	public void testSshWithoutKnownHostsWithProviderAcceptNew()

  316. 			throws Exception {

  317. 		File copiedHosts = new File(knownHosts.getParentFile(),

  318. 				"copiedKnownHosts");

  319. 		assertTrue("Failed to rename known_hosts",

  320. 				knownHosts.renameTo(copiedHosts));

  321. 		TestCredentialsProvider provider = new TestCredentialsProvider();

  322. 		cloneWith("ssh://localhost/doesntmatter", defaultCloneDir, provider, //

  323. 				"Host localhost", //

  324. 				"HostName localhost", //

  325. 				"Port " + testPort, //

  326. 				"User " + TEST_USER, //

  327. 				"StrictHostKeyChecking accept-new", //

  328. 				"IdentityFile " + privateKey1.getAbsolutePath());

  329. 		if (getSessionFactory() instanceof JschConfigSessionFactory) {

  330. 			// JSch doesn't create new files.

  331. 			assertTrue("CredentialsProvider not called",

  332. 					provider.getLog().isEmpty());

  333. 			return;

  334. 		}

  335. 		assertEquals("Expected to be asked about the file creation", 1,

  336. 				provider.getLog().size());

  337. 		assertTrue("~/.ssh/known_hosts should exist now", knownHosts.exists());

  338. 		// Instead of checking the file contents, let's just clone again

  339. 		// without provider. If it works, the server host key was written

  340. 		// correctly.

  341. 		File clonedAgain = new File(getTemporaryDirectory(), "cloned2");

  342. 		cloneWith("ssh://localhost/doesntmatter", clonedAgain, null, //

  343. 				"Host localhost", //

  344. 				"HostName localhost", //

  345. 				"Port " + testPort, //

  346. 				"User " + TEST_USER, //

  347. 				"IdentityFile " + privateKey1.getAbsolutePath());

  348. 	}

  349. 

  350. 	@Test(expected = TransportException.class)

  351. 	public void testSshWithoutKnownHostsDeny() throws Exception {

  352. 		File copiedHosts = new File(knownHosts.getParentFile(),

  353. 				"copiedKnownHosts");

  354. 		assertTrue("Failed to rename known_hosts",

  355. 				knownHosts.renameTo(copiedHosts));

  356. 		cloneWith("ssh://localhost/doesntmatter", defaultCloneDir, null, //

  357. 				"Host localhost", //

  358. 				"HostName localhost", //

  359. 				"Port " + testPort, //

  360. 				"User " + TEST_USER, //

  361. 				"StrictHostKeyChecking yes", //

  362. 				"IdentityFile " + privateKey1.getAbsolutePath());

  363. 	}

  364. 

  365. 	@Test(expected = TransportException.class)

  366. 	public void testSshModifiedHostKeyDeny()

  367. 			throws Exception {

  368. 		File copiedHosts = new File(knownHosts.getParentFile(),

  369. 				"copiedKnownHosts");

  370. 		assertTrue("Failed to rename known_hosts",

  371. 				knownHosts.renameTo(copiedHosts));

  372. 		// Now produce a new known_hosts file containing some other key.

  373. 		createKnownHostsFile(knownHosts, "localhost", testPort, publicKey1);

  374. 		cloneWith("ssh://localhost/doesntmatter", defaultCloneDir, null, //

  375. 				"Host localhost", //

  376. 				"HostName localhost", //

  377. 				"Port " + testPort, //

  378. 				"User " + TEST_USER, //

  379. 				"StrictHostKeyChecking yes", //

  380. 				"IdentityFile " + privateKey1.getAbsolutePath());

  381. 	}

  382. 

  383. 	@Test(expected = TransportException.class)

  384. 	public void testSshModifiedHostKeyWithProviderDeny() throws Exception {

  385. 		File copiedHosts = new File(knownHosts.getParentFile(),

  386. 				"copiedKnownHosts");

  387. 		assertTrue("Failed to rename known_hosts",

  388. 				knownHosts.renameTo(copiedHosts));

  389. 		// Now produce a new known_hosts file containing some other key.

  390. 		createKnownHostsFile(knownHosts, "localhost", testPort, publicKey1);

  391. 		TestCredentialsProvider provider = new TestCredentialsProvider();

  392. 		try {

  393. 			cloneWith("ssh://localhost/doesntmatter", defaultCloneDir, provider, //

  394. 					"Host localhost", //

  395. 					"HostName localhost", //

  396. 					"Port " + testPort, //

  397. 					"User " + TEST_USER, //

  398. 					"StrictHostKeyChecking yes", //

  399. 					"IdentityFile " + privateKey1.getAbsolutePath());

  400. 		} catch (Exception e) {

  401. 			assertEquals("Expected to be told about the modified key", 1,

  402. 					provider.getLog().size());

  403. 			assertTrue("Only messages expected", provider.getLog().stream()

  404. 					.flatMap(l -> l.getItems().stream()).allMatch(

  405. 							c -> c instanceof CredentialItem.InformationalMessage));

  406. 			throw e;

  407. 		}

  408. 	}

  409. 

  410. 	private void checkKnownHostsModifiedHostKey(File backup, File newFile,

  411. 			String wrongKey) throws IOException {

  412. 		List<String> oldLines = Files.readAllLines(backup.toPath(),

  413. 				StandardCharsets.UTF_8);

  414. 		// Find the original entry. We should have that again in known_hosts.

  415. 		String oldKeyPart = null;

  416. 		for (String oldLine : oldLines) {

  417. 			if (oldLine.contains("[localhost]:")) {

  418. 				String[] parts = oldLine.split("\\s+");

  419. 				if (parts.length > 2) {

  420. 					oldKeyPart = parts[parts.length - 2] + ' '

  421. 							+ parts[parts.length - 1];

  422. 					break;

  423. 				}

  424. 			}

  425. 		}

  426. 		assertNotNull("Old key not found", oldKeyPart);

  427. 		List<String> newLines = Files.readAllLines(newFile.toPath(),

  428. 				StandardCharsets.UTF_8);

  429. 		assertFalse("Old host key still found in known_hosts file" + newFile,

  430. 				hasHostKey("localhost", testPort, wrongKey, newLines));

  431. 		assertTrue("New host key not found in known_hosts file" + newFile,

  432. 				hasHostKey("localhost", testPort, oldKeyPart, newLines));

  433. 

  434. 	}

  435. 

  436. 	@Test

  437. 	public void testSshModifiedHostKeyAllow() throws Exception {

  438. 		assertTrue("Failed to delete known_hosts", knownHosts.delete());

  439. 		createKnownHostsFile(knownHosts, "localhost", testPort, publicKey1);

  440. 		File backup = new File(getTemporaryDirectory(), "backupKnownHosts");

  441. 		Files.copy(knownHosts.toPath(), backup.toPath());

  442. 		cloneWith("ssh://localhost/doesntmatter", defaultCloneDir, null, //

  443. 				"Host localhost", //

  444. 				"HostName localhost", //

  445. 				"Port " + testPort, //

  446. 				"User " + TEST_USER, //

  447. 				"StrictHostKeyChecking no", //

  448. 				"IdentityFile " + privateKey1.getAbsolutePath());

  449. 		// File should not have been updated!

  450. 		String[] oldLines = Files

  451. 				.readAllLines(backup.toPath(), StandardCharsets.UTF_8)

  452. 				.toArray(new String[0]);

  453. 		String[] newLines = Files

  454. 				.readAllLines(knownHosts.toPath(), StandardCharsets.UTF_8)

  455. 				.toArray(new String[0]);

  456. 		assertArrayEquals("Known hosts file should not be modified", oldLines,

  457. 				newLines);

  458. 	}

  459. 

  460. 	@Test

  461. 	public void testSshModifiedHostKeyAsk() throws Exception {

  462. 		File copiedHosts = new File(knownHosts.getParentFile(),

  463. 				"copiedKnownHosts");

  464. 		assertTrue("Failed to rename known_hosts",

  465. 				knownHosts.renameTo(copiedHosts));

  466. 		String wrongKeyPart = createKnownHostsFile(knownHosts, "localhost",

  467. 				testPort, publicKey1);

  468. 		TestCredentialsProvider provider = new TestCredentialsProvider();

  469. 		cloneWith("ssh://localhost/doesntmatter", defaultCloneDir, provider, //

  470. 				"Host localhost", //

  471. 				"HostName localhost", //

  472. 				"Port " + testPort, //

  473. 				"User " + TEST_USER, //

  474. 				"IdentityFile " + privateKey1.getAbsolutePath());

  475. 		checkKnownHostsModifiedHostKey(copiedHosts, knownHosts, wrongKeyPart);

  476. 		assertEquals("Expected to be asked about the modified key", 1,

  477. 				provider.getLog().size());

  478. 	}

  479. 

  480. 	@Test

  481. 	public void testSshCloneWithConfigAndPush() throws Exception {

  482. 		pushTo(cloneWith("ssh://localhost/doesntmatter", defaultCloneDir, null, //

  483. 				"Host localhost", //

  484. 				"HostName localhost", //

  485. 				"Port " + testPort, //

  486. 				"User " + TEST_USER, //

  487. 				"IdentityFile " + privateKey1.getAbsolutePath()));

  488. 	}

  489. 

  490. 	@Test

  491. 	public void testSftpWithConfig() throws Exception {

  492. 		cloneWith("sftp://localhost/.git", defaultCloneDir, null, //

  493. 				"Host localhost", //

  494. 				"HostName localhost", //

  495. 				"Port " + testPort, //

  496. 				"User " + TEST_USER, //

  497. 				"IdentityFile " + privateKey1.getAbsolutePath());

  498. 	}

  499. 

  500. 	@Test

  501. 	public void testSftpCloneWithConfigAndPush() throws Exception {

  502. 		pushTo(cloneWith("sftp://localhost/.git", defaultCloneDir, null, //

  503. 				"Host localhost", //

  504. 				"HostName localhost", //

  505. 				"Port " + testPort, //

  506. 				"User " + TEST_USER, //

  507. 				"IdentityFile " + privateKey1.getAbsolutePath()));

  508. 	}

  509. 

  510. 	@Test(expected = TransportException.class)

  511. 	public void testSshWithConfigWrongKey() throws Exception {

  512. 		cloneWith("ssh://localhost/doesntmatter", defaultCloneDir, null, //

  513. 				"Host localhost", //

  514. 				"HostName localhost", //

  515. 				"Port " + testPort, //

  516. 				"User " + TEST_USER, //

  517. 				"IdentityFile " + privateKey2.getAbsolutePath());

  518. 	}

  519. 

  520. 	@Test

  521. 	public void testSshWithWrongUserNameInConfig() throws Exception {

  522. 		// Bug 526778

  523. 		cloneWith(

  524. 				"ssh://" + TEST_USER + "@localhost:" + testPort

  525. 						+ "/doesntmatter",

  526. 				defaultCloneDir, null, //

  527. 				"Host localhost", //

  528. 				"HostName localhost", //

  529. 				"User sombody_else", //

  530. 				"IdentityFile " + privateKey1.getAbsolutePath());

  531. 	}

  532. 

  533. 	@Test

  534. 	public void testSshWithWrongPortInConfig() throws Exception {

  535. 		// Bug 526778

  536. 		cloneWith(

  537. 				"ssh://" + TEST_USER + "@localhost:" + testPort

  538. 						+ "/doesntmatter",

  539. 				defaultCloneDir, null, //

  540. 				"Host localhost", //

  541. 				"HostName localhost", //

  542. 				"Port 22", //

  543. 				"User " + TEST_USER, //

  544. 				"IdentityFile " + privateKey1.getAbsolutePath());

  545. 	}

  546. 

  547. 	@Test

  548. 	public void testSshWithAliasInConfig() throws Exception {

  549. 		// Bug 531118

  550. 		cloneWith("ssh://git/doesntmatter", defaultCloneDir, null, //

  551. 				"Host git", //

  552. 				"HostName localhost", //

  553. 				"Port " + testPort, //

  554. 				"User " + TEST_USER, //

  555. 				"IdentityFile " + privateKey1.getAbsolutePath(), "", //

  556. 				"Host localhost", //

  557. 				"HostName localhost", //

  558. 				"Port 22", //

  559. 				"User someone_else", //

  560. 				"IdentityFile " + privateKey2.getAbsolutePath());

  561. 	}

  562. 

  563. 	@Test

  564. 	public void testSshWithUnknownCiphersInConfig() throws Exception {

  565. 		// Bug 535672

  566. 		cloneWith("ssh://git/doesntmatter", defaultCloneDir, null, //

  567. 				"Host git", //

  568. 				"HostName localhost", //

  569. 				"Port " + testPort, //

  570. 				"User " + TEST_USER, //

  571. 				"IdentityFile " + privateKey1.getAbsolutePath(), //

  572. 				"Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr");

  573. 	}

  574. 

  575. 	@Test

  576. 	public void testSshWithUnknownHostKeyAlgorithmsInConfig()

  577. 			throws Exception {

  578. 		// Bug 535672

  579. 		cloneWith("ssh://git/doesntmatter", defaultCloneDir, null, //

  580. 				"Host git", //

  581. 				"HostName localhost", //

  582. 				"Port " + testPort, //

  583. 				"User " + TEST_USER, //

  584. 				"IdentityFile " + privateKey1.getAbsolutePath(), //

  585. 				"HostKeyAlgorithms foobar,ssh-rsa,ssh-dss");

  586. 	}

  587. 

  588. 	@Test

  589. 	public void testSshWithUnknownKexAlgorithmsInConfig()

  590. 			throws Exception {

  591. 		// Bug 535672

  592. 		cloneWith("ssh://git/doesntmatter", defaultCloneDir, null, //

  593. 				"Host git", //

  594. 				"HostName localhost", //

  595. 				"Port " + testPort, //

  596. 				"User " + TEST_USER, //

  597. 				"IdentityFile " + privateKey1.getAbsolutePath(), //

  598. 				"KexAlgorithms foobar,diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521");

  599. 	}

  600. 

  601. 	@Test

  602. 	public void testSshWithMinimalHostKeyAlgorithmsInConfig()

  603. 			throws Exception {

  604. 		// Bug 537790

  605. 		cloneWith("ssh://git/doesntmatter", defaultCloneDir, null, //

  606. 				"Host git", //

  607. 				"HostName localhost", //

  608. 				"Port " + testPort, //

  609. 				"User " + TEST_USER, //

  610. 				"IdentityFile " + privateKey1.getAbsolutePath(), //

  611. 				"HostKeyAlgorithms ssh-rsa,ssh-dss");

  612. 	}

  613. 

  614. 	@Test

  615. 	public void testSshWithUnknownAuthInConfig() throws Exception {

  616. 		cloneWith("ssh://git/doesntmatter", defaultCloneDir, null, //

  617. 				"Host git", //

  618. 				"HostName localhost", //

  619. 				"Port " + testPort, //

  620. 				"User " + TEST_USER, //

  621. 				"IdentityFile " + privateKey1.getAbsolutePath(), //

  622. 				"PreferredAuthentications gssapi-with-mic,hostbased,publickey,keyboard-interactive,password");

  623. 	}

  624. 

  625. 	@Test(expected = TransportException.class)

  626. 	public void testSshWithNoMatchingAuthInConfig() throws Exception {

  627. 		// Server doesn't do password, and anyway we set no password.

  628. 		cloneWith("ssh://git/doesntmatter", defaultCloneDir, null, //

  629. 				"Host git", //

  630. 				"HostName localhost", //

  631. 				"Port " + testPort, //

  632. 				"User " + TEST_USER, //

  633. 				"IdentityFile " + privateKey1.getAbsolutePath(), //

  634. 				"PreferredAuthentications password");

  635. 	}

  636. 

  637. 	@Test

  638. 	public void testRsaHostKeySecond() throws Exception {

  639. 		// See https://git.eclipse.org/r/#/c/130402/ : server has EcDSA

  640. 		// (preferred), RSA, we have RSA in known_hosts: client and server

  641. 		// should agree on RSA.

  642. 		File newHostKey = new File(getTemporaryDirectory(), "newhostkey");

  643. 		copyTestResource("id_ecdsa_256", newHostKey);

  644. 		server.addHostKey(newHostKey.toPath(), true);

  645. 		cloneWith("ssh://git/doesntmatter", defaultCloneDir, null, //

  646. 				"Host git", //

  647. 				"HostName localhost", //

  648. 				"Port " + testPort, //

  649. 				"User " + TEST_USER, //

  650. 				"IdentityFile " + privateKey1.getAbsolutePath());

  651. 	}

  652. 

  653. 	@Test

  654. 	public void testEcDsaHostKey() throws Exception {

  655. 		// See https://git.eclipse.org/r/#/c/130402/ : server has RSA

  656. 		// (preferred), EcDSA, we have EcDSA in known_hosts: client and server

  657. 		// should agree on EcDSA.

  658. 		File newHostKey = new File(getTemporaryDirectory(), "newhostkey");

  659. 		copyTestResource("id_ecdsa_256", newHostKey);

  660. 		server.addHostKey(newHostKey.toPath(), false);

  661. 		File newHostKeyPub = new File(getTemporaryDirectory(),

  662. 				"newhostkey.pub");

  663. 		copyTestResource("id_ecdsa_256.pub", newHostKeyPub);

  664. 		createKnownHostsFile(knownHosts, "localhost", testPort, newHostKeyPub);

  665. 		cloneWith("ssh://git/doesntmatter", defaultCloneDir, null, //

  666. 				"Host git", //

  667. 				"HostName localhost", //

  668. 				"Port " + testPort, //

  669. 				"User " + TEST_USER, //

  670. 				"IdentityFile " + privateKey1.getAbsolutePath());

  671. 	}

  672. 

  673. 	@Test

  674. 	public void testPasswordAuth() throws Exception {

  675. 		server.enablePasswordAuthentication();

  676. 		TestCredentialsProvider provider = new TestCredentialsProvider(

  677. 				TEST_USER.toUpperCase(Locale.ROOT));

  678. 		cloneWith("ssh://git/doesntmatter", defaultCloneDir, provider, //

  679. 				"Host git", //

  680. 				"HostName localhost", //

  681. 				"Port " + testPort, //

  682. 				"User " + TEST_USER, //

  683. 				"PreferredAuthentications password");

  684. 	}

  685. 

  686. 	@Test

  687. 	public void testPasswordAuthSeveralTimes() throws Exception {

  688. 		server.enablePasswordAuthentication();

  689. 		TestCredentialsProvider provider = new TestCredentialsProvider(

  690. 				"wrongpass", "wrongpass", TEST_USER.toUpperCase(Locale.ROOT));

  691. 		cloneWith("ssh://git/doesntmatter", defaultCloneDir, provider, //

  692. 				"Host git", //

  693. 				"HostName localhost", //

  694. 				"Port " + testPort, //

  695. 				"User " + TEST_USER, //

  696. 				"PreferredAuthentications password");

  697. 	}

  698. 

  699. 	@Test(expected = TransportException.class)

  700. 	public void testPasswordAuthWrongPassword() throws Exception {

  701. 		server.enablePasswordAuthentication();

  702. 		TestCredentialsProvider provider = new TestCredentialsProvider(

  703. 				"wrongpass");

  704. 		cloneWith("ssh://git/doesntmatter", defaultCloneDir, provider, //

  705. 				"Host git", //

  706. 				"HostName localhost", //

  707. 				"Port " + testPort, //

  708. 				"User " + TEST_USER, //

  709. 				"PreferredAuthentications password");

  710. 	}

  711. 

  712. 	@Test(expected = TransportException.class)

  713. 	public void testPasswordAuthNoPassword() throws Exception {

  714. 		server.enablePasswordAuthentication();

  715. 		TestCredentialsProvider provider = new TestCredentialsProvider();

  716. 		cloneWith("ssh://git/doesntmatter", defaultCloneDir, provider, //

  717. 				"Host git", //

  718. 				"HostName localhost", //

  719. 				"Port " + testPort, //

  720. 				"User " + TEST_USER, //

  721. 				"PreferredAuthentications password");

  722. 	}

  723. 

  724. 	@Test(expected = TransportException.class)

  725. 	public void testPasswordAuthCorrectPasswordTooLate() throws Exception {

  726. 		server.enablePasswordAuthentication();

  727. 		TestCredentialsProvider provider = new TestCredentialsProvider(

  728. 				"wrongpass", "wrongpass", "wrongpass",

  729. 				TEST_USER.toUpperCase(Locale.ROOT));

  730. 		cloneWith("ssh://git/doesntmatter", defaultCloneDir, provider, //

  731. 				"Host git", //

  732. 				"HostName localhost", //

  733. 				"Port " + testPort, //

  734. 				"User " + TEST_USER, //

  735. 				"PreferredAuthentications password");

  736. 	}

  737. 

  738. 	@Test

  739. 	public void testKeyboardInteractiveAuth() throws Exception {

  740. 		server.enableKeyboardInteractiveAuthentication();

  741. 		TestCredentialsProvider provider = new TestCredentialsProvider(

  742. 				TEST_USER.toUpperCase(Locale.ROOT));

  743. 		cloneWith("ssh://git/doesntmatter", defaultCloneDir, provider, //

  744. 				"Host git", //

  745. 				"HostName localhost", //

  746. 				"Port " + testPort, //

  747. 				"User " + TEST_USER, //

  748. 				"PreferredAuthentications keyboard-interactive");

  749. 	}

  750. 

  751. 	@Test

  752. 	public void testKeyboardInteractiveAuthSeveralTimes() throws Exception {

  753. 		server.enableKeyboardInteractiveAuthentication();

  754. 		TestCredentialsProvider provider = new TestCredentialsProvider(

  755. 				"wrongpass", "wrongpass", TEST_USER.toUpperCase(Locale.ROOT));

  756. 		cloneWith("ssh://git/doesntmatter", defaultCloneDir, provider, //

  757. 				"Host git", //

  758. 				"HostName localhost", //

  759. 				"Port " + testPort, //

  760. 				"User " + TEST_USER, //

  761. 				"PreferredAuthentications keyboard-interactive");

  762. 	}

  763. 

  764. 	@Test(expected = TransportException.class)

  765. 	public void testKeyboardInteractiveAuthWrongPassword() throws Exception {

  766. 		server.enableKeyboardInteractiveAuthentication();

  767. 		TestCredentialsProvider provider = new TestCredentialsProvider(

  768. 				"wrongpass");

  769. 		cloneWith("ssh://git/doesntmatter", defaultCloneDir, provider, //

  770. 				"Host git", //

  771. 				"HostName localhost", //

  772. 				"Port " + testPort, //

  773. 				"User " + TEST_USER, //

  774. 				"PreferredAuthentications keyboard-interactive");

  775. 	}

  776. 

  777. 	@Test(expected = TransportException.class)

  778. 	public void testKeyboardInteractiveAuthNoPassword() throws Exception {

  779. 		server.enableKeyboardInteractiveAuthentication();

  780. 		TestCredentialsProvider provider = new TestCredentialsProvider();

  781. 		cloneWith("ssh://git/doesntmatter", defaultCloneDir, provider, //

  782. 				"Host git", //

  783. 				"HostName localhost", //

  784. 				"Port " + testPort, //

  785. 				"User " + TEST_USER, //

  786. 				"PreferredAuthentications keyboard-interactive");

  787. 	}

  788. 

  789. 	@Test(expected = TransportException.class)

  790. 	public void testKeyboardInteractiveAuthCorrectPasswordTooLate()

  791. 			throws Exception {

  792. 		server.enableKeyboardInteractiveAuthentication();

  793. 		TestCredentialsProvider provider = new TestCredentialsProvider(

  794. 				"wrongpass", "wrongpass", "wrongpass",

  795. 				TEST_USER.toUpperCase(Locale.ROOT));

  796. 		cloneWith("ssh://git/doesntmatter", defaultCloneDir, provider, //

  797. 				"Host git", //

  798. 				"HostName localhost", //

  799. 				"Port " + testPort, //

  800. 				"User " + TEST_USER, //

  801. 				"PreferredAuthentications keyboard-interactive");

  802. 	}

  803. 

  804. 	@Theory

  805. 	public void testSshKeys(String keyName) throws Exception {

  806. 		// JSch fails on ECDSA 384/521 keys. Compare

  807. 		// https://sourceforge.net/p/jsch/patches/10/

  808. 		assumeTrue(!(getSessionFactory() instanceof JschConfigSessionFactory

  809. 				&& (keyName.contains("ed25519")

  810. 						|| keyName.startsWith("id_ecdsa_384")

  811. 						|| keyName.startsWith("id_ecdsa_521"))));

  812. 		File cloned = new File(getTemporaryDirectory(), "cloned");

  813. 		String keyFileName = keyName + "_key";

  814. 		File privateKey = new File(sshDir, keyFileName);

  815. 		copyTestResource(keyName, privateKey);

  816. 		File publicKey = new File(sshDir, keyFileName + ".pub");

  817. 		copyTestResource(keyName + ".pub", publicKey);

  818. 		server.setTestUserPublicKey(publicKey.toPath());

  819. 		TestCredentialsProvider provider = new TestCredentialsProvider(

  820. 				"testpass");

  821. 		pushTo(provider,

  822. 				cloneWith("ssh://localhost/doesntmatter", //

  823. 						cloned, provider, //

  824. 						"Host localhost", //

  825. 						"HostName localhost", //

  826. 						"Port " + testPort, //

  827. 						"User " + TEST_USER, //

  828. 						"IdentityFile " + privateKey.getAbsolutePath()));

  829. 		int expectedCalls = keyName.endsWith("testpass") ? 1 : 0;

  830. 		assertEquals("Unexpected calls to CredentialsProvider", expectedCalls,

  831. 				provider.getLog().size());

  832. 		// Should now also work without credentials provider, even if the key

  833. 		// was encrypted.

  834. 		cloned = new File(getTemporaryDirectory(), "cloned2");

  835. 		pushTo(null,

  836. 				cloneWith("ssh://localhost/doesntmatter", //

  837. 						cloned, null, //

  838. 						"Host localhost", //

  839. 						"HostName localhost", //

  840. 						"Port " + testPort, //

  841. 						"User " + TEST_USER, //

  842. 						"IdentityFile " + privateKey.getAbsolutePath()));

  843. 	}

  844. }