File: test_keys_to_console.py

cloud-init 25.3-2
"""Integration tests for the cc_keys_to_console module.

(This is ported from
``tests/cloud_tests/testcases/modules/keys_to_console.yaml``.)"""

import pytest

from tests.integration_tests import integration_settings
from tests.integration_tests.decorators import retry
from tests.integration_tests.instances import IntegrationInstance
from tests.integration_tests.integration_settings import PLATFORM
from tests.integration_tests.util import (
    HAS_CONSOLE_LOG,
    get_console_log,
    get_syslog_or_console,
)

# Cloud-config payloads passed to the instance via ``pytest.mark.user_data``.
# Each one exercises a different way of limiting what SSH host key material
# is written to the console / syslog.

# Hide one key type from both the fingerprint list and the key list.
BLACKLIST_USER_DATA = (
    "#cloud-config\n"
    "ssh_fp_console_blacklist: [ecdsa-sha2-nistp256]\n"
    "ssh_key_console_blacklist: [ecdsa-sha2-nistp256]\n"
)

# Hide every listed key type from the fingerprint list.
BLACKLIST_ALL_KEYS_USER_DATA = (
    "#cloud-config\n"
    "ssh_fp_console_blacklist: [ssh-ecdsa, ssh-ed25519, ssh-rsa, ecdsa-sha2-nistp256]\n"  # noqa: E501
)

# Turn the console output off altogether.
DISABLED_USER_DATA = (
    "#cloud-config\n"
    "ssh:\n"
    "  emit_keys_to_console: false\n"
)

# Turn the console output on and add a user ("barfoo") for whom the
# payload configures no SSH authorized keys.
ENABLE_KEYS_TO_CONSOLE_USER_DATA = (
    "#cloud-config\n"
    "ssh:\n"
    "  emit_keys_to_console: true\n"
    "users:\n"
    " - default\n"
    " - name: barfoo\n"
)


@pytest.mark.user_data(BLACKLIST_USER_DATA)
@pytest.mark.skipif(
    integration_settings.OS_IMAGE_TYPE == "minimal" and not HAS_CONSOLE_LOG,
    reason=f"No console_log available for minimal images on {PLATFORM}",
)
class TestKeysToConsoleBlacklist:
    """Check that a blacklisted host key type stays out of the boot log.

    The instance is launched with ``BLACKLIST_USER_DATA``. Each test searches
    the text returned by ``get_syslog_or_console`` for a ``(<KEY TYPE>)``
    marker.
    """

    @pytest.mark.parametrize("key_type", ["ECDSA"])
    def test_excluded_keys(self, class_client, key_type):
        """The blacklisted key type must not show up in the log."""
        # NOTE(review): unlike test_included_keys this check is not retried.
        # Absence only proves something once the key output has actually
        # been written - confirm the log is complete when this runs.
        marker = "({})".format(key_type)
        log_text = get_syslog_or_console(class_client)
        assert marker not in log_text

    # Retried (up to 60 times, 1s apart) because the key output can take a
    # while to reach syslog.
    @retry(tries=60, delay=1)
    @pytest.mark.parametrize("key_type", ["ED25519", "RSA"])
    def test_included_keys(self, class_client, key_type):
        """Key types that are not blacklisted must still be reported."""
        marker = "({})".format(key_type)
        log_text = get_syslog_or_console(class_client)
        assert marker in log_text


@pytest.mark.user_data(BLACKLIST_ALL_KEYS_USER_DATA)
@pytest.mark.skipif(
    integration_settings.OS_IMAGE_TYPE == "minimal" and not HAS_CONSOLE_LOG,
    reason=f"No console_log available for minimal images on {PLATFORM}",
)
class TestAllKeysToConsoleBlacklist:
    """Check that blacklisting every key type also drops the banner lines.

    The instance is launched with ``BLACKLIST_ALL_KEYS_USER_DATA``; neither
    the fingerprint header nor the footer may appear in the log.
    """

    # NOTE(review): both tests assert absence only, so an empty or
    # not-yet-written log would pass as well - confirm that
    # get_syslog_or_console fails loudly when no log can be read.

    def test_header_excluded(self, class_client):
        """The opening fingerprint banner is not printed."""
        log_text = get_syslog_or_console(class_client)
        assert "BEGIN SSH HOST KEY FINGERPRINTS" not in log_text

    def test_footer_excluded(self, class_client):
        """The closing fingerprint banner is not printed."""
        log_text = get_syslog_or_console(class_client)
        assert "END SSH HOST KEY FINGERPRINTS" not in log_text


@pytest.mark.user_data(DISABLED_USER_DATA)
@pytest.mark.skipif(
    integration_settings.OS_IMAGE_TYPE == "minimal" and not HAS_CONSOLE_LOG,
    reason=f"No console_log available for minimal images on {PLATFORM}",
)
class TestKeysToConsoleDisabled:
    """Check that ``emit_keys_to_console: false`` silences the output.

    The instance is launched with ``DISABLED_USER_DATA``; no key-type marker
    and no fingerprint banner may appear in the log.
    """

    # NOTE(review): every assertion here is a negative one and none is
    # retried, so a log that is empty or still being written would pass
    # too - confirm the log is complete before these checks run.

    @pytest.mark.parametrize("key_type", ["ECDSA", "ED25519", "RSA"])
    def test_keys_excluded(self, class_client, key_type):
        """No ``(<KEY TYPE>)`` marker is present for any key type."""
        marker = "({})".format(key_type)
        log_text = get_syslog_or_console(class_client)
        assert marker not in log_text

    def test_header_excluded(self, class_client):
        """The opening fingerprint banner is not printed."""
        log_text = get_syslog_or_console(class_client)
        assert "BEGIN SSH HOST KEY FINGERPRINTS" not in log_text

    def test_footer_excluded(self, class_client):
        """The closing fingerprint banner is not printed."""
        log_text = get_syslog_or_console(class_client)
        assert "END SSH HOST KEY FINGERPRINTS" not in log_text


@pytest.mark.user_data(ENABLE_KEYS_TO_CONSOLE_USER_DATA)
@retry(tries=30, delay=1)
@pytest.mark.skipif(
    integration_settings.OS_IMAGE_TYPE == "minimal" and not HAS_CONSOLE_LOG,
    reason=f"No console_log available for minimal images on {PLATFORM}",
)
@pytest.mark.skipif(
    PLATFORM not in ["ec2", "lxd_container", "oci", "openstack"],
    reason=(
        "No Azure because no console log on Azure. "
        "Other platforms need testing."
    ),
)
def test_duplicate_messaging_console_log(client: IntegrationInstance):
    """Check the console log reports that user barfoo has no key fingerprints.

    The instance is launched with ``ENABLE_KEYS_TO_CONSOLE_USER_DATA``, which
    enables key output and adds the user ``barfoo``. The lookup is retried up
    to 30 times, one second apart, and only runs on the platforms named in
    the second ``skipif``.
    """
    # NOTE(review): the name mentions "duplicate" messaging, but a substring
    # check only shows the message occurs at least once - confirm whether a
    # count was intended.
    expected_message = (
        "no authorized SSH keys fingerprints found for user barfoo."
    )
    console_text = get_console_log(client)
    assert expected_message in console_text