- dtucker@cvs.openbsd.org 2008/06/10 05:23:32

[addrmatch.sh Makefile] Regress test for Match CIDR rules. ok djm@
author: Darren Tucker <dtucker@zip.com.au> 2008-06-10 23:16:46 +1000
committer: Darren Tucker <dtucker@zip.com.au> 2008-06-10 23:16:46 +1000
commit: 10f9242b86bc570638b5c0e985e4f4b98c1dd073 (patch)
tree: 1e3d5604e39c1680b258c477ecb76fad41294ed6 /regress/addrmatch.sh
parent: d788b7cb35ed9964f8a15201e3b28e992228eadb (diff)
1 files changed, 41 insertions, 0 deletions
diff --git a/regress/addrmatch.sh b/regress/addrmatch.sh
new file mode 100644
index 000000000..f89e9f053
--- /dev/null
+++ b/regress/addrmatch.sh
@@ -0,0 +1,41 @@
+#       $OpenBSD: addrmatch.sh,v 1.0 2008/06/10 05:23:32 dtucker Exp $
+#       Placed in the Public Domain.
+tid="address match"
+mv $OBJ/sshd_proxy $OBJ/sshd_proxy_orig
+run_trial()
+{
+        user="$1"; addr="$2"; host="$3"; expected="$4"; descr="$5"
+        verbose "test $descr for $user $addr $host"
+        result=`${SSHD} -f $OBJ/sshd_proxy -T \
+            -C user=${user},addr=${addr},host=${host} | \
+            awk '/passwordauthentication/ {print $2}'`
+        if [ "$result" != "$expected" ]; then
+                fail "failed for $user $addr $host: expected $expected, got $result"
+        fi
+}
+cp $OBJ/sshd_proxy_orig $OBJ/sshd_proxy
+cat >>$OBJ/sshd_proxy <<EOD
+PasswordAuthentication no
+Match Address 192.168.0.0/16,!192.168.30.0/24,10.0.0.0/8,host.example.com
+        PasswordAuthentication yes
+Match Address 1.1.1.1,::1,!::3,2000::/16
+        PasswordAuthentication yes
+EOD
+run_trial user 192.168.0.1 somehost yes         "permit, first entry"
+run_trial user 192.168.30.1 somehost no         "deny, negative match"
+run_trial user 19.0.0.1 somehost no             "deny, no match"
+run_trial user 10.255.255.254 somehost yes      "permit, list middle"
+run_trial user 192.168.30.1 192.168.0.1 no      "deny, faked IP in hostname"
+run_trial user 1.1.1.1 somehost.example.com yes "permit, bare IP4 address"
+run_trial user ::1 somehost.example.com  yes    "permit, bare IP6 address"
+run_trial user ::2 somehost.exaple.com no       "deny IPv6"
+run_trial user ::3 somehost no                  "deny IP6 negated"
+run_trial user ::4 somehost no                  "deny, IP6 no match"
+run_trial user 2000::1 somehost yes             "permit, IP6 network"
+run_trial user 2001::1 somehost no              "deny, IP6 network"
author	Darren Tucker <dtucker@zip.com.au>	2008-06-10 23:16:46 +1000
committer	Darren Tucker <dtucker@zip.com.au>	2008-06-10 23:16:46 +1000
commit	10f9242b86bc570638b5c0e985e4f4b98c1dd073 (patch)
tree	1e3d5604e39c1680b258c477ecb76fad41294ed6 /regress/addrmatch.sh
parent	d788b7cb35ed9964f8a15201e3b28e992228eadb (diff)

diff --git a/regress/addrmatch.sh b/regress/addrmatch.sh new file mode 100644 index 000000000..f89e9f053 --- /dev/null +++ b/regress/addrmatch.sh
@@ -0,0 +1,41 @@
	1	# $OpenBSD: addrmatch.sh,v 1.0 2008/06/10 05:23:32 dtucker Exp $
	2	# Placed in the Public Domain.
	3
	4	tid="address match"
	5
	6	mv $OBJ/sshd_proxy $OBJ/sshd_proxy_orig
	7
	8	run_trial()
	9	{
	10	user="$1"; addr="$2"; host="$3"; expected="$4"; descr="$5"
	11
	12	verbose "test $descr for $user $addr $host"
	13	result=`${SSHD} -f $OBJ/sshd_proxy -T \
	14	-C user=${user},addr=${addr},host=${host} \| \
	15	awk '/passwordauthentication/ {print $2}'`
	16	if [ "$result" != "$expected" ]; then
	17	fail "failed for $user $addr $host: expected $expected, got $result"
	18	fi
	19	}
	20
	21	cp $OBJ/sshd_proxy_orig $OBJ/sshd_proxy
	22	cat >>$OBJ/sshd_proxy <<EOD
	23	PasswordAuthentication no
	24	Match Address 192.168.0.0/16,!192.168.30.0/24,10.0.0.0/8,host.example.com
	25	PasswordAuthentication yes
	26	Match Address 1.1.1.1,::1,!::3,2000::/16
	27	PasswordAuthentication yes
	28	EOD
	29
	30	run_trial user 192.168.0.1 somehost yes "permit, first entry"
	31	run_trial user 192.168.30.1 somehost no "deny, negative match"
	32	run_trial user 19.0.0.1 somehost no "deny, no match"
	33	run_trial user 10.255.255.254 somehost yes "permit, list middle"
	34	run_trial user 192.168.30.1 192.168.0.1 no "deny, faked IP in hostname"
	35	run_trial user 1.1.1.1 somehost.example.com yes "permit, bare IP4 address"
	36	run_trial user ::1 somehost.example.com yes "permit, bare IP6 address"
	37	run_trial user ::2 somehost.exaple.com no "deny IPv6"
	38	run_trial user ::3 somehost no "deny IP6 negated"
	39	run_trial user ::4 somehost no "deny, IP6 no match"
	40	run_trial user 2000::1 somehost yes "permit, IP6 network"
	41	run_trial user 2001::1 somehost no "deny, IP6 network"