the-bastion/tests/functional/tests.d/340-selfaccesses.sh
Stéphane Lesimple f6e4ec81a8 chore: remove useless 'section' test info
As tests are now split by modules, the section is autodetected
and taken as the module name, hence a test now only needs a name,
instead of a section & a name.
2021-09-13 17:45:36 +02:00

516 lines
20 KiB
Bash

# vim: set filetype=sh ts=4 sw=4 sts=4 et:
# shellcheck shell=bash
# shellcheck disable=SC2086,SC2016,SC2046
# below: convoluted way that forces shellcheck to source our caller
# shellcheck source=tests/functional/launch_tests_on_instance.sh
. "$(dirname "${BASH_SOURCE[0]}")"/dummy
testsuite_selfaccesses()
{
# now bastion key stuff
# create 10 accounts with no keys and with default uids
grant accountCreate
for i in {1..10}; do
success a0_create_a1_uidauto_nokey_$i $a0 --osh accountCreate --account delme$i --uid-auto --no-key
json .error_code OK .command accountCreate
done
revoke accountCreate
grant accountDelete
# delete those accounts
for i in {1..10}; do
script a0_delete_a1_uidauto_nokey_$i $a0 --osh accountDelete --account delme$i "<<< \"Yes, do as I say and delete delme$i, kthxbye\""
retvalshouldbe 0
json .error_code OK .command accountDelete
done
revoke accountDelete
grant accountCreate
# create account1
success accountCreate $a0 --osh accountCreate --always-active --account $account1 --uid $uid1 --public-key "\"$(cat $account1key1file.pub)\""
json .error_code OK .command accountCreate .value null
revoke accountCreate
grant accountModify
success modify_account1 $a0 --osh accountModify --pam-auth-bypass yes --account $account1
json .error_code OK .command accountModify
# test osh-only
success enable_osh_only $a0 --osh accountModify --osh-only yes --account $account1
json .error_code OK .command accountModify
# account1 can not connect to anything
run no_ssh_after_osh_only $a1 anybody@127.0.0.1
retvalshouldbe 107
json .error_code KO_ACCESS_DENIED .error_message "You don't have the right to connect anywhere"
success disable_osh_only $a0 --osh accountModify --osh-only no --account $account1
json .error_code OK .command accountModify
# account1 can connect now (or could if they were granted)
run can_ssh_after_osh_only_disable $a1 anybody@127.0.0.1
retvalshouldbe 107
json .error_code KO_ACCESS_DENIED
contain "Access denied"
nocontain "anywhere"
revoke accountModify
success beforeadd $a1 -osh selfListEgressKeys
tmpfp=$(get_json | $jq '.value|keys[0]')
json .command selfListEgressKeys .error_code OK '.value|keys[1]' null
pattern "^$account1@fix-my-config-please-missing-bastion-name:[0-9]+$" "$(get_json | $jq ".value|.[\"$tmpfp\"]|.comment")"
success selfGenerateEgressKey $a1 --osh selfGenerateEgressKey --algo rsa --size 4096
json .error_code OK .command selfGenerateEgressKey .value.size 4096 .value.family RSA
tmpfp2=$(get_json | $jq '.value.fingerprint')
success afteradd $a1 -osh selfListEgressKeys
json .command selfListEgressKeys .error_code OK '.value|keys[2]' null
pattern "^$account1@fix-my-config-please-missing-bastion-name:[0-9]+$" "$(get_json | $jq ".value|.[\"$tmpfp\"]|.comment")"
pattern "^$account1@fix-my-config-please-missing-bastion-name:[0-9]+$" "$(get_json | $jq ".value|.[\"$tmpfp2\"]|.comment")"
unset tmpfp
unset tmpfp2
# batch plugin
script one "printf \"%b\\n\" \"info\\naccountInfo --account $account0\\nselfListEgressKeys\" | $a1 --osh batch"
retvalshouldbe 0
json .command batch .error_code OK
json '.value[0].result.error_code' OK '.value[0].command' info '.value[0].result.value.account' "$account1"
json '.value[1].result.error_code' KO_RESTRICTED_COMMAND '.value[1].command' "accountInfo --account $account0"
json '.value[2].result.error_code' OK '.value[2].command' selfListEgressKeys
# ssh
run a1atlo2 $a1 127.0.0.2 -- id
retvalshouldbe 107
contain "Access denied for"
json .command null .error_code KO_ACCESS_DENIED
run invalid_host $a1 127.0./0.1 -- id
retvalshouldbe 102
json .error_code KO_HOST_NOT_FOUND
run invalid_host $a1 127.0.%0.1 -- id
retvalshouldbe 128
json .error_code KO_INVALID_REMOTE_HOST
run invalid_user $a1 ro/ot@127.0.0.1 -- id
retvalshouldbe 127
json .error_code KO_INVALID_REMOTE_USER
grant selfAddPersonalAccess
grant selfDelPersonalAccess
run mustfail $a1 -osh selfAddPersonalAccess -h 127.0.0.2 -u $shellaccount -p 22
retvalshouldbe 106
contain "you to be specifically granted"
json .command null .error_code KO_RESTRICTED_COMMAND
success mustwork $a0 -osh selfAddPersonalAccess -h 127.0.0.2 -u $shellaccount -p 22 --kbd-interactive
nocontain "already"
json .command selfAddPersonalAccess .error_code OK .value.ip 127.0.0.2 .value.user $shellaccount .value.port 22
success dupe $a0 -osh selfAddPersonalAccess -h 127.0.0.2 -u $shellaccount -p 22 --kbd-interactive
contain "already"
json .command selfAddPersonalAccess .error_code OK_NO_CHANGE .value null
success withttl $a0 -osh selfAddPersonalAccess -h 127.0.0.4 -u $shellaccount -p 22 --force --ttl 0d0h0m3s
json .command selfAddPersonalAccess .error_code OK .value.ip 127.0.0.4 .value.user $shellaccount .value.port 22 .value.ttl 3
run a1atlo2_login8 $a0 127.0.0.2 -- id
retvalshouldbe 107
contain "Access denied for"
json .command null .value null .error_code KO_ACCESS_DENIED
# auto hostname=$host comment
success self_add_personal_access_auto_comment $a0 --osh selfAddPersonalAccess --host localhost -u autocomment -p 1234 --force --ttl 1
json .command selfAddPersonalAccess .error_code OK .value.comment "hostname=localhost" .value.user autocomment .value.port 1234 .value.ttl 1
# forcekey
success for_force_key $a0 --osh selfListEgressKeys
account0key1fp=$(get_json | $jq '.value|keys[0]')
success forcekey $a0 --osh selfAddPersonalAccess -h 127.7.7.7 -u $shellaccount -p 22 --force --force-key "$account0key1fp"
success forcekey $a0 --osh selfListAccesses
contain "$account0key1fp"
# try to use the force key
success forcekey $a0 $shellaccount@127.7.7.7 --kbd-interactive -- id
contain 'FORCED IN ACL'
success forcekey $a0 -osh selfDelPersonalAccess -h 127.7.7.7 -u $shellaccount -p 22
# /forcekey
success shellaccountatlo2_mustwork $a0 $shellaccount@127.0.0.2 --kbd-interactive -- echo $randomstr
contain REGEX "$shellaccount@[a-zA-Z0-9._-]+:22"
contain "allowed ... log on"
nocontain "Permission denied"
contain "$randomstr"
# scp
success forscp $a0 --osh selfAddPersonalAccess --host 127.0.0.2 --scpup --port 22
success scp $a0 --osh scp
if [ "$COUNTONLY" != 1 ]; then
tmpb64=$(get_json | $jq '.value.script')
base64 -d <<< "$tmpb64" | gunzip -c > /tmp/scphelpertmp
perl -pe "s/ssh $account0\\@\\S+/ssh -p $remote_port $account0\\@$remote_ip/" /tmp/scphelpertmp > /tmp/scphelper
chmod +x /tmp/scphelper
cat /tmp/scphelper
unset tmpb64
fi
run scp_downloadfailnoright scp -F $mytmpdir/ssh_config -S /tmp/scphelper -i $account0key1file $shellaccount@127.0.0.2:uptest /tmp/downloaded
retvalshouldbe 1
contain "Sorry, but even"
success forscp $a0 --osh selfAddPersonalAccess --host 127.0.0.2 --scpdown --port 22
run scp_downloadfailnofile scp -F $mytmpdir/ssh_config -S /tmp/scphelper -i $account0key1file $shellaccount@127.0.0.2:uptest /tmp/downloaded
retvalshouldbe 1
contain "through the bastion from"
contain "Error launching transfer"
contain "No such file or directory"
nocontain "Permission denied"
run scp_invalidhostname scp -F $mytmpdir/ssh_config -S /tmp/scphelper -i $account0key1file $shellaccount@_invalid._invalid:uptest /tmp/downloaded
retvalshouldbe 1
contain "Sorry, couldn't resolve the host you specified"
success scp_upload scp -F $mytmpdir/ssh_config -S /tmp/scphelper -i $account0key1file /etc/passwd $shellaccount@127.0.0.2:uptest
contain "through the bastion to"
contain "Done,"
success scp_download scp -F $mytmpdir/ssh_config -S /tmp/scphelper -i $account0key1file $shellaccount@127.0.0.2:uptest /tmp/downloaded
contain "through the bastion from"
contain "Done,"
success forscpremove1 $a0 --osh selfDelPersonalAccess --host 127.0.0.2 --scpup --port 22
success forscpremove2 $a0 --osh selfDelPersonalAccess --host 127.0.0.2 --scpdown --port 22
# /scp
# (forced commands)
# ESCAPE HELL
success escapehell1ae $a0 --always-escape $shellaccount@127.0.0.2 -- "\"echo 'test1;test1' ; id\""
contain "'test1"
contain 'uid='
contain REGEX "test1': (command )?not found"
nocontain 'test1;test1'
nocontain 'crazy'
success escapehell2ae $a0 --always-escape $shellaccount@127.0.0.2 -- "'echo \"test1;test1\" ; id'"
contain "test1;test1"
contain 'uid='
nocontain 'not found'
nocontain 'crazy'
success escapehell3ae $a0 --always-escape $shellaccount@127.0.0.2 -- "'echo \\\"test1;test1\\\" ; id'"
contain '"test1'
contain 'uid='
contain REGEX 'test1": (command )?not found'
nocontain 'crazy'
success escapehell4ae $a0 --always-escape $shellaccount@127.0.0.2 -- "\"echo \\\"test1;test1\\\" ; id\""
contain 'test1;test1'
contain 'uid='
nocontain 'not found'
nocontain 'crazy'
success escapehell5ae $a0 --always-escape $shellaccount@127.0.0.2 -- "\"echo \\\"test1';'test1\\\" ; id\""
contain "test1\\';\\'test1"
contain 'uid='
nocontain 'not found'
nocontain 'crazy'
success escapehell1ne $a0 --never-escape $shellaccount@127.0.0.2 -- "\"echo 'test1;test1' ; id\""
contain "test1;test1"
contain 'uid='
nocontain 'not found'
nocontain 'crazy'
success escapehell2ne $a0 --never-escape $shellaccount@127.0.0.2 -- "'echo \"test1;test1\" ; id'"
contain "test1;test1"
contain 'uid='
nocontain 'not found'
nocontain 'crazy'
success escapehell3ne $a0 --never-escape $shellaccount@127.0.0.2 -- "'echo \\\"test1;test1\\\" ; id'"
contain '"test1'
contain 'uid='
contain REGEX 'test1": (command )?not found'
nocontain 'crazy'
success escapehell4ne $a0 --never-escape $shellaccount@127.0.0.2 -- "\"echo \\\"test1;test1\\\" ; id\""
contain 'test1;test1'
contain 'uid='
nocontain 'not found'
nocontain 'crazy'
success escapehell5ne $a0 --never-escape $shellaccount@127.0.0.2 -- "\"echo \\\"test1';'test1\\\" ; id\""
contain "test1';'test1"
contain 'uid='
nocontain 'not found'
nocontain 'crazy'
success escapehellnoprotect1ae $a0 --always-escape $shellaccount@127.0.0.2 "\"echo 'test1;test1' ; id\""
contain "test1"
contain 'uid='
contain REGEX "test1: (command )?not found"
nocontain 'test1;test1'
contain 'crazy'
success escapehellnoprotect2ae $a0 --always-escape $shellaccount@127.0.0.2 "'echo \"test1;test1\" ; id'"
contain "test1"
contain 'uid='
contain REGEX 'test1: (command )?not found'
nocontain 'test1;test1'
contain 'crazy'
success escapehellnoprotect3ae $a0 --always-escape $shellaccount@127.0.0.2 "'echo \\\"test1;test1\\\" ; id'"
contain 'test1;test1'
contain 'uid='
nocontain REGEX ': (command )?not found'
contain 'crazy'
success escapehellnoprotect4ae $a0 --always-escape $shellaccount@127.0.0.2 "\"echo \\\"test1;test1\\\" ; id\""
contain "test1"
contain 'uid='
contain REGEX 'test1: (command )?not found'
nocontain 'test1;test1'
contain 'crazy'
success escapehellnoprotect5ae $a0 --always-escape $shellaccount@127.0.0.2 "\"echo \\\"test1';'test1\\\" ; id\""
contain 'test1;test1'
contain 'uid='
nocontain 'not found'
contain 'crazy'
success escapehellnoprotect1ne $a0 --never-escape $shellaccount@127.0.0.2 "\"echo 'test1;test1' ; id\""
contain "test1"
contain 'uid='
contain REGEX 'test1: (command )?not found'
nocontain 'test1;test1'
contain 'crazy'
success escapehellnoprotect2ne $a0 --never-escape $shellaccount@127.0.0.2 "'echo \"test1;test1\" ; id'"
contain "test1"
contain 'uid='
contain REGEX 'test1: (command )?not found'
nocontain 'test1;test1'
contain 'crazy'
success escapehellnoprotect3ne $a0 --never-escape $shellaccount@127.0.0.2 "'echo \\\"test1;test1\\\" ; id'"
contain 'test1;test1'
contain 'uid='
nocontain 'not found'
contain 'crazy'
success escapehellnoprotect4ne $a0 --never-escape $shellaccount@127.0.0.2 "\"echo \\\"test1;test1\\\" ; id\""
contain "test1"
contain 'uid='
contain REGEX 'test1: (command )?not found'
nocontain 'test1;test1'
contain 'crazy'
success escapehellnoprotect5ne $a0 --never-escape $shellaccount@127.0.0.2 "\"echo \\\"test1';'test1\\\" ; id\""
contain 'test1;test1'
contain 'uid='
nocontain 'not found'
contain 'crazy'
run shellaccountatlo_badport $a0 $shellaccount@127.0.0.2 -p 223 -- echo $randomstr
retvalshouldbe 107
contain "Access denied for"
nocontain "$randomstr"
json .command null .value null .error_code KO_ACCESS_DENIED
run shellaccountatlo_badip $a0 $shellaccount@127.0.0.1 -- echo $randomstr
retvalshouldbe 107
contain "Access denied for"
nocontain "$randomstr"
json .command null .value null .error_code KO_ACCESS_DENIED
run shellaccountatlo_badroot $a0 root@127.0.0.2 -- echo $randomstr
retvalshouldbe 107
contain "Access denied for"
nocontain "$randomstr"
json .command null .value null .error_code KO_ACCESS_DENIED
run mustfailnosudo $a1 -osh selfDelPersonalAccess -h 127.0.0.2 -u $shellaccount -p 22
retvalshouldbe 106
contain "you to be specifically granted"
json .command null .value null .error_code KO_RESTRICTED_COMMAND
#sudo usermod -a -G osh-selfDelPersonalAccess $account1
success mustwork $a0 -osh selfDelPersonalAccess -h 127.0.0.2 -u $shellaccount -p 22
contain "Access to $shellaccount@127.0.0.2:22"
json .command selfDelPersonalAccess .error_code OK .value.ip 127.0.0.2 .value.user $shellaccount .value.port 22
run shellaccountatlo2_mustfail $a1 $shellaccount@127.0.0.2 -- echo $randomstr
retvalshouldbe 107
contain "Access denied for"
nocontain "$randomstr"
json .command null .value null .error_code KO_ACCESS_DENIED
success mustwork $a0 -osh selfAddPersonalAccess -h 127.0.0.2 -u $shellaccount -p 226
nocontain "already"
json .command selfAddPersonalAccess .error_code OK .value.ip 127.0.0.2 .value.user $shellaccount .value.port 226
# shouldn't work
run shellaccountatlo2_badport2 $a0 $shellaccount@127.0.0.2 -- echo $randomstr
retvalshouldbe 107
contain "Access denied for"
nocontain "$randomstr"
json .command null .value null .error_code KO_ACCESS_DENIED
# should
success shellaccountatlo2_mustwork226 $a0 $shellaccount@127.0.0.2 -p 226 -- echo $randomstr
contain REGEX "$shellaccount@[a-zA-Z0-9._-]+:226"
contain "allowed ... log on"
nocontain "Permission denied"
contain "$randomstr"
success mustwork $a0 -osh selfDelPersonalAccess -h 127.0.0.2 -u $shellaccount -p 226
contain "Access to $shellaccount@127.0.0.2:226"
json .command selfDelPersonalAccess .error_code OK .value.ip 127.0.0.2 .value.user $shellaccount .value.port 226
run shellaccountatlo2_mustfailnow $a0 $shellaccount@127.0.0.2 -p 226 -- echo $randomstr
retvalshouldbe 107
contain "Access denied for"
nocontain "$randomstr"
json .command null .value null .error_code KO_ACCESS_DENIED
plgfail nousernoportnoforce $a0 -osh selfAddPersonalAccess -h 127.0.0.4
nocontain "already"
contain REGEX "Couldn't connect to $account0@127.0.0.4 \\(ssh returned error (255|124)\\)"
json .command selfAddPersonalAccess .error_code ERR_CONNECTION_FAILED .value null
success nousernoport $a0 -osh selfAddPersonalAccess -h 127.0.0.4 --force
nocontain "already"
contain "Forcing add as asked"
json .command selfAddPersonalAccess .error_code OK .value.ip 127.0.0.4 .value.port null .value.user null
run rootport22 $a0 root@127.0.0.4 -- echo $randomstr
retvalshouldbe 255
contain "allowed ... log on"
contain "Permission denied"
nocontain "$randomstr"
run anyuserport22 $a0 whatevaah@127.0.0.4 -- echo $randomstr
retvalshouldbe 255
contain "allowed ... log on"
contain "Permission denied"
nocontain "$randomstr"
success gooduserport22 $a0 $shellaccount@127.0.0.4 -- echo $randomstr
contain "allowed ... log on"
contain "$randomstr"
run exitcode $a0 $shellaccount@127.0.0.4 -- exit 43
retvalshouldbe 43
contain "allowed ... log on"
success gooduserport226 $a0 $shellaccount@127.0.0.4 -p 226 -- echo $randomstr
contain "allowed ... log on"
contain "$randomstr"
run anyuseaarrport226 $a0 pokpozkpab@127.0.0.4 -p 226 -- echo $randomstr
retvalshouldbe 255
contain "allowed ... log on"
nocontain "$randomstr"
success nousernoport $a0 -osh selfDelPersonalAccess -h 127.0.0.4
contain "Access to 127.0.0.4 "
json .command selfDelPersonalAccess .error_code OK .value.ip 127.0.0.4 .value.port null .value.user null
success nousernoport_dupe $a0 -osh selfDelPersonalAccess -h 127.0.0.4
nocontain "no longer has a personal access"
json .command selfDelPersonalAccess .error_code OK_NO_CHANGE .value null
# TODO try add/del accesses with and without port/user specification
# ... then try to ssh with all combinations
# TODO try partial group thing, and try to ssh to ip pertaining to group
success oka0 $a0 --osh selfListAccesses
contain 'no registered accesses'
nocontain 'personal'
nocontain 'group-member'
nocontain 'group-guest'
json .command selfListAccesses .error_code OK_EMPTY .value null
# FIXME with bastion config => auto-added private accesses ?
success oka1 $a1 --osh selfListAccesses
contain 'no registered accesses'
nocontain 'personal'
nocontain 'group-member'
nocontain 'group-guest'
json .command selfListAccesses .error_code OK_EMPTY .value null
success loportnomatch $a0 --osh selfForgetHostKey --host 127.0.0.1 --port 1234
json .command selfForgetHostKey .error_code OK '.value."[127.0.0.1]:1234".action' OK_NO_MATCH
success lonomatch $a0 --osh selfForgetHostKey --host 127.0.0.1
json .command selfForgetHostKey .error_code OK '.value."127.0.0.1".action' OK_NO_MATCH
success lonofile $a1 --osh selfForgetHostKey --host 127.0.0.1
json .command selfForgetHostKey .error_code OK_NO_CHANGE .value null
success works $a0 --osh selfForgetHostKey --host 127.0.0.2
json .command selfForgetHostKey .error_code OK '.value."127.0.0.2".action' OK_DELETED
success dupe $a0 --osh selfForgetHostKey --host 127.0.0.2
json .command selfForgetHostKey .error_code OK '.value."127.0.0.2".action' OK_NO_MATCH
grant accountUnexpire
success nochange $a0 --osh accountUnexpire --account $account1
json .command accountUnexpire .error_code OK_NO_CHANGE
# artificially expire account1
configchg 's=^\\\\x22accountMaxInactiveDays\\\\x22.+=\\\\x22accountMaxInactiveDays\\\\x22:2,='
success manuallyExpireAccount1 $r0 "touch -t 201501010101 /home/$account1/lastlog"
run expired $a1 --osh info
retvalshouldbe 113
success works $a0 --osh accountUnexpire --account $account1
json .command accountUnexpire .error_code OK
success unexpired $a1 --osh info
json .error_code OK
success worksnochange $a0 --osh accountUnexpire --account $account1
json .command accountUnexpire .error_code OK_NO_CHANGE
# try on never logged-in account (different code path)
success manuallyRemoveLastlog $r0 "rm -f /home/$account1/lastlog"
success worksnochange $a0 --osh accountUnexpire --account $account1
json .command accountUnexpire .error_code OK_NO_CHANGE
revoke accountUnexpire
# delete account1
grant accountDelete
script cleanup $a0 --osh accountDelete --account $account1 "<<< \"Yes, do as I say and delete $account1, kthxbye\""
retvalshouldbe 0
revoke accountDelete
}
testsuite_selfaccesses