def validate_remote_usernames_against_iam_groups(config: BlessConfig, request: BlessUserRequest):
requested_remotes = request.remote_usernames.split(',')
if config.getboolean(bless_config.BLESS_OPTIONS_SECTION,
bless_config.REMOTE_USERNAMES_AGAINST_IAM_GROUPS_OPTION):
iam = boto3.client('iam')
user_groups = iam.list_groups_for_user(UserName=request.bastion_user)
iam_group_with_full_access = config.get(bless_config.BLESS_OPTIONS_SECTION,
bless_config.FULL_ACCESS_IAM_GROUP_NAME_OPTION)
# if full access iam group is set then check if the user belongs to the group
if iam_group_with_full_access != bless_config.FULL_ACCESS_IAM_GROUP_NAME_DEFAULT:
for group in user_groups['Groups']:
if group['GroupName'] == iam_group_with_full_access:
return None
group_name_template = config.get(bless_config.BLESS_OPTIONS_SECTION,
bless_config.IAM_GROUP_NAME_VALIDATION_FORMAT_OPTION)
for requested_remote in requested_remotes:
required_group_name = group_name_template.format(requested_remote)
user_is_in_group = any(
group
for group in user_groups['Groups']
if group['GroupName'] == required_group_name
)
if not user_is_in_group:
return error_response('ValidationError',
'user {} is not in the {} iam group'.format(
request.bastion_user,
required_group_name))
return None
def test_kms_config_opts(monkeypatch):
# Default option
config = BlessConfig("us-east-1",
config_file=os.path.join(os.path.dirname(__file__),
'full.cfg'))
assert config.getboolean(KMSAUTH_SECTION,
KMSAUTH_USEKMSAUTH_OPTION) is False
# Config file value
config = BlessConfig("us-east-1",
config_file=os.path.join(os.path.dirname(__file__),
'full-with-kmsauth.cfg'))
assert config.getboolean(KMSAUTH_SECTION,
KMSAUTH_USEKMSAUTH_OPTION) is True
assert config.getboolean(
KMSAUTH_SECTION,
VALIDATE_REMOTE_USERNAMES_AGAINST_IAM_GROUPS_OPTION) is False
def test_config_environment_override(monkeypatch):
extra_environment_variables = {
'bless_options_certificate_validity_after_seconds': '1',
'bless_options_certificate_validity_before_seconds': '1',
'bless_options_entropy_minimum_bits': '2',
'bless_options_random_seed_bytes': '3',
'bless_options_logging_level': 'DEBUG',
'bless_options_certificate_extensions': 'permit-X11-forwarding',
'bless_options_username_validation': 'debian',
'bless_options_remote_usernames_validation': 'useradd',
'bless_ca_us_east_1_password': '******',
'bless_ca_default_password': '******',
'bless_ca_ca_private_key_file': '<INSERT_YOUR_ENCRYPTED_PEM_FILE_NAME>',
'bless_ca_ca_private_key': str(base64.b64encode(b'<INSERT_YOUR_ENCRYPTED_PEM_FILE_CONTENT>'), encoding='ascii'),
'kms_auth_use_kmsauth': 'True',
'kms_auth_kmsauth_key_id': '<INSERT_ARN>',
'kms_auth_kmsauth_serviceid': 'bless-test',
}
for k, v in extra_environment_variables.items():
monkeypatch.setenv(k, v)
# Create an empty config, everything is set in the environment
config = BlessConfig('us-east-1', config_file='')
assert 1 == config.getint(BLESS_OPTIONS_SECTION, CERTIFICATE_VALIDITY_AFTER_SEC_OPTION)
assert 1 == config.getint(BLESS_OPTIONS_SECTION, CERTIFICATE_VALIDITY_BEFORE_SEC_OPTION)
assert 2 == config.getint(BLESS_OPTIONS_SECTION, ENTROPY_MINIMUM_BITS_OPTION)
assert 3 == config.getint(BLESS_OPTIONS_SECTION, RANDOM_SEED_BYTES_OPTION)
assert 'DEBUG' == config.get(BLESS_OPTIONS_SECTION, LOGGING_LEVEL_OPTION)
assert 'permit-X11-forwarding' == config.get(BLESS_OPTIONS_SECTION, CERTIFICATE_EXTENSIONS_OPTION)
assert 'debian' == config.get(BLESS_OPTIONS_SECTION, USERNAME_VALIDATION_OPTION)
assert 'useradd' == config.get(BLESS_OPTIONS_SECTION, REMOTE_USERNAMES_VALIDATION_OPTION)
assert '<INSERT_US-EAST-1_KMS_ENCRYPTED_BASE64_ENCODED_PEM_PASSWORD_HERE>' == config.getpassword()
assert '<INSERT_YOUR_ENCRYPTED_PEM_FILE_NAME>' == config.get(BLESS_CA_SECTION, CA_PRIVATE_KEY_FILE_OPTION)
assert b'<INSERT_YOUR_ENCRYPTED_PEM_FILE_CONTENT>' == config.getprivatekey()
assert config.getboolean(KMSAUTH_SECTION, KMSAUTH_USEKMSAUTH_OPTION)
assert '<INSERT_ARN>' == config.get(KMSAUTH_SECTION, KMSAUTH_KEY_ID_OPTION)
assert 'bless-test' == config.get(KMSAUTH_SECTION, KMSAUTH_SERVICE_ID_OPTION)
config.aws_region = 'invalid'
assert '<INSERT_DEFAULT_KMS_ENCRYPTED_BASE64_ENCODED_PEM_PASSWORD_HERE>' == config.getpassword()
def test_config_environment_override(monkeypatch):
extra_environment_variables = {
'bless_options_certificate_validity_after_seconds': '1',
'bless_options_certificate_validity_before_seconds': '1',
'bless_options_entropy_minimum_bits': '2',
'bless_options_random_seed_bytes': '3',
'bless_options_logging_level': 'DEBUG',
'bless_options_certificate_extensions': 'permit-X11-forwarding',
'bless_ca_us_east_1_password': '******',
'bless_ca_default_password': '******',
'bless_ca_ca_private_key_file': '<INSERT_YOUR_ENCRYPTED_PEM_FILE_NAME>',
'bless_ca_ca_private_key': base64.b64encode('<INSERT_YOUR_ENCRYPTED_PEM_FILE_CONTENT>'),
'kms_auth_use_kmsauth': 'True',
'kms_auth_kmsauth_key_id': '<INSERT_ARN>',
'kms_auth_kmsauth_serviceid': 'bless-test',
}
for k,v in extra_environment_variables.items():
monkeypatch.setenv(k, v)
# Create an empty config, everything is set in the environment
config = BlessConfig('us-east-1', config_file='')
assert 1 == config.getint(BLESS_OPTIONS_SECTION, CERTIFICATE_VALIDITY_AFTER_SEC_OPTION)
assert 1 == config.getint(BLESS_OPTIONS_SECTION, CERTIFICATE_VALIDITY_BEFORE_SEC_OPTION)
assert 2 == config.getint(BLESS_OPTIONS_SECTION, ENTROPY_MINIMUM_BITS_OPTION)
assert 3 == config.getint(BLESS_OPTIONS_SECTION, RANDOM_SEED_BYTES_OPTION)
assert 'DEBUG' == config.get(BLESS_OPTIONS_SECTION, LOGGING_LEVEL_OPTION)
assert 'permit-X11-forwarding' == config.get(BLESS_OPTIONS_SECTION, CERTIFICATE_EXTENSIONS_OPTION)
assert '<INSERT_US-EAST-1_KMS_ENCRYPTED_BASE64_ENCODED_PEM_PASSWORD_HERE>' == config.getpassword()
assert '<INSERT_YOUR_ENCRYPTED_PEM_FILE_NAME>' == config.get(BLESS_CA_SECTION, CA_PRIVATE_KEY_FILE_OPTION)
assert '<INSERT_YOUR_ENCRYPTED_PEM_FILE_CONTENT>' == config.getprivatekey()
assert config.getboolean(KMSAUTH_SECTION, KMSAUTH_USEKMSAUTH_OPTION)
assert '<INSERT_ARN>' == config.get(KMSAUTH_SECTION, KMSAUTH_KEY_ID_OPTION)
assert 'bless-test' == config.get(KMSAUTH_SECTION, KMSAUTH_SERVICE_ID_OPTION)
config.aws_region = 'invalid'
assert '<INSERT_DEFAULT_KMS_ENCRYPTED_BASE64_ENCODED_PEM_PASSWORD_HERE>' == config.getpassword()
def test_config_environment_override(monkeypatch):
extra_environment_variables = {
"bless_options_certificate_validity_after_seconds":
"1",
"bless_options_certificate_validity_before_seconds":
"1",
"bless_options_server_certificate_validity_after_seconds":
"1",
"bless_options_server_certificate_validity_before_seconds":
"1",
"bless_options_hostname_validation":
"disabled",
"bless_options_entropy_minimum_bits":
"2",
"bless_options_random_seed_bytes":
"3",
"bless_options_logging_level":
"DEBUG",
"bless_options_certificate_extensions":
"permit-X11-forwarding",
"bless_options_username_validation":
"debian",
"bless_options_remote_usernames_validation":
"useradd",
"bless_ca_us_east_1_password":
"******",
"bless_ca_default_password":
"******",
"bless_ca_ca_private_key_file":
"<INSERT_YOUR_ENCRYPTED_PEM_FILE_NAME>",
"bless_ca_ca_private_key":
str(
base64.b64encode(b"<INSERT_YOUR_ENCRYPTED_PEM_FILE_CONTENT>"),
encoding="ascii",
),
"kms_auth_use_kmsauth":
"True",
"kms_auth_kmsauth_key_id":
"<INSERT_ARN>",
"kms_auth_kmsauth_serviceid":
"bless-test",
}
for k, v in extra_environment_variables.items():
monkeypatch.setenv(k, v)
# Create an empty config, everything is set in the environment
config = BlessConfig("us-east-1", config_file="")
assert 1 == config.getint(BLESS_OPTIONS_SECTION,
CERTIFICATE_VALIDITY_AFTER_SEC_OPTION)
assert 1 == config.getint(BLESS_OPTIONS_SECTION,
CERTIFICATE_VALIDITY_BEFORE_SEC_OPTION)
assert 1 == config.getint(BLESS_OPTIONS_SECTION,
SERVER_CERTIFICATE_VALIDITY_BEFORE_SEC_OPTION)
assert 1 == config.getint(BLESS_OPTIONS_SECTION,
SERVER_CERTIFICATE_VALIDITY_AFTER_SEC_OPTION)
assert 2 == config.getint(BLESS_OPTIONS_SECTION,
ENTROPY_MINIMUM_BITS_OPTION)
assert 3 == config.getint(BLESS_OPTIONS_SECTION, RANDOM_SEED_BYTES_OPTION)
assert "DEBUG" == config.get(BLESS_OPTIONS_SECTION, LOGGING_LEVEL_OPTION)
assert "permit-X11-forwarding" == config.get(
BLESS_OPTIONS_SECTION, CERTIFICATE_EXTENSIONS_OPTION)
assert "debian" == config.get(BLESS_OPTIONS_SECTION,
USERNAME_VALIDATION_OPTION)
assert "disabled" == config.get(BLESS_OPTIONS_SECTION,
HOSTNAME_VALIDATION_OPTION)
assert "useradd" == config.get(BLESS_OPTIONS_SECTION,
REMOTE_USERNAMES_VALIDATION_OPTION)
assert ("<INSERT_US-EAST-1_KMS_ENCRYPTED_BASE64_ENCODED_PEM_PASSWORD_HERE>"
== config.getpassword())
assert "<INSERT_YOUR_ENCRYPTED_PEM_FILE_NAME>" == config.get(
BLESS_CA_SECTION, CA_PRIVATE_KEY_FILE_OPTION)
assert b"<INSERT_YOUR_ENCRYPTED_PEM_FILE_CONTENT>" == config.getprivatekey(
)
assert config.getboolean(KMSAUTH_SECTION, KMSAUTH_USEKMSAUTH_OPTION)
assert "<INSERT_ARN>" == config.get(KMSAUTH_SECTION, KMSAUTH_KEY_ID_OPTION)
assert "bless-test" == config.get(KMSAUTH_SECTION,
KMSAUTH_SERVICE_ID_OPTION)
config.aws_region = "invalid"
assert ("<INSERT_DEFAULT_KMS_ENCRYPTED_BASE64_ENCODED_PEM_PASSWORD_HERE>"
== config.getpassword())
