policy/v2: add SSH compatibility testdata from Tailscale SaaS

Add 39 test fixtures captured from Tailscale SaaS API responses
to validate SSH policy compilation parity. Each JSON file contains
the SSH policy section and expected compiled SSHRule arrays for 5
test nodes (3 user-owned, 2 tagged).

Test series: SSH-A (basic), SSH-B (specific sources), SSH-C
(destination combos), SSH-D (localpart), SSH-E (edge cases),
SSH-F (multi-rule), SSH-G (acceptEnv).

The data-driven TestSSHDataCompat harness uses cmp.Diff with
principal order tolerance but strict rule ordering (first-match-wins
semantics require exact order).

Updates #3049
Kristoffer Dalby
2026-02-24 19:40:04 +00:00
parent 0acf09bdd2
commit 6c59d3e601
40 changed files with 3498 additions and 0 deletions


@@ -0,0 +1,51 @@
{
"test_id": "SSH-A1",
"policy_file": "ssh_policies/ssh_a1.json",
"ssh_section": [{ "action": "accept", "src": ["autogroup:member"], "dst": ["autogroup:self"], "users": ["root"] }],
"nodes": {
"user1": {
"rules": [
{
"principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
"sshUsers": { "root": "root" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
}
]
},
"user-kris": {
"rules": [
{
"principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }],
"sshUsers": { "root": "root" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
}
]
},
"user-mon": {
"rules": [
{
"principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
"sshUsers": { "root": "root" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
}
]
},
"tagged-server": { "rules": [] },
"tagged-prod": { "rules": [] }
}
}
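Review bot: SSH-C1 further down repeats this fixture field for field (same `ssh_section`, same expected rules on all five nodes), and SSH-D11 and SSH-D12 are likewise identical to each other, so from the fixture alone each pair tests one case twice. If the referenced `policy_file` differs within a pair in a section that is not captured here (groups or tag owners, say), that difference is what the case is about and should be visible in the fixture. A short free-text key would do, for example `"description": "autogroup:self baseline for the SSH-C series"` (wording constructed for illustration), provided the harness decoder tolerates unknown keys; that decoder is not part of this page.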


@@ -0,0 +1,53 @@
{
"test_id": "SSH-A2",
"policy_file": "ssh_policies/ssh_a2.json",
"ssh_section": [
{ "action": "accept", "src": ["autogroup:member"], "dst": ["autogroup:self"], "users": ["autogroup:nonroot"] }
],
"nodes": {
"user1": {
"rules": [
{
"principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
"sshUsers": { "*": "=", "root": "" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
}
]
},
"user-kris": {
"rules": [
{
"principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }],
"sshUsers": { "*": "=", "root": "" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
}
]
},
"user-mon": {
"rules": [
{
"principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
"sshUsers": { "*": "=", "root": "" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
}
]
},
"tagged-server": { "rules": [] },
"tagged-prod": { "rules": [] }
}
}
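Review bot: The `sshUsers` values `"="` and `""` carry the whole meaning of this case, and nothing in the fixture or the commit message explains them. As I read the SSHRule format, `"*": "="` maps any requested login to the same local user and `"root": ""` makes the rule not match for root, so the empty string is what actually enforces `autogroup:nonroot`. This deserves a sentence in the harness doc comment or a testdata README: a compiler that emitted only `{ "*": "=" }` would permit root, and whoever refreshes the fixtures later needs to know that a dropped `root` key is a regression rather than noise. The empty `root` entry also appears in SSH-A4 and throughout the SSH-D series.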


@@ -0,0 +1,58 @@
{
"test_id": "SSH-A3",
"policy_file": "ssh_policies/ssh_a3.json",
"ssh_section": [
{
"action": "accept",
"src": ["autogroup:member"],
"dst": ["autogroup:self"],
"users": ["root", "autogroup:nonroot"]
}
],
"nodes": {
"user1": {
"rules": [
{
"principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
"sshUsers": { "*": "=", "root": "root" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
}
]
},
"user-kris": {
"rules": [
{
"principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }],
"sshUsers": { "*": "=", "root": "root" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
}
]
},
"user-mon": {
"rules": [
{
"principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
"sshUsers": { "*": "=", "root": "root" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
}
]
},
"tagged-server": { "rules": [] },
"tagged-prod": { "rules": [] }
}
}


@@ -0,0 +1,32 @@
{
"test_id": "SSH-A4",
"policy_file": "ssh_policies/ssh_a4.json",
"ssh_section": [{ "action": "accept", "src": ["autogroup:member"], "dst": ["tag:server"], "users": ["ubuntu"] }],
"nodes": {
"user1": { "rules": [] },
"user-kris": { "rules": [] },
"user-mon": { "rules": [] },
"tagged-server": {
"rules": [
{
"principals": [
{ "nodeIP": "100.103.90.82" },
{ "nodeIP": "100.110.121.96" },
{ "nodeIP": "100.90.199.68" },
{ "nodeIP": "fd7a:115c:a1e0::1737:7960" },
{ "nodeIP": "fd7a:115c:a1e0::2d01:c747" },
{ "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }
],
"sshUsers": { "root": "", "ubuntu": "ubuntu" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
}
]
},
"tagged-prod": { "rules": [] }
}
}


@@ -0,0 +1,34 @@
{
"test_id": "SSH-A5",
"policy_file": "ssh_policies/ssh_a5.json",
"ssh_section": [
{ "action": "accept", "src": ["autogroup:member"], "dst": ["tag:server"], "users": ["root", "ubuntu"] }
],
"nodes": {
"user1": { "rules": [] },
"user-kris": { "rules": [] },
"user-mon": { "rules": [] },
"tagged-server": {
"rules": [
{
"principals": [
{ "nodeIP": "100.103.90.82" },
{ "nodeIP": "100.110.121.96" },
{ "nodeIP": "100.90.199.68" },
{ "nodeIP": "fd7a:115c:a1e0::1737:7960" },
{ "nodeIP": "fd7a:115c:a1e0::2d01:c747" },
{ "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }
],
"sshUsers": { "root": "root", "ubuntu": "ubuntu" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
}
]
},
"tagged-prod": { "rules": [] }
}
}


@@ -0,0 +1,98 @@
{
"test_id": "SSH-A6",
"policy_file": "ssh_policies/ssh_a6.json",
"ssh_section": [
{
"action": "check",
"src": [
"autogroup:member"
],
"dst": [
"autogroup:self"
],
"users": [
"root"
]
}
],
"nodes": {
"user1": {
"rules": [
{
"principals": [
{
"nodeIP": "100.90.199.68"
},
{
"nodeIP": "fd7a:115c:a1e0::2d01:c747"
}
],
"sshUsers": {
"root": "root"
},
"action": {
"holdAndDelegate": "unused-server-url/machine/ssh/action/from/$SRC_NODE_ID/to/$DST_NODE_ID?ssh_user=$SSH_USER&local_user=$LOCAL_USER",
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true,
"sessionDuration": 43200000000000
}
}
]
},
"user-kris": {
"rules": [
{
"principals": [
{
"nodeIP": "100.110.121.96"
},
{
"nodeIP": "fd7a:115c:a1e0::1737:7960"
}
],
"sshUsers": {
"root": "root"
},
"action": {
"holdAndDelegate": "unused-server-url/machine/ssh/action/from/$SRC_NODE_ID/to/$DST_NODE_ID?ssh_user=$SSH_USER&local_user=$LOCAL_USER",
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true,
"sessionDuration": 43200000000000
}
}
]
},
"user-mon": {
"rules": [
{
"principals": [
{
"nodeIP": "100.103.90.82"
},
{
"nodeIP": "fd7a:115c:a1e0::9e37:5a52"
}
],
"sshUsers": {
"root": "root"
},
"action": {
"holdAndDelegate": "unused-server-url/machine/ssh/action/from/$SRC_NODE_ID/to/$DST_NODE_ID?ssh_user=$SSH_USER&local_user=$LOCAL_USER",
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true,
"sessionDuration": 43200000000000
}
}
]
},
"tagged-server": {
"rules": []
},
"tagged-prod": {
"rules": []
}
}
}
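Review bot: The expected `holdAndDelegate` value starts with the placeholder host `unused-server-url`, so an exact string comparison can only pass if the compiler under test emits that same placeholder or the harness rewrites the host before diffing; which of the two is intended should be stated next to the fixtures. `sessionDuration` is a bare integer with no unit in the key: 43200000000000 reads as nanoseconds (12 h), and it is the value expected when the policy gives no `checkPeriod`, which pins a default taken from the captured response rather than from the policy text. SSH-A7 (`"1h"` to 3600000000000) and SSH-A8 (`"always"` to 0) rely on the same convention, and in A8 a 0 is presumably also what an unset duration decodes to, so that case is only meaningful when read together with this one.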


@@ -0,0 +1,99 @@
{
"test_id": "SSH-A7",
"policy_file": "ssh_policies/ssh_a7.json",
"ssh_section": [
{
"action": "check",
"src": [
"autogroup:member"
],
"dst": [
"autogroup:self"
],
"users": [
"root"
],
"checkPeriod": "1h"
}
],
"nodes": {
"user1": {
"rules": [
{
"principals": [
{
"nodeIP": "100.90.199.68"
},
{
"nodeIP": "fd7a:115c:a1e0::2d01:c747"
}
],
"sshUsers": {
"root": "root"
},
"action": {
"holdAndDelegate": "unused-server-url/machine/ssh/action/from/$SRC_NODE_ID/to/$DST_NODE_ID?ssh_user=$SSH_USER&local_user=$LOCAL_USER",
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true,
"sessionDuration": 3600000000000
}
}
]
},
"user-kris": {
"rules": [
{
"principals": [
{
"nodeIP": "100.110.121.96"
},
{
"nodeIP": "fd7a:115c:a1e0::1737:7960"
}
],
"sshUsers": {
"root": "root"
},
"action": {
"holdAndDelegate": "unused-server-url/machine/ssh/action/from/$SRC_NODE_ID/to/$DST_NODE_ID?ssh_user=$SSH_USER&local_user=$LOCAL_USER",
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true,
"sessionDuration": 3600000000000
}
}
]
},
"user-mon": {
"rules": [
{
"principals": [
{
"nodeIP": "100.103.90.82"
},
{
"nodeIP": "fd7a:115c:a1e0::9e37:5a52"
}
],
"sshUsers": {
"root": "root"
},
"action": {
"holdAndDelegate": "unused-server-url/machine/ssh/action/from/$SRC_NODE_ID/to/$DST_NODE_ID?ssh_user=$SSH_USER&local_user=$LOCAL_USER",
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true,
"sessionDuration": 3600000000000
}
}
]
},
"tagged-server": {
"rules": []
},
"tagged-prod": {
"rules": []
}
}
}


@@ -0,0 +1,99 @@
{
"test_id": "SSH-A8",
"policy_file": "ssh_policies/ssh_a8.json",
"ssh_section": [
{
"action": "check",
"src": [
"autogroup:member"
],
"dst": [
"autogroup:self"
],
"users": [
"root"
],
"checkPeriod": "always"
}
],
"nodes": {
"user1": {
"rules": [
{
"principals": [
{
"nodeIP": "100.90.199.68"
},
{
"nodeIP": "fd7a:115c:a1e0::2d01:c747"
}
],
"sshUsers": {
"root": "root"
},
"action": {
"holdAndDelegate": "unused-server-url/machine/ssh/action/from/$SRC_NODE_ID/to/$DST_NODE_ID?ssh_user=$SSH_USER&local_user=$LOCAL_USER",
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true,
"sessionDuration": 0
}
}
]
},
"user-kris": {
"rules": [
{
"principals": [
{
"nodeIP": "100.110.121.96"
},
{
"nodeIP": "fd7a:115c:a1e0::1737:7960"
}
],
"sshUsers": {
"root": "root"
},
"action": {
"holdAndDelegate": "unused-server-url/machine/ssh/action/from/$SRC_NODE_ID/to/$DST_NODE_ID?ssh_user=$SSH_USER&local_user=$LOCAL_USER",
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true,
"sessionDuration": 0
}
}
]
},
"user-mon": {
"rules": [
{
"principals": [
{
"nodeIP": "100.103.90.82"
},
{
"nodeIP": "fd7a:115c:a1e0::9e37:5a52"
}
],
"sshUsers": {
"root": "root"
},
"action": {
"holdAndDelegate": "unused-server-url/machine/ssh/action/from/$SRC_NODE_ID/to/$DST_NODE_ID?ssh_user=$SSH_USER&local_user=$LOCAL_USER",
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true,
"sessionDuration": 0
}
}
]
},
"tagged-server": {
"rules": []
},
"tagged-prod": {
"rules": []
}
}
}


@@ -0,0 +1,25 @@
{
"test_id": "SSH-B1",
"policy_file": "ssh_policies/ssh_b1.json",
"ssh_section": [{ "action": "accept", "src": ["kristoffer@dalby.cc"], "dst": ["tag:server"], "users": ["root"] }],
"nodes": {
"user1": { "rules": [] },
"user-kris": { "rules": [] },
"user-mon": { "rules": [] },
"tagged-server": {
"rules": [
{
"principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }],
"sshUsers": { "root": "root" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
}
]
},
"tagged-prod": { "rules": [] }
}
}
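Review bot: The `src` value here is what looks like a personal e-mail address, and the fixtures as a whole carry the node addresses and passkey login names of the tailnet they were captured from (the address recurs in SSH-C3, the login names in the SSH-D series). The 100.x and fd7a: addresses appear to be tailnet-internal, but the identities are account data that will live in the repository history. If the harness resolves users from its own test setup rather than from these literal strings, consider substituting a reserved-domain identity such as `user@example.com` (constructed example) in both the fixtures and the referenced policy files, and say in a testdata README how the capture was sanitised.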


@@ -0,0 +1,30 @@
{
"test_id": "SSH-B2",
"policy_file": "ssh_policies/ssh_b2.json",
"ssh_section": [{ "action": "accept", "src": ["group:developers"], "dst": ["tag:server"], "users": ["root"] }],
"nodes": {
"user1": { "rules": [] },
"user-kris": { "rules": [] },
"user-mon": { "rules": [] },
"tagged-server": {
"rules": [
{
"principals": [
{ "nodeIP": "100.110.121.96" },
{ "nodeIP": "100.90.199.68" },
{ "nodeIP": "fd7a:115c:a1e0::1737:7960" },
{ "nodeIP": "fd7a:115c:a1e0::2d01:c747" }
],
"sshUsers": { "root": "root" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
}
]
},
"tagged-prod": { "rules": [] }
}
}


@@ -0,0 +1,25 @@
{
"test_id": "SSH-B3",
"policy_file": "ssh_policies/ssh_b3.json",
"ssh_section": [{ "action": "accept", "src": ["tag:prod"], "dst": ["tag:server"], "users": ["root"] }],
"nodes": {
"user1": { "rules": [] },
"user-kris": { "rules": [] },
"user-mon": { "rules": [] },
"tagged-server": {
"rules": [
{
"principals": [{ "nodeIP": "100.103.8.15" }, { "nodeIP": "fd7a:115c:a1e0::5b37:80f" }],
"sshUsers": { "root": "root" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
}
]
},
"tagged-prod": { "rules": [] }
}
}


@@ -0,0 +1,30 @@
{
"test_id": "SSH-B5",
"policy_file": "ssh_policies/ssh_b5.json",
"ssh_section": [{ "action": "accept", "src": ["user:*@passkey"], "dst": ["tag:server"], "users": ["root"] }],
"nodes": {
"user1": { "rules": [] },
"user-kris": { "rules": [] },
"user-mon": { "rules": [] },
"tagged-server": {
"rules": [
{
"principals": [
{ "nodeIP": "100.103.90.82" },
{ "nodeIP": "100.90.199.68" },
{ "nodeIP": "fd7a:115c:a1e0::2d01:c747" },
{ "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }
],
"sshUsers": { "root": "root" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
}
]
},
"tagged-prod": { "rules": [] }
}
}


@@ -0,0 +1,30 @@
{
"test_id": "SSH-B6",
"policy_file": "ssh_policies/ssh_b6.json",
"ssh_section": [{ "action": "accept", "src": ["autogroup:tagged"], "dst": ["tag:server"], "users": ["root"] }],
"nodes": {
"user1": { "rules": [] },
"user-kris": { "rules": [] },
"user-mon": { "rules": [] },
"tagged-server": {
"rules": [
{
"principals": [
{ "nodeIP": "100.103.8.15" },
{ "nodeIP": "100.108.74.26" },
{ "nodeIP": "fd7a:115c:a1e0::5b37:80f" },
{ "nodeIP": "fd7a:115c:a1e0::b901:4a87" }
],
"sshUsers": { "root": "root" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
}
]
},
"tagged-prod": { "rules": [] }
}
}


@@ -0,0 +1,51 @@
{
"test_id": "SSH-C1",
"policy_file": "ssh_policies/ssh_c1.json",
"ssh_section": [{ "action": "accept", "src": ["autogroup:member"], "dst": ["autogroup:self"], "users": ["root"] }],
"nodes": {
"user1": {
"rules": [
{
"principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
"sshUsers": { "root": "root" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
}
]
},
"user-kris": {
"rules": [
{
"principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }],
"sshUsers": { "root": "root" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
}
]
},
"user-mon": {
"rules": [
{
"principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
"sshUsers": { "root": "root" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
}
]
},
"tagged-server": { "rules": [] },
"tagged-prod": { "rules": [] }
}
}


@@ -0,0 +1,32 @@
{
"test_id": "SSH-C2",
"policy_file": "ssh_policies/ssh_c2.json",
"ssh_section": [{ "action": "accept", "src": ["autogroup:member"], "dst": ["tag:server"], "users": ["root"] }],
"nodes": {
"user1": { "rules": [] },
"user-kris": { "rules": [] },
"user-mon": { "rules": [] },
"tagged-server": {
"rules": [
{
"principals": [
{ "nodeIP": "100.103.90.82" },
{ "nodeIP": "100.110.121.96" },
{ "nodeIP": "100.90.199.68" },
{ "nodeIP": "fd7a:115c:a1e0::1737:7960" },
{ "nodeIP": "fd7a:115c:a1e0::2d01:c747" },
{ "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }
],
"sshUsers": { "root": "root" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
}
]
},
"tagged-prod": { "rules": [] }
}
}


@@ -0,0 +1,27 @@
{
"test_id": "SSH-C3",
"policy_file": "ssh_policies/ssh_c3.json",
"ssh_section": [
{ "action": "accept", "src": ["kristoffer@dalby.cc"], "dst": ["kristoffer@dalby.cc"], "users": ["root"] }
],
"nodes": {
"user1": { "rules": [] },
"user-kris": {
"rules": [
{
"principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }],
"sshUsers": { "root": "root" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
}
]
},
"user-mon": { "rules": [] },
"tagged-server": { "rules": [] },
"tagged-prod": { "rules": [] }
}
}


@@ -0,0 +1,54 @@
{
"test_id": "SSH-C4",
"policy_file": "ssh_policies/ssh_c4.json",
"ssh_section": [
{ "action": "accept", "src": ["autogroup:member"], "dst": ["tag:server", "tag:prod"], "users": ["root"] }
],
"nodes": {
"user1": { "rules": [] },
"user-kris": { "rules": [] },
"user-mon": { "rules": [] },
"tagged-server": {
"rules": [
{
"principals": [
{ "nodeIP": "100.103.90.82" },
{ "nodeIP": "100.110.121.96" },
{ "nodeIP": "100.90.199.68" },
{ "nodeIP": "fd7a:115c:a1e0::1737:7960" },
{ "nodeIP": "fd7a:115c:a1e0::2d01:c747" },
{ "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }
],
"sshUsers": { "root": "root" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
}
]
},
"tagged-prod": {
"rules": [
{
"principals": [
{ "nodeIP": "100.103.90.82" },
{ "nodeIP": "100.110.121.96" },
{ "nodeIP": "100.90.199.68" },
{ "nodeIP": "fd7a:115c:a1e0::1737:7960" },
{ "nodeIP": "fd7a:115c:a1e0::2d01:c747" },
{ "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }
],
"sshUsers": { "root": "root" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
}
]
}
}
}


@@ -0,0 +1,103 @@
{
"test_id": "SSH-D10",
"policy_file": "ssh_policies/ssh_d10.json",
"ssh_section": [
{ "action": "accept", "src": ["user:*@passkey"], "dst": ["tag:server"], "users": ["localpart:*@passkey"] }
],
"nodes": {
"user1": {
"rules": [
{
"principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
"sshUsers": { "root": "" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
},
{
"principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
"sshUsers": { "kratail2tid": "kratail2tid" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
}
]
},
"user-kris": { "rules": [] },
"user-mon": {
"rules": [
{
"principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
"sshUsers": { "root": "" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
},
{
"principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
"sshUsers": { "monitorpasskeykradalby": "monitorpasskeykradalby" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
}
]
},
"tagged-server": {
"rules": [
{
"principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
"sshUsers": { "root": "" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
},
{
"principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
"sshUsers": { "kratail2tid": "kratail2tid" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
},
{
"principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
"sshUsers": { "root": "" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
},
{
"principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
"sshUsers": { "monitorpasskeykradalby": "monitorpasskeykradalby" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
}
]
},
"tagged-prod": { "rules": [] }
}
}
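Review bot: The expected output gives `user1` and `user-mon` accept rules although the policy's only `dst` is `tag:server`; each of those nodes is expected to accept SSH from its own addresses as the passkey local part. In SSH-A4, with the same `dst` and a literal user, the user-owned nodes get `"rules": []`, so this looks like a side effect of `localpart:` expansion in the captured response. Because the harness treats the fixture as the required result, this pins an accept rule on nodes outside `dst`; please record whether that is deliberate parity with upstream or an artefact of the capture, so it is not carried forward unexamined. SSH-D11, SSH-D12, SSH-D2, SSH-D3 and the visible part of SSH-D4 show the same pattern, including rules such as `{ "root": "" }` on `user-kris` that match no login at all.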


@@ -0,0 +1,131 @@
{
"test_id": "SSH-D11",
"policy_file": "ssh_policies/ssh_d11.json",
"ssh_section": [
{
"action": "accept",
"src": ["autogroup:member"],
"dst": ["tag:server"],
"users": ["localpart:*@passkey", "ubuntu"]
}
],
"nodes": {
"user1": {
"rules": [
{
"principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
"sshUsers": { "root": "", "ubuntu": "ubuntu" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
},
{
"principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
"sshUsers": { "kratail2tid": "kratail2tid" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
}
]
},
"user-kris": {
"rules": [
{
"principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }],
"sshUsers": { "root": "", "ubuntu": "ubuntu" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
}
]
},
"user-mon": {
"rules": [
{
"principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
"sshUsers": { "root": "", "ubuntu": "ubuntu" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
},
{
"principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
"sshUsers": { "monitorpasskeykradalby": "monitorpasskeykradalby" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
}
]
},
"tagged-server": {
"rules": [
{
"principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
"sshUsers": { "root": "", "ubuntu": "ubuntu" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
},
{
"principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
"sshUsers": { "kratail2tid": "kratail2tid" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
},
{
"principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }],
"sshUsers": { "root": "", "ubuntu": "ubuntu" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
},
{
"principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
"sshUsers": { "root": "", "ubuntu": "ubuntu" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
},
{
"principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
"sshUsers": { "monitorpasskeykradalby": "monitorpasskeykradalby" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
}
]
},
"tagged-prod": { "rules": [] }
}
}


@@ -0,0 +1,131 @@
{
"test_id": "SSH-D12",
"policy_file": "ssh_policies/ssh_d12.json",
"ssh_section": [
{
"action": "accept",
"src": ["autogroup:member"],
"dst": ["tag:server"],
"users": ["localpart:*@passkey", "ubuntu"]
}
],
"nodes": {
"user1": {
"rules": [
{
"principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
"sshUsers": { "root": "", "ubuntu": "ubuntu" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
},
{
"principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
"sshUsers": { "kratail2tid": "kratail2tid" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
}
]
},
"user-kris": {
"rules": [
{
"principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }],
"sshUsers": { "root": "", "ubuntu": "ubuntu" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
}
]
},
"user-mon": {
"rules": [
{
"principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
"sshUsers": { "root": "", "ubuntu": "ubuntu" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
},
{
"principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
"sshUsers": { "monitorpasskeykradalby": "monitorpasskeykradalby" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
}
]
},
"tagged-server": {
"rules": [
{
"principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
"sshUsers": { "root": "", "ubuntu": "ubuntu" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
},
{
"principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
"sshUsers": { "kratail2tid": "kratail2tid" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
},
{
"principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }],
"sshUsers": { "root": "", "ubuntu": "ubuntu" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
},
{
"principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
"sshUsers": { "root": "", "ubuntu": "ubuntu" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
},
{
"principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
"sshUsers": { "monitorpasskeykradalby": "monitorpasskeykradalby" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
}
]
},
"tagged-prod": { "rules": [] }
}
}


@@ -0,0 +1,126 @@
{
"test_id": "SSH-D2",
"policy_file": "ssh_policies/ssh_d2.json",
"ssh_section": [
{ "action": "accept", "src": ["autogroup:member"], "dst": ["tag:server"], "users": ["localpart:*@passkey"] }
],
"nodes": {
"user1": {
"rules": [
{
"principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
"sshUsers": { "root": "" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
},
{
"principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
"sshUsers": { "kratail2tid": "kratail2tid" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
}
]
},
"user-kris": {
"rules": [
{
"principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }],
"sshUsers": { "root": "" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
}
]
},
"user-mon": {
"rules": [
{
"principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
"sshUsers": { "root": "" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
},
{
"principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
"sshUsers": { "monitorpasskeykradalby": "monitorpasskeykradalby" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
}
]
},
"tagged-server": {
"rules": [
{
"principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
"sshUsers": { "root": "" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
},
{
"principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
"sshUsers": { "kratail2tid": "kratail2tid" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
},
{
"principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }],
"sshUsers": { "root": "" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
},
{
"principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
"sshUsers": { "root": "" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
},
{
"principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
"sshUsers": { "monitorpasskeykradalby": "monitorpasskeykradalby" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
}
]
},
"tagged-prod": { "rules": [] }
}
}


@@ -0,0 +1,126 @@
{
"test_id": "SSH-D3",
"policy_file": "ssh_policies/ssh_d3.json",
"ssh_section": [
{ "action": "accept", "src": ["autogroup:member"], "dst": ["tag:server"], "users": ["localpart:*@passkey", "root"] }
],
"nodes": {
"user1": {
"rules": [
{
"principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
"sshUsers": { "root": "root" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
},
{
"principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
"sshUsers": { "kratail2tid": "kratail2tid" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
}
]
},
"user-kris": {
"rules": [
{
"principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }],
"sshUsers": { "root": "root" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
}
]
},
"user-mon": {
"rules": [
{
"principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
"sshUsers": { "root": "root" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
},
{
"principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
"sshUsers": { "monitorpasskeykradalby": "monitorpasskeykradalby" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
}
]
},
"tagged-server": {
"rules": [
{
"principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
"sshUsers": { "root": "root" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
},
{
"principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
"sshUsers": { "kratail2tid": "kratail2tid" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
},
{
"principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }],
"sshUsers": { "root": "root" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
},
{
"principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
"sshUsers": { "root": "root" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
},
{
"principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
"sshUsers": { "monitorpasskeykradalby": "monitorpasskeykradalby" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
}
]
},
"tagged-prod": { "rules": [] }
}
}


@@ -0,0 +1,131 @@
{
"test_id": "SSH-D4",
"policy_file": "ssh_policies/ssh_d4.json",
"ssh_section": [
{
"action": "accept",
"src": ["autogroup:member"],
"dst": ["tag:server"],
"users": ["localpart:*@passkey", "autogroup:nonroot"]
}
],
"nodes": {
"user1": {
"rules": [
{
"principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
"sshUsers": { "*": "=", "root": "" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
},
{
"principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
"sshUsers": { "kratail2tid": "kratail2tid" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
}
]
},
"user-kris": {
"rules": [
{
"principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }],
"sshUsers": { "*": "=", "root": "" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
}
]
},
"user-mon": {
"rules": [
{
"principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
"sshUsers": { "*": "=", "root": "" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
},
{
"principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
"sshUsers": { "monitorpasskeykradalby": "monitorpasskeykradalby" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
}
]
},
"tagged-server": {
"rules": [
{
"principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
"sshUsers": { "*": "=", "root": "" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
},
{
"principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
"sshUsers": { "kratail2tid": "kratail2tid" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
},
{
"principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }],
"sshUsers": { "*": "=", "root": "" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
},
{
"principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
"sshUsers": { "*": "=", "root": "" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
},
{
"principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
"sshUsers": { "monitorpasskeykradalby": "monitorpasskeykradalby" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
}
]
},
"tagged-prod": { "rules": [] }
}
}
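Review bot: The expected output for `user1`, `user-kris` and `user-mon` contains accept rules even though this policy's only `dst` is `tag:server`; each user-owned node is expected to carry a rule with `"sshUsers": { "*": "=", "root": "" }` for its own IPs. In SSH-F1 the same `dst` with `autogroup:nonroot` alone leaves the user-owned nodes without that rule, so the difference appears to come from the `localpart:*@passkey` entry. If this is what the SaaS API returned, the fixture is correct, but it pins SSH rules onto nodes outside `dst` and that should be recorded next to the data, for example as a string field like `"note": "localpart rules are also emitted on source nodes (SaaS parity)"`, provided the harness tolerates unknown keys. The same pattern is in SSH-D5, SSH-D6, SSH-D7, SSH-E5, SSH-E6, SSH-F3 and SSH-F4.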


@@ -0,0 +1,131 @@
{
"test_id": "SSH-D5",
"policy_file": "ssh_policies/ssh_d5.json",
"ssh_section": [
{
"action": "accept",
"src": ["autogroup:member"],
"dst": ["tag:server"],
"users": ["localpart:*@passkey", "root", "autogroup:nonroot"]
}
],
"nodes": {
"user1": {
"rules": [
{
"principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
"sshUsers": { "*": "=", "root": "root" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
},
{
"principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
"sshUsers": { "kratail2tid": "kratail2tid" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
}
]
},
"user-kris": {
"rules": [
{
"principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }],
"sshUsers": { "*": "=", "root": "root" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
}
]
},
"user-mon": {
"rules": [
{
"principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
"sshUsers": { "*": "=", "root": "root" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
},
{
"principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
"sshUsers": { "monitorpasskeykradalby": "monitorpasskeykradalby" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
}
]
},
"tagged-server": {
"rules": [
{
"principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
"sshUsers": { "*": "=", "root": "root" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
},
{
"principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
"sshUsers": { "kratail2tid": "kratail2tid" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
},
{
"principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }],
"sshUsers": { "*": "=", "root": "root" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
},
{
"principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
"sshUsers": { "*": "=", "root": "root" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
},
{
"principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
"sshUsers": { "monitorpasskeykradalby": "monitorpasskeykradalby" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
}
]
},
"tagged-prod": { "rules": [] }
}
}


@@ -0,0 +1,131 @@
{
"test_id": "SSH-D6",
"policy_file": "ssh_policies/ssh_d6.json",
"ssh_section": [
{
"action": "accept",
"src": ["autogroup:member"],
"dst": ["tag:server"],
"users": ["localpart:*@passkey", "autogroup:nonroot"]
}
],
"nodes": {
"user1": {
"rules": [
{
"principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
"sshUsers": { "*": "=", "root": "" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
},
{
"principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
"sshUsers": { "kratail2tid": "kratail2tid" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
}
]
},
"user-kris": {
"rules": [
{
"principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }],
"sshUsers": { "*": "=", "root": "" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
}
]
},
"user-mon": {
"rules": [
{
"principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
"sshUsers": { "*": "=", "root": "" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
},
{
"principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
"sshUsers": { "monitorpasskeykradalby": "monitorpasskeykradalby" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
}
]
},
"tagged-server": {
"rules": [
{
"principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
"sshUsers": { "*": "=", "root": "" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
},
{
"principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
"sshUsers": { "kratail2tid": "kratail2tid" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
},
{
"principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }],
"sshUsers": { "*": "=", "root": "" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
},
{
"principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
"sshUsers": { "*": "=", "root": "" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
},
{
"principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
"sshUsers": { "monitorpasskeykradalby": "monitorpasskeykradalby" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
}
]
},
"tagged-prod": { "rules": [] }
}
}
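Review bot: SSH-D6 has the same `ssh_section` and the same expected rules for all five nodes as SSH-D4, and SSH-D7 likewise repeats SSH-D5, so as written each pair tests the same thing twice. If the underlying `ssh_policies/ssh_d6.json` and `ssh_policies/ssh_d7.json` differ from D4 and D5 in a part of the policy that `ssh_section` does not show, the fixture should say what that is; otherwise one of each pair can go. Strict JSON has no comments, so a short string field such as `"description": "<what D6 varies relative to D4>"` would carry it, assuming the harness ignores unknown keys.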


@@ -0,0 +1,131 @@
{
"test_id": "SSH-D7",
"policy_file": "ssh_policies/ssh_d7.json",
"ssh_section": [
{
"action": "accept",
"src": ["autogroup:member"],
"dst": ["tag:server"],
"users": ["localpart:*@passkey", "root", "autogroup:nonroot"]
}
],
"nodes": {
"user1": {
"rules": [
{
"principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
"sshUsers": { "*": "=", "root": "root" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
},
{
"principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
"sshUsers": { "kratail2tid": "kratail2tid" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
}
]
},
"user-kris": {
"rules": [
{
"principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }],
"sshUsers": { "*": "=", "root": "root" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
}
]
},
"user-mon": {
"rules": [
{
"principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
"sshUsers": { "*": "=", "root": "root" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
},
{
"principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
"sshUsers": { "monitorpasskeykradalby": "monitorpasskeykradalby" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
}
]
},
"tagged-server": {
"rules": [
{
"principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
"sshUsers": { "*": "=", "root": "root" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
},
{
"principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
"sshUsers": { "kratail2tid": "kratail2tid" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
},
{
"principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }],
"sshUsers": { "*": "=", "root": "root" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
},
{
"principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
"sshUsers": { "*": "=", "root": "root" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
},
{
"principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
"sshUsers": { "monitorpasskeykradalby": "monitorpasskeykradalby" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
}
]
},
"tagged-prod": { "rules": [] }
}
}


@@ -0,0 +1,73 @@
{
"test_id": "SSH-D8",
"policy_file": "ssh_policies/ssh_d8.json",
"ssh_section": [
{ "action": "accept", "src": ["autogroup:member"], "dst": ["autogroup:self"], "users": ["localpart:*@passkey"] }
],
"nodes": {
"user1": {
"rules": [
{
"principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
"sshUsers": { "root": "" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
},
{
"principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
"sshUsers": { "kratail2tid": "kratail2tid" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
}
]
},
"user-kris": {
"rules": [
{
"principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }],
"sshUsers": { "root": "" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
}
]
},
"user-mon": {
"rules": [
{
"principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
"sshUsers": { "root": "" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
},
{
"principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
"sshUsers": { "monitorpasskeykradalby": "monitorpasskeykradalby" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
}
]
},
"tagged-server": { "rules": [] },
"tagged-prod": { "rules": [] }
}
}


@@ -0,0 +1,78 @@
{
"test_id": "SSH-D9",
"policy_file": "ssh_policies/ssh_d9.json",
"ssh_section": [
{
"action": "accept",
"src": ["autogroup:member"],
"dst": ["autogroup:self"],
"users": ["localpart:*@passkey", "root"]
}
],
"nodes": {
"user1": {
"rules": [
{
"principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
"sshUsers": { "root": "root" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
},
{
"principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
"sshUsers": { "kratail2tid": "kratail2tid" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
}
]
},
"user-kris": {
"rules": [
{
"principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }],
"sshUsers": { "root": "root" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
}
]
},
"user-mon": {
"rules": [
{
"principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
"sshUsers": { "root": "root" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
},
{
"principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
"sshUsers": { "monitorpasskeykradalby": "monitorpasskeykradalby" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
}
]
},
"tagged-server": { "rules": [] },
"tagged-prod": { "rules": [] }
}
}


@@ -0,0 +1,12 @@
{
"test_id": "SSH-E3",
"policy_file": "ssh_policies/ssh_e3.json",
"ssh_section": [],
"nodes": {
"user1": { "rules": [] },
"user-kris": { "rules": [] },
"user-mon": { "rules": [] },
"tagged-server": { "rules": [] },
"tagged-prod": { "rules": [] }
}
}


@@ -0,0 +1,12 @@
{
"test_id": "SSH-E4",
"policy_file": "ssh_policies/ssh_e4.json",
"ssh_section": null,
"nodes": {
"user1": { "rules": [] },
"user-kris": { "rules": [] },
"user-mon": { "rules": [] },
"tagged-server": { "rules": [] },
"tagged-prod": { "rules": [] }
}
}


@@ -0,0 +1,38 @@
{
"test_id": "SSH-E5",
"policy_file": "ssh_policies/ssh_e5.json",
"ssh_section": [{ "action": "accept", "src": ["tag:prod"], "dst": ["tag:server"], "users": ["localpart:*@passkey"] }],
"nodes": {
"user1": { "rules": [] },
"user-kris": { "rules": [] },
"user-mon": { "rules": [] },
"tagged-server": {
"rules": [
{
"principals": [{ "nodeIP": "100.103.8.15" }, { "nodeIP": "fd7a:115c:a1e0::5b37:80f" }],
"sshUsers": { "root": "" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
}
]
},
"tagged-prod": {
"rules": [
{
"principals": [{ "nodeIP": "100.103.8.15" }, { "nodeIP": "fd7a:115c:a1e0::5b37:80f" }],
"sshUsers": { "root": "" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
}
]
}
}
}


@@ -0,0 +1,240 @@
{
"test_id": "SSH-E6",
"policy_file": "ssh_policies/ssh_e6.json",
"ssh_section": [
{
"action": "check",
"src": [
"autogroup:member"
],
"dst": [
"tag:server"
],
"users": [
"localpart:*@passkey"
],
"checkPeriod": "1h"
}
],
"nodes": {
"user1": {
"rules": [
{
"principals": [
{
"nodeIP": "100.90.199.68"
},
{
"nodeIP": "fd7a:115c:a1e0::2d01:c747"
}
],
"sshUsers": {
"root": ""
},
"action": {
"holdAndDelegate": "unused-server-url/machine/ssh/action/from/$SRC_NODE_ID/to/$DST_NODE_ID?ssh_user=$SSH_USER&local_user=$LOCAL_USER",
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true,
"sessionDuration": 3600000000000
}
},
{
"principals": [
{
"nodeIP": "100.90.199.68"
},
{
"nodeIP": "fd7a:115c:a1e0::2d01:c747"
}
],
"sshUsers": {
"kratail2tid": "kratail2tid"
},
"action": {
"holdAndDelegate": "unused-server-url/machine/ssh/action/from/$SRC_NODE_ID/to/$DST_NODE_ID?ssh_user=$SSH_USER&local_user=$LOCAL_USER",
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true,
"sessionDuration": 3600000000000
}
}
]
},
"user-kris": {
"rules": [
{
"principals": [
{
"nodeIP": "100.110.121.96"
},
{
"nodeIP": "fd7a:115c:a1e0::1737:7960"
}
],
"sshUsers": {
"root": ""
},
"action": {
"holdAndDelegate": "unused-server-url/machine/ssh/action/from/$SRC_NODE_ID/to/$DST_NODE_ID?ssh_user=$SSH_USER&local_user=$LOCAL_USER",
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true,
"sessionDuration": 3600000000000
}
}
]
},
"user-mon": {
"rules": [
{
"principals": [
{
"nodeIP": "100.103.90.82"
},
{
"nodeIP": "fd7a:115c:a1e0::9e37:5a52"
}
],
"sshUsers": {
"root": ""
},
"action": {
"holdAndDelegate": "unused-server-url/machine/ssh/action/from/$SRC_NODE_ID/to/$DST_NODE_ID?ssh_user=$SSH_USER&local_user=$LOCAL_USER",
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true,
"sessionDuration": 3600000000000
}
},
{
"principals": [
{
"nodeIP": "100.103.90.82"
},
{
"nodeIP": "fd7a:115c:a1e0::9e37:5a52"
}
],
"sshUsers": {
"monitorpasskeykradalby": "monitorpasskeykradalby"
},
"action": {
"holdAndDelegate": "unused-server-url/machine/ssh/action/from/$SRC_NODE_ID/to/$DST_NODE_ID?ssh_user=$SSH_USER&local_user=$LOCAL_USER",
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true,
"sessionDuration": 3600000000000
}
}
]
},
"tagged-server": {
"rules": [
{
"principals": [
{
"nodeIP": "100.90.199.68"
},
{
"nodeIP": "fd7a:115c:a1e0::2d01:c747"
}
],
"sshUsers": {
"root": ""
},
"action": {
"holdAndDelegate": "unused-server-url/machine/ssh/action/from/$SRC_NODE_ID/to/$DST_NODE_ID?ssh_user=$SSH_USER&local_user=$LOCAL_USER",
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true,
"sessionDuration": 3600000000000
}
},
{
"principals": [
{
"nodeIP": "100.90.199.68"
},
{
"nodeIP": "fd7a:115c:a1e0::2d01:c747"
}
],
"sshUsers": {
"kratail2tid": "kratail2tid"
},
"action": {
"holdAndDelegate": "unused-server-url/machine/ssh/action/from/$SRC_NODE_ID/to/$DST_NODE_ID?ssh_user=$SSH_USER&local_user=$LOCAL_USER",
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true,
"sessionDuration": 3600000000000
}
},
{
"principals": [
{
"nodeIP": "100.110.121.96"
},
{
"nodeIP": "fd7a:115c:a1e0::1737:7960"
}
],
"sshUsers": {
"root": ""
},
"action": {
"holdAndDelegate": "unused-server-url/machine/ssh/action/from/$SRC_NODE_ID/to/$DST_NODE_ID?ssh_user=$SSH_USER&local_user=$LOCAL_USER",
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true,
"sessionDuration": 3600000000000
}
},
{
"principals": [
{
"nodeIP": "100.103.90.82"
},
{
"nodeIP": "fd7a:115c:a1e0::9e37:5a52"
}
],
"sshUsers": {
"root": ""
},
"action": {
"holdAndDelegate": "unused-server-url/machine/ssh/action/from/$SRC_NODE_ID/to/$DST_NODE_ID?ssh_user=$SSH_USER&local_user=$LOCAL_USER",
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true,
"sessionDuration": 3600000000000
}
},
{
"principals": [
{
"nodeIP": "100.103.90.82"
},
{
"nodeIP": "fd7a:115c:a1e0::9e37:5a52"
}
],
"sshUsers": {
"monitorpasskeykradalby": "monitorpasskeykradalby"
},
"action": {
"holdAndDelegate": "unused-server-url/machine/ssh/action/from/$SRC_NODE_ID/to/$DST_NODE_ID?ssh_user=$SSH_USER&local_user=$LOCAL_USER",
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true,
"sessionDuration": 3600000000000
}
}
]
},
"tagged-prod": {
"rules": []
}
}
}
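Review bot: Every `holdAndDelegate` value in this fixture begins with the literal `unused-server-url` where a control-server host would be, and SSH-F2 does the same. The harness is not visible from this section, so it is unclear whether that prefix is substituted or stripped before comparison. Whichever it is, the path and query template (`$SRC_NODE_ID`, `$DST_NODE_ID`, `$SSH_USER`, `$LOCAL_USER`) should stay under strict comparison, because it determines which session the check is delegated for. The `sessionDuration` of 3600000000000 equals the policy's `"checkPeriod": "1h"` only if the unit is nanoseconds, which the fixture does not state and could note in a string field.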


@@ -0,0 +1,74 @@
{
"test_id": "SSH-F1",
"policy_file": "ssh_policies/ssh_f1.json",
"ssh_section": [
{ "action": "accept", "src": ["autogroup:member"], "dst": ["autogroup:self"], "users": ["root"] },
{ "action": "accept", "src": ["autogroup:member"], "dst": ["tag:server"], "users": ["autogroup:nonroot"] }
],
"nodes": {
"user1": {
"rules": [
{
"principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
"sshUsers": { "root": "root" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
}
]
},
"user-kris": {
"rules": [
{
"principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }],
"sshUsers": { "root": "root" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
}
]
},
"user-mon": {
"rules": [
{
"principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
"sshUsers": { "root": "root" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
}
]
},
"tagged-server": {
"rules": [
{
"principals": [
{ "nodeIP": "100.103.90.82" },
{ "nodeIP": "100.110.121.96" },
{ "nodeIP": "100.90.199.68" },
{ "nodeIP": "fd7a:115c:a1e0::1737:7960" },
{ "nodeIP": "fd7a:115c:a1e0::2d01:c747" },
{ "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }
],
"sshUsers": { "*": "=", "root": "" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
}
]
},
"tagged-prod": { "rules": [] }
}
}


@@ -0,0 +1,111 @@
{
"test_id": "SSH-F2",
"policy_file": "ssh_policies/ssh_f2.json",
"ssh_section": [
{
"action": "accept",
"src": [
"autogroup:member"
],
"dst": [
"tag:server"
],
"users": [
"root"
]
},
{
"action": "check",
"src": [
"autogroup:member"
],
"dst": [
"tag:server"
],
"users": [
"root"
]
}
],
"nodes": {
"user1": {
"rules": []
},
"user-kris": {
"rules": []
},
"user-mon": {
"rules": []
},
"tagged-server": {
"rules": [
{
"principals": [
{
"nodeIP": "100.103.90.82"
},
{
"nodeIP": "100.110.121.96"
},
{
"nodeIP": "100.90.199.68"
},
{
"nodeIP": "fd7a:115c:a1e0::1737:7960"
},
{
"nodeIP": "fd7a:115c:a1e0::2d01:c747"
},
{
"nodeIP": "fd7a:115c:a1e0::9e37:5a52"
}
],
"sshUsers": {
"root": "root"
},
"action": {
"holdAndDelegate": "unused-server-url/machine/ssh/action/from/$SRC_NODE_ID/to/$DST_NODE_ID?ssh_user=$SSH_USER&local_user=$LOCAL_USER",
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true,
"sessionDuration": 43200000000000
}
},
{
"principals": [
{
"nodeIP": "100.103.90.82"
},
{
"nodeIP": "100.110.121.96"
},
{
"nodeIP": "100.90.199.68"
},
{
"nodeIP": "fd7a:115c:a1e0::1737:7960"
},
{
"nodeIP": "fd7a:115c:a1e0::2d01:c747"
},
{
"nodeIP": "fd7a:115c:a1e0::9e37:5a52"
}
],
"sshUsers": {
"root": "root"
},
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
}
]
},
"tagged-prod": {
"rules": []
}
}
}
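Review bot: The expected rules for `tagged-server` are in the opposite order from the policy: `ssh_section` lists `accept` first and `check` second, but the `holdAndDelegate` rule is expected ahead of the `"accept": true` rule for the same principals and the same `root` user. Under the first-match-wins evaluation the commit message describes, the check rule is then the one that applies. That ordering appears to be the security-relevant behaviour this fixture pins, and nothing in the file says so. A field such as `"description": "check rule is expected before accept rule despite policy order"` would keep it from being corrected later by mistake, if the harness accepts extra keys. The `sessionDuration` of 43200000000000 with no `checkPeriod` in the policy also looks like a pinned default (12 hours if the unit is nanoseconds) and deserves the same mention.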


@@ -0,0 +1,144 @@
{
"test_id": "SSH-F3",
"policy_file": "ssh_policies/ssh_f3.json",
"ssh_section": [
{ "action": "accept", "src": ["autogroup:member"], "dst": ["tag:server"], "users": ["localpart:*@passkey"] },
{ "action": "accept", "src": ["autogroup:member"], "dst": ["tag:server"], "users": ["root"] }
],
"nodes": {
"user1": {
"rules": [
{
"principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
"sshUsers": { "root": "" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
},
{
"principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
"sshUsers": { "kratail2tid": "kratail2tid" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
}
]
},
"user-kris": {
"rules": [
{
"principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }],
"sshUsers": { "root": "" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
}
]
},
"user-mon": {
"rules": [
{
"principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
"sshUsers": { "root": "" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
},
{
"principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
"sshUsers": { "monitorpasskeykradalby": "monitorpasskeykradalby" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
}
]
},
"tagged-server": {
"rules": [
{
"principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
"sshUsers": { "root": "" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
},
{
"principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
"sshUsers": { "kratail2tid": "kratail2tid" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
},
{
"principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }],
"sshUsers": { "root": "" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
},
{
"principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
"sshUsers": { "root": "" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
},
{
"principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
"sshUsers": { "monitorpasskeykradalby": "monitorpasskeykradalby" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
},
{
"principals": [
{ "nodeIP": "100.103.90.82" },
{ "nodeIP": "100.110.121.96" },
{ "nodeIP": "100.90.199.68" },
{ "nodeIP": "fd7a:115c:a1e0::1737:7960" },
{ "nodeIP": "fd7a:115c:a1e0::2d01:c747" },
{ "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }
],
"sshUsers": { "root": "root" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
}
]
},
"tagged-prod": { "rules": [] }
}
}


@@ -0,0 +1,144 @@
{
"test_id": "SSH-F4",
"policy_file": "ssh_policies/ssh_f4.json",
"ssh_section": [
{ "action": "accept", "src": ["autogroup:member"], "dst": ["tag:server"], "users": ["localpart:*@passkey"] },
{ "action": "accept", "src": ["autogroup:member"], "dst": ["tag:server"], "users": ["autogroup:nonroot"] }
],
"nodes": {
"user1": {
"rules": [
{
"principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
"sshUsers": { "root": "" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
},
{
"principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
"sshUsers": { "kratail2tid": "kratail2tid" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
}
]
},
"user-kris": {
"rules": [
{
"principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }],
"sshUsers": { "root": "" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
}
]
},
"user-mon": {
"rules": [
{
"principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
"sshUsers": { "root": "" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
},
{
"principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
"sshUsers": { "monitorpasskeykradalby": "monitorpasskeykradalby" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
}
]
},
"tagged-server": {
"rules": [
{
"principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
"sshUsers": { "root": "" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
},
{
"principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
"sshUsers": { "kratail2tid": "kratail2tid" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
},
{
"principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }],
"sshUsers": { "root": "" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
},
{
"principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
"sshUsers": { "root": "" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
},
{
"principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
"sshUsers": { "monitorpasskeykradalby": "monitorpasskeykradalby" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
},
{
"principals": [
{ "nodeIP": "100.103.90.82" },
{ "nodeIP": "100.110.121.96" },
{ "nodeIP": "100.90.199.68" },
{ "nodeIP": "fd7a:115c:a1e0::1737:7960" },
{ "nodeIP": "fd7a:115c:a1e0::2d01:c747" },
{ "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }
],
"sshUsers": { "*": "=", "root": "" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
}
]
},
"tagged-prod": { "rules": [] }
}
}


@@ -0,0 +1,177 @@
{
"test_id": "SSH-F5",
"policy_file": "ssh_policies/ssh_f5.json",
"ssh_section": [
{ "action": "accept", "src": ["autogroup:member"], "dst": ["autogroup:self"], "users": ["localpart:*@passkey"] },
{ "action": "accept", "src": ["autogroup:member"], "dst": ["tag:server"], "users": ["localpart:*@passkey"] }
],
"nodes": {
"user1": {
"rules": [
{
"principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
"sshUsers": { "root": "" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
},
{
"principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
"sshUsers": { "kratail2tid": "kratail2tid" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
},
{
"principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
"sshUsers": { "root": "" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
},
{
"principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
"sshUsers": { "kratail2tid": "kratail2tid" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
}
]
},
"user-kris": {
"rules": [
{
"principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }],
"sshUsers": { "root": "" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
},
{
"principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }],
"sshUsers": { "root": "" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
}
]
},
"user-mon": {
"rules": [
{
"principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
"sshUsers": { "root": "" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
},
{
"principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
"sshUsers": { "monitorpasskeykradalby": "monitorpasskeykradalby" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
},
{
"principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
"sshUsers": { "root": "" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
},
{
"principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
"sshUsers": { "monitorpasskeykradalby": "monitorpasskeykradalby" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
}
]
},
"tagged-server": {
"rules": [
{
"principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
"sshUsers": { "root": "" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
},
{
"principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
"sshUsers": { "kratail2tid": "kratail2tid" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
},
{
"principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }],
"sshUsers": { "root": "" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
},
{
"principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
"sshUsers": { "root": "" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
},
{
"principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
"sshUsers": { "monitorpasskeykradalby": "monitorpasskeykradalby" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
}
}
]
},
"tagged-prod": { "rules": [] }
}
}
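Review bot: The expected rules for `user1` list the same two entries twice in a row (`root: ""` then `kratail2tid`), `user-mon` does the same, and `user-kris` carries `root: ""` twice, with nothing recording why. Presumably this is one copy per policy rule, which would mean the second rule's localpart entries are emitted on user-owned nodes even though its `dst` is `tag:server`; that should be confirmed against the capture. Under first-match-wins the repeats grant nothing new, but because the harness enforces strict rule order, the implementation has to reproduce them exactly. Strict JSON cannot hold a comment, so I would document it in the harness next to this case, e.g. `// SSH-F5: SaaS emits the localpart rules once per policy rule, also on nodes the rule's dst does not select`.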


@@ -0,0 +1,41 @@
{
"test_id": "SSH-G1",
"policy_file": "ssh_policies/ssh_g1.json",
"ssh_section": [
{
"action": "accept",
"src": ["autogroup:member"],
"dst": ["tag:server"],
"users": ["root"],
"acceptEnv": ["GIT_EDITOR", "TERM"]
}
],
"nodes": {
"user1": { "rules": [] },
"user-kris": { "rules": [] },
"user-mon": { "rules": [] },
"tagged-server": {
"rules": [
{
"principals": [
{ "nodeIP": "100.103.90.82" },
{ "nodeIP": "100.110.121.96" },
{ "nodeIP": "100.90.199.68" },
{ "nodeIP": "fd7a:115c:a1e0::1737:7960" },
{ "nodeIP": "fd7a:115c:a1e0::2d01:c747" },
{ "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }
],
"sshUsers": { "root": "root" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
},
"acceptEnv": ["GIT_EDITOR", "TERM"]
}
]
},
"tagged-prod": { "rules": [] }
}
}


@@ -0,0 +1,41 @@
{
"test_id": "SSH-G2",
"policy_file": "ssh_policies/ssh_g2.json",
"ssh_section": [
{
"action": "accept",
"src": ["autogroup:member"],
"dst": ["tag:server"],
"users": ["root"],
"acceptEnv": ["GIT_*", "CUSTOM_VAR_?"]
}
],
"nodes": {
"user1": { "rules": [] },
"user-kris": { "rules": [] },
"user-mon": { "rules": [] },
"tagged-server": {
"rules": [
{
"principals": [
{ "nodeIP": "100.103.90.82" },
{ "nodeIP": "100.110.121.96" },
{ "nodeIP": "100.90.199.68" },
{ "nodeIP": "fd7a:115c:a1e0::1737:7960" },
{ "nodeIP": "fd7a:115c:a1e0::2d01:c747" },
{ "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }
],
"sshUsers": { "root": "root" },
"action": {
"accept": true,
"allowAgentForwarding": true,
"allowLocalPortForwarding": true,
"allowRemotePortForwarding": true
},
"acceptEnv": ["GIT_*", "CUSTOM_VAR_?"]
}
]
},
"tagged-prod": { "rules": [] }
}
}
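Review bot: Only the pass-through of `acceptEnv` globs is pinned here: `GIT_*` and `CUSTOM_VAR_?` appear unchanged in the compiled rule for `tagged-server`, on a rule that maps to `root`. `GIT_*` is broad enough to include variables that influence what git runs on the destination, so the compiler's handling of over-broad or malformed patterns matters more than this happy path. If no other fixture in the SSH-G series covers it, I would capture one more case whose `acceptEnv` holds a bare `*` and an empty string, so the expected result is pinned rather than implied. It would also help to state in the harness that `acceptEnv` is compared in order, e.g. `// acceptEnv is compared as an ordered list`, if that is what `cmp.Diff` is configured to do.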