ovh · speed47 · Nov 7, 2023 · Oct 29, 2023
diff --git a/.github/workflows/freebsd.yml b/.github/workflows/freebsd.yml
@@ -6,31 +6,63 @@ on:
 
 jobs:
   freebsd:
-    runs-on: macos-12
+    runs-on: ubuntu-latest
     name: FreeBSD
-    if: ${{ contains(github.event.pull_request.labels.*.name, 'tests:full') || contains(github.event.pull_request.labels.*.name, 'tests:long') || contains(github.event.pull_request.labels.*.name, 'tests:freebsd') }}
+    timeout-minutes: 180
+    if: ${{ contains(github.event.pull_request.labels.*.name, 'tests:freebsd') }}
     steps:
     - uses: actions/checkout@v4
       with:
         persist-credentials: false
     - name: Functional tests under FreeBSD
-      uses: vmactions/freebsd-vm@v0
+      uses: cross-platform-actions/action@master
       with:
-        usesh: true
-        sync: sshfs
+        operating_system: freebsd
+        version: '13.2'
+        shell: bash
+        sync_files: runner-to-vm
         run: |
-          set -ex
+          # source this to get the $SSH_DIR var properly filled
+          source lib/shell/functions.inc
+          # a few debug commands
+          set -x
           freebsd-version
-          mount -o acls /
-          pkg install -y bash rsync ca_root_nss jq fping screen flock curl
-          mkdir -p /opt/bastion
-          rsync -a . /opt/bastion/
-          /opt/bastion/bin/admin/packages-check.sh -i
-          /opt/bastion/bin/admin/install-ttyrec.sh -s
-          /opt/bastion/bin/admin/install-yubico-piv-checker.sh -s
-          /opt/bastion/bin/admin/install-mkhash-helper.sh -s
-          /opt/bastion/bin/admin/install --new-install
-          ssh-keygen -t ed25519 -f id_user
-          ssh-keygen -t ed25519 -f id_root
-          WANT_HTTP_PROXY=0 NO_SLEEP=1 user_pubkey=$(cat id_user.pub) root_pubkey=$(cat id_root.pub) TARGET_USER=user5000 /opt/bastion/tests/functional/docker/target_role.sh
-          /opt/bastion/tests/functional/launch_tests_on_instance.sh --has-mfa=0 --has-mfa-password=1 --has-pamtester=1 --skip-consistency-check --remote-etc-bastion=/usr/local/etc/bastion 127.0.0.1 22 0 user5000 id_user id_root
+          id
+          # to do proper tests, we need the fs to have ACLs enabled
+          sudo mount -o acls /
+          # install required packages
+          sudo pkg update
+          sudo pkg install -y bash rsync ca_root_nss jq fping screen flock curl
+          # create required folder
+          sudo mkdir -p /opt/bastion
+          # copy bastion code to the proper location
+          sudo rsync -a . /opt/bastion/
+          # save default ssh config, so we can restore it when we're done,
+          # or the github action will fail because the post-run actions it'll
+          # try to do over ssh won't complete due to our modified ssh config
+          sudo tar czf /opt/bastion/ssh_config.tar.gz $SSH_DIR/
+          # setup bastion
+          sudo /opt/bastion/bin/admin/packages-check.sh -i
+          sudo /opt/bastion/bin/admin/install-ttyrec.sh -s
+          sudo /opt/bastion/bin/admin/install-yubico-piv-checker.sh -s
+          sudo /opt/bastion/bin/admin/install-mkhash-helper.sh -s
+          sudo /opt/bastion/bin/admin/install --new-install
+          # by default, this is 0700, but we'll run those as non-root
+          sudo chmod 0755 /opt/bastion/tests
+          # generate two sets of keys
+          ssh-keygen -t ed25519 -f id_user -N ''
+          ssh-keygen -t ed25519 -f id_root -N ''
+          # setup the local bastion for tests
+          sudo env WANT_HTTP_PROXY=0 NO_SLEEP=1 user_pubkey="$(cat id_user.pub)" root_pubkey="$(cat id_root.pub)" TARGET_USER=user5000 /opt/bastion/tests/functional/docker/target_role.sh
+          # run the tests, then in post-run, restore saved ssh config and restart sshd
+          /opt/bastion/tests/functional/launch_tests_on_instance.sh \
+            --has-mfa=0 \
+            --has-mfa-password=1 \
+            --has-pamtester=1 \
+            --skip-consistency-check \
+            --remote-etc-bastion=/usr/local/etc/bastion \
+            --slowness-factor=2 \
+            --post-run="sudo tar xzf /opt/bastion/ssh_config.tar.gz -C / ; sudo /etc/rc.d/sshd restart" \
+            127.0.0.1 22 0 user5000 id_user id_root
+          # for some reason, any other command below is skipped, so don't try to add anything,
+          # augment --post-run in the script above instead, if needed.
diff --git a/tests/functional/docker/target_role.sh b/tests/functional/docker/target_role.sh
@@ -125,15 +125,18 @@ if [ "$OS_FAMILY" = Linux ] ; then
     fi
 
 elif [ "$OS_FAMILY" = OpenBSD ] || [  "$OS_FAMILY" = FreeBSD ] || [ "$OS_FAMILY" = NetBSD ] ; then
-
     # setup some 127.0.0.x IPs (needed for our tests)
     # this automatically works under Linux on lo
+    nic=$(ifconfig | perl -ne 'm{^([a-z._0-9]+): flags}i and $nic=$1; m{inet 127\.0\.0\.1} and print $nic and exit')
+    : "${nic:=lo0}"
     i=2
     while [ $i -lt 20 ] ; do
-        ifconfig lo0 127.0.0.$i netmask 255.0.0.0 alias
+        ifconfig $nic 127.0.0.$i netmask 255.0.0.0 alias
         (( i++ ))
     done
-    ifconfig lo0 127.7.7.7 netmask 255.0.0.0 alias
+    ifconfig $nic 127.7.7.7 netmask 255.0.0.0 alias
+    echo "Added a few local IP aliases"
+    ifconfig $nic
 
     set +e
     for st in restart onestart
@@ -150,7 +153,6 @@ if [ -n "$NO_SLEEP" ]; then
 fi
 
 if [ "$WANT_HTTP_PROXY" = 1 ]; then
-
     # build a self-signed certificate for the http proxy and adjust the config
     openssl req -x509 -nodes -days 7 -newkey rsa:2048 -keyout /tmp/selfsigned.key -out /tmp/selfsigned.crt -subj "/CN=testcert"
     chgrp proxyhttp /tmp/selfsigned.key

diff --git a/tests/functional/launch_tests_on_instance.sh b/tests/functional/launch_tests_on_instance.sh
@@ -13,8 +13,10 @@ opt_remote_etc_bastion=/etc/bastion
 opt_remote_basedir=$basedir
 opt_skip_consistency_check=0
 opt_no_pause_on_fail=0
+opt_slowness_factor=1
 opt_log_prefix=
 opt_module=
+opt_post_run=
 declare -A capabilities=( [ed25519]=1 [mfa]=1 [mfa-password]=0 [pamtester]=1 [piv]=1 )
 
 # set the helptext now to get the proper default values
@@ -24,6 +26,8 @@ Test Options:
     --no-pause-on-fail         Don't pause when a test fails
     --log-prefix=X             Prefix all logs by this name
     --module=X                 Only test this module (specify a filename found in \`functional/tests.d/\`), can be specified multiple times
+    --slowness-factor=X        If your test environment is slow, set this to 2, 3 or more to use higher timeouts (default: 1)
+    --post-run=X               Commands to run after we're done testing
 
 Remote OS directory locations:
     --remote-etc-bastion=X     Override the default remote bastion configuration directory (default: $opt_remote_etc_bastion)
@@ -67,9 +71,17 @@ do
         --no-pause-on-fail)
             opt_no_pause_on_fail=1
             ;;
+        --slowness-factor=*)
+            if [[ $optval =~ ^[1-9]$ ]]; then
+                opt_slowness_factor=$optval
+            fi
+            ;;
         --log-prefix=*)
             opt_log_prefix="$optval"
             ;;
+        --post-run=*)
+            opt_post_run="$optval"
+            ;;
         --module=*)
             if [ ! -e "$basedir/tests/functional/tests.d/$optval" ]; then
                 echo "Unknown module specified '$optval', supported modules are:"
@@ -173,8 +185,9 @@ fi
 
     jq="jq --raw-output --compact-output --sort-keys"
     js="--json-greppable"
-    t="timeout --foreground 30"
-    tf="timeout --foreground 15"
+    default_timeout=$((30 * opt_slowness_factor))
+    t="timeout --foreground $default_timeout"
+    tf="timeout --foreground $((default_timeout / 2))"
     a0="  $t ssh -F $mytmpdir/ssh_config -i $account0key1file $account0@$remote_ip -p $remote_port -- $js "
     a1="  $t ssh -F $mytmpdir/ssh_config -i $account1key1file $account1@$remote_ip -p $remote_port -- $js "
     a1k2="$t ssh -F $mytmpdir/ssh_config -i $account1key2file $account1@$remote_ip -p $remote_port -- $js "
@@ -714,6 +727,7 @@ testno=0
 runtests
 echo
 
+set -x
 if [ $((nbfailedret + nbfailedgrep + nbfailedcon + nbfailedgeneric)) -eq 0 ] ; then
     printf "%b%b%b\\n" "$BLACK_ON_GREEN" "All tests succeeded :)" "$NOC"
 else
@@ -738,4 +752,7 @@ update_totalerrors
 
 rm -rf "$mytmpdir"
 trap EXIT
+if [ -n "$opt_post_run" ]; then
+    bash -c "$opt_post_run"
+fi
 exit $totalerrors
diff --git a/tests/functional/tests.d/200-scripts.sh b/tests/functional/tests.d/200-scripts.sh
@@ -58,8 +58,8 @@ testsuite_scripts()
     contain "50-gpg-admins-key.conf updated:"
     contain "50-gpg.conf updated:"
     contain "Parsed and added 2 keys"
-    contain "GPGKEYS='CF27BEC1C8266FFE EC6CEA6719EF3700'"
-    contain '[ "CF27BEC1C8266FFE", "EC6CEA6719EF3700" ]'
+    contain REGEX "GPGKEYS='(CF27BEC1C8266FFE EC6CEA6719EF3700|EC6CEA6719EF3700 CF27BEC1C8266FFE)'"
+    contain REGEX '("CF27BEC1C8266FFE", "EC6CEA6719EF3700"|"EC6CEA6719EF3700", "CF27BEC1C8266FFE")'
     nocontain "WARN:"
     nocontain "ERROR:"
     nocontain "Unexpected termination"

diff --git a/tests/functional/tests.d/340-selfaccesses.sh b/tests/functional/tests.d/340-selfaccesses.sh
@@ -198,14 +198,17 @@ testsuite_selfaccesses()
 
     # scp & sftp
 
+    # patch bastionCommand in config
+    configchg 's=^\\\\x22bastionCommand\\\\x22.+=\\\\x22bastionCommand\\\\x22:\\\\x22ssh\\\\x20USER\\\\x40'"$remote_ip"'\\\\x20-p\\\\x20'"$remote_port"'\\\\x20-t\\\\x20--\\\\x22,='
+
     ## get both helpers first
     for proto in scp sftp; do
         success $proto $a0 --osh $proto
         if [ "$COUNTONLY" != 1 ]; then
             tmpb64=$(get_json | $jq '.value.script')
-            base64 -d <<< "$tmpb64" | gunzip -c > /tmp/${proto}helpertmp
-            perl -pe "s/ssh $account0\\@\\S+/ssh -p $remote_port $account0\\@$remote_ip/" /tmp/${proto}helpertmp > /tmp/${proto}helper
-            chmod +x /tmp/${proto}helper
+            base64 -d <<< "$tmpb64" | gunzip -c > "/tmp/${proto}helper"
+            perl -i -pe 'print "BASTION_SCP_DEBUG=1\nBASTION_SFTP_DEBUG=1\n" if ++$line==2' "/tmp/${proto}helper"
+            chmod +x "/tmp/${proto}helper"
             unset tmpb64
         fi
     done
@@ -243,7 +246,7 @@ testsuite_selfaccesses()
 
     run scp_invalidhostname scp $scp_options -F $mytmpdir/ssh_config -S /tmp/scphelper -i $account0key1file $shellaccount@_invalid._invalid:uptest /tmp/downloaded
     retvalshouldbe 1
-    contain "Sorry, couldn't resolve the host you specified"
+    contain REGEX "Sorry, couldn't resolve the host you specified|I was unable to resolve host"
 
     success scp_upload scp $scp_options -F $mytmpdir/ssh_config -S /tmp/scphelper -i $account0key1file /etc/passwd [email protected]:uptest
     contain "through the bastion to"

diff --git a/tests/functional/tests.d/341-selfaccesses-force-password.sh b/tests/functional/tests.d/341-selfaccesses-force-password.sh
@@ -25,7 +25,7 @@ testsuite_selfaccesses_force_password()
     retvalshouldbe 124
     contain 'enter this:'
     a4_password_tmp=$(get_stdout | grep -Eo 'enter this: [a-zA-Z0-9_-]+' | sed -e 's/enter this: //')
-    script a4_setup_pass_2of2 "echo 'set timeout 30; \
+    script a4_setup_pass_2of2 "echo 'set timeout $default_timeout; \
         spawn $a4 --osh selfMFASetupPassword --yes; \
         expect \":\" { sleep 0.2; send \"$a4_password_tmp\\n\"; }; \
         expect \":\" { sleep 0.2; send \"$a4_password\\n\"; }; \