Finish implementation of insecure mode

This change rewrite how the insecure flag dictates the implementation of
the host key validation callback and add unit tests to cover the
changes.

Author: David Pinheiro

cli/cli.go

@@ -56,7 +56,7 @@ func (c *App) Parse() error {
 	f.BoolVar(&c.Version, "version", false, "display the mole version")
 	f.BoolVar(&c.Detach, "detach", false, "(optional) run process in background")
 	f.StringVar(&c.Stop, "stop", "", "stop background process")
-	f.BoolVar(&c.InsecureMode, "insecure", false, "(optional) ignore unknown host keys when connecting to an ssh server")
+	f.BoolVar(&c.InsecureMode, "insecure", false, "(optional) skip host key validation when connecting to ssh server")
 
 	f.Parse(c.args[1:])
 

cmd/mole/main.go

@@ -214,7 +214,7 @@ func start(app cli.App) error {
 		return err
 	}
 
-	s.SetInsecureMode(app.InsecureMode)
+	s.Insecure = app.InsecureMode
 
 	log.Debugf("server: %s", s)
 

tunnel/tunnel.go

@@ -22,11 +22,12 @@ const (
 
 // Server holds the SSH Server attributes used for the client to connect to it.
 type Server struct {
-	Name     string
-	Address  string
-	User     string
-	Key      string
-	insecure bool
+	Name    string
+	Address string
+	User    string
+	Key     string
+	// Insecure is a flag to indicate if the host keys should be validated.
+	Insecure bool
 }
 
 // NewServer creates a new instance of Server using $HOME/.ssh/config to
@@ -92,11 +93,6 @@ func (s Server) String() string {
 	return fmt.Sprintf("[name=%s, address=%s, user=%s, key=%s]", s.Name, s.Address, s.User, s.Key)
 }
 
-// Set whether or not to check the known_hosts file
-func (s *Server) SetInsecureMode(flag bool) {
-	s.insecure = flag
-}
-
 // Tunnel represents the ssh tunnel used to forward a local connection to a
 // a remote endpoint through a ssh server.
 type Tunnel struct {
@@ -263,7 +259,7 @@ func sshClientConfig(server Server) (*ssh.ClientConfig, error) {
 		return nil, err
 	}
 
-	callback, err := knownHostsCallback(server)
+	clb, err := knownHostsCallback(server.Insecure)
 	if err != nil {
 		return nil, err
 	}
@@ -273,7 +269,7 @@ func sshClientConfig(server Server) (*ssh.ClientConfig, error) {
 		Auth: []ssh.AuthMethod{
 			ssh.PublicKeys(signer),
 		},
-		HostKeyCallback: callback,
+		HostKeyCallback: clb,
 		Timeout:         3 * time.Second,
 	}, nil
 }
@@ -285,23 +281,25 @@ func copyConn(writer, reader net.Conn) {
 	}
 }
 
-func knownHostsCallback(s Server) (ssh.HostKeyCallback, error) {
-	knownHostFile := filepath.Join(os.Getenv("HOME"), ".ssh", "known_hosts")
-
-	log.Debugf("known_hosts file used: %s", knownHostFile)
-
-	secureCallback, err := knownhosts.New(knownHostFile)
-	if err != nil {
-		return nil, fmt.Errorf("error while parsing 'known_hosts' file: %s: %v", knownHostFile, err)
-	}
+func knownHostsCallback(insecure bool) (ssh.HostKeyCallback, error) {
+	var clb func(hostname string, remote net.Addr, key ssh.PublicKey) error
 
-	callback := func(hostname string, remote net.Addr, key ssh.PublicKey) error {
-		if s.insecure {
+	if insecure {
+		clb = func(hostname string, remote net.Addr, key ssh.PublicKey) error {
 			return nil
 		}
-		return secureCallback(hostname, remote, key)
+	} else {
+		var err error
+		knownHostFile := filepath.Join(os.Getenv("HOME"), ".ssh", "known_hosts")
+		log.Debugf("known_hosts file used: %s", knownHostFile)
+
+		clb, err = knownhosts.New(knownHostFile)
+		if err != nil {
+			return nil, fmt.Errorf("error while parsing 'known_hosts' file: %s: %v", knownHostFile, err)
+		}
 	}
-	return callback, nil
+
+	return clb, nil
 }
 
 func reconcileHostname(givenHostname, resolvedHostname string) string {

tunnel/tunnel_test.go

@@ -166,9 +166,10 @@ func TestTunnelOptions(t *testing.T) {
 
 }
 
+//TODO teardown the tunnel
 func TestTunnel(t *testing.T) {
 	expected := "ABC"
-	tun := prepareTunnel(t)
+	tun := prepareTunnel(t, false)
 
 	select {
 	case <-tun.Ready:
@@ -191,6 +192,37 @@ func TestTunnel(t *testing.T) {
 	if expected != response {
 		t.Errorf("expected: %s, value: %s", expected, response)
 	}
+
+	tun.Stop()
+}
+
+func TestInsecureTunnel(t *testing.T) {
+	expected := "ABC"
+	tun := prepareTunnel(t, true)
+
+	select {
+	case <-tun.Ready:
+		t.Log("tunnel is ready to accept connections")
+	case <-time.After(1 * time.Second):
+		t.Errorf("no connection after a while")
+		return
+	}
+
+	resp, err := http.Get(fmt.Sprintf("http://%s/%s", tun.listener.Addr(), expected))
+	if err != nil {
+		t.Errorf("error while making local connection: %v", err)
+		return
+	}
+	defer resp.Body.Close()
+
+	body, _ := ioutil.ReadAll(resp.Body)
+	response := string(body)
+
+	if expected != response {
+		t.Errorf("expected: %s, value: %s", expected, response)
+	}
+
+	tun.Stop()
 }
 
 func TestRandomLocalPort(t *testing.T) {
@@ -244,13 +276,18 @@ func TestMain(m *testing.M) {
 
 // prepareTunnel creates a Tunnel object making sure all infrastructure
 // dependencies (ssh and http servers) are ready.
-func prepareTunnel(t *testing.T) *Tunnel {
-	sshAddr := createSSHServer(keyPath)
-	generateKnownHosts(sshAddr.String(), publicKeyPath, knownHostsPath)
-	s, _ := NewServer("mole", sshAddr.String(), "")
+func prepareTunnel(t *testing.T, insecure bool) *Tunnel {
+	ssh := createSSHServer(keyPath)
+	srv, _ := NewServer("mole", ssh.Addr().String(), "")
 
-	httpAddr := createWebServer()
-	tun := &Tunnel{local: "127.0.0.1:0", server: s, remote: httpAddr.String(), done: make(chan error), Ready: make(chan bool, 1)}
+	srv.Insecure = insecure
+
+	if !insecure {
+		generateKnownHosts(ssh.Addr().String(), publicKeyPath, knownHostsPath)
+	}
+
+	web := createWebServer()
+	tun := &Tunnel{local: "127.0.0.1:0", server: srv, remote: web.Addr().String(), done: make(chan error), Ready: make(chan bool, 1)}
 
 	go func(t *testing.T) {
 		err := tun.Start()
@@ -322,19 +359,24 @@ func get(client http.Client, resource string) (string, error) {
 //
 // Example: If the request URI is /this-is-a-test, the response will be
 // this-is-a-test
-func createWebServer() net.Addr {
+func createWebServer() net.Listener {
 
 	handler := func(w http.ResponseWriter, r *http.Request) {
 		fmt.Fprintf(w, r.URL.Path[1:])
 	}
-	http.HandleFunc("/", handler)
+
+	mux := http.NewServeMux()
+	mux.HandleFunc("/", handler)
+
+	server := &http.Server{
+		Handler: mux,
+	}
+
 	l, _ := net.Listen("tcp", "127.0.0.1:0")
 
-	go func(l net.Listener) {
-		http.Serve(l, nil)
-	}(l)
+	go server.Serve(l)
 
-	return l.Addr()
+	return l
 }
 
 // createSSHServer starts a SSH server that authenticates connections using
@@ -347,7 +389,7 @@ func createWebServer() net.Addr {
 // References:
 // https://gist.github.com/jpillora/b480fde82bff51a06238
 // https://tools.ietf.org/html/rfc4254#section-7.2
-func createSSHServer(keyPath string) net.Addr {
+func createSSHServer(keyPath string) net.Listener {
 	conf := &ssh.ServerConfig{
 		PublicKeyCallback: func(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) {
 			return &ssh.Permissions{}, nil
@@ -398,7 +440,7 @@ func createSSHServer(keyPath string) net.Addr {
 		}
 	}(l)
 
-	return l.Addr()
+	return l
 }
 
 // generateKnownHosts creates a new "known_hosts" file on a given path with a