示例#1
0
def test_separation(current_actor_context, values, expected_report):
    for value in values:
        if value:
            current_actor_context.feed(
                OpenSshConfig(permit_root_login=[osprl],
                              use_privilege_separation=value))
        else:
            current_actor_context.feed(
                OpenSshConfig(permit_root_login=[osprl]))
    current_actor_context.run()
    if expected_report:
        assert current_actor_context.consume(Report)
    else:
        assert not current_actor_context.consume(Report)
def test_inhibit_if_deprecated_directives_used(monkeypatch):
    """Tests whether the upgrade is inhibited when deprecated directives are used in config."""
    created_report = create_report_mocked()
    monkeypatch.setattr(reporting, 'create_report', created_report)

    ssh_config = OpenSshConfig(permit_root_login=[],
                               deprecated_directives=['ShowPatchLevel'])

    inhibit_if_deprecated_directives_used(ssh_config)

    fail_description = 'Report entry was not created when deprecated directive found in the ssh config.'
    assert created_report.called == 1, fail_description

    fail_description = 'Report doesn\'t have information about deprecated directive in the title.'
    assert 'deprecated directive' in created_report.report_fields[
        'title'].lower(), fail_description

    fail_description = 'Report doesn\'t contain the (mocked) deprecated directive present in the config.'
    # The report should have the directive in a preserved form (same as found in configuration)
    assert 'ShowPatchLevel' in created_report.report_fields[
        'summary'], fail_description

    assert created_report.report_fields[
        'severity'] == 'high', 'Report has incorrect severity.'

    fail_description = 'Report should have the inhibition flag set when deprecated directive is present.'
    assert 'inhibitor' in created_report.report_fields[
        'flags'], fail_description

    assert created_report.report_fields[
        'remediations'], 'Report should carry some remediation information.'
示例#3
0
def test_protocol(current_actor_context, protocol):
    current_actor_context.feed(
        OpenSshConfig(permit_root_login=[osprl], protocol=protocol))
    current_actor_context.run()
    if protocol:
        assert current_actor_context.consume(Report)
    else:
        assert not current_actor_context.consume(Report)
示例#4
0
def test_ciphers(current_actor_context, ciphers, expected_report):
    current_actor_context.feed(
        OpenSshConfig(permit_root_login=[osprl], ciphers=ciphers))
    current_actor_context.run()
    if expected_report:
        assert current_actor_context.consume(Report)
    else:
        assert not current_actor_context.consume(Report)
def test_globally_enabled(current_actor_context):
    """ Configuration file in this format:

        PermitRootLogin yes # explicit
    """
    config = OpenSshConfig(
        permit_root_login=[OpenSshPermitRootLogin(value='yes',
                                                  in_match=None)], )

    assert not semantics_changes(config)
示例#6
0
def test_globally_disabled_password():
    """ Configuration file in this format:

        PermitRootLogin prohibit-password # explicit
    """
    config = OpenSshConfig(permit_root_login=[
        OpenSshPermitRootLogin(value='prohibit-password', in_match=None)
    ], )

    assert not semantics_changes(config)
示例#7
0
def test_globally_enabled():
    """ Configuration file in this format:

        PermitRootLogin yes # explicit
    """
    config = OpenSshConfig(
        permit_root_login=[OpenSshPermitRootLogin(value='yes', in_match=None)],
        deprecated_directives=[])

    assert not semantics_changes(config)
def test_inhibit_if_deprecated_directives_used_no_deprecated_directives(
        monkeypatch):
    """Tests whether the upgrade is not inhibited when no deprecated directives are used in config."""
    created_report = create_report_mocked()
    monkeypatch.setattr(reporting, 'create_report', created_report)

    ssh_config = OpenSshConfig(permit_root_login=[], deprecated_directives=[])

    inhibit_if_deprecated_directives_used(ssh_config)
    assert created_report.called == 0, 'No report should be created if no deprecated directive present in the config.'
def test_in_match_disabled(current_actor_context):
    """ Configuration file in this format:

        # PermitRootLogin yes # implicit
        Match address 10.10.*
            PermitRootLogin no
    """
    config = OpenSshConfig(permit_root_login=[
        OpenSshPermitRootLogin(value='no', in_match=['address', '10.10.*'])
    ], )

    assert semantics_changes(config)
示例#10
0
def test_in_match_all_disabled():
    """ Configuration file in this format:

        # PermitRootLogin yes # implicit
        Match all
            PermitRootLogin no
    """
    config = OpenSshConfig(permit_root_login=[
        OpenSshPermitRootLogin(value='no', in_match=['all'])
    ], )

    assert not semantics_changes(config)
示例#11
0
def test_in_match_all_disabled_password(current_actor_context):
    """ Configuration file in this format:

        # PermitRootLogin yes # implicit
        Match all
            PermitRootLogin prohibit-password
    """
    config = OpenSshConfig(permit_root_login=[
        OpenSshPermitRootLogin(value='prohibit-password', in_match=['all'])
    ], )

    assert not semantics_changes(config)
示例#12
0
def test_in_match_enabled(current_actor_context):
    """ Configuration file in this format:

        # PermitRootLogin yes # implicit
        Match address 192.168.*
            PermitRootLogin yes
    """
    # TODO This is suspicious configuration we should probably handle separately
    config = OpenSshConfig(permit_root_login=[
        OpenSshPermitRootLogin(value='yes', in_match=['address', '192.168.*'])
    ], )

    assert not semantics_changes(config)
示例#13
0
def test_in_match_disabled_globally_enabled(current_actor_context):
    """ Configuration file in this format:

        PermitRootLogin yes # explicit
        Match address 192.*
            PermitRootLogin no
    """
    config = OpenSshConfig(permit_root_login=[
        OpenSshPermitRootLogin(value='yes', in_match=None),
        OpenSshPermitRootLogin(value='no', in_match=['address', '192.*'])
    ], )

    assert not semantics_changes(config)
示例#14
0
def test_in_match_disabled():
    """ Configuration file in this format:

        # PermitRootLogin yes # implicit
        Match address 10.10.*
            PermitRootLogin no
    """
    config = OpenSshConfig(permit_root_login=[
        OpenSshPermitRootLogin(value='no', in_match=['address', '10.10.*'])
    ],
                           deprecated_directives=[])

    assert semantics_changes(config)
示例#15
0
def test_in_match_all_enabled():
    """ Configuration file in this format:

        # PermitRootLogin yes # implicit
        Match all
            PermitRootLogin yes
    """
    config = OpenSshConfig(permit_root_login=[
        OpenSshPermitRootLogin(value='yes', in_match=['all'])
    ],
                           deprecated_directives=[])

    assert not semantics_changes(config)
示例#16
0
def test_in_match_disabled_password():
    """ Configuration file in this format:

        # PermitRootLogin yes # implicit
        Match address 192.168.*
            PermitRootLogin prohibit-password
    """
    config = OpenSshConfig(permit_root_login=[
        OpenSshPermitRootLogin(value='prohibit-password',
                               in_match=['address', '10.10.*'])
    ], )

    assert semantics_changes(config)
示例#17
0
def test_in_match_enabled_globally_disabled():
    """ Configuration file in this format:

        PermitRootLogin no # explicit
        Match address 192.*
            PermitRootLogin yes
    """
    config = OpenSshConfig(permit_root_login=[
        OpenSshPermitRootLogin(value='no', in_match=None),
        OpenSshPermitRootLogin(value='yes', in_match=['address', '192.*'])
    ],
                           deprecated_directives=[])

    assert not semantics_changes(config)
示例#18
0
def parse_config(config):
    """Parse OpenSSH server configuration or the output of sshd test option."""

    # RHEL7 defaults
    ret = OpenSshConfig(permit_root_login=[], deprecated_directives=[])

    in_match = None
    for line in config:
        line = line.strip()
        if line_empty(line):
            continue

        el = line.split()
        if len(el) < 2:
            continue
        value = el[1]
        if el[0].lower() == 'match':
            in_match = el[1:]
            continue

        if el[0].lower() == 'permitrootlogin':
            # convert deprecated alias
            if value == "without-password":
                value = "prohibit-password"
            v = OpenSshPermitRootLogin(value=value, in_match=in_match)
            ret.permit_root_login.append(v)

        elif el[0].lower() == 'useprivilegeseparation':
            # Record only first occurence, which is effective
            if not ret.use_privilege_separation:
                ret.use_privilege_separation = value

        elif el[0].lower() == 'protocol':
            # Record only first occurence, which is effective
            if not ret.protocol:
                ret.protocol = value

        elif el[0].lower() == 'ciphers':
            # Record only first occurence, which is effective
            if not ret.ciphers:
                ret.ciphers = value

        elif el[0].lower() == 'macs':
            # Record only first occurence, which is effective
            if not ret.macs:
                ret.macs = value

        elif el[0].lower() in DEPRECATED_DIRECTIVES:
            # Filter out duplicit occurences of the same deprecated directive
            if el[0].lower() not in ret.deprecated_directives:
                # Use the directive in the form as found in config for user convenience
                ret.deprecated_directives.append(el[0])
    return ret
示例#19
0
def test_produce_config():
    output = []

    def fake_producer(*args):
        output.extend(args)

    config = OpenSshConfig(
        permit_root_login=[OpenSshPermitRootLogin(value="no")],
        use_privilege_separation="yes",
        protocol="1",
    )

    produce_config(fake_producer, config)
    assert len(output) == 1
    cfg = output[0]
    assert len(cfg.permit_root_login) == 1
    assert cfg.permit_root_login[0].value == "no"
    assert cfg.use_privilege_separation == "yes"
    assert cfg.protocol == '1'