Use verify_image function as a helper for generic tests
Related: rhbz#1704209
This commit is contained in:
parent
59793f9889
commit
0980ddfc54
44
tests/cli/lib/lib.sh
Executable file
44
tests/cli/lib/lib.sh
Executable file
@ -0,0 +1,44 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
# a generic helper function unifying the specific checks executed on a running
|
||||
# image instance
|
||||
verify_image() {
|
||||
SSH_USER="$1"
|
||||
SSH_MACHINE="$2"
|
||||
SSH_OPTS="-o StrictHostKeyChecking=no $3"
|
||||
rlLogInfo "verify_image: SSH_OPTS:'$SSH_OPTS' SSH_USER:'$SSH_USER' SSH_MACHINE: '$SSH_MACHINE'"
|
||||
check_root_account "$@"
|
||||
}
|
||||
|
||||
check_root_account() {
|
||||
# Try to SSH to a remote machine first using root account using password-based
|
||||
# auth (this is expected to fail) and then using key-based auth with the
|
||||
# supplied username to check content of /etc/shadow and audit.log.
|
||||
#
|
||||
# use: check_root_account <user> <machine> [ssh options]
|
||||
|
||||
ROOT_ACCOUNT_LOCKED=${ROOT_ACCOUNT_LOCKED:-1}
|
||||
if [[ "$SSH_USER" == "" || "$SSH_MACHINE" == "" ]]; then
|
||||
rlFail "check_root_account: Missing user or machine parameter."
|
||||
return 1
|
||||
fi
|
||||
|
||||
if [ $ROOT_ACCOUNT_LOCKED == 0 ]; then
|
||||
rlRun -t -c "ssh $SSH_OPTS ${SSH_USER}@${SSH_MACHINE} \"sudo grep '^root::' /etc/shadow\"" \
|
||||
0 "Password for root account in /etc/shadow is empty"
|
||||
else
|
||||
# ssh returns 255 in case of any ssh error, so it's better to grep the specific error message
|
||||
rlRun -t -c "ssh $SSH_OPTS -o PubkeyAuthentication=no root@${SSH_MACHINE} 2>&1 | grep -i 'permission denied ('" \
|
||||
0 "Can't ssh to '$SSH_MACHINE' as root using password-based auth"
|
||||
rlRun -t -c "ssh $SSH_OPTS ${SSH_USER}@${SSH_MACHINE} \"sudo grep -E '^root:(\*LOCK\*|!):' /etc/shadow\"" \
|
||||
0 "root account is disabled in /etc/shadow"
|
||||
rlRun -t -c "ssh $SSH_OPTS ${SSH_USER}@${SSH_MACHINE} \"sudo grep 'USER_LOGIN.*acct=\\\"root\\\".*terminal=ssh.*res=failed' /var/log/audit/audit.log\"" \
|
||||
0 "audit.log contains entry about unsuccessful root login"
|
||||
# We modify the default sshd settings on live ISO, so we can only check the default empty password setting
|
||||
# outside of live ISO
|
||||
rlRun -t -c "ssh $SSH_OPTS ${SSH_USER}@${SSH_MACHINE} 'sudo grep -E \"^[[:blank:]]*PermitEmptyPasswords[[:blank:]]*yes\" /etc/ssh/sshd_config'" 1 \
|
||||
"Login with empty passwords is disabled in sshd config file"
|
||||
fi
|
||||
rlRun -t -c "ssh $SSH_OPTS ${SSH_USER}@${SSH_MACHINE} 'cat /etc/redhat-release'"
|
||||
}
|
||||
|
@ -1,38 +0,0 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
check_root_account() {
|
||||
# Try to SSH to a remote machine first using root account using password-based
|
||||
# auth (this is expected to fail) and then using key-based auth with the
|
||||
# supplied username to check content of /etc/shadow and audit.log.
|
||||
#
|
||||
# use: check_root_account <user> <machine> [ssh options]
|
||||
|
||||
local ssh_opts="-o StrictHostKeyChecking=no $3"
|
||||
local user="$1"
|
||||
local machine="$2"
|
||||
ROOT_ACCOUNT_LOCKED=${ROOT_ACCOUNT_LOCKED:-1}
|
||||
if [[ "$user" == "" || "$machine" == "" ]]; then
|
||||
rlFail "check_root_account: Missing user or machine parameter."
|
||||
return 1
|
||||
fi
|
||||
|
||||
if [ $ROOT_ACCOUNT_LOCKED == 0 ]; then
|
||||
rlRun -t -c "ssh $ssh_opts ${user}@${machine} \"sudo grep '^root::' /etc/shadow\"" \
|
||||
0 "Password for root account in /etc/shadow is empty"
|
||||
else
|
||||
# ssh returns 255 in case of any ssh error, so it's better to grep the specific error message
|
||||
rlRun -t -c "ssh $ssh_opts -o PubkeyAuthentication=no root@${machine} 2>&1 | grep -i 'permission denied ('" \
|
||||
0 "Can't ssh to '$machine' as root using password-based auth"
|
||||
rlRun -t -c "ssh $ssh_opts ${user}@${machine} \"sudo grep -E '^root:(\*LOCK\*|!):' /etc/shadow\"" \
|
||||
0 "root account is disabled in /etc/shadow"
|
||||
rlRun -t -c "ssh $ssh_opts ${user}@${machine} \"sudo grep 'USER_LOGIN.*acct=\\\"root\\\".*terminal=ssh.*res=failed' /var/log/audit/audit.log\"" \
|
||||
0 "audit.log contains entry about unsuccessful root login"
|
||||
# We modify the default sshd settings on live ISO, so we can only check the default empty password setting
|
||||
# outside of live ISO
|
||||
rlRun -t -c "ssh $ssh_opts ${user}@${machine} 'sudo grep -E \"^[[:blank:]]*PermitEmptyPasswords[[:blank:]]*yes\" /etc/ssh/sshd_config'" 1 \
|
||||
"Login with empty passwords is disabled in sshd config file"
|
||||
fi
|
||||
rlRun -t -c "ssh $ssh_opts ${user}@${machine} 'cat /etc/redhat-release'"
|
||||
|
||||
}
|
||||
|
@ -8,6 +8,7 @@
|
||||
#####
|
||||
|
||||
. /usr/share/beakerlib/beakerlib.sh
|
||||
. ./tests/cli/lib/lib.sh
|
||||
|
||||
CLI="${CLI:-./src/bin/composer-cli}"
|
||||
|
||||
@ -186,9 +187,8 @@ __EOF__
|
||||
CLOUD_USER="fedora"
|
||||
fi
|
||||
|
||||
# verify we can login into that instance and root account is disabled
|
||||
. ./tests/cli/lib/root_account.sh
|
||||
check_root_account $CLOUD_USER $IP_ADDRESS "-i $SSH_KEY_DIR/id_rsa"
|
||||
# run generic tests to verify the instance
|
||||
verify_image "$CLOUD_USER" "$IP_ADDRESS" "-i $SSH_KEY_DIR/id_rsa"
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartCleanup
|
||||
|
@ -8,6 +8,7 @@
|
||||
#####
|
||||
|
||||
. /usr/share/beakerlib/beakerlib.sh
|
||||
. ./tests/cli/lib/lib.sh
|
||||
|
||||
CLI="${CLI:-./src/bin/composer-cli}"
|
||||
|
||||
@ -142,9 +143,8 @@ __EOF__
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartTest "Verify VM instance"
|
||||
# verify we can login into that instance and root account is disabled
|
||||
. ./tests/cli/lib/root_account.sh
|
||||
check_root_account azure-user $IP_ADDRESS "-i $SSH_KEY_DIR/id_rsa"
|
||||
# run generic tests to verify the instance
|
||||
verify_image azure-user "$IP_ADDRESS" "-i $SSH_KEY_DIR/id_rsa"
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartCleanup
|
||||
|
@ -8,6 +8,7 @@
|
||||
#####
|
||||
|
||||
. /usr/share/beakerlib/beakerlib.sh
|
||||
. ./tests/cli/lib/lib.sh
|
||||
|
||||
|
||||
CLI="${CLI:-./src/bin/composer-cli}"
|
||||
@ -123,9 +124,8 @@ __EOF__
|
||||
CLOUD_USER="fedora"
|
||||
fi
|
||||
|
||||
# verify we can login into that instance and root account is disabled
|
||||
. ./tests/cli/lib/root_account.sh
|
||||
check_root_account $CLOUD_USER $IP_ADDRESS "-i $SSH_KEY_DIR/id_rsa"
|
||||
# run generic tests to verify the instance
|
||||
verify_image "$CLOUD_USER" "$IP_ADDRESS" "-i $SSH_KEY_DIR/id_rsa"
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartCleanup
|
||||
|
@ -8,6 +8,7 @@
|
||||
#####
|
||||
|
||||
. /usr/share/beakerlib/beakerlib.sh
|
||||
. ./tests/cli/lib/lib.sh
|
||||
|
||||
CLI="${CLI:-./src/bin/composer-cli}"
|
||||
|
||||
@ -141,9 +142,8 @@ __EOF__
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartTest "Verify VM instance"
|
||||
# verify we can login into that instance and root account is disabled
|
||||
. ./tests/cli/lib/root_account.sh
|
||||
check_root_account root $IP_ADDRESS "-i $SSH_KEY_DIR/id_rsa"
|
||||
# run generic tests to verify the instance
|
||||
verify_image root "$IP_ADDRESS" "-i $SSH_KEY_DIR/id_rsa"
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartCleanup
|
||||
|
@ -8,6 +8,7 @@
|
||||
#####
|
||||
|
||||
. /usr/share/beakerlib/beakerlib.sh
|
||||
. ./tests/cli/lib/lib.sh
|
||||
|
||||
CLI="${CLI:-./src/bin/composer-cli}"
|
||||
QEMU="/usr/libexec/qemu-kvm"
|
||||
@ -50,9 +51,8 @@ rlJournalStart
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartTest "Verify VM instance"
|
||||
# verify we can login into that instance *WITHOUT* a password
|
||||
. ./tests/cli/lib/root_account.sh
|
||||
ROOT_ACCOUNT_LOCKED=0 check_root_account root localhost "-p 2222"
|
||||
# run generic tests to verify the instance
|
||||
ROOT_ACCOUNT_LOCKED=0 verify_image root localhost "-p 2222"
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartCleanup
|
||||
|
@ -8,6 +8,7 @@
|
||||
#####
|
||||
|
||||
. /usr/share/beakerlib/beakerlib.sh
|
||||
. ./tests/cli/lib/lib.sh
|
||||
|
||||
CLI="${CLI:-./src/bin/composer-cli}"
|
||||
QEMU="/usr/libexec/qemu-kvm"
|
||||
@ -73,9 +74,8 @@ __EOF__
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartTest "Verify VM instance"
|
||||
# verify we can login into that instance and root account is disabled
|
||||
. ./tests/cli/lib/root_account.sh
|
||||
check_root_account root localhost "-i $SSH_KEY_DIR/id_rsa -p 2222"
|
||||
# run generic tests to verify the instance
|
||||
verify_image root localhost "-i $SSH_KEY_DIR/id_rsa -p 2222"
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartCleanup
|
||||
|
Loading…
Reference in New Issue
Block a user