package ssh
import (
"fmt"
"reflect"
"testing"
"time"
"golang.org/x/crypto/ssh"
"encoding/base64"
"errors"
"strings"
"github.com/hashicorp/vault/api"
"github.com/hashicorp/vault/logical"
logicaltest "github.com/hashicorp/vault/logical/testing"
"github.com/hashicorp/vault/vault"
"github.com/mitchellh/mapstructure"
)
// Before the following tests are run, a user named 'vaultssh' has
// to be created and its ~/.ssh/authorized_keys file should contain the below key.
//
// ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9i+hFxZHGo6KblVme4zrAcJstR6I0PTJozW286X4WyvPnkMYDQ5mnhEYC7UWCvjoTWbPEXPX7NjhRtwQTGD67bV+lrxgfyzK1JZbUXK4PwgKJvQD+XyyWYMzDgGSQY61KUSqCxymSm/9NZkPU3ElaQ9xQuTzPpztM4ROfb8f2Yv6/ZESZsTo0MTAkp8Pcy+WkioI/uJ1H7zqs0EA4OMY4aDJRu0UtP4rTVeYNEAuRXdX+eH4aW3KMvhzpFTjMbaJHJXlEeUm2SaX5TNQyTOvghCeQILfYIL/Ca2ij8iwCmulwdV6eQGfd4VDu40PvSnmfoaE38o6HaPnX0kUcnKiT
const (
	// Host and account the acceptance tests connect to. The vaultssh account
	// must exist on 127.0.0.1 and trust the public key in the header comment
	// above (see the note at the top of the file).
	testIP        = "127.0.0.1"
	testUserName  = "vaultssh"
	testAdminUser = "vaultssh"

	// Values accepted by a role's key_type field in these tests.
	testOTPKeyType     = "otp"
	testDynamicKeyType = "dynamic"

	// cidr_list used by the roles below; only the loopback host is covered.
	testCIDRList = "127.0.0.1/32"

	// Names of the roles and of the named key that the CRUD tests create and
	// delete.
	testDynamicRoleName = "testDynamicRoleName"
	testOTPRoleName     = "testOTPRoleName"
	testKeyName         = "testKeyName"

	// testSharedPrivateKey is registered as the named key testKeyName by
	// testNamedKeysWrite and is the key the dynamic-key role refers to. Its
	// public half is the ssh-rsa key quoted in the header comment (the RSA
	// modulus in both encodings starts with the same bytes). Test fixture
	// only; the value starts with a newline, as the raw string does.
	testSharedPrivateKey = `
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAvYvoRcWRxqOim5VZnuM6wHCbLUeiND0yaM1tvOl+Fsrz55DG
A0OZp4RGAu1Fgr46E1mzxFz1+zY4UbcEExg+u21fpa8YH8sytSWW1FyuD8ICib0A
/l8slmDMw4BkkGOtSlEqgscpkpv/TWZD1NxJWkPcULk8z6c7TOETn2/H9mL+v2RE
mbE6NDEwJKfD3MvlpIqCP7idR+86rNBAODjGOGgyUbtFLT+K01XmDRALkV3V/nh+
GltyjL4c6RU4zG2iRyV5RHlJtkml+UzUMkzr4IQnkCC32CC/wmtoo/IsAprpcHVe
nkBn3eFQ7uND70p5n6GhN/KOh2j519JFHJyokwIDAQABAoIBAHX7VOvBC3kCN9/x
+aPdup84OE7Z7MvpX6w+WlUhXVugnmsAAVDczhKoUc/WktLLx2huCGhsmKvyVuH+
MioUiE+vx75gm3qGx5xbtmOfALVMRLopjCnJYf6EaFA0ZeQ+NwowNW7Lu0PHmAU8
Z3JiX8IwxTz14DU82buDyewO7v+cEr97AnERe3PUcSTDoUXNaoNxjNpEJkKREY6h
4hAY676RT/GsRcQ8tqe/rnCqPHNd7JGqL+207FK4tJw7daoBjQyijWuB7K5chSal
oPInylM6b13ASXuOAOT/2uSUBWmFVCZPDCmnZxy2SdnJGbsJAMl7Ma3MUlaGvVI+
Tfh1aQkCgYEA4JlNOabTb3z42wz6mz+Nz3JRwbawD+PJXOk5JsSnV7DtPtfgkK9y
6FTQdhnozGWShAvJvc+C4QAihs9AlHXoaBY5bEU7R/8UK/pSqwzam+MmxmhVDV7G
IMQPV0FteoXTaJSikhZ88mETTegI2mik+zleBpVxvfdhE5TR+lq8Br0CgYEA2AwJ
CUD5CYUSj09PluR0HHqamWOrJkKPFPwa+5eiTTCzfBBxImYZh7nXnWuoviXC0sg2
AuvCW+uZ48ygv/D8gcz3j1JfbErKZJuV+TotK9rRtNIF5Ub7qysP7UjyI7zCssVM
kuDd9LfRXaB/qGAHNkcDA8NxmHW3gpln4CFdSY8CgYANs4xwfercHEWaJ1qKagAe
rZyrMpffAEhicJ/Z65lB0jtG4CiE6w8ZeUMWUVJQVcnwYD+4YpZbX4S7sJ0B8Ydy
AhkSr86D/92dKTIt2STk6aCN7gNyQ1vW198PtaAWH1/cO2UHgHOy3ZUt5X/Uwxl9
cex4flln+1Viumts2GgsCQKBgCJH7psgSyPekK5auFdKEr5+Gc/jB8I/Z3K9+g4X
5nH3G1PBTCJYLw7hRzw8W/8oALzvddqKzEFHphiGXK94Lqjt/A4q1OdbCrhiE68D
My21P/dAKB1UYRSs9Y8CNyHCjuZM9jSMJ8vv6vG/SOJPsnVDWVAckAbQDvlTHC9t
O98zAoGAcbW6uFDkrv0XMCpB9Su3KaNXOR0wzag+WIFQRXCcoTvxVi9iYfUReQPi
oOyBJU/HMVvBfv4g+OVFLVgSwwm6owwsouZ0+D/LasbuHqYyqYqdyPJQYzWA2Y+F
+B6f4RoPdSXj24JHPg/ioRxjaj094UXJxua2yfkcecGNEuBQHSs=
-----END RSA PRIVATE KEY-----
`

	// Public half of `privateKey`, identical to how it would be fed in from a file
	// (type, base64 blob and comment, trailing newline included). This is the
	// CA public key that configCaStep installs and that the public_key
	// endpoint is expected to return verbatim.
	publicKey = `ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDArgK0ilRRfk8E7HIsjz5l3BuxmwpDd8DHRCVfOhbZ4gOSVxjEOOqBwWGjygdboBIZwFXmwDlU6sWX0hBJAgpQz0Cjvbjxtq/NjkvATrYPgnrXUhTaEn2eQO0PsqRNSFH46SK/oJfTp0q8/WgojxWJ2L7FUV8PO8uIk49DzqAqPV7WXU63vFsjx+3WQOX/ILeQvHCvaqs3dWjjzEoDudRWCOdUqcHEOshV9azIzPrXlQVzRV3QAKl6u7pC+/Secorpwt6IHpMKoVPGiR0tMMuNOVH8zrAKzIxPGfy2WmNDpJopbXMTvSOGAqNcp49O4SKOQl9Fzfq2HEevJamKLrMB dummy@example.com
`

	// publicKey2 is the same key as publicKey with the "ssh-rsa" type and the
	// comment stripped, leaving only the base64 blob. It is the key that the
	// sign/ tests submit as public_key to be certified.
	publicKey2 = `AAAAB3NzaC1yc2EAAAADAQABAAABAQDArgK0ilRRfk8E7HIsjz5l3BuxmwpDd8DHRCVfOhbZ4gOSVxjEOOqBwWGjygdboBIZwFXmwDlU6sWX0hBJAgpQz0Cjvbjxtq/NjkvATrYPgnrXUhTaEn2eQO0PsqRNSFH46SK/oJfTp0q8/WgojxWJ2L7FUV8PO8uIk49DzqAqPV7WXU63vFsjx+3WQOX/ILeQvHCvaqs3dWjjzEoDudRWCOdUqcHEOshV9azIzPrXlQVzRV3QAKl6u7pC+/Secorpwt6IHpMKoVPGiR0tMMuNOVH8zrAKzIxPGfy2WmNDpJopbXMTvSOGAqNcp49O4SKOQl9Fzfq2HEevJamKLrMB
`

	// privateKey is the CA signing key that configCaStep installs alongside
	// publicKey; certificates issued by sign/ are expected to carry publicKey
	// as their SignatureKey. Test fixture only.
	privateKey = `-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAwK4CtIpUUX5PBOxyLI8+ZdwbsZsKQ3fAx0QlXzoW2eIDklcY
xDjqgcFho8oHW6ASGcBV5sA5VOrFl9IQSQIKUM9Ao7248bavzY5LwE62D4J611IU
2hJ9nkDtD7KkTUhR+Okiv6CX06dKvP1oKI8Vidi+xVFfDzvLiJOPQ86gKj1e1l1O
t7xbI8ft1kDl/yC3kLxwr2qrN3Vo48xKA7nUVgjnVKnBxDrIVfWsyMz615UFc0Vd
0ACperu6Qvv0nnKK6cLeiB6TCqFTxokdLTDLjTlR/M6wCsyMTxn8tlpjQ6SaKW1z
E70jhgKjXKePTuEijkJfRc36thxHryWpii6zAQIDAQABAoIBAA/DrPD8iF2KigiL
F+RRa/eFhLaJStOuTpV/G9eotwnolgY5Hguf5H/tRIHUG7oBZLm6pMyWWZp7AuOj
CjYO9q0Z5939vc349nVI+SWoyviF4msPiik1bhWulja8lPjFu/8zg+ZNy15Dx7ei
vAzleAupMiKOv8pNSB/KguQ3WZ9a9bcQcoFQ2Foru6mXpLJ03kghVRlkqvQ7t5cA
n11d2Hiipq9mleESr0c+MUPKLBX/neaWfGA4xgJTjIYjZi6avmYc/Ox3sQ9aLq2J
tH0D4HVUZvaU28hn+jhbs64rRFbu++qQMe3vNvi/Q/iqcYU4b6tgDNzm/JFRTS/W
njiz4mkCgYEA44CnQVmonN6qQ0AgNNlBY5+RX3wwBJZ1AaxpzwDRylAt2vlVUA0n
YY4RW4J4+RMRKwHwjxK5RRmHjsIJx+nrpqihW3fte3ev5F2A9Wha4dzzEHxBY6IL
362T/x2f+vYk6tV+uTZSUPHsuELH26mitbBVFNB/00nbMNdEc2bO5FMCgYEA2NCw
ubt+g2bRkkT/Qf8gIM8ZDpZbARt6onqxVcWkQFT16ZjbsBWUrH1Xi7alv9+lwYLJ
ckY/XDX4KeU19HabeAbpyy6G9Q2uBSWZlJbjl7QNhdLeuzV82U1/r8fy6Uu3gQnU
WSFx2GesRpSmZpqNKMs5ksqteZ9Yjg1EIgXdINsCgYBIn9REt1NtKGOf7kOZu1T1
cYXdvm4xuLoHW7u3OiK+e9P3mCqU0G4m5UxDMyZdFKohWZAqjCaamWi9uNGYgOMa
I7DG20TzaiS7OOIm9TY17eul8pSJMrypnealxRZB7fug/6Bhjaa/cktIEwFr7P4l
E/JFH73+fBA9yipu0H3xQwKBgHmiwrLAZF6VrVcxDD9bQQwHA5iyc4Wwg+Fpkdl7
0wUgZQHTdtRXlxwaCaZhJqX5c4WXuSo6DMvPn1TpuZZXgCsbPch2ZtJOBWXvzTSW
XkK6iaedQMWoYU2L8+mK9FU73EwxVodWgwcUSosiVCRV6oGLWdZnjGEiK00uVh38
Si1nAoGBAL47wWinv1cDTnh5mm0mybz3oI2a6V9aIYCloQ/EFcvtahyR/gyB8qNF
lObH9Faf0WGdnACZvTz22U9gWhw79S0SpDV31tC5Kl8dXHFiZ09vYUKkYmSd/kms
SeKWrUkryx46LVf6NMhkyYmRqCEjBwfOozzezi5WbiJy6nn54GQt
-----END RSA PRIVATE KEY-----
`
)
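// TestBackend_allowed_users checks how a role's allowed_users field gates
// the usernames an OTP credential may be requested for: the role's
// default_user is always accepted, a listed user is accepted, an unlisted
// user is rejected, a role rewritten without allowed_users admits only
// default_user, and "*" admits any user.
//
// A role write returns no response body on success, so writeRole treats a
// non-nil response as a failure (an error response is non-nil too). A
// successful creds request must return a non-empty "key" plus the key_type,
// ip and username that were requested.
func TestBackend_allowed_users(t *testing.T) {
	config := logical.TestBackendConfig()
	config.StorageView = &logical.InmemStorage{}

	b, err := Backend(config)
	if err != nil {
		t.Fatal(err)
	}
	if _, err = b.Setup(config); err != nil {
		t.Fatal(err)
	}
	if err = b.Initialize(); err != nil {
		t.Fatal(err)
	}

	roleData := map[string]interface{}{
		"key_type":      "otp",
		"default_user":  "ubuntu",
		"cidr_list":     "52.207.235.245/16",
		"allowed_users": "test",
	}
	roleReq := &logical.Request{
		Operation: logical.UpdateOperation,
		Path:      "roles/role1",
		Storage:   config.StorageView,
		Data:      roleData,
	}

	credsData := map[string]interface{}{
		"ip":       "52.207.235.245",
		"username": "ubuntu",
	}
	credsReq := &logical.Request{
		Operation: logical.UpdateOperation,
		Storage:   config.StorageView,
		Path:      "creds/role1",
		Data:      credsData,
	}

	// writeRole (re)writes roles/role1 from the current contents of roleData.
	writeRole := func() {
		resp, err := b.HandleRequest(roleReq)
		if err != nil || resp != nil {
			t.Fatalf("failed to write role: resp:%#v err:%v", resp, err)
		}
	}

	// issueCreds requests a credential for user and checks the issued fields.
	// The "key" value is checked with a type assertion so that a missing key
	// (nil interface) is reported rather than silently passing.
	issueCreds := func(user string) {
		credsData["username"] = user
		resp, err := b.HandleRequest(credsReq)
		if err != nil || resp == nil || resp.IsError() {
			t.Fatalf("failed to create credential for %q: resp:%#v err:%v", user, resp, err)
		}
		key, ok := resp.Data["key"].(string)
		if !ok || key == "" ||
			resp.Data["key_type"] != "otp" ||
			resp.Data["ip"] != "52.207.235.245" ||
			resp.Data["username"] != user {
			t.Fatalf("unexpected credential for %q: resp:%#v", user, resp)
		}
	}

	// rejectCreds requests a credential for user and requires an error
	// response (not a transport error and not a nil response).
	rejectCreds := func(user string) {
		credsData["username"] = user
		resp, err := b.HandleRequest(credsReq)
		if err != nil || resp == nil || !resp.IsError() {
			t.Fatalf("expected failure for %q: resp:%#v err:%v", user, resp, err)
		}
	}

	// allowed_users = "test": default_user and "test" pass, anyone else fails.
	writeRole()
	issueCreds("ubuntu")
	issueCreds("test")
	rejectCreds("random")

	// No allowed_users at all: only default_user passes.
	delete(roleData, "allowed_users")
	writeRole()
	issueCreds("ubuntu")
	rejectCreds("test")

	// allowed_users = "*": a user outside default_user passes again.
	roleData["allowed_users"] = "*"
	writeRole()
	issueCreds("test")
}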
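// testingFactory is the Factory used by the acceptance tests in this file.
// It starts vault's SSH host test server and then builds the backend from a
// fixed configuration: in-memory storage and a static system view with a
// 2 minute default lease TTL and a 10 minute maximum. conf is accepted to
// satisfy the factory signature but is not consulted.
//
// A failure to start the test server is returned as an error so that the
// test harness reports it as an ordinary failure instead of a panic.
func testingFactory(conf *logical.BackendConfig) (logical.Backend, error) {
	if _, err := vault.StartSSHHostTestServer(); err != nil {
		return nil, fmt.Errorf("error starting mock server:%s", err)
	}

	const (
		defaultLeaseTTLVal = 2 * time.Minute
		maxLeaseTTLVal     = 10 * time.Minute
	)
	return Factory(&logical.BackendConfig{
		Logger:      nil,
		StorageView: &logical.InmemStorage{},
		System: &logical.StaticSystemView{
			DefaultLeaseTTLVal: defaultLeaseTTLVal,
			MaxLeaseTTLVal:     maxLeaseTTLVal,
		},
	})
}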
// TestSSHBackend_Lookup drives the lookup endpoint for the test IP while an
// OTP role and a dynamic role are created and deleted; after each change the
// reported role list must match the expectation for that stage.
func TestSSHBackend_Lookup(t *testing.T) {
	otpRole := map[string]interface{}{
		"key_type":     testOTPKeyType,
		"default_user": testUserName,
		"cidr_list":    testCIDRList,
	}
	dynamicRole := map[string]interface{}{
		"key_type":     testDynamicKeyType,
		"key":          testKeyName,
		"admin_user":   testAdminUser,
		"default_user": testAdminUser,
		"cidr_list":    testCIDRList,
	}
	lookup := map[string]interface{}{"ip": testIP}

	// Expected role lists at each stage of the sequence below.
	var noRoles []string
	otpOnly := []string{testOTPRoleName}
	bothRoles := []string{testDynamicRoleName, testOTPRoleName}
	dynamicOnly := []string{testDynamicRoleName}

	steps := []logicaltest.TestStep{
		testLookupRead(t, lookup, noRoles),
		testRoleWrite(t, testOTPRoleName, otpRole),
		testLookupRead(t, lookup, otpOnly),
		testNamedKeysWrite(t, testKeyName, testSharedPrivateKey),
		testRoleWrite(t, testDynamicRoleName, dynamicRole),
		testLookupRead(t, lookup, bothRoles),
		testRoleDelete(t, testOTPRoleName),
		testLookupRead(t, lookup, dynamicOnly),
		testRoleDelete(t, testDynamicRoleName),
		testLookupRead(t, lookup, noRoles),
	}
	logicaltest.Test(t, logicaltest.TestCase{
		AcceptanceTest: true,
		Factory:        testingFactory,
		Steps:          steps,
	})
}
// TestSSHBackend_DynamicKeyCreate registers the shared private key, writes a
// dynamic-key role that uses it, and requests a credential for the test user
// and IP through that role.
func TestSSHBackend_DynamicKeyCreate(t *testing.T) {
	dynamicRole := map[string]interface{}{
		"key_type":     testDynamicKeyType,
		"key":          testKeyName,
		"admin_user":   testAdminUser,
		"default_user": testAdminUser,
		"cidr_list":    testCIDRList,
	}
	credsRequest := map[string]interface{}{
		"username": testUserName,
		"ip":       testIP,
	}

	steps := []logicaltest.TestStep{
		testNamedKeysWrite(t, testKeyName, testSharedPrivateKey),
		testRoleWrite(t, testDynamicRoleName, dynamicRole),
		testCredsWrite(t, testDynamicRoleName, credsRequest, false),
	}
	logicaltest.Test(t, logicaltest.TestCase{
		AcceptanceTest: true,
		Factory:        testingFactory,
		Steps:          steps,
	})
}
// TestSSHBackend_OTPRoleCrud writes an OTP role, reads it back (the read is
// expected to include the default port 22), deletes it, and checks that a
// subsequent read returns nothing.
func TestSSHBackend_OTPRoleCrud(t *testing.T) {
	written := map[string]interface{}{
		"key_type":     testOTPKeyType,
		"default_user": testUserName,
		"cidr_list":    testCIDRList,
	}
	expected := map[string]interface{}{
		"key_type":     testOTPKeyType,
		"port":         22,
		"default_user": testUserName,
		"cidr_list":    testCIDRList,
	}

	steps := []logicaltest.TestStep{
		testRoleWrite(t, testOTPRoleName, written),
		testRoleRead(t, testOTPRoleName, expected),
		testRoleDelete(t, testOTPRoleName),
		testRoleRead(t, testOTPRoleName, nil),
	}
	logicaltest.Test(t, logicaltest.TestCase{
		AcceptanceTest: true,
		Factory:        testingFactory,
		Steps:          steps,
	})
}
// TestSSHBackend_DynamicRoleCrud writes a dynamic-key role and reads it
// back, expecting the backend to have filled in its defaults (port 22,
// key_bits 1024 and the default install script); it then deletes the role
// and checks that the read returns nothing.
func TestSSHBackend_DynamicRoleCrud(t *testing.T) {
	written := map[string]interface{}{
		"key_type":     testDynamicKeyType,
		"key":          testKeyName,
		"admin_user":   testAdminUser,
		"default_user": testAdminUser,
		"cidr_list":    testCIDRList,
	}
	// testAdminUser and testUserName hold the same value, so the expected
	// admin_user/default_user are spelled with the constant the role was
	// written with.
	expected := map[string]interface{}{
		"key_type":       testDynamicKeyType,
		"key":            testKeyName,
		"admin_user":     testAdminUser,
		"default_user":   testAdminUser,
		"cidr_list":      testCIDRList,
		"port":           22,
		"key_bits":       1024,
		"install_script": DefaultPublicKeyInstallScript,
	}

	steps := []logicaltest.TestStep{
		testNamedKeysWrite(t, testKeyName, testSharedPrivateKey),
		testRoleWrite(t, testDynamicRoleName, written),
		testRoleRead(t, testDynamicRoleName, expected),
		testRoleDelete(t, testDynamicRoleName),
		testRoleRead(t, testDynamicRoleName, nil),
	}
	logicaltest.Test(t, logicaltest.TestCase{
		AcceptanceTest: true,
		Factory:        testingFactory,
		Steps:          steps,
	})
}
// TestSSHBackend_NamedKeysCrud registers the shared private key under
// testKeyName and then deletes it again.
func TestSSHBackend_NamedKeysCrud(t *testing.T) {
	steps := []logicaltest.TestStep{
		testNamedKeysWrite(t, testKeyName, testSharedPrivateKey),
		testNamedKeysDelete(t),
	}
	logicaltest.Test(t, logicaltest.TestCase{
		AcceptanceTest: true,
		Factory:        testingFactory,
		Steps:          steps,
	})
}
// TestSSHBackend_OTPCreate writes an OTP role and requests a credential for
// the test user and IP through it.
func TestSSHBackend_OTPCreate(t *testing.T) {
	otpRole := map[string]interface{}{
		"key_type":     testOTPKeyType,
		"default_user": testUserName,
		"cidr_list":    testCIDRList,
	}
	credsRequest := map[string]interface{}{
		"username": testUserName,
		"ip":       testIP,
	}

	steps := []logicaltest.TestStep{
		testRoleWrite(t, testOTPRoleName, otpRole),
		testCredsWrite(t, testOTPRoleName, credsRequest, false),
	}
	logicaltest.Test(t, logicaltest.TestCase{
		AcceptanceTest: true,
		Factory:        testingFactory,
		Steps:          steps,
	})
}
// TestSSHBackend_VerifyEcho sends the api echo request as the "otp" value of
// a verify call and expects the api echo response back in "message".
func TestSSHBackend_VerifyEcho(t *testing.T) {
	request := map[string]interface{}{"otp": api.VerifyEchoRequest}
	response := map[string]interface{}{"message": api.VerifyEchoResponse}

	logicaltest.Test(t, logicaltest.TestCase{
		AcceptanceTest: true,
		Factory:        testingFactory,
		Steps:          []logicaltest.TestStep{testVerifyWrite(t, request, response)},
	})
}
// TestSSHBackend_ConfigZeroAddressCRUD exercises config/zeroaddress: the
// comma-separated roles written there are read back as a list, a role that
// is deleted drops out of that list (down to an empty list once both roles
// are gone), and the config itself can be deleted.
func TestSSHBackend_ConfigZeroAddressCRUD(t *testing.T) {
	otpRole := map[string]interface{}{
		"key_type":     testOTPKeyType,
		"default_user": testUserName,
		"cidr_list":    testCIDRList,
	}
	dynamicRole := map[string]interface{}{
		"key_type":     testDynamicKeyType,
		"key":          testKeyName,
		"admin_user":   testAdminUser,
		"default_user": testAdminUser,
		"cidr_list":    testCIDRList,
	}

	writeOTPOnly := map[string]interface{}{"roles": testOTPRoleName}
	expectOTPOnly := map[string]interface{}{"roles": []string{testOTPRoleName}}
	writeBoth := map[string]interface{}{
		"roles": fmt.Sprintf("%s,%s", testOTPRoleName, testDynamicRoleName),
	}
	expectBoth := map[string]interface{}{
		"roles": []string{testOTPRoleName, testDynamicRoleName},
	}
	expectNone := map[string]interface{}{"roles": []string{}}

	steps := []logicaltest.TestStep{
		testRoleWrite(t, testOTPRoleName, otpRole),
		testConfigZeroAddressWrite(t, writeOTPOnly),
		testConfigZeroAddressRead(t, expectOTPOnly),
		testNamedKeysWrite(t, testKeyName, testSharedPrivateKey),
		testRoleWrite(t, testDynamicRoleName, dynamicRole),
		testConfigZeroAddressWrite(t, writeBoth),
		testConfigZeroAddressRead(t, expectBoth),
		testRoleDelete(t, testDynamicRoleName),
		testConfigZeroAddressRead(t, expectOTPOnly),
		testRoleDelete(t, testOTPRoleName),
		testConfigZeroAddressRead(t, expectNone),
		testConfigZeroAddressDelete(t),
	}
	logicaltest.Test(t, logicaltest.TestCase{
		AcceptanceTest: true,
		Factory:        testingFactory,
		Steps:          steps,
	})
}
// TestSSHBackend_CredsForZeroAddressRoles covers roles written without a
// cidr_list. The sequence expects a creds request for such a role to fail
// until the role is listed in config/zeroaddress, to succeed while it is
// listed, and to fail again once that config is deleted. The final bool
// passed to testCredsWrite is presumably "expect this step to fail" — see
// that helper.
func TestSSHBackend_CredsForZeroAddressRoles(t *testing.T) {
	dynamicRole := map[string]interface{}{
		"key_type":     testDynamicKeyType,
		"key":          testKeyName,
		"admin_user":   testAdminUser,
		"default_user": testAdminUser,
	}
	otpRole := map[string]interface{}{
		"key_type":     testOTPKeyType,
		"default_user": testUserName,
	}
	credsRequest := map[string]interface{}{
		"username": testUserName,
		"ip":       testIP,
	}
	zeroAddressOTP := map[string]interface{}{"roles": testOTPRoleName}
	zeroAddressBoth := map[string]interface{}{
		"roles": fmt.Sprintf("%s,%s", testOTPRoleName, testDynamicRoleName),
	}

	steps := []logicaltest.TestStep{
		testRoleWrite(t, testOTPRoleName, otpRole),
		testCredsWrite(t, testOTPRoleName, credsRequest, true),
		testConfigZeroAddressWrite(t, zeroAddressOTP),
		testCredsWrite(t, testOTPRoleName, credsRequest, false),
		testNamedKeysWrite(t, testKeyName, testSharedPrivateKey),
		testRoleWrite(t, testDynamicRoleName, dynamicRole),
		testCredsWrite(t, testDynamicRoleName, credsRequest, true),
		testConfigZeroAddressWrite(t, zeroAddressBoth),
		testCredsWrite(t, testDynamicRoleName, credsRequest, false),
		testConfigZeroAddressDelete(t),
		testCredsWrite(t, testOTPRoleName, credsRequest, true),
		testCredsWrite(t, testDynamicRoleName, credsRequest, true),
	}
	logicaltest.Test(t, logicaltest.TestCase{
		AcceptanceTest: true,
		Factory:        testingFactory,
		Steps:          steps,
	})
}
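// TestBackend_AbleToRetrievePublicKey installs the fixture CA key pair via
// configCaStep and checks that the unauthenticated public_key endpoint
// returns the configured public key verbatim as a raw HTTP body.
func TestBackend_AbleToRetrievePublicKey(t *testing.T) {
	config := logical.TestBackendConfig()

	b, err := Factory(config)
	if err != nil {
		t.Fatalf("Cannot create backend: %s", err)
	}

	readPublicKey := logicaltest.TestStep{
		Operation:       logical.ReadOperation,
		Path:            "public_key",
		Unauthenticated: true,
		Check: func(resp *logical.Response) error {
			if resp == nil {
				return errors.New("nil response from public_key")
			}
			// The key is returned as a raw body rather than a JSON field; a
			// missing or non-[]byte value is reported as a failure instead of
			// panicking on the type assertion.
			raw, ok := resp.Data["http_raw_body"].([]byte)
			if !ok {
				return fmt.Errorf("public_key response lacks http_raw_body: %#v", resp.Data)
			}
			if key := string(raw); key != publicKey {
				return fmt.Errorf("public_key incorrect. Expected %v, actual %v", publicKey, key)
			}
			return nil
		},
	}

	logicaltest.Test(t, logicaltest.TestCase{
		Backend: b,
		Steps: []logicaltest.TestStep{
			configCaStep(),
			readPublicKey,
		},
	})
}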
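// TestBackend_AbleToAutoGenerateSigningKeys writes config/ca with no key
// material and checks that the backend generated a CA key pair itself: the
// unauthenticated public_key endpoint must then return a non-empty key.
func TestBackend_AbleToAutoGenerateSigningKeys(t *testing.T) {
	config := logical.TestBackendConfig()

	b, err := Factory(config)
	if err != nil {
		t.Fatalf("Cannot create backend: %s", err)
	}

	// No public_key/private_key in Data: the backend has to generate its own.
	autoGenerateCA := logicaltest.TestStep{
		Operation: logical.UpdateOperation,
		Path:      "config/ca",
	}
	readPublicKey := logicaltest.TestStep{
		Operation:       logical.ReadOperation,
		Path:            "public_key",
		Unauthenticated: true,
		Check: func(resp *logical.Response) error {
			if resp == nil {
				return errors.New("nil response from public_key")
			}
			// A missing or non-[]byte body is a failure, not a panic.
			raw, ok := resp.Data["http_raw_body"].([]byte)
			if !ok {
				return fmt.Errorf("public_key response lacks http_raw_body: %#v", resp.Data)
			}
			if len(raw) == 0 {
				return fmt.Errorf("public_key empty. Expected not empty, actual %s", raw)
			}
			return nil
		},
	}

	logicaltest.Test(t, logicaltest.TestCase{
		Backend: b,
		Steps: []logicaltest.TestStep{
			autoGenerateCA,
			readPublicKey,
		},
	})
}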
// TestBackend_ValidPrincipalsValidatedForHostCertificates signs a host
// certificate for two principals that are subdomains of the role's
// allowed_domains and checks the issued certificate carries exactly those
// principals plus the role's default critical options and extensions.
func TestBackend_ValidPrincipalsValidatedForHostCertificates(t *testing.T) {
	config := logical.TestBackendConfig()

	b, err := Factory(config)
	if err != nil {
		t.Fatalf("Cannot create backend: %s", err)
	}

	// Key id the backend is expected to assign to the certificate; the hex
	// part is presumably derived from the CA key (not verified here).
	const expectedKeyId = "vault-root-22608f5ef173aabf700797cb95c5641e792698ec6380e8e1eb55523e39aa5e51"

	roleParams := map[string]interface{}{
		"key_type":               "ca",
		"allow_host_certificates": true,
		"allowed_domains":        "example.com,example.org",
		"allow_subdomains":       true,
		"default_critical_options": map[string]interface{}{
			"option": "value",
		},
		"default_extensions": map[string]interface{}{
			"extension": "extended",
		},
	}
	principals := []string{"dummy.example.org", "second.example.com"}
	signRequest := map[string]interface{}{
		"public_key":       publicKey2,
		"ttl":              "2h",
		"cert_type":        "host",
		"valid_principals": "dummy.example.org,second.example.com",
	}
	wantCriticalOptions := map[string]string{"option": "value"}
	wantExtensions := map[string]string{"extension": "extended"}

	steps := []logicaltest.TestStep{
		configCaStep(),
		createRoleStep("testing", roleParams),
		signCertificateStep("testing", expectedKeyId, ssh.HostCert, principals,
			wantCriticalOptions, wantExtensions, 2*time.Hour, signRequest),
	}
	logicaltest.Test(t, logicaltest.TestCase{
		Backend: b,
		Steps:   steps,
	})
}
// TestBackend_OptionsOverrideDefaults signs a user certificate through a role
// that pre-sets one critical option and one extension and allows a second of
// each; the sign request names only the second ones, and the issued
// certificate must carry those instead of the role defaults.
func TestBackend_OptionsOverrideDefaults(t *testing.T) {
	config := logical.TestBackendConfig()

	b, err := Factory(config)
	if err != nil {
		t.Fatalf("Cannot create backend: %s", err)
	}

	// Key id the backend is expected to assign to the certificate; the hex
	// part is presumably derived from the CA key (not verified here).
	const expectedKeyId = "vault-root-22608f5ef173aabf700797cb95c5641e792698ec6380e8e1eb55523e39aa5e51"

	roleParams := map[string]interface{}{
		"key_type":                 "ca",
		"allowed_users":            "tuber",
		"default_user":             "tuber",
		"allow_user_certificates":  true,
		"allowed_critical_options": "option,secondary",
		"allowed_extensions":       "extension,additional",
		"default_critical_options": map[string]interface{}{
			"option": "value",
		},
		"default_extensions": map[string]interface{}{
			"extension": "extended",
		},
	}
	signRequest := map[string]interface{}{
		"public_key": publicKey2,
		"ttl":        "2h",
		"critical_options": map[string]interface{}{
			"secondary": "value",
		},
		"extensions": map[string]interface{}{
			"additional": "value",
		},
	}
	wantCriticalOptions := map[string]string{"secondary": "value"}
	wantExtensions := map[string]string{"additional": "value"}

	steps := []logicaltest.TestStep{
		configCaStep(),
		createRoleStep("testing", roleParams),
		signCertificateStep("testing", expectedKeyId, ssh.UserCert, []string{"tuber"},
			wantCriticalOptions, wantExtensions, 2*time.Hour, signRequest),
	}
	logicaltest.Test(t, logicaltest.TestCase{
		Backend: b,
		Steps:   steps,
	})
}
// configCaStep returns the step that installs the fixture CA key pair
// (publicKey/privateKey) under config/ca; the CA tests run it first so that
// sign/ and public_key have a key to work with.
func configCaStep() logicaltest.TestStep {
	caKeys := map[string]interface{}{
		"public_key":  publicKey,
		"private_key": privateKey,
	}
	step := logicaltest.TestStep{
		Operation: logical.UpdateOperation,
		Path:      "config/ca",
	}
	step.Data = caKeys
	return step
}
// createRoleStep returns a step that creates roles/<name> with the given
// parameters using a create (not update) operation.
func createRoleStep(name string, parameters map[string]interface{}) logicaltest.TestStep {
	step := logicaltest.TestStep{Operation: logical.CreateOperation}
	step.Path = "roles/" + name
	step.Data = parameters
	return step
}
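// signCertificateStep returns a step that asks sign/<role> to certify the key
// in requestParameters and then checks the returned certificate, via
// validateSSHCertificate, against the expected key id, certificate type,
// principals, critical options, extensions and ttl.
//
// The response must carry a non-empty serial_number and a signed_key in
// authorized_keys form ("<type> <base64> ..."). Lookups into resp.Data use
// comma-ok assertions so that a missing or mistyped field is reported as a
// failed check rather than a panic.
func signCertificateStep(
	role, keyId string, certType int, validPrincipals []string,
	criticalOptionPermissions, extensionPermissions map[string]string,
	ttl time.Duration,
	requestParameters map[string]interface{}) logicaltest.TestStep {
	return logicaltest.TestStep{
		Operation: logical.UpdateOperation,
		Path:      "sign/" + role,
		Data:      requestParameters,

		Check: func(resp *logical.Response) error {
			if resp == nil {
				return errors.New("No response from sign")
			}

			serialNumber, _ := resp.Data["serial_number"].(string)
			if serialNumber == "" {
				return errors.New("No serial number in response")
			}

			signedKeyField, _ := resp.Data["signed_key"].(string)
			signedKey := strings.TrimSpace(signedKeyField)
			if signedKey == "" {
				return errors.New("No signed key in response")
			}

			// Let the ssh package split and base64-decode the authorized_keys
			// line; indexing into strings.Split by hand would panic on a
			// value without a space and would ignore a decode error.
			parsedKey, _, _, _, err := ssh.ParseAuthorizedKey([]byte(signedKey))
			if err != nil {
				return fmt.Errorf("parsing signed_key: %v", err)
			}
			cert, ok := parsedKey.(*ssh.Certificate)
			if !ok {
				return fmt.Errorf("signed_key is a %s, not a certificate", parsedKey.Type())
			}

			return validateSSHCertificate(cert, keyId, certType, validPrincipals, criticalOptionPermissions, extensionPermissions, ttl)
		},
	}
}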
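// validateSSHCertificate compares a certificate issued by sign/ with the
// values the test expects: key id, certificate type, validity window,
// principals, signing key, extensions and critical options. The first
// mismatch is returned as an error; nil means the certificate matched.
//
// Beyond comparing SignatureKey with the fixture CA key and requiring a
// non-nil Signature, the certificate's signature is verified over its
// contents with ssh.CertChecker, so a certificate that merely names the CA
// key but was not signed by it fails the check.
//
// The ttl check assumes the backend dates ValidAfter 30 seconds before the
// issue time, i.e. ValidBefore - 30s - ValidAfter == ttl.
func validateSSHCertificate(cert *ssh.Certificate, keyId string, certType int, validPrincipals []string, criticalOptionPermissions, extensionPermissions map[string]string,
	ttl time.Duration) error {
	if cert.KeyId != keyId {
		return fmt.Errorf("Incorrect KeyId: %v, wanted %v", cert.KeyId, keyId)
	}

	if cert.CertType != uint32(certType) {
		return fmt.Errorf("Incorrect CertType: %v", cert.CertType)
	}

	now := time.Now()
	validAfter := time.Unix(int64(cert.ValidAfter), 0)
	validBefore := time.Unix(int64(cert.ValidBefore), 0)
	if validAfter.After(now) {
		return fmt.Errorf("Incorrect ValidAfter: %v", cert.ValidAfter)
	}
	if validBefore.Before(now) {
		return fmt.Errorf("Incorrect ValidBefore: %v", cert.ValidBefore)
	}

	actualTtl := validBefore.Add(-30 * time.Second).Sub(validAfter)
	if actualTtl != ttl {
		return fmt.Errorf("Incorrect ttl: expected: %v, actual: %v", ttl, actualTtl)
	}

	if !reflect.DeepEqual(cert.ValidPrincipals, validPrincipals) {
		return fmt.Errorf("Incorrect ValidPrincipals: expected: %#v actual: %#v", validPrincipals, cert.ValidPrincipals)
	}

	publicSigningKey, err := getSigningPublicKey()
	if err != nil {
		return err
	}
	if !reflect.DeepEqual(cert.SignatureKey, publicSigningKey) {
		return fmt.Errorf("Incorrect SignatureKey: %v", cert.SignatureKey)
	}

	if cert.Signature == nil {
		return fmt.Errorf("Incorrect Signature: %v", cert.Signature)
	}

	if !reflect.DeepEqual(cert.Permissions.Extensions, extensionPermissions) {
		return fmt.Errorf("Incorrect Permissions.Extensions: Expected: %v, Actual: %v", extensionPermissions, cert.Permissions.Extensions)
	}

	if !reflect.DeepEqual(cert.Permissions.CriticalOptions, criticalOptionPermissions) {
		return fmt.Errorf("Incorrect Permissions.CriticalOptions: %v", cert.Permissions.CriticalOptions)
	}

	// Cryptographically verify the signature (and re-check the validity
	// window) with the certificate's own SignatureKey, which the comparison
	// above has pinned to the fixture CA key. CheckCert rejects critical
	// options it has not been told about, so the expected ones are declared
	// as supported; the principal passed is one the certificate is expected
	// to list (the principal lists were compared above).
	supportedOptions := make([]string, 0, len(criticalOptionPermissions))
	for option := range criticalOptionPermissions {
		supportedOptions = append(supportedOptions, option)
	}
	principal := ""
	if len(validPrincipals) > 0 {
		principal = validPrincipals[0]
	}
	checker := &ssh.CertChecker{SupportedCriticalOptions: supportedOptions}
	if err := checker.CheckCert(principal, cert); err != nil {
		return fmt.Errorf("Certificate signature does not verify: %v", err)
	}

	return nil
}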
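// getSigningPublicKey parses the package-level publicKey value, expected in
// authorized_keys form ("<type> <base64-blob> [comment]"), and returns the
// decoded blob as an ssh.PublicKey so tests can compare it with the key that
// signed a certificate.
//
// It returns an error when the value has fewer than two whitespace-separated
// fields, when the second field is not valid base64, or when the decoded blob
// is not a valid SSH wire-format public key. The previous version indexed the
// result of strings.Split unconditionally and panicked on a malformed value
// instead of reporting it.
func getSigningPublicKey() (ssh.PublicKey, error) {
	fields := strings.Fields(publicKey)
	if len(fields) < 2 {
		return nil, fmt.Errorf("public key %q is not in '<type> <base64>' form", publicKey)
	}

	// The second field carries the base64-encoded wire-format key blob.
	blob, err := base64.StdEncoding.DecodeString(fields[1])
	if err != nil {
		return nil, err
	}

	parsedKey, err := ssh.ParsePublicKey(blob)
	if err != nil {
		return nil, err
	}

	return parsedKey, nil
}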
// testConfigZeroAddressDelete builds the step that removes the zero-address
// configuration by issuing a delete against config/zeroaddress. The
// *testing.T is accepted for symmetry with the other step helpers; it is not
// used.
func testConfigZeroAddressDelete(t *testing.T) logicaltest.TestStep {
	var step logicaltest.TestStep
	step.Operation = logical.DeleteOperation
	step.Path = "config/zeroaddress"
	return step
}
// testConfigZeroAddressWrite builds the step that writes data to
// config/zeroaddress as an update operation. No response check is attached;
// callers pair it with testConfigZeroAddressRead to verify what was stored.
func testConfigZeroAddressWrite(t *testing.T, data map[string]interface{}) logicaltest.TestStep {
	const path = "config/zeroaddress"

	var step logicaltest.TestStep
	step.Operation = logical.UpdateOperation
	step.Path = path
	step.Data = data
	return step
}
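// testConfigZeroAddressRead builds the step that reads config/zeroaddress and
// verifies that the response body decodes to the same zeroAddressRoles value
// as expected. Both sides go through mapstructure so that differences in map
// key order or scalar representation do not produce false mismatches.
//
// A nil response (the backend returning nothing) is reported as an error;
// the previous version dereferenced it and panicked, which aborts the whole
// test run instead of failing the step.
func testConfigZeroAddressRead(t *testing.T, expected map[string]interface{}) logicaltest.TestStep {
	return logicaltest.TestStep{
		Operation: logical.ReadOperation,
		Path:      "config/zeroaddress",
		Check: func(resp *logical.Response) error {
			if resp == nil {
				return fmt.Errorf("response is nil")
			}

			var actual zeroAddressRoles
			if err := mapstructure.Decode(resp.Data, &actual); err != nil {
				return err
			}

			var want zeroAddressRoles
			if err := mapstructure.Decode(expected, &want); err != nil {
				return err
			}

			if !reflect.DeepEqual(actual, want) {
				return fmt.Errorf("Response mismatch:\nActual:%#v\nExpected:%#v", actual, want)
			}
			return nil
		},
	}
}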
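// testVerifyWrite builds the step that issues an update against the verify
// endpoint with the supplied request data and checks that the response
// decodes to the same api.SSHVerifyResponse as expected.
//
// Changes from the previous version: the path is a plain literal (the
// fmt.Sprintf call carried no verbs), a nil response is reported as an error
// instead of being dereferenced, and a mismatch reports both the actual and
// the expected value so a failing step can be diagnosed from its message.
func testVerifyWrite(t *testing.T, data map[string]interface{}, expected map[string]interface{}) logicaltest.TestStep {
	return logicaltest.TestStep{
		Operation: logical.UpdateOperation,
		Path:      "verify",
		Data:      data,
		Check: func(resp *logical.Response) error {
			if resp == nil {
				return fmt.Errorf("response is nil")
			}

			var actual api.SSHVerifyResponse
			if err := mapstructure.Decode(resp.Data, &actual); err != nil {
				return err
			}

			var want api.SSHVerifyResponse
			if err := mapstructure.Decode(expected, &want); err != nil {
				return err
			}

			if !reflect.DeepEqual(actual, want) {
				return fmt.Errorf("Invalid response:\nactual:%#v\nexpected:%#v", actual, want)
			}
			return nil
		},
	}
}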
// testNamedKeysWrite builds the step that stores key under keys/<name> as an
// update operation. The request body carries the key material under the
// single field "key".
func testNamedKeysWrite(t *testing.T, name, key string) logicaltest.TestStep {
	payload := map[string]interface{}{
		"key": key,
	}

	var step logicaltest.TestStep
	step.Operation = logical.UpdateOperation
	step.Path = "keys/" + name
	step.Data = payload
	return step
}
// testNamedKeysDelete builds the step that deletes the named key used by the
// tests, keys/<testKeyName>. The *testing.T is accepted for symmetry with the
// other step helpers and is not used.
func testNamedKeysDelete(t *testing.T) logicaltest.TestStep {
	var step logicaltest.TestStep
	step.Operation = logical.DeleteOperation
	step.Path = "keys/" + testKeyName
	return step
}
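// testLookupRead builds the step that posts data to the lookup endpoint and
// checks that the "roles" field of the response equals expected.
//
// The check now fails with an error instead of panicking when the response is
// nil, has no data, or carries "roles" with a type other than []string; the
// previous version dereferenced resp and used an unchecked type assertion,
// so any of those conditions aborted the entire test binary.
func testLookupRead(t *testing.T, data map[string]interface{}, expected []string) logicaltest.TestStep {
	return logicaltest.TestStep{
		Operation: logical.UpdateOperation,
		Path:      "lookup",
		Data:      data,
		Check: func(resp *logical.Response) error {
			if resp == nil || resp.Data == nil || resp.Data["roles"] == nil {
				return fmt.Errorf("Missing roles information")
			}

			// Comma-ok assertion: a wrong type is a test failure, not a crash.
			roles, ok := resp.Data["roles"].([]string)
			if !ok {
				return fmt.Errorf("roles has unexpected type %T: %#v", resp.Data["roles"], resp.Data["roles"])
			}

			if !reflect.DeepEqual(roles, expected) {
				return fmt.Errorf("Invalid response: \nactual:%#v\nexpected:%#v", roles, expected)
			}
			return nil
		},
	}
}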
// testRoleWrite builds the step that creates or updates the role called name
// at roles/<name> with data as the request body. No response check is
// attached; testRoleRead verifies the stored role.
func testRoleWrite(t *testing.T, name string, data map[string]interface{}) logicaltest.TestStep {
	rolePath := "roles/" + name

	var step logicaltest.TestStep
	step.Operation = logical.UpdateOperation
	step.Path = rolePath
	step.Data = data
	return step
}
// testRoleRead builds the step that reads roles/<roleName> and compares the
// decoded sshRole with expected. A nil response is accepted only when
// expected is nil (the role is supposed to be absent). For the OTP role the
// key_type, default_user and cidr_list fields are compared; for any other role
// admin_user, cidr_list, key and key_type are compared.
func testRoleRead(t *testing.T, roleName string, expected map[string]interface{}) logicaltest.TestStep {
	return logicaltest.TestStep{
		Operation: logical.ReadOperation,
		Path:      "roles/" + roleName,
		Check: func(resp *logical.Response) error {
			// Absent role: fine only if the caller expects it to be absent.
			if resp == nil {
				if expected == nil {
					return nil
				}
				return fmt.Errorf("bad: %#v", resp)
			}

			var role sshRole
			if err := mapstructure.Decode(resp.Data, &role); err != nil {
				return fmt.Errorf("error decoding response:%s", err)
			}

			var matches bool
			switch roleName {
			case testOTPRoleName:
				matches = role.KeyType == expected["key_type"] &&
					role.DefaultUser == expected["default_user"] &&
					role.CIDRList == expected["cidr_list"]
			default:
				matches = role.AdminUser == expected["admin_user"] &&
					role.CIDRList == expected["cidr_list"] &&
					role.KeyName == expected["key"] &&
					role.KeyType == expected["key_type"]
			}
			if !matches {
				return fmt.Errorf("data mismatch. bad: %#v", resp)
			}
			return nil
		},
	}
}
// testRoleDelete builds the step that removes the role called name by issuing
// a delete against roles/<name>.
func testRoleDelete(t *testing.T, name string) logicaltest.TestStep {
	rolePath := "roles/" + name

	var step logicaltest.TestStep
	step.Operation = logical.DeleteOperation
	step.Path = rolePath
	return step
}
// testCredsWrite builds the step that requests credentials for roleName via
// creds/<roleName> with data as the request body. ErrorOk is set so that an
// error response still reaches Check rather than failing the step first.
//
// With expectError set, the check passes only when the response body carries
// a non-empty "error" field. Otherwise the dynamic role must return a
// non-empty, parsable private key under "key", and every other role must
// return key_type OTP together with a non-nil "key".
func testCredsWrite(t *testing.T, roleName string, data map[string]interface{}, expectError bool) logicaltest.TestStep {
	return logicaltest.TestStep{
		Operation: logical.UpdateOperation,
		Path:      fmt.Sprintf("creds/%s", roleName),
		Data:      data,
		ErrorOk:   true,
		Check: func(resp *logical.Response) error {
			switch {
			case resp == nil:
				return fmt.Errorf("response is nil")
			case resp.Data == nil:
				return fmt.Errorf("data is nil")
			}

			if expectError {
				var body struct {
					Error string `mapstructure:"error"`
				}
				if err := mapstructure.Decode(resp.Data, &body); err != nil {
					return err
				}
				if body.Error == "" {
					return fmt.Errorf("expected error, but write succeeded.")
				}
				return nil
			}

			if roleName != testDynamicRoleName {
				// Non-dynamic roles only need the OTP key type and a key value.
				if resp.Data["key_type"] != KeyTypeOTP {
					return fmt.Errorf("Incorrect key_type")
				}
				if resp.Data["key"] == nil {
					return fmt.Errorf("Invalid key")
				}
				return nil
			}

			var creds struct {
				Key string `mapstructure:"key"`
			}
			if err := mapstructure.Decode(resp.Data, &creds); err != nil {
				return err
			}
			if creds.Key == "" {
				return fmt.Errorf("Generated key is an empty string")
			}
			// Only parsability of the private key is asserted here.
			if _, err := ssh.ParsePrivateKey([]byte(creds.Key)); err != nil {
				return fmt.Errorf("Generated key is invalid")
			}
			return nil
		},
	}
}