tests: Support Ubuntu 22.04 as test suite runner (controller)
To do so the test suite allows a weak cryptographic algorithm (SHA1) to be
used, principally for CentOS 6 targets. This can be removed if/when support
for older (legacy) targets is dropped.

Only the test suite enables this known weak algorithm. Mitogen as-shipped
doesn't enable or disable algorithms.
moreati committed Jul 5, 2023
1 parent ec212a1 commit 5636ec0
Showing 8 changed files with 124 additions and 106 deletions.
18 changes: 17 additions & 1 deletion tests/ansible/ansible.cfg
Expand Up @@ -48,5 +48,21 @@ host_pattern_mismatch = error
task_output_limit = 10

[ssh_connection]
ssh_args = -o UserKnownHostsFile=/dev/null -o ForwardAgent=yes -o ControlMaster=auto -o ControlPersist=60s
# https://www.openssh.com/legacy.html
# ssh-rsa uses SHA1. Least worst available with CentOS 7 sshd.
# Rejected by default in newer ssh clients (e.g. Ubuntu 22.04).
# Duplicated cases in
# - tests/ansible/ansible.cfg
# - tests/ansible/integration/connection_delegation/delegate_to_template.yml
# - tests/ansible/integration/connection_delegation/stack_construction.yml
# - tests/ansible/integration/process/unix_socket_cleanup.yml
# - tests/ansible/integration/ssh/variables.yml
# - tests/testlib.py
ssh_args =
-o ControlMaster=auto
-o ControlPersist=60s
-o ForwardAgent=yes
-o HostKeyAlgorithms=+ssh-rsa
-o PubkeyAcceptedKeyTypes=+ssh-rsa
-o UserKnownHostsFile=/dev/null
pipelining = True
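Review bot: The comment above `ssh_args` explains `ssh-rsa` but not why the older keyword `PubkeyAcceptedKeyTypes` is used; OpenSSH 8.5 renamed it to `PubkeyAcceptedAlgorithms` and keeps the old name as an alias, so a later cleanup could "modernise" the spelling and break controllers with an older ssh client. I would add `# PubkeyAcceptedKeyTypes: pre-8.5 name, still accepted as an alias; keep for older ssh clients.` to the comment block. Because these are `[ssh_connection]` defaults they apply to every target in a run, alongside `UserKnownHostsFile=/dev/null` and `ForwardAgent=yes`, so the comment should also say the block is meant for disposable test targets only and must not be copied into a real inventory.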
Expand Up @@ -44,14 +44,12 @@
'python_path': ["/usr/bin/python"],
'remote_name': null,
'ssh_args': [
'-o',
'UserKnownHostsFile=/dev/null',
'-o',
'ForwardAgent=yes',
'-o',
'ControlMaster=auto',
'-o',
'ControlPersist=60s',
-o, ControlMaster=auto,
-o, ControlPersist=60s,
-o, ForwardAgent=yes,
-o, HostKeyAlgorithms=+ssh-rsa,
-o, PubkeyAcceptedKeyTypes=+ssh-rsa,
-o, UserKnownHostsFile=/dev/null,
],
'ssh_debug_level': null,
'ssh_path': 'ssh',
Expand All @@ -74,14 +72,12 @@
'python_path': ["/usr/bin/python"],
'remote_name': null,
'ssh_args': [
'-o',
'UserKnownHostsFile=/dev/null',
'-o',
'ForwardAgent=yes',
'-o',
'ControlMaster=auto',
'-o',
'ControlPersist=60s',
-o, ControlMaster=auto,
-o, ControlPersist=60s,
-o, ForwardAgent=yes,
-o, HostKeyAlgorithms=+ssh-rsa,
-o, PubkeyAcceptedKeyTypes=+ssh-rsa,
-o, UserKnownHostsFile=/dev/null,
],
'ssh_debug_level': null,
'ssh_path': 'ssh',
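Review bot: The six new `ssh_args` entries are written as bare scalars (`-o, HostKeyAlgorithms=+ssh-rsa,`) while the entries they appear to replace and the neighbouring keys are quoted; I would keep the quoting, `'-o', 'HostKeyAlgorithms=+ssh-rsa',`, so a value that starts with `-` or contains `+` can only ever be read as a string. The same applies to both hunks of this section and to every hunk of the following file section. These expected lists presumably have to match the order of `ssh_args` in tests/ansible/ansible.cfg, which would be worth a one-line comment next to the first of them.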
Expand Up @@ -81,14 +81,12 @@
"python_path": ["/usr/bin/python"],
'remote_name': null,
'ssh_args': [
'-o',
'UserKnownHostsFile=/dev/null',
'-o',
'ForwardAgent=yes',
'-o',
'ControlMaster=auto',
'-o',
'ControlPersist=60s',
-o, ControlMaster=auto,
-o, ControlPersist=60s,
-o, ForwardAgent=yes,
-o, HostKeyAlgorithms=+ssh-rsa,
-o, PubkeyAcceptedKeyTypes=+ssh-rsa,
-o, UserKnownHostsFile=/dev/null,
],
'ssh_debug_level': null,
'ssh_path': 'ssh',
Expand Down Expand Up @@ -126,14 +124,12 @@
"python_path": ["/usr/bin/python"],
'remote_name': null,
'ssh_args': [
'-o',
'UserKnownHostsFile=/dev/null',
'-o',
'ForwardAgent=yes',
'-o',
'ControlMaster=auto',
'-o',
'ControlPersist=60s',
-o, ControlMaster=auto,
-o, ControlPersist=60s,
-o, ForwardAgent=yes,
-o, HostKeyAlgorithms=+ssh-rsa,
-o, PubkeyAcceptedKeyTypes=+ssh-rsa,
-o, UserKnownHostsFile=/dev/null,
],
'ssh_debug_level': null,
'ssh_path': 'ssh',
Expand Down Expand Up @@ -182,14 +178,12 @@
"python_path": ["/usr/bin/python"],
'remote_name': null,
'ssh_args': [
'-o',
'UserKnownHostsFile=/dev/null',
'-o',
'ForwardAgent=yes',
'-o',
'ControlMaster=auto',
'-o',
'ControlPersist=60s',
-o, ControlMaster=auto,
-o, ControlPersist=60s,
-o, ForwardAgent=yes,
-o, HostKeyAlgorithms=+ssh-rsa,
-o, PubkeyAcceptedKeyTypes=+ssh-rsa,
-o, UserKnownHostsFile=/dev/null,
],
'ssh_debug_level': null,
'ssh_path': 'ssh',
Expand Down Expand Up @@ -227,14 +221,12 @@
"python_path": ["/usr/bin/python"],
'remote_name': null,
'ssh_args': [
'-o',
'UserKnownHostsFile=/dev/null',
'-o',
'ForwardAgent=yes',
'-o',
'ControlMaster=auto',
'-o',
'ControlPersist=60s',
-o, ControlMaster=auto,
-o, ControlPersist=60s,
-o, ForwardAgent=yes,
-o, HostKeyAlgorithms=+ssh-rsa,
-o, PubkeyAcceptedKeyTypes=+ssh-rsa,
-o, UserKnownHostsFile=/dev/null,
],
'ssh_debug_level': null,
'ssh_path': 'ssh',
Expand All @@ -257,14 +249,12 @@
"python_path": ["/usr/bin/python"],
'remote_name': null,
'ssh_args': [
'-o',
'UserKnownHostsFile=/dev/null',
'-o',
'ForwardAgent=yes',
'-o',
'ControlMaster=auto',
'-o',
'ControlPersist=60s',
-o, ControlMaster=auto,
-o, ControlPersist=60s,
-o, ForwardAgent=yes,
-o, HostKeyAlgorithms=+ssh-rsa,
-o, PubkeyAcceptedKeyTypes=+ssh-rsa,
-o, UserKnownHostsFile=/dev/null,
],
'ssh_debug_level': null,
'ssh_path': 'ssh',
Expand Down Expand Up @@ -313,14 +303,12 @@
"python_path": ["/usr/bin/python"],
'remote_name': null,
'ssh_args': [
'-o',
'UserKnownHostsFile=/dev/null',
'-o',
'ForwardAgent=yes',
'-o',
'ControlMaster=auto',
'-o',
'ControlPersist=60s',
-o, ControlMaster=auto,
-o, ControlPersist=60s,
-o, ForwardAgent=yes,
-o, HostKeyAlgorithms=+ssh-rsa,
-o, PubkeyAcceptedKeyTypes=+ssh-rsa,
-o, UserKnownHostsFile=/dev/null,
],
'ssh_debug_level': null,
'ssh_path': 'ssh',
Expand Down Expand Up @@ -359,14 +347,12 @@
"python_path": ["/usr/bin/python"],
'remote_name': null,
'ssh_args': [
'-o',
'UserKnownHostsFile=/dev/null',
'-o',
'ForwardAgent=yes',
'-o',
'ControlMaster=auto',
'-o',
'ControlPersist=60s',
-o, ControlMaster=auto,
-o, ControlPersist=60s,
-o, ForwardAgent=yes,
-o, HostKeyAlgorithms=+ssh-rsa,
-o, PubkeyAcceptedKeyTypes=+ssh-rsa,
-o, UserKnownHostsFile=/dev/null,
],
'ssh_debug_level': null,
'ssh_path': 'ssh',
2 changes: 1 addition & 1 deletion tests/ansible/integration/process/unix_socket_cleanup.yml
Expand Up @@ -9,7 +9,7 @@

- shell: >
ANSIBLE_STRATEGY=mitogen_linear
ANSIBLE_SSH_ARGS=""
ANSIBLE_SSH_ARGS="-o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedKeyTypes=+ssh-rsa"
ansible -m shell -c local -a whoami
{% for inv in ansible_inventory_sources %}
-i "{{ inv }}"
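Review bot: This task runs `ansible -m shell -c local`, so as far as the hunk shows no ssh client is started and the two `ssh-rsa` options in `ANSIBLE_SSH_ARGS` look unnecessary here; keeping the value empty would leave the weak algorithm enabled in one place fewer. If an ssh hop does happen for some inventory entries, a comment above the variable saying so, e.g. `# ssh-rsa needed: <reason>`, would stop a later reader from removing it by mistake. The command continues past the end of the hunk, so the rest of its arguments are not visible.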
16 changes: 8 additions & 8 deletions tests/ansible/integration/ssh/variables.yml
Expand Up @@ -17,7 +17,7 @@
shell: >
ANSIBLE_ANY_ERRORS_FATAL=false
ANSIBLE_STRATEGY=mitogen_linear
ANSIBLE_SSH_ARGS=""
ANSIBLE_SSH_ARGS="-o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedKeyTypes=+ssh-rsa"
ansible -m shell -a whoami
{% for inv in ansible_inventory_sources %}
-i "{{ inv }}"
Expand All @@ -34,7 +34,7 @@
shell: >
ANSIBLE_ANY_ERRORS_FATAL=false
ANSIBLE_STRATEGY=mitogen_linear
ANSIBLE_SSH_ARGS=""
ANSIBLE_SSH_ARGS="-o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedKeyTypes=+ssh-rsa"
ansible -m shell -a whoami
{% for inv in ansible_inventory_sources %}
-i "{{ inv }}"
Expand All @@ -59,7 +59,7 @@
shell: >
ANSIBLE_ANY_ERRORS_FATAL=false
ANSIBLE_STRATEGY=mitogen_linear
ANSIBLE_SSH_ARGS=""
ANSIBLE_SSH_ARGS="-o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedKeyTypes=+ssh-rsa"
ansible -m shell -a whoami
{% for inv in ansible_inventory_sources %}
-i "{{ inv }}"
Expand All @@ -76,7 +76,7 @@
shell: >
ANSIBLE_ANY_ERRORS_FATAL=false
ANSIBLE_STRATEGY=mitogen_linear
ANSIBLE_SSH_ARGS=""
ANSIBLE_SSH_ARGS="-o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedKeyTypes=+ssh-rsa"
ansible -m shell -a whoami
{% for inv in ansible_inventory_sources %}
-i "{{ inv }}"
Expand All @@ -101,7 +101,7 @@
shell: >
ANSIBLE_ANY_ERRORS_FATAL=false
ANSIBLE_STRATEGY=mitogen_linear
ANSIBLE_SSH_ARGS=""
ANSIBLE_SSH_ARGS="-o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedKeyTypes=+ssh-rsa"
ansible -m shell -a whoami
{% for inv in ansible_inventory_sources %}
-i "{{ inv }}"
Expand All @@ -118,7 +118,7 @@
shell: >
ANSIBLE_ANY_ERRORS_FATAL=false
ANSIBLE_STRATEGY=mitogen_linear
ANSIBLE_SSH_ARGS=""
ANSIBLE_SSH_ARGS="-o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedKeyTypes=+ssh-rsa"
ansible -m shell -a whoami
{% for inv in ansible_inventory_sources %}
-i "{{ inv }}"
Expand Down Expand Up @@ -148,7 +148,7 @@
shell: >
ANSIBLE_ANY_ERRORS_FATAL=false
ANSIBLE_STRATEGY=mitogen_linear
ANSIBLE_SSH_ARGS=""
ANSIBLE_SSH_ARGS="-o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedKeyTypes=+ssh-rsa"
ansible -m shell -a whoami
{% for inv in ansible_inventory_sources %}
-i "{{ inv }}"
Expand All @@ -165,7 +165,7 @@
shell: >
ANSIBLE_ANY_ERRORS_FATAL=false
ANSIBLE_STRATEGY=mitogen_linear
ANSIBLE_SSH_ARGS=""
ANSIBLE_SSH_ARGS="-o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedKeyTypes=+ssh-rsa"
ansible -m shell -a whoami
{% for inv in ansible_inventory_sources %}
-i "{{ inv }}"
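Review bot: The eight `ANSIBLE_SSH_ARGS` values enable `ssh-rsa` with no comment, unlike tests/ansible/ansible.cfg and tests/testlib.py, so someone reading this file alone cannot tell why a SHA1-based algorithm is accepted or when it can be dropped. A single comment at the top of the file, such as `# ssh-rsa: legacy targets only, see tests/ansible/ansible.cfg`, would cover all eight tasks. Holding the option string in one variable would also reduce the later removal to a single line, though whether the play has a place for it is not visible in these hunks.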
8 changes: 5 additions & 3 deletions tests/ssh_test.py
Expand Up @@ -134,12 +134,13 @@ def test_pubkey_specified(self):

def test_enforce_unknown_host_key(self):
fp = tempfile.NamedTemporaryFile()
ssh_args = self.docker_ssh_default_kwargs.get('ssh_args', [])
try:
e = self.assertRaises(mitogen.ssh.HostKeyError,
lambda: self.docker_ssh(
username='mitogen__has_sudo_pubkey',
password='has_sudo_password',
ssh_args=['-o', 'UserKnownHostsFile ' + fp.name],
ssh_args=ssh_args + ['-o', 'UserKnownHostsFile %s' % fp.name],
check_host_keys='enforce',
)
)
Expand All @@ -149,11 +150,12 @@ def test_enforce_unknown_host_key(self):

def test_accept_enforce_host_keys(self):
fp = tempfile.NamedTemporaryFile()
ssh_args = self.docker_ssh_default_kwargs.get('ssh_args', [])
try:
context = self.docker_ssh(
username='mitogen__has_sudo',
password='has_sudo_password',
ssh_args=['-o', 'UserKnownHostsFile ' + fp.name],
ssh_args=ssh_args + ['-o', 'UserKnownHostsFile %s' % fp.name],
check_host_keys='accept',
)
context.shutdown(wait=True)
Expand All @@ -166,7 +168,7 @@ def test_accept_enforce_host_keys(self):
context = self.docker_ssh(
username='mitogen__has_sudo',
password='has_sudo_password',
ssh_args=['-o', 'UserKnownHostsFile ' + fp.name],
ssh_args=ssh_args + ['-o', 'UserKnownHostsFile %s' % fp.name],
check_host_keys='enforce',
)
context.shutdown(wait=True)
31 changes: 26 additions & 5 deletions tests/testlib.py
Expand Up @@ -631,12 +631,33 @@ def tearDownClass(cls):
cls.dockerized_ssh.close()
super(DockerMixin, cls).tearDownClass()

@property
def docker_ssh_default_kwargs(self):
return {
'hostname': self.dockerized_ssh.host,
'port': self.dockerized_ssh.port,
'check_host_keys': 'ignore',
'ssh_debug_level': 3,
# https://www.openssh.com/legacy.html
# ssh-rsa uses SHA1. Least worst available with CentOS 7 sshd.
# Rejected by default in newer ssh clients (e.g. Ubuntu 22.04).
# Duplicated cases in
# - tests/ansible/ansible.cfg
# - tests/ansible/integration/connection_delegation/delegate_to_template.yml
# - tests/ansible/integration/connection_delegation/stack_construction.yml
# - tests/ansible/integration/process/unix_socket_cleanup.yml
# - tests/ansible/integration/ssh/variables.yml
# - tests/testlib.py
'ssh_args': [
'-o', 'HostKeyAlgorithms +ssh-rsa',
'-o', 'PubkeyAcceptedKeyTypes +ssh-rsa',
],
'python_path': self.dockerized_ssh.python_path,
}

def docker_ssh(self, **kwargs):
kwargs.setdefault('hostname', self.dockerized_ssh.host)
kwargs.setdefault('port', self.dockerized_ssh.port)
kwargs.setdefault('check_host_keys', 'ignore')
kwargs.setdefault('ssh_debug_level', 3)
kwargs.setdefault('python_path', self.dockerized_ssh.python_path)
for k, v in self.docker_ssh_default_kwargs.items():
kwargs.setdefault(k, v)
return self.router.ssh(**kwargs)

def docker_ssh_any(self, **kwargs):
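Review bot: `docker_ssh` fills its defaults with `kwargs.setdefault(k, v)`, so any caller that passes its own `ssh_args` replaces the whole list and silently loses the two `ssh-rsa` options; tests/ssh_test.py works around this by hand at three call sites. Merging inside `docker_ssh`, with `kwargs['ssh_args'] = self.docker_ssh_default_kwargs['ssh_args'] + list(kwargs.get('ssh_args', []))` placed before the loop, would keep the legacy options in one place and let those tests pass only their own `-o UserKnownHostsFile` pair. The property also deserves a short docstring saying it returns a fresh dict on each access, since callers concatenate onto its `ssh_args` list. `docker_ssh_any` starts on the hunk's last line and its body is outside it, so whether it needs the same treatment cannot be seen here.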