saltstack/salt
1
0
Fork 0
mirror of https://github.com/saltstack/salt.git synced 2025-04-17 10:10:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Stop ignoring the host keys, query and write them down as accepted.

Browse source
This commit is contained in:
Pedro Algarvio 2024-03-21 16:56:53 +00:00
parent 37e56ba0a6
commit 20f4966ca0
9 changed files with 62 additions and 50 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

17
tests/conftest.py
View file

@ -1402,7 +1402,21 @@ def sshd_server(salt_factories, sshd_config_dir, salt_master, grains):
@pytest.fixture(scope="module") @pytest.fixture(scope="module")
def salt_ssh_roster_file(sshd_server, salt_master): def known_hosts_file(sshd_server, salt_master, salt_factories):
with pytest.helpers.temp_file(
"ssh-known-hosts",
"\n".join(sshd_server.get_host_keys()),
salt_factories.tmp_root_dir,
) as known_hosts_file, pytest.helpers.temp_file(
"master.d/ssh-known-hosts.conf",
f"known_hosts_file: {known_hosts_file}",
salt_master.config_dir,
):
yield known_hosts_file
@pytest.fixture(scope="module")
def salt_ssh_roster_file(sshd_server, salt_master, known_hosts_file):
roster_contents = """ roster_contents = """
localhost: localhost:
host: 127.0.0.1 host: 127.0.0.1
@ -1415,6 +1429,7 @@ def salt_ssh_roster_file(sshd_server, salt_master):
) )
if salt.utils.platform.is_darwin(): if salt.utils.platform.is_darwin():
roster_contents += " set_path: $PATH:/usr/local/bin/\n" roster_contents += " set_path: $PATH:/usr/local/bin/\n"
with pytest.helpers.temp_file( with pytest.helpers.temp_file(
"roster", roster_contents, salt_master.config_dir "roster", roster_contents, salt_master.config_dir
) as roster_file: ) as roster_file:

3
tests/pytests/integration/conftest.py
View file

@ -95,7 +95,7 @@ def salt_run_cli(salt_master):
@pytest.fixture(scope="module") @pytest.fixture(scope="module")
def salt_ssh_cli(salt_master, salt_ssh_roster_file, sshd_config_dir): def salt_ssh_cli(salt_master, salt_ssh_roster_file, sshd_config_dir, known_hosts_file):
""" """
The ``salt-ssh`` CLI as a fixture against the running master The ``salt-ssh`` CLI as a fixture against the running master
""" """
@ -105,7 +105,6 @@ def salt_ssh_cli(salt_master, salt_ssh_roster_file, sshd_config_dir):
roster_file=salt_ssh_roster_file, roster_file=salt_ssh_roster_file,
target_host="localhost", target_host="localhost",
client_key=str(sshd_config_dir / "client_key"), client_key=str(sshd_config_dir / "client_key"),
base_script_args=["--ignore-host-keys"],
) )

12
tests/pytests/integration/netapi/test_ssh_client.py
View file

@ -1,3 +1,5 @@
import logging
import pytest import pytest
import salt.netapi import salt.netapi
@ -18,9 +20,12 @@ pytestmark = [
), ),
] ]
log = logging.getLogger(__name__)
@pytest.fixture @pytest.fixture
def client_config(client_config): def client_config(client_config, known_hosts_file):
client_config["known_hosts_file"] = str(known_hosts_file)
client_config["netapi_enable_clients"] = ["ssh"] client_config["netapi_enable_clients"] = ["ssh"]
return client_config return client_config
@ -67,7 +72,6 @@ def test_ssh(client, auth_creds, salt_ssh_roster_file, rosters_dir, ssh_priv_key
"client": "ssh", "client": "ssh",
"tgt": "localhost", "tgt": "localhost",
"fun": "test.ping", "fun": "test.ping",
"ignore_host_keys": True,
"roster_file": str(salt_ssh_roster_file), "roster_file": str(salt_ssh_roster_file),
"rosters": [rosters_dir], "rosters": [rosters_dir],
"ssh_priv": ssh_priv_key, "ssh_priv": ssh_priv_key,
@ -187,7 +191,6 @@ def test_shell_inject_tgt(client, salt_ssh_roster_file, tmp_path, salt_auto_acco
"eauth": "auto", "eauth": "auto",
"username": salt_auto_account.username, "username": salt_auto_account.username,
"password": salt_auto_account.password, "password": salt_auto_account.password,
"ignore_host_keys": True,
} }
ret = client.run(low) ret = client.run(low)
assert path.exists() is False assert path.exists() is False
@ -242,7 +245,6 @@ def test_shell_inject_ssh_port(
"roster_file": str(salt_ssh_roster_file), "roster_file": str(salt_ssh_roster_file),
"rosters": "/", "rosters": "/",
"ssh_port": f"hhhhh|id>{path} #", "ssh_port": f"hhhhh|id>{path} #",
"ignore_host_keys": True,
} }
ret = client.run(low) ret = client.run(low)
assert path.exists() is False assert path.exists() is False
@ -270,7 +272,6 @@ def test_shell_inject_remote_port_forwards(
"eauth": "auto", "eauth": "auto",
"username": salt_auto_account.username, "username": salt_auto_account.username,
"password": salt_auto_account.password, "password": salt_auto_account.password,
"ignore_host_keys": True,
} }
ret = client.run(low) ret = client.run(low)
assert path.exists() is False assert path.exists() is False
@ -317,7 +318,6 @@ def test_ssh_auth_bypass(client, salt_ssh_roster_file):
"roster_file": str(salt_ssh_roster_file), "roster_file": str(salt_ssh_roster_file),
"rosters": "/", "rosters": "/",
"eauth": "xx", "eauth": "xx",
"ignore_host_keys": True,
} }
with pytest.raises(EauthAuthenticationError): with pytest.raises(EauthAuthenticationError):
client.run(low) client.run(low)

18
tests/pytests/integration/ssh/test_log.py
View file

@ -70,26 +70,23 @@ def ssh_port(ssh_docker_container):
@pytest.fixture(scope="module") @pytest.fixture(scope="module")
def salt_ssh_roster_file(ssh_port, ssh_keys, salt_master, ssh_auth): def salt_ssh_roster_file(ssh_port, ssh_keys, salt_master, ssh_auth, known_hosts_file):
""" """
Temporary roster for ssh docker container Temporary roster for ssh docker container
""" """
ssh_pass, ssh_user = ssh_auth ssh_pass, ssh_user = ssh_auth
roster = """ roster = f"""
pyvertest: pyvertest:
host: localhost host: localhost
user: {} user: {ssh_user}
port: {} port: {ssh_port}
passwd: {} passwd: {ssh_pass}
sudo: True sudo: True
sudo_user: root sudo_user: root
tty: True tty: True
ssh_options: ssh_options:
- StrictHostKeyChecking=no - UserKnownHostsFile={known_hosts_file}
- UserKnownHostsFile=/dev/null """
""".format(
ssh_user, ssh_port, ssh_pass
)
with pytest.helpers.temp_file( with pytest.helpers.temp_file(
"py_versions_roster", roster, salt_master.config_dir "py_versions_roster", roster, salt_master.config_dir
) as roster_file: ) as roster_file:
@ -104,7 +101,6 @@ def salt_ssh_cli(salt_master, salt_ssh_roster_file, ssh_keys, ssh_docker_contain
timeout=180, timeout=180,
roster_file=salt_ssh_roster_file, roster_file=salt_ssh_roster_file,
target_host="localhost", target_host="localhost",
base_script_args=["--ignore-host-keys"],
ssh_user="app-admin", ssh_user="app-admin",
) )

4
tests/pytests/integration/ssh/test_pillar_compilation.py
View file

@ -251,7 +251,7 @@ def _assert_saltutil_runner_pillar(ret, salt_minion_id):
@pytest.mark.skip_if_binaries_missing("gpg") @pytest.mark.skip_if_binaries_missing("gpg")
@pytest.mark.usefixtures("pillar_setup", "gpg_homedir") @pytest.mark.usefixtures("pillar_setup", "gpg_homedir")
def test_gpg_pillar_orch(salt_ssh_cli, salt_run_cli, gpg_homedir): def test_gpg_pillar_orch(salt_ssh_cli, salt_run_cli):
""" """
Ensure that GPG-encrypted pillars can be decrypted when Salt-SSH is Ensure that GPG-encrypted pillars can be decrypted when Salt-SSH is
called during an orchestration or via saltutil.cmd. called during an orchestration or via saltutil.cmd.
@ -265,7 +265,6 @@ def test_gpg_pillar_orch(salt_ssh_cli, salt_run_cli, gpg_homedir):
salt_ssh_cli.target_host, salt_ssh_cli.target_host,
"pillar.items", "pillar.items",
ssh=True, ssh=True,
ignore_host_keys=True,
roster_file=str(salt_ssh_cli.roster_file), roster_file=str(salt_ssh_cli.roster_file),
ssh_priv=str(salt_ssh_cli.client_key), ssh_priv=str(salt_ssh_cli.client_key),
) )
@ -290,7 +289,6 @@ def test_saltutil_runner_orch(salt_ssh_cli, salt_run_cli, salt_minion):
salt_ssh_cli.target_host, salt_ssh_cli.target_host,
"pillar.items", "pillar.items",
ssh=True, ssh=True,
ignore_host_keys=True,
roster_file=str(salt_ssh_cli.roster_file), roster_file=str(salt_ssh_cli.roster_file),
ssh_priv=str(salt_ssh_cli.client_key), ssh_priv=str(salt_ssh_cli.client_key),
) )

16
tests/pytests/integration/ssh/test_py_versions.py
View file

@ -85,22 +85,19 @@ def ssh_port(ssh_docker_container):
@pytest.fixture(scope="module") @pytest.fixture(scope="module")
def salt_ssh_roster_file(ssh_port, ssh_keys, salt_master): def salt_ssh_roster_file(ssh_port, ssh_keys, salt_master, known_hosts_file):
""" """
Temporary roster for ssh docker container Temporary roster for ssh docker container
""" """
roster = """ roster = f"""
pyvertest: pyvertest:
host: localhost host: localhost
user: centos user: centos
port: {} port: {ssh_port}
priv: {} priv: {ssh_keys.priv_path}
ssh_options: ssh_options:
- StrictHostKeyChecking=no - UserKnownHostsFile={known_hosts_file}
- UserKnownHostsFile=/dev/null """
""".format(
ssh_port, ssh_keys.priv_path
)
with pytest.helpers.temp_file( with pytest.helpers.temp_file(
"py_versions_roster", roster, salt_master.config_dir "py_versions_roster", roster, salt_master.config_dir
) as roster_file: ) as roster_file:
@ -116,7 +113,6 @@ def salt_ssh_cli(salt_master, salt_ssh_roster_file, ssh_keys, ssh_docker_contain
roster_file=salt_ssh_roster_file, roster_file=salt_ssh_roster_file,
target_host="localhost", target_host="localhost",
client_key=str(ssh_keys.priv_path), client_key=str(ssh_keys.priv_path),
base_script_args=["--ignore-host-keys"],
) )

26
tests/pytests/integration/ssh/test_ssh_setup.py
View file

@ -117,23 +117,30 @@ def ssh_sub_port(ssh_sub_container):
@pytest.fixture(scope="module") @pytest.fixture(scope="module")
def salt_ssh_roster_file( def salt_ssh_roster_file(
ssh_container_name, ssh_sub_container_name, ssh_port, ssh_sub_port, salt_master ssh_container_name,
ssh_sub_container_name,
ssh_port,
ssh_sub_port,
salt_master,
known_hosts_file,
): ):
""" """
Temporary roster for ssh docker container Temporary roster for ssh docker container
""" """
roster = """ roster = f"""
{}: {ssh_container_name}:
host: localhost host: localhost
user: centos user: centos
port: {} port: {ssh_port}
{}: ssh_options:
- UserKnownHostsFile={known_hosts_file}
{ssh_sub_container_name}:
host: localhost host: localhost
user: centos user: centos
port: {} port: {ssh_sub_port}
""".format( ssh_options:
ssh_container_name, ssh_port, ssh_sub_container_name, ssh_sub_port - UserKnownHostsFile={known_hosts_file}
) """
with pytest.helpers.temp_file( with pytest.helpers.temp_file(
"setup_roster", roster, salt_master.config_dir "setup_roster", roster, salt_master.config_dir
) as roster_file: ) as roster_file:
@ -151,7 +158,6 @@ def salt_ssh_cli(
timeout=180, timeout=180,
roster_file=salt_ssh_roster_file, roster_file=salt_ssh_roster_file,
client_key=str(ssh_keys.priv_path), client_key=str(ssh_keys.priv_path),
base_script_args=["--ignore-host-keys"],
) )

11
tests/pytests/integration/ssh/test_terraform.py
View file

@ -17,7 +17,7 @@ def minion_id():
@pytest.fixture(scope="module") @pytest.fixture(scope="module")
def terraform_roster_file(sshd_server, salt_master, tmp_path_factory, minion_id): def terraform_roster_file(sshd_server, tmp_path_factory, minion_id, known_hosts_file):
darwin_addon = "" darwin_addon = ""
if salt.utils.platform.is_darwin(): if salt.utils.platform.is_darwin():
darwin_addon = ',\n "set_path": "$PATH:/usr/local/bin/"\n' darwin_addon = ',\n "set_path": "$PATH:/usr/local/bin/"\n'
@ -49,7 +49,10 @@ def terraform_roster_file(sshd_server, salt_master, tmp_path_factory, minion_id)
"thin_dir": null, "thin_dir": null,
"timeout": null, "timeout": null,
"tty": null, "tty": null,
"user": "{user}"{darwin_addon} "user": "{user}"{darwin_addon},
"ssh_options": [
"UserKnownHostsFile={known_hosts_file}"
]
}} }}
}} }}
] ]
@ -63,6 +66,7 @@ def terraform_roster_file(sshd_server, salt_master, tmp_path_factory, minion_id)
port=sshd_server.listen_port, port=sshd_server.listen_port,
user=RUNTIME_VARS.RUNNING_TESTS_USER, user=RUNTIME_VARS.RUNNING_TESTS_USER,
darwin_addon=darwin_addon, darwin_addon=darwin_addon,
known_hosts_file=known_hosts_file,
) )
roster_file = tmp_path_factory.mktemp("terraform_roster") / "terraform.tfstate" roster_file = tmp_path_factory.mktemp("terraform_roster") / "terraform.tfstate"
roster_file.write_text(roster_contents) roster_file.write_text(roster_contents)
@ -71,7 +75,7 @@ def terraform_roster_file(sshd_server, salt_master, tmp_path_factory, minion_id)
@pytest.fixture(scope="module") @pytest.fixture(scope="module")
def salt_ssh_cli(salt_master, terraform_roster_file, sshd_config_dir): def salt_ssh_cli(salt_master, terraform_roster_file, sshd_config_dir, known_hosts_file):
""" """
The ``salt-ssh`` CLI as a fixture against the running master The ``salt-ssh`` CLI as a fixture against the running master
""" """
@ -80,7 +84,6 @@ def salt_ssh_cli(salt_master, terraform_roster_file, sshd_config_dir):
roster_file=terraform_roster_file, roster_file=terraform_roster_file,
target_host="*", target_host="*",
client_key=str(sshd_config_dir / "client_key"), client_key=str(sshd_config_dir / "client_key"),
base_script_args=["--ignore-host-keys"],
) )

5
tests/pytests/integration/states/test_ansiblegate.py
View file

@ -40,7 +40,7 @@ def ansible_inventory_directory(tmp_path_factory, grains):
@pytest.fixture(scope="module", autouse=True) @pytest.fixture(scope="module", autouse=True)
def ansible_inventory(ansible_inventory_directory, sshd_server): def ansible_inventory(ansible_inventory_directory, sshd_server, known_hosts_file):
inventory = str(ansible_inventory_directory / "inventory") inventory = str(ansible_inventory_directory / "inventory")
client_key = str(sshd_server.config_dir / "client_key") client_key = str(sshd_server.config_dir / "client_key")
data = { data = {
@ -52,8 +52,7 @@ def ansible_inventory(ansible_inventory_directory, sshd_server):
"ansible_user": RUNTIME_VARS.RUNNING_TESTS_USER, "ansible_user": RUNTIME_VARS.RUNNING_TESTS_USER,
"ansible_ssh_private_key_file": client_key, "ansible_ssh_private_key_file": client_key,
"ansible_ssh_extra_args": ( "ansible_ssh_extra_args": (
"-o StrictHostKeyChecking=false " f"-o UserKnownHostsFile={known_hosts_file} "
"-o UserKnownHostsFile=/dev/null "
), ),
}, },
}, },