diff --git a/scripts/reboot-recovery/collect-windows99-vmware-verify.sh b/scripts/reboot-recovery/collect-windows99-vmware-verify.sh
index def418fc6..4eea4f11f 100755
--- a/scripts/reboot-recovery/collect-windows99-vmware-verify.sh
+++ b/scripts/reboot-recovery/collect-windows99-vmware-verify.sh
@@ -7,13 +7,19 @@ CONNECT_TIMEOUT="${WINDOWS99_CONNECT_TIMEOUT:-3}"
 SSH_TIMEOUT="${WINDOWS99_SSH_TIMEOUT:-3}"
 SSH_PORT="${WINDOWS99_SSH_PORT:-22}"
 MAX_AUTH_USERS="${WINDOWS99_MAX_AUTH_USERS:-2}"
+MAX_AUTH_USERS_EXPLICIT=0
+if [[ -n "${WINDOWS99_MAX_AUTH_USERS:-}" ]]; then
+ MAX_AUTH_USERS_EXPLICIT=1
+fi
 KNOWN_HOSTS_FILE="${WINDOWS99_KNOWN_HOSTS_FILE:-/tmp/awoooi-windows99-known_hosts}"
 REMOTE_VERIFY_COMMAND="${WINDOWS99_REMOTE_VERIFY_COMMAND:-powershell -NoProfile -ExecutionPolicy Bypass -File .\\windows99-vmware-autostart.ps1 -Mode Verify}"
 SSH_USERS=(ogt wooo ooo administrator Administrator)
+SSH_USERS_EXPLICIT=0
 if [[ -n "${WINDOWS99_SSH_USERS:-}" ]]; then
 # shellcheck disable=SC2206
 SSH_USERS=(${WINDOWS99_SSH_USERS})
+ SSH_USERS_EXPLICIT=1
 fi
 is_positive_int() {
@@ -50,6 +56,7 @@ while [[ $# -gt 0 ]]; do
 shift
 # shellcheck disable=SC2206
 SSH_USERS=(${1:-})
+ SSH_USERS_EXPLICIT=1
 ;;
 --timeout)
 shift
@@ -78,6 +85,12 @@ fi
 if ! is_positive_int "${MAX_AUTH_USERS}"; then
 MAX_AUTH_USERS=2
 fi
+if [[ "${SSH_USERS_EXPLICIT}" == "1" && "${MAX_AUTH_USERS_EXPLICIT}" != "1" ]]; then
+ MAX_AUTH_USERS="${#SSH_USERS[@]}"
+fi
+if ! is_positive_int "${MAX_AUTH_USERS}"; then
+ MAX_AUTH_USERS=2
+fi
 if [[ "${MODE}" != "check" && "${MODE}" != "collect" ]]; then
 printf '%s\n' "error=invalid_mode:${MODE}" >&2
diff --git a/scripts/reboot-recovery/tests/test_windows99_vmware_verify_collector.py b/scripts/reboot-recovery/tests/test_windows99_vmware_verify_collector.py
index 96e633710..56adfbb7f 100644
--- a/scripts/reboot-recovery/tests/test_windows99_vmware_verify_collector.py
+++ b/scripts/reboot-recovery/tests/test_windows99_vmware_verify_collector.py
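Review bot: The new `MAX_AUTH_USERS_EXPLICIT` and `SSH_USERS_EXPLICIT` flags are defined in this hunk but only consumed by the derivation some seventy lines later, and nothing at the definition explains why an explicit user list should change the probe limit. A one-line comment above `MAX_AUTH_USERS_EXPLICIT=0` would make the coupling visible to the next reader: `# 1 when the operator pinned a limit; otherwise an explicit --users/WINDOWS99_SSH_USERS list sizes MAX_AUTH_USERS to cover every listed account`. Note that the `-n` test treats an empty `WINDOWS99_MAX_AUTH_USERS` as unset, which is consistent with how `WINDOWS99_SSH_USERS` is handled a few lines below.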
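Review bot: An explicitly set but invalid `WINDOWS99_MAX_AUTH_USERS` still suppresses the new derivation in the third hunk: the first `is_positive_int` guard resets the value to 2 but leaves `MAX_AUTH_USERS_EXPLICIT=1`, so a run with `--users` naming five accounts and a mistyped limit probes only two of them and emits nothing about the discarded setting. If a bad limit is meant to fall back to the list size, clear the flag in that branch, `MAX_AUTH_USERS=2; MAX_AUTH_USERS_EXPLICIT=0`; if not, at least print a `printf '%s\n' "warning=invalid_max_auth_users_reset" >&2` there so the silent override is observable. Running the derivation before a single guard would also remove the duplicated `is_positive_int` check, since `${#SSH_USERS[@]}` can be 0 for an empty list and the second check exists only for that case. Because the default limit now grows with the list, each run opens one unauthenticated probe per listed account, which deserves a comment beside the derivation so operators tuning sshd connection limits know the bound follows the list length; the option parsing that feeds these variables is outside the hunk.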
@@ -111,6 +111,45 @@ def test_check_mode_reports_open_ports_and_missing_publickey_auth(tmp_path: Path
 assert values["windows_update_policy_apply_performed"] == "false"
+def test_check_mode_probes_all_explicit_users_without_secret_prompt(tmp_path: Path) -> None:
+ fake_bin = tmp_path / "bin"
+ fake_bin.mkdir()
+ _write_executable(
+ fake_bin / "nc",
+ """
+ #!/usr/bin/env bash
+ port="${!#}"
+ if [[ "$port" == "22" || "$port" == "3389" ]]; then
+ exit 0
+ fi
+ exit 1
+ """,
+ )
+ _write_executable(
+ fake_bin / "ssh",
+ """
+ #!/usr/bin/env bash
+ exit 255
+ """,
+ )
+
+ result = _run_collector(
+ fake_bin,
+ "--check",
+ "--users",
+ "ogt wooo ooo administrator Administrator",
+ )
+
+ assert result.returncode == 0
+ values = _key_values(result.stdout)
+ assert values["ssh_auth_probe_user_limit"] == "5"
+ assert values["ssh_auth_probed_users"] == "5"
+ assert values["ssh_batchmode_auth_ready"] == "0"
+ assert values["verify_collection_status"] == "blocked_ssh_publickey_auth_missing"
+ assert values["secret_value_read"] == "false"
+ assert values["password_prompt_allowed"] == "false"
+
+
 def test_collect_mode_blocks_without_publickey_auth(tmp_path: Path) -> None:
 fake_bin = tmp_path / "bin"
 fake_bin.mkdir()
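Review bot: The fake `ssh` in the new test exits 255 regardless of its arguments, so the `secret_value_read` and `password_prompt_allowed` assertions only echo flags the collector sets about itself, and the "without_secret_prompt" claim in the test name is never checked against the actual ssh invocation. If the collector passes `-o BatchMode=yes`, as the `ssh_batchmode_auth_ready` key suggests, make the stub refuse anything else, `[[ " $* " == *"BatchMode=yes"* ]] || exit 99`, placed before `exit 255`, and have it append `$*` to a log file under `tmp_path` so `ssh_auth_probed_users == "5"` can be backed by five observed calls rather than the collector's own counter. `port="${!#}"` assumes the collector passes the port as nc's last argument; a short comment stating that contract would save the next reader a trip into the script. The nc/ssh stub setup is now repeated across adjacent tests and could move into a small helper that returns `fake_bin`.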