package ProFTPD::Tests::Modules::mod_sftp::wrap2; use lib qw(t/lib); use base qw(ProFTPD::TestSuite::Child); use strict; use File::Copy; use File::Path qw(mkpath rmtree); use File::Spec; use IO::Handle; use IPC::Open3; use POSIX qw(:fcntl_h); use Socket; use ProFTPD::TestSuite::FTP; use ProFTPD::TestSuite::Utils qw(:auth :config :features :running :test :testsuite); $| = 1; my $order = 0; my $TESTS = { sftp_wrap2_file_login => { order => ++$order, test_class => [qw(bug forking mod_wrap2_file sftp ssh2)], }, sftp_wrap2_sql_login => { order => ++$order, test_class => [qw(bug forking mod_sql_sqlite mod_wrap2_sql sftp ssh2)], }, sftp_wrap2_deny_msg_on_connect_bug3670 => { order => ++$order, test_class => [qw(bug forking mod_wrap2_file sftp ssh2)], }, sftp_wrap2_deny_msg_on_auth_bug3670 => { order => ++$order, test_class => [qw(bug forking mod_wrap2_file sftp ssh2)], }, }; sub new { return shift()->SUPER::new(@_); } sub list_tests { # Check for the required Perl modules: # # Net-SSH2 # Net-SSH2-SFTP my $required = [qw( Net::SSH2 Net::SSH2::SFTP )]; foreach my $req (@$required) { eval "use $req"; if ($@) { print STDERR "\nWARNING:\n + Module '$req' not found, skipping all tests\n"; if ($ENV{TEST_VERBOSE}) { print STDERR "Unable to load $req: $@\n"; } return qw(testsuite_empty_test); } } return testsuite_get_runnable_tests($TESTS); } sub set_up { my $self = shift; $self->SUPER::set_up(@_); # Make sure that mod_sftp does not complain about permissions on the hostkey # files. my $rsa_host_key = File::Spec->rel2abs('t/etc/modules/mod_sftp/ssh_host_rsa_key'); my $dsa_host_key = File::Spec->rel2abs('t/etc/modules/mod_sftp/ssh_host_dsa_key'); unless (chmod(0400, $rsa_host_key, $dsa_host_key)) { die("Can't set perms on $rsa_host_key, $dsa_host_key: $!"); } } sub sftp_wrap2_file_login { my $self = shift; my $tmpdir = $self->{tmpdir}; my $config_file = "$tmpdir/sftp.conf"; my $pid_file = File::Spec->rel2abs("$tmpdir/sftp.pid"); my $scoreboard_file = File::Spec->rel2abs("$tmpdir/sftp.scoreboard"); my $log_file = File::Spec->rel2abs('tests.log'); my $auth_user_file = File::Spec->rel2abs("$tmpdir/sftp.passwd"); my $auth_group_file = File::Spec->rel2abs("$tmpdir/sftp.group"); my $fh; my $allow_file = File::Spec->rel2abs("$tmpdir/sftp.allow"); if (open($fh, "> $allow_file")) { print $fh "proftpd: ALL\n"; unless (close($fh)) { die("Can't write $allow_file: $!"); } } else { die("Can't open $allow_file: $!"); } my $deny_file = File::Spec->rel2abs("$tmpdir/sftp.deny"); if (open($fh, "> $deny_file")) { print $fh "ALL: ALL\n"; unless (close($fh)) { die("Can't write $deny_file: $!"); } } else { die("Can't open $deny_file: $!"); } my $user = 'proftpd'; my $passwd = 'test'; my $group = 'ftpd'; my $home_dir = File::Spec->rel2abs($tmpdir); my $uid = 500; my $gid = 500; # Make sure that, if we're running as root, that the home directory has # permissions/privs set for the account we create if ($< == 0) { unless (chmod(0755, $home_dir)) { die("Can't set perms on $home_dir to 0755: $!"); } unless (chown($uid, $gid, $home_dir)) { die("Can't set owner of $home_dir to $uid/$gid: $!"); } } auth_user_write($auth_user_file, $user, $passwd, $uid, $gid, $home_dir, '/bin/bash'); auth_group_write($auth_group_file, $group, $gid, $user); my $rsa_host_key = File::Spec->rel2abs('t/etc/modules/mod_sftp/ssh_host_rsa_key'); my $dsa_host_key = File::Spec->rel2abs('t/etc/modules/mod_sftp/ssh_host_dsa_key'); my $rsa_priv_key = File::Spec->rel2abs('t/etc/modules/mod_sftp/test_rsa_key'); my $rsa_pub_key = File::Spec->rel2abs('t/etc/modules/mod_sftp/test_rsa_key.pub'); my $config = { PidFile => $pid_file, ScoreboardFile => $scoreboard_file, SystemLog => $log_file, TraceLog => $log_file, Trace => 'DEFAULT:10 ssh2:20 sftp:20 scp:20', AuthUserFile => $auth_user_file, AuthGroupFile => $auth_group_file, IfModules => { 'mod_delay.c' => { DelayEngine => 'off', }, 'mod_sftp.c' => [ "SFTPEngine on", "SFTPLog $log_file", "SFTPHostKey $rsa_host_key", "SFTPHostKey $dsa_host_key", ], 'mod_wrap2.c' => { WrapEngine => 'on', WrapLog => $log_file, WrapTables => "file:$allow_file file:$deny_file", WrapDenyMsg => "User '%u' denied by access rules", WrapAllowMsg => "User '%u' allowed by access rules", }, }, }; my ($port, $config_user, $config_group) = config_write($config_file, $config); # Open pipes, for use between the parent and child processes. Specifically, # the child will indicate when it's done with its test by writing a message # to the parent. my ($rfh, $wfh); unless (pipe($rfh, $wfh)) { die("Can't open pipe: $!"); } require Net::SSH2; my $ex; # Fork child $self->handle_sigchld(); defined(my $pid = fork()) or die("Can't fork: $!"); if ($pid) { eval { my $ssh2 = Net::SSH2->new(); sleep(1); unless ($ssh2->connect('127.0.0.1', $port)) { my ($err_code, $err_name, $err_str) = $ssh2->error(); die("Can't connect to SSH2 server: [$err_name] ($err_code) $err_str"); } if ($ssh2->auth_publickey($user, $rsa_pub_key, $rsa_priv_key)) { die("Publickey auth succeeded unexpectedly"); } unless ($ssh2->auth_password($user, $passwd)) { my ($err_code, $err_name, $err_str) = $ssh2->error(); die("Can't login to SSH2 server: [$err_name] ($err_code) $err_str"); } my $sftp = $ssh2->sftp(); unless ($sftp) { my ($err_code, $err_name, $err_str) = $ssh2->error(); die("Can't use SFTP on SSH2 server: [$err_name] ($err_code) $err_str"); } $sftp = undef; $ssh2->disconnect(); }; if ($@) { $ex = $@; } $wfh->print("done\n"); $wfh->flush(); } else { eval { server_wait($config_file, $rfh) }; if ($@) { warn($@); exit 1; } exit 0; } # Stop server server_stop($pid_file); $self->assert_child_ok($pid); if ($ex) { die($ex); } unlink($log_file); } sub sftp_wrap2_sql_login { my $self = shift; my $tmpdir = $self->{tmpdir}; my $config_file = "$tmpdir/sftp.conf"; my $pid_file = File::Spec->rel2abs("$tmpdir/sftp.pid"); my $scoreboard_file = File::Spec->rel2abs("$tmpdir/sftp.scoreboard"); my $log_file = File::Spec->rel2abs('tests.log'); my $auth_user_file = File::Spec->rel2abs("$tmpdir/wrap2.passwd"); my $auth_group_file = File::Spec->rel2abs("$tmpdir/wrap2.group"); my $user = 'proftpd'; my $passwd = 'test'; my $group = 'ftpd'; my $home_dir = File::Spec->rel2abs($tmpdir); my $uid = 500; my $gid = 500; # Make sure that, if we're running as root, that the home directory has # permissions/privs set for the account we create if ($< == 0) { unless (chmod(0755, $home_dir)) { die("Can't set perms on $home_dir to 0755: $!"); } unless (chown($uid, $gid, $home_dir)) { die("Can't set owner of $home_dir to $uid/$gid: $!"); } } auth_user_write($auth_user_file, $user, $passwd, $uid, $gid, $home_dir, '/bin/bash'); auth_group_write($auth_group_file, $group, $gid, $user); my $db_file = File::Spec->rel2abs("$tmpdir/proftpd.db"); # Build up sqlite3 command to create allow, deny tables and populate them my $db_script = File::Spec->rel2abs("$tmpdir/proftpd.sql"); my $fh; if (open($fh, "> $db_script")) { print $fh < 0 && $ENV{TEST_VERBOSE}) { print STDERR "Output: ", join('', @output), "\n"; } unlink($db_script); my $rsa_host_key = File::Spec->rel2abs('t/etc/modules/mod_sftp/ssh_host_rsa_key'); my $dsa_host_key = File::Spec->rel2abs('t/etc/modules/mod_sftp/ssh_host_dsa_key'); my $rsa_priv_key = File::Spec->rel2abs('t/etc/modules/mod_sftp/test_rsa_key'); my $rsa_pub_key = File::Spec->rel2abs('t/etc/modules/mod_sftp/test_rsa_key.pub'); my $config = { PidFile => $pid_file, ScoreboardFile => $scoreboard_file, SystemLog => $log_file, TraceLog => $log_file, Trace => 'DEFAULT:10 ssh2:20 sftp:20 scp:20', AuthUserFile => $auth_user_file, AuthGroupFile => $auth_group_file, IfModules => { 'mod_delay.c' => { DelayEngine => 'off', }, 'mod_sftp.c' => [ "SFTPEngine on", "SFTPLog $log_file", "SFTPHostKey $rsa_host_key", "SFTPHostKey $dsa_host_key", ], 'mod_sql.c' => [ 'SQLAuthenticate off', "SQLConnectInfo $db_file", 'SQLNamedQuery get-allowed-clients SELECT "allowed FROM ftpallow WHERE name = \'%u\'"', 'SQLNamedQuery get-denied-clients SELECT "denied FROM ftpdeny WHERE name = \'%u\'"', "SQLLogFile $log_file", ], 'mod_wrap2.c' => { WrapEngine => 'on', WrapLog => $log_file, WrapTables => "sql:/get-allowed-clients sql:/get-denied-clients", WrapDenyMsg => "User '%u' denied by access rules", WrapAllowMsg => "User '%u' allowed by access rules", }, }, }; my ($port, $config_user, $config_group) = config_write($config_file, $config); # Open pipes, for use between the parent and child processes. Specifically, # the child will indicate when it's done with its test by writing a message # to the parent. my ($rfh, $wfh); unless (pipe($rfh, $wfh)) { die("Can't open pipe: $!"); } require Net::SSH2; my $ex; # Fork child $self->handle_sigchld(); defined(my $pid = fork()) or die("Can't fork: $!"); if ($pid) { eval { my $ssh2 = Net::SSH2->new(); sleep(1); unless ($ssh2->connect('127.0.0.1', $port)) { my ($err_code, $err_name, $err_str) = $ssh2->error(); die("Can't connect to SSH2 server: [$err_name] ($err_code) $err_str"); } if ($ssh2->auth_publickey($user, $rsa_pub_key, $rsa_priv_key)) { die("Publickey auth succeeded unexpectedly"); } unless ($ssh2->auth_password($user, $passwd)) { my ($err_code, $err_name, $err_str) = $ssh2->error(); die("Can't login to SSH2 server: [$err_name] ($err_code) $err_str"); } my $sftp = $ssh2->sftp(); unless ($sftp) { my ($err_code, $err_name, $err_str) = $ssh2->error(); die("Can't use SFTP on SSH2 server: [$err_name] ($err_code) $err_str"); } $sftp = undef; $ssh2->disconnect(); }; if ($@) { $ex = $@; } $wfh->print("done\n"); $wfh->flush(); } else { eval { server_wait($config_file, $rfh) }; if ($@) { warn($@); exit 1; } exit 0; } # Stop server server_stop($pid_file); $self->assert_child_ok($pid); if ($ex) { die($ex); } unlink($log_file); } sub sftp_wrap2_deny_msg_on_connect_bug3670 { my $self = shift; my $tmpdir = $self->{tmpdir}; my $config_file = "$tmpdir/sftp.conf"; my $pid_file = File::Spec->rel2abs("$tmpdir/sftp.pid"); my $scoreboard_file = File::Spec->rel2abs("$tmpdir/sftp.scoreboard"); my $log_file = File::Spec->rel2abs('tests.log'); my $auth_user_file = File::Spec->rel2abs("$tmpdir/sftp.passwd"); my $auth_group_file = File::Spec->rel2abs("$tmpdir/sftp.group"); my $fh; my $allow_file = File::Spec->rel2abs("$tmpdir/sftp.allow"); if (open($fh, "> $allow_file")) { close($fh); } else { die("Can't open $allow_file: $!"); } my $deny_file = File::Spec->rel2abs("$tmpdir/sftp.deny"); if (open($fh, "> $deny_file")) { print $fh "ALL: ALL\n"; unless (close($fh)) { die("Can't write $deny_file: $!"); } } else { die("Can't open $deny_file: $!"); } my $user = 'proftpd'; my $passwd = 'test'; my $group = 'ftpd'; my $home_dir = File::Spec->rel2abs($tmpdir); my $uid = 500; my $gid = 500; # Make sure that, if we're running as root, that the home directory has # permissions/privs set for the account we create if ($< == 0) { unless (chmod(0755, $home_dir)) { die("Can't set perms on $home_dir to 0755: $!"); } unless (chown($uid, $gid, $home_dir)) { die("Can't set owner of $home_dir to $uid/$gid: $!"); } } auth_user_write($auth_user_file, $user, $passwd, $uid, $gid, $home_dir, '/bin/bash'); auth_group_write($auth_group_file, $group, $gid, $user); my $rsa_host_key = File::Spec->rel2abs('t/etc/modules/mod_sftp/ssh_host_rsa_key'); my $dsa_host_key = File::Spec->rel2abs('t/etc/modules/mod_sftp/ssh_host_dsa_key'); my $rsa_priv_key = File::Spec->rel2abs('t/etc/modules/mod_sftp/test_rsa_key'); my $rsa_pub_key = File::Spec->rel2abs('t/etc/modules/mod_sftp/test_rsa_key.pub'); my $deny_msg = '"SFTP denied by access rules"'; # Note: This test only passes correctly IFF mod_sftp is loaded BEFORE # mod_wrap2, not after. This means that mod_sftp needs to appear AFTER # mod_wrap2 in the --with-modules list, or appear BEFORE mod_wrap2 in # a list of LoadModule directives. # # mod_sftp's sess_init() callback is where the 'SSH2' protocol is set # for the session. The event listener for mod_wrap2's "disconnect this # client on connect because it isn't allowed by the access rules" has # a condition that checks for whether the session is an SSH2 session or # not (lest it trigger improperly for an FTP session). So if mod_wrap2's # sess_init() callback triggers first, it will disconnect the session # (and generate the event) before mod_sftp's sess_init() callback has had # a chance to set the "SSH2" bit for the session, then mod_sftp won't # properly send the WrapDenyMsg to the SSH2 client. my $config = { PidFile => $pid_file, ScoreboardFile => $scoreboard_file, SystemLog => $log_file, TraceLog => $log_file, Trace => 'DEFAULT:10 ssh2:20 sftp:20 scp:20', AuthUserFile => $auth_user_file, AuthGroupFile => $auth_group_file, IfModules => { 'mod_delay.c' => { DelayEngine => 'off', }, 'mod_sftp.c' => [ "SFTPEngine on", "SFTPLog $log_file", "SFTPHostKey $rsa_host_key", "SFTPHostKey $dsa_host_key", "SFTPOptions PessimisticKexinit", ], 'mod_wrap2.c' => { WrapEngine => 'on', WrapLog => $log_file, WrapTables => "file:$allow_file file:$deny_file", WrapDenyMsg => $deny_msg, WrapOptions => 'CheckOnConnect', }, }, }; my ($port, $config_user, $config_group) = config_write($config_file, $config); # Open pipes, for use between the parent and child processes. Specifically, # the child will indicate when it's done with its test by writing a message # to the parent. my ($rfh, $wfh); unless (pipe($rfh, $wfh)) { die("Can't open pipe: $!"); } require Net::SSH2; my $ex; # Fork child $self->handle_sigchld(); defined(my $pid = fork()) or die("Can't fork: $!"); if ($pid) { eval { sleep(1); my $proto = getprotobyname('tcp'); my $sock; unless (socket($sock, PF_INET, SOCK_STREAM, $proto)) { die("Can't create socket: $!"); } my $in_addr = inet_aton('127.0.0.1'); my $addr = sockaddr_in($port, $in_addr); unless (connect($sock, $addr)) { die("Can't connect to 127.0.0.1:$port: $!"); } print $sock "SSH-2.0-MySFTPTestClient\r\n"; my $buflen = 1024; my $buf = ''; my $tmp; my $res; while (my $res = read($sock, $tmp, $buflen)) { $buf .= $tmp; } close($sock); chomp($buf); $buf =~ s/"//g; $deny_msg =~ s/'//g; $deny_msg =~ s/"//g; $self->assert($buf eq $deny_msg, test_msg("Expected '$deny_msg', got '$buf'")); }; if ($@) { $ex = $@; } $wfh->print("done\n"); $wfh->flush(); } else { eval { server_wait($config_file, $rfh) }; if ($@) { warn($@); exit 1; } exit 0; } # Stop server server_stop($pid_file); $self->assert_child_ok($pid); if ($ex) { die($ex); } unlink($log_file); } sub sftp_wrap2_deny_msg_on_auth_bug3670 { my $self = shift; my $tmpdir = $self->{tmpdir}; my $config_file = "$tmpdir/sftp.conf"; my $pid_file = File::Spec->rel2abs("$tmpdir/sftp.pid"); my $scoreboard_file = File::Spec->rel2abs("$tmpdir/sftp.scoreboard"); my $log_file = File::Spec->rel2abs('tests.log'); my $auth_user_file = File::Spec->rel2abs("$tmpdir/sftp.passwd"); my $auth_group_file = File::Spec->rel2abs("$tmpdir/sftp.group"); my $fh; my $allow_file = File::Spec->rel2abs("$tmpdir/sftp.allow"); if (open($fh, "> $allow_file")) { close($fh); } else { die("Can't open $allow_file: $!"); } my $deny_file = File::Spec->rel2abs("$tmpdir/sftp.deny"); if (open($fh, "> $deny_file")) { print $fh "ALL: ALL\n"; unless (close($fh)) { die("Can't write $deny_file: $!"); } } else { die("Can't open $deny_file: $!"); } my $user = 'proftpd'; my $passwd = 'test'; my $group = 'ftpd'; my $home_dir = File::Spec->rel2abs($tmpdir); my $uid = 500; my $gid = 500; # Make sure that, if we're running as root, that the home directory has # permissions/privs set for the account we create if ($< == 0) { unless (chmod(0755, $home_dir)) { die("Can't set perms on $home_dir to 0755: $!"); } unless (chown($uid, $gid, $home_dir)) { die("Can't set owner of $home_dir to $uid/$gid: $!"); } } auth_user_write($auth_user_file, $user, $passwd, $uid, $gid, $home_dir, '/bin/bash'); auth_group_write($auth_group_file, $group, $gid, $user); my $rsa_host_key = File::Spec->rel2abs('t/etc/modules/mod_sftp/ssh_host_rsa_key'); my $dsa_host_key = File::Spec->rel2abs('t/etc/modules/mod_sftp/ssh_host_dsa_key'); my $rsa_priv_key = File::Spec->rel2abs('t/etc/modules/mod_sftp/test_rsa_key'); my $rsa_pub_key = File::Spec->rel2abs('t/etc/modules/mod_sftp/test_rsa_key.pub'); my $deny_msg = '"SFTP denied by access rules"'; my $config = { PidFile => $pid_file, ScoreboardFile => $scoreboard_file, SystemLog => $log_file, TraceLog => $log_file, Trace => 'DEFAULT:10 ssh2:20 sftp:20 scp:20', AuthUserFile => $auth_user_file, AuthGroupFile => $auth_group_file, IfModules => { 'mod_delay.c' => { DelayEngine => 'off', }, 'mod_sftp.c' => [ "SFTPEngine on", "SFTPLog $log_file", "SFTPHostKey $rsa_host_key", "SFTPHostKey $dsa_host_key", ], 'mod_wrap2.c' => { WrapEngine => 'on', WrapLog => $log_file, WrapTables => "file:$allow_file file:$deny_file", WrapDenyMsg => $deny_msg, }, }, }; my ($port, $config_user, $config_group) = config_write($config_file, $config); # Open pipes, for use between the parent and child processes. Specifically, # the child will indicate when it's done with its test by writing a message # to the parent. my ($rfh, $wfh); unless (pipe($rfh, $wfh)) { die("Can't open pipe: $!"); } require Net::SSH2; my $ex; # Fork child $self->handle_sigchld(); defined(my $pid = fork()) or die("Can't fork: $!"); if ($pid) { eval { my $ssh2 = Net::SSH2->new(); sleep(1); unless ($ssh2->connect('127.0.0.1', $port)) { my ($err_code, $err_name, $err_str) = $ssh2->error(); die("Can't connect to SSH2 server: [$err_name] ($err_code) $err_str (see unit test notes)"); } if ($ssh2->auth_password($user, $passwd)) { die("Password authentication succeeded unexpectedly"); } my ($err_code, $err_name, $err_str) = $ssh2->error(); $ssh2->disconnect(); # Unfortunately, the Net::SSH2::SFTP API doesn't provide the error # text as sent by the SFTP server. }; if ($@) { $ex = $@; } $wfh->print("done\n"); $wfh->flush(); } else { eval { server_wait($config_file, $rfh) }; if ($@) { warn($@); exit 1; } exit 0; } # Stop server server_stop($pid_file); $self->assert_child_ok($pid); if ($ex) { die($ex); } unlink($log_file); } 1;