From 72093244f96b7fce28de73cac9caa277cc69bb4f Mon Sep 17 00:00:00 2001
From: Manoj Ampalam
Date: Tue, 3 Oct 2017 12:21:08 -0700
Subject: [PATCH] Added test cases for certificate authentication (#216)
---
contrib/win32/openssh/OpenSSHTestHelper.psm1 | 20 +++++-
regress/pesterTests/CertAuth.Tests.ps1 | 70 ++++++++++++++++++++
regress/pesterTests/SSHD_Config | 1 +
regress/pesterTests/sshtest_ca_userkeys | 7 ++
regress/pesterTests/sshtest_ca_userkeys.pub | 1 +
5 files changed, 96 insertions(+), 3 deletions(-)
create mode 100644 regress/pesterTests/CertAuth.Tests.ps1
create mode 100644 regress/pesterTests/sshtest_ca_userkeys
create mode 100644 regress/pesterTests/sshtest_ca_userkeys.pub
diff --git a/contrib/win32/openssh/OpenSSHTestHelper.psm1 b/contrib/win32/openssh/OpenSSHTestHelper.psm1
index a2a8a9774..731bb9810 100644
--- a/contrib/win32/openssh/OpenSSHTestHelper.psm1
+++ b/contrib/win32/openssh/OpenSSHTestHelper.psm1
@@ -175,7 +175,7 @@ WARNING: Following changes will be made to OpenSSH configuration Start-Service ssh-agent #copy sshtest keys - Copy-Item "$($Script:E2ETestDirectory)\sshtest*hostkey*" $script:OpenSSHBinPath -Force + Copy-Item "$($Script:E2ETestDirectory)\sshtest*hostkey*" $script:OpenSSHBinPath -Force Get-ChildItem "$($script:OpenSSHBinPath)\sshtest*hostkey*"| % { #workaround for the cariggage new line added by git before copy them $filePath = "$($_.FullName)"
@@ -192,6 +192,17 @@ WARNING: Following changes will be made to OpenSSH configuration } } + #copy ca pubkey to SSHD bin path + Copy-Item "$($Script:E2ETestDirectory)\sshtest_ca_userkeys.pub" $script:OpenSSHBinPath -Force + + #copy ca private key to test dir + $ca_priv_key = (Join-Path $Global:OpenSSHTestInfo["TestDataPath"] sshtest_ca_userkeys) + Copy-Item (Join-Path $Script:E2ETestDirectory sshtest_ca_userkeys) $ca_priv_key -Force + $con = (Get-Content $ca_priv_key | Out-String).Replace("`r`n","`n") + Set-Content -Path $ca_priv_key -Value "$con" + Repair-UserSshConfigPermission -FilePath $ca_priv_key -confirm:$false + $Global:OpenSSHTestInfo["CA_Private_Key"] = $ca_priv_key + Restart-Service sshd -Force #Backup existing known_hosts and replace with test version
@@ -241,7 +252,8 @@ WARNING: Following changes will be made to OpenSSH configuration Copy-Item $testPubKeyPath $authorizedKeyPath -Force -ErrorAction SilentlyContinue Repair-AuthorizedKeyPermission -FilePath $authorizedKeyPath -confirm:$false - $testPriKeypath = Join-Path $Script:E2ETestDirectory sshtest_userssokey_ed25519 + copy-item (Join-Path $Script:E2ETestDirectory sshtest_userssokey_ed25519) $Global:OpenSSHTestInfo["TestDataPath"] + $testPriKeypath = Join-Path $Global:OpenSSHTestInfo["TestDataPath"] sshtest_userssokey_ed25519 $con = (Get-Content $testPriKeypath | Out-String).Replace("`r`n","`n") Set-Content -Path $testPriKeypath -Value "$con" cmd /c "ssh-add -D 2>&1 >> $Script:TestSetupLogFile"
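Review bot: The CA private key is copied into `TestDataPath` here, but the `Clear-OpenSSHTestEnvironment` hunk further down only removes `"$sshBinPath\sshtest*ca_userkeys*"`, so this copy (and the `sshtest_userssokey_ed25519` copy made in the next hunk) stays on disk unless `TestDataPath` is cleaned somewhere outside these hunks. Adding `Remove-Item $Global:OpenSSHTestInfo["CA_Private_Key"] -Force -ErrorAction SilentlyContinue` to the cleanup function would make teardown symmetric with setup. The `Get-Content | Out-String ... Set-Content` rewrite repeats the host-key line-ending workaround without saying so; a comment such as `#same CRLF workaround as for the host keys above` would explain it. The enclosing function starts and ends outside the hunk.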
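Review bot: The copy of `sshtest_userssokey_ed25519` placed in `TestDataPath` does not get the `Repair-UserSshConfigPermission` call that the CA private key receives in the previous hunk, and this `copy-item` omits `-Force`, unlike the other copies in the function. If ssh-add validates private-key file permissions, which the CA-key handling suggests but the hunk does not show, the new location may need `Repair-UserSshConfigPermission -FilePath $testPriKeypath -confirm:$false` after the `Set-Content` line. Writing it as `Copy-Item ... -Force` would also keep repeated setup runs idempotent and match the casing used elsewhere. The rest of the key registration is outside the hunk.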
@@ -462,7 +474,9 @@ function Clear-OpenSSHTestEnvironment Remove-ItemProperty "HKLM:Software\Microsoft\Windows NT\CurrentVersion\AeDebug" -Name Auto -ErrorAction SilentlyContinue -Force | Out-Null } - Remove-Item $sshBinPath\sshtest*hostkey* -Force -ErrorAction SilentlyContinue + Remove-Item "$sshBinPath\sshtest*hostkey*" -Force -ErrorAction SilentlyContinue + Remove-Item "$sshBinPath\sshtest*ca_userkeys*" -Force -ErrorAction SilentlyContinue + #Restore sshd_config $backupConfigPath = Join-Path $sshBinPath sshd_config.ori if (Test-Path $backupConfigPath -PathType Leaf) {
diff --git a/regress/pesterTests/CertAuth.Tests.ps1 b/regress/pesterTests/CertAuth.Tests.ps1
new file mode 100644
index 000000000..d49663228
--- /dev/null
+++ b/regress/pesterTests/CertAuth.Tests.ps1
@@ -0,0 +1,70 @@
+If ($PSVersiontable.PSVersion.Major -le 2) {$PSScriptRoot = Split-Path -Parent $MyInvocation.MyCommand.Path}
+Import-Module $PSScriptRoot\CommonUtils.psm1 -Force
+$tC = 1
+$tI = 0
+$suite = "certauth"
+
+Describe "E2E scenarios for certificate authentication" -Tags "CI" {
+ BeforeAll {
+ if($OpenSSHTestInfo -eq $null)
+ {
+ Throw "`$OpenSSHTestInfo is null. Please run Set-OpenSSHTestEnvironment to set test environments."
+ }
+
+ $server = $OpenSSHTestInfo["Target"]
+ $port = $OpenSSHTestInfo["Port"]
+ $pkuser = $OpenSSHTestInfo["PubKeyUser"]
+ $cakey = $OpenSSHTestInfo["CA_Private_Key"]
+
+ $testDir = Join-Path $OpenSSHTestInfo["TestDataPath"] $suite
+ if(-not (Test-Path $testDir))
+ {
+ $null = New-Item $testDir -ItemType directory -Force -ErrorAction SilentlyContinue
+ }
+ $user_key = Join-Path $testDir "cert_auth_user_key"
+ $keypassphrase = "testpassword"
+
+ $platform = Get-Platform
+ $skip = ($platform -eq [PlatformType]::Windows) -and ($PSVersionTable.PSVersion.Major -le 2)
+
+ }
+
+ BeforeEach {
+ $stderrFile=Join-Path $testDir "$tC.$tI.stderr.txt"
+ $stdoutFile=Join-Path $testDir "$tC.$tI.stdout.txt"
+ $logFile = Join-Path $testDir "$tC.$tI.log.txt"
+ }
+
+ AfterEach {$tI++;}
+
+ Context "$tC - generate certificates" {
+
+ BeforeAll {$tI=1}
+ AfterAll{$tC++}
+
+ It "$tC.$tI - sign user keys" {
+ Remove-Item "$($user_key)*"
+ ssh-keygen -t ed25519 -f $user_key -P $keypassphrase
+ $user_key | Should Exist
+ $nullFile = join-path $testDir ("$tC.$tI.nullfile")
+ $null > $nullFile
+ $user_key_pub = ($user_key + ".pub")
+ iex "cmd /c `"ssh-keygen -s $cakey -I $pkuser -V -1w:+54w5d -n $pkuser $user_key_pub < $nullFile 2> nul `""
+ }
+
+ }
+
+ Context "$tC - ssh with certificate" {
+ BeforeAll {$tI=1}
+ AfterAll{$tC++}
+
+ It "$tC.$tI - authenticate using certificate" {
+ #set up SSH_ASKPASS for key passphrase
+ Add-PasswordSetting -Pass $keypassphrase
+ $o = ssh -i $user_key -p $port $pkuser@$server echo 1234
+ $o | Should Be "1234"
+
Remove-PasswordSetting
+ }
+ }
+
+}
diff --git a/regress/pesterTests/SSHD_Config b/regress/pesterTests/SSHD_Config
index 244471f36..9d0ec47f5 100644
--- a/regress/pesterTests/SSHD_Config
+++ b/regress/pesterTests/SSHD_Config
@@ -127,3 +127,4 @@ PubkeyAcceptedKeyTypes ssh-ed25519* #DenyGroups denygroup1 denygr*p2 deny?rou?3 #AllowGroups allowgroup1 allowg*2 allowg?ou?3 Adm* hostkeyagent \\.\pipe\openssh-ssh-agent
+TrustedUserCAKeys sshtest_ca_userkeys.pub
diff --git a/regress/pesterTests/sshtest_ca_userkeys b/regress/pesterTests/sshtest_ca_userkeys
new file mode 100644
index 000000000..7c602426e
--- /dev/null
+++ b/regress/pesterTests/sshtest_ca_userkeys
@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACCbSeGZ+6Me6gaSAwK41/QILL6KnNUlem4XUu/Xm7RqYQAAAKCOV5jPjleY
+zwAAAAtzc2gtZWQyNTUxOQAAACCbSeGZ+6Me6gaSAwK41/QILL6KnNUlem4XUu/Xm7RqYQ
+AAAEBPPuXnlqwvhMYZNKaoMQS0GmtlJwFcctT3aZg1Ib4JaJtJ4Zn7ox7qBpIDArjX9Ags
+voqc1SV6bhdS79ebtGphAAAAG21hbm9qYW1wQHJlZG1vbmRAbWFub2otZGV2MwEC
+-----END OPENSSH PRIVATE KEY-----
diff --git a/regress/pesterTests/sshtest_ca_userkeys.pub b/regress/pesterTests/sshtest_ca_userkeys.pub
new file mode 100644
index 000000000..0fccad783
--- /dev/null
+++ b/regress/pesterTests/sshtest_ca_userkeys.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJtJ4Zn7ox7qBpIDArjX9Agsvoqc1SV6bhdS79ebtGph sshtest_ca_userkeys
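Review bot: The `sign user keys` test in CertAuth.Tests.ps1 never checks that signing produced a certificate: the `iex "cmd /c ... 2> nul"` line discards ssh-keygen's stderr and nothing asserts on its result, so a signing failure only surfaces later as an authentication failure in the next context. Adding `($user_key + "-cert.pub") | Should Exist` after the `iex` line would pin it, assuming ssh-keygen's default certificate file name. In `authenticate using certificate`, `Remove-PasswordSetting` runs only when `Should Be "1234"` passes, so a failed assertion leaves the askpass settings in place for later suites; moving it into an `AfterAll`/`AfterEach` block of that context avoids this. The ssh call also does not restrict which identities are offered, so if the agent holds a key that `$pkuser` already accepts, the test could pass without the certificate being used; `-o IdentitiesOnly=yes` would rule that out.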
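Review bot: `TrustedUserCAKeys sshtest_ca_userkeys.pub` in SSHD_Config makes sshd accept user certificates signed by a CA whose private key is added to the repository in this same patch (`regress/pesterTests/sshtest_ca_userkeys`), so that key has to be treated as public, and any host still running this config trusts certificates that anyone can issue. A comment line above the directive, e.g. `# TEST ONLY: the matching CA private key is checked in; never use on a reachable host`, would make that explicit, and the setup helper's warning text is a natural place to mention the added trust line until `Clear-OpenSSHTestEnvironment` restores sshd_config. The path is relative, so it depends on how sshd resolves it against the directory the helper copies the `.pub` file into; worth confirming or writing an absolute path.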