.. _example_service_ssh_access-control_sshaccesscontrol:

##################
Ssh Access Control
##################

Test suite for validating SSH access control options

*************
SSH User Deny
*************

Description
===========

Check that enforcing a user denial will work as expected. ``Test_user`` is set to be
denied through SSH connection, then a connection through this user is tried expecting
failure to connect. ``Admin`` user that hasn't been denied is also tested to confirm unchanged
behavior in this case.

Scenario
========

.. include:: sshaccesscontrol/sshuserdeny

.. raw:: html

  <hr>

**************
SSH User Allow
**************

Description
===========

Check that allowing a user will only let that user connect to the device.
``Test_user`` is set to be unallowed through SSH connection, then a connection through
this user is tried expecting to connect unsuccessfully. The next step will try a SSH connection
through ``Admin`` which is the allowed user, then the connection is succesfull.

Scenario
========

.. include:: sshaccesscontrol/sshuserallow

.. raw:: html

  <hr>

*************
SSH Role Deny
*************

Description
===========

Check that enforcing a role denial will work as expected. ``Test_user`` and ``test_role`` are created
and then the role is assigned to the user. The role is set to be unallowed through SSH connection, then a connection
through this user is tried expecting a failure. The ``admin`` user is also tried to ensure that users that haven't been
denied can still access the router.

Scenario
========

.. include:: sshaccesscontrol/sshroledeny

.. raw:: html

  <hr>

**************
SSH Role Allow
**************

Description
===========

Check that enforcing a role permission will work as expected. Two users and two roles are created.
The roles are assigned to each of the users. ``Test_role`` is then allowed and an SSH connection is tried
with the ``test_user`` assigned that role, expecting to succeed.
``Test_user2`` is tried to ensure the deny by default behavior once an allow is set.

Scenario
========

.. include:: sshaccesscontrol/sshroleallow

.. raw:: html

  <hr>