def test_separation(current_actor_context, values, expected_report):
    """Feed one OpenSshConfig per value and check whether the actor reports.

    A falsy value stands for "directive absent": the message is then fed
    without ``use_privilege_separation``. ``expected_report`` says whether a
    ``Report`` is expected after the whole batch has been consumed.
    """
    for value in values:
        fields = {'permit_root_login': [osprl]}
        if value:
            fields['use_privilege_separation'] = value
        current_actor_context.feed(OpenSshConfig(**fields))
    current_actor_context.run()

    produced = current_actor_context.consume(Report)
    if expected_report:
        assert produced
    else:
        assert not produced
def test_inhibit_if_deprecated_directives_used(monkeypatch):
    """Check that a deprecated directive yields a high-severity inhibitor report.

    ``reporting.create_report`` is swapped for a mock so the produced report
    fields (title, summary, severity, flags, remediations) can be inspected.
    """
    mock_report = create_report_mocked()
    monkeypatch.setattr(reporting, 'create_report', mock_report)

    ssh_config = OpenSshConfig(permit_root_login=[],
                               deprecated_directives=['ShowPatchLevel'])
    inhibit_if_deprecated_directives_used(ssh_config)

    assert mock_report.called == 1, (
        'Report entry was not created when deprecated directive found in the ssh config.')

    fields = mock_report.report_fields
    assert 'deprecated directive' in fields['title'].lower(), (
        'Report doesn\'t have information about deprecated directive in the title.')
    # The directive must show up in the summary spelled exactly as in the configuration
    assert 'ShowPatchLevel' in fields['summary'], (
        'Report doesn\'t contain the (mocked) deprecated directive present in the config.')
    assert fields['severity'] == 'high', 'Report has incorrect severity.'
    assert 'inhibitor' in fields['flags'], (
        'Report should have the inhibition flag set when deprecated directive is present.')
    assert fields['remediations'], 'Report should carry some remediation information.'
def test_protocol(current_actor_context, protocol):
    """A set ``Protocol`` directive must produce a Report; an unset one must not."""
    current_actor_context.feed(
        OpenSshConfig(permit_root_login=[osprl], protocol=protocol))
    current_actor_context.run()

    produced = current_actor_context.consume(Report)
    # A report is expected exactly when a protocol value was supplied
    assert bool(produced) == bool(protocol)
def test_ciphers(current_actor_context, ciphers, expected_report):
    """Feed a config with the given ``Ciphers`` value and compare against ``expected_report``."""
    current_actor_context.feed(
        OpenSshConfig(permit_root_login=[osprl], ciphers=ciphers))
    current_actor_context.run()

    produced = current_actor_context.consume(Report)
    assert bool(produced) == bool(expected_report)
def test_globally_enabled(current_actor_context):
    """An explicit top-level ``PermitRootLogin yes`` keeps its meaning.

    Configuration file in this format::

        PermitRootLogin yes  # explicit
    """
    root_login = OpenSshPermitRootLogin(value='yes', in_match=None)
    config = OpenSshConfig(permit_root_login=[root_login])
    assert not semantics_changes(config)
def test_globally_disabled_password():
    """An explicit top-level ``PermitRootLogin prohibit-password`` keeps its meaning.

    Configuration file in this format::

        PermitRootLogin prohibit-password  # explicit
    """
    root_login = OpenSshPermitRootLogin(value='prohibit-password', in_match=None)
    config = OpenSshConfig(permit_root_login=[root_login])
    assert not semantics_changes(config)
def test_globally_enabled():
    """An explicit top-level ``PermitRootLogin yes`` keeps its meaning.

    Configuration file in this format::

        PermitRootLogin yes  # explicit
    """
    root_login = OpenSshPermitRootLogin(value='yes', in_match=None)
    config = OpenSshConfig(permit_root_login=[root_login],
                           deprecated_directives=[])
    assert not semantics_changes(config)
def test_inhibit_if_deprecated_directives_used_no_deprecated_directives(
        monkeypatch):
    """Check that no report is created when the config has no deprecated directives."""
    mock_report = create_report_mocked()
    monkeypatch.setattr(reporting, 'create_report', mock_report)

    ssh_config = OpenSshConfig(permit_root_login=[], deprecated_directives=[])
    inhibit_if_deprecated_directives_used(ssh_config)

    assert mock_report.called == 0, (
        'No report should be created if no deprecated directive present in the config.')
def test_in_match_disabled(current_actor_context):
    """Implicit global default with ``no`` only inside an address Match block changes semantics.

    Configuration file in this format::

        # PermitRootLogin yes  # implicit
        Match address 10.10.*
            PermitRootLogin no
    """
    root_login = OpenSshPermitRootLogin(value='no', in_match=['address', '10.10.*'])
    config = OpenSshConfig(permit_root_login=[root_login])
    assert semantics_changes(config)
def test_in_match_all_disabled():
    """``PermitRootLogin no`` inside ``Match all`` applies everywhere, so semantics hold.

    Configuration file in this format::

        # PermitRootLogin yes  # implicit
        Match all
            PermitRootLogin no
    """
    root_login = OpenSshPermitRootLogin(value='no', in_match=['all'])
    config = OpenSshConfig(permit_root_login=[root_login])
    assert not semantics_changes(config)
def test_in_match_all_disabled_password(current_actor_context):
    """``prohibit-password`` inside ``Match all`` applies everywhere, so semantics hold.

    Configuration file in this format::

        # PermitRootLogin yes  # implicit
        Match all
            PermitRootLogin prohibit-password
    """
    root_login = OpenSshPermitRootLogin(value='prohibit-password', in_match=['all'])
    config = OpenSshConfig(permit_root_login=[root_login])
    assert not semantics_changes(config)
def test_in_match_enabled(current_actor_context):
    """``yes`` inside an address Match block with the implicit default is not flagged.

    Configuration file in this format::

        # PermitRootLogin yes  # implicit
        Match address 192.168.*
            PermitRootLogin yes
    """
    # TODO This is suspicious configuration we should probably handle separately
    root_login = OpenSshPermitRootLogin(value='yes', in_match=['address', '192.168.*'])
    config = OpenSshConfig(permit_root_login=[root_login])
    assert not semantics_changes(config)
def test_in_match_disabled_globally_enabled(current_actor_context):
    """Explicit global ``yes`` plus ``no`` in an address Match block keeps its meaning.

    Configuration file in this format::

        PermitRootLogin yes  # explicit
        Match address 192.*
            PermitRootLogin no
    """
    entries = [
        OpenSshPermitRootLogin(value='yes', in_match=None),
        OpenSshPermitRootLogin(value='no', in_match=['address', '192.*']),
    ]
    config = OpenSshConfig(permit_root_login=entries)
    assert not semantics_changes(config)
def test_in_match_disabled():
    """Implicit global default with ``no`` only inside an address Match block changes semantics.

    Configuration file in this format::

        # PermitRootLogin yes  # implicit
        Match address 10.10.*
            PermitRootLogin no
    """
    root_login = OpenSshPermitRootLogin(value='no', in_match=['address', '10.10.*'])
    config = OpenSshConfig(permit_root_login=[root_login],
                           deprecated_directives=[])
    assert semantics_changes(config)
def test_in_match_all_enabled():
    """``PermitRootLogin yes`` inside ``Match all`` applies everywhere, so semantics hold.

    Configuration file in this format::

        # PermitRootLogin yes  # implicit
        Match all
            PermitRootLogin yes
    """
    root_login = OpenSshPermitRootLogin(value='yes', in_match=['all'])
    config = OpenSshConfig(permit_root_login=[root_login],
                           deprecated_directives=[])
    assert not semantics_changes(config)
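def test_in_match_disabled_password():
    """Implicit global default with ``prohibit-password`` only inside an address Match block changes semantics.

    Configuration file in this format::

        # PermitRootLogin yes  # implicit
        Match address 10.10.*
            PermitRootLogin prohibit-password

    The docstring previously showed ``192.168.*`` while the constructed config
    matches ``10.10.*``; the comment now describes the config actually tested.
    """
    root_login = OpenSshPermitRootLogin(value='prohibit-password',
                                        in_match=['address', '10.10.*'])
    config = OpenSshConfig(permit_root_login=[root_login])
    assert semantics_changes(config)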
def test_in_match_enabled_globally_disabled():
    """Explicit global ``no`` plus ``yes`` in an address Match block keeps its meaning.

    Configuration file in this format::

        PermitRootLogin no  # explicit
        Match address 192.*
            PermitRootLogin yes
    """
    entries = [
        OpenSshPermitRootLogin(value='no', in_match=None),
        OpenSshPermitRootLogin(value='yes', in_match=['address', '192.*']),
    ]
    config = OpenSshConfig(permit_root_login=entries,
                           deprecated_directives=[])
    assert not semantics_changes(config)
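def parse_config(config):
    """Parse OpenSSH server configuration or the output of sshd test option.

    :param config: iterable of configuration lines (raw ``sshd_config`` text or
        the output of the sshd test option)
    :returns: ``OpenSshConfig`` holding every ``PermitRootLogin`` occurrence
        (tagged with the criteria of the enclosing ``Match`` block, or ``None``
        at top level), the first -- and therefore effective -- value of the
        single-occurrence directives, and the deprecated directives found
        (spelled as in the config, each listed once).
    """
    # RHEL7 defaults
    ret = OpenSshConfig(permit_root_login=[], deprecated_directives=[])
    # Criteria of the Match block being parsed; None while outside any block
    in_match = None
    for raw_line in config:
        line = raw_line.strip()
        if line_empty(line):
            continue
        el = line.split()
        if len(el) < 2:
            continue
        # sshd keywords are case-insensitive: compare lowercased, but keep the
        # original spelling (el[0]) for reporting deprecated directives
        keyword = el[0].lower()
        value = el[1]
        if keyword == 'match':
            in_match = el[1:]
            continue
        if keyword == 'permitrootlogin':
            # convert deprecated alias
            if value == "without-password":
                value = "prohibit-password"
            ret.permit_root_login.append(
                OpenSshPermitRootLogin(value=value, in_match=in_match))
        elif keyword == 'useprivilegeseparation':
            # Record only first occurrence, which is effective
            if not ret.use_privilege_separation:
                ret.use_privilege_separation = value
        elif keyword == 'protocol':
            # Record only first occurrence, which is effective
            if not ret.protocol:
                ret.protocol = value
        elif keyword == 'ciphers':
            # Record only first occurrence, which is effective
            if not ret.ciphers:
                ret.ciphers = value
        elif keyword == 'macs':
            # Record only first occurrence, which is effective
            if not ret.macs:
                ret.macs = value
        elif keyword in DEPRECATED_DIRECTIVES:
            # Filter out duplicate occurrences of the same deprecated directive.
            # The stored entries keep their original case, so the comparison
            # has to be case-insensitive, otherwise e.g. a mixed-case directive
            # repeated twice would be listed twice.
            already_seen = {d.lower() for d in ret.deprecated_directives}
            if keyword not in already_seen:
                # Use the directive in the form as found in config for user convenience
                ret.deprecated_directives.append(el[0])
    return ret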
def test_produce_config():
    """produce_config must hand exactly the given OpenSshConfig to the producer, unchanged."""
    captured = []

    def capture(*messages):
        captured.extend(messages)

    config = OpenSshConfig(
        permit_root_login=[OpenSshPermitRootLogin(value="no")],
        use_privilege_separation="yes",
        protocol="1",
    )
    produce_config(capture, config)

    assert len(captured) == 1
    (cfg,) = captured
    assert len(cfg.permit_root_login) == 1
    assert cfg.permit_root_login[0].value == "no"
    assert cfg.use_privilege_separation == "yes"
    assert cfg.protocol == '1'