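def validate_remote_usernames_against_iam_groups(config: BlessConfig, request: BlessUserRequest):
    """Authorize each requested remote username against the bastion user's IAM groups.

    When ``REMOTE_USERNAMES_AGAINST_IAM_GROUPS_OPTION`` is enabled, every
    comma-separated entry of ``request.remote_usernames`` must map (through the
    ``IAM_GROUP_NAME_VALIDATION_FORMAT_OPTION`` template) to an IAM group that
    ``request.bastion_user`` belongs to. Membership of the optional full-access
    group (``FULL_ACCESS_IAM_GROUP_NAME_OPTION``, when it differs from its
    default) bypasses the per-username check entirely.

    Args:
        config: Loaded BLESS configuration.
        request: Parsed user-certificate request.

    Returns:
        ``None`` when the check is disabled or passes; otherwise the
        ``error_response('ValidationError', ...)`` naming the first required
        group the bastion user is not a member of.

    Raises:
        Whatever ``boto3`` raises if the IAM lookup fails (for example an
        unknown ``bastion_user``). The exception propagates instead of being
        turned into an allow, so lookup failures are fail-closed.
    """
    requested_remotes = request.remote_usernames.split(',')

    if not config.getboolean(bless_config.BLESS_OPTIONS_SECTION,
                             bless_config.REMOTE_USERNAMES_AGAINST_IAM_GROUPS_OPTION):
        return None

    # NOTE(review): this authorization is only as strong as the authentication
    # of request.bastion_user. Presumably that identity is verified before this
    # point (e.g. by kmsauth) -- confirm, because a client-asserted bastion_user
    # could otherwise be chosen to satisfy any group check.
    iam = boto3.client('iam')
    # NOTE(review): list_groups_for_user is, to my knowledge, a paginated API
    # and only the first page is inspected here. Because a missing group can
    # only deny (never grant), a truncated listing fails closed.
    user_groups = iam.list_groups_for_user(UserName=request.bastion_user)
    # Collect the names once; both checks below are simple membership tests.
    user_group_names = {group['GroupName'] for group in user_groups['Groups']}

    iam_group_with_full_access = config.get(bless_config.BLESS_OPTIONS_SECTION,
                                            bless_config.FULL_ACCESS_IAM_GROUP_NAME_OPTION)
    # A configured (non-default) full-access group short-circuits all
    # per-username checks for its members.
    if (iam_group_with_full_access != bless_config.FULL_ACCESS_IAM_GROUP_NAME_DEFAULT
            and iam_group_with_full_access in user_group_names):
        return None

    group_name_template = config.get(bless_config.BLESS_OPTIONS_SECTION,
                                     bless_config.IAM_GROUP_NAME_VALIDATION_FORMAT_OPTION)
    for requested_remote in requested_remotes:
        # The request-controlled value is passed as a format *argument*, never
        # as the template, so it cannot introduce format fields of its own.
        # Comparison is an exact string match against the IAM group names.
        required_group_name = group_name_template.format(requested_remote)
        if required_group_name not in user_group_names:
            return error_response('ValidationError',
                                  'user {} is not in the {} iam group'.format(
                                      request.bastion_user, required_group_name))
    return None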
def test_kms_config_opts(monkeypatch):
    """KMS-auth options come from the config file and otherwise fall back to defaults."""
    fixtures_dir = os.path.dirname(__file__)

    # full.cfg is expected to leave kmsauth at its default, i.e. disabled.
    default_config = BlessConfig("us-east-1",
                                 config_file=os.path.join(fixtures_dir, 'full.cfg'))
    assert default_config.getboolean(KMSAUTH_SECTION, KMSAUTH_USEKMSAUTH_OPTION) is False

    # full-with-kmsauth.cfg turns kmsauth on; the IAM-group validation flag is
    # not set there and so must still read as its (False) default.
    kmsauth_config = BlessConfig("us-east-1",
                                 config_file=os.path.join(fixtures_dir, 'full-with-kmsauth.cfg'))
    assert kmsauth_config.getboolean(KMSAUTH_SECTION, KMSAUTH_USEKMSAUTH_OPTION) is True
    assert kmsauth_config.getboolean(
        KMSAUTH_SECTION, VALIDATE_REMOTE_USERNAMES_AGAINST_IAM_GROUPS_OPTION) is False
def test_config_environment_override(monkeypatch):
    """Every option can be supplied via the environment with no config file at all."""
    # NOTE(review): the two password values look redacted in this copy
    # ('******'). The assertions below expect the placeholder strings, so the
    # original environment values were presumably those same placeholders.
    encoded_private_key = str(
        base64.b64encode(b'<INSERT_YOUR_ENCRYPTED_PEM_FILE_CONTENT>'), encoding='ascii')
    environment = {
        'bless_options_certificate_validity_after_seconds': '1',
        'bless_options_certificate_validity_before_seconds': '1',
        'bless_options_entropy_minimum_bits': '2',
        'bless_options_random_seed_bytes': '3',
        'bless_options_logging_level': 'DEBUG',
        'bless_options_certificate_extensions': 'permit-X11-forwarding',
        'bless_options_username_validation': 'debian',
        'bless_options_remote_usernames_validation': 'useradd',
        'bless_ca_us_east_1_password': '******',
        'bless_ca_default_password': '******',
        'bless_ca_ca_private_key_file': '<INSERT_YOUR_ENCRYPTED_PEM_FILE_NAME>',
        'bless_ca_ca_private_key': encoded_private_key,
        'kms_auth_use_kmsauth': 'True',
        'kms_auth_kmsauth_key_id': '<INSERT_ARN>',
        'kms_auth_kmsauth_serviceid': 'bless-test',
    }
    for name, value in environment.items():
        monkeypatch.setenv(name, value)

    # Empty config file: everything must resolve from the environment.
    config = BlessConfig('us-east-1', config_file='')

    expected_ints = [
        (CERTIFICATE_VALIDITY_AFTER_SEC_OPTION, 1),
        (CERTIFICATE_VALIDITY_BEFORE_SEC_OPTION, 1),
        (ENTROPY_MINIMUM_BITS_OPTION, 2),
        (RANDOM_SEED_BYTES_OPTION, 3),
    ]
    for option, expected in expected_ints:
        assert expected == config.getint(BLESS_OPTIONS_SECTION, option)

    expected_strings = [
        (BLESS_OPTIONS_SECTION, LOGGING_LEVEL_OPTION, 'DEBUG'),
        (BLESS_OPTIONS_SECTION, CERTIFICATE_EXTENSIONS_OPTION, 'permit-X11-forwarding'),
        (BLESS_OPTIONS_SECTION, USERNAME_VALIDATION_OPTION, 'debian'),
        (BLESS_OPTIONS_SECTION, REMOTE_USERNAMES_VALIDATION_OPTION, 'useradd'),
        (BLESS_CA_SECTION, CA_PRIVATE_KEY_FILE_OPTION, '<INSERT_YOUR_ENCRYPTED_PEM_FILE_NAME>'),
        (KMSAUTH_SECTION, KMSAUTH_KEY_ID_OPTION, '<INSERT_ARN>'),
        (KMSAUTH_SECTION, KMSAUTH_SERVICE_ID_OPTION, 'bless-test'),
    ]
    for section, option, expected in expected_strings:
        assert expected == config.get(section, option)

    # Region-specific password wins while the region is known.
    assert '<INSERT_US-EAST-1_KMS_ENCRYPTED_BASE64_ENCODED_PEM_PASSWORD_HERE>' == config.getpassword()
    # The private key round-trips through base64 back to the original bytes.
    assert b'<INSERT_YOUR_ENCRYPTED_PEM_FILE_CONTENT>' == config.getprivatekey()
    assert config.getboolean(KMSAUTH_SECTION, KMSAUTH_USEKMSAUTH_OPTION)

    # An unknown region falls back to the default password.
    config.aws_region = 'invalid'
    assert '<INSERT_DEFAULT_KMS_ENCRYPTED_BASE64_ENCODED_PEM_PASSWORD_HERE>' == config.getpassword()
def test_config_environment_override(monkeypatch):
    """Every option can be supplied via the environment with no config file at all."""
    # NOTE(review): base64.b64encode is handed a str here, which only works on
    # Python 2; on Python 3 it raises TypeError (bytes-like required). The
    # matching getprivatekey() assertion also expects a str, so this revision
    # of the test is Python 2 era.
    # NOTE(review): the two password values look redacted in this copy
    # ('******'); the assertions below expect the placeholder strings.
    encoded_private_key = base64.b64encode('<INSERT_YOUR_ENCRYPTED_PEM_FILE_CONTENT>')
    environment = {
        'bless_options_certificate_validity_after_seconds': '1',
        'bless_options_certificate_validity_before_seconds': '1',
        'bless_options_entropy_minimum_bits': '2',
        'bless_options_random_seed_bytes': '3',
        'bless_options_logging_level': 'DEBUG',
        'bless_options_certificate_extensions': 'permit-X11-forwarding',
        'bless_ca_us_east_1_password': '******',
        'bless_ca_default_password': '******',
        'bless_ca_ca_private_key_file': '<INSERT_YOUR_ENCRYPTED_PEM_FILE_NAME>',
        'bless_ca_ca_private_key': encoded_private_key,
        'kms_auth_use_kmsauth': 'True',
        'kms_auth_kmsauth_key_id': '<INSERT_ARN>',
        'kms_auth_kmsauth_serviceid': 'bless-test',
    }
    for name, value in environment.items():
        monkeypatch.setenv(name, value)

    # Empty config file: everything must resolve from the environment.
    config = BlessConfig('us-east-1', config_file='')

    expected_ints = [
        (CERTIFICATE_VALIDITY_AFTER_SEC_OPTION, 1),
        (CERTIFICATE_VALIDITY_BEFORE_SEC_OPTION, 1),
        (ENTROPY_MINIMUM_BITS_OPTION, 2),
        (RANDOM_SEED_BYTES_OPTION, 3),
    ]
    for option, expected in expected_ints:
        assert expected == config.getint(BLESS_OPTIONS_SECTION, option)

    expected_strings = [
        (BLESS_OPTIONS_SECTION, LOGGING_LEVEL_OPTION, 'DEBUG'),
        (BLESS_OPTIONS_SECTION, CERTIFICATE_EXTENSIONS_OPTION, 'permit-X11-forwarding'),
        (BLESS_CA_SECTION, CA_PRIVATE_KEY_FILE_OPTION, '<INSERT_YOUR_ENCRYPTED_PEM_FILE_NAME>'),
        (KMSAUTH_SECTION, KMSAUTH_KEY_ID_OPTION, '<INSERT_ARN>'),
        (KMSAUTH_SECTION, KMSAUTH_SERVICE_ID_OPTION, 'bless-test'),
    ]
    for section, option, expected in expected_strings:
        assert expected == config.get(section, option)

    # Region-specific password wins while the region is known.
    assert '<INSERT_US-EAST-1_KMS_ENCRYPTED_BASE64_ENCODED_PEM_PASSWORD_HERE>' == config.getpassword()
    # The private key round-trips through base64 back to the original text.
    assert '<INSERT_YOUR_ENCRYPTED_PEM_FILE_CONTENT>' == config.getprivatekey()
    assert config.getboolean(KMSAUTH_SECTION, KMSAUTH_USEKMSAUTH_OPTION)

    # An unknown region falls back to the default password.
    config.aws_region = 'invalid'
    assert '<INSERT_DEFAULT_KMS_ENCRYPTED_BASE64_ENCODED_PEM_PASSWORD_HERE>' == config.getpassword()
def test_config_environment_override(monkeypatch):
    """Every option, including server-cert and hostname settings, can come from the environment."""
    # NOTE(review): the two password values look redacted in this copy
    # ("******"). The assertions below expect the placeholder strings, so the
    # original environment values were presumably those same placeholders.
    encoded_private_key = str(
        base64.b64encode(b"<INSERT_YOUR_ENCRYPTED_PEM_FILE_CONTENT>"),
        encoding="ascii",
    )
    environment = {
        "bless_options_certificate_validity_after_seconds": "1",
        "bless_options_certificate_validity_before_seconds": "1",
        "bless_options_server_certificate_validity_after_seconds": "1",
        "bless_options_server_certificate_validity_before_seconds": "1",
        "bless_options_hostname_validation": "disabled",
        "bless_options_entropy_minimum_bits": "2",
        "bless_options_random_seed_bytes": "3",
        "bless_options_logging_level": "DEBUG",
        "bless_options_certificate_extensions": "permit-X11-forwarding",
        "bless_options_username_validation": "debian",
        "bless_options_remote_usernames_validation": "useradd",
        "bless_ca_us_east_1_password": "******",
        "bless_ca_default_password": "******",
        "bless_ca_ca_private_key_file": "<INSERT_YOUR_ENCRYPTED_PEM_FILE_NAME>",
        "bless_ca_ca_private_key": encoded_private_key,
        "kms_auth_use_kmsauth": "True",
        "kms_auth_kmsauth_key_id": "<INSERT_ARN>",
        "kms_auth_kmsauth_serviceid": "bless-test",
    }
    for name, value in environment.items():
        monkeypatch.setenv(name, value)

    # Empty config file: everything must resolve from the environment.
    config = BlessConfig("us-east-1", config_file="")

    expected_ints = [
        (CERTIFICATE_VALIDITY_AFTER_SEC_OPTION, 1),
        (CERTIFICATE_VALIDITY_BEFORE_SEC_OPTION, 1),
        (SERVER_CERTIFICATE_VALIDITY_BEFORE_SEC_OPTION, 1),
        (SERVER_CERTIFICATE_VALIDITY_AFTER_SEC_OPTION, 1),
        (ENTROPY_MINIMUM_BITS_OPTION, 2),
        (RANDOM_SEED_BYTES_OPTION, 3),
    ]
    for option, expected in expected_ints:
        assert expected == config.getint(BLESS_OPTIONS_SECTION, option)

    expected_strings = [
        (BLESS_OPTIONS_SECTION, LOGGING_LEVEL_OPTION, "DEBUG"),
        (BLESS_OPTIONS_SECTION, CERTIFICATE_EXTENSIONS_OPTION, "permit-X11-forwarding"),
        (BLESS_OPTIONS_SECTION, USERNAME_VALIDATION_OPTION, "debian"),
        (BLESS_OPTIONS_SECTION, HOSTNAME_VALIDATION_OPTION, "disabled"),
        (BLESS_OPTIONS_SECTION, REMOTE_USERNAMES_VALIDATION_OPTION, "useradd"),
        (BLESS_CA_SECTION, CA_PRIVATE_KEY_FILE_OPTION, "<INSERT_YOUR_ENCRYPTED_PEM_FILE_NAME>"),
        (KMSAUTH_SECTION, KMSAUTH_KEY_ID_OPTION, "<INSERT_ARN>"),
        (KMSAUTH_SECTION, KMSAUTH_SERVICE_ID_OPTION, "bless-test"),
    ]
    for section, option, expected in expected_strings:
        assert expected == config.get(section, option)

    # Region-specific password wins while the region is known.
    assert ("<INSERT_US-EAST-1_KMS_ENCRYPTED_BASE64_ENCODED_PEM_PASSWORD_HERE>"
            == config.getpassword())
    # The private key round-trips through base64 back to the original bytes.
    assert b"<INSERT_YOUR_ENCRYPTED_PEM_FILE_CONTENT>" == config.getprivatekey()
    assert config.getboolean(KMSAUTH_SECTION, KMSAUTH_USEKMSAUTH_OPTION)

    # An unknown region falls back to the default password.
    config.aws_region = "invalid"
    assert ("<INSERT_DEFAULT_KMS_ENCRYPTED_BASE64_ENCODED_PEM_PASSWORD_HERE>"
            == config.getpassword())