Skip to content

Commit

Permalink
chore: fix FreeBSD GitHub Action
Browse files Browse the repository at this point in the history
  • Loading branch information
speed47 committed Oct 31, 2023
1 parent d3ece7b commit 9901c19
Show file tree
Hide file tree
Showing 8 changed files with 96 additions and 57 deletions.
65 changes: 46 additions & 19 deletions .github/workflows/freebsd.yml
Original file line number Diff line number Diff line change
Expand Up @@ -6,31 +6,58 @@ on:

jobs:
freebsd:
runs-on: macos-12
runs-on: ubuntu-latest
name: FreeBSD
if: ${{ contains(github.event.pull_request.labels.*.name, 'tests:full') || contains(github.event.pull_request.labels.*.name, 'tests:long') || contains(github.event.pull_request.labels.*.name, 'tests:freebsd') }}
timeout-minutes: 180
if: ${{ contains(github.event.pull_request.labels.*.name, 'tests:freebsd') }}
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- name: Functional tests under FreeBSD
uses: vmactions/freebsd-vm@v0
uses: cross-platform-actions/action@master
with:
usesh: true
sync: sshfs
operating_system: freebsd
version: '13.2'
shell: bash
sync_files: runner-to-vm
run: |
set -ex
# source this to get the $SSH_DIR var properly filled
source lib/shell/functions.inc
# a few debug commands
set -x
freebsd-version
mount -o acls /
pkg install -y bash rsync ca_root_nss jq fping screen flock curl
mkdir -p /opt/bastion
rsync -a . /opt/bastion/
/opt/bastion/bin/admin/packages-check.sh -i
/opt/bastion/bin/admin/install-ttyrec.sh -s
/opt/bastion/bin/admin/install-yubico-piv-checker.sh -s
/opt/bastion/bin/admin/install-mkhash-helper.sh -s
/opt/bastion/bin/admin/install --new-install
ssh-keygen -t ed25519 -f id_user
ssh-keygen -t ed25519 -f id_root
WANT_HTTP_PROXY=0 NO_SLEEP=1 user_pubkey=$(cat id_user.pub) root_pubkey=$(cat id_root.pub) TARGET_USER=user5000 /opt/bastion/tests/functional/docker/target_role.sh
/opt/bastion/tests/functional/launch_tests_on_instance.sh --has-mfa=0 --has-mfa-password=1 --has-pamtester=1 --skip-consistency-check --remote-etc-bastion=/usr/local/etc/bastion 127.0.0.1 22 0 user5000 id_user id_root
id
# to do proper tests, we need the fs to have ACLs enabled
sudo mount -o acls /
# install required packages
sudo pkg update
sudo pkg install -y bash rsync ca_root_nss jq fping screen flock curl
# create required folder
sudo mkdir -p /opt/bastion
# copy bastion code to the proper location
sudo rsync -a . /opt/bastion/
# save default ssh config, so we can restore it when we're done,
# or the github action will fail because the post-run actions it'll
# try to do over ssh won't complete due to our modified ssh config
sudo tar czf /opt/bastion/ssh_config.tar.gz $SSH_DIR/
# setup bastion
sudo /opt/bastion/bin/admin/packages-check.sh -i
sudo /opt/bastion/bin/admin/install-ttyrec.sh -s
sudo /opt/bastion/bin/admin/install-yubico-piv-checker.sh -s
sudo /opt/bastion/bin/admin/install-mkhash-helper.sh -s
sudo /opt/bastion/bin/admin/install --new-install
# by default, this is 0700, but we'll run those as non-root
sudo chmod 0755 /opt/bastion/tests
# generate two sets of keys
ssh-keygen -t ed25519 -f id_user -N ''
ssh-keygen -t ed25519 -f id_root -N ''
# setup the local bastion for tests
sudo env WANT_HTTP_PROXY=0 NO_SLEEP=1 user_pubkey="$(cat id_user.pub)" root_pubkey="$(cat id_root.pub)" TARGET_USER=user5000 /opt/bastion/tests/functional/docker/target_role.sh
# run the tests
/opt/bastion/tests/functional/launch_tests_on_instance.sh --has-mfa=0 --has-mfa-password=1 --has-pamtester=1 --skip-consistency-check --remote-etc-bastion=/usr/local/etc/bastion --slowness-factor=2 127.0.0.1 22 0 user5000 id_user id_root
# restore saved ssh config
sudo tar xzf /opt/bastion/ssh_config.tar.gz -C /
# restart ssh so that the config is taken into account
sudo /etc/rc.d/sshd restart
# now, the post-run of cross-platform-actions will work
10 changes: 6 additions & 4 deletions tests/functional/docker/target_role.sh
Original file line number Diff line number Diff line change
Expand Up @@ -125,15 +125,18 @@ if [ "$OS_FAMILY" = Linux ] ; then
fi

elif [ "$OS_FAMILY" = OpenBSD ] || [ "$OS_FAMILY" = FreeBSD ] || [ "$OS_FAMILY" = NetBSD ] ; then

# setup some 127.0.0.x IPs (needed for our tests)
# this automatically works under Linux on lo
nic=$(ifconfig | perl -ne 'm{^([a-z._0-9]+): flags}i and $nic=$1; m{inet 127\.0\.0\.1} and print $nic and exit')
: "${nic:=lo0}"
i=2
while [ $i -lt 20 ] ; do
ifconfig lo0 127.0.0.$i netmask 255.0.0.0 alias
ifconfig $nic 127.0.0.$i netmask 255.0.0.0 alias
(( i++ ))
done
ifconfig lo0 127.7.7.7 netmask 255.0.0.0 alias
ifconfig $nic 127.7.7.7 netmask 255.0.0.0 alias
echo "Added a few local IP aliases"
ifconfig $nic

set +e
for st in restart onestart
Expand All @@ -150,7 +153,6 @@ if [ -n "$NO_SLEEP" ]; then
fi

if [ "$WANT_HTTP_PROXY" = 1 ]; then

# build a self-signed certificate for the http proxy and adjust the config
openssl req -x509 -nodes -days 7 -newkey rsa:2048 -keyout /tmp/selfsigned.key -out /tmp/selfsigned.crt -subj "/CN=testcert"
chgrp proxyhttp /tmp/selfsigned.key
Expand Down
11 changes: 9 additions & 2 deletions tests/functional/launch_tests_on_instance.sh
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,7 @@ opt_remote_etc_bastion=/etc/bastion
opt_remote_basedir=$basedir
opt_skip_consistency_check=0
opt_no_pause_on_fail=0
opt_slowness_factor=1
opt_log_prefix=
opt_module=
declare -A capabilities=( [ed25519]=1 [mfa]=1 [mfa-password]=0 [pamtester]=1 [piv]=1 )
Expand All @@ -24,6 +25,7 @@ Test Options:
--no-pause-on-fail Don't pause when a test fails
--log-prefix=X Prefix all logs by this name
--module=X Only test this module (specify a filename found in \`functional/tests.d/\`), can be specified multiple times
--slowness-factor=X If your test environment is slow, set this to 2, 3 or more to use higher timeouts (default: 1)
Remote OS directory locations:
--remote-etc-bastion=X Override the default remote bastion configuration directory (default: $opt_remote_etc_bastion)
Expand Down Expand Up @@ -67,6 +69,10 @@ do
--no-pause-on-fail)
opt_no_pause_on_fail=1
;;
--slowness-factor=*)
if [ $optval =~ ^[1-9]$ ]; then
opt_slowness_factor=$optval
fi
--log-prefix=*)
opt_log_prefix="$optval"
;;
Expand Down Expand Up @@ -173,8 +179,9 @@ fi

jq="jq --raw-output --compact-output --sort-keys"
js="--json-greppable"
t="timeout --foreground 30"
tf="timeout --foreground 15"
default_timeout=$((30 * $opt_slowness_factor))
t="timeout --foreground $default_timeout"
tf="timeout --foreground $((default_timeout / 2))"
a0=" $t ssh -F $mytmpdir/ssh_config -i $account0key1file $account0@$remote_ip -p $remote_port -- $js "
a1=" $t ssh -F $mytmpdir/ssh_config -i $account1key1file $account1@$remote_ip -p $remote_port -- $js "
a1k2="$t ssh -F $mytmpdir/ssh_config -i $account1key2file $account1@$remote_ip -p $remote_port -- $js "
Expand Down
4 changes: 2 additions & 2 deletions tests/functional/tests.d/200-scripts.sh
Original file line number Diff line number Diff line change
Expand Up @@ -58,8 +58,8 @@ testsuite_scripts()
contain "50-gpg-admins-key.conf updated:"
contain "50-gpg.conf updated:"
contain "Parsed and added 2 keys"
contain "GPGKEYS='CF27BEC1C8266FFE EC6CEA6719EF3700'"
contain '[ "CF27BEC1C8266FFE", "EC6CEA6719EF3700" ]'
contain REGEX "GPGKEYS='(CF27BEC1C8266FFE EC6CEA6719EF3700|EC6CEA6719EF3700 CF27BEC1C8266FFE)'"
contain REGEX '("CF27BEC1C8266FFE", "EC6CEA6719EF3700"|"EC6CEA6719EF3700", "CF27BEC1C8266FFE")'
nocontain "WARN:"
nocontain "ERROR:"
nocontain "Unexpected termination"
Expand Down
11 changes: 7 additions & 4 deletions tests/functional/tests.d/340-selfaccesses.sh
Original file line number Diff line number Diff line change
Expand Up @@ -198,14 +198,17 @@ testsuite_selfaccesses()

# scp & sftp

# patch bastionCommand in config
configchg 's=^\\\\x22bastionCommand\\\\x22.+=\\\\x22bastionCommand\\\\x22:\\\\x22ssh\\\\x20USER\\\\x40'"$remote_ip"'\\\\x20-p\\\\x20'"$remote_port"'\\\\x20-t\\\\x20--\\\\x22,='

## get both helpers first
for proto in scp sftp; do
success $proto $a0 --osh $proto
if [ "$COUNTONLY" != 1 ]; then
tmpb64=$(get_json | $jq '.value.script')
base64 -d <<< "$tmpb64" | gunzip -c > /tmp/${proto}helpertmp
perl -pe "s/ssh $account0\\@\\S+/ssh -p $remote_port $account0\\@$remote_ip/" /tmp/${proto}helpertmp > /tmp/${proto}helper
chmod +x /tmp/${proto}helper
base64 -d <<< "$tmpb64" | gunzip -c > "/tmp/${proto}helper"
perl -i -pe 'print "BASTION_SCP_DEBUG=1\nBASTION_SFTP_DEBUG=1\n" if ++$line==2' "/tmp/${proto}helper"
chmod +x "/tmp/${proto}helper"
unset tmpb64
fi
done
Expand Down Expand Up @@ -243,7 +246,7 @@ testsuite_selfaccesses()

run scp_invalidhostname scp $scp_options -F $mytmpdir/ssh_config -S /tmp/scphelper -i $account0key1file $shellaccount@_invalid._invalid:uptest /tmp/downloaded
retvalshouldbe 1
contain "Sorry, couldn't resolve the host you specified"
contain REGEX "Sorry, couldn't resolve the host you specified|I was unable to resolve host"

success scp_upload scp $scp_options -F $mytmpdir/ssh_config -S /tmp/scphelper -i $account0key1file /etc/passwd $shellaccount@127.0.0.2:uptest
contain "through the bastion to"
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,7 @@ testsuite_selfaccesses_force_password()
retvalshouldbe 124
contain 'enter this:'
a4_password_tmp=$(get_stdout | grep -Eo 'enter this: [a-zA-Z0-9_-]+' | sed -e 's/enter this: //')
script a4_setup_pass_2of2 "echo 'set timeout 30; \
script a4_setup_pass_2of2 "echo 'set timeout $default_timeout; \
spawn $a4 --osh selfMFASetupPassword --yes; \
expect \":\" { sleep 0.2; send \"$a4_password_tmp\\n\"; }; \
expect \":\" { sleep 0.2; send \"$a4_password\\n\"; }; \
Expand Down
Loading

0 comments on commit 9901c19

Please sign in to comment.