regress test for AuthorizedPrincipalsCommand

diff --git a/regress/usr.bin/ssh/Makefile b/regress/usr.bin/ssh/Makefile
index 1c2b75c..f4d5f84 100644 (file)
--- a/regress/usr.bin/ssh/Makefile
+++ b/regress/usr.bin/ssh/Makefile
@@ -1,4 +1,4 @@
-#      $OpenBSD: Makefile,v 1.80 2015/04/23 05:01:19 dtucker Exp $
+#      $OpenBSD: Makefile,v 1.81 2015/05/21 06:44:25 djm Exp $
 
 .ifndef SKIP_UNIT
 SUBDIR=                unittests
@@ -69,7 +69,8 @@ LTESTS=       connect \
                limit-keytype \
                hostkey-agent \
                keygen-knownhosts \
-               hostkey-rotate
+               hostkey-rotate \
+               principals-command
 
 INTEROP_TESTS= putty-transfer putty-ciphers putty-kex conch-ciphers
 #INTEROP_TESTS+=ssh-com ssh-com-client ssh-com-keygen ssh-com-sftp

diff --git a/regress/usr.bin/ssh/principals-command.sh b/regress/usr.bin/ssh/principals-command.sh
new file mode 100644 (file)
index 0000000..c3816e0
--- /dev/null
+++ b/regress/usr.bin/ssh/principals-command.sh
@@ -0,0 +1,139 @@
+#      $OpenBSD: principals-command.sh,v 1.1 2015/05/21 06:44:25 djm Exp $
+#      Placed in the Public Domain.
+
+tid="authorized principals command"
+
+rm -f $OBJ/user_ca_key* $OBJ/cert_user_key*
+cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
+
+if [ -z "$SUDO" ]; then
+       fatal "need SUDO to create file in /var/run, test won't work without"
+fi
+
+# Establish a AuthorizedPrincipalsCommand in /var/run where it will have
+# acceptable directory permissions.
+PRINCIPALS_COMMAND="/var/run/principals_command_${LOGNAME}"
+cat << _EOF | $SUDO sh -c "cat > '$PRINCIPALS_COMMAND'"
+#!/bin/sh
+test "x\$1" != "x${LOGNAME}" && exit 1
+test -f "$OBJ/authorized_principals_${LOGNAME}" &&
+       exec cat "$OBJ/authorized_principals_${LOGNAME}"
+_EOF
+test $? -eq 0 || fatal "couldn't prepare principals command"
+$SUDO chmod 0755 "$PRINCIPALS_COMMAND"
+
+# Create a CA key and a user certificate.
+${SSHKEYGEN} -q -N '' -t ed25519  -f $OBJ/user_ca_key || \
+       fatal "ssh-keygen of user_ca_key failed"
+${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/cert_user_key || \
+       fatal "ssh-keygen of cert_user_key failed"
+${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
+    -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key || \
+       fatal "couldn't sign cert_user_key"
+
+# Test explicitly-specified principals
+for privsep in yes no ; do
+       _prefix="privsep $privsep"
+
+       # Setup for AuthorizedPrincipalsCommand
+       rm -f $OBJ/authorized_keys_$USER
+       (
+               cat $OBJ/sshd_proxy_bak
+               echo "UsePrivilegeSeparation $privsep"
+               echo "AuthorizedKeysFile none"
+               echo "AuthorizedPrincipalsCommand $PRINCIPALS_COMMAND %u"
+               echo "AuthorizedPrincipalsCommandUser ${LOGNAME}"
+               echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
+       ) > $OBJ/sshd_proxy
+
+       # XXX test missing command
+       # XXX test failing command
+
+       # Empty authorized_principals
+       verbose "$tid: ${_prefix} empty authorized_principals"
+       echo > $OBJ/authorized_principals_$USER
+       ${SSH} -2i $OBJ/cert_user_key \
+           -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+       if [ $? -eq 0 ]; then
+               fail "ssh cert connect succeeded unexpectedly"
+       fi
+
+       # Wrong authorized_principals
+       verbose "$tid: ${_prefix} wrong authorized_principals"
+       echo gregorsamsa > $OBJ/authorized_principals_$USER
+       ${SSH} -2i $OBJ/cert_user_key \
+           -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+       if [ $? -eq 0 ]; then
+               fail "ssh cert connect succeeded unexpectedly"
+       fi
+
+       # Correct authorized_principals
+       verbose "$tid: ${_prefix} correct authorized_principals"
+       echo mekmitasdigoat > $OBJ/authorized_principals_$USER
+       ${SSH} -2i $OBJ/cert_user_key \
+           -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+       if [ $? -ne 0 ]; then
+               fail "ssh cert connect failed"
+       fi
+
+       # authorized_principals with bad key option
+       verbose "$tid: ${_prefix} authorized_principals bad key opt"
+       echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
+       ${SSH} -2i $OBJ/cert_user_key \
+           -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+       if [ $? -eq 0 ]; then
+               fail "ssh cert connect succeeded unexpectedly"
+       fi
+
+       # authorized_principals with command=false
+       verbose "$tid: ${_prefix} authorized_principals command=false"
+       echo 'command="false" mekmitasdigoat' > \
+           $OBJ/authorized_principals_$USER
+       ${SSH} -2i $OBJ/cert_user_key \
+           -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+       if [ $? -eq 0 ]; then
+               fail "ssh cert connect succeeded unexpectedly"
+       fi
+
+
+       # authorized_principals with command=true
+       verbose "$tid: ${_prefix} authorized_principals command=true"
+       echo 'command="true" mekmitasdigoat' > \
+           $OBJ/authorized_principals_$USER
+       ${SSH} -2i $OBJ/cert_user_key \
+           -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
+       if [ $? -ne 0 ]; then
+               fail "ssh cert connect failed"
+       fi
+
+       # Setup for principals= key option
+       rm -f $OBJ/authorized_principals_$USER
+       (
+               cat $OBJ/sshd_proxy_bak
+               echo "UsePrivilegeSeparation $privsep"
+       ) > $OBJ/sshd_proxy
+
+       # Wrong principals list
+       verbose "$tid: ${_prefix} wrong principals key option"
+       (
+               printf 'cert-authority,principals="gregorsamsa" '
+               cat $OBJ/user_ca_key.pub
+       ) > $OBJ/authorized_keys_$USER
+       ${SSH} -2i $OBJ/cert_user_key \
+           -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+       if [ $? -eq 0 ]; then
+               fail "ssh cert connect succeeded unexpectedly"
+       fi
+
+       # Correct principals list
+       verbose "$tid: ${_prefix} correct principals key option"
+       (
+               printf 'cert-authority,principals="mekmitasdigoat" '
+               cat $OBJ/user_ca_key.pub
+       ) > $OBJ/authorized_keys_$USER
+       ${SSH} -2i $OBJ/cert_user_key \
+           -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+       if [ $? -ne 0 ]; then
+               fail "ssh cert connect failed"
+       fi
+done