tailscale/ssh/tailssh/testcontainers/Dockerfile

ARG BASE
FROM ${BASE}

ARG BASE

RUN echo "Install openssh, needed for scp. Also install python3"
RUN if echo "$BASE" | grep "ubuntu:"; then apt-get update -y && apt-get install -y openssh-client python3 python3-pip; fi
RUN if echo "$BASE" | grep "alpine:"; then apk add openssh python3 py3-pip; fi

RUN echo "Install paramiko"
RUN pip3 install paramiko==3.5.1 || pip3 install --break-system-packages paramiko==3.5.1

# Note - on Ubuntu, we do not create the user's home directory, pam_mkhomedir will do that
# for us, and we want to test that PAM gets triggered by Tailscale SSH.
RUN if echo "$BASE" | grep "ubuntu:"; then groupadd -g 10000 groupone && groupadd -g 10001 grouptwo && useradd -g 10000 -G 10001 -u 10002 testuser; fi
# On Alpine, we can't configure pam_mkhomdir, so go ahead and create home directory.
RUN if echo "$BASE" | grep "alpine:"; then addgroup -g 10000 groupone && addgroup -g 10001 grouptwo && adduser -u 10002 -D testuser && addgroup testuser groupone && addgroup testuser grouptwo; fi

RUN if echo "$BASE" | grep "ubuntu:"; then \
    echo "Set up pam_mkhomedir." && \
    sed -i -e 's/Default: no/Default: yes/g' /usr/share/pam-configs/mkhomedir && \
    cat /usr/share/pam-configs/mkhomedir && \
    pam-auth-update --enable mkhomedir \
    ; fi

COPY tailscaled .
COPY tailssh.test .

RUN chmod 755 tailscaled

# Run tests normally.
# On Ubuntu, delete testuser's home directory between tests to verify
# that PAM's pam_mkhomedir recreates it each time.
RUN set -e && \
    eval $(ssh-agent -s) && \
    TAILSCALED_PATH=$(pwd)/tailscaled ./tailssh.test -test.v -test.run TestSSHAgentForwarding && \
    if echo "$BASE" | grep -q "ubuntu:"; then rm -Rf /home/testuser; fi && \
    TAILSCALED_PATH=$(pwd)/tailscaled ./tailssh.test -test.v -test.run TestIntegrationSFTP && \
    if echo "$BASE" | grep -q "ubuntu:"; then rm -Rf /home/testuser; fi && \
    TAILSCALED_PATH=$(pwd)/tailscaled ./tailssh.test -test.v -test.run TestIntegrationSCP && \
    if echo "$BASE" | grep -q "ubuntu:"; then rm -Rf /home/testuser; fi && \
    TAILSCALED_PATH=$(pwd)/tailscaled ./tailssh.test -test.v -test.run TestIntegrationSSH && \
    if echo "$BASE" | grep -q "ubuntu:"; then rm -Rf /home/testuser; fi && \
    TAILSCALED_PATH=$(pwd)/tailscaled ./tailssh.test -test.v -test.run TestIntegrationParamiko && \
    TAILSCALED_PATH=$(pwd)/tailscaled ./tailssh.test -test.v -test.run TestLocalUnixForwarding && \
    TAILSCALED_PATH=$(pwd)/tailscaled ./tailssh.test -test.v -test.run TestReverseUnixForwarding && \
    TAILSCALED_PATH=$(pwd)/tailscaled ./tailssh.test -test.v -test.run TestUnixForwardingDenied && \
    TAILSCALED_PATH=$(pwd)/tailscaled ./tailssh.test -test.v -test.run TestUnixForwardingPathRestriction

# Run tests as non-root user testuser and make sure tests still pass.
RUN set -e && \
    touch /tmp/tailscalessh.log && \
    chown testuser:groupone /tmp/tailscalessh.log && \
    export TAILSCALED_PATH=$(pwd)/tailscaled && \
    eval $(su -m testuser -c "ssh-agent -s") && \
    su -m testuser -c "./tailssh.test -test.v -test.run 'TestSSHAgentForwarding|TestIntegration|TestDoDropPrivileges'" && \
    echo "Also, deny everyone access to the user's home directory and make sure non file-related tests still pass." && \
    mkdir -p /home/testuser && chown testuser:groupone /home/testuser && chmod 0000 /home/testuser && \
    SKIP_FILE_OPS=1 su -m testuser -c "./tailssh.test -test.v -test.run TestIntegrationSSH" && \
    chmod 0755 /home/testuser && \
    chown root:root /tmp/tailscalessh.log

# On Ubuntu, run tests pretending to be SELinux in enforcing mode.
RUN if echo "$BASE" | grep -q "ubuntu:"; then \
    set -e && \
    echo "Run tests in a system that's pretending to be SELinux in enforcing mode" && \
    mv /usr/bin/login /tmp/login_orig && \
    echo "adsfasdfasdf" > /usr/bin/login && \
    chmod 755 /usr/bin/login && \
    printf "#!/bin/bash\necho 'Enforcing'" > /usr/bin/getenforce && \
    chmod 755 /usr/bin/getenforce && \
    eval $(ssh-agent -s) && \
    TAILSCALED_PATH=$(pwd)/tailscaled ./tailssh.test -test.v -test.run 'TestSSHAgentForwarding|TestIntegration' && \
    mv /tmp/login_orig /usr/bin/login && \
    rm /usr/bin/getenforce \
    ; fi

# Remove the login command and make sure tests still pass.
RUN set -e && \
    rm $(which login) && \
    eval $(ssh-agent -s) && \
    TAILSCALED_PATH=$(pwd)/tailscaled ./tailssh.test -test.v -test.run TestSSHAgentForwarding && \
    if echo "$BASE" | grep -q "ubuntu:"; then rm -Rf /home/testuser; fi && \
    TAILSCALED_PATH=$(pwd)/tailscaled ./tailssh.test -test.v -test.run TestIntegrationSFTP && \
    if echo "$BASE" | grep -q "ubuntu:"; then rm -Rf /home/testuser; fi && \
    TAILSCALED_PATH=$(pwd)/tailscaled ./tailssh.test -test.v -test.run TestIntegrationSCP && \
    if echo "$BASE" | grep -q "ubuntu:"; then rm -Rf /home/testuser; fi && \
    TAILSCALED_PATH=$(pwd)/tailscaled ./tailssh.test -test.v -test.run TestIntegrationSSH

# Remove the su command and make sure tests still pass.
RUN set -e && \
    chown root:root /tmp/tailscalessh.log && \
    rm $(which su) && \
    eval $(ssh-agent -s) && \
    TAILSCALED_PATH=$(pwd)/tailscaled ./tailssh.test -test.v -test.run 'TestSSHAgentForwarding|TestIntegration|TestDoDropPrivileges'