Stéphane Lesimple c201f44d83 enh: tests: refactor the framework for more maintainability
The chain of executions is as is:
- ``
  - launches several instances of ``
    - builds docker images with the `` and `` entrypoints
      - inside the tester docker, `` launches ``
      - the target docker gets tested after setting up accounts, SSH etc.

Previously, these scripts passed options to each other either by a mix of environment
variables and command-line arguments, with some inconsistencies here and there.

Now, `` supports a lot of command-line options, which can
be specified directly if testing a remote server, or can be passed-through by the calling
script in case of docker tests. `` and
`` also support to passthrough these options down.
2021-06-25 16:02:38 +02:00

516 lines
21 KiB

# vim: set filetype=sh ts=4 sw=4 sts=4 et:
# shellcheck shell=bash
# shellcheck disable=SC2086,SC2016,SC2046
# below: convoluted way that forces shellcheck to source our caller
# shellcheck source=tests/functional/
. "$(dirname "${BASH_SOURCE[0]}")"/dummy
# now bastion key stuff
# create 10 accounts with no keys and with default uids
grant accountCreate
for i in {1..10}; do
success selfaccess a0_create_a1_uidauto_nokey_$i $a0 --osh accountCreate --account delme$i --uid-auto --no-key
json .error_code OK .command accountCreate
revoke accountCreate
grant accountDelete
# delete those accounts
for i in {1..10}; do
script selfaccess a0_delete_a1_uidauto_nokey_$i $a0 --osh accountDelete --account delme$i "<<< \"Yes, do as I say and delete delme$i, kthxbye\""
retvalshouldbe 0
json .error_code OK .command accountDelete
revoke accountDelete
grant accountCreate
# create account1
success osh accountCreate $a0 --osh accountCreate --always-active --account $account1 --uid $uid1 --public-key "\"$(cat $\""
json .error_code OK .command accountCreate .value null
revoke accountCreate
grant accountModify
success realm modify_account1 $a0 --osh accountModify --pam-auth-bypass yes --account $account1
json .error_code OK .command accountModify
# test osh-only
success accountModify enable_osh_only $a0 --osh accountModify --osh-only yes --account $account1
json .error_code OK .command accountModify
# account1 can not connect to anything
run accountModify no_ssh_after_osh_only $a1 anybody@
retvalshouldbe 107
json .error_code KO_ACCESS_DENIED .error_message "You don't have the right to connect anywhere"
success accountModify disable_osh_only $a0 --osh accountModify --osh-only no --account $account1
json .error_code OK .command accountModify
# account1 can connect now (or could if they were granted)
run accountModify can_ssh_after_osh_only_disable $a1 anybody@
retvalshouldbe 107
json .error_code KO_ACCESS_DENIED
contain "Access denied"
nocontain "anywhere"
revoke accountModify
success selfListEgressKeys beforeadd $a1 -osh selfListEgressKeys
tmpfp=$(get_json | $jq '.value|keys[0]')
json .command selfListEgressKeys .error_code OK '.value|keys[1]' null
pattern "^$account1@fix-my-config-please-missing-bastion-name:[0-9]+$" "$(get_json | $jq ".value|.[\"$tmpfp\"]|.comment")"
success osh selfGenerateEgressKey $a1 --osh selfGenerateEgressKey --algo rsa --size 4096
json .error_code OK .command selfGenerateEgressKey .value.size 4096 RSA
tmpfp2=$(get_json | $jq '.value.fingerprint')
success selfListEgressKeys afteradd $a1 -osh selfListEgressKeys
json .command selfListEgressKeys .error_code OK '.value|keys[2]' null
pattern "^$account1@fix-my-config-please-missing-bastion-name:[0-9]+$" "$(get_json | $jq ".value|.[\"$tmpfp\"]|.comment")"
pattern "^$account1@fix-my-config-please-missing-bastion-name:[0-9]+$" "$(get_json | $jq ".value|.[\"$tmpfp2\"]|.comment")"
unset tmpfp
unset tmpfp2
# batch plugin
script plugin-batch one "printf \"%b\\n\" \"info\\naccountInfo --account $account0\\nselfListEgressKeys\" | $a1 --osh batch"
retvalshouldbe 0
json .command batch .error_code OK
json '.value[0].result.error_code' OK '.value[0].command' info '.value[0].result.value.account' "$account1"
json '.value[1].result.error_code' KO_RESTRICTED_COMMAND '.value[1].command' "accountInfo --account $account0"
json '.value[2].result.error_code' OK '.value[2].command' selfListEgressKeys
# ssh
run ssh a1atlo2 $a1 -- id
retvalshouldbe 107
contain "Access denied for"
json .command null .error_code KO_ACCESS_DENIED
run ssh invalid_host $a1 127.0./0.1 -- id
retvalshouldbe 102
json .error_code KO_HOST_NOT_FOUND
run ssh invalid_host $a1 127.0.%0.1 -- id
retvalshouldbe 128
json .error_code KO_INVALID_REMOTE_HOST
run ssh invalid_user $a1 ro/ot@ -- id
retvalshouldbe 127
json .error_code KO_INVALID_REMOTE_USER
grant selfAddPersonalAccess
grant selfDelPersonalAccess
run selfAddPersonalAccess mustfail $a1 -osh selfAddPersonalAccess -h -u $shellaccount -p 22
retvalshouldbe 106
contain "you to be specifically granted"
json .command null .error_code KO_RESTRICTED_COMMAND
success selfAddPersonalAccess mustwork $a0 -osh selfAddPersonalAccess -h -u $shellaccount -p 22 --kbd-interactive
nocontain "already"
json .command selfAddPersonalAccess .error_code OK .value.ip .value.user $shellaccount .value.port 22
success selfAddPersonalAccess dupe $a0 -osh selfAddPersonalAccess -h -u $shellaccount -p 22 --kbd-interactive
contain "already"
json .command selfAddPersonalAccess .error_code OK_NO_CHANGE .value null
success selfAddPersonalAccess withttl $a0 -osh selfAddPersonalAccess -h -u $shellaccount -p 22 --force --ttl 0d0h0m3s
json .command selfAddPersonalAccess .error_code OK .value.ip .value.user $shellaccount .value.port 22 .value.ttl 3
run ssh a1atlo2_login8 $a0 -- id
retvalshouldbe 107
contain "Access denied for"
json .command null .value null .error_code KO_ACCESS_DENIED
# auto hostname=$host comment
success selfAddPersonalAccess self_add_personal_access_auto_comment $a0 --osh selfAddPersonalAccess --host localhost -u autocomment -p 1234 --force --ttl 1
json .command selfAddPersonalAccess .error_code OK .value.comment "hostname=localhost" .value.user autocomment .value.port 1234 .value.ttl 1
# forcekey
success selfListIngressKeys for_force_key $a0 --osh selfListEgressKeys
account0key1fp=$(get_json | $jq '.value|keys[0]')
success selfAddPersonalAccess forcekey $a0 --osh selfAddPersonalAccess -h -u $shellaccount -p 22 --force --force-key "$account0key1fp"
success selfListAccesses forcekey $a0 --osh selfListAccesses
contain "$account0key1fp"
# try to use the force key
success ssh forcekey $a0 $shellaccount@ --kbd-interactive -- id
contain 'FORCED IN ACL'
success selfDelPersonalAccess forcekey $a0 -osh selfDelPersonalAccess -h -u $shellaccount -p 22
# /forcekey
success ssh shellaccountatlo2_mustwork $a0 $shellaccount@ --kbd-interactive -- echo $randomstr
contain REGEX "$shellaccount@[a-zA-Z0-9._-]+:22"
contain "allowed ... log on"
nocontain "Permission denied"
contain "$randomstr"
# scp
success accountAddPersonalAccess forscp $a0 --osh selfAddPersonalAccess --host --scpup --port 22
success osh scp $a0 --osh scp
if [ "$COUNTONLY" != 1 ]; then
tmpb64=$(get_json | $jq '.value.script')
base64 -d <<< "$tmpb64" | gunzip -c > /tmp/scphelpertmp
perl -pe "s/ssh $account0\\@\\S+/ssh -p $remote_port $account0\\@$remote_ip/" /tmp/scphelpertmp > /tmp/scphelper
chmod +x /tmp/scphelper
cat /tmp/scphelper
unset tmpb64
run scp downloadfailnoright scp -F $mytmpdir/ssh_config -S /tmp/scphelper -i $account0key1file $shellaccount@ /tmp/downloaded
retvalshouldbe 1
contain "Sorry, but even"
success accountAddPersonalAccess forscp $a0 --osh selfAddPersonalAccess --host --scpdown --port 22
run scp downloadfailnofile scp -F $mytmpdir/ssh_config -S /tmp/scphelper -i $account0key1file $shellaccount@ /tmp/downloaded
retvalshouldbe 1
contain "through the bastion from"
contain "Error launching transfer"
contain "No such file or directory"
nocontain "Permission denied"
run scp invalidhostname scp -F $mytmpdir/ssh_config -S /tmp/scphelper -i $account0key1file $shellaccount@_invalid._invalid:uptest /tmp/downloaded
retvalshouldbe 1
contain "Sorry, couldn't resolve the host you specified"
success scp upload scp -F $mytmpdir/ssh_config -S /tmp/scphelper -i $account0key1file /etc/passwd $shellaccount@
contain "through the bastion to"
contain "Done,"
success scp download scp -F $mytmpdir/ssh_config -S /tmp/scphelper -i $account0key1file $shellaccount@ /tmp/downloaded
contain "through the bastion from"
contain "Done,"
success accountAddPersonalAccess forscpremove1 $a0 --osh selfDelPersonalAccess --host --scpup --port 22
success accountAddPersonalAccess forscpremove2 $a0 --osh selfDelPersonalAccess --host --scpdown --port 22
# /scp
# (forced commands)
success ssh escapehell1ae $a0 --always-escape $shellaccount@ -- "\"echo 'test1;test1' ; id\""
contain "'test1"
contain 'uid='
contain REGEX "test1': (command )?not found"
nocontain 'test1;test1'
nocontain 'crazy'
success ssh escapehell2ae $a0 --always-escape $shellaccount@ -- "'echo \"test1;test1\" ; id'"
contain "test1;test1"
contain 'uid='
nocontain 'not found'
nocontain 'crazy'
success ssh escapehell3ae $a0 --always-escape $shellaccount@ -- "'echo \\\"test1;test1\\\" ; id'"
contain '"test1'
contain 'uid='
contain REGEX 'test1": (command )?not found'
nocontain 'crazy'
success ssh escapehell4ae $a0 --always-escape $shellaccount@ -- "\"echo \\\"test1;test1\\\" ; id\""
contain 'test1;test1'
contain 'uid='
nocontain 'not found'
nocontain 'crazy'
success ssh escapehell5ae $a0 --always-escape $shellaccount@ -- "\"echo \\\"test1';'test1\\\" ; id\""
contain "test1\\';\\'test1"
contain 'uid='
nocontain 'not found'
nocontain 'crazy'
success ssh escapehell1ne $a0 --never-escape $shellaccount@ -- "\"echo 'test1;test1' ; id\""
contain "test1;test1"
contain 'uid='
nocontain 'not found'
nocontain 'crazy'
success ssh escapehell2ne $a0 --never-escape $shellaccount@ -- "'echo \"test1;test1\" ; id'"
contain "test1;test1"
contain 'uid='
nocontain 'not found'
nocontain 'crazy'
success ssh escapehell3ne $a0 --never-escape $shellaccount@ -- "'echo \\\"test1;test1\\\" ; id'"
contain '"test1'
contain 'uid='
contain REGEX 'test1": (command )?not found'
nocontain 'crazy'
success ssh escapehell4ne $a0 --never-escape $shellaccount@ -- "\"echo \\\"test1;test1\\\" ; id\""
contain 'test1;test1'
contain 'uid='
nocontain 'not found'
nocontain 'crazy'
success ssh escapehell5ne $a0 --never-escape $shellaccount@ -- "\"echo \\\"test1';'test1\\\" ; id\""
contain "test1';'test1"
contain 'uid='
nocontain 'not found'
nocontain 'crazy'
success ssh escapehellnoprotect1ae $a0 --always-escape $shellaccount@ "\"echo 'test1;test1' ; id\""
contain "test1"
contain 'uid='
contain REGEX "test1: (command )?not found"
nocontain 'test1;test1'
contain 'crazy'
success ssh escapehellnoprotect2ae $a0 --always-escape $shellaccount@ "'echo \"test1;test1\" ; id'"
contain "test1"
contain 'uid='
contain REGEX 'test1: (command )?not found'
nocontain 'test1;test1'
contain 'crazy'
success ssh escapehellnoprotect3ae $a0 --always-escape $shellaccount@ "'echo \\\"test1;test1\\\" ; id'"
contain 'test1;test1'
contain 'uid='
nocontain REGEX ': (command )?not found'
contain 'crazy'
success ssh escapehellnoprotect4ae $a0 --always-escape $shellaccount@ "\"echo \\\"test1;test1\\\" ; id\""
contain "test1"
contain 'uid='
contain REGEX 'test1: (command )?not found'
nocontain 'test1;test1'
contain 'crazy'
success ssh escapehellnoprotect5ae $a0 --always-escape $shellaccount@ "\"echo \\\"test1';'test1\\\" ; id\""
contain 'test1;test1'
contain 'uid='
nocontain 'not found'
contain 'crazy'
success ssh escapehellnoprotect1ne $a0 --never-escape $shellaccount@ "\"echo 'test1;test1' ; id\""
contain "test1"
contain 'uid='
contain REGEX 'test1: (command )?not found'
nocontain 'test1;test1'
contain 'crazy'
success ssh escapehellnoprotect2ne $a0 --never-escape $shellaccount@ "'echo \"test1;test1\" ; id'"
contain "test1"
contain 'uid='
contain REGEX 'test1: (command )?not found'
nocontain 'test1;test1'
contain 'crazy'
success ssh escapehellnoprotect3ne $a0 --never-escape $shellaccount@ "'echo \\\"test1;test1\\\" ; id'"
contain 'test1;test1'
contain 'uid='
nocontain 'not found'
contain 'crazy'
success ssh escapehellnoprotect4ne $a0 --never-escape $shellaccount@ "\"echo \\\"test1;test1\\\" ; id\""
contain "test1"
contain 'uid='
contain REGEX 'test1: (command )?not found'
nocontain 'test1;test1'
contain 'crazy'
success ssh escapehellnoprotect5ne $a0 --never-escape $shellaccount@ "\"echo \\\"test1';'test1\\\" ; id\""
contain 'test1;test1'
contain 'uid='
nocontain 'not found'
contain 'crazy'
run ssh shellaccountatlo_badport $a0 $shellaccount@ -p 223 -- echo $randomstr
retvalshouldbe 107
contain "Access denied for"
nocontain "$randomstr"
json .command null .value null .error_code KO_ACCESS_DENIED
run ssh shellaccountatlo_badip $a0 $shellaccount@ -- echo $randomstr
retvalshouldbe 107
contain "Access denied for"
nocontain "$randomstr"
json .command null .value null .error_code KO_ACCESS_DENIED
run ssh shellaccountatlo_badroot $a0 root@ -- echo $randomstr
retvalshouldbe 107
contain "Access denied for"
nocontain "$randomstr"
json .command null .value null .error_code KO_ACCESS_DENIED
run selfDelPersonalAccess mustfailnosudo $a1 -osh selfDelPersonalAccess -h -u $shellaccount -p 22
retvalshouldbe 106
contain "you to be specifically granted"
json .command null .value null .error_code KO_RESTRICTED_COMMAND
#sudo usermod -a -G osh-selfDelPersonalAccess $account1
success selfDelPersonalAccess mustwork $a0 -osh selfDelPersonalAccess -h -u $shellaccount -p 22
contain "Access to $shellaccount@"
json .command selfDelPersonalAccess .error_code OK .value.ip .value.user $shellaccount .value.port 22
run ssh shellaccountatlo2_mustfail $a1 $shellaccount@ -- echo $randomstr
retvalshouldbe 107
contain "Access denied for"
nocontain "$randomstr"
json .command null .value null .error_code KO_ACCESS_DENIED
success selfAddPersonalAccess mustwork $a0 -osh selfAddPersonalAccess -h -u $shellaccount -p 226
nocontain "already"
json .command selfAddPersonalAccess .error_code OK .value.ip .value.user $shellaccount .value.port 226
# shouldn't work
run ssh shellaccountatlo2_badport2 $a0 $shellaccount@ -- echo $randomstr
retvalshouldbe 107
contain "Access denied for"
nocontain "$randomstr"
json .command null .value null .error_code KO_ACCESS_DENIED
# should
success ssh shellaccountatlo2_mustwork226 $a0 $shellaccount@ -p 226 -- echo $randomstr
contain REGEX "$shellaccount@[a-zA-Z0-9._-]+:226"
contain "allowed ... log on"
nocontain "Permission denied"
contain "$randomstr"
success selfDelPersonalAccess mustwork $a0 -osh selfDelPersonalAccess -h -u $shellaccount -p 226
contain "Access to $shellaccount@"
json .command selfDelPersonalAccess .error_code OK .value.ip .value.user $shellaccount .value.port 226
run ssh shellaccountatlo2_mustfailnow $a0 $shellaccount@ -p 226 -- echo $randomstr
retvalshouldbe 107
contain "Access denied for"
nocontain "$randomstr"
json .command null .value null .error_code KO_ACCESS_DENIED
plgfail selfAddPersonalAccess nousernoportnoforce $a0 -osh selfAddPersonalAccess -h
nocontain "already"
contain REGEX "Couldn't connect to $account0@ \\(ssh returned error (255|124)\\)"
json .command selfAddPersonalAccess .error_code ERR_CONNECTION_FAILED .value null
success selfAddPersonalAccess nousernoport $a0 -osh selfAddPersonalAccess -h --force
nocontain "already"
contain "Forcing add as asked"
json .command selfAddPersonalAccess .error_code OK .value.ip .value.port null .value.user null
run ssh rootport22 $a0 root@ -- echo $randomstr
retvalshouldbe 255
contain "allowed ... log on"
contain "Permission denied"
nocontain "$randomstr"
run ssh anyuserport22 $a0 whatevaah@ -- echo $randomstr
retvalshouldbe 255
contain "allowed ... log on"
contain "Permission denied"
nocontain "$randomstr"
success ssh gooduserport22 $a0 $shellaccount@ -- echo $randomstr
contain "allowed ... log on"
contain "$randomstr"
run ssh exitcode $a0 $shellaccount@ -- exit 43
retvalshouldbe 43
contain "allowed ... log on"
success ssh gooduserport226 $a0 $shellaccount@ -p 226 -- echo $randomstr
contain "allowed ... log on"
contain "$randomstr"
run ssh anyuseaarrport226 $a0 pokpozkpab@ -p 226 -- echo $randomstr
retvalshouldbe 255
contain "allowed ... log on"
nocontain "$randomstr"
success selfDelPersonalAccess nousernoport $a0 -osh selfDelPersonalAccess -h
contain "Access to "
json .command selfDelPersonalAccess .error_code OK .value.ip .value.port null .value.user null
success selfDelPersonalAccess nousernoport_dupe $a0 -osh selfDelPersonalAccess -h
nocontain "no longer has a personal access"
json .command selfDelPersonalAccess .error_code OK_NO_CHANGE .value null
# TODO try add/del accesses with and without port/user specification
# ... then try to ssh with all combinations
# TODO try partial group thing, and try to ssh to ip pertaining to group
success selfListAccesses oka0 $a0 --osh selfListAccesses
contain 'no registered accesses'
nocontain 'personal'
nocontain 'group-member'
nocontain 'group-guest'
json .command selfListAccesses .error_code OK_EMPTY .value null
# FIXME with bastion config => auto-added private accesses ?
success selfListAccesses oka1 $a1 --osh selfListAccesses
contain 'no registered accesses'
nocontain 'personal'
nocontain 'group-member'
nocontain 'group-guest'
json .command selfListAccesses .error_code OK_EMPTY .value null
success selfForgetHostKey loportnomatch $a0 --osh selfForgetHostKey --host --port 1234
json .command selfForgetHostKey .error_code OK '.value."[]:1234".action' OK_NO_MATCH
success selfForgetHostKey lonomatch $a0 --osh selfForgetHostKey --host
json .command selfForgetHostKey .error_code OK '.value."".action' OK_NO_MATCH
success selfForgetHostKey lonofile $a1 --osh selfForgetHostKey --host
json .command selfForgetHostKey .error_code OK_NO_CHANGE .value null
success selfForgetHostKey works $a0 --osh selfForgetHostKey --host
json .command selfForgetHostKey .error_code OK '.value."".action' OK_DELETED
success selfForgetHostKey dupe $a0 --osh selfForgetHostKey --host
json .command selfForgetHostKey .error_code OK '.value."".action' OK_NO_MATCH
grant accountUnexpire
success accountUnexpire nochange $a0 --osh accountUnexpire --account $account1
json .command accountUnexpire .error_code OK_NO_CHANGE
# artificially expire account1
configchg 's=^\\\\x22accountMaxInactiveDays\\\\x22.+=\\\\x22accountMaxInactiveDays\\\\x22:2,='
success bastion manuallyExpireAccount1 $r0 "touch -t 201501010101 /home/$account1/lastlog"
run account expired $a1 --osh info
retvalshouldbe 113
success accountUnexpire works $a0 --osh accountUnexpire --account $account1
json .command accountUnexpire .error_code OK
success account unexpired $a1 --osh info
json .error_code OK
success accountUnexpire worksnochange $a0 --osh accountUnexpire --account $account1
json .command accountUnexpire .error_code OK_NO_CHANGE
# try on never logged-in account (different code path)
success bastion manuallyRemoveLastlog $r0 "rm -f /home/$account1/lastlog"
success accountUnexpire worksnochange $a0 --osh accountUnexpire --account $account1
json .command accountUnexpire .error_code OK_NO_CHANGE
revoke accountUnexpire
# delete account1
grant accountDelete
script accountDelete cleanup $a0 --osh accountDelete --account $account1 "<<< \"Yes, do as I say and delete $account1, kthxbye\""
retvalshouldbe 0
revoke accountDelete