Add Openssh integration tests to CI (#942)

aws · May 10, 2023 · 0a4a615 · 0a4a615
1 parent a106ff0
commit 0a4a615
Show file tree

Hide file tree

Showing 3 changed files with 134 additions and 0 deletions.
diff --git a/tests/ci/cdk/cdk/codebuild/github_ci_linux_x86_omnibus.yaml b/tests/ci/cdk/cdk/codebuild/github_ci_linux_x86_omnibus.yaml
@@ -353,6 +353,14 @@ batch:
         compute-type: BUILD_GENERAL1_LARGE
         image: 620771051181.dkr.ecr.us-west-2.amazonaws.com/aws-lc-docker-images-linux-x86:ubuntu-20.04_clang-9x_latest
 
+    - identifier: openssh_integration
+      buildspec: ./tests/ci/codebuild/linux-x86/openssh_integration.yml
+      env:
+        type: LINUX_CONTAINER
+        privileged-mode: false
+        compute-type: BUILD_GENERAL1_LARGE
+        image: 620771051181.dkr.ecr.us-west-2.amazonaws.com/aws-lc-docker-images-linux-x86:amazonlinux-2023_clang-15x_sanitizer_latest
+
     - identifier: postgres_integration
       buildspec: ./tests/ci/codebuild/linux-x86/postgres_integration.yml
       env:

diff --git a/tests/ci/codebuild/linux-x86/openssh_integration.yml b/tests/ci/codebuild/linux-x86/openssh_integration.yml
@@ -0,0 +1,9 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0 OR ISC
+
+version: 0.2
+
+phases:
+  build:
+    commands:
+      - ./tests/ci/run_openssh_integration.sh
diff --git a/tests/ci/run_openssh_integration.sh b/tests/ci/run_openssh_integration.sh
@@ -0,0 +1,117 @@
+#!/bin/bash -exu
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0 OR ISC
+
+source tests/ci/common_posix_setup.sh
+
+# Set up environment.
+
+# ROOT
+#  |
+#  - AWS_LC_DIR
+#    |
+#    - aws-lc
+#  |
+#  - SCRATCH_FOLDER
+#    |
+#    - openssh-portable
+#    - AWS_LC_BUILD_FOLDER
+#    - AWS_LC_INSTALL_FOLDER
+#    - OPENSSH_INSTALL_FOLDER
+
+# Assumes script is executed from the root of aws-lc directory
+AWS_LC_DIR=$(pwd)
+pushd ..
+ROOT=$(pwd)
+popd
+
+SCRATCH_FOLDER="${ROOT}/SCRATCH_AWSLC_OPENSSH_INTERN_TEST"
+AWS_LC_BUILD_FOLDER="${SCRATCH_FOLDER}/aws-lc-build"
+AWS_LC_INSTALL_FOLDER="${SCRATCH_FOLDER}/aws-lc-install"
+OPENSSH_WORKSPACE_FOLDER="${SCRATCH_FOLDER}/openssh-portable"
+OPENSSH_INSTALL_FOLDER="${SCRATCH_FOLDER}/openssh-install"
+
+NINJA_COMMAND=ninja
+if ! ${NINJA_COMMAND} --version; then
+  NINJA_COMMAND=ninja-build
+fi
+
+# Make script execution idempotent.
+rm -rf "${SCRATCH_FOLDER}"
+mkdir -p "${SCRATCH_FOLDER}"
+pushd "${SCRATCH_FOLDER}"
+
+# Test helper functions.
+
+function aws_lc_build() {
+  export GOPROXY=direct
+  ${CMAKE_COMMAND} "${AWS_LC_DIR}" -GNinja "-B${AWS_LC_BUILD_FOLDER}" "-DCMAKE_INSTALL_PREFIX=${AWS_LC_INSTALL_FOLDER}" "$@"
+  ${NINJA_COMMAND} -C "${AWS_LC_BUILD_FOLDER}" install
+  ls -R "${AWS_LC_INSTALL_FOLDER}"
+  rm -rf "${AWS_LC_BUILD_FOLDER:?}"/*
+}
+
+function install_aws_lc() {
+  AWS_LC_LIB_FOLDER=$(readlink -f "${AWS_LC_INSTALL_FOLDER}"/lib*)
+  # This installs AWS-LC as the "libcrypto" for the system
+  echo "${AWS_LC_LIB_FOLDER}" > /etc/ld.so.conf.d/aws-lc.conf
+  rm -f /etc/ld.so.cache
+  ldconfig
+}
+
+function openssh_build() {
+  pushd "${OPENSSH_WORKSPACE_FOLDER}"
+  autoreconf
+  # The RSA_meth_XXX functions are not implemented by AWS-LC, and the implementation provided by OpenSSH also doesn't compile for us.
+  # Fortunately, these functions are only needed for pkcs11 support, which is disabled for our build.
+  # See: https://github.com/openssh/openssh-portable/pull/385
+  export CFLAGS="-DAWS_LC_INTERNAL_IGNORE_BN_SET_FLAGS=1 -DHAVE_RSA_METH_FREE=1 -DHAVE_RSA_METH_DUP=1 -DHAVE_RSA_METH_SET1_NAME=1 -DHAVE_RSA_METH_SET_PRIV_ENC=1 -DHAVE_RSA_METH_SET_PRIV_DEC=1"
+  ./configure --with-ssl-dir="${AWS_LC_INSTALL_FOLDER}" --prefix="${OPENSSH_INSTALL_FOLDER}" --disable-pkcs11
+  make install
+  ls -R "${OPENSSH_INSTALL_FOLDER}"
+  popd
+}
+
+function checkout_openssh_branch() {
+  pushd "${OPENSSH_WORKSPACE_FOLDER}"
+  make clean
+  git clean -f -d
+  git checkout --track origin/"$1"
+  popd
+}
+
+function openssh_run_tests() {
+  pushd "${OPENSSH_WORKSPACE_FOLDER}"
+  if ! id -u sshd; then
+    useradd sshd
+  fi
+  export TEST_SSH_UNSAFE_PERMISSIONS=1
+  export SKIP_LTESTS="$@"
+  make tests
+  popd
+}
+
+mkdir -p "${AWS_LC_BUILD_FOLDER}" "${AWS_LC_INSTALL_FOLDER}" "${OPENSSH_INSTALL_FOLDER}"
+
+# Get latest OpenSSH version.
+git clone https://github.com/openssh/openssh-portable.git
+ls
+
+# Buld AWS-LC as a shared library
+aws_lc_build -DBUILD_SHARED_LIBS=1
+install_aws_lc
+
+CODEBUILD_SKIPPED_TESTS="agent-subprocess forwarding multiplex forward-control agent-restrict connection-timeout"
+
+# Using default branch. Build openssh and run tests.
+openssh_build
+openssh_run_tests "${CODEBUILD_SKIPPED_TESTS}"
+
+# Using branch V_8_9
+checkout_openssh_branch V_8_9
+openssh_build
+# In v8.9, the "percent" test requires the 'openssl' cli command
+openssh_run_tests "percent ${CODEBUILD_SKIPPED_TESTS}"
+
+popd
+