def validate_remote_usernames_against_iam_groups(config: BlessConfig, request: BlessUserRequest):
    """Check that the bastion user may request every remote username it asked for.

    Only enforced when the REMOTE_USERNAMES_AGAINST_IAM_GROUPS option is enabled;
    otherwise the request is accepted as-is.  Each comma-separated entry of
    ``request.remote_usernames`` is taken verbatim (no whitespace stripping) and
    turned into an IAM group name through the configured template; the bastion
    user has to be a member of that group.  Membership of the configured
    full-access group, when one is set, satisfies every remote username at once.

    Args:
        config: Loaded BLESS configuration (options are read from BLESS_OPTIONS_SECTION).
        request: The certificate request; ``bastion_user`` is looked up in IAM and
            ``remote_usernames`` is the comma-separated list being validated.

    Returns:
        None when validation passes or is disabled, otherwise the ``error_response``
        for the first remote username whose IAM group the user is not in.  The
        check is fail-closed: remaining usernames are not examined after a miss.
    """
    requested_remotes = request.remote_usernames.split(',')

    enforce = config.getboolean(bless_config.BLESS_OPTIONS_SECTION,
                                bless_config.REMOTE_USERNAMES_AGAINST_IAM_GROUPS_OPTION)
    if not enforce:
        return None

    # Group membership comes from IAM via the default boto3 credential chain;
    # nothing in the request influences which groups are returned.
    iam = boto3.client('iam')
    user_groups = iam.list_groups_for_user(UserName=request.bastion_user)
    member_of = {group['GroupName'] for group in user_groups['Groups']}

    full_access_group = config.get(bless_config.BLESS_OPTIONS_SECTION,
                                   bless_config.FULL_ACCESS_IAM_GROUP_NAME_OPTION)
    # A non-default full-access group bypasses the per-username checks entirely.
    if full_access_group != bless_config.FULL_ACCESS_IAM_GROUP_NAME_DEFAULT:
        if full_access_group in member_of:
            return None

    group_name_template = config.get(bless_config.BLESS_OPTIONS_SECTION,
                                     bless_config.IAM_GROUP_NAME_VALIDATION_FORMAT_OPTION)
    for remote in requested_remotes:
        # The remote username is only ever a format *argument*; the template
        # itself comes from trusted configuration.
        required_group = group_name_template.format(remote)
        if required_group not in member_of:
            return error_response(
                'ValidationError',
                'user {} is not in the {} iam group'.format(request.bastion_user,
                                                           required_group))

    return None
def test_kms_config_opts(monkeypatch):
    """kmsauth is off in the default fixture and on in the kmsauth fixture.

    Both fixtures live next to this test module.  ``monkeypatch`` is the pytest
    fixture and is not used by this test.
    """
    fixture_dir = os.path.dirname(__file__)

    # Default option: the plain 'full.cfg' fixture.
    default_config = BlessConfig("us-east-1",
                                 config_file=os.path.join(fixture_dir, 'full.cfg'))
    assert default_config.getboolean(KMSAUTH_SECTION,
                                     KMSAUTH_USEKMSAUTH_OPTION) is False

    # Config file value: 'full-with-kmsauth.cfg' turns kmsauth on, while the
    # IAM-group validation of remote usernames stays off.
    kmsauth_config = BlessConfig("us-east-1",
                                 config_file=os.path.join(fixture_dir, 'full-with-kmsauth.cfg'))
    assert kmsauth_config.getboolean(KMSAUTH_SECTION,
                                     KMSAUTH_USEKMSAUTH_OPTION) is True
    assert kmsauth_config.getboolean(
        KMSAUTH_SECTION,
        VALIDATE_REMOTE_USERNAMES_AGAINST_IAM_GROUPS_OPTION) is False
def test_config_environment_override(monkeypatch):
    """Every option can be supplied through the environment with no config file.

    One ``<section>_<option>`` environment variable is set per option, an empty
    config file is loaded, and each getter is expected to return the environment
    value.  The final assertion switches ``aws_region`` to a region that has no
    password entry and expects the default password instead.
    """
    env_overrides = {
        # [bless_options]
        'bless_options_certificate_validity_after_seconds': '1',
        'bless_options_certificate_validity_before_seconds': '1',
        'bless_options_entropy_minimum_bits': '2',
        'bless_options_random_seed_bytes': '3',
        'bless_options_logging_level': 'DEBUG',
        'bless_options_certificate_extensions': 'permit-X11-forwarding',
        'bless_options_username_validation': 'debian',
        'bless_options_remote_usernames_validation': 'useradd',
        # [bless_ca] -- NOTE(review): the two password values set here ('******')
        # are not the strings asserted against getpassword() further down; they
        # look redacted in this listing, so confirm the real fixture values upstream.
        'bless_ca_us_east_1_password': '******',
        'bless_ca_default_password': '******',
        'bless_ca_ca_private_key_file': '<INSERT_YOUR_ENCRYPTED_PEM_FILE_NAME>',
        'bless_ca_ca_private_key': str(base64.b64encode(b'<INSERT_YOUR_ENCRYPTED_PEM_FILE_CONTENT>'), encoding='ascii'),
        # [kms_auth]
        'kms_auth_use_kmsauth': 'True',
        'kms_auth_kmsauth_key_id': '<INSERT_ARN>',
        'kms_auth_kmsauth_serviceid': 'bless-test',
    }
    for name, value in env_overrides.items():
        monkeypatch.setenv(name, value)

    # Empty config file: every value has to come from the environment.
    config = BlessConfig('us-east-1', config_file='')

    expected_ints = [
        (CERTIFICATE_VALIDITY_AFTER_SEC_OPTION, 1),
        (CERTIFICATE_VALIDITY_BEFORE_SEC_OPTION, 1),
        (ENTROPY_MINIMUM_BITS_OPTION, 2),
        (RANDOM_SEED_BYTES_OPTION, 3),
    ]
    for option, expected in expected_ints:
        assert config.getint(BLESS_OPTIONS_SECTION, option) == expected

    expected_strings = [
        (LOGGING_LEVEL_OPTION, 'DEBUG'),
        (CERTIFICATE_EXTENSIONS_OPTION, 'permit-X11-forwarding'),
        (USERNAME_VALIDATION_OPTION, 'debian'),
        (REMOTE_USERNAMES_VALIDATION_OPTION, 'useradd'),
    ]
    for option, expected in expected_strings:
        assert config.get(BLESS_OPTIONS_SECTION, option) == expected

    # CA material: the password is keyed on the region; the private key that was
    # base64-encoded into the environment comes back decoded as bytes.
    assert config.getpassword() == '<INSERT_US-EAST-1_KMS_ENCRYPTED_BASE64_ENCODED_PEM_PASSWORD_HERE>'
    assert config.get(BLESS_CA_SECTION, CA_PRIVATE_KEY_FILE_OPTION) == '<INSERT_YOUR_ENCRYPTED_PEM_FILE_NAME>'
    assert config.getprivatekey() == b'<INSERT_YOUR_ENCRYPTED_PEM_FILE_CONTENT>'

    assert config.getboolean(KMSAUTH_SECTION, KMSAUTH_USEKMSAUTH_OPTION)
    assert config.get(KMSAUTH_SECTION, KMSAUTH_KEY_ID_OPTION) == '<INSERT_ARN>'
    assert config.get(KMSAUTH_SECTION, KMSAUTH_SERVICE_ID_OPTION) == 'bless-test'

    # A region without a password of its own falls back to the default password.
    config.aws_region = 'invalid'
    assert config.getpassword() == '<INSERT_DEFAULT_KMS_ENCRYPTED_BASE64_ENCODED_PEM_PASSWORD_HERE>'
def test_config_environment_override(monkeypatch):
    """Every option can be supplied through the environment with no config file.

    One ``<section>_<option>`` environment variable is set per option, an empty
    config file is loaded, and each getter is expected to return the environment
    value.  The final assertion switches ``aws_region`` to a region that has no
    password entry and expects the default password instead.
    """
    env_overrides = {
        # [bless_options]
        'bless_options_certificate_validity_after_seconds': '1',
        'bless_options_certificate_validity_before_seconds': '1',
        'bless_options_entropy_minimum_bits': '2',
        'bless_options_random_seed_bytes': '3',
        'bless_options_logging_level': 'DEBUG',
        'bless_options_certificate_extensions': 'permit-X11-forwarding',
        # [bless_ca] -- NOTE(review): the two password values set here ('******')
        # are not the strings asserted against getpassword() further down; they
        # look redacted in this listing, so confirm the real fixture values upstream.
        'bless_ca_us_east_1_password': '******',
        'bless_ca_default_password': '******',
        'bless_ca_ca_private_key_file': '<INSERT_YOUR_ENCRYPTED_PEM_FILE_NAME>',
        # NOTE(review): b64encode of a text literal only works on Python 2; on
        # Python 3 it needs a bytes-like argument and getprivatekey() would then
        # be compared against bytes, not str.
        'bless_ca_ca_private_key': base64.b64encode('<INSERT_YOUR_ENCRYPTED_PEM_FILE_CONTENT>'),
        # [kms_auth]
        'kms_auth_use_kmsauth': 'True',
        'kms_auth_kmsauth_key_id': '<INSERT_ARN>',
        'kms_auth_kmsauth_serviceid': 'bless-test',
    }
    for name, value in env_overrides.items():
        monkeypatch.setenv(name, value)

    # Empty config file: every value has to come from the environment.
    config = BlessConfig('us-east-1', config_file='')

    expected_ints = [
        (CERTIFICATE_VALIDITY_AFTER_SEC_OPTION, 1),
        (CERTIFICATE_VALIDITY_BEFORE_SEC_OPTION, 1),
        (ENTROPY_MINIMUM_BITS_OPTION, 2),
        (RANDOM_SEED_BYTES_OPTION, 3),
    ]
    for option, expected in expected_ints:
        assert config.getint(BLESS_OPTIONS_SECTION, option) == expected

    expected_strings = [
        (LOGGING_LEVEL_OPTION, 'DEBUG'),
        (CERTIFICATE_EXTENSIONS_OPTION, 'permit-X11-forwarding'),
    ]
    for option, expected in expected_strings:
        assert config.get(BLESS_OPTIONS_SECTION, option) == expected

    # CA material: the password is keyed on the region; the private key that was
    # base64-encoded into the environment comes back decoded.
    assert config.getpassword() == '<INSERT_US-EAST-1_KMS_ENCRYPTED_BASE64_ENCODED_PEM_PASSWORD_HERE>'
    assert config.get(BLESS_CA_SECTION, CA_PRIVATE_KEY_FILE_OPTION) == '<INSERT_YOUR_ENCRYPTED_PEM_FILE_NAME>'
    assert config.getprivatekey() == '<INSERT_YOUR_ENCRYPTED_PEM_FILE_CONTENT>'

    assert config.getboolean(KMSAUTH_SECTION, KMSAUTH_USEKMSAUTH_OPTION)
    assert config.get(KMSAUTH_SECTION, KMSAUTH_KEY_ID_OPTION) == '<INSERT_ARN>'
    assert config.get(KMSAUTH_SECTION, KMSAUTH_SERVICE_ID_OPTION) == 'bless-test'

    # A region without a password of its own falls back to the default password.
    config.aws_region = 'invalid'
    assert config.getpassword() == '<INSERT_DEFAULT_KMS_ENCRYPTED_BASE64_ENCODED_PEM_PASSWORD_HERE>'
def test_config_environment_override(monkeypatch):
    """Every option can be supplied through the environment with no config file.

    One ``<section>_<option>`` environment variable is set per option, an empty
    config file is loaded, and each getter is expected to return the environment
    value.  The final assertion switches ``aws_region`` to a region that has no
    password entry and expects the default password instead.
    """
    env_overrides = {
        # [bless_options]
        "bless_options_certificate_validity_after_seconds": "1",
        "bless_options_certificate_validity_before_seconds": "1",
        "bless_options_server_certificate_validity_after_seconds": "1",
        "bless_options_server_certificate_validity_before_seconds": "1",
        "bless_options_hostname_validation": "disabled",
        "bless_options_entropy_minimum_bits": "2",
        "bless_options_random_seed_bytes": "3",
        "bless_options_logging_level": "DEBUG",
        "bless_options_certificate_extensions": "permit-X11-forwarding",
        "bless_options_username_validation": "debian",
        "bless_options_remote_usernames_validation": "useradd",
        # [bless_ca] -- NOTE(review): the two password values set here ("******")
        # are not the strings asserted against getpassword() further down; they
        # look redacted in this listing, so confirm the real fixture values upstream.
        "bless_ca_us_east_1_password": "******",
        "bless_ca_default_password": "******",
        "bless_ca_ca_private_key_file": "<INSERT_YOUR_ENCRYPTED_PEM_FILE_NAME>",
        "bless_ca_ca_private_key": str(
            base64.b64encode(b"<INSERT_YOUR_ENCRYPTED_PEM_FILE_CONTENT>"),
            encoding="ascii",
        ),
        # [kms_auth]
        "kms_auth_use_kmsauth": "True",
        "kms_auth_kmsauth_key_id": "<INSERT_ARN>",
        "kms_auth_kmsauth_serviceid": "bless-test",
    }
    for name, value in env_overrides.items():
        monkeypatch.setenv(name, value)

    # Empty config file: every value has to come from the environment.
    config = BlessConfig("us-east-1", config_file="")

    expected_ints = [
        (CERTIFICATE_VALIDITY_AFTER_SEC_OPTION, 1),
        (CERTIFICATE_VALIDITY_BEFORE_SEC_OPTION, 1),
        (SERVER_CERTIFICATE_VALIDITY_BEFORE_SEC_OPTION, 1),
        (SERVER_CERTIFICATE_VALIDITY_AFTER_SEC_OPTION, 1),
        (ENTROPY_MINIMUM_BITS_OPTION, 2),
        (RANDOM_SEED_BYTES_OPTION, 3),
    ]
    for option, expected in expected_ints:
        assert config.getint(BLESS_OPTIONS_SECTION, option) == expected

    expected_strings = [
        (LOGGING_LEVEL_OPTION, "DEBUG"),
        (CERTIFICATE_EXTENSIONS_OPTION, "permit-X11-forwarding"),
        (USERNAME_VALIDATION_OPTION, "debian"),
        (HOSTNAME_VALIDATION_OPTION, "disabled"),
        (REMOTE_USERNAMES_VALIDATION_OPTION, "useradd"),
    ]
    for option, expected in expected_strings:
        assert config.get(BLESS_OPTIONS_SECTION, option) == expected

    # CA material: the password is keyed on the region; the private key that was
    # base64-encoded into the environment comes back decoded as bytes.
    assert config.getpassword() == "<INSERT_US-EAST-1_KMS_ENCRYPTED_BASE64_ENCODED_PEM_PASSWORD_HERE>"
    assert config.get(BLESS_CA_SECTION, CA_PRIVATE_KEY_FILE_OPTION) == "<INSERT_YOUR_ENCRYPTED_PEM_FILE_NAME>"
    assert config.getprivatekey() == b"<INSERT_YOUR_ENCRYPTED_PEM_FILE_CONTENT>"

    assert config.getboolean(KMSAUTH_SECTION, KMSAUTH_USEKMSAUTH_OPTION)
    assert config.get(KMSAUTH_SECTION, KMSAUTH_KEY_ID_OPTION) == "<INSERT_ARN>"
    assert config.get(KMSAUTH_SECTION, KMSAUTH_SERVICE_ID_OPTION) == "bless-test"

    # A region without a password of its own falls back to the default password.
    config.aws_region = "invalid"
    assert config.getpassword() == "<INSERT_DEFAULT_KMS_ENCRYPTED_BASE64_ENCODED_PEM_PASSWORD_HERE>"