# vim: set filetype=sh ts=4 sw=4 sts=4 et: # shellcheck shell=bash # shellcheck disable=SC2086,SC2016,SC2046 # below: convoluted way that forces shellcheck to source our caller # shellcheck source=tests/functional/launch_tests_on_instance.sh . "$(dirname "${BASH_SOURCE[0]}")"/dummy testsuite_selfaccesses() { # now bastion key stuff # create 10 accounts with no keys and with default uids grant accountCreate for i in {1..10}; do success selfaccess a0_create_a1_uidauto_nokey_$i $a0 --osh accountCreate --account delme$i --uid-auto --no-key json .error_code OK .command accountCreate done revoke accountCreate grant accountDelete # delete those accounts for i in {1..10}; do script selfaccess a0_delete_a1_uidauto_nokey_$i $a0 --osh accountDelete --account delme$i "<<< \"Yes, do as I say and delete delme$i, kthxbye\"" retvalshouldbe 0 json .error_code OK .command accountDelete done revoke accountDelete grant accountCreate # create account1 success osh accountCreate $a0 --osh accountCreate --always-active --account $account1 --uid $uid1 --public-key "\"$(cat $account1key1file.pub)\"" json .error_code OK .command accountCreate .value null revoke accountCreate grant accountModify success realm modify_account1 $a0 --osh accountModify --pam-auth-bypass yes --account $account1 json .error_code OK .command accountModify # test osh-only success accountModify enable_osh_only $a0 --osh accountModify --osh-only yes --account $account1 json .error_code OK .command accountModify # account1 can not connect to anything run accountModify no_ssh_after_osh_only $a1 anybody@127.0.0.1 retvalshouldbe 107 json .error_code KO_ACCESS_DENIED .error_message "You don't have the right to connect anywhere" success accountModify disable_osh_only $a0 --osh accountModify --osh-only no --account $account1 json .error_code OK .command accountModify # account1 can connect now (or could if they were granted) run accountModify can_ssh_after_osh_only_disable $a1 anybody@127.0.0.1 retvalshouldbe 107 json .error_code KO_ACCESS_DENIED contain "Access denied" nocontain "anywhere" revoke accountModify success selfListEgressKeys beforeadd $a1 -osh selfListEgressKeys tmpfp=$(get_json | $jq '.value|keys[0]') json .command selfListEgressKeys .error_code OK '.value|keys[1]' null pattern "^$account1@fix-my-config-please-missing-bastion-name:[0-9]+$" "$(get_json | $jq ".value|.[\"$tmpfp\"]|.comment")" success osh selfGenerateEgressKey $a1 --osh selfGenerateEgressKey --algo rsa --size 4096 json .error_code OK .command selfGenerateEgressKey .value.size 4096 .value.family RSA tmpfp2=$(get_json | $jq '.value.fingerprint') success selfListEgressKeys afteradd $a1 -osh selfListEgressKeys json .command selfListEgressKeys .error_code OK '.value|keys[2]' null pattern "^$account1@fix-my-config-please-missing-bastion-name:[0-9]+$" "$(get_json | $jq ".value|.[\"$tmpfp\"]|.comment")" pattern "^$account1@fix-my-config-please-missing-bastion-name:[0-9]+$" "$(get_json | $jq ".value|.[\"$tmpfp2\"]|.comment")" unset tmpfp unset tmpfp2 # batch plugin script plugin-batch one "printf \"%b\\n\" \"info\\naccountInfo --account $account0\\nselfListEgressKeys\" | $a1 --osh batch" retvalshouldbe 0 json .command batch .error_code OK json '.value[0].result.error_code' OK '.value[0].command' info '.value[0].result.value.account' "$account1" json '.value[1].result.error_code' KO_RESTRICTED_COMMAND '.value[1].command' "accountInfo --account $account0" json '.value[2].result.error_code' OK '.value[2].command' selfListEgressKeys # ssh run ssh a1atlo2 $a1 127.0.0.2 -- id retvalshouldbe 107 contain "Access denied for" json .command null .error_code KO_ACCESS_DENIED run ssh invalid_host $a1 127.0./0.1 -- id retvalshouldbe 102 json .error_code KO_HOST_NOT_FOUND run ssh invalid_host $a1 127.0.%0.1 -- id retvalshouldbe 128 json .error_code KO_INVALID_REMOTE_HOST run ssh invalid_user $a1 ro/ot@127.0.0.1 -- id retvalshouldbe 127 json .error_code KO_INVALID_REMOTE_USER grant selfAddPersonalAccess grant selfDelPersonalAccess run selfAddPersonalAccess mustfail $a1 -osh selfAddPersonalAccess -h 127.0.0.2 -u $shellaccount -p 22 retvalshouldbe 106 contain "you to be specifically granted" json .command null .error_code KO_RESTRICTED_COMMAND success selfAddPersonalAccess mustwork $a0 -osh selfAddPersonalAccess -h 127.0.0.2 -u $shellaccount -p 22 --kbd-interactive nocontain "already" contain "Access to $shellaccount@127.0.0.2:22 successfully added" json .command selfAddPersonalAccess .error_code OK .value null success selfAddPersonalAccess dupe $a0 -osh selfAddPersonalAccess -h 127.0.0.2 -u $shellaccount -p 22 --kbd-interactive contain "already" json .command selfAddPersonalAccess .error_code OK_NO_CHANGE .value null success selfAddPersonalAccess withttl $a0 -osh selfAddPersonalAccess -h 127.0.0.4 -u $shellaccount -p 22 --force --ttl 0d0h0m3s contain "Access to $shellaccount@127.0.0.4:22 successfully added (expires in 00:00:0" json .command selfAddPersonalAccess .error_code OK .value null run ssh a1atlo2_login8 $a0 127.0.0.2 -- id retvalshouldbe 107 contain "Access denied for" json .command null .value null .error_code KO_ACCESS_DENIED # forcekey success selfListIngressKeys for_force_key $a0 --osh selfListEgressKeys account0key1fp=$(get_json | $jq '.value|keys[0]') success selfAddPersonalAccess forcekey $a0 --osh selfAddPersonalAccess -h 127.7.7.7 -u $shellaccount -p 22 --force --force-key "$account0key1fp" success selfListAccesses forcekey $a0 --osh selfListAccesses contain "$account0key1fp" # try to use the force key success ssh forcekey $a0 $shellaccount@127.7.7.7 --kbd-interactive -- id contain 'FORCED IN ACL' success selfDelPersonalAccess forcekey $a0 -osh selfDelPersonalAccess -h 127.7.7.7 -u $shellaccount -p 22 # /forcekey # this should work... set +e if [ "$COUNTONLY" = 1 ]; then targethostname=dummy else targethostname=$($r0 hostname | tail -n1 | grep -E -o '[a-z0-9._-]+') fi set -e success ssh shellaccountatlo2_mustwork $a0 $shellaccount@127.0.0.2 --kbd-interactive -- echo $randomstr contain REGEX "$shellaccount@($targethostname|127.0.0.2|fv-[a-z0-9-]+):22" contain "allowed ... log on" nocontain "Permission denied" contain "$randomstr" # scp success accountAddPersonalAccess forscp $a0 --osh selfAddPersonalAccess --host 127.0.0.2 --scpup --port 22 success osh scp $a0 --osh scp if [ "$COUNTONLY" != 1 ]; then tmpb64=$(get_json | $jq '.value.script') base64 -d <<< "$tmpb64" | gunzip -c > /tmp/scphelpertmp perl -pe "s/ssh $account0\\@\\S+/ssh -p $remote_port $account0\\@$remote_ip/" /tmp/scphelpertmp > /tmp/scphelper chmod +x /tmp/scphelper cat /tmp/scphelper unset tmpb64 fi run scp downloadfailnoright scp -F $mytmpdir/ssh_config -S /tmp/scphelper -i $account0key1file $shellaccount@127.0.0.2:uptest /tmp/downloaded retvalshouldbe 1 contain "Sorry, but even" success accountAddPersonalAccess forscp $a0 --osh selfAddPersonalAccess --host 127.0.0.2 --scpdown --port 22 run scp downloadfailnofile scp -F $mytmpdir/ssh_config -S /tmp/scphelper -i $account0key1file $shellaccount@127.0.0.2:uptest /tmp/downloaded retvalshouldbe 1 contain "through the bastion from" contain "Error launching transfer" contain "No such file or directory" nocontain "Permission denied" success scp upload scp -F $mytmpdir/ssh_config -S /tmp/scphelper -i $account0key1file /etc/passwd $shellaccount@127.0.0.2:uptest contain "through the bastion to" contain "Done," success scp download scp -F $mytmpdir/ssh_config -S /tmp/scphelper -i $account0key1file $shellaccount@127.0.0.2:uptest /tmp/downloaded contain "through the bastion from" contain "Done," success accountAddPersonalAccess forscpremove1 $a0 --osh selfDelPersonalAccess --host 127.0.0.2 --scpup --port 22 success accountAddPersonalAccess forscpremove2 $a0 --osh selfDelPersonalAccess --host 127.0.0.2 --scpdown --port 22 # /scp # (forced commands) # ESCAPE HELL success ssh escapehell1ae $a0 --always-escape $shellaccount@127.0.0.2 -- "\"echo 'test1;test1' ; id\"" contain "'test1" contain 'uid=' contain REGEX "test1': (command )?not found" nocontain 'test1;test1' nocontain 'crazy' success ssh escapehell2ae $a0 --always-escape $shellaccount@127.0.0.2 -- "'echo \"test1;test1\" ; id'" contain "test1;test1" contain 'uid=' nocontain 'not found' nocontain 'crazy' success ssh escapehell3ae $a0 --always-escape $shellaccount@127.0.0.2 -- "'echo \\\"test1;test1\\\" ; id'" contain '"test1' contain 'uid=' contain REGEX 'test1": (command )?not found' nocontain 'crazy' success ssh escapehell4ae $a0 --always-escape $shellaccount@127.0.0.2 -- "\"echo \\\"test1;test1\\\" ; id\"" contain 'test1;test1' contain 'uid=' nocontain 'not found' nocontain 'crazy' success ssh escapehell5ae $a0 --always-escape $shellaccount@127.0.0.2 -- "\"echo \\\"test1';'test1\\\" ; id\"" contain "test1\\';\\'test1" contain 'uid=' nocontain 'not found' nocontain 'crazy' success ssh escapehell1ne $a0 --never-escape $shellaccount@127.0.0.2 -- "\"echo 'test1;test1' ; id\"" contain "test1;test1" contain 'uid=' nocontain 'not found' nocontain 'crazy' success ssh escapehell2ne $a0 --never-escape $shellaccount@127.0.0.2 -- "'echo \"test1;test1\" ; id'" contain "test1;test1" contain 'uid=' nocontain 'not found' nocontain 'crazy' success ssh escapehell3ne $a0 --never-escape $shellaccount@127.0.0.2 -- "'echo \\\"test1;test1\\\" ; id'" contain '"test1' contain 'uid=' contain REGEX 'test1": (command )?not found' nocontain 'crazy' success ssh escapehell4ne $a0 --never-escape $shellaccount@127.0.0.2 -- "\"echo \\\"test1;test1\\\" ; id\"" contain 'test1;test1' contain 'uid=' nocontain 'not found' nocontain 'crazy' success ssh escapehell5ne $a0 --never-escape $shellaccount@127.0.0.2 -- "\"echo \\\"test1';'test1\\\" ; id\"" contain "test1';'test1" contain 'uid=' nocontain 'not found' nocontain 'crazy' success ssh escapehellnoprotect1ae $a0 --always-escape $shellaccount@127.0.0.2 "\"echo 'test1;test1' ; id\"" contain "test1" contain 'uid=' contain REGEX "test1: (command )?not found" nocontain 'test1;test1' contain 'crazy' success ssh escapehellnoprotect2ae $a0 --always-escape $shellaccount@127.0.0.2 "'echo \"test1;test1\" ; id'" contain "test1" contain 'uid=' contain REGEX 'test1: (command )?not found' nocontain 'test1;test1' contain 'crazy' success ssh escapehellnoprotect3ae $a0 --always-escape $shellaccount@127.0.0.2 "'echo \\\"test1;test1\\\" ; id'" contain 'test1;test1' contain 'uid=' nocontain REGEX ': (command )?not found' contain 'crazy' success ssh escapehellnoprotect4ae $a0 --always-escape $shellaccount@127.0.0.2 "\"echo \\\"test1;test1\\\" ; id\"" contain "test1" contain 'uid=' contain REGEX 'test1: (command )?not found' nocontain 'test1;test1' contain 'crazy' success ssh escapehellnoprotect5ae $a0 --always-escape $shellaccount@127.0.0.2 "\"echo \\\"test1';'test1\\\" ; id\"" contain 'test1;test1' contain 'uid=' nocontain 'not found' contain 'crazy' success ssh escapehellnoprotect1ne $a0 --never-escape $shellaccount@127.0.0.2 "\"echo 'test1;test1' ; id\"" contain "test1" contain 'uid=' contain REGEX 'test1: (command )?not found' nocontain 'test1;test1' contain 'crazy' success ssh escapehellnoprotect2ne $a0 --never-escape $shellaccount@127.0.0.2 "'echo \"test1;test1\" ; id'" contain "test1" contain 'uid=' contain REGEX 'test1: (command )?not found' nocontain 'test1;test1' contain 'crazy' success ssh escapehellnoprotect3ne $a0 --never-escape $shellaccount@127.0.0.2 "'echo \\\"test1;test1\\\" ; id'" contain 'test1;test1' contain 'uid=' nocontain 'not found' contain 'crazy' success ssh escapehellnoprotect4ne $a0 --never-escape $shellaccount@127.0.0.2 "\"echo \\\"test1;test1\\\" ; id\"" contain "test1" contain 'uid=' contain REGEX 'test1: (command )?not found' nocontain 'test1;test1' contain 'crazy' success ssh escapehellnoprotect5ne $a0 --never-escape $shellaccount@127.0.0.2 "\"echo \\\"test1';'test1\\\" ; id\"" contain 'test1;test1' contain 'uid=' nocontain 'not found' contain 'crazy' run ssh shellaccountatlo_badport $a0 $shellaccount@127.0.0.2 -p 223 -- echo $randomstr retvalshouldbe 107 contain "Access denied for" nocontain "$randomstr" json .command null .value null .error_code KO_ACCESS_DENIED run ssh shellaccountatlo_badip $a0 $shellaccount@127.0.0.1 -- echo $randomstr retvalshouldbe 107 contain "Access denied for" nocontain "$randomstr" json .command null .value null .error_code KO_ACCESS_DENIED run ssh shellaccountatlo_badroot $a0 root@127.0.0.2 -- echo $randomstr retvalshouldbe 107 contain "Access denied for" nocontain "$randomstr" json .command null .value null .error_code KO_ACCESS_DENIED run selfDelPersonalAccess mustfailnosudo $a1 -osh selfDelPersonalAccess -h 127.0.0.2 -u $shellaccount -p 22 retvalshouldbe 106 contain "you to be specifically granted" json .command null .value null .error_code KO_RESTRICTED_COMMAND #sudo usermod -a -G osh-selfDelPersonalAccess $account1 success selfDelPersonalAccess mustwork $a0 -osh selfDelPersonalAccess -h 127.0.0.2 -u $shellaccount -p 22 contain "Access to $shellaccount@127.0.0.2:22 successfully removed" json .command selfDelPersonalAccess .error_code OK .value null run ssh shellaccountatlo2_mustfail $a1 $shellaccount@127.0.0.2 -- echo $randomstr retvalshouldbe 107 contain "Access denied for" nocontain "$randomstr" json .command null .value null .error_code KO_ACCESS_DENIED success selfAddPersonalAccess mustwork $a0 -osh selfAddPersonalAccess -h 127.0.0.2 -u $shellaccount -p 226 nocontain "already" contain "Access to $shellaccount@127.0.0.2:226 successfully added" json .command selfAddPersonalAccess .error_code OK .value null # shouldn't work run ssh shellaccountatlo2_badport2 $a0 $shellaccount@127.0.0.2 -- echo $randomstr retvalshouldbe 107 contain "Access denied for" nocontain "$randomstr" json .command null .value null .error_code KO_ACCESS_DENIED # should success ssh shellaccountatlo2_mustwork226 $a0 $shellaccount@127.0.0.2 -p 226 -- echo $randomstr contain REGEX "$shellaccount@(127.0.0.2|$targethostname|fv-[a-z0-9-]+):226" contain "allowed ... log on" nocontain "Permission denied" contain "$randomstr" success selfDelPersonalAccess mustwork $a0 -osh selfDelPersonalAccess -h 127.0.0.2 -u $shellaccount -p 226 contain "Access to $shellaccount@127.0.0.2:226 successfully removed" json .command selfDelPersonalAccess .error_code OK .value null run ssh shellaccountatlo2_mustfailnow $a0 $shellaccount@127.0.0.2 -p 226 -- echo $randomstr retvalshouldbe 107 contain "Access denied for" nocontain "$randomstr" json .command null .value null .error_code KO_ACCESS_DENIED plgfail selfAddPersonalAccess nousernoportnoforce $a0 -osh selfAddPersonalAccess -h 127.0.0.4 nocontain "already" contain REGEX "Couldn't connect to $account0@127.0.0.4 \\(ssh returned error (255|124)\\)" json .command selfAddPersonalAccess .error_code ERR_CONNECTION_FAILED .value null success selfAddPersonalAccess nousernoport $a0 -osh selfAddPersonalAccess -h 127.0.0.4 --force nocontain "already" contain "Forcing add as asked" contain "Access to 127.0.0.4 successfully added" json .command selfAddPersonalAccess .error_code OK .value null run ssh rootport22 $a0 root@127.0.0.4 -- echo $randomstr retvalshouldbe 255 contain "allowed ... log on" contain "Permission denied" nocontain "$randomstr" run ssh anyuserport22 $a0 whatevaah@127.0.0.4 -- echo $randomstr retvalshouldbe 255 contain "allowed ... log on" contain "Permission denied" nocontain "$randomstr" success ssh gooduserport22 $a0 $shellaccount@127.0.0.4 -- echo $randomstr contain "allowed ... log on" contain "$randomstr" run ssh exitcode $a0 $shellaccount@127.0.0.4 -- exit 43 retvalshouldbe 43 contain "allowed ... log on" success ssh gooduserport226 $a0 $shellaccount@127.0.0.4 -p 226 -- echo $randomstr contain "allowed ... log on" contain "$randomstr" run ssh anyuseaarrport226 $a0 pokpozkpab@127.0.0.4 -p 226 -- echo $randomstr retvalshouldbe 255 contain "allowed ... log on" nocontain "$randomstr" success selfDelPersonalAccess nousernoport $a0 -osh selfDelPersonalAccess -h 127.0.0.4 contain "Access to 127.0.0.4 successfully removed" json .command selfDelPersonalAccess .error_code OK .value null success selfDelPersonalAccess nousernoport_dupe $a0 -osh selfDelPersonalAccess -h 127.0.0.4 nocontain "no longer has a personal access" json .command selfDelPersonalAccess .error_code OK_NO_CHANGE .value null # TODO try add/del accesses with and without port/user specification # ... then try to ssh with all combinations # TODO try partial group thing, and try to ssh to ip pertaining to group success selfListAccesses oka0 $a0 --osh selfListAccesses contain 'no registered accesses' nocontain 'personal' nocontain 'group-member' nocontain 'group-guest' json .command selfListAccesses .error_code OK_EMPTY .value null # FIXME with bastion config => auto-added private accesses ? success selfListAccesses oka1 $a1 --osh selfListAccesses contain 'no registered accesses' nocontain 'personal' nocontain 'group-member' nocontain 'group-guest' json .command selfListAccesses .error_code OK_EMPTY .value null success selfForgetHostKey loportnomatch $a0 --osh selfForgetHostKey --host 127.0.0.1 --port 1234 json .command selfForgetHostKey .error_code OK '.value."[127.0.0.1]:1234".action' OK_NO_MATCH success selfForgetHostKey lonomatch $a0 --osh selfForgetHostKey --host 127.0.0.1 json .command selfForgetHostKey .error_code OK '.value."127.0.0.1".action' OK_NO_MATCH success selfForgetHostKey lonofile $a1 --osh selfForgetHostKey --host 127.0.0.1 json .command selfForgetHostKey .error_code OK_NO_CHANGE .value null success selfForgetHostKey works $a0 --osh selfForgetHostKey --host 127.0.0.2 json .command selfForgetHostKey .error_code OK '.value."127.0.0.2".action' OK_DELETED success selfForgetHostKey dupe $a0 --osh selfForgetHostKey --host 127.0.0.2 json .command selfForgetHostKey .error_code OK '.value."127.0.0.2".action' OK_NO_MATCH grant accountUnexpire success accountUnexpire nochange $a0 --osh accountUnexpire --account $account1 json .command accountUnexpire .error_code OK_NO_CHANGE # artificially expire account1 configchg 's=^\\\\x22accountMaxInactiveDays\\\\x22.+=\\\\x22accountMaxInactiveDays\\\\x22:2,=' success bastion manuallyExpireAccount1 $r0 "touch -t 201501010101 /home/$account1/lastlog" run account expired $a1 --osh info retvalshouldbe 113 success accountUnexpire works $a0 --osh accountUnexpire --account $account1 json .command accountUnexpire .error_code OK success account unexpired $a1 --osh info json .error_code OK success accountUnexpire worksnochange $a0 --osh accountUnexpire --account $account1 json .command accountUnexpire .error_code OK_NO_CHANGE # try on never logged-in account (different code path) success bastion manuallyRemoveLastlog $r0 "rm -f /home/$account1/lastlog" success accountUnexpire worksnochange $a0 --osh accountUnexpire --account $account1 json .command accountUnexpire .error_code OK_NO_CHANGE revoke accountUnexpire # delete account1 grant accountDelete script accountDelete cleanup $a0 --osh accountDelete --account $account1 "<<< \"Yes, do as I say and delete $account1, kthxbye\"" retvalshouldbe 0 revoke accountDelete } testsuite_selfaccesses