diff --git a/test/entrypoint.bats b/test/entrypoint.bats
index 80dfba9..53ed313 100644
--- a/test/entrypoint.bats
+++ b/test/entrypoint.bats
@@ -1,12 +1,13 @@
 #!/usr/bin/env bats
 setup() {
- # Create a dummy ssh agent and agent-add for sourcing
+ # Create dummy binaries for sourcing
+ echo 'echo "source"' > source
 echo 'echo "agent started"' > agent-start
 echo 'echo "key added"' > agent-add
- chmod +x agent-start agent-add
+ chmod +x source agent-start agent-add
- # Create a dummy rsync to capture its arguments
+ # Create dummy rsync binary to capture its arguments
 echo 'echo "rsync $@"' > rsync
 chmod +x rsync
@@ -14,7 +15,7 @@ setup() {
 }
 teardown() {
- rm -f agent-start agent-add rsync
+ rm -f source agent-start agent-add rsync ssh-keyscan hosts-add
 }
 @test "fails if INPUT_REMOTE_PATH is empty" {
@@ -35,13 +36,14 @@ teardown() {
 export INPUT_RSH=""
 export INPUT_PATH=""
 export INPUT_REMOTE_USER="user"
- export INPUT_REMOTE_HOST="host"
+ export INPUT_REMOTE_HOST="localhost.local"
 export GITHUB_WORKSPACE="/tmp"
- export DSN="user@host"
+ export DSN="user@localhost.local"
 export LOCAL_PATH="/tmp/"
 run ./entrypoint.sh
- [[ "${output}" == *"HostKeyAlgorithms=+ssh-rsa"* ]]
+
+ [[ "${output}" == *"rsync -avz -e ssh -o StrictHostKeyChecking=no -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedKeyTypes=+ssh-rsa -p 22 /tmp/ user@localhost.local:remote/"* ]]
 }
 @test "does not include legacy RSA switches when not allowed" {
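Review bot: teardown() still leaves test artifacts behind: the list in `rm -f source agent-start agent-add rsync ssh-keyscan hosts-add` omits the key pair that the new strict-checking test (last hunk) writes to `/tmp/mockKeyPair` and `/tmp/mockKeyPair.pub`, so a private key stays at a fixed name in a shared, world-writable directory after the run. A per-test directory removes both the leftover and the predictable path: `test_home=$(mktemp -d)` in setup(), `local -r HOME="$test_home"` in the test, and `rm -rf -- "${test_home:?}"` here. The expected `UserKnownHostsFile=` path in that test would then have to be built from the same variable instead of the literal `/tmp/.ssh/known_hosts`.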
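Review bot: The new expected string in the "includes legacy RSA switches" test pins `-o StrictHostKeyChecking=no`, but no line added to this test exports INPUT_STRICT_HOSTKEYS_CHECKING, so the outcome depends on entrypoint.sh's default and on whatever the calling environment already exports. Add `export INPUT_STRICT_HOSTKEYS_CHECKING="false"` beside the other exports, as the two new tests do; the same applies to the "does not include legacy RSA switches" test in the next hunk. The test body starts above this hunk, so confirm the variable is not already set there. Because the assertion now fixes disabled host-key verification as the expected result when the input is absent, a comment such as `# host key is NOT verified unless INPUT_STRICT_HOSTKEYS_CHECKING=true` would keep that visible to the next reader.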
@@ -55,11 +57,72 @@ teardown() {
 export INPUT_RSH=""
 export INPUT_PATH=""
 export INPUT_REMOTE_USER="user"
- export INPUT_REMOTE_HOST="host"
+ export INPUT_REMOTE_HOST="localhost.local"
 export GITHUB_WORKSPACE="/tmp"
- export DSN="user@host"
+ export DSN="user@localhost.local"
 export LOCAL_PATH="/tmp/"
 run ./entrypoint.sh
- [[ "${output}" != *"HostKeyAlgorithms=+ssh-rsa"* ]]
+ [[ "${output}" == *"rsync -avz -e ssh -o StrictHostKeyChecking=no -p 22 /tmp/ user@localhost.local:remote/"* ]]
+}
+
+@test "includes STRICT_HOSTKEYS_CHECKING switches when allowed" {
+ # Set a fake HOME dir
+ local -r HOME="/tmp"
+
+ export INPUT_LEGACY_ALLOW_RSA_HOSTKEYS="false"
+ export INPUT_STRICT_HOSTKEYS_CHECKING="true"
+ export INPUT_REMOTE_PATH="remote/"
+ export INPUT_REMOTE_KEY="dummy"
+ export INPUT_REMOTE_KEY_PASS="dummy"
+ export GITHUB_ACTION="dummy"
+ export INPUT_SWITCHES="-avz"
+ export INPUT_REMOTE_PORT="22"
+ export INPUT_RSH=""
+ export INPUT_PATH=""
+ export INPUT_REMOTE_USER="user"
+ export INPUT_REMOTE_HOST="localhost.local"
+ export GITHUB_WORKSPACE="/tmp"
+ export DSN="user@localhost.local"
+ export LOCAL_PATH="/tmp/"
+
+ # Generate a mock key pair to test ssh-keyscan (entrypoint.sh:32)
+ rm -f "$HOME/mockKeyPair" "$HOME/mockKeyPair.pub" \
+ && ssh-keygen -t ed25519 -f "$HOME/mockKeyPair" -N '' -q -C '' \
+ && mockPublicKey=$(< "$HOME/mockKeyPair.pub")
+
+ # Create dummy ssh-keyscan binary to return $mockPublicKey
+ echo "echo 'localhost.local $mockPublicKey #Mock 1'" > ssh-keyscan
+ chmod +x ssh-keyscan
+
+ # Create dummy hosts-add binary to capture its arguments
+ echo 'echo "hosts-add $@"' > hosts-add
+ chmod +x hosts-add
+
+ run ./entrypoint.sh
+
+ [[ "${output}" == *"hosts-add localhost.local ssh-ed25519"* ]]
+ [[ "${output}" == *"rsync -avz -e ssh -o UserKnownHostsFile=/tmp/.ssh/known_hosts -o StrictHostKeyChecking=yes -p 22 /tmp/ user@localhost.local:remote/"* ]]
+}
+
+@test "does not includes STRICT_HOSTKEYS_CHECKING switches when not allowed" {
+ export INPUT_LEGACY_ALLOW_RSA_HOSTKEYS="false"
+ export INPUT_STRICT_HOSTKEYS_CHECKING="false"
+ export INPUT_REMOTE_PATH="remote/"
+ export INPUT_REMOTE_KEY="dummy"
+ export INPUT_REMOTE_KEY_PASS="dummy"
+ export GITHUB_ACTION="dummy"
+ export INPUT_SWITCHES="-avz"
+ export INPUT_REMOTE_PORT="22"
+ export INPUT_RSH=""
+ export INPUT_PATH=""
+ export INPUT_REMOTE_USER="user"
+ export INPUT_REMOTE_HOST="localhost.local"
+ export GITHUB_WORKSPACE="/tmp"
+ export DSN="user@localhost.local"
+ export LOCAL_PATH="/tmp/"
+
+ run ./entrypoint.sh
+
+ [[ "${output}" == *"rsync -avz -e ssh -o StrictHostKeyChecking=no -p 22 /tmp/ user@localhost.local:remote/"* ]]
 }
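Review bot: The key-pair setup in the strict-checking test is a single `&&` list, and errexit does not fire for a failure in the middle of such a list, so if `ssh-keygen` is missing or fails the test carries on with `mockPublicKey` empty and only fails later at the `hosts-add` match, far from the cause. Put the `rm -f`, `ssh-keygen` and `mockPublicKey=$(< ...)` commands on separate lines so the failing one stops the test. The match `*"hosts-add localhost.local ssh-ed25519"*` also checks only the key type; matching `$mockPublicKey` as well would show that the scanned key reaches hosts-add unchanged, assuming entrypoint.sh passes it through as arguments. The second new test's title reads "does not includes"; "does not include" would match the existing test names.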