make sure all requested remote_usernames are allowed to be used

added positive test mocking kmsauth sucessfully decrypting a token

bless/aws_lambda/bless_lambda.py

@@ -138,8 +138,9 @@ def lambda_handler(event, context=None, ca_private_key_password=None,
             # Allow bless to sign the cert for a different remote user than the name of the user who signed it
             allowed_remotes = config.get(KMSAUTH_SECTION, KMSAUTH_REMOTE_USERNAMES_ALLOWED_OPTION)
             if allowed_remotes:
-                allowed_users = allowed_remotes.split(",")
-                if allowed_users != ['*'] and request.remote_usernames not in allowed_users:
+                allowed_users = allowed_remotes.split(',')
+                requested_remotes = request.remote_usernames.split(',')
+                if allowed_users != ['*'] and not all([u in allowed_users for u in requested_remotes]):
                     return error_response('KMSAuthValidationError',
                                           'unallowed remote_usernames [{}]'.format(request.remote_usernames))
             elif request.remote_usernames != request.bastion_user:

requirements.txt

@@ -23,6 +23,7 @@ pycparser==2.17
 pyflakes==1.5.0
 pyparsing==2.1.10
 pytest==3.0.6
+pytest-mock==1.6.0
 python-dateutil==2.6.0
 s3transfer==0.1.10
 six==1.10.0

tests/aws_lambda/bless-test-kmsauth-different-remote.cfg

@@ -7,7 +7,7 @@ us-west-2_password = bogus-password-for-unit-test
 use_kmsauth = True
 kmsauth_key_id = alias/authnz-iad, alias/authnz-sfo
 kmsauth_serviceid = kmsauth-prod
-kmsauth_remote_usernames_allowed = ubuntu
+kmsauth_remote_usernames_allowed = ubuntu,alloweduser
 
 # todo get from config, with some sane defaults
 #[loggers]

tests/aws_lambda/test_bless_lambda.py

@@ -132,6 +132,16 @@ class Context(object):
     "kmsauth_token": "validkmsauthtoken"
 }
 
+VALID_TEST_KMSAUTH_REQUEST_DIFFERENT_REMOTE_USER = {
+    "remote_usernames": "alloweduser",
+    "public_key_to_sign": EXAMPLE_RSA_PUBLIC_KEY,
+    "command": "ssh user@server",
+    "bastion_ips": "127.0.0.1",
+    "bastion_user": "usera",
+    "bastion_user_ip": "127.0.0.1",
+    "kmsauth_token": "validkmsauthtoken"
+}
+
 os.environ['AWS_REGION'] = 'us-west-2'
 
 
@@ -307,6 +317,10 @@ def test_invalid_request_with_multiple_principals():
 
 
 def test_invalid_request_with_mismatched_bastion_and_remote():
+    '''
+    Test default kmsauth behavior, that a bastion_user and remote_usernames must match
+    :return: 
+    '''
     output = lambda_handler(INVALID_TEST_KMSAUTH_REQUEST_USERNAME_DOESNT_MATCH_REMOTE, context=Context,
                             ca_private_key_password=RSA_CA_PRIVATE_KEY_PASSWORD,
                             entropy_check=False,
@@ -322,3 +336,13 @@ def test_invalid_request_with_unallowed_remote():
                             config_file=os.path.join(os.path.dirname(__file__),
                                                      'bless-test-kmsauth-different-remote.cfg'))
     assert output['errorType'] == 'KMSAuthValidationError'
+
+
+def test_valid_request_with_allowed_remote(mocker):
+    mocker.patch("kmsauth.KMSTokenValidator.decrypt_token")
+    output = lambda_handler(VALID_TEST_KMSAUTH_REQUEST_DIFFERENT_REMOTE_USER, context=Context,
+                            ca_private_key_password=RSA_CA_PRIVATE_KEY_PASSWORD,
+                            entropy_check=False,
+                            config_file=os.path.join(os.path.dirname(__file__),
+                                                     'bless-test-kmsauth-different-remote.cfg'))
+    assert output['certificate'].startswith('ssh-rsa-cert-v01@openssh.com ')