# vim: set filetype=sh ts=4 sw=4 sts=4 et: # shellcheck shell=bash # shellcheck disable=SC2317,SC2086,SC2016,SC2046 # below: convoluted way that forces shellcheck to source our caller # shellcheck source=tests/functional/launch_tests_on_instance.sh . "$(dirname "${BASH_SOURCE[0]}")"/dummy testsuite_scripts() { # try to backup without having a GPG key setup first success backup_config $r0 "\"echo DESTDIR='/root/backups' >> $opt_remote_etc_bastion/osh-backup-acl-keys.conf\"" success backup_run_nokey $r0 /opt/bastion/bin/cron/osh-backup-acl-keys.sh contain "Creating /root/backups/backup-" contain "File created" contain "will not be encrypted" nocontain "Encrypting" contain "Done" nocontain "ERROR:" nocontain "Unexpected termination" # generate & import keys success setup_keys_generate $r0 /opt/bastion/bin/admin/setup-gpg.sh --generate contain "autogenerated with" script setup_keys_import_double $r0 "\"echo '$admins_gpg_key_double_pub' | /opt/bastion/bin/admin/setup-gpg.sh --import\"" retvalshouldbe 0 contain "Paste the admins" contain "50-gpg-admins-key.conf updated:" contain "50-gpg.conf updated:" contain "Parsed and added 2 keys" contain REGEX "GPGKEYS='($admins_gpg_key_double1_id $admins_gpg_key_double2_id|$admins_gpg_key_double2_id $admins_gpg_key_double1_id)'" contain REGEX "(\"$admins_gpg_key_double1_id\", \"$admins_gpg_key_double2_id\"|\"$admins_gpg_key_double2_id\", \"$admins_gpg_key_double1_id\")" nocontain "WARN:" nocontain "ERROR:" nocontain "Unexpected termination" success setup_keys_clear $r0 "\"rm -f $opt_remote_etc_bastion/osh-encrypt-rsync.conf.d/50-gpg-admins-key.conf $opt_remote_etc_bastion/osh-backup-acl-keys.conf.d/50-gpg.conf\"" script setup_keys_import $r0 "\"echo '$admins_gpg_key2_pub' | /opt/bastion/bin/admin/setup-gpg.sh --import\"" retvalshouldbe 0 contain "Paste the admins" contain "Parsed and added 1 keys" contain "GPGKEYS='$admins_gpg_key2_id'" contain '[ "'"$admins_gpg_key2_id"'" ]' nocontain "WARN:" nocontain "ERROR:" nocontain "Unexpected termination" script setup_keys_import_overwrite $r0 "\"echo '$admins_gpg_key_pub' | /opt/bastion/bin/admin/setup-gpg.sh --import --overwrite\"" retvalshouldbe 0 contain "Paste the admins" contain "50-gpg-admins-key.conf already exists, but overwriting" contain "50-gpg.conf already exists, but overwriting" contain "50-gpg-admins-key.conf updated:" contain "50-gpg.conf updated:" contain "Parsed and added 1 keys" contain "GPGKEYS='$admins_gpg_key_id'" contain '[ "'"$admins_gpg_key_id"'" ]' nocontain "WARN:" nocontain "ERROR:" nocontain "Unexpected termination" # backup again success backup_run_key $r0 /opt/bastion/bin/cron/osh-backup-acl-keys.sh contain "Creating /root/backups/backup-" contain "File created" nocontain "will not be encrypted" contain "Encrypting" contain "Done" nocontain "WARN:" nocontain "ERROR:" nocontain "Unexpected termination" # lingering sessions reaper success lingering_sessions_reaper $r0 /opt/bastion/bin/cron/osh-lingering-sessions-reaper.sh contain "Done" nocontain "WARN:" nocontain "ERROR:" nocontain "Unexpected termination" # orphaned homedirs success orphaned_homedirs $r0 /opt/bastion/bin/cron/osh-orphaned-homedir.sh contain "master instance" nocontain "WARN:" nocontain "ERROR:" nocontain "Unexpected termination" # piv grace reaper is handled in 400-piv.sh # ttyrec rotate success rotate_ttyrec $r0 /opt/bastion/bin/cron/osh-rotate-ttyrec.sh contain "Done" nocontain "WARN:" nocontain "ERROR:" nocontain "Unexpected termination" # cleanup guest key access success cleanup_guest_key_access $r0 /opt/bastion/bin/cron/osh-cleanup-guest-key-access.pl contain "Done" nocontain "WARN:" nocontain "ERROR:" nocontain "Unexpected termination" # encrypt rsync (nothing to encrypt) success encrypt_rsync_none $r0 /opt/bastion/bin/cron/osh-encrypt-rsync.pl contain 'Config test passed' contain "Done" nocontain "WARN:" nocontain "ERROR:" nocontain "Unexpected termination" # ttyrec subfolders cleanup success ttyrec_cleanup $r0 /opt/bastion/bin/cron/osh-remove-empty-folders.sh contain "Done" nocontain "WARN:" nocontain "ERROR:" nocontain "Unexpected termination" # create and account and connect one to have a ttyrec file success a0_create_a1 $a0 --osh accountCreate --always-active --account $account1 --uid $uid1 --public-key "\"$(cat $account1key1file.pub)\"" json .error_code OK .command accountCreate .value null success a0_allow_a1 $a0 --osh accountAddPersonalAccess --account $account1 --host 127.0.0.1 --user none --port 22 json .error_code OK .command accountAddPersonalAccess run a1_connect $a1 none@127.0.0.1 contain 'Connecting...' # encrypt rsync (one file to encrypt) success encrypt_rsync_one $r0 /opt/bastion/bin/cron/osh-encrypt-rsync.pl --force-encrypt --encrypt-only contain 'Config test passed' contain "Creating" contain "Encrypting" contain ".gpg" contain "Done, got 0 error(s) and 0 warning(s)" nocontain "WARN:" nocontain "ERROR:" nocontain "Unexpected termination" # get one of the encrypted files name's, for the next test local gpgfile gpgfile=$(get_stdout | awk '/^Encrypting .+ to / {print $4;exit}' | tr -d '\r') # import the private key that we'll need on the next test local keyb64 keyb64=$(echo "$admins_gpg_key_priv" | base64 -w0) # shellcheck disable=SC1078 script import_gpg_secret_key "$r0 ' set -x; t=\$(mktemp); echo \"$keyb64\" | base64 -d > \$t; gpg --import --pinentry-mode loopback --passphrase-fd 0 --batch \$t <<< \"$admins_gpg_key_password\"; rm -f \$t; '" retvalshouldbe 0 contain 'secret keys imported: 1' # check that encrypted file is also signed, we need the private key of the recipient because # the signature is embedded in the encrypted payload script encrypt_rsync_one_check "$r0 gpg --list-packets --pinentry-mode loopback --passphrase-fd 0 --batch $gpgfile <<< $admins_gpg_key_password" retvalshouldbe 0 contain ':encrypted' contain ':signature' # rename account script account_rename $r0 /opt/bastion/bin/admin/rename-account.sh $account1 $account2 '