warpgate/tests/test_ssh_target_selection.py

79 lines
2.3 KiB
Python
Raw Normal View History

2022-08-14 18:36:49 +08:00
from pathlib import Path
2022-11-12 00:00:12 +08:00
import subprocess
from uuid import uuid4
2022-08-14 18:36:49 +08:00
2022-11-12 00:00:12 +08:00
from .api_client import (
api_add_role_to_target,
api_add_role_to_user,
api_admin_session,
api_create_role,
api_create_target,
api_create_user,
)
from .conftest import ProcessManager, WarpgateProcess
2022-08-14 18:36:49 +08:00
from .util import wait_port
class Test:
def test_bad_target(
2022-11-12 00:00:12 +08:00
self,
processes: ProcessManager,
wg_c_ed25519_pubkey: Path,
shared_wg: WarpgateProcess,
2022-08-14 18:36:49 +08:00
):
ssh_port = processes.start_ssh_server(
trusted_keys=[wg_c_ed25519_pubkey.read_text()]
)
wait_port(ssh_port)
2022-11-12 00:00:12 +08:00
url = f"https://localhost:{shared_wg.http_port}"
with api_admin_session(url) as session:
role = api_create_role(url, session, {"name": f"role-{uuid4()}"})
user = api_create_user(
url,
session,
{
"username": f"user-{uuid4()}",
"credentials": [
{
"kind": "Password",
"hash": "123",
},
],
},
)
api_add_role_to_user(url, session, user["id"], role["id"])
ssh_target = api_create_target(
url,
session,
{
"name": f"ssh-{uuid4()}",
"options": {
"kind": "Ssh",
"host": "localhost",
"port": ssh_port,
"username": "root",
"auth": {"kind": "PublicKey"},
},
},
)
api_add_role_to_target(url, session, ssh_target["id"], role["id"])
2022-08-14 18:36:49 +08:00
ssh_client = processes.start_ssh_client(
2022-11-12 00:00:12 +08:00
"-t",
f"{user['username']}:badtarget@localhost",
"-p",
str(shared_wg.ssh_port),
"-i",
"/dev/null",
"-o",
"PreferredAuthentications=password",
"echo",
"hello",
stderr=subprocess.PIPE,
password="123",
2022-08-14 18:36:49 +08:00
)
assert ssh_client.returncode != 0
2022-11-12 00:00:12 +08:00
assert b"Permission denied" in ssh_client.stderr.read()