fix: tests: don't test FIDO2 on unsupported distros

doc/sphinx/development/setup.rst

@@ -160,6 +160,7 @@ to get up-to-date information):
        --has-mfa-password=[0|1]   PAM is usable to check passwords (default: 0)
        --has-pamtester=[0|1]      The `pamtester` binary is available, and PAM is usable (default: 1)
        --has-piv=[0|1]            The `yubico-piv-tool` binary is available (default: 1)
+       --has-sk=[0|1]             The openssh-server supports Secure Keys (FIDO2) (default: 0)
 
 Without Docker
 --------------

docker/Dockerfile.debian11

@@ -32,4 +32,4 @@ RUN ["/opt/bastion/bin/admin/install","--new-install"]
 # start at entrypoint
 ENTRYPOINT /opt/bastion/docker/entrypoint.sh
 
-# TESTOPT --has-mfa=1 --has-pamtester=1 --has-piv=1
+# TESTOPT --has-mfa=1 --has-pamtester=1 --has-piv=1 --has-sk=1

docker/Dockerfile.debian12

@@ -32,4 +32,4 @@ RUN ["/opt/bastion/bin/admin/install","--new-install"]
 # start at entrypoint
 ENTRYPOINT /opt/bastion/docker/entrypoint.sh
 
-# TESTOPT --has-mfa=1 --has-pamtester=1 --has-piv=1
+# TESTOPT --has-mfa=1 --has-pamtester=1 --has-piv=1 --has-sk=1

docker/Dockerfile.opensuse15

@@ -30,5 +30,5 @@ RUN ["/opt/bastion/bin/admin/install","--new-install"]
 # start at entrypoint
 ENTRYPOINT /opt/bastion/docker/entrypoint.sh
 
-# TESTOPT --has-mfa=0 --has-pamtester=0 --has-piv=0
-# TESTFROM opensuse/leap:15.2 opensuse/leap:15.3
+# TESTOPT --has-mfa=0 --has-pamtester=0 --has-piv=0 --has-sk=1
+# TESTFROM opensuse/leap:15.4 opensuse/leap:15.5

docker/Dockerfile.rockylinux9

@@ -29,4 +29,4 @@ RUN ["/opt/bastion/bin/admin/install","--new-install"]
 # start at entrypoint
 ENTRYPOINT /opt/bastion/docker/entrypoint.sh
 
-# TESTOPT --has-mfa=1 --has-pamtester=1 --has-piv=1
+# TESTOPT --has-mfa=1 --has-pamtester=1 --has-piv=1 --has-sk=1

docker/Dockerfile.ubuntu2004

@@ -32,4 +32,4 @@ RUN ["/opt/bastion/bin/admin/install","--new-install"]
 # start at entrypoint
 ENTRYPOINT /opt/bastion/docker/entrypoint.sh
 
-# TESTOPT --has-mfa=1 --has-pamtester=1 --has-piv=1
+# TESTOPT --has-mfa=1 --has-pamtester=1 --has-piv=1 --has-sk=1

docker/Dockerfile.ubuntu2204

@@ -32,4 +32,4 @@ RUN ["/opt/bastion/bin/admin/install","--new-install"]
 # start at entrypoint
 ENTRYPOINT /opt/bastion/docker/entrypoint.sh
 
-# TESTOPT --has-mfa=1 --has-pamtester=1 --has-piv=1
+# TESTOPT --has-mfa=1 --has-pamtester=1 --has-piv=1 --has-sk=1

tests/functional/launch_tests_on_instance.sh

@@ -17,7 +17,7 @@ opt_slowness_factor=1
 opt_log_prefix=
 opt_module=
 opt_post_run=
-declare -A capabilities=( [ed25519]=1 [mfa]=1 [mfa-password]=0 [pamtester]=1 [piv]=1 )
+declare -A capabilities=( [ed25519]=1 [mfa]=1 [mfa-password]=0 [pamtester]=1 [piv]=1 [sk]=0 )
 
 # set the helptext now to get the proper default values
 help_text=$(cat <<EOF
@@ -39,6 +39,7 @@ Specifying features support of the underlying OS of the tested bastion:
     --has-mfa-password=[0|1]   PAM is usable to check passwords (default: ${capabilities[mfa-password]})
     --has-pamtester=[0|1]      The \`pamtester\` binary is available, and PAM is usable (default: ${capabilities[pamtester]})
     --has-piv=[0|1]            The \`yubico-piv-tool\` binary is available (default: ${capabilities[piv]})
+    --has-sk=[0|1]             The openssh-server supports Secure Keys (FIDO2) (default: ${capabilities[sk]})
 
 EOF
 )

tests/functional/tests.d/330-selfkeys.sh

@@ -464,34 +464,37 @@ EOS
         .value.key.line   "ecdsa-sha2-nistp521 $b64 test@ecdsa521" \
         .value.key.prefix ""
 
-b64='AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBBTjpImSazDYONgM5plDyz7R2dFmVJMtKCYRemL+XNvVpyRc4e+V8GBF+UZFSc2ieCpGmcB54GfjryznSgyYHHYAAAAEc3NoOg=='
-    local fpe256_sk
-    fpe256_sk="SHA256:DRMDgE8K3ByBwYEcosmosvLfHMT7XabCzzM4MoIiIgU"
-    [ "$FP_TYPE" = md5 ] && fpe256_sk="dc:e1:9b:e4:64:97:d6:c3:47:a7:9b:33:3d:35:e2:cb"
-    script  sk-ecdsa256  $a1 -osh selfAddIngressKey "<<< \"[email protected] $b64 test@ecdsa256-sk\""
-    retvalshouldbe 0
-    contain "key successfully added"
-    json $(cat <<EOS
-    .command                selfAddIngressKey
-    .error_code             OK
-    .value.key.base64       $b64
-    .value.key.comment      test@ecdsa256-sk
-    .value.key.typecode     [email protected]
-    .value.key.fingerprint  $fpe256_sk
-    .value.key.family       ECDSA-SK
-    .value.key.size         256
+    local fplist
+    fplist="$fp4096 $fp8192 $fp16384 $fpe256 $fpe384 $fpe521"
+
+    if [ "${capabilities[sk]}" = "1" ] ; then
+        b64='AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBBTjpImSazDYONgM5plDyz7R2dFmVJMtKCYRemL+XNvVpyRc4e+V8GBF+UZFSc2ieCpGmcB54GfjryznSgyYHHYAAAAEc3NoOg=='
+        local fpe256_sk
+        fpe256_sk="SHA256:DRMDgE8K3ByBwYEcosmosvLfHMT7XabCzzM4MoIiIgU"
+        [ "$FP_TYPE" = md5 ] && fpe256_sk="dc:e1:9b:e4:64:97:d6:c3:47:a7:9b:33:3d:35:e2:cb"
+        script  sk-ecdsa256  $a1 -osh selfAddIngressKey "<<< \"[email protected] $b64 test@ecdsa256-sk\""
+        retvalshouldbe 0
+        contain "key successfully added"
+        json $(cat <<EOS
+        .command                selfAddIngressKey
+        .error_code             OK
+        .value.key.base64       $b64
+        .value.key.comment      test@ecdsa256-sk
+        .value.key.typecode     [email protected]
+        .value.key.fingerprint  $fpe256_sk
+        .value.key.family       ECDSA-SK
+        .value.key.size         256
 EOS
-    ) \
-        .value.key.line   "[email protected] $b64 test@ecdsa256-sk" \
-        .value.key.prefix ""
-
+        ) \
+            .value.key.line   "[email protected] $b64 test@ecdsa256-sk" \
+            .value.key.prefix ""
+        fplist="$fplist $fpe256_sk"
+    fi
 
     b64='AAAAC3NzaC1lZDI1NTE5AAAAIB+fS15BtjxBL338aMGMZus6OuPYP1Ix1yKY1RRCa5VB'
     local fped
     fped="SHA256:DFITA8tNfJknq6a/xbro1SxTLTWn/vwZkEROk4IB2LM"
     [ "$FP_TYPE" = md5 ] && fped="d7:92:5b:77:8b:69:03:cb:e7:5a:11:76:d1:a6:ea:e4"
-    local fplist
-    fplist="$fp4096 $fp8192 $fp16384 $fpe256 $fpe384 $fpe521 $fpe256_sk"
     script  ed25519   $a1 -osh selfAddIngressKey "<<< \"ssh-ed25519 $b64 test@ed25519\""
     if [ "${capabilities[ed25519]}" = "1" ] ; then
         fplist="$fplist $fped"
@@ -528,44 +531,46 @@ EOS
             .value.key.prefix ""
     fi
 
-    b64='AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIELpTERg9ds+oj8afq/8fOHdpbf1HBhbRcn5JTzv2QOSAAAABHNzaDo='
-    local fped_sk
-    fped_sk="SHA256:iV2l8+uJjJwyHnbaWAO25xIsYbZWN77C1kx5vxzbz9k"
-    [ "$FP_TYPE" = md5 ] && fped_sk="f5:bd:0c:4f:c7:6a:9d:15:d9:9e:55:9d:89:b3:2b:8f"
-    script  ed25519-sk   $a1 -osh selfAddIngressKey "<<< \"[email protected] $b64 test@ed25519-sk\""
-    if [ "${capabilities[ed25519]}" = "1" ] ; then
-        fplist="$fplist $fped_sk"
-        retvalshouldbe 0
-        contain "key successfully added"
-        json $(cat <<EOS
-        .command                selfAddIngressKey
-        .error_code             OK
-        .value.key.base64       $b64
-        .value.key.comment      test@ed25519-sk
-        .value.key.typecode     [email protected]
-        .value.key.fingerprint  $fped_sk
-        .value.key.family       ED25519-SK
-        .value.key.size         256
-EOS
-    ) \
-            .value.key.line   "[email protected] $b64 test@ed25519-sk" \
-            .value.key.prefix ""
-    else
-        retvalshouldbe 100
-        contain "look like an SSH public key"
-        json $(cat <<EOS
-        .command                selfAddIngressKey
-        .error_code             KO_NOT_A_KEY
-        .value.key.base64       $b64
-        .value.key.comment      test@ed25519-sk
-        .value.key.typecode     [email protected]
-        .value.key.fingerprint  null
-        .value.key.family       null
-        .value.key.size         null
+    if [ "${capabilities[sk]}" = "1" ] ; then
+        b64='AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIELpTERg9ds+oj8afq/8fOHdpbf1HBhbRcn5JTzv2QOSAAAABHNzaDo='
+        local fped_sk
+        fped_sk="SHA256:iV2l8+uJjJwyHnbaWAO25xIsYbZWN77C1kx5vxzbz9k"
+        [ "$FP_TYPE" = md5 ] && fped_sk="f5:bd:0c:4f:c7:6a:9d:15:d9:9e:55:9d:89:b3:2b:8f"
+        script  ed25519-sk   $a1 -osh selfAddIngressKey "<<< \"[email protected] $b64 test@ed25519-sk\""
+        if [ "${capabilities[ed25519]}" = "1" ] ; then
+            fplist="$fplist $fped_sk"
+            retvalshouldbe 0
+            contain "key successfully added"
+            json $(cat <<EOS
+            .command                selfAddIngressKey
+            .error_code             OK
+            .value.key.base64       $b64
+            .value.key.comment      test@ed25519-sk
+            .value.key.typecode     [email protected]
+            .value.key.fingerprint  $fped_sk
+            .value.key.family       ED25519-SK
+            .value.key.size         256
 EOS
         ) \
-            .value.key.line   "[email protected] $b64 test@ed25519-sk" \
-            .value.key.prefix ""
+                .value.key.line   "[email protected] $b64 test@ed25519-sk" \
+                .value.key.prefix ""
+        else
+            retvalshouldbe 100
+            contain "look like an SSH public key"
+            json $(cat <<EOS
+            .command                selfAddIngressKey
+            .error_code             KO_NOT_A_KEY
+            .value.key.base64       $b64
+            .value.key.comment      test@ed25519-sk
+            .value.key.typecode     [email protected]
+            .value.key.fingerprint  null
+            .value.key.family       null
+            .value.key.size         null
+EOS
+            ) \
+                .value.key.line   "[email protected] $b64 test@ed25519-sk" \
+                .value.key.prefix ""
+        fi
     fi
 
     run user1key2beforeadd $a1k2 -osh info