From 06ef24b8e15a8c27433c639846d88d11835209ec Mon Sep 17 00:00:00 2001
From: Daniel Dehennin <daniel.dehennin@baby-gnu.org>
Date: Tue, 21 Jul 2020 10:52:03 +0200
Subject: [PATCH] test(config_spec): verify /etc/ssh/ssh_known_hosts

---
 test/integration/default/controls/config_spec.rb | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/test/integration/default/controls/config_spec.rb b/test/integration/default/controls/config_spec.rb
index 283c059..5a9ac25 100644
--- a/test/integration/default/controls/config_spec.rb
+++ b/test/integration/default/controls/config_spec.rb
@@ -9,6 +9,11 @@ root_group =
     'root'
   end
 
+github_known_host = 'github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGm[...]'
+gitlab_known_host_re = /gitlab.com,[0-9a-f.:,]* ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABA/
+minion_rsa_known_host = 'minion.id,alias.of.minion.id ssh-rsa [...]'
+minion_ed25519_known_host = 'minion.id,alias.of.minion.id ssh-ed25519 [...]'
+
 control 'openssh configuration' do
   title 'should match desired lines'
 
@@ -35,4 +40,15 @@ control 'openssh configuration' do
     its('content') { should include '    HashKnownHosts yes' }
     its('content') { should include '    SendEnv LANG LC_*' }
   end
+
+  describe file('/etc/ssh/ssh_known_hosts') do
+    it { should be_file }
+    its('mode') { should cmp '0644' }
+    it { should be_owned_by 'root' }
+    it { should be_grouped_into 'root' }
+    its('content') { should include github_known_host }
+    its('content') { should match(gitlab_known_host_re) }
+    its('content') { should include minion_rsa_known_host }
+    its('content') { should include minion_ed25519_known_host }
+  end
 end