tests/ssh-test-plugin

   1 #!/bin/bash
   2
   3 [ -z "$CRYPTSETUP_PATH" ] && {
   4         TOKEN_PATH="./fake_token_path.so"
   5         [ ! -f $TOKEN_PATH ] && { echo "Please compile $TOKEN_PATH."; exit 77; }
   6         export LD_PRELOAD=$TOKEN_PATH
   7         CRYPTSETUP_PATH=".."
   8 }
   9 CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup
  10 CRYPTSETUP_SSH=$CRYPTSETUP_PATH/cryptsetup-ssh
  11 IMG="ssh_test.img"
  12 MAP="sshtest"
  13 USER="sshtest"
  14 PASSWD="sshtest1"
  15 PASSWD2="sshtest2"
  16 SSH_OPTIONS="-o StrictHostKeyChecking=no"
  17
  18 SSH_SERVER="localhost"
  19 SSH_PATH="/home/$USER/keyfile"
  20 SSH_KEY_PATH="$HOME/sshtest-key"
  21
  22 FAST_PBKDF_OPT="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
  23
  24 CRYPTSETUP_VALGRIND=../.libs/cryptsetup
  25 CRYPTSETUP_SSH_VALGRIND=../.libs/cryptsetup-ssh
  26 CRYPTSETUP_LIB_VALGRIND=../.libs
  27
  28 [ -z "$srcdir" ] && srcdir="."
  29
  30 function remove_mapping()
  31 {
  32         [ -b /dev/mapper/$MAP ] && dmsetup remove --retry $MAP
  33         rm -f $IMG >/dev/null 2>&1
  34 }
  35
  36 function remove_user()
  37 {
  38         id -u $USER >/dev/null 2>&1 && userdel -r -f $USER >/dev/null 2>&1
  39         rm -f $SSH_KEY_PATH "$SSH_KEY_PATH.pub" >/dev/null 2>&1
  40 }
  41
  42 function create_user()
  43 {
  44         id -u $USER >/dev/null 2>&1
  45         [ $? -eq 0 ] && skip "User account $USER exists, aborting."
  46         [ -f $SSH_KEY_PATH ] && skip "SSH key $SSH_KEY_PATH already exists, aborting."
  47
  48         useradd -m $USER -p $(openssl passwd $PASSWD) || skip "Failed to add user for SSH plugin test."
  49
  50         ssh-keygen -f $SSH_KEY_PATH -q -N "" >/dev/null 2>&1
  51         [ $? -ne 0 ] && remove_user && skip "Failed to create SSH key."
  52 }
  53
  54 function ssh_check()
  55 {
  56         # try to use netcat to check port 22
  57         nc -zv $SSH_SERVER 22 >/dev/null 2>&1 || skip "SSH server does not seem to be running, skipping."
  58 }
  59
  60 function bin_check()
  61 {
  62         command -v $1 >/dev/null || skip "WARNING: test require $1 binary, test skipped."
  63 }
  64
  65 function ssh_setup()
  66 {
  67         # copy the ssh key
  68         [ -d "/home/$USER/.ssh" ] || mkdir /home/$USER/.ssh
  69         touch /home/$USER/.ssh/authorized_keys
  70
  71         cat $SSH_KEY_PATH.pub >> /home/$USER/.ssh/authorized_keys
  72         [ $? -ne 0 ] && remove_user && fail "Failed to copy SSH key."
  73
  74         # make sure /home/sshtest/.ssh and /home/sshtest/.ssh/authorized_keys have correct permissions
  75         chown -R $USER:$USER /home/$USER/.ssh
  76         chmod 700 /home/$USER/.ssh
  77         chmod 644 /home/$USER/.ssh/authorized_keys
  78
  79         # try to ssh and also create keyfile
  80         ssh -i $SSH_KEY_PATH $SSH_OPTIONS -o BatchMode=yes -n $USER@$SSH_SERVER "echo -n $PASSWD > $SSH_PATH" >/dev/null 2>&1
  81         [ $? -ne 0 ] && remove_user && fail "Failed to connect using SSH."
  82 }
  83
  84 function fail()
  85 {
  86         echo "[FAILED]"
  87         [ -n "$1" ] && echo "$1"
  88         echo "FAILED backtrace:"
  89         while caller $frame; do ((frame++)); done
  90         remove_mapping
  91         remove_user
  92         exit 2
  93 }
  94
  95 function skip()
  96 {
  97         [ -n "$1" ] && echo "$1"
  98         remove_mapping
  99         exit 77
 100 }
 101
 102 function valgrind_setup()
 103 {
 104         command -v valgrind >/dev/null || fail "Cannot find valgrind."
 105         [ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable."
 106         [ ! -f $CRYPTSETUP_SSH_VALGRIND ] && fail "Unable to get location of cryptsetup-ssh executable."
 107         export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH"
 108 }
 109
 110 function valgrind_run()
 111 {
 112         INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}" ./valg.sh ${CRYPTSETUP_VALGRIND} "$@"
 113 }
 114
 115 function valgrind_run_ssh()
 116 {
 117         INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}" ./valg.sh ${CRYPTSETUP_SSH_VALGRIND} "$@"
 118 }
 119
 120 format()
 121 {
 122         dd if=/dev/zero of=$IMG bs=1M count=32 >/dev/null 2>&1
 123
 124         echo $PASSWD | $CRYPTSETUP luksFormat --type luks2 $FAST_PBKDF_OPT $IMG --force-password -q
 125         [ $? -ne 0 ] && fail "Format failed."
 126
 127         echo -e "$PASSWD\n$PASSWD2" | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $IMG -q
 128         [ $? -ne 0 ] && fail "Add key failed."
 129 }
 130
 131 check_dump()
 132 {
 133         dump=$1
 134         keyslot=$2
 135
 136         token=$(echo "$dump" | grep Tokens -A 1 | tail -1 | cut -d: -f2 | tr -d "\t\n ")
 137         [ "$token" = "ssh"  ] || fail " token check from dump failed."
 138
 139         server=$(echo "$dump" | grep ssh_server | cut -d: -f2 | tr -d "\t\n ")
 140         [ "$server" = $SSH_SERVER ] || fail " server check from dump failed."
 141
 142         user=$(echo "$dump" | grep ssh_user | cut -d: -f2 | tr -d "\t\n ")
 143         [ "$user" = "$USER"  ] || fail " user check from dump failed."
 144
 145         path=$(echo "$dump" | grep ssh_path | cut -d: -f2 | tr -d "\t\n ")
 146         [ "$path" = "$SSH_PATH"  ] || fail " path check from dump failed."
 147
 148         key_path=$(echo "$dump" | grep ssh_key_path | cut -d: -f2 | tr -d "\t\n ")
 149         [ "$key_path" = "$SSH_KEY_PATH"  ] || fail " key_path check from dump failed."
 150
 151         keyslot_dump=$(echo "$dump" | grep Keyslot: | cut -d: -f2 | tr -d "\t\n ")
 152         [ "$keyslot_dump" = "$keyslot" ] || fail " keyslot check from dump failed."
 153 }
 154
 155 [ ! -x "$CRYPTSETUP" ] && skip "Cannot find $CRYPTSETUP, test skipped."
 156 [ -n "$VALG" ] && valgrind_setup && CRYPTSETUP=valgrind_run && CRYPTSETUP_SSH=valgrind_run_ssh
 157 [ $(id -u) != 0 ] && skip "WARNING: You must be root to run this test, test skipped."
 158
 159 # Prevent running dangerous useradd operation by default
 160 [ -z "$RUN_SSH_PLUGIN_TEST" ] && skip "WARNING: Variable RUN_SSH_PLUGIN_TEST must be defined, test skipped."
 161
 162 bin_check nc
 163 bin_check useradd
 164 bin_check ssh
 165 bin_check ssh-keygen
 166 bin_check sshpass
 167 bin_check openssl
 168
 169 format
 170
 171 echo -n "Adding SSH token: "
 172
 173 ssh_check
 174 create_user
 175 ssh_setup
 176
 177 $CRYPTSETUP_SSH add $IMG --ssh-server $SSH_SERVER --ssh-user $USER --ssh-path $SSH_PATH --ssh-keypath $SSH_KEY_PATH
 178 [ $? -ne 0 ] && fail "Failed to add SSH token to $IMG"
 179
 180 out=$($CRYPTSETUP luksDump $IMG)
 181 check_dump "$out" 0
 182 echo "[OK]"
 183
 184 echo -n "Activating using SSH token: "
 185
 186 $CRYPTSETUP luksOpen --token-only --disable-external-tokens -r $IMG $MAP && fail "Tokens should be disabled"
 187 $CRYPTSETUP luksOpen -r $IMG $MAP -q >/dev/null 2>&1 <&-
 188 [ $? -ne 0 ] && fail "Failed to open $IMG using SSH token"
 189 echo "[OK]"
 190
 191 # Remove the newly added token and test adding with --key-slot
 192 $CRYPTSETUP token remove --token-id 0 $IMG || fail "Failed to remove token"
 193
 194 echo -n "Adding SSH token with --key-slot: "
 195
 196 $CRYPTSETUP_SSH add $IMG --ssh-server $SSH_SERVER --ssh-user $USER --ssh-path $SSH_PATH --ssh-keypath $SSH_KEY_PATH --key-slot 1
 197 [ $? -ne 0 ] && fail "Failed to add SSH token to $IMG"
 198
 199 out=$($CRYPTSETUP luksDump $IMG)
 200 check_dump "$out" 1
 201 echo "[OK]"
 202
 203 remove_mapping
 204 remove_user