diff --git a/.github/workflows/freebsd.yml b/.github/workflows/freebsd.yml
index 4ba2b147e..0d71415d6 100644
--- a/.github/workflows/freebsd.yml
+++ b/.github/workflows/freebsd.yml
@@ -6,31 +6,58 @@ on:
 jobs:
 freebsd:
- runs-on: macos-12
+ runs-on: ubuntu-latest
 name: FreeBSD
- if: ${{ contains(github.event.pull_request.labels.*.name, 'tests:full') || contains(github.event.pull_request.labels.*.name, 'tests:long') || contains(github.event.pull_request.labels.*.name, 'tests:freebsd') }}
+ timeout-minutes: 180
+ if: ${{ contains(github.event.pull_request.labels.*.name, 'tests:freebsd') }}
 steps:
 - uses: actions/checkout@v4
 with:
 persist-credentials: false
 - name: Functional tests under FreeBSD
- uses: vmactions/freebsd-vm@v0
+ uses: cross-platform-actions/action@master
 with:
- usesh: true
- sync: sshfs
+ operating_system: freebsd
+ version: '13.2'
+ shell: bash
+ sync_files: runner-to-vm
 run: |
- set -ex
+ # source this to get the $SSH_DIR var properly filled
+ source lib/shell/functions.inc
+ # a few debug commands
+ set -exu
 freebsd-version
- mount -o acls /
- pkg install -y bash rsync ca_root_nss jq fping screen flock curl
- mkdir -p /opt/bastion
- rsync -a . /opt/bastion/
- /opt/bastion/bin/admin/packages-check.sh -i
- /opt/bastion/bin/admin/install-ttyrec.sh -s
- /opt/bastion/bin/admin/install-yubico-piv-checker.sh -s
- /opt/bastion/bin/admin/install-mkhash-helper.sh -s
- /opt/bastion/bin/admin/install --new-install
- ssh-keygen -t ed25519 -f id_user
- ssh-keygen -t ed25519 -f id_root
- WANT_HTTP_PROXY=0 NO_SLEEP=1 user_pubkey=$(cat id_user.pub) root_pubkey=$(cat id_root.pub) TARGET_USER=user5000 /opt/bastion/tests/functional/docker/target_role.sh
- /opt/bastion/tests/functional/launch_tests_on_instance.sh --has-mfa=0 --has-mfa-password=1 --has-pamtester=1 --skip-consistency-check --remote-etc-bastion=/usr/local/etc/bastion 127.0.0.1 22 0 user5000 id_user id_root
+ id
+ # to do proper tests, we need the fs to have ACLs enabled
+ sudo mount -o acls /
+ # install required packages
+ sudo pkg update
+ sudo pkg install -y bash rsync ca_root_nss jq fping screen flock curl
+ # create required folder
+ sudo mkdir -p /opt/bastion
+ # copy bastion code to the proper location
+ sudo rsync -a . /opt/bastion/
+ # save default ssh config, so we can restore it when we're done,
+ # or the github action will fail because the post-run actions it'll
+ # try to do over ssh won't complete due to our modified ssh config
+ sudo tar czf /opt/bastion/ssh_config.tar.gz $SSH_DIR/
+ # setup bastion
+ sudo /opt/bastion/bin/admin/packages-check.sh -i
+ sudo /opt/bastion/bin/admin/install-ttyrec.sh -s
+ sudo /opt/bastion/bin/admin/install-yubico-piv-checker.sh -s
+ sudo /opt/bastion/bin/admin/install-mkhash-helper.sh -s
+ sudo /opt/bastion/bin/admin/install --new-install
+ # by default, this is 0700, but we'll run those as non-root
+ sudo chmod 0755 /opt/bastion/tests
+ # generate two sets of keys
+ ssh-keygen -t ed25519 -f id_user -N ''
+ ssh-keygen -t ed25519 -f id_root -N ''
+ # setup the local bastion for tests
+ sudo env WANT_HTTP_PROXY=0 NO_SLEEP=1 user_pubkey="$(cat id_user.pub)" root_pubkey="$(cat id_root.pub)" TARGET_USER=user5000 /opt/bastion/tests/functional/docker/target_role.sh
+ # run the tests
+ /opt/bastion/tests/functional/launch_tests_on_instance.sh --has-mfa=0 --has-mfa-password=1 --has-pamtester=1 --skip-consistency-check --module=340-selfaccesses.sh --remote-etc-bastion=/usr/local/etc/bastion 127.0.0.1 22 0 user5000 id_user id_root
+ # restore saved ssh config
+ sudo tar xzf /opt/bastion/ssh_config.tar.gz -C /
+ # restart ssh so that the config is taken into account
+ sudo /etc/rc.d/sshd restart
+ # now, the post-run of cross-platform-actions will work
diff --git a/tests/functional/docker/target_role.sh b/tests/functional/docker/target_role.sh
index b3b632b2c..472334670 100755
--- a/tests/functional/docker/target_role.sh
+++ b/tests/functional/docker/target_role.sh
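Review bot: The added `uses: cross-platform-actions/action@master` line tracks a mutable branch, so any later push to that branch runs inside this workflow, with the checked-out repository, without anyone here reviewing it. Pin the action to a full commit SHA and note the release in a comment, e.g. `uses: cross-platform-actions/action@FULL_COMMIT_SHA  # release tag` (placeholder values). Separately, the test invocation near the end of `run:` now carries `--module=340-selfaccesses.sh`, which looks like a debugging leftover. If that option restricts the run to one module, as its name suggests, the FreeBSD job no longer exercises the rest of the functional suite.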
@@ -125,15 +125,18 @@ if [ "$OS_FAMILY" = Linux ] ; then fi elif [ "$OS_FAMILY" = OpenBSD ] || [ "$OS_FAMILY" = FreeBSD ] || [ "$OS_FAMILY" = NetBSD ] ; then - # setup some 127.0.0.x IPs (needed for our tests) # this automatically works under Linux on lo + nic=$(ifconfig | perl -ne 'm{^([a-z._0-9]+): flags}i and $nic=$1; m{inet 127\.0\.0\.1} and print $nic and exit') + : ${nic:=lo0} i=2 while [ $i -lt 20 ] ; do - ifconfig lo0 127.0.0.$i netmask 255.0.0.0 alias + ifconfig $nic 127.0.0.$i netmask 255.0.0.0 alias (( i++ )) done - ifconfig lo0 127.7.7.7 netmask 255.0.0.0 alias + ifconfig $nic 127.7.7.7 netmask 255.0.0.0 alias + echo "Added a few local IP aliases" + ifconfig $nic set +e for st in restart onestart @@ -150,7 +153,6 @@ if [ -n "$NO_SLEEP" ]; then fi if [ "$WANT_HTTP_PROXY" = 1 ]; then - # build a self-signed certificate for the http proxy and adjust the config openssl req -x509 -nodes -days 7 -newkey rsa:2048 -keyout /tmp/selfsigned.key -out /tmp/selfsigned.crt -subj "/CN=testcert" chgrp proxyhttp /tmp/selfsigned.key diff --git a/tests/functional/tests.d/200-scripts.sh b/tests/functional/tests.d/200-scripts.sh index 293a992cd..6c7d59b77 100644 --- a/tests/functional/tests.d/200-scripts.sh +++ b/tests/functional/tests.d/200-scripts.sh @@ -58,8 +58,8 @@ testsuite_scripts() contain "50-gpg-admins-key.conf updated:" contain "50-gpg.conf updated:" contain "Parsed and added 2 keys" - contain "GPGKEYS='CF27BEC1C8266FFE EC6CEA6719EF3700'" - contain '[ "CF27BEC1C8266FFE", "EC6CEA6719EF3700" ]' + contain REGEX "GPGKEYS='(CF27BEC1C8266FFE EC6CEA6719EF3700|EC6CEA6719EF3700 CF27BEC1C8266FFE)'" + contain REGEX '("CF27BEC1C8266FFE", "EC6CEA6719EF3700"|"EC6CEA6719EF3700", "CF27BEC1C8266FFE")' nocontain "WARN:" nocontain "ERROR:" nocontain "Unexpected termination"
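Review bot: `$nic` is expanded unquoted in the added `: ${nic:=lo0}` and in every `ifconfig $nic ...` call of the -125 hunk in target_role.sh, so the value parsed out of `ifconfig` output is subject to word splitting and globbing. The perl pattern limits the captured name to letters, digits, `.` and `_`, so this is a style point rather than a live bug. Quoting keeps the lines safe if the parsing ever changes: `: "${nic:=lo0}"` and `ifconfig "$nic" 127.0.0.$i netmask 255.0.0.0 alias`. The enclosing `elif` branch starts and ends outside the hunk.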
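Review bot: The second rewritten assertion in 200-scripts.sh drops the surrounding `[ ` and ` ]` that the old literal `'[ "CF27BEC1C8266FFE", "EC6CEA6719EF3700" ]'` checked. The test now passes on any output that contains the two quoted key IDs side by side, not only on a list of exactly those two elements. The regex flavour of the `contain REGEX` helper is not visible here; if it accepts escaped brackets, keep them in the pattern: `contain REGEX '\[ ("CF27BEC1C8266FFE", "EC6CEA6719EF3700"|"EC6CEA6719EF3700", "CF27BEC1C8266FFE") \]'`. testsuite_scripts() continues outside the hunk.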