5 files changed, 70 insertions, 10 deletions

diff --git a/pkg/test/auth_test.go b/pkg/test/auth_test.go
index dedafa8..1741d68 100644
--- a/pkg/test/auth_test.go
+++ b/pkg/test/auth_test.go
@@ -2,6 +2,8 @@ package test
 
 import (
 	"testing"
+	"fmt"
+	"os"
 )
 
 func TestAuthHook(t *testing.T) {
@@ -10,11 +12,69 @@ func TestAuthHook(t *testing.T) {
 
 	c := e.newInstance()
 
-	c.Exec("add name T listen,addr=-:0 auth aes dial,addr=@[tunnel.X.listen]")
-	c.Exec("add name X listen,addr=-:0 /aes /auth dial,addr=@[addr]")
+	var secrets string
 
-	c.Exec("set tunnel.X.secret secret")
-	c.Exec("set tunnel.T.secret secret")
+	f, err := os.CreateTemp("", "test-auth-")
+	if err != nil {
+		e.Fatalf("create temp: %v", err)
+	}
+
+	secrets = f.Name()
+
+	fmt.Fprintln(f, "T t")
+	fmt.Fprintln(f, "X x")
+	f.Close()
+
+	defer os.Remove(secrets)
+
+	c.Exec("add name T listen,addr=%%0 auth aes dial,addr=@[tunnel.X.listen]")
+	c.Exec("add name X listen,addr=%%0 /aes /auth dial,addr=@[addr]")
+
+	c.Exec("set authfile %s", secrets)
+	c.Exec("set tunnel.T.authuser T")
+	c.Exec("set tunnel.X.authuser X")
+
+	listen := e.Listen("tcp", "127.0.0.1:0")
+	c.Set("addr", listen.Addr())
+
+	out := e.Dial("tcp", c.Get("tunnel.T.listen"))
+	in := e.Accept(listen)
+
+	e.Write(out, dummy)
+
+	buf := make([]byte, len(dummy))
+	e.ReadFull(in, buf)
+
+	if r := string(buf); r != dummy {
+		e.Fatalf("wrong reply: send '%s', recv '%s'", dummy, r)
+	}
+}
+
+func TestAuthPassiveHook(t *testing.T) {
+	e := newEnv(t)
+	defer e.Free()
+
+	c := e.newInstance()
+
+	var secrets string
+
+	f, err := os.CreateTemp("", "test-auth-passive-")
+	if err != nil {
+		e.Fatalf("create temp: %v", err)
+	}
+
+	secrets = f.Name()
+
+	fmt.Fprintln(f, "T t")
+	f.Close()
+
+	defer os.Remove(secrets)
+
+	c.Exec("add name T listen,addr=%%0 auth aes dial,addr=@[tunnel.X.listen]")
+	c.Exec("add name X listen,addr=%%0 /aes /auth,passive dial,addr=@[addr]")
+
+	c.Exec("set authfile %s", secrets)
+	c.Exec("set tunnel.T.authuser T")
 
 	listen := e.Listen("tcp", "127.0.0.1:0")
 	c.Set("addr", listen.Addr())
diff --git a/pkg/test/defer_test.go b/pkg/test/defer_test.go
index 57854b2..3e51571 100644
--- a/pkg/test/defer_test.go
+++ b/pkg/test/defer_test.go
@@ -10,7 +10,7 @@ func TestDeferSocket(t *testing.T) {
 
 	c := e.newInstance()
 
-	c.Exec("add name T listen,addr=-:0 defer,addr=@[addr]")
+	c.Exec("add name T listen,addr=%%0 defer,addr=@[addr]")
 
 	out := e.Dial("tcp", c.Get("tunnel.T.listen"))
 
diff --git a/pkg/test/exec_test.go b/pkg/test/exec_test.go
index c8d61a0..028b206 100644
--- a/pkg/test/exec_test.go
+++ b/pkg/test/exec_test.go
@@ -12,7 +12,7 @@ func TestExec(t *testing.T) {
 
 	c := e.newInstance()
 
-	c.Exec("add name T listen,addr=-:0 upper exec,cmd=cat")
+	c.Exec("add name T listen,addr=%%0 upper exec,cmd=cat")
 
 	conn := e.Dial("tcp", c.Get("tunnel.T.listen"))
 
diff --git a/pkg/test/hook_test.go b/pkg/test/hook_test.go
index 7808883..8e4fa4d 100644
--- a/pkg/test/hook_test.go
+++ b/pkg/test/hook_test.go
@@ -13,7 +13,7 @@ func TestUpperHook(t *testing.T) {
 
 	c := e.newInstance()
 
-	c.Exec("add name T listen,addr=-:0 upper loop")
+	c.Exec("add name T listen,addr=%%0 upper loop")
 
 	conn := e.Dial("tcp", c.Get("tunnel.T.listen"))
 
@@ -33,7 +33,7 @@ func TestHexHook(t *testing.T) {
 
 	c := e.newInstance()
 
-	c.Exec("add name T listen,addr=-:0 hex dial,addr=@[addr]")
+	c.Exec("add name T listen,addr=%%0 hex dial,addr=@[addr]")
 
 	listen := e.Listen("tcp", "127.0.0.1:0")
 	c.Set("addr", listen.Addr())
diff --git a/pkg/test/proxy_test.go b/pkg/test/proxy_test.go
index ae89b0a..46782d2 100644
--- a/pkg/test/proxy_test.go
+++ b/pkg/test/proxy_test.go
@@ -10,8 +10,8 @@ func TestProxyHook(t *testing.T) {
 
 	c := e.newInstance()
 
-	c.Exec("add name C listen,addr=-:0 proxy,addr=@[addr] dial,addr=@[tunnel.S.listen]")
-	c.Exec("add name S listen,addr=-:0 proxy")
+	c.Exec("add name C listen,addr=%%0 proxy,addr=@[addr] dial,addr=@[tunnel.S.listen]")
+	c.Exec("add name S listen,addr=%%0 proxy")
 
 	c.Exec("set tunnel.S.proxy.auth user:password")
 	c.Exec("set tunnel.C.proxy.auth user:password")