florian/git-hardening
Public Access
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: tests, device-not-found retry, remove Qubes CTAP2 warning

Browse Source 
Add 20 BATS tests and 1 interactive test for v0.5.0 edge-case
fixes. FIDO2 keygen now prompts to retry on "device not found"
instead of exiting. Remove stale Qubes vhci_hcd warning. Update
hardware test matrix in README.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Flo
2026-04-05 04:22:52 -07:00
parent c5bbe5b44a
commit cd2afdb308
7 changed files with 464 additions and 48 deletions
Download Patch File Download Diff File Expand all files Collapse all files

323
test/git-harden.bats
View File

@@ -570,18 +570,29 @@ SSHEOF
[ "$SIGNING_PUB_PATH" = "${TEST_HOME}/.ssh/id_ed25519.pub" ]
}
@test "detect_existing_keys prefers sk key over software key" {
@test "detect_existing_keys prefers dedicated signing key over general key" {
ssh-keygen -t ed25519 -f "${TEST_HOME}/.ssh/id_ed25519" -N "" -q
# Fake an sk key (can't generate real one without hardware)
cp "${TEST_HOME}/.ssh/id_ed25519" "${TEST_HOME}/.ssh/id_ed25519_sk"
# Write a fake pub key with sk type prefix
printf 'sk-ssh-ed25519@openssh.com AAAAFakeKey test\n' > "${TEST_HOME}/.ssh/id_ed25519_sk.pub"
ssh-keygen -t ed25519 -f "${TEST_HOME}/.ssh/id_ed25519_signing" -N "" -q
source_functions
detect_existing_keys
[ "$SIGNING_KEY_FOUND" = true ]
[ "$SIGNING_PUB_PATH" = "${TEST_HOME}/.ssh/id_ed25519_sk.pub" ]
[ "$SIGNING_PUB_PATH" = "${TEST_HOME}/.ssh/id_ed25519_signing.pub" ]
}
@test "detect_existing_keys prefers sk signing key over software key" {
ssh-keygen -t ed25519 -f "${TEST_HOME}/.ssh/id_ed25519" -N "" -q
# Fake an sk signing key (can't generate real one without hardware)
cp "${TEST_HOME}/.ssh/id_ed25519" "${TEST_HOME}/.ssh/id_ed25519_sk_signing"
# Write a fake pub key with sk type prefix
printf 'sk-ssh-ed25519@openssh.com AAAAFakeKey test\n' > "${TEST_HOME}/.ssh/id_ed25519_sk_signing.pub"
source_functions
detect_existing_keys
[ "$SIGNING_KEY_FOUND" = true ]
[ "$SIGNING_PUB_PATH" = "${TEST_HOME}/.ssh/id_ed25519_sk_signing.pub" ]
}
@test "detect_existing_keys finds key from IdentityFile directive" {
@@ -691,15 +702,16 @@ SSHEOF
[ "$count" -eq 1 ]
}
@test "setup_allowed_signers skips when no email set" {
@test "setup_allowed_signers skips when no email provided" {
ssh-keygen -t ed25519 -f "${TEST_HOME}/.ssh/id_ed25519" -N "" -q
git config --global --unset user.email
source_functions
SIGNING_PUB_PATH="${TEST_HOME}/.ssh/id_ed25519.pub"
# In non-interactive context, read from /dev/tty fails — empty email
run setup_allowed_signers
assert_output --partial "user.email not set"
assert_output --partial "No email provided"
}
# ===========================================================================
@@ -1153,10 +1165,297 @@ EOF
}
# ===========================================================================
# v0.2.0: Version bump
# v0.5.0: Identity guard (useConfigOnly)
# ===========================================================================
@test "--version reports 0.4.0" {
run bash "$SCRIPT" --version
assert_output --partial "0.4.0"
@test "audit warns when useConfigOnly=true but identity missing" {
git config --global --unset user.name
git config --global --unset user.email
source_functions
run audit_git_config
assert_output --partial "user.name/user.email not set"
}
@test "audit does not warn about identity when name and email set" {
source_functions
run audit_git_config
refute_output --partial "user.name/user.email not set"
}
@test "-y mode applies useConfigOnly when identity exists" {
source_functions
AUTO_YES=true
PLATFORM="macos"
DETECTED_CRED_HELPER="osxkeychain"
run apply_git_config
assert_success
[ "$(git config --global user.useConfigOnly)" = "true" ]
}
@test "-y mode skips useConfigOnly when user.name missing" {
git config --global --unset user.name
source_functions
AUTO_YES=true
PLATFORM="macos"
DETECTED_CRED_HELPER="osxkeychain"
run apply_git_config
assert_success
assert_output --partial "Skipping user.useConfigOnly"
local result
result="$(git config --global --get user.useConfigOnly 2>/dev/null || true)"
[ -z "$result" ]
}
@test "-y mode skips useConfigOnly when user.email missing" {
git config --global --unset user.email
source_functions
AUTO_YES=true
PLATFORM="macos"
DETECTED_CRED_HELPER="osxkeychain"
run apply_git_config
assert_success
assert_output --partial "Skipping user.useConfigOnly"
local result
result="$(git config --global --get user.useConfigOnly 2>/dev/null || true)"
[ -z "$result" ]
}
# ===========================================================================
# v0.5.0: pull.rebase unset during apply
# ===========================================================================
@test "-y mode unsets pull.rebase when set" {
git config --global pull.rebase true
source_functions
AUTO_YES=true
PLATFORM="macos"
DETECTED_CRED_HELPER="osxkeychain"
run apply_git_config
assert_success
assert_output --partial "Unset pull.rebase"
local result
result="$(git config --global --get pull.rebase 2>/dev/null || true)"
[ -z "$result" ]
}
@test "-y mode does not unset pull.rebase when not set" {
source_functions
AUTO_YES=true
PLATFORM="macos"
DETECTED_CRED_HELPER="osxkeychain"
run apply_git_config
assert_success
refute_output --partial "Unset pull.rebase"
}
# ===========================================================================
# v0.5.0: SSH directives in Host * block
# ===========================================================================
@test "apply places new SSH directive in Host * block when blocks exist" {
cat > "${TEST_HOME}/.ssh/config" <<'SSHEOF'
Host github.com
IdentityFile ~/.ssh/github_key
SSHEOF
source_functions
apply_single_ssh_directive "StrictHostKeyChecking" "accept-new"
# Should have created a Host * block
grep -q "^Host \*$" "${TEST_HOME}/.ssh/config"
grep -q "StrictHostKeyChecking accept-new" "${TEST_HOME}/.ssh/config"
}
@test "apply inserts into existing Host * block" {
cat > "${TEST_HOME}/.ssh/config" <<'SSHEOF'
Host *
HashKnownHosts yes
Host github.com
IdentityFile ~/.ssh/github_key
SSHEOF
source_functions
apply_single_ssh_directive "IdentitiesOnly" "yes"
# Should be inside Host * block (indented), not appended bare
grep -q "IdentitiesOnly yes" "${TEST_HOME}/.ssh/config"
# Only one Host * line
local count
count="$(grep -c '^Host \*$' "${TEST_HOME}/.ssh/config")"
[ "$count" -eq 1 ]
}
@test "apply appends bare when no Host/Match blocks exist" {
: > "${TEST_HOME}/.ssh/config"
source_functions
apply_single_ssh_directive "HashKnownHosts" "yes"
grep -q "HashKnownHosts yes" "${TEST_HOME}/.ssh/config"
# No Host * block should be created for a simple file
! grep -q "^Host" "${TEST_HOME}/.ssh/config"
}
# ===========================================================================
# v0.5.0: SSH config backup
# ===========================================================================
@test "apply_ssh_config creates backup of existing SSH config" {
printf 'StrictHostKeyChecking ask\n' > "${TEST_HOME}/.ssh/config"
source_functions
AUTO_YES=true
run apply_ssh_config
assert_success
assert_output --partial "SSH config backed up"
# Verify backup file exists
local backup_count
backup_count="$(find "${TEST_HOME}/.ssh" -name 'config.pre-harden-*' | wc -l | tr -d ' ')"
[ "$backup_count" -eq 1 ]
# Verify backup contains original content
local backup_file
backup_file="$(find "${TEST_HOME}/.ssh" -name 'config.pre-harden-*' -print -quit)"
grep -q "StrictHostKeyChecking ask" "$backup_file"
}
@test "apply_ssh_config does not create backup for new SSH config" {
rm -f "${TEST_HOME}/.ssh/config"
source_functions
AUTO_YES=true
run apply_ssh_config
assert_success
refute_output --partial "SSH config backed up"
}
# ===========================================================================
# v0.5.0: Dedicated signing key names
# ===========================================================================
@test "detect_existing_keys finds dedicated signing key" {
ssh-keygen -t ed25519 -f "${TEST_HOME}/.ssh/id_ed25519_signing" -N "" -q
source_functions
detect_existing_keys
[ "$SIGNING_KEY_FOUND" = true ]
[ "$SIGNING_PUB_PATH" = "${TEST_HOME}/.ssh/id_ed25519_signing.pub" ]
}
@test "detect_existing_keys falls back to general key when no signing key" {
ssh-keygen -t ed25519 -f "${TEST_HOME}/.ssh/id_ed25519" -N "" -q
source_functions
detect_existing_keys
[ "$SIGNING_KEY_FOUND" = true ]
[ "$SIGNING_PUB_PATH" = "${TEST_HOME}/.ssh/id_ed25519.pub" ]
}
@test "-y mode enables signing with dedicated signing key" {
ssh-keygen -t ed25519 -f "${TEST_HOME}/.ssh/id_ed25519_signing" -N "" -q
source_functions
AUTO_YES=true
run apply_signing_config
assert_success
[ "$(git config --global commit.gpgsign)" = "true" ]
local sigkey
sigkey="$(git config --global user.signingkey)"
[[ "$sigkey" = *"id_ed25519_signing.pub"* ]]
}
# ===========================================================================
# v0.5.0: core.hooksPath separate prompt
# ===========================================================================
@test "-y mode applies core.hooksPath separately from filesystem group" {
source_functions
AUTO_YES=true
PLATFORM="macos"
DETECTED_CRED_HELPER="osxkeychain"
run apply_git_config
assert_success
[ "$(git config --global core.hooksPath)" = "~/.config/git/hooks" ]
}
@test "-y mode skips core.hooksPath when already set" {
git config --global core.hooksPath "~/.config/git/hooks"
source_functions
AUTO_YES=true
PLATFORM="macos"
DETECTED_CRED_HELPER="osxkeychain"
run apply_git_config
assert_success
refute_output --partial "Global Hooks Path"
}
# ===========================================================================
# v0.5.0: reset-signing cleans configured key path
# ===========================================================================
@test "reset-signing cleans actual configured key path" {
# Create a custom-named key
ssh-keygen -t ed25519 -f "${TEST_HOME}/.ssh/my_org_key" -N "" -q
git config --global user.signingkey "${TEST_HOME}/.ssh/my_org_key.pub"
git config --global commit.gpgsign true
source_functions
AUTO_YES=true
run reset_signing
assert_success
# git config entries should be removed
local sigkey
sigkey="$(git config --global --get user.signingkey 2>/dev/null || true)"
[ -z "$sigkey" ]
# Key files should be listed for cleanup
assert_output --partial "my_org_key"
}
@test "reset-signing includes dedicated signing key names" {
# Create dedicated signing keys
ssh-keygen -t ed25519 -f "${TEST_HOME}/.ssh/id_ed25519_signing" -N "" -q
source_functions
AUTO_YES=true
run reset_signing
assert_success
assert_output --partial "id_ed25519_signing"
}
# ===========================================================================
# v0.5.0: Version bump
# ===========================================================================
@test "--version reports 0.5.0" {
run bash "$SCRIPT" --version
assert_output --partial "0.5.0"
}

106
test/interactive/test-identity-guard.sh Executable file
View File

@@ -0,0 +1,106 @@
#!/usr/bin/env bash
# Interactive test: identity guard prevents useConfigOnly lockout
# Verifies: when user.name/email are missing, the script prompts for them
# before enabling useConfigOnly; after providing both, useConfigOnly is set.
set -o errexit
set -o nounset
set -o pipefail
IFS=$'\n\t'
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
# shellcheck source=helpers.sh
source "${SCRIPT_DIR}/helpers.sh"
main() {
trap cleanup EXIT
printf 'Test: Identity guard — missing name/email\n' >&2
# Remove identity AND useConfigOnly so the guard triggers
git config --global --unset user.name 2>/dev/null || true
git config --global --unset user.email 2>/dev/null || true
git config --global --unset user.useConfigOnly 2>/dev/null || true
# Remove signing keys so wizard shows options (not existing key prompt)
rm -f "${HOME}/.ssh/id_ed25519_signing" "${HOME}/.ssh/id_ed25519_signing.pub"
rm -f "${HOME}/.ssh/id_ed25519" "${HOME}/.ssh/id_ed25519.pub"
start_session
# Safety review gate
wait_for "reviewed this script"
send "y" Enter
# Proceed with hardening
wait_for "Proceed with hardening"
send "y" Enter
# Accept settings until identity guard prompt appears
local pane_content
for _ in $(seq 1 50); do
sleep 0.3
pane_content="$(tmux capture-pane -t "$TMUX_SESSION" -p 2>/dev/null || true)"
if printf '%s' "$pane_content" | grep -qF "Enter your name"; then
break
fi
if printf '%s' "$pane_content" | grep -qF "Hardening complete"; then
fail "Identity guard did not trigger — reached completion"
exit 1
fi
send "y" Enter
done
# Identity guard: enter name
wait_for "Enter your name" 15
send "Test User" Enter
# Identity guard: enter email
wait_for "Enter your email" 10
send "test@example.com" Enter
# Continue accepting remaining prompts
for _ in $(seq 1 50); do
sleep 0.3
pane_content="$(tmux capture-pane -t "$TMUX_SESSION" -p 2>/dev/null || true)"
if printf '%s' "$pane_content" | grep -qF "Signing key options"; then
break
fi
if printf '%s' "$pane_content" | grep -qF "Hardening complete"; then
break
fi
send "y" Enter
done
# Skip signing
if tmux capture-pane -t "$TMUX_SESSION" -p | grep -qF "Signing key options"; then
send "s" Enter
fi
# Wait for completion
sleep 2
capture_output >/dev/null 2>&1 || true
# Verify: useConfigOnly was set
local use_config_only
use_config_only="$(git config --global --get user.useConfigOnly 2>/dev/null || true)"
if [ "$use_config_only" = "true" ]; then
pass "Identity guard: useConfigOnly=true set after providing name/email"
else
fail "Identity guard: useConfigOnly not set (expected true, got '${use_config_only}')"
exit 1
fi
# Verify: name and email were set
local name email
name="$(git config --global --get user.name 2>/dev/null || true)"
email="$(git config --global --get user.email 2>/dev/null || true)"
if [ "$name" = "Test User" ] && [ "$email" = "test@example.com" ]; then
pass "Identity guard: user.name and user.email configured"
else
fail "Identity guard: identity not configured (name='${name}', email='${email}')"
exit 1
fi
}
main

13
test/interactive/test-signing-generate.sh
View File

@@ -16,7 +16,12 @@ main() {
printf 'Test: Signing wizard - generate ed25519 key\n' >&2
# Ensure no existing keys
# Ensure identity is set (prior tests may have cleared it)
git config --global user.name "Test User" 2>/dev/null || true
git config --global user.email "test@example.com" 2>/dev/null || true
# Ensure no existing signing keys (new dedicated names + legacy)
rm -f "${HOME}/.ssh/id_ed25519_signing" "${HOME}/.ssh/id_ed25519_signing.pub"
rm -f "${HOME}/.ssh/id_ed25519" "${HOME}/.ssh/id_ed25519.pub"
start_session
@@ -61,9 +66,9 @@ main() {
sleep 3
capture_output >/dev/null 2>&1 || true
# Verify key exists
if [ -f "${HOME}/.ssh/id_ed25519.pub" ]; then
pass "Key generated: ~/.ssh/id_ed25519.pub exists"
# Verify key exists (new dedicated signing key name)
if [ -f "${HOME}/.ssh/id_ed25519_signing.pub" ]; then
pass "Key generated: ~/.ssh/id_ed25519_signing.pub exists"
else
fail "Key not generated"
exit 1

3
test/interactive/test-signing-skip.sh
View File

@@ -17,6 +17,9 @@ main() {
printf 'Test: Signing wizard - skip\n' >&2
# Remove any keys from prior tests so wizard shows key generation options
rm -f "${HOME}/.ssh/id_ed25519_signing" "${HOME}/.ssh/id_ed25519_signing.pub"
rm -f "${HOME}/.ssh/id_ed25519_sk_signing" "${HOME}/.ssh/id_ed25519_sk_signing.pub"
rm -f "${HOME}/.ssh/id_ecdsa_sk_signing" "${HOME}/.ssh/id_ecdsa_sk_signing.pub"
rm -f "${HOME}/.ssh/id_ed25519" "${HOME}/.ssh/id_ed25519.pub"
rm -f "${HOME}/.ssh/id_ed25519_sk" "${HOME}/.ssh/id_ed25519_sk.pub"
git config --global --unset user.signingkey 2>/dev/null || true