enh: tests: add tests for sign files issue

8 months ago · c1817bc887
parent 9bc85ec3f4
commit c1817bc887
2 changed files with 95 additions and 72 deletions
--- a/tests/functional/launch_tests_on_instance.sh
+++ b/tests/functional/launch_tests_on_instance.sh
@ -242,72 +242,70 @@ check_sourced_module_output()
    r0="  $t ssh -F $mytmpdir/ssh_config -i $rootkeyfile           root@$remote_ip -p $remote_port -- "

    # gpg has a terrible tendency to block on the pseudo-random number generator because it
-    # reads from /dev/random instead of /dev/urandom for bad reasons. so, just hardcode a pubkey here
+    # reads from /dev/random instead of /dev/urandom for bad reasons. so, just hardcode some keys here
+
+    admins_gpg_key_fp='77BD43B49D953216B23FB0D3EF588AFD95728724'
+    admins_gpg_key_id='EF588AFD95728724'
+    admins_gpg_key_password='password'
    admins_gpg_key_pub='
 -----BEGIN PGP PUBLIC KEY BLOCK-----

-mQENBGHDPRUBCAC4P/TAxKiZ14KPL3nuGpKf8EdPkoUpj/9ugiOXYjoTeGykJiuC
-xTpu+st/UIOy9XVtI41W72uRIKYz6Fe79+0v9BvmTqvzk4XwJNKYG4jYHIpI8lMv
-ZJjqmL2tMMEma78vix5DFq+ShlMUTn5O1YL3NaF1WdsXhgYi05IxHQCyfczUmMb3
-CZak2LFKZB0rsw110AjcO0ak37Tt0zIiaM7JhRR1o2w55SwnCiFIIIcHYYs8DKdP
-2IjrIWw3frLnScOu/vsswf8i+93hR7wIPJFFWoJYp4bw9hqpN7iUtiu36NEYxiSj
-phbLNJOkgRMlB5k3g5RSTW2ESjSSU8JGaIgBABEBAAG0P1RoZSBCYXN0aW9uIEZ1
-bmN0aW9uYWwgVGVzdHMgKCkgKDIwMjEpIDx0aGViYXN0aW9uQGV4YW1wbGUub3Jn
-PokBTgQTAQoAOBYhBABWXvGgvAIuXvD9mBty/SwiFepEBQJhwz0VAhsvBQsJCAcC
-BhUKCQgLAgQWAgMBAh4BAheAAAoJEBty/SwiFepE6xQIAJ0gUhe5HfQfv5s7zblM
-lDQgVVGD058aXv3X//p6bzZY38yPsOaNDtah+bWZPUaDGAgxU2K1hpDCgsXlt6QG
-BlLIosFALp3OBQFQCRJQnyePEIZKLEH0UtxhTWY12QC60D5173H771p+rapIw+CD
-QxId4IktofMMRW2qc6Dl1e/CJtgtDOhBoX7CN2WPvCIxUnY9FUWU5FWeWxn2OYSy
-azAxSA3E7THn5J+lpQ4cK6bedUWYWXOnMzjUHf7qAaJdT0jKYIkdY4XLodR1A+Gd
-LFhXNAMD8AU+LB7sukz8xBeQ6usWcY7A0V/ZRVY2uTzn1SSmM6SAVBniSfdMIJOh
-Ojy5AQ0EYcM9FQEIANdorEWuRp6z1I0KpqAwiEn1q0zgJ8HxF9Ax9EtIJdXHAxgQ
-//zRnGMgj+TFJ+uqPodXg9r/v3JqXYNZQpTMBdtaB+x/xMO2PmZcwV7M7i6H54RL
-Eskwh7jE0YURCIFa1riaKdieBtF/ZanFtEJdKil1tw14GISop0mPo+qccyQQ+kHD
-zzcLemPYCtqC8tM6JHGBWPhiscUmkE2htYEB9fchGsMB3KANKSXLOWXM5RyqqZf2
-jxtLV/2TkZCMoIlkrpe1XinLxRRd9YWWzC70C+rNppsKXRuicR0fyGH04BiF8ybR
-nsyEaW0t82cDTn6ly/VbHWoMqvxp/00fXHwPifMAEQEAAYkCbAQYAQoAIBYhBABW
-XvGgvAIuXvD9mBty/SwiFepEBQJhwz0VAhsuAUAJEBty/SwiFepEwHQgBBkBCgAd
-FiEEk/2R/vaQJdSmfrJyR7pDY5i5QmgFAmHDPRUACgkQR7pDY5i5QmhpYwf/c5zh
-6jGiSf2dhcXFfbvByGlIqP3T16hl/8qJA9Le9GgqwHfF9CSPaQE0sNJZCw+GPa7c
-ciHPJuEHMjPC8zxFtul/8PDNkcT1QMn2D/9yc+4gvKbiVMZm2zeabuakWtf4S06m
-yaXesfZqFK4e/frKOkTM1UGLjHPZWXdiPnidE50f07laA+Ql72ATmoAl9yZHdJrC
-GKZ0IBVR3v7spoiJz61Wv5T3ZaK/7TpKS4VXLAnNue0o3tEQ1N5f1p5GXn2Hzt7D
-kZJuwMnhykijhDcPQxLQhuM7pEkWKoPMyp89wRgblMg0SAtZG/Q153tlHgddIRAk
-HP2i7tckRJeWZItaFmWfCACjnEpLSqswHordQhMeWAS1gFJEWMqogWE2IRImVjD/
-bqUbmistdkcmVgGkJ6VoPoK0B4clUggRyMWvObB+qoX5O2lJvP9V9kNsuRn2YAPO
-8lCrrloHzAH6NM2scRtqURQbiqei/Ud563xWHSohpLqw0ujxqKOnfMnnFyKrhSYN
-tLIF+pOSWUO/jwmNld8icSgrKzwn3R9HTRccziBp6lZRIVoRvtEmHOvwbnropnh5
-LicUjkm1z+cdyt8b5qQnbFW1OjYtbkZIBz3wrB0L2tiuks9PckuiYFT9DzyoGwyt
-4fa+23uEetbTatxVLjJDOPGTsSwk7YlU+36568JzzvTK
-=hEcM
+mDMEaManoRYJKwYBBAHaRw8BAQdAJrSyrZwplw4fLoCTA/+qtadGBfgAFrTGNEVG
+6VLEA5G0KVRoZSBCYXN0aW9uIEZ1bmN0aW9uYWwgVGVzdHMgMSBETyBOT1QgVVNF
+iJAEExYIADgWIQR3vUO0nZUyFrI/sNPvWIr9lXKHJAUCaManoQIbAwULCQgHAgYV
+CgkICwIEFgIDAQIeAQIXgAAKCRDvWIr9lXKHJMPDAQDX9cynb7vYgqoDchZ96j18
+mDj771Hj8UqMKvvmAOs89AEAhWPfBPFPLIuE3I1i4xcqqDxGhJjOEImguomvw+Mk
+XQa4OARoxqfPEgorBgEEAZdVAQUBAQdAPknOek1HwmahNN5cIZytU5gui0jOzMzM
+BHoIa2gJp2oDAQgHiHgEGBYIACAWIQR3vUO0nZUyFrI/sNPvWIr9lXKHJAUCaMan
+zwIbDAAKCRDvWIr9lXKHJIVXAP9kvmTQSL6slzKEJg0ihG2osctYtA4qjqHLT7nJ
+83nW/AEAyBRd/CP5DQzVeLgf0yY3rfKyPJXPkRT7Jv5VYJ0OTgw=
+=Rl5j
 -----END PGP PUBLIC KEY BLOCK-----
 '
-    # 25305EA2FCA333C4
-    admins_gpg_key_pub_2='
+    # shellcheck disable=SC1078,SC1079
+    admins_gpg_key_priv='
+-----BEGIN PGP PRI''VATE KEY BLOCK-----
+
+lIYEaManoRYJKwYBBAHaRw8BAQdAJrSyrZwplw4fLoCTA/+qtadGBfgAFrTGNEVG
+6VLEA5H+BwMCDR1ixPbIDkD/pJPZ0bDoc5QNSvdYkBNMcfn8jU1nuP0ae830qr6Z
+l17PSnJYswDB9FnsILgHY4m/53h/1XbzOioeY8B69gNOxvmDI5MDyLQpVGhlIEJh
+c3Rpb24gRnVuY3Rpb25hbCBUZXN0cyAxIERPIE5PVCBVU0WIkAQTFggAOBYhBHe9
+Q7SdlTIWsj+w0+9Yiv2VcockBQJoxqehAhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4B
+AheAAAoJEO9Yiv2Vcockw8MBANf1zKdvu9iCqgNyFn3qPXyYOPvvUePxSowq++YA
+6zz0AQCFY98E8U8si4TcjWLjFyqoPEaEmM4QiaC6ia/D4yRdBpyLBGjGp88SCisG
+AQQBl1UBBQEBB0A+Sc56TUfCZqE03lwhnK1TmC6LSM7MzMwEeghraAmnagMBCAf+
+BwMCpS1daNVeiWj/pW7Ul3dcOBcb4Six3puFfhKCqISbYxz8TCyryskobgV7rNQW
+JtP/KiPIm3n9zSTeKe+Mz61MkP2terPwkmCcpIXGQxO6F4h4BBgWCAAgFiEEd71D
+tJ2VMhayP7DT71iK/ZVyhyQFAmjGp88CGwwACgkQ71iK/ZVyhySFVwD/ZL5k0Ei+
+rJcyhCYNIoRtqLHLWLQOKo6hy0+5yfN51vwBAMgUXfwj+Q0M1Xi4H9MmN63ysjyV
+z5EU+yb+VWCdDk4M
+=X0wo
+-----END PGP PRI''VATE KEY BLOCK-----
+'
+
+    admins_gpg_key2_fp='DDD75B4E323605E2F2D84C57B07681E46080FA6C'
+    admins_gpg_key2_id='B07681E46080FA6C'
+    admins_gpg_key2_password='password'
+    admins_gpg_key2_pub='
 -----BEGIN PGP PUBLIC KEY BLOCK-----

-mI0EZTjYygEEAMbJBg+8/bKtsWif5I/EaoNYhY4dPJ2wc4rg/6JJFTvXQP5hCP5S
-9vUyw/PW1Lho8fYNbTOFdgI0lbi0HObTuy1oMPRmBdMFppUbA06RcYImCB+ueZgN
-F4TYXtleF26xasOSuf+k7lH8FrSfdnDxE/3+xddWUReTCs+Z5o/odTItABEBAAG0
-JWJhc3Rpb24gdGVzdHMgNiA8YmFzdGlvbkBleGFtcGxlLm9yZz6I1AQTAQoAPhYh
-BCRiNpSK15lfa7/YoiUwXqL8ozPEBQJlONjKAhsDBQkDwmcABQsJCAcCBhUKCQgL
-AgQWAgMBAh4BAheAAAoJECUwXqL8ozPE7QEEAIcgxxBkn66ibzGfHFTwBg5mOEsh
-CVOKkLms+5T22EgwgD5IVusYkHuwzPLpzvIHbm49Q2zZpoWzz/D+A8WhlB1hf1hD
-MEs/zwyji35LzxENL3sGm+PaADzQpj/2BFNr+KkLvDtP+ly1DqoDsWB5VlKRTcej
-fKo/0fnlgVgUH9QWuI0EZTjamwEEAM6tWi1JeLKKn3dXy4W/tgWcG8qkLnk1IBsT
-ADRPMhmRpevfDEf93L9E/Nb4hNHOXtI4H93ZI1V3xsqLtZn7Vp5xtf8hRUgySyeJ
-BUvcZCSn8t9h7PJi1n88jkyIsuRYrr9AZ1A764PBMHX72zJynRO3kXA9e3qK18y2
-wyo4G/F7ABEBAAGItgQYAQoAIBYhBCRiNpSK15lfa7/YoiUwXqL8ozPEBQJlONqb
-AhsMAAoJECUwXqL8ozPEKDYD/R5VGtppw6yJ9D92qCGnzNEIlfoasRynQVxr+ogl
-rMaesAB0HiKTBmU4WOT4u+7/W5p/bkS/GbJAa34DIi8pYZVj1b9VVfq9ICQFG/+K
-/0PeCKsbPCVFNI9giWKWukJ5v0qtzIxIQcAtLJAntX86KAZCTU6Nqnv1gOx1dLXO
-tM6t
-=Anoc
+mDMEaMan1hYJKwYBBAHaRw8BAQdAe5q2pQcaPCvoCBvAplS4bDoAHZYrvBSNOeI1
+YyWt7ca0KVRoZSBCYXN0aW9uIEZ1bmN0aW9uYWwgVGVzdHMgMiBETyBOT1QgVVNF
+iJAEExYIADgWIQTd11tOMjYF4vLYTFewdoHkYID6bAUCaMan1gIbAwULCQgHAgYV
+CgkICwIEFgIDAQIeAQIXgAAKCRCwdoHkYID6bC1/AQCttlvVVZYCuy6M0pdBQhnj
+5hi+h7ZsOEbxLuBS1Q0xBwEAk/6SesVpnWQaZ34ZMGwu0b5UsqLDNssNFpEnEE+X
+jg64OARoxqfgEgorBgEEAZdVAQUBAQdA1vSd5OghmsJLq+j1l47ZMRL2vY84pN/U
+PWfGqRi3FEwDAQgHiHgEGBYIACAWIQTd11tOMjYF4vLYTFewdoHkYID6bAUCaMan
+4AIbDAAKCRCwdoHkYID6bAlFAQC1fdDV2DpgpsS9eqi4RAMnJu92HMMi5vts9zsb
+lg0/tgEArubNUjLLiOHz9mDnHvYeDfH78XxKOYolCpJ75kH9ygc=
+=Xr7M
 -----END PGP PUBLIC KEY BLOCK-----
 '

    # CF27BEC1C8266FFE EC6CEA6719EF3700
-    admins_gpg_key_pub_double='
+    admins_gpg_key_double1_id='CF27BEC1C8266FFE'
+    admins_gpg_key_double2_id='EC6CEA6719EF3700'
+    admins_gpg_key_double_pub='
 -----BEGIN PGP PUBLIC KEY BLOCK-----

 mI0EZTjY4gEEALsLQRaWUyfXtD9gtAXmo9Uq1DV9ZInd9xkxvEbLx8PJxsAnD5dV
--- a/tests/functional/tests.d/200-scripts.sh
+++ b/tests/functional/tests.d/200-scripts.sh
@ -26,40 +26,40 @@ testsuite_scripts()
    success setup_keys_generate $r0 /opt/bastion/bin/admin/setup-gpg.sh --generate
    contain "autogenerated with"

-    script setup_keys_import $r0 "\"echo '$admins_gpg_key_pub' | /opt/bastion/bin/admin/setup-gpg.sh --import\""
+    script setup_keys_import_double $r0 "\"echo '$admins_gpg_key_double_pub' | /opt/bastion/bin/admin/setup-gpg.sh --import\""
    retvalshouldbe 0
    contain "Paste the admins"
    contain "50-gpg-admins-key.conf updated:"
    contain "50-gpg.conf updated:"
-    contain "Parsed and added 1 keys"
-    contain "GPGKEYS='1B72FD2C2215EA44'"
-    contain '[ "1B72FD2C2215EA44" ]'
+    contain "Parsed and added 2 keys"
+    contain REGEX "GPGKEYS='($admins_gpg_key_double1_id $admins_gpg_key_double2_id|$admins_gpg_key_double2_id $admins_gpg_key_double1_id)'"
+    contain REGEX "(\"$admins_gpg_key_double1_id\", \"$admins_gpg_key_double2_id\"|\"$admins_gpg_key_double2_id\", \"$admins_gpg_key_double1_id\")"
    nocontain "WARN:"
    nocontain "ERROR:"
    nocontain "Unexpected termination"

-    script setup_keys_import_2 $r0 "\"echo '$admins_gpg_key_pub_2' | /opt/bastion/bin/admin/setup-gpg.sh --import --overwrite\""
+    success setup_keys_clear $r0 "\"rm -f $opt_remote_etc_bastion/osh-encrypt-rsync.conf.d/50-gpg-admins-key.conf $opt_remote_etc_bastion/osh-backup-acl-keys.conf.d/50-gpg.conf\""
+
+    script setup_keys_import $r0 "\"echo '$admins_gpg_key2_pub' | /opt/bastion/bin/admin/setup-gpg.sh --import\""
    retvalshouldbe 0
    contain "Paste the admins"
-    contain "50-gpg-admins-key.conf already exists, but overwriting"
-    contain "50-gpg.conf already exists, but overwriting"
    contain "Parsed and added 1 keys"
-    contain "GPGKEYS='25305EA2FCA333C4'"
-    contain '[ "25305EA2FCA333C4" ]'
+    contain "GPGKEYS='$admins_gpg_key2_id'"
+    contain '[ "'"$admins_gpg_key2_id"'" ]'
    nocontain "WARN:"
    nocontain "ERROR:"
    nocontain "Unexpected termination"

-    success setup_keys_clear $r0 "\"rm -f $opt_remote_etc_bastion/osh-encrypt-rsync.conf.d/50-gpg-admins-key.conf $opt_remote_etc_bastion/osh-backup-acl-keys.conf.d/50-gpg.conf\""
-
-    script setup_keys_import_3 $r0 "\"echo '$admins_gpg_key_pub_double' | /opt/bastion/bin/admin/setup-gpg.sh --import\""
+    script setup_keys_import_overwrite $r0 "\"echo '$admins_gpg_key_pub' | /opt/bastion/bin/admin/setup-gpg.sh --import --overwrite\""
    retvalshouldbe 0
    contain "Paste the admins"
+    contain "50-gpg-admins-key.conf already exists, but overwriting"
+    contain "50-gpg.conf already exists, but overwriting"
    contain "50-gpg-admins-key.conf updated:"
    contain "50-gpg.conf updated:"
-    contain "Parsed and added 2 keys"
-    contain REGEX "GPGKEYS='(CF27BEC1C8266FFE EC6CEA6719EF3700|EC6CEA6719EF3700 CF27BEC1C8266FFE)'"
-    contain REGEX '("CF27BEC1C8266FFE", "EC6CEA6719EF3700"|"EC6CEA6719EF3700", "CF27BEC1C8266FFE")'
+    contain "Parsed and added 1 keys"
+    contain "GPGKEYS='$admins_gpg_key_id'"
+    contain '[ "'"$admins_gpg_key_id"'" ]'
    nocontain "WARN:"
    nocontain "ERROR:"
    nocontain "Unexpected termination"
@ -135,18 +135,43 @@ testsuite_scripts()
    json .error_code OK .command accountAddPersonalAccess

    run a1_connect $a1 none@127.0.0.1
+    contain 'Connecting...'

    # encrypt rsync (one file to encrypt)

-    success encrypt_rsync_none $r0 /opt/bastion/bin/cron/osh-encrypt-rsync.pl --force-encrypt --encrypt-only
+    success encrypt_rsync_one $r0 /opt/bastion/bin/cron/osh-encrypt-rsync.pl --force-encrypt --encrypt-only
    contain 'Config test passed'
    contain "Creating"
    contain "Encrypting"
    contain ".gpg"
-    contain "Done"
+    contain "Done, got 0 error(s) and 0 warning(s)"
    nocontain "WARN:"
    nocontain "ERROR:"
    nocontain "Unexpected termination"
+    # get one of the encrypted files name's, for the next test
+    local gpgfile
+    gpgfile=$(get_stdout | awk '/^Encrypting .+ to / {print $4;exit}' | tr -d '\r')
+
+    # import the private key that we'll need on the next test
+    local keyb64
+    keyb64=$(echo "$admins_gpg_key_priv" | base64 -w0)
+    # shellcheck disable=SC1078
+    script import_gpg_secret_key "$r0 '
+        set -x;
+        t=\$(mktemp);
+        echo \"$keyb64\" | base64 -d > \$t;
+        gpg --import --pinentry-mode loopback --passphrase-fd 0 --batch \$t <<< \"$admins_gpg_key_password\";
+        rm -f \$t;
+    '"
+    retvalshouldbe 0
+    contain 'secret keys imported: 1'
+
+    # check that encrypted file is also signed, we need the private key of the recipient because
+    # the signature is embedded in the encrypted payload
+    script encrypt_rsync_one_check "$r0 gpg --list-packets --pinentry-mode loopback --passphrase-fd 0 --batch $gpgfile <<< $admins_gpg_key_password"
+    retvalshouldbe 0
+    contain ':encrypted'
+    contain ':signature'

    # rename account
    script account_rename $r0 /opt/bastion/bin/admin/rename-account.sh $account1 $account2 '</dev/null'