From 9770f55db97ef16714aa4532b8e60f4a48c30e18 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Lesimple?=
 <stephane.lesimple+bastion@ovhcloud.com>
Date: Tue, 9 Apr 2024 16:22:41 +0000
Subject: [PATCH] fix: tests: don't test FIDO2 on unsupported distros

---
 doc/sphinx/development/setup.rst             |   1 +
 docker/Dockerfile.debian11                   |   2 +-
 docker/Dockerfile.debian12                   |   2 +-
 docker/Dockerfile.opensuse15                 |   4 +-
 docker/Dockerfile.rockylinux8                |   2 +-
 docker/Dockerfile.rockylinux9                |   2 +-
 docker/Dockerfile.ubuntu2004                 |   2 +-
 docker/Dockerfile.ubuntu2204                 |   2 +-
 tests/functional/launch_tests_on_instance.sh |   3 +-
 tests/functional/tests.d/330-selfkeys.sh     | 121 ++++++++++---------
 10 files changed, 74 insertions(+), 67 deletions(-)

diff --git a/doc/sphinx/development/setup.rst b/doc/sphinx/development/setup.rst
index 72cc4c10b..e00926564 100644
--- a/doc/sphinx/development/setup.rst
+++ b/doc/sphinx/development/setup.rst
@@ -160,6 +160,7 @@ to get up-to-date information):
        --has-mfa-password=[0|1]   PAM is usable to check passwords (default: 0)
        --has-pamtester=[0|1]      The `pamtester` binary is available, and PAM is usable (default: 1)
        --has-piv=[0|1]            The `yubico-piv-tool` binary is available (default: 1)
+       --has-sk=[0|1]             The openssh-server supports Secure Keys (FIDO2) (default: 0)
 
 Without Docker
 --------------
diff --git a/docker/Dockerfile.debian11 b/docker/Dockerfile.debian11
index b3bb80ea5..9067718c4 100644
--- a/docker/Dockerfile.debian11
+++ b/docker/Dockerfile.debian11
@@ -32,4 +32,4 @@ RUN ["/opt/bastion/bin/admin/install","--new-install"]
 # start at entrypoint
 ENTRYPOINT /opt/bastion/docker/entrypoint.sh
 
-# TESTOPT --has-mfa=1 --has-pamtester=1 --has-piv=1
+# TESTOPT --has-mfa=1 --has-pamtester=1 --has-piv=1 --has-sk=1
diff --git a/docker/Dockerfile.debian12 b/docker/Dockerfile.debian12
index 10e88640b..0969b6d2b 100644
--- a/docker/Dockerfile.debian12
+++ b/docker/Dockerfile.debian12
@@ -32,4 +32,4 @@ RUN ["/opt/bastion/bin/admin/install","--new-install"]
 # start at entrypoint
 ENTRYPOINT /opt/bastion/docker/entrypoint.sh
 
-# TESTOPT --has-mfa=1 --has-pamtester=1 --has-piv=1
+# TESTOPT --has-mfa=1 --has-pamtester=1 --has-piv=1 --has-sk=1
diff --git a/docker/Dockerfile.opensuse15 b/docker/Dockerfile.opensuse15
index ee4cec94c..7eec47047 100644
--- a/docker/Dockerfile.opensuse15
+++ b/docker/Dockerfile.opensuse15
@@ -30,5 +30,5 @@ RUN ["/opt/bastion/bin/admin/install","--new-install"]
 # start at entrypoint
 ENTRYPOINT /opt/bastion/docker/entrypoint.sh
 
-# TESTOPT --has-mfa=0 --has-pamtester=0 --has-piv=0
-# TESTFROM opensuse/leap:15.2 opensuse/leap:15.3
+# TESTOPT --has-mfa=0 --has-pamtester=0 --has-piv=0 --has-sk=1
+# TESTFROM opensuse/leap:15.4 opensuse/leap:15.5
diff --git a/docker/Dockerfile.rockylinux8 b/docker/Dockerfile.rockylinux8
index 4d4a473b3..888d7c734 100644
--- a/docker/Dockerfile.rockylinux8
+++ b/docker/Dockerfile.rockylinux8
@@ -29,4 +29,4 @@ RUN ["/opt/bastion/bin/admin/install","--new-install"]
 # start at entrypoint
 ENTRYPOINT /opt/bastion/docker/entrypoint.sh
 
-# TESTOPT --has-mfa=1 --has-pamtester=1 --has-piv=1
+# TESTOPT --has-mfa=1 --has-pamtester=1 --has-piv=1 --has-sk=1
diff --git a/docker/Dockerfile.rockylinux9 b/docker/Dockerfile.rockylinux9
index 7b8d5dad3..e4e118548 100644
--- a/docker/Dockerfile.rockylinux9
+++ b/docker/Dockerfile.rockylinux9
@@ -29,4 +29,4 @@ RUN ["/opt/bastion/bin/admin/install","--new-install"]
 # start at entrypoint
 ENTRYPOINT /opt/bastion/docker/entrypoint.sh
 
-# TESTOPT --has-mfa=1 --has-pamtester=1 --has-piv=1
+# TESTOPT --has-mfa=1 --has-pamtester=1 --has-piv=1 --has-sk=1
diff --git a/docker/Dockerfile.ubuntu2004 b/docker/Dockerfile.ubuntu2004
index 87faf7ace..589efdcdb 100644
--- a/docker/Dockerfile.ubuntu2004
+++ b/docker/Dockerfile.ubuntu2004
@@ -32,4 +32,4 @@ RUN ["/opt/bastion/bin/admin/install","--new-install"]
 # start at entrypoint
 ENTRYPOINT /opt/bastion/docker/entrypoint.sh
 
-# TESTOPT --has-mfa=1 --has-pamtester=1 --has-piv=1
+# TESTOPT --has-mfa=1 --has-pamtester=1 --has-piv=1 --has-sk=1
diff --git a/docker/Dockerfile.ubuntu2204 b/docker/Dockerfile.ubuntu2204
index ecce83762..b17ca7c79 100644
--- a/docker/Dockerfile.ubuntu2204
+++ b/docker/Dockerfile.ubuntu2204
@@ -32,4 +32,4 @@ RUN ["/opt/bastion/bin/admin/install","--new-install"]
 # start at entrypoint
 ENTRYPOINT /opt/bastion/docker/entrypoint.sh
 
-# TESTOPT --has-mfa=1 --has-pamtester=1 --has-piv=1
+# TESTOPT --has-mfa=1 --has-pamtester=1 --has-piv=1 --has-sk=1
diff --git a/tests/functional/launch_tests_on_instance.sh b/tests/functional/launch_tests_on_instance.sh
index 0bbc35467..a11ed17d0 100755
--- a/tests/functional/launch_tests_on_instance.sh
+++ b/tests/functional/launch_tests_on_instance.sh
@@ -17,7 +17,7 @@ opt_slowness_factor=1
 opt_log_prefix=
 opt_module=
 opt_post_run=
-declare -A capabilities=( [ed25519]=1 [mfa]=1 [mfa-password]=0 [pamtester]=1 [piv]=1 )
+declare -A capabilities=( [ed25519]=1 [mfa]=1 [mfa-password]=0 [pamtester]=1 [piv]=1 [sk]=0 )
 
 # set the helptext now to get the proper default values
 help_text=$(cat <<EOF
@@ -39,6 +39,7 @@ Specifying features support of the underlying OS of the tested bastion:
     --has-mfa-password=[0|1]   PAM is usable to check passwords (default: ${capabilities[mfa-password]})
     --has-pamtester=[0|1]      The \`pamtester\` binary is available, and PAM is usable (default: ${capabilities[pamtester]})
     --has-piv=[0|1]            The \`yubico-piv-tool\` binary is available (default: ${capabilities[piv]})
+    --has-sk=[0|1]             The openssh-server supports Secure Keys (FIDO2) (default: ${capabilities[sk]})
 
 EOF
 )
diff --git a/tests/functional/tests.d/330-selfkeys.sh b/tests/functional/tests.d/330-selfkeys.sh
index 5f1b6781a..558e4584f 100644
--- a/tests/functional/tests.d/330-selfkeys.sh
+++ b/tests/functional/tests.d/330-selfkeys.sh
@@ -464,34 +464,37 @@ EOS
         .value.key.line   "ecdsa-sha2-nistp521 $b64 test@ecdsa521" \
         .value.key.prefix ""
 
-b64='AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBBTjpImSazDYONgM5plDyz7R2dFmVJMtKCYRemL+XNvVpyRc4e+V8GBF+UZFSc2ieCpGmcB54GfjryznSgyYHHYAAAAEc3NoOg=='
-    local fpe256_sk
-    fpe256_sk="SHA256:DRMDgE8K3ByBwYEcosmosvLfHMT7XabCzzM4MoIiIgU"
-    [ "$FP_TYPE" = md5 ] && fpe256_sk="dc:e1:9b:e4:64:97:d6:c3:47:a7:9b:33:3d:35:e2:cb"
-    script  sk-ecdsa256  $a1 -osh selfAddIngressKey "<<< \"sk-ecdsa-sha2-nistp256@openssh.com $b64 test@ecdsa256-sk\""
-    retvalshouldbe 0
-    contain "key successfully added"
-    json $(cat <<EOS
-    .command                selfAddIngressKey
-    .error_code             OK
-    .value.key.base64       $b64
-    .value.key.comment      test@ecdsa256-sk
-    .value.key.typecode     sk-ecdsa-sha2-nistp256@openssh.com
-    .value.key.fingerprint  $fpe256_sk
-    .value.key.family       ECDSA-SK
-    .value.key.size         256
+    local fplist
+    fplist="$fp4096 $fp8192 $fp16384 $fpe256 $fpe384 $fpe521"
+
+    if [ "${capabilities[sk]}" = "1" ] ; then
+        b64='AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBBTjpImSazDYONgM5plDyz7R2dFmVJMtKCYRemL+XNvVpyRc4e+V8GBF+UZFSc2ieCpGmcB54GfjryznSgyYHHYAAAAEc3NoOg=='
+        local fpe256_sk
+        fpe256_sk="SHA256:DRMDgE8K3ByBwYEcosmosvLfHMT7XabCzzM4MoIiIgU"
+        [ "$FP_TYPE" = md5 ] && fpe256_sk="dc:e1:9b:e4:64:97:d6:c3:47:a7:9b:33:3d:35:e2:cb"
+        script  sk-ecdsa256  $a1 -osh selfAddIngressKey "<<< \"sk-ecdsa-sha2-nistp256@openssh.com $b64 test@ecdsa256-sk\""
+        retvalshouldbe 0
+        contain "key successfully added"
+        json $(cat <<EOS
+        .command                selfAddIngressKey
+        .error_code             OK
+        .value.key.base64       $b64
+        .value.key.comment      test@ecdsa256-sk
+        .value.key.typecode     sk-ecdsa-sha2-nistp256@openssh.com
+        .value.key.fingerprint  $fpe256_sk
+        .value.key.family       ECDSA-SK
+        .value.key.size         256
 EOS
-    ) \
-        .value.key.line   "sk-ecdsa-sha2-nistp256@openssh.com $b64 test@ecdsa256-sk" \
-        .value.key.prefix ""
-
+        ) \
+            .value.key.line   "sk-ecdsa-sha2-nistp256@openssh.com $b64 test@ecdsa256-sk" \
+            .value.key.prefix ""
+        fplist="$fplist $fpe256_sk"
+    fi
 
     b64='AAAAC3NzaC1lZDI1NTE5AAAAIB+fS15BtjxBL338aMGMZus6OuPYP1Ix1yKY1RRCa5VB'
     local fped
     fped="SHA256:DFITA8tNfJknq6a/xbro1SxTLTWn/vwZkEROk4IB2LM"
     [ "$FP_TYPE" = md5 ] && fped="d7:92:5b:77:8b:69:03:cb:e7:5a:11:76:d1:a6:ea:e4"
-    local fplist
-    fplist="$fp4096 $fp8192 $fp16384 $fpe256 $fpe384 $fpe521 $fpe256_sk"
     script  ed25519   $a1 -osh selfAddIngressKey "<<< \"ssh-ed25519 $b64 test@ed25519\""
     if [ "${capabilities[ed25519]}" = "1" ] ; then
         fplist="$fplist $fped"
@@ -528,44 +531,46 @@ EOS
             .value.key.prefix ""
     fi
 
-    b64='AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIELpTERg9ds+oj8afq/8fOHdpbf1HBhbRcn5JTzv2QOSAAAABHNzaDo='
-    local fped_sk
-    fped_sk="SHA256:iV2l8+uJjJwyHnbaWAO25xIsYbZWN77C1kx5vxzbz9k"
-    [ "$FP_TYPE" = md5 ] && fped_sk="f5:bd:0c:4f:c7:6a:9d:15:d9:9e:55:9d:89:b3:2b:8f"
-    script  ed25519-sk   $a1 -osh selfAddIngressKey "<<< \"sk-ssh-ed25519@openssh.com $b64 test@ed25519-sk\""
-    if [ "${capabilities[ed25519]}" = "1" ] ; then
-        fplist="$fplist $fped_sk"
-        retvalshouldbe 0
-        contain "key successfully added"
-        json $(cat <<EOS
-        .command                selfAddIngressKey
-        .error_code             OK
-        .value.key.base64       $b64
-        .value.key.comment      test@ed25519-sk
-        .value.key.typecode     sk-ssh-ed25519@openssh.com
-        .value.key.fingerprint  $fped_sk
-        .value.key.family       ED25519-SK
-        .value.key.size         256
-EOS
-    ) \
-            .value.key.line   "sk-ssh-ed25519@openssh.com $b64 test@ed25519-sk" \
-            .value.key.prefix ""
-    else
-        retvalshouldbe 100
-        contain "look like an SSH public key"
-        json $(cat <<EOS
-        .command                selfAddIngressKey
-        .error_code             KO_NOT_A_KEY
-        .value.key.base64       $b64
-        .value.key.comment      test@ed25519-sk
-        .value.key.typecode     sk-ssh-ed25519@openssh.com
-        .value.key.fingerprint  null
-        .value.key.family       null
-        .value.key.size         null
+    if [ "${capabilities[sk]}" = "1" ] ; then
+        b64='AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIELpTERg9ds+oj8afq/8fOHdpbf1HBhbRcn5JTzv2QOSAAAABHNzaDo='
+        local fped_sk
+        fped_sk="SHA256:iV2l8+uJjJwyHnbaWAO25xIsYbZWN77C1kx5vxzbz9k"
+        [ "$FP_TYPE" = md5 ] && fped_sk="f5:bd:0c:4f:c7:6a:9d:15:d9:9e:55:9d:89:b3:2b:8f"
+        script  ed25519-sk   $a1 -osh selfAddIngressKey "<<< \"sk-ssh-ed25519@openssh.com $b64 test@ed25519-sk\""
+        if [ "${capabilities[ed25519]}" = "1" ] ; then
+            fplist="$fplist $fped_sk"
+            retvalshouldbe 0
+            contain "key successfully added"
+            json $(cat <<EOS
+            .command                selfAddIngressKey
+            .error_code             OK
+            .value.key.base64       $b64
+            .value.key.comment      test@ed25519-sk
+            .value.key.typecode     sk-ssh-ed25519@openssh.com
+            .value.key.fingerprint  $fped_sk
+            .value.key.family       ED25519-SK
+            .value.key.size         256
 EOS
         ) \
-            .value.key.line   "sk-ssh-ed25519@openssh.com $b64 test@ed25519-sk" \
-            .value.key.prefix ""
+                .value.key.line   "sk-ssh-ed25519@openssh.com $b64 test@ed25519-sk" \
+                .value.key.prefix ""
+        else
+            retvalshouldbe 100
+            contain "look like an SSH public key"
+            json $(cat <<EOS
+            .command                selfAddIngressKey
+            .error_code             KO_NOT_A_KEY
+            .value.key.base64       $b64
+            .value.key.comment      test@ed25519-sk
+            .value.key.typecode     sk-ssh-ed25519@openssh.com
+            .value.key.fingerprint  null
+            .value.key.family       null
+            .value.key.size         null
+EOS
+            ) \
+                .value.key.line   "sk-ssh-ed25519@openssh.com $b64 test@ed25519-sk" \
+                .value.key.prefix ""
+        fi
     fi
 
     run user1key2beforeadd $a1k2 -osh info