1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
|
package ssh
import (
"crypto/rand"
"crypto/rsa"
"encoding/pem"
"errors"
"os"
"path/filepath"
"testing"
gossh "golang.org/x/crypto/ssh"
)
func TestPrivateKeySignerLoadsUnencryptedKey(t *testing.T) {
keyFile := filepath.Join(t.TempDir(), "id_rsa")
privateKey, err := rsa.GenerateKey(rand.Reader, 1024)
if err != nil {
t.Fatalf("GenerateKey failed: %v", err)
}
if err := os.WriteFile(keyFile, EncodePrivateKeyToPEM(privateKey), 0o600); err != nil {
t.Fatalf("WriteFile failed: %v", err)
}
signer, err := PrivateKeySigner(keyFile)
if err != nil {
t.Fatalf("PrivateKeySigner failed: %v", err)
}
if signer == nil {
t.Fatalf("PrivateKeySigner returned nil signer")
}
}
func TestPrivateKeySignerLoadsEncryptedKeyWithEnvPassphrase(t *testing.T) {
keyFile := filepath.Join(t.TempDir(), "id_rsa")
privateKey, err := rsa.GenerateKey(rand.Reader, 1024)
if err != nil {
t.Fatalf("GenerateKey failed: %v", err)
}
block, err := gossh.MarshalPrivateKeyWithPassphrase(privateKey, "", []byte("secret-passphrase"))
if err != nil {
t.Fatalf("MarshalPrivateKeyWithPassphrase failed: %v", err)
}
if err := os.WriteFile(keyFile, pem.EncodeToMemory(block), 0o600); err != nil {
t.Fatalf("WriteFile failed: %v", err)
}
t.Setenv("DTAIL_KEY_PASSPHRASE", "secret-passphrase")
signer, err := PrivateKeySigner(keyFile)
if err != nil {
t.Fatalf("PrivateKeySigner failed: %v", err)
}
if signer == nil {
t.Fatalf("PrivateKeySigner returned nil signer")
}
}
func TestPrivateKeySignerReturnsPassphraseMissingWithoutEnv(t *testing.T) {
keyFile := filepath.Join(t.TempDir(), "id_rsa")
privateKey, err := rsa.GenerateKey(rand.Reader, 1024)
if err != nil {
t.Fatalf("GenerateKey failed: %v", err)
}
block, err := gossh.MarshalPrivateKeyWithPassphrase(privateKey, "", []byte("secret-passphrase"))
if err != nil {
t.Fatalf("MarshalPrivateKeyWithPassphrase failed: %v", err)
}
if err := os.WriteFile(keyFile, pem.EncodeToMemory(block), 0o600); err != nil {
t.Fatalf("WriteFile failed: %v", err)
}
_, err = PrivateKeySigner(keyFile)
if err == nil {
t.Fatalf("PrivateKeySigner succeeded without passphrase env")
}
var passphraseMissingErr *gossh.PassphraseMissingError
if !errors.As(err, &passphraseMissingErr) {
t.Fatalf("PrivateKeySigner returned %T, want PassphraseMissingError", err)
}
}
func TestPrivateKeySignerRejectsIncorrectEnvPassphrase(t *testing.T) {
keyFile := filepath.Join(t.TempDir(), "id_rsa")
privateKey, err := rsa.GenerateKey(rand.Reader, 1024)
if err != nil {
t.Fatalf("GenerateKey failed: %v", err)
}
block, err := gossh.MarshalPrivateKeyWithPassphrase(privateKey, "", []byte("secret-passphrase"))
if err != nil {
t.Fatalf("MarshalPrivateKeyWithPassphrase failed: %v", err)
}
if err := os.WriteFile(keyFile, pem.EncodeToMemory(block), 0o600); err != nil {
t.Fatalf("WriteFile failed: %v", err)
}
t.Setenv("DTAIL_KEY_PASSPHRASE", "wrong-passphrase")
_, err = PrivateKeySigner(keyFile)
if err == nil {
t.Fatalf("PrivateKeySigner succeeded with wrong passphrase env")
}
var passphraseMissingErr *gossh.PassphraseMissingError
if errors.As(err, &passphraseMissingErr) {
t.Fatalf("PrivateKeySigner returned PassphraseMissingError instead of parse failure")
}
}
|
