test(ssh): add host key verification tests

Author: fabiovincenzi

test/ssh/hostKeyManager.test.ts

@@ -0,0 +1,220 @@
+import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
+import { ensureHostKey, validateHostKeyExists } from '../../src/proxy/ssh/hostKeyManager';
+
+// Mock modules
+const { fsStub, childProcessStub } = vi.hoisted(() => {
+  return {
+    fsStub: {
+      existsSync: vi.fn(),
+      readFileSync: vi.fn(),
+      mkdirSync: vi.fn(),
+      accessSync: vi.fn(),
+      constants: { R_OK: 4 },
+    },
+    childProcessStub: {
+      execSync: vi.fn(),
+    },
+  };
+});
+
+vi.mock('fs', async () => {
+  const actual = await vi.importActual<typeof import('fs')>('fs');
+  return {
+    ...actual,
+    existsSync: fsStub.existsSync,
+    readFileSync: fsStub.readFileSync,
+    mkdirSync: fsStub.mkdirSync,
+    accessSync: fsStub.accessSync,
+    constants: fsStub.constants,
+    default: {
+      ...actual,
+      existsSync: fsStub.existsSync,
+      readFileSync: fsStub.readFileSync,
+      mkdirSync: fsStub.mkdirSync,
+      accessSync: fsStub.accessSync,
+      constants: fsStub.constants,
+    },
+  };
+});
+
+vi.mock('child_process', async () => {
+  const actual = await vi.importActual<typeof import('child_process')>('child_process');
+  return {
+    ...actual,
+    execSync: childProcessStub.execSync,
+  };
+});
+
+describe('hostKeyManager', () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  afterEach(() => {
+    vi.restoreAllMocks();
+  });
+
+  describe('ensureHostKey', () => {
+    it('should return existing host key when it exists', () => {
+      const privateKeyPath = '/path/to/ssh_host_key';
+      const publicKeyPath = '/path/to/ssh_host_key.pub';
+      const mockKeyData = Buffer.from(
+        '-----BEGIN OPENSSH PRIVATE KEY-----\ntest\n-----END OPENSSH PRIVATE KEY-----',
+      );
+
+      fsStub.existsSync.mockReturnValue(true);
+      fsStub.readFileSync.mockReturnValue(mockKeyData);
+
+      const result = ensureHostKey({ privateKeyPath, publicKeyPath });
+
+      expect(result).toEqual(mockKeyData);
+      expect(fsStub.existsSync).toHaveBeenCalledWith(privateKeyPath);
+      expect(fsStub.readFileSync).toHaveBeenCalledWith(privateKeyPath);
+      expect(childProcessStub.execSync).not.toHaveBeenCalled();
+    });
+
+    it('should throw error when existing key cannot be read', () => {
+      const privateKeyPath = '/path/to/ssh_host_key';
+      const publicKeyPath = '/path/to/ssh_host_key.pub';
+
+      fsStub.existsSync.mockReturnValue(true);
+      fsStub.readFileSync.mockImplementation(() => {
+        throw new Error('Permission denied');
+      });
+
+      expect(() => {
+        ensureHostKey({ privateKeyPath, publicKeyPath });
+      }).toThrow('Failed to read existing SSH host key');
+    });
+
+    it('should throw error for invalid private key path with unsafe characters', () => {
+      const privateKeyPath = '/path/to/key;rm -rf /';
+      const publicKeyPath = '/path/to/key.pub';
+
+      expect(() => {
+        ensureHostKey({ privateKeyPath, publicKeyPath });
+      }).toThrow('Invalid SSH host key path');
+    });
+
+    it('should throw error for invalid public key path with unsafe characters', () => {
+      const privateKeyPath = '/path/to/key';
+      const publicKeyPath = '/path/to/key.pub && echo hacked';
+
+      expect(() => {
+        ensureHostKey({ privateKeyPath, publicKeyPath });
+      }).toThrow('Invalid SSH host key path');
+    });
+
+    it('should generate new key when it does not exist', () => {
+      const privateKeyPath = '/path/to/ssh_host_key';
+      const publicKeyPath = '/path/to/ssh_host_key.pub';
+      const mockKeyData = Buffer.from(
+        '-----BEGIN OPENSSH PRIVATE KEY-----\ngenerated\n-----END OPENSSH PRIVATE KEY-----',
+      );
+
+      fsStub.existsSync
+        .mockReturnValueOnce(false) // Check if private key exists
+        .mockReturnValueOnce(false) // Check if directory exists
+        .mockReturnValueOnce(true); // Verify key was created
+
+      fsStub.readFileSync.mockReturnValue(mockKeyData);
+      childProcessStub.execSync.mockReturnValue('');
+
+      const result = ensureHostKey({ privateKeyPath, publicKeyPath });
+
+      expect(result).toEqual(mockKeyData);
+      expect(fsStub.mkdirSync).toHaveBeenCalledWith('/path/to', { recursive: true });
+      expect(childProcessStub.execSync).toHaveBeenCalledWith(
+        `ssh-keygen -t ed25519 -f "${privateKeyPath}" -N "" -C "git-proxy-host-key"`,
+        {
+          stdio: 'pipe',
+          timeout: 10000,
+        },
+      );
+    });
+
+    it('should not create directory if it already exists when generating key', () => {
+      const privateKeyPath = '/path/to/ssh_host_key';
+      const publicKeyPath = '/path/to/ssh_host_key.pub';
+      const mockKeyData = Buffer.from(
+        '-----BEGIN OPENSSH PRIVATE KEY-----\ngenerated\n-----END OPENSSH PRIVATE KEY-----',
+      );
+
+      fsStub.existsSync
+        .mockReturnValueOnce(false) // Check if private key exists
+        .mockReturnValueOnce(true) // Directory already exists
+        .mockReturnValueOnce(true); // Verify key was created
+
+      fsStub.readFileSync.mockReturnValue(mockKeyData);
+      childProcessStub.execSync.mockReturnValue('');
+
+      ensureHostKey({ privateKeyPath, publicKeyPath });
+
+      expect(fsStub.mkdirSync).not.toHaveBeenCalled();
+    });
+
+    it('should throw error when key generation fails', () => {
+      const privateKeyPath = '/path/to/ssh_host_key';
+      const publicKeyPath = '/path/to/ssh_host_key.pub';
+
+      fsStub.existsSync.mockReturnValueOnce(false).mockReturnValueOnce(false);
+
+      childProcessStub.execSync.mockImplementation(() => {
+        throw new Error('ssh-keygen not found');
+      });
+
+      expect(() => {
+        ensureHostKey({ privateKeyPath, publicKeyPath });
+      }).toThrow('Failed to generate SSH host key: ssh-keygen not found');
+    });
+
+    it('should throw error when generated key file is not found after generation', () => {
+      const privateKeyPath = '/path/to/ssh_host_key';
+      const publicKeyPath = '/path/to/ssh_host_key.pub';
+
+      fsStub.existsSync
+        .mockReturnValueOnce(false) // Check if private key exists
+        .mockReturnValueOnce(false) // Check if directory exists
+        .mockReturnValueOnce(false); // Verify key was created - FAIL
+
+      childProcessStub.execSync.mockReturnValue('');
+
+      expect(() => {
+        ensureHostKey({ privateKeyPath, publicKeyPath });
+      }).toThrow('Key generation appeared to succeed but private key file not found');
+    });
+  });
+
+  describe('validateHostKeyExists', () => {
+    it('should return true when key exists and is readable', () => {
+      fsStub.accessSync.mockImplementation(() => {
+        // No error thrown means success
+      });
+
+      const result = validateHostKeyExists('/path/to/key');
+
+      expect(result).toBe(true);
+      expect(fsStub.accessSync).toHaveBeenCalledWith('/path/to/key', 4);
+    });
+
+    it('should return false when key does not exist', () => {
+      fsStub.accessSync.mockImplementation(() => {
+        throw new Error('ENOENT: no such file or directory');
+      });
+
+      const result = validateHostKeyExists('/path/to/key');
+
+      expect(result).toBe(false);
+    });
+
+    it('should return false when key is not readable', () => {
+      fsStub.accessSync.mockImplementation(() => {
+        throw new Error('EACCES: permission denied');
+      });
+
+      const result = validateHostKeyExists('/path/to/key');
+
+      expect(result).toBe(false);
+    });
+  });
+});

test/ssh/knownHosts.test.ts

@@ -0,0 +1,166 @@
+import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
+import {
+  DEFAULT_KNOWN_HOSTS,
+  getKnownHosts,
+  verifyHostKey,
+  KnownHostsConfig,
+} from '../../src/proxy/ssh/knownHosts';
+
+describe('knownHosts', () => {
+  let consoleErrorSpy: any;
+
+  beforeEach(() => {
+    consoleErrorSpy = vi.spyOn(console, 'error').mockImplementation(() => {});
+  });
+
+  afterEach(() => {
+    consoleErrorSpy.mockRestore();
+  });
+
+  describe('DEFAULT_KNOWN_HOSTS', () => {
+    it('should contain GitHub host key', () => {
+      expect(DEFAULT_KNOWN_HOSTS['github.com']).toBeDefined();
+      expect(DEFAULT_KNOWN_HOSTS['github.com']).toContain('SHA256:');
+    });
+
+    it('should contain GitLab host key', () => {
+      expect(DEFAULT_KNOWN_HOSTS['gitlab.com']).toBeDefined();
+      expect(DEFAULT_KNOWN_HOSTS['gitlab.com']).toContain('SHA256:');
+    });
+  });
+
+  describe('getKnownHosts', () => {
+    it('should return default hosts when no custom hosts provided', () => {
+      const result = getKnownHosts();
+
+      expect(result['github.com']).toBe(DEFAULT_KNOWN_HOSTS['github.com']);
+      expect(result['gitlab.com']).toBe(DEFAULT_KNOWN_HOSTS['gitlab.com']);
+    });
+
+    it('should merge custom hosts with defaults', () => {
+      const customHosts: KnownHostsConfig = {
+        'custom.example.com': 'SHA256:customfingerprint',
+      };
+
+      const result = getKnownHosts(customHosts);
+
+      expect(result['github.com']).toBe(DEFAULT_KNOWN_HOSTS['github.com']);
+      expect(result['gitlab.com']).toBe(DEFAULT_KNOWN_HOSTS['gitlab.com']);
+      expect(result['custom.example.com']).toBe('SHA256:customfingerprint');
+    });
+
+    it('should allow custom hosts to override defaults', () => {
+      const customHosts: KnownHostsConfig = {
+        'github.com': 'SHA256:overriddenfingerprint',
+      };
+
+      const result = getKnownHosts(customHosts);
+
+      expect(result['github.com']).toBe('SHA256:overriddenfingerprint');
+      expect(result['gitlab.com']).toBe(DEFAULT_KNOWN_HOSTS['gitlab.com']);
+    });
+
+    it('should handle undefined custom hosts', () => {
+      const result = getKnownHosts(undefined);
+
+      expect(result['github.com']).toBe(DEFAULT_KNOWN_HOSTS['github.com']);
+    });
+  });
+
+  describe('verifyHostKey', () => {
+    it('should return true for valid GitHub host key', () => {
+      const knownHosts = getKnownHosts();
+      const githubKey = DEFAULT_KNOWN_HOSTS['github.com'];
+
+      const result = verifyHostKey('github.com', githubKey, knownHosts);
+
+      expect(result).toBe(true);
+      expect(consoleErrorSpy).not.toHaveBeenCalled();
+    });
+
+    it('should return true for valid GitLab host key', () => {
+      const knownHosts = getKnownHosts();
+      const gitlabKey = DEFAULT_KNOWN_HOSTS['gitlab.com'];
+
+      const result = verifyHostKey('gitlab.com', gitlabKey, knownHosts);
+
+      expect(result).toBe(true);
+      expect(consoleErrorSpy).not.toHaveBeenCalled();
+    });
+
+    it('should return false for unknown hostname', () => {
+      const knownHosts = getKnownHosts();
+
+      const result = verifyHostKey('unknown.host.com', 'SHA256:anything', knownHosts);
+
+      expect(result).toBe(false);
+      expect(consoleErrorSpy).toHaveBeenCalledWith(
+        expect.stringContaining('Host key verification failed: Unknown host'),
+      );
+      expect(consoleErrorSpy).toHaveBeenCalledWith(
+        expect.stringContaining('Add the host key to your configuration:'),
+      );
+      expect(consoleErrorSpy).toHaveBeenCalledWith(
+        expect.stringContaining('"ssh": { "knownHosts": { "unknown.host.com": "SHA256:..." } }'),
+      );
+    });
+
+    it('should return false for mismatched fingerprint', () => {
+      const knownHosts = getKnownHosts();
+      const wrongFingerprint = 'SHA256:wrongfingerprint';
+
+      const result = verifyHostKey('github.com', wrongFingerprint, knownHosts);
+
+      expect(result).toBe(false);
+      expect(consoleErrorSpy).toHaveBeenCalledWith(
+        expect.stringContaining('Host key verification failed for'),
+      );
+      expect(consoleErrorSpy).toHaveBeenCalledWith(
+        expect.stringContaining(`Expected: ${DEFAULT_KNOWN_HOSTS['github.com']}`),
+      );
+      expect(consoleErrorSpy).toHaveBeenCalledWith(
+        expect.stringContaining(`Received: ${wrongFingerprint}`),
+      );
+      expect(consoleErrorSpy).toHaveBeenCalledWith(
+        expect.stringContaining('WARNING: This could indicate a man-in-the-middle attack!'),
+      );
+    });
+
+    it('should verify custom host keys', () => {
+      const customHosts: KnownHostsConfig = {
+        'custom.example.com': 'SHA256:customfingerprint123',
+      };
+      const knownHosts = getKnownHosts(customHosts);
+
+      const result = verifyHostKey('custom.example.com', 'SHA256:customfingerprint123', knownHosts);
+
+      expect(result).toBe(true);
+      expect(consoleErrorSpy).not.toHaveBeenCalled();
+    });
+
+    it('should reject custom host with wrong fingerprint', () => {
+      const customHosts: KnownHostsConfig = {
+        'custom.example.com': 'SHA256:customfingerprint123',
+      };
+      const knownHosts = getKnownHosts(customHosts);
+
+      const result = verifyHostKey('custom.example.com', 'SHA256:wrongfingerprint', knownHosts);
+
+      expect(result).toBe(false);
+      expect(consoleErrorSpy).toHaveBeenCalledWith(
+        expect.stringContaining('Host key verification failed for'),
+      );
+    });
+
+    it('should handle empty known hosts object', () => {
+      const emptyHosts: KnownHostsConfig = {};
+
+      const result = verifyHostKey('github.com', 'SHA256:anything', emptyHosts);
+
+      expect(result).toBe(false);
+      expect(consoleErrorSpy).toHaveBeenCalledWith(
+        expect.stringContaining('Host key verification failed: Unknown host'),
+      );
+    });
+  });
+});