diff --git a/test/case/infix_services/Readme.adoc b/test/case/infix_services/Readme.adoc index e17270468..64948ebc3 100644 --- a/test/case/infix_services/Readme.adoc +++ b/test/case/infix_services/Readme.adoc @@ -4,3 +4,5 @@ <<< include::services_basic/Readme.adoc[] + +include::ssh_server_config/Readme.adoc[] diff --git a/test/case/infix_services/infix_services.yaml b/test/case/infix_services/infix_services.yaml index 8ed50c210..11301385a 100644 --- a/test/case/infix_services/infix_services.yaml +++ b/test/case/infix_services/infix_services.yaml @@ -6,4 +6,6 @@ # are transparent with respect to IEEE link-local multicast. #- name: services_basic # case: services_basic/test.py -[] + +- name: ssh_server_config + case: ssh_server_config/test.py diff --git a/test/case/infix_services/ssh_server_config/Readme.adoc b/test/case/infix_services/ssh_server_config/Readme.adoc new file mode 100644 index 000000000..118881d81 --- /dev/null +++ b/test/case/infix_services/ssh_server_config/Readme.adoc @@ -0,0 +1,29 @@ +=== SSH server configuration +==== Description +Test SSH server functionality with pre-defined key pair: +1. Enable/Disable SSH service. +2. Configure listen address and port. +3. Validate connectivity using static key pair. + +==== Topology +ifdef::topdoc[] +image::../../test/case/infix_services/ssh_server_config/topology.svg[SSH server configuration topology] +endif::topdoc[] +ifndef::topdoc[] +ifdef::testgroup[] +image::ssh_server_config/topology.svg[SSH server configuration topology] +endif::testgroup[] +ifndef::testgroup[] +image::topology.svg[SSH server configuration topology] +endif::testgroup[] +endif::topdoc[] +==== Test sequence +. Setup topology and attach to the target +. Configure SSH server +. Verify SSH public keys +. Verify it is not possible to access SSH on other IP address +. Disable SSH server + + +<<< + diff --git a/test/case/infix_services/ssh_server_config/test.py b/test/case/infix_services/ssh_server_config/test.py new file mode 100755 index 000000000..5766c08cb --- /dev/null +++ b/test/case/infix_services/ssh_server_config/test.py @@ -0,0 +1,141 @@ +#!/usr/bin/env python3 +""" +SSH server configuration + +Test SSH server functionality with pre-defined key pair: +1. Enable/Disable SSH service. +2. Configure listen address and port. +3. Validate connectivity using static key pair. +""" + +import subprocess +import infamy + +PRIVATE_KEY = "MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCtzyoT8/23hSyo7trLaqc6Auj5jvwhhCxUh8WIyfd5G/R9R+/wFEtGo6c6h75/GFCotFCQYvLlqHkrI0QiLYCPo0Rcxzfpy8TZGYjlyD8aYTYeXR2Oow6cjHE3ajQEEPbr5eiV/NBezg00SrCazDN4VHEXcjhl4egaKxDyG1yi98kQISY0+ehNjR/CKOBvOxHqB0N7gUnasbBiiN/iCCkCuDFKnBM6cYrUAvwP/aj+f9dq4lImJ6YpHaSjFKIa2ZFmOi20X0cb0AS1cshjSU2qf9eS2nysbmlC50X8HL9gaIeVInsWTLxEHTrd2gyBCTPO3X6oLJWW7HoB+yA9wp6xAgMBAAECggEACDNXrsaSrFmfFm7jmZikAHmR7LFlfb7W2RupUyeFUrxiDBWscVFBznjK+3jbYPOAnb8ZNIDIqVOKOQHyVWL8d3p6b56yKYik1mHtKrtIl+npg+P8kKXqmvII5vaOsvjqb42izE3X9nsmFhcmjz0uegFQ7yxjUxJGMVLiGyw1khZHFLxAcCzwN2qnxni7MjU2d+ZAtNd4ilSjXZ46Q/6+CyrhoTDUhc+5iqCgXU2wtYWrnvEhCBFd3AYh1vWZuh1TxMgnsfYePk5fHM1AG10XUvI5jOjSkSN+AlJxuXeUSeLyUV4hekem/j/UT3KwVPAiEsBil4KWyneiildXxU5MaQKBgQDm1667T06I/ty6/KZSdfm4EpDKylHohdN8Vr0MfgZSzZgc3bNNMQxAXhGdTIi2keIpitoF+/vLiMhxa9q692XY85eKSOC0Lvv5IRUC9/fUtoKrESOoxwX8SJ3bHj/Xel7Ye0WOXVJcO1/PXO0KFgs2YDRdmQKMFNKS/CdK+2TuCQKBgQDAwEzQ7B3cRYp4R2s230wpSSsPkiJXDQLno82S8K2/vLuWnlwIL3A1833l7PDfp5APABU3EVpQ7EYE6usnO1/HDSZ208uiprx6LIbX0gZVoRnPOKFwRVD7zrYo1n11Lydg8OgKtey5GsruPRbLtAw3/ugayUDCUExXmYlFQLRVaQKBgG+NTrzpiDQfpR8fNGio5jITlrDIsGhDM33klJrS089z1swsPpdQ2nDIhI6VC4PeX4JfvRgjOvySbvqQejTblPYQUOzcZunrwowTdonmtnauc9qi/65x7uyJUu8uYP+J/Qd0Gpq/citr7dLRPyMen/B48RVB+b8j2NZ6z6ombhGxAoGAY2OE+IGX0Bnnkae55/xyKCO7WXcPz/U8lzbGbMs/vEtUKxETAYF8icU5GNL5TUn4pVN0nQWMnYeHf0em437hHyFvwPvq177EFvdYvHZmn8bHKSvZSqvjW0Q2d45J+J/M3Va7P7KZEsV2+Ct10qnPVxxQkGdPxiJjixP3TUdU9WkCgYEAtHa4cwsbgy0HWtNT2smc80jLGFfsX8+/MtgTVdx6zaTybl50hJeVG4kW+7Fvstr78iVl31qPWx14MjoXKTEeVMo6ulrEijnbCx6DgkOwq+EOUvZn0W7ly4RhDDA9W8qdBIAzAGumkCx4456Un3z8wbIVgSZB52IELCBKpbyhSWE=" + +PUBLIC_KEY = "MIIBCgKCAQEArc8qE/P9t4UsqO7ay2qnOgLo+Y78IYQsVIfFiMn3eRv0fUfv8BRLRqOnOoe+fxhQqLRQkGLy5ah5KyNEIi2Aj6NEXMc36cvE2RmI5cg/GmE2Hl0djqMOnIxxN2o0BBD26+XolfzQXs4NNEqwmswzeFRxF3I4ZeHoGisQ8htcovfJECEmNPnoTY0fwijgbzsR6gdDe4FJ2rGwYojf4ggpArgxSpwTOnGK1AL8D/2o/n/XauJSJiemKR2koxSiGtmRZjottF9HG9AEtXLIY0lNqn/Xktp8rG5pQudF/By/YGiHlSJ7Fky8RB063doMgQkzzt1+qCyVlux6AfsgPcKesQIDAQAB" + +SSH_RSA_PUBLIC_KEY="AAAAB3NzaC1yc2EAAAADAQABAAABAQCtzyoT8/23hSyo7trLaqc6Auj5jvwhhCxUh8WIyfd5G/R9R+/wFEtGo6c6h75/GFCotFCQYvLlqHkrI0QiLYCPo0Rcxzfpy8TZGYjlyD8aYTYeXR2Oow6cjHE3ajQEEPbr5eiV/NBezg00SrCazDN4VHEXcjhl4egaKxDyG1yi98kQISY0+ehNjR/CKOBvOxHqB0N7gUnasbBiiN/iCCkCuDFKnBM6cYrUAvwP/aj+f9dq4lImJ6YpHaSjFKIa2ZFmOi20X0cb0AS1cshjSU2qf9eS2nysbmlC50X8HL9gaIeVInsWTLxEHTrd2gyBCTPO3X6oLJWW7HoB+yA9wp6x" + +with infamy.Test() as test: + with test.step("Setup topology and attach to the target"): + env = infamy.Env() + target = env.attach("target", "mgmt") + + _, data1 = env.ltop.xlate("target", "data1") + _, data2 = env.ltop.xlate("target", "data2") + + with test.step("Configure SSH server"): + SSH_PORT_1 = 777 + SSH_ADDRESS_1 = "77.77.77.77" + SSH_ADDRESS_2 = "88.88.88.88" + PREFIX_LENGTH = 24 + + # Disable SSH before remove hostkey to pass YANG-validation. + target.put_config_dicts({"infix-services": { + "ssh": { + "enabled": False + } + }}) + target.delete_xpath("/infix-services:ssh/hostkey[name()='genkey']") + target.put_config_dicts({ + "ietf-keystore": { + "keystore": { + "asymmetric-keys": { + "asymmetric-key": [ + { + "name": "test-host-key", + "public-key-format": "ietf-crypto-types:ssh-public-key-format", + "public-key": PUBLIC_KEY, + "private-key-format": "ietf-crypto-types:rsa-private-key-format", + "cleartext-private-key": PRIVATE_KEY + } + ] + } + } + }, + "ietf-interfaces": { + "interfaces": { + "interface": [ + { + "name": data1, + "ipv4": { + "address": [ + { + "ip": SSH_ADDRESS_1, + "prefix-length": PREFIX_LENGTH + } + ] + } + }, + { + "name": data2, + "ipv4": { + "address": [ + { + "ip": SSH_ADDRESS_2, + "prefix-length": PREFIX_LENGTH + } + ] + } + } + ] + } + }, + "infix-services": { + "ssh": { + "enabled": True, + "hostkey": [ + "test-host-key" + ], + "listen": [ + { + "name": "test-listener-1", + "address": SSH_ADDRESS_1, + "port": SSH_PORT_1 + } + ] + } + } + }) + + with test.step("Verify SSH public keys"): + _, hport1 = env.ltop.xlate("host", "data1") + _, hport2 = env.ltop.xlate("host", "data2") + + with infamy.IsolatedMacVlan(hport1) as ns77: + ns77.addip("77.77.77.70", prefix_length=24) + ns77.must_reach(SSH_ADDRESS_1) + ssh_scan_result = ns77.runsh(f"ssh-keyscan -p {SSH_PORT_1} {SSH_ADDRESS_1}") + lines = [ + line for line in ssh_scan_result.stdout.splitlines() + if line.strip().startswith(f"[{SSH_ADDRESS_1}]:{SSH_PORT_1}") + ] + assert len(lines) == 1, f"Unexpected ssh-keyscan output: {ssh_scan_result.stdout}" + target_public_key = lines[0].split()[2] + + assert target_public_key.strip() == SSH_RSA_PUBLIC_KEY.strip(), "Public key mismatch" + + print("Public key verified successfully.") + + with test.step("Verify it is not possible to access SSH on other IP address"): + with infamy.IsolatedMacVlan(hport2) as ns88: + ns88.addip("88.88.88.80", prefix_length=24) + ns88.must_reach(SSH_ADDRESS_2) + + assert ns88.runsh(f"ssh-keyscan -p {SSH_PORT_1} {SSH_ADDRESS_2}").returncode == 1, "SSH is accessable on wrong interface" + + with test.step("Disable SSH server"): + target.put_config_dict("infix-services", { + "ssh": { + "enabled": False + } + }) + assert(ns77.run( + f"ssh-keyscan -p {SSH_PORT_1} {SSH_ADDRESS_1}", + shell=True, + text=True, + stdout=subprocess.PIPE, + ).returncode == 1) + + test.succeed() diff --git a/test/case/infix_services/ssh_server_config/topology.dot b/test/case/infix_services/ssh_server_config/topology.dot new file mode 100644 index 000000000..6506bc45a --- /dev/null +++ b/test/case/infix_services/ssh_server_config/topology.dot @@ -0,0 +1,24 @@ +graph "1x3" { + layout="neato"; + overlap="false"; + esep="+80"; + + node [shape=record, fontname="DejaVu Sans Mono, Book"]; + edge [color="cornflowerblue", penwidth="2", fontname="DejaVu Serif, Book"]; + + host [ + label="host | { mgmt | data1 | data2 }", + pos="0,12!", + kind="controller", + ]; + + target [ + label="{ mgmt | data1 | data2 } | target", + pos="10,12!", + kind="infix", + ]; + + host:mgmt -- target:mgmt [kind=mgmt, color="lightgray"] + host:data1 -- target:data1 [color="black"] + host:data2 -- target:data2 [color="black"] +} diff --git a/test/case/infix_services/ssh_server_config/topology.svg b/test/case/infix_services/ssh_server_config/topology.svg new file mode 100644 index 000000000..9517e6397 --- /dev/null +++ b/test/case/infix_services/ssh_server_config/topology.svg @@ -0,0 +1,51 @@ + + + + + + +1x3 + + + +host + +host + +mgmt + +data1 + +data2 + + + +target + +mgmt + +data1 + +data2 + +target + + + +host:mgmt--target:mgmt + + + + +host:data1--target:data1 + + + + +host:data2--target:data2 + + + + diff --git a/test/infamy/netconf.py b/test/infamy/netconf.py index f28075665..e33e331c9 100644 --- a/test/infamy/netconf.py +++ b/test/infamy/netconf.py @@ -397,8 +397,8 @@ def delete_xpath(self, xpath): libyang.xpath_del(new, xpath) mod = self.ly.get_module(module) - oldd = mod.parse_data_dict(old, no_state=True) - newd = mod.parse_data_dict(new, no_state=True) + oldd = mod.parse_data_dict(old, no_state=True, validate=False) + newd = mod.parse_data_dict(new, no_state=True, validate=False) lyd = oldd.diff(newd) if lyd is None: diff --git a/test/infamy/restconf.py b/test/infamy/restconf.py index 6d440c19c..3fc2c9830 100644 --- a/test/infamy/restconf.py +++ b/test/infamy/restconf.py @@ -33,7 +33,7 @@ def xpath_to_uri(xpath, extra=None): if matches: for key, value in matches: # replace [key=value] with =value - uri_path = re.sub(rf'\[{key}=["\']{value}["\']\]', f'={value}', xpath) + uri_path = re.sub(rf'\[{re.escape(key)}=["\']{re.escape(value)}["\']\]', f'={value}', xpath) else: uri_path = xpath