add tests for allowing remote_usernames to differ

Netflix · May 7, 2017 · 7e8f30f · 7e8f30f
1 parent b3e4eab
commit 7e8f30f
Show file tree

Hide file tree

Showing 3 changed files with 75 additions and 4 deletions.
diff --git a/bless/aws_lambda/bless_lambda.py b/bless/aws_lambda/bless_lambda.py
@@ -136,11 +136,12 @@ def lambda_handler(event, context=None, ca_private_key_password=None,
     if config.get(KMSAUTH_SECTION, KMSAUTH_USEKMSAUTH_OPTION):
         if request.kmsauth_token:
             # Allow bless to sign the cert for a different remote user than the name of the user who signed it
-            if KMSAUTH_REMOTE_USERNAMES_ALLOWED_OPTION:
-                allowed_users = KMSAUTH_REMOTE_USERNAMES_ALLOWED_OPTION.split(",")
-                if allowed_users != '*' and request.remote_usernames not in allowed_users:
+            allowed_remotes = config.get(KMSAUTH_SECTION, KMSAUTH_REMOTE_USERNAMES_ALLOWED_OPTION)
+            if allowed_remotes:
+                allowed_users = allowed_remotes.split(",")
+                if allowed_users != ['*'] and request.remote_usernames not in allowed_users:
                     return error_response('KMSAuthValidationError',
-                                          'invalid remote_usernames [{}]'.format(request.remote_usernames))
+                                          'unallowed remote_usernames [{}]'.format(request.remote_usernames))
             elif request.remote_usernames != request.bastion_user:
                     return error_response('KMSAuthValidationError',
                                           'remote_usernames must be the same as bastion_user')

diff --git a/tests/aws_lambda/bless-test-kmsauth-different-remote.cfg b/tests/aws_lambda/bless-test-kmsauth-different-remote.cfg
@@ -0,0 +1,33 @@
+[Bless CA]
+ca_private_key_file = tests/aws_lambda/only-use-for-unit-tests.pem
+us-east-1_password = bogus-password-for-unit-test
+us-west-2_password = bogus-password-for-unit-test
+
+[KMS Auth]
+use_kmsauth = True
+kmsauth_key_id = alias/authnz-iad, alias/authnz-sfo
+kmsauth_serviceid = kmsauth-prod
+kmsauth_remote_usernames_allowed = ubuntu
+
+# todo get from config, with some sane defaults
+#[loggers]
+#keys=root
+#
+#[handlers]
+#keys=stream_handler
+#
+#[formatters]
+#keys=formatter
+#
+#[logger_root]
+#level=INFO
+#handlers=stream_handler
+#
+#[handler_stream_handler]
+#class=StreamHandler
+#level=DEBUG
+#formatter=formatter
+#args=(sys.stderr,)
+#
+#[formatter_formatter]
+#format=%(asctime)s %(name)-12s %(levelname)-8s %(message)s
diff --git a/tests/aws_lambda/test_bless_lambda.py b/tests/aws_lambda/test_bless_lambda.py
@@ -112,6 +112,27 @@ class Context(object):
     "bastion_user_ip": "127.0.0.1"
 }
 
+INVALID_TEST_KMSAUTH_REQUEST_USERNAME_DOESNT_MATCH_REMOTE = {
+    "remote_usernames": "userb",
+    "public_key_to_sign": EXAMPLE_RSA_PUBLIC_KEY,
+    "command": "ssh user@server",
+    "bastion_ips": "127.0.0.1",
+    "bastion_user": "usera",
+    "bastion_user_ip": "127.0.0.1",
+    "kmsauth_token": "validkmsauthtoken"
+}
+
+VALID_TEST_KMSAUTH_REQUEST_DIFFERENT_REMOTE_USER = {
+    "remote_usernames": "ubuntu",
+    "public_key_to_sign": EXAMPLE_RSA_PUBLIC_KEY,
+    "command": "ssh user@server",
+    "bastion_ips": "127.0.0.1",
+    "bastion_user": "usera",
+    "bastion_user_ip": "127.0.0.1",
+    "kmsauth_token": "validkmsauthtoken"
+}
+
+
 os.environ['AWS_REGION'] = 'us-west-2'
 
 
@@ -284,3 +305,19 @@ def test_invalid_request_with_multiple_principals():
                             config_file=os.path.join(os.path.dirname(__file__),
                                                      'bless-test.cfg'))
     assert output['errorType'] == 'InputValidationError'
+
+def test_invalid_request_with_mismatched_bastion_and_remote():
+    output = lambda_handler(INVALID_TEST_KMSAUTH_REQUEST_USERNAME_DOESNT_MATCH_REMOTE, context=Context,
+                            ca_private_key_password=RSA_CA_PRIVATE_KEY_PASSWORD,
+                            entropy_check=False,
+                            config_file=os.path.join(os.path.dirname(__file__),
+                                                     'bless-test-kmsauth.cfg'))
+    assert output['errorType'] == 'KMSAuthValidationError'
+
+def test_valid_request_with_allowed_remote():
+    output = lambda_handler(VALID_TEST_KMSAUTH_REQUEST_DIFFERENT_REMOTE_USER, context=Context,
+                            ca_private_key_password=RSA_CA_PRIVATE_KEY_PASSWORD,
+                            entropy_check=False,
+                            config_file=os.path.join(os.path.dirname(__file__),
+                                                     'bless-test-kmsauth-different-remote.cfg'))
+    assert output['errorType'] == 'KMSAuthValidationError'