- djm@cvs.openbsd.org 2010/05/07 11:31:26

[regress/Makefile regress/cert-userkey.sh] regress tests for AuthorizedPrincipalsFile and "principals=" key option. feedback and ok markus@
2010-05-21 14:48:16 +10:00 · 2010-05-21 14:48:16 +10:00 · 3bcce80b54
parent 4b1ec8381b
commit 3bcce80b54
3 changed files with 122 additions and 7 deletions
--- a/7
+++ b/7
@ -1,3 +1,10 @@
+20100521
+ - (djm) OpenBSD CVS Sync
+   - djm@cvs.openbsd.org 2010/05/07 11:31:26
+     [regress/Makefile regress/cert-userkey.sh]
+     regress tests for AuthorizedPrincipalsFile and "principals=" key option.
+     feedback and ok markus@
+
 20100511
 - (dtucker) [Makefile.in] Bug #1770: Link libopenbsd-compat twice to solve
   circular dependency problem on old or odd platforms.  From Tom Lane, ok
--- a/regress/Makefile
+++ b/regress/Makefile
@ -1,4 +1,4 @@
-#	$OpenBSD: Makefile,v 1.52 2010/02/26 20:33:21 djm Exp $
+#	$OpenBSD: Makefile,v 1.53 2010/05/07 11:31:26 djm Exp $

 REGRESS_TARGETS=	t1 t2 t3 t4 t5 t6 t7 t-exec
 tests:		$(REGRESS_TARGETS)
@ -69,7 +69,8 @@ CLEANFILES=	t2.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \
 		scp-ssh-wrapper.scp ssh_proxy_envpass remote_pid \
 		sshd_proxy_bak rsa_ssh2_cr.prv rsa_ssh2_crnl.prv \
 		known_hosts-cert host_ca_key* cert_host_key* \
-		putty.rsa2 sshd_proxy_orig
+		putty.rsa2 sshd_proxy_orig \
+		authorized_principals_${USER}

 # Enable all malloc(3) randomisations and checks
 TEST_ENV=      "MALLOC_OPTIONS=AFGJPRX"
--- a/regress/cert-userkey.sh
+++ b/regress/cert-userkey.sh
@ -1,4 +1,4 @@
-#	$OpenBSD: cert-userkey.sh,v 1.4 2010/04/16 01:58:45 djm Exp $
+#	$OpenBSD: cert-userkey.sh,v 1.5 2010/05/07 11:31:26 djm Exp $
 #	Placed in the Public Domain.

 tid="certified user keys"
@ -18,16 +18,100 @@ for ktype in rsa dsa ; do
 		fail "ssh-keygen of cert_user_key_${ktype} failed"
 	${SSHKEYGEN} -q -s $OBJ/user_ca_key -I \
 	    "regress user key for $USER" \
-	    -n $USER $OBJ/cert_user_key_${ktype} ||
+	    -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} ||
 		fail "couldn't sign cert_user_key_${ktype}"
 	cp $OBJ/cert_user_key_${ktype} $OBJ/cert_user_key_${ktype}_v00
 	cp $OBJ/cert_user_key_${ktype}.pub $OBJ/cert_user_key_${ktype}_v00.pub
 	${SSHKEYGEN} -q -t v00 -s $OBJ/user_ca_key -I \
 	    "regress user key for $USER" \
-	    -n $USER $OBJ/cert_user_key_${ktype}_v00 ||
+	    -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype}_v00 ||
 		fail "couldn't sign cert_user_key_${ktype}_v00"
 done

+# Test explicitly-specified principals
+for ktype in rsa dsa rsa_v00 dsa_v00 ; do 
+	for privsep in yes no ; do
+		_prefix="${ktype} privsep $privsep"
+
+		# Setup for AuthorizedPrincipalsFile
+		rm -f $OBJ/authorized_keys_$USER
+		(
+			cat $OBJ/sshd_proxy_bak
+			echo "UsePrivilegeSeparation $privsep"
+			echo "AuthorizedPrincipalsFile " \
+			    "$OBJ/authorized_principals_%u"
+			echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
+		) > $OBJ/sshd_proxy
+
+		# Missing authorized_principals
+		verbose "$tid: ${_prefix} missing authorized_principals"
+		rm -f $OBJ/authorized_principals_$USER
+		${SSH} -2i $OBJ/cert_user_key_${ktype} \
+		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+		if [ $? -eq 0 ]; then
+			fail "ssh cert connect succeeded unexpectedly"
+		fi
+
+		# Empty authorized_principals
+		verbose "$tid: ${_prefix} empty authorized_principals"
+		echo > $OBJ/authorized_principals_$USER
+		${SSH} -2i $OBJ/cert_user_key_${ktype} \
+		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+		if [ $? -eq 0 ]; then
+			fail "ssh cert connect succeeded unexpectedly"
+		fi
+	
+		# Wrong authorized_principals
+		verbose "$tid: ${_prefix} wrong authorized_principals"
+		echo gregorsamsa > $OBJ/authorized_principals_$USER
+		${SSH} -2i $OBJ/cert_user_key_${ktype} \
+		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+		if [ $? -eq 0 ]; then
+			fail "ssh cert connect succeeded unexpectedly"
+		fi
+
+		# Correct authorized_principals
+		verbose "$tid: ${_prefix} correct authorized_principals"
+		echo mekmitasdigoat > $OBJ/authorized_principals_$USER
+		${SSH} -2i $OBJ/cert_user_key_${ktype} \
+		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+		if [ $? -ne 0 ]; then
+			fail "ssh cert connect failed"
+		fi
+
+		# Setup for principals= key option
+		rm -f $OBJ/authorized_principals_$USER
+		(
+			cat $OBJ/sshd_proxy_bak
+			echo "UsePrivilegeSeparation $privsep"
+		) > $OBJ/sshd_proxy
+
+		# Wrong principals list
+		verbose "$tid: ${_prefix} wrong principals key option"
+		(
+			echon 'cert-authority,principals="gregorsamsa" '
+			cat $OBJ/user_ca_key.pub
+		) > $OBJ/authorized_keys_$USER
+		${SSH} -2i $OBJ/cert_user_key_${ktype} \
+		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+		if [ $? -eq 0 ]; then
+			fail "ssh cert connect succeeded unexpectedly"
+		fi
+
+		# Correct principals list
+		verbose "$tid: ${_prefix} correct principals key option"
+		(
+			echon 'cert-authority,principals="mekmitasdigoat" '
+			cat $OBJ/user_ca_key.pub
+		) > $OBJ/authorized_keys_$USER
+		${SSH} -2i $OBJ/cert_user_key_${ktype} \
+		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+		if [ $? -ne 0 ]; then
+			fail "ssh cert connect failed"
+		fi
+	done
+done
+
 basic_tests() {
 	auth=$1
 	if test "x$auth" = "xauthorized_keys" ; then
@ -108,6 +192,7 @@ test_one() {
 	result=$2
 	sign_opts=$3
 	auth_choice=$4
+	auth_opt=$5

 	if test "x$auth_choice" = "x" ; then
 		auth_choice="authorized_keys TrustedUserCAKeys"
@ -119,14 +204,16 @@ test_one() {
 			if test "x$auth" = "xauthorized_keys" ; then
 				# Add CA to authorized_keys
 				(
-					echon 'cert-authority '
+					echon "cert-authority${auth_opt} "
 					cat $OBJ/user_ca_key.pub
 				) > $OBJ/authorized_keys_$USER
 			else
 				echo > $OBJ/authorized_keys_$USER
 				echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" \
 				    >> $OBJ/sshd_proxy
-	
+				if test "x$auth_opt" != "x" ; then
+					echo $auth_opt >> $OBJ/sshd_proxy
+				fi
 			fi
 			
 			verbose "$tid: $ident auth $auth expect $result $ktype"
@ -165,7 +252,26 @@ test_one "force-command"	failure "-n ${USER} -Oforce-command=false"
 test_one "empty principals"	success "" authorized_keys
 test_one "empty principals"	failure "" TrustedUserCAKeys

+# Check explicitly-specified principals: an empty principals list in the cert
+# should always be refused.
+
+# AuthorizedPrincipalsFile
+rm -f $OBJ/authorized_keys_$USER
+echo mekmitasdigoat > $OBJ/authorized_principals_$USER
+test_one "AuthorizedPrincipalsFile principals" success "-n mekmitasdigoat" \
+    TrustedUserCAKeys "AuthorizedPrincipalsFile $OBJ/authorized_principals_%u"
+test_one "AuthorizedPrincipalsFile no principals" failure "" \
+    TrustedUserCAKeys "AuthorizedPrincipalsFile $OBJ/authorized_principals_%u"
+
+# principals= key option
+rm -f $OBJ/authorized_principals_$USER
+test_one "principals key option principals" success "-n mekmitasdigoat" \
+    authorized_keys ',principals="mekmitasdigoat"'
+test_one "principals key option no principals" failure "" \
+    authorized_keys ',principals="mekmitasdigoat"'
+
 # Wrong certificate
+cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
 for ktype in rsa dsa rsa_v00 dsa_v00 ; do 
 	case $ktype in
 	*_v00) args="-t v00" ;;
@ -185,4 +291,5 @@ for ktype in rsa dsa rsa_v00 dsa_v00 ; do
 done

 rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
+rm -f $OBJ/authorized_principals_$USER