chore: remove useless 'section' test info
As tests are now split by modules, the section is autodetected and taken as the module name, hence a test now only needs a name, instead of a section & a name.
parent
4a21cfc421
commit
f6e4ec81a8
|
@ -9,7 +9,7 @@ basedir=$(readlink -f "$(dirname "$0")"/../../..)
|
|||
namespace=the-bastion-test
|
||||
|
||||
target="$1"
|
||||
shift
|
||||
shift || true
|
||||
|
||||
# all remaining options will be passed as-is on the target docker, through target_role.sh to launch-tests-on-instance.sh
|
||||
|
||||
|
@ -45,9 +45,12 @@ print_supported_targets() {
|
|||
|
||||
if [ -z "$target" ] || [ "$target" = "--list-targets" ]; then
|
||||
if [ -z "$target" ]; then
|
||||
echo "Usage: $0 <TARGET>" >&2
|
||||
echo "Supported targets are: " >&2
|
||||
print_supported_targets >&2
|
||||
echo "Usage: $0 <TARGET> [additional options]"
|
||||
echo
|
||||
echo "Supported targets are: "
|
||||
print_supported_targets
|
||||
echo "These additional options are passed directly to the worker:"
|
||||
"$basedir"/tests/functional/launch_tests_on_instance.sh --help-light
|
||||
exit 1
|
||||
else
|
||||
# shellcheck disable=SC2086
|
||||
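Review bot: The new condition `if [ -z "$target" ]; then` drops the `--list-targets` case that the old test covered, so passing `--list-targets` now falls through to the `else` branch (which continues outside the hunk) and is presumably handed to docker as a target name; keeping `if [ -z "$target" ] || [ "$target" = "--list-targets" ]; then` preserves that entry point. The usage block now prints to stdout but still ends with `exit 1`, so a missing-argument error and a deliberate help/list request are indistinguishable to a caller or CI wrapper; printing to stderr with `exit 1` only when `$target` is empty, and exiting 0 when a list/help flag was given, would keep the two apart. The `shift || true` in the first hunk is the right guard for the no-argument case if the script runs under `set -e`, which is not visible here.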
|
|
|
@ -19,9 +19,6 @@ declare -A capabilities=( [ed25519]=1 [blacklist]=0 [mfa]=1 [mfa-password]=0 [pa
|
|||
|
||||
# set the helptext now to get the proper default values
|
||||
help_text=$(cat <<EOF
|
||||
|
||||
Usage: $0 [OPTIONS] <IP> <SSH_Port> <HTTP_Proxy_Port_or_Zero> <Remote_Admin_User_Name> <Admin_User_SSH_Key_Path> <Root_SSH_Key_Path>
|
||||
|
||||
Test Options:
|
||||
--skip-consistency-check Speed up tests by skipping the consistency check between every test
|
||||
--no-pause-on-fail Don't pause when a test fails
|
||||
|
@ -45,6 +42,13 @@ EOF
|
|||
|
||||
|
||||
usage() {
|
||||
if [ "${1:-}" != "light" ]; then
|
||||
cat <<EOF
|
||||
|
||||
Usage: $0 [OPTIONS] <IP> <SSH_Port> <HTTP_Proxy_Port_or_Zero> <Remote_Admin_User_Name> <Admin_User_SSH_Key_Path> <Root_SSH_Key_Path>
|
||||
|
||||
EOF
|
||||
fi
|
||||
echo "$help_text"
|
||||
}
|
||||
|
||||
|
@ -81,6 +85,14 @@ do
|
|||
optname=${optname/=*/}
|
||||
capabilities[$optname]=$optval
|
||||
;;
|
||||
--help)
|
||||
usage
|
||||
exit 0
|
||||
;;
|
||||
--help-light)
|
||||
usage light
|
||||
exit 0
|
||||
;;
|
||||
-*)
|
||||
echo "Unknown option: $1"
|
||||
usage
|
||||
|
@ -172,8 +184,8 @@ fi
|
|||
r0=" $t ssh -F $mytmpdir/ssh_config -i $rootkeyfile root@$remote_ip -p $remote_port -- "
|
||||
};
|
||||
|
||||
grant() { success prereq grantcmd $a0 --osh accountGrantCommand --account $account0 --command "$1"; }
|
||||
revoke() { success prereq revokecmd $a0 --osh accountRevokeCommand --account $account0 --command "$1"; }
|
||||
grant() { success grantcmd $a0 --osh accountGrantCommand --account $account0 --command "$1"; }
|
||||
revoke() { success revokecmd $a0 --osh accountRevokeCommand --account $account0 --command "$1"; }
|
||||
|
||||
cat >"$mytmpdir/ssh_config" <<EOF
|
||||
StrictHostKeyChecking no
|
||||
|
@ -269,22 +281,24 @@ run()
|
|||
# now prepare for the current test
|
||||
testno=$(( testno + 1 ))
|
||||
[ "$COUNTONLY" = 1 ] && return
|
||||
name=$1
|
||||
name="$modulename"
|
||||
if [ -z "$name" ]; then
|
||||
name="main"
|
||||
fi
|
||||
case="$1"
|
||||
shift
|
||||
case=$1
|
||||
shift
|
||||
basename=$(printf '%03d-%s-%s' $testno $name $case | sed -re "s=/=_=g")
|
||||
basename=$(printf '%04d-%s-%s' $testno $name $case | sed -re "s=/=_=g")
|
||||
|
||||
# if we're about to run a script, keep a copy there
|
||||
if [ -x "$1" ] && [ "$#" -eq 1 ]; then
|
||||
cp "$1" "$outdir/$basename.script"
|
||||
fi
|
||||
|
||||
printf '%b %b*** [%03d/%03d] %b::%b %b(%b)%b\n' "$(prefix)" "$BOLD_CYAN" "$testno" "$testcount" "$name" "$case" "$NOC$DARKGRAY" "$*" "$NOC"
|
||||
printf '%b %b*** [%04d/%04d] %b::%b %b(%b)%b\n' "$(prefix)" "$BOLD_CYAN" "$testno" "$testcount" "$name" "$case" "$NOC$DARKGRAY" "$*" "$NOC"
|
||||
|
||||
# special case for scp: we need to wait a bit before terminating the test
|
||||
sleepafter=0
|
||||
[ "$name" = "scp" ] && sleepafter=2
|
||||
[[ $case =~ ^scp_ ]] && sleepafter=2
|
||||
|
||||
# put an invalid value in this file, should be overwritten. we also use it as a lock file.
|
||||
echo -1 > $outdir/$basename.retval
|
||||
|
@ -325,12 +339,10 @@ run()
|
|||
}
|
||||
|
||||
script() {
|
||||
name=$1
|
||||
shift
|
||||
section=$1
|
||||
shift
|
||||
if [ "$COUNTONLY" = 1 ]; then
|
||||
run $name $section true
|
||||
run $section true
|
||||
return
|
||||
fi
|
||||
|
||||
|
@ -338,7 +350,7 @@ script() {
|
|||
echo "#! /usr/bin/env bash" > "$tmpscript"
|
||||
echo "$*" >> "$tmpscript"
|
||||
chmod 755 "$tmpscript"
|
||||
run $name $section "$tmpscript"
|
||||
run $section "$tmpscript"
|
||||
rm -f "$tmpscript"
|
||||
}
|
||||
|
||||
|
@ -494,41 +506,56 @@ nocontain()
|
|||
|
||||
configchg()
|
||||
{
|
||||
success bastion configchange $r0 perl -pe "$*" -i $opt_remote_etc_bastion/bastion.conf
|
||||
success configchange $r0 perl -pe "$*" -i "$opt_remote_etc_bastion/bastion.conf"
|
||||
}
|
||||
|
||||
onfigsetquoted()
|
||||
{
|
||||
success configset $r0 perl -pe 's=^\\\\x22'"$1"'\\\\x22.+=\\\\x22'"$1"'\\\\x22:\\\\x22'"$2"'\\\\x22,=' -i "$opt_remote_etc_bastion/bastion.conf"
|
||||
}
|
||||
|
||||
configset()
|
||||
{
|
||||
success configset $r0 perl -pe 's=^\\\\x22'"$1"'\\\\x22.+=\\\\x22'"$1"'\\\\x22:'"$2"',=' -i "$opt_remote_etc_bastion/bastion.conf"
|
||||
}
|
||||
|
||||
|
||||
sshclientconfigchg()
|
||||
{
|
||||
success bastion sshclientconfigchange $r0 perl -pe "$*" -i /etc/ssh/ssh_config
|
||||
success sshclientconfigchange $r0 perl -pe "$*" -i /etc/ssh/ssh_config
|
||||
}
|
||||
|
||||
runtests()
|
||||
{
|
||||
# ensure syslog is clean
|
||||
ignorecodewarn 'Configuration error' # previous unit tests can provoke this
|
||||
success bastion syslog_cleanup $r0 "\": > /var/log/bastion/bastion.log\""
|
||||
success syslog_cleanup $r0 "\": > /var/log/bastion/bastion.log\""
|
||||
|
||||
modulename=main
|
||||
# backup the original default configuration on target side
|
||||
now=$(date +%s)
|
||||
success bastion backupconfig $r0 "dd if=$opt_remote_etc_bastion/bastion.conf of=$opt_remote_etc_bastion/bastion.conf.bak.$now"
|
||||
success backupconfig $r0 "dd if=$opt_remote_etc_bastion/bastion.conf of=$opt_remote_etc_bastion/bastion.conf.bak.$now"
|
||||
|
||||
grant accountRevokeCommand
|
||||
|
||||
for module in "$(dirname $0)"/tests.d/???-*.sh
|
||||
do
|
||||
module="$(readlink -f "$module")"
|
||||
modulename="$(basename "$module" .sh)"
|
||||
if [ -n "$opt_module" ] && [ "$opt_module" != "$(basename "$module")" ]; then
|
||||
echo "### SKIPPING MODULE $(basename $module)"
|
||||
echo "### SKIPPING MODULE $modulename"
|
||||
continue
|
||||
fi
|
||||
echo "### RUNNING MODULE $(basename $module)"
|
||||
echo "### RUNNING MODULE $modulename"
|
||||
|
||||
# as this is a loop, we do the check in a reversed way, see any included module for more info:
|
||||
# shellcheck disable=SC1090
|
||||
source "$module" || true
|
||||
done
|
||||
|
||||
# put the backed up configuration back
|
||||
success bastion restoreconfig $r0 "dd if=$opt_remote_etc_bastion/bastion.conf.bak.$now of=$opt_remote_etc_bastion/bastion.conf"
|
||||
# put the backed up configuration back after each module, just in case the module modified it
|
||||
modulename=main
|
||||
success configrestore $r0 "dd if=$opt_remote_etc_bastion/bastion.conf.bak.$now of=$opt_remote_etc_bastion/bastion.conf"
|
||||
done
|
||||
}
|
||||
|
||||
COUNTONLY=0
|
||||
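Review bot: The new helper is declared as `onfigsetquoted()` — if that is what the commit contains rather than a rendering artifact, any `configsetquoted` call in a module fails with "command not found", and because modules are sourced with `|| true` the intended config change is silently skipped rather than reported. Both new helpers also label their step `configset`, so the basename and log line produced by the quoted variant read as `configset`; `success configsetquoted $r0 perl -pe ...` keeps them distinguishable in the output directory. `$1` and `$2` are spliced raw into the perl `s===` expression, so a key or value containing `=` or a single quote breaks the substitution instead of being rejected — acceptable for suite-internal callers, but a one-line comment stating that constraint would help the next module author. In the `run()` hunk the scp grace period now keys on `[[ $case =~ ^scp_ ]]` instead of the section name, so an scp test whose case name does not start with `scp_` loses the 2-second delay; worth confirming against the scp module's case names, which are outside this page.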
|
|
|
@ -9,33 +9,33 @@ testsuite_activeness()
|
|||
{
|
||||
grant accountCreate
|
||||
# create account1 on local bastion
|
||||
success activeness create_account1 $a0 --osh accountCreate --account $account1 --uid $uid1 --public-key \""$(cat $account1key1file.pub)"\"
|
||||
success create_account1 $a0 --osh accountCreate --account $account1 --uid $uid1 --public-key \""$(cat $account1key1file.pub)"\"
|
||||
json .error_code OK .command accountCreate .value null
|
||||
|
||||
success activeness create_account2 $a0 --osh accountCreate --account $account2 --uid $uid2 --public-key \""$(cat $account2key1file.pub)"\"
|
||||
success create_account2 $a0 --osh accountCreate --account $account2 --uid $uid2 --public-key \""$(cat $account2key1file.pub)"\"
|
||||
json .error_code OK .command accountCreate .value null
|
||||
|
||||
success activeness create_account3 $a0 --osh accountCreate --account $account3 --uid $uid3 --always-active --public-key \""$(cat $account3key1file.pub)"\"
|
||||
success create_account3 $a0 --osh accountCreate --account $account3 --uid $uid3 --always-active --public-key \""$(cat $account3key1file.pub)"\"
|
||||
json .error_code OK .command accountCreate .value null
|
||||
|
||||
revoke accountCreate
|
||||
|
||||
configchg 's=^\\\\x22accountExternalValidationProgram\\\\x22.+=\\\\x22accountExternalValidationProgram\\\\x22:\\\\x22/opt/bastion/bin/other/doesnotexist.pl\\\\x22,='
|
||||
|
||||
success activeness test_invalid_config_but_always_active $a3 --osh info
|
||||
success test_invalid_config_but_always_active $a3 --osh info
|
||||
|
||||
ignorecodewarn 'is not readable+executable'
|
||||
run activeness test_invalid_config $a1 --osh info
|
||||
run test_invalid_config $a1 --osh info
|
||||
retvalshouldbe 101
|
||||
|
||||
configchg 's=^\\\\x22accountExternalValidationProgram\\\\x22.+=\\\\x22accountExternalValidationProgram\\\\x22:\\\\x22/opt/bastion/bin/other/check-active-account-fortestsonly.pl\\\\x22,='
|
||||
|
||||
run activeness test_account1 $a1 --osh info
|
||||
run test_account1 $a1 --osh info
|
||||
retvalshouldbe 101
|
||||
|
||||
success activeness test_account2 $a2 --osh info
|
||||
success test_account2 $a2 --osh info
|
||||
|
||||
success activeness test_account3 $a3 --osh info
|
||||
success test_account3 $a3 --osh info
|
||||
|
||||
# for remaining tests, disable the feature
|
||||
configchg 's=^\\\\x22accountExternalValidationProgram\\\\x22.+=\\\\x22accountExternalValidationProgram\\\\x22:\\\\x22\\\\x22,='
|
||||
|
@ -43,14 +43,14 @@ testsuite_activeness()
|
|||
grant accountDelete
|
||||
|
||||
# delete account1
|
||||
success realm account1_cleanup $a0 --osh accountDelete --account $account1 --no-confirm
|
||||
success account1_cleanup $a0 --osh accountDelete --account $account1 --no-confirm
|
||||
|
||||
# delete account2
|
||||
script realm account2_cleanup "$a0 --osh accountDelete --account $account2 <<< \"Yes, do as I say and delete $account2, kthxbye\""
|
||||
script account2_cleanup "$a0 --osh accountDelete --account $account2 <<< \"Yes, do as I say and delete $account2, kthxbye\""
|
||||
retvalshouldbe 0
|
||||
|
||||
# delete account3
|
||||
success realm account3_cleanup $a0 --osh accountDelete --account $account3 --no-confirm
|
||||
success account3_cleanup $a0 --osh accountDelete --account $account3 --no-confirm
|
||||
|
||||
revoke accountDelete
|
||||
}
|
||||
|
|
|
@ -11,63 +11,63 @@ testsuite_admin_superowner()
|
|||
grant groupCreate
|
||||
|
||||
# create account1
|
||||
success admin_superowner create_a1 $a0 --osh accountCreate --always-active --account $account1 --uid $uid1 --public-key "\"$(cat $account1key1file.pub)\""
|
||||
success create_a1 $a0 --osh accountCreate --always-active --account $account1 --uid $uid1 --public-key "\"$(cat $account1key1file.pub)\""
|
||||
json .error_code OK .command accountCreate .value null
|
||||
|
||||
# create a group, account1 is not a member or anything
|
||||
success admin_superowner create_g1 $a0 --osh groupCreate --owner $account0 --no-key --group $group1
|
||||
success create_g1 $a0 --osh groupCreate --owner $account0 --no-key --group $group1
|
||||
json .error_code OK .command groupCreate
|
||||
|
||||
# account1 can't add members
|
||||
run admin_superowner a1_add_members_g1_fail $a1 --osh groupAddMember --group $group1 --account $account1
|
||||
run a1_add_members_g1_fail $a1 --osh groupAddMember --group $group1 --account $account1
|
||||
retvalshouldbe 106
|
||||
json .error_code KO_RESTRICTED_COMMAND .command null
|
||||
|
||||
# now set account1 as superowner
|
||||
success admin_superowner set_a1_as_superowner $r0 "\". $opt_remote_basedir/lib/shell/functions.inc; add_user_to_group_compat $account1 osh-superowner\""
|
||||
success set_a1_as_superowner $r0 "\". $opt_remote_basedir/lib/shell/functions.inc; add_user_to_group_compat $account1 osh-superowner\""
|
||||
configchg 's=^\\\\x22superOwnerAccounts\\\\x22.+=\\\\x22superOwnerAccounts\\\\x22:[\\\\x22'"$account1"'\\\\x22],='
|
||||
|
||||
# account1 now can add/del members
|
||||
success admin_superowner a1_add_members_g1_ok $a1 --osh groupAddMember --group $group1 --account $account1
|
||||
success a1_add_members_g1_ok $a1 --osh groupAddMember --group $group1 --account $account1
|
||||
json .error_code OK .command groupAddMember
|
||||
contain OVERRIDE
|
||||
|
||||
success admin_superowner a1_del_members_g1_ok $a1 --osh groupDelMember --group $group1 --account $account1
|
||||
success a1_del_members_g1_ok $a1 --osh groupDelMember --group $group1 --account $account1
|
||||
json .error_code OK .command groupDelMember
|
||||
contain OVERRIDE
|
||||
|
||||
# now set account1 as admin
|
||||
success admin_superowner set_a1_as_admin $r0 "\". $opt_remote_basedir/lib/shell/functions.inc; add_user_to_group_compat $account1 osh-admin\""
|
||||
success set_a1_as_admin $r0 "\". $opt_remote_basedir/lib/shell/functions.inc; add_user_to_group_compat $account1 osh-admin\""
|
||||
configchg 's=^\\\\x22adminAccounts\\\\x22.+=\\\\x22adminAccounts\\\\x22:[\\\\x22'"$account0"'\\\\x22,\\\\x22'"$account1"'\\\\x22],='
|
||||
|
||||
# account1 now can add/del aclkeepers
|
||||
success admin_superowner a1_add_gk_g1_ok $a1 --osh groupAddAclkeeper --group $group1 --account $account1
|
||||
success a1_add_gk_g1_ok $a1 --osh groupAddAclkeeper --group $group1 --account $account1
|
||||
json .error_code OK .command groupAddAclkeeper
|
||||
contain OVERRIDE
|
||||
|
||||
success admin_superowner a1_del_gk_g1_ok $a1 --osh groupDelAclkeeper --group $group1 --account $account1
|
||||
success a1_del_gk_g1_ok $a1 --osh groupDelAclkeeper --group $group1 --account $account1
|
||||
json .error_code OK .command groupDelAclkeeper
|
||||
contain OVERRIDE
|
||||
|
||||
# now remove superowner grant from a1, the account is still admin so it should inherhit superowner powers
|
||||
success admin_superowner del_a1_as_superowner $r0 "\". $opt_remote_basedir/lib/shell/functions.inc; del_user_from_group_compat $account1 osh-superowner\""
|
||||
success del_a1_as_superowner $r0 "\". $opt_remote_basedir/lib/shell/functions.inc; del_user_from_group_compat $account1 osh-superowner\""
|
||||
configchg 's=^\\\\x22superOwnerAccounts\\\\x22.+=\\\\x22superOwnerAccounts\\\\x22:[],='
|
||||
|
||||
# account1 can add/del gatekeepers
|
||||
success admin_superowner a1_add_members_g1_ok2 $a1 --osh groupAddGatekeeper --group $group1 --account $account1
|
||||
success a1_add_members_g1_ok2 $a1 --osh groupAddGatekeeper --group $group1 --account $account1
|
||||
json .error_code OK .command groupAddGatekeeper
|
||||
contain OVERRIDE
|
||||
|
||||
success admin_superowner a1_del_members_g1_ok2 $a1 --osh groupDelGatekeeper --group $group1 --account $account1
|
||||
success a1_del_members_g1_ok2 $a1 --osh groupDelGatekeeper --group $group1 --account $account1
|
||||
json .error_code OK .command groupDelGatekeeper
|
||||
contain OVERRIDE
|
||||
|
||||
# and finally remove admin grant
|
||||
success admin_superowner del_a1_as_admin $r0 "\". $opt_remote_basedir/lib/shell/functions.inc; del_user_from_group_compat $account1 osh-admin\""
|
||||
success del_a1_as_admin $r0 "\". $opt_remote_basedir/lib/shell/functions.inc; del_user_from_group_compat $account1 osh-admin\""
|
||||
configchg 's=^\\\\x22adminAccounts\\\\x22.+=\\\\x22adminAccounts\\\\x22:[\\\\x22'"$account0"'\\\\x22],='
|
||||
|
||||
# account1 can no longer add members
|
||||
run admin_superowner a1_add_members_g1_fail2 $a1 --osh groupAddMember --group $group1 --account $account1
|
||||
run a1_add_members_g1_fail2 $a1 --osh groupAddMember --group $group1 --account $account1
|
||||
retvalshouldbe 106
|
||||
json .error_code KO_RESTRICTED_COMMAND .command null
|
||||
|
||||
|
@ -76,11 +76,11 @@ testsuite_admin_superowner()
|
|||
grant accountDelete
|
||||
grant groupDelete
|
||||
|
||||
script admin_superowner delete_a1 $a0 --osh accountDelete --account $account1 "<<< \"Yes, do as I say and delete $account1, kthxbye\""
|
||||
script delete_a1 $a0 --osh accountDelete --account $account1 "<<< \"Yes, do as I say and delete $account1, kthxbye\""
|
||||
retvalshouldbe 0
|
||||
json .command accountDelete .error_code OK
|
||||
|
||||
script admin_superowner delete_g1 "$a0 --osh groupDelete --group $group1 <<< $group1"
|
||||
script delete_g1 "$a0 --osh groupDelete --group $group1 <<< $group1"
|
||||
retvalshouldbe 0
|
||||
json .command groupDelete .error_code OK
|
||||
|
||||
|
|
|
@ -14,62 +14,62 @@ testsuite_realm()
|
|||
grant accountModify
|
||||
|
||||
# create account1 on local bastion
|
||||
success realm create_account1 $a0 --osh accountCreate --always-active --account $account1 --uid $uid1 --public-key \""$(cat $account1key1file.pub)"\"
|
||||
success create_account1 $a0 --osh accountCreate --always-active --account $account1 --uid $uid1 --public-key \""$(cat $account1key1file.pub)"\"
|
||||
json .error_code OK .command accountCreate .value null
|
||||
success realm modify_account1 $a0 --osh accountModify --pam-auth-bypass yes --account $account1
|
||||
success modify_account1 $a0 --osh accountModify --pam-auth-bypass yes --account $account1
|
||||
json .error_code OK .command accountModify
|
||||
|
||||
# create account2 on local bastion
|
||||
success realm create_account2 $a0 --osh accountCreate --always-active --account $account2 --uid $uid2 --public-key \""$(cat $account2key1file.pub)"\"
|
||||
success create_account2 $a0 --osh accountCreate --always-active --account $account2 --uid $uid2 --public-key \""$(cat $account2key1file.pub)"\"
|
||||
json .error_code OK .command accountCreate .value null
|
||||
success realm modify_account1 $a0 --osh accountModify --pam-auth-bypass yes --account $account2
|
||||
success modify_account1 $a0 --osh accountModify --pam-auth-bypass yes --account $account2
|
||||
json .error_code OK .command accountModify
|
||||
|
||||
revoke accountModify
|
||||
grant groupCreate
|
||||
|
||||
# create realm-egress group on local bastion
|
||||
success realm create_support_group $a0 --osh groupCreate --group $realm_egress_group --owner $account0 --algo rsa --size 4096
|
||||
success create_support_group $a0 --osh groupCreate --group $realm_egress_group --owner $account0 --algo rsa --size 4096
|
||||
local realm_group_key
|
||||
realm_group_key=$(get_json | $jq '.value.public_key.line')
|
||||
|
||||
success realm a0_delowner_egressgroup $a0 --osh groupDelOwner --group $realm_egress_group --account $account0
|
||||
success a0_delowner_egressgroup $a0 --osh groupDelOwner --group $realm_egress_group --account $account0
|
||||
|
||||
# add account1 to this group on local bastion
|
||||
success realm add_account1_to_support_group $a0 --osh groupAddMember --group $realm_egress_group --account $account1
|
||||
success add_account1_to_support_group $a0 --osh groupAddMember --group $realm_egress_group --account $account1
|
||||
|
||||
# add account1 to this group on local bastion
|
||||
success realm add_account2_to_support_group $a0 --osh groupAddMember --group $realm_egress_group --account $account2
|
||||
success add_account2_to_support_group $a0 --osh groupAddMember --group $realm_egress_group --account $account2
|
||||
|
||||
grant realmCreate
|
||||
|
||||
# fail to create a realm with forbidden name
|
||||
plgfail realm realm_forbidden_name $a0 --osh realmCreate --realm realm --from 0.0.0.0/0 --public-key \"$realm_group_key\"
|
||||
plgfail realm_forbidden_name $a0 --osh realmCreate --realm realm --from 0.0.0.0/0 --public-key \"$realm_group_key\"
|
||||
|
||||
# fail to create account with forbidden name
|
||||
plgfail realm account_forbidden_name $a0 --osh accountCreate --account realm_foobar --uid-auto --public-key \""$(cat $account1key1file.pub)"\"
|
||||
plgfail account_forbidden_name $a0 --osh accountCreate --account realm_foobar --uid-auto --public-key \""$(cat $account1key1file.pub)"\"
|
||||
|
||||
# create shared realm-account on remote bastion
|
||||
success realm create_shared_account $a0 --osh realmCreate --realm $realm_shared_account --public-key \"$realm_group_key\" --from 0.0.0.0/0
|
||||
success create_shared_account $a0 --osh realmCreate --realm $realm_shared_account --public-key \"$realm_group_key\" --from 0.0.0.0/0
|
||||
|
||||
revoke accountCreate
|
||||
revoke realmCreate
|
||||
|
||||
# add remote bastion ip on group of local bastion
|
||||
success realm add_remote_bastion_to_group $a0 --osh groupAddServer --host 127.0.0.1 --user realm_$realm_shared_account --port 22 --group $realm_egress_group --kbd-interactive
|
||||
success add_remote_bastion_to_group $a0 --osh groupAddServer --host 127.0.0.1 --user realm_$realm_shared_account --port 22 --group $realm_egress_group --kbd-interactive
|
||||
|
||||
# attempt inter-realm connection
|
||||
success realm firstconnect1 $a1 realm_$realm_shared_account@127.0.0.1 --kbd-interactive -- $js --osh info
|
||||
success firstconnect1 $a1 realm_$realm_shared_account@127.0.0.1 --kbd-interactive -- $js --osh info
|
||||
json .value.account $account1 .value.realm $realm_shared_account
|
||||
|
||||
# attempt inter-realm connection
|
||||
success realm firstconnect2 $a2 realm_$realm_shared_account@127.0.0.1 --kbd-interactive -- $js --osh info
|
||||
success firstconnect2 $a2 realm_$realm_shared_account@127.0.0.1 --kbd-interactive -- $js --osh info
|
||||
json .value.account $account2 .value.realm $realm_shared_account
|
||||
|
||||
# try forbidden plugins
|
||||
for plugin in selfAddPersonalAccess selfAddIngressKey selfDelIngressKey selfGenerateEgressKey selfAddPersonalAccess selfDelPersonalAccess selfPlaySession selfListSessions selfResetIngressKeys
|
||||
do
|
||||
run realm plugindenied $a2 realm_$realm_shared_account@127.0.0.1 --kbd-interactive -- $js --osh $plugin
|
||||
run plugindenied $a2 realm_$realm_shared_account@127.0.0.1 --kbd-interactive -- $js --osh $plugin
|
||||
retvalshouldbe 106
|
||||
json .error_message "Realm accounts can't execute this plugin, use --osh help to get the allowed plugin list" .error_code KO_RESTRICTED_COMMAND
|
||||
done
|
||||
|
@ -77,41 +77,41 @@ testsuite_realm()
|
|||
grant accountAddPersonalAccess
|
||||
|
||||
# add an access to account1 from realm on remote bastion
|
||||
success realm add_access_to_remote $a0 --osh accountAddPersonalAccess --account $realm_shared_account/$account1 --user-any --port-any --host 127.0.0.5
|
||||
success add_access_to_remote $a0 --osh accountAddPersonalAccess --account $realm_shared_account/$account1 --user-any --port-any --host 127.0.0.5
|
||||
json .error_code OK
|
||||
|
||||
# fail to add a dup access to account1 from realm on remote bastion
|
||||
success realm add_access_to_remote_dup $a0 --osh accountAddPersonalAccess --account $realm_shared_account/$account1 --user-any --port-any --host 127.0.0.5
|
||||
success add_access_to_remote_dup $a0 --osh accountAddPersonalAccess --account $realm_shared_account/$account1 --user-any --port-any --host 127.0.0.5
|
||||
json .error_code OK_NO_CHANGE
|
||||
|
||||
# list accesses remotely
|
||||
success realm list_my_accesses1 $a1 realm_$realm_shared_account@127.0.0.1 --kbd-interactive -- $js --osh selfListAccesses
|
||||
success list_my_accesses1 $a1 realm_$realm_shared_account@127.0.0.1 --kbd-interactive -- $js --osh selfListAccesses
|
||||
json .error_code OK .value[0].acl[0].addedBy $account0 .value[0].acl[0].ip 127.0.0.5
|
||||
|
||||
# list accesses remotely
|
||||
success realm list_my_accesses2 $a2 realm_$realm_shared_account@127.0.0.1 --kbd-interactive -- $js --osh selfListAccesses
|
||||
success list_my_accesses2 $a2 realm_$realm_shared_account@127.0.0.1 --kbd-interactive -- $js --osh selfListAccesses
|
||||
json .error_code OK_EMPTY
|
||||
|
||||
# try to access remotely (success)
|
||||
run realm access1 $a1 realm_$realm_shared_account@127.0.0.1 --kbd-interactive -- test@127.0.0.5
|
||||
run access1 $a1 realm_$realm_shared_account@127.0.0.1 --kbd-interactive -- test@127.0.0.5
|
||||
retvalshouldbe 255
|
||||
nocontain 'Access denied'
|
||||
contain 'will try the following accesses you have'
|
||||
|
||||
# try to access remotely (fail)
|
||||
run realm access2 $a2 realm_$realm_shared_account@127.0.0.1 --kbd-interactive -- test@127.0.0.5
|
||||
run access2 $a2 realm_$realm_shared_account@127.0.0.1 --kbd-interactive -- test@127.0.0.5
|
||||
retvalshouldbe 107
|
||||
contain "Access denied for $realm_shared_account/$account2 to test@127.0.0.5:22"
|
||||
|
||||
# create a group on remote bastion
|
||||
success realm create_normal_group $a0 --osh groupCreate --group $group1 --owner $account0 --algo rsa --size 4096
|
||||
success create_normal_group $a0 --osh groupCreate --group $group1 --owner $account0 --algo rsa --size 4096
|
||||
|
||||
# can't add a realm user as gk, aclk or owner of group
|
||||
for acc in "realm_$realm_shared_account" "$realm_shared_account/$account1"
|
||||
do
|
||||
for role in Owner Gatekeeper Aclkeeper
|
||||
do
|
||||
plgfail realm add_${acc}_as_$role $a0 --osh groupAdd$role --group $group1 --account $acc
|
||||
plgfail add_${acc}_as_$role $a0 --osh groupAdd$role --group $group1 --account $acc
|
||||
if [ "$acc" = "$realm_shared_account/$account1" ]; then
|
||||
json .error_code ERR_REALM_USER
|
||||
else
|
||||
|
@ -119,150 +119,150 @@ testsuite_realm()
|
|||
fi
|
||||
done
|
||||
done
|
||||
plgfail realm add_support_account_as_member $a0 --osh groupAddMember --group $group1 --account realm_$realm_shared_account
|
||||
plgfail add_support_account_as_member $a0 --osh groupAddMember --group $group1 --account realm_$realm_shared_account
|
||||
|
||||
# add account1 as member
|
||||
success realm add_account1_as_member $a0 --osh groupAddMember --group $group1 --account $realm_shared_account/$account1
|
||||
success add_account1_as_member $a0 --osh groupAddMember --group $group1 --account $realm_shared_account/$account1
|
||||
json .error_code OK
|
||||
|
||||
success realm add_account1_as_member $a0 --osh groupAddMember --group $group1 --account $realm_shared_account/$account1
|
||||
success add_account1_as_member $a0 --osh groupAddMember --group $group1 --account $realm_shared_account/$account1
|
||||
json .error_code OK_NO_CHANGE
|
||||
|
||||
# check groupInfo
|
||||
success realm groupinfo $a0 --osh groupInfo --group $group1
|
||||
success groupinfo $a0 --osh groupInfo --group $group1
|
||||
json --arg want "$realm_shared_account/$account1 $account0" '.value.members|sort == ($want|split(" ")|sort)' true
|
||||
|
||||
# add a remote account as member
|
||||
success realm add_account2_as_member $a0 --osh groupAddMember --group $group1 --account $realm_shared_account/alien
|
||||
success add_account2_as_member $a0 --osh groupAddMember --group $group1 --account $realm_shared_account/alien
|
||||
json .error_code OK
|
||||
|
||||
success realm add_account2_as_member $a0 --osh groupAddMember --group $group1 --account $realm_shared_account/alien
|
||||
success add_account2_as_member $a0 --osh groupAddMember --group $group1 --account $realm_shared_account/alien
|
||||
json .error_code OK_NO_CHANGE
|
||||
|
||||
# check groupInfo
|
||||
success realm groupinfo $a0 --osh groupInfo --group $group1
|
||||
success groupinfo $a0 --osh groupInfo --group $group1
|
||||
json --arg want "$realm_shared_account/$account1 $realm_shared_account/alien $account0" '.value.members|sort == ($want|split(" ")|sort)' true
|
||||
|
||||
# add a dummy host to the group, to see it in the accountListAccesses afterwards
|
||||
success realm add_server_to_group1 $a0 --osh groupAddServer --group $group1 --host 172.16.4.4 --user nobody --port 12345 --force
|
||||
success realm add_server_to_group1 $a0 --osh groupAddServer --group $group1 --host 172.16.4.4 --user nobody --port 12346 --force
|
||||
success add_server_to_group1 $a0 --osh groupAddServer --group $group1 --host 172.16.4.4 --user nobody --port 12345 --force
|
||||
success add_server_to_group1 $a0 --osh groupAddServer --group $group1 --host 172.16.4.4 --user nobody --port 12346 --force
|
||||
|
||||
success realm removemyselffromaclk $a0 --osh groupDelAclkeeper --group $group1 --account $account0
|
||||
success realm a0_delowner_group1 $a0 --osh groupDelOwner --group $group1 --account $account0
|
||||
success removemyselffromaclk $a0 --osh groupDelAclkeeper --group $group1 --account $account0
|
||||
success a0_delowner_group1 $a0 --osh groupDelOwner --group $group1 --account $account0
|
||||
grant accountListAccesses
|
||||
|
||||
# check access list
|
||||
success realm access_list_account1 $a0 --osh accountListAccesses --account $realm_shared_account/$account1
|
||||
success access_list_account1 $a0 --osh accountListAccesses --account $realm_shared_account/$account1
|
||||
json '.value|[.[]|.type]|sort' '["group-member","personal"]'
|
||||
json '.value[]|select(.type == "personal")|.acl[]|.ip' 127.0.0.5
|
||||
json '.value[]|select(.type == "group-member")|[.acl[]|.port]' '["12345","12346"]'
|
||||
|
||||
# revoke group membership
|
||||
success realm del_account1_as_member $a0 --osh groupDelMember --group $group1 --account $realm_shared_account/$account1
|
||||
success del_account1_as_member $a0 --osh groupDelMember --group $group1 --account $realm_shared_account/$account1
|
||||
json .error_code OK
|
||||
|
||||
success realm del_account1_as_member_dup $a0 --osh groupDelMember --group $group1 --account $realm_shared_account/$account1
|
||||
success del_account1_as_member_dup $a0 --osh groupDelMember --group $group1 --account $realm_shared_account/$account1
|
||||
json .error_code OK_NO_CHANGE
|
||||
|
||||
# check groupInfo
|
||||
success realm groupinfo $a0 --osh groupInfo --group $group1
|
||||
success groupinfo $a0 --osh groupInfo --group $group1
|
||||
json --arg want "$realm_shared_account/alien $account0" '.value.members|sort == ($want|split(" ")|sort)' true
|
||||
|
||||
# check access list
|
||||
success realm access_list_account1_again $a0 --osh accountListAccesses --account $realm_shared_account/$account1
|
||||
success access_list_account1_again $a0 --osh accountListAccesses --account $realm_shared_account/$account1
|
||||
json '.value|[.[]|.type]|sort' '["personal"]'
|
||||
json '.value[]|select(.type == "personal")|.acl[]|.ip' 127.0.0.5
|
||||
|
||||
# check access list
|
||||
success realm access_list_account2_again $a0 --osh accountListAccesses --account $realm_shared_account/alien
|
||||
success access_list_account2_again $a0 --osh accountListAccesses --account $realm_shared_account/alien
|
||||
json '.value|[.[]|.type]|sort' '["group-member"]'
|
||||
json '.value[]|select(.type == "group-member")|[.acl[]|.port]' '["12345","12346"]'
|
||||
|
||||
# revoke group membership
|
||||
success realm del_account2_as_member $a0 --osh groupDelMember --group $group1 --account $realm_shared_account/alien
|
||||
success del_account2_as_member $a0 --osh groupDelMember --group $group1 --account $realm_shared_account/alien
|
||||
json .error_code OK
|
||||
|
||||
success realm del_account2_as_member_dup $a0 --osh groupDelMember --group $group1 --account $realm_shared_account/alien
|
||||
success del_account2_as_member_dup $a0 --osh groupDelMember --group $group1 --account $realm_shared_account/alien
|
||||
json .error_code OK_NO_CHANGE
|
||||
|
||||
# check groupInfo
|
||||
success realm groupinfo $a0 --osh groupInfo --group $group1
|
||||
success groupinfo $a0 --osh groupInfo --group $group1
|
||||
json '.value.members|sort' "[\"$account0\"]"
|
||||
|
||||
# add guest access
|
||||
success realm add_guest_account1 $a0 --osh groupAddGuestAccess --account $realm_shared_account/first --group $group1 --host 172.16.4.4 --user nobody --port 12345
|
||||
success realm add_guest_account1 $a0 --osh groupAddGuestAccess --account $realm_shared_account/first --group $group1 --host 172.16.4.4 --user nobody --port 12346
|
||||
success add_guest_account1 $a0 --osh groupAddGuestAccess --account $realm_shared_account/first --group $group1 --host 172.16.4.4 --user nobody --port 12345
|
||||
success add_guest_account1 $a0 --osh groupAddGuestAccess --account $realm_shared_account/first --group $group1 --host 172.16.4.4 --user nobody --port 12346
|
||||
|
||||
# add other guest access
|
||||
success realm add_guest_account2 $a0 --osh groupAddGuestAccess --account $realm_shared_account/second --group $group1 --host 172.16.4.4 --user nobody --port 12345
|
||||
success add_guest_account2 $a0 --osh groupAddGuestAccess --account $realm_shared_account/second --group $group1 --host 172.16.4.4 --user nobody --port 12345
|
||||
|
||||
# check groupInfo
|
||||
success realm groupinfo $a0 --osh groupInfo --group $group1
|
||||
success groupinfo $a0 --osh groupInfo --group $group1
|
||||
json '.value.members|sort' "[\"$account0\"]"
|
||||
json '.value.guests|sort' "[\"$realm_shared_account/first\",\"$realm_shared_account/second\"]"
|
||||
|
||||
# check access list of account
|
||||
success realm access_list_account1_guest $a0 --osh accountListAccesses --account $realm_shared_account/first
|
||||
success access_list_account1_guest $a0 --osh accountListAccesses --account $realm_shared_account/first
|
||||
json '.value|[.[]|.type]|sort' '["group-guest"]'
|
||||
json '.value[]|select(.type == "group-guest")|[.acl[]|.port]' '["12345","12346"]'
|
||||
|
||||
# remove guest access 1
|
||||
success realm del_guest_account1 $a0 --osh groupDelGuestAccess --account $realm_shared_account/first --group $group1 --host 172.16.4.4 --user nobody --port 12345
|
||||
success del_guest_account1 $a0 --osh groupDelGuestAccess --account $realm_shared_account/first --group $group1 --host 172.16.4.4 --user nobody --port 12345
|
||||
nocontain "removed group key"
|
||||
|
||||
# check access list of account
|
||||
success realm access_list_account1_guest $a0 --osh accountListAccesses --account $realm_shared_account/first
|
||||
success access_list_account1_guest $a0 --osh accountListAccesses --account $realm_shared_account/first
|
||||
json '.value|[.[]|.type]|sort' '["group-guest"]'
|
||||
json '.value[]|select(.type == "group-guest")|.acl[]|.port' 12346
|
||||
|
||||
# remove guest access 1
|
||||
success realm del_guest_account1 $a0 --osh groupDelGuestAccess --account $realm_shared_account/first --group $group1 --host 172.16.4.4 --user nobody --port 12346
|
||||
success del_guest_account1 $a0 --osh groupDelGuestAccess --account $realm_shared_account/first --group $group1 --host 172.16.4.4 --user nobody --port 12346
|
||||
nocontain "removed group key"
|
||||
|
||||
# check groupInfo
|
||||
success realm groupinfo $a0 --osh groupInfo --group $group1
|
||||
success groupinfo $a0 --osh groupInfo --group $group1
|
||||
json '.value.members|sort' "[\"$account0\"]"
|
||||
json '.value.guests|sort' "[\"$realm_shared_account/second\"]"
|
||||
|
||||
# remove last guest access
|
||||
success realm del_guest_account2 $a0 --osh groupDelGuestAccess --account $realm_shared_account/second --group $group1 --host 172.16.4.4 --user nobody --port 12345
|
||||
success del_guest_account2 $a0 --osh groupDelGuestAccess --account $realm_shared_account/second --group $group1 --host 172.16.4.4 --user nobody --port 12345
|
||||
contain "removed group key"
|
||||
|
||||
# check groupInfo
|
||||
success realm groupinfo $a0 --osh groupInfo --group $group1
|
||||
success groupinfo $a0 --osh groupInfo --group $group1
|
||||
json '.value.members|sort' "[\"$account0\"]"
|
||||
json '.value.guests|sort' "[]"
|
||||
|
||||
# check max account length
|
||||
success realm add_guest_account3 $a0 --osh groupAddGuestAccess --account $realm_shared_account/verylongaccountnam --group $group1 --host 172.16.4.4 --user nobody --port 12345
|
||||
success add_guest_account3 $a0 --osh groupAddGuestAccess --account $realm_shared_account/verylongaccountnam --group $group1 --host 172.16.4.4 --user nobody --port 12345
|
||||
|
||||
grant accountDelete
|
||||
|
||||
# delete account1
|
||||
success realm account1_cleanup $a0 --osh accountDelete --account $account1 --no-confirm
|
||||
success account1_cleanup $a0 --osh accountDelete --account $account1 --no-confirm
|
||||
|
||||
# delete account2
|
||||
script realm account2_cleanup "$a0 --osh accountDelete --account $account2 <<< \"Yes, do as I say and delete $account2, kthxbye\""
|
||||
script account2_cleanup "$a0 --osh accountDelete --account $account2 <<< \"Yes, do as I say and delete $account2, kthxbye\""
|
||||
retvalshouldbe 0
|
||||
|
||||
revoke accountDelete
|
||||
grant groupDelete
|
||||
|
||||
# delete realm-egress group
|
||||
run realm cleanup_realm_support_group $a0 --osh groupDelete --group $realm_egress_group --no-confirm
|
||||
run cleanup_realm_support_group $a0 --osh groupDelete --group $realm_egress_group --no-confirm
|
||||
retvalshouldbe 0
|
||||
|
||||
revoke groupDelete
|
||||
grant accountDelete
|
||||
|
||||
# delete shared realm-account
|
||||
script realm cleanup_shared_realm_account_fail "$a0 --osh accountDelete --account realm_$realm_shared_account <<< \"Yes, do as I say and delete realm_$realm_shared_account, kthxbye\""
|
||||
script cleanup_shared_realm_account_fail "$a0 --osh accountDelete --account realm_$realm_shared_account <<< \"Yes, do as I say and delete realm_$realm_shared_account, kthxbye\""
|
||||
retvalshouldbe 100
|
||||
json .error_code KO_FORBIDDEN_PREFIX
|
||||
|
||||
grant realmDelete
|
||||
|
||||
script realm cleanup_shared_realm_account "$a0 --osh realmDelete --realm $realm_shared_account <<< \"Yes, do as I say and delete $realm_shared_account, kthxbye\""
|
||||
script cleanup_shared_realm_account "$a0 --osh realmDelete --realm $realm_shared_account <<< \"Yes, do as I say and delete $realm_shared_account, kthxbye\""
|
||||
retvalshouldbe 0
|
||||
|
||||
revoke realmDelete
|
||||
|
@ -270,7 +270,7 @@ testsuite_realm()
|
|||
grant groupDelete
|
||||
|
||||
# delete group1
|
||||
script realm group_cleanup "$a0 --osh groupDelete --group $group1 <<< \"$group1\""
|
||||
script group_cleanup "$a0 --osh groupDelete --group $group1 <<< \"$group1\""
|
||||
retvalshouldbe 0
|
||||
|
||||
revoke groupDelete
|
||||
|
|
|
@ -9,39 +9,39 @@ testsuite_base()
|
|||
{
|
||||
grant accountCreate
|
||||
# create regular account to compare info access between auditor and non auditor
|
||||
success accountCreate a0_create_a1 $a0 --osh accountCreate --always-active --account $account1 --uid $uid1 --public-key "\"$(cat $account1key1file.pub)\""
|
||||
success a0_create_a1 $a0 --osh accountCreate --always-active --account $account1 --uid $uid1 --public-key "\"$(cat $account1key1file.pub)\""
|
||||
json .error_code OK .command accountCreate .value null
|
||||
revoke accountCreate
|
||||
|
||||
# basic stuff and help
|
||||
run base nocmd $a0
|
||||
run nocmd $a0
|
||||
retvalshouldbe 112
|
||||
contain "command specified and no host to connect to"
|
||||
json .command null .error_code KO_NO_HOST .value null
|
||||
|
||||
success osh empty $a0 -osh
|
||||
success empty $a0 -osh
|
||||
contain "OSH help"
|
||||
json .command help .error_code OK .value null
|
||||
|
||||
success osh help1 $a0 -osh help
|
||||
success help1 $a0 -osh help
|
||||
contain "OSH help"
|
||||
json .error_code OK .command help .value null
|
||||
|
||||
success osh help2 $a0 --osh help
|
||||
success help2 $a0 --osh help
|
||||
contain "OSH help"
|
||||
json .error_code OK .command help .value null
|
||||
|
||||
run osh boguscmd $a0 --osh nonexistent
|
||||
run boguscmd $a0 --osh nonexistent
|
||||
retvalshouldbe 104
|
||||
contain "Unknown command"
|
||||
json .error_code KO_UNKNOWN_COMMAND .command null .value null
|
||||
|
||||
# grant account0 as admin
|
||||
success admin_superowner set_a0_as_admin $r0 "\". $opt_remote_basedir/lib/shell/functions.inc; add_user_to_group_compat $account0 osh-admin\""
|
||||
success set_a0_as_admin $r0 "\". $opt_remote_basedir/lib/shell/functions.inc; add_user_to_group_compat $account0 osh-admin\""
|
||||
configchg 's=^\\\\x22adminAccounts\\\\x22.+=\\\\x22adminAccounts\\\\x22:[\\\\x22'"$account0"'\\\\x22],='
|
||||
# grant account1 as auditor
|
||||
success osh accountGrantAuditor $a0 --osh accountGrantCommand --command auditor --account $account1
|
||||
success osh info $a1 --osh info
|
||||
success accountGrantAuditor $a0 --osh accountGrantCommand --command auditor --account $account1
|
||||
success info $a1 --osh info
|
||||
contain "Your alias to connect"
|
||||
contain "My admins are: "
|
||||
contain "My super owners are: "
|
||||
|
@ -49,7 +49,7 @@ testsuite_base()
|
|||
|
||||
|
||||
# now check that regular user do not see admins list
|
||||
success osh info $a0 -osh info
|
||||
success info $a0 -osh info
|
||||
contain "Your alias to connect"
|
||||
nocontain "My admins are: "
|
||||
nocontain "My super owners are: "
|
||||
|
@ -57,7 +57,7 @@ testsuite_base()
|
|||
|
||||
# delete account1
|
||||
grant accountDelete
|
||||
success admin_superowner delete_a1 $a0 --osh accountDelete --account $account1 --no-confirm
|
||||
success delete_a1 $a0 --osh accountDelete --account $account1 --no-confirm
|
||||
revoke accountDelete
|
||||
|
||||
}
|
||||
|
|
|
@ -9,31 +9,31 @@ testsuite_accountinfo()
|
|||
{
|
||||
grant accountCreate
|
||||
# create regular account to compare info access between auditor and non auditor
|
||||
success 325-accountinfo a0_create_a1 $a0 --osh accountCreate --always-active --account $account1 --uid $uid1 --public-key "\"$(cat $account1key1file.pub)\""
|
||||
success a0_create_a1 $a0 --osh accountCreate --always-active --account $account1 --uid $uid1 --public-key "\"$(cat $account1key1file.pub)\""
|
||||
json .error_code OK .command accountCreate .value null
|
||||
|
||||
# create another target account we'll use for accountInfo
|
||||
success 325-accountinfo a0_create_a2 $a0 --osh accountCreate --always-active --account $account2 --uid $uid2 --public-key "\"$(cat $account2key1file.pub)\"" --comment "\"'this is a comment'\""
|
||||
success a0_create_a2 $a0 --osh accountCreate --always-active --account $account2 --uid $uid2 --public-key "\"$(cat $account2key1file.pub)\"" --comment "\"'this is a comment'\""
|
||||
json .error_code OK .command accountCreate .value null
|
||||
revoke accountCreate
|
||||
|
||||
# grant account0 as admin
|
||||
success 325-accountinfo set_a0_as_admin $r0 "\". $opt_remote_basedir/lib/shell/functions.inc; add_user_to_group_compat $account0 osh-admin\""
|
||||
success set_a0_as_admin $r0 "\". $opt_remote_basedir/lib/shell/functions.inc; add_user_to_group_compat $account0 osh-admin\""
|
||||
configchg 's=^\\\\x22adminAccounts\\\\x22.+=\\\\x22adminAccounts\\\\x22:[\\\\x22'"$account0"'\\\\x22],='
|
||||
|
||||
# grant account1 as auditor
|
||||
success 325-accountinfo a0_grant_a1_as_auditor $a0 --osh accountGrantCommand --command auditor --account $account1
|
||||
success a0_grant_a1_as_auditor $a0 --osh accountGrantCommand --command auditor --account $account1
|
||||
|
||||
# grant accountInfo to a0 and a1
|
||||
success 325-accountinfo a0_grant_a0_accountinfo $a0 --osh accountGrantCommand --command accountInfo --account $account0
|
||||
success 325-accountinfo a0_grant_a1_accountinfo $a0 --osh accountGrantCommand --command accountInfo --account $account1
|
||||
success a0_grant_a0_accountinfo $a0 --osh accountGrantCommand --command accountInfo --account $account0
|
||||
success a0_grant_a1_accountinfo $a0 --osh accountGrantCommand --command accountInfo --account $account1
|
||||
|
||||
# a0 should see basic info about a2
|
||||
success 325-accountinfo a0_accountinfo_a2_basic $a0 --osh accountInfo --account $account2
|
||||
json_document '{"error_message":"OK","command":"accountInfo","error_code":"OK","value":{"always_active":1,"is_active":1,"allowed_commands":[],}}'
|
||||
success a0_accountinfo_a2_basic $a0 --osh accountInfo --account $account2
|
||||
json_document '{"error_message":"OK","command":"accountInfo","error_code":"OK","value":{"always_active":1,"is_active":1,"allowed_commands":[],"groups":{}}}'
|
||||
|
||||
# a1 should see detailed info about a2
|
||||
success 325-accountinfo a1_accountinfo_a2_detailed $a1 --osh accountInfo --account $account2
|
||||
success a1_accountinfo_a2_detailed $a1 --osh accountInfo --account $account2
|
||||
json .error_code OK .command accountInfo .value.always_active 1 .value.is_active 1 .value.allowed_commands "[]"
|
||||
json .value.ingress_piv_policy null .value.personal_egress_mfa_required none .value.pam_auth_bypass 0
|
||||
json .value.password.min_days 0 .value.password.warn_days 7 .value.password.user "$account2" .value.password.password locked
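Review bot: The expected document for `a0_accountinfo_a2_basic` changes content, not just the test name: the new line drops the trailing `,}}` of the old expectation (which was not valid JSON) and adds `"groups":{}` under `.value`. That is a functional change to what accountInfo is asserted to return for a non-auditor caller, while the commit message only describes the removal of the section argument; it would be clearer to mention it there or land it separately. If `json_document` compares the whole document, this also suggests the old assertion was failing or being silently tolerated before this commit, which is worth a sentence in the description.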
|
||||
|
@ -44,44 +44,44 @@ testsuite_accountinfo()
|
|||
json .value.max_inactive_days null
|
||||
|
||||
# a2 connects, which will update already_seen_before
|
||||
success 325-accountinfo a2_connects $a2 --osh info
|
||||
success a2_connects $a2 --osh info
|
||||
json .command info .error_code OK
|
||||
|
||||
# a1 should see the updated fields
|
||||
success 325-accountinfo a1_accountinfo_a2_detailed2 $a1 --osh accountInfo --account $account2
|
||||
success a1_accountinfo_a2_detailed2 $a1 --osh accountInfo --account $account2
|
||||
json .value.already_seen_before 1
|
||||
contain "Last seen on"
|
||||
|
||||
grant accountModify
|
||||
|
||||
# a0 changes a2 expiration policy
|
||||
success 325-accountinfo a0_accountmodify_a2_expi_15 $a0 --osh accountModify --account $account2 --max-inactive-days 15
|
||||
success a0_accountmodify_a2_expi_15 $a0 --osh accountModify --account $account2 --max-inactive-days 15
|
||||
|
||||
# a1 should see the updated field
|
||||
success 325-accountinfo a1_accountinfo_a2_inactive_days $a1 --osh accountInfo --account $account2
|
||||
success a1_accountinfo_a2_inactive_days $a1 --osh accountInfo --account $account2
|
||||
json .value.max_inactive_days 15
|
||||
|
||||
# a0 changes a2 expiration policy
|
||||
success 325-accountinfo a0_accountmodify_a2_expi_disabled $a0 --osh accountModify --account $account2 --max-inactive-days 0
|
||||
success a0_accountmodify_a2_expi_disabled $a0 --osh accountModify --account $account2 --max-inactive-days 0
|
||||
|
||||
# a1 should see the updated field
|
||||
success 325-accountinfo a1_accountinfo_a2_inactive_days_disabled $a1 --osh accountInfo --account $account2
|
||||
success a1_accountinfo_a2_inactive_days_disabled $a1 --osh accountInfo --account $account2
|
||||
json .value.max_inactive_days 0
|
||||
|
||||
# a0 changes a2 expiration policy
|
||||
success 325-accountinfo a0_accountmodify_a2_expi_default $a0 --osh accountModify --account $account2 --max-inactive-days -1
|
||||
success a0_accountmodify_a2_expi_default $a0 --osh accountModify --account $account2 --max-inactive-days -1
|
||||
|
||||
# a1 should see the updated field
|
||||
success 325-accountinfo a1_accountinfo_a2_inactive_days_default $a1 --osh accountInfo --account $account2
|
||||
success a1_accountinfo_a2_inactive_days_default $a1 --osh accountInfo --account $account2
|
||||
json .value.max_inactive_days null
|
||||
|
||||
# should work with accountcreate too
|
||||
grant accountCreate
|
||||
success 325-accountinfo a0_accountcreate_a4_max_inactive_days $a0 --osh accountCreate --account $account4 --uid $uid4 --max-inactive-days 42 --no-key
|
||||
success a0_accountcreate_a4_max_inactive_days $a0 --osh accountCreate --account $account4 --uid $uid4 --max-inactive-days 42 --no-key
|
||||
revoke accountCreate
|
||||
|
||||
grant auditor
|
||||
success 325-accountinfo a0_accountinfo_a4_max_inactive_days $a0 --osh accountInfo --account $account4
|
||||
success a0_accountinfo_a4_max_inactive_days $a0 --osh accountInfo --account $account4
|
||||
json .value.max_inactive_days 42
|
||||
revoke auditor
|
||||
|
||||
|
@ -89,9 +89,9 @@ testsuite_accountinfo()
|
|||
|
||||
# delete account1 & account2
|
||||
grant accountDelete
|
||||
success 325-accountinfo a0_delete_a1 $a0 --osh accountDelete --account $account1 --no-confirm
|
||||
success 325-accountinfo a0_delete_a2 $a0 --osh accountDelete --account $account2 --no-confirm
|
||||
success 325-accountinfo a0_delete_a4 $a0 --osh accountDelete --account $account4 --no-confirm
|
||||
success a0_delete_a1 $a0 --osh accountDelete --account $account1 --no-confirm
|
||||
success a0_delete_a2 $a0 --osh accountDelete --account $account2 --no-confirm
|
||||
success a0_delete_a4 $a0 --osh accountDelete --account $account4 --no-confirm
|
||||
revoke accountDelete
|
||||
}
|
||||
|
||||
|
|
|
@ -15,7 +15,7 @@ _ingress_from_test()
|
|||
keytoadd="$4"
|
||||
fingerprint="$5"
|
||||
|
||||
script selfAddIngressKey $name "echo '$keytoadd' | $a1 --osh selfAddIngressKey"
|
||||
script $name "echo '$keytoadd' | $a1 --osh selfAddIngressKey"
|
||||
retvalshouldbe 0
|
||||
json .value.connect_only_from[0] $ip1
|
||||
json .value.connect_only_from[1] $ip2
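Review bot: `script $name "echo '$keytoadd' | $a1 --osh selfAddIngressKey"` now depends on an unquoted `$name` being the first argument of `script`; with the section argument gone, an empty or whitespace-containing `$name` would silently shift the command string into the name position instead of failing. Quote it: `script "$name" "echo '$keytoadd' | $a1 --osh selfAddIngressKey"`. The same applies to the `$name` call sites in the hunks at -27, -36 and -59 of `_ingress_from_test` (`success $name ...` and `script $name ...`). `_ingress_from_test` starts before this hunk, so where `$name` is assigned is not visible here.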
|
||||
|
@ -27,7 +27,7 @@ _ingress_from_test()
|
|||
json .value.key.prefix "from=\"$ip1,$ip2\""
|
||||
fi
|
||||
|
||||
success selfListIngressKeys $name $a1 --osh selfListIngressKeys
|
||||
success $name $a1 --osh selfListIngressKeys
|
||||
json .value.keys[1].from_list[0] $ip1
|
||||
json .value.keys[1].from_list[1] $ip2
|
||||
if [ "$ip1" = null ] && [ "$ip2" = null ]; then
|
||||
|
@ -36,18 +36,18 @@ _ingress_from_test()
|
|||
json .value.keys[1].prefix "from=\"$ip1,$ip2\""
|
||||
fi
|
||||
|
||||
success selfDelIngressKey $name $a1 --osh selfDelIngressKey -f "$fingerprint"
|
||||
success $name $a1 --osh selfDelIngressKey -f "$fingerprint"
|
||||
|
||||
# now on account creation
|
||||
grant accountCreate
|
||||
|
||||
script accountCreate $name "echo '$keytoadd' | $a0 --osh accountCreate --account $account2 --uid $uid2"
|
||||
script $name "echo '$keytoadd' | $a0 --osh accountCreate --account $account2 --uid $uid2"
|
||||
json .error_code OK .command accountCreate .value null
|
||||
|
||||
revoke accountCreate
|
||||
grant accountListIngressKeys
|
||||
|
||||
success accountListIngressKeys $name $a0 --osh accountListIngressKeys --account $account2
|
||||
success $name $a0 --osh accountListIngressKeys --account $account2
|
||||
json .value.keys[0].from_list[0] $ip1
|
||||
json .value.keys[0].from_list[1] $ip2
|
||||
if [ "$ip1" = null ] && [ "$ip2" = null ]; then
|
||||
|
@ -59,7 +59,7 @@ _ingress_from_test()
|
|||
revoke accountListIngressKeys
|
||||
grant accountDelete
|
||||
|
||||
script accountDelete $name "$a0 --osh accountDelete --account $account2" "<<< \"Yes, do as I say and delete $account2, kthxbye\""
|
||||
script $name "$a0 --osh accountDelete --account $account2" "<<< \"Yes, do as I say and delete $account2, kthxbye\""
|
||||
retvalshouldbe 0
|
||||
json .error_code OK .command accountDelete
|
||||
|
||||
|
@ -70,7 +70,7 @@ testsuite_selfkeys()
|
|||
{
|
||||
grant accountCreate
|
||||
|
||||
success osh accountCreate $a0 --osh accountCreate --always-active --account $account1 --uid $uid1 --public-key \""$(cat $account1key1file.pub)"\"
|
||||
success accountCreate $a0 --osh accountCreate --always-active --account $account1 --uid $uid1 --public-key \""$(cat $account1key1file.pub)"\"
|
||||
json .error_code OK .command accountCreate .value null
|
||||
|
||||
revoke accountCreate
|
||||
|
@ -82,55 +82,55 @@ testsuite_selfkeys()
|
|||
|
||||
configchg 's=^\\\\x22minimumIngressRsaKeySize\\\\x22.+=\\\\x22minimumIngressRsaKeySize\\\\x22:4096,='
|
||||
|
||||
success accountssh info0 $a0 --osh accountInfo --account $account1
|
||||
success info0 $a0 --osh accountInfo --account $account1
|
||||
json .error_code OK .command accountInfo
|
||||
json .value.account_egress_ssh_config.type default
|
||||
|
||||
success accountssh modifyssh1 $a0 --osh accountModify --account $account1 --egress-strict-host-key-checking no
|
||||
success modifyssh1 $a0 --osh accountModify --account $account1 --egress-strict-host-key-checking no
|
||||
json .error_code OK .command accountModify
|
||||
|
||||
success accountssh info1 $a0 --osh accountInfo --account $account1
|
||||
success info1 $a0 --osh accountInfo --account $account1
|
||||
json .error_code OK .command accountInfo
|
||||
json .value.account_egress_ssh_config.type custom
|
||||
json .value.account_egress_ssh_config.items.stricthostkeychecking no
|
||||
|
||||
success accountssh modifyssh2 $a0 --osh accountModify --account $account1 --egress-strict-host-key-checking accept-new
|
||||
success modifyssh2 $a0 --osh accountModify --account $account1 --egress-strict-host-key-checking accept-new
|
||||
json .error_code OK .command accountModify
|
||||
|
||||
success accountssh info2 $a0 --osh accountInfo --account $account1
|
||||
success info2 $a0 --osh accountInfo --account $account1
|
||||
json .error_code OK .command accountInfo
|
||||
json .value.account_egress_ssh_config.type custom
|
||||
json .value.account_egress_ssh_config.items.stricthostkeychecking accept-new
|
||||
|
||||
success accountssh modifyssh2 $a0 --osh accountModify --account $account1 --egress-strict-host-key-checking yes
|
||||
success modifyssh2 $a0 --osh accountModify --account $account1 --egress-strict-host-key-checking yes
|
||||
json .error_code OK .command accountModify
|
||||
|
||||
success accountssh info2 $a0 --osh accountInfo --account $account1
|
||||
success info2 $a0 --osh accountInfo --account $account1
|
||||
json .error_code OK .command accountInfo
|
||||
json .value.account_egress_ssh_config.type custom
|
||||
json .value.account_egress_ssh_config.items.stricthostkeychecking yes
|
||||
|
||||
success accountssh modifyssh3 $a0 --osh accountModify --account $account1 --egress-strict-host-key-checking ask
|
||||
success modifyssh3 $a0 --osh accountModify --account $account1 --egress-strict-host-key-checking ask
|
||||
json .error_code OK .command accountModify
|
||||
|
||||
success accountssh info3 $a0 --osh accountInfo --account $account1
|
||||
success info3 $a0 --osh accountInfo --account $account1
|
||||
json .error_code OK .command accountInfo
|
||||
json .value.account_egress_ssh_config.type custom
|
||||
json .value.account_egress_ssh_config.items.stricthostkeychecking ask
|
||||
|
||||
success accountssh modifyssh4 $a0 --osh accountModify --account $account1 --egress-strict-host-key-checking bypass
|
||||
success modifyssh4 $a0 --osh accountModify --account $account1 --egress-strict-host-key-checking bypass
|
||||
json .error_code OK .command accountModify
|
||||
|
||||
success accountssh info4 $a0 --osh accountInfo --account $account1
|
||||
success info4 $a0 --osh accountInfo --account $account1
|
||||
json .error_code OK .command accountInfo
|
||||
json .value.account_egress_ssh_config.type custom
|
||||
json .value.account_egress_ssh_config.items.stricthostkeychecking no
|
||||
json .value.account_egress_ssh_config.items.userknownhostsfile /dev/null
|
||||
|
||||
success accountssh modifyssh5 $a0 --osh accountModify --account $account1 --egress-strict-host-key-checking default
|
||||
success modifyssh5 $a0 --osh accountModify --account $account1 --egress-strict-host-key-checking default
|
||||
json .error_code OK .command accountModify
|
||||
|
||||
success accountssh info5 $a0 --osh accountInfo --account $account1
|
||||
success info5 $a0 --osh accountInfo --account $account1
|
||||
json .error_code OK .command accountInfo
|
||||
json .value.account_egress_ssh_config.type default
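Review bot: With the section argument removed, the test name is the only per-module identifier, yet this hunk reuses `modifyssh2` and `info2` for two different cases each (the `accept-new` pair and the `yes` pair); if names are used as keys when results are collected, the second pair would overwrite or be indistinguishable from the first in reports. Renaming the second pair, e.g. `success modifyssh2_yes $a0 --osh accountModify --account $account1 --egress-strict-host-key-checking yes` and `success info2_yes $a0 --osh accountInfo --account $account1`, keeps them distinct. The same pattern appears in the hunks at -178 and -192, where `privkey` names four different private-key inputs (DSA, RSA, EC and OPENSSH).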
|
||||
|
||||
|
@ -138,13 +138,13 @@ testsuite_selfkeys()
|
|||
revoke accountInfo
|
||||
# </accountModify --egress-strict-host-key-checking>
|
||||
|
||||
success realm modify_account1 $a0 --osh accountModify --pam-auth-bypass yes --account $account1
|
||||
success modify_account1 $a0 --osh accountModify --pam-auth-bypass yes --account $account1
|
||||
json .error_code OK .command accountModify
|
||||
|
||||
revoke accountModify
|
||||
grant accountListEgressKeys
|
||||
|
||||
success osh accountListEgressKeys $a0 --osh accountListEgressKeys --account $account1
|
||||
success accountListEgressKeys $a0 --osh accountListEgressKeys --account $account1
|
||||
contain "keyline"
|
||||
json .error_code OK .command accountListEgressKeys
|
||||
set +e
|
||||
|
@ -166,7 +166,7 @@ EOS
|
|||
revoke accountListEgressKeys
|
||||
|
||||
# add del list pub keys
|
||||
success selfListIngressKeys beforeadd $a1 -osh selfListIngressKeys
|
||||
success beforeadd $a1 -osh selfListIngressKeys
|
||||
json $(cat <<EOS
|
||||
.command selfListIngressKeys
|
||||
.error_code OK
|
||||
|
@ -178,10 +178,10 @@ EOS
|
|||
)
|
||||
account1key1fp=$(get_json | $jq '.value.keys[0].fingerprint')
|
||||
|
||||
script selfAddIngressKey flood $a1 -osh selfAddIngressKey '<' /dev/urandom
|
||||
script flood $a1 -osh selfAddIngressKey '<' /dev/urandom
|
||||
retvalshouldbe 255
|
||||
|
||||
script selfAddIngressKey privkey $a1 -osh selfAddIngressKey '<<< "-----BEGIN DSA PRIVATE KEY-----
|
||||
script privkey $a1 -osh selfAddIngressKey '<<< "-----BEGIN DSA PRIVATE KEY-----
|
||||
MIIBugIBAAKBgQCawvohH0r9B4NxdaYHiBT5pLWDe14o3MTE3WwtKF0l7az+zw0P"'
|
||||
retvalshouldbe 100
|
||||
contain "HOLY SH"
|
||||
|
@ -192,36 +192,36 @@ EOS
|
|||
EOS
|
||||
)
|
||||
|
||||
script selfAddIngressKey privkey $a1 -osh selfAddIngressKey '<<< "-----BEGIN RSA PRIVATE KEY-----
|
||||
script privkey $a1 -osh selfAddIngressKey '<<< "-----BEGIN RSA PRIVATE KEY-----
|
||||
MIIBugIBAAKBgQCawvohH0r9B4NxdaYHiBT5pLWDe14o3MTE3WwtKF0l7az+zw0P"'
|
||||
retvalshouldbe 100
|
||||
contain "HOLY SH"
|
||||
json .command selfAddIngressKey .error_code KO_PRIVATE_KEY .value null
|
||||
|
||||
script selfAddIngressKey privkey $a1 -osh selfAddIngressKey '<<< "-----BEGIN EC PRIVATE KEY-----
|
||||
script privkey $a1 -osh selfAddIngressKey '<<< "-----BEGIN EC PRIVATE KEY-----
|
||||
MIIBugIBAAKBgQCawvohH0r9B4NxdaYHiBT5pLWDe14o3MTE3WwtKF0l7az+zw0P"'
|
||||
retvalshouldbe 100
|
||||
contain "HOLY SH"
|
||||
json .command selfAddIngressKey .error_code KO_PRIVATE_KEY .value null
|
||||
|
||||
script selfAddIngressKey privkey $a1 -osh selfAddIngressKey '<<< "-----BEGIN OPENSSH PRIVATE KEY-----
|
||||
script privkey $a1 -osh selfAddIngressKey '<<< "-----BEGIN OPENSSH PRIVATE KEY-----
|
||||
MIIBugIBAAKBgQCawvohH0r9B4NxdaYHiBT5pLWDe14o3MTE3WwtKF0l7az+zw0P"'
|
||||
retvalshouldbe 100
|
||||
contain "HOLY SH"
|
||||
json .command selfAddIngressKey .error_code KO_PRIVATE_KEY .value null
|
||||
|
||||
script selfAddIngressKey bogus $a1 -osh selfAddIngressKey '<<<' "bogus"
|
||||
script bogus $a1 -osh selfAddIngressKey '<<<' "bogus"
|
||||
retvalshouldbe 100
|
||||
contain "look like an SSH public key"
|
||||
json .command selfAddIngressKey .error_code KO_NOT_A_KEY .value.key.line bogus
|
||||
|
||||
script selfAddIngressKey eof $a1 -osh selfAddIngressKey '</dev/null'
|
||||
script eof $a1 -osh selfAddIngressKey '</dev/null'
|
||||
retvalshouldbe 100
|
||||
contain "look like an SSH public key"
|
||||
json .command selfAddIngressKey .error_code KO_NOT_A_KEY .value null
|
||||
|
||||
b64='AAAAB3NzaC1kc3MAAACBAPOCqEho94k9fEArLgR1kuNTMo52aozaw1jr7sKLTjt3BZslvt3zl264THsIN4XeuI6noiD7QwCO3PSMUsPnrlreQEGff8f97IE+LpH7rZQB7kSM50PGk0QfS1qpVnWbsi5NAvV3ib12gErtXg/YiJfx0x+lWaZTMkaFUdwpyaEXAAAAFQCOng3YNx+KK38h6675jJD78k6bpwAAAIEA2Y/3CZHgzIIBtddVssfLBv3196SAbYMA/eDmsbTM9dyhWdAGPc36/sfveITpbQ2kZYvR4S1pstQ4ZNMM3cdD6GHy+CkDXYEH7SbEa60jEaIue3OK4FhtBLSs4n7sIzNYgRm8hoXYNM4jpC+zf1dpUqIZd1d742JPFJAk07vnj2AAAACAWWpKTEg9ArdpkkvX6FC5lxq7uhVN1uo7+5TBCE8C31fXppHfp9M2FvL2hubbIRYJ+QNDzU+f0UYJr2Nv1v3tyG8LJ2942B9ym+TYb6SzMJ20jWW5v+wfSXuwaPLIAWYFLIbUCp/pv+BnQKAXrVLIsM+iWj6amB/2NrZH5q0j/8k='
|
||||
script selfAddIngressKey dsa $a1 -osh selfAddIngressKey "<<< \"ssh-dss $b64 test@dsa\""
|
||||
script dsa $a1 -osh selfAddIngressKey "<<< \"ssh-dss $b64 test@dsa\""
|
||||
retvalshouldbe 100
|
||||
contain "Wait, DSA key"
|
||||
# here we need to determine if ssh-keygen is using MD5 or SHA256 for fingerprints
|
||||
|
@ -246,7 +246,7 @@ EOS
|
|||
.value.key.line "ssh-dss $b64 test@dsa" \
|
||||
.value.key.prefix ""
|
||||
|
||||
script selfAddIngressKey dsaDup $a1 -osh selfAddIngressKey "<<< \"ssh-dss $b64 test@dsaduplicate\""
|
||||
script dsaDup $a1 -osh selfAddIngressKey "<<< \"ssh-dss $b64 test@dsaduplicate\""
|
||||
retvalshouldbe 100
|
||||
contain "Wait, DSA key"
|
||||
json $(cat <<EOS
|
||||
|
@ -267,7 +267,7 @@ EOS
|
|||
b64='AAAAB3NzaC1yc2EAAAADAQABAAAAgQDNbJemAKF6u4xZtbbkHtQeXeh9EvsYgBdUlnES1oBSS/ICKU7lcUrW4UvUpYLQ0+N1f0XaYfGO01BnEPwJDYJngkybh1Qwo6IbCBySpIFJG7ToK4M1U2arALGelwgoVP3AE+HoLjSH9W0ZisBvWtiyCekBWnzf+kD5hLkblPXYkQ=='
|
||||
fp1024="SHA256:tHu5MD2vgUWxduQUnXqtHaRCCbez7CB9hOvD7zMZu/U"
|
||||
[ "$FP_TYPE" = md5 ] && fp1024="65:94:cc:f1:5d:29:6e:11:70:44:ce:a8:61:df:25:0a"
|
||||
script selfAddIngressKey rsa1024 $a1 -osh selfAddIngressKey "<<< \"ssh-rsa $b64 test@rsa1024\""
|
||||
script rsa1024 $a1 -osh selfAddIngressKey "<<< \"ssh-rsa $b64 test@rsa1024\""
|
||||
retvalshouldbe 100
|
||||
contain "This is too small"
|
||||
json $(cat <<EOS
|
||||
|
@ -288,7 +288,7 @@ EOS
|
|||
b64='AAAAB3NzaC1yc2EAAAADAQABAAABAQDUcjtSpPwY9kdBtmfAURXEIwvUnfJ41acboaNyXU0Vv9C0hg6DNemm8FjDC4xp9AtQgKc8Sq2VGrUXIMO/xxD8LA9u3DjwWLYAzoBYGzKZ9p7QynoeEAa/Fpv811LmSJMVw1NPDahMrv1mVR4vXrU5Z/S4VkIEY19DnO0TlpciWPC9ePLhcF/MIb2dwzRlWaKm0JRw8D/V3aPbacyZL1zO+Gdk8an95DZ7T8KbxDdLxf6pLLWbtdMxZKnTQeAJGW7JXsf6ybmHgOqHTI3gWfydbRe0bHBcqORT21resFcqqyqKrKjGedWYqDraAi3k8G+U0T8RwDGMJpC2EFDk7c0H'
|
||||
fp2048="SHA256:ZdeU0HZyYoqz+ysPxoZ5cUX8eDIV4PIn7s0oDipqUnI"
|
||||
[ "$FP_TYPE" = md5 ] && fp2048="a0:cf:72:54:59:b5:61:26:37:5f:98:14:83:c7:d3:8f"
|
||||
script selfAddIngressKey rsa2048 $a1 -osh selfAddIngressKey "<<< \"ssh-rsa $b64 test@rsa2048\""
|
||||
script rsa2048 $a1 -osh selfAddIngressKey "<<< \"ssh-rsa $b64 test@rsa2048\""
|
||||
retvalshouldbe 100
|
||||
contain "This is too small"
|
||||
json $(cat <<EOS
|
||||
|
@ -309,7 +309,7 @@ EOS
|
|||
b64='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'
|
||||
fp4096="SHA256:esuEP68vVxW7uJd1jxUXfmMj0Hk3my/Lv181K/XFlfY"
|
||||
[ "$FP_TYPE" = md5 ] && fp4096="84:0a:ae:13:62:1e:c4:bc:d7:2b:b4:d4:fe:c8:6d:0a"
|
||||
script selfAddIngressKey rsa4096 $a1 -osh selfAddIngressKey "<<< \"ssh-rsa $b64 test@rsa4096\""
|
||||
script rsa4096 $a1 -osh selfAddIngressKey "<<< \"ssh-rsa $b64 test@rsa4096\""
|
||||
retvalshouldbe 0
|
||||
contain "key successfully added"
|
||||
json $(cat <<EOS
|
||||
|
@ -326,7 +326,7 @@ EOS
|
|||
.value.key.line "ssh-rsa $b64 test@rsa4096" \
|
||||
.value.key.prefix ""
|
||||
|
||||
script selfAddIngressKey rsa4096dup $a1 -osh selfAddIngressKey "<<< \"ssh-rsa $b64 test@rsa4096duplicate\""
|
||||
script rsa4096dup $a1 -osh selfAddIngressKey "<<< \"ssh-rsa $b64 test@rsa4096duplicate\""
|
||||
retvalshouldbe 100
|
||||
contain "already exists"
|
||||
json $(cat <<EOS
|
||||
|
@ -347,7 +347,7 @@ EOS
|
|||
b64='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'
|
||||
fp8192="SHA256:nQl/AkakKTV25MKXZQpEBAEECq2BKLBqrRICR0YBn8s"
|
||||
[ "$FP_TYPE" = md5 ] && fp8192="cd:26:73:ff:7e:b5:72:d7:7d:d5:dd:da:d7:c0:8d:35"
|
||||
script selfAddIngressKey rsa8192 $a1 -osh selfAddIngressKey "<<< \"ssh-rsa $b64 test@rsa8192\""
|
||||
script rsa8192 $a1 -osh selfAddIngressKey "<<< \"ssh-rsa $b64 test@rsa8192\""
|
||||
retvalshouldbe 0
|
||||
contain "key successfully added"
|
||||
json $(cat <<EOS
|
||||
|
@ -368,7 +368,7 @@ EOS
|
|||
b64='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'
|
||||
fp16384="SHA256:xexcqmW+ZCLf5ulEQvVoldakfEJMcD51myTuxQbkgIA"
|
||||
[ "$FP_TYPE" = md5 ] && fp16384="fc:67:ee:6d:0e:d4:19:46:38:8f:2c:6b:e1:e8:07:f3"
|
||||
script selfAddIngressKey rsa16384 $a1 -osh selfAddIngressKey "<<< \"ssh-rsa $b64 test@rsa16384\""
|
||||
script rsa16384 $a1 -osh selfAddIngressKey "<<< \"ssh-rsa $b64 test@rsa16384\""
|
||||
retvalshouldbe 0
|
||||
contain "key successfully added"
|
||||
json $(cat <<EOS
|
||||
|
@ -389,7 +389,7 @@ EOS
|
|||
b64='AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBezrCa6RsyyWnHDypyGZ4/72UsiLaDmJ+A04vVuxO0XsjrhX52Q7zkz5NOA2VccAFJCLwN9h/+LLrIxM6FK64k='
|
||||
fpe256="SHA256:7jAGgQXAu4DfrL5cpa1Gh5gDJjwLDGLr0Ahc5TwTPOA"
|
||||
[ "$FP_TYPE" = md5 ] && fpe256="4d:35:52:9f:0f:c7:54:68:7e:57:c5:10:32:54:da:bc"
|
||||
script selfAddIngressKey ecdsa256 $a1 -osh selfAddIngressKey "<<< \"ecdsa-sha2-nistp256 $b64 test@ecdsa256\""
|
||||
script ecdsa256 $a1 -osh selfAddIngressKey "<<< \"ecdsa-sha2-nistp256 $b64 test@ecdsa256\""
|
||||
retvalshouldbe 0
|
||||
contain "key successfully added"
|
||||
json $(cat <<EOS
|
||||
|
@ -406,7 +406,7 @@ EOS
|
|||
.value.key.line "ecdsa-sha2-nistp256 $b64 test@ecdsa256" \
|
||||
.value.key.prefix ""
|
||||
|
||||
script selfAddIngressKey ecdsa256D $a1 -osh selfAddIngressKey "<<< \"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBezrCa6RsyyWnHDypyGZ4/72UsiLaDmJ+A04vVuxO0XsjrhX52Q7zkz5NOA2VccAFJCLwN9h/+LLrIxM6FK64k= test@ecdsa256duplicate\""
|
||||
script ecdsa256D $a1 -osh selfAddIngressKey "<<< \"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBezrCa6RsyyWnHDypyGZ4/72UsiLaDmJ+A04vVuxO0XsjrhX52Q7zkz5NOA2VccAFJCLwN9h/+LLrIxM6FK64k= test@ecdsa256duplicate\""
|
||||
retvalshouldbe 100
|
||||
contain "already exists"
|
||||
json $(cat <<EOS
|
||||
|
@ -427,7 +427,7 @@ EOS
|
|||
b64='AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBICjCWYk5lCOX/977vdlDqcuF1ZWb4cX8cZuskRCSJBwMaCBHKvSwxzcbVdS++4MAaCsQisDSgwAhK6KcbjwitKAiSUWmRhIxFrPQojrfrDlw20bgFqc/RGiSykMTbL1jg=='
|
||||
fpe384="SHA256:P2NDAsOb6ZelE6dwCdqnnSaw/KVXhXMgFWI/pwNF2z0"
|
||||
[ "$FP_TYPE" = md5 ] && fpe384="4d:e3:e3:c2:13:79:69:e9:f7:3d:4f:18:21:d3:1b:ef"
|
||||
script selfAddIngressKey ecdsa384 $a1 -osh selfAddIngressKey "<<< \"ecdsa-sha2-nistp384 $b64 test@ecdsa384\""
|
||||
script ecdsa384 $a1 -osh selfAddIngressKey "<<< \"ecdsa-sha2-nistp384 $b64 test@ecdsa384\""
|
||||
retvalshouldbe 0
|
||||
contain "key successfully added"
|
||||
json $(cat <<EOS
|
||||
|
@ -448,7 +448,7 @@ EOS
|
|||
b64='AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBADaVbKH5FN1Dcb/jXbb4Xa1UM/l4qVKFSHQKo1o0Zk/T9eHt+vpgvMUnbyZpawktdBgF4ScnPvO7qzgM+fgy62LYACbExQvYLcrYTK+h6TxISptpCFNli4XjjW88YhL7qGmZDlezZTUCHDZryVato7Fzfe66mqZcT6aMWO+Lyr5RLc4uw=='
|
||||
fpe521="SHA256:qK+FmUoa7OBqzyiuH+hp974f/pt8L9SWTsjzId2I4/w"
|
||||
[ "$FP_TYPE" = md5 ] && fpe521="2d:af:3a:b1:b7:9f:74:71:f9:8e:3f:85:03:f8:4e:c0"
|
||||
script selfAddIngressKey ecdsa521 $a1 -osh selfAddIngressKey "<<< \"ecdsa-sha2-nistp521 $b64 test@ecdsa521\""
|
||||
script ecdsa521 $a1 -osh selfAddIngressKey "<<< \"ecdsa-sha2-nistp521 $b64 test@ecdsa521\""
|
||||
retvalshouldbe 0
|
||||
contain "key successfully added"
|
||||
json $(cat <<EOS
|
||||
|
@ -470,7 +470,7 @@ EOS
|
|||
fped="SHA256:DFITA8tNfJknq6a/xbro1SxTLTWn/vwZkEROk4IB2LM"
|
||||
[ "$FP_TYPE" = md5 ] && fped="d7:92:5b:77:8b:69:03:cb:e7:5a:11:76:d1:a6:ea:e4"
|
||||
fplist="$fp4096 $fp8192 $fp16384 $fpe256 $fpe384 $fpe521"
|
||||
script selfAddIngressKey ed25519 $a1 -osh selfAddIngressKey "<<< \"ssh-ed25519 $b64 test@ed25519\""
|
||||
script ed25519 $a1 -osh selfAddIngressKey "<<< \"ssh-ed25519 $b64 test@ed25519\""
|
||||
if [ "${capabilities[ed25519]}" = "1" ] ; then
|
||||
fplist="$fplist $fped"
|
||||
retvalshouldbe 0
|
||||
|
@ -507,27 +507,27 @@ EOS
|
|||
fi
|
||||
|
||||
if [ "${capabilities[blacklist]}" = 1 ] ; then
|
||||
script selfAddIngressKey rsa1024fucked $a1 -osh selfAddIngressKey "<<< \"ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA90Td1GTx+tYMbsti93lyiyKYelBgaXRrnweoYJXjUFNU93jZ+RmBR8yp5J6mx7jz9ECaMS7Dn49fNQi5uG75+m+DTUgq3bfNv8cygoVC4g3NhzA3e+uA22D+iI53j3Gm9YxaJVOypGXGkOoWnmXZy7FQ4aSBFvgqa81xfnoa+4M= compromised@rsa1024\""
|
||||
script rsa1024fucked $a1 -osh selfAddIngressKey "<<< \"ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA90Td1GTx+tYMbsti93lyiyKYelBgaXRrnweoYJXjUFNU93jZ+RmBR8yp5J6mx7jz9ECaMS7Dn49fNQi5uG75+m+DTUgq3bfNv8cygoVC4g3NhzA3e+uA22D+iI53j3Gm9YxaJVOypGXGkOoWnmXZy7FQ4aSBFvgqa81xfnoa+4M= compromised@rsa1024\""
|
||||
retvalshouldbe 100
|
||||
contain "IT IS VULNERABLE"
|
||||
json .command selfAddIngressKey .error_code KO_VULNERABLE_KEY
|
||||
|
||||
script selfAddIngressKey rsa2048fucked $a1 -osh selfAddIngressKey "<<< \"ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAxP84hsnxNGSGczfSZTYwb7YCu7yFEyYq5r5qS0dKc6EVQkqdYCn5FrFj8d0+Qn9vglQyCMk+Aa9VLlmKV8/e43FqIq7oh4RDe3YhKKvQ28gLGB/nh2oBLDCB/AYMOjjkCsGU344mrcKQDZlPQsk7lJsied1YphOzHFD7MZVdWd0oUpKFdZSuGbpLRWR+bq29fx7JSiT2tw3G3+EQSW9bdqvzKgwQOAg94FFUTjiK/nVDXAowKMP3+R3cV/CxccA9q5glGw6Xh+K54oZRQ9frzEGmxOlDhMhthQCSRrAvwQQn9kBmcX8qiugHJGS91R5lWv+HU2ndyCQ6xTxRtYvMOw== compromised@rsa2048\""
|
||||
script rsa2048fucked $a1 -osh selfAddIngressKey "<<< \"ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAxP84hsnxNGSGczfSZTYwb7YCu7yFEyYq5r5qS0dKc6EVQkqdYCn5FrFj8d0+Qn9vglQyCMk+Aa9VLlmKV8/e43FqIq7oh4RDe3YhKKvQ28gLGB/nh2oBLDCB/AYMOjjkCsGU344mrcKQDZlPQsk7lJsied1YphOzHFD7MZVdWd0oUpKFdZSuGbpLRWR+bq29fx7JSiT2tw3G3+EQSW9bdqvzKgwQOAg94FFUTjiK/nVDXAowKMP3+R3cV/CxccA9q5glGw6Xh+K54oZRQ9frzEGmxOlDhMhthQCSRrAvwQQn9kBmcX8qiugHJGS91R5lWv+HU2ndyCQ6xTxRtYvMOw== compromised@rsa2048\""
|
||||
retvalshouldbe 100
|
||||
contain "IT IS VULNERABLE"
|
||||
json .command selfAddIngressKey .error_code KO_VULNERABLE_KEY
|
||||
fi
|
||||
|
||||
run info user1key2beforeadd $a1k2 -osh info
|
||||
run user1key2beforeadd $a1k2 -osh info
|
||||
retvalshouldbe 255
|
||||
contain "Permission denied"
|
||||
|
||||
script selfAddIngressKey user1key2 $a1 -osh selfAddIngressKey '<' $account1key2file.pub
|
||||
script user1key2 $a1 -osh selfAddIngressKey '<' $account1key2file.pub
|
||||
retvalshouldbe 0
|
||||
contain "key successfully added"
|
||||
json .command selfAddIngressKey .error_code OK
|
||||
|
||||
success selfListIngressKeys afteradd $a1 -osh selfListIngressKeys
|
||||
success afteradd $a1 -osh selfListIngressKeys
|
||||
account1key1fp=""
|
||||
account1key2fp=""
|
||||
for i in {0..20}
|
||||
|
@ -540,21 +540,21 @@ EOS
|
|||
unset tmpline
|
||||
json .command selfListIngressKeys .error_code OK .value.account $account1
|
||||
|
||||
script gotfingerprint key1 grep -Eq "'^SHA256:|([0-9a-f]{2}:){7}'" "<<<" "$account1key1fp"
|
||||
script key1 grep -Eq "'^SHA256:|([0-9a-f]{2}:){7}'" "<<<" "$account1key1fp"
|
||||
retvalshouldbe 0
|
||||
|
||||
script gotfingerprint key2 grep -Eq "'^SHA256:|([0-9a-f]{2}:){7}'" "<<<" "$account1key2fp"
|
||||
script key2 grep -Eq "'^SHA256:|([0-9a-f]{2}:){7}'" "<<<" "$account1key2fp"
|
||||
retvalshouldbe 0
|
||||
|
||||
# remove all keys except key1 key2
|
||||
for fp in $fplist ; do
|
||||
success selfDelIngressKey otherkeys $a1 -osh selfDelIngressKey -f $fp
|
||||
success otherkeys $a1 -osh selfDelIngressKey -f $fp
|
||||
contain "successfully deleted"
|
||||
json .command selfDelIngressKey .error_code OK
|
||||
done
|
||||
unset fplist
|
||||
|
||||
success selfListIngressKeys afterdel $a1 -osh selfListIngressKeys
|
||||
success afterdel $a1 -osh selfListIngressKeys
|
||||
json $(cat <<EOS
|
||||
.command selfListIngressKeys
|
||||
.error_code OK
|
||||
|
@ -565,17 +565,17 @@ EOS
|
|||
EOS
|
||||
)
|
||||
|
||||
success info user1key2aftereadd $a1k2 -osh info
|
||||
success user1key2aftereadd $a1k2 -osh info
|
||||
contain "Your alias to connect"
|
||||
json .command info .error_code OK .value.account $account1
|
||||
|
||||
success selfDelIngressKey key2 $a1k2 -osh selfDelIngressKey -f "$account1key2fp"
|
||||
success key2 $a1k2 -osh selfDelIngressKey -f "$account1key2fp"
|
||||
json .command selfDelIngressKey .error_code OK .value.deleted_key.err OK
|
||||
|
||||
plgfail selfDelIngressKey a1k1mustfail $a1 -osh selfDelIngressKey -f "$account1key1fp"
|
||||
plgfail a1k1mustfail $a1 -osh selfDelIngressKey -f "$account1key1fp"
|
||||
json .command selfDelIngressKey .error_code ERR_ONLY_ONE_KEY .value null
|
||||
|
||||
success selfListIngressKeys afterdel2only1remain $a1 -osh selfListIngressKeys
|
||||
success afterdel2only1remain $a1 -osh selfListIngressKeys
|
||||
contain "$account1key1fp"
|
||||
nocontain "$account1key2fp"
|
||||
json $(cat <<EOS
|
||||
|
@ -619,12 +619,12 @@ EOS
|
|||
|
||||
# delete account1
|
||||
grant accountDelete
|
||||
script accountDelete cleanup $a0 --osh accountDelete --account $account1 "<<< \"Yes, do as I say and delete $account1, kthxbye\""
|
||||
script cleanup $a0 --osh accountDelete --account $account1 "<<< \"Yes, do as I say and delete $account1, kthxbye\""
|
||||
retvalshouldbe 0
|
||||
revoke accountDelete
|
||||
|
||||
# restore default config
|
||||
success bastion configrestore $r0 "dd if=$opt_remote_etc_bastion/bastion.conf.bak.$now of=$opt_remote_etc_bastion/bastion.conf"
|
||||
success configrestore $r0 "dd if=$opt_remote_etc_bastion/bastion.conf.bak.$now of=$opt_remote_etc_bastion/bastion.conf"
|
||||
}
|
||||
|
||||
testsuite_selfkeys
|
||||
|
|
|
@ -13,7 +13,7 @@ testsuite_selfaccesses()
|
|||
grant accountCreate
|
||||
|
||||
for i in {1..10}; do
|
||||
success selfaccess a0_create_a1_uidauto_nokey_$i $a0 --osh accountCreate --account delme$i --uid-auto --no-key
|
||||
success a0_create_a1_uidauto_nokey_$i $a0 --osh accountCreate --account delme$i --uid-auto --no-key
|
||||
json .error_code OK .command accountCreate
|
||||
done
|
||||
|
||||
|
@ -22,7 +22,7 @@ testsuite_selfaccesses()
|
|||
|
||||
# delete those accounts
|
||||
for i in {1..10}; do
|
||||
script selfaccess a0_delete_a1_uidauto_nokey_$i $a0 --osh accountDelete --account delme$i "<<< \"Yes, do as I say and delete delme$i, kthxbye\""
|
||||
script a0_delete_a1_uidauto_nokey_$i $a0 --osh accountDelete --account delme$i "<<< \"Yes, do as I say and delete delme$i, kthxbye\""
|
||||
retvalshouldbe 0
|
||||
json .error_code OK .command accountDelete
|
||||
done
|
||||
|
@ -31,29 +31,29 @@ testsuite_selfaccesses()
|
|||
grant accountCreate
|
||||
|
||||
# create account1
|
||||
success osh accountCreate $a0 --osh accountCreate --always-active --account $account1 --uid $uid1 --public-key "\"$(cat $account1key1file.pub)\""
|
||||
success accountCreate $a0 --osh accountCreate --always-active --account $account1 --uid $uid1 --public-key "\"$(cat $account1key1file.pub)\""
|
||||
json .error_code OK .command accountCreate .value null
|
||||
|
||||
revoke accountCreate
|
||||
grant accountModify
|
||||
|
||||
success realm modify_account1 $a0 --osh accountModify --pam-auth-bypass yes --account $account1
|
||||
success modify_account1 $a0 --osh accountModify --pam-auth-bypass yes --account $account1
|
||||
json .error_code OK .command accountModify
|
||||
|
||||
# test osh-only
|
||||
success accountModify enable_osh_only $a0 --osh accountModify --osh-only yes --account $account1
|
||||
success enable_osh_only $a0 --osh accountModify --osh-only yes --account $account1
|
||||
json .error_code OK .command accountModify
|
||||
|
||||
# account1 can not connect to anything
|
||||
run accountModify no_ssh_after_osh_only $a1 anybody@127.0.0.1
|
||||
run no_ssh_after_osh_only $a1 anybody@127.0.0.1
|
||||
retvalshouldbe 107
|
||||
json .error_code KO_ACCESS_DENIED .error_message "You don't have the right to connect anywhere"
|
||||
|
||||
success accountModify disable_osh_only $a0 --osh accountModify --osh-only no --account $account1
|
||||
success disable_osh_only $a0 --osh accountModify --osh-only no --account $account1
|
||||
json .error_code OK .command accountModify
|
||||
|
||||
# account1 can connect now (or could if they were granted)
|
||||
run accountModify can_ssh_after_osh_only_disable $a1 anybody@127.0.0.1
|
||||
run can_ssh_after_osh_only_disable $a1 anybody@127.0.0.1
|
||||
retvalshouldbe 107
|
||||
json .error_code KO_ACCESS_DENIED
|
||||
contain "Access denied"
|
||||
|
@ -61,16 +61,16 @@ testsuite_selfaccesses()
|
|||
|
||||
revoke accountModify
|
||||
|
||||
success selfListEgressKeys beforeadd $a1 -osh selfListEgressKeys
|
||||
success beforeadd $a1 -osh selfListEgressKeys
|
||||
tmpfp=$(get_json | $jq '.value|keys[0]')
|
||||
json .command selfListEgressKeys .error_code OK '.value|keys[1]' null
|
||||
pattern "^$account1@fix-my-config-please-missing-bastion-name:[0-9]+$" "$(get_json | $jq ".value|.[\"$tmpfp\"]|.comment")"
|
||||
|
||||
success osh selfGenerateEgressKey $a1 --osh selfGenerateEgressKey --algo rsa --size 4096
|
||||
success selfGenerateEgressKey $a1 --osh selfGenerateEgressKey --algo rsa --size 4096
|
||||
json .error_code OK .command selfGenerateEgressKey .value.size 4096 .value.family RSA
|
||||
tmpfp2=$(get_json | $jq '.value.fingerprint')
|
||||
|
||||
success selfListEgressKeys afteradd $a1 -osh selfListEgressKeys
|
||||
success afteradd $a1 -osh selfListEgressKeys
|
||||
json .command selfListEgressKeys .error_code OK '.value|keys[2]' null
|
||||
pattern "^$account1@fix-my-config-please-missing-bastion-name:[0-9]+$" "$(get_json | $jq ".value|.[\"$tmpfp\"]|.comment")"
|
||||
pattern "^$account1@fix-my-config-please-missing-bastion-name:[0-9]+$" "$(get_json | $jq ".value|.[\"$tmpfp2\"]|.comment")"
|
||||
|
@ -79,7 +79,7 @@ testsuite_selfaccesses()
|
|||
|
||||
# batch plugin
|
||||
|
||||
script plugin-batch one "printf \"%b\\n\" \"info\\naccountInfo --account $account0\\nselfListEgressKeys\" | $a1 --osh batch"
|
||||
script one "printf \"%b\\n\" \"info\\naccountInfo --account $account0\\nselfListEgressKeys\" | $a1 --osh batch"
|
||||
retvalshouldbe 0
|
||||
json .command batch .error_code OK
|
||||
json '.value[0].result.error_code' OK '.value[0].command' info '.value[0].result.value.account' "$account1"
|
||||
|
@ -88,81 +88,81 @@ testsuite_selfaccesses()
|
|||
|
||||
# ssh
|
||||
|
||||
run ssh a1atlo2 $a1 127.0.0.2 -- id
|
||||
run a1atlo2 $a1 127.0.0.2 -- id
|
||||
retvalshouldbe 107
|
||||
contain "Access denied for"
|
||||
json .command null .error_code KO_ACCESS_DENIED
|
||||
|
||||
run ssh invalid_host $a1 127.0./0.1 -- id
|
||||
run invalid_host $a1 127.0./0.1 -- id
|
||||
retvalshouldbe 102
|
||||
json .error_code KO_HOST_NOT_FOUND
|
||||
|
||||
run ssh invalid_host $a1 127.0.%0.1 -- id
|
||||
run invalid_host $a1 127.0.%0.1 -- id
|
||||
retvalshouldbe 128
|
||||
json .error_code KO_INVALID_REMOTE_HOST
|
||||
|
||||
run ssh invalid_user $a1 ro/ot@127.0.0.1 -- id
|
||||
run invalid_user $a1 ro/ot@127.0.0.1 -- id
|
||||
retvalshouldbe 127
|
||||
json .error_code KO_INVALID_REMOTE_USER
|
||||
|
||||
grant selfAddPersonalAccess
|
||||
grant selfDelPersonalAccess
|
||||
|
||||
run selfAddPersonalAccess mustfail $a1 -osh selfAddPersonalAccess -h 127.0.0.2 -u $shellaccount -p 22
|
||||
run mustfail $a1 -osh selfAddPersonalAccess -h 127.0.0.2 -u $shellaccount -p 22
|
||||
retvalshouldbe 106
|
||||
contain "you to be specifically granted"
|
||||
json .command null .error_code KO_RESTRICTED_COMMAND
|
||||
|
||||
success selfAddPersonalAccess mustwork $a0 -osh selfAddPersonalAccess -h 127.0.0.2 -u $shellaccount -p 22 --kbd-interactive
|
||||
success mustwork $a0 -osh selfAddPersonalAccess -h 127.0.0.2 -u $shellaccount -p 22 --kbd-interactive
|
||||
nocontain "already"
|
||||
json .command selfAddPersonalAccess .error_code OK .value.ip 127.0.0.2 .value.user $shellaccount .value.port 22
|
||||
|
||||
success selfAddPersonalAccess dupe $a0 -osh selfAddPersonalAccess -h 127.0.0.2 -u $shellaccount -p 22 --kbd-interactive
|
||||
success dupe $a0 -osh selfAddPersonalAccess -h 127.0.0.2 -u $shellaccount -p 22 --kbd-interactive
|
||||
contain "already"
|
||||
json .command selfAddPersonalAccess .error_code OK_NO_CHANGE .value null
|
||||
|
||||
success selfAddPersonalAccess withttl $a0 -osh selfAddPersonalAccess -h 127.0.0.4 -u $shellaccount -p 22 --force --ttl 0d0h0m3s
|
||||
success withttl $a0 -osh selfAddPersonalAccess -h 127.0.0.4 -u $shellaccount -p 22 --force --ttl 0d0h0m3s
|
||||
json .command selfAddPersonalAccess .error_code OK .value.ip 127.0.0.4 .value.user $shellaccount .value.port 22 .value.ttl 3
|
||||
|
||||
run ssh a1atlo2_login8 $a0 127.0.0.2 -- id
|
||||
run a1atlo2_login8 $a0 127.0.0.2 -- id
|
||||
retvalshouldbe 107
|
||||
contain "Access denied for"
|
||||
json .command null .value null .error_code KO_ACCESS_DENIED
|
||||
|
||||
# auto hostname=$host comment
|
||||
|
||||
success selfAddPersonalAccess self_add_personal_access_auto_comment $a0 --osh selfAddPersonalAccess --host localhost -u autocomment -p 1234 --force --ttl 1
|
||||
success self_add_personal_access_auto_comment $a0 --osh selfAddPersonalAccess --host localhost -u autocomment -p 1234 --force --ttl 1
|
||||
json .command selfAddPersonalAccess .error_code OK .value.comment "hostname=localhost" .value.user autocomment .value.port 1234 .value.ttl 1
|
||||
|
||||
# forcekey
|
||||
|
||||
success selfListIngressKeys for_force_key $a0 --osh selfListEgressKeys
|
||||
success for_force_key $a0 --osh selfListEgressKeys
|
||||
account0key1fp=$(get_json | $jq '.value|keys[0]')
|
||||
|
||||
success selfAddPersonalAccess forcekey $a0 --osh selfAddPersonalAccess -h 127.7.7.7 -u $shellaccount -p 22 --force --force-key "$account0key1fp"
|
||||
success forcekey $a0 --osh selfAddPersonalAccess -h 127.7.7.7 -u $shellaccount -p 22 --force --force-key "$account0key1fp"
|
||||
|
||||
success selfListAccesses forcekey $a0 --osh selfListAccesses
|
||||
success forcekey $a0 --osh selfListAccesses
|
||||
contain "$account0key1fp"
|
||||
|
||||
# try to use the force key
|
||||
|
||||
success ssh forcekey $a0 $shellaccount@127.7.7.7 --kbd-interactive -- id
|
||||
success forcekey $a0 $shellaccount@127.7.7.7 --kbd-interactive -- id
|
||||
contain 'FORCED IN ACL'
|
||||
|
||||
success selfDelPersonalAccess forcekey $a0 -osh selfDelPersonalAccess -h 127.7.7.7 -u $shellaccount -p 22
|
||||
success forcekey $a0 -osh selfDelPersonalAccess -h 127.7.7.7 -u $shellaccount -p 22
|
||||
|
||||
# /forcekey
|
||||
|
||||
success ssh shellaccountatlo2_mustwork $a0 $shellaccount@127.0.0.2 --kbd-interactive -- echo $randomstr
|
||||
success shellaccountatlo2_mustwork $a0 $shellaccount@127.0.0.2 --kbd-interactive -- echo $randomstr
|
||||
contain REGEX "$shellaccount@[a-zA-Z0-9._-]+:22"
|
||||
contain "allowed ... log on"
|
||||
nocontain "Permission denied"
|
||||
contain "$randomstr"
|
||||
|
||||
# scp
|
||||
success accountAddPersonalAccess forscp $a0 --osh selfAddPersonalAccess --host 127.0.0.2 --scpup --port 22
|
||||
success forscp $a0 --osh selfAddPersonalAccess --host 127.0.0.2 --scpup --port 22
|
||||
|
||||
success osh scp $a0 --osh scp
|
||||
success scp $a0 --osh scp
|
||||
if [ "$COUNTONLY" != 1 ]; then
|
||||
tmpb64=$(get_json | $jq '.value.script')
|
||||
base64 -d <<< "$tmpb64" | gunzip -c > /tmp/scphelpertmp
|
||||
|
@ -172,207 +172,207 @@ testsuite_selfaccesses()
|
|||
unset tmpb64
|
||||
fi
|
||||
|
||||
run scp downloadfailnoright scp -F $mytmpdir/ssh_config -S /tmp/scphelper -i $account0key1file $shellaccount@127.0.0.2:uptest /tmp/downloaded
|
||||
run scp_downloadfailnoright scp -F $mytmpdir/ssh_config -S /tmp/scphelper -i $account0key1file $shellaccount@127.0.0.2:uptest /tmp/downloaded
|
||||
retvalshouldbe 1
|
||||
contain "Sorry, but even"
|
||||
|
||||
success accountAddPersonalAccess forscp $a0 --osh selfAddPersonalAccess --host 127.0.0.2 --scpdown --port 22
|
||||
success forscp $a0 --osh selfAddPersonalAccess --host 127.0.0.2 --scpdown --port 22
|
||||
|
||||
run scp downloadfailnofile scp -F $mytmpdir/ssh_config -S /tmp/scphelper -i $account0key1file $shellaccount@127.0.0.2:uptest /tmp/downloaded
|
||||
run scp_downloadfailnofile scp -F $mytmpdir/ssh_config -S /tmp/scphelper -i $account0key1file $shellaccount@127.0.0.2:uptest /tmp/downloaded
|
||||
retvalshouldbe 1
|
||||
contain "through the bastion from"
|
||||
contain "Error launching transfer"
|
||||
contain "No such file or directory"
|
||||
nocontain "Permission denied"
|
||||
|
||||
run scp invalidhostname scp -F $mytmpdir/ssh_config -S /tmp/scphelper -i $account0key1file $shellaccount@_invalid._invalid:uptest /tmp/downloaded
|
||||
run scp_invalidhostname scp -F $mytmpdir/ssh_config -S /tmp/scphelper -i $account0key1file $shellaccount@_invalid._invalid:uptest /tmp/downloaded
|
||||
retvalshouldbe 1
|
||||
contain "Sorry, couldn't resolve the host you specified"
|
||||
|
||||
success scp upload scp -F $mytmpdir/ssh_config -S /tmp/scphelper -i $account0key1file /etc/passwd $shellaccount@127.0.0.2:uptest
|
||||
success scp_upload scp -F $mytmpdir/ssh_config -S /tmp/scphelper -i $account0key1file /etc/passwd $shellaccount@127.0.0.2:uptest
|
||||
contain "through the bastion to"
|
||||
contain "Done,"
|
||||
|
||||
success scp download scp -F $mytmpdir/ssh_config -S /tmp/scphelper -i $account0key1file $shellaccount@127.0.0.2:uptest /tmp/downloaded
|
||||
success scp_download scp -F $mytmpdir/ssh_config -S /tmp/scphelper -i $account0key1file $shellaccount@127.0.0.2:uptest /tmp/downloaded
|
||||
contain "through the bastion from"
|
||||
contain "Done,"
|
||||
|
||||
success accountAddPersonalAccess forscpremove1 $a0 --osh selfDelPersonalAccess --host 127.0.0.2 --scpup --port 22
|
||||
success accountAddPersonalAccess forscpremove2 $a0 --osh selfDelPersonalAccess --host 127.0.0.2 --scpdown --port 22
|
||||
success forscpremove1 $a0 --osh selfDelPersonalAccess --host 127.0.0.2 --scpup --port 22
|
||||
success forscpremove2 $a0 --osh selfDelPersonalAccess --host 127.0.0.2 --scpdown --port 22
|
||||
|
||||
# /scp
|
||||
|
||||
# (forced commands)
|
||||
|
||||
# ESCAPE HELL
|
||||
success ssh escapehell1ae $a0 --always-escape $shellaccount@127.0.0.2 -- "\"echo 'test1;test1' ; id\""
|
||||
success escapehell1ae $a0 --always-escape $shellaccount@127.0.0.2 -- "\"echo 'test1;test1' ; id\""
|
||||
contain "'test1"
|
||||
contain 'uid='
|
||||
contain REGEX "test1': (command )?not found"
|
||||
nocontain 'test1;test1'
|
||||
nocontain 'crazy'
|
||||
|
||||
success ssh escapehell2ae $a0 --always-escape $shellaccount@127.0.0.2 -- "'echo \"test1;test1\" ; id'"
|
||||
success escapehell2ae $a0 --always-escape $shellaccount@127.0.0.2 -- "'echo \"test1;test1\" ; id'"
|
||||
contain "test1;test1"
|
||||
contain 'uid='
|
||||
nocontain 'not found'
|
||||
nocontain 'crazy'
|
||||
|
||||
success ssh escapehell3ae $a0 --always-escape $shellaccount@127.0.0.2 -- "'echo \\\"test1;test1\\\" ; id'"
|
||||
success escapehell3ae $a0 --always-escape $shellaccount@127.0.0.2 -- "'echo \\\"test1;test1\\\" ; id'"
|
||||
contain '"test1'
|
||||
contain 'uid='
|
||||
contain REGEX 'test1": (command )?not found'
|
||||
nocontain 'crazy'
|
||||
|
||||
success ssh escapehell4ae $a0 --always-escape $shellaccount@127.0.0.2 -- "\"echo \\\"test1;test1\\\" ; id\""
|
||||
success escapehell4ae $a0 --always-escape $shellaccount@127.0.0.2 -- "\"echo \\\"test1;test1\\\" ; id\""
|
||||
contain 'test1;test1'
|
||||
contain 'uid='
|
||||
nocontain 'not found'
|
||||
nocontain 'crazy'
|
||||
|
||||
success ssh escapehell5ae $a0 --always-escape $shellaccount@127.0.0.2 -- "\"echo \\\"test1';'test1\\\" ; id\""
|
||||
success escapehell5ae $a0 --always-escape $shellaccount@127.0.0.2 -- "\"echo \\\"test1';'test1\\\" ; id\""
|
||||
contain "test1\\';\\'test1"
|
||||
contain 'uid='
|
||||
nocontain 'not found'
|
||||
nocontain 'crazy'
|
||||
|
||||
success ssh escapehell1ne $a0 --never-escape $shellaccount@127.0.0.2 -- "\"echo 'test1;test1' ; id\""
|
||||
success escapehell1ne $a0 --never-escape $shellaccount@127.0.0.2 -- "\"echo 'test1;test1' ; id\""
|
||||
contain "test1;test1"
|
||||
contain 'uid='
|
||||
nocontain 'not found'
|
||||
nocontain 'crazy'
|
||||
|
||||
success ssh escapehell2ne $a0 --never-escape $shellaccount@127.0.0.2 -- "'echo \"test1;test1\" ; id'"
|
||||
success escapehell2ne $a0 --never-escape $shellaccount@127.0.0.2 -- "'echo \"test1;test1\" ; id'"
|
||||
contain "test1;test1"
|
||||
contain 'uid='
|
||||
nocontain 'not found'
|
||||
nocontain 'crazy'
|
||||
|
||||
success ssh escapehell3ne $a0 --never-escape $shellaccount@127.0.0.2 -- "'echo \\\"test1;test1\\\" ; id'"
|
||||
success escapehell3ne $a0 --never-escape $shellaccount@127.0.0.2 -- "'echo \\\"test1;test1\\\" ; id'"
|
||||
contain '"test1'
|
||||
contain 'uid='
|
||||
contain REGEX 'test1": (command )?not found'
|
||||
nocontain 'crazy'
|
||||
|
||||
success ssh escapehell4ne $a0 --never-escape $shellaccount@127.0.0.2 -- "\"echo \\\"test1;test1\\\" ; id\""
|
||||
success escapehell4ne $a0 --never-escape $shellaccount@127.0.0.2 -- "\"echo \\\"test1;test1\\\" ; id\""
|
||||
contain 'test1;test1'
|
||||
contain 'uid='
|
||||
nocontain 'not found'
|
||||
nocontain 'crazy'
|
||||
|
||||
success ssh escapehell5ne $a0 --never-escape $shellaccount@127.0.0.2 -- "\"echo \\\"test1';'test1\\\" ; id\""
|
||||
success escapehell5ne $a0 --never-escape $shellaccount@127.0.0.2 -- "\"echo \\\"test1';'test1\\\" ; id\""
|
||||
contain "test1';'test1"
|
||||
contain 'uid='
|
||||
nocontain 'not found'
|
||||
nocontain 'crazy'
|
||||
|
||||
success ssh escapehellnoprotect1ae $a0 --always-escape $shellaccount@127.0.0.2 "\"echo 'test1;test1' ; id\""
|
||||
success escapehellnoprotect1ae $a0 --always-escape $shellaccount@127.0.0.2 "\"echo 'test1;test1' ; id\""
|
||||
contain "test1"
|
||||
contain 'uid='
|
||||
contain REGEX "test1: (command )?not found"
|
||||
nocontain 'test1;test1'
|
||||
contain 'crazy'
|
||||
|
||||
success ssh escapehellnoprotect2ae $a0 --always-escape $shellaccount@127.0.0.2 "'echo \"test1;test1\" ; id'"
|
||||
success escapehellnoprotect2ae $a0 --always-escape $shellaccount@127.0.0.2 "'echo \"test1;test1\" ; id'"
|
||||
contain "test1"
|
||||
contain 'uid='
|
||||
contain REGEX 'test1: (command )?not found'
|
||||
nocontain 'test1;test1'
|
||||
contain 'crazy'
|
||||
|
||||
success ssh escapehellnoprotect3ae $a0 --always-escape $shellaccount@127.0.0.2 "'echo \\\"test1;test1\\\" ; id'"
|
||||
success escapehellnoprotect3ae $a0 --always-escape $shellaccount@127.0.0.2 "'echo \\\"test1;test1\\\" ; id'"
|
||||
contain 'test1;test1'
|
||||
contain 'uid='
|
||||
nocontain REGEX ': (command )?not found'
|
||||
contain 'crazy'
|
||||
|
||||
success ssh escapehellnoprotect4ae $a0 --always-escape $shellaccount@127.0.0.2 "\"echo \\\"test1;test1\\\" ; id\""
|
||||
success escapehellnoprotect4ae $a0 --always-escape $shellaccount@127.0.0.2 "\"echo \\\"test1;test1\\\" ; id\""
|
||||
contain "test1"
|
||||
contain 'uid='
|
||||
contain REGEX 'test1: (command )?not found'
|
||||
nocontain 'test1;test1'
|
||||
contain 'crazy'
|
||||
|
||||
success ssh escapehellnoprotect5ae $a0 --always-escape $shellaccount@127.0.0.2 "\"echo \\\"test1';'test1\\\" ; id\""
|
||||
success escapehellnoprotect5ae $a0 --always-escape $shellaccount@127.0.0.2 "\"echo \\\"test1';'test1\\\" ; id\""
|
||||
contain 'test1;test1'
|
||||
contain 'uid='
|
||||
nocontain 'not found'
|
||||
contain 'crazy'
|
||||
|
||||
success ssh escapehellnoprotect1ne $a0 --never-escape $shellaccount@127.0.0.2 "\"echo 'test1;test1' ; id\""
|
||||
success escapehellnoprotect1ne $a0 --never-escape $shellaccount@127.0.0.2 "\"echo 'test1;test1' ; id\""
|
||||
contain "test1"
|
||||
contain 'uid='
|
||||
contain REGEX 'test1: (command )?not found'
|
||||
nocontain 'test1;test1'
|
||||
contain 'crazy'
|
||||
|
||||
success ssh escapehellnoprotect2ne $a0 --never-escape $shellaccount@127.0.0.2 "'echo \"test1;test1\" ; id'"
|
||||
success escapehellnoprotect2ne $a0 --never-escape $shellaccount@127.0.0.2 "'echo \"test1;test1\" ; id'"
|
||||
contain "test1"
|
||||
contain 'uid='
|
||||
contain REGEX 'test1: (command )?not found'
|
||||
nocontain 'test1;test1'
|
||||
contain 'crazy'
|
||||
|
||||
success ssh escapehellnoprotect3ne $a0 --never-escape $shellaccount@127.0.0.2 "'echo \\\"test1;test1\\\" ; id'"
|
||||
success escapehellnoprotect3ne $a0 --never-escape $shellaccount@127.0.0.2 "'echo \\\"test1;test1\\\" ; id'"
|
||||
contain 'test1;test1'
|
||||
contain 'uid='
|
||||
nocontain 'not found'
|
||||
contain 'crazy'
|
||||
|
||||
success ssh escapehellnoprotect4ne $a0 --never-escape $shellaccount@127.0.0.2 "\"echo \\\"test1;test1\\\" ; id\""
|
||||
success escapehellnoprotect4ne $a0 --never-escape $shellaccount@127.0.0.2 "\"echo \\\"test1;test1\\\" ; id\""
|
||||
contain "test1"
|
||||
contain 'uid='
|
||||
contain REGEX 'test1: (command )?not found'
|
||||
nocontain 'test1;test1'
|
||||
contain 'crazy'
|
||||
|
||||
success ssh escapehellnoprotect5ne $a0 --never-escape $shellaccount@127.0.0.2 "\"echo \\\"test1';'test1\\\" ; id\""
|
||||
success escapehellnoprotect5ne $a0 --never-escape $shellaccount@127.0.0.2 "\"echo \\\"test1';'test1\\\" ; id\""
|
||||
contain 'test1;test1'
|
||||
contain 'uid='
|
||||
nocontain 'not found'
|
||||
contain 'crazy'
|
||||
|
||||
run ssh shellaccountatlo_badport $a0 $shellaccount@127.0.0.2 -p 223 -- echo $randomstr
|
||||
run shellaccountatlo_badport $a0 $shellaccount@127.0.0.2 -p 223 -- echo $randomstr
|
||||
retvalshouldbe 107
|
||||
contain "Access denied for"
|
||||
nocontain "$randomstr"
|
||||
json .command null .value null .error_code KO_ACCESS_DENIED
|
||||
|
||||
run ssh shellaccountatlo_badip $a0 $shellaccount@127.0.0.1 -- echo $randomstr
|
||||
run shellaccountatlo_badip $a0 $shellaccount@127.0.0.1 -- echo $randomstr
|
||||
retvalshouldbe 107
|
||||
contain "Access denied for"
|
||||
nocontain "$randomstr"
|
||||
json .command null .value null .error_code KO_ACCESS_DENIED
|
||||
|
||||
run ssh shellaccountatlo_badroot $a0 root@127.0.0.2 -- echo $randomstr
|
||||
run shellaccountatlo_badroot $a0 root@127.0.0.2 -- echo $randomstr
|
||||
retvalshouldbe 107
|
||||
contain "Access denied for"
|
||||
nocontain "$randomstr"
|
||||
json .command null .value null .error_code KO_ACCESS_DENIED
|
||||
|
||||
run selfDelPersonalAccess mustfailnosudo $a1 -osh selfDelPersonalAccess -h 127.0.0.2 -u $shellaccount -p 22
|
||||
run mustfailnosudo $a1 -osh selfDelPersonalAccess -h 127.0.0.2 -u $shellaccount -p 22
|
||||
retvalshouldbe 106
|
||||
contain "you to be specifically granted"
|
||||
json .command null .value null .error_code KO_RESTRICTED_COMMAND
|
||||
|
||||
#sudo usermod -a -G osh-selfDelPersonalAccess $account1
|
||||
success selfDelPersonalAccess mustwork $a0 -osh selfDelPersonalAccess -h 127.0.0.2 -u $shellaccount -p 22
|
||||
success mustwork $a0 -osh selfDelPersonalAccess -h 127.0.0.2 -u $shellaccount -p 22
|
||||
contain "Access to $shellaccount@127.0.0.2:22"
|
||||
json .command selfDelPersonalAccess .error_code OK .value.ip 127.0.0.2 .value.user $shellaccount .value.port 22
|
||||
|
||||
run ssh shellaccountatlo2_mustfail $a1 $shellaccount@127.0.0.2 -- echo $randomstr
|
||||
run shellaccountatlo2_mustfail $a1 $shellaccount@127.0.0.2 -- echo $randomstr
|
||||
retvalshouldbe 107
|
||||
contain "Access denied for"
|
||||
nocontain "$randomstr"
|
||||
json .command null .value null .error_code KO_ACCESS_DENIED
|
||||
|
||||
success selfAddPersonalAccess mustwork $a0 -osh selfAddPersonalAccess -h 127.0.0.2 -u $shellaccount -p 226
|
||||
success mustwork $a0 -osh selfAddPersonalAccess -h 127.0.0.2 -u $shellaccount -p 226
|
||||
nocontain "already"
|
||||
json .command selfAddPersonalAccess .error_code OK .value.ip 127.0.0.2 .value.user $shellaccount .value.port 226
|
||||
|
||||
# shouldn't work
|
||||
|
||||
run ssh shellaccountatlo2_badport2 $a0 $shellaccount@127.0.0.2 -- echo $randomstr
|
||||
run shellaccountatlo2_badport2 $a0 $shellaccount@127.0.0.2 -- echo $randomstr
|
||||
retvalshouldbe 107
|
||||
contain "Access denied for"
|
||||
nocontain "$randomstr"
|
||||
|
@ -380,66 +380,66 @@ testsuite_selfaccesses()
|
|||
|
||||
# should
|
||||
|
||||
success ssh shellaccountatlo2_mustwork226 $a0 $shellaccount@127.0.0.2 -p 226 -- echo $randomstr
|
||||
success shellaccountatlo2_mustwork226 $a0 $shellaccount@127.0.0.2 -p 226 -- echo $randomstr
|
||||
contain REGEX "$shellaccount@[a-zA-Z0-9._-]+:226"
|
||||
contain "allowed ... log on"
|
||||
nocontain "Permission denied"
|
||||
contain "$randomstr"
|
||||
|
||||
success selfDelPersonalAccess mustwork $a0 -osh selfDelPersonalAccess -h 127.0.0.2 -u $shellaccount -p 226
|
||||
success mustwork $a0 -osh selfDelPersonalAccess -h 127.0.0.2 -u $shellaccount -p 226
|
||||
contain "Access to $shellaccount@127.0.0.2:226"
|
||||
json .command selfDelPersonalAccess .error_code OK .value.ip 127.0.0.2 .value.user $shellaccount .value.port 226
|
||||
|
||||
run ssh shellaccountatlo2_mustfailnow $a0 $shellaccount@127.0.0.2 -p 226 -- echo $randomstr
|
||||
run shellaccountatlo2_mustfailnow $a0 $shellaccount@127.0.0.2 -p 226 -- echo $randomstr
|
||||
retvalshouldbe 107
|
||||
contain "Access denied for"
|
||||
nocontain "$randomstr"
|
||||
json .command null .value null .error_code KO_ACCESS_DENIED
|
||||
|
||||
plgfail selfAddPersonalAccess nousernoportnoforce $a0 -osh selfAddPersonalAccess -h 127.0.0.4
|
||||
plgfail nousernoportnoforce $a0 -osh selfAddPersonalAccess -h 127.0.0.4
|
||||
nocontain "already"
|
||||
contain REGEX "Couldn't connect to $account0@127.0.0.4 \\(ssh returned error (255|124)\\)"
|
||||
json .command selfAddPersonalAccess .error_code ERR_CONNECTION_FAILED .value null
|
||||
|
||||
success selfAddPersonalAccess nousernoport $a0 -osh selfAddPersonalAccess -h 127.0.0.4 --force
|
||||
success nousernoport $a0 -osh selfAddPersonalAccess -h 127.0.0.4 --force
|
||||
nocontain "already"
|
||||
contain "Forcing add as asked"
|
||||
json .command selfAddPersonalAccess .error_code OK .value.ip 127.0.0.4 .value.port null .value.user null
|
||||
|
||||
run ssh rootport22 $a0 root@127.0.0.4 -- echo $randomstr
|
||||
run rootport22 $a0 root@127.0.0.4 -- echo $randomstr
|
||||
retvalshouldbe 255
|
||||
contain "allowed ... log on"
|
||||
contain "Permission denied"
|
||||
nocontain "$randomstr"
|
||||
|
||||
run ssh anyuserport22 $a0 whatevaah@127.0.0.4 -- echo $randomstr
|
||||
run anyuserport22 $a0 whatevaah@127.0.0.4 -- echo $randomstr
|
||||
retvalshouldbe 255
|
||||
contain "allowed ... log on"
|
||||
contain "Permission denied"
|
||||
nocontain "$randomstr"
|
||||
|
||||
success ssh gooduserport22 $a0 $shellaccount@127.0.0.4 -- echo $randomstr
|
||||
success gooduserport22 $a0 $shellaccount@127.0.0.4 -- echo $randomstr
|
||||
contain "allowed ... log on"
|
||||
contain "$randomstr"
|
||||
|
||||
run ssh exitcode $a0 $shellaccount@127.0.0.4 -- exit 43
|
||||
run exitcode $a0 $shellaccount@127.0.0.4 -- exit 43
|
||||
retvalshouldbe 43
|
||||
contain "allowed ... log on"
|
||||
|
||||
success ssh gooduserport226 $a0 $shellaccount@127.0.0.4 -p 226 -- echo $randomstr
|
||||
success gooduserport226 $a0 $shellaccount@127.0.0.4 -p 226 -- echo $randomstr
|
||||
contain "allowed ... log on"
|
||||
contain "$randomstr"
|
||||
|
||||
run ssh anyuseaarrport226 $a0 pokpozkpab@127.0.0.4 -p 226 -- echo $randomstr
|
||||
run anyuseaarrport226 $a0 pokpozkpab@127.0.0.4 -p 226 -- echo $randomstr
|
||||
retvalshouldbe 255
|
||||
contain "allowed ... log on"
|
||||
nocontain "$randomstr"
|
||||
|
||||
success selfDelPersonalAccess nousernoport $a0 -osh selfDelPersonalAccess -h 127.0.0.4
|
||||
success nousernoport $a0 -osh selfDelPersonalAccess -h 127.0.0.4
|
||||
contain "Access to 127.0.0.4 "
|
||||
json .command selfDelPersonalAccess .error_code OK .value.ip 127.0.0.4 .value.port null .value.user null
|
||||
|
||||
success selfDelPersonalAccess nousernoport_dupe $a0 -osh selfDelPersonalAccess -h 127.0.0.4
|
||||
success nousernoport_dupe $a0 -osh selfDelPersonalAccess -h 127.0.0.4
|
||||
nocontain "no longer has a personal access"
|
||||
json .command selfDelPersonalAccess .error_code OK_NO_CHANGE .value null
|
||||
|
||||
|
@ -447,7 +447,7 @@ testsuite_selfaccesses()
|
|||
# ... then try to ssh with all combinations
|
||||
|
||||
# TODO try partial group thing, and try to ssh to ip pertaining to group
|
||||
success selfListAccesses oka0 $a0 --osh selfListAccesses
|
||||
success oka0 $a0 --osh selfListAccesses
|
||||
contain 'no registered accesses'
|
||||
nocontain 'personal'
|
||||
nocontain 'group-member'
|
||||
|
@ -455,60 +455,60 @@ testsuite_selfaccesses()
|
|||
json .command selfListAccesses .error_code OK_EMPTY .value null
|
||||
|
||||
# FIXME with bastion config => auto-added private accesses ?
|
||||
success selfListAccesses oka1 $a1 --osh selfListAccesses
|
||||
success oka1 $a1 --osh selfListAccesses
|
||||
contain 'no registered accesses'
|
||||
nocontain 'personal'
|
||||
nocontain 'group-member'
|
||||
nocontain 'group-guest'
|
||||
json .command selfListAccesses .error_code OK_EMPTY .value null
|
||||
|
||||
success selfForgetHostKey loportnomatch $a0 --osh selfForgetHostKey --host 127.0.0.1 --port 1234
|
||||
success loportnomatch $a0 --osh selfForgetHostKey --host 127.0.0.1 --port 1234
|
||||
json .command selfForgetHostKey .error_code OK '.value."[127.0.0.1]:1234".action' OK_NO_MATCH
|
||||
|
||||
success selfForgetHostKey lonomatch $a0 --osh selfForgetHostKey --host 127.0.0.1
|
||||
success lonomatch $a0 --osh selfForgetHostKey --host 127.0.0.1
|
||||
json .command selfForgetHostKey .error_code OK '.value."127.0.0.1".action' OK_NO_MATCH
|
||||
|
||||
success selfForgetHostKey lonofile $a1 --osh selfForgetHostKey --host 127.0.0.1
|
||||
success lonofile $a1 --osh selfForgetHostKey --host 127.0.0.1
|
||||
json .command selfForgetHostKey .error_code OK_NO_CHANGE .value null
|
||||
|
||||
success selfForgetHostKey works $a0 --osh selfForgetHostKey --host 127.0.0.2
|
||||
success works $a0 --osh selfForgetHostKey --host 127.0.0.2
|
||||
json .command selfForgetHostKey .error_code OK '.value."127.0.0.2".action' OK_DELETED
|
||||
|
||||
success selfForgetHostKey dupe $a0 --osh selfForgetHostKey --host 127.0.0.2
|
||||
success dupe $a0 --osh selfForgetHostKey --host 127.0.0.2
|
||||
json .command selfForgetHostKey .error_code OK '.value."127.0.0.2".action' OK_NO_MATCH
|
||||
|
||||
grant accountUnexpire
|
||||
|
||||
success accountUnexpire nochange $a0 --osh accountUnexpire --account $account1
|
||||
success nochange $a0 --osh accountUnexpire --account $account1
|
||||
json .command accountUnexpire .error_code OK_NO_CHANGE
|
||||
|
||||
# artificially expire account1
|
||||
configchg 's=^\\\\x22accountMaxInactiveDays\\\\x22.+=\\\\x22accountMaxInactiveDays\\\\x22:2,='
|
||||
success bastion manuallyExpireAccount1 $r0 "touch -t 201501010101 /home/$account1/lastlog"
|
||||
success manuallyExpireAccount1 $r0 "touch -t 201501010101 /home/$account1/lastlog"
|
||||
|
||||
run account expired $a1 --osh info
|
||||
run expired $a1 --osh info
|
||||
retvalshouldbe 113
|
||||
|
||||
success accountUnexpire works $a0 --osh accountUnexpire --account $account1
|
||||
success works $a0 --osh accountUnexpire --account $account1
|
||||
json .command accountUnexpire .error_code OK
|
||||
|
||||
success account unexpired $a1 --osh info
|
||||
success unexpired $a1 --osh info
|
||||
json .error_code OK
|
||||
|
||||
success accountUnexpire worksnochange $a0 --osh accountUnexpire --account $account1
|
||||
success worksnochange $a0 --osh accountUnexpire --account $account1
|
||||
json .command accountUnexpire .error_code OK_NO_CHANGE
|
||||
|
||||
# try on never logged-in account (different code path)
|
||||
success bastion manuallyRemoveLastlog $r0 "rm -f /home/$account1/lastlog"
|
||||
success manuallyRemoveLastlog $r0 "rm -f /home/$account1/lastlog"
|
||||
|
||||
success accountUnexpire worksnochange $a0 --osh accountUnexpire --account $account1
|
||||
success worksnochange $a0 --osh accountUnexpire --account $account1
|
||||
json .command accountUnexpire .error_code OK_NO_CHANGE
|
||||
|
||||
revoke accountUnexpire
|
||||
|
||||
# delete account1
|
||||
grant accountDelete
|
||||
script accountDelete cleanup $a0 --osh accountDelete --account $account1 "<<< \"Yes, do as I say and delete $account1, kthxbye\""
|
||||
script cleanup $a0 --osh accountDelete --account $account1 "<<< \"Yes, do as I say and delete $account1, kthxbye\""
|
||||
retvalshouldbe 0
|
||||
revoke accountDelete
|
||||
}
|
||||
|
|
|
@ -7,7 +7,7 @@
|
|||
|
||||
testsuite_plugins()
|
||||
{
|
||||
success plugin-ping withHost $a0 --osh ping -w 2 --host 127.0.0.1 -c 2
|
||||
success withHost $a0 --osh ping -w 2 --host 127.0.0.1 -c 2
|
||||
json .command ping .error_code OK
|
||||
# in some tests environments, ping is not allowed...
|
||||
_sysret=$(get_json | $jq .value.sysret)
|
||||
|
@ -20,7 +20,7 @@ testsuite_plugins()
|
|||
fi
|
||||
unset _sysret
|
||||
|
||||
success plugin-ping withoutHost $a0 --osh ping -c 1 127.0.0.1 -w 1
|
||||
success withoutHost $a0 --osh ping -c 1 127.0.0.1 -w 1
|
||||
json .command ping .error_code OK
|
||||
_sysret=$(get_json | $jq .value.sysret)
|
||||
if [ "$_sysret" = 0 ]; then
|
||||
|
@ -32,7 +32,7 @@ testsuite_plugins()
|
|||
fi
|
||||
unset _sysret
|
||||
|
||||
success plugin-ping loss $a0 --osh ping 192.0.2.1 -w 1 -c 1
|
||||
success loss $a0 --osh ping 192.0.2.1 -w 1 -c 1
|
||||
json .command ping .error_code OK
|
||||
_sysret=$(get_json | $jq .value.sysret)
|
||||
if [ "$_sysret" = 1 ]; then
|
||||
|
@ -44,7 +44,7 @@ testsuite_plugins()
|
|||
fi
|
||||
unset _sysret
|
||||
|
||||
success plugin-nc withHost $a0 --osh nc --port 22 --host 127.0.0.1 --timeout 1
|
||||
success withHost $a0 --osh nc --port 22 --host 127.0.0.1 --timeout 1
|
||||
json $(cat <<EOS
|
||||
.command nc
|
||||
.error_code OK
|
||||
|
@ -55,7 +55,7 @@ testsuite_plugins()
|
|||
EOS
|
||||
)
|
||||
|
||||
success plugin-nc withoutHost $a0 --osh nc 127.0.0.1 22 --timeout 1
|
||||
success withoutHost $a0 --osh nc 127.0.0.1 22 --timeout 1
|
||||
json $(cat <<EOS
|
||||
.command nc
|
||||
.error_code OK
|
||||
|
@ -66,7 +66,7 @@ EOS
|
|||
EOS
|
||||
)
|
||||
|
||||
success plugin-nc closed $a0 --osh nc 127.0.0.1 1 --timeout 1
|
||||
success closed $a0 --osh nc 127.0.0.1 1 --timeout 1
|
||||
json $(cat <<EOS
|
||||
.command nc
|
||||
.error_code OK
|
||||
|
@ -77,7 +77,7 @@ EOS
|
|||
EOS
|
||||
)
|
||||
|
||||
success plugin-nc timeout $a0 --osh nc --timeout 1 192.0.2.1 22
|
||||
success timeout $a0 --osh nc --timeout 1 192.0.2.1 22
|
||||
json $(cat <<EOS
|
||||
.command nc
|
||||
.error_code OK
|
||||
|
@ -89,12 +89,12 @@ EOS
|
|||
)
|
||||
|
||||
# tests can fail under e.g. OpenSUSE + docker because of raw sockets: ignore those cases
|
||||
success plugin-alive withHost $a0 --osh alive --host 127.0.0.1
|
||||
success withHost $a0 --osh alive --host 127.0.0.1
|
||||
if ! get_stdout | grep -q "can't create raw socket"; then
|
||||
json .command alive .error_code OK .value.waited_for 0
|
||||
fi
|
||||
|
||||
success plugin-alive withoutHost $a0 --osh alive 127.0.0.1
|
||||
success withoutHost $a0 --osh alive 127.0.0.1
|
||||
json .command alive .error_code OK .value.waited_for 0
|
||||
if ! get_stdout | grep -q "can't create raw socket"; then
|
||||
json .command alive .error_code OK .value.waited_for 0
|
||||
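Review bot: In the `withoutHost` alive test, `json .command alive .error_code OK .value.waited_for 0` is asserted unconditionally right after `success withoutHost $a0 --osh alive 127.0.0.1`, and then a second time inside the `if ! get_stdout | grep -q "can't create raw socket"` guard, so the raw-socket exemption that the comment above the `withHost` test asks for never takes effect here and the test will still fail on hosts where raw sockets are unavailable (OpenSUSE + docker per that comment). Drop the unconditional line so only the guarded `json` check remains, mirroring the `withHost` test just above it. The enclosing testsuite_plugins function ends outside this hunk.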
|
|
|
@ -11,31 +11,31 @@ testsuite_mfa()
|
|||
grant accountModify
|
||||
|
||||
# create account4
|
||||
success mfa a0_create_a4 $a0 --osh accountCreate --always-active --account $account4 --uid $uid4 --public-key "\"$(cat $account4key1file.pub)\""
|
||||
success a0_create_a4 $a0 --osh accountCreate --always-active --account $account4 --uid $uid4 --public-key "\"$(cat $account4key1file.pub)\""
|
||||
json .error_code OK .command accountCreate .value null
|
||||
|
||||
# set account4 as mfa password required
|
||||
success mfa a0_accountModify_passreq_a4 $a0 --osh accountModify --account $account4 --mfa-password-required yes
|
||||
success a0_accountModify_passreq_a4 $a0 --osh accountModify --account $account4 --mfa-password-required yes
|
||||
json .error_code OK .command accountModify .value.mfa_password_required.error_code OK
|
||||
|
||||
# set account4 as mfa password required (dupe)
|
||||
success mfa a0_accountModify_passreq_a4_dupe $a0 --osh accountModify --account $account4 --mfa-password-required yes
|
||||
success a0_accountModify_passreq_a4_dupe $a0 --osh accountModify --account $account4 --mfa-password-required yes
|
||||
json .error_code OK .command accountModify .value.mfa_password_required.error_code OK_NO_CHANGE
|
||||
|
||||
# now try to connect with account4
|
||||
run mfa a4_connect_with_passreq $a4 --osh groupList
|
||||
run a4_connect_with_passreq $a4 --osh groupList
|
||||
retvalshouldbe 122
|
||||
json .error_code KO_MFA_PASSWORD_SETUP_REQUIRED
|
||||
|
||||
# setup our password, step1
|
||||
run mfa a4_setup_pass_step1of2 $a4f --osh selfMFASetupPassword --yes
|
||||
run a4_setup_pass_step1of2 $a4f --osh selfMFASetupPassword --yes
|
||||
retvalshouldbe 124
|
||||
contain 'enter this:'
|
||||
a4_password_tmp=$(get_stdout | grep -Eo 'enter this: [a-zA-Z0-9_-]+' | sed -e 's/enter this: //')
|
||||
|
||||
# setup our password, step2
|
||||
a4_password=']BkL>3x#T)g~~B#rLv^!T2&N'
|
||||
script mfa a4_setup_pass_step2of2 "echo 'set timeout 30; \
|
||||
script a4_setup_pass_step2of2 "echo 'set timeout 30; \
|
||||
spawn $a4 --osh selfMFASetupPassword --yes; \
|
||||
expect \":\" { sleep 0.2; send \"$a4_password_tmp\\n\"; }; \
|
||||
expect \":\" { sleep 0.2; send \"$a4_password\\n\"; }; \
|
||||
|
@ -51,7 +51,7 @@ testsuite_mfa()
|
|||
json .command selfMFASetupPassword .error_code OK
|
||||
|
||||
# now try to connect after we have a pass
|
||||
run mfa a4_connect_after_pass $a4f --osh groupList
|
||||
run a4_connect_after_pass $a4f --osh groupList
|
||||
if [ "${capabilities[mfa]}" = 1 ] || [ "${capabilities[mfa-password]}" = 1 ]; then
|
||||
# now we need a password, we don't enter it so it'll timeout (124)
|
||||
retvalshouldbe 124
|
||||
|
@ -69,12 +69,12 @@ testsuite_mfa()
|
|||
if [ "${capabilities[pamtester]}" = 1 ]; then
|
||||
grant groupCreate
|
||||
|
||||
success mfa a0_create_g3 $a0 --osh groupCreate --group $group3 --algo rsa --size 4096 --owner $account4
|
||||
success a0_create_g3 $a0 --osh groupCreate --group $group3 --algo rsa --size 4096 --owner $account4
|
||||
|
||||
revoke groupCreate
|
||||
|
||||
# setup group to force JIT egress MFA
|
||||
script mfa a4_modify_g3_egress_mfa "echo 'set timeout 30; \
|
||||
script a4_modify_g3_egress_mfa "echo 'set timeout 30; \
|
||||
spawn $a4 --osh groupModify --group $group3 --mfa-required any; \
|
||||
expect \":\" { sleep 0.2; send \"$a4_password\\n\"; }; \
|
||||
expect eof; \
|
||||
|
@ -86,7 +86,7 @@ testsuite_mfa()
|
|||
json .command groupModify .error_code OK
|
||||
|
||||
# check that the MFA is set for the group
|
||||
script mfa a4_verify_g3_egress_mfa "echo 'set timeout 30; \
|
||||
script a4_verify_g3_egress_mfa "echo 'set timeout 30; \
|
||||
spawn $a4 --osh groupInfo --group $group3; \
|
||||
expect \":\" { sleep 0.2; send \"$a4_password\\n\"; }; \
|
||||
expect eof; \
|
||||
|
@ -99,7 +99,7 @@ testsuite_mfa()
|
|||
json .value.mfa_required any
|
||||
|
||||
# add 127.7.7.7 to this group
|
||||
script mfa a4_add_g3_server "echo 'set timeout 30; \
|
||||
script a4_add_g3_server "echo 'set timeout 30; \
|
||||
spawn $a4 --osh groupAddServer --group $group3 --host 127.7.7.7 --user-any --port-any --force; \
|
||||
expect \":\" { sleep 0.2; send \"$a4_password\\n\"; }; \
|
||||
expect eof; \
|
||||
|
@ -110,7 +110,7 @@ testsuite_mfa()
|
|||
contain REGEX 'Password:|Password for'
|
||||
|
||||
# connect to 127.7.7.7 with MFA JIT, bad password
|
||||
script mfa a4_connect_g3_server_badpass "echo 'set timeout 45; \
|
||||
script a4_connect_g3_server_badpass "echo 'set timeout 45; \
|
||||
spawn $a4 root@127.7.7.7; \
|
||||
expect \"is required (password)\" { sleep 0.1; }; \
|
||||
expect \":\" { sleep 0.2; send \"$a4_password\\n\"; }; \
|
||||
|
@ -130,7 +130,7 @@ testsuite_mfa()
|
|||
nocontain 'Permission denied'
|
||||
|
||||
# connect to 127.7.7.7 with MFA JIT, good password
|
||||
script mfa a4_connect_g3_server_goodpass "echo 'set timeout 30; \
|
||||
script a4_connect_g3_server_goodpass "echo 'set timeout 30; \
|
||||
spawn $a4 root@127.7.7.7; \
|
||||
expect \":\" { sleep 0.2; send \"$a4_password\\n\"; }; \
|
||||
expect \"is required (password)\" { sleep 0.1; }; \
|
||||
|
@ -145,15 +145,15 @@ testsuite_mfa()
|
|||
contain 'Permission denied'
|
||||
|
||||
# create another account
|
||||
success mfa a0_create_a3 $a0 --osh accountCreate --always-active --account $account3 --uid $uid3 --public-key "\"$(cat $account3key1file.pub)\""
|
||||
success a0_create_a3 $a0 --osh accountCreate --always-active --account $account3 --uid $uid3 --public-key "\"$(cat $account3key1file.pub)\""
|
||||
json .error_code OK .command accountCreate .value null
|
||||
|
||||
# set the account as bypass
|
||||
success mfa a0_set_a3_as_robot $a0 --osh accountModify --account $account3 --mfa-password-required bypass
|
||||
success a0_set_a3_as_robot $a0 --osh accountModify --account $account3 --mfa-password-required bypass
|
||||
json .command accountModify .error_code OK
|
||||
|
||||
# add to JIT MFA group
|
||||
script mfa a0_add_a3_as_member "echo 'set timeout 30; \
|
||||
script a0_add_a3_as_member "echo 'set timeout 30; \
|
||||
spawn $a4 --osh groupAddMember --group $group3 --account $account3; \
|
||||
expect \":\" { sleep 0.2; send \"$a4_password\\n\"; }; \
|
||||
expect eof; \
|
||||
|
@ -162,28 +162,28 @@ testsuite_mfa()
|
|||
json .command groupAddMember .error_code OK
|
||||
|
||||
# connect to 127.7.7.7 with MFA JIT, no MFA needed
|
||||
run mfa a3_connect_g3_server_mfa_bypass $a3 root@127.7.7.7
|
||||
run a3_connect_g3_server_mfa_bypass $a3 root@127.7.7.7
|
||||
retvalshouldbe 255
|
||||
nocontain 'pamtester: successfully authenticated'
|
||||
contain 'Permission denied'
|
||||
|
||||
# remove the account bypass
|
||||
success mfa a0_unset_a3_as_robot $a0 --osh accountModify --account $account3 --mfa-password-required no
|
||||
success a0_unset_a3_as_robot $a0 --osh accountModify --account $account3 --mfa-password-required no
|
||||
json .command accountModify .error_code OK
|
||||
|
||||
# connect to 127.7.7.7 with MFA JIT, password setup needed
|
||||
run mfa a3_connect_mfa_jit_need_pass_setup $a3 root@127.7.7.7
|
||||
run a3_connect_mfa_jit_need_pass_setup $a3 root@127.7.7.7
|
||||
json .error_code KO_MFA_ANY_SETUP_REQUIRED
|
||||
|
||||
grant groupDelete
|
||||
|
||||
script mfa a0_delete_g3 "$a0 --osh groupDelete --group $group3 <<< \"$group3\""
|
||||
script a0_delete_g3 "$a0 --osh groupDelete --group $group3 <<< \"$group3\""
|
||||
|
||||
revoke groupDelete
|
||||
|
||||
grant accountDelete
|
||||
|
||||
script mfa a0_delete_a3 $a0 --osh accountDelete --account $account3 "<<< \"Yes, do as I say and delete $account3, kthxbye\""
|
||||
script a0_delete_a3 $a0 --osh accountDelete --account $account3 "<<< \"Yes, do as I say and delete $account3, kthxbye\""
|
||||
retvalshouldbe 0
|
||||
json .command accountDelete .error_code OK
|
||||
|
||||
|
@ -193,7 +193,7 @@ testsuite_mfa()
|
|||
# change our password
|
||||
a4_password_new="rkw=*Ffyqs23"
|
||||
if [ "${capabilities[mfa]}" = 1 ] || [ "${capabilities[mfa-password]}" = 1 ]; then
|
||||
script mfa a4_change_pass "echo 'set timeout 30; \
|
||||
script a4_change_pass "echo 'set timeout 30; \
|
||||
spawn $a4 --osh selfMFASetupPassword --yes; \
|
||||
expect \":\" { sleep 0.2; send \"$a4_password\\n\"; }; \
|
||||
expect \":\" { sleep 0.2; send \"$a4_password\\n\"; }; \
|
||||
|
@ -206,7 +206,7 @@ testsuite_mfa()
|
|||
contain 'Multi-Factor Authentication enabled, an additional authentication factor is required (password).'
|
||||
contain REGEX 'Password:|Password for'
|
||||
else
|
||||
script mfa a4_change_pass "echo 'set timeout 30; \
|
||||
script a4_change_pass "echo 'set timeout 30; \
|
||||
spawn $a4 --osh selfMFASetupPassword --yes; \
|
||||
expect \":\" { sleep 0.2; send \"$a4_password\\n\"; }; \
|
||||
expect \":\" { sleep 0.2; send \"$a4_password_new\\n\"; }; \
|
||||
|
@ -225,7 +225,7 @@ testsuite_mfa()
|
|||
unset a4_password_new
|
||||
|
||||
if [ "${capabilities[mfa]}" = 1 ] || [ "${capabilities[mfa-password]}" = 1 ]; then
|
||||
script mfa a4_connect_with_pass "echo 'set timeout 30; \
|
||||
script a4_connect_with_pass "echo 'set timeout 30; \
|
||||
spawn $a4 --osh groupList; \
|
||||
expect \":\" { sleep 0.2; send \"$a4_password\\n\"; }; \
|
||||
expect eof; \
|
||||
|
@ -238,30 +238,30 @@ testsuite_mfa()
|
|||
fi
|
||||
|
||||
# set account4 as mfa totp required
|
||||
success mfa a0_accountModify_totpreq_a4 $a0 --osh accountModify --account $account4 --mfa-totp-required yes
|
||||
success a0_accountModify_totpreq_a4 $a0 --osh accountModify --account $account4 --mfa-totp-required yes
|
||||
json .error_code OK .command accountModify .value.mfa_totp_required.error_code OK
|
||||
|
||||
# set account4 as mfa totp required (dupe)
|
||||
success mfa a0_accountModify_totpreq_a4_dupe $a0 --osh accountModify --account $account4 --mfa-totp-required yes
|
||||
success a0_accountModify_totpreq_a4_dupe $a0 --osh accountModify --account $account4 --mfa-totp-required yes
|
||||
json .error_code OK .command accountModify .value.mfa_totp_required.error_code OK_NO_CHANGE
|
||||
|
||||
# now try to connect with account4
|
||||
if [ "${capabilities[mfa]}" = 1 ] || [ "${capabilities[mfa-password]}" = 1 ]; then
|
||||
script mfa a4_connect_with_totpreq "echo 'set timeout 30; \
|
||||
script a4_connect_with_totpreq "echo 'set timeout 30; \
|
||||
spawn $a4 --osh groupList; \
|
||||
expect \":\" { sleep 0.2; send \"$a4_password\\n\"; }; \
|
||||
expect eof; \
|
||||
lassign [wait] pid spawnid value value; \
|
||||
exit \$value' | expect -f -"
|
||||
else
|
||||
run mfa a4_connect_with_totpreq $a4 --osh groupList
|
||||
run a4_connect_with_totpreq $a4 --osh groupList
|
||||
fi
|
||||
retvalshouldbe 123
|
||||
json .error_code KO_MFA_TOTP_SETUP_REQUIRED
|
||||
|
||||
if [ "${capabilities[mfa]}" = 1 ]; then
|
||||
# setup totp
|
||||
script mfa a4_setup_totp "echo 'set timeout 30; \
|
||||
script a4_setup_totp "echo 'set timeout 30; \
|
||||
spawn $a4 --osh selfMFASetupTOTP --no-confirm; \
|
||||
expect \"word:\" { sleep 0.2; send \"$a4_password\\n\"; }; \
|
||||
expect \"word:\" { sleep 0.2; send \"$a4_password\\n\"; }; \
|
||||
|
@ -278,7 +278,7 @@ testsuite_mfa()
|
|||
#a4_totp_code_4=$(get_stdout | grep -A4 'Your emergency scratch codes are:' | tail -n1 | tr -d '[:space:]')
|
||||
|
||||
# login and fail without totp (timeout)
|
||||
script mfa a4_connect_after_totp_fail "echo 'set timeout 30; \
|
||||
script a4_connect_after_totp_fail "echo 'set timeout 30; \
|
||||
spawn $a4 --osh groupList; \
|
||||
expect \"word:\" { sleep 0.2; send \"$a4_password\\n\"; }; \
|
||||
expect eof; \
|
||||
|
@ -294,7 +294,7 @@ testsuite_mfa()
|
|||
nocontain 'JSON_OUTPUT'
|
||||
|
||||
# success with password + totp
|
||||
script mfa a4_connect_after_totp_ok "echo 'set timeout 30; \
|
||||
script a4_connect_after_totp_ok "echo 'set timeout 30; \
|
||||
spawn $a4 --osh groupList; \
|
||||
expect \"word:\" { sleep 0.2; send \"$a4_password\\n\"; }; \
|
||||
expect \"code:\" { sleep 0.2; send \"$a4_totp_code_1\\n\"; }; \
|
||||
|
@ -309,7 +309,7 @@ testsuite_mfa()
|
|||
json .command groupList .error_code OK_EMPTY
|
||||
|
||||
# totp scratch codes don't work twice
|
||||
script mfa a4_connect_after_totp_dupe "echo 'set timeout 30; \
|
||||
script a4_connect_after_totp_dupe "echo 'set timeout 30; \
|
||||
spawn $a4 --osh groupList; \
|
||||
expect \"word:\" { sleep 0.2; send \"$a4_password\\n\"; }; \
|
||||
expect \"code:\" { sleep 0.2; send \"$a4_totp_code_1\\n\"; }; \
|
||||
|
@ -325,23 +325,23 @@ testsuite_mfa()
|
|||
nocontain 'JSON_OUTPUT'
|
||||
|
||||
# set pam bypass on account4 (dupe)
|
||||
success mfa a0_set_pambypass_a4 $a0 --osh accountModify --account $account4 --pam-auth-bypass yes
|
||||
success a0_set_pambypass_a4 $a0 --osh accountModify --account $account4 --pam-auth-bypass yes
|
||||
json .error_code OK .command accountModify .value.pam_auth_bypass.error_code OK
|
||||
|
||||
# set pam bypass on account4
|
||||
success mfa a0_set_pambypass_a4_dupe $a0 --osh accountModify --account $account4 --pam-auth-bypass yes
|
||||
success a0_set_pambypass_a4_dupe $a0 --osh accountModify --account $account4 --pam-auth-bypass yes
|
||||
json .error_code OK .command accountModify .value.pam_auth_bypass.error_code OK_NO_CHANGE
|
||||
|
||||
# we don't provide password or totp, it should work because bypass
|
||||
success mfa a4_pam_auth_bypass $a4 --osh groupList
|
||||
success a4_pam_auth_bypass $a4 --osh groupList
|
||||
json .command groupList .error_code OK_EMPTY
|
||||
|
||||
# remove requirement of password and totp for account4, also remove bypass
|
||||
success mfa a0_remove_mfa_req_a4 $a0 --osh accountModify --account $account4 --pam-auth-bypass no --mfa-totp-required no --mfa-password-required no
|
||||
success a0_remove_mfa_req_a4 $a0 --osh accountModify --account $account4 --pam-auth-bypass no --mfa-totp-required no --mfa-password-required no
|
||||
json .error_code OK .command accountModify .value.pam_auth_bypass.error_code OK .value.mfa_totp_required.error_code OK .value.mfa_password_required.error_code OK
|
||||
|
||||
# remove requirement of password and totp for account4, also remove bypass (dupe)
|
||||
success mfa a0_remove_mfa_req_a4_dupe $a0 --osh accountModify --account $account4 --pam-auth-bypass no --mfa-totp-required no --mfa-password-required no
|
||||
success a0_remove_mfa_req_a4_dupe $a0 --osh accountModify --account $account4 --pam-auth-bypass no --mfa-totp-required no --mfa-password-required no
|
||||
json .error_code OK .command accountModify .value.pam_auth_bypass.error_code OK_NO_CHANGE .value.mfa_totp_required.error_code OK_NO_CHANGE .value.mfa_password_required.error_code OK_NO_CHANGE
|
||||
|
||||
# FIXME
|
||||
|
@ -378,7 +378,7 @@ testsuite_mfa()
|
|||
grant accountDelete
|
||||
|
||||
# remove account
|
||||
script mfa a0_delete_a4 $a0 --osh accountDelete --account $account4 "<<< \"Yes, do as I say and delete $account4, kthxbye\""
|
||||
script a0_delete_a4 $a0 --osh accountDelete --account $account4 "<<< \"Yes, do as I say and delete $account4, kthxbye\""
|
||||
retvalshouldbe 0
|
||||
json .command accountDelete .error_code OK
|
||||
|
||||
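Review bot: The comments above `a0_set_pambypass_a4` and `a0_set_pambypass_a4_dupe` are swapped: the first invocation, which expects `.value.pam_auth_bypass.error_code OK`, is labelled `# set pam bypass on account4 (dupe)`, while the repeated one expecting `OK_NO_CHANGE` is labelled `# set pam bypass on account4`. These two lines are where the suite pins that `--pam-auth-bypass yes` is idempotent, and a bypass that silently disables all PAM factors is exactly the setting a reader will scrutinise, so the labels should agree with the expected codes: `# set pam bypass on account4` on the first and `# set pam bypass on account4 (dupe)` on the second. The enclosing testsuite_mfa function starts and ends outside this hunk.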
|
|
|
@ -12,7 +12,7 @@ testsuite_mfa_realm()
|
|||
grant accountCreate
|
||||
|
||||
# create account4
|
||||
success mfarealm a0_create_a4 $a0 --osh accountCreate --always-active --account $account4 --uid $uid4 --public-key "\"$(cat $account4key1file.pub)\""
|
||||
success a0_create_a4 $a0 --osh accountCreate --always-active --account $account4 --uid $uid4 --public-key "\"$(cat $account4key1file.pub)\""
|
||||
json .error_code OK .command accountCreate .value null
|
||||
|
||||
revoke accountCreate
|
||||
|
@ -21,54 +21,54 @@ testsuite_mfa_realm()
|
|||
grant groupCreate
|
||||
|
||||
# create realm-egress group on local bastion
|
||||
success realm create_support_group $a0 --osh groupCreate --group $realm_egress_group --owner $account4 --algo ed25519
|
||||
success create_support_group $a0 --osh groupCreate --group $realm_egress_group --owner $account4 --algo ed25519
|
||||
local realm_group_key
|
||||
realm_group_key=$(get_json | $jq '.value.public_key.line')
|
||||
|
||||
grant realmCreate
|
||||
|
||||
# create shared realm-account on remote bastion
|
||||
success realm create_shared_account $a0 --osh realmCreate --realm $realm_shared_account --public-key \"$realm_group_key\" --from 0.0.0.0/0
|
||||
success create_shared_account $a0 --osh realmCreate --realm $realm_shared_account --public-key \"$realm_group_key\" --from 0.0.0.0/0
|
||||
|
||||
revoke realmCreate
|
||||
|
||||
# add remote bastion ip on group of local bastion
|
||||
success realm add_remote_bastion_to_group $a4 --osh groupAddServer --host 127.0.0.1 --user realm_$realm_shared_account --port 22 --group $realm_egress_group --kbd-interactive
|
||||
success add_remote_bastion_to_group $a4 --osh groupAddServer --host 127.0.0.1 --user realm_$realm_shared_account --port 22 --group $realm_egress_group --kbd-interactive
|
||||
|
||||
# attempt inter-realm connection
|
||||
success realm firstconnect1 $a4 realm_$realm_shared_account@127.0.0.1 --kbd-interactive -- $js --osh info
|
||||
success firstconnect1 $a4 realm_$realm_shared_account@127.0.0.1 --kbd-interactive -- $js --osh info
|
||||
json .value.account $account4 .value.realm $realm_shared_account
|
||||
|
||||
# create a remote-group on which we'll add the realm user
|
||||
success mfarealm remote_group_create $a0 --osh groupCreate --group remotegrp --owner $account0 --algo ed25519
|
||||
success remote_group_create $a0 --osh groupCreate --group remotegrp --owner $account0 --algo ed25519
|
||||
revoke groupCreate
|
||||
|
||||
success mfarealm remote_group_add_server $a0 --osh groupAddServer --group remotegrp --host 127.0.0.5 --port 22 --user nevermind --force
|
||||
success remote_group_add_server $a0 --osh groupAddServer --group remotegrp --host 127.0.0.5 --port 22 --user nevermind --force
|
||||
|
||||
# try to connect, as a realm user, to 127.0.0.5 through the realm: won't work
|
||||
run mfarealm realm_user_fail_connect_not_member $a4 realm_$realm_shared_account@127.0.0.1 --kbd-interactive -- $js nevermind@127.0.0.5
|
||||
run realm_user_fail_connect_not_member $a4 realm_$realm_shared_account@127.0.0.1 --kbd-interactive -- $js nevermind@127.0.0.5
|
||||
retvalshouldbe 107
|
||||
json .error_code KO_ACCESS_DENIED .error_message "Access denied for $realm_shared_account/$account4 to nevermind@127.0.0.5:22"
|
||||
|
||||
# now add the realm user and retry
|
||||
success mfarealm remote_group_add_user $a0 --osh groupAddMember --group remotegrp --account $realm_shared_account/$account4
|
||||
success remote_group_add_user $a0 --osh groupAddMember --group remotegrp --account $realm_shared_account/$account4
|
||||
|
||||
run mfarealm realm_user_fail_connect_not_member $a4 realm_$realm_shared_account@127.0.0.1 --kbd-interactive -- $js nevermind@127.0.0.5
|
||||
run realm_user_fail_connect_not_member $a4 realm_$realm_shared_account@127.0.0.1 --kbd-interactive -- $js nevermind@127.0.0.5
|
||||
retvalshouldbe 255
|
||||
contain "group-member of remotegrp"
|
||||
contain "Permission denied (publickey)"
|
||||
|
||||
# now setup mandatory MFA on the group
|
||||
success mfarealm remote_group_set_mfa $a0 --osh groupModify --group remotegrp --mfa-required password
|
||||
success remote_group_set_mfa $a0 --osh groupModify --group remotegrp --mfa-required password
|
||||
|
||||
# try to connect won't work
|
||||
run mfarealm realm_user_fail_connect_no_mfa $a4 realm_$realm_shared_account@127.0.0.1 --kbd-interactive -- $js nevermind@127.0.0.5
|
||||
run realm_user_fail_connect_no_mfa $a4 realm_$realm_shared_account@127.0.0.1 --kbd-interactive -- $js nevermind@127.0.0.5
|
||||
retvalshouldbe 122
|
||||
json .error_code KO_MFA_PASSWORD_SETUP_REQUIRED
|
||||
|
||||
# setup our MFA
|
||||
# setup our password, step1
|
||||
run mfa a4_setup_pass_step1of2 $a4f --osh selfMFASetupPassword --yes
|
||||
run a4_setup_pass_step1of2 $a4f --osh selfMFASetupPassword --yes
|
||||
retvalshouldbe 124
|
||||
contain 'enter this:'
|
||||
local a4_password_tmp
|
||||
|
@ -76,7 +76,7 @@ testsuite_mfa_realm()
|
|||
|
||||
# setup our password, step2
|
||||
local a4_password='Hfv$!OKiG:(xl>Th8Kv!alz4436BFt~'
|
||||
script mfa a4_setup_pass_step2of2 "echo 'set timeout 30; \
|
||||
script a4_setup_pass_step2of2 "echo 'set timeout 30; \
|
||||
spawn $a4 --osh selfMFASetupPassword --yes; \
|
||||
expect \":\" { sleep 0.2; send \"$a4_password_tmp\\n\"; }; \
|
||||
expect \":\" { sleep 0.2; send \"$a4_password\\n\"; }; \
|
||||
|
@ -94,22 +94,22 @@ testsuite_mfa_realm()
|
|||
# set account4 as nopam, to only use JIT MFA because that's what we want to test
|
||||
grant accountModify
|
||||
|
||||
success mfarealm a4_set_nopam $a0 --osh accountModify --account $account4 --pam-auth-bypass yes
|
||||
success a4_set_nopam $a0 --osh accountModify --account $account4 --pam-auth-bypass yes
|
||||
json .command accountModify .error_code OK
|
||||
|
||||
revoke accountModify
|
||||
|
||||
# try to connect will still not work because we have MFA but we're asked for it on our first bastion
|
||||
run mfarealm realm_user_still_fail_connect_no_mfa $a4 realm_$realm_shared_account@127.0.0.1 --kbd-interactive -- $js nevermind@127.0.0.5
|
||||
run realm_user_still_fail_connect_no_mfa $a4 realm_$realm_shared_account@127.0.0.1 --kbd-interactive -- $js nevermind@127.0.0.5
|
||||
retvalshouldbe 122
|
||||
json .error_code KO_MFA_PASSWORD_SETUP_REQUIRED
|
||||
|
||||
# force MFA for the support group
|
||||
success mfarealm set_mfa_for_support_group $a4 --osh groupModify --group $realm_egress_group --mfa-required password
|
||||
success set_mfa_for_support_group $a4 --osh groupModify --group $realm_egress_group --mfa-required password
|
||||
json .command groupModify .error_code OK
|
||||
|
||||
# try to connect, this one will finally work
|
||||
script mfarealm a4_connect_success_realm_with_remote_mfa "echo 'set timeout 30; \
|
||||
script a4_connect_success_realm_with_remote_mfa "echo 'set timeout 30; \
|
||||
spawn $a4 realm_$realm_shared_account@127.0.0.1 --kbd-interactive -- $js nevermind@127.0.0.5; \
|
||||
expect \"word:\" { sleep 0.2; send \"$a4_password\\n\"; }; \
|
||||
expect eof; \
|
||||
|
@ -122,19 +122,19 @@ testsuite_mfa_realm()
|
|||
# cleanup
|
||||
grant realmDelete
|
||||
|
||||
success mfarealm realmDelete $a0 --osh realmDelete --realm $realm_shared_account "<<< \"Yes, do as I say and delete $realm_shared_account, kthxbye\""
|
||||
success realmDelete $a0 --osh realmDelete --realm $realm_shared_account "<<< \"Yes, do as I say and delete $realm_shared_account, kthxbye\""
|
||||
|
||||
revoke realmDelete
|
||||
grant accountDelete
|
||||
|
||||
script mfarealm a0_delete_a4 $a0 --osh accountDelete --account $account4 "<<< \"Yes, do as I say and delete $account4, kthxbye\""
|
||||
script a0_delete_a4 $a0 --osh accountDelete --account $account4 "<<< \"Yes, do as I say and delete $account4, kthxbye\""
|
||||
retvalshouldbe 0
|
||||
json .command accountDelete .error_code OK
|
||||
|
||||
revoke accountDelete
|
||||
grant groupDelete
|
||||
|
||||
success mfarealm groupDelete $a0 --osh groupDelete --group $realm_egress_group --no-confirm
|
||||
success groupDelete $a0 --osh groupDelete --group $realm_egress_group --no-confirm
|
||||
|
||||
revoke groupDelete
|
||||
}
|
||||
|
|
|
@ -57,7 +57,7 @@ EOF
|
|||
|
||||
grant accountCreate
|
||||
|
||||
success osh accountCreate $a0 --osh accountCreate --always-active --account $account1 --uid $uid1 --public-key \""$(cat $account1key1file.pub)"\"
|
||||
success accountCreate $a0 --osh accountCreate --always-active --account $account1 --uid $uid1 --public-key \""$(cat $account1key1file.pub)"\"
|
||||
json .error_code OK .command accountCreate .value null
|
||||
|
||||
revoke accountCreate
|
||||
|
@ -65,7 +65,7 @@ EOF
|
|||
grant accountPIV
|
||||
grant accountListIngressKeys
|
||||
|
||||
script selfAddIngressKey piv_nopivspecified $a1 --osh selfAddIngressKey --piv "< $account2key1file.pub"
|
||||
script piv_nopivspecified $a1 --osh selfAddIngressKey --piv "< $account2key1file.pub"
|
||||
retvalshouldbe 100
|
||||
json .command selfAddIngressKey .error_code ERR_NO_PEM_START_MARKER
|
||||
|
||||
|
@ -73,73 +73,73 @@ EOF
|
|||
configchg 's=^\\\\x22minimumIngressRsaKeySize\\\\x22.+=\\\\x22minimumIngressRsaKeySize\\\\x22:2048,='
|
||||
|
||||
# add a key which doesn't match the certs
|
||||
script selfAddIngressKey piv_badcert "( cat $account2key1file.pub; echo \"$piv_attestation\"; echo \"$piv_certificate\" ) | $a1 --osh selfAddIngressKey --piv"
|
||||
script piv_badcert "( cat $account2key1file.pub; echo \"$piv_attestation\"; echo \"$piv_certificate\" ) | $a1 --osh selfAddIngressKey --piv"
|
||||
retvalshouldbe 100
|
||||
json .command selfAddIngressKey .error_code ERR_PIV_VALIDATION_FAILED
|
||||
|
||||
# add a proper PIV key
|
||||
script selfAddIngressKey piv_ok "( echo \"$piv_pub\"; echo \"$piv_attestation\"; echo \"$piv_certificate\" ) | $a1 --osh selfAddIngressKey --piv"
|
||||
script piv_ok "( echo \"$piv_pub\"; echo \"$piv_attestation\"; echo \"$piv_certificate\" ) | $a1 --osh selfAddIngressKey --piv"
|
||||
retvalshouldbe 0
|
||||
json .command selfAddIngressKey .error_code OK .value.key.isPiv 1 .value.key.pivInfo.SSHKey.FingerprintMD5 '01:de:fa:fd:0a:3e:9d:45:d2:0c:a1:9c:1b:97:79:dd'
|
||||
|
||||
# we should see it here
|
||||
success selfListIngressKeys piv_list $a1 --osh selfListIngressKeys
|
||||
success piv_list $a1 --osh selfListIngressKeys
|
||||
json .command selfListIngressKeys .error_code OK .value.keys[1].isPiv 1 .value.keys[1].pivInfo.Yubikey.SerialNumber 10595103
|
||||
# save the fp for later
|
||||
local piv_fp
|
||||
piv_fp=$(get_json | $jq '.value.keys[1].fingerprint')
|
||||
|
||||
# add a third normal key (needed for a test few lines below)
|
||||
success selfAddIngressKey normalkey $a1 --osh selfAddIngressKey "< $account1key2file.pub"
|
||||
success normalkey $a1 --osh selfAddIngressKey "< $account1key2file.pub"
|
||||
json .command selfAddIngressKey .error_code OK
|
||||
# save the fp for later too
|
||||
local other_fp
|
||||
other_fp=$(get_json | $jq '.value.key.fingerprint')
|
||||
|
||||
# enforce PIV only on account1
|
||||
success accountPIV a0_piv_enforce_a1 $a0 --osh accountPIV --policy enforce --account $account1
|
||||
success a0_piv_enforce_a1 $a0 --osh accountPIV --policy enforce --account $account1
|
||||
json .command accountPIV .error_code OK
|
||||
|
||||
# account1 can no longer connect because only its PIV key is active, and this testcase doesn't have the corresponding private key (obviously)
|
||||
run selfListIngressKeys a1_listkeys $a1 --osh selfListIngressKeys
|
||||
run a1_listkeys $a1 --osh selfListIngressKeys
|
||||
retvalshouldbe 255
|
||||
contain "Permission denied"
|
||||
|
||||
# account0 checks the ingress keys of account1, only the PIV key must remain.
|
||||
success accountListIngressKeys a0_listkeys_a1 $a0 --osh accountListIngressKeys --account $account1
|
||||
success a0_listkeys_a1 $a0 --osh accountListIngressKeys --account $account1
|
||||
json .command accountListIngressKeys .error_code OK .value.keys[1] null .value.keys[0].isPiv 1 .value.keys[0].pivInfo.Yubikey.SerialNumber 10595103
|
||||
|
||||
# account0 sudo account1 to try to add a non-piv key. this must not work.
|
||||
# for this trick, a0 needs to use adminSudo hence needs to be an admin
|
||||
configchg 's=^\\\\x22adminAccounts\\\\x22.+=\\\\x22adminAccounts\\\\x22:[\\\\x22'"$account0"'\\\\x22],='
|
||||
|
||||
success root set_a0_as_admin $r0 "\". $opt_remote_basedir/lib/shell/functions.inc; add_user_to_group_compat $account0 osh-admin\""
|
||||
success set_a0_as_admin $r0 "\". $opt_remote_basedir/lib/shell/functions.inc; add_user_to_group_compat $account0 osh-admin\""
|
||||
|
||||
script sudo-selfListIngressKeys a0_sudo_a1_selfaddnonpiv $a0 --osh adminSudo -- --sudo-as $account1 --sudo-cmd selfAddIngressKey -- $js "< $account2key1file.pub"
|
||||
script a0_sudo_a1_selfaddnonpiv $a0 --osh adminSudo -- --sudo-as $account1 --sudo-cmd selfAddIngressKey -- $js "< $account2key1file.pub"
|
||||
retvalshouldbe 0
|
||||
json .command adminSudo .error_code OK_NON_ZERO_EXIT .value.status 100
|
||||
contain ERR_NO_PEM_START_MARKER
|
||||
|
||||
# account0 sudo account1 remove the PIV key
|
||||
script sudo-selfDelIngressKey a0_sudo_a1_selfdelpiv $a0 --osh adminSudo -- --sudo-as $account1 --sudo-cmd selfDelIngressKey -- --fingerprint-to-delete "$piv_fp" $js
|
||||
script a0_sudo_a1_selfdelpiv $a0 --osh adminSudo -- --sudo-as $account1 --sudo-cmd selfDelIngressKey -- --fingerprint-to-delete "$piv_fp" $js
|
||||
retvalshouldbe 0
|
||||
json .command adminSudo .error_code OK
|
||||
|
||||
# account0 list the keys of account1; no key must remain because all non-PIV keys are disabled and the PIV key is gone
|
||||
success accountListIngressKeys a0_listkeys_a1_empty $a0 --osh accountListIngressKeys --account $account1
|
||||
success a0_listkeys_a1_empty $a0 --osh accountListIngressKeys --account $account1
|
||||
json .command accountListIngressKeys .error_code OK '.value.keys|length' 0
|
||||
|
||||
# account1 still can't connect
|
||||
run info a1_noconnect $a1 --osh info
|
||||
run a1_noconnect $a1 --osh info
|
||||
retvalshouldbe 255
|
||||
contain "Permission denied"
|
||||
|
||||
# set PIV grace on account1
|
||||
success accountPIV a0_piv_grace_a1 $a0 --osh accountPIV --policy grace --ttl 10 --account $account1
|
||||
success a0_piv_grace_a1 $a0 --osh accountPIV --policy grace --ttl 10 --account $account1
|
||||
json .command accountPIV .error_code OK
|
||||
|
||||
# account1 should be able to connect now
|
||||
success selfListIngressKeys a1_listkeys_after_piv_grace $a1 --osh selfListIngressKeys
|
||||
success a1_listkeys_after_piv_grace $a1 --osh selfListIngressKeys
|
||||
json .command selfListIngressKeys .error_code OK '.value.keys|length' 2
|
||||
|
||||
# sleep to ensure grace expires
|
||||
|
@ -148,27 +148,27 @@ EOF
|
|||
|
||||
# manually launch the grace reaper (normally done by cron)
|
||||
echo "manually launching piv grace reaper..."
|
||||
success root grace_reaper $r0 $opt_remote_basedir/bin/cron/osh-piv-grace-reaper.pl
|
||||
success grace_reaper $r0 $opt_remote_basedir/bin/cron/osh-piv-grace-reaper.pl
|
||||
|
||||
# account1 should no longer be able to connect, as PIV grace expired
|
||||
run info a1_noconnect_grace_expired $a1 --osh info
|
||||
run a1_noconnect_grace_expired $a1 --osh info
|
||||
retvalshouldbe 255
|
||||
contain "Permission denied"
|
||||
|
||||
# remove PIV only from account1
|
||||
success accountPIV a0_piv_none_a1 $a0 --osh accountPIV --policy default --account $account1
|
||||
success a0_piv_none_a1 $a0 --osh accountPIV --policy default --account $account1
|
||||
json .command accountPIV .error_code OK
|
||||
|
||||
# account1 can connect
|
||||
success selfListIngressKeys a1_listkeys_piv_none $a1 --osh selfListIngressKeys
|
||||
success a1_listkeys_piv_none $a1 --osh selfListIngressKeys
|
||||
json .command selfListIngressKeys .error_code OK '.value.keys|length' 2
|
||||
|
||||
# remove the test key
|
||||
success selfDelIngressKey a1_delkey_test $a1 --osh selfDelIngressKey --fingerprint-to-delete $other_fp
|
||||
success a1_delkey_test $a1 --osh selfDelIngressKey --fingerprint-to-delete $other_fp
|
||||
json .command selfDelIngressKey .error_code OK
|
||||
|
||||
# remove a0 from admins
|
||||
success root del_a0_as_admin $r0 "\". $opt_remote_basedir/lib/shell/functions.inc; del_user_from_group_compat $account0 osh-admin\""
|
||||
success del_a0_as_admin $r0 "\". $opt_remote_basedir/lib/shell/functions.inc; del_user_from_group_compat $account0 osh-admin\""
|
||||
|
||||
revoke accountListIngressKeys
|
||||
revoke accountPIV
|
||||
|
@ -176,13 +176,13 @@ EOF
|
|||
|
||||
# delete account1
|
||||
grant accountDelete
|
||||
script accountDelete cleanup $a0 --osh accountDelete --account $account1 "<<< \"Yes, do as I say and delete $account1, kthxbye\""
|
||||
script cleanup $a0 --osh accountDelete --account $account1 "<<< \"Yes, do as I say and delete $account1, kthxbye\""
|
||||
retvalshouldbe 0
|
||||
|
||||
revoke accountDelete
|
||||
|
||||
# restore default config
|
||||
success bastion configrestore $r0 "dd if=$opt_remote_etc_bastion/bastion.conf.bak.$now of=$opt_remote_etc_bastion/bastion.conf"
|
||||
success configrestore $r0 "dd if=$opt_remote_etc_bastion/bastion.conf.bak.$now of=$opt_remote_etc_bastion/bastion.conf"
|
||||
}
|
||||
|
||||
if [ "${capabilities[piv]}" = 1 ]; then
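Review bot: With the section prefix gone, the test name `cleanup` on the accountDelete step near the end of this hunk is now the only identifier the report will carry, and it no longer says which account is removed or by whom. The sibling modules touched by this commit name the same step `a0_delete_a1` (strict-checking) and `a0_delete_a4` (mfa-realm); renaming this one to `script a0_delete_a1 $a0 --osh accountDelete --account $account1 "<<< \"Yes, do as I say and delete $account1, kthxbye\""` keeps the per-module names descriptive and consistent. The enclosing test function starts before this hunk.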
|
||||
|
|
|
@ -11,12 +11,12 @@ testsuite_proxy()
|
|||
# as a --no-color or similar option doesn't seem to exist for curl.
|
||||
|
||||
# check that the proxy is up
|
||||
script 500-http-proxy monitoring "curl -ski https://$remote_ip:$remote_proxy_port/bastion-health-check | cat; exit \${PIPESTATUS[0]}"
|
||||
script monitoring "curl -ski https://$remote_ip:$remote_proxy_port/bastion-health-check | cat; exit \${PIPESTATUS[0]}"
|
||||
retvalshouldbe 0
|
||||
contain 'running nominally'
|
||||
|
||||
# and let's go
|
||||
script 500-http-proxy noauth "curl -ski https://$remote_ip:$remote_proxy_port/test | cat; exit \${PIPESTATUS[0]}"
|
||||
script noauth "curl -ski https://$remote_ip:$remote_proxy_port/test | cat; exit \${PIPESTATUS[0]}"
|
||||
retvalshouldbe 0
|
||||
contain 'HTTP/1.0 401 Authorization required (no auth provided)'
|
||||
contain 'Server: The Bastion'
|
||||
|
@ -26,7 +26,7 @@ testsuite_proxy()
|
|||
contain 'Content-Type: text/plain'
|
||||
contain 'No authentication provided, and authentication is mandatory'
|
||||
|
||||
script 500-http-proxy bad_auth_format "curl -ski -u test:test https://$remote_ip:$remote_proxy_port/test | cat; exit \${PIPESTATUS[0]}"
|
||||
script bad_auth_format "curl -ski -u test:test https://$remote_ip:$remote_proxy_port/test | cat; exit \${PIPESTATUS[0]}"
|
||||
retvalshouldbe 0
|
||||
contain 'HTTP/1.0 400 Bad Request (bad login format)'
|
||||
contain 'Server: The Bastion'
|
||||
|
@ -36,7 +36,7 @@ testsuite_proxy()
|
|||
contain 'Content-Type: text/plain'
|
||||
contain 'Expected an Authorization line with credentials of the form'
|
||||
|
||||
script 500-http-proxy bad_auth "curl -ski -u test@test@test:test https://$remote_ip:$remote_proxy_port/test | cat; exit \${PIPESTATUS[0]}"
|
||||
script bad_auth "curl -ski -u test@test@test:test https://$remote_ip:$remote_proxy_port/test | cat; exit \${PIPESTATUS[0]}"
|
||||
retvalshouldbe 0
|
||||
contain 'HTTP/1.0 403 Access Denied'
|
||||
contain 'Server: The Bastion'
|
||||
|
@ -47,13 +47,13 @@ testsuite_proxy()
|
|||
contain 'Incorrect username (test) or password (#REDACTED#, length=4)'
|
||||
|
||||
# create valid credentials
|
||||
success 500-http-proxy generate_proxy_password $a0 --osh selfGenerateProxyPassword --do-it
|
||||
success generate_proxy_password $a0 --osh selfGenerateProxyPassword --do-it
|
||||
json .command selfGenerateProxyPassword .error_code OK
|
||||
local proxy_password
|
||||
proxy_password=$(get_json | jq -r '.value.password')
|
||||
|
||||
# now try to use these
|
||||
script 500-http-proxy good_auth_bad_host "curl -ski -u '$account0@test@test.invalid:$proxy_password' https://$remote_ip:$remote_proxy_port/test | cat; exit \${PIPESTATUS[0]}"
|
||||
script good_auth_bad_host "curl -ski -u '$account0@test@test.invalid:$proxy_password' https://$remote_ip:$remote_proxy_port/test | cat; exit \${PIPESTATUS[0]}"
|
||||
retvalshouldbe 0
|
||||
contain 'HTTP/1.0 400 Bad Request (host not resolved)'
|
||||
contain 'Server: The Bastion'
|
||||
|
@ -68,13 +68,13 @@ testsuite_proxy()
|
|||
contain "Specified remote host couldn't be resolved through the DNS"
|
||||
|
||||
# change credentials again
|
||||
success 500-http-proxy generate_proxy_password2 $a0 --osh selfGenerateProxyPassword --do-it
|
||||
success generate_proxy_password2 $a0 --osh selfGenerateProxyPassword --do-it
|
||||
json .command selfGenerateProxyPassword .error_code OK
|
||||
local proxy_password2
|
||||
proxy_password2=$(get_json | jq -r '.value.password')
|
||||
|
||||
# attempt to use the previous credentials (and fail)
|
||||
script 500-http-proxy bad_auth2 "curl -ski -u test@test@test:test https://$remote_ip:$remote_proxy_port/test | cat; exit \${PIPESTATUS[0]}"
|
||||
script bad_auth2 "curl -ski -u test@test@test:test https://$remote_ip:$remote_proxy_port/test | cat; exit \${PIPESTATUS[0]}"
|
||||
retvalshouldbe 0
|
||||
contain 'HTTP/1.0 403 Access Denied'
|
||||
contain 'Server: The Bastion'
|
||||
|
@ -86,7 +86,7 @@ testsuite_proxy()
|
|||
|
||||
proxy_password="$proxy_password2"
|
||||
|
||||
script 500-http-proxy good_auth_no_access "curl -ski -u '$account0@test@127.0.0.1:$proxy_password' https://$remote_ip:$remote_proxy_port/test | cat; exit \${PIPESTATUS[0]}"
|
||||
script good_auth_no_access "curl -ski -u '$account0@test@127.0.0.1:$proxy_password' https://$remote_ip:$remote_proxy_port/test | cat; exit \${PIPESTATUS[0]}"
|
||||
retvalshouldbe 0
|
||||
contain 'HTTP/1.0 403 Access Denied (access denied to remote)'
|
||||
contain 'Server: The Bastion'
|
||||
|
@ -101,7 +101,7 @@ testsuite_proxy()
|
|||
contain 'Content-Type: text/plain'
|
||||
contain "This account doesn't have access to this user@host tuple (Access denied for $account0 to test@127.0.0.1:443)"
|
||||
|
||||
script 500-http-proxy good_auth_no_access_other_port "curl -ski -u '$account0@test@127.0.0.1%9443:$proxy_password' https://$remote_ip:$remote_proxy_port/test | cat; exit \${PIPESTATUS[0]}"
|
||||
script good_auth_no_access_other_port "curl -ski -u '$account0@test@127.0.0.1%9443:$proxy_password' https://$remote_ip:$remote_proxy_port/test | cat; exit \${PIPESTATUS[0]}"
|
||||
retvalshouldbe 0
|
||||
contain 'HTTP/1.0 403 Access Denied (access denied to remote)'
|
||||
contain 'Server: The Bastion'
|
||||
|
@ -119,12 +119,12 @@ testsuite_proxy()
|
|||
# add ourselves access
|
||||
grant selfAddPersonalAccess
|
||||
|
||||
success 500-http-proxy add_personal_access $a0 --osh selfAddPersonalAccess --host 127.0.0.1 --port 9443 --user test --force
|
||||
success add_personal_access $a0 --osh selfAddPersonalAccess --host 127.0.0.1 --port 9443 --user test --force
|
||||
json .command selfAddPersonalAccess .error_code OK
|
||||
|
||||
revoke selfAddPersonalAccess
|
||||
|
||||
script 500-http-proxy missing_egress_pwd "curl -ski -u '$account0@test@127.0.0.1%9443:$proxy_password' https://$remote_ip:$remote_proxy_port/test | cat; exit \${PIPESTATUS[0]}"
|
||||
script missing_egress_pwd "curl -ski -u '$account0@test@127.0.0.1%9443:$proxy_password' https://$remote_ip:$remote_proxy_port/test | cat; exit \${PIPESTATUS[0]}"
|
||||
retvalshouldbe 0
|
||||
contain 'HTTP/1.0 412 Precondition Failed (egress password missing)'
|
||||
contain 'Server: The Bastion'
|
||||
|
@ -140,11 +140,11 @@ testsuite_proxy()
|
|||
contain "Unable to find (or read) a password file in context 'self' and name '$account0'"
|
||||
|
||||
# generate an egress password
|
||||
success 500-http-proxy generate_egress_pwd $a0 --osh selfGeneratePassword --do-it
|
||||
success generate_egress_pwd $a0 --osh selfGeneratePassword --do-it
|
||||
json .command selfGeneratePassword .error_code OK .value.account $account0 .value.context account
|
||||
|
||||
# and retry
|
||||
script 500-http-proxy bad_certificate "curl -ski -H 'X-Bastion-Enforce-Secure: 1' -u '$account0@test@127.0.0.1%9443:$proxy_password' https://$remote_ip:$remote_proxy_port/test | cat; exit \${PIPESTATUS[0]}"
|
||||
script bad_certificate "curl -ski -H 'X-Bastion-Enforce-Secure: 1' -u '$account0@test@127.0.0.1%9443:$proxy_password' https://$remote_ip:$remote_proxy_port/test | cat; exit \${PIPESTATUS[0]}"
|
||||
retvalshouldbe 0
|
||||
# not all versions of LWP add "(certificate verify failed)" at the end of the below error message, so omit it
|
||||
contain "HTTP/1.0 500 Can't connect to 127.0.0.1:9443"
|
||||
|
@ -160,7 +160,7 @@ testsuite_proxy()
|
|||
contain 'Content-Type: text/plain'
|
||||
contain "Can't connect to 127.0.0.1:9443"
|
||||
|
||||
script 500-http-proxy insecure "curl -ski -u '$account0@test@127.0.0.1%9443:$proxy_password' https://$remote_ip:$remote_proxy_port/test | cat; exit \${PIPESTATUS[0]}"
|
||||
script insecure "curl -ski -u '$account0@test@127.0.0.1%9443:$proxy_password' https://$remote_ip:$remote_proxy_port/test | cat; exit \${PIPESTATUS[0]}"
|
||||
retvalshouldbe 0
|
||||
contain "HTTP/1.0 200 OK"
|
||||
contain 'Server: The Bastion'
|
||||
|
@ -181,7 +181,7 @@ testsuite_proxy()
|
|||
contain "Content-Length: 64"
|
||||
|
||||
# generate 1MB of data
|
||||
script 500-http-proxy one_megabyte "curl -ski -H 'X-Test-Add-Response-Header-Content-Type: application/json' -H 'X-Test-Wanted-Response-Size: 1000000' -u '$account0@test@127.0.0.1%9443:$proxy_password' https://$remote_ip:$remote_proxy_port/test | cat; exit \${PIPESTATUS[0]}"
|
||||
script one_megabyte "curl -ski -H 'X-Test-Add-Response-Header-Content-Type: application/json' -H 'X-Test-Wanted-Response-Size: 1000000' -u '$account0@test@127.0.0.1%9443:$proxy_password' https://$remote_ip:$remote_proxy_port/test | cat; exit \${PIPESTATUS[0]}"
|
||||
retvalshouldbe 0
|
||||
contain "HTTP/1.0 200 OK"
|
||||
contain 'Server: The Bastion'
|
||||
|
@ -202,7 +202,7 @@ testsuite_proxy()
|
|||
contain "Content-Length: 1000000"
|
||||
|
||||
# use a disallowed verb
|
||||
script 500-http-proxy forbidden_verb "curl -ski -X OPTIONS -u '$account0@test@127.0.0.1%9443:$proxy_password' https://$remote_ip:$remote_proxy_port/test | cat; exit \${PIPESTATUS[0]}"
|
||||
script forbidden_verb "curl -ski -X OPTIONS -u '$account0@test@127.0.0.1%9443:$proxy_password' https://$remote_ip:$remote_proxy_port/test | cat; exit \${PIPESTATUS[0]}"
|
||||
retvalshouldbe 0
|
||||
contain 'HTTP/1.0 400 Bad Request (method forbidden)'
|
||||
contain 'Server: The Bastion'
|
||||
|
@ -213,7 +213,7 @@ testsuite_proxy()
|
|||
contain 'Only GET and POST methods are allowed'
|
||||
|
||||
# post some data
|
||||
script 500-http-proxy post_data "curl -ski -d somedata -u '$account0@test@127.0.0.1%9443:$proxy_password' https://$remote_ip:$remote_proxy_port/test | cat; exit \${PIPESTATUS[0]}"
|
||||
script post_data "curl -ski -d somedata -u '$account0@test@127.0.0.1%9443:$proxy_password' https://$remote_ip:$remote_proxy_port/test | cat; exit \${PIPESTATUS[0]}"
|
||||
retvalshouldbe 0
|
||||
contain "HTTP/1.0 200 OK"
|
||||
contain 'Server: The Bastion'
|
||||
|
|
|
@ -12,25 +12,25 @@ testsuite_strict_checking()
|
|||
grant accountCreate
|
||||
|
||||
# first we need to create account1
|
||||
success strict-checking a0_create_a1 $a0 --osh accountCreate --always-active --account $account1 --uid $uid1 --public-key "\"$(cat $account1key1file.pub)\""
|
||||
success a0_create_a1 $a0 --osh accountCreate --always-active --account $account1 --uid $uid1 --public-key "\"$(cat $account1key1file.pub)\""
|
||||
json .error_code OK .command accountCreate .value null
|
||||
|
||||
revoke accountCreate
|
||||
grant accountAddPersonalAccess
|
||||
|
||||
# add access to root@127.0.0.1 (there are no keys deployed, but we don't care, connection should fail early due to the hostkey change)
|
||||
success strict-checking add_local_access $a0 --osh accountAddPersonalAccess --account $account1 --host 127.0.0.1 --port 22 --user root
|
||||
success add_local_access $a0 --osh accountAddPersonalAccess --account $account1 --host 127.0.0.1 --port 22 --user root
|
||||
json .command accountAddPersonalAccess .error_code OK
|
||||
|
||||
revoke accountAddPersonalAccess
|
||||
|
||||
# try to connect a first time, so that our bastion known_hosts is populated
|
||||
run strict-checking connect_before $a1 root@127.0.0.1
|
||||
run connect_before $a1 root@127.0.0.1
|
||||
retvalshouldbe 255
|
||||
contain "Permanently added"
|
||||
|
||||
# change the remote hostkeys
|
||||
success strict-checking change_host_keys $r0 "\"find /etc/ssh/ -type f -name 'ssh_host_*' -delete; ssh-keygen -A\""
|
||||
success change_host_keys $r0 "\"find /etc/ssh/ -type f -name 'ssh_host_*' -delete; ssh-keygen -A\""
|
||||
|
||||
# set bastion ssh_client config to StrictHostKeyChecking yes
|
||||
sshclientconfigchg 's=StrictHostKeyChecking.*=StrictHostKeyChecking\\\\x20yes=g'
|
||||
|
@ -42,7 +42,7 @@ testsuite_strict_checking()
|
|||
rm -f $HOME/.ssh/known_hosts
|
||||
|
||||
# now try to connect again
|
||||
run strict-checking connect_after $a1 root@127.0.0.1
|
||||
run connect_after $a1 root@127.0.0.1
|
||||
retvalshouldbe 255
|
||||
contain NASTY
|
||||
contain "strict checking"
|
||||
|
@ -51,7 +51,7 @@ testsuite_strict_checking()
|
|||
|
||||
# delete account1
|
||||
grant accountDelete
|
||||
script strict-checking a0_delete_a1 $a0 --osh accountDelete --account $account1 "<<< \"Yes, do as I say and delete $account1, kthxbye\""
|
||||
script a0_delete_a1 $a0 --osh accountDelete --account $account1 "<<< \"Yes, do as I say and delete $account1, kthxbye\""
|
||||
retvalshouldbe 0
|
||||
json .command accountDelete .error_code OK
|
||||
revoke accountDelete
|
||||
|
|