[GitHub] [mina-sshd] alex-sherwin commented on a change in pull request #194: [SSHD-1161] OpenSSH client certificate publickey authentication

Thu, 13 May 2021 09:14:33 -0700 


alex-sherwin commented on a change in pull request #194:
URL: https://github.com/apache/mina-sshd/pull/194#discussion_r631930497



##########
File path: 
sshd-core/src/test/java/org/apache/sshd/client/opensshcerts/ClientOpenSSHCertificatesTest.java
##########
@@ -0,0 +1,152 @@
+package org.apache.sshd.client.opensshcerts;
+
+import org.apache.sshd.client.SshClient;
+import org.apache.sshd.client.session.ClientSession;
+import org.apache.sshd.common.config.keys.PublicKeyEntry;
+import org.apache.sshd.common.keyprovider.FileKeyPairProvider;
+import org.apache.sshd.common.keyprovider.KeyIdentityProvider;
+import org.apache.sshd.common.session.SessionContext;
+import org.apache.sshd.common.util.GenericUtils;
+import org.apache.sshd.common.util.io.IoUtils;
+import org.apache.sshd.util.test.BaseTestSupport;
+import org.apache.sshd.util.test.CommonTestSupportUtils;
+import org.junit.ClassRule;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.Parameterized;
+import org.testcontainers.containers.GenericContainer;
+import org.testcontainers.images.builder.ImageFromDockerfile;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.nio.charset.StandardCharsets;
+import java.security.GeneralSecurityException;
+import java.security.KeyPair;
+import java.security.PrivateKey;
+import java.security.PublicKey;
+import java.util.ArrayList;
+import java.util.Arrays;
+
+@RunWith(Parameterized.class) // see 
https://github.com/junit-team/junit/wiki/Parameterized-tests
+public class ClientOpenSSHCertificatesTest {
+
+    private static final String USER_KEY_PATH = 
"org/apache/sshd/client/opensshcerts/user/";
+
+    @Parameterized.Parameters(name = "key: {0}, cert: {0}-cert.pub")
+    public static Iterable<? extends String> privateKeyParams() {
+        return Arrays.asList(
+            "user01_rsa_sha2_256_2048",
+            "user01_rsa_sha2_512_2048",
+            "user01_rsa_sha2_256_4096",
+            "user01_rsa_sha2_512_4096",
+            "user01_ed25519",
+            "user01_ecdsa_256",
+            "user01_ecdsa_384",
+            "user01_ecdsa_521"
+        );
+    }
+
+    @Parameterized.Parameter
+    public String privateKeyName;
+
+    private String getPrivateKeyResource() {
+        return USER_KEY_PATH + privateKeyName;
+    }
+
+    private String getCertificateResource() {
+        return getPrivateKeyResource() + "-cert.pub";
+    }
+
+    /**
+     * This will build a new Docker image once per test class instance
+     * <br/><br/>
+     * The {@link ImageFromDockerfile#withFileFromClasspath} calls will build 
up an in-memory tar filesystem that is sent to the
+     * docker daemon for image building from assets on the classpath, making 
this all JVM classpath friendly.
+     * <br/><br/>
+     * The Docker image built will run a sshd instance managed by supervisord 
that has:
+     *
+     * <ul>
+     *   <li>
+     *     Two users: user01, user02 with:
+     *     <ul>
+     *       <li>Passwords "password01" and "password02"</li>
+     *       <li>An authorized_keys file with a pub key for the included suite 
of keypairs (all current variants)</li>
+     *     </ul>
+     *   </li>
+     *   <li>A CA public key configured in sshd_config for the 
TrustedUserCAKeys option (for client cert publickey auth)</li>
+     *   <li>Two available host keypairs host01 and host02 (selected by env 
var SSH_HOST_KEY)</li>
+     * </ul>
+     **/
+    @ClassRule
+    public static GenericContainer<?> sshdContainer = new GenericContainer<>(
+        new ImageFromDockerfile("clientopensshcertificatestest", true)
+            .withFileFromClasspath("entrypoint.sh", 
"org/apache/sshd/client/opensshcerts/docker/entrypoint.sh")
+            .withFileFromClasspath("sshd_config", 
"org/apache/sshd/client/opensshcerts/docker/sshd_config")
+            .withFileFromClasspath("supervisord.conf", 
"org/apache/sshd/client/opensshcerts/docker/supervisord.conf")
+            .withFileFromClasspath("user01_authorized_keys", 
"org/apache/sshd/client/opensshcerts/user/user01_authorized_keys")
+            .withFileFromClasspath("user02_authorized_keys", 
"org/apache/sshd/client/opensshcerts/user/user02_authorized_keys")
+            .withFileFromClasspath("host01", 
"org/apache/sshd/client/opensshcerts/host/host01")
+            .withFileFromClasspath("host01.pub", 
"org/apache/sshd/client/opensshcerts/host/host01.pub")
+            .withFileFromClasspath("host02", 
"org/apache/sshd/client/opensshcerts/host/host02")
+            .withFileFromClasspath("host02.pub", 
"org/apache/sshd/client/opensshcerts/host/host02.pub")
+            .withFileFromClasspath("ca.pub", 
"org/apache/sshd/client/opensshcerts/ca/ca.pub")
+            .withFileFromClasspath("Dockerfile", 
"org/apache/sshd/client/opensshcerts/docker/Dockerfile")
+    )
+        // must be set to "/keys/host/host01" or "/keys/host/host02"
+        .withEnv("SSH_HOST_KEY", "/keys/host/host01")
+        .withExposedPorts(22);
+
+    @Test
+    public void clientCertAuth() throws Exception {
+
+        try (final InputStream certInputStream =
+               
Thread.currentThread().getContextClassLoader().getResourceAsStream(getCertificateResource())
+        ) {
+
+            final byte[] certBytes = IoUtils.toByteArray(certInputStream);
+            final String certLine = GenericUtils.replaceWhitespaceAndTrim(new 
String(certBytes, StandardCharsets.UTF_8));
+
+            final PublicKeyEntry certPublicKeyEntry = 
PublicKeyEntry.parsePublicKeyEntry(certLine);
+            final PublicKey certPublicKey = 
certPublicKeyEntry.resolvePublicKey(null, null, null);
+
+            final FileKeyPairProvider keyPairProvider = 
CommonTestSupportUtils.createTestKeyPairProvider(getPrivateKeyResource());
+
+            final KeyPair keypair = 
keyPairProvider.loadKeys(null).iterator().next();
+
+            final PrivateKey privateKey = keypair.getPrivate();
+
+            final SshClient client = SshClient.setUpDefaultClient();
+
+            client.setKeyIdentityProvider(new KeyIdentityProvider() {
+                @Override
+                public Iterable<KeyPair> loadKeys(SessionContext session) 
throws IOException, GeneralSecurityException {
+
+                    // build a keypair with the PrivateKey and the certificate 
as the PublicKey
+                    final KeyPair certKeypair = new KeyPair(certPublicKey, 
privateKey);
+
+                    final ArrayList<KeyPair> list = new ArrayList<>();
+                    list.add(certKeypair);
+
+                    return list;
+                }
+            });
+
+            client.start();
+
+            final Integer actualPort = sshdContainer.getMappedPort(22);
+
+            try (final ClientSession session = client.connect("user01", 
"localhost", actualPort).verify().getSession()) {

Review comment:
       Regarding testcontainers embedded BC instance... Interestingly I never 
ran into that issue locally
   
   What JDK and Maven version are you using?  I'd like to test with an 
equivalent setup




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@mina.apache.org
For additional commands, e-mail: dev-h...@mina.apache.org

Reply via email to