mirror of
https://github.com/ovh/the-bastion.git
synced 2025-09-07 05:24:25 +08:00
Stéphane Lesimple
GitHub
commit
3031b6ff0c
8 changed files with 96 additions and 43 deletions
2
.github/workflows/tests.yml
vendored
2
.github/workflows/tests.yml
vendored
|
|
@ -20,7 +20,7 @@ jobs:
|
|||
name: Full
|
||||
strategy:
|
||||
matrix:
|
||||
platform: [centos7, centos8, debian10, debian8, debian9, opensuse150, opensuse151, opensuse152, ubuntu1404, ubuntu1604, ubuntu1804, ubuntu2004]
|
||||
platform: ['centos7@centos:7.7.1908', 'centos7@centos:7.8.2003', 'centos7@centos:7.9.2009', 'centos8@centos:8.1.1911', 'centos8@centos:8.2.2004', 'centos8@centos:8.3.2011', debian10, debian8, debian9, opensuse150, opensuse151, opensuse152, ubuntu1404, ubuntu1604, ubuntu1804, ubuntu2004]
|
||||
runs-on: ubuntu-latest
|
||||
if: contains(github.event.pull_request.labels.*.name, 'tests:full')
|
||||
steps:
|
||||
|
|
|
|||
|
|
@ -73,7 +73,7 @@ Also don't forget to customize your `bastion.conf` file, which can be found in `
|
|||
Linux distros below are tested with each release, but as this is a security product, you are **warmly** advised to run it on the latest up-to-date stable version of your favorite OS:
|
||||
|
||||
- Debian 10 (Buster), 9 (Stretch), 8 (Jessie)
|
||||
- RHEL/CentOS 8, 7
|
||||
- RHEL/CentOS 8.x (8.3.2011, 8.2.2004, 8.1.1911), 7.x (7.9.2009, 7.8.2003, 7.7.1908)
|
||||
- Ubuntu LTS 20.04, 18.04, 16.04, 14.04\*
|
||||
- OpenSUSE Leap 15.2\*, 15.1\*, 15.0\*
|
||||
|
||||
|
|
|
|||
|
|
@ -69,12 +69,12 @@ if echo "$DISTRO_LIKE" | grep -q -w debian; then
|
|||
install_cmd="apt-get install"
|
||||
elif echo "$DISTRO_LIKE" | grep -q -w rhel; then
|
||||
wanted_list="perl-JSON perl-Net-Netmask perl-Net-IP \
|
||||
perl-Net-DNS perl-DBD-SQLite perl-TermReadKey perl-DateTime \
|
||||
sudo fping xz sqlite binutils acl perl-TimeDate gnupg rsync \
|
||||
perl-Net-DNS perl-DBD-SQLite perl-TermReadKey \
|
||||
sudo fping xz sqlite binutils acl gnupg rsync \
|
||||
perl-JSON-XS inotify-tools lsof curl perl-Term-ReadLine-Gnu \
|
||||
perl-libwww-perl perl-Digest perl-Net-Server cryptsetup mosh \
|
||||
expect openssh-server nc bash perl-CGI perl(Test::More) passwd \
|
||||
cracklib-dicts perl-Time-Piece perl-Time-HiRes which \
|
||||
cracklib-dicts perl-Time-Piece perl-Time-HiRes diffutils \
|
||||
perl-Sys-Syslog pamtester google-authenticator qrencode-libs"
|
||||
if [ "$DISTRO_VERSION_MAJOR" = 7 ]; then
|
||||
wanted_list="$wanted_list fortune-mod coreutils"
|
||||
|
|
@ -102,14 +102,14 @@ elif echo "$DISTRO_LIKE" | grep -q -w rhel; then
|
|||
install_cmd="yum install"
|
||||
elif echo "$DISTRO_LIKE" | grep -q -w suse; then
|
||||
wanted_list="perl-common-sense perl-JSON perl-Net-Netmask perl-Net-IP \
|
||||
perl-Net-DNS perl-DBD-SQLite perl-TermReadKey perl-DateTime \
|
||||
perl-Net-DNS perl-DBD-SQLite perl-TermReadKey \
|
||||
fortune sudo fping \
|
||||
xz sqlite binutils acl perl-TimeDate gnupg rsync \
|
||||
xz sqlite binutils acl gnupg rsync \
|
||||
perl-JSON-XS inotify-tools lsof curl perl-TermReadLine-Gnu \
|
||||
perl-libwww-perl perl-Digest perl-IO-Socket-SSL \
|
||||
perl-Net-Server cryptsetup mosh expect openssh \
|
||||
coreutils netcat-openbsd bash perl-CGI iputils \
|
||||
perl-Time-HiRes which perl-Unix-Syslog hostname"
|
||||
perl-Time-HiRes perl-Unix-Syslog hostname"
|
||||
wanted_list="$wanted_list google-authenticator-libpam"
|
||||
# perl-GnuPG
|
||||
[ "$opt_syslogng" = 1 ] && wanted_list="$wanted_list syslog-ng"
|
||||
|
|
|
|||
|
|
@ -175,6 +175,26 @@ $fnret->err eq 'OK'
|
|||
# Building /home/$group
|
||||
OVH::Bastion::touch_file("/home/$group/allowed.ip");
|
||||
|
||||
osh_info("Adjusting permissions...");
|
||||
my $bigX = (OVH::Bastion::is_linux() ? 'X' : 'x');
|
||||
foreach my $command (
|
||||
['chown', '-R', "$group:$group", "/home/$group"],
|
||||
['chgrp', "$group-aclkeeper", "/home/$group/allowed.ip"],
|
||||
['chmod', '-R', "o-rwx,g=r$bigX,u=rw$bigX", "/home/$group"],
|
||||
['chmod', '0664', "/home/$group/allowed.ip"],
|
||||
)
|
||||
{
|
||||
$fnret = OVH::Bastion::execute(cmd => $command, noisy_stderr => 1);
|
||||
$fnret->err eq 'OK'
|
||||
or HEXIT('ERR_CHMOD_FAILED', msg => "Error while running chmod to adjust permissions (" . $fnret->msg . ")");
|
||||
}
|
||||
chmod 0751, "/home/$group" if !OVH::Bastion::has_acls();
|
||||
|
||||
foreach my $gr ("$group-owner", "$group-gatekeeper", "$group-aclkeeper", "osh-whoHasAccessTo", "osh-auditor") {
|
||||
OVH::Bastion::sys_setfacl(target => "/home/$group", perms => "g:$gr:x")
|
||||
or HEXIT('ERR_SETFACL_FAILED', msg => "Error setting ACLs on group homedir");
|
||||
}
|
||||
|
||||
osh_debug("Adding allowkeeper to group $group");
|
||||
$fnret = OVH::Bastion::add_user_to_group(group => $group, user => 'allowkeeper', groupType => 'key');
|
||||
$fnret or HEXIT($fnret);
|
||||
|
|
@ -239,26 +259,6 @@ if (!$no_key) {
|
|||
$fnret or HEXIT($fnret);
|
||||
}
|
||||
|
||||
osh_info("Adjusting permissions...");
|
||||
my $bigX = (OVH::Bastion::is_linux() ? 'X' : 'x');
|
||||
foreach my $command (
|
||||
['chown', '-R', "$group:$group", "/home/$group"],
|
||||
['chgrp', "$group-aclkeeper", "/home/$group/allowed.ip"],
|
||||
['chmod', '-R', "o-rwx,g=r$bigX,u=rw$bigX", "/home/$group"],
|
||||
['chmod', '0664', "/home/$group/allowed.ip"],
|
||||
)
|
||||
{
|
||||
$fnret = OVH::Bastion::execute(cmd => $command, noisy_stderr => 1);
|
||||
$fnret->err eq 'OK'
|
||||
or HEXIT('ERR_CHMOD_FAILED', msg => "Error while running chmod to adjust permissions (" . $fnret->msg . ")");
|
||||
}
|
||||
chmod 0751, "/home/$group" if !OVH::Bastion::has_acls();
|
||||
|
||||
foreach my $gr ("$group-owner", "$group-gatekeeper", "$group-aclkeeper", "osh-whoHasAccessTo", "osh-auditor") {
|
||||
OVH::Bastion::sys_setfacl(target => "/home/$group", perms => "g:$gr:x")
|
||||
or HEXIT('ERR_SETFACL_FAILED', msg => "Error setting ACLs on group homedir");
|
||||
}
|
||||
|
||||
# allowed to sudo for the group
|
||||
osh_info("Configuring sudoers for this group");
|
||||
$fnret = OVH::Bastion::execute(cmd => [$OVH::Bastion::BASEPATH . '/bin/sudogen/generate-sudoers.sh', 'create', 'group', $group], must_succeed => 1, noisy_stdout => 1);
|
||||
|
|
|
|||
|
|
@ -27,7 +27,7 @@ We published a Puppet module to handle The Bastion configuration and prerequisit
|
|||
The following Linux distros are tested with each release, but as this is a security product, you are *warmly* advised to run it on the latest up-to-date stable version of your favorite OS:
|
||||
|
||||
- Debian 10 (Buster), 9 (Stretch), 8 (Jessie)
|
||||
- RHEL/CentOS 8, 7
|
||||
- RHEL/CentOS 8.x (8.3.2011, 8.2.2004, 8.1.1911), 7.x (7.9.2009, 7.8.2003, 7.7.1908)
|
||||
- Ubuntu LTS 20.04, 18.04, 16.04, 14.04\*
|
||||
- OpenSUSE Leap 15.2\*, 15.1\*, 15.0\*
|
||||
|
||||
|
|
|
|||
|
|
@ -24,3 +24,4 @@ RUN ["/opt/bastion/bin/admin/install","--new-install","--no-wait"]
|
|||
ENTRYPOINT /opt/bastion/docker/entrypoint.sh
|
||||
|
||||
# TESTENV HAS_ED25519=1 HAS_BLACKLIST=0 HAS_MFA=1 HAS_PAMTESTER=1
|
||||
# TESTFROM centos:7.9.2009 centos:7.8.2003 centos:7.7.1908
|
||||
|
|
|
|||
|
|
@ -24,3 +24,4 @@ RUN ["/opt/bastion/bin/admin/install","--new-install","--no-wait"]
|
|||
ENTRYPOINT /opt/bastion/docker/entrypoint.sh
|
||||
|
||||
# TESTENV HAS_ED25519=1 HAS_BLACKLIST=0 HAS_MFA=1 HAS_PAMTESTER=1
|
||||
# TESTFROM centos:8.3.2011 centos:8.2.2004 centos:8.1.1911
|
||||
|
|
|
|||
|
|
@ -11,22 +11,56 @@ namespace=the-bastion-test
|
|||
target="$1"
|
||||
test_script="$2"
|
||||
|
||||
get_supported_targets() {
|
||||
local target targets subtarget
|
||||
for dockerfile in "$(dirname "$0")"/../../../docker/Dockerfile.*; do
|
||||
if grep -q '^# TESTENV ' "$dockerfile"; then
|
||||
target=$(basename "$dockerfile")
|
||||
target=${target/Dockerfile./}
|
||||
# if the file has a TESTFROM entry, then it's actually multiple similar targets
|
||||
if grep -q '^# TESTFROM ' "$dockerfile"; then
|
||||
# shellcheck disable=SC2013
|
||||
for testfrom in $(grep '^# TESTFROM ' "$dockerfile" | cut -d' ' -f3-); do
|
||||
subtarget="$target@$testfrom"
|
||||
targets="$targets $subtarget"
|
||||
done
|
||||
fi
|
||||
targets="$targets $target"
|
||||
fi
|
||||
done
|
||||
# shellcheck disable=SC2086
|
||||
echo $targets
|
||||
}
|
||||
|
||||
print_supported_targets() {
|
||||
local target
|
||||
for target in $(get_supported_targets | tr " " "\n" | sort); do
|
||||
echo "- $target"
|
||||
done
|
||||
echo
|
||||
}
|
||||
|
||||
if [ -z "$target" ] || [ "$target" = "--list-targets" ]; then
|
||||
targets=$(grep -l '^# TESTENV' "$(dirname "$0")"/../../../docker/Dockerfile.* | sed -re 's=^.+/Dockerfile\.==')
|
||||
if [ -z "$target" ]; then
|
||||
echo "Usage: $0 <TARGET>" >&2
|
||||
echo -n "Supported targets are: " >&2
|
||||
grep -l '^# TESTENV' "$(dirname "$0")"/../../../docker/Dockerfile.* | sed -re 's=^.+/Dockerfile\.==' | tr '\n' " " >&2
|
||||
echo >&2
|
||||
echo "Supported targets are: " >&2
|
||||
print_supported_targets >&2
|
||||
exit 1
|
||||
else
|
||||
# shellcheck disable=SC2086
|
||||
echo $targets
|
||||
print_supported_targets
|
||||
exit 0
|
||||
fi
|
||||
fi
|
||||
|
||||
target_dockerfile="$(dirname "$0")"/../../../docker/Dockerfile."$target"
|
||||
if echo "$target" | grep -q '@'; then
|
||||
subtarget=$(echo "$target" | cut -d@ -f2)
|
||||
target_dockerfile=$(echo "$target" | cut -d@ -f1)
|
||||
else
|
||||
subtarget=''
|
||||
target_dockerfile="$target"
|
||||
fi
|
||||
target_dockerfile="$(dirname "$0")"/../../../docker/Dockerfile."$target_dockerfile"
|
||||
if [ ! -f "$target_dockerfile" ] ; then
|
||||
echo "Couldn't find a Dockerfile for $target ($target_dockerfile)" >&2
|
||||
exit 1
|
||||
|
|
@ -37,10 +71,35 @@ echo "Building test environment"
|
|||
testenv_dockerfile="$(dirname "$0")/../../../docker/Dockerfile.tester"
|
||||
docker build -f "$testenv_dockerfile" -t "$namespace:tester" "$(dirname "$0")"/../../..
|
||||
|
||||
# if we have a subtarget, we need to override the FROM of the target_dockerfile
|
||||
# don't do this in place however, create a tempfile for this
|
||||
if [ -n "$subtarget" ]; then
|
||||
dockerfiletmp=$(mktemp)
|
||||
trap 'rm -f $dockerfiletmp' EXIT
|
||||
sed -re "s/^FROM .+/FROM $subtarget/" "$target_dockerfile" > "$dockerfiletmp"
|
||||
target_dockerfile="$dockerfiletmp"
|
||||
fi
|
||||
|
||||
# build target
|
||||
echo "Building target environment"
|
||||
target=$(echo "$target" | sed -re 's/[^a-zA-Z0-9_-]/_/g')
|
||||
docker build -f "$target_dockerfile" -t "$namespace:$target" --build-arg "TEST_QUICK=$TEST_QUICK" "$(dirname "$0")"/../../..
|
||||
|
||||
# get the target environment we want from the dockerfile
|
||||
varstoadd=''
|
||||
privileged=''
|
||||
for var in $(grep '^# TESTENV' "$target_dockerfile" | tail -n1 | sed -re 's/^# TESTENV//')
|
||||
do
|
||||
echo "$var" | grep -Eq '^[A-Z0-9_]+=[01]$' && varstoadd="$varstoadd -e $var "
|
||||
[ "$var" = "PRIVILEGED=1" ] && privileged='--privileged'
|
||||
done
|
||||
|
||||
# cleanup the dockerfile temp if applicable
|
||||
if [ -n "$subtarget" ]; then
|
||||
rm -f "$dockerfiletmp"
|
||||
trap - EXIT
|
||||
fi
|
||||
|
||||
# create temp key
|
||||
echo "Create user and root SSH keys"
|
||||
privdir=$(mktemp -d)
|
||||
|
|
@ -54,14 +113,6 @@ ROOT_PUBKEY_B64=$(base64 -w0 < "$privdir"/rootkey.pub)
|
|||
rm -rf "$privdir"
|
||||
trap - EXIT
|
||||
|
||||
varstoadd=''
|
||||
privileged=''
|
||||
for var in $(grep '^# TESTENV' "$target_dockerfile" | tail -n1 | sed -re 's/^# TESTENV//')
|
||||
do
|
||||
echo "$var" | grep -Eq '^[A-Z0-9_]+=[01]$' && varstoadd="$varstoadd -e $var "
|
||||
[ "$var" = "PRIVILEGED=1" ] && privileged='--privileged'
|
||||
done
|
||||
|
||||
echo "Configuring network"
|
||||
docker rm -f "bastion_${target}_target" 2>/dev/null || true
|
||||
docker rm -f "bastion_${target}_tester" 2>/dev/null || true
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue