authorTakeru Hayasaka <hayatake396@gmail.com>2024-12-28 19:58:02 +0000
committerChristian Breunig <christian@breunig.cc>2025-05-29 13:57:48 +0200
commit6c3b1ef2fede1e3c2b6e89060d3d645c2ba744cd (patch)
tree6c3c060d70a3d48f5b10709f9be067f6a9d49f33 /smoketest/scripts/cli/test_service_ssh.py
parente604e68a5a77718a25b60737dcb9699b84c8e34b (diff)
ssh: T6013: support SSH AuthorizedPrincipalsFile in use with trusted-user-ca-key
This complements commit e7cab89f9f81 ("T6013: Add support for configuring TrustedUserCAKeys in SSH service with local and remote CA keys"). It introduces a new CLI node per user to support defining the authorized principals used by any given PKI certificate. It is now possible to associate SSH login users with their respective principals. Authored-by: Takeru Hayasaka <hayatake396@gmail.com>
Diffstat (limited to 'smoketest/scripts/cli/test_service_ssh.py')
-rwxr-xr-xsmoketest/scripts/cli/test_service_ssh.py89
1 files changed, 88 insertions, 1 deletions
diff --git a/smoketest/scripts/cli/test_service_ssh.py b/smoketest/scripts/cli/test_service_ssh.py
index fa08a5b32..db83f14c3 100755
--- a/smoketest/scripts/cli/test_service_ssh.py
+++ b/smoketest/scripts/cli/test_service_ssh.py
@@ -39,6 +39,7 @@ key_rsa = '/etc/ssh/ssh_host_rsa_key'
key_dsa = '/etc/ssh/ssh_host_dsa_key'
key_ed25519 = '/etc/ssh/ssh_host_ed25519_key'
trusted_user_ca_key = '/etc/ssh/trusted_user_ca_key'
+authorized_principals_dir = '/etc/ssh/authorized_principals'
def get_config_value(key):
@@ -380,18 +381,104 @@ class TestServiceSSH(VyOSUnitTestSHIM.TestCase):
trusted_user_ca_key_config = get_config_value('TrustedUserCAKeys')
self.assertIn(trusted_user_ca_key, trusted_user_ca_key_config)
+ authorize_principals_file_config = get_config_value('AuthorizedPrincipalsFile')
+ self.assertIn('none', authorize_principals_file_config)
with open(trusted_user_ca_key, 'r') as file:
ca_key_contents = file.read()
self.assertIn(ca_root_cert_data, ca_key_contents)
- self.cli_delete(base_path + ['trusted-user-ca-key'])
+ self.cli_delete(
+ base_path + ['trusted-user-ca-key', 'ca-certificate', ca_cert_name]
+ )
self.cli_delete(['pki', 'ca', ca_cert_name])
self.cli_commit()
# Verify the CA key is removed
trusted_user_ca_key_config = get_config_value('TrustedUserCAKeys')
self.assertNotIn(trusted_user_ca_key, trusted_user_ca_key_config)
+ authorize_principals_file_config = get_config_value('AuthorizedPrincipalsFile')
+ self.assertNotIn('none', authorize_principals_file_config)
+
+ def test_ssh_trusted_user_ca_key_and_bind_user_with_principal(self):
+ ca_cert_name = 'test_ca'
+ bind_user = 'test_user'
+ principals = ['test_principal_alice', 'test_principal_bob']
+ test_user = 'ssh_test'
+ test_pass = 'v2i57DZs8idUwMN3VC92'
+
+ # Create a test user
+ self.cli_set(
+ [
+ 'system',
+ 'login',
+ 'user',
+ test_user,
+ 'authentication',
+ 'plaintext-password',
+ test_pass,
+ ]
+ )
+
+ # set pki ca <ca_cert_name> certificate <ca_key_data>
+ # set service ssh trusted-user-ca-key ca-certificate <ca_cert_name>
+ # set service ssh trusted-user-ca-key bind-user <bind_user> principal <principals>
+ self.cli_set(
+ pki_path
+ + [
+ 'ca',
+ ca_cert_name,
+ 'certificate',
+ ca_root_cert_data.replace('\n', ''),
+ ]
+ )
+ self.cli_set(
+ base_path + ['trusted-user-ca-key', 'ca-certificate', ca_cert_name]
+ )
+ for principal in principals:
+ self.cli_set(
+ base_path
+ + [
+ 'trusted-user-ca-key',
+ 'bind-user',
+ bind_user,
+ 'principal',
+ principal,
+ ]
+ )
+ self.cli_commit()
+
+ trusted_user_ca_key_config = get_config_value('TrustedUserCAKeys')
+ self.assertIn(trusted_user_ca_key, trusted_user_ca_key_config)
+ authorized_principals_file = f'{authorized_principals_dir}/{bind_user}'
+ self.assertTrue(os.path.exists(authorized_principals_file))
+
+ with open(authorized_principals_file, 'r') as file:
+ authorized_principals = file.read()
+ for principal in principals:
+ self.assertIn(principal, authorized_principals)
+
+ for principal in principals:
+ self.cli_delete(
+ base_path
+ + [
+ 'trusted-user-ca-key',
+ 'bind-user',
+ bind_user,
+ 'principal',
+ principal,
+ ]
+ )
+
+ self.cli_delete(
+ base_path + ['trusted-user-ca-key', 'ca-certificate', ca_cert_name]
+ )
+ self.cli_delete(['pki', 'ca', ca_cert_name])
+ self.cli_delete(['system', 'login', 'user', test_user])
+ self.cli_commit()
+
+ # Verify the authorized principals file is removed
+ self.assertFalse(os.path.exists(authorized_principals_file))
if __name__ == '__main__':
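Review bot: In test_ssh_trusted_user_ca_key_and_bind_user_with_principal the system login user created at the top is `ssh_test`, but the `bind-user` node is set for `test_user`, a name that is never created as a login account, so the test either exercises a binding to a non-existent user or leaves the created user as an unused fixture; setting `bind_user = test_user` (or dropping the user creation if the CLI does not require an existing account) would make the test match the intent stated in the commit message. The test also verifies the per-user file under authorized_principals_dir but never asserts that sshd's directive now points at it, although the preceding hunk asserts `none` is present when no bind-user exists; a check such as `self.assertIn(authorized_principals_dir, get_config_value('AuthorizedPrincipalsFile'))` (exact value to be confirmed against the generated sshd_config) would pin that behaviour. Since sshd refuses principals files that are world-writable or wrongly owned, an ownership/mode assertion on `authorized_principals_file` via `os.stat` would also be worth adding, with the expected mode taken from the template that writes it. The test relies on `os` being imported earlier in the file, which is outside this hunk.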