Remove `external_auth` from the static config file

This commit is contained in:
Pedro Algarvio 2021-09-21 08:00:30 +01:00 committed by Megan Wilhite
parent e931632b23
commit 6e846e721f
17 changed files with 221 additions and 268 deletions


@ -941,6 +941,8 @@ def salt_master_factory(
prod_env_state_tree_root_dir,
prod_env_pillar_tree_root_dir,
ext_pillar_file_tree_root_dir,
salt_api_account_factory,
salt_auto_account_factory,
):
root_dir = salt_factories.get_root_dir_for_daemon("master")
conf_dir = root_dir / "conf"
@ -978,6 +980,17 @@ def salt_master_factory(
}
)
config_overrides["pillar_opts"] = True
config_overrides["external_auth"] = {
"auto": {
salt_api_account_factory.username: [
"@wheel",
"@runner",
"test.*",
"grains.*",
],
salt_auto_account_factory.username: ["@wheel", "@runner", "test.*"],
}
}
# We need to copy the extension modules into the new master root_dir or
# it will be prefixed by it
@ -1533,4 +1546,14 @@ def _disable_salt_logging():
yield
@pytest.fixture(scope="session")
def salt_api_account_factory():
return TestAccount(username="saltdev_api", password="saltdev")
@pytest.fixture(scope="session")
def salt_auto_account_factory():
return TestAccount(username="saltdev_auto", password="saltdev")
# <---- Custom Fixtures ----------------------------------------------------------------------------------------------
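Review bot: The two session fixtures added at the end of the hunk, `salt_api_account_factory` and `salt_auto_account_factory`, return a `TestAccount` without a docstring saying that the returned object is only a description that callers enter as a context manager (as the module-scoped `salt_auto_account` fixtures elsewhere in this commit do with `with salt_auto_account_factory as account:`) before the account presumably exists; a one-line docstring such as `"""Describe the saltdev_api test account; enter the returned object to create it."""` would stop a test from requesting the factory directly and using credentials for an account that was never set up. They also hard-code `password="saltdev"`, whereas the factories this commit adds to the other conftest (`salt_auth_account_1_factory` and siblings) pass only a username, presumably leaving the password to `TestAccount`; unless something depends on the fixed value, dropping the explicit password here keeps the two conftests consistent and avoids a well-known credential on the hosts the suite runs on. `salt_master_factory` starts and ends outside the hunks.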


@ -4,6 +4,12 @@ from tests.support.mixins import AdaptedConfigurationTestCaseMixin
from tests.support.unit import TestCase
@pytest.fixture(scope="module", autouse=True)
def salt_auto_account(salt_auto_account_factory):
with salt_auto_account_factory as account:
yield account
@pytest.mark.windows_whitelisted
class RunnerModuleTest(TestCase, AdaptedConfigurationTestCaseMixin):
# This is really an integration test since it needs a salt-master running


@ -39,44 +39,13 @@ config_opt:
layer2: 'kosher'
yaml_utf8: True
external_auth:
pam:
saltdev-auth:
- test.*
saltdev-netapi:
- '@wheel'
- '@runner'
- test.*
saltdev-key:
- '@wheel'
- '@runner'
- test.*
saltdev-runner:
- '@wheel'
- '@runner'
- test.*
saltops%:
- '@wheel'
- '@runner'
- 'test.*'
auto:
saltdev-netapi:
- '@wheel'
- '@runner'
- test.*
saltdev_auto:
- '@wheel'
- '@runner'
- test.*
saltdev_api:
- '@wheel'
- '@runner'
- test.*
- grains.*
'*':
- '@wheel'
- '@runner'
- test.*
# DO NOT SET external_auth in this config file, see tests/conftest.py and tests/pytests/conftest.py
#external_auth:
# auto:
# '*':
# - '@wheel'
# - '@runner'
# - test.*
master_tops:
master_tops_test: True
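Review bot: The commented-out block that follows the new `DO NOT SET external_auth` notice (`#external_auth:` through `# - test.*`) keeps the old `auto` / `'*'` grant of `@wheel` and `@runner` around as a ready-to-uncomment template, which is exactly the configuration the notice is retiring; read as Salt's wildcard, that entry matched any username, so it is worth deleting the six commented lines and leaving only the notice. If the intent is to show readers the expected shape, a pointer to the `config_overrides["external_auth"]` dict in `tests/pytests/conftest.py` says it without an uncommentable copy.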


@ -1,39 +0,0 @@
import pytest
import salt.config
import tests.support.netapi as netapi
@pytest.fixture
def client_config(salt_master):
config = salt.config.client_config(
salt_master.config["conf_file"], defaults=salt_master.config.copy()
)
return config
@pytest.fixture
def minion_config(salt_minion):
return salt_minion.config.copy()
@pytest.fixture
def load_auth(client_config):
return netapi.load_auth(client_config)
@pytest.fixture
def auth_creds():
return netapi.auth_creds()
@pytest.fixture
def auth_token(load_auth, auth_creds):
"""
Mint and return a valid token for auth_creds
"""
return netapi.auth_token(load_auth, auth_creds)
@pytest.fixture
def content_type_map():
return netapi.content_type_map()


@ -15,6 +15,12 @@ from tests.support.mixins import AdaptedConfigurationTestCaseMixin
from tests.support.unit import skipIf
@pytest.fixture(scope="module", autouse=True)
def salt_api_account(salt_api_account_factory):
with salt_api_account_factory as account:
yield account
class SaltnadoIntegrationTestsBase(
AsyncHTTPTestCase, AdaptedConfigurationTestCaseMixin
):


@ -6,6 +6,12 @@ from tests.support.mixins import AdaptedConfigurationTestCaseMixin
from tests.support.unit import TestCase, skipIf
@pytest.fixture(scope="module", autouse=True)
def salt_auto_account(salt_auto_account_factory):
with salt_auto_account_factory as account:
yield account
@pytest.mark.windows_whitelisted
class WheelModuleTest(TestCase, AdaptedConfigurationTestCaseMixin):


@ -21,11 +21,32 @@ from pytestshellutils.utils import ports
from salt.serializers import yaml
from saltfactories.utils import random_string
from tests.support.helpers import get_virtualenv_binary_path
from tests.support.pytest.helpers import TestAccount
from tests.support.runtests import RUNTIME_VARS
log = logging.getLogger(__name__)
@pytest.fixture(scope="session")
def salt_auth_account_1_factory():
return TestAccount(username="saltdev-auth-1")
@pytest.fixture(scope="session")
def salt_auth_account_2_factory():
return TestAccount(username="saltdev-auth-2", group_name="saltops")
@pytest.fixture(scope="session")
def salt_netapi_account_factory():
return TestAccount(username="saltdev-netapi")
@pytest.fixture(scope="session")
def salt_eauth_account_factory():
return TestAccount(username="saltdev-eauth")
@pytest.fixture(scope="session")
def salt_minion_id():
return random_string("minion-")
@ -99,6 +120,11 @@ def salt_master_factory(
vault_port,
reactor_event,
master_id,
salt_auth_account_1_factory,
salt_auth_account_2_factory,
salt_netapi_account_factory,
salt_eauth_account_factory,
salt_auto_account_factory,
):
root_dir = salt_factories.get_root_dir_for_daemon(master_id)
conf_dir = root_dir / "conf"
@ -172,6 +198,22 @@ def salt_master_factory(
}
)
config_overrides["pillar_opts"] = True
config_overrides["external_auth"] = {
"pam": {
salt_auth_account_1_factory.username: ["test.*"],
"{}%".format(salt_auth_account_2_factory.group_name): [
"@wheel",
"@runner",
"test.*",
],
salt_netapi_account_factory.username: ["@wheel", "@runner", "test.*"],
salt_eauth_account_factory.username: ["@wheel", "@runner", "test.*"],
},
"auto": {
salt_netapi_account_factory.username: ["@wheel", "@runner", "test.*"],
salt_auto_account_factory.username: ["@wheel", "@runner", "test.*"],
},
}
# We need to copy the extension modules into the new master root_dir or
# it will be prefixed by it
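Review bot: The `external_auth` override built at the end of the hunk keys the group ACL as `"{}%".format(salt_auth_account_2_factory.group_name)` with no comment that the trailing `%` is what makes Salt treat the entry as a group rather than a user; a reader comparing it with the user entries around it will not know why `salt_auth_account_2_factory.username` is absent, and a line such as `# "<group>%" is external_auth's group-entry syntax; saltdev-auth-2 is authorised only via its saltops membership` keeps that visible. The four new session fixtures earlier in the section (`salt_auth_account_1_factory` through `salt_eauth_account_factory`) would likewise benefit from one-line docstrings naming the eauth backend and ACL each is meant for, since the names alone do not say that `saltdev-auth-1` gets only `test.*` while the netapi and eauth accounts also get `@wheel` and `@runner`. `salt_master_factory` starts and ends outside the hunks.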


@ -34,9 +34,19 @@ def load_auth(client_config):
return netapi.load_auth(client_config)
@pytest.fixture(scope="package")
def salt_netapi_account(salt_netapi_account_factory):
with salt_netapi_account_factory as account:
yield account
@pytest.fixture
def auth_creds():
return netapi.auth_creds()
def auth_creds(salt_netapi_account):
return {
"username": salt_netapi_account.username,
"password": salt_netapi_account.password,
"eauth": "auto",
}
@pytest.fixture


@ -9,21 +9,10 @@ pytestmark = [
]
@pytest.fixture(scope="module")
def netapi_account():
with pytest.helpers.create_account(
username="saltdev-netapi", password="saltdev"
) as account:
yield account
@pytest.fixture
def auth_creds(netapi_account):
return {
"username": netapi_account.username,
"password": netapi_account.password,
"eauth": "pam",
}
def auth_creds(auth_creds):
auth_creds["eauth"] = "pam"
return auth_creds
@pytest.mark.parametrize("service", ["chsh", "login"])
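Review bot: The overriding `auth_creds(auth_creds)` fixture mutates the dict it receives from the parent conftest in place (`auth_creds["eauth"] = "pam"`); that is safe only because both the parent `auth_creds` and this override are plain function-scoped `@pytest.fixture`s while the `salt_netapi_account` they derive from is package-scoped, so a later scope change on the parent would leak `"pam"` into the `"auto"` tests. Copying before changing, `creds = dict(auth_creds)` / `creds["eauth"] = "pam"` / `return creds`, removes the dependency on the parent fixture's scope. The same applies to the identical override in the second pam test module of this commit.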


@ -12,21 +12,10 @@ pytestmark = [
]
@pytest.fixture(scope="module")
def netapi_account():
with pytest.helpers.create_account(
username="saltdev-netapi", password="saltdev"
) as account:
yield account
@pytest.fixture
def auth_creds(netapi_account):
return {
"username": netapi_account.username,
"password": netapi_account.password,
"eauth": "pam",
}
def auth_creds(auth_creds):
auth_creds["eauth"] = "pam"
return auth_creds
@pytest.fixture


@ -0,0 +1,7 @@
import pytest
@pytest.fixture(scope="package")
def salt_eauth_account(salt_eauth_account_factory):
with salt_eauth_account_factory as account:
yield account


@ -1,14 +1,6 @@
"""
tests.integration.shell.auth
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"""
import logging
import pytest
import salt.utils.platform
import salt.utils.pycrypto
log = logging.getLogger(__name__)
@ -19,62 +11,20 @@ pytestmark = [
pytest.mark.skip_on_windows,
]
USERA = "saltdev-auth"
USERA_PWD = "saltdev"
@pytest.fixture(scope="module")
def salt_auth_account_1(salt_auth_account_1_factory):
with salt_auth_account_1_factory as account:
yield account
@pytest.fixture(scope="module")
def saltdev_account(sminion):
try:
assert sminion.functions.user.add(USERA, createhome=False)
assert sminion.functions.shadow.set_password(
USERA,
USERA_PWD
if salt.utils.platform.is_darwin()
else salt.utils.pycrypto.gen_hash(password=USERA_PWD),
)
assert USERA in sminion.functions.user.list_users()
# Run tests
yield
finally:
sminion.functions.user.delete(USERA, remove=True)
def salt_auth_account_2(salt_auth_account_2_factory):
with salt_auth_account_2_factory as account:
yield account
SALTOPS = "saltops"
@pytest.fixture(scope="module")
def saltops_group(sminion):
try:
assert sminion.functions.group.add(SALTOPS)
# Run tests
yield
finally:
sminion.functions.group.delete(SALTOPS)
USERB = "saltdev-adm"
USERB_PWD = USERA_PWD
@pytest.fixture(scope="module")
def saltadm_account(sminion, saltops_group):
try:
assert sminion.functions.user.add(USERB, groups=[SALTOPS], createhome=False)
assert sminion.functions.shadow.set_password(
USERB,
USERB_PWD
if salt.utils.platform.is_darwin()
else salt.utils.pycrypto.gen_hash(password=USERB_PWD),
)
assert USERB in sminion.functions.user.list_users()
# Run tests
yield
finally:
sminion.functions.user.delete(USERB, remove=True)
def test_pam_auth_valid_user(salt_minion, salt_cli, saltdev_account):
def test_pam_auth_valid_user(salt_minion, salt_cli, salt_auth_account_1):
"""
test that pam auth mechanism works with a valid user
"""
@ -83,9 +33,9 @@ def test_pam_auth_valid_user(salt_minion, salt_cli, saltdev_account):
"-a",
"pam",
"--username",
USERA,
salt_auth_account_1.username,
"--password",
USERA_PWD,
salt_auth_account_1.password,
"test.ping",
minion_tgt=salt_minion.id,
)
@ -93,7 +43,7 @@ def test_pam_auth_valid_user(salt_minion, salt_cli, saltdev_account):
assert ret.data is True
def test_pam_auth_invalid_user(salt_minion, salt_cli, saltdev_account):
def test_pam_auth_invalid_user(salt_minion, salt_cli):
"""
test pam auth mechanism errors for an invalid user
"""
@ -110,7 +60,7 @@ def test_pam_auth_invalid_user(salt_minion, salt_cli, saltdev_account):
assert ret.stdout == "Authentication error occurred."
def test_pam_auth_valid_group(salt_minion, salt_cli, saltadm_account):
def test_pam_auth_valid_group(salt_minion, salt_cli, salt_auth_account_2):
"""
test that pam auth mechanism works for a valid group
"""
@ -120,9 +70,9 @@ def test_pam_auth_valid_group(salt_minion, salt_cli, saltadm_account):
"-a",
"pam",
"--username",
USERB,
salt_auth_account_2.username,
"--password",
USERB_PWD,
salt_auth_account_2.password,
"test.ping",
minion_tgt=salt_minion.id,
)


@ -15,8 +15,6 @@ pytestmark = [
pytest.mark.windows_whitelisted,
]
USERA = "saltdev-key"
USERA_PWD = "saltdev"
PUB_KEY = textwrap.dedent(
"""\
-----BEGIN PUBLIC KEY-----
@ -32,23 +30,6 @@ PUB_KEY = textwrap.dedent(
)
@pytest.fixture(scope="module")
def saltdev_account(sminion):
try:
assert sminion.functions.user.add(USERA, createhome=False)
assert sminion.functions.shadow.set_password(
USERA,
USERA_PWD
if salt.utils.platform.is_darwin()
else salt.utils.pycrypto.gen_hash(password=USERA_PWD),
)
assert USERA in sminion.functions.user.list_users()
# Run tests
yield
finally:
sminion.functions.user.delete(USERA, remove=True)
def test_remove_key(salt_master, salt_key_cli):
"""
test salt-key -d usage
@ -94,7 +75,7 @@ def test_remove_key(salt_master, salt_key_cli):
@pytest.mark.skip_if_not_root
@pytest.mark.destructive_test
@pytest.mark.skip_on_windows(reason="PAM is not supported on Windows")
def test_remove_key_eauth(salt_key_cli, salt_master, saltdev_account):
def test_remove_key_eauth(salt_key_cli, salt_master, salt_eauth_account):
"""
test salt-key -d usage
"""
@ -120,9 +101,9 @@ def test_remove_key_eauth(salt_key_cli, salt_master, saltdev_account):
"--eauth",
"pam",
"--username",
USERA,
salt_eauth_account.username,
"--password",
USERA_PWD,
salt_eauth_account.password,
)
assert ret.returncode == 0
# We can't load JSON because we print to stdout!
@ -221,12 +202,19 @@ def test_list_acc(salt_key_cli, salt_minion, salt_sub_minion):
@pytest.mark.skip_if_not_root
@pytest.mark.destructive_test
@pytest.mark.skip_on_windows(reason="PAM is not supported on Windows")
def test_list_acc_eauth(salt_key_cli, saltdev_account, salt_minion, salt_sub_minion):
def test_list_acc_eauth(salt_key_cli, salt_minion, salt_sub_minion, salt_eauth_account):
"""
test salt-key -l with eauth
"""
ret = salt_key_cli.run(
"-l", "acc", "--eauth", "pam", "--username", USERA, "--password", USERA_PWD
"-l",
"acc",
"--eauth",
"pam",
"--username",
salt_eauth_account.username,
"--password",
salt_eauth_account.password,
)
assert ret.returncode == 0
expected = {"minions": [salt_minion.id, salt_sub_minion.id]}
@ -236,7 +224,7 @@ def test_list_acc_eauth(salt_key_cli, saltdev_account, salt_minion, salt_sub_min
@pytest.mark.skip_if_not_root
@pytest.mark.destructive_test
@pytest.mark.skip_on_windows(reason="PAM is not supported on Windows")
def test_list_acc_eauth_bad_creds(salt_key_cli, saltdev_account):
def test_list_acc_eauth_bad_creds(salt_key_cli, salt_eauth_account):
"""
test salt-key -l with eauth and bad creds
"""
@ -246,17 +234,19 @@ def test_list_acc_eauth_bad_creds(salt_key_cli, saltdev_account):
"--eauth",
"pam",
"--username",
USERA,
salt_eauth_account.username,
"--password",
"wrongpassword",
)
assert (
ret.stdout
== 'Authentication failure of type "eauth" occurred for user {}.'.format(USERA)
== 'Authentication failure of type "eauth" occurred for user {}.'.format(
salt_eauth_account.username
)
)
def test_list_acc_wrong_eauth(salt_key_cli):
def test_list_acc_wrong_eauth(salt_key_cli, salt_eauth_account):
"""
test salt-key -l with wrong eauth
"""
@ -266,9 +256,9 @@ def test_list_acc_wrong_eauth(salt_key_cli):
"--eauth",
"wrongeauth",
"--username",
USERA,
salt_eauth_account.username,
"--password",
USERA_PWD,
salt_eauth_account.password,
)
assert ret.returncode == 0, ret
assert re.search(
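Review bot: `test_list_acc_wrong_eauth` now requests `salt_eauth_account` but, unlike the three tests above it, carries no `skip_if_not_root` / `destructive_test` / `skip_on_windows` markers; if entering the account factory creates an OS user the way the removed `sminion.functions.user.add` fixture did, the test will error under an unprivileged or Windows run instead of being skipped as it was before. Since the test only checks that `wrongeauth` is rejected, it does not need a real account: keep the old fixture-free signature and pass a literal username and password, or add the same three markers as `test_list_acc_eauth_bad_creds`.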


@ -12,15 +12,6 @@ pytestmark = [
pytest.mark.windows_whitelisted,
]
USERA = "saltdev-runner"
USERA_PWD = "saltdev"
@pytest.fixture(scope="module")
def saltdev_account():
with pytest.helpers.create_account(username="saltdev-runner") as account:
yield account
@pytest.fixture
def salt_run_cli(salt_master):
@ -82,7 +73,7 @@ def test_exit_status_correct_usage(salt_run_cli):
@pytest.mark.skip_if_not_root
@pytest.mark.parametrize("flag", ["--auth", "--eauth", "--external-auth", "-a"])
@pytest.mark.skip_on_windows(reason="PAM is not supported on Windows")
def test_salt_run_with_eauth_all_args(salt_run_cli, saltdev_account, flag):
def test_salt_run_with_eauth_all_args(salt_run_cli, salt_eauth_account, flag):
"""
test salt-run with eauth
tests all eauth args
@ -91,9 +82,9 @@ def test_salt_run_with_eauth_all_args(salt_run_cli, saltdev_account, flag):
flag,
"pam",
"--username",
saltdev_account.username,
salt_eauth_account.username,
"--password",
saltdev_account.password,
salt_eauth_account.password,
"test.arg",
"arg",
kwarg="kwarg1",
@ -107,7 +98,7 @@ def test_salt_run_with_eauth_all_args(salt_run_cli, saltdev_account, flag):
@pytest.mark.skip_if_not_root
@pytest.mark.skip_on_windows(reason="PAM is not supported on Windows")
def test_salt_run_with_eauth_bad_passwd(salt_run_cli, saltdev_account):
def test_salt_run_with_eauth_bad_passwd(salt_run_cli, salt_eauth_account):
"""
test salt-run with eauth and bad password
"""
@ -115,7 +106,7 @@ def test_salt_run_with_eauth_bad_passwd(salt_run_cli, saltdev_account):
"-a",
"pam",
"--username",
saltdev_account.username,
salt_eauth_account.username,
"--password",
"wrongpassword",
"test.arg",
@ -125,13 +116,13 @@ def test_salt_run_with_eauth_bad_passwd(salt_run_cli, saltdev_account):
assert (
ret.stdout
== 'Authentication failure of type "eauth" occurred for user {}.'.format(
saltdev_account.username
salt_eauth_account.username
)
)
@pytest.mark.skip_if_not_root
def test_salt_run_with_wrong_eauth(salt_run_cli, saltdev_account):
def test_salt_run_with_wrong_eauth(salt_run_cli, salt_eauth_account):
"""
test salt-run with wrong eauth parameter
"""
@ -139,9 +130,9 @@ def test_salt_run_with_wrong_eauth(salt_run_cli, saltdev_account):
"-a",
"wrongeauth",
"--username",
saltdev_account.username,
salt_eauth_account.username,
"--password",
saltdev_account.password,
salt_eauth_account.password,
"test.arg",
"arg",
kwarg="kwarg1",


@ -28,9 +28,19 @@ def load_auth(client_config):
return netapi.load_auth(client_config)
@pytest.fixture(scope="package")
def salt_netapi_account(salt_netapi_account_factory):
with salt_netapi_account_factory as account:
yield account
@pytest.fixture
def auth_creds():
return netapi.auth_creds()
def auth_creds(salt_netapi_account):
return {
"username": salt_netapi_account.username,
"password": salt_netapi_account.password,
"eauth": "auto",
}
@pytest.fixture


@ -42,10 +42,14 @@ def webserver_handler(webserver):
@pytest.fixture(scope="module")
def saltdev_account():
with pytest.helpers.create_account(
username="saltdev-auth", password="saltdev"
) as account:
def salt_auth_account_1(salt_auth_account_1_factory):
with salt_auth_account_1_factory as account:
yield account
@pytest.fixture(scope="module")
def salt_auto_account(salt_auto_account_factory):
with salt_auto_account_factory as account:
yield account
@ -112,7 +116,9 @@ def test_ssh_authenticated_raw_shell_disabled(client, tmp_path):
assert badfile.exists() is False
def test_shell_inject_ssh_priv(client, salt_ssh_roster_file, rosters_dir, tmp_path):
def test_shell_inject_ssh_priv(
client, salt_ssh_roster_file, rosters_dir, tmp_path, salt_auto_account
):
"""
Verify CVE-2020-16846 for ssh_priv variable
"""
@ -127,8 +133,8 @@ def test_shell_inject_ssh_priv(client, salt_ssh_roster_file, rosters_dir, tmp_pa
"ssh_priv": "aaa|id>{} #".format(path),
"fun": "test.ping",
"eauth": "auto",
"username": "saltdev_auto",
"password": "saltdev",
"username": salt_auto_account.username,
"password": salt_auto_account.password,
"roster_file": str(salt_ssh_roster_file),
"rosters": [rosters_dir],
}
@ -140,7 +146,7 @@ def test_shell_inject_ssh_priv(client, salt_ssh_roster_file, rosters_dir, tmp_pa
assert ret[tgt]["stderr"]
def test_shell_inject_tgt(client, salt_ssh_roster_file, tmp_path):
def test_shell_inject_tgt(client, salt_ssh_roster_file, tmp_path, salt_auto_account):
"""
Verify CVE-2020-16846 for tgt variable
"""
@ -154,8 +160,8 @@ def test_shell_inject_tgt(client, salt_ssh_roster_file, tmp_path):
"rosters": "/",
"fun": "test.ping",
"eauth": "auto",
"username": "saltdev_auto",
"password": "saltdev",
"username": salt_auto_account.username,
"password": salt_auto_account.password,
"ignore_host_keys": True,
}
ret = client.run(low)
@ -164,7 +170,9 @@ def test_shell_inject_tgt(client, salt_ssh_roster_file, tmp_path):
assert ret["127.0.0.1"]["stderr"]
def test_shell_inject_ssh_options(client, salt_ssh_roster_file, tmp_path):
def test_shell_inject_ssh_options(
client, salt_ssh_roster_file, tmp_path, salt_auto_account
):
"""
Verify CVE-2020-16846 for ssh_options
"""
@ -177,8 +185,8 @@ def test_shell_inject_ssh_options(client, salt_ssh_roster_file, tmp_path):
"renderer": "jinja|yaml",
"fun": "test.ping",
"eauth": "auto",
"username": "saltdev_auto",
"password": "saltdev",
"username": salt_auto_account.username,
"password": salt_auto_account.password,
"roster_file": str(salt_ssh_roster_file),
"rosters": "/",
"ssh_options": ["|id>{} #".format(path), "lol"],
@ -189,7 +197,9 @@ def test_shell_inject_ssh_options(client, salt_ssh_roster_file, tmp_path):
assert ret["127.0.0.1"]["stderr"]
def test_shell_inject_ssh_port(client, salt_ssh_roster_file, tmp_path):
def test_shell_inject_ssh_port(
client, salt_ssh_roster_file, tmp_path, salt_auto_account
):
"""
Verify CVE-2020-16846 for ssh_port variable
"""
@ -202,8 +212,8 @@ def test_shell_inject_ssh_port(client, salt_ssh_roster_file, tmp_path):
"renderer": "jinja|yaml",
"fun": "test.ping",
"eauth": "auto",
"username": "saltdev_auto",
"password": "saltdev",
"username": salt_auto_account.username,
"password": salt_auto_account.password,
"roster_file": str(salt_ssh_roster_file),
"rosters": "/",
"ssh_port": "hhhhh|id>{} #".format(path),
@ -215,7 +225,9 @@ def test_shell_inject_ssh_port(client, salt_ssh_roster_file, tmp_path):
assert ret["127.0.0.1"]["stderr"]
def test_shell_inject_remote_port_forwards(client, salt_ssh_roster_file, tmp_path):
def test_shell_inject_remote_port_forwards(
client, salt_ssh_roster_file, tmp_path, salt_auto_account
):
"""
Verify CVE-2020-16846 for remote_port_forwards variable
"""
@ -231,8 +243,8 @@ def test_shell_inject_remote_port_forwards(client, salt_ssh_roster_file, tmp_pat
"rosters": "/",
"ssh_remote_port_forwards": "hhhhh|id>{} #, lol".format(path),
"eauth": "auto",
"username": "saltdev_auto",
"password": "saltdev",
"username": salt_auto_account.username,
"password": salt_auto_account.password,
"ignore_host_keys": True,
}
ret = client.run(low)
@ -241,7 +253,7 @@ def test_shell_inject_remote_port_forwards(client, salt_ssh_roster_file, tmp_pat
assert ret["127.0.0.1"]["stderr"]
def test_extra_mods(client, ssh_priv_key, rosters_dir, tmp_path, saltdev_account):
def test_extra_mods(client, ssh_priv_key, rosters_dir, tmp_path, salt_auth_account_1):
"""
validate input from extra_mods
"""
@ -254,8 +266,8 @@ def test_extra_mods(client, ssh_priv_key, rosters_dir, tmp_path, saltdev_account
"rosters": [rosters_dir],
"ssh_priv": ssh_priv_key,
"eauth": "pam",
"username": saltdev_account.username,
"password": saltdev_account.password,
"username": salt_auth_account_1.username,
"password": salt_auth_account_1.password,
"regen_thin": True,
"thin_extra_mods": "';touch {};'".format(path),
}
@ -286,7 +298,7 @@ def test_ssh_auth_bypass(client, salt_ssh_roster_file):
client.run(low)
def test_ssh_auth_valid(client, ssh_priv_key, rosters_dir, saltdev_account):
def test_ssh_auth_valid(client, ssh_priv_key, rosters_dir, salt_auth_account_1):
"""
CVE-2020-25592 - Valid eauth works as expected.
"""
@ -298,8 +310,8 @@ def test_ssh_auth_valid(client, ssh_priv_key, rosters_dir, saltdev_account):
"rosters": [rosters_dir],
"ssh_priv": ssh_priv_key,
"eauth": "pam",
"username": saltdev_account.username,
"password": saltdev_account.password,
"username": salt_auth_account_1.username,
"password": salt_auth_account_1.password,
}
ret = client.run(low)
assert "localhost" in ret
@ -307,7 +319,7 @@ def test_ssh_auth_valid(client, ssh_priv_key, rosters_dir, saltdev_account):
assert ret["localhost"]["return"] is True
def test_ssh_auth_invalid(client, rosters_dir, ssh_priv_key, saltdev_account):
def test_ssh_auth_invalid(client, rosters_dir, ssh_priv_key, salt_auth_account_1):
"""
CVE-2020-25592 - Wrong password raises exception.
"""
@ -319,14 +331,14 @@ def test_ssh_auth_invalid(client, rosters_dir, ssh_priv_key, saltdev_account):
"rosters": [rosters_dir],
"ssh_priv": ssh_priv_key,
"eauth": "pam",
"username": saltdev_account.username,
"username": salt_auth_account_1.username,
"password": "notvalidpassword",
}
with pytest.raises(EauthAuthenticationError):
client.run(low)
def test_ssh_auth_invalid_acl(client, rosters_dir, ssh_priv_key, saltdev_account):
def test_ssh_auth_invalid_acl(client, rosters_dir, ssh_priv_key, salt_auth_account_1):
"""
CVE-2020-25592 - Eauth ACL enforced.
"""
@ -339,21 +351,21 @@ def test_ssh_auth_invalid_acl(client, rosters_dir, ssh_priv_key, saltdev_account
"rosters": [rosters_dir],
"ssh_priv": ssh_priv_key,
"eauth": "pam",
"username": saltdev_account.username,
"username": salt_auth_account_1.username,
"password": "notvalidpassword",
}
with pytest.raises(EauthAuthenticationError):
client.run(low)
def test_ssh_auth_token(client, rosters_dir, ssh_priv_key, saltdev_account):
def test_ssh_auth_token(client, rosters_dir, ssh_priv_key, salt_auth_account_1):
"""
CVE-2020-25592 - Eauth tokens work as expected.
"""
low = {
"eauth": "pam",
"username": saltdev_account.username,
"password": saltdev_account.password,
"username": salt_auth_account_1.username,
"password": salt_auth_account_1.password,
}
ret = client.loadauth.mk_token(low)
assert "token" in ret
@ -375,14 +387,14 @@ def test_ssh_auth_token(client, rosters_dir, ssh_priv_key, saltdev_account):
def test_ssh_cve_2021_3197_a(
client, rosters_dir, ssh_priv_key, saltdev_account, tmp_path
client, rosters_dir, ssh_priv_key, salt_auth_account_1, tmp_path
):
exploited_path = tmp_path / "exploited"
assert exploited_path.exists() is False
low = {
"eauth": "auto",
"username": saltdev_account.username,
"password": saltdev_account.password,
"username": salt_auth_account_1.username,
"password": salt_auth_account_1.password,
"client": "ssh",
"tgt": "localhost",
"fun": "test.ping",
@ -398,14 +410,14 @@ def test_ssh_cve_2021_3197_a(
def test_ssh_cve_2021_3197_b(
client, rosters_dir, ssh_priv_key, saltdev_account, tmp_path
client, rosters_dir, ssh_priv_key, salt_auth_account_1, tmp_path
):
exploited_path = tmp_path / "exploited"
assert exploited_path.exists() is False
low = {
"eauth": "auto",
"username": saltdev_account.username,
"password": saltdev_account.password,
"username": salt_auth_account_1.username,
"password": salt_auth_account_1.password,
"client": "ssh",
"tgt": "localhost",
"fun": "test.ping",


@ -104,14 +104,6 @@ def load_auth(client_config):
return salt.auth.LoadAuth(client_config)
def auth_creds():
return {
"username": "saltdev_api",
"password": "saltdev",
"eauth": "auto",
}
def auth_token(load_auth, auth_creds):
"""
Mint and return a valid token for auth_creds