// Copyright 2024 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package hibaauthentication_test
import (
"context"
"fmt"
"testing"
"time"
"github.com/google/go-cmp/cmp"
"github.com/openconfig/featureprofiles/internal/security/credz"
"github.com/openconfig/ondatra/gnmi"
"github.com/openconfig/featureprofiles/internal/deviations"
"github.com/openconfig/featureprofiles/internal/fptest"
cpb "github.com/openconfig/gnsi/credentialz"
"github.com/openconfig/ondatra"
)
// Test-wide parameters shared by the subtests below.
const (
	// username is the account created on the DUT for the SSH login attempts.
	username = "testuser"
	// maxSSHRetryTime bounds how long a login outcome is retried for.
	maxSSHRetryTime = 30 // Unit is seconds.
	// hostCertificateVersion is pushed with the host certificate and is
	// expected back from the SSH server telemetry.
	hostCertificateVersion = "v1.0"
)

// hostCertificateCreatedOn is the creation time, in Unix seconds, pushed with
// the host certificate and expected back from the SSH server telemetry.
var hostCertificateCreatedOn = time.Now().Unix()
// TestMain hands the test binary to the featureprofiles runner instead of
// calling m.Run directly.
func TestMain(m *testing.M) {
	fptest.RunTests(m)
}
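// TestCredentialz verifies HIBA certificate based SSH authentication on the
// DUT. The negative case checks that certificate login is rejected while no
// host certificate, trusted user CA or HIBA principal check is installed; the
// positive case installs them and checks that login succeeds and that the SSH
// server telemetry (accept counter and last accept time, active host
// certificate version and creation time) reflects it.
func TestCredentialz(t *testing.T) {
	dut := ondatra.DUT(t, "dut")
	dir := t.TempDir()
	credz.CreateHibaKeys(t, dut, dir)
	credz.SetupUser(t, dut, username)

	// Registered before authentication is narrowed to pubkey-only: a Cleanup
	// only runs if the registering line was reached, so registering it at the
	// end of the test would leave the DUT locked to pubkey auth whenever an
	// earlier step aborted the test with Fatalf.
	t.Cleanup(func() {
		// Cleanup to remove previous policy which only allowed key auth to make sure we don't leave dut in a
		// state where we can't reset config for further tests.
		credz.RotateAuthenticationTypes(t, dut, []cpb.AuthenticationType{
			cpb.AuthenticationType_AUTHENTICATION_TYPE_PASSWORD,
			cpb.AuthenticationType_AUTHENTICATION_TYPE_PUBKEY,
			cpb.AuthenticationType_AUTHENTICATION_TYPE_KBDINTERACTIVE,
		})
		// Remove user ca so subsequent fail cases work.
		// credz.RotateTrustedUserCA(t, dut, "")
		// Clear hiba for authorized principals command.
		credz.RotateAuthorizedPrincipalCheck(t, dut, cpb.AuthorizedPrincipalCheckRequest_TOOL_UNSPECIFIED)
		// Remove host artifacts from the dut.
		// credz.RotateAuthenticationArtifacts(t, dut, "", "", "", 0)
		// SSH configuration cleanup on DUT
		credz.SSHCleanup(t, dut)
	})

	// Set only public key authentication for our test.
	credz.RotateAuthenticationTypes(t, dut, []cpb.AuthenticationType{
		cpb.AuthenticationType_AUTHENTICATION_TYPE_PUBKEY,
	})

	// Key material directories under the temp dir; presumably populated by
	// CreateHibaKeys above.
	usersDir := fmt.Sprintf("%s/users", dir)
	hostsDir := fmt.Sprintf("%s/hosts", dir)

	t.Run("auth should fail hiba host certificate not present", func(t *testing.T) {
		var startingRejectCounter uint64
		if !deviations.SSHServerCountersUnsupported(dut) {
			// Only the counter is compared; the second value returned by
			// GetRejectTelemetry is not used by this case.
			startingRejectCounter, _ = credz.GetRejectTelemetry(t, dut)
		}
		// Verify ssh with hiba fails as expected: nothing that would let the
		// DUT trust the user certificate has been installed yet.
		dialSSHExpecting(t, dut, usersDir, false)
		if !deviations.SSHServerCountersUnsupported(dut) {
			endingRejectCounter, _ := credz.GetRejectTelemetry(t, dut)
			if endingRejectCounter <= startingRejectCounter {
				t.Fatalf("SSH server reject counter did not increment after unsuccessful login. startCounter: %v, endCounter: %v", startingRejectCounter, endingRejectCounter)
			}
		}
	})

	t.Run("auth should succeed ssh public key authorized for user with hiba granted certificate", func(t *testing.T) {
		// Push host key/certificate to the dut.
		credz.RotateAuthenticationArtifacts(t,
			dut,
			hostsDir,
			hostsDir,
			hostCertificateVersion,
			uint64(hostCertificateCreatedOn),
		)
		// Setup trusted user ca on the dut.
		credz.RotateTrustedUserCA(t, dut, dir)
		// Setup hiba for authorized principals command.
		credz.RotateAuthorizedPrincipalCheck(t, dut, cpb.AuthorizedPrincipalCheckRequest_TOOL_HIBA_DEFAULT)

		var startingAcceptCounter, startingLastAcceptTime uint64
		if !deviations.SSHServerCountersUnsupported(dut) {
			startingAcceptCounter, startingLastAcceptTime = credz.GetAcceptTelemetry(t, dut)
		}
		dialSSHExpecting(t, dut, usersDir, true)

		// Verify ssh counters.
		if !deviations.SSHServerCountersUnsupported(dut) {
			endingAcceptCounter, endingLastAcceptTime := credz.GetAcceptTelemetry(t, dut)
			if endingAcceptCounter <= startingAcceptCounter {
				t.Fatalf("SSH server accept counter did not increment after successful login. startCounter: %v, endCounter: %v", startingAcceptCounter, endingAcceptCounter)
			}
			if startingLastAcceptTime == endingLastAcceptTime {
				t.Fatalf("SSH server accept last timestamp did not update after successful login. Timestamp: %v", endingLastAcceptTime)
			}
		}
		// Verify host certificate telemetry.
		if !deviations.SSHServerHostCertificateTelemetryUnsupported(dut) {
			verifyHostCertificateTelemetry(t, dut)
		}
	})
}

// dialSSHExpecting repeatedly attempts a certificate-based SSH login as
// username, using the keys under usersDir, until the outcome matches
// wantSuccess. It retries every few seconds for at most maxSSHRetryTime
// seconds and fails the test if the expected outcome is not reached in time.
//
// A dial error observed after the overall context deadline has expired is
// reported as a timeout rather than accepted as an authentication rejection;
// otherwise an unresponsive DUT would make the negative case pass.
func dialSSHExpecting(t *testing.T, dut *ondatra.DUTDevice, usersDir string, wantSuccess bool) {
	t.Helper()
	const retryInterval = 5 * time.Second
	ctx, cancel := context.WithTimeout(t.Context(), maxSSHRetryTime*time.Second)
	defer cancel()
	startTime := time.Now()
	for {
		_, err := credz.SSHWithCertificate(ctx, t, dut, username, usersDir)
		if err == nil {
			if wantSuccess {
				t.Logf("Dialing ssh succeeded as expected.")
				return
			}
			t.Logf("Dialing ssh succeeded but expected to fail, retrying ...")
		} else {
			if ctx.Err() != nil {
				// The deadline expired; err is not a verdict on authentication.
				t.Fatalf("Exceeded maxSSHRetryTime, context expired while dialing ssh (expected success: %t), last error: %v", wantSuccess, err)
			}
			if !wantSuccess {
				t.Logf("Dialing ssh failed as expected.")
				return
			}
			t.Logf("Dialing ssh failed, retrying ...")
		}
		if time.Since(startTime) > maxSSHRetryTime*time.Second {
			if wantSuccess {
				t.Fatalf("Exceeded maxSSHRetryTime, dialing ssh failed, but we expected to succeed, error: %s", err)
			}
			t.Fatalf("Exceeded maxSSHRetryTime, dialing ssh succeeded, but we expected to fail.")
		}
		// Wait before the next attempt, but stop early if the deadline hits.
		select {
		case <-ctx.Done():
			t.Fatalf("Exceeded maxSSHRetryTime while waiting to retry ssh dial (expected success: %t)", wantSuccess)
		case <-time.After(retryInterval):
		}
	}
}

// verifyHostCertificateTelemetry checks that the SSH server state reports the
// host certificate version and creation time that the test pushed to the DUT.
func verifyHostCertificateTelemetry(t *testing.T, dut *ondatra.DUTDevice) {
	t.Helper()
	sshServer := gnmi.Get(t, dut, gnmi.OC().System().SshServer().State())
	gotHostCertificateVersion := sshServer.GetActiveHostCertificateVersion()
	if !cmp.Equal(gotHostCertificateVersion, hostCertificateVersion) {
		t.Fatalf(
			"Telemetry reports host certificate version is not correct\n\tgot: %s\n\twant: %s",
			gotHostCertificateVersion, hostCertificateVersion,
		)
	}
	gotHostCertificateCreatedOn := sshServer.GetActiveHostCertificateCreatedOn()
	// Compared as Unix seconds, the unit hostCertificateCreatedOn was pushed
	// in. NOTE(review): an earlier variant of this check treated the telemetry
	// value as nanoseconds — confirm the unit against the OpenConfig schema.
	if !cmp.Equal(time.Unix(int64(gotHostCertificateCreatedOn), 0), time.Unix(hostCertificateCreatedOn, 0)) {
		t.Fatalf(
			"Telemetry reports host certificate created on is not correct\n\tgot: %d\n\twant: %d",
			gotHostCertificateCreatedOn, hostCertificateCreatedOn,
		)
	}
}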