// Copyright (c) HashiCorp, Inc. // SPDX-License-Identifier: MPL-2.0 package static_test import ( "context" "encoding/json" "fmt" "os" "strings" "testing" "github.com/hashicorp/boundary/api/targets" "github.com/hashicorp/boundary/testing/internal/e2e" "github.com/hashicorp/boundary/testing/internal/e2e/boundary" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) // TestCliConnectTargetWithAuthzToken uses the boundary cli to connect to a target using the // `authz_token` option func TestCliConnectTargetWithAuthzToken(t *testing.T) { e2e.MaybeSkipTest(t) c, err := loadTestConfig() require.NoError(t, err) ctx := context.Background() boundary.AuthenticateAdminCli(t, ctx) newOrgId := boundary.CreateNewOrgCli(t, ctx) t.Cleanup(func() { ctx := context.Background() boundary.AuthenticateAdminCli(t, ctx) output := e2e.RunCommand(ctx, "boundary", e2e.WithArgs("scopes", "delete", "-id", newOrgId)) require.NoError(t, output.Err, string(output.Stderr)) }) newProjectId := boundary.CreateNewProjectCli(t, ctx, newOrgId) newHostCatalogId := boundary.CreateNewHostCatalogCli(t, ctx, newProjectId) newHostSetId := boundary.CreateNewHostSetCli(t, ctx, newHostCatalogId) newHostId := boundary.CreateNewHostCli(t, ctx, newHostCatalogId, c.TargetIp) boundary.AddHostToHostSetCli(t, ctx, newHostSetId, newHostId) newTargetId := boundary.CreateNewTargetCli(t, ctx, newProjectId, c.TargetPort) boundary.AddHostSourceToTargetCli(t, ctx, newTargetId, newHostSetId) newCredentialStoreId := boundary.CreateNewCredentialStoreStaticCli(t, ctx, newProjectId) newCredentialsId := boundary.CreateNewStaticCredentialPrivateKeyCli(t, ctx, newCredentialStoreId, c.TargetSshUser, c.TargetSshKeyPath) boundary.AddCredentialSourceToTargetCli(t, ctx, newTargetId, newCredentialsId) // Get credentials for target output := e2e.RunCommand(ctx, "boundary", e2e.WithArgs("targets", "authorize-session", "-id", newTargetId, "-format", "json"), ) require.NoError(t, output.Err, string(output.Stderr)) var newSessionAuthorizationResult targets.SessionAuthorizationResult err = json.Unmarshal(output.Stdout, &newSessionAuthorizationResult) require.NoError(t, err) newSessionAuthorization := newSessionAuthorizationResult.Item retrievedUser, ok := newSessionAuthorization.Credentials[0].Credential["username"].(string) require.True(t, ok) retrievedKey, ok := newSessionAuthorization.Credentials[0].Credential["private_key"].(string) require.True(t, ok) retrievedKey += "\n" assert.Equal(t, c.TargetSshUser, retrievedUser) k, err := os.ReadFile(c.TargetSshKeyPath) require.NoError(t, err) require.Equal(t, string(k), retrievedKey) t.Log("Successfully retrieved credentials for target") // Get auth token for session newAuthToken := newSessionAuthorizationResult.Item.AuthorizationToken // Create key file retrievedKeyPath := fmt.Sprintf("%s/%s", t.TempDir(), "target_private_key.pem") f, err := os.Create(retrievedKeyPath) require.NoError(t, err) _, err = f.WriteString(retrievedKey) require.NoError(t, err) err = os.Chmod(retrievedKeyPath, 0o400) require.NoError(t, err) // Connect to target and print host's IP address using retrieved credentials output = e2e.RunCommand(ctx, "boundary", e2e.WithArgs( "connect", "-authz-token", newAuthToken, "-exec", "/usr/bin/ssh", "--", "-l", retrievedUser, "-i", retrievedKeyPath, "-o", "UserKnownHostsFile=/dev/null", "-o", "StrictHostKeyChecking=no", "-o", "IdentitiesOnly=yes", // forces the use of the provided key "-p", "{{boundary.port}}", // this is provided by boundary "{{boundary.ip}}", "hostname", "-i", ), ) require.NoError(t, output.Err, string(output.Stderr)) parts := strings.Fields(string(output.Stdout)) hostIp := parts[len(parts)-1] require.Equal(t, c.TargetIp, hostIp, "SSH session did not return expected output") t.Log("Successfully connected to target") }