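# vim: set filetype=sh ts=4 sw=4 sts=4 et:
# shellcheck shell=bash
# shellcheck disable=SC2086,SC2016,SC2046
# below: convoluted way that forces shellcheck to source our caller
# shellcheck source=tests/functional/launch_tests_on_instance.sh
. "$(dirname "${BASH_SOURCE[0]}")"/dummy

#######################################
# Functional tests for realms (inter-bastion trust).
#
# The scenario, in order:
#   1. two local accounts + a "realm" egress group on the local bastion,
#      whose group key is used as the identity presented to the remote side;
#   2. a shared realm-account ("realm_<realm>") on the remote bastion,
#      created with realmCreate (accountCreate must refuse the realm_ prefix);
#   3. cross-realm connections, and the restriction list for realm accounts
#      (self* plugins are refused with exit 106 / KO_RESTRICTED_COMMAND);
#   4. accesses and group membership/guest access granted to
#      "<realm>/<account>" identities, including the negative cases
#      (a realm user can never be owner/gatekeeper/aclkeeper of a group);
#   5. cleanup, which also checks that a realm account cannot be removed
#      with accountDelete (KO_FORBIDDEN_PREFIX) but only through realmDelete.
#
# Globals (read):  a0 a1 a2 js jq account0 account1 account2 uid1 uid2
#                  account1key1file account2key1file group1
#                  and the test DSL helpers sourced by the caller
#                  (grant/revoke, success/plgfail/run/script, json,
#                  retvalshouldbe, contain/nocontain, get_json)
# Arguments:       none
# Outputs:         test results via the DSL helpers
# Returns:         whatever the last DSL helper returns
#######################################
testsuite_realm()
{
    # name of the egress group on the local bastion, and of the realm
    # (i.e. the shared account on the remote side is "realm_$realm_shared_account")
    local realm_egress_group=realm
    local realm_shared_account=UniVerse

    grant accountCreate
    grant accountModify

    # create account1 on local bastion
    success realm create_account1 $a0 --osh accountCreate --always-active --account $account1 --uid $uid1 --public-key \""$(cat $account1key1file.pub)"\"
    json .error_code OK .command accountCreate .value null
    success realm modify_account1 $a0 --osh accountModify --pam-auth-bypass yes --account $account1
    json .error_code OK .command accountModify

    # create account2 on local bastion
    success realm create_account2 $a0 --osh accountCreate --always-active --account $account2 --uid $uid2 --public-key \""$(cat $account2key1file.pub)"\"
    json .error_code OK .command accountCreate .value null
    # (test name was previously a copy-paste of modify_account1)
    success realm modify_account2 $a0 --osh accountModify --pam-auth-bypass yes --account $account2
    json .error_code OK .command accountModify

    revoke accountModify
    grant groupCreate

    # create realm-egress group on local bastion; its egress key is what the
    # remote bastion will trust, so we keep it aside for realmCreate below
    success realm create_support_group $a0 --osh groupCreate --group $realm_egress_group --owner $account0 --algo rsa --size 4096
    local realm_group_key
    realm_group_key=$(get_json | $jq '.value.public_key.line')
    success realm a0_delowner_egressgroup $a0 --osh groupDelOwner --group $realm_egress_group --account $account0

    # add account1 to this group on local bastion
    success realm add_account1_to_support_group $a0 --osh groupAddMember --group $realm_egress_group --account $account1

    # add account2 to this group on local bastion
    success realm add_account2_to_support_group $a0 --osh groupAddMember --group $realm_egress_group --account $account2

    grant realmCreate

    # fail to create a realm with forbidden name
    plgfail realm realm_forbidden_name $a0 --osh realmCreate --realm realm --from 0.0.0.0/0 --public-key \"$realm_group_key\"

    # fail to create account with forbidden name (the realm_ prefix is reserved
    # for realm shared accounts and must not be creatable with accountCreate)
    plgfail realm account_forbidden_name $a0 --osh accountCreate --account realm_foobar --uid-auto --public-key \""$(cat $account1key1file.pub)"\"

    # create shared realm-account on remote bastion
    # NOTE(review): --from 0.0.0.0/0 is fine for a loopback test; a real
    # realm should be restricted to the peer bastion's source addresses.
    success realm create_shared_account $a0 --osh realmCreate --realm $realm_shared_account --public-key \"$realm_group_key\" --from 0.0.0.0/0

    revoke accountCreate
    revoke realmCreate

    # add remote bastion ip on group of local bastion
    success realm add_remote_bastion_to_group $a0 --osh groupAddServer --host 127.0.0.1 --user realm_$realm_shared_account --port 22 --group $realm_egress_group --kbd-interactive

    # attempt inter-realm connection: the remote side must identify the
    # caller as "<account>" inside realm "<realm>"
    success realm firstconnect1 $a1 realm_$realm_shared_account@127.0.0.1 --kbd-interactive -- $js --osh info
    json .value.account $account1 .value.realm $realm_shared_account

    # attempt inter-realm connection
    success realm firstconnect2 $a2 realm_$realm_shared_account@127.0.0.1 --kbd-interactive -- $js --osh info
    json .value.account $account2 .value.realm $realm_shared_account

    # try forbidden plugins: a realm account must not be able to alter the
    # shared account's own keys/accesses/sessions on the remote side
    # (duplicate selfAddPersonalAccess entry removed from the list)
    for plugin in selfAddPersonalAccess selfAddIngressKey selfDelIngressKey selfGenerateEgressKey selfDelPersonalAccess selfPlaySession selfListSessions selfResetIngressKeys
    do
        run realm plugindenied $a2 realm_$realm_shared_account@127.0.0.1 --kbd-interactive -- $js --osh $plugin
        retvalshouldbe 106
        json .error_message "Realm accounts can't execute this plugin, use --osh help to get the allowed plugin list" .error_code KO_RESTRICTED_COMMAND
    done

    grant accountAddPersonalAccess

    # add an access to account1 from realm on remote bastion
    success realm add_access_to_remote $a0 --osh accountAddPersonalAccess --account $realm_shared_account/$account1 --user-any --port-any --host 127.0.0.5
    json .error_code OK

    # fail to add a dup access to account1 from realm on remote bastion
    success realm add_access_to_remote_dup $a0 --osh accountAddPersonalAccess --account $realm_shared_account/$account1 --user-any --port-any --host 127.0.0.5
    json .error_code OK_NO_CHANGE

    # list accesses remotely (account1 sees the access granted above)
    success realm list_my_accesses1 $a1 realm_$realm_shared_account@127.0.0.1 --kbd-interactive -- $js --osh selfListAccesses
    json .error_code OK .value[0].acl[0].addedBy $account0 .value[0].acl[0].ip 127.0.0.5

    # list accesses remotely (account2 has none: accesses are per realm user,
    # not per shared realm account)
    success realm list_my_accesses2 $a2 realm_$realm_shared_account@127.0.0.1 --kbd-interactive -- $js --osh selfListAccesses
    json .error_code OK_EMPTY

    # try to access remotely (success)
    run realm access1 $a1 realm_$realm_shared_account@127.0.0.1 --kbd-interactive -- test@127.0.0.5
    retvalshouldbe 255
    nocontain 'Access denied'
    contain 'will try the following accesses you have'

    # try to access remotely (fail)
    run realm access2 $a2 realm_$realm_shared_account@127.0.0.1 --kbd-interactive -- test@127.0.0.5
    retvalshouldbe 107
    contain "Access denied for $realm_shared_account/$account2 to test@127.0.0.5:22"

    # create a group on remote bastion
    success realm create_normal_group $a0 --osh groupCreate --group $group1 --owner $account0 --algo rsa --size 4096

    # can't add a realm user as gk, aclk or owner of group:
    # - "<realm>/<account>" is refused as ERR_REALM_USER
    # - the raw "realm_<realm>" shared account is refused as KO_FORBIDDEN_PREFIX
    for acc in "realm_$realm_shared_account" "$realm_shared_account/$account1"
    do
        for role in Owner Gatekeeper Aclkeeper
        do
            plgfail realm add_${acc}_as_$role $a0 --osh groupAdd$role --group $group1 --account $acc
            if [[ "$acc" == "$realm_shared_account/$account1" ]]; then
                json .error_code ERR_REALM_USER
            else
                json .error_code KO_FORBIDDEN_PREFIX
            fi
        done
    done
    # the shared realm account itself can't even be a plain member
    plgfail realm add_support_account_as_member $a0 --osh groupAddMember --group $group1 --account realm_$realm_shared_account

    # add account1 as member, then once more to check idempotence
    success realm add_account1_as_member $a0 --osh groupAddMember --group $group1 --account $realm_shared_account/$account1
    json .error_code OK
    success realm add_account1_as_member_dup $a0 --osh groupAddMember --group $group1 --account $realm_shared_account/$account1
    json .error_code OK_NO_CHANGE

    # check groupInfo
    success realm groupinfo $a0 --osh groupInfo --group $group1
    json --arg want "$realm_shared_account/$account1 $account0" '.value.members|sort == ($want|split(" ")|sort)' true

    # add a remote account as member (an account that does not exist locally:
    # realm members are only known by name on this side)
    success realm add_account2_as_member $a0 --osh groupAddMember --group $group1 --account $realm_shared_account/alien
    json .error_code OK
    success realm add_account2_as_member_dup $a0 --osh groupAddMember --group $group1 --account $realm_shared_account/alien
    json .error_code OK_NO_CHANGE

    # check groupInfo
    success realm groupinfo $a0 --osh groupInfo --group $group1
    json --arg want "$realm_shared_account/$account1 $realm_shared_account/alien $account0" '.value.members|sort == ($want|split(" ")|sort)' true

    # add a dummy host to the group, to see it in the accountListAccesses afterwards
    success realm add_server_to_group1 $a0 --osh groupAddServer --group $group1 --host 172.16.4.4 --user nobody --port 12345 --force
    success realm add_server_to_group1 $a0 --osh groupAddServer --group $group1 --host 172.16.4.4 --user nobody --port 12346 --force
    success realm removemyselffromaclk $a0 --osh groupDelAclkeeper --group $group1 --account $account0
    success realm a0_delowner_group1 $a0 --osh groupDelOwner --group $group1 --account $account0

    grant accountListAccesses

    # check access list: one personal access plus the group-member one
    success realm access_list_account1 $a0 --osh accountListAccesses --account $realm_shared_account/$account1
    json '.value|[.[]|.type]|sort' '["group-member","personal"]'
    json '.value[]|select(.type == "personal")|.acl[]|.ip' 127.0.0.5
    json '.value[]|select(.type == "group-member")|[.acl[]|.port]' '["12345","12346"]'

    # revoke group membership
    success realm del_account1_as_member $a0 --osh groupDelMember --group $group1 --account $realm_shared_account/$account1
    json .error_code OK
    success realm del_account1_as_member_dup $a0 --osh groupDelMember --group $group1 --account $realm_shared_account/$account1
    json .error_code OK_NO_CHANGE

    # check groupInfo
    success realm groupinfo $a0 --osh groupInfo --group $group1
    json --arg want "$realm_shared_account/alien $account0" '.value.members|sort == ($want|split(" ")|sort)' true

    # check access list: only the personal access remains
    success realm access_list_account1_again $a0 --osh accountListAccesses --account $realm_shared_account/$account1
    json '.value|[.[]|.type]|sort' '["personal"]'
    json '.value[]|select(.type == "personal")|.acl[]|.ip' 127.0.0.5

    # check access list
    success realm access_list_account2_again $a0 --osh accountListAccesses --account $realm_shared_account/alien
    json '.value|[.[]|.type]|sort' '["group-member"]'
    json '.value[]|select(.type == "group-member")|[.acl[]|.port]' '["12345","12346"]'

    # revoke group membership
    success realm del_account2_as_member $a0 --osh groupDelMember --group $group1 --account $realm_shared_account/alien
    json .error_code OK
    success realm del_account2_as_member_dup $a0 --osh groupDelMember --group $group1 --account $realm_shared_account/alien
    json .error_code OK_NO_CHANGE

    # check groupInfo
    success realm groupinfo $a0 --osh groupInfo --group $group1
    json '.value.members|sort' "[\"$account0\"]"

    # add guest access (two ports of the same host for "first")
    success realm add_guest_account1 $a0 --osh groupAddGuestAccess --account $realm_shared_account/first --group $group1 --host 172.16.4.4 --user nobody --port 12345
    success realm add_guest_account1 $a0 --osh groupAddGuestAccess --account $realm_shared_account/first --group $group1 --host 172.16.4.4 --user nobody --port 12346

    # add other guest access
    success realm add_guest_account2 $a0 --osh groupAddGuestAccess --account $realm_shared_account/second --group $group1 --host 172.16.4.4 --user nobody --port 12345

    # check groupInfo
    success realm groupinfo $a0 --osh groupInfo --group $group1
    json '.value.members|sort' "[\"$account0\"]"
    json '.value.guests|sort' "[\"$realm_shared_account/first\",\"$realm_shared_account/second\"]"

    # check access list of account
    success realm access_list_account1_guest $a0 --osh accountListAccesses --account $realm_shared_account/first
    json '.value|[.[]|.type]|sort' '["group-guest"]'
    json '.value[]|select(.type == "group-guest")|[.acl[]|.port]' '["12345","12346"]'

    # remove guest access 1 (first port); the group key must stay as long as
    # one guest access remains
    success realm del_guest_account1 $a0 --osh groupDelGuestAccess --account $realm_shared_account/first --group $group1 --host 172.16.4.4 --user nobody --port 12345
    nocontain "removed group key"

    # check access list of account
    success realm access_list_account1_guest $a0 --osh accountListAccesses --account $realm_shared_account/first
    json '.value|[.[]|.type]|sort' '["group-guest"]'
    json '.value[]|select(.type == "group-guest")|.acl[]|.port' 12346

    # remove guest access 1 (second port)
    success realm del_guest_account1 $a0 --osh groupDelGuestAccess --account $realm_shared_account/first --group $group1 --host 172.16.4.4 --user nobody --port 12346
    nocontain "removed group key"

    # check groupInfo
    success realm groupinfo $a0 --osh groupInfo --group $group1
    json '.value.members|sort' "[\"$account0\"]"
    json '.value.guests|sort' "[\"$realm_shared_account/second\"]"

    # remove last guest access: this time the group key is expected to go away
    success realm del_guest_account2 $a0 --osh groupDelGuestAccess --account $realm_shared_account/second --group $group1 --host 172.16.4.4 --user nobody --port 12345
    contain "removed group key"

    # check groupInfo
    success realm groupinfo $a0 --osh groupInfo --group $group1
    json '.value.members|sort' "[\"$account0\"]"
    json '.value.guests|sort' "[]"

    # check max account length (18 chars here, presumably the allowed
    # maximum for the remote part of "<realm>/<account>" — confirm)
    success realm add_guest_account3 $a0 --osh groupAddGuestAccess --account $realm_shared_account/verylongaccountnam --group $group1 --host 172.16.4.4 --user nobody --port 12345

    grant accountDelete

    # delete account1
    success realm account1_cleanup $a0 --osh accountDelete --account $account1 --no-confirm

    # delete account2 (interactive confirmation path)
    script realm account2_cleanup "$a0 --osh accountDelete --account $account2 <<< \"Yes, do as I say and delete $account2, kthxbye\""
    retvalshouldbe 0

    revoke accountDelete
    grant groupDelete

    # delete realm-egress group
    run realm cleanup_realm_support_group $a0 --osh groupDelete --group $realm_egress_group --no-confirm
    retvalshouldbe 0

    revoke groupDelete
    grant accountDelete

    # delete shared realm-account: accountDelete must refuse the realm_ prefix
    # even with the full confirmation sentence, realmDelete is the only way
    script realm cleanup_shared_realm_account_fail "$a0 --osh accountDelete --account realm_$realm_shared_account <<< \"Yes, do as I say and delete realm_$realm_shared_account, kthxbye\""
    retvalshouldbe 100
    json .error_code KO_FORBIDDEN_PREFIX

    grant realmDelete
    script realm cleanup_shared_realm_account "$a0 --osh realmDelete --realm $realm_shared_account <<< \"Yes, do as I say and delete $realm_shared_account, kthxbye\""
    retvalshouldbe 0
    revoke realmDelete
    revoke accountDelete

    grant groupDelete

    # delete group1
    script realm group_cleanup "$a0 --osh groupDelete --group $group1 <<< \"$group1\""
    retvalshouldbe 0

    revoke groupDelete
}

testsuite_realm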