chore(faster tests) and quick micro-fixes

.github/workflows/freebsd.yml

@@ -59,7 +59,6 @@ jobs:
             --has-mfa=0 \
             --has-mfa-password=1 \
             --has-pamtester=1 \
-            --skip-consistency-check \
             --remote-etc-bastion=/usr/local/etc/bastion \
             --slowness-factor=2 \
             --post-run="sudo tar xzf /opt/bastion/ssh_config.tar.gz -C / ; sudo /etc/rc.d/sshd restart" \

.github/workflows/tests.yml

@@ -6,20 +6,20 @@ on:
 
 jobs:
     tests_short:
-        name: Short (deb12 only, no cc)
+        name: Short (deb12 only, w/o cc)
         runs-on: ubuntu-latest
         if: contains(github.event.pull_request.labels.*.name, 'tests:short')
         steps:
         - uses: actions/checkout@v4
           with:
             persist-credentials: false
         - name: run tests inside a debian12 docker
-          run: tests/functional/docker/docker_build_and_run_tests.sh debian12 --skip-consistency-check --no-pause-on-fail
+          run: tests/functional/docker/docker_build_and_run_tests.sh debian12 --no-pause-on-fail
           env:
             DOCKER_TTY: false
 
     tests_long:
-        name: Long
+        name: Long (multi-distros, w/o cc)
         strategy:
             matrix:
                 platform: [rockylinux9, debian12, 'opensuse15@opensuse/leap:15.6', ubuntu2404]
@@ -30,12 +30,12 @@ jobs:
           with:
             persist-credentials: false
         - name: run tests inside a ${{ matrix.platform }} docker
-          run: tests/functional/docker/docker_build_and_run_tests.sh ${{ matrix.platform }} --skip-consistency-check --no-pause-on-fail
+          run: tests/functional/docker/docker_build_and_run_tests.sh ${{ matrix.platform }} --no-pause-on-fail
           env:
             DOCKER_TTY: false
 
     tests_full:
-        name: Full
+        name: Full (multi-distros all versions, w/ cc)
         strategy:
             matrix:
                 platform: [rockylinux8, rockylinux9, debian10, debian11, debian12, 'opensuse15@opensuse/leap:15.6', ubuntu1804, ubuntu2004, ubuntu2204, ubuntu2404]
@@ -46,6 +46,6 @@ jobs:
           with:
             persist-credentials: false
         - name: run tests inside a ${{ matrix.platform }} docker
-          run: tests/functional/docker/docker_build_and_run_tests.sh ${{ matrix.platform }} --no-pause-on-fail
+          run: tests/functional/docker/docker_build_and_run_tests.sh ${{ matrix.platform }} --consistency-check --no-pause-on-fail
           env:
             DOCKER_TTY: false

bin/plugin/open/groupInfo

@@ -172,11 +172,6 @@ foreach my $groupData (@groups) {
             push @filtered_guests, $guest;
         }
 
-        # deprecated in v2.18.00+
-        $ret{'full_members'}    = \@members;
-        $ret{'partial_members'} = \@filtered_guests;
-        # /deprecated
-
         $ret{'members'}         = \@members;
         $ret{'guests'}          = \@filtered_guests;
         $ret{'guests_accesses'} = \%guest_nb_accesses;
@@ -253,14 +248,15 @@ sub print_group_info {
       if $ret{'members'};
 
     # show guest info, along with the number of accesses each guest has
-    my @guest_text;
-    foreach my $guest (@{$ret{'guests'}}) {
-        my $nb = $ret{'guests_accesses'}{$guest};
-        push @guest_text, sprintf("%s[%s]", $guest, $nb // '?');
+    if ($ret{'guests'}) {
+        my @guest_text;
+        foreach my $guest (@{$ret{'guests'}}) {
+            my $nb = $ret{'guests_accesses'}{$guest};
+            push @guest_text, sprintf("%s[%s]", $guest, $nb // '?');
+        }
+        osh_info("Group ${groupName}'s Guests (with access to SOME of the group servers) are: "
+              . colored(@{$ret{'guests'}} ? join(" ", sort @guest_text) : '-', 'red'));
     }
-    osh_info("Group ${groupName}'s Guests (with access to SOME of the group servers) are: "
-          . colored(@{$ret{'guests'}} ? join(" ", sort @guest_text) : '-', 'red'))
-      if $ret{'guests'};
 
     # current user doesn't have enough rights to get this info, tell them that
     if (!$ret{'members'}) {

bin/plugin/restricted/accountInfo

@@ -353,6 +353,11 @@ foreach my $accHash (@accounts) {
         $ret{'max_inactive_days'} =
           OVH::Bastion::account_config(account => $account, %{OVH::Bastion::OPT_ACCOUNT_MAX_INACTIVE_DAYS()})->value;
 
+        $ret{'osh_only'} = !!OVH::Bastion::account_config(
+            account => $account,
+            key     => OVH::Bastion::OPT_ACCOUNT_OSH_ONLY
+        ) + 0;
+
         if ($withPasswordInfo) {
             my @command = qw{ sudo -n -u root -- /usr/bin/env perl -T };
             push @command, $OVH::Bastion::BASEPATH . '/bin/helper/osh-accountGetPasswordInfo';
@@ -478,7 +483,7 @@ sub print_account_info {
         }
     }
 
-    if ($ret{'creation_information'}) {
+    if (defined $ret{'creation_information'}) {
         if ($ret{'creation_information'}{'datetime_utc'}) {
             my $createdOnStr = $ret{'creation_information'}{'datetime_utc'};
             if (   $ret{'creation_information'}{'datetime_local'}
@@ -507,87 +512,106 @@ sub print_account_info {
         }
     }
 
-    osh_info "\nAccount egress SSH config:";
-    if ($ret{'account_egress_ssh_config'}{'type'} eq 'default') {
-        osh_info "- (default)";
+    if (defined $ret{'account_egress_ssh_config'}) {
+        osh_info "\nAccount egress SSH config:";
+        if ($ret{'account_egress_ssh_config'}{'type'} eq 'default') {
+            osh_info "- (default)";
+        }
+        elsif ($ret{'account_egress_ssh_config'}{'type'} eq 'locally_modified') {
+            osh_info "- (locally modified!)";
+        }
+        elsif ($ret{'account_egress_ssh_config'}{'type'} eq 'custom') {
+            foreach my $key (sort keys %{$ret{'account_egress_ssh_config'}{'items'} || {}}) {
+                osh_info "- $key " . $ret{'account_egress_ssh_config'}{'items'}{$key};
+            }
+        }
+        else {
+            osh_info "- (unknown)";
+        }
     }
-    elsif ($ret{'account_egress_ssh_config'}{'type'} eq 'locally_modified') {
-        osh_info "- (locally modified!)";
+
+    if (defined $ret{'osh_only'}) {
+        osh_info "\nThis account can only run commands (\"osh-only\"): "
+          . ($ret{'osh_only'} ? colored('yes', 'red') : colored('no', 'blue'));
     }
-    elsif ($ret{'account_egress_ssh_config'}{'type'} eq 'custom') {
-        foreach my $key (sort keys %{$ret{'account_egress_ssh_config'}{'items'} || {}}) {
-            osh_info "- $key " . $ret{'account_egress_ssh_config'}{'items'}{$key};
+
+    if (exists $ret{'ingress_piv_policy'} && exists $ret{'ingress_piv_grace'}) {
+        osh_info "\nAccount PIV-only policy status:";
+        my $ingress_piv_policy_print = $ret{'ingress_piv_policy'} || 'default';
+        osh_info "- PIV policy for ingress keys on this account is set to "
+          . colored($ingress_piv_policy_print, $ingress_piv_policy_print eq 'default' ? 'blue' : 'green');
+
+        if ($ret{'ingress_piv_grace'} && $ret{'ingress_piv_grace'}{'seconds_remaining'}) {
+            $fnret = OVH::Bastion::duration2human(seconds => $ret{'ingress_piv_grace'}{'seconds_remaining'})->value;
+            osh_info("- PIV grace period for this account is "
+                  . colored('set', 'green')
+                  . " and expires in "
+                  . $fnret->value->{'human'});
+        }
+        else {
+            osh_info "- PIV grace period for this account is " . colored('inactive', 'blue');
         }
-    }
-    else {
-        osh_info "- (unknown)";
     }
 
-    osh_info "\nAccount PIV-only policy status:";
-    my $ingress_piv_policy_print = $ret{'ingress_piv_policy'} || 'default';
-    osh_info "- PIV policy for ingress keys on this account is set to "
-      . colored($ingress_piv_policy_print, $ingress_piv_policy_print eq 'default' ? 'blue' : 'green');
-
-    if ($ret{'ingress_piv_grace'} && $ret{'ingress_piv_grace'}{'seconds_remaining'}) {
-        $fnret = OVH::Bastion::duration2human(seconds => $ret{'ingress_piv_grace'}{'seconds_remaining'})->value;
-        osh_info("- PIV grace period for this account is "
-              . colored('set', 'green')
-              . " and expires in "
-              . $fnret->value->{'human'});
+    if (defined $ret{'global_ingress_policy'}) {
+        osh_info "- Global PIV policy status is "
+          . ($ret{'global_ingress_policy'} ? colored('enabled', 'red') : colored('disabled', 'blue'));
     }
-    else {
-        osh_info "- PIV grace period for this account is " . colored('inactive', 'blue');
+
+    if (defined $ret{'effective_ingress_piv_policy'}) {
+        osh_info "- As a consequence, PIV policy is "
+          . ($ret{'effective_ingress_piv_policy'} ? colored('enforced', 'red') : colored('inactive', 'blue'))
+          . " for this account";
     }
 
-    osh_info "- Global PIV policy status is "
-      . ($ret{'global_ingress_policy'} ? colored('enabled', 'red') : colored('disabled', 'blue'));
-
-    osh_info "- As a consequence, PIV policy is "
-      . ($ret{'effective_ingress_piv_policy'} ? colored('enforced', 'red') : colored('inactive', 'blue'))
-      . " for this account";
-
-    osh_info "\nAccount Multi-Factor Authentication status:";
-    osh_info "- Additional password authentication is "
-      . ($ret{'mfa_password_required'} ? colored('required', 'green') : colored('not required', 'blue'))
-      . " for this account";
-    osh_info "- Additional password authentication bypass is "
-      . ($ret{'mfa_password_bypass'} ? colored('enabled', 'green') : colored('disabled', 'blue'))
-      . " for this account";
-    osh_info "- Additional password authentication is "
-      . ($ret{'mfa_password_configured'} ? colored('enabled and active', 'green') : colored('disabled', 'blue'));
-
-    osh_info "- Additional TOTP authentication is "
-      . ($ret{'mfa_totp_required'} ? colored('required', 'green') : colored('not required', 'blue'))
-      . " for this account";
-    osh_info "- Additional TOTP authentication bypass is "
-      . ($ret{'mfa_totp_bypass'} ? colored('enabled', 'green') : colored('disabled', 'blue'))
-      . " for this account";
-    osh_info "- Additional TOTP authentication is "
-      . ($ret{'mfa_totp_configured'} ? colored('enabled and active', 'green') : colored('disabled', 'blue'));
-
-    osh_info "- PAM authentication bypass is "
-      . ($ret{'pam_auth_bypass'} ? colored('enabled', 'green') : colored('disabled', 'blue'));
-
-    osh_info "- Optional public key authentication is "
-      . ($ret{'pubkey_auth_optional'} ? colored('enabled', 'green') : colored('disabled', 'blue'));
-
-    osh_info "- MFA policy on personal accesses (using personal keys) on egress side is: "
-      . $ret{'personal_egress_mfa_required'};
-
-    osh_info "\n- Account is immune to idle counter-measures: "
-      . ($ret{'idle_ignore'} ? colored('yes', 'green') : colored('no', 'blue'));
-
-    if (!defined $ret{'max_inactive_days'}) {
-        osh_info "- Maximum number of days of inactivity before account is disabled: (default)";
+    if (exists $ret{'mfa_password_required'} && exists $ret{'mfa_totp_required'} && exists $ret{'pam_auth_bypass'}) {
+        osh_info "\nAccount Multi-Factor Authentication status:";
+        osh_info "- Additional password authentication is "
+          . ($ret{'mfa_password_required'} ? colored('required', 'green') : colored('not required', 'blue'))
+          . " for this account";
+        osh_info "- Additional password authentication bypass is "
+          . ($ret{'mfa_password_bypass'} ? colored('enabled', 'green') : colored('disabled', 'blue'))
+          . " for this account";
+        osh_info "- Additional password authentication is "
+          . ($ret{'mfa_password_configured'} ? colored('enabled and active', 'green') : colored('disabled', 'blue'));
+
+        osh_info "- Additional TOTP authentication is "
+          . ($ret{'mfa_totp_required'} ? colored('required', 'green') : colored('not required', 'blue'))
+          . " for this account";
+        osh_info "- Additional TOTP authentication bypass is "
+          . ($ret{'mfa_totp_bypass'} ? colored('enabled', 'green') : colored('disabled', 'blue'))
+          . " for this account";
+        osh_info "- Additional TOTP authentication is "
+          . ($ret{'mfa_totp_configured'} ? colored('enabled and active', 'green') : colored('disabled', 'blue'));
+
+        osh_info "- PAM authentication bypass is "
+          . ($ret{'pam_auth_bypass'} ? colored('enabled', 'green') : colored('disabled', 'blue'));
+
+        osh_info "- Optional public key authentication is "
+          . ($ret{'pubkey_auth_optional'} ? colored('enabled', 'green') : colored('disabled', 'blue'));
+
+        osh_info "- MFA policy on personal accesses (using personal keys) on egress side is: "
+          . $ret{'personal_egress_mfa_required'};
     }
-    elsif ($ret{'max_inactive_days'} == 0) {
-        osh_info "- Maximum number of days of inactivity before account is disabled: never";
+
+    if (exists $ret{'idle_ignore'}) {
+        osh_info "\n- Account is immune to idle counter-measures: "
+          . ($ret{'idle_ignore'} ? colored('yes', 'green') : colored('no', 'blue'));
     }
-    else {
-        osh_info "- Maximum number of days of inactivity before account is disabled: " . $ret{'max_inactive_days'};
+
+    if (exists $ret{'max_inactive_days'}) {
+        if (!defined $ret{'max_inactive_days'}) {
+            osh_info "- Maximum number of days of inactivity before account is disabled: (default)";
+        }
+        elsif ($ret{'max_inactive_days'} == 0) {
+            osh_info "- Maximum number of days of inactivity before account is disabled: never";
+        }
+        else {
+            osh_info "- Maximum number of days of inactivity before account is disabled: " . $ret{'max_inactive_days'};
+        }
     }
 
-    if ($ret{'password'}) {
+    if (defined $ret{'password'}) {
         osh_info "Account PAM UNIX password information (used for password MFA):";
         if ($ret{'password'}{'password'} eq 'locked') {
             osh_info "- No valid password is set";

doc/sphinx/administration/configuration/bastion_conf.rst

@@ -282,7 +282,7 @@ defaultAccountEgressKeyAlgorithm
 
 :Type: ``string``
 
-:Default: ``"rsa"``
+:Default: ``"ecdsa"``
 
 The default algorithm to use to create the egress key of a newly created account
 
@@ -293,7 +293,7 @@ defaultAccountEgressKeySize
 
 :Type: ``int > 0``
 
-:Default: ``4096``
+:Default: ``521``
 
 The default size to use to create the egress key of a newly created account (also see ``defaultAccountEgressKeyAlgorithm``)
 

doc/sphinx/development/setup.rst

@@ -145,7 +145,7 @@ to get up-to-date information):
    Usage: /home/user/bastion/tests/functional/launch_tests_on_instance.sh [OPTIONS] <IP> <SSH_Port> <HTTP_Proxy_Port_or_Zero> <Remote_Admin_User_Name> <Admin_User_SSH_Key_Path> <Root_SSH_Key_Path>
 
    Test Options:
-       --skip-consistency-check   Speed up tests by skipping the consistency check between every test
+       --consistency-check        Check system consistency between every test
        --no-pause-on-fail         Don't pause when a test fails
        --log-prefix=X             Prefix all logs by this name
        --module=X                 Only test this module (specify a filename found in `functional/tests.d/`), can be specified multiple times

etc/bastion/bastion.conf.dist

@@ -86,13 +86,13 @@
 #
 # defaultAccountEgressKeyAlgorithm (string)
 #    DESC: The default algorithm to use to create the egress key of a newly created account
-# DEFAULT: "rsa"
-"defaultAccountEgressKeyAlgorithm": "rsa",
+# DEFAULT: "ecdsa"
+"defaultAccountEgressKeyAlgorithm": "ecdsa",
 #
 # defaultAccountEgressKeySize (int > 0)
 #    DESC: The default size to use to create the egress key of a newly created account (also see ``defaultAccountEgressKeyAlgorithm``)
-# DEFAULT: 4096
-"defaultAccountEgressKeySize": 4096,
+# DEFAULT: 521
+"defaultAccountEgressKeySize": 521,
 #
 # moshAllowed (boolean)
 #     DESC: If set to ``true``, mosh usage is allowed (mosh needs to be installed on serverside, obviously). Otherwise, this feature is disabled.

lib/perl/OVH/Bastion/configuration.inc

@@ -325,7 +325,7 @@ sub load_configuration {
 
     # 4/6) Strings that must be one item of a specific enum.
     foreach my $o (
-        {name => 'defaultAccountEgressKeyAlgorithm', default => 'rsa', valid => [qw{ rsa ecdsa ed25519 }]},
+        {name => 'defaultAccountEgressKeyAlgorithm', default => 'ecdsa', valid => [qw{ rsa ecdsa ed25519 }]},
         {
             name    => 'accountMFAPolicy',
             default => 'enabled',

tests/functional/docker/target_role.sh

@@ -74,8 +74,7 @@ if [ -x "$bashlocation" ]; then
     chsh -s "$bashlocation" "$UID0"
 fi
 
-HOME="$UID0HOME" USER="$UID0" "$basedir"/bin/plugin/restricted/accountCreate       '' '' '' '' --uid 5000 --account "$TARGET_USER" --public-key "$user_pubkey FOR_TESTS_ONLY"
-HOME="$UID0HOME" USER="$UID0" "$basedir"/bin/plugin/restricted/accountGrantCommand '' '' '' '' --account "$TARGET_USER" --command accountGrantCommand
+"$basedir"/bin/admin/setup-first-admin-account.sh "$TARGET_USER" 5000 <<< "$user_pubkey FOR_TESTS_ONLY"
 
 # add an account with local shell access (to mimic a remote server)
 useradd_compat test-shell_ "" "" /bin/sh