Add tests for skip_host_key_verification

paramiko · Jan 11, 2024 · f1352ac · f1352ac
1 parent 3e415b1
commit f1352ac
Showing 1 changed file with 53 additions and 0 deletions.
diff --git a/tests/test_client.py b/tests/test_client.py
@@ -43,6 +43,8 @@
 
 from ._util import _support, requires_sha1_signing, slow
 
+from cryptography.exceptions import UnsupportedAlgorithm
+
 
 requires_gss_auth = unittest.skipUnless(
     paramiko.GSS_AUTH_AVAILABLE, "GSS auth not available"
@@ -501,6 +503,57 @@ def test_client_can_be_used_as_context_manager(self):
 
         self.assertTrue(self.tc._transport is None)
 
+    @requires_sha1_signing
+    def test_host_key_verification_with_bad_key(self):
+        """
+        verify that host key verification raises an exception on failure
+        """
+        # Note that _test_connection uses an RSA host key,
+        # so that's what we mock
+        with patch.object(paramiko.RSAKey, "verify_ssh_sig") as verifier:
+            verifier.return_value = False
+            with self.assertRaises(SSHException) as cm:
+                self._test_connection(key_filename=_support("ed25519.key"))
+            self.assertEqual(
+                str(cm.exception), "Signature verification (ssh-rsa) failed."
+            )
+
+    @requires_sha1_signing
+    def test_host_key_verification_with_unsupported_key(self):
+        """
+        verify that host key verification raises an exception on
+        getting a host key with an unsupported algorithm
+        """
+        with patch.object(paramiko.RSAKey, "verify_ssh_sig") as verifier:
+            verifier.side_effect = UnsupportedAlgorithm("oops")
+            with self.assertRaises(UnsupportedAlgorithm) as cm:
+                self._test_connection(key_filename=_support("ed25519.key"))
+            self.assertEqual(str(cm.exception), "oops")
+
+    @requires_sha1_signing
+    def test_skip_host_key_verification_with_bad_key(self):
+        """
+        verify that a bad host key can be ignored
+        """
+        with patch.object(paramiko.RSAKey, "verify_ssh_sig") as verifier:
+            verifier.return_value = False
+            self._test_connection(
+                key_filename=_support("ed25519.key"),
+                skip_host_key_verification=True,
+            )
+
+    @requires_sha1_signing
+    def test_skip_host_key_verification_with_unsupported_key(self):
+        """
+        verify that an unsupported host key can be ignored
+        """
+        with patch.object(paramiko.RSAKey, "verify_ssh_sig") as verifier:
+            verifier.side_effect = UnsupportedAlgorithm("oops")
+            self._test_connection(
+                key_filename=_support("ed25519.key"),
+                skip_host_key_verification=True,
+            )
+
     def test_banner_timeout(self):
         """
         verify that the SSHClient has a configurable banner timeout.