From 596cba2255d5b7abeee201ce3c261af693c7ee5f Mon Sep 17 00:00:00 2001
From: Jiri Kortus
Date: Wed, 17 Apr 2019 16:12:12 +0200
Subject: [PATCH] Use verify_image function as a helper for generic tests
---
tests/cli/lib/lib.sh | 44 ++++++++++++++++++++
tests/cli/lib/root_account.sh | 38 -----------------
tests/cli/test_build_and_deploy_aws.sh | 6 +--
tests/cli/test_build_and_deploy_azure.sh | 6 +--
tests/cli/test_build_and_deploy_openstack.sh | 6 +--
tests/cli/test_build_and_deploy_vmware.sh | 6 +--
tests/cli/test_compose_live-iso.sh | 6 +--
tests/cli/test_compose_qcow2.sh | 6 +--
8 files changed, 62 insertions(+), 56 deletions(-)
create mode 100755 tests/cli/lib/lib.sh
delete mode 100755 tests/cli/lib/root_account.sh
diff --git a/tests/cli/lib/lib.sh b/tests/cli/lib/lib.sh
new file mode 100755
index 00000000..02e7d705
--- /dev/null
+++ b/tests/cli/lib/lib.sh
@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+
+# a generic helper function unifying the specific checks executed on a running
+# image instance
+verify_image() {
+ SSH_USER="$1"
+ SSH_MACHINE="$2"
+ SSH_OPTS="-o StrictHostKeyChecking=no $3"
+ rlLogInfo "verify_image: SSH_OPTS:'$SSH_OPTS' SSH_USER:'$SSH_USER' SSH_MACHINE: '$SSH_MACHINE'"
+ check_root_account "$@"
+}
+
+check_root_account() {
+# Try to SSH to a remote machine first using root account using password-based
+# auth (this is expected to fail) and then using key-based auth with the
+# supplied username to check content of /etc/shadow and audit.log.
+#
+# use: check_root_account [ssh options]
+
+ ROOT_ACCOUNT_LOCKED=${ROOT_ACCOUNT_LOCKED:-1}
+ if [[ "$SSH_USER" == "" || "$SSH_MACHINE" == "" ]]; then
+ rlFail "check_root_account: Missing user or machine parameter."
+ return 1
+ fi
+
+ if [ $ROOT_ACCOUNT_LOCKED == 0 ]; then
+ rlRun -t -c "ssh $SSH_OPTS ${SSH_USER}@${SSH_MACHINE} \"sudo grep '^root::' /etc/shadow\"" \
+ 0 "Password for root account in /etc/shadow is empty"
+ else
+ # ssh returns 255 in case of any ssh error, so it's better to grep the specific error message
+ rlRun -t -c "ssh $SSH_OPTS -o PubkeyAuthentication=no root@${SSH_MACHINE} 2>&1 | grep -i 'permission denied ('" \
+ 0 "Can't ssh to '$SSH_MACHINE' as root using password-based auth"
+ rlRun -t -c "ssh $SSH_OPTS ${SSH_USER}@${SSH_MACHINE} \"sudo grep -E '^root:(\*LOCK\*|!):' /etc/shadow\"" \
+ 0 "root account is disabled in /etc/shadow"
+ rlRun -t -c "ssh $SSH_OPTS ${SSH_USER}@${SSH_MACHINE} \"sudo grep 'USER_LOGIN.*acct=\\\"root\\\".*terminal=ssh.*res=failed' /var/log/audit/audit.log\"" \
+ 0 "audit.log contains entry about unsuccessful root login"
+ # We modify the default sshd settings on live ISO, so we can only check the default empty password setting
+ # outside of live ISO
+ rlRun -t -c "ssh $SSH_OPTS ${SSH_USER}@${SSH_MACHINE} 'sudo grep -E \"^[[:blank:]]*PermitEmptyPasswords[[:blank:]]*yes\" /etc/ssh/sshd_config'" 1 \
+ "Login with empty passwords is disabled in sshd config file"
+ fi
+ rlRun -t -c "ssh $SSH_OPTS ${SSH_USER}@${SSH_MACHINE} 'cat /etc/redhat-release'"
+}
+
diff --git a/tests/cli/lib/root_account.sh b/tests/cli/lib/root_account.sh
deleted file mode 100755
index c86b8b1a..00000000
--- a/tests/cli/lib/root_account.sh
+++ /dev/null
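Review bot: `check_root_account` in the new tests/cli/lib/lib.sh no longer reads its own arguments: `verify_image` calls it with `"$@"`, but the body takes user, machine and options from the globals `SSH_USER`, `SSH_MACHINE` and `SSH_OPTS`, which were `local` in the removed file. A direct call, as the `# use:` comment still describes, would ignore what it is given and run the root-account checks against whatever host an earlier `verify_image` call left in those globals, and the missing-parameter guard would not notice. Either drop the `"$@"` and replace the usage line with `# reads SSH_USER, SSH_MACHINE and SSH_OPTS set by verify_image`, or read `$1`/`$2`/`$3` in `check_root_account` again. Separately, the password-auth probe only greps for `permission denied (`, which appears to match any failed login attempt rather than prove password login is refused, so a one-line comment noting that the `/etc/shadow` check is the one that establishes the lock would help the next reader.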
@@ -1,38 +0,0 @@
-#!/usr/bin/env bash
-
-check_root_account() {
-# Try to SSH to a remote machine first using root account using password-based
-# auth (this is expected to fail) and then using key-based auth with the
-# supplied username to check content of /etc/shadow and audit.log.
-#
-# use: check_root_account [ssh options]
-
- local ssh_opts="-o StrictHostKeyChecking=no $3"
- local user="$1"
- local machine="$2"
- ROOT_ACCOUNT_LOCKED=${ROOT_ACCOUNT_LOCKED:-1}
- if [[ "$user" == "" || "$machine" == "" ]]; then
- rlFail "check_root_account: Missing user or machine parameter."
- return 1
- fi
-
- if [ $ROOT_ACCOUNT_LOCKED == 0 ]; then
- rlRun -t -c "ssh $ssh_opts ${user}@${machine} \"sudo grep '^root::' /etc/shadow\"" \
- 0 "Password for root account in /etc/shadow is empty"
- else
- # ssh returns 255 in case of any ssh error, so it's better to grep the specific error message
- rlRun -t -c "ssh $ssh_opts -o PubkeyAuthentication=no root@${machine} 2>&1 | grep -i 'permission denied ('" \
- 0 "Can't ssh to '$machine' as root using password-based auth"
- rlRun -t -c "ssh $ssh_opts ${user}@${machine} \"sudo grep -E '^root:(\*LOCK\*|!):' /etc/shadow\"" \
- 0 "root account is disabled in /etc/shadow"
- rlRun -t -c "ssh $ssh_opts ${user}@${machine} \"sudo grep 'USER_LOGIN.*acct=\\\"root\\\".*terminal=ssh.*res=failed' /var/log/audit/audit.log\"" \
- 0 "audit.log contains entry about unsuccessful root login"
- # We modify the default sshd settings on live ISO, so we can only check the default empty password setting
- # outside of live ISO
- rlRun -t -c "ssh $ssh_opts ${user}@${machine} 'sudo grep -E \"^[[:blank:]]*PermitEmptyPasswords[[:blank:]]*yes\" /etc/ssh/sshd_config'" 1 \
- "Login with empty passwords is disabled in sshd config file"
- fi
- rlRun -t -c "ssh $ssh_opts ${user}@${machine} 'cat /etc/redhat-release'"
-
-}
-
diff --git a/tests/cli/test_build_and_deploy_aws.sh b/tests/cli/test_build_and_deploy_aws.sh
index 31c1a912..3575c9f2 100755
--- a/tests/cli/test_build_and_deploy_aws.sh +++ b/tests/cli/test_build_and_deploy_aws.sh @@ -8,6 +8,7 @@ ##### . /usr/share/beakerlib/beakerlib.sh +. ./tests/cli/lib/lib.sh CLI="${CLI:-./src/bin/composer-cli}" @@ -185,9 +186,8 @@ __EOF__ CLOUD_USER="fedora" fi - # verify we can login into that instance and root account is disabled - . ./tests/cli/lib/root_account.sh - check_root_account $CLOUD_USER $IP_ADDRESS "-i $SSH_KEY_DIR/id_rsa" + # run generic tests to verify the instance + verify_image "$CLOUD_USER" "$IP_ADDRESS" "-i $SSH_KEY_DIR/id_rsa" rlPhaseEnd rlPhaseStartCleanup diff --git a/tests/cli/test_build_and_deploy_azure.sh b/tests/cli/test_build_and_deploy_azure.sh index 4ba3b6d2..ddffcaf5 100755 --- a/tests/cli/test_build_and_deploy_azure.sh +++ b/tests/cli/test_build_and_deploy_azure.sh @@ -8,6 +8,7 @@ ##### . /usr/share/beakerlib/beakerlib.sh +. ./tests/cli/lib/lib.sh CLI="${CLI:-./src/bin/composer-cli}" @@ -139,9 +140,8 @@ __EOF__ rlPhaseEnd rlPhaseStartTest "Verify VM instance" - # verify we can login into that instance and root account is disabled - . ./tests/cli/lib/root_account.sh - check_root_account azure-user $IP_ADDRESS "-i $SSH_KEY_DIR/id_rsa" + # run generic tests to verify the instance + verify_image azure-user "$IP_ADDRESS" "-i $SSH_KEY_DIR/id_rsa" rlPhaseEnd rlPhaseStartCleanup diff --git a/tests/cli/test_build_and_deploy_openstack.sh b/tests/cli/test_build_and_deploy_openstack.sh index f3f01988..5c0550ac 100755 --- a/tests/cli/test_build_and_deploy_openstack.sh +++ b/tests/cli/test_build_and_deploy_openstack.sh @@ -8,6 +8,7 @@ ##### . /usr/share/beakerlib/beakerlib.sh +. ./tests/cli/lib/lib.sh CLI="${CLI:-./src/bin/composer-cli}" 
@@ -118,9 +119,8 @@ __EOF__ CLOUD_USER="fedora" fi - # verify we can login into that instance and root account is disabled - . ./tests/cli/lib/root_account.sh - check_root_account $CLOUD_USER $IP_ADDRESS "-i $SSH_KEY_DIR/id_rsa" + # run generic tests to verify the instance + verify_image "$CLOUD_USER" "$IP_ADDRESS" "-i $SSH_KEY_DIR/id_rsa" rlPhaseEnd rlPhaseStartCleanup diff --git a/tests/cli/test_build_and_deploy_vmware.sh b/tests/cli/test_build_and_deploy_vmware.sh index 9a5a66d9..cbc515ea 100755 --- a/tests/cli/test_build_and_deploy_vmware.sh +++ b/tests/cli/test_build_and_deploy_vmware.sh @@ -8,6 +8,7 @@ ##### . /usr/share/beakerlib/beakerlib.sh +. ./tests/cli/lib/lib.sh CLI="${CLI:-./src/bin/composer-cli}" @@ -140,9 +141,8 @@ __EOF__ rlPhaseEnd rlPhaseStartTest "Verify VM instance" - # verify we can login into that instance and root account is disabled - . ./tests/cli/lib/root_account.sh - check_root_account root $IP_ADDRESS "-i $SSH_KEY_DIR/id_rsa" + # run generic tests to verify the instance + verify_image root "$IP_ADDRESS" "-i $SSH_KEY_DIR/id_rsa" rlPhaseEnd rlPhaseStartCleanup diff --git a/tests/cli/test_compose_live-iso.sh b/tests/cli/test_compose_live-iso.sh index 63eeb889..aac27330 100755 --- a/tests/cli/test_compose_live-iso.sh +++ b/tests/cli/test_compose_live-iso.sh @@ -8,6 +8,7 @@ ##### . /usr/share/beakerlib/beakerlib.sh +. ./tests/cli/lib/lib.sh CLI="${CLI:-./src/bin/composer-cli}" QEMU="/usr/bin/qemu-kvm" @@ -50,9 +51,8 @@ rlJournalStart rlPhaseEnd rlPhaseStartTest "Verify VM instance" - # verify we can login into that instance *WITHOUT* a password - . ./tests/cli/lib/root_account.sh - ROOT_ACCOUNT_LOCKED=0 check_root_account root localhost "-p 2222" + # run generic tests to verify the instance + ROOT_ACCOUNT_LOCKED=0 verify_image root localhost "-p 2222" rlPhaseEnd rlPhaseStartCleanup diff --git a/tests/cli/test_compose_qcow2.sh b/tests/cli/test_compose_qcow2.sh index 6ede23c1..48b58e4a 100755 --- a/tests/cli/test_compose_qcow2.sh 
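Review bot: In the tests/cli/test_compose_live-iso.sh hunk at -50,9 the new comment `# run generic tests to verify the instance` drops the only explanation of why this call sets `ROOT_ACCOUNT_LOCKED=0`; the removed comment said the login is expected to work *WITHOUT* a password. With that flag the helper asserts an empty root password in /etc/shadow and skips the locked-account, audit.log and PermitEmptyPasswords checks, so the weaker expectation should stay visible at the call site. Something like `# live ISO: root is expected to have an empty password, so ROOT_ACCOUNT_LOCKED=0 skips the locked-account checks` would keep that intent, assuming the empty password on the live ISO is deliberate.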
+++ b/tests/cli/test_compose_qcow2.sh @@ -8,6 +8,7 @@ ##### . /usr/share/beakerlib/beakerlib.sh +. ./tests/cli/lib/lib.sh CLI="${CLI:-./src/bin/composer-cli}" QEMU="/usr/bin/qemu-kvm" @@ -73,9 +74,8 @@ __EOF__ rlPhaseEnd rlPhaseStartTest "Verify VM instance" - # verify we can login into that instance and root account is disabled - . ./tests/cli/lib/root_account.sh - check_root_account root localhost "-i $SSH_KEY_DIR/id_rsa -p 2222" + # run generic tests to verify the instance + verify_image root localhost "-i $SSH_KEY_DIR/id_rsa -p 2222" rlPhaseEnd rlPhaseStartCleanup