diff --git a/hscontrol/policy/v2/tailscale_ssh_data_compat_test.go b/hscontrol/policy/v2/tailscale_ssh_data_compat_test.go
new file mode 100644
index 00000000..b94460e9
--- /dev/null
+++ b/hscontrol/policy/v2/tailscale_ssh_data_compat_test.go
@@ -0,0 +1,344 @@
+// This file is "generated" by Claude.
+// It contains a data-driven test that reads SSH-*.json test files captured
+// from Tailscale SaaS. Each file contains:
+// - The SSH section of the policy
+// - The expected SSHPolicy rules for each of 5 test nodes
+//
+// The test loads each JSON file, constructs a full policy from the SSH section,
+// applies it through headscale's SSH policy compilation, and compares the output
+// against Tailscale's actual behavior.
+//
+// Tests that are known to fail due to unimplemented features or known
+// differences are skipped with a TODO comment explaining the root cause.
+// As headscale's SSH implementation improves, tests should be removed
+// from the skip list.
+//
+// Test data source: testdata/ssh_results/SSH-*.json
+// Captured from: Tailscale SaaS API + tailscale debug localapi
+
+package v2
+
+import (
+ "encoding/json"
+ "os"
+ "path/filepath"
+ "strings"
+ "testing"
+
+ "github.com/google/go-cmp/cmp"
+ "github.com/google/go-cmp/cmp/cmpopts"
+ "github.com/juanfont/headscale/hscontrol/types"
+ "github.com/stretchr/testify/require"
+ "gorm.io/gorm"
+ "tailscale.com/tailcfg"
+)
+
+// sshTestFile represents the JSON structure of a captured SSH test file.
+type sshTestFile struct {
+ TestID string `json:"test_id"`
+ PolicyFile string `json:"policy_file"`
+ SSHSection json.RawMessage `json:"ssh_section"`
+ Nodes map[string]sshNodeCapture `json:"nodes"`
+}
+
+// sshNodeCapture represents the expected SSH rules for a single node.
+type sshNodeCapture struct {
+ Rules json.RawMessage `json:"rules"`
+}
+
+// setupSSHDataCompatUsers returns the 3 test users for SSH data-driven
+// compatibility tests. The user configuration matches the Tailscale test
+// environment with email domains preserved for localpart matching:
+// - kratail2tid@example.com (converted from @passkey)
+// - kristoffer@dalby.cc (kept as-is — different domain for localpart exclusion)
+// - monitorpasskeykradalby@example.com (converted from @passkey)
+func setupSSHDataCompatUsers() types.Users {
+ return types.Users{
+ {
+ Model: gorm.Model{ID: 1},
+ Name: "kratail2tid",
+ Email: "kratail2tid@example.com",
+ },
+ {
+ Model: gorm.Model{ID: 2},
+ Name: "kristoffer",
+ Email: "kristoffer@dalby.cc",
+ },
+ {
+ Model: gorm.Model{ID: 3},
+ Name: "monitorpasskeykradalby",
+ Email: "monitorpasskeykradalby@example.com",
+ },
+ }
+}
+
+// setupSSHDataCompatNodes returns the 5 test nodes for SSH data-driven
+// compatibility tests. Node GivenNames match the keys in the JSON files:
+// - user1 (owned by kratail2tid)
+// - user-kris (owned by kristoffer)
+// - user-mon (owned by monitorpasskeykradalby)
+// - tagged-server (tag:server)
+// - tagged-prod (tag:prod)
+func setupSSHDataCompatNodes(users types.Users) types.Nodes {
+ return types.Nodes{
+ &types.Node{
+ ID: 1,
+ GivenName: "user1",
+ User: &users[0],
+ UserID: &users[0].ID,
+ IPv4: ptrAddr("100.90.199.68"),
+ IPv6: ptrAddr("fd7a:115c:a1e0::2d01:c747"),
+ Hostinfo: &tailcfg.Hostinfo{},
+ },
+ &types.Node{
+ ID: 2,
+ GivenName: "user-kris",
+ User: &users[1],
+ UserID: &users[1].ID,
+ IPv4: ptrAddr("100.110.121.96"),
+ IPv6: ptrAddr("fd7a:115c:a1e0::1737:7960"),
+ Hostinfo: &tailcfg.Hostinfo{},
+ },
+ &types.Node{
+ ID: 3,
+ GivenName: "user-mon",
+ User: &users[2],
+ UserID: &users[2].ID,
+ IPv4: ptrAddr("100.103.90.82"),
+ IPv6: ptrAddr("fd7a:115c:a1e0::9e37:5a52"),
+ Hostinfo: &tailcfg.Hostinfo{},
+ },
+ &types.Node{
+ ID: 4,
+ GivenName: "tagged-server",
+ IPv4: ptrAddr("100.108.74.26"),
+ IPv6: ptrAddr("fd7a:115c:a1e0::b901:4a87"),
+ Tags: []string{"tag:server"},
+ Hostinfo: &tailcfg.Hostinfo{},
+ },
+ &types.Node{
+ ID: 5,
+ GivenName: "tagged-prod",
+ IPv4: ptrAddr("100.103.8.15"),
+ IPv6: ptrAddr("fd7a:115c:a1e0::5b37:80f"),
+ Tags: []string{"tag:prod"},
+ Hostinfo: &tailcfg.Hostinfo{},
+ },
+ }
+}
+
+// convertSSHPolicyEmails converts Tailscale SaaS email domains to
+// headscale-compatible format in the raw policy JSON.
+//
+// Tailscale uses provider-specific email formats:
+// - kratail2tid@passkey (passkey auth)
+// - kristoffer@dalby.cc (email auth — kept as-is)
+// - monitorpasskeykradalby@passkey (passkey auth)
+//
+// The @passkey domain is converted to @example.com. The @dalby.cc domain
+// is kept as-is to preserve localpart matching semantics (kristoffer should
+// NOT match localpart:*@example.com, just as it doesn't match
+// localpart:*@passkey in Tailscale SaaS).
+func convertSSHPolicyEmails(s string) string {
+ s = strings.ReplaceAll(s, "@passkey", "@example.com")
+
+ return s
+}
+
+// constructSSHFullPolicy builds a complete headscale policy from the
+// ssh_section captured from Tailscale SaaS.
+//
+// The base policy includes:
+// - groups matching the Tailscale test environment
+// - tagOwners for tag:server and tag:prod
+// - A permissive ACL allowing all traffic (matches the grants wildcard
+// in the original Tailscale policy)
+// - The SSH section from the test file
+func constructSSHFullPolicy(sshSection json.RawMessage) string {
+ // Base policy template with groups, tagOwners, and ACLs
+ // User references match the converted email addresses.
+ const basePolicyPrefix = `{ + "groups": { + "group:admins": ["kratail2tid@example.com"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@example.com"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@example.com"], + "tag:prod": ["kratail2tid@example.com"] + }, + "acls": [{"action": "accept", "src": ["*"], "dst": ["*:*"]}]` + + // Handle null or empty SSH section + if len(sshSection) == 0 || string(sshSection) == "null" { + // No SSH section at all (like SSH-E4) + return basePolicyPrefix + "\n}" + } + + sshStr := string(sshSection) + + // Convert Tailscale email domains + sshStr = convertSSHPolicyEmails(sshStr) + + return basePolicyPrefix + `, + "ssh": ` + sshStr + "\n}" +} + +// loadSSHTestFile loads and parses a single SSH test JSON file. +func loadSSHTestFile(t *testing.T, path string) sshTestFile { + t.Helper() + + content, err := os.ReadFile(path) + require.NoError(t, err, "failed to read test file %s", path) + + var tf sshTestFile + + err = json.Unmarshal(content, &tf) + require.NoError(t, err, "failed to parse test file %s", path) + + return tf +} + +// sshSkipReasons documents why each skipped test fails and what needs to be +// fixed. Tests are grouped by root cause to identify high-impact changes. +// +// 37 of 39 tests are expected to pass. +var sshSkipReasons = map[string]string{ + // user:*@domain source alias not yet implemented. + // These tests use "src": ["user:*@passkey"] which requires UserWildcard + // alias type support. Will be added in a follow-up PR that implements + // user:*@domain across all contexts (ACLs, grants, tagOwners, autoApprovers). + "SSH-B5": "user:*@domain source alias not yet implemented", + "SSH-D10": "user:*@domain source alias not yet implemented", +} + +// TestSSHDataCompat is a data-driven test that loads all SSH-*.json test files +// captured from Tailscale SaaS and compares headscale's SSH policy compilation +// against the real Tailscale behavior. 
+//
+// Each JSON file contains:
+// - The SSH section of the policy
+// - Expected SSH rules per node (5 nodes)
+//
+// The test constructs a full headscale policy from the SSH section, converts
+// Tailscale user email formats to headscale format, and runs the policy
+// through unmarshalPolicy and compileSSHPolicy.
+func TestSSHDataCompat(t *testing.T) {
+ t.Parallel()
+
+ files, err := filepath.Glob(
+ filepath.Join("testdata", "ssh_results", "SSH-*.json"),
+ )
+ require.NoError(t, err, "failed to glob test files")
+ require.NotEmpty(
+ t,
+ files,
+ "no SSH-*.json test files found in testdata/ssh_results/",
+ )
+
+ t.Logf("Loaded %d SSH test files", len(files))
+
+ users := setupSSHDataCompatUsers()
+ nodes := setupSSHDataCompatNodes(users)
+
+ for _, file := range files {
+ tf := loadSSHTestFile(t, file)
+
+ t.Run(tf.TestID, func(t *testing.T) {
+ t.Parallel()
+
+ // Check if this test is in the skip list
+ if reason, ok := sshSkipReasons[tf.TestID]; ok {
+ t.Skipf(
+ "TODO: %s — see sshSkipReasons comments for details",
+ reason,
+ )
+
+ return
+ }
+
+ // Construct full policy from SSH section
+ policyJSON := constructSSHFullPolicy(tf.SSHSection)
+
+ pol, err := unmarshalPolicy([]byte(policyJSON))
+ require.NoError(
+ t,
+ err,
+ "%s: policy should parse successfully\nPolicy:\n%s",
+ tf.TestID,
+ policyJSON,
+ )
+
+ for nodeName, capture := range tf.Nodes {
+ t.Run(nodeName, func(t *testing.T) {
+ node := findNodeByGivenName(nodes, nodeName)
+ require.NotNilf(
+ t,
+ node,
+ "node %s not found in test setup",
+ nodeName,
+ )
+
+ // Compile headscale SSH policy for this node
+ gotSSH, err := pol.compileSSHPolicy(
+ "unused-server-url",
+ users,
+ node.View(),
+ nodes.ViewSlice(),
+ )
+ require.NoError(
+ t,
+ err,
+ "%s/%s: failed to compile SSH policy",
+ tf.TestID,
+ nodeName,
+ )
+
+ // Parse expected rules from JSON capture
+ var wantRules []*tailcfg.SSHRule
+ if len(capture.Rules) > 0 &&
+ string(capture.Rules) != "null" {
+ err = json.Unmarshal(capture.Rules, &wantRules)
+ require.NoError(
+ t,
+ err,
+ "%s/%s: failed to unmarshal expected rules",
+ tf.TestID,
+ nodeName,
+ )
+ }
+
+ // Build expected SSHPolicy from the rules
+ var wantSSH *tailcfg.SSHPolicy
+ if len(wantRules) > 0 {
+ wantSSH = &tailcfg.SSHPolicy{Rules: wantRules}
+ }
+
+ // Normalize: treat empty-rules SSHPolicy as nil
+ if gotSSH != nil && len(gotSSH.Rules) == 0 {
+ gotSSH = nil
+ }
+
+ // Compare headscale output against Tailscale expected.
+ // EquateEmpty treats nil and empty slices as equal.
+ // Sort principals within rules (order doesn't matter).
+ // Do NOT sort rules — order matters (first-match-wins).
+ opts := cmp.Options{
+ cmpopts.SortSlices(func(a, b *tailcfg.SSHPrincipal) bool {
+ return a.NodeIP < b.NodeIP
+ }),
+ cmpopts.EquateEmpty(),
+ }
+ if diff := cmp.Diff(wantSSH, gotSSH, opts...); diff != "" {
+ t.Errorf(
+ "%s/%s: SSH policy mismatch (-tailscale +headscale):\n%s",
+ tf.TestID,
+ nodeName,
+ diff,
+ )
+ }
+ })
+ }
+ })
+ }
+}
diff --git a/hscontrol/policy/v2/testdata/ssh_results/SSH-A1.json b/hscontrol/policy/v2/testdata/ssh_results/SSH-A1.json
new file mode 100644
index 00000000..7313deab
--- /dev/null
+++ b/hscontrol/policy/v2/testdata/ssh_results/SSH-A1.json
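Review bot: The per-node loop in TestSSHDataCompat only iterates the keys present in the capture's `nodes` map, so a fixture that omits a node (say `tagged-prod`) silently drops the negative assertion that headscale grants that node no SSH rules — which is precisely the over-grant this compatibility suite exists to catch; `require.NotNilf(t, node, ...)` guards the opposite direction (unknown key) but not this one. A single check before the loop closes the gap: `require.Len(t, tf.Nodes, len(nodes), "%s: capture must list every test node", tf.TestID)`. Separately, the skip-list branch returns before anything is compiled, so an entry in sshSkipReasons is never re-validated: a test that starts passing when `user:*@domain` lands stays skipped, and one that regresses in a new way is equally invisible. Running the comparison anyway, skipping only when a diff is present and failing when a listed test now matches, keeps the list honest; the sketch below shows that shape (the `mismatched` flag is safe because the node subtests do not call t.Parallel and finish before the outer t.Run body continues).

```go
		t.Run(tf.TestID, func(t *testing.T) {
			t.Parallel()

			skipReason, expectFail := sshSkipReasons[tf.TestID]
			// … unchanged: constructSSHFullPolicy + unmarshalPolicy …

			// A capture missing a node would silently drop that node's "no rules" check.
			require.Len(t, tf.Nodes, len(nodes), "%s: capture must list every test node", tf.TestID)

			mismatched := false
			for nodeName, capture := range tf.Nodes {
				t.Run(nodeName, func(t *testing.T) {
					// … unchanged: compileSSHPolicy, expected-rule parsing, normalization, opts …
					if diff := cmp.Diff(wantSSH, gotSSH, opts...); diff != "" {
						mismatched = true
						if expectFail {
							t.Skipf("TODO: %s\n%s", skipReason, diff)
						}
						t.Errorf("%s/%s: SSH policy mismatch (-tailscale +headscale):\n%s", tf.TestID, nodeName, diff)
					}
				})
			}

			if expectFail && !mismatched {
				t.Errorf("%s: now matches Tailscale; remove it from sshSkipReasons", tf.TestID)
			}
		})
```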
@@ -0,0 +1,51 @@ +{ + "test_id": "SSH-A1", + "policy_file": "ssh_policies/ssh_a1.json", + "ssh_section": [{ "action": "accept", "src": ["autogroup:member"], "dst": ["autogroup:self"], "users": ["root"] }], + "nodes": { + "user1": { + "rules": [ + { + "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }], + "sshUsers": { "root": "root" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + } + ] + }, + "user-kris": { + "rules": [ + { + "principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }], + "sshUsers": { "root": "root" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + } + ] + }, + "user-mon": { + "rules": [ + { + "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }], + "sshUsers": { "root": "root" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + } + ] + }, + "tagged-server": { "rules": [] }, + "tagged-prod": { "rules": [] } + } +} diff --git a/hscontrol/policy/v2/testdata/ssh_results/SSH-A2.json b/hscontrol/policy/v2/testdata/ssh_results/SSH-A2.json new file mode 100644 index 00000000..a9151058 --- /dev/null +++ b/hscontrol/policy/v2/testdata/ssh_results/SSH-A2.json 
@@ -0,0 +1,53 @@ +{ + "test_id": "SSH-A2", + "policy_file": "ssh_policies/ssh_a2.json", + "ssh_section": [ + { "action": "accept", "src": ["autogroup:member"], "dst": ["autogroup:self"], "users": ["autogroup:nonroot"] } + ], + "nodes": { + "user1": { + "rules": [ + { + "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }], + "sshUsers": { "*": "=", "root": "" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + } + ] + }, + "user-kris": { + "rules": [ + { + "principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }], + "sshUsers": { "*": "=", "root": "" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + } + ] + }, + "user-mon": { + "rules": [ + { + "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }], + "sshUsers": { "*": "=", "root": "" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + } + ] + }, + "tagged-server": { "rules": [] }, + "tagged-prod": { "rules": [] } + } +} diff --git a/hscontrol/policy/v2/testdata/ssh_results/SSH-A3.json b/hscontrol/policy/v2/testdata/ssh_results/SSH-A3.json new file mode 100644 index 00000000..85ab9637 --- /dev/null +++ b/hscontrol/policy/v2/testdata/ssh_results/SSH-A3.json 
@@ -0,0 +1,58 @@ +{ + "test_id": "SSH-A3", + "policy_file": "ssh_policies/ssh_a3.json", + "ssh_section": [ + { + "action": "accept", + "src": ["autogroup:member"], + "dst": ["autogroup:self"], + "users": ["root", "autogroup:nonroot"] + } + ], + "nodes": { + "user1": { + "rules": [ + { + "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }], + "sshUsers": { "*": "=", "root": "root" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + } + ] + }, + "user-kris": { + "rules": [ + { + "principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }], + "sshUsers": { "*": "=", "root": "root" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + } + ] + }, + "user-mon": { + "rules": [ + { + "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }], + "sshUsers": { "*": "=", "root": "root" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + } + ] + }, + "tagged-server": { "rules": [] }, + "tagged-prod": { "rules": [] } + } +} diff --git a/hscontrol/policy/v2/testdata/ssh_results/SSH-A4.json b/hscontrol/policy/v2/testdata/ssh_results/SSH-A4.json new file mode 100644 index 00000000..5a50b980 --- /dev/null +++ b/hscontrol/policy/v2/testdata/ssh_results/SSH-A4.json 
@@ -0,0 +1,32 @@ +{ + "test_id": "SSH-A4", + "policy_file": "ssh_policies/ssh_a4.json", + "ssh_section": [{ "action": "accept", "src": ["autogroup:member"], "dst": ["tag:server"], "users": ["ubuntu"] }], + "nodes": { + "user1": { "rules": [] }, + "user-kris": { "rules": [] }, + "user-mon": { "rules": [] }, + "tagged-server": { + "rules": [ + { + "principals": [ + { "nodeIP": "100.103.90.82" }, + { "nodeIP": "100.110.121.96" }, + { "nodeIP": "100.90.199.68" }, + { "nodeIP": "fd7a:115c:a1e0::1737:7960" }, + { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }, + { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" } + ], + "sshUsers": { "root": "", "ubuntu": "ubuntu" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + } + ] + }, + "tagged-prod": { "rules": [] } + } +} diff --git a/hscontrol/policy/v2/testdata/ssh_results/SSH-A5.json b/hscontrol/policy/v2/testdata/ssh_results/SSH-A5.json new file mode 100644 index 00000000..326255bb --- /dev/null +++ b/hscontrol/policy/v2/testdata/ssh_results/SSH-A5.json @@ -0,0 +1,34 @@ +{ + "test_id": "SSH-A5", + "policy_file": "ssh_policies/ssh_a5.json", + "ssh_section": [ + { "action": "accept", "src": ["autogroup:member"], "dst": ["tag:server"], "users": ["root", "ubuntu"] } + ], + "nodes": { + "user1": { "rules": [] }, + "user-kris": { "rules": [] }, + "user-mon": { "rules": [] }, + "tagged-server": { + "rules": [ + { + "principals": [ + { "nodeIP": "100.103.90.82" }, + { "nodeIP": "100.110.121.96" }, + { "nodeIP": "100.90.199.68" }, + { "nodeIP": "fd7a:115c:a1e0::1737:7960" }, + { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }, + { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" } + ], + "sshUsers": { "root": "root", "ubuntu": "ubuntu" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + } + ] + }, + "tagged-prod": { "rules": [] } + } +} 
diff --git a/hscontrol/policy/v2/testdata/ssh_results/SSH-A6.json b/hscontrol/policy/v2/testdata/ssh_results/SSH-A6.json new file mode 100644 index 00000000..542396c1 --- /dev/null +++ b/hscontrol/policy/v2/testdata/ssh_results/SSH-A6.json 
@@ -0,0 +1,98 @@ +{ + "test_id": "SSH-A6", + "policy_file": "ssh_policies/ssh_a6.json", + "ssh_section": [ + { + "action": "check", + "src": [ + "autogroup:member" + ], + "dst": [ + "autogroup:self" + ], + "users": [ + "root" + ] + } + ], + "nodes": { + "user1": { + "rules": [ + { + "principals": [ + { + "nodeIP": "100.90.199.68" + }, + { + "nodeIP": "fd7a:115c:a1e0::2d01:c747" + } + ], + "sshUsers": { + "root": "root" + }, + "action": { + "holdAndDelegate": "unused-server-url/machine/ssh/action/from/$SRC_NODE_ID/to/$DST_NODE_ID?ssh_user=$SSH_USER&local_user=$LOCAL_USER", + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true, + "sessionDuration": 43200000000000 + } + } + ] + }, + "user-kris": { + "rules": [ + { + "principals": [ + { + "nodeIP": "100.110.121.96" + }, + { + "nodeIP": "fd7a:115c:a1e0::1737:7960" + } + ], + "sshUsers": { + "root": "root" + }, + "action": { + "holdAndDelegate": "unused-server-url/machine/ssh/action/from/$SRC_NODE_ID/to/$DST_NODE_ID?ssh_user=$SSH_USER&local_user=$LOCAL_USER", + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true, + "sessionDuration": 43200000000000 + } + } + ] + }, + "user-mon": { + "rules": [ + { + "principals": [ + { + "nodeIP": "100.103.90.82" + }, + { + "nodeIP": "fd7a:115c:a1e0::9e37:5a52" + } + ], + "sshUsers": { + "root": "root" + }, + "action": { + "holdAndDelegate": "unused-server-url/machine/ssh/action/from/$SRC_NODE_ID/to/$DST_NODE_ID?ssh_user=$SSH_USER&local_user=$LOCAL_USER", + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true, + "sessionDuration": 43200000000000 + } + } + ] + }, + "tagged-server": { + "rules": [] + }, + "tagged-prod": { + "rules": [] + } + } +} diff --git a/hscontrol/policy/v2/testdata/ssh_results/SSH-A7.json b/hscontrol/policy/v2/testdata/ssh_results/SSH-A7.json new file mode 100644 index 00000000..9e73aba4 --- /dev/null 
+++ b/hscontrol/policy/v2/testdata/ssh_results/SSH-A7.json @@ -0,0 +1,99 @@ +{ + "test_id": "SSH-A7", + "policy_file": "ssh_policies/ssh_a7.json", + "ssh_section": [ + { + "action": "check", + "src": [ + "autogroup:member" + ], + "dst": [ + "autogroup:self" + ], + "users": [ + "root" + ], + "checkPeriod": "1h" + } + ], + "nodes": { + "user1": { + "rules": [ + { + "principals": [ + { + "nodeIP": "100.90.199.68" + }, + { + "nodeIP": "fd7a:115c:a1e0::2d01:c747" + } + ], + "sshUsers": { + "root": "root" + }, + "action": { + "holdAndDelegate": "unused-server-url/machine/ssh/action/from/$SRC_NODE_ID/to/$DST_NODE_ID?ssh_user=$SSH_USER&local_user=$LOCAL_USER", + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true, + "sessionDuration": 3600000000000 + } + } + ] + }, + "user-kris": { + "rules": [ + { + "principals": [ + { + "nodeIP": "100.110.121.96" + }, + { + "nodeIP": "fd7a:115c:a1e0::1737:7960" + } + ], + "sshUsers": { + "root": "root" + }, + "action": { + "holdAndDelegate": "unused-server-url/machine/ssh/action/from/$SRC_NODE_ID/to/$DST_NODE_ID?ssh_user=$SSH_USER&local_user=$LOCAL_USER", + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true, + "sessionDuration": 3600000000000 + } + } + ] + }, + "user-mon": { + "rules": [ + { + "principals": [ + { + "nodeIP": "100.103.90.82" + }, + { + "nodeIP": "fd7a:115c:a1e0::9e37:5a52" + } + ], + "sshUsers": { + "root": "root" + }, + "action": { + "holdAndDelegate": "unused-server-url/machine/ssh/action/from/$SRC_NODE_ID/to/$DST_NODE_ID?ssh_user=$SSH_USER&local_user=$LOCAL_USER", + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true, + "sessionDuration": 3600000000000 + } + } + ] + }, + "tagged-server": { + "rules": [] + }, + "tagged-prod": { + "rules": [] + } + } +} 
diff --git a/hscontrol/policy/v2/testdata/ssh_results/SSH-A8.json b/hscontrol/policy/v2/testdata/ssh_results/SSH-A8.json new file mode 100644 index 00000000..097a8516 --- /dev/null +++ b/hscontrol/policy/v2/testdata/ssh_results/SSH-A8.json 
@@ -0,0 +1,99 @@ +{ + "test_id": "SSH-A8", + "policy_file": "ssh_policies/ssh_a8.json", + "ssh_section": [ + { + "action": "check", + "src": [ + "autogroup:member" + ], + "dst": [ + "autogroup:self" + ], + "users": [ + "root" + ], + "checkPeriod": "always" + } + ], + "nodes": { + "user1": { + "rules": [ + { + "principals": [ + { + "nodeIP": "100.90.199.68" + }, + { + "nodeIP": "fd7a:115c:a1e0::2d01:c747" + } + ], + "sshUsers": { + "root": "root" + }, + "action": { + "holdAndDelegate": "unused-server-url/machine/ssh/action/from/$SRC_NODE_ID/to/$DST_NODE_ID?ssh_user=$SSH_USER&local_user=$LOCAL_USER", + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true, + "sessionDuration": 0 + } + } + ] + }, + "user-kris": { + "rules": [ + { + "principals": [ + { + "nodeIP": "100.110.121.96" + }, + { + "nodeIP": "fd7a:115c:a1e0::1737:7960" + } + ], + "sshUsers": { + "root": "root" + }, + "action": { + "holdAndDelegate": "unused-server-url/machine/ssh/action/from/$SRC_NODE_ID/to/$DST_NODE_ID?ssh_user=$SSH_USER&local_user=$LOCAL_USER", + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true, + "sessionDuration": 0 + } + } + ] + }, + "user-mon": { + "rules": [ + { + "principals": [ + { + "nodeIP": "100.103.90.82" + }, + { + "nodeIP": "fd7a:115c:a1e0::9e37:5a52" + } + ], + "sshUsers": { + "root": "root" + }, + "action": { + "holdAndDelegate": "unused-server-url/machine/ssh/action/from/$SRC_NODE_ID/to/$DST_NODE_ID?ssh_user=$SSH_USER&local_user=$LOCAL_USER", + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true, + "sessionDuration": 0 + } + } + ] + }, + "tagged-server": { + "rules": [] + }, + "tagged-prod": { + "rules": [] + } + } +} diff --git a/hscontrol/policy/v2/testdata/ssh_results/SSH-B1.json b/hscontrol/policy/v2/testdata/ssh_results/SSH-B1.json new file mode 100644 index 00000000..e68797cb --- /dev/null 
+++ b/hscontrol/policy/v2/testdata/ssh_results/SSH-B1.json @@ -0,0 +1,25 @@ +{ + "test_id": "SSH-B1", + "policy_file": "ssh_policies/ssh_b1.json", + "ssh_section": [{ "action": "accept", "src": ["kristoffer@dalby.cc"], "dst": ["tag:server"], "users": ["root"] }], + "nodes": { + "user1": { "rules": [] }, + "user-kris": { "rules": [] }, + "user-mon": { "rules": [] }, + "tagged-server": { + "rules": [ + { + "principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }], + "sshUsers": { "root": "root" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + } + ] + }, + "tagged-prod": { "rules": [] } + } +} diff --git a/hscontrol/policy/v2/testdata/ssh_results/SSH-B2.json b/hscontrol/policy/v2/testdata/ssh_results/SSH-B2.json new file mode 100644 index 00000000..46eb8aa3 --- /dev/null +++ b/hscontrol/policy/v2/testdata/ssh_results/SSH-B2.json @@ -0,0 +1,30 @@ +{ + "test_id": "SSH-B2", + "policy_file": "ssh_policies/ssh_b2.json", + "ssh_section": [{ "action": "accept", "src": ["group:developers"], "dst": ["tag:server"], "users": ["root"] }], + "nodes": { + "user1": { "rules": [] }, + "user-kris": { "rules": [] }, + "user-mon": { "rules": [] }, + "tagged-server": { + "rules": [ + { + "principals": [ + { "nodeIP": "100.110.121.96" }, + { "nodeIP": "100.90.199.68" }, + { "nodeIP": "fd7a:115c:a1e0::1737:7960" }, + { "nodeIP": "fd7a:115c:a1e0::2d01:c747" } + ], + "sshUsers": { "root": "root" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + } + ] + }, + "tagged-prod": { "rules": [] } + } +} diff --git a/hscontrol/policy/v2/testdata/ssh_results/SSH-B3.json b/hscontrol/policy/v2/testdata/ssh_results/SSH-B3.json new file mode 100644 index 00000000..765a4d53 --- /dev/null +++ b/hscontrol/policy/v2/testdata/ssh_results/SSH-B3.json 
@@ -0,0 +1,25 @@ +{ + "test_id": "SSH-B3", + "policy_file": "ssh_policies/ssh_b3.json", + "ssh_section": [{ "action": "accept", "src": ["tag:prod"], "dst": ["tag:server"], "users": ["root"] }], + "nodes": { + "user1": { "rules": [] }, + "user-kris": { "rules": [] }, + "user-mon": { "rules": [] }, + "tagged-server": { + "rules": [ + { + "principals": [{ "nodeIP": "100.103.8.15" }, { "nodeIP": "fd7a:115c:a1e0::5b37:80f" }], + "sshUsers": { "root": "root" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + } + ] + }, + "tagged-prod": { "rules": [] } + } +} diff --git a/hscontrol/policy/v2/testdata/ssh_results/SSH-B5.json b/hscontrol/policy/v2/testdata/ssh_results/SSH-B5.json new file mode 100644 index 00000000..279217b7 --- /dev/null +++ b/hscontrol/policy/v2/testdata/ssh_results/SSH-B5.json @@ -0,0 +1,30 @@ +{ + "test_id": "SSH-B5", + "policy_file": "ssh_policies/ssh_b5.json", + "ssh_section": [{ "action": "accept", "src": ["user:*@passkey"], "dst": ["tag:server"], "users": ["root"] }], + "nodes": { + "user1": { "rules": [] }, + "user-kris": { "rules": [] }, + "user-mon": { "rules": [] }, + "tagged-server": { + "rules": [ + { + "principals": [ + { "nodeIP": "100.103.90.82" }, + { "nodeIP": "100.90.199.68" }, + { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }, + { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" } + ], + "sshUsers": { "root": "root" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + } + ] + }, + "tagged-prod": { "rules": [] } + } +} diff --git a/hscontrol/policy/v2/testdata/ssh_results/SSH-B6.json b/hscontrol/policy/v2/testdata/ssh_results/SSH-B6.json new file mode 100644 index 00000000..b4cf7914 --- /dev/null +++ b/hscontrol/policy/v2/testdata/ssh_results/SSH-B6.json 
@@ -0,0 +1,30 @@ +{ + "test_id": "SSH-B6", + "policy_file": "ssh_policies/ssh_b6.json", + "ssh_section": [{ "action": "accept", "src": ["autogroup:tagged"], "dst": ["tag:server"], "users": ["root"] }], + "nodes": { + "user1": { "rules": [] }, + "user-kris": { "rules": [] }, + "user-mon": { "rules": [] }, + "tagged-server": { + "rules": [ + { + "principals": [ + { "nodeIP": "100.103.8.15" }, + { "nodeIP": "100.108.74.26" }, + { "nodeIP": "fd7a:115c:a1e0::5b37:80f" }, + { "nodeIP": "fd7a:115c:a1e0::b901:4a87" } + ], + "sshUsers": { "root": "root" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + } + ] + }, + "tagged-prod": { "rules": [] } + } +} diff --git a/hscontrol/policy/v2/testdata/ssh_results/SSH-C1.json b/hscontrol/policy/v2/testdata/ssh_results/SSH-C1.json new file mode 100644 index 00000000..c95409f1 --- /dev/null +++ b/hscontrol/policy/v2/testdata/ssh_results/SSH-C1.json 
@@ -0,0 +1,51 @@ +{ + "test_id": "SSH-C1", + "policy_file": "ssh_policies/ssh_c1.json", + "ssh_section": [{ "action": "accept", "src": ["autogroup:member"], "dst": ["autogroup:self"], "users": ["root"] }], + "nodes": { + "user1": { + "rules": [ + { + "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }], + "sshUsers": { "root": "root" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + } + ] + }, + "user-kris": { + "rules": [ + { + "principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }], + "sshUsers": { "root": "root" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + } + ] + }, + "user-mon": { + "rules": [ + { + "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }], + "sshUsers": { "root": "root" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + } + ] + }, + "tagged-server": { "rules": [] }, + "tagged-prod": { "rules": [] } + } +} diff --git a/hscontrol/policy/v2/testdata/ssh_results/SSH-C2.json b/hscontrol/policy/v2/testdata/ssh_results/SSH-C2.json new file mode 100644 index 00000000..21f3722b --- /dev/null +++ b/hscontrol/policy/v2/testdata/ssh_results/SSH-C2.json 
@@ -0,0 +1,32 @@ +{ + "test_id": "SSH-C2", + "policy_file": "ssh_policies/ssh_c2.json", + "ssh_section": [{ "action": "accept", "src": ["autogroup:member"], "dst": ["tag:server"], "users": ["root"] }], + "nodes": { + "user1": { "rules": [] }, + "user-kris": { "rules": [] }, + "user-mon": { "rules": [] }, + "tagged-server": { + "rules": [ + { + "principals": [ + { "nodeIP": "100.103.90.82" }, + { "nodeIP": "100.110.121.96" }, + { "nodeIP": "100.90.199.68" }, + { "nodeIP": "fd7a:115c:a1e0::1737:7960" }, + { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }, + { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" } + ], + "sshUsers": { "root": "root" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + } + ] + }, + "tagged-prod": { "rules": [] } + } +} diff --git a/hscontrol/policy/v2/testdata/ssh_results/SSH-C3.json b/hscontrol/policy/v2/testdata/ssh_results/SSH-C3.json new file mode 100644 index 00000000..6c8a651a --- /dev/null +++ b/hscontrol/policy/v2/testdata/ssh_results/SSH-C3.json @@ -0,0 +1,27 @@ +{ + "test_id": "SSH-C3", + "policy_file": "ssh_policies/ssh_c3.json", + "ssh_section": [ + { "action": "accept", "src": ["kristoffer@dalby.cc"], "dst": ["kristoffer@dalby.cc"], "users": ["root"] } + ], + "nodes": { + "user1": { "rules": [] }, + "user-kris": { + "rules": [ + { + "principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }], + "sshUsers": { "root": "root" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + } + ] + }, + "user-mon": { "rules": [] }, + "tagged-server": { "rules": [] }, + "tagged-prod": { "rules": [] } + } +} diff --git a/hscontrol/policy/v2/testdata/ssh_results/SSH-C4.json b/hscontrol/policy/v2/testdata/ssh_results/SSH-C4.json new file mode 100644 index 00000000..14edec5a --- /dev/null +++ b/hscontrol/policy/v2/testdata/ssh_results/SSH-C4.json 
@@ -0,0 +1,54 @@ +{ + "test_id": "SSH-C4", + "policy_file": "ssh_policies/ssh_c4.json", + "ssh_section": [ + { "action": "accept", "src": ["autogroup:member"], "dst": ["tag:server", "tag:prod"], "users": ["root"] } + ], + "nodes": { + "user1": { "rules": [] }, + "user-kris": { "rules": [] }, + "user-mon": { "rules": [] }, + "tagged-server": { + "rules": [ + { + "principals": [ + { "nodeIP": "100.103.90.82" }, + { "nodeIP": "100.110.121.96" }, + { "nodeIP": "100.90.199.68" }, + { "nodeIP": "fd7a:115c:a1e0::1737:7960" }, + { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }, + { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" } + ], + "sshUsers": { "root": "root" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + } + ] + }, + "tagged-prod": { + "rules": [ + { + "principals": [ + { "nodeIP": "100.103.90.82" }, + { "nodeIP": "100.110.121.96" }, + { "nodeIP": "100.90.199.68" }, + { "nodeIP": "fd7a:115c:a1e0::1737:7960" }, + { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }, + { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" } + ], + "sshUsers": { "root": "root" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + } + ] + } + } +} diff --git a/hscontrol/policy/v2/testdata/ssh_results/SSH-D10.json b/hscontrol/policy/v2/testdata/ssh_results/SSH-D10.json new file mode 100644 index 00000000..ae37ff0c --- /dev/null +++ b/hscontrol/policy/v2/testdata/ssh_results/SSH-D10.json 
@@ -0,0 +1,103 @@ +{ + "test_id": "SSH-D10", + "policy_file": "ssh_policies/ssh_d10.json", + "ssh_section": [ + { "action": "accept", "src": ["user:*@passkey"], "dst": ["tag:server"], "users": ["localpart:*@passkey"] } + ], + "nodes": { + "user1": { + "rules": [ + { + "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }], + "sshUsers": { "root": "" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + }, + { + "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }], + "sshUsers": { "kratail2tid": "kratail2tid" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + } + ] + }, + "user-kris": { "rules": [] }, + "user-mon": { + "rules": [ + { + "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }], + "sshUsers": { "root": "" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + }, + { + "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }], + "sshUsers": { "monitorpasskeykradalby": "monitorpasskeykradalby" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + } + ] + }, + "tagged-server": { + "rules": [ + { + "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }], + "sshUsers": { "root": "" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + }, + { + "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }], + "sshUsers": { "kratail2tid": "kratail2tid" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + 
"allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + }, + { + "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }], + "sshUsers": { "root": "" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + }, + { + "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }], + "sshUsers": { "monitorpasskeykradalby": "monitorpasskeykradalby" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + } + ] + }, + "tagged-prod": { "rules": [] } + } +} diff --git a/hscontrol/policy/v2/testdata/ssh_results/SSH-D11.json b/hscontrol/policy/v2/testdata/ssh_results/SSH-D11.json new file mode 100644 index 00000000..f87426ef --- /dev/null +++ b/hscontrol/policy/v2/testdata/ssh_results/SSH-D11.json 
@@ -0,0 +1,131 @@ +{ + "test_id": "SSH-D11", + "policy_file": "ssh_policies/ssh_d11.json", + "ssh_section": [ + { + "action": "accept", + "src": ["autogroup:member"], + "dst": ["tag:server"], + "users": ["localpart:*@passkey", "ubuntu"] + } + ], + "nodes": { + "user1": { + "rules": [ + { + "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }], + "sshUsers": { "root": "", "ubuntu": "ubuntu" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + }, + { + "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }], + "sshUsers": { "kratail2tid": "kratail2tid" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + } + ] + }, + "user-kris": { + "rules": [ + { + "principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }], + "sshUsers": { "root": "", "ubuntu": "ubuntu" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + } + ] + }, + "user-mon": { + "rules": [ + { + "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }], + "sshUsers": { "root": "", "ubuntu": "ubuntu" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + }, + { + "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }], + "sshUsers": { "monitorpasskeykradalby": "monitorpasskeykradalby" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + } + ] + }, + "tagged-server": { + "rules": [ + { + "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }], + "sshUsers": { "root": "", 
"ubuntu": "ubuntu" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + }, + { + "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }], + "sshUsers": { "kratail2tid": "kratail2tid" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + }, + { + "principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }], + "sshUsers": { "root": "", "ubuntu": "ubuntu" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + }, + { + "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }], + "sshUsers": { "root": "", "ubuntu": "ubuntu" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + }, + { + "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }], + "sshUsers": { "monitorpasskeykradalby": "monitorpasskeykradalby" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + } + ] + }, + "tagged-prod": { "rules": [] } + } +} diff --git a/hscontrol/policy/v2/testdata/ssh_results/SSH-D12.json b/hscontrol/policy/v2/testdata/ssh_results/SSH-D12.json new file mode 100644 index 00000000..197d9668 --- /dev/null +++ b/hscontrol/policy/v2/testdata/ssh_results/SSH-D12.json 
@@ -0,0 +1,131 @@ +{ + "test_id": "SSH-D12", + "policy_file": "ssh_policies/ssh_d12.json", + "ssh_section": [ + { + "action": "accept", + "src": ["autogroup:member"], + "dst": ["tag:server"], + "users": ["localpart:*@passkey", "ubuntu"] + } + ], + "nodes": { + "user1": { + "rules": [ + { + "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }], + "sshUsers": { "root": "", "ubuntu": "ubuntu" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + }, + { + "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }], + "sshUsers": { "kratail2tid": "kratail2tid" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + } + ] + }, + "user-kris": { + "rules": [ + { + "principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }], + "sshUsers": { "root": "", "ubuntu": "ubuntu" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + } + ] + }, + "user-mon": { + "rules": [ + { + "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }], + "sshUsers": { "root": "", "ubuntu": "ubuntu" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + }, + { + "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }], + "sshUsers": { "monitorpasskeykradalby": "monitorpasskeykradalby" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + } + ] + }, + "tagged-server": { + "rules": [ + { + "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }], + "sshUsers": { "root": "", 
"ubuntu": "ubuntu" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + }, + { + "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }], + "sshUsers": { "kratail2tid": "kratail2tid" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + }, + { + "principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }], + "sshUsers": { "root": "", "ubuntu": "ubuntu" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + }, + { + "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }], + "sshUsers": { "root": "", "ubuntu": "ubuntu" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + }, + { + "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }], + "sshUsers": { "monitorpasskeykradalby": "monitorpasskeykradalby" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + } + ] + }, + "tagged-prod": { "rules": [] } + } +} diff --git a/hscontrol/policy/v2/testdata/ssh_results/SSH-D2.json b/hscontrol/policy/v2/testdata/ssh_results/SSH-D2.json new file mode 100644 index 00000000..20c79efd --- /dev/null +++ b/hscontrol/policy/v2/testdata/ssh_results/SSH-D2.json 
@@ -0,0 +1,126 @@ +{ + "test_id": "SSH-D2", + "policy_file": "ssh_policies/ssh_d2.json", + "ssh_section": [ + { "action": "accept", "src": ["autogroup:member"], "dst": ["tag:server"], "users": ["localpart:*@passkey"] } + ], + "nodes": { + "user1": { + "rules": [ + { + "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }], + "sshUsers": { "root": "" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + }, + { + "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }], + "sshUsers": { "kratail2tid": "kratail2tid" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + } + ] + }, + "user-kris": { + "rules": [ + { + "principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }], + "sshUsers": { "root": "" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + } + ] + }, + "user-mon": { + "rules": [ + { + "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }], + "sshUsers": { "root": "" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + }, + { + "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }], + "sshUsers": { "monitorpasskeykradalby": "monitorpasskeykradalby" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + } + ] + }, + "tagged-server": { + "rules": [ + { + "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }], + "sshUsers": { "root": "" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + 
"allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + }, + { + "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }], + "sshUsers": { "kratail2tid": "kratail2tid" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + }, + { + "principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }], + "sshUsers": { "root": "" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + }, + { + "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }], + "sshUsers": { "root": "" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + }, + { + "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }], + "sshUsers": { "monitorpasskeykradalby": "monitorpasskeykradalby" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + } + ] + }, + "tagged-prod": { "rules": [] } + } +} diff --git a/hscontrol/policy/v2/testdata/ssh_results/SSH-D3.json b/hscontrol/policy/v2/testdata/ssh_results/SSH-D3.json new file mode 100644 index 00000000..a8fc399c --- /dev/null +++ b/hscontrol/policy/v2/testdata/ssh_results/SSH-D3.json 
@@ -0,0 +1,126 @@ +{ + "test_id": "SSH-D3", + "policy_file": "ssh_policies/ssh_d3.json", + "ssh_section": [ + { "action": "accept", "src": ["autogroup:member"], "dst": ["tag:server"], "users": ["localpart:*@passkey", "root"] } + ], + "nodes": { + "user1": { + "rules": [ + { + "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }], + "sshUsers": { "root": "root" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + }, + { + "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }], + "sshUsers": { "kratail2tid": "kratail2tid" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + } + ] + }, + "user-kris": { + "rules": [ + { + "principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }], + "sshUsers": { "root": "root" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + } + ] + }, + "user-mon": { + "rules": [ + { + "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }], + "sshUsers": { "root": "root" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + }, + { + "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }], + "sshUsers": { "monitorpasskeykradalby": "monitorpasskeykradalby" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + } + ] + }, + "tagged-server": { + "rules": [ + { + "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }], + "sshUsers": { "root": "root" }, + "action": { + "accept": true, + 
"allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + }, + { + "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }], + "sshUsers": { "kratail2tid": "kratail2tid" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + }, + { + "principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }], + "sshUsers": { "root": "root" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + }, + { + "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }], + "sshUsers": { "root": "root" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + }, + { + "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }], + "sshUsers": { "monitorpasskeykradalby": "monitorpasskeykradalby" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + } + ] + }, + "tagged-prod": { "rules": [] } + } +} diff --git a/hscontrol/policy/v2/testdata/ssh_results/SSH-D4.json b/hscontrol/policy/v2/testdata/ssh_results/SSH-D4.json new file mode 100644 index 00000000..5a7dc71c --- /dev/null +++ b/hscontrol/policy/v2/testdata/ssh_results/SSH-D4.json 
@@ -0,0 +1,131 @@ +{ + "test_id": "SSH-D4", + "policy_file": "ssh_policies/ssh_d4.json", + "ssh_section": [ + { + "action": "accept", + "src": ["autogroup:member"], + "dst": ["tag:server"], + "users": ["localpart:*@passkey", "autogroup:nonroot"] + } + ], + "nodes": { + "user1": { + "rules": [ + { + "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }], + "sshUsers": { "*": "=", "root": "" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + }, + { + "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }], + "sshUsers": { "kratail2tid": "kratail2tid" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + } + ] + }, + "user-kris": { + "rules": [ + { + "principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }], + "sshUsers": { "*": "=", "root": "" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + } + ] + }, + "user-mon": { + "rules": [ + { + "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }], + "sshUsers": { "*": "=", "root": "" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + }, + { + "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }], + "sshUsers": { "monitorpasskeykradalby": "monitorpasskeykradalby" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + } + ] + }, + "tagged-server": { + "rules": [ + { + "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }], + "sshUsers": { "*": "=", "root": "" }, + 
"action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + }, + { + "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }], + "sshUsers": { "kratail2tid": "kratail2tid" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + }, + { + "principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }], + "sshUsers": { "*": "=", "root": "" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + }, + { + "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }], + "sshUsers": { "*": "=", "root": "" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + }, + { + "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }], + "sshUsers": { "monitorpasskeykradalby": "monitorpasskeykradalby" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + } + ] + }, + "tagged-prod": { "rules": [] } + } +} diff --git a/hscontrol/policy/v2/testdata/ssh_results/SSH-D5.json b/hscontrol/policy/v2/testdata/ssh_results/SSH-D5.json new file mode 100644 index 00000000..f9a4f5f4 --- /dev/null +++ b/hscontrol/policy/v2/testdata/ssh_results/SSH-D5.json 
@@ -0,0 +1,131 @@ +{ + "test_id": "SSH-D5", + "policy_file": "ssh_policies/ssh_d5.json", + "ssh_section": [ + { + "action": "accept", + "src": ["autogroup:member"], + "dst": ["tag:server"], + "users": ["localpart:*@passkey", "root", "autogroup:nonroot"] + } + ], + "nodes": { + "user1": { + "rules": [ + { + "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }], + "sshUsers": { "*": "=", "root": "root" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + }, + { + "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }], + "sshUsers": { "kratail2tid": "kratail2tid" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + } + ] + }, + "user-kris": { + "rules": [ + { + "principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }], + "sshUsers": { "*": "=", "root": "root" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + } + ] + }, + "user-mon": { + "rules": [ + { + "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }], + "sshUsers": { "*": "=", "root": "root" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + }, + { + "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }], + "sshUsers": { "monitorpasskeykradalby": "monitorpasskeykradalby" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + } + ] + }, + "tagged-server": { + "rules": [ + { + "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }], + "sshUsers": { "*": "=", 
"root": "root" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + }, + { + "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }], + "sshUsers": { "kratail2tid": "kratail2tid" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + }, + { + "principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }], + "sshUsers": { "*": "=", "root": "root" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + }, + { + "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }], + "sshUsers": { "*": "=", "root": "root" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + }, + { + "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }], + "sshUsers": { "monitorpasskeykradalby": "monitorpasskeykradalby" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + } + ] + }, + "tagged-prod": { "rules": [] } + } +} diff --git a/hscontrol/policy/v2/testdata/ssh_results/SSH-D6.json b/hscontrol/policy/v2/testdata/ssh_results/SSH-D6.json new file mode 100644 index 00000000..d11f4a3c --- /dev/null +++ b/hscontrol/policy/v2/testdata/ssh_results/SSH-D6.json 
@@ -0,0 +1,131 @@ +{ + "test_id": "SSH-D6", + "policy_file": "ssh_policies/ssh_d6.json", + "ssh_section": [ + { + "action": "accept", + "src": ["autogroup:member"], + "dst": ["tag:server"], + "users": ["localpart:*@passkey", "autogroup:nonroot"] + } + ], + "nodes": { + "user1": { + "rules": [ + { + "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }], + "sshUsers": { "*": "=", "root": "" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + }, + { + "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }], + "sshUsers": { "kratail2tid": "kratail2tid" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + } + ] + }, + "user-kris": { + "rules": [ + { + "principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }], + "sshUsers": { "*": "=", "root": "" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + } + ] + }, + "user-mon": { + "rules": [ + { + "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }], + "sshUsers": { "*": "=", "root": "" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + }, + { + "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }], + "sshUsers": { "monitorpasskeykradalby": "monitorpasskeykradalby" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + } + ] + }, + "tagged-server": { + "rules": [ + { + "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }], + "sshUsers": { "*": "=", "root": "" }, + 
"action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + }, + { + "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }], + "sshUsers": { "kratail2tid": "kratail2tid" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + }, + { + "principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }], + "sshUsers": { "*": "=", "root": "" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + }, + { + "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }], + "sshUsers": { "*": "=", "root": "" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + }, + { + "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }], + "sshUsers": { "monitorpasskeykradalby": "monitorpasskeykradalby" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + } + ] + }, + "tagged-prod": { "rules": [] } + } +} diff --git a/hscontrol/policy/v2/testdata/ssh_results/SSH-D7.json b/hscontrol/policy/v2/testdata/ssh_results/SSH-D7.json new file mode 100644 index 00000000..84dcbce4 --- /dev/null +++ b/hscontrol/policy/v2/testdata/ssh_results/SSH-D7.json 
@@ -0,0 +1,131 @@ +{ + "test_id": "SSH-D7", + "policy_file": "ssh_policies/ssh_d7.json", + "ssh_section": [ + { + "action": "accept", + "src": ["autogroup:member"], + "dst": ["tag:server"], + "users": ["localpart:*@passkey", "root", "autogroup:nonroot"] + } + ], + "nodes": { + "user1": { + "rules": [ + { + "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }], + "sshUsers": { "*": "=", "root": "root" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + }, + { + "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }], + "sshUsers": { "kratail2tid": "kratail2tid" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + } + ] + }, + "user-kris": { + "rules": [ + { + "principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }], + "sshUsers": { "*": "=", "root": "root" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + } + ] + }, + "user-mon": { + "rules": [ + { + "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }], + "sshUsers": { "*": "=", "root": "root" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + }, + { + "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }], + "sshUsers": { "monitorpasskeykradalby": "monitorpasskeykradalby" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + } + ] + }, + "tagged-server": { + "rules": [ + { + "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }], + "sshUsers": { "*": "=", 
"root": "root" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + }, + { + "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }], + "sshUsers": { "kratail2tid": "kratail2tid" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + }, + { + "principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }], + "sshUsers": { "*": "=", "root": "root" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + }, + { + "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }], + "sshUsers": { "*": "=", "root": "root" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + }, + { + "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }], + "sshUsers": { "monitorpasskeykradalby": "monitorpasskeykradalby" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + } + ] + }, + "tagged-prod": { "rules": [] } + } +} diff --git a/hscontrol/policy/v2/testdata/ssh_results/SSH-D8.json b/hscontrol/policy/v2/testdata/ssh_results/SSH-D8.json new file mode 100644 index 00000000..9242e93c --- /dev/null +++ b/hscontrol/policy/v2/testdata/ssh_results/SSH-D8.json 
@@ -0,0 +1,73 @@ +{ + "test_id": "SSH-D8", + "policy_file": "ssh_policies/ssh_d8.json", + "ssh_section": [ + { "action": "accept", "src": ["autogroup:member"], "dst": ["autogroup:self"], "users": ["localpart:*@passkey"] } + ], + "nodes": { + "user1": { + "rules": [ + { + "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }], + "sshUsers": { "root": "" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + }, + { + "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }], + "sshUsers": { "kratail2tid": "kratail2tid" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + } + ] + }, + "user-kris": { + "rules": [ + { + "principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }], + "sshUsers": { "root": "" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + } + ] + }, + "user-mon": { + "rules": [ + { + "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }], + "sshUsers": { "root": "" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + }, + { + "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }], + "sshUsers": { "monitorpasskeykradalby": "monitorpasskeykradalby" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + } + ] + }, + "tagged-server": { "rules": [] }, + "tagged-prod": { "rules": [] } + } +} 
diff --git a/hscontrol/policy/v2/testdata/ssh_results/SSH-D9.json b/hscontrol/policy/v2/testdata/ssh_results/SSH-D9.json new file mode 100644 index 00000000..7abd3b71 --- /dev/null +++ b/hscontrol/policy/v2/testdata/ssh_results/SSH-D9.json 
@@ -0,0 +1,78 @@ +{ + "test_id": "SSH-D9", + "policy_file": "ssh_policies/ssh_d9.json", + "ssh_section": [ + { + "action": "accept", + "src": ["autogroup:member"], + "dst": ["autogroup:self"], + "users": ["localpart:*@passkey", "root"] + } + ], + "nodes": { + "user1": { + "rules": [ + { + "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }], + "sshUsers": { "root": "root" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + }, + { + "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }], + "sshUsers": { "kratail2tid": "kratail2tid" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + } + ] + }, + "user-kris": { + "rules": [ + { + "principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }], + "sshUsers": { "root": "root" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + } + ] + }, + "user-mon": { + "rules": [ + { + "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }], + "sshUsers": { "root": "root" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + }, + { + "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }], + "sshUsers": { "monitorpasskeykradalby": "monitorpasskeykradalby" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + } + ] + }, + "tagged-server": { "rules": [] }, + "tagged-prod": { "rules": [] } + } +} 
diff --git a/hscontrol/policy/v2/testdata/ssh_results/SSH-E3.json b/hscontrol/policy/v2/testdata/ssh_results/SSH-E3.json new file mode 100644 index 00000000..3585b996 --- /dev/null +++ b/hscontrol/policy/v2/testdata/ssh_results/SSH-E3.json @@ -0,0 +1,12 @@ +{ + "test_id": "SSH-E3", + "policy_file": "ssh_policies/ssh_e3.json", + "ssh_section": [], + "nodes": { + "user1": { "rules": [] }, + "user-kris": { "rules": [] }, + "user-mon": { "rules": [] }, + "tagged-server": { "rules": [] }, + "tagged-prod": { "rules": [] } + } +} diff --git a/hscontrol/policy/v2/testdata/ssh_results/SSH-E4.json b/hscontrol/policy/v2/testdata/ssh_results/SSH-E4.json new file mode 100644 index 00000000..645d8d0f --- /dev/null +++ b/hscontrol/policy/v2/testdata/ssh_results/SSH-E4.json @@ -0,0 +1,12 @@ +{ + "test_id": "SSH-E4", + "policy_file": "ssh_policies/ssh_e4.json", + "ssh_section": null, + "nodes": { + "user1": { "rules": [] }, + "user-kris": { "rules": [] }, + "user-mon": { "rules": [] }, + "tagged-server": { "rules": [] }, + "tagged-prod": { "rules": [] } + } +} diff --git a/hscontrol/policy/v2/testdata/ssh_results/SSH-E5.json b/hscontrol/policy/v2/testdata/ssh_results/SSH-E5.json new file mode 100644 index 00000000..94f67545 --- /dev/null +++ b/hscontrol/policy/v2/testdata/ssh_results/SSH-E5.json 
@@ -0,0 +1,38 @@ +{ + "test_id": "SSH-E5", + "policy_file": "ssh_policies/ssh_e5.json", + "ssh_section": [{ "action": "accept", "src": ["tag:prod"], "dst": ["tag:server"], "users": ["localpart:*@passkey"] }], + "nodes": { + "user1": { "rules": [] }, + "user-kris": { "rules": [] }, + "user-mon": { "rules": [] }, + "tagged-server": { + "rules": [ + { + "principals": [{ "nodeIP": "100.103.8.15" }, { "nodeIP": "fd7a:115c:a1e0::5b37:80f" }], + "sshUsers": { "root": "" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + } + ] + }, + "tagged-prod": { + "rules": [ + { + "principals": [{ "nodeIP": "100.103.8.15" }, { "nodeIP": "fd7a:115c:a1e0::5b37:80f" }], + "sshUsers": { "root": "" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + } + ] + } + } +} diff --git a/hscontrol/policy/v2/testdata/ssh_results/SSH-E6.json b/hscontrol/policy/v2/testdata/ssh_results/SSH-E6.json new file mode 100644 index 00000000..8dfd5f97 --- /dev/null +++ b/hscontrol/policy/v2/testdata/ssh_results/SSH-E6.json 
@@ -0,0 +1,240 @@ +{ + "test_id": "SSH-E6", + "policy_file": "ssh_policies/ssh_e6.json", + "ssh_section": [ + { + "action": "check", + "src": [ + "autogroup:member" + ], + "dst": [ + "tag:server" + ], + "users": [ + "localpart:*@passkey" + ], + "checkPeriod": "1h" + } + ], + "nodes": { + "user1": { + "rules": [ + { + "principals": [ + { + "nodeIP": "100.90.199.68" + }, + { + "nodeIP": "fd7a:115c:a1e0::2d01:c747" + } + ], + "sshUsers": { + "root": "" + }, + "action": { + "holdAndDelegate": "unused-server-url/machine/ssh/action/from/$SRC_NODE_ID/to/$DST_NODE_ID?ssh_user=$SSH_USER&local_user=$LOCAL_USER", + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true, + "sessionDuration": 3600000000000 + } + }, + { + "principals": [ + { + "nodeIP": "100.90.199.68" + }, + { + "nodeIP": "fd7a:115c:a1e0::2d01:c747" + } + ], + "sshUsers": { + "kratail2tid": "kratail2tid" + }, + "action": { + "holdAndDelegate": "unused-server-url/machine/ssh/action/from/$SRC_NODE_ID/to/$DST_NODE_ID?ssh_user=$SSH_USER&local_user=$LOCAL_USER", + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true, + "sessionDuration": 3600000000000 + } + } + ] + }, + "user-kris": { + "rules": [ + { + "principals": [ + { + "nodeIP": "100.110.121.96" + }, + { + "nodeIP": "fd7a:115c:a1e0::1737:7960" + } + ], + "sshUsers": { + "root": "" + }, + "action": { + "holdAndDelegate": "unused-server-url/machine/ssh/action/from/$SRC_NODE_ID/to/$DST_NODE_ID?ssh_user=$SSH_USER&local_user=$LOCAL_USER", + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true, + "sessionDuration": 3600000000000 + } + } + ] + }, + "user-mon": { + "rules": [ + { + "principals": [ + { + "nodeIP": "100.103.90.82" + }, + { + "nodeIP": "fd7a:115c:a1e0::9e37:5a52" + } + ], + "sshUsers": { + "root": "" + }, + "action": { + "holdAndDelegate": 
"unused-server-url/machine/ssh/action/from/$SRC_NODE_ID/to/$DST_NODE_ID?ssh_user=$SSH_USER&local_user=$LOCAL_USER", + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true, + "sessionDuration": 3600000000000 + } + }, + { + "principals": [ + { + "nodeIP": "100.103.90.82" + }, + { + "nodeIP": "fd7a:115c:a1e0::9e37:5a52" + } + ], + "sshUsers": { + "monitorpasskeykradalby": "monitorpasskeykradalby" + }, + "action": { + "holdAndDelegate": "unused-server-url/machine/ssh/action/from/$SRC_NODE_ID/to/$DST_NODE_ID?ssh_user=$SSH_USER&local_user=$LOCAL_USER", + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true, + "sessionDuration": 3600000000000 + } + } + ] + }, + "tagged-server": { + "rules": [ + { + "principals": [ + { + "nodeIP": "100.90.199.68" + }, + { + "nodeIP": "fd7a:115c:a1e0::2d01:c747" + } + ], + "sshUsers": { + "root": "" + }, + "action": { + "holdAndDelegate": "unused-server-url/machine/ssh/action/from/$SRC_NODE_ID/to/$DST_NODE_ID?ssh_user=$SSH_USER&local_user=$LOCAL_USER", + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true, + "sessionDuration": 3600000000000 + } + }, + { + "principals": [ + { + "nodeIP": "100.90.199.68" + }, + { + "nodeIP": "fd7a:115c:a1e0::2d01:c747" + } + ], + "sshUsers": { + "kratail2tid": "kratail2tid" + }, + "action": { + "holdAndDelegate": "unused-server-url/machine/ssh/action/from/$SRC_NODE_ID/to/$DST_NODE_ID?ssh_user=$SSH_USER&local_user=$LOCAL_USER", + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true, + "sessionDuration": 3600000000000 + } + }, + { + "principals": [ + { + "nodeIP": "100.110.121.96" + }, + { + "nodeIP": "fd7a:115c:a1e0::1737:7960" + } + ], + "sshUsers": { + "root": "" + }, + "action": { + "holdAndDelegate": 
"unused-server-url/machine/ssh/action/from/$SRC_NODE_ID/to/$DST_NODE_ID?ssh_user=$SSH_USER&local_user=$LOCAL_USER", + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true, + "sessionDuration": 3600000000000 + } + }, + { + "principals": [ + { + "nodeIP": "100.103.90.82" + }, + { + "nodeIP": "fd7a:115c:a1e0::9e37:5a52" + } + ], + "sshUsers": { + "root": "" + }, + "action": { + "holdAndDelegate": "unused-server-url/machine/ssh/action/from/$SRC_NODE_ID/to/$DST_NODE_ID?ssh_user=$SSH_USER&local_user=$LOCAL_USER", + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true, + "sessionDuration": 3600000000000 + } + }, + { + "principals": [ + { + "nodeIP": "100.103.90.82" + }, + { + "nodeIP": "fd7a:115c:a1e0::9e37:5a52" + } + ], + "sshUsers": { + "monitorpasskeykradalby": "monitorpasskeykradalby" + }, + "action": { + "holdAndDelegate": "unused-server-url/machine/ssh/action/from/$SRC_NODE_ID/to/$DST_NODE_ID?ssh_user=$SSH_USER&local_user=$LOCAL_USER", + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true, + "sessionDuration": 3600000000000 + } + } + ] + }, + "tagged-prod": { + "rules": [] + } + } +} diff --git a/hscontrol/policy/v2/testdata/ssh_results/SSH-F1.json b/hscontrol/policy/v2/testdata/ssh_results/SSH-F1.json new file mode 100644 index 00000000..47bd1356 --- /dev/null +++ b/hscontrol/policy/v2/testdata/ssh_results/SSH-F1.json 
@@ -0,0 +1,74 @@ +{ + "test_id": "SSH-F1", + "policy_file": "ssh_policies/ssh_f1.json", + "ssh_section": [ + { "action": "accept", "src": ["autogroup:member"], "dst": ["autogroup:self"], "users": ["root"] }, + { "action": "accept", "src": ["autogroup:member"], "dst": ["tag:server"], "users": ["autogroup:nonroot"] } + ], + "nodes": { + "user1": { + "rules": [ + { + "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }], + "sshUsers": { "root": "root" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + } + ] + }, + "user-kris": { + "rules": [ + { + "principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }], + "sshUsers": { "root": "root" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + } + ] + }, + "user-mon": { + "rules": [ + { + "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }], + "sshUsers": { "root": "root" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + } + ] + }, + "tagged-server": { + "rules": [ + { + "principals": [ + { "nodeIP": "100.103.90.82" }, + { "nodeIP": "100.110.121.96" }, + { "nodeIP": "100.90.199.68" }, + { "nodeIP": "fd7a:115c:a1e0::1737:7960" }, + { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }, + { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" } + ], + "sshUsers": { "*": "=", "root": "" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + } + ] + }, + "tagged-prod": { "rules": [] } + } +} diff --git a/hscontrol/policy/v2/testdata/ssh_results/SSH-F2.json b/hscontrol/policy/v2/testdata/ssh_results/SSH-F2.json new file mode 100644 index 00000000..61bc3b4b --- /dev/null 
+++ b/hscontrol/policy/v2/testdata/ssh_results/SSH-F2.json @@ -0,0 +1,111 @@ +{ + "test_id": "SSH-F2", + "policy_file": "ssh_policies/ssh_f2.json", + "ssh_section": [ + { + "action": "accept", + "src": [ + "autogroup:member" + ], + "dst": [ + "tag:server" + ], + "users": [ + "root" + ] + }, + { + "action": "check", + "src": [ + "autogroup:member" + ], + "dst": [ + "tag:server" + ], + "users": [ + "root" + ] + } + ], + "nodes": { + "user1": { + "rules": [] + }, + "user-kris": { + "rules": [] + }, + "user-mon": { + "rules": [] + }, + "tagged-server": { + "rules": [ + { + "principals": [ + { + "nodeIP": "100.103.90.82" + }, + { + "nodeIP": "100.110.121.96" + }, + { + "nodeIP": "100.90.199.68" + }, + { + "nodeIP": "fd7a:115c:a1e0::1737:7960" + }, + { + "nodeIP": "fd7a:115c:a1e0::2d01:c747" + }, + { + "nodeIP": "fd7a:115c:a1e0::9e37:5a52" + } + ], + "sshUsers": { + "root": "root" + }, + "action": { + "holdAndDelegate": "unused-server-url/machine/ssh/action/from/$SRC_NODE_ID/to/$DST_NODE_ID?ssh_user=$SSH_USER&local_user=$LOCAL_USER", + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true, + "sessionDuration": 43200000000000 + } + }, + { + "principals": [ + { + "nodeIP": "100.103.90.82" + }, + { + "nodeIP": "100.110.121.96" + }, + { + "nodeIP": "100.90.199.68" + }, + { + "nodeIP": "fd7a:115c:a1e0::1737:7960" + }, + { + "nodeIP": "fd7a:115c:a1e0::2d01:c747" + }, + { + "nodeIP": "fd7a:115c:a1e0::9e37:5a52" + } + ], + "sshUsers": { + "root": "root" + }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + } + ] + }, + "tagged-prod": { + "rules": [] + } + } +} diff --git a/hscontrol/policy/v2/testdata/ssh_results/SSH-F3.json b/hscontrol/policy/v2/testdata/ssh_results/SSH-F3.json new file mode 100644 index 00000000..d16f5f31 --- /dev/null +++ b/hscontrol/policy/v2/testdata/ssh_results/SSH-F3.json 
@@ -0,0 +1,144 @@ +{ + "test_id": "SSH-F3", + "policy_file": "ssh_policies/ssh_f3.json", + "ssh_section": [ + { "action": "accept", "src": ["autogroup:member"], "dst": ["tag:server"], "users": ["localpart:*@passkey"] }, + { "action": "accept", "src": ["autogroup:member"], "dst": ["tag:server"], "users": ["root"] } + ], + "nodes": { + "user1": { + "rules": [ + { + "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }], + "sshUsers": { "root": "" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + }, + { + "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }], + "sshUsers": { "kratail2tid": "kratail2tid" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + } + ] + }, + "user-kris": { + "rules": [ + { + "principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }], + "sshUsers": { "root": "" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + } + ] + }, + "user-mon": { + "rules": [ + { + "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }], + "sshUsers": { "root": "" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + }, + { + "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }], + "sshUsers": { "monitorpasskeykradalby": "monitorpasskeykradalby" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + } + ] + }, + "tagged-server": { + "rules": [ + { + "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }], + 
"sshUsers": { "root": "" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + }, + { + "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }], + "sshUsers": { "kratail2tid": "kratail2tid" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + }, + { + "principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }], + "sshUsers": { "root": "" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + }, + { + "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }], + "sshUsers": { "root": "" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + }, + { + "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }], + "sshUsers": { "monitorpasskeykradalby": "monitorpasskeykradalby" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + }, + { + "principals": [ + { "nodeIP": "100.103.90.82" }, + { "nodeIP": "100.110.121.96" }, + { "nodeIP": "100.90.199.68" }, + { "nodeIP": "fd7a:115c:a1e0::1737:7960" }, + { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }, + { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" } + ], + "sshUsers": { "root": "root" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + } + ] + }, + "tagged-prod": { "rules": [] } + } +} diff --git a/hscontrol/policy/v2/testdata/ssh_results/SSH-F4.json b/hscontrol/policy/v2/testdata/ssh_results/SSH-F4.json new file mode 100644 index 00000000..43dc27dc --- /dev/null 
+++ b/hscontrol/policy/v2/testdata/ssh_results/SSH-F4.json 
@@ -0,0 +1,144 @@ +{ + "test_id": "SSH-F4", + "policy_file": "ssh_policies/ssh_f4.json", + "ssh_section": [ + { "action": "accept", "src": ["autogroup:member"], "dst": ["tag:server"], "users": ["localpart:*@passkey"] }, + { "action": "accept", "src": ["autogroup:member"], "dst": ["tag:server"], "users": ["autogroup:nonroot"] } + ], + "nodes": { + "user1": { + "rules": [ + { + "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }], + "sshUsers": { "root": "" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + }, + { + "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }], + "sshUsers": { "kratail2tid": "kratail2tid" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + } + ] + }, + "user-kris": { + "rules": [ + { + "principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }], + "sshUsers": { "root": "" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + } + ] + }, + "user-mon": { + "rules": [ + { + "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }], + "sshUsers": { "root": "" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + }, + { + "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }], + "sshUsers": { "monitorpasskeykradalby": "monitorpasskeykradalby" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + } + ] + }, + "tagged-server": { + "rules": [ + { + "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }], 
+ "sshUsers": { "root": "" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + }, + { + "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }], + "sshUsers": { "kratail2tid": "kratail2tid" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + }, + { + "principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }], + "sshUsers": { "root": "" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + }, + { + "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }], + "sshUsers": { "root": "" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + }, + { + "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }], + "sshUsers": { "monitorpasskeykradalby": "monitorpasskeykradalby" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + }, + { + "principals": [ + { "nodeIP": "100.103.90.82" }, + { "nodeIP": "100.110.121.96" }, + { "nodeIP": "100.90.199.68" }, + { "nodeIP": "fd7a:115c:a1e0::1737:7960" }, + { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }, + { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" } + ], + "sshUsers": { "*": "=", "root": "" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + } + ] + }, + "tagged-prod": { "rules": [] } + } +} diff --git a/hscontrol/policy/v2/testdata/ssh_results/SSH-F5.json b/hscontrol/policy/v2/testdata/ssh_results/SSH-F5.json new file mode 100644 index 00000000..9065a0f7 --- /dev/null 
+++ b/hscontrol/policy/v2/testdata/ssh_results/SSH-F5.json 
@@ -0,0 +1,177 @@ +{ + "test_id": "SSH-F5", + "policy_file": "ssh_policies/ssh_f5.json", + "ssh_section": [ + { "action": "accept", "src": ["autogroup:member"], "dst": ["autogroup:self"], "users": ["localpart:*@passkey"] }, + { "action": "accept", "src": ["autogroup:member"], "dst": ["tag:server"], "users": ["localpart:*@passkey"] } + ], + "nodes": { + "user1": { + "rules": [ + { + "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }], + "sshUsers": { "root": "" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + }, + { + "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }], + "sshUsers": { "kratail2tid": "kratail2tid" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + }, + { + "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }], + "sshUsers": { "root": "" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + }, + { + "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }], + "sshUsers": { "kratail2tid": "kratail2tid" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + } + ] + }, + "user-kris": { + "rules": [ + { + "principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }], + "sshUsers": { "root": "" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + }, + { + "principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }], + "sshUsers": { "root": "" }, + "action": { + "accept": true, + "allowAgentForwarding": true, 
+ "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + } + ] + }, + "user-mon": { + "rules": [ + { + "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }], + "sshUsers": { "root": "" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + }, + { + "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }], + "sshUsers": { "monitorpasskeykradalby": "monitorpasskeykradalby" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + }, + { + "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }], + "sshUsers": { "root": "" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + }, + { + "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }], + "sshUsers": { "monitorpasskeykradalby": "monitorpasskeykradalby" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + } + ] + }, + "tagged-server": { + "rules": [ + { + "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }], + "sshUsers": { "root": "" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + }, + { + "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }], + "sshUsers": { "kratail2tid": "kratail2tid" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + }, + { + "principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }], + "sshUsers": { 
"root": "" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + }, + { + "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }], + "sshUsers": { "root": "" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + }, + { + "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }], + "sshUsers": { "monitorpasskeykradalby": "monitorpasskeykradalby" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + } + } + ] + }, + "tagged-prod": { "rules": [] } + } +} diff --git a/hscontrol/policy/v2/testdata/ssh_results/SSH-G1.json b/hscontrol/policy/v2/testdata/ssh_results/SSH-G1.json new file mode 100644 index 00000000..153dd354 --- /dev/null +++ b/hscontrol/policy/v2/testdata/ssh_results/SSH-G1.json @@ -0,0 +1,41 @@ +{ + "test_id": "SSH-G1", + "policy_file": "ssh_policies/ssh_g1.json", + "ssh_section": [ + { + "action": "accept", + "src": ["autogroup:member"], + "dst": ["tag:server"], + "users": ["root"], + "acceptEnv": ["GIT_EDITOR", "TERM"] + } + ], + "nodes": { + "user1": { "rules": [] }, + "user-kris": { "rules": [] }, + "user-mon": { "rules": [] }, + "tagged-server": { + "rules": [ + { + "principals": [ + { "nodeIP": "100.103.90.82" }, + { "nodeIP": "100.110.121.96" }, + { "nodeIP": "100.90.199.68" }, + { "nodeIP": "fd7a:115c:a1e0::1737:7960" }, + { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }, + { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" } + ], + "sshUsers": { "root": "root" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + }, + "acceptEnv": ["GIT_EDITOR", "TERM"] + } + ] + }, + "tagged-prod": { "rules": [] } + } +} 
diff --git a/hscontrol/policy/v2/testdata/ssh_results/SSH-G2.json b/hscontrol/policy/v2/testdata/ssh_results/SSH-G2.json new file mode 100644 index 00000000..fb6fbcf6 --- /dev/null +++ b/hscontrol/policy/v2/testdata/ssh_results/SSH-G2.json @@ -0,0 +1,41 @@ +{ + "test_id": "SSH-G2", + "policy_file": "ssh_policies/ssh_g2.json", + "ssh_section": [ + { + "action": "accept", + "src": ["autogroup:member"], + "dst": ["tag:server"], + "users": ["root"], + "acceptEnv": ["GIT_*", "CUSTOM_VAR_?"] + } + ], + "nodes": { + "user1": { "rules": [] }, + "user-kris": { "rules": [] }, + "user-mon": { "rules": [] }, + "tagged-server": { + "rules": [ + { + "principals": [ + { "nodeIP": "100.103.90.82" }, + { "nodeIP": "100.110.121.96" }, + { "nodeIP": "100.90.199.68" }, + { "nodeIP": "fd7a:115c:a1e0::1737:7960" }, + { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }, + { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" } + ], + "sshUsers": { "root": "root" }, + "action": { + "accept": true, + "allowAgentForwarding": true, + "allowLocalPortForwarding": true, + "allowRemotePortForwarding": true + }, + "acceptEnv": ["GIT_*", "CUSTOM_VAR_?"] + } + ] + }, + "tagged-prod": { "rules": [] } + } +}