def test_in_match_disabled_globally_enabled(current_actor_context):
""" Configuration file in this format:
PermitRootLogin yes # explicit
Match address 192.*
PermitRootLogin no
"""
config = OpenSshConfig(permit_root_login=[
OpenSshPermitRootLogin(value='yes', in_match=None),
OpenSshPermitRootLogin(value='no', in_match=['address', '192.*'])
], )
assert not semantics_changes(config)
def test_in_match_enabled_globally_disabled():
""" Configuration file in this format:
PermitRootLogin no # explicit
Match address 192.*
PermitRootLogin yes
"""
config = OpenSshConfig(permit_root_login=[
OpenSshPermitRootLogin(value='no', in_match=None),
OpenSshPermitRootLogin(value='yes', in_match=['address', '192.*'])
],
deprecated_directives=[])
assert not semantics_changes(config)
def test_globally_enabled(current_actor_context):
""" Configuration file in this format:
PermitRootLogin yes # explicit
"""
config = OpenSshConfig(
permit_root_login=[OpenSshPermitRootLogin(value='yes',
in_match=None)], )
assert not semantics_changes(config)
def test_globally_disabled_password():
""" Configuration file in this format:
PermitRootLogin prohibit-password # explicit
"""
config = OpenSshConfig(permit_root_login=[
OpenSshPermitRootLogin(value='prohibit-password', in_match=None)
], )
assert not semantics_changes(config)
def test_globally_enabled():
""" Configuration file in this format:
PermitRootLogin yes # explicit
"""
config = OpenSshConfig(
permit_root_login=[OpenSshPermitRootLogin(value='yes', in_match=None)],
deprecated_directives=[])
assert not semantics_changes(config)
def test_in_match_all_disabled_password(current_actor_context):
""" Configuration file in this format:
# PermitRootLogin yes # implicit
Match all
PermitRootLogin prohibit-password
"""
config = OpenSshConfig(permit_root_login=[
OpenSshPermitRootLogin(value='prohibit-password', in_match=['all'])
], )
assert not semantics_changes(config)
def test_in_match_disabled(current_actor_context):
""" Configuration file in this format:
# PermitRootLogin yes # implicit
Match address 10.10.*
PermitRootLogin no
"""
config = OpenSshConfig(permit_root_login=[
OpenSshPermitRootLogin(value='no', in_match=['address', '10.10.*'])
], )
assert semantics_changes(config)
def test_in_match_all_disabled():
""" Configuration file in this format:
# PermitRootLogin yes # implicit
Match all
PermitRootLogin no
"""
config = OpenSshConfig(permit_root_login=[
OpenSshPermitRootLogin(value='no', in_match=['all'])
], )
assert not semantics_changes(config)
def parse_config(config):
"""Parse OpenSSH server configuration or the output of sshd test option."""
# RHEL7 defaults
ret = OpenSshConfig(permit_root_login=[], deprecated_directives=[])
in_match = None
for line in config:
line = line.strip()
if line_empty(line):
continue
el = line.split()
if len(el) < 2:
continue
value = el[1]
if el[0].lower() == 'match':
in_match = el[1:]
continue
if el[0].lower() == 'permitrootlogin':
# convert deprecated alias
if value == "without-password":
value = "prohibit-password"
v = OpenSshPermitRootLogin(value=value, in_match=in_match)
ret.permit_root_login.append(v)
elif el[0].lower() == 'useprivilegeseparation':
# Record only first occurence, which is effective
if not ret.use_privilege_separation:
ret.use_privilege_separation = value
elif el[0].lower() == 'protocol':
# Record only first occurence, which is effective
if not ret.protocol:
ret.protocol = value
elif el[0].lower() == 'ciphers':
# Record only first occurence, which is effective
if not ret.ciphers:
ret.ciphers = value
elif el[0].lower() == 'macs':
# Record only first occurence, which is effective
if not ret.macs:
ret.macs = value
elif el[0].lower() in DEPRECATED_DIRECTIVES:
# Filter out duplicit occurences of the same deprecated directive
if el[0].lower() not in ret.deprecated_directives:
# Use the directive in the form as found in config for user convenience
ret.deprecated_directives.append(el[0])
return ret
def test_in_match_enabled(current_actor_context):
""" Configuration file in this format:
# PermitRootLogin yes # implicit
Match address 192.168.*
PermitRootLogin yes
"""
# TODO This is suspicious configuration we should probably handle separately
config = OpenSshConfig(permit_root_login=[
OpenSshPermitRootLogin(value='yes', in_match=['address', '192.168.*'])
], )
assert not semantics_changes(config)
def test_in_match_disabled_password():
""" Configuration file in this format:
# PermitRootLogin yes # implicit
Match address 192.168.*
PermitRootLogin prohibit-password
"""
config = OpenSshConfig(permit_root_login=[
OpenSshPermitRootLogin(value='prohibit-password',
in_match=['address', '10.10.*'])
], )
assert semantics_changes(config)
def test_in_match_disabled():
""" Configuration file in this format:
# PermitRootLogin yes # implicit
Match address 10.10.*
PermitRootLogin no
"""
config = OpenSshConfig(permit_root_login=[
OpenSshPermitRootLogin(value='no', in_match=['address', '10.10.*'])
],
deprecated_directives=[])
assert semantics_changes(config)
def test_in_match_all_enabled():
""" Configuration file in this format:
# PermitRootLogin yes # implicit
Match all
PermitRootLogin yes
"""
config = OpenSshConfig(permit_root_login=[
OpenSshPermitRootLogin(value='yes', in_match=['all'])
],
deprecated_directives=[])
assert not semantics_changes(config)
def test_produce_config():
output = []
def fake_producer(*args):
output.extend(args)
config = OpenSshConfig(
permit_root_login=[OpenSshPermitRootLogin(value="no")],
use_privilege_separation="yes",
protocol="1",
)
produce_config(fake_producer, config)
assert len(output) == 1
cfg = output[0]
assert len(cfg.permit_root_login) == 1
assert cfg.permit_root_login[0].value == "no"
assert cfg.use_privilege_separation == "yes"
assert cfg.protocol == '1'
import pytest
from leapp.exceptions import StopActorExecutionError
from leapp.libraries.actor import opensshprotocolcheck
from leapp.models import OpenSshConfig, OpenSshPermitRootLogin, Report
from leapp.snactor.fixture import current_actor_context
def test_no_config(current_actor_context):
with pytest.raises(StopActorExecutionError):
opensshprotocolcheck.process(iter([]))
osprl = OpenSshPermitRootLogin(value='no')
@pytest.mark.parametrize('protocol', [None, '1', '2', '1,2', '2,1', '7'])
def test_protocol(current_actor_context, protocol):
current_actor_context.feed(
OpenSshConfig(permit_root_login=[osprl],
protocol=protocol,
deprecated_directives=[]))
current_actor_context.run()
if protocol:
assert current_actor_context.consume(Report)
else:
assert not current_actor_context.consume(Report)
