From dca45a44c59b7b1d5fdc6522b935a1722acf7766 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?St=C3=A9phane=20Lesimple?= Date: Tue, 8 Dec 2020 14:27:13 +0000 Subject: [PATCH 1/5] chore: fix latest centos 8 release, add tests for last 3 minors --- .github/workflows/tests.yml | 2 +- bin/admin/packages-check.sh | 2 +- docker/Dockerfile.centos7 | 1 + docker/Dockerfile.centos8 | 1 + .../docker/docker_build_and_run_tests.sh | 77 +++++++++++++++---- 5 files changed, 67 insertions(+), 16 deletions(-) diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index f75794a..b0164b6 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -20,7 +20,7 @@ jobs: name: Full strategy: matrix: - platform: [centos7, centos8, debian10, debian8, debian9, opensuse150, opensuse151, opensuse152, ubuntu1404, ubuntu1604, ubuntu1804, ubuntu2004] + platform: [centos7@centos:7.7.1908, centos7@centos:7.8.2003, centos7@centos:7.9.2009, centos8@centos:8.1.1911, centos8@centos:8.2.2004, centos8@centos:8.3.2011, debian10, debian8, debian9, opensuse150, opensuse151, opensuse152, ubuntu1404, ubuntu1604, ubuntu1804, ubuntu2004] runs-on: ubuntu-latest if: contains(github.event.pull_request.labels.*.name, 'tests:full') steps: diff --git a/bin/admin/packages-check.sh b/bin/admin/packages-check.sh index 3bdc70a..7004002 100755 --- a/bin/admin/packages-check.sh +++ b/bin/admin/packages-check.sh @@ -74,7 +74,7 @@ elif echo "$DISTRO_LIKE" | grep -q -w rhel; then perl-JSON-XS inotify-tools lsof curl perl-Term-ReadLine-Gnu \ perl-libwww-perl perl-Digest perl-Net-Server cryptsetup mosh \ expect openssh-server nc bash perl-CGI perl(Test::More) passwd \ - cracklib-dicts perl-Time-Piece perl-Time-HiRes which \ + cracklib-dicts perl-Time-Piece perl-Time-HiRes diffutils \ perl-Sys-Syslog pamtester google-authenticator qrencode-libs" if [ "$DISTRO_VERSION_MAJOR" = 7 ]; then wanted_list="$wanted_list fortune-mod coreutils" 
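Review bot: The six new `centosN@centos:X.Y.Z` matrix entries pin the test base image by tag only, and Docker Hub tags are mutable, so a re-published `centos:8.3.2011` silently changes what "tested on 8.3" meant between two runs. Digest pinning (`centos@sha256:…`) is the usual remedy, but `@` is also the separator this syntax uses between Dockerfile name and image, so a digest-pinned entry cannot be expressed until the target parser splits on the first `@` only. A one-line comment above the matrix stating the `<dockerfile>@<image:tag>` convention would help the next person editing this list.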
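Review bot: Swapping `which` for `diffutils` in the rhel `wanted_list` changes two runtime assumptions at once and neither is explained in the hunk. If `diffutils` is added because a helper shells out to `diff` or `cmp`, the debian and suse branches of this same `if` (outside the hunk) may have the same gap unless their base systems guarantee the package — worth confirming rather than assuming. Dropping `which` is safe only if no script still calls it, which is what this change implies about the centos:8.3 image; `command -v` is the builtin replacement. A comment such as `# diffutils: needed for diff/cmp; 'which' deliberately not required, scripts use 'command -v'` would record both decisions.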
diff --git a/docker/Dockerfile.centos7 b/docker/Dockerfile.centos7 index 14e8d44..71f2101 100644 --- a/docker/Dockerfile.centos7 +++ b/docker/Dockerfile.centos7 @@ -24,3 +24,4 @@ RUN ["/opt/bastion/bin/admin/install","--new-install","--no-wait"] ENTRYPOINT /opt/bastion/docker/entrypoint.sh # TESTENV HAS_ED25519=1 HAS_BLACKLIST=0 HAS_MFA=1 HAS_PAMTESTER=1 +# TESTFROM centos:7.9.2009 centos:7.8.2003 centos:7.7.1908 diff --git a/docker/Dockerfile.centos8 b/docker/Dockerfile.centos8 index 3607961..85bb3ca 100644 --- a/docker/Dockerfile.centos8 +++ b/docker/Dockerfile.centos8 @@ -24,3 +24,4 @@ RUN ["/opt/bastion/bin/admin/install","--new-install","--no-wait"] ENTRYPOINT /opt/bastion/docker/entrypoint.sh # TESTENV HAS_ED25519=1 HAS_BLACKLIST=0 HAS_MFA=1 HAS_PAMTESTER=1 +# TESTFROM centos:8.3.2011 centos:8.2.2004 centos:8.1.1911 diff --git a/tests/functional/docker/docker_build_and_run_tests.sh b/tests/functional/docker/docker_build_and_run_tests.sh index 2829e92..f75d149 100755 --- a/tests/functional/docker/docker_build_and_run_tests.sh +++ b/tests/functional/docker/docker_build_and_run_tests.sh 
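Review bot: The new `# TESTFROM` line is a magic comment consumed by docker_build_and_run_tests.sh, which greps it and rewrites the Dockerfile's `FROM` line with each listed image, but nothing next to it says so; the adjacent `# TESTENV` line has the same problem. A comment such as `# TESTFROM: space-separated base images the functional test harness substitutes for the FROM line, one build per image` would make the convention discoverable. Since the harness replaces every line matching `^FROM .+`, the mechanism presumably only works while the Dockerfile has a single `FROM` stage; the rest of the Dockerfile is outside this hunk, so that is worth stating in the comment.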
@@ -11,22 +11,54 @@ namespace=the-bastion-test target="$1" test_script="$2" +get_supported_targets() { + local target targets subtarget + for dockerfile in "$(dirname "$0")"/../../../docker/Dockerfile.*; do + if grep -q '^# TESTENV ' "$dockerfile"; then + target=$(basename $dockerfile) + target=${target/Dockerfile./} + # if the file has a TESTFROM entry, then it's actually multiple similar targets + if grep -q '^# TESTFROM ' "$dockerfile"; then + for testfrom in $(grep '^# TESTFROM ' "$dockerfile" | cut -d' ' -f3-); do + subtarget="$target@$testfrom" + targets="$targets $subtarget" + done + fi + targets="$targets $target" + fi + done + echo $targets +} + +print_supported_targets() { + local target + for target in $(get_supported_targets | tr " " "\n" | sort); do + echo "- $target" + done + echo +} + if [ -z "$target" ] || [ "$target" = "--list-targets" ]; then - targets=$(grep -l '^# TESTENV' "$(dirname "$0")"/../../../docker/Dockerfile.* | sed -re 's=^.+/Dockerfile\.==') if [ -z "$target" ]; then echo "Usage: $0 " >&2 - echo -n "Supported targets are: " >&2 - grep -l '^# TESTENV' "$(dirname "$0")"/../../../docker/Dockerfile.* | sed -re 's=^.+/Dockerfile\.==' | tr '\n' " " >&2 - echo >&2 + echo "Supported targets are: " >&2 + print_supported_targets >&2 exit 1 else # shellcheck disable=SC2086 - echo $targets + print_supported_targets exit 0 fi fi -target_dockerfile="$(dirname "$0")"/../../../docker/Dockerfile."$target" +if echo "$target" | grep -q '@'; then + subtarget=$(echo "$target" | cut -d@ -f2) + target_dockerfile=$(echo "$target" | cut -d@ -f1) +else + subtarget='' + target_dockerfile="$target" +fi +target_dockerfile="$(dirname "$0")"/../../../docker/Dockerfile."$target_dockerfile" if [ ! -f "$target_dockerfile" ] ; then echo "Couldn't find a Dockerfile for $target ($target_dockerfile)" >&2 exit 1 
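Review bot: The `@` parsing added here accepts any `subtarget` typed on the command line and never checks it against the `TESTFROM` list that `get_supported_targets` just built, so a typo such as `centos8@centos:8.3.201` is only caught when `docker build` fails to pull, and the value is later spliced unescaped into a `sed` program. A membership check after the split closes both gaps: `get_supported_targets | tr ' ' '\n' | grep -qxF -- "$target" || { echo "Unsupported target: $target" >&2; exit 1; }`. The two `echo | cut -d@` pipelines can be replaced by `target_dockerfile=${target%%@*}` and `subtarget=${target#*@}` (with `[ "$subtarget" = "$target" ] && subtarget=''`), which split on the first `@` only and therefore keep a digest-pinned image such as `centos@sha256:…` intact where `cut -f2` would truncate it. Inside `get_supported_targets`, `dockerfile` and `testfrom` are not declared `local` although `target`, `targets` and `subtarget` are. The trailing `if [ ! -f "$target_dockerfile" ]` block closes outside this hunk.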
@@ -37,10 +69,35 @@ echo "Building test environment" testenv_dockerfile="$(dirname "$0")/../../../docker/Dockerfile.tester" docker build -f "$testenv_dockerfile" -t "$namespace:tester" "$(dirname "$0")"/../../.. +# if we have a subtarget, we need to override the FROM of the target_dockerfile +# don't do this in place however, create a tempfile for this +if [ -n "$subtarget" ]; then + dockerfiletmp=$(mktemp) + trap 'rm -f $dockerfiletmp' EXIT + sed -re "s/^FROM .+/FROM $subtarget/" "$target_dockerfile" > "$dockerfiletmp" + target_dockerfile="$dockerfiletmp" +fi + # build target echo "Building target environment" +target=$(echo "$target" | sed -re 's/[^a-zA-Z0-9_-]/_/g') docker build -f "$target_dockerfile" -t "$namespace:$target" --build-arg "TEST_QUICK=$TEST_QUICK" "$(dirname "$0")"/../../.. +# get the target environment we want from the dockerfile +varstoadd='' +privileged='' +for var in $(grep '^# TESTENV' "$target_dockerfile" | tail -n1 | sed -re 's/^# TESTENV//') +do + echo "$var" | grep -Eq '^[A-Z0-9_]+=[01]$' && varstoadd="$varstoadd -e $var " + [ "$var" = "PRIVILEGED=1" ] && privileged='--privileged' +done + +# cleanup the dockerfile temp if applicable +if [ -n "$subtarget" ]; then + rm -f "$dockerfiletmp" + trap - EXIT +fi + # create temp key echo "Create user and root SSH keys" privdir=$(mktemp -d) @@ -54,14 +111,6 @@ ROOT_PUBKEY_B64=$(base64 -w0 < "$privdir"/rootkey.pub) rm -rf "$privdir" trap - EXIT -varstoadd='' -privileged='' -for var in $(grep '^# TESTENV' "$target_dockerfile" | tail -n1 | sed -re 's/^# TESTENV//') -do - echo "$var" | grep -Eq '^[A-Z0-9_]+=[01]$' && varstoadd="$varstoadd -e $var " - [ "$var" = "PRIVILEGED=1" ] && privileged='--privileged' -done - echo "Configuring network" docker rm -f "bastion_${target}_target" 2>/dev/null || true docker rm -f "bastion_${target}_tester" 2>/dev/null || true From 457a8fae82778eec3eaffdbac8228365c8c313e1 Mon Sep 17 00:00:00 2001 
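Review bot: `sed -re "s/^FROM .+/FROM $subtarget/"` interpolates the image reference into the sed program without escaping, so a registry-qualified image such as `quay.io/centos/centos:stream8` (which contains `/`) breaks the expression, and `&` or `\` would be interpreted by sed rather than copied. The value only comes from the developer's own `$1`, so this is robustness rather than an exploitable hole, but a delimiter that cannot appear in an image reference plus a character whitelist keeps the failure obvious: `case "$subtarget" in *[!A-Za-z0-9._:/@-]*) echo "Refusing image reference: $subtarget" >&2; exit 1;; esac` followed by `sed -re "s|^FROM .+|FROM $subtarget|" "$target_dockerfile" > "$dockerfiletmp"`. Every `FROM` line in the file is rewritten, which presumably is fine for single-stage Dockerfiles but deserves a sentence in the comment above the block. The `docker build -t "$namespace:$target"` now uses the sanitised `$target` while the Dockerfile lookup earlier used the raw one; that looks intended, so a comment such as `# image tag is the sanitised target name; the Dockerfile was already resolved from the raw one` would prevent a future "fix" that breaks it.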
From: =?UTF-8?q?St=C3=A9phane=20Lesimple?= Date: Tue, 8 Dec 2020 14:27:38 +0000 Subject: [PATCH 2/5] chore: packages-check: remove unused packages --- bin/admin/packages-check.sh | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/bin/admin/packages-check.sh b/bin/admin/packages-check.sh index 7004002..97cfa21 100755 --- a/bin/admin/packages-check.sh +++ b/bin/admin/packages-check.sh @@ -69,8 +69,8 @@ if echo "$DISTRO_LIKE" | grep -q -w debian; then install_cmd="apt-get install" elif echo "$DISTRO_LIKE" | grep -q -w rhel; then wanted_list="perl-JSON perl-Net-Netmask perl-Net-IP \ - perl-Net-DNS perl-DBD-SQLite perl-TermReadKey perl-DateTime \ - sudo fping xz sqlite binutils acl perl-TimeDate gnupg rsync \ + perl-Net-DNS perl-DBD-SQLite perl-TermReadKey \ + sudo fping xz sqlite binutils acl gnupg rsync \ perl-JSON-XS inotify-tools lsof curl perl-Term-ReadLine-Gnu \ perl-libwww-perl perl-Digest perl-Net-Server cryptsetup mosh \ expect openssh-server nc bash perl-CGI perl(Test::More) passwd \ @@ -102,14 +102,14 @@ elif echo "$DISTRO_LIKE" | grep -q -w rhel; then install_cmd="yum install" elif echo "$DISTRO_LIKE" | grep -q -w suse; then wanted_list="perl-common-sense perl-JSON perl-Net-Netmask perl-Net-IP \ - perl-Net-DNS perl-DBD-SQLite perl-TermReadKey perl-DateTime \ + perl-Net-DNS perl-DBD-SQLite perl-TermReadKey \ fortune sudo fping \ - xz sqlite binutils acl perl-TimeDate gnupg rsync \ + xz sqlite binutils acl gnupg rsync \ perl-JSON-XS inotify-tools lsof curl perl-TermReadLine-Gnu \ perl-libwww-perl perl-Digest perl-IO-Socket-SSL \ perl-Net-Server cryptsetup mosh expect openssh \ coreutils netcat-openbsd bash perl-CGI iputils \ - perl-Time-HiRes which perl-Unix-Syslog hostname" + perl-Time-HiRes perl-Unix-Syslog hostname" wanted_list="$wanted_list google-authenticator-libpam" # perl-GnuPG [ "$opt_syslogng" = 1 ] && wanted_list="$wanted_list syslog-ng" From 7707b1c351ebbe0f4a66999900419598451cb2b9 Mon Sep 17 00:00:00 2001 
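Review bot: Removing `perl-DateTime` and `perl-TimeDate` from the rhel `wanted_list` is only safe if no helper still loads `DateTime` or `Date::Parse`, which this hunk cannot show; a `grep -r 'DateTime\|Date::Parse' bin lib` before merging would back the "unused" claim in the commit message. The debian branch of this `if` is not touched by the diffstat, so if it still lists `libdatetime-perl`/`libtimedate-perl` the distro lists now disagree on what is required; either drop them there too or annotate them with `# kept for <reason>`. The surrounding `elif` chain starts and ends outside this hunk.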
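Review bot: `which` disappears from the suse `wanted_list` here, as it did from the rhel list in the first patch, so any script that still shells out to `which` will fail on a minimal openSUSE host if the package is not pre-installed; `command -v` is the POSIX builtin equivalent and needs no package. If the removal was verified by grep, a comment such as `# 'which' intentionally not required: scripts use 'command -v'` prevents it being re-added later. The `# perl-GnuPG` trailing comment on the unchanged `google-authenticator-libpam` line is confusing next to an edited list and would be clearer on its own line.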
From: =?UTF-8?q?St=C3=A9phane=20Lesimple?= Date: Tue, 8 Dec 2020 14:27:55 +0000 Subject: [PATCH 3/5] fix: osh-groupCreate: fix for centos 8.3 --- .github/workflows/tests.yml | 2 +- bin/helper/osh-groupCreate | 41 +++++++++++++++++++------------------ 2 files changed, 22 insertions(+), 21 deletions(-) diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index b0164b6..997a02c 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -20,7 +20,7 @@ jobs: name: Full strategy: matrix: - platform: [centos7@centos:7.7.1908, centos7@centos:7.8.2003, centos7@centos:7.9.2009, centos8@centos:8.1.1911, centos8@centos:8.2.2004, centos8@centos:8.3.2011, debian10, debian8, debian9, opensuse150, opensuse151, opensuse152, ubuntu1404, ubuntu1604, ubuntu1804, ubuntu2004] + platform: ['centos7@centos:7.7.1908', 'centos7@centos:7.8.2003', 'centos7@centos:7.9.2009', 'centos8@centos:8.1.1911', 'centos8@centos:8.2.2004', 'centos8@centos:8.3.2011', debian10, debian8, debian9, opensuse150, opensuse151, opensuse152, ubuntu1404, ubuntu1604, ubuntu1804, ubuntu2004] runs-on: ubuntu-latest if: contains(github.event.pull_request.labels.*.name, 'tests:full') steps: diff --git a/bin/helper/osh-groupCreate b/bin/helper/osh-groupCreate index ef2b5a8..80c0f56 100755 --- a/bin/helper/osh-groupCreate +++ b/bin/helper/osh-groupCreate 
@@ -175,6 +175,27 @@ $fnret->err eq 'OK' # Building /home/$group OVH::Bastion::touch_file("/home/$group/allowed.ip"); +osh_info("Adjusting permissions..."); +my $bigX = (OVH::Bastion::is_linux() ? 'X' : 'x'); +foreach my $command ( + ['chown', '-R', "$group:$group", "/home/$group"], + ['chgrp', "$group-aclkeeper", "/home/$group/allowed.ip"], + ['chmod', '-R', "o-rwx,g=r$bigX,u=rw$bigX", "/home/$group"], + ['chmod', '0664', "/home/$group/allowed.ip"], + ) +{ + $fnret = OVH::Bastion::execute(cmd => $command, noisy_stderr => 1); + $fnret->err eq 'OK' + or HEXIT('ERR_CHMOD_FAILED', msg => "Error while running chmod to adjust permissions (" . $fnret->msg . ")"); +} +chmod 0751, "/home/$group" if !OVH::Bastion::has_acls(); + +foreach my $gr ("$group-owner", "$group-gatekeeper", "$group-aclkeeper", "osh-whoHasAccessTo", "osh-auditor") { + OVH::Bastion::sys_setfacl(target => "/home/$group", perms => "g:$gr:x") + or HEXIT('ERR_SETFACL_FAILED', msg => "Error setting ACLs on group homedir"); +} + + osh_debug("Adding allowkeeper to group $group"); $fnret = OVH::Bastion::add_user_to_group(group => $group, user => 'allowkeeper', groupType => 'key'); $fnret or HEXIT($fnret); 
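Review bot: Moving the chown/chmod/setfacl block up to just after `touch_file` means it now runs before the group's SSH key is generated in the `if (!$no_key)` section further down (visible as context of the next hunk), so the recursive `chown -R "$group:$group"` and `chmod -R o-rwx,g=rX,u=rwX` no longer cover the key files; their ownership and mode now depend entirely on what the key-generation code sets and on the helper's umask. If that code does not itself set `$group` ownership and an `o-rwx` mode, the private key could end up unreadable by members or more permissive than intended — this cannot be verified from the hunk, so it needs checking or a targeted `chmod`/`chown` after key creation. The same question applies to anything `add_user_to_group` writes under `/home/$group` later in the function. A why-comment on the block, such as `# Permissions are fixed before any membership change (CentOS 8.3 fix); anything created below must set its own owner/mode`, would make the ordering constraint explicit, since the commit message only names the platform. The enclosing script body continues outside this hunk.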
@@ -239,26 +260,6 @@ if (!$no_key) { $fnret or HEXIT($fnret); } -osh_info("Adjusting permissions..."); -my $bigX = (OVH::Bastion::is_linux() ? 'X' : 'x'); -foreach my $command ( - ['chown', '-R', "$group:$group", "/home/$group"], - ['chgrp', "$group-aclkeeper", "/home/$group/allowed.ip"], - ['chmod', '-R', "o-rwx,g=r$bigX,u=rw$bigX", "/home/$group"], - ['chmod', '0664', "/home/$group/allowed.ip"], - ) -{ - $fnret = OVH::Bastion::execute(cmd => $command, noisy_stderr => 1); - $fnret->err eq 'OK' - or HEXIT('ERR_CHMOD_FAILED', msg => "Error while running chmod to adjust permissions (" . $fnret->msg . ")"); -} -chmod 0751, "/home/$group" if !OVH::Bastion::has_acls(); - -foreach my $gr ("$group-owner", "$group-gatekeeper", "$group-aclkeeper", "osh-whoHasAccessTo", "osh-auditor") { - OVH::Bastion::sys_setfacl(target => "/home/$group", perms => "g:$gr:x") - or HEXIT('ERR_SETFACL_FAILED', msg => "Error setting ACLs on group homedir"); -} - # allowed to sudo for the group osh_info("Configuring sudoers for this group"); $fnret = OVH::Bastion::execute(cmd => [$OVH::Bastion::BASEPATH . '/bin/sudogen/generate-sudoers.sh', 'create', 'group', $group], must_succeed => 1, noisy_stdout => 1); From 87128da9d655d9204fcc6f73891e196d01347b53 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?St=C3=A9phane=20Lesimple?= Date: Tue, 8 Dec 2020 14:31:08 +0000 Subject: [PATCH 4/5] chore: adjust readme & docs --- README.md | 2 +- doc/sphinx/installation/basic.rst | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 518d65a..19744c5 100644 --- a/README.md +++ b/README.md 
@@ -73,7 +73,7 @@ Also don't forget to customize your `bastion.conf` file, which can be found in ` Linux distros below are tested with each release, but as this is a security product, you are **warmly** advised to run it on the latest up-to-date stable version of your favorite OS: - Debian 10 (Buster), 9 (Stretch), 8 (Jessie) -- RHEL/CentOS 8, 7 +- RHEL/CentOS 8.x (8.3.2011, 8.2.2004, 8.1.1911), 7.x (7.9.2009, 7.8.2003, 7.7.1908) - Ubuntu LTS 20.04, 18.04, 16.04, 14.04\* - OpenSUSE Leap 15.2\*, 15.1\*, 15.0\* diff --git a/doc/sphinx/installation/basic.rst b/doc/sphinx/installation/basic.rst index f680e52..849cf42 100644 --- a/doc/sphinx/installation/basic.rst +++ b/doc/sphinx/installation/basic.rst @@ -27,7 +27,7 @@ We published a Puppet module to handle The Bastion configuration and prerequisit The following Linux distros are tested with each release, but as this is a security product, you are *warmly* advised to run it on the latest up-to-date stable version of your favorite OS: - Debian 10 (Buster), 9 (Stretch), 8 (Jessie) -- RHEL/CentOS 8, 7 +- RHEL/CentOS 8.x (8.3.2011, 8.2.2004, 8.1.1911), 7.x (7.9.2009, 7.8.2003, 7.7.1908) - Ubuntu LTS 20.04, 18.04, 16.04, 14.04\* - OpenSUSE Leap 15.2\*, 15.1\*, 15.0\* From c68b696702d736f43db9e58b62de6c9793798a47 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?St=C3=A9phane=20Lesimple?= Date: Tue, 8 Dec 2020 14:34:03 +0000 Subject: [PATCH 5/5] chore: shellcheck & perltidy --- bin/helper/osh-groupCreate | 1 - tests/functional/docker/docker_build_and_run_tests.sh | 4 +++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/bin/helper/osh-groupCreate b/bin/helper/osh-groupCreate index 80c0f56..5b5bf20 100755 --- a/bin/helper/osh-groupCreate +++ b/bin/helper/osh-groupCreate 
@@ -195,7 +195,6 @@ foreach my $gr ("$group-owner", "$group-gatekeeper", "$group-aclkeeper", "osh-wh or HEXIT('ERR_SETFACL_FAILED', msg => "Error setting ACLs on group homedir"); } - osh_debug("Adding allowkeeper to group $group"); $fnret = OVH::Bastion::add_user_to_group(group => $group, user => 'allowkeeper', groupType => 'key'); $fnret or HEXIT($fnret); diff --git a/tests/functional/docker/docker_build_and_run_tests.sh b/tests/functional/docker/docker_build_and_run_tests.sh index f75d149..4d4de9d 100755 --- a/tests/functional/docker/docker_build_and_run_tests.sh +++ b/tests/functional/docker/docker_build_and_run_tests.sh @@ -15,10 +15,11 @@ get_supported_targets() { local target targets subtarget for dockerfile in "$(dirname "$0")"/../../../docker/Dockerfile.*; do if grep -q '^# TESTENV ' "$dockerfile"; then - target=$(basename $dockerfile) + target=$(basename "$dockerfile") target=${target/Dockerfile./} # if the file has a TESTFROM entry, then it's actually multiple similar targets if grep -q '^# TESTFROM ' "$dockerfile"; then + # shellcheck disable=SC2013 for testfrom in $(grep '^# TESTFROM ' "$dockerfile" | cut -d' ' -f3-); do subtarget="$target@$testfrom" targets="$targets $subtarget" @@ -27,6 +28,7 @@ get_supported_targets() { targets="$targets $target" fi done + # shellcheck disable=SC2086 echo $targets }
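Review bot: `target=${target/Dockerfile./}` on the line after the now-quoted `basename` replaces the first `Dockerfile.` anywhere in the name; the anchored form `target=${target#Dockerfile.}` says what is meant (strip the prefix) and cannot misfire on an odd filename. The `# shellcheck disable=SC2013` above the `for testfrom` loop silences the warning without saying why it is acceptable — `# TESTFROM entries are space-separated image refs; word-splitting is intended` would justify it. `dockerfile` and `testfrom` are still not declared `local` alongside `target targets subtarget` at the top of the function, whose closing lines are in the next hunk.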
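Review bot: The `# shellcheck disable=SC2086` added before `echo $targets` hides the unquoted-expansion warning but leaves the reader to work out that the unquoted form is deliberate: `targets` is built with a leading space, and word splitting is what collapses it into one clean line. Either say so — `# unquoted on purpose: word-splitting trims the leading space and joins the list` — or make the disable unnecessary with `echo "${targets# }"`. The `print_supported_targets` caller that splits this output again is outside this hunk.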