test: cover SSH_AUTH_SOCK override soft-validation via Util helper (#1469)

annejan · claude · web-flow · commit ef67e0ef6c14 · 2026-05-13T12:23:59.000+02:00
The Settings dialog warning logic added in #1439 (configdialog.cpp on_accepted) had no unit tests. Extract the validation rules into a pure helper so they're testable without a Qt event loop or QMessageBox spy. Production change (mechanical, no semantic diff): - New Util::sshAuthSockOverrideStatus(QString) returning an enum: Valid / DoesNotExist / NotReadable / NotUnixDomainSocket. Same three checks as before (exists, readable, S_ISSOCK on Unix), now reusable and unit-testable. - ConfigDialog::on_accepted switches the three inline if/else branches to a switch over the enum. Translation strings stay in ConfigDialog (Util has no tr() callers). - Dropped now-unused #include <QFileInfo> and #include <sys/stat.h> from configdialog.cpp. Tests (tst_util.cpp): - sshAuthSockOverrideStatusDoesNotExist — non-existent path - sshAuthSockOverrideStatusRegularFileRejected — regular file (Unix) - sshAuthSockOverrideStatusNotReadable — chmod 0 (Unix; skipped under root since euid 0 ignores mode bits) - sshAuthSockOverrideStatusValid — bind(2) a real Unix domain socket and assert Valid POSIX socket(2)/bind(2) instead of QLocalServer to avoid pulling QtNetwork into the util test target. Unix-only tests SKIP on Windows where the production code also skips the socket check (ssh-agent uses a named pipe there). Build clean, 124/124 util tests pass (was 120, +4). Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
diff --git a/src/configdialog.cpp b/src/configdialog.cpp
@@ -11,7 +11,6 @@
 #include <QClipboard>
 #include <QDir>
 #include <QFileDialog>
-#include <QFileInfo>
 #include <QMessageBox>
 #include <QPushButton>
 #include <QSystemTrayIcon>
@@ -21,10 +20,6 @@
 #include <windows.h>
 #endif
 
-#ifdef Q_OS_UNIX
-#include <sys/stat.h>
-#endif
-
 #ifdef QT_DEBUG
 #include "debughelper.h"
 #endif
@@ -258,21 +253,19 @@ void ConfigDialog::on_accepted() {
   const QString sshAuthSockOverride = ui->sshAuthSockOverride->text().trimmed();
   if (!sshAuthSockOverride.isEmpty()) {
     QString reason;
-    QFileInfo fi(sshAuthSockOverride);
-    if (!fi.exists()) {
+    switch (Util::sshAuthSockOverrideStatus(sshAuthSockOverride)) {
+    case Util::SshAuthSockOverrideStatus::Valid:
+      break;
+    case Util::SshAuthSockOverrideStatus::DoesNotExist:
       reason = tr("The path does not exist.");
-    } else if (!fi.isReadable()) {
+      break;
+    case Util::SshAuthSockOverrideStatus::NotReadable:
       reason = tr("The path is not readable.");
+      break;
+    case Util::SshAuthSockOverrideStatus::NotUnixDomainSocket:
+      reason = tr("The path is not a Unix domain socket.");
+      break;
     }
-#ifdef Q_OS_UNIX
-    if (reason.isEmpty()) {
-      struct stat st;
-      if (::stat(sshAuthSockOverride.toLocal8Bit().constData(), &st) != 0 ||
-          !S_ISSOCK(st.st_mode)) {
-        reason = tr("The path is not a Unix domain socket.");
-      }
-    }
-#endif
     if (!reason.isEmpty()) {
       QMessageBox::warning(
           this, tr("Potentially invalid SSH_AUTH_SOCK override"),
diff --git a/src/util.cpp b/src/util.cpp
@@ -27,6 +27,7 @@
 #ifdef Q_OS_WIN
 #include <windows.h>
 #else
+#include <sys/stat.h>
 #include <sys/time.h>
 #endif
 #include "qtpasssettings.h"
@@ -285,6 +286,29 @@ auto Util::isPathInStore(const QString &storeRoot, const QString &candidate)
          resolved.startsWith(rootCanon + QLatin1Char('/'));
 }
 
+auto Util::sshAuthSockOverrideStatus(const QString &path)
+    -> SshAuthSockOverrideStatus {
+  const QFileInfo fi(path);
+  if (!fi.exists()) {
+    return SshAuthSockOverrideStatus::DoesNotExist;
+  }
+  if (!fi.isReadable()) {
+    return SshAuthSockOverrideStatus::NotReadable;
+  }
+#ifdef Q_OS_UNIX
+  // S_ISSOCK isn't exposed by QFileInfo; go through stat(2). On Windows
+  // ssh-agent uses a named pipe (\\.\pipe\openssh-ssh-agent.<sid>) and the
+  // socket check would always fail, so skip it there — exists + readable is
+  // the best we can do.
+  struct stat st{};
+  if (::stat(path.toLocal8Bit().constData(), &st) != 0 ||
+      !S_ISSOCK(st.st_mode)) {
+    return SshAuthSockOverrideStatus::NotUnixDomainSocket;
+  }
+#endif
+  return SshAuthSockOverrideStatus::Valid;
+}
+
 /**
  * @brief Finds the absolute path of a binary by searching the PATH environment
  * variable.
diff --git a/src/util.h b/src/util.h
@@ -19,6 +19,34 @@ class StoreModel;
  */
 class Util {
 public:
+  /**
+   * @brief Classify a non-empty SSH_AUTH_SOCK override path supplied by the
+   *        user.
+   *
+   * Empty / unset input is handled by the caller (no warning when the field
+   * is blank). For a non-empty path, this returns one of:
+   *
+   * - `Valid` — exists, readable, and on Unix is a Unix domain socket.
+   * - `DoesNotExist` — `QFileInfo::exists()` returned false.
+   * - `NotReadable` — exists but `QFileInfo::isReadable()` returned false.
+   * - `NotUnixDomainSocket` — Unix-only: `stat()` says it's not `S_ISSOCK`.
+   *
+   * On Windows the socket check is skipped — ssh-agent uses a named pipe.
+   */
+  enum class SshAuthSockOverrideStatus {
+    Valid,
+    DoesNotExist,
+    NotReadable,
+    NotUnixDomainSocket,
+  };
+  /**
+   * @brief Validate an SSH_AUTH_SOCK override path. Caller is expected to
+   *        skip validation when the input is empty / whitespace-only.
+   * @param path Non-empty candidate path.
+   * @return Classification per SshAuthSockOverrideStatus.
+   */
+  static auto sshAuthSockOverrideStatus(const QString &path)
+      -> SshAuthSockOverrideStatus;
   /**
    * @brief Locate an executable by searching the process PATH and (on Windows)
    * falling back to WSL.
diff --git a/tests/auto/util/tst_util.cpp b/tests/auto/util/tst_util.cpp
@@ -11,7 +11,12 @@
 #include <QUuid>
 #include <QtTest>
 #ifndef Q_OS_WIN
+#include <sys/socket.h>
 #include <sys/stat.h>
+#include <sys/un.h>
+#include <unistd.h>
+
+#include <cstring>
 #endif
 
 #include "../../../src/enums.h"
@@ -226,6 +231,11 @@ private Q_SLOTS:
   void isPathInStoreRejectsEmptyArgs();
   // .gpg-id permission hardening (security)
   void writeGpgIdFileSetsOwnerOnlyPerms();
+  // SSH_AUTH_SOCK override soft-validation (Settings dialog warning)
+  void sshAuthSockOverrideStatusDoesNotExist();
+  void sshAuthSockOverrideStatusRegularFileRejected();
+  void sshAuthSockOverrideStatusNotReadable();
+  void sshAuthSockOverrideStatusValid();
 };
 
 /**
@@ -2327,5 +2337,115 @@ void tst_util::writeGpgIdFileSetsOwnerOnlyPerms() {
 #endif
 }
 
+// ---------------------------------------------------------------------------
+// Util::sshAuthSockOverrideStatus tests
+//
+// Backs the Settings dialog soft-warning logic added in #1439. The dialog
+// shows a non-blocking warning when the user-typed override path is bogus
+// (missing, unreadable, or not a Unix domain socket) but still saves the
+// value as entered. These tests drive the pure validation function directly
+// so we don't need a Qt event loop / QMessageBox spy.
+// ---------------------------------------------------------------------------
+
+/**
+ * @brief A non-existent path is classified DoesNotExist.
+ */
+void tst_util::sshAuthSockOverrideStatusDoesNotExist() {
+  QTemporaryDir tmp;
+  QVERIFY2(tmp.isValid(), "tmp dir should be valid");
+  QCOMPARE(Util::sshAuthSockOverrideStatus(tmp.path() + "/no-such-socket"),
+           Util::SshAuthSockOverrideStatus::DoesNotExist);
+}
+
+/**
+ * @brief A regular file that exists but isn't a Unix domain socket is
+ *        rejected on Unix. Skipped on Windows where the socket check is a
+ *        no-op (ssh-agent uses a named pipe there).
+ */
+void tst_util::sshAuthSockOverrideStatusRegularFileRejected() {
+#ifdef Q_OS_WIN
+  QSKIP("socket-type check is Unix-only");
+#else
+  QTemporaryDir tmp;
+  QVERIFY2(tmp.isValid(), "tmp dir should be valid");
+  const QString filePath = tmp.path() + "/regular-file";
+  QFile f(filePath);
+  QVERIFY2(f.open(QIODevice::WriteOnly), "should be able to create a file");
+  f.close();
+  QCOMPARE(Util::sshAuthSockOverrideStatus(filePath),
+           Util::SshAuthSockOverrideStatus::NotUnixDomainSocket);
+#endif
+}
+
+/**
+ * @brief A file that exists but has no read permission is classified
+ *        NotReadable. Skipped on Windows because Qt's permission bits
+ *        don't round-trip the same way.
+ */
+void tst_util::sshAuthSockOverrideStatusNotReadable() {
+#ifdef Q_OS_WIN
+  QSKIP("Unix permission bits don't round-trip on Windows");
+#else
+  // Root user on Linux ignores read-mode bits, so the test would
+  // falsely return Valid. Skip in that case.
+  if (::geteuid() == 0) {
+    QSKIP("root sees all files as readable; skip");
+  }
+  QTemporaryDir tmp;
+  QVERIFY2(tmp.isValid(), "tmp dir should be valid");
+  const QString filePath = tmp.path() + "/unreadable";
+  QFile f(filePath);
+  QVERIFY2(f.open(QIODevice::WriteOnly), "should be able to create a file");
+  f.close();
+  QVERIFY2(QFile::setPermissions(filePath, QFile::Permissions{}),
+           "should be able to chmod 0 on the file");
+  QCOMPARE(Util::sshAuthSockOverrideStatus(filePath),
+           Util::SshAuthSockOverrideStatus::NotReadable);
+  // Restore something so QTemporaryDir can clean up.
+  QFile::setPermissions(filePath, QFile::ReadOwner | QFile::WriteOwner);
+#endif
+}
+
+/**
+ * @brief A real Unix domain socket (bind(2)) is classified Valid.
+ *        Unix-only.
+ */
+void tst_util::sshAuthSockOverrideStatusValid() {
+#ifdef Q_OS_WIN
+  QSKIP("socket creation API differs on Windows");
+#else
+  QTemporaryDir tmp;
+  QVERIFY2(tmp.isValid(), "tmp dir should be valid");
+  const QString sockPath = tmp.path() + "/agent.sock";
+  const QByteArray sockBytes = sockPath.toLocal8Bit();
+
+  // sun_path is typically 108 bytes on Linux; QTemporaryDir gives us a
+  // short /tmp/qttest_XXXXXX prefix, so this should fit easily.
+  QVERIFY2(sockBytes.size() < static_cast<int>(sizeof(sockaddr_un{}.sun_path)),
+           "socket path too long for sockaddr_un");
+
+  const int fd = ::socket(AF_UNIX, SOCK_STREAM, 0);
+  QVERIFY2(fd >= 0, "socket(AF_UNIX) failed");
+
+  sockaddr_un addr{};
+  addr.sun_family = AF_UNIX;
+  std::memcpy(addr.sun_path, sockBytes.constData(),
+              static_cast<size_t>(sockBytes.size()));
+
+  const int br = ::bind(fd, reinterpret_cast<sockaddr *>(&addr), sizeof(addr));
+  if (br != 0) {
+    ::close(fd);
+    QFAIL("bind(AF_UNIX) failed");
+  }
+
+  QCOMPARE(Util::sshAuthSockOverrideStatus(sockPath),
+           Util::SshAuthSockOverrideStatus::Valid);
+
+  ::close(fd);
+  // QTemporaryDir will rm -rf the directory on destruction, removing the
+  // socket file along with it.
+#endif
+}
+
 QTEST_MAIN(tst_util)
 #include "tst_util.moc"
