the-bastion/tests/unit/run.pl

#! /usr/bin/env perl
# vim: set filetype=perl ts=4 sw=4 sts=4 et:
use common::sense;
use Test::More;

use File::Basename;
use lib dirname(__FILE__) . '/../../lib/perl';
use OVH::Bastion;
use OVH::Result;
use JSON;

OVH::Bastion::enable_mocking();
OVH::Bastion::set_mock_data(
    {
        "accounts" => {
            "me" => {
                "uid"               => 99982,
                "gid"               => 99982,
                "personal_accesses" => [qw{ me@1.2.3.4 }],
                "legacy_accesses"   => [qw{ me@1.2.3.5 }],
                "guest_accesses"    => {
                    "group2" => [qw{ group1@9.9.9.9 }],
                }
            },
            "wildcard" => {
                "uid"               => 99981,
                "gid"               => 99981,
                "personal_accesses" => [qw{ 0.0.0.0/0 }],
            },
        },
        "groups" => {
            "group1" => {
                "members"  => [qw{ me }],
                "accesses" => [qw{ group1@0.0.0.0/0 }],
            },
            "group2" => {}
        },
    }
);
OVH::Bastion::load_configuration(
    mock_data => {
        ingressToEgressRules => [
            [["10.19.0.0/16", "10.15.15.0/24"], ["10.20.0.0/16"], "ALLOW-EXCLUSIVE"],
            [["192.168.42.0/24"], ["192.168.42.0/24"], "ALLOW"],
            [["192.168.0.0/16"],  ["192.168.0.0/16"],  "DENY"]
        ],
        bastionName => "mock",

        # all options below are bool, we'll test for their normalization
        enableSyslog           => 1,
        enableGlobalAccessLog  => JSON::true,
        enableAccountAccessLog => "yes",
        enableGlobalSqlLog     => 0,
        enableAccountSqlLog    => JSON::false,
        displayLastLogin       => "",
        debug                  => JSON::null,
        passwordAllowed        => "no",
        telnetAllowed          => "false",
    }
);

# TESTS

is(OVH::Bastion::config("bastionName")->value, "mock", "bastion name is mocked");

ok(OVH::Bastion::is_account_valid(account => "azerty")->is_ok, "is_account_valid('azerty')");

is(OVH::Bastion::is_account_valid(account => "in valid")->err, "KO_FORBIDDEN_CHARS", "is_account_valid('in valid')");

is(OVH::Bastion::is_account_valid(account => "root")->err, "KO_FORBIDDEN_NAME", "is_account_valid('root')");

ok(OVH::Bastion::is_bastion_account_valid_and_existing(account => "me")->is_ok, "is_bastion_account_valid_and_existing('me')");

is_deeply(
    OVH::Bastion::is_access_granted(account => "me", user => "remote", ipfrom => "1.2.3.4", ip => "5.6.7.8", port => "9876"),
    R('KO_ACCESS_DENIED', msg => 'Access denied for me to remote@5.6.7.8:9876'),
    "is_access_granted(me) on denied machine"
);

ok(OVH::Bastion::is_access_granted(account => "me", user => "me", ipfrom => "1.1.1.1", ip => "1.2.3.4", port => "9876")->is_ok, "is_access_granted(me) on allowed machine");

is(OVH::Bastion::is_access_granted(account => "wildcard", user => "root", ipfrom => "10.15.15.15", ip => "1.2.3.4", port => "9876")->err,
    "KO_ACCESS_DENIED", "is_access_granted(wildcard) on disallowed machine due to ingressToEgressRules #1");

is(OVH::Bastion::is_access_granted(account => "wildcard", user => "root", ipfrom => "10.19.1.2", ip => "1.2.3.4", port => "9876")->err,
    "KO_ACCESS_DENIED", "is_access_granted(wildcard) on disallowed machine due to ingressToEgressRules #1");

ok(OVH::Bastion::is_access_granted(account => "wildcard", user => "root", ipfrom => "10.19.1.2", ip => "10.20.1.2", port => "9876")->is_ok,
    "is_access_granted(wildcard) on allowed machine due to ingressToEgressRules #1");

ok(OVH::Bastion::is_access_granted(account => "wildcard", user => "root", ipfrom => "192.168.42.1", ip => "192.168.42.4", port => "9876")->is_ok,
    "is_access_granted(wildcard) on allowed machine due to ingressToEgressRules #2");

ok(OVH::Bastion::is_access_granted(account => "wildcard", user => "root", ipfrom => "192.168.42.1", ip => "5.6.7.8", port => "9876")->is_ok,
    "is_access_granted(wildcard) on allowed machine due to ingressToEgressRules #2");

is(OVH::Bastion::is_access_granted(account => "wildcard", user => "root", ipfrom => "192.168.43.1", ip => "192.168.42.4", port => "9876")->err,
    "KO_ACCESS_DENIED", "is_access_granted(wildcard) on disallowed machine due to ingressToEgressRules #3");

ok(OVH::Bastion::is_access_granted(account => "wildcard", user => "root", ipfrom => "192.168.43.1", ip => "5.6.7.8", port => "9876")->is_ok,
    "is_access_granted(wildcard) on allowed machine due to ingressToEgressRules catch-all");

# check that "bool" type options are correctly normalized
is(OVH::Bastion::config("enableSyslog")->value,             1, "config bool(1)");
is(OVH::Bastion::config("enableGlobalAccessLog")->value,    1, "config bool(true)");
is(OVH::Bastion::config("enableAccountAccessLog")->value,   1, "config bool(\"yes\")");
is(OVH::Bastion::config("enableGlobalSqlLog")->value,       0, "config bool(0)");
is(OVH::Bastion::config("enableAccountSqlLog")->value,      0, "config bool(false)");
is(OVH::Bastion::config("displayLastLogin")->value,         0, "config bool(\"\")");
is(OVH::Bastion::config("interactiveModeByDefault")->value, 1, "config bool(missing, default true)");
is(OVH::Bastion::config("interactiveModeAllowed")->value,   0, "config bool(missing, default false)");
is(OVH::Bastion::config("debug")->value,                    0, "config bool(null)");
is(OVH::Bastion::config("passwordAllowed")->value,          0, "config bool(\"no\")");
is(OVH::Bastion::config("telnetAllowed")->value,            0, "config bool(\"false\")");

is(
    OVH::Bastion::plugin_config(
        plugin    => "help",
        key       => "disabled",
        mock_data => {disabled => JSON::true}
    )->value ? 1 : 0,
    1,
    "is_plugin_disabled(disabled=true)"
);
is(
    OVH::Bastion::plugin_config(
        plugin    => "help",
        key       => "disabled",
        mock_data => {disabled => JSON::false}
    )->value ? 1 : 0,
    0,
    "is_plugin_disabled(disabled=false)"
);
is(
    OVH::Bastion::plugin_config(
        plugin    => "help",
        key       => "disabled",
        mock_data => {disabled => JSON::null}
    )->value ? 1 : 0,
    0,
    "is_plugin_disabled(disabled=null)"
);
is(
    OVH::Bastion::plugin_config(
        plugin    => "help",
        key       => "disabled",
        mock_data => {disabled => "yes"}
    )->value ? 1 : 0,
    1,
    "is_plugin_disabled(disabled=\"yes\")"
);
is(
    OVH::Bastion::plugin_config(
        plugin    => "help",
        key       => "disabled",
        mock_data => {disabled => "no"}
    )->value ? 1 : 0,
    0,
    "is_plugin_disabled(disabled=\"no\")"
);
is(
    OVH::Bastion::plugin_config(
        plugin    => "help",
        key       => "disabled",
        mock_data => {disabled => "true"}
    )->value ? 1 : 0,
    1,
    "is_plugin_disabled(disabled=\"true\")"
);
is(
    OVH::Bastion::plugin_config(
        plugin    => "help",
        key       => "disabled",
        mock_data => {disabled => "false"}
    )->value ? 1 : 0,
    0,
    "is_plugin_disabled(disabled=\"false\")"
);
is(
    OVH::Bastion::plugin_config(
        plugin    => "help",
        key       => "disabled",
        mock_data => {disabled => ""}
    )->value ? 1 : 0,
    0,
    "is_plugin_disabled(disabled=\"\")"
);
is(
    OVH::Bastion::plugin_config(
        plugin    => "help",
        key       => "disabled",
        mock_data => {disabled => "0"}
    )->value ? 1 : 0,
    0,
    "is_plugin_disabled(disabled=\"0\")"
);
is(
    OVH::Bastion::plugin_config(
        plugin    => "help",
        key       => "disabled",
        mock_data => {disabled => "1"}
    )->value ? 1 : 0,
    1,
    "is_plugin_disabled(disabled=\"1\")"
);
is(
    OVH::Bastion::plugin_config(
        plugin    => "help",
        key       => "disabled",
        mock_data => {disabled => 0}
    )->value ? 1 : 0,
    0,
    "is_plugin_disabled(disabled=0)"
);
is(
    OVH::Bastion::plugin_config(
        plugin    => "help",
        key       => "disabled",
        mock_data => {disabled => 1}
    )->value ? 1 : 0,
    1,
    "is_plugin_disabled(disabled=1)"
);
is(
    OVH::Bastion::plugin_config(
        plugin    => "help",
        key       => "disabled",
        mock_data => {}
    )->value ? 1 : 0,
    0,
    "is_plugin_disabled()"
);

done_testing();
Initial commit 2020-10-16 00:32:37 +08:00			`#! /usr/bin/env perl`
			`# vim: set filetype=perl ts=4 sw=4 sts=4 et:`
			`use common::sense;`
			`use Test::More;`

			`use File::Basename;`
			`use lib dirname(__FILE__) . '/../../lib/perl';`
			`use OVH::Bastion;`
			`use OVH::Result;`
enh: config: better parsing and normalization We now warn (to syslog) for invalid values where we have to fallback to defaults, and for boolean options, actual true/false JSON values are now properly recognized. 0 and 1 will still always be parsed correctly, to not break compatibility. 2020-12-14 20:55:42 +08:00			`use JSON;`
Initial commit 2020-10-16 00:32:37 +08:00
			`OVH::Bastion::enable_mocking();`
			`OVH::Bastion::set_mock_data(`
			`{`
			`"accounts" => {`
			`"me" => {`
			`"uid" => 99982,`
			`"gid" => 99982,`
			`"personal_accesses" => [qw{ me@1.2.3.4 }],`
			`"legacy_accesses" => [qw{ me@1.2.3.5 }],`
			`"guest_accesses" => {`
			`"group2" => [qw{ group1@9.9.9.9 }],`
			`}`
			`},`
			`"wildcard" => {`
			`"uid" => 99981,`
			`"gid" => 99981,`
			`"personal_accesses" => [qw{ 0.0.0.0/0 }],`
			`},`
			`},`
			`"groups" => {`
			`"group1" => {`
			`"members" => [qw{ me }],`
			`"accesses" => [qw{ group1@0.0.0.0/0 }],`
			`},`
			`"group2" => {}`
			`},`
			`}`
			`);`
			`OVH::Bastion::load_configuration(`
			`mock_data => {`
			`ingressToEgressRules => [`
			`[["10.19.0.0/16", "10.15.15.0/24"], ["10.20.0.0/16"], "ALLOW-EXCLUSIVE"],`
			`[["192.168.42.0/24"], ["192.168.42.0/24"], "ALLOW"],`
			`[["192.168.0.0/16"], ["192.168.0.0/16"], "DENY"]`
			`],`
			`bastionName => "mock",`
enh: config: better parsing and normalization We now warn (to syslog) for invalid values where we have to fallback to defaults, and for boolean options, actual true/false JSON values are now properly recognized. 0 and 1 will still always be parsed correctly, to not break compatibility. 2020-12-14 20:55:42 +08:00
			`# all options below are bool, we'll test for their normalization`
			`enableSyslog => 1,`
chore: fixes after review 2020-12-17 21:39:23 +08:00			`enableGlobalAccessLog => JSON::true,`
enh: config: better parsing and normalization We now warn (to syslog) for invalid values where we have to fallback to defaults, and for boolean options, actual true/false JSON values are now properly recognized. 0 and 1 will still always be parsed correctly, to not break compatibility. 2020-12-14 20:55:42 +08:00			`enableAccountAccessLog => "yes",`
			`enableGlobalSqlLog => 0,`
chore: fixes after review 2020-12-17 21:39:23 +08:00			`enableAccountSqlLog => JSON::false,`
enh: config: better parsing and normalization We now warn (to syslog) for invalid values where we have to fallback to defaults, and for boolean options, actual true/false JSON values are now properly recognized. 0 and 1 will still always be parsed correctly, to not break compatibility. 2020-12-14 20:55:42 +08:00			`displayLastLogin => "",`
chore: fixes after review 2020-12-17 21:39:23 +08:00			`debug => JSON::null,`
enh: config: better parsing and normalization We now warn (to syslog) for invalid values where we have to fallback to defaults, and for boolean options, actual true/false JSON values are now properly recognized. 0 and 1 will still always be parsed correctly, to not break compatibility. 2020-12-14 20:55:42 +08:00			`passwordAllowed => "no",`
			`telnetAllowed => "false",`
Initial commit 2020-10-16 00:32:37 +08:00			`}`
			`);`

			`# TESTS`

			`is(OVH::Bastion::config("bastionName")->value, "mock", "bastion name is mocked");`

			`ok(OVH::Bastion::is_account_valid(account => "azerty")->is_ok, "is_account_valid('azerty')");`

			`is(OVH::Bastion::is_account_valid(account => "in valid")->err, "KO_FORBIDDEN_CHARS", "is_account_valid('in valid')");`

			`is(OVH::Bastion::is_account_valid(account => "root")->err, "KO_FORBIDDEN_NAME", "is_account_valid('root')");`

			`ok(OVH::Bastion::is_bastion_account_valid_and_existing(account => "me")->is_ok, "is_bastion_account_valid_and_existing('me')");`

			`is_deeply(`
			`OVH::Bastion::is_access_granted(account => "me", user => "remote", ipfrom => "1.2.3.4", ip => "5.6.7.8", port => "9876"),`
			`R('KO_ACCESS_DENIED', msg => 'Access denied for me to remote@5.6.7.8:9876'),`
			`"is_access_granted(me) on denied machine"`
			`);`

			`ok(OVH::Bastion::is_access_granted(account => "me", user => "me", ipfrom => "1.1.1.1", ip => "1.2.3.4", port => "9876")->is_ok, "is_access_granted(me) on allowed machine");`

			`is(OVH::Bastion::is_access_granted(account => "wildcard", user => "root", ipfrom => "10.15.15.15", ip => "1.2.3.4", port => "9876")->err,`
			`"KO_ACCESS_DENIED", "is_access_granted(wildcard) on disallowed machine due to ingressToEgressRules #1");`

			`is(OVH::Bastion::is_access_granted(account => "wildcard", user => "root", ipfrom => "10.19.1.2", ip => "1.2.3.4", port => "9876")->err,`
			`"KO_ACCESS_DENIED", "is_access_granted(wildcard) on disallowed machine due to ingressToEgressRules #1");`

			`ok(OVH::Bastion::is_access_granted(account => "wildcard", user => "root", ipfrom => "10.19.1.2", ip => "10.20.1.2", port => "9876")->is_ok,`
			`"is_access_granted(wildcard) on allowed machine due to ingressToEgressRules #1");`

			`ok(OVH::Bastion::is_access_granted(account => "wildcard", user => "root", ipfrom => "192.168.42.1", ip => "192.168.42.4", port => "9876")->is_ok,`
			`"is_access_granted(wildcard) on allowed machine due to ingressToEgressRules #2");`

			`ok(OVH::Bastion::is_access_granted(account => "wildcard", user => "root", ipfrom => "192.168.42.1", ip => "5.6.7.8", port => "9876")->is_ok,`
			`"is_access_granted(wildcard) on allowed machine due to ingressToEgressRules #2");`

			`is(OVH::Bastion::is_access_granted(account => "wildcard", user => "root", ipfrom => "192.168.43.1", ip => "192.168.42.4", port => "9876")->err,`
			`"KO_ACCESS_DENIED", "is_access_granted(wildcard) on disallowed machine due to ingressToEgressRules #3");`

			`ok(OVH::Bastion::is_access_granted(account => "wildcard", user => "root", ipfrom => "192.168.43.1", ip => "5.6.7.8", port => "9876")->is_ok,`
			`"is_access_granted(wildcard) on allowed machine due to ingressToEgressRules catch-all");`

enh: config: better parsing and normalization We now warn (to syslog) for invalid values where we have to fallback to defaults, and for boolean options, actual true/false JSON values are now properly recognized. 0 and 1 will still always be parsed correctly, to not break compatibility. 2020-12-14 20:55:42 +08:00			`# check that "bool" type options are correctly normalized`
			`is(OVH::Bastion::config("enableSyslog")->value, 1, "config bool(1)");`
			`is(OVH::Bastion::config("enableGlobalAccessLog")->value, 1, "config bool(true)");`
			`is(OVH::Bastion::config("enableAccountAccessLog")->value, 1, "config bool(\"yes\")");`
			`is(OVH::Bastion::config("enableGlobalSqlLog")->value, 0, "config bool(0)");`
			`is(OVH::Bastion::config("enableAccountSqlLog")->value, 0, "config bool(false)");`
			`is(OVH::Bastion::config("displayLastLogin")->value, 0, "config bool(\"\")");`
			`is(OVH::Bastion::config("interactiveModeByDefault")->value, 1, "config bool(missing, default true)");`
			`is(OVH::Bastion::config("interactiveModeAllowed")->value, 0, "config bool(missing, default false)");`
			`is(OVH::Bastion::config("debug")->value, 0, "config bool(null)");`
			`is(OVH::Bastion::config("passwordAllowed")->value, 0, "config bool(\"no\")");`
			`is(OVH::Bastion::config("telnetAllowed")->value, 0, "config bool(\"false\")");`

			`is(`
			`OVH::Bastion::plugin_config(`
			`plugin => "help",`
			`key => "disabled",`
chore: fixes after review 2020-12-17 21:39:23 +08:00			`mock_data => {disabled => JSON::true}`
enh: config: better parsing and normalization We now warn (to syslog) for invalid values where we have to fallback to defaults, and for boolean options, actual true/false JSON values are now properly recognized. 0 and 1 will still always be parsed correctly, to not break compatibility. 2020-12-14 20:55:42 +08:00			`)->value ? 1 : 0,`
			`1,`
			`"is_plugin_disabled(disabled=true)"`
			`);`
			`is(`
			`OVH::Bastion::plugin_config(`
			`plugin => "help",`
			`key => "disabled",`
chore: fixes after review 2020-12-17 21:39:23 +08:00			`mock_data => {disabled => JSON::false}`
enh: config: better parsing and normalization We now warn (to syslog) for invalid values where we have to fallback to defaults, and for boolean options, actual true/false JSON values are now properly recognized. 0 and 1 will still always be parsed correctly, to not break compatibility. 2020-12-14 20:55:42 +08:00			`)->value ? 1 : 0,`
			`0,`
			`"is_plugin_disabled(disabled=false)"`
			`);`
			`is(`
			`OVH::Bastion::plugin_config(`
			`plugin => "help",`
			`key => "disabled",`
chore: fixes after review 2020-12-17 21:39:23 +08:00			`mock_data => {disabled => JSON::null}`
enh: config: better parsing and normalization We now warn (to syslog) for invalid values where we have to fallback to defaults, and for boolean options, actual true/false JSON values are now properly recognized. 0 and 1 will still always be parsed correctly, to not break compatibility. 2020-12-14 20:55:42 +08:00			`)->value ? 1 : 0,`
			`0,`
			`"is_plugin_disabled(disabled=null)"`
			`);`
			`is(`
			`OVH::Bastion::plugin_config(`
			`plugin => "help",`
			`key => "disabled",`
			`mock_data => {disabled => "yes"}`
			`)->value ? 1 : 0,`
			`1,`
			`"is_plugin_disabled(disabled=\"yes\")"`
			`);`
			`is(`
			`OVH::Bastion::plugin_config(`
			`plugin => "help",`
			`key => "disabled",`
			`mock_data => {disabled => "no"}`
			`)->value ? 1 : 0,`
			`0,`
			`"is_plugin_disabled(disabled=\"no\")"`
			`);`
			`is(`
			`OVH::Bastion::plugin_config(`
			`plugin => "help",`
			`key => "disabled",`
			`mock_data => {disabled => "true"}`
			`)->value ? 1 : 0,`
			`1,`
			`"is_plugin_disabled(disabled=\"true\")"`
			`);`
			`is(`
			`OVH::Bastion::plugin_config(`
			`plugin => "help",`
			`key => "disabled",`
			`mock_data => {disabled => "false"}`
			`)->value ? 1 : 0,`
			`0,`
			`"is_plugin_disabled(disabled=\"false\")"`
			`);`
			`is(`
			`OVH::Bastion::plugin_config(`
			`plugin => "help",`
			`key => "disabled",`
			`mock_data => {disabled => ""}`
			`)->value ? 1 : 0,`
			`0,`
			`"is_plugin_disabled(disabled=\"\")"`
			`);`
			`is(`
			`OVH::Bastion::plugin_config(`
			`plugin => "help",`
			`key => "disabled",`
			`mock_data => {disabled => "0"}`
			`)->value ? 1 : 0,`
			`0,`
			`"is_plugin_disabled(disabled=\"0\")"`
			`);`
			`is(`
			`OVH::Bastion::plugin_config(`
			`plugin => "help",`
			`key => "disabled",`
			`mock_data => {disabled => "1"}`
			`)->value ? 1 : 0,`
			`1,`
			`"is_plugin_disabled(disabled=\"1\")"`
			`);`
			`is(`
			`OVH::Bastion::plugin_config(`
			`plugin => "help",`
			`key => "disabled",`
			`mock_data => {disabled => 0}`
			`)->value ? 1 : 0,`
			`0,`
			`"is_plugin_disabled(disabled=0)"`
			`);`
			`is(`
			`OVH::Bastion::plugin_config(`
			`plugin => "help",`
			`key => "disabled",`
			`mock_data => {disabled => 1}`
			`)->value ? 1 : 0,`
			`1,`
			`"is_plugin_disabled(disabled=1)"`
			`);`
			`is(`
			`OVH::Bastion::plugin_config(`
			`plugin => "help",`
			`key => "disabled",`
			`mock_data => {}`
			`)->value ? 1 : 0,`
			`0,`
			`"is_plugin_disabled()"`
			`);`

Initial commit 2020-10-16 00:32:37 +08:00			`done_testing();`