upstream: regress test for sshd_config Include directive; from Jakub

Jelen

OpenBSD-Regress-ID: 0d9224de3297c7a5f51ba68d6e3725a2a9345fa4

3 files changed, 159 insertions, 3 deletions

diff --git a/regress/Makefile b/regress/Makefile
index 34c47e8cb..774c10d41 100644
--- a/regress/Makefile
+++ b/regress/Makefile
@@ -1,4 +1,4 @@
-#       $OpenBSD: Makefile,v 1.104 2019/09/03 08:37:45 djm Exp $
+#       $OpenBSD: Makefile,v 1.106 2020/01/31 23:25:08 djm Exp $
 
 tests:          prep file-tests t-exec unit
 
@@ -87,6 +87,7 @@ LTESTS= 	connect \
                 principals-command \
                 cert-file \
                 cfginclude \
+                servcfginclude \
                 allow-deny-users \
                 authinfo \
                 sshsig
@@ -122,7 +123,7 @@ CLEANFILES=	*.core actual agent-key.* authorized_keys_${USERNAME} \
                 ssh-rsa_oldfmt \
                 ssh_config ssh_config.* ssh_proxy ssh_proxy_bak \
                 ssh_proxy_envpass sshd.log sshd_config sshd_config_minimal \
-                sshd_config.orig sshd_proxy sshd_proxy.* sshd_proxy_bak \
+                sshd_config.* sshd_proxy sshd_proxy.* sshd_proxy_bak \
                 sshd_proxy_orig t10.out t10.out.pub t12.out t12.out.pub \
                 t2.out t3.out t6.out1 t6.out2 t7.out t7.out.pub \
                 t8.out t8.out.pub t9.out t9.out.pub testdata \
diff --git a/regress/servcfginclude.sh b/regress/servcfginclude.sh
new file mode 100644
index 000000000..b25c8faa8
--- /dev/null
+++ b/regress/servcfginclude.sh
@@ -0,0 +1,154 @@
+#       Placed in the Public Domain.
+
+tid="server config include"
+
+cat > $OBJ/sshd_config.i << _EOF
+HostKey $OBJ/host.ssh-ed25519
+Match host a
+        Banner /aa
+
+Match host b
+        Banner /bb
+        Include $OBJ/sshd_config.i.*
+
+Match host c
+        Include $OBJ/sshd_config.i.*
+        Banner /cc
+
+Match host m
+        Include $OBJ/sshd_config.i.*
+
+Match Host d
+        Banner /dd
+
+Match Host e
+        Banner /ee
+        Include $OBJ/sshd_config.i.*
+
+Match Host f
+        Include $OBJ/sshd_config.i.*
+        Banner /ff
+
+Match Host n
+        Include $OBJ/sshd_config.i.*
+_EOF
+
+cat > $OBJ/sshd_config.i.0 << _EOF
+Match host xxxxxx
+_EOF
+
+cat > $OBJ/sshd_config.i.1 << _EOF
+Match host a
+        Banner /aaa
+
+Match host b
+        Banner /bbb
+
+Match host c
+        Banner /ccc
+
+Match Host d
+        Banner /ddd
+
+Match Host e
+        Banner /eee
+
+Match Host f
+        Banner /fff
+_EOF
+
+cat > $OBJ/sshd_config.i.2 << _EOF
+Match host a
+        Banner /aaaa
+
+Match host b
+        Banner /bbbb
+
+Match host c
+        Banner /cccc
+
+Match Host d
+        Banner /dddd
+
+Match Host e
+        Banner /eeee
+
+Match Host f
+        Banner /ffff
+
+Match all
+        Banner /xxxx
+_EOF
+
+trial() {
+        _host="$1"
+        _exp="$2"
+        _desc="$3"
+        test -z "$_desc" && _desc="test match"
+        trace "$_desc host=$_host expect=$_exp"
+        ${SUDO} ${REAL_SSHD} -f $OBJ/sshd_config.i -T \
+            -C "host=$_host,user=test,addr=127.0.0.1" > $OBJ/sshd_config.out ||
+                fatal "ssh config parse failed: $_desc host=$_host expect=$_exp"
+        _got=`grep -i '^banner ' $OBJ/sshd_config.out | awk '{print $2}'`
+        if test "x$_exp" != "x$_got" ; then
+                fail "$desc_ host $_host include fail: expected $_exp got $_got"
+        fi
+}
+
+trial a /aa
+trial b /bb
+trial c /ccc
+trial d /dd
+trial e /ee
+trial f /fff
+trial m /xxxx
+trial n /xxxx
+trial x none
+
+# Prepare an included config with an error.
+
+cat > $OBJ/sshd_config.i.3 << _EOF
+Banner xxxx
+        Junk
+_EOF
+
+trace "disallow invalid config host=a"
+${SUDO} ${REAL_SSHD} -f $OBJ/sshd_config.i \
+    -C "host=a,user=test,addr=127.0.0.1" 2>/dev/null && \
+        fail "sshd include allowed invalid config"
+
+trace "disallow invalid config host=x"
+${SUDO} ${REAL_SSHD} -f $OBJ/sshd_config.i \
+    -C "host=x,user=test,addr=127.0.0.1" 2>/dev/null && \
+        fail "sshd include allowed invalid config"
+
+rm -f $OBJ/sshd_config.i.*
+
+# Ensure that a missing include is not fatal.
+cat > $OBJ/sshd_config.i << _EOF
+HostKey $OBJ/host.ssh-ed25519
+Include $OBJ/sshd_config.i.*
+Banner /aa
+_EOF
+
+trial a /aa "missing include non-fatal"
+
+# Ensure that Match/Host in an included config does not affect parent.
+cat > $OBJ/sshd_config.i.x << _EOF
+Match host x
+_EOF
+
+trial a /aa "included file does not affect match state"
+
+# Ensure the empty include directive is not accepted
+cat > $OBJ/sshd_config.i.x << _EOF
+Include
+_EOF
+
+trace "disallow invalid with no argument"
+${SUDO} ${REAL_SSHD} -f $OBJ/sshd_config.i.x \
+    -C "host=x,user=test,addr=127.0.0.1" 2>/dev/null && \
+        fail "sshd allowed Include with no argument"
+
+# cleanup
+rm -f $OBJ/sshd_config.i $OBJ/sshd_config.i.* $OBJ/sshd_config.out
diff --git a/regress/test-exec.sh b/regress/test-exec.sh
index 2c9c3f498..f5e3ee6f5 100644
--- a/regress/test-exec.sh
+++ b/regress/test-exec.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: test-exec.sh,v 1.74 2020/01/25 02:57:53 dtucker Exp $
+#       $OpenBSD: test-exec.sh,v 1.75 2020/01/31 23:25:08 djm Exp $
 #       Placed in the Public Domain.
 
 #SUDO=sudo
@@ -239,6 +239,7 @@ echo "exec ${SSH} -E${TEST_SSH_LOGFILE} "'"$@"' >>$SSHLOGWRAP
 
 chmod a+rx $OBJ/ssh-log-wrapper.sh
 REAL_SSH="$SSH"
+REAL_SSHD="$SSHD"
 SSH="$SSHLOGWRAP"
 
 # Some test data.  We make a copy because some tests will overwrite it.