sftp: Verify server fingerprint

If no fingerprint is stored -> save whatever the server gives
If a fingerprint is stored -> error if fingerprint does not match

1 files changed, 45 insertions, 15 deletions

diff --git a/libs/sftp/src/test/java/org/the_jk/cleversync/sftp/SftpTreeTest.kt b/libs/sftp/src/test/java/org/the_jk/cleversync/sftp/SftpTreeTest.kt
index da654a1..b254c4e 100644
--- a/libs/sftp/src/test/java/org/the_jk/cleversync/sftp/SftpTreeTest.kt
+++ b/libs/sftp/src/test/java/org/the_jk/cleversync/sftp/SftpTreeTest.kt
@@ -1,6 +1,7 @@
 package org.the_jk.cleversync.sftp
 
 import android.content.Context
+import android.net.Uri
 import androidx.test.core.app.ApplicationProvider
 import com.google.common.truth.Truth.assertThat
 import org.junit.After
@@ -16,7 +17,9 @@ import org.robolectric.annotation.Config
 import org.robolectric.shadows.ShadowLooper
 import org.the_jk.cleversync.TreeAbstractTest
 import org.the_jk.cleversync.io.Link
+import org.the_jk.cleversync.io.sftp.NativeSftp
 import org.the_jk.cleversync.io.sftp.SftpCredentials
+import org.the_jk.cleversync.io.sftp.SftpHostsStorage
 import java.io.File
 import java.nio.charset.StandardCharsets
 import java.nio.file.Files
@@ -28,26 +31,17 @@ class SftpTreeTest : TreeAbstractTest() {
     @get:Rule
     val testName = TestName()
 
+    private lateinit var hostsStorage: SftpHostsStorage
+
     @Before
     fun setUpTest() {
         assertThat(shareDir.listFiles()).isEmpty()
 
-        val credentials: SftpCredentials
-        // Test both password and key authentication
-        // "Stable" as it depends on the hashCode of the test method name
-        if (testName.methodName.hashCode() % 2 == 0) {
-            credentials =
-                SftpCredentials.SftpPasswordCredentials("user", "notverysecret")
-        } else {
-            val private = File(dockerDir, "user_private.pem")
-            credentials = SftpCredentials.SftpKeyCredentials(
-                "user",
-                private.readBytes(),
-                "notsecret",
-            )
-        }
+        val credentials = getCredentials()
 
-        tree = SftpTreeFactory.modifiableTree(uri, credentials).getOrThrow()
+        hostsStorage = SftpHostsStorage(ApplicationProvider.getApplicationContext())
+
+        tree = SftpTreeFactory.modifiableTree(uri, credentials, hostsStorage).getOrThrow()
     }
 
     @After
@@ -143,12 +137,48 @@ class SftpTreeTest : TreeAbstractTest() {
         assertThat(File(shareDir, "foo").isDirectory).isTrue()
     }
 
+    @Test
+    fun matchFingerprint() {
+        assertThat(hostsStorage.size()).isEqualTo(1)
+
+        val credentials = getCredentials()
+        // Connect again, this time with a cached fingerprint
+        SftpTreeFactory.tree(uri, credentials, hostsStorage).getOrThrow()
+
+        assertThat(hostsStorage.size()).isEqualTo(1)
+    }
+
+    @Test
+    fun wrongFingerprint() {
+        val actualUri = Uri.parse(uri)
+        hostsStorage.put(actualUri.host!!, actualUri.port, NativeSftp.Fingerprint(ByteArray(0)))
+
+        val credentials = getCredentials()
+        assertThat(SftpTreeFactory.tree(uri, credentials, hostsStorage)
+            .exceptionOrNull()?.message).isEqualTo("[fingerprint mismatch]")
+    }
+
     override fun supportSymlinks() = true
 
     override fun idle() {
         ShadowLooper.idleMainLooper(10, TimeUnit.SECONDS)
     }
 
+    private fun getCredentials(): SftpCredentials {
+        // Test both password and key authentication
+        // "Stable" as it depends on the hashCode of the test method name
+        return if (testName.methodName.hashCode() % 2 == 0) {
+            SftpCredentials.SftpPasswordCredentials("user", "notverysecret")
+        } else {
+            val private = File(dockerDir, "user_private.pem")
+            SftpCredentials.SftpKeyCredentials(
+                "user",
+                private.readBytes(),
+                "notsecret",
+            )
+        }
+    }
+
     companion object {
         private lateinit var uri: String
         private lateinit var dockerDir: File