mirror of
https://github.com/ovh/the-bastion.git
synced 2025-01-10 09:23:52 +08:00
62 lines
2.4 KiB
Bash
62 lines
2.4 KiB
Bash
|
# vim: set filetype=sh ts=4 sw=4 sts=4 et:
|
||
|
# shellcheck shell=bash
|
||
|
# shellcheck disable=SC2086,SC2016,SC2046
|
||
|
# below: convoluted way that forces shellcheck to source our caller
|
||
|
# shellcheck source=tests/functional/launch_tests_on_instance.sh
|
||
|
. "$(dirname "${BASH_SOURCE[0]}")"/dummy
|
||
|
|
||
|
testsuite_strict_checking()
|
||
|
{
|
||
|
# test that strict host key checking with hostkey change is detected by the bastion and prints a help message
|
||
|
|
||
|
grant accountCreate
|
||
|
|
||
|
# first we need to create account1
|
||
|
success strict-checking a0_create_a1 $a0 --osh accountCreate --always-active --account $account1 --uid $uid1 --public-key "\"$(cat $account1key1file.pub)\""
|
||
|
json .error_code OK .command accountCreate .value null
|
||
|
|
||
|
revoke accountCreate
|
||
|
grant accountAddPersonalAccess
|
||
|
|
||
|
# add access to root@127.0.0.1 (there are no keys deployed, but we don't care, connection should fail early due to the hostkey change)
|
||
|
success strict-checking add_local_access $a0 --osh accountAddPersonalAccess --account $account1 --host 127.0.0.1 --port 22 --user root
|
||
|
json .command accountAddPersonalAccess .error_code OK
|
||
|
|
||
|
revoke accountAddPersonalAccess
|
||
|
|
||
|
# try to connect a first time, so that our bastion known_hosts is populated
|
||
|
run strict-checking connect_before $a1 root@127.0.0.1
|
||
|
retvalshouldbe 255
|
||
|
contain "Permanently added"
|
||
|
|
||
|
# change the remote hostkeys
|
||
|
success strict-checking change_host_keys $r0 "\"find /etc/ssh/ -type f -name 'ssh_host_*' -delete; ssh-keygen -A\""
|
||
|
|
||
|
# set bastion ssh_client config to StrictHostKeyChecking yes
|
||
|
sshclientconfigchg 's=StrictHostKeyChecking.*=StrictHostKeyChecking\\\\x20yes=g'
|
||
|
|
||
|
# forget our local hostkeys cache
|
||
|
#local a1home
|
||
|
#a1home=$(getent passwd "$account1" | cut -d: -f6)
|
||
|
#success strict-checking remove_local_host_keys_cache mv $a1home/.ssh/known_hosts $a1home/.ssh/known_hosts.bak
|
||
|
rm -f $HOME/.ssh/known_hosts
|
||
|
|
||
|
# now try to connect again
|
||
|
run strict-checking connect_after $a1 root@127.0.0.1
|
||
|
retvalshouldbe 255
|
||
|
contain NASTY
|
||
|
contain "strict checking"
|
||
|
contain "BASTION SAYS"
|
||
|
contain selfForgetHostKey
|
||
|
|
||
|
# delete account1
|
||
|
grant accountDelete
|
||
|
script strict-checking a0_delete_a1 $a0 --osh accountDelete --account $account1 "<<< \"Yes, do as I say and delete $account1, kthxbye\""
|
||
|
retvalshouldbe 0
|
||
|
json .command accountDelete .error_code OK
|
||
|
revoke accountDelete
|
||
|
}
|
||
|
|
||
|
testsuite_strict_checking
|
||
|
unset -f testsuite_strict_checking
|