def test_keybaseca_sign(self, test_config):
    """Check the certificate produced by `keybaseca sign` end to end.

    Reads the captured stdout of the signing step, logs in to each target
    with the signed key, and compares the principals embedded in the
    certificate with the configured subteams.
    """
    # The signing step must have reported success on stdout.
    with open("/shared/keybaseca-sign.out") as sign_log:
        sign_stdout = sign_log.read()
    assert "Provisioned new certificate" in sign_stdout

    # SSH with that certificate should just work for every team.
    # NOTE(review): root@sshd-prod is listed twice and root@sshd-staging
    # never, which looks like a copy-paste slip that leaves root access on
    # staging unverified. Confirm, and swap the last entry if so.
    login_targets = (
        "user@sshd-prod",
        "root@sshd-prod",
        "user@sshd-staging",
        "root@sshd-prod",
    )
    for target in login_targets:
        # StrictHostKeyChecking=no makes the client accept any host key, so
        # this proves the server accepts the certificate but not the server's
        # identity. Presumably tolerable because the targets are disposable
        # test hosts; do not copy this flag into real usage.
        ssh_command = (
            "ssh -q -o StrictHostKeyChecking=no -i "
            f"/shared/userkey {target} 'sha1sum /etc/unique'"
        )
        assert_contains_hash(
            test_config.expected_hash,
            run_command(ssh_command),
        )

    # The certificate must carry exactly the expected principals: a missing
    # principal breaks access, an extra one grants access nobody asked for.
    expected_principals = set(test_config.subteams)
    assert get_principals("/shared/userkey-cert.pub") == expected_principals
def test_kssh_provision(self, test_config):
    """Exercise the `kssh --provision` flag.

    After provisioning, plain `ssh` and `scp` must work against sshd-prod
    as root, and the signed key must carry only the principals expected
    for this environment.
    """
    # All commands go through a single run_command_with_agent call so that
    # they share environment variables, which ssh-agent depends on.
    # StrictHostKeyChecking=no skips host key verification. Presumably fine
    # for disposable test hosts; not a pattern for real usage.
    provision_script = """
    bin/kssh --provision
    ssh -q -o StrictHostKeyChecking=no root@sshd-prod "sha1sum /etc/unique"
    echo -n foo > /tmp/foo
    scp /tmp/foo root@sshd-prod:/tmp/foo
    ssh -q -o StrictHostKeyChecking=no root@sshd-prod "sha1sum /tmp/foo"
    """

    # SHA-1 only mirrors what the remote `sha1sum` prints. It is a content
    # fingerprint for the copied file, not a security control.
    copied_file_digest = hashlib.sha1(b"foo").hexdigest().encode('utf-8')

    # Exact-match check on principals: the signed key must not carry more
    # access than these two roles.
    expected_principals = {
        test_config.subteam + ".ssh.staging",
        test_config.subteam + ".ssh.root_everywhere",
    }

    # NOTE(review): presumably outputs_audit_log verifies that exactly one
    # audit log entry lands in test_env_1_log_filename. Confirm against the
    # helper.
    with outputs_audit_log(test_config, filename=test_env_1_log_filename, expected_number=1):
        output = run_command_with_agent(provision_script)
        assert_contains_hash(test_config.expected_hash, output)
        assert copied_file_digest in output
        signed_principals = get_principals("~/.ssh/keybase-signed-key---cert.pub")
        assert signed_principals == expected_principals