def test_keybaseca_sign(self, test_config):
# Stdout contains a useful message
with open("/shared/keybaseca-sign.out") as f:
assert "Provisioned new certificate" in f.read()
# SSH with that certificate should just work for every team
assert_contains_hash(
test_config.expected_hash,
run_command(
f"ssh -q -o StrictHostKeyChecking=no -i "
f"/shared/userkey user@sshd-prod 'sha1sum /etc/unique'"),
)
assert_contains_hash(
test_config.expected_hash,
run_command(
f"ssh -q -o StrictHostKeyChecking=no -i "
f"/shared/userkey root@sshd-prod 'sha1sum /etc/unique'"),
)
assert_contains_hash(
test_config.expected_hash,
run_command(
f"ssh -q -o StrictHostKeyChecking=no -i "
f"/shared/userkey user@sshd-staging 'sha1sum /etc/unique'"),
)
assert_contains_hash(
test_config.expected_hash,
run_command(
f"ssh -q -o StrictHostKeyChecking=no -i "
f"/shared/userkey root@sshd-prod 'sha1sum /etc/unique'"),
)
# Checking that it actually contains the correct principals
assert get_principals("/shared/userkey-cert.pub") == set(
test_config.subteams)
def test_kssh_provision(self, test_config):
# Test the `kssh --provision` flag
# we have to run all of the below commands in one run_command call so that environment variables are shared
# so ssh-agent can work
with outputs_audit_log(test_config, filename=test_env_1_log_filename, expected_number=1):
output = run_command_with_agent("""
bin/kssh --provision
ssh -q -o StrictHostKeyChecking=no root@sshd-prod "sha1sum /etc/unique"
echo -n foo > /tmp/foo
scp /tmp/foo root@sshd-prod:/tmp/foo
ssh -q -o StrictHostKeyChecking=no root@sshd-prod "sha1sum /tmp/foo"
""")
assert_contains_hash(test_config.expected_hash, output)
assert hashlib.sha1(b"foo").hexdigest().encode('utf-8') in output
assert get_principals("~/.ssh/keybase-signed-key---cert.pub") == set([test_config.subteam + ".ssh.staging", test_config.subteam + ".ssh.root_everywhere"])