Signed-off-by: Percy Wegmann <percy@tailscale.com>
percy/issue16983
Percy Wegmann 3 months ago
parent 1791f87870
commit 7bba8a65f3
No known key found for this signature in database
GPG Key ID: 29D8CDEB4C13D48B

@ -129,6 +129,7 @@ publishdevproxy: check-image-repo ## Build and publish k8s-proxy image to locati
sshintegrationtest: ## Run the SSH integration tests in various Docker containers sshintegrationtest: ## Run the SSH integration tests in various Docker containers
@GOOS=linux GOARCH=amd64 CGO_ENABLED=0 ./tool/go test -tags integrationtest -c ./ssh/tailssh -o ssh/tailssh/testcontainers/tailssh.test && \ @GOOS=linux GOARCH=amd64 CGO_ENABLED=0 ./tool/go test -tags integrationtest -c ./ssh/tailssh -o ssh/tailssh/testcontainers/tailssh.test && \
GOOS=linux GOARCH=amd64 CGO_ENABLED=0 ./tool/go build -o ssh/tailssh/testcontainers/tailscaled ./cmd/tailscaled && \ GOOS=linux GOARCH=amd64 CGO_ENABLED=0 ./tool/go build -o ssh/tailssh/testcontainers/tailscaled ./cmd/tailscaled && \
echo "Testing on debian:trixie" && docker build --build-arg="BASE=debian:trixie" -t ssh-debian-trixie ssh/tailssh/testcontainers && \
echo "Testing on ubuntu:focal" && docker build --build-arg="BASE=ubuntu:focal" -t ssh-ubuntu-focal ssh/tailssh/testcontainers && \ echo "Testing on ubuntu:focal" && docker build --build-arg="BASE=ubuntu:focal" -t ssh-ubuntu-focal ssh/tailssh/testcontainers && \
echo "Testing on ubuntu:jammy" && docker build --build-arg="BASE=ubuntu:jammy" -t ssh-ubuntu-jammy ssh/tailssh/testcontainers && \ echo "Testing on ubuntu:jammy" && docker build --build-arg="BASE=ubuntu:jammy" -t ssh-ubuntu-jammy ssh/tailssh/testcontainers && \
echo "Testing on ubuntu:noble" && docker build --build-arg="BASE=ubuntu:noble" -t ssh-ubuntu-noble ssh/tailssh/testcontainers && \ echo "Testing on ubuntu:noble" && docker build --build-arg="BASE=ubuntu:noble" -t ssh-ubuntu-noble ssh/tailssh/testcontainers && \

@ -97,10 +97,10 @@ func TestIntegrationSSH(t *testing.T) {
debugTest.Store(false) debugTest.Store(false)
}) })
homeDir := "/home/testuser" // homeDir := "/home/testuser"
if runtime.GOOS == "darwin" { // if runtime.GOOS == "darwin" {
homeDir = "/Users/testuser" // homeDir = "/Users/testuser"
} // }
tests := []struct { tests := []struct {
cmd string cmd string
@ -108,40 +108,47 @@ func TestIntegrationSSH(t *testing.T) {
forceV1Behavior bool forceV1Behavior bool
skip bool skip bool
allowSendEnv bool allowSendEnv bool
requiresShell bool
}{ }{
// {
// cmd: "id",
// want: []string{"testuser", "groupone", "grouptwo"},
// forceV1Behavior: false,
// },
// {
// cmd: "id",
// want: []string{"testuser", "groupone", "grouptwo"},
// forceV1Behavior: true,
// },
// {
// cmd: "pwd",
// want: []string{homeDir},
// skip: os.Getenv("SKIP_FILE_OPS") == "1" || !fallbackToSUAvailable(),
// forceV1Behavior: false,
// },
// {
// cmd: "echo 'hello'",
// want: []string{"hello"},
// skip: os.Getenv("SKIP_FILE_OPS") == "1" || !fallbackToSUAvailable(),
// forceV1Behavior: false,
// },
// {
// cmd: `echo "${GIT_ENV_VAR:-unset1} ${EXACT_MATCH:-unset2} ${TESTING:-unset3} ${NOT_ALLOWED:-unset4}"`,
// want: []string{"working1 working2 working3 unset4"},
// forceV1Behavior: false,
// allowSendEnv: true,
// },
// {
// cmd: `echo "${GIT_ENV_VAR:-unset1} ${EXACT_MATCH:-unset2} ${TESTING:-unset3} ${NOT_ALLOWED:-unset4}"`,
// want: []string{"unset1 unset2 unset3 unset4"},
// forceV1Behavior: false,
// allowSendEnv: false,
// },
{ {
cmd: "id", cmd: `locale`,
want: []string{"testuser", "groupone", "grouptwo"}, want: []string{"UTF-8"},
forceV1Behavior: false,
},
{
cmd: "id",
want: []string{"testuser", "groupone", "grouptwo"},
forceV1Behavior: true, forceV1Behavior: true,
}, requiresShell: true,
{
cmd: "pwd",
want: []string{homeDir},
skip: os.Getenv("SKIP_FILE_OPS") == "1" || !fallbackToSUAvailable(),
forceV1Behavior: false,
},
{
cmd: "echo 'hello'",
want: []string{"hello"},
skip: os.Getenv("SKIP_FILE_OPS") == "1" || !fallbackToSUAvailable(),
forceV1Behavior: false,
},
{
cmd: `echo "${GIT_ENV_VAR:-unset1} ${EXACT_MATCH:-unset2} ${TESTING:-unset3} ${NOT_ALLOWED:-unset4}"`,
want: []string{"working1 working2 working3 unset4"},
forceV1Behavior: false,
allowSendEnv: true,
},
{
cmd: `echo "${GIT_ENV_VAR:-unset1} ${EXACT_MATCH:-unset2} ${TESTING:-unset3} ${NOT_ALLOWED:-unset4}"`,
want: []string{"unset1 unset2 unset3 unset4"},
forceV1Behavior: false,
allowSendEnv: false,
}, },
} }
@ -152,6 +159,9 @@ func TestIntegrationSSH(t *testing.T) {
// run every test both without and with a shell // run every test both without and with a shell
for _, shell := range []bool{false, true} { for _, shell := range []bool{false, true} {
if test.requiresShell && !shell {
continue
}
shellQualifier := "no_shell" shellQualifier := "no_shell"
if shell { if shell {
shellQualifier = "shell" shellQualifier = "shell"
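Review bot: The second hunk comments out every existing case in the `tests` table (the `id`, `pwd`, `echo 'hello'` and both `GIT_ENV_VAR`/`NOT_ALLOWED` cases) together with `homeDir`, so after this change TestIntegrationSSH exercises only `locale`. The two environment-variable cases appear to be the regression guard that a variable outside the allow-list is not passed into the session and that nothing is passed when `allowSendEnv` is false, so they should be restored as live code before this merges rather than left as comments. The new `requiresShell` field has no comment; something like `// requiresShell runs the case only in the shell iteration of the loop below` would record why the no-shell run is skipped. If both code paths are expected to set the locale, a second `locale` case with `forceV1Behavior: false` would cover the other one. The body of TestIntegrationSSH extends outside these hunks.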

@ -4,7 +4,7 @@ FROM ${BASE}
ARG BASE ARG BASE
RUN echo "Install openssh, needed for scp. Also install python3" RUN echo "Install openssh, needed for scp. Also install python3"
RUN if echo "$BASE" | grep "ubuntu:"; then apt-get update -y && apt-get install -y openssh-client python3 python3-pip; fi RUN if echo "$BASE" | egrep "(ubuntu|debian):"; then apt-get update -y && apt-get install -y openssh-client python3 python3-pip; fi
RUN if echo "$BASE" | grep "alpine:"; then apk add openssh python3 py3-pip; fi RUN if echo "$BASE" | grep "alpine:"; then apk add openssh python3 py3-pip; fi
RUN echo "Install paramiko" RUN echo "Install paramiko"
@ -12,11 +12,11 @@ RUN pip3 install paramiko==3.5.1 || pip3 install --break-system-packages paramik
# Note - on Ubuntu, we do not create the user's home directory, pam_mkhomedir will do that # Note - on Ubuntu, we do not create the user's home directory, pam_mkhomedir will do that
# for us, and we want to test that PAM gets triggered by Tailscale SSH. # for us, and we want to test that PAM gets triggered by Tailscale SSH.
RUN if echo "$BASE" | grep "ubuntu:"; then groupadd -g 10000 groupone && groupadd -g 10001 grouptwo && useradd -g 10000 -G 10001 -u 10002 testuser; fi RUN if echo "$BASE" | egrep "(ubuntu|debian):"; then groupadd -g 10000 groupone && groupadd -g 10001 grouptwo && useradd -g 10000 -G 10001 -u 10002 testuser; fi
# On Alpine, we can't configure pam_mkhomdir, so go ahead and create home directory. # On Alpine, we can't configure pam_mkhomdir, so go ahead and create home directory.
RUN if echo "$BASE" | grep "alpine:"; then addgroup -g 10000 groupone && addgroup -g 10001 grouptwo && adduser -u 10002 -D testuser && addgroup testuser groupone && addgroup testuser grouptwo; fi RUN if echo "$BASE" | grep "alpine:"; then addgroup -g 10000 groupone && addgroup -g 10001 grouptwo && adduser -u 10002 -D testuser && addgroup testuser groupone && addgroup testuser grouptwo; fi
RUN if echo "$BASE" | grep "ubuntu:"; then \ RUN if echo "$BASE" | egrep "(ubuntu|debian):"; then \
echo "Set up pam_mkhomedir." && \ echo "Set up pam_mkhomedir." && \
sed -i -e 's/Default: no/Default: yes/g' /usr/share/pam-configs/mkhomedir && \ sed -i -e 's/Default: no/Default: yes/g' /usr/share/pam-configs/mkhomedir && \
cat /usr/share/pam-configs/mkhomedir && \ cat /usr/share/pam-configs/mkhomedir && \
@ -30,13 +30,13 @@ RUN chmod 755 tailscaled
RUN echo "First run tests normally." RUN echo "First run tests normally."
RUN eval `ssh-agent -s` && TAILSCALED_PATH=`pwd`tailscaled ./tailssh.test -test.v -test.run TestSSHAgentForwarding RUN eval `ssh-agent -s` && TAILSCALED_PATH=`pwd`tailscaled ./tailssh.test -test.v -test.run TestSSHAgentForwarding
RUN if echo "$BASE" | grep "ubuntu:"; then rm -Rf /home/testuser; fi RUN if echo "$BASE" | egrep "(ubuntu|debian):"; then rm -Rf /home/testuser; fi
RUN TAILSCALED_PATH=`pwd`tailscaled ./tailssh.test -test.v -test.run TestIntegrationSFTP RUN TAILSCALED_PATH=`pwd`tailscaled ./tailssh.test -test.v -test.run TestIntegrationSFTP
RUN if echo "$BASE" | grep "ubuntu:"; then rm -Rf /home/testuser; fi RUN if echo "$BASE" | egrep "(ubuntu|debian):"; then rm -Rf /home/testuser; fi
RUN TAILSCALED_PATH=`pwd`tailscaled ./tailssh.test -test.v -test.run TestIntegrationSCP RUN TAILSCALED_PATH=`pwd`tailscaled ./tailssh.test -test.v -test.run TestIntegrationSCP
RUN if echo "$BASE" | grep "ubuntu:"; then rm -Rf /home/testuser; fi RUN if echo "$BASE" | egrep "(ubuntu|debian):"; then rm -Rf /home/testuser; fi
RUN TAILSCALED_PATH=`pwd`tailscaled ./tailssh.test -test.v -test.run TestIntegrationSSH RUN TAILSCALED_PATH=`pwd`tailscaled ./tailssh.test -test.v -test.run TestIntegrationSSH
RUN if echo "$BASE" | grep "ubuntu:"; then rm -Rf /home/testuser; fi RUN if echo "$BASE" | egrep "(ubuntu|debian):"; then rm -Rf /home/testuser; fi
RUN TAILSCALED_PATH=`pwd`tailscaled ./tailssh.test -test.v -test.run TestIntegrationParamiko RUN TAILSCALED_PATH=`pwd`tailscaled ./tailssh.test -test.v -test.run TestIntegrationParamiko
RUN echo "Then run tests as non-root user testuser and make sure tests still pass." RUN echo "Then run tests as non-root user testuser and make sure tests still pass."
@ -50,7 +50,7 @@ RUN TAILSCALED_PATH=`pwd`tailscaled SKIP_FILE_OPS=1 su -m testuser -c "./tailssh
RUN chmod 0755 /home/testuser RUN chmod 0755 /home/testuser
RUN chown root:root /tmp/tailscalessh.log RUN chown root:root /tmp/tailscalessh.log
RUN if echo "$BASE" | grep "ubuntu:"; then \ RUN if echo "$BASE" | egrep "(ubuntu|debian):"; then \
echo "Then run tests in a system that's pretending to be SELinux in enforcing mode" && \ echo "Then run tests in a system that's pretending to be SELinux in enforcing mode" && \
# Remove execute permissions for /usr/bin/login so that it fails. # Remove execute permissions for /usr/bin/login so that it fails.
mv /usr/bin/login /tmp/login_orig && \ mv /usr/bin/login /tmp/login_orig && \
@ -70,11 +70,11 @@ RUN if echo "$BASE" | grep "ubuntu:"; then \
RUN echo "Then remove the login command and make sure tests still pass." RUN echo "Then remove the login command and make sure tests still pass."
RUN rm `which login` RUN rm `which login`
RUN eval `ssh-agent -s` && TAILSCALED_PATH=`pwd`tailscaled ./tailssh.test -test.v -test.run TestSSHAgentForwarding RUN eval `ssh-agent -s` && TAILSCALED_PATH=`pwd`tailscaled ./tailssh.test -test.v -test.run TestSSHAgentForwarding
RUN if echo "$BASE" | grep "ubuntu:"; then rm -Rf /home/testuser; fi RUN if echo "$BASE" | egrep "(ubuntu|debian):"; then rm -Rf /home/testuser; fi
RUN TAILSCALED_PATH=`pwd`tailscaled ./tailssh.test -test.v -test.run TestIntegrationSFTP RUN TAILSCALED_PATH=`pwd`tailscaled ./tailssh.test -test.v -test.run TestIntegrationSFTP
RUN if echo "$BASE" | grep "ubuntu:"; then rm -Rf /home/testuser; fi RUN if echo "$BASE" | egrep "(ubuntu|debian):"; then rm -Rf /home/testuser; fi
RUN TAILSCALED_PATH=`pwd`tailscaled ./tailssh.test -test.v -test.run TestIntegrationSCP RUN TAILSCALED_PATH=`pwd`tailscaled ./tailssh.test -test.v -test.run TestIntegrationSCP
RUN if echo "$BASE" | grep "ubuntu:"; then rm -Rf /home/testuser; fi RUN if echo "$BASE" | egrep "(ubuntu|debian):"; then rm -Rf /home/testuser; fi
RUN TAILSCALED_PATH=`pwd`tailscaled ./tailssh.test -test.v -test.run TestIntegrationSSH RUN TAILSCALED_PATH=`pwd`tailscaled ./tailssh.test -test.v -test.run TestIntegrationSSH
RUN echo "Then remove the su command and make sure tests still pass." RUN echo "Then remove the su command and make sure tests still pass."
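Review bot: `egrep` is marked obsolescent in GNU grep since 3.8 and may print a warning to stderr on each call, so every changed `RUN if echo "$BASE" | egrep "(ubuntu|debian):"` line would be better written as `grep -E "(ubuntu|debian):"`, which is portable across the Ubuntu, Debian and Alpine bases used here. The comment `# Note - on Ubuntu, we do not create the user's home directory, pam_mkhomedir will do that` now governs Debian as well and should say `on Ubuntu and Debian`. The new `locale` test case expects `UTF-8` in its output, and nothing in the visible hunks installs or configures a locale in the image, so it is worth confirming that the value comes from the SSH session setup under test and not from a default of the base image.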
