Skip to content

Commit

Permalink
chore: fix FreeBSD GitHub Action
Browse files Browse the repository at this point in the history
  • Loading branch information
speed47 committed Oct 31, 2023
1 parent d3ece7b commit 822181b
Show file tree
Hide file tree
Showing 4 changed files with 60 additions and 28 deletions.
63 changes: 45 additions & 18 deletions .github/workflows/freebsd.yml
Original file line number Diff line number Diff line change
Expand Up @@ -6,31 +6,58 @@ on:

jobs:
freebsd:
runs-on: macos-12
runs-on: ubuntu-latest
name: FreeBSD
if: ${{ contains(github.event.pull_request.labels.*.name, 'tests:full') || contains(github.event.pull_request.labels.*.name, 'tests:long') || contains(github.event.pull_request.labels.*.name, 'tests:freebsd') }}
timeout-minutes: 180
if: ${{ contains(github.event.pull_request.labels.*.name, 'tests:freebsd') }}
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- name: Functional tests under FreeBSD
uses: vmactions/freebsd-vm@v0
uses: cross-platform-actions/action@master
with:
usesh: true
sync: sshfs
operating_system: freebsd
version: '13.2'
shell: bash
sync_files: runner-to-vm
run: |
set -ex
# source this to get the $SSH_DIR var properly filled
source lib/shell/functions.inc
# a few debug commands
set -exu
freebsd-version
mount -o acls /
pkg install -y bash rsync ca_root_nss jq fping screen flock curl
mkdir -p /opt/bastion
rsync -a . /opt/bastion/
/opt/bastion/bin/admin/packages-check.sh -i
/opt/bastion/bin/admin/install-ttyrec.sh -s
/opt/bastion/bin/admin/install-yubico-piv-checker.sh -s
/opt/bastion/bin/admin/install-mkhash-helper.sh -s
/opt/bastion/bin/admin/install --new-install
ssh-keygen -t ed25519 -f id_user
ssh-keygen -t ed25519 -f id_root
WANT_HTTP_PROXY=0 NO_SLEEP=1 user_pubkey=$(cat id_user.pub) root_pubkey=$(cat id_root.pub) TARGET_USER=user5000 /opt/bastion/tests/functional/docker/target_role.sh
id
# to do proper tests, we need the fs to have ACLs enabled
sudo mount -o acls /
# install required packages
sudo pkg update
sudo pkg install -y bash rsync ca_root_nss jq fping screen flock curl
# create required folder
sudo mkdir -p /opt/bastion
# copy bastion code to the proper location
sudo rsync -a . /opt/bastion/
# save default ssh config, so we can restore it when we're done,
# or the github action will fail because the post-run actions it'll
# try to do over ssh won't complete due to our modified ssh config
sudo tar czf /opt/bastion/ssh_config.tar.gz $SSH_DIR/
# setup bastion
sudo /opt/bastion/bin/admin/packages-check.sh -i
sudo /opt/bastion/bin/admin/install-ttyrec.sh -s
sudo /opt/bastion/bin/admin/install-yubico-piv-checker.sh -s
sudo /opt/bastion/bin/admin/install-mkhash-helper.sh -s
sudo /opt/bastion/bin/admin/install --new-install
# by default, this is 0700, but we'll run those as non-root
sudo chmod 0755 /opt/bastion/tests
# generate two sets of keys
ssh-keygen -t ed25519 -f id_user -N ''
ssh-keygen -t ed25519 -f id_root -N ''
# setup the local bastion for tests
sudo env WANT_HTTP_PROXY=0 NO_SLEEP=1 user_pubkey="$(cat id_user.pub)" root_pubkey="$(cat id_root.pub)" TARGET_USER=user5000 /opt/bastion/tests/functional/docker/target_role.sh
# run the tests
/opt/bastion/tests/functional/launch_tests_on_instance.sh --has-mfa=0 --has-mfa-password=1 --has-pamtester=1 --skip-consistency-check --remote-etc-bastion=/usr/local/etc/bastion 127.0.0.1 22 0 user5000 id_user id_root
# restore saved ssh config
sudo tar xzf /opt/bastion/ssh_config.tar.gz -C /
# restart ssh so that the config is taken into account
sudo /etc/rc.d/sshd restart
# now, the post-run of cross-platform-actions will work
10 changes: 6 additions & 4 deletions tests/functional/docker/target_role.sh
Original file line number Diff line number Diff line change
Expand Up @@ -125,15 +125,18 @@ if [ "$OS_FAMILY" = Linux ] ; then
fi

elif [ "$OS_FAMILY" = OpenBSD ] || [ "$OS_FAMILY" = FreeBSD ] || [ "$OS_FAMILY" = NetBSD ] ; then

# setup some 127.0.0.x IPs (needed for our tests)
# this automatically works under Linux on lo
nic=$(ifconfig | perl -ne 'm{^([a-z._0-9]+): flags}i and $nic=$1; m{inet 127\.0\.0\.1} and print $nic and exit')
: "${nic:=lo0}"
i=2
while [ $i -lt 20 ] ; do
ifconfig lo0 127.0.0.$i netmask 255.0.0.0 alias
ifconfig $nic 127.0.0.$i netmask 255.0.0.0 alias
(( i++ ))
done
ifconfig lo0 127.7.7.7 netmask 255.0.0.0 alias
ifconfig $nic 127.7.7.7 netmask 255.0.0.0 alias
echo "Added a few local IP aliases"
ifconfig $nic

set +e
for st in restart onestart
Expand All @@ -150,7 +153,6 @@ if [ -n "$NO_SLEEP" ]; then
fi

if [ "$WANT_HTTP_PROXY" = 1 ]; then

# build a self-signed certificate for the http proxy and adjust the config
openssl req -x509 -nodes -days 7 -newkey rsa:2048 -keyout /tmp/selfsigned.key -out /tmp/selfsigned.crt -subj "/CN=testcert"
chgrp proxyhttp /tmp/selfsigned.key
Expand Down
4 changes: 2 additions & 2 deletions tests/functional/tests.d/200-scripts.sh
Original file line number Diff line number Diff line change
Expand Up @@ -58,8 +58,8 @@ testsuite_scripts()
contain "50-gpg-admins-key.conf updated:"
contain "50-gpg.conf updated:"
contain "Parsed and added 2 keys"
contain "GPGKEYS='CF27BEC1C8266FFE EC6CEA6719EF3700'"
contain '[ "CF27BEC1C8266FFE", "EC6CEA6719EF3700" ]'
contain REGEX "GPGKEYS='(CF27BEC1C8266FFE EC6CEA6719EF3700|EC6CEA6719EF3700 CF27BEC1C8266FFE)'"
contain REGEX '("CF27BEC1C8266FFE", "EC6CEA6719EF3700"|"EC6CEA6719EF3700", "CF27BEC1C8266FFE")'
nocontain "WARN:"
nocontain "ERROR:"
nocontain "Unexpected termination"
Expand Down
11 changes: 7 additions & 4 deletions tests/functional/tests.d/340-selfaccesses.sh
Original file line number Diff line number Diff line change
Expand Up @@ -198,14 +198,17 @@ testsuite_selfaccesses()

# scp & sftp

# patch bastionCommand in config
configchg 's=^\\\\x22bastionCommand\\\\x22.+=\\\\x22bastionCommand\\\\x22:\\\\x22ssh\\\\x20USER\\\\x40'"$remote_ip"'\\\\x20-p\\\\x20'"$remote_port"'\\\\x20-t\\\\x20--\\\\x22,='

## get both helpers first
for proto in scp sftp; do
success $proto $a0 --osh $proto
if [ "$COUNTONLY" != 1 ]; then
tmpb64=$(get_json | $jq '.value.script')
base64 -d <<< "$tmpb64" | gunzip -c > /tmp/${proto}helpertmp
perl -pe "s/ssh $account0\\@\\S+/ssh -p $remote_port $account0\\@$remote_ip/" /tmp/${proto}helpertmp > /tmp/${proto}helper
chmod +x /tmp/${proto}helper
base64 -d <<< "$tmpb64" | gunzip -c > "/tmp/${proto}helper"
perl -i -pe 'print "BASTION_SCP_DEBUG=1\nBASTION_SFTP_DEBUG=1\n" if ++$line==2' "/tmp/${proto}helper"
chmod +x "/tmp/${proto}helper"
unset tmpb64
fi
done
Expand Down Expand Up @@ -243,7 +246,7 @@ testsuite_selfaccesses()

run scp_invalidhostname scp $scp_options -F $mytmpdir/ssh_config -S /tmp/scphelper -i $account0key1file $shellaccount@_invalid._invalid:uptest /tmp/downloaded
retvalshouldbe 1
contain "Sorry, couldn't resolve the host you specified"
contain REGEX "Sorry, couldn't resolve the host you specified|I was unable to resolve host"

success scp_upload scp $scp_options -F $mytmpdir/ssh_config -S /tmp/scphelper -i $account0key1file /etc/passwd $shellaccount@127.0.0.2:uptest
contain "through the bastion to"
Expand Down

0 comments on commit 822181b

Please sign in to comment.