2025-05 Updates (#91)

jonmchan · felipesantiago · goruha · web-flow · commit 74706a42bea6 · 2025-05-12T18:31:22.000+03:00
* Update the dependencies as of April 2025

* Fix PAM module is unknown error

* Update test Dockefile base image

* make tests run more reliably on faster machines

* skip chmod proc if proc is not modifiable

* Removed duplicate tests

* adding libqrencode; added tests to ensure qrcode is properly generated

* Update feature-branch.yml

* Update feature-branch.yml

* Update feature-branch.yml

* Update feature-branch.yml

---------

Co-authored-by: Felipe Santiago &lt;felipe@felipesantiago.org&gt;
Co-authored-by: Igor Rodionov &lt;goruha@gmail.com&gt;
diff --git a/.github/workflows/feature-branch.yml b/.github/workflows/feature-branch.yml
@@ -13,12 +13,12 @@ permissions:
 
 jobs:
   ci-readme:
-    uses: cloudposse/github-actions-workflows/.github/workflows/ci-readme.yml@main
+    uses: cloudposse/.github/.github/workflows/shared-readme.yml@main
     if: ${{ github.event_name == 'push' }}
     secrets: inherit    
 
   ci-codeowners:
-    uses: cloudposse/github-actions-workflows/.github/workflows/ci-codeowners.yml@main
+    uses: cloudposse/.github/.github/workflows/shared-codeowners.yml@main
     with:
       is_fork: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name != github.repository }}
     secrets: inherit
@@ -28,7 +28,7 @@ jobs:
     steps:
       - uses: cloudposse/github-action-release-label-validator@v1
 
-  ci-build-test:
+  test:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
@@ -40,12 +40,12 @@ jobs:
 
       - name: Run Tests
         shell: bash
-        run: cd test && ./test.sh
+        run: make test
 
       - name: Cleanup
         if: always()
         shell: bash
-        run: cd test && docker-compose down
+        run: make cleantest
 
   ci:
     runs-on: ubuntu-latest
@@ -54,4 +54,4 @@ jobs:
       - run: |
           echo '${{ toJSON(needs) }}'  # easier debug
           ! ${{ contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled') }}
-    needs: [ ci-readme, ci-codeowners, ci-labels, ci-build-test ]
+    needs: [ ci-readme, ci-codeowners, ci-labels, test ]
diff --git a/.github/workflows/integration-tests.yml b/.github/workflows/integration-tests.yml
diff --git a/Dockerfile b/Dockerfile
@@ -78,7 +78,7 @@ LABEL maintainer="erik@cloudposse.com"
 USER root
 
 ## Install dependencies
-RUN apk --update add curl drill groff util-linux bash xauth gettext openssl-dev shadow linux-pam sudo && \
+RUN apk --update add curl drill groff util-linux bash xauth gettext openssl-dev shadow linux-pam libqrencode sudo && \
     rm -rf /etc/ssh/ssh_host_*_key* && \
     rm -f /usr/bin/ssh-agent && \
     rm -f /usr/bin/ssh-keyscan && \
diff --git a/Makefile b/Makefile
@@ -4,7 +4,7 @@ export DOCKER_IMAGE_NAME ?= $(DOCKER_IMAGE):$(DOCKER_TAG)
 export DOCKER_BUILD_FLAGS =
 COPYRIGHT_SOFTWARE_DESCRIPTION := A secure Bastion host implemented as Docker Container running Alpine Linux with Google Authenticator & DUO MFA support
 
-.PHONY: test buildtest
+.PHONY: test cleantest
 
 include $(shell curl --silent -O "https://raw.githubusercontent.com/cloudposse/build-harness/master/templates/Makefile.build-harness"; echo Makefile.build-harness)
 
@@ -29,9 +29,8 @@ run: reset
 		-e SLACK_ENABLED=true \
 			$(DOCKER_IMAGE_NAME)
 
-buildtest:
-	cd test > /dev/null; ./build.sh
-
-
 test:
-	cd test > /dev/null; ./test.sh
+	cd test && ./test.sh
+
+cleantest:
+	cd test && docker compose down
diff --git a/rootfs/etc/init.d/secure-proc b/rootfs/etc/init.d/secure-proc
@@ -2,4 +2,6 @@
 echo "- Locking down /proc"
 chmod 700 /proc
 
-
+if [ "$?" == "1" ]; then
+  echo "Do not have permissions to lockdown /proc"
+fi
diff --git a/test/build.sh b/test/build.sh
diff --git a/test/docker-compose.yml b/test/docker-compose.yml
@@ -5,9 +5,9 @@ services:
       args:
         VERSION: "test"
     volumes:
-      - "$PWD/fixtures/sshrc/sshrc_kill_test.sh:/etc/ssh/sshrc.d/sshrc_kill_test.sh"
-      - "$PWD/fixtures/auth:/auth"
-      - "$PWD/fixtures/server_scripts:/scripts"
+      - "./fixtures/sshrc/sshrc_kill_test.sh:/etc/ssh/sshrc.d/sshrc_kill_test.sh"
+      - "./fixtures/auth:/auth"
+      - "./fixtures/server_scripts:/scripts"
     environment:
       LOG_LEVEL: "DEBUG"
       MFA_PROVIDER: "google-authenticator"
@@ -20,8 +20,8 @@ services:
   test:
     build: "."
     volumes:
-      - "$PWD/fixtures/auth/ida_rsa:/root/.ssh/id_rsa"
-      - "$PWD/fixtures/auth/google_authenticator_code:/code"
-      - "$PWD/fixtures/client_scripts:/scripts"
+      - "./fixtures/auth/ida_rsa:/root/.ssh/id_rsa"
+      - "./fixtures/auth/google_authenticator_code:/code"
+      - "./fixtures/client_scripts:/scripts"
     depends_on:
       - "bastion"
diff --git a/test/fixtures/server_scripts/google-auth.exp b/test/fixtures/server_scripts/google-auth.exp
@@ -0,0 +1,52 @@
+#!/usr/bin/expect -f
+#
+# This Expect script was generated by autoexpect on Mon May  5 15:07:42 2025
+# Expect and autoexpect were both written by Don Libes, NIST.
+#
+# Note that autoexpect does not guarantee a working script.  It
+# necessarily has to guess about certain things.  Two reasons a script
+# might fail are:
+#
+# 1) timing - A surprising number of programs (rn, ksh, zsh, telnet,
+# etc.) and devices discard or ignore keystrokes that arrive "too
+# quickly" after prompts.  If you find your new script hanging up at
+# one spot, try adding a short sleep just before the previous send.
+# Setting "force_conservative" to 1 (see below) makes Expect do this
+# automatically - pausing briefly before sending each character.  This
+# pacifies every program I know of.  The -c flag makes the script do
+# this in the first place.  The -C flag allows you to define a
+# character to toggle this mode off and on.
+
+set force_conservative 0  ;# set to 1 to force conservative mode even if
+			  ;# script wasn't run conservatively originally
+if {$force_conservative} {
+	set send_slow {1 .1}
+	proc send {ignore arg} {
+		sleep .1
+		exp_send -s -- $arg
+	}
+}
+
+#
+# 2) differing output - Some programs produce different output each time
+# they run.  The "date" command is an obvious example.  Another is
+# ftp, if it produces throughput statistics at the end of a file
+# transfer.  If this causes a problem, delete these patterns or replace
+# them with wildcards.  An alternative is to use the -p flag (for
+# "prompt") which makes Expect only look for the last line of output
+# (i.e., the prompt).  The -P flag allows you to define a character to
+# toggle this mode off and on.
+#
+# Read the man page for more info.
+#
+# -Don
+
+
+set timeout -1
+spawn google-authenticator -t
+match_max 100000
+expect "Enter code from app (-1 to skip): "
+send -- "-1\r"
+expect "Do you want me to update your \"/root/.google_authenticator\" file? (y/n) "
+send -- "n\r"
+expect eof
diff --git a/test/fixtures/server_scripts/google_auth_qr_code_generator_test.sh b/test/fixtures/server_scripts/google_auth_qr_code_generator_test.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+
+cd /scripts
+
+expect google-auth.exp
diff --git a/test/fixtures/server_scripts/setup.sh b/test/fixtures/server_scripts/setup.sh
@@ -3,6 +3,10 @@
 # This script runs on the test bastion server to initialize and setup the test environment.
 syslogd
 
+# Setup expect for google auth test
+apk update
+apk add expect
+
 rm -rf /var/log/sudo-io
 
 useradd -m bastion
diff --git a/test/test.sh b/test/test.sh
@@ -13,9 +13,30 @@ chmod 600 fixtures/auth/ida_rsa
 
 docker compose down
 docker compose up -d --build bastion
+docker compose build test
+
+# wait until bastion is up
+until docker compose exec bastion ps aux|grep -v grep| grep sshd > /dev/null; do echo "Waiting for bastion to come online..."; sleep 1; done
+
+echo "Bastion sshd service started."
+
 docker compose exec bastion /scripts/setup.sh
-sleep 1
-docker compose run test /scripts/google_auth_test.sh
+
+
+# greping for the first line of the left alignment square in the generated QR Code
+docker compose exec bastion /scripts/google_auth_qr_code_generator_test.sh |grep -F "[0m                                                                                          [0m" > /dev/null
+
+retVal=$?
+
+if [ $retVal -ne 0 ]; then
+  echo "${red}* Google Authenticator QR Code Generator Test Failed${reset}"
+  exit $retVal
+else
+  echo "${green}* Google Authenticator QR Code Generator Test Succeeded${reset}"
+fi
+
+
+docker compose run --remove-orphans test /scripts/google_auth_test.sh
 
 retVal=$?
 
@@ -49,7 +70,7 @@ else
   echo "${green}* Slack API Connection Test Succeeded${reset}"
 fi
 
-export SSHRC_KILL_OUTPUT=`docker compose run --build test /scripts/sshrc_kill_test.sh`
+export SSHRC_KILL_OUTPUT=`docker compose run --remove-orphans test /scripts/sshrc_kill_test.sh`
 
 if [[ "$SSHRC_KILL_OUTPUT" == *"this output should never print"* ]]; then
   echo "${red}* Failure to quit after non-zero exit code in sshrc${reset}"
