From 52c3d3c7948d2224c368cdf7c33e744fe93aac33 Mon Sep 17 00:00:00 2001
From: joerger
Date: Fri, 4 Feb 2022 09:52:38 -0800
Subject: [PATCH] Disable xauth tests in CI. Add xauth tests.
---
 .cloudbuild/scripts/cmd/unit-tests/main.go | 3 +-
 lib/sshutils/x11/auth.go | 6 +-
 lib/sshutils/x11/auth_test.go | 66 ++++++++++++++++++++++
 3 files changed, 73 insertions(+), 2 deletions(-)
diff --git a/.cloudbuild/scripts/cmd/unit-tests/main.go b/.cloudbuild/scripts/cmd/unit-tests/main.go
index 5e3d8b4025508..b984f919fd25e 100644
--- a/.cloudbuild/scripts/cmd/unit-tests/main.go
+++ b/.cloudbuild/scripts/cmd/unit-tests/main.go
@@ -116,7 +116,8 @@ func runUnitTests(workspace string) error {
 cmd := exec.Command("make", "test")
 cmd.Dir = workspace
 cmd.Env = append(os.Environ(), "TELEPORT_ETCD_TEST=yes")
- cmd.Env = append(os.Environ(), "TELEPORT_XAUTH_TEST=yes")
+ // TODO(Joerger): enabled xauth tests once the updated buildbox is in GCB
+ // cmd.Env = append(os.Environ(), "TELEPORT_XAUTH_TEST=yes")
 cmd.Stdout = os.Stdout
 cmd.Stderr = os.Stderr
diff --git a/lib/sshutils/x11/auth.go b/lib/sshutils/x11/auth.go
index 7be6ef0647db7..d451589bc1312 100644
--- a/lib/sshutils/x11/auth.go
+++ b/lib/sshutils/x11/auth.go
@@ -145,7 +145,11 @@ func (x *XAuthCommand) AddEntry(entry XAuthEntry) error {
 func (x *XAuthCommand) GenerateUntrustedCookie(display Display, timeout time.Duration) error {
 x.Cmd.Args = append(x.Cmd.Args, "generate", display.String(), mitMagicCookieProto, "untrusted")
 x.Cmd.Args = append(x.Cmd.Args, "timeout", fmt.Sprint(timeout/time.Second))
- return trace.Wrap(x.run())
+ out, err := x.output()
+ if err != nil {
+ return trace.Wrap(err, out)
+ }
+ return nil
 }
 // run Run and wrap error with stderr.
diff --git a/lib/sshutils/x11/auth_test.go b/lib/sshutils/x11/auth_test.go
index 865847e7f8cff..69af7904ecfd6 100644
--- a/lib/sshutils/x11/auth_test.go
+++ b/lib/sshutils/x11/auth_test.go
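Review bot: The line parked under the TODO in runUnitTests still reads `cmd.Env = append(os.Environ(), ...)`, so restoring it verbatim would rebuild the environment from scratch and drop the `TELEPORT_ETCD_TEST=yes` entry set one line above. Park it as `// cmd.Env = append(cmd.Env, "TELEPORT_XAUTH_TEST=yes")` so both variables survive once it is re-enabled. While the variable is unset, TestXAuthCommands skips without failing, so the xauth cookie handling has no CI coverage until the TODO is resolved; the comment could say that explicitly (and "enabled" should read "enable"). The rest of runUnitTests lies outside the hunk.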
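Review bot: In GenerateUntrustedCookie, `trace.Wrap(err, out)` hands the xauth command output to trace as the message argument, which trace appears to use as a format string, so a `%` in the tool's output would be read as a verb, and a byte-slice `out` would print as a list of numbers. Passing it as data avoids both: `return trace.Wrap(err, "%s", out)`. `output()` is defined outside this hunk, so its return type needs confirming. Separately, on the unchanged line above, `fmt.Sprint(timeout/time.Second)` formats a `time.Duration`, so a 60-second timeout renders as `60ns` rather than `60`; `fmt.Sprint(int64(timeout/time.Second))` yields the bare number, and since this value bounds the lifetime of the untrusted cookie it is worth checking what xauth actually receives.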
@@ -16,14 +16,80 @@ package x11
 import (
 "bytes"
+ "context"
 "encoding/binary"
 "encoding/hex"
+ "os"
+ "path/filepath"
 "testing"
 "github.com/gravitational/trace"
 "github.com/stretchr/testify/require"
 )
+func TestXAuthCommands(t *testing.T) {
+ if os.Getenv("TELEPORT_XAUTH_TEST") == "" {
+ t.Skip("Skipping test as xauth is not enabled")
+ }
+
+ ctx := context.Background()
+
+ tmpDir := t.TempDir()
+ xauthFile := filepath.Join(tmpDir, ".Xauthority")
+
+ l, display, err := OpenNewXServerListener(DefaultDisplayOffset, DefaultMaxDisplay, 0)
+ require.NoError(t, err)
+ t.Cleanup(func() { l.Close() })
+
+ // Wait for connection from generate request
+ go func() {
+ conn, err := l.Accept()
+ require.NoError(t, err)
+ defer conn.Close()
+ }()
+
+ // New xauth file should have no entries
+ xauth := NewXAuthCommand(ctx, xauthFile)
+ xauthEntry, err := xauth.ReadEntry(display)
+ require.Error(t, err)
+ require.True(t, trace.IsNotFound(err))
+ require.Nil(t, xauthEntry)
+
+ // Add trusted xauth entry
+ trustedXauthEntry, err := NewFakeXAuthEntry(display)
+ require.NoError(t, err)
+ xauth = NewXAuthCommand(ctx, xauthFile)
+ err = xauth.AddEntry(*trustedXauthEntry)
+ require.NoError(t, err)
+
+ // Read back the xauth entry
+ xauth = NewXAuthCommand(ctx, xauthFile)
+ xauthEntry, err = xauth.ReadEntry(display)
+ require.NoError(t, err)
+ require.Equal(t, trustedXauthEntry, xauthEntry)
+
+ // Remove xauth entries
+ xauth = NewXAuthCommand(ctx, xauthFile)
+ err = xauth.RemoveEntries(xauthEntry.Display)
+ require.NoError(t, err)
+
+ xauth = NewXAuthCommand(ctx, xauthFile)
+ xauthEntry, err = xauth.ReadEntry(display)
+ require.Error(t, err)
+ require.True(t, trace.IsNotFound(err))
+ require.Nil(t, xauthEntry)
+
+ // Generate untrusted xauth entry
+ xauth = NewXAuthCommand(ctx, xauthFile)
+ err = xauth.GenerateUntrustedCookie(display, 0)
+ require.Error(t, err)
+ // TODO(Joerger): xauth generate requires an actual XServer listener
+ // to be opened, but above we only open a proxy XServer listener.
+ // This leads to an error, but ideally we'd give the proper response
+ // to the generate request and this would succeed in creating the entry.
+ require.Contains(t, err.Error(), "unable to open display")
+}
+
 func TestReadAndRewriteXAuthPacket(t *testing.T) {
 t.Parallel()
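Review bot: The accept goroutine in TestXAuthCommands calls `require.NoError(t, err)` off the test goroutine, where `FailNow` is not supported, and if no client ever connects `l.Accept()` only returns once the `t.Cleanup` closes the listener, so the failure can be reported after the test body has finished. Handle the error inside the goroutine instead, e.g. `conn, err := l.Accept(); if err != nil { return }; conn.Close()`. The final assertion also pins the xauth message text `unable to open display`, which ties the test to the installed tool's wording; a short comment noting that dependency would help whoever updates the buildbox image.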