From 13606a12054f4fcf1494ea3068db0640ae6cc3a3 Mon Sep 17 00:00:00 2001
From: dermotbradley
Date: Thu, 25 Mar 2021 21:18:41 +0000
Subject: tools/write-ssh-key-fingerprints: do not display empty header/footer (#817)
When output of SSH host keys and/or SSH fingerprints are disabled for all keys do not display headers and footers. Prevent risk of message text being interpreted as "logger" option by appending "--" to logger options. Correct syslog output that was tagged with "ec2" regardless of DataSource in use. Now use "cloud-init" tag instead. Various "shellcheck" corrections. Add testcase for disabled output of SSH host keys.
---
 .../integration_tests/modules/test_keys_to_console.py | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+) (limited to 'tests')
diff --git a/tests/integration_tests/modules/test_keys_to_console.py b/tests/integration_tests/modules/test_keys_to_console.py
index 298c9e6d..56dff9a0 100644
--- a/tests/integration_tests/modules/test_keys_to_console.py
+++ b/tests/integration_tests/modules/test_keys_to_console.py
@@ -10,6 +10,11 @@ ssh_fp_console_blacklist: [ssh-dss, ssh-dsa, ecdsa-sha2-nistp256]
 ssh_key_console_blacklist: [ssh-dss, ssh-dsa, ecdsa-sha2-nistp256]
 """
+BLACKLIST_ALL_KEYS_USER_DATA = """\
+#cloud-config
+ssh_fp_console_blacklist: [ssh-dsa, ssh-ecdsa, ssh-ed25519, ssh-rsa, ssh-dss, ecdsa-sha2-nistp256]
+""" # noqa: E501
+
 DISABLED_USER_DATA = """\
 #cloud-config
 ssh:
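Review bot: BLACKLIST_ALL_KEYS_USER_DATA sets only `ssh_fp_console_blacklist`, so the fixture exercises header/footer suppression for fingerprints but not for the host-key listing, although the commit message covers "SSH host keys and/or SSH fingerprints". Because the keys list is left at its default, the public host keys are presumably still written out in this scenario, and the fixture name ("ALL_KEYS") can be read as if nothing about host keys is emitted. Either add a matching `ssh_key_console_blacklist: [...]` line (or a second fixture for that path), or put a comment above the constant such as `# Fingerprints only: ssh_key_console_blacklist is deliberately left at its default.` DISABLED_USER_DATA continues past the end of the hunk.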
@@ -31,6 +36,20 @@ class TestKeysToConsoleBlacklist:
 assert "({})".format(key_type) in syslog
+@pytest.mark.user_data(BLACKLIST_ALL_KEYS_USER_DATA)
+class TestAllKeysToConsoleBlacklist:
+ """Test that when key blacklist contains all key types that
+ no header/footer are output.
+ """
+ def test_header_excluded(self, class_client):
+ syslog = class_client.read_from_file("/var/log/syslog")
+ assert "BEGIN SSH HOST KEY FINGERPRINTS" not in syslog
+
+ def test_footer_excluded(self, class_client):
+ syslog = class_client.read_from_file("/var/log/syslog")
+ assert "END SSH HOST KEY FINGERPRINTS" not in syslog
+
+
 @pytest.mark.user_data(DISABLED_USER_DATA)
 class TestKeysToConsoleDisabled:
 """Test that output can be fully disabled."""
-- cgit v1.2.3
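Review bot: Both assertions in TestAllKeysToConsoleBlacklist are negative substring checks on `/var/log/syslog`, so they also pass when nothing from the script reached that file at all: the script did not run, the image logs elsewhere, or the content read back is empty. Add a positive control in the same class so a silent logging failure cannot be mistaken for correct suppression, for example `assert syslog.strip(), "no syslog content read"` ahead of each `not in` check, or better an assertion on a line the script is still expected to emit with this user data (which line that is depends on script code not shown on this page). The two tests also read the same file separately; a single test holding both assertions would check header and footer against one snapshot of the log.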