openssh-portable/regress/addrmatch.sh

#	$OpenBSD: addrmatch.sh,v 1.3 2010/02/09 04:57:36 djm Exp $
#	Placed in the Public Domain.

tid="address match"

mv $OBJ/sshd_proxy $OBJ/sshd_proxy_bak

run_trial()
{
	user="$1"; addr="$2"; host="$3"; expected="$4"; descr="$5"

	verbose "test $descr for $user $addr $host"
	result=`${SSHD} -f $OBJ/sshd_proxy -T \
	    -C user=${user},addr=${addr},host=${host} | \
	    awk '/^passwordauthentication/ {print $2}'`
	if [ "$result" != "$expected" ]; then
		fail "failed for $user $addr $host: expected $expected, got $result"
	fi
}

cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
cat >>$OBJ/sshd_proxy <<EOD
PasswordAuthentication no
Match Address 192.168.0.0/16,!192.168.30.0/24,10.0.0.0/8,host.example.com
	PasswordAuthentication yes
Match Address 1.1.1.1,::1,!::3,2000::/16
	PasswordAuthentication yes
EOD

run_trial user 192.168.0.1 somehost yes		"permit, first entry"
run_trial user 192.168.30.1 somehost no		"deny, negative match"
run_trial user 19.0.0.1 somehost no		"deny, no match"
run_trial user 10.255.255.254 somehost yes	"permit, list middle"
run_trial user 192.168.30.1 192.168.0.1 no	"deny, faked IP in hostname"
run_trial user 1.1.1.1 somehost.example.com yes	"permit, bare IP4 address"
test "$TEST_SSH_IPV6" = "no" && exit
run_trial user ::1 somehost.example.com	 yes	"permit, bare IP6 address"
run_trial user ::2 somehost.exaple.com no	"deny IPv6"
run_trial user ::3 somehost no			"deny IP6 negated"
run_trial user ::4 somehost no			"deny, IP6 no match"
run_trial user 2000::1 somehost yes		"permit, IP6 network"
run_trial user 2001::1 somehost no		"deny, IP6 network"

cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
rm $OBJ/sshd_proxy_bak
- djm@cvs.openbsd.org 2010/02/09 04:57:36 [regress/addrmatch.sh] clean up droppings 2010-02-24 07:26:38 +01:00			`# $OpenBSD: addrmatch.sh,v 1.3 2010/02/09 04:57:36 djm Exp $`
- dtucker@cvs.openbsd.org 2008/06/10 05:23:32 [addrmatch.sh Makefile] Regress test for Match CIDR rules. ok djm@ 2008-06-10 15:16:46 +02:00			`# Placed in the Public Domain.`

			`tid="address match"`

- djm@cvs.openbsd.org 2010/02/09 04:57:36 [regress/addrmatch.sh] clean up droppings 2010-02-24 07:26:38 +01:00			`mv $OBJ/sshd_proxy $OBJ/sshd_proxy_bak`
- dtucker@cvs.openbsd.org 2008/06/10 05:23:32 [addrmatch.sh Makefile] Regress test for Match CIDR rules. ok djm@ 2008-06-10 15:16:46 +02:00
			`run_trial()`
			`{`
			`user="$1"; addr="$2"; host="$3"; expected="$4"; descr="$5"`

			`verbose "test $descr for $user $addr $host"`
			result=`${SSHD} -f $OBJ/sshd_proxy -T \
			`-C user=${user},addr=${addr},host=${host} \| \`
- djm@cvs.openbsd.org 2008/12/07 22:17:48 [regress/addrmatch.sh] match string "passwordauthentication" only at start of line, not anywhere in sshd -T output 2009-10-07 01:30:06 +02:00			awk '/^passwordauthentication/ {print $2}'`
- dtucker@cvs.openbsd.org 2008/06/10 05:23:32 [addrmatch.sh Makefile] Regress test for Match CIDR rules. ok djm@ 2008-06-10 15:16:46 +02:00			`if [ "$result" != "$expected" ]; then`
			`fail "failed for $user $addr $host: expected $expected, got $result"`
			`fi`
			`}`

- djm@cvs.openbsd.org 2010/02/09 04:57:36 [regress/addrmatch.sh] clean up droppings 2010-02-24 07:26:38 +01:00			`cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy`
- dtucker@cvs.openbsd.org 2008/06/10 05:23:32 [addrmatch.sh Makefile] Regress test for Match CIDR rules. ok djm@ 2008-06-10 15:16:46 +02:00			`cat >>$OBJ/sshd_proxy <<EOD`
			`PasswordAuthentication no`
			`Match Address 192.168.0.0/16,!192.168.30.0/24,10.0.0.0/8,host.example.com`
			`PasswordAuthentication yes`
			`Match Address 1.1.1.1,::1,!::3,2000::/16`
			`PasswordAuthentication yes`
			`EOD`

			`run_trial user 192.168.0.1 somehost yes "permit, first entry"`
			`run_trial user 192.168.30.1 somehost no "deny, negative match"`
			`run_trial user 19.0.0.1 somehost no "deny, no match"`
			`run_trial user 10.255.255.254 somehost yes "permit, list middle"`
			`run_trial user 192.168.30.1 192.168.0.1 no "deny, faked IP in hostname"`
			`run_trial user 1.1.1.1 somehost.example.com yes "permit, bare IP4 address"`
- (dtucker) [Makefile.in configure.ac regress/addrmatch.sh] Skip IPv6 specific tests on platforms that don't do IPv6. 2008-06-10 20:15:05 +02:00			`test "$TEST_SSH_IPV6" = "no" && exit`
- dtucker@cvs.openbsd.org 2008/06/10 05:23:32 [addrmatch.sh Makefile] Regress test for Match CIDR rules. ok djm@ 2008-06-10 15:16:46 +02:00			`run_trial user ::1 somehost.example.com yes "permit, bare IP6 address"`
			`run_trial user ::2 somehost.exaple.com no "deny IPv6"`
			`run_trial user ::3 somehost no "deny IP6 negated"`
			`run_trial user ::4 somehost no "deny, IP6 no match"`
			`run_trial user 2000::1 somehost yes "permit, IP6 network"`
			`run_trial user 2001::1 somehost no "deny, IP6 network"`
- djm@cvs.openbsd.org 2010/02/09 04:57:36 [regress/addrmatch.sh] clean up droppings 2010-02-24 07:26:38 +01:00
			`cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy`
			`rm $OBJ/sshd_proxy_bak`