diff --git a/tests/functional/launch_tests_on_instance.sh b/tests/functional/launch_tests_on_instance.sh
index 6d2a510..c1c30f5 100755
--- a/tests/functional/launch_tests_on_instance.sh
+++ b/tests/functional/launch_tests_on_instance.sh
@@ -242,72 +242,70 @@ check_sourced_module_output() r0=" $t ssh -F $mytmpdir/ssh_config -i $rootkeyfile root@$remote_ip -p $remote_port -- " # gpg has a terrible tendency to block on the pseudo-random number generator because it - # reads from /dev/random instead of /dev/urandom for bad reasons. so, just hardcode a pubkey here + # reads from /dev/random instead of /dev/urandom for bad reasons. so, just hardcode some keys here + + admins_gpg_key_fp='77BD43B49D953216B23FB0D3EF588AFD95728724' + admins_gpg_key_id='EF588AFD95728724' + admins_gpg_key_password='password' admins_gpg_key_pub=' -----BEGIN PGP PUBLIC KEY BLOCK----- -mQENBGHDPRUBCAC4P/TAxKiZ14KPL3nuGpKf8EdPkoUpj/9ugiOXYjoTeGykJiuC -xTpu+st/UIOy9XVtI41W72uRIKYz6Fe79+0v9BvmTqvzk4XwJNKYG4jYHIpI8lMv -ZJjqmL2tMMEma78vix5DFq+ShlMUTn5O1YL3NaF1WdsXhgYi05IxHQCyfczUmMb3 -CZak2LFKZB0rsw110AjcO0ak37Tt0zIiaM7JhRR1o2w55SwnCiFIIIcHYYs8DKdP -2IjrIWw3frLnScOu/vsswf8i+93hR7wIPJFFWoJYp4bw9hqpN7iUtiu36NEYxiSj -phbLNJOkgRMlB5k3g5RSTW2ESjSSU8JGaIgBABEBAAG0P1RoZSBCYXN0aW9uIEZ1 -bmN0aW9uYWwgVGVzdHMgKCkgKDIwMjEpIDx0aGViYXN0aW9uQGV4YW1wbGUub3Jn -PokBTgQTAQoAOBYhBABWXvGgvAIuXvD9mBty/SwiFepEBQJhwz0VAhsvBQsJCAcC -BhUKCQgLAgQWAgMBAh4BAheAAAoJEBty/SwiFepE6xQIAJ0gUhe5HfQfv5s7zblM -lDQgVVGD058aXv3X//p6bzZY38yPsOaNDtah+bWZPUaDGAgxU2K1hpDCgsXlt6QG -BlLIosFALp3OBQFQCRJQnyePEIZKLEH0UtxhTWY12QC60D5173H771p+rapIw+CD -QxId4IktofMMRW2qc6Dl1e/CJtgtDOhBoX7CN2WPvCIxUnY9FUWU5FWeWxn2OYSy -azAxSA3E7THn5J+lpQ4cK6bedUWYWXOnMzjUHf7qAaJdT0jKYIkdY4XLodR1A+Gd -LFhXNAMD8AU+LB7sukz8xBeQ6usWcY7A0V/ZRVY2uTzn1SSmM6SAVBniSfdMIJOh -Ojy5AQ0EYcM9FQEIANdorEWuRp6z1I0KpqAwiEn1q0zgJ8HxF9Ax9EtIJdXHAxgQ -//zRnGMgj+TFJ+uqPodXg9r/v3JqXYNZQpTMBdtaB+x/xMO2PmZcwV7M7i6H54RL -Eskwh7jE0YURCIFa1riaKdieBtF/ZanFtEJdKil1tw14GISop0mPo+qccyQQ+kHD -zzcLemPYCtqC8tM6JHGBWPhiscUmkE2htYEB9fchGsMB3KANKSXLOWXM5RyqqZf2 -jxtLV/2TkZCMoIlkrpe1XinLxRRd9YWWzC70C+rNppsKXRuicR0fyGH04BiF8ybR -nsyEaW0t82cDTn6ly/VbHWoMqvxp/00fXHwPifMAEQEAAYkCbAQYAQoAIBYhBABW 
-XvGgvAIuXvD9mBty/SwiFepEBQJhwz0VAhsuAUAJEBty/SwiFepEwHQgBBkBCgAd -FiEEk/2R/vaQJdSmfrJyR7pDY5i5QmgFAmHDPRUACgkQR7pDY5i5QmhpYwf/c5zh -6jGiSf2dhcXFfbvByGlIqP3T16hl/8qJA9Le9GgqwHfF9CSPaQE0sNJZCw+GPa7c -ciHPJuEHMjPC8zxFtul/8PDNkcT1QMn2D/9yc+4gvKbiVMZm2zeabuakWtf4S06m -yaXesfZqFK4e/frKOkTM1UGLjHPZWXdiPnidE50f07laA+Ql72ATmoAl9yZHdJrC -GKZ0IBVR3v7spoiJz61Wv5T3ZaK/7TpKS4VXLAnNue0o3tEQ1N5f1p5GXn2Hzt7D -kZJuwMnhykijhDcPQxLQhuM7pEkWKoPMyp89wRgblMg0SAtZG/Q153tlHgddIRAk -HP2i7tckRJeWZItaFmWfCACjnEpLSqswHordQhMeWAS1gFJEWMqogWE2IRImVjD/ -bqUbmistdkcmVgGkJ6VoPoK0B4clUggRyMWvObB+qoX5O2lJvP9V9kNsuRn2YAPO -8lCrrloHzAH6NM2scRtqURQbiqei/Ud563xWHSohpLqw0ujxqKOnfMnnFyKrhSYN -tLIF+pOSWUO/jwmNld8icSgrKzwn3R9HTRccziBp6lZRIVoRvtEmHOvwbnropnh5 -LicUjkm1z+cdyt8b5qQnbFW1OjYtbkZIBz3wrB0L2tiuks9PckuiYFT9DzyoGwyt -4fa+23uEetbTatxVLjJDOPGTsSwk7YlU+36568JzzvTK -=hEcM +mDMEaManoRYJKwYBBAHaRw8BAQdAJrSyrZwplw4fLoCTA/+qtadGBfgAFrTGNEVG +6VLEA5G0KVRoZSBCYXN0aW9uIEZ1bmN0aW9uYWwgVGVzdHMgMSBETyBOT1QgVVNF +iJAEExYIADgWIQR3vUO0nZUyFrI/sNPvWIr9lXKHJAUCaManoQIbAwULCQgHAgYV +CgkICwIEFgIDAQIeAQIXgAAKCRDvWIr9lXKHJMPDAQDX9cynb7vYgqoDchZ96j18 +mDj771Hj8UqMKvvmAOs89AEAhWPfBPFPLIuE3I1i4xcqqDxGhJjOEImguomvw+Mk +XQa4OARoxqfPEgorBgEEAZdVAQUBAQdAPknOek1HwmahNN5cIZytU5gui0jOzMzM +BHoIa2gJp2oDAQgHiHgEGBYIACAWIQR3vUO0nZUyFrI/sNPvWIr9lXKHJAUCaMan +zwIbDAAKCRDvWIr9lXKHJIVXAP9kvmTQSL6slzKEJg0ihG2osctYtA4qjqHLT7nJ +83nW/AEAyBRd/CP5DQzVeLgf0yY3rfKyPJXPkRT7Jv5VYJ0OTgw= +=Rl5j -----END PGP PUBLIC KEY BLOCK----- ' - # 25305EA2FCA333C4 - admins_gpg_key_pub_2=' + # shellcheck disable=SC1078,SC1079 + admins_gpg_key_priv=' +-----BEGIN PGP PRI''VATE KEY BLOCK----- + +lIYEaManoRYJKwYBBAHaRw8BAQdAJrSyrZwplw4fLoCTA/+qtadGBfgAFrTGNEVG +6VLEA5H+BwMCDR1ixPbIDkD/pJPZ0bDoc5QNSvdYkBNMcfn8jU1nuP0ae830qr6Z +l17PSnJYswDB9FnsILgHY4m/53h/1XbzOioeY8B69gNOxvmDI5MDyLQpVGhlIEJh +c3Rpb24gRnVuY3Rpb25hbCBUZXN0cyAxIERPIE5PVCBVU0WIkAQTFggAOBYhBHe9 +Q7SdlTIWsj+w0+9Yiv2VcockBQJoxqehAhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4B 
+AheAAAoJEO9Yiv2Vcockw8MBANf1zKdvu9iCqgNyFn3qPXyYOPvvUePxSowq++YA +6zz0AQCFY98E8U8si4TcjWLjFyqoPEaEmM4QiaC6ia/D4yRdBpyLBGjGp88SCisG +AQQBl1UBBQEBB0A+Sc56TUfCZqE03lwhnK1TmC6LSM7MzMwEeghraAmnagMBCAf+ +BwMCpS1daNVeiWj/pW7Ul3dcOBcb4Six3puFfhKCqISbYxz8TCyryskobgV7rNQW +JtP/KiPIm3n9zSTeKe+Mz61MkP2terPwkmCcpIXGQxO6F4h4BBgWCAAgFiEEd71D +tJ2VMhayP7DT71iK/ZVyhyQFAmjGp88CGwwACgkQ71iK/ZVyhySFVwD/ZL5k0Ei+ +rJcyhCYNIoRtqLHLWLQOKo6hy0+5yfN51vwBAMgUXfwj+Q0M1Xi4H9MmN63ysjyV +z5EU+yb+VWCdDk4M +=X0wo +-----END PGP PRI''VATE KEY BLOCK----- +' + + admins_gpg_key2_fp='DDD75B4E323605E2F2D84C57B07681E46080FA6C' + admins_gpg_key2_id='B07681E46080FA6C' + admins_gpg_key2_password='password' + admins_gpg_key2_pub=' -----BEGIN PGP PUBLIC KEY BLOCK----- -mI0EZTjYygEEAMbJBg+8/bKtsWif5I/EaoNYhY4dPJ2wc4rg/6JJFTvXQP5hCP5S -9vUyw/PW1Lho8fYNbTOFdgI0lbi0HObTuy1oMPRmBdMFppUbA06RcYImCB+ueZgN -F4TYXtleF26xasOSuf+k7lH8FrSfdnDxE/3+xddWUReTCs+Z5o/odTItABEBAAG0 -JWJhc3Rpb24gdGVzdHMgNiA8YmFzdGlvbkBleGFtcGxlLm9yZz6I1AQTAQoAPhYh -BCRiNpSK15lfa7/YoiUwXqL8ozPEBQJlONjKAhsDBQkDwmcABQsJCAcCBhUKCQgL -AgQWAgMBAh4BAheAAAoJECUwXqL8ozPE7QEEAIcgxxBkn66ibzGfHFTwBg5mOEsh -CVOKkLms+5T22EgwgD5IVusYkHuwzPLpzvIHbm49Q2zZpoWzz/D+A8WhlB1hf1hD -MEs/zwyji35LzxENL3sGm+PaADzQpj/2BFNr+KkLvDtP+ly1DqoDsWB5VlKRTcej -fKo/0fnlgVgUH9QWuI0EZTjamwEEAM6tWi1JeLKKn3dXy4W/tgWcG8qkLnk1IBsT -ADRPMhmRpevfDEf93L9E/Nb4hNHOXtI4H93ZI1V3xsqLtZn7Vp5xtf8hRUgySyeJ -BUvcZCSn8t9h7PJi1n88jkyIsuRYrr9AZ1A764PBMHX72zJynRO3kXA9e3qK18y2 -wyo4G/F7ABEBAAGItgQYAQoAIBYhBCRiNpSK15lfa7/YoiUwXqL8ozPEBQJlONqb -AhsMAAoJECUwXqL8ozPEKDYD/R5VGtppw6yJ9D92qCGnzNEIlfoasRynQVxr+ogl -rMaesAB0HiKTBmU4WOT4u+7/W5p/bkS/GbJAa34DIi8pYZVj1b9VVfq9ICQFG/+K -/0PeCKsbPCVFNI9giWKWukJ5v0qtzIxIQcAtLJAntX86KAZCTU6Nqnv1gOx1dLXO -tM6t -=Anoc +mDMEaMan1hYJKwYBBAHaRw8BAQdAe5q2pQcaPCvoCBvAplS4bDoAHZYrvBSNOeI1 +YyWt7ca0KVRoZSBCYXN0aW9uIEZ1bmN0aW9uYWwgVGVzdHMgMiBETyBOT1QgVVNF +iJAEExYIADgWIQTd11tOMjYF4vLYTFewdoHkYID6bAUCaMan1gIbAwULCQgHAgYV 
+CgkICwIEFgIDAQIeAQIXgAAKCRCwdoHkYID6bC1/AQCttlvVVZYCuy6M0pdBQhnj +5hi+h7ZsOEbxLuBS1Q0xBwEAk/6SesVpnWQaZ34ZMGwu0b5UsqLDNssNFpEnEE+X +jg64OARoxqfgEgorBgEEAZdVAQUBAQdA1vSd5OghmsJLq+j1l47ZMRL2vY84pN/U +PWfGqRi3FEwDAQgHiHgEGBYIACAWIQTd11tOMjYF4vLYTFewdoHkYID6bAUCaMan +4AIbDAAKCRCwdoHkYID6bAlFAQC1fdDV2DpgpsS9eqi4RAMnJu92HMMi5vts9zsb +lg0/tgEArubNUjLLiOHz9mDnHvYeDfH78XxKOYolCpJ75kH9ygc= +=Xr7M -----END PGP PUBLIC KEY BLOCK----- ' # CF27BEC1C8266FFE EC6CEA6719EF3700 - admins_gpg_key_pub_double=' + admins_gpg_key_double1_id='CF27BEC1C8266FFE' + admins_gpg_key_double2_id='EC6CEA6719EF3700' + admins_gpg_key_double_pub=' -----BEGIN PGP PUBLIC KEY BLOCK----- mI0EZTjY4gEEALsLQRaWUyfXtD9gtAXmo9Uq1DV9ZInd9xkxvEbLx8PJxsAnD5dV diff --git a/tests/functional/tests.d/200-scripts.sh b/tests/functional/tests.d/200-scripts.sh index 6656013..5ec3b6e 100644 --- a/tests/functional/tests.d/200-scripts.sh +++ b/tests/functional/tests.d/200-scripts.sh 
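Review bot: The new `admins_gpg_key_priv` block embeds a passphrase-protected private key (passphrase `password`) with no comment saying it is a throwaway fixture, or why its armor header is written as `PRI''VATE` with SC1078/SC1079 silenced. If the split is there to keep secret scanners from flagging the fixture, say so next to the `shellcheck disable` line, for example `# test-only key, never trust it outside the test instance; header split so secret scanners skip this fixture`. The context comment `# CF27BEC1C8266FFE EC6CEA6719EF3700` now duplicates the two new `admins_gpg_key_double*_id` variables and could be dropped. `admins_gpg_key2_password` and both `*_fp` variables are not referenced in the hunks shown here, so either remove them or note where they are consumed. The enclosing block starts and ends outside this hunk.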
@@ -26,40 +26,40 @@ testsuite_scripts() success setup_keys_generate $r0 /opt/bastion/bin/admin/setup-gpg.sh --generate contain "autogenerated with" - script setup_keys_import $r0 "\"echo '$admins_gpg_key_pub' | /opt/bastion/bin/admin/setup-gpg.sh --import\"" + script setup_keys_import_double $r0 "\"echo '$admins_gpg_key_double_pub' | /opt/bastion/bin/admin/setup-gpg.sh --import\"" retvalshouldbe 0 contain "Paste the admins" contain "50-gpg-admins-key.conf updated:" contain "50-gpg.conf updated:" - contain "Parsed and added 1 keys" - contain "GPGKEYS='1B72FD2C2215EA44'" - contain '[ "1B72FD2C2215EA44" ]' + contain "Parsed and added 2 keys" + contain REGEX "GPGKEYS='($admins_gpg_key_double1_id $admins_gpg_key_double2_id|$admins_gpg_key_double2_id $admins_gpg_key_double1_id)'" + contain REGEX "(\"$admins_gpg_key_double1_id\", \"$admins_gpg_key_double2_id\"|\"$admins_gpg_key_double2_id\", \"$admins_gpg_key_double1_id\")" nocontain "WARN:" nocontain "ERROR:" nocontain "Unexpected termination" - script setup_keys_import_2 $r0 "\"echo '$admins_gpg_key_pub_2' | /opt/bastion/bin/admin/setup-gpg.sh --import --overwrite\"" + success setup_keys_clear $r0 "\"rm -f $opt_remote_etc_bastion/osh-encrypt-rsync.conf.d/50-gpg-admins-key.conf $opt_remote_etc_bastion/osh-backup-acl-keys.conf.d/50-gpg.conf\"" + + script setup_keys_import $r0 "\"echo '$admins_gpg_key2_pub' | /opt/bastion/bin/admin/setup-gpg.sh --import\"" retvalshouldbe 0 contain "Paste the admins" - contain "50-gpg-admins-key.conf already exists, but overwriting" - contain "50-gpg.conf already exists, but overwriting" contain "Parsed and added 1 keys" - contain "GPGKEYS='25305EA2FCA333C4'" - contain '[ "25305EA2FCA333C4" ]' + contain "GPGKEYS='$admins_gpg_key2_id'" + contain '[ "'"$admins_gpg_key2_id"'" ]' nocontain "WARN:" nocontain "ERROR:" nocontain "Unexpected termination" - success setup_keys_clear $r0 "\"rm -f $opt_remote_etc_bastion/osh-encrypt-rsync.conf.d/50-gpg-admins-key.conf 
$opt_remote_etc_bastion/osh-backup-acl-keys.conf.d/50-gpg.conf\"" - - script setup_keys_import_3 $r0 "\"echo '$admins_gpg_key_pub_double' | /opt/bastion/bin/admin/setup-gpg.sh --import\"" + script setup_keys_import_overwrite $r0 "\"echo '$admins_gpg_key_pub' | /opt/bastion/bin/admin/setup-gpg.sh --import --overwrite\"" retvalshouldbe 0 contain "Paste the admins" + contain "50-gpg-admins-key.conf already exists, but overwriting" + contain "50-gpg.conf already exists, but overwriting" contain "50-gpg-admins-key.conf updated:" contain "50-gpg.conf updated:" - contain "Parsed and added 2 keys" - contain REGEX "GPGKEYS='(CF27BEC1C8266FFE EC6CEA6719EF3700|EC6CEA6719EF3700 CF27BEC1C8266FFE)'" - contain REGEX '("CF27BEC1C8266FFE", "EC6CEA6719EF3700"|"EC6CEA6719EF3700", "CF27BEC1C8266FFE")' + contain "Parsed and added 1 keys" + contain "GPGKEYS='$admins_gpg_key_id'" + contain '[ "'"$admins_gpg_key_id"'" ]' nocontain "WARN:" nocontain "ERROR:" nocontain "Unexpected termination" 
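Review bot: The new order of the three import cases looks load-bearing but is undocumented: `setup_keys_import_overwrite` now runs last and leaves `$admins_gpg_key_pub` configured. That appears to be what lets the later `encrypt_rsync_one_check` step read the encrypted file with `admins_gpg_key_priv`. A comment above it such as `# keep this import last: later tests decrypt with the private half of admins_gpg_key_pub` would stop someone from reordering the cases. Separately, the middle `setup_keys_import` case runs right after `setup_keys_clear` but, unlike the other two, does not assert `50-gpg-admins-key.conf updated:` and `50-gpg.conf updated:`; adding those two `contain` lines would confirm that both files were recreated. `testsuite_scripts()` starts and ends outside this hunk.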
@@ -135,18 +135,43 @@ testsuite_scripts() json .error_code OK .command accountAddPersonalAccess run a1_connect $a1 none@127.0.0.1 + contain 'Connecting...' # encrypt rsync (one file to encrypt) - success encrypt_rsync_none $r0 /opt/bastion/bin/cron/osh-encrypt-rsync.pl --force-encrypt --encrypt-only + success encrypt_rsync_one $r0 /opt/bastion/bin/cron/osh-encrypt-rsync.pl --force-encrypt --encrypt-only contain 'Config test passed' contain "Creating" contain "Encrypting" contain ".gpg" - contain "Done" + contain "Done, got 0 error(s) and 0 warning(s)" nocontain "WARN:" nocontain "ERROR:" nocontain "Unexpected termination" + # get one of the encrypted files name's, for the next test + local gpgfile + gpgfile=$(get_stdout | awk '/^Encrypting .+ to / {print $4;exit}' | tr -d '\r') + + # import the private key that we'll need on the next test + local keyb64 + keyb64=$(echo "$admins_gpg_key_priv" | base64 -w0) + # shellcheck disable=SC1078 + script import_gpg_secret_key "$r0 ' + set -x; + t=\$(mktemp); + echo \"$keyb64\" | base64 -d > \$t; + gpg --import --pinentry-mode loopback --passphrase-fd 0 --batch \$t <<< \"$admins_gpg_key_password\"; + rm -f \$t; + '" + retvalshouldbe 0 + contain 'secret keys imported: 1' + + # check that encrypted file is also signed, we need the private key of the recipient because + # the signature is embedded in the encrypted payload + script encrypt_rsync_one_check "$r0 gpg --list-packets --pinentry-mode loopback --passphrase-fd 0 --batch $gpgfile <<< $admins_gpg_key_password" + retvalshouldbe 0 + contain ':encrypted' + contain ':signature' # rename account script account_rename $r0 /opt/bastion/bin/admin/rename-account.sh $account1 $account2 '
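Review bot: In `import_gpg_secret_key` the remote commands are joined with `;` and the last one is `rm -f \$t`, so the status that `retvalshouldbe 0` sees is presumably that of the cleanup rather than of `gpg --import`; only `contain 'secret keys imported: 1'` really checks the import. Capturing the status keeps both checks meaningful: `gpg --import --pinentry-mode loopback --passphrase-fd 0 --batch \$t <<< \"$admins_gpg_key_password\"; rc=\$?; rm -f \$t; exit \$rc;`. `gpgfile` is also used unquoted and unchecked, so if the awk pattern matches nothing, `encrypt_rsync_one_check` runs `gpg --list-packets` without a file argument and fails in a confusing way; the test should fail explicitly when `$gpgfile` is empty. `set -x` combined with `echo \"$keyb64\"` puts the private key on the remote command line and in the trace output, which is harmless for this published fixture but deserves a comment so the pattern is not copied for a real key. `testsuite_scripts()` starts and ends outside this hunk.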