def test_iso_http_check_MIME_allow_a3(self):
# 下发配置
print(
'1、下发http的隔离代理:代理ip为前置机安全卡的ip,port为2287,等待nginx的24个进程起来;预期cat /etc/jsac/http.stream应该包含代理ip和port,且netstat -anp |grep tcp应该可以查看到监听ip和端口'
)
fun.send(rbmExc, message.addhttp_front['AddCustomAppPolicy'],
FrontDomain, base_path)
fun.send(rbmExc, message.addhttp_back['AddCustomAppPolicy'],
BackDomain, base_path)
fun.wait_data('ps -ef |grep nginx', 'FrontDut',
'nginx: worker process')
front_res = fun.nginx_worker('ps -ef |grep nginx',
'FrontDut',
'nginx: worker process',
name='前置机nginx进程')
assert front_res == 1
fun.wait_data('ps -ef |grep nginx', 'BackDut', 'nginx: worker process')
back_res = fun.nginx_worker('ps -ef |grep nginx',
'BackDut',
'nginx: worker process',
name='后置机nginx进程')
assert back_res == 1
# 检查配置下发是否成功
for key in self.case1_step1:
re = fun.wait_data(self.case1_step1[key][0], 'FrontDut',
self.case1_step1[key][1], '配置', 100)
print(re)
assert self.case1_step1[key][1] in re
for key in self.case1_step11:
re = fun.wait_data(self.case1_step11[key][0], 'FrontDut',
self.case1_step11[key][1], '配置', 100)
print(re)
assert self.case1_step11[key][1] in re
# 数据检查
print(
'2、下发http的MIME白名单,参数为:所有MIME类型,等待nginx的24个进程起来;cat /etc/jsac/http.json文件应该包含:s_content_type和MIME所有类型'
)
fun.send(rbmExc, message.httpcheck3['SetHttpCheck'], FrontDomain,
base_path)
fun.wait_data('ps -ef |grep nginx', 'FrontDut',
'nginx: worker process')
add_res2 = fun.nginx_worker('ps -ef |grep nginx', 'FrontDut',
'nginx: worker process')
assert add_res2 == 1
for key in self.case3_step2:
re = fun.wait_data(self.case3_step2[key][0], 'FrontDut',
self.case3_step2[key][1], '配置', 100)
print(re)
assert self.case3_step2[key][1] in re
MIME_res = fun.cmd(
r"cat /usr/local/nginx/lua/http.lua | grep =\{ | grep -v local",
'FrontDut')
print('查看MIME白名单为:{}'.format(MIME_res))
# 发送get请求,不指定内容的普通请求
print('3、控制台发送get请求,不包含请求内容;请求成功,请求到的内容为server的index.html文件内包含的内容')
content = http_check.http_get(http_url)
print('get普通请求的请求内容为:{}'.format(content))
assert content == http_content
# 发送get请求,请求内容包含MIME白名单
print('4、控制台发送get请求,请求内容包含MIME白名单:doc;请求成功,状态码返回为200')
status_code = http_check.http_get(self.base_uri, self.data, flag=1)
print('get请求内容包含MIME白名单返回的状态码为:{}'.format(status_code))
assert status_code == 200
# 发送get请求,请求内容包含MIME第一个白名单
print('5、控制台发送get请求,请求内容包含MIME白名单:js;请求成功,状态码返回为200')
status_code1 = http_check.http_get(self.case2_uri1, self.data, flag=1)
print('get请求内容包含MIM第一个白名单{}返回的状态码为:{}'.format(self.case2_uri1,
status_code1))
assert status_code1 == 200
# 发送get请求,请求内容包含MIME第二个白名单
print('6、控制台发送get请求,请求内容包含MIME白名单:mps;请求成功,状态码返回为200')
status_code2 = http_check.http_get(self.case2_uri2, self.data, flag=1)
print('get请求内容包含MIM第二个白名单{}返回的状态码为:{}'.format(self.case2_uri2,
status_code2))
assert status_code2 == 200
# 发送get请求,请求内容包含MIME第三个白名单
print('7、控制台发送get请求,请求内容包含MIME白名单:gif;请求成功,状态码返回为200')
status_code3 = http_check.http_get(self.case2_uri3, self.data, flag=1)
print('get请求内容包含MIM第三个白名单{}返回的状态码为:{}'.format(self.case2_uri3,
status_code3))
assert status_code3 == 200
# 发送get请求,请求内容包含MIME第四个白名单
print('8、控制台发送get请求,请求内容包含MIME白名单:tsv;请求成功,状态码返回为200')
status_code4 = http_check.http_get(self.case2_uri4, self.data, flag=1)
print('get请求内容包含MIM第四个白名单{}返回的状态码为:{}'.format(self.case2_uri4,
status_code4))
assert status_code4 == 200
# 发送get请求,请求内容包含MIME第五个白名单
print('9、控制台发送get请求,请求内容包含MIME白名单:avi;请求成功,状态码返回为200')
status_code5 = http_check.http_get(self.case2_uri5, self.data, flag=1)
print('get请求内容包含MIM第五个白名单{}返回的状态码为:{}'.format(self.case2_uri5,
status_code5))
assert status_code5 == 200
# 移除策略,还原环境
print(
'10、移除代理策略,清空环境,等待nginx的24个进程起来;netstat -anp |grep tcp应该查看不到监听ip和端口'
)
fun.send(rbmExc, message.delhttp_front['DelCustomAppPolicy'],
FrontDomain, base_path)
fun.send(rbmExc, message.delhttp_back['DelCustomAppPolicy'],
BackDomain, base_path)
fun.wait_data('ps -ef |grep nginx', 'FrontDut',
'nginx: worker process')
fdel_res = fun.nginx_worker('ps -ef |grep nginx',
'FrontDut',
'nginx: worker process',
name='前置机nginx进程')
assert fdel_res == 1
fun.wait_data('ps -ef |grep nginx', 'BackDut', 'nginx: worker process')
bdel_res = fun.nginx_worker('ps -ef |grep nginx',
'BackDut',
'nginx: worker process',
name='后置机nginx进程')
assert bdel_res == 1
# 检查策略移除是否成功
for key in self.case1_step1:
re = fun.wait_data(self.case1_step1[key][0],
'FrontDut',
self.case1_step1[key][1],
'配置',
100,
flag='不存在')
print(re)
assert self.case1_step1[key][1] not in re
# 检查网页访问策略是否清空
print(
'11、移除网页访问策略,等待nginx的24个进程起来;cat /etc/jsac/http.json文件应该不包含:http协议'
)
fun.send(rbmExc, message.delhttpcheck['DropHttpCheck'], FrontDomain,
base_path)
fun.wait_data('ps -ef |grep nginx', 'FrontDut',
'nginx: worker process')
del_res2 = fun.nginx_worker('ps -ef |grep nginx', 'FrontDut',
'nginx: worker process')
assert del_res2 == 1
for key in self.delcheck:
re = fun.wait_data(self.delcheck[key][0],
'FrontDut',
self.delcheck[key][1],
'配置',
100,
flag='不存在')
assert self.delcheck[key][1] not in re
def test_iso_http_check_uri_a2(self):
# 下发配置
print('1、下发http的隔离代理:代理ip为前置机安全卡的ip,port为2287,等待nginx的24个进程起来;预期netstat -anp |grep tcp应该可以查看到监听ip和端口')
fun.send(rbmExc, message.addhttp_front['AddCustomAppPolicy'], FrontDomain, base_path)
fun.send(rbmExc, message.addhttp_back['AddCustomAppPolicy'], BackDomain, base_path)
fun.wait_data('ps -ef |grep nginx', 'FrontDut', 'nginx: worker process')
front_res = fun.nginx_worker('ps -ef |grep nginx', 'FrontDut', 'nginx: worker process', name='前置机nginx进程')
assert front_res == 1
fun.wait_data('ps -ef |grep nginx', 'BackDut', 'nginx: worker process')
back_res = fun.nginx_worker('ps -ef |grep nginx', 'BackDut', 'nginx: worker process', name='后置机nginx进程')
assert back_res == 1
# 检查配置下发是否成功
for key in self.case1_step1:
re = fun.wait_data(self.case1_step1[key][0], 'FrontDut', self.case1_step1[key][1], '配置', 100)
print(re)
assert self.case1_step1[key][1] in re
for key in self.case1_step11:
re = fun.wait_data(self.case1_step11[key][0], 'FrontDut', self.case1_step11[key][1], '配置', 100)
print(re)
assert self.case1_step11[key][1] in re
# 数据检查
print('2、下发多个http的get黑名单,参数1为:test,参数2为juson,等待nginx的24个进程起来;cat /etc/jsac/http.json文件应该包含:c_http_uri和uri黑名单参数:test和juson')
fun.send(rbmExc, message.httpcheck2['SetHttpCheck'], FrontDomain, base_path)
fun.wait_data('ps -ef |grep nginx', 'FrontDut', 'nginx: worker process')
add_res2 = fun.nginx_worker('ps -ef |grep nginx', 'FrontDut', 'nginx: worker process')
assert add_res2 == 1
for key in self.case2_step2:
re = fun.wait_data(self.case2_step2[key][0], 'FrontDut', self.case2_step2[key][1], '配置', 100)
print(re)
assert self.case2_step2[key][1] in re
# 发送get请求,不包含黑名单内容的普通请求
print('3、控制台发送get请求,不包含请求内容;请求成功,请求到的内容为server的index.html文件内包含的内容')
content = http_check.http_get(http_url)
print('多个黑名单时get普通请求的请求内容为:{}'.format(content))
assert content == http_content
# 发送post请求,不包含黑名单内容的普通请求
print('4、控制台发送post请求,不包含请求内容;请求成功,请求到的内容为server的index.html文件内包含的内容')
content = http_check.http_post(http_url)
print('多个黑名单时get普通请求的请求内容为:{}'.format(content))
assert content == http_content
# 发送get请求,请求内容包含第一个黑名单
print('5、控制台发送get请求,请求内容包含黑名单test;请求失败,状态码返回为403')
status_code = http_check.http_get(self.case2_uri1,self.data)
print('多个黑名单时get请求内容包含第一个黑名单返回的状态码为:{}'.format(status_code))
assert status_code == 403
# 发送post请求,请求内容包含第一个黑名单
print('6、控制台发送post请求,请求内容包含黑名单test;请求失败,状态码返回为403')
status_code = http_check.http_post(self.case2_uri1, self.data)
print('多个黑名单时get请求内容包含第一个黑名单返回的状态码为:{}'.format(status_code))
assert status_code == 403
# 发送get请求,请求内容包含第二个黑名单
print('7、控制台发送get请求,请求内容包含黑名单juson;请求失败,状态码返回为403')
status_code = http_check.http_get(self.case2_uri2, self.data)
print('多个黑名单时get请求内容包含第二个黑名单返回的状态码为:{}'.format(status_code))
assert status_code == 403
# 发送post请求,请求内容包含第二个黑名单
print('8、控制台发送post请求,请求内容包含黑名单juson;请求失败,状态码返回为403')
status_code = http_check.http_post(self.case2_uri2, self.data)
print('多个黑名单时get请求内容包含第二个黑名单返回的状态码为:{}'.format(status_code))
assert status_code == 403
# 移除策略,还原环境
print('9、移除代理策略,清空环境,等待nginx的24个进程起来;netstat -anp |grep tcp应该查看不到监听ip和端口')
fun.send(rbmExc, message.delhttp_front['DelCustomAppPolicy'], FrontDomain, base_path)
fun.send(rbmExc, message.delhttp_back['DelCustomAppPolicy'], BackDomain, base_path)
fun.wait_data('ps -ef |grep nginx', 'FrontDut', 'nginx: worker process')
fdel_res = fun.nginx_worker('ps -ef |grep nginx', 'FrontDut', 'nginx: worker process', name='前置机nginx进程')
assert fdel_res == 1
fun.wait_data('ps -ef |grep nginx', 'BackDut', 'nginx: worker process')
bdel_res = fun.nginx_worker('ps -ef |grep nginx', 'BackDut', 'nginx: worker process', name='后置机nginx进程')
assert bdel_res == 1
# 检查策略移除是否成功
for key in self.case1_step1:
re = fun.wait_data(self.case1_step1[key][0], 'FrontDut', self.case1_step1[key][1], '配置', 100, flag='不存在')
print(re)
assert self.case1_step1[key][1] not in re
# 检查网页访问策略是否清空
print('10、移除网页访问策略,等待nginx的24个进程起来;cat /etc/jsac/http.json文件应该不包含:c_http_uri和uri黑名单参数:test、juson')
fun.send(rbmExc, message.delhttpcheck['DropHttpCheck'], FrontDomain, base_path)
fun.wait_data('ps -ef |grep nginx', 'FrontDut', 'nginx: worker process')
del_res2 = fun.nginx_worker('ps -ef |grep nginx', 'FrontDut', 'nginx: worker process')
assert del_res2 == 1
for key in self.delcheck:
re = fun.wait_data(self.delcheck[key][0], 'FrontDut', self.delcheck[key][1], '配置', 100, flag='不存在')
assert self.delcheck[key][1] not in re
def test_iso_ftp_large_file_a1(self):
# 下发配置
fun.send(rbmExc, message.addftp_front['AddCustomAppPolicy'], FrontDomain, base_path)
fun.send(rbmExc, message.addftp_back['AddCustomAppPolicy'], BackDomain, base_path)
fun.wait_data('ps -ef |grep nginx', 'FrontDut', 'nginx: worker process')
front_res = fun.nginx_worker('ps -ef |grep nginx', 'FrontDut', 'nginx: worker process', name='前置机nginx进程')
assert front_res == 1
fun.wait_data('ps -ef |grep nginx', 'BackDut', 'nginx: worker process')
back_res = fun.nginx_worker('ps -ef |grep nginx', 'BackDut', 'nginx: worker process', name='后置机nginx进程')
assert back_res == 1
# 检查配置下发是否成功
for key in self.case1_step1:
re = fun.wait_data(self.case1_step1[key][0], 'FrontDut', self.case1_step1[key][1], '配置', 100)
print(re)
assert self.case1_step1[key][1] in re
for key in self.case1_step11:
re = fun.wait_data(self.case1_step11[key][0], 'FrontDut', self.case1_step11[key][1], '配置', 100)
print(re)
assert self.case1_step11[key][1] in re
# 登录ftp服务器,下载一个100M大小的文件
fp = con_ftp.connect_ftp(proxy_ip, self.ftp_proxy_port, self.ftp_user, self.ftp_pass)
print('欢迎语是:{}'.format(fp.getwelcome()))
result = con_ftp.downFile(fp, self.case2_downremotePath, self.case2_downlocalPath)
print('ftp走隔离下载一个100M大小的文件结果为:{}'.format(result))
assert result == 1
# 移除策略,清空环境
fun.send(rbmExc, message.delftp_front['DelCustomAppPolicy'], FrontDomain, base_path)
fun.send(rbmExc, message.delftp_back['DelCustomAppPolicy'], BackDomain, base_path)
fun.wait_data('ps -ef |grep nginx', 'FrontDut', 'nginx: worker process')
fdel_res = fun.nginx_worker('ps -ef |grep nginx', 'FrontDut', 'nginx: worker process', name='前置机nginx进程')
assert fdel_res == 1
fun.wait_data('ps -ef |grep nginx', 'BackDut', 'nginx: worker process')
bdel_res = fun.nginx_worker('ps -ef |grep nginx', 'BackDut', 'nginx: worker process', name='后置机nginx进程')
assert bdel_res == 1
# 检查策略移除是否成功
for key in self.case1_step1:
re = fun.wait_data(self.case1_step1[key][0], 'FrontDut', self.case1_step1[key][1], '配置', 100, flag='不存在')
print(re)
assert self.case1_step1[key][1] not in re
def test_verifymod_DelAuthCert_function(self):
# 开启认证服务
print(
'1.开启认证服务,通过命令ps -ef | grep verifymod、netstat -ultpn查询服务进程有/usr/local/ipauth/verifymod /etc/jsac/Initialize.conf、服务有监听443端口说明服务开启成功'
)
fun.send(rbmExc, message.verifymod_switch_start['ManageAuthServer'],
domain_rmb, base_path)
# 检查配置下发是否成功
for key in self.case1_step1:
re1 = fun.wait_data(self.case1_step1[key][0], 'gw',
self.case1_step1[key][1], '检查认证服务进程', 100)
assert self.case1_step1[key][1] in re1
for key in self.case1_step2:
re2 = fun.wait_data(self.case1_step2[key][0], 'gw',
self.case1_step2[key][1], '检查认证监听端口', 100)
assert self.case1_step2[key][1] in re2
print(
'2.下发根证书文件到设备上,ls /usr/local/ipauth/file/CAdb/可以查看到根证书md5值c970dfa3234ed84ccac2e819a1276026'
)
fun.send(rbmExc, message.verifymod_AddAuthCert['AddAuthCert'],
domain_rmb, base_path)
# 检查配置下发是否成功
for key in self.case1_step3:
print(self.case1_step3[key][0])
re1 = fun.wait_data(self.case1_step3[key][0], 'gw',
self.case1_step3[key][1], '检查根证书', 100)
assert self.case1_step3[key][1] in re1
print(
'3.客户端向认证服务器发起认证请求,请求命令curl --cert /opt/test2certandkey.pem:123456 https://www.testCA.cn:443,认证请求返回结果verify success说明请求发送成功'
)
print('发送认证url:', self.case1_step4["step1"][0])
for key in self.case1_step4:
re1 = fun.cmd(self.case1_step4[key][0], 'c')
print(re1)
assert self.case1_step4[key][1] in re1
print(
'4.用命令tail -1 /var/log/jsac.verifymod.log查询网关设备认证日志文件 及用命令ipauth-jsac --auth --show查询认证ip表,日志查询到"jsacaudit 源ip success",认证ip表查询到源ip说明认证成功'
)
fun.wait_data(self.case1_step5["step1"][0], 'gw',
self.case1_step5["step1"][1], '检查认证日志', 100)
for key in self.case1_step5:
re1 = fun.cmd(self.case1_step5[key][0], 'gw')
assert self.case1_step5[key][1] in re1
fun.wait_data(self.case1_step6["step1"][0], 'gw',
self.case1_step6["step1"][2], '检查认证ip', 100)
for key in self.case1_step6:
re1 = fun.cmd(self.case1_step6[key][0], 'gw')
assert self.case1_step6[key][2] in re1
print(
'5.使用命令ipauth-jsac --clear将记录的认证ip清除掉,使用命令ipauth-jsac --auth --show查询不到认证ip说明ip清除成功'
)
fun.send(rbmExc, message.verifymod_DropAuthIp['DropAuthIp'],
domain_rmb, base_path)
fun.wait_data(self.case1_step6["step1"][0],
'gw',
self.case1_step6["step1"][2],
'检查认证ip',
100,
flag='不存在')
for key in self.case1_step6:
re1 = fun.cmd(self.case1_step6[key][0], 'gw')
assert self.case1_step6[key][2] not in re1
print(
'6.移除根证书文件,根证书移除成功,ls /usr/local/ipauth/file/CAdb/无法查到证书md5值c970dfa3234ed84ccac2e819a1276026'
)
fun.send(rbmExc, message.verifymod_DelAuthCert['DelAuthCert'],
domain_rmb, base_path)
# 检查配置下发是否成功
for key in self.case1_step3:
re1 = fun.wait_data(self.case1_step3[key][0],
'gw',
self.case1_step3[key][1],
'移除根证书',
100,
flag='不存在')
assert self.case1_step3[key][1] not in re1
print(
'7.再次从客户端向认证服务器发起认证请求,请求命令curl --cert /opt/test2certandkey.pem:123456 https://www.testCA.cn:443,认证请求返回结果无verify success说明请求发送正常'
)
print('发送认证url:', self.case1_step4["step1"][0])
for key in self.case1_step4:
re1 = fun.cmd(self.case1_step4[key][0], 'c')
print(re1)
assert self.case1_step4[key][1] not in re1
print(
'8.用命令tail -1 /var/log/jsac.verifymod.log查询网关设备认证日志文件 及用命令ipauth-jsac --auth --show查询认证ip表,日志查询到"jsacaudit 源ip fail",认证ip无源ip说明正常'
)
fun.wait_data(self.case2_step4["step1"][0], 'gw',
self.case2_step4["step1"][1], '检查认证日志', 100)
for key in self.case2_step4:
re1 = fun.cmd(self.case2_step4[key][0], 'gw')
assert self.case2_step4[key][1] in re1
fun.wait_data(self.case1_step6["step1"][0],
'gw',
self.case1_step6["step1"][2],
'检查认证ip',
100,
flag='不存在')
for key in self.case1_step6:
re1 = fun.cmd(self.case1_step6[key][0], 'gw')
assert self.case1_step6[key][2] not in re1
# 关闭认证服务
print(
'9.关闭认证服务,通过命令ps -ef | grep verifymod、netstat -ultpn查询不到服务进程/usr/local/ipauth/verifymod /etc/jsac/Initialize.conf、且认证服务端口443也不存在'
)
fun.send(rbmExc, message.verifymod_switch_stop['ManageAuthServer'],
domain_rmb, base_path)
# 检查配置下发是否成功
for key in self.case1_step1:
re1 = fun.wait_data(self.case1_step1[key][0],
'gw',
self.case1_step1[key][1],
'检查认证服务进程',
100,
flag='不存在')
assert self.case1_step1[key][1] not in re1
for key in self.case1_step2:
re2 = fun.wait_data(self.case1_step2[key][0],
'gw',
self.case1_step2[key][1],
'检查认证监听端口',
100,
flag='不存在')
assert self.case1_step2[key][1] not in re2
def test_http_check_post_a1(self):
# 下发配置
fun.send(rbmExc, message.addhttp['AddAgent'], rbmDomain, base_path)
fun.wait_data('ps -ef |grep nginx', 'gw', 'nginx: worker process')
add_res1 = fun.nginx_worker('ps -ef |grep nginx', 'gw', 'nginx: worker process')
assert add_res1 == 1
# 检查配置下发是否成功
for key in self.case1_step1:
re = fun.wait_data(self.case1_step1[key][0], 'gw', self.case1_step1[key][1], '配置', 100)
print(re)
assert self.case1_step1[key][1] in re
fun.send(rbmExc, message.httpcheck1['SetHttpCheck'], rbmDomain, base_path)
fun.wait_data('ps -ef |grep nginx', 'gw', 'nginx: worker process')
add_res2 = fun.nginx_worker('ps -ef |grep nginx', 'gw', 'nginx: worker process')
assert add_res2 == 1
for key in self.case1_step2:
re = fun.wait_data(self.case1_step2[key][0], 'gw', self.case1_step2[key][1], '配置', 100)
print(re)
assert self.case1_step2[key][1] in re
# 发送post请求,不包含黑名单内容的普通请求
content = http_check.http_post(url)
print('post普通请求的请求内容为:{}'.format(content))
assert content == http_content
# 发送post请求,请求内容不包含黑名单内容
content = http_check.http_post(url, self.data)
print('post请求内容不包含黑名单的请求应返回的内容为:{}'.format(content))
assert content == http_content
# 发送post请求,请求内容包含黑名单
status_code = http_check.http_post(url, self.case1_data)
print('post请求内容包含黑名单返回的状态码为:{}'.format(status_code))
assert status_code == 403
# 移除策略,还原环境
fun.send(rbmExc, message.delhttp['DelAgent'], rbmDomain, base_path)
fun.wait_data('ps -ef |grep nginx', 'gw', 'nginx: worker process')
del_res1 = fun.nginx_worker('ps -ef |grep nginx', 'gw', 'nginx: worker process')
assert del_res1 == 1
# 检查代理是否成功移除
for key in self.case1_step1:
re = fun.wait_data(self.case1_step1[key][0], 'gw', self.case1_step1[key][1], '配置', 100, flag='不存在')
assert self.case1_step1[key][1] not in re
# 检查网页访问策略是否清空
fun.send(rbmExc, message.delhttpcheck['DropHttpCheck'], rbmDomain, base_path)
fun.wait_data('ps -ef |grep nginx', 'gw', 'nginx: worker process')
del_res2 = fun.nginx_worker('ps -ef |grep nginx', 'gw', 'nginx: worker process')
assert del_res2 == 1
for key in self.delcheck:
re = fun.wait_data(self.delcheck[key][0], 'gw', self.delcheck[key][1], '配置', 100, flag='不存在')
assert self.delcheck[key][1] not in re
def test_verifymod_acl(self):
# 开启认证服务
print(
'1.开启认证服务,通过命令ps -ef | grep verifymod、netstat -ultpn查询服务进程及服务端口是否存在,服务进程有/usr/local/ipauth/verifymod /etc/jsac/Initialize.conf、服务有监听443端口说明服务开启成功'
)
fun.send(rbmExc, message.verifymod_switch_start['ManageAuthServer'],
domain_rmb, base_path)
# 检查配置下发是否成功
for key in self.case1_step1:
re1 = fun.wait_data(self.case1_step1[key][0], 'gw',
self.case1_step1[key][1], '检查认证服务进程', 100)
assert self.case1_step1[key][1] in re1
for key in self.case1_step2:
re2 = fun.wait_data(self.case1_step2[key][0], 'gw',
self.case1_step2[key][1], '检查认证监听端口', 100)
assert self.case1_step2[key][1] in re2
print(
'2.下发根证书文件到设备上,使用命令ls /usr/local/ipauth/file/CAdb/可以查看到证书md5值c970dfa3234ed84ccac2e819a1276026'
)
fun.send(rbmExc, message.verifymod_AddAuthCert['AddAuthCert'],
domain_rmb, base_path)
# 检查配置下发是否成功
for key in self.case1_step3:
print(self.case1_step3[key][0])
re1 = fun.wait_data(self.case1_step3[key][0], 'gw',
self.case1_step3[key][1], '检查根证书', 100)
assert self.case1_step3[key][1] in re1
print(
'3.使用命令export cardid=0&&defconf --action drop开启靠近客户端卡的默认开关,使用export cardid=0&&defconf --show命令查看有action: drop说明正常'
)
fun.cmd(self.case1_step4["step1"][0], 'gw')
re1 = fun.cmd(self.case1_step4["step1"][1], 'gw')
print(re1)
assert self.case1_step4["step1"][2] in re1
print(
'4.下发acl放行策略到靠近客户端的网卡上,使用export cardid=0&&tupleacl --get命令查看有目的端口为443的acl策略说明正常'
)
fun.send(rbmExc, message.acl_add['AddAclPolicy'], domain_rmb,
base_path)
for key in self.case1_step5:
re1 = fun.cmd(self.case1_step5[key][0], 'gw')
print(re1)
assert self.case1_step5[key][1] in re1
print('5.客户端向认证服务器发起认证请求,认证请求返回结果verify success说明正常')
print('发送认证url:', self.case1_step6["step1"][0])
for key in self.case1_step6:
re1 = fun.cmd(self.case1_step6[key][0], 'c')
print(re1)
assert self.case1_step6[key][1] in re1
print(
'6.使用命令tail -1 /var/log/jsac.verifymod.log查询网关设备认证日志 及用命令ipauth-jsac --auth --show查询认证ip,查询日志有"jsacaudit 源ip success",查询认证ip表有源ip说明认证成功'
)
fun.wait_data(self.case1_step7["step1"][0], 'gw',
self.case1_step7["step1"][1], '检查认证日志', 100)
for key in self.case1_step7:
re1 = fun.cmd(self.case1_step7[key][0], 'gw')
assert self.case1_step7[key][1] in re1
fun.wait_data(self.case1_step8["step1"][0], 'gw',
self.case1_step8["step1"][2], '检查认证ip', 100)
for key in self.case1_step8:
re1 = fun.cmd(self.case1_step8[key][0], 'gw')
assert self.case1_step8[key][2] in re1
print(
'7.使用命令export cardid=0&&defconf --action forward关闭靠近客户端卡的默认开关,使用export cardid=0&&defconf --show命令查看有action: forward说明正常'
)
fun.cmd(self.case1_step4["step2"][0], 'gw')
re1 = fun.cmd(self.case1_step4["step2"][1], 'gw')
print(re1)
assert self.case1_step4["step2"][2] in re1
print(
'8.移除acl策略,使用export cardid=0&&tupleacl --get命令查看无目的端口为443的acl策略说明策略移除成功'
)
fun.send(rbmExc, message.acl_del['DelAclPolicy'], domain_rmb,
base_path)
for key in self.case1_step5:
re1 = fun.cmd(self.case1_step5[key][0], 'gw')
print(re1)
assert self.case1_step5[key][1] not in re1
print(
'9.使用命令ipauth-jsac --clear将记录的认证ip清除掉,使用命令ipauth-jsac --auth --show查询不到认证源ip说明ip清除成功'
)
fun.wait_data(self.case1_step8["step1"][1], 'gw',
self.case1_step8["step1"][3], '检查认证ip', 100)
for key in self.case1_step8:
re1 = fun.cmd(self.case1_step8[key][0], 'gw')
print(re1)
assert self.case1_step8[key][2] not in re1
print(
'10.移除根证书文件,根证书移除成功,ls /usr/local/ipauth/file/CAdb/无法查到证书md5值c970dfa3234ed84ccac2e819a1276026'
)
fun.send(rbmExc, message.verifymod_DelAuthCert['DelAuthCert'],
domain_rmb, base_path)
# 检查配置下发是否成功
for key in self.case1_step3:
re1 = fun.wait_data(self.case1_step3[key][0],
'gw',
self.case1_step3[key][1],
'移除根证书',
100,
flag='不存在')
assert self.case1_step3[key][1] not in re1
# 关闭认证服务
print(
'11.关闭认证服务,通过命令ps -ef | grep verifymod、netstat -ultpn查询不到服务进程/usr/local/ipauth/verifymod /etc/jsac/Initialize.conf、且认证服务端口443也不存在'
)
fun.send(rbmExc, message.verifymod_switch_stop['ManageAuthServer'],
domain_rmb, base_path)
# 检查配置下发是否成功
for key in self.case1_step1:
re1 = fun.wait_data(self.case1_step1[key][0],
'gw',
self.case1_step1[key][1],
'检查认证服务进程',
100,
flag='不存在')
assert self.case1_step1[key][1] not in re1
for key in self.case1_step2:
re2 = fun.wait_data(self.case1_step2[key][0],
'gw',
self.case1_step2[key][1],
'检查认证监听端口',
100,
flag='不存在')
assert self.case1_step2[key][1] not in re2
def test_iso_http_large_file_a1(self):
# 下发配置
fun.send(rbmExc, message.addhttp_front['AddCustomAppPolicy'],
FrontDomain, base_path)
fun.send(rbmExc, message.addhttp_back['AddCustomAppPolicy'],
BackDomain, base_path)
fun.wait_data('ps -ef |grep nginx', 'FrontDut',
'nginx: worker process')
front_res = fun.nginx_worker('ps -ef |grep nginx',
'FrontDut',
'nginx: worker process',
name='前置机nginx进程')
assert front_res == 1
fun.wait_data('ps -ef |grep nginx', 'BackDut', 'nginx: worker process')
back_res = fun.nginx_worker('ps -ef |grep nginx',
'BackDut',
'nginx: worker process',
name='后置机nginx进程')
assert back_res == 1
# 检查配置下发是否成功
for key in self.case1_step1:
re = fun.wait_data(self.case1_step1[key][0], 'FrontDut',
self.case1_step1[key][1], '配置', 100)
print(re)
assert self.case1_step1[key][1] in re
for key in self.case1_step11:
re = fun.wait_data(self.case1_step11[key][0], 'FrontDut',
self.case1_step11[key][1], '配置', 100)
print(re)
assert self.case1_step11[key][1] in re
# 发送get请求,验证get请求是否正常
print('请求地址为{}'.format(http_url))
content = http_check.http_get(http_url)
print('验证隔离下的get请求内容为:{}'.format(content))
# 发送get请求,验证隔离下的http策略下载一个10G大小的文件
print('下载的服务器地址为{}'.format(self.downfile_url))
result = http_check.http_download(self.downfile_url,
self.downlocalPath)
assert result == 1
# 判断文件大小是否是10G
file_size = os.path.getsize(self.downlocalPath)
file_size = file_size / float(1024 * 1024) # 将单位转化为M
print("file_size: ", file_size)
assert 95.0 <= file_size <= 105.0
# 移除策略,清空环境
fun.send(rbmExc, message.delhttp_front['DelCustomAppPolicy'],
FrontDomain, base_path)
fun.send(rbmExc, message.delhttp_back['DelCustomAppPolicy'],
BackDomain, base_path)
fdel_res = fun.nginx_worker('ps -ef |grep nginx',
'FrontDut',
'nginx: worker process',
name='前置机nginx进程')
assert fdel_res == 1
fun.wait_data('ps -ef |grep nginx', 'BackDut', 'nginx: worker process')
bdel_res = fun.nginx_worker('ps -ef |grep nginx',
'BackDut',
'nginx: worker process',
name='后置机nginx进程')
assert bdel_res == 1
# 检查策略移除是否成功
for key in self.case1_step1:
re = fun.wait_data(self.case1_step1[key][0],
'FrontDut',
self.case1_step1[key][1],
'配置',
100,
flag='不存在')
print(re)
assert self.case1_step1[key][1] not in re
def test_iso_mail_check_subject_a2(self):
# 下发配置
print(
'1、下发邮件的隔离代理:代理ip为前置机安全卡的ip,port为8885(smtp)和8886(pop3),等待nginx的24个进程起来;cat /etc/jsac/customapp.stream应该包含代理ip和port,netstat -anp |grep tcp应该可以查看到监听ip和端口'
)
fun.send(rbmExc, message.addsmtp_front['AddCustomAppPolicy'],
FrontDomain, base_path)
fun.send(rbmExc, message.addsmtp_back['AddCustomAppPolicy'],
BackDomain, base_path)
fun.wait_data('ps -ef |grep nginx', 'FrontDut',
'nginx: worker process')
front_res1 = fun.nginx_worker('ps -ef |grep nginx',
'FrontDut',
'nginx: worker process',
name='前置机nginx进程')
assert front_res1 == 1
fun.wait_data('ps -ef |grep nginx', 'BackDut', 'nginx: worker process')
back_res1 = fun.nginx_worker('ps -ef |grep nginx',
'BackDut',
'nginx: worker process',
name='后置机nginx进程')
assert back_res1 == 1
fun.send(rbmExc, message.addpop3_front['AddCustomAppPolicy'],
FrontDomain, base_path)
fun.send(rbmExc, message.addpop3_back['AddCustomAppPolicy'],
BackDomain, base_path)
fun.wait_data('ps -ef |grep nginx', 'FrontDut',
'nginx: worker process')
front_res2 = fun.nginx_worker('ps -ef |grep nginx',
'FrontDut',
'nginx: worker process',
name='前置机nginx进程')
assert front_res2 == 1
fun.wait_data('ps -ef |grep nginx', 'BackDut', 'nginx: worker process')
back_res2 = fun.nginx_worker('ps -ef |grep nginx',
'BackDut',
'nginx: worker process',
name='后置机nginx进程')
assert back_res2 == 1
# 检查配置下发是否成功
for key in self.case1_step1:
re = fun.wait_data(self.case1_step1[key][0], 'FrontDut',
self.case1_step1[key][1], '配置', 100)
print(re)
assert self.case1_step1[key][1] in re
for key in self.case1_step11:
re = fun.wait_data(self.case1_step11[key][0], 'FrontDut',
self.case1_step11[key][1], '配置', 100)
print(re)
assert self.case1_step11[key][1] in re
print(
'2、下发黑名单主题:test和abc,等待nginx的24个进程起来;cat /etc/jsac/filter.json文件应该包含:deny-topic和黑名单主题:test、abc'
)
fun.send(rbmExc, message.mailcheck2['SetMailCheck'], FrontDomain,
base_path)
fun.wait_data('ps -ef |grep nginx', 'FrontDut',
'nginx: worker process')
add_check = fun.nginx_worker('ps -ef |grep nginx', 'FrontDut',
'nginx: worker process')
assert add_check == 1
for key in self.case2_step2:
re = fun.wait_data(self.case2_step2[key][0], 'FrontDut',
self.case2_step2[key][1], '配置', 100)
print(re)
assert self.case2_step2[key][1] in re
# 发送邮件,邮件地址为黑名单主题
print('3、控制台发送邮件,邮件主题为黑名单主题:test,查看发送结果;发送失败')
result1 = send_smtp.post_email(self.mail_sender, self.mail_receivers,
self.mail_cc, self.mail_bcc,
self.mail_host, self.mail_port,
self.mail_user, self.mail_pass,
self.attach_path, self.file,
self.case2_title1, self.context, 0, 0)
print('第一个黑名单主题{}结果为:{}'.format(self.case2_title1, result1))
assert result1 == 0
print('4、控制台发送邮件,邮件主题为黑名单主题:abc,查看发送结果;发送失败')
result2 = send_smtp.post_email(self.mail_sender, self.mail_receivers,
self.mail_cc, self.mail_bcc,
self.mail_host, self.mail_port,
self.mail_user, self.mail_pass,
self.attach_path, self.file,
self.case2_title2, self.context, 0, 0)
print('第二个黑名单主题{}结果为:{}'.format(self.case2_title2, result2))
assert result2 == 0
# 发送邮件,邮件地址为非黑名单主题
print('5、控制台发送邮件,邮件主题为非黑名单主题,查看发送结果;发送成功')
result3 = send_smtp.post_email(self.mail_sender, self.mail_receivers,
self.mail_cc, self.mail_bcc,
self.mail_host, self.mail_port,
self.mail_user, self.mail_pass,
self.attach_path, self.file,
self.case2_title3, self.context, 0, 0)
print('非黑名单主题{}结果为:{}'.format(self.case2_title3, result3))
assert result3 == 1
# 接收邮件
print('6、接收邮件,查看pop3协议收到的邮件主题是否为非黑名单主题;接收邮件主题为非黑名单主题')
msg = recv_pop3.get_email(self.pop3_email, self.pop3_pwd,
self.pop3_server_host, self.pop3_server_port)
mail_list = recv_pop3.print_info(msg) # 解析
assert self.case2_title3, self.context in mail_list
print('白名单接收者{}成功接收邮件'.format(self.pop3_email))
# 移除策略,还原环境
print(
'7、移除邮件的隔离策略,清空环境,等待nginx的24个进程起来;cat /etc/jsac/customapp.stream应该不包含代理ip和port'
)
fun.send(rbmExc, message.delsmtp_front['DelCustomAppPolicy'],
FrontDomain, base_path)
fun.send(rbmExc, message.delsmtp_back['DelCustomAppPolicy'],
BackDomain, base_path)
fun.wait_data('ps -ef |grep nginx', 'FrontDut',
'nginx: worker process')
fdel_res1 = fun.nginx_worker('ps -ef |grep nginx',
'FrontDut',
'nginx: worker process',
name='前置机nginx进程')
assert fdel_res1 == 1
fun.wait_data('ps -ef |grep nginx', 'BackDut', 'nginx: worker process')
bdel_res1 = fun.nginx_worker('ps -ef |grep nginx',
'BackDut',
'nginx: worker process',
name='后置机nginx进程')
assert bdel_res1 == 1
fun.send(rbmExc, message.delpop3_front['DelCustomAppPolicy'],
FrontDomain, base_path)
fun.send(rbmExc, message.delpop3_back['DelCustomAppPolicy'],
BackDomain, base_path)
fun.wait_data('ps -ef |grep nginx', 'FrontDut',
'nginx: worker process')
fdel_res2 = fun.nginx_worker('ps -ef |grep nginx',
'FrontDut',
'nginx: worker process',
name='前置机nginx进程')
assert fdel_res2 == 1
fun.wait_data('ps -ef |grep nginx', 'BackDut', 'nginx: worker process')
bdel_res2 = fun.nginx_worker('ps -ef |grep nginx',
'BackDut',
'nginx: worker process',
name='后置机nginx进程')
assert bdel_res2 == 1
# 检查策略移除是否成功
for key in self.case1_step1:
re = fun.wait_data(self.case1_step1[key][0],
'FrontDut',
self.case1_step1[key][1],
'配置',
100,
flag='不存在')
print(re)
assert self.case1_step1[key][1] not in re
# 检查邮件策略是否清空
print(
'8、移除邮件策略,等待nginx的24个进程起来;cat /etc/jsac/filter.json文件应该不包含:mail协议')
fun.send(rbmExc, message.delmailcheck['DropMailCheck'], FrontDomain,
base_path)
fun.wait_data('ps -ef |grep nginx', 'FrontDut',
'nginx: worker process')
del_check = fun.nginx_worker('ps -ef |grep nginx', 'FrontDut',
'nginx: worker process')
assert del_check == 1
for key in self.delcheck:
re = fun.wait_data(self.delcheck[key][0],
'FrontDut',
self.delcheck[key][1],
'配置',
100,
flag='不存在')
assert self.delcheck[key][1] not in re
def data_check_setup_met(dut='gw'):
start = time.time()
fun.wait_data('ps -ef |grep agentjsac', dut, '/usr/bin/agentjsac -c /etc/jsac/agentjsac.config')
fun.nginx_worker('ps -ef |grep nginx', dut, 'nginx: worker process')
print("=========================== data_check_setup_met 结束 耗时:{}s ==================================".format(
time.time() - start))
def test_customapp_ruler_action_deny(self):
# 下发配置
fun.send(rbmExc, message.add_app_ruler_action_deny_front['AddCustomAppPolicy'], FrontDomain, base_path)
fun.send(rbmExc, message.add_app_ruler_action_deny_back['AddCustomAppPolicy'], BackDomain, base_path)
fun.wait_data('ps -ef |grep nginx', 'FrontDut', 'nginx: worker process')
front_res1 = fun.nginx_worker('ps -ef |grep nginx', 'FrontDut', 'nginx: worker process',name= '前置机nginx进程')
assert front_res1 == 1
fun.wait_data('ps -ef |grep nginx', 'BackDut', 'nginx: worker process')
back_res1 = fun.nginx_worker('ps -ef |grep nginx', 'BackDut', 'nginx: worker process', name='后置机nginx进程')
assert back_res1 == 1
fun.send(rbmExc, message.set_app_default_action_allow['SetCustomAppAction'], FrontDomain, base_path)
fun.wait_data('ps -ef |grep nginx', 'FrontDut', 'nginx: worker process')
front_res1 = fun.nginx_worker('ps -ef |grep nginx', 'FrontDut', 'nginx: worker process', name='前置机nginx进程')
assert front_res1 == 1
# 检查配置下发是否成功
for key in self.case7_step1:
re = fun.wait_data(self.case7_step1[key][0], 'FrontDut', self.case7_step1[key][1], '前置机配置', 100)
assert self.case7_step1[key][1] in re
for key in self.case7_step2:
re = fun.wait_data(self.case7_step2[key][0], 'FrontDut', self.case7_step2[key][1], '前置机配置', 100)
assert self.case7_step2[key][1] in re
for key in self.case0_step1:
re = fun.wait_data(self.case0_step1[key][0], 'BackDut', self.case0_step1[key][1], '后置机配置', 100)
assert self.case0_step1[key][1] in re
# 发送请求,检测定制应用通信策略是否生效
status_code = http_check.http_get(url,flag=1)
print('url:', url)
print('验证规则动作为拒绝,默认动作、应用动作为允许时的定制应用通行策略,get请求的请求内容为:{}'.format(status_code),',请求被禁止。')
assert status_code == 0
# 文件查看audit日志
fun.wait_data(f"grep -n {proxy_port} /usr/local/nginx/logs/audit.log |tail -1", 'FrontDut',self.case7_step3['step1'][0], '检查cmdword get', 300, flag='存在')
for key in self.case7_step3:
re = fun.cmd(f"grep -n {proxy_port} /usr/local/nginx/logs/audit.log |tail -1 ", 'FrontDut')
print('re:', re)
assert self.case7_step3[key][0] in re
#移除策略
fun.send(rbmExc, message.del_app_upstream_front['DelCustomAppPolicy'], FrontDomain, base_path)
fun.send(rbmExc, message.del_app_upstream_back['DelCustomAppPolicy'], BackDomain, base_path)
fun.wait_data('ps -ef |grep nginx', 'FrontDut', 'nginx: worker process')
front_res1 = fun.nginx_worker('ps -ef |grep nginx', 'FrontDut', 'nginx: worker process', name='前置机nginx进程')
assert front_res1 == 1
fun.wait_data('ps -ef |grep nginx', 'BackDut', 'nginx: worker process')
back_res1 = fun.nginx_worker('ps -ef |grep nginx', 'BackDut', 'nginx: worker process', name='后置机nginx进程')
assert back_res1 == 1
# 检查配置移除是否成功
for key in self.case7_step4:
re = fun.wait_data(self.case7_step4[key][0], 'FrontDut', self.case7_step4[key][1], '前置机配置', 100,flag='不存在')
assert self.case7_step4[key][1] not in re
for key in self.case0_step1:
re = fun.wait_data(self.case0_step1[key][0], 'BackDut', self.case0_step1[key][1], '后置机配置', 100, flag='不存在')
assert self.case0_step1[key][1] not in re
def iso_teardown_met(protocol, base_path):
start = time.time()
if protocol == 'mail':
fun.send(rbmExc, message.delsmtp_front['DelCustomAppPolicy'],
FrontDomain, base_path)
fun.send(rbmExc, message.delsmtp_back['DelCustomAppPolicy'],
BackDomain, base_path)
fun.wait_data('ps -ef |grep nginx', 'FrontDut',
'nginx: worker process')
fun.nginx_worker('ps -ef |grep nginx', 'FrontDut',
'nginx: worker process')
fun.wait_data('ps -ef |grep nginx', 'BackDut', 'nginx: worker process')
fun.nginx_worker('ps -ef |grep nginx', 'BackDut',
'nginx: worker process')
fun.send(rbmExc, message.delpop3_front['DelCustomAppPolicy'],
FrontDomain, base_path)
fun.send(rbmExc, message.delpop3_back['DelCustomAppPolicy'],
BackDomain, base_path)
elif protocol == 'ftp':
fun.send(rbmExc, message.delftp_front['DelCustomAppPolicy'],
FrontDomain, base_path)
fun.send(rbmExc, message.delftp_back['DelCustomAppPolicy'], BackDomain,
base_path)
elif protocol == 'tcp_http':
fun.send(rbmExc, message.deltcp_front['DelCustomAppPolicy'],
FrontDomain, base_path)
fun.send(rbmExc, message.deltcp_back['DelCustomAppPolicy'], BackDomain,
base_path)
elif protocol == 'http':
fun.send(rbmExc, message.delhttp_front['DelCustomAppPolicy'],
FrontDomain, base_path)
fun.send(rbmExc, message.delhttp_back['DelCustomAppPolicy'],
BackDomain, base_path)
elif protocol == 'http_post':
fun.send(rbmExc, message.delhttp_front_post['DelCustomAppPolicy'],
FrontDomain, base_path)
fun.send(rbmExc, message.delhttp_back_post['DelCustomAppPolicy'],
BackDomain, base_path)
elif protocol == 'http_redirect':
fun.send(rbmExc, message.delhttp_redirect_front['DelCustomAppPolicy'],
FrontDomain, base_path)
fun.send(rbmExc, message.delhttp_redirect_back['DelCustomAppPolicy'],
BackDomain, base_path)
elif protocol == 'dns':
fun.send(rbmExc, message.deludp_dns_front['DelCustomAppPolicy'],
FrontDomain, base_path)
fun.send(rbmExc, message.deludp_dns_back['DelCustomAppPolicy'],
BackDomain, base_path)
elif protocol == 'ssh':
fun.send(rbmExc, message.deltcp_ssh_front['DelCustomAppPolicy'],
FrontDomain, base_path)
fun.send(rbmExc, message.deltcp_ssh_back['DelCustomAppPolicy'],
BackDomain, base_path)
elif protocol == 'app_allow':
fun.send(rbmExc, message.del_app_upstream_front['DelCustomAppPolicy'],
FrontDomain, base_path)
fun.send(rbmExc, message.del_app_upstream_back['DelCustomAppPolicy'],
BackDomain, base_path)
elif protocol == 'app_deny':
fun.send(rbmExc, message.del_app_action_front['DelCustomAppPolicy'],
FrontDomain, base_path)
fun.send(rbmExc, message.del_app_action_back['DelCustomAppPolicy'],
BackDomain, base_path)
elif protocol == 'app_scp':
fun.send(rbmExc, message.del_app_scp_front['DelCustomAppPolicy'],
FrontDomain, base_path)
fun.send(rbmExc, message.del_app_scp_back['DelCustomAppPolicy'],
BackDomain, base_path)
elif protocol == 'app_end_deny':
fun.send(rbmExc, message.del_app_end_deny_front['DelCustomAppPolicy'],
FrontDomain, base_path)
fun.send(rbmExc, message.del_app_end_deny_back['DelCustomAppPolicy'],
BackDomain, base_path)
else:
pass
fun.wait_data('ps -ef |grep nginx', 'FrontDut', 'nginx: worker process')
fun.nginx_worker('ps -ef |grep nginx', 'FrontDut', 'nginx: worker process')
fun.wait_data('ps -ef |grep nginx', 'BackDut', 'nginx: worker process')
fun.nginx_worker('ps -ef |grep nginx', 'BackDut', 'nginx: worker process')
print(
"=========================== iso_teardown_met 结束 耗时:{}s =================================="
.format(time.time() - start))
def test_customapp_ruler_action_allow(self):
# 下发配置
fun.send(rbmExc, message.add_app_ruler_action_allow_front['AddCustomAppPolicy'], FrontDomain, base_path)
fun.send(rbmExc, message.add_app_ruler_action_allow_back['AddCustomAppPolicy'], BackDomain, base_path)
fun.wait_data('ps -ef |grep nginx', 'FrontDut', 'nginx: worker process')
front_res1 = fun.nginx_worker('ps -ef |grep nginx', 'FrontDut', 'nginx: worker process',name='前置机nginx进程')
assert front_res1 == 1
fun.wait_data('ps -ef |grep nginx', 'BackDut', 'nginx: worker process')
back_res1 = fun.nginx_worker('ps -ef |grep nginx', 'BackDut', 'nginx: worker process',name='后置机nginx进程')
assert back_res1 == 1
fun.send(rbmExc, message.set_app_default_action_deny['SetCustomAppAction'], FrontDomain, base_path)
fun.wait_data('ps -ef |grep nginx', 'FrontDut', 'nginx: worker process')
front_res1 = fun.nginx_worker('ps -ef |grep nginx', 'FrontDut', 'nginx: worker process',name= '前置机nginx进程')
assert front_res1 == 1
# 检查配置下发是否成功
for key in self.case6_step1:
re = fun.wait_data(self.case6_step1[key][0], 'FrontDut', self.case6_step1[key][1], '前置机配置', 100)
assert self.case6_step1[key][1] in re
for key in self.case6_step2:
re = fun.wait_data(self.case6_step2[key][0], 'FrontDut', self.case6_step2[key][1], '前置机配置', 100)
assert self.case6_step2[key][1] in re
for key in self.case0_step1:
re = fun.wait_data(self.case0_step1[key][0], 'BackDut', self.case0_step1[key][1], '后置机配置', 100)
assert self.case0_step1[key][1] in re
# 发送请求,检测定制应用通信策略是否生效
status_code = http_check.http_get(url,flag=1)
print('url:', url)
print('验证规则动作为允许,应用动作、默认动作为拒绝时的定制应用通行策略,get请求的请求内容为:{}'.format(status_code))
assert status_code == 200
#移除策略
fun.send(rbmExc, message.del_app_end_deny_front['DelCustomAppPolicy'], FrontDomain, base_path)
fun.send(rbmExc, message.del_app_end_deny_back['DelCustomAppPolicy'], BackDomain, base_path)
fun.wait_data('ps -ef |grep nginx', 'FrontDut', 'nginx: worker process')
front_res1 = fun.nginx_worker('ps -ef |grep nginx', 'FrontDut', 'nginx: worker process', name='前置机nginx进程')
assert front_res1 == 1
fun.wait_data('ps -ef |grep nginx', 'BackDut', 'nginx: worker process')
back_res1 = fun.nginx_worker('ps -ef |grep nginx', 'BackDut', 'nginx: worker process', name='后置机nginx进程')
assert back_res1 == 1
# 检查配置移除是否成功
for key in self.case6_step3:
re = fun.wait_data(self.case6_step3[key][0], 'FrontDut', self.case6_step3[key][1], '前置机配置', 100,flag='不存在')
assert self.case6_step3[key][1] not in re
for key in self.case0_step1:
re = fun.wait_data(self.case0_step1[key][0], 'BackDut', self.case0_step1[key][1], '后置机配置', 100, flag='不存在')
assert self.case0_step1[key][1] not in re
def test_iso_mail_check_addr_a2(self):
# 下发配置
print('1、下发邮件的隔离代理:代理ip为前置机安全卡的ip,port为8885(smtp)和8886(pop3),等待nginx的24个进程起来;cat /etc/jsac/customapp.stream应该包含代理ip和port,netstat -anp |grep tcp应该可以查看到监听ip和端口')
fun.send(rbmExc, message.addsmtp_front['AddCustomAppPolicy'], FrontDomain, base_path)
fun.send(rbmExc, message.addsmtp_back['AddCustomAppPolicy'], BackDomain, base_path)
fun.wait_data('ps -ef |grep nginx', 'FrontDut', 'nginx: worker process')
front_res1 = fun.nginx_worker('ps -ef |grep nginx', 'FrontDut', 'nginx: worker process', name='前置机nginx进程')
assert front_res1 == 1
fun.wait_data('ps -ef |grep nginx', 'BackDut', 'nginx: worker process')
back_res1 = fun.nginx_worker('ps -ef |grep nginx', 'BackDut', 'nginx: worker process', name='后置机nginx进程')
assert back_res1 == 1
fun.send(rbmExc, message.addpop3_front['AddCustomAppPolicy'], FrontDomain, base_path)
fun.send(rbmExc, message.addpop3_back['AddCustomAppPolicy'], BackDomain, base_path)
fun.wait_data('ps -ef |grep nginx', 'FrontDut', 'nginx: worker process')
front_res2 = fun.nginx_worker('ps -ef |grep nginx', 'FrontDut', 'nginx: worker process', name='前置机nginx进程')
assert front_res2 == 1
fun.wait_data('ps -ef |grep nginx', 'BackDut', 'nginx: worker process')
back_res2 = fun.nginx_worker('ps -ef |grep nginx', 'BackDut', 'nginx: worker process', name='后置机nginx进程')
assert back_res2 == 1
# 检查配置下发是否成功
for key in self.case1_step1:
re = fun.wait_data(self.case1_step1[key][0], 'FrontDut', self.case1_step1[key][1], '配置', 100)
print(re)
assert self.case1_step1[key][1] in re
for key in self.case1_step11:
re = fun.wait_data(self.case1_step11[key][0], 'FrontDut', self.case1_step11[key][1], '配置', 100)
print(re)
assert self.case1_step11[key][1] in re
print('2、下发mail的地址白名单:[email protected]和[email protected],等待nginx的24个进程起来;cat /etc/jsac/filter.json文件应该包含:allow-from和邮件白名单地址:[email protected]、[email protected]')
fun.send(rbmExc, message.mailcheck2['SetMailCheck'], FrontDomain, base_path)
fun.wait_data('ps -ef |grep nginx', 'FrontDut', 'nginx: worker process')
add_check = fun.nginx_worker('ps -ef |grep nginx', 'FrontDut', 'nginx: worker process')
assert add_check == 1
for key in self.case2_step2:
re = fun.wait_data(self.case2_step2[key][0], 'FrontDut', self.case2_step2[key][1], '配置', 100)
print(re)
assert self.case2_step2[key][1] in re
# 发送邮件,邮件地址为白名单地址
print('3、控制台发送邮件,地址为白名单地址[email protected],查看发送结果;发送成功')
result1 = send_smtp.post_email(self.mail_sender, self.mail_receivers, self.mail_cc, self.mail_bcc,
self.mail_host, self.mail_port, self.mail_user, self.mail_pass,
self.attach_path, self.file, self.title, self.context, 0, 0)
print('白名单地址{}结果为:{}'.format(self.mail_sender, result1))
assert result1 == 1
# 接收邮件
print('4、接收邮件,接收地址为白名单[email protected],查看接收结果;接收成功')
msg = recv_pop3.get_email(self.pop3_email, self.pop3_pwd, self.pop3_server_host, self.pop3_server_port)
mail_list = recv_pop3.print_info(msg) # 解析
assert self.title, self.context in mail_list
print('白名单接收者{}成功接收邮件'.format(self.pop3_email))
# 发送邮件,邮件地址为非白名单地址
print('5、控制台发送邮件,地址为非白名单地址,查看发送结果;发送失败')
result2 = send_smtp.post_email(self.deny_mail, self.mail_receivers, self.mail_cc, self.mail_bcc, self.mail_host,
self.mail_port, self.deny_mail, self.deny_pwd, self.attach_path, self.file,
self.title, self.context, 0, 0)
print('非白名单地址{}结果为:{}'.format(self.deny_mail, result2))
assert result2 == 0
# 移除策略,还原环境
print('6、移除邮件的隔离策略,清空环境,等待nginx的24个进程起来;cat /etc/jsac/customapp.stream应该不包含代理ip和port')
fun.send(rbmExc, message.delsmtp_front['DelCustomAppPolicy'], FrontDomain, base_path)
fun.send(rbmExc, message.delsmtp_back['DelCustomAppPolicy'], BackDomain, base_path)
fun.wait_data('ps -ef |grep nginx', 'FrontDut', 'nginx: worker process')
fdel_res1 = fun.nginx_worker('ps -ef |grep nginx', 'FrontDut', 'nginx: worker process', name='前置机nginx进程')
assert fdel_res1 == 1
fun.wait_data('ps -ef |grep nginx', 'BackDut', 'nginx: worker process')
bdel_res1 = fun.nginx_worker('ps -ef |grep nginx', 'BackDut', 'nginx: worker process', name='后置机nginx进程')
assert bdel_res1 == 1
fun.send(rbmExc, message.delpop3_front['DelCustomAppPolicy'], FrontDomain, base_path)
fun.send(rbmExc, message.delpop3_back['DelCustomAppPolicy'], BackDomain, base_path)
fun.wait_data('ps -ef |grep nginx', 'FrontDut', 'nginx: worker process')
fdel_res2 = fun.nginx_worker('ps -ef |grep nginx', 'FrontDut', 'nginx: worker process', name='前置机nginx进程')
assert fdel_res2 == 1
fun.wait_data('ps -ef |grep nginx', 'BackDut', 'nginx: worker process')
bdel_res2 = fun.nginx_worker('ps -ef |grep nginx', 'BackDut', 'nginx: worker process', name='后置机nginx进程')
assert bdel_res2 == 1
# 检查策略移除是否成功
for key in self.case1_step1:
re = fun.wait_data(self.case1_step1[key][0], 'FrontDut', self.case1_step1[key][1], '配置', 100, flag='不存在')
print(re)
assert self.case1_step1[key][1] not in re
# 检查邮件策略是否清空
print('7、移除邮件策略,等待nginx的24个进程起来;cat /etc/jsac/filter.json文件应该不包含:mail协议')
fun.send(rbmExc, message.delmailcheck['DropMailCheck'], FrontDomain, base_path)
fun.wait_data('ps -ef |grep nginx', 'FrontDut', 'nginx: worker process')
del_check = fun.nginx_worker('ps -ef |grep nginx', 'FrontDut', 'nginx: worker process')
assert del_check == 1
for key in self.delcheck:
re = fun.wait_data(self.delcheck[key][0], 'FrontDut', self.delcheck[key][1], '配置', 100, flag='不存在')
assert self.delcheck[key][1] not in re
def test_report_acl_QosRate_updown_PassDrop_count(self):
# 开启acl命中统计开关并检查结果
fun.send(Exc_rmb, message.set_ReportAclCount_open['EnableAclCount'],
domain_rmb, base_path)
for key in self.case5_step1:
print('ip:', baseinfo.gwManageIp)
re = fun.cmd(self.case5_step1[key][0], 'gw')
print('re:', re)
assert self.case5_step1[key][1] in re
# 下发acl策略并检查结果-----查询失败问题待调查
fun.send(Exc_rmb, message.AddAclPolicy_QosRate['AddAclPolicy'],
domain_rmb, base_path)
# for key in self.case5_step2:
# print('ip:',baseinfo.gwManageIp)
# re = fun.cmd(self.case5_step2[key][0],'gw',thread=1)
# print('key:',self.case5_step2[key][0])
# print('re:',re)
# assert self.case5_step2[key][1] in re
# 服务端抓取报文
cap_iface, cap_filter, cap_num, cap_pcap = self.pkt5_cfg['capture'][0], self.pkt5_cfg['capture'][1], \
self.pkt5_cfg['capture'][2], self.pkt5_cfg['capture'][3]
pre_cfg = fun.pkt_capture(cap_iface, cap_filter, cap_num, cap_pcap)
fun.cmd(pre_cfg, 's', thread=1)
print('step wait')
time.sleep(20)
# 客户端发送正常请求报文
c_iface, c_num, c_pcap = self.pkt5_cfg["send"][0], self.pkt5_cfg[
"send"][1], self.pkt5_cfg["send"][2]
send_cmd = fun.pkt_send(c_iface, c_num, c_pcap)
fun.cmd(send_cmd, 'c', thread=1)
print('tcpreplay命令发送成功')
# jsac.agentjsac.info.log文件查看命中统计数
fun.wait_data(
"grep -n ReportAclCount /var/log/jsac.agentjsac.info.log |tail -1",
'gw',
self.case5_step3['step1'][0],
'检查qos限速数',
300,
flag='存在')
for key in self.case5_step3:
re = fun.cmd(
f"grep -n QosDropDownPac /var/log/jsac.agentjsac.info.log |tail -1 ",
'gw')
print('re:', re)
assert self.case5_step3[key][0] in re
# 检查报文是否存在
# fun.wait_data(f"ls /opt/pkt/ | grep pcap", 'gw', self.pkt5_cfg['capture'][3], '检查服务端抓包结果', 300, flag='存在')
pcap_file = fun.search('/opt/pkt', 'pcap', 's')
assert cap_pcap in pcap_file
print('服务端抓到报文:{}'.format(self.read_5))
print('step wait')
# 关闭acl命中统计开关并检查结果
fun.send(Exc_rmb, message.set_ReportAclCount_close['EnableAclCount'],
domain_rmb, base_path)
for key in self.case5_step4:
re = fun.cmd(self.case5_step4[key][0], 'gw')
print('re:', re)
assert self.case5_step4[key][1] in re
# 移除掉acl策略并检查结果
fun.send(Exc_rmb, message.DelAclPolicy_HitCount['DelAclPolicy'],
domain_rmb, base_path)
def test_mail_check_alltype_a1(self):
# 下发配置
fun.send(rbmExc, message.addsmtp['AddAgent'], rbmDomain, base_path)
fun.wait_data('ps -ef |grep nginx', 'gw', 'nginx: worker process')
smtp_res1 = fun.nginx_worker('ps -ef |grep nginx', 'gw',
'nginx: worker process')
assert smtp_res1 == 1
fun.send(rbmExc, message.addpop3['AddAgent'], rbmDomain, base_path)
fun.wait_data('ps -ef |grep nginx', 'gw', 'nginx: worker process')
pop3_res1 = fun.nginx_worker('ps -ef |grep nginx', 'gw',
'nginx: worker process')
assert pop3_res1 == 1
# 检查配置下发是否成功
for key in self.case1_step1:
re = fun.wait_data(self.case1_step1[key][0], 'gw',
self.case1_step1[key][1], '配置', 100)
print(re)
assert self.case1_step1[key][1] in re
for key in self.case1_step11:
re = fun.wait_data(self.case1_step11[key][0], 'gw',
self.case1_step11[key][1], '配置', 100)
print(re)
assert self.case1_step11[key][1] in re
fun.send(rbmExc, message.mailcheck1['SetMailCheck'], rbmDomain,
base_path)
fun.wait_data('ps -ef |grep nginx', 'gw', 'nginx: worker process')
add_check = fun.nginx_worker('ps -ef |grep nginx', 'gw',
'nginx: worker process')
assert add_check == 1
for key in self.case1_step2:
re = fun.wait_data(self.case1_step2[key][0], 'gw',
self.case1_step2[key][1], '配置', 100)
print(re)
assert self.case1_step2[key][1] in re
# 1、发送邮件,邮件地址为非白名单地址
result1 = send_smtp.post_email(self.deny_mail, self.mail_receivers,
self.mail_cc, self.mail_bcc,
self.mail_host, self.mail_port,
self.deny_mail, self.deny_pwd,
self.attach_path, self.deny_name_file,
self.title, self.context, 0, 1)
print('非白名单地址{}结果为:{}'.format(self.deny_mail, result1))
assert result1 == 0
# 2、发送邮件,邮件地址为黑名单主题
result2 = send_smtp.post_email(self.mail_sender, self.mail_receivers,
self.mail_cc, self.mail_bcc,
self.mail_host, self.mail_port,
self.mail_user, self.mail_pass,
self.attach_path, self.deny_name_file,
self.deny_title, self.context, 0, 1)
print('黑名单主题{}结果为:{}'.format(self.deny_title, result2))
assert result2 == 0
# 3、发送邮件,邮件地址为黑名单文件名
result3 = send_smtp.post_email(self.mail_sender, self.mail_receivers,
self.mail_cc, self.mail_bcc,
self.mail_host, self.mail_port,
self.mail_user, self.mail_pass,
self.attach_file, self.deny_name_file,
self.title, self.context, 0, 1)
print('黑名单文件名{}结果为:{}'.format(self.deny_name_file, result3))
assert result3 == 0
# 4、发送邮件,邮件地址为黑名单文件扩展名
result4 = send_smtp.post_email(
self.mail_sender, self.mail_receivers, self.mail_cc, self.mail_bcc,
self.mail_host, self.mail_port, self.mail_user, self.mail_pass,
self.attach_extend, self.deny_extend_file, self.title,
self.context, 0, 1)
print('黑名单文件扩展名{}结果为:{}'.format(self.deny_extend_file, result4))
assert result4 == 0
# 5、发送邮件,邮件地址为白名单地址、非黑名单主题、非黑名单文件名、非黑名单文件扩展名
result5 = send_smtp.post_email(self.mail_sender, self.mail_receivers,
self.mail_cc, self.mail_bcc,
self.mail_host, self.mail_port,
self.mail_user, self.mail_pass,
self.attach_path, self.file, self.title,
self.context, 0, 1)
print('各种参数均为白名单结果为:{}'.format(result5))
assert result5 == 1
# 接收邮件
msg = recv_pop3.get_email(self.pop3_email, self.pop3_pwd,
self.pop3_server_host, self.pop3_server_port)
mail_list = recv_pop3.print_info(msg) # 解析
assert self.title, self.context in mail_list
# 移除策略,还原环境
fun.send(rbmExc, message.delsmtp['DelAgent'], rbmDomain, base_path)
fun.wait_data('ps -ef |grep nginx', 'gw', 'nginx: worker process')
del_smtp = fun.nginx_worker('ps -ef |grep nginx', 'gw',
'nginx: worker process')
assert del_smtp == 1
fun.send(rbmExc, message.delpop3['DelAgent'], rbmDomain, base_path)
fun.wait_data('ps -ef |grep nginx', 'gw', 'nginx: worker process')
del_pop3 = fun.nginx_worker('ps -ef |grep nginx', 'gw',
'nginx: worker process')
assert del_pop3 == 1
# 检查代理是否成功移除
for key in self.case1_step1:
re = fun.wait_data(self.case1_step1[key][0],
'gw',
self.case1_step1[key][1],
'配置',
100,
flag='不存在')
assert self.case1_step1[key][1] not in re
# 检查邮件策略是否清空
fun.send(rbmExc, message.delmailcheck['DropMailCheck'], rbmDomain,
base_path)
fun.wait_data('ps -ef |grep nginx', 'gw', 'nginx: worker process')
del_check = fun.nginx_worker('ps -ef |grep nginx', 'gw',
'nginx: worker process')
assert del_check == 1
for key in self.delcheck:
re = fun.wait_data(self.delcheck[key][0],
'gw',
self.delcheck[key][1],
'配置',
100,
flag='不存在')
assert self.delcheck[key][1] not in re
def iso_setup_class(dut):
start = time.time()
fun.wait_data('ps -ef |grep jsac', dut, 'jsac_master')
for i in range(4):
fun.wait_data('ps -ef |grep jsac', dut, f'jsac_worker{i}')
print("=========================== 设备{}iso_setup_class 结束 耗时:{}s ==================================".format(dut, (time.time() - start)))
def test_ftp_check_user_a1(self):
# 下发配置
fun.send(rbmExc, message.addftp['AddAgent'], rbmDomain, base_path)
fun.wait_data('ps -ef |grep nginx', 'gw', 'nginx: worker process')
add_res1 = fun.nginx_worker('ps -ef |grep nginx', 'gw',
'nginx: worker process')
assert add_res1 == 1
# 检查配置下发是否成功
for key in self.case1_step1:
re = fun.wait_data(self.case1_step1[key][0], 'gw',
self.case1_step1[key][1], '配置', 100)
print('-------re1: ', re)
print('-------self.case1_step1[key][0]: ',
self.case1_step1[key][0])
print('-------self.case1_step1[key][1]: ',
self.case1_step1[key][1])
assert self.case1_step1[key][1] in re
# 检查配置下发是否成功
for key in self.case1_step11:
re = fun.wait_data(self.case1_step11[key][0], 'gw',
self.case1_step11[key][1], '配置', 100)
print('-------re11: ', re)
print('-------self.case1_step11[key][0]: ',
self.case1_step11[key][0])
print('-------self.case1_step11[key][1]: ',
self.case1_step11[key][1])
assert self.case1_step11[key][1] in re
print('self.host, self.port, self.username, self.password:'******'SetFtpCheck'], rbmDomain,
base_path)
fun.wait_data('ps -ef |grep nginx', 'gw', 'nginx: worker process')
add_res2 = fun.nginx_worker('ps -ef |grep nginx', 'gw',
'nginx: worker process')
assert add_res2 == 1
for key in self.case1_step2:
re = fun.wait_data(self.case1_step2[key][0], 'gw',
self.case1_step2[key][1], '配置', 100)
print('case1_step2_re: ', re)
assert self.case1_step2[key][1] in re
# 登录ftp服务器,用户为白名单用户
fp = con_ftp.connect_ftp(self.host, self.port, self.username,
self.password)
print('ftp白名单欢迎语是:{}'.format(fp.getwelcome()))
assert '220' in fp.getwelcome()
# 登录ftp服务器,用户为非白名单用户
fp = con_ftp.connect_ftp(self.host, self.port, self.case1_deny_user,
self.password)
print('ftp非白名单用户{}结果为:{}'.format(self.case1_deny_user, fp))
assert fp == 0
#移除策略,还原环境
fun.send(rbmExc, message.delftp['DelAgent'], rbmDomain, base_path)
fun.wait_data('ps -ef |grep nginx', 'gw', 'nginx: worker process')
del_res1 = fun.nginx_worker('ps -ef |grep nginx', 'gw',
'nginx: worker process')
assert del_res1 == 1
# 检查代理是否成功移除
for key in self.case1_step1:
re = fun.wait_data(self.case1_step1[key][0],
'gw',
self.case1_step1[key][1],
'配置',
100,
flag='不存在')
assert self.case1_step1[key][1] not in re
# 检查ftp传输策略是否清空
fun.send(rbmExc, message.delftpcheck['DropFtpCheck'], rbmDomain,
base_path)
fun.wait_data('ps -ef |grep nginx', 'gw', 'nginx: worker process')
del_res2 = fun.nginx_worker('ps -ef |grep nginx', 'gw',
'nginx: worker process')
assert del_res2 == 1
for key in self.delcheck:
re = fun.wait_data(self.delcheck[key][0],
'gw',
self.delcheck[key][1],
'配置',
100,
flag='不存在')
assert self.delcheck[key][1] not in re
def test_http_check_get_post_uri_a1(self):
# 下发配置
fun.send(rbmExc, message.addhttp['AddAgent'], rbmDomain, base_path)
fun.wait_data('ps -ef |grep nginx', 'gw', 'nginx: worker process')
fun.nginx_worker('ps -ef |grep nginx', 'gw', 'nginx: worker process')
# 检查配置下发是否成功
for key in self.case1_step1:
re = fun.wait_data(self.case1_step1[key][0], 'gw',
self.case1_step1[key][1], '配置', 100)
print(re)
assert self.case1_step1[key][1] in re
fun.send(rbmExc, message.httpcheck1['SetHttpCheck'], rbmDomain,
base_path)
fun.wait_data('ps -ef |grep nginx', 'gw', 'nginx: worker process')
fun.nginx_worker('ps -ef |grep nginx', 'gw', 'nginx: worker process')
for key in self.case1_step2:
re = fun.wait_data(self.case1_step2[key][0], 'gw',
self.case1_step2[key][1], '配置', 100)
print(re)
assert self.case1_step2[key][1] in re
# 1、发送get请求,不包含黑名单内容的普通请求
content = http_check.http_get(url)
print('1、get普通请求的请求内容为:{}'.format(content))
assert content == http_content
# 2、发送post请求,不包含黑名单内容的普通请求
content = http_check.http_post(url)
print('2、post普通请求的请求内容为:{}'.format(content))
assert content == http_content
# 3、发送get请求,请求内容包含第一个get黑名单
status_code = http_check.http_get(url, self.case1_get_data1)
print('3、get请求内容包含第一个get黑名单返回的状态码为:{}'.format(status_code))
assert status_code == 403
# 4、发送get请求,请求内容包含第二个get黑名单
status_code = http_check.http_get(url, self.case1_get_data2)
print('4、get请求内容包含第二个get黑名单返回的状态码为:{}'.format(status_code))
assert status_code == 403
# 5、发送get请求,请求内容包含第一个uri黑名单
status_code = http_check.http_get(self.case1_uri1, self.data)
print('5、get请求内容包含第一个uri黑名单返回的状态码为:{}'.format(status_code))
assert status_code == 403
# 6、发送get请求,请求内容包含第二个uri黑名单
status_code = http_check.http_get(self.case1_uri2, self.data)
print('6、get请求内容包含第二个uri黑名单返回的状态码为:{}'.format(status_code))
assert status_code == 403
# 7、发送get请求,请求内容包含第一个post黑名单
content = http_check.http_get(url, self.case1_post_data1)
print('7、get请求内容包含第一个post黑名单的请求内容为:{}'.format(content))
assert content == http_content
# 8、发送get请求,请求内容包含第二个post黑名单
content = http_check.http_get(url, self.case1_post_data2)
print('8、get请求内容包含第二个post黑名单的请求内容为:{}'.format(content))
assert content == http_content
# 9、发送post请求,请求内容包含第一个post黑名单
status_code = http_check.http_post(url, self.case1_post_data1)
print('9、post请求内容包含第一个post黑名单返回的状态码为:{}'.format(status_code))
assert status_code == 403
# 10、发送post请求,请求内容包含第二个post黑名单
status_code = http_check.http_post(url, self.case1_post_data2)
print('10、post请求内容包含第二个post黑名单返回的状态码为:{}'.format(status_code))
assert status_code == 403
# 11、发送post请求,请求内容包含第一个uri黑名单
status_code = http_check.http_post(self.case1_uri1, self.data)
print('11、post请求内容包含第一个uri黑名单返回的状态码为:{}'.format(status_code))
assert status_code == 403
# 12、发送post请求,请求内容包含第二个uri黑名单
status_code = http_check.http_post(self.case1_uri2, self.data)
print('12、post请求内容包含第二个uri黑名单返回的状态码为:{}'.format(status_code))
assert status_code == 403
# 13、发送post请求,请求内容包含第一个get黑名单
content = http_check.http_post(url, self.case1_get_data1)
print('13、post请求内容包含第一个get黑名单的请求内容为:{}'.format(content))
assert content == http_content
# 14、发送post请求,请求内容包含第二个get黑名单
content = http_check.http_post(url, self.case1_get_data2)
print('14、post请求内容包含第二个get黑名单的请求内容为:{}'.format(content))
assert content == http_content
def test_iso_http_large_file_a2(self):
# 下发配置
fun.send(rbmExc, message.addhttp_front_post['AddCustomAppPolicy'],
FrontDomain, base_path)
fun.send(rbmExc, message.addhttp_back_post['AddCustomAppPolicy'],
BackDomain, base_path)
fun.wait_data('ps -ef |grep nginx', 'FrontDut',
'nginx: worker process')
front_res = fun.nginx_worker('ps -ef |grep nginx',
'FrontDut',
'nginx: worker process',
name='前置机nginx进程')
assert front_res == 1
fun.wait_data('ps -ef |grep nginx', 'BackDut', 'nginx: worker process')
back_res = fun.nginx_worker('ps -ef |grep nginx',
'BackDut',
'nginx: worker process',
name='后置机nginx进程')
assert back_res == 1
# 检查配置下发是否成功
for key in self.case2_step1:
re = fun.wait_data(self.case2_step1[key][0], 'FrontDut',
self.case2_step1[key][1], '配置', 100)
print(re)
assert self.case2_step1[key][1] in re
for key in self.case2_step11:
re = fun.wait_data(self.case2_step11[key][0], 'FrontDut',
self.case2_step11[key][1], '配置', 100)
print(re)
assert self.case2_step11[key][1] in re
# 初始化,检查server端无post.txt文件
post_file = fun.search('/home/lwq', 'txt', 'BG8010Server')
print(post_file)
if 'post.txt' in post_file:
fun.cmd('rm -f /home/lwq/post.txt ', 'BG8010Server')
# 服务器端开启post上传服务
post_cmd = ['cd /home/lwq', 'python3 Server.py']
fun.cmd(post_cmd, 'httpServer', thread=1, list_flag=True)
# 发送post请求,验证post请求是否正常
print('请求地址为{}'.format(self.up_url))
content = http_check.http_post(self.up_url)
print('post普通请求的请求内容为:{}'.format(content))
# 发送post请求,验证隔离下的http策略上传一个10G大小的文件
print('上传的服务器地址为{}'.format(self.upfile_url))
result = http_check.http_upload(self.upfile_url, self.upfilename,
self.uplocalPath, self.upMIME_type)
assert result == 1
# 检查文件是否生成
post_file = fun.search('/home/lwq', 'txt', 'httpServer')
print('检查/home/lwq/目录下所有以txt结尾的文件列表为:{}'.format(post_file))
assert 'post.txt' in post_file
# 移除策略,清空环境
fun.send(rbmExc, message.delhttp_front_post['DelCustomAppPolicy'],
FrontDomain, base_path)
fun.send(rbmExc, message.delhttp_back_post['DelCustomAppPolicy'],
BackDomain, base_path)
fdel_res = fun.nginx_worker('ps -ef |grep nginx',
'FrontDut',
'nginx: worker process',
name='前置机nginx进程')
assert fdel_res == 1
fun.wait_data('ps -ef |grep nginx', 'BackDut', 'nginx: worker process')
bdel_res = fun.nginx_worker('ps -ef |grep nginx',
'BackDut',
'nginx: worker process',
name='后置机nginx进程')
assert bdel_res == 1
# 检查策略移除是否成功
for key in self.case2_step1:
re = fun.wait_data(self.case2_step1[key][0],
'FrontDut',
self.case2_step1[key][1],
'配置',
100,
flag='不存在')
print(re)
assert self.case2_step1[key][1] not in re
def test_ftp_check_alltype_a1(self):
# 下发配置
fun.send(rbmExc, message.addftp['AddAgent'], rbmDomain, base_path)
fun.wait_data('ps -ef |grep nginx', 'gw', 'nginx: worker process')
add_res1 = fun.nginx_worker('ps -ef |grep nginx', 'gw', 'nginx: worker process')
assert add_res1 == 1
# 检查配置下发是否成功
for key in self.case1_step1:
re = fun.wait_data(self.case1_step1[key][0], 'gw', self.case1_step1[key][1], '配置', 100)
print(re)
assert self.case1_step1[key][1] in re
for key in self.case1_step11:
re = fun.wait_data(self.case1_step11[key][0], 'gw', self.case1_step11[key][1], '配置', 100)
print(re)
assert self.case1_step11[key][1] in re
fun.send(rbmExc, message.ftpcheck1['SetFtpCheck'], rbmDomain, base_path)
fun.wait_data('ps -ef |grep nginx', 'gw', 'nginx: worker process')
add_res2 = fun.nginx_worker('ps -ef |grep nginx', 'gw', 'nginx: worker process')
assert add_res2 == 1
for key in self.case1_step2:
re = fun.wait_data(self.case1_step2[key][0], 'gw', self.case1_step2[key][1], '配置', 100)
print(re)
assert self.case1_step2[key][1] in re
# 1、登录ftp服务器,用户为白名单用户
fp = con_ftp.connect_ftp(self.host, self.port, self.username, self.password)
print('欢迎语是:{}'.format(fp.getwelcome()))
assert '220' in fp.getwelcome()
# 2、登录ftp服务器,用户为非白名单用户
fp2 = con_ftp.connect_ftp(self.host, self.port, self.deny_user, self.password)
print('ftp非白名单用户{}结果为:{}'.format(self.deny_user,fp2))
assert fp2 == 0
# 3、登录ftp服务器,上传文件扩展名为白名单
fp = con_ftp.connect_ftp(self.host, self.port, self.username, self.password)
print('欢迎语是:{}'.format(fp.getwelcome()))
result1 = con_ftp.uploadFile(fp, self.case1_upremotePath, self.case1_uplocalPath)
print('ftp上传文件扩展名{}为白名单结果为:{}'.format(self.case1_uplocalPath,result1))
assert result1 == 1
# 4、登录ftp服务器,上传文件扩展名为非白名单
fp = con_ftp.connect_ftp(self.host, self.port, self.username, self.password)
print('欢迎语是:{}'.format(fp.getwelcome()))
result2 = con_ftp.uploadFile(fp, self.case1_deny_upremotePath, self.case1_deny_uplocalPath)
print('ftp上传文件扩展名{}为非白名单结果为:{}'.format(self.case1_deny_uplocalPath,result2))
assert result2 == 0
# 5、登录ftp服务器,下载文件扩展名为白名单(下载命令被禁止)
fp = con_ftp.connect_ftp(self.host, self.port, self.username, self.password)
print('欢迎语是:{}'.format(fp.getwelcome()))
result3 = con_ftp.downFile(fp, self.case1_downremotePath, self.case1_downlocalPath)
print('ftp下载(下载命令被禁止)文件扩展名{}为白名单结果为:{}'.format(self.case1_downremotePath,result3))
assert result3 == 0
#6、 登录ftp服务器,下载文件扩展名为非白名单(下载命令被禁止)
fp = con_ftp.connect_ftp(self.host, self.port, self.username, self.password)
print('欢迎语是:{}'.format(fp.getwelcome()))
result4 = con_ftp.downFile(fp, self.case1_deny_downremotePath, self.case1_deny_downlocalPath)
print('ftp下载(下载命令被禁止)文件扩展名{}为非白名单结果为:{}'.format(self.case1_deny_downremotePath,result4))
assert result4 == 0
# 移除策略,还原环境
fun.send(rbmExc, message.delftp['DelAgent'], rbmDomain, base_path)
fun.wait_data('ps -ef |grep nginx', 'gw', 'nginx: worker process')
del_res1 = fun.nginx_worker('ps -ef |grep nginx', 'gw', 'nginx: worker process')
assert del_res1 == 1
# 检查代理是否成功移除
for key in self.case1_step1:
re = fun.wait_data(self.case1_step1[key][0], 'gw', self.case1_step1[key][1], '配置', 100, flag='不存在')
assert self.case1_step1[key][1] not in re
# 检查ftp传输策略是否清空
fun.send(rbmExc, message.delftpcheck['DropFtpCheck'], rbmDomain, base_path)
fun.wait_data('ps -ef |grep nginx', 'gw', 'nginx: worker process')
del_res2 = fun.nginx_worker('ps -ef |grep nginx', 'gw', 'nginx: worker process')
assert del_res2 == 1
for key in self.delcheck:
re = fun.wait_data(self.delcheck[key][0], 'gw', self.delcheck[key][1], '配置', 100, flag='不存在')
assert self.delcheck[key][1] not in re
def test_verifymod_switch(self):
# 开启认证服务
print(
'1.开启认证服务,通过命令ps -ef | grep verifymod、netstat -ultpn查询服务进程有/usr/local/ipauth/verifymod /etc/jsac/Initialize.conf、服务有监听443端口说明服务开启成功'
)
fun.send(rbmExc, message.verifymod_switch_start['ManageAuthServer'],
domain_rmb, base_path)
# 检查配置下发是否成功
for key in self.case1_step1:
re1 = fun.wait_data(self.case1_step1[key][0], 'gw',
self.case1_step1[key][1], '检查认证服务进程', 100)
assert self.case1_step1[key][1] in re1
for key in self.case1_step2:
re2 = fun.wait_data(self.case1_step2[key][0], 'gw',
self.case1_step2[key][1], '检查认证监听端口', 100)
assert self.case1_step2[key][1] in re2
print(
'2.下发根证书文件到设备上,ls /usr/local/ipauth/file/CAdb/可以查看到根证书md5值c970dfa3234ed84ccac2e819a1276026'
)
fun.send(rbmExc, message.verifymod_AddAuthCert['AddAuthCert'],
domain_rmb, base_path)
# 检查配置下发是否成功
for key in self.case1_step3:
print(self.case1_step3[key][0])
re1 = fun.wait_data(self.case1_step3[key][0], 'gw',
self.case1_step3[key][1], '检查根证书', 100)
assert self.case1_step3[key][1] in re1
print(
'3.使用命令export cardid=0&&switch-jsac --set --switch on --module 13开启靠近客户端卡上的认证开关,使用命令export cardid=0&&switch-jsac --get检查有“13 IP_AUTH_MODULE 1 in on”说明认证开关开启成功'
)
for key in self.case3_step1:
fun.cmd(self.case3_step1[key][0], 'gw')
re1 = fun.cmd(self.case3_step1[key][1], 'gw')
print(re1)
assert self.case3_step1[key][2] in re1
print(
'4.客户端向认证服务器发起认证请求,请求命令curl --cert /opt/test2certandkey.pem:123456 https://www.testCA.cn:443,认证请求返回结果verify success说明请求发送成功'
)
print('发送认证url:', self.case1_step4["step1"][0])
for key in self.case1_step4:
re1 = fun.cmd(self.case1_step4[key][0], 'c')
print(re1)
assert self.case1_step4[key][1] in re1
print(
'5.用命令tail -1 /var/log/jsac.verifymod.log查询网关设备认证日志文件 及用命令ipauth-jsac --auth --show查询认证ip表,日志查询到"jsacaudit 源ip success",认证ip表查询到源ip说明认证成功'
)
fun.wait_data(self.case1_step5["step1"][0], 'gw',
self.case1_step5["step1"][1], '检查认证日志', 100)
for key in self.case1_step5:
re1 = fun.cmd(self.case1_step5[key][0], 'gw')
assert self.case1_step5[key][1] in re1
fun.wait_data(self.case1_step6["step1"][0], 'gw',
self.case1_step6["step1"][2], '检查认证ip', 100)
for key in self.case1_step6:
re1 = fun.cmd(self.case1_step6[key][0], 'gw')
assert self.case1_step6[key][2] in re1
print(
'6.客户端向服务端发起http请求验证联通性,请求命令curl http://{dip}:80 >/opt/verifymod_curl.txt,服务端nginx服务返回结果为Welcome to nginx!说明http联通性正常'
)
print('发送http请求', self.case3_step2["step1"][0])
fun.cmd(self.case3_step2["step1"][0], 'c')
re = fun.wait_data(self.case3_step2["step"][1], 'c',
self.case3_step2["curl"][2], '检查http请求', 100)
assert self.case3_step2["step"][2] in re
print('正常http请求发送成功')
print(
'7.使用命令ipauth-jsac --clear将记录的认证ip清除掉,使用命令ipauth-jsac --auth --show查询不到认证ip说明ip清除成功'
)
fun.wait_data(self.case1_step6["step1"][1], 'gw',
self.case1_step6["step1"][3], '检查认证ip', 100)
for key in self.case1_step6:
re1 = fun.cmd(self.case1_step6[key][0], 'gw')
print(re1)
assert self.case1_step6[key][2] not in re1
print(
'8.再次从客户端向服务端发起http请求验证联通性,请求命令curl http://{dip}:80 >/opt/verifymod_curl.txt,服务端nginx服务没有返回结果Welcome to nginx!说明http联通失败'
)
print('发送http请求', self.case3_step2["step1"][0])
fun.cmd(self.case3_step2["step1"][0], 'c')
re = fun.wait_data(self.case3_step2["step"][1],
'c',
self.case3_step2["curl"][2],
'检查http请求',
100,
flag='不存在')
assert self.case3_step2["step"][2] not in re
print('http请求发送失败')
print(
'9.使用命令export cardid=0&&switch-jsac --set --switch off --module 13关闭靠近客户端卡上的认证开关,使用命令export cardid=0&&switch-jsac --get检查有“13 IP_AUTH_MODULE 1 in off”说明认证开关关闭成功'
)
for key in self.case3_step3:
print(self.case3_step3[key][0])
re1 = fun.cmd(self.case3_step3[key][0], 'gw')
assert self.case3_step3[key][1] in re1
print(
'10.移除根证书文件,根证书移除成功,ls /usr/local/ipauth/file/CAdb/无法查到证书md5值c970dfa3234ed84ccac2e819a1276026'
)
fun.send(rbmExc, message.verifymod_DelAuthCert['DelAuthCert'],
domain_rmb, base_path)
# 检查配置下发是否成功
for key in self.case1_step3:
re1 = fun.wait_data(self.case1_step3[key][0],
'gw',
self.case1_step3[key][1],
'移除根证书',
100,
flag='不存在')
assert self.case1_step3[key][1] not in re1
# 关闭认证服务
print(
'11.关闭认证服务,通过命令ps -ef | grep verifymod、netstat -ultpn查询不到服务进程/usr/local/ipauth/verifymod /etc/jsac/Initialize.conf、且认证服务端口443也不存在'
)
fun.send(rbmExc, message.verifymod_switch_stop['ManageAuthServer'],
domain_rmb, base_path)
# 检查配置下发是否成功
for key in self.case1_step1:
re1 = fun.wait_data(self.case1_step1[key][0],
'gw',
self.case1_step1[key][1],
'检查认证服务进程',
100,
flag='不存在')
assert self.case1_step1[key][1] not in re1
for key in self.case1_step2:
re2 = fun.wait_data(self.case1_step2[key][0],
'gw',
self.case1_step2[key][1],
'检查认证监听端口',
100,
flag='不存在')
assert self.case1_step2[key][1] not in re2
# 删除/opt/cipso_curl.txt文件
print(
'12.使用命令rm -f /opt/verifymod*.txt,在客户端删除第6步http请求结果的文件/opt/verifymod*.txt,使用命令ls /opt/ |grep txt在客户端查询不到文件/opt/verifymod*.txt说明删除成功'
)
fun.cmd("rm -f /opt/verifymod*.txt", 'c')
re1 = fun.cmd("ls /opt/ |grep txt", 'c')
print('客户端txt文件查询结果是:', re1)
assert self.case3_step2["step2"][0] not in re1
def test_iso_ftp_up_down_a1(self):
# 下发配置
fun.send(rbmExc, message.addsmtp_front['AddCustomAppPolicy'],
FrontDomain, base_path)
fun.send(rbmExc, message.addsmtp_back['AddCustomAppPolicy'],
BackDomain, base_path)
fun.wait_data('ps -ef |grep nginx', 'FrontDut',
'nginx: worker process')
front_res1 = fun.nginx_worker('ps -ef |grep nginx',
'FrontDut',
'nginx: worker process',
name='前置机nginx进程')
assert front_res1 == 1
fun.wait_data('ps -ef |grep nginx', 'BackDut', 'nginx: worker process')
back_res1 = fun.nginx_worker('ps -ef |grep nginx',
'BackDut',
'nginx: worker process',
name='后置机nginx进程')
assert back_res1 == 1
fun.send(rbmExc, message.addpop3_front['AddCustomAppPolicy'],
FrontDomain, base_path)
fun.send(rbmExc, message.addpop3_back['AddCustomAppPolicy'],
BackDomain, base_path)
fun.wait_data('ps -ef |grep nginx', 'FrontDut',
'nginx: worker process')
front_res2 = fun.nginx_worker('ps -ef |grep nginx',
'FrontDut',
'nginx: worker process',
name='前置机nginx进程')
assert front_res2 == 1
fun.wait_data('ps -ef |grep nginx', 'BackDut', 'nginx: worker process')
back_res2 = fun.nginx_worker('ps -ef |grep nginx',
'BackDut',
'nginx: worker process',
name='后置机nginx进程')
assert back_res2 == 1
# 检查配置下发是否成功
for key in self.case1_step1:
re = fun.wait_data(self.case1_step1[key][0], 'FrontDut',
self.case1_step1[key][1], '配置', 100)
print(re)
assert self.case1_step1[key][1] in re
for key in self.case1_step11:
re = fun.wait_data(self.case1_step11[key][0], 'FrontDut',
self.case1_step11[key][1], '配置', 100)
print(re)
assert self.case1_step11[key][1] in re
# # 发送邮件,检测隔离代理是否生效
# print('--------------------准备发送邮件,检测隔离代理是否生效-------------------------')
# result = send_smtp.post_email(self.mail_sender, self.mail_receivers, self.mail_cc, self.mail_bcc,
# self.mail_host, self.mail_port, self.mail_user, self.mail_pass,
# self.attach_path, self.file, self.title, self.context, 0, 1)
# print('隔离下的邮件代理结果为:{}'.format(result))
# assert result == 1
#
# # 接收邮件
# print('-------------------------准备接收邮件----------------------------------')
# msg = recv_pop3.get_email(self.pop3_email, self.pop3_pwd, proxy_ip, self.pop3_proxy_port)
# print('pop3获取邮件返回的内容是:'.format(msg))
# mail_list = recv_pop3.print_info(msg) # 解析
# print('接收邮件解析到的列表为{}'.format(mail_list))
# assert self.title, self.context in mail_list
# 移除策略,清空环境
print(
'-------------------------准备移除策略,清空环境----------------------------------'
)
fun.send(rbmExc, message.delsmtp_front['DelCustomAppPolicy'],
FrontDomain, base_path)
fun.send(rbmExc, message.delsmtp_back['DelCustomAppPolicy'],
BackDomain, base_path)
fun.wait_data('ps -ef |grep nginx', 'FrontDut',
'nginx: worker process')
fdel_res1 = fun.nginx_worker('ps -ef |grep nginx',
'FrontDut',
'nginx: worker process',
name='前置机nginx进程')
assert fdel_res1 == 1
fun.wait_data('ps -ef |grep nginx', 'BackDut', 'nginx: worker process')
bdel_res1 = fun.nginx_worker('ps -ef |grep nginx',
'BackDut',
'nginx: worker process',
name='后置机nginx进程')
assert bdel_res1 == 1
fun.send(rbmExc, message.delpop3_front['DelCustomAppPolicy'],
FrontDomain, base_path)
fun.send(rbmExc, message.delpop3_back['DelCustomAppPolicy'],
BackDomain, base_path)
fun.wait_data('ps -ef |grep nginx', 'FrontDut',
'nginx: worker process')
fdel_res2 = fun.nginx_worker('ps -ef |grep nginx',
'FrontDut',
'nginx: worker process',
name='前置机nginx进程')
assert fdel_res2 == 1
fun.wait_data('ps -ef |grep nginx', 'BackDut', 'nginx: worker process')
bdel_res2 = fun.nginx_worker('ps -ef |grep nginx',
'BackDut',
'nginx: worker process',
name='后置机nginx进程')
assert bdel_res2 == 1
# 检查策略移除是否成功
for key in self.case1_step1:
re = fun.wait_data(self.case1_step1[key][0],
'FrontDut',
self.case1_step1[key][1],
'配置',
100,
flag='不存在')
print(re)
assert self.case1_step1[key][1] not in re
def test_gw(self):
# 下发配置并检查结果
print(
'1.客户端下发管理口标记策略,命令iptables -I POSTROUTING -t mangle -p tcp -j CIPSO --doi 16 --level 12 --cat 0xe7,0x90,0xf1,0x36 -d {pcap_dip} --dport 80,使用iptables -t mangle -nL命令查看策略包含0xe7,0x90,0xf1,0x36'
)
fun.cmd(self.case1_step1["step1"][0], 'c')
for key in self.case1_step1:
re0 = fun.cmd(self.case1_step1["step1"][1], 'c')
print(re0)
assert self.case1_step1["step1"][2] in re0
print(
'2.客户端下发管理口标记策略,命令iptables -I PREROUTING -t mangle -p tcp -s {pcap_dip} --sport 80 -j CIPSO --rm,使用iptables -t mangle -nL命令查看策略包含rm'
)
fun.cmd(self.case1_step1["step2"][0], 'c')
for key in self.case1_step1:
re0 = fun.cmd(self.case1_step1["step2"][1], 'c')
print(re0)
assert self.case1_step1["step2"][2] in re0
print(
'3.在网关设备靠近客户端的网卡上下发acl策略,命令tupleacl --add --sip {pcap_sip} --dip {pcap_dip} --dp 80 --l4p 6 --action forward --netlbl strip --drop on --mode BLP --doi 16 --level 16 --type 1 --value 0xe7,0x90,0xf1,0x36\n'
',export cardid=0&&tupleacl --get命令查看策略包含目的ip')
fun.cmd(self.case1_step2["step1"][0], 'gw')
for key in self.case1_step2:
re0 = fun.cmd(self.case1_step2[key][1], 'gw')
print(re0)
assert self.case1_step2[key][2] in re0
# 客户端发送http请求
print(
'4.在客户端使用curl命令发送http请求,命令curl http://{pcap_dip}:80 >/opt/cipso_gw_tcp.txt,服务端nginx服务返回结果为Welcome to nginx!即为正常'
)
print(self.cipso_tcp["curl"][0])
fun.cmd(self.cipso_tcp["curl"][0], 'c')
re = fun.wait_data(self.cipso_tcp["curl"][1], 'c',
self.cipso_tcp["curl"][2], '检查http请求', 100)
assert self.cipso_tcp["curl"][2] in re
print('正常http请求发送成功')
# 移除策略
print(
'5.客户端移除管理口标记策略,命令iptables -D POSTROUTING -t mangle -p tcp -j CIPSO --doi 16 --level 12 --cat 0xe7,0x90,0xf1,0x36 -d {pcap_dip} --dport 80,\n'
'命令iptables -D PREROUTING -t mangle -p tcp -s {pcap_dip} --sport {dport} -j CIPSO --rm可以使用iptables -t mangle -nL命令查看策略不包含目的ip'
)
fun.cmd(self.case1_step3["step1"][0], 'c')
fun.cmd(self.case1_step3["step2"][0], 'c')
for key in self.case1_step3:
re0 = fun.cmd(self.case1_step3["step2"][1], 'c')
print(re0)
assert self.case1_step3["step2"][2] not in re0
print(
'6.网关设备使用命令export cardid=0&&tupleacl --clear移除acl标记策略,网关设备移除策略成功,可以使用tupleacl --get命令查看策略不包含目的ip'
)
fun.cmd(self.case1_step4["step1"][0], 'gw')
for key in self.case1_step4:
re0 = fun.cmd(self.case1_step4[key][1], 'gw')
print(re0)
assert self.case1_step4[key][2] not in re0
print(
'7.rm -f /opt/cipso*.txt在客户端删除第4步http请求结果的文件,ls /opt/ |grep txt命令查询不到cipso_gw_tcp.txt说明文件删除成功'
)
#删除/opt/cipso_curl.txt文件
fun.cmd("rm -f /opt/cipso*.txt", 'c')
re1 = fun.cmd("ls /opt/ |grep txt", 'c')
print('客户端txt文件查询结果是:', re1)
assert self.cipso_tcp["txt"][0] not in re1
def test_iso_http_check_get_post_uri_MIME_a2(self):
# 下发配置
print(
'1、下发http的隔离代理:代理ip为前置机安全卡的ip,port为2287,等待nginx的24个进程起来;预期netstat -anp |grep tcp应该可以查看到监听ip和端口'
)
fun.send(rbmExc, message.addhttp_front['AddCustomAppPolicy'],
FrontDomain, base_path)
fun.send(rbmExc, message.addhttp_back['AddCustomAppPolicy'],
BackDomain, base_path)
fun.wait_data('ps -ef |grep nginx', 'FrontDut',
'nginx: worker process')
front_res = fun.nginx_worker('ps -ef |grep nginx',
'FrontDut',
'nginx: worker process',
name='前置机nginx进程')
assert front_res == 1
fun.wait_data('ps -ef |grep nginx', 'BackDut', 'nginx: worker process')
back_res = fun.nginx_worker('ps -ef |grep nginx',
'BackDut',
'nginx: worker process',
name='后置机nginx进程')
assert back_res == 1
# 检查配置下发是否成功
for key in self.case1_step1:
re = fun.wait_data(self.case1_step1[key][0], 'FrontDut',
self.case1_step1[key][1], '配置', 100)
print(re)
assert self.case1_step1[key][1] in re
for key in self.case1_step11:
re = fun.wait_data(self.case1_step11[key][0], 'FrontDut',
self.case1_step11[key][1], '配置', 100)
print(re)
assert self.case1_step11[key][1] in re
# 数据检查
print(
'2、下发http的get黑名单,参数为:hello、juson;post黑名单:123、456;uri黑名单:mzh、hkl;MIME黑名单:css、avi,等待nginx的24个进程起来;预期cat /etc/jsac/http.json文件应该包含:c_get_args和get黑名单参数:123'
)
fun.send(rbmExc, message.httpcheck2['SetHttpCheck'], FrontDomain,
base_path)
fun.wait_data('ps -ef |grep nginx', 'FrontDut',
'nginx: worker process')
add_res2 = fun.nginx_worker('ps -ef |grep nginx', 'FrontDut',
'nginx: worker process')
assert add_res2 == 1
for key in self.case2_step2:
re = fun.wait_data(self.case2_step2[key][0], 'FrontDut',
self.case2_step2[key][1], '配置', 100)
assert self.case2_step2[key][1] in re
# 1、发送get请求,不包含黑名单内容的普通请求
print('3、控制台发送get请求,不包含请求内容;请求成功,请求到的内容为server的index.html文件内包含的内容')
content = http_check.http_get(http_url)
print('1、get普通请求的请求内容为:{}'.format(content))
assert content == http_content
# 2、发送post请求,不包含黑名单内容的普通请求
print('4、控制台发送post请求,不包含请求内容;请求成功,请求到的内容为server的index.html文件内包含的内容')
content = http_check.http_post(http_url)
print('2、post普通请求的请求内容为:{}'.format(content))
assert content == http_content
# 3、发送get请求,请求内容包含第一个get黑名单
print('5、控制台发送get请求,请求内容包含get黑名单hello;请求失败,状态码返回为403')
status_code = http_check.http_get(http_url, self.case1_get_data1)
print('3、get请求内容包含第一个get黑名单返回的状态码为:{}'.format(status_code))
assert status_code == 403
# 4、发送get请求,请求内容包含第二个get黑名单
print('6、控制台发送get请求,请求内容包含get黑名单juson;请求失败,状态码返回为403')
status_code = http_check.http_get(http_url, self.case1_get_data2)
print('4、get请求内容包含第二个get黑名单返回的状态码为:{}'.format(status_code))
assert status_code == 403
# 5、发送get请求,请求内容包含第一个uri黑名单
print('7、控制台发送get请求,请求内容包含uri黑名单mzh;请求失败,状态码返回为403')
status_code = http_check.http_get(self.case1_uri1, self.data)
print('5、get请求内容包含第一个uri黑名单返回的状态码为:{}'.format(status_code))
assert status_code == 403
# 6、发送get请求,请求内容包含第二个uri黑名单
print('8、控制台发送get请求,请求内容包含uri黑名单hkl;请求失败,状态码返回为403')
status_code = http_check.http_get(self.case1_uri2, self.data)
print('6、get请求内容包含第二个uri黑名单返回的状态码为:{}'.format(status_code))
assert status_code == 403
# 7、发送get请求,请求内容包含第一个post黑名单
print(
'9、控制台发送get请求,请求内容包含post黑名单123;请求成功,请求到的内容为server的index.html文件内包含的内容'
)
content = http_check.http_get(http_url, self.case1_post_data1)
print('7、get请求内容包含第一个post黑名单的请求内容为:{}'.format(content))
assert content == http_content
# 8、发送get请求,请求内容包含第二个post黑名单
print(
'10、控制台发送get请求,请求内容包含post黑名单456;请求成功,请求到的内容为server的index.html文件内包含的内容'
)
content = http_check.http_get(http_url, self.case1_post_data2)
print('8、get请求内容包含第二个post黑名单的请求内容为:{}'.format(content))
assert content == http_content
# 9、发送post请求,请求内容包含第一个post黑名单
print('11、控制台发送post请求,请求内容包含post黑名单123;请求失败,状态码返回为403')
status_code = http_check.http_post(http_url, self.case1_post_data1)
print('9、post请求内容包含第一个post黑名单返回的状态码为:{}'.format(status_code))
assert status_code == 403
# 10、发送post请求,请求内容包含第二个post黑名单
print('12、控制台发送post请求,请求内容包含post黑名单456;请求失败,状态码返回为403')
status_code = http_check.http_post(http_url, self.case1_post_data2)
print('10、post请求内容包含第二个post黑名单返回的状态码为:{}'.format(status_code))
assert status_code == 403
# 11、发送post请求,请求内容包含第一个uri黑名单
print('13、控制台发送post请求,请求内容包含uri黑名单mzh;请求失败,状态码返回为403')
status_code = http_check.http_post(self.case1_uri1, self.data)
print('11、post请求内容包含第一个uri黑名单返回的状态码为:{}'.format(status_code))
assert status_code == 403
# 12、发送post请求,请求内容包含第二个uri黑名单
print('14、控制台发送post请求,请求内容包含uri黑名单hkl;请求失败,状态码返回为403')
status_code = http_check.http_post(self.case1_uri2, self.data)
print('12、post请求内容包含第二个uri黑名单返回的状态码为:{}'.format(status_code))
assert status_code == 403
# 13、发送post请求,请求内容包含第一个get黑名单
print(
'15、控制台发送post请求,请求内容包含get黑名单hello;请求成功,请求到的内容为server的index.html文件内包含的内容'
)
content = http_check.http_post(http_url, self.case1_get_data1)
print('13、post请求内容包含第一个get黑名单的请求内容为:{}'.format(content))
assert content == http_content
# 14、发送post请求,请求内容包含第二个get黑名单
print(
'16、控制台发送post请求,请求内容包含get黑名单juson;请求成功,请求到的内容为server的index.html文件内包含的内容'
)
content = http_check.http_post(http_url, self.case1_get_data2)
print('14、post请求内容包含第二个get黑名单的请求内容为:{}'.format(content))
assert content == http_content
# 15、发送get请求,请求内容包含第一个MIME黑名单
print('17、控制台发送get请求,请求内容包含MIME黑名单css;请求失败,状态码返回为403')
status_code = http_check.http_get(self.case1_MIME1, self.data, flag=1)
print('15、get请求内容包含第一个MIME黑名单返回的状态码为:{}'.format(status_code))
assert status_code == 403
# 16、发送get请求,请求内容包含第二个MIME黑名单
print('18、控制台发送get请求,请求内容包含MIME黑名单avi;请求失败,状态码返回为403')
status_code = http_check.http_get(self.case1_MIME2, self.data, flag=1)
print('16、get请求内容包含第二个MIME黑名单返回的状态码为:{}'.format(status_code))
assert status_code == 403
# 17、发送get请求,请求内容包含MIME类型不在黑名单
print('19、控制台发送get请求,请求内容包含MIME类型但不在黑白名单:pdf;请求成功,状态码返回为200')
status_code = http_check.http_get(self.base_uri, self.data, flag=1)
print('17、get请求内容包含MIME类型不在白名单返回的状态码为:{}'.format(status_code))
assert status_code == 200
# 18、发送get请求,请求内容包含MIME黑名单和post黑名单
print('20、控制台发送get请求,请求内容包含MIME黑名单:avi和post黑名单:123;请求失败,状态码返回为403')
status_code = http_check.http_get(self.case1_MIME2,
self.case1_post_data1,
flag=1)
print('18、get请求内容包含MIME黑名单和post黑名单返回的状态码为:{}'.format(status_code))
assert status_code == 403
# 18、发送get请求,请求内容包含MIME类型不为黑名单和get黑名单
print(
'21、控制台发送get请求,请求内容包含MIME类型但不在黑名单:pdf和get黑名单:hello;请求失败,状态码返回为403')
status_code = http_check.http_get(self.base_uri,
self.case1_get_data1,
flag=1)
print('18、get请求内容包含MIME类型不为黑名单和get黑名单返回的状态码为:{}'.format(status_code))
assert status_code == 403
# 移除策略,还原环境
print(
'22、移除代理策略,清空环境,等待nginx的24个进程起来;netstat -anp |grep tcp应该查看不到监听ip和端口;'
)
fun.send(rbmExc, message.delhttp_front['DelCustomAppPolicy'],
FrontDomain, base_path)
fun.send(rbmExc, message.delhttp_back['DelCustomAppPolicy'],
BackDomain, base_path)
fun.wait_data('ps -ef |grep nginx', 'FrontDut',
'nginx: worker process')
fdel_res = fun.nginx_worker('ps -ef |grep nginx',
'FrontDut',
'nginx: worker process',
name='前置机nginx进程')
assert fdel_res == 1
fun.wait_data('ps -ef |grep nginx', 'BackDut', 'nginx: worker process')
bdel_res = fun.nginx_worker('ps -ef |grep nginx',
'BackDut',
'nginx: worker process',
name='后置机nginx进程')
assert bdel_res == 1
# 检查策略移除是否成功
for key in self.case1_step1:
re = fun.wait_data(self.case1_step1[key][0],
'FrontDut',
self.case1_step1[key][1],
'配置',
100,
flag='不存在')
print(re)
assert self.case1_step1[key][1] not in re
# 检查网页访问策略是否清空
print(
'23、移除网页访问策略,等待nginx的24个进程起来;cat /etc/jsac/http.json文件应该不包含:http协议'
)
fun.send(rbmExc, message.delhttpcheck['DropHttpCheck'], FrontDomain,
base_path)
fun.wait_data('ps -ef |grep nginx', 'FrontDut',
'nginx: worker process')
del_res2 = fun.nginx_worker('ps -ef |grep nginx', 'FrontDut',
'nginx: worker process')
assert del_res2 == 1
for key in self.delcheck:
re = fun.wait_data(self.delcheck[key][0],
'FrontDut',
self.delcheck[key][1],
'配置',
100,
flag='不存在')
assert self.delcheck[key][1] not in re
def test_customapp_order_capital(self):
# 下发配置
fun.send(rbmExc,
message.add_app_order_capital_front['AddCustomAppPolicy'],
FrontDomain, base_path)
fun.send(rbmExc,
message.add_app_order_capital_back['AddCustomAppPolicy'],
BackDomain, base_path)
fun.wait_data('ps -ef |grep nginx', 'FrontDut',
'nginx: worker process')
front_res1 = fun.nginx_worker('ps -ef |grep nginx',
'FrontDut',
'nginx: worker process',
name='前置机nginx进程')
assert front_res1 == 1
fun.wait_data('ps -ef |grep nginx', 'BackDut', 'nginx: worker process')
back_res1 = fun.nginx_worker('ps -ef |grep nginx',
'BackDut',
'nginx: worker process',
name='后置机nginx进程')
assert back_res1 == 1
# 检查配置下发是否成功
for key in self.case1_step1:
re = fun.wait_data(self.case1_step1[key][0], 'FrontDut',
self.case1_step1[key][1], '前置机配置', 100)
assert self.case1_step1[key][1] in re
for key in self.case1_step2:
re = fun.wait_data(self.case1_step2[key][0], 'FrontDut',
self.case1_step2[key][1], '前置机配置', 100)
assert self.case1_step2[key][1] in re
for key in self.case0_step1:
re = fun.wait_data(self.case0_step1[key][0], 'BackDut',
self.case0_step1[key][1], '后置机配置', 100)
assert self.case0_step1[key][1] in re
# 发送请求,检测定制应用通信策略是否生效
status_code = http_check.http_get(url, flag=1)
print('url:', url)
print('定制应用命令为大写时,get请求的请求内容为:{}'.format(status_code))
assert status_code == 200
# 文件查看audit日志
fun.wait_data(
f"grep -n {proxy_port} /usr/local/nginx/logs/audit.log |tail -2",
'FrontDut',
self.case1_step3['step1'][0],
'检查大写字母cmdword GET',
300,
flag='存在')
for key in self.case1_step3:
re = fun.cmd(
f"grep -n {proxy_port} /usr/local/nginx/logs/audit.log |tail -2 ",
'FrontDut')
print('re:', re)
assert self.case1_step3[key][0] in re
#移除策略
fun.send(rbmExc, message.del_app_end_deny_front['DelCustomAppPolicy'],
FrontDomain, base_path)
fun.send(rbmExc, message.del_app_end_deny_back['DelCustomAppPolicy'],
BackDomain, base_path)
fun.wait_data('ps -ef |grep nginx', 'FrontDut',
'nginx: worker process')
front_res1 = fun.nginx_worker('ps -ef |grep nginx',
'FrontDut',
'nginx: worker process',
name='前置机nginx进程')
assert front_res1 == 1
fun.wait_data('ps -ef |grep nginx', 'BackDut', 'nginx: worker process')
back_res1 = fun.nginx_worker('ps -ef |grep nginx',
'BackDut',
'nginx: worker process',
name='后置机nginx进程')
assert back_res1 == 1
#检查配置移除是否成功
for key in self.case1_step1:
re = fun.wait_data(self.case1_step1[key][0],
'FrontDut',
self.case1_step1[key][1],
'前置机配置',
100,
flag='不存在')
assert self.case1_step1[key][1] not in re
for key in self.case0_step1:
re = fun.wait_data(self.case0_step1[key][0],
'BackDut',
self.case0_step1[key][1],
'后置机配置',
100,
flag='不存在')
assert self.case0_step1[key][1] not in re
def test_customapp_direction_upstream(self):
# 下发配置
fun.send(rbmExc, message.add_app_upstream_front['AddCustomAppPolicy'],
FrontDomain, base_path)
fun.send(rbmExc, message.add_app_upstream_back['AddCustomAppPolicy'],
BackDomain, base_path)
fun.wait_data('ps -ef |grep nginx', 'FrontDut',
'nginx: worker process')
front_res1 = fun.nginx_worker('ps -ef |grep nginx',
'FrontDut',
'nginx: worker process',
name='前置机nginx进程')
assert front_res1 == 1
fun.wait_data('ps -ef |grep nginx', 'BackDut', 'nginx: worker process')
back_res1 = fun.nginx_worker('ps -ef |grep nginx',
'BackDut',
'nginx: worker process',
name='后置机nginx进程')
assert back_res1 == 1
# 检查配置下发是否成功
for key in self.case1_step1:
re = fun.wait_data(self.case1_step1[key][0], 'FrontDut',
self.case1_step1[key][1], '前置机配置', 100)
assert self.case1_step1[key][1] in re
for key in self.case1_step2:
re = fun.wait_data(self.case1_step2[key][0], 'FrontDut',
self.case1_step2[key][1], '前置机配置', 100)
assert self.case1_step2[key][1] in re
for key in self.case0_step1:
re = fun.wait_data(self.case0_step1[key][0], 'BackDut',
self.case0_step1[key][1], '后置机配置', 100)
assert self.case0_step1[key][1] in re
# 发送请求,检测定制应用上行通信策略是否生效
status_code = http_check.http_get(url, flag=1)
print('url:', url)
print('定制应用上行、get请求的请求内容为:{}'.format(status_code))
assert status_code == 0
#移除策略
fun.send(rbmExc, message.del_app_upstream_front['DelCustomAppPolicy'],
FrontDomain, base_path)
fun.send(rbmExc, message.del_app_upstream_back['DelCustomAppPolicy'],
BackDomain, base_path)
fun.wait_data('ps -ef |grep nginx', 'FrontDut',
'nginx: worker process')
front_res1 = fun.nginx_worker('ps -ef |grep nginx',
'FrontDut',
'nginx: worker process',
name='前置机nginx进程')
assert front_res1 == 1
fun.wait_data('ps -ef |grep nginx', 'BackDut', 'nginx: worker process')
back_res1 = fun.nginx_worker('ps -ef |grep nginx',
'BackDut',
'nginx: worker process',
name='后置机nginx进程')
assert back_res1 == 1
#检查配置移除是否成功
for key in self.case1_step1:
re = fun.wait_data(self.case1_step1[key][0],
'FrontDut',
self.case1_step1[key][1],
'前置机配置',
100,
flag='不存在')
assert self.case1_step1[key][1] not in re
for key in self.case0_step1:
re = fun.wait_data(self.case0_step1[key][0],
'BackDut',
self.case0_step1[key][1],
'后置机配置',
100,
flag='不存在')
assert self.case0_step1[key][1] not in re
def test_customapp_scp_upload(self):
# 下发配置
fun.send(rbmExc,
message.add_app_scp_upload_front['AddCustomAppPolicy'],
FrontDomain, base_path)
fun.send(rbmExc, message.add_app_scp_upload_back['AddCustomAppPolicy'],
BackDomain, base_path)
fun.wait_data('ps -ef |grep nginx', 'FrontDut',
'nginx: worker process')
front_res1 = fun.nginx_worker('ps -ef |grep nginx',
'FrontDut',
'nginx: worker process',
name='前置机nginx进程')
assert front_res1 == 1
fun.wait_data('ps -ef |grep nginx', 'BackDut', 'nginx: worker process')
back_res1 = fun.nginx_worker('ps -ef |grep nginx',
'BackDut',
'nginx: worker process',
name='后置机nginx进程')
assert back_res1 == 1
# 检查配置下发是否成功
for key in self.case1_step1:
re = fun.wait_data(self.case1_step1[key][0], 'FrontDut',
self.case1_step1[key][1], '前置机配置', 100)
assert self.case1_step1[key][1] in re
for key in self.case1_step2:
re = fun.wait_data(self.case1_step2[key][0], 'FrontDut',
self.case1_step2[key][1], '前置机配置', 100)
assert self.case1_step2[key][1] in re
for key in self.case0_step1:
re = fun.wait_data(self.case0_step1[key][0], 'BackDut',
self.case0_step1[key][1], '后置机配置', 100)
assert self.case0_step1[key][1] in re
#客户端创建文件100M.txt
txt_cmd = f"dd if=/dev/zero of=/opt/pkt/{txt} bs=1M count=100"
print('创建文件命令是:', txt_cmd)
fun.cmd(txt_cmd, 'BG8010Client', thread=1)
fun.wait_data(f"ls /opt/pkt/ |grep txt",
'BG8010Client',
self.txt_file['step1'][0],
'检查客户端文件是否创建成功',
300,
flag='存在')
txt_file = fun.search('/opt/pkt', 'txt', 'BG8010Client')
print('客户端/opt/pkt/路径下创建文件查询结果是:', txt_file)
assert txt in txt_file
print('客户端创建文件成功')
print(
"---------------------------------------------------------------------"
)
# 发送请求,检测定制应用ssh协议通信策略是否生效
scp_upload = f"sshpass -p {BG8010ServerPwd} scp -P {Lport} /opt/pkt/{txt} root@{proxy_ip}:/opt/pkt/"
print('客户端发送的scp上传命令是:', scp_upload)
fun.cmd(scp_upload, 'BG8010Client', thread=1)
time.sleep(5)
print(
"---------------------------------------------------------------------"
)
#检查scp上传结果
fun.wait_data("ls /opt/pkt/ | grep txt",
'BG8010Server',
self.txt_file['step1'][0],
'检查文件结果',
300,
flag='存在')
txt_file = fun.search('/opt/pkt', 'txt', 'BG8010Server')
print('服务端/opt/pkt/路径下文件查询结果是:', txt_file)
assert txt in txt_file
print('scp上传文件成功')
print(
"---------------------------------------------------------------------"
)
# 文件查看audit日志
fun.wait_data(
f"grep -n {Lport} /usr/local/nginx/logs/audit.log |tail -1",
'FrontDut',
self.case1_step3['step1'][0],
'检查ssh日志结果',
300,
flag='存在')
for key in self.case1_step3:
re = fun.cmd(
f"grep -n {Lport} /usr/local/nginx/logs/audit.log |tail -1 ",
'FrontDut')
print('re:', re)
assert self.case1_step3[key][0] in re
#移除策略
fun.send(rbmExc, message.del_app_scp_front['DelCustomAppPolicy'],
FrontDomain, base_path)
fun.send(rbmExc, message.del_app_scp_back['DelCustomAppPolicy'],
BackDomain, base_path)
fun.wait_data('ps -ef |grep nginx', 'FrontDut',
'nginx: worker process')
front_res1 = fun.nginx_worker('ps -ef |grep nginx',
'FrontDut',
'nginx: worker process',
name='前置机nginx进程')
assert front_res1 == 1
fun.wait_data('ps -ef |grep nginx', 'BackDut', 'nginx: worker process')
back_res1 = fun.nginx_worker('ps -ef |grep nginx',
'BackDut',
'nginx: worker process',
name='后置机nginx进程')
assert back_res1 == 1
#检查配置移除是否成功
for key in self.case1_step4:
re = fun.wait_data(self.case1_step4[key][0],
'FrontDut',
self.case1_step4[key][1],
'前置机配置',
100,
flag='不存在')
assert self.case1_step4[key][1] not in re
for key in self.case0_step1:
re = fun.wait_data(self.case0_step1[key][0],
'BackDut',
self.case0_step1[key][1],
'后置机配置',
100,
flag='不存在')
assert self.case0_step1[key][1] not in re
def test_mail_check_extend_a2(self):
# 下发配置
fun.send(rbmExc, message.addsmtp['AddAgent'], rbmDomain, base_path)
fun.wait_data('ps -ef |grep nginx', 'gw', 'nginx: worker process')
smtp_res1 = fun.nginx_worker('ps -ef |grep nginx', 'gw',
'nginx: worker process')
assert smtp_res1 == 1
fun.send(rbmExc, message.addpop3['AddAgent'], rbmDomain, base_path)
fun.wait_data('ps -ef |grep nginx', 'gw', 'nginx: worker process')
pop3_res1 = fun.nginx_worker('ps -ef |grep nginx', 'gw',
'nginx: worker process')
assert pop3_res1 == 1
# 检查配置下发是否成功
for key in self.case2_step1:
re = fun.wait_data(self.case2_step1[key][0], 'gw',
self.case2_step1[key][1], '配置', 100)
print(re)
assert self.case2_step1[key][1] in re
for key in self.case2_step11:
re = fun.wait_data(self.case2_step11[key][0], 'gw',
self.case2_step11[key][1], '配置', 100)
print(re)
assert self.case2_step11[key][1] in re
fun.send(rbmExc, message.mailcheck2['SetMailCheck'], rbmDomain,
base_path)
fun.wait_data('ps -ef |grep nginx', 'gw', 'nginx: worker process')
add_check = fun.nginx_worker('ps -ef |grep nginx', 'gw',
'nginx: worker process')
assert add_check == 1
for key in self.case2_step2:
re = fun.wait_data(self.case2_step2[key][0], 'gw',
self.case2_step2[key][1], '配置', 100)
print(re)
assert self.case2_step2[key][1] in re
# 发送邮件,邮件地址为黑名单文件扩展名
result1 = send_smtp.post_email(self.mail_sender, self.mail_receivers,
self.mail_cc, self.mail_bcc,
self.mail_host, self.mail_port,
self.mail_user, self.mail_pass,
self.case2_attach1, self.case2_file1,
self.case2_title, self.context, 0, 1)
print('第一个黑名单文件扩展名{}结果为:{}'.format(self.case2_file1, result1))
assert result1 == 0
result2 = send_smtp.post_email(self.mail_sender, self.mail_receivers,
self.mail_cc, self.mail_bcc,
self.mail_host, self.mail_port,
self.mail_user, self.mail_pass,
self.case2_attach2, self.case2_file2,
self.case2_title, self.context, 0, 1)
print('第二个黑名单文件扩展名{}结果为:{}'.format(self.case2_file2, result2))
assert result2 == 0
# 发送邮件,邮件地址为非黑名单文件扩展名
result3 = send_smtp.post_email(self.mail_sender, self.mail_receivers,
self.mail_cc, self.mail_bcc,
self.mail_host, self.mail_port,
self.mail_user, self.mail_pass,
self.case2_attach3, self.case2_file3,
self.case2_title, self.context, 0, 1)
print('非黑名单文件扩展名{}结果为:{}'.format(self.case2_file3, result3))
assert result3 == 1
# 接收邮件
msg = recv_pop3.get_email(self.pop3_email, self.pop3_pwd,
self.pop3_server_host, self.pop3_server_port)
mail_list = recv_pop3.print_info(msg) # 解析
assert self.case2_title, self.context in mail_list
# 移除策略,还原环境
fun.send(rbmExc, message.delsmtp['DelAgent'], rbmDomain, base_path)
fun.wait_data('ps -ef |grep nginx', 'gw', 'nginx: worker process')
del_smtp = fun.nginx_worker('ps -ef |grep nginx', 'gw',
'nginx: worker process')
assert del_smtp == 1
fun.send(rbmExc, message.delpop3['DelAgent'], rbmDomain, base_path)
fun.wait_data('ps -ef |grep nginx', 'gw', 'nginx: worker process')
del_pop3 = fun.nginx_worker('ps -ef |grep nginx', 'gw',
'nginx: worker process')
assert del_pop3 == 1
# 检查代理是否成功移除
for key in self.case2_step1:
re = fun.wait_data(self.case2_step1[key][0],
'gw',
self.case2_step1[key][1],
'配置',
100,
flag='不存在')
assert self.case2_step1[key][1] not in re
# 检查邮件策略是否清空
fun.send(rbmExc, message.delmailcheck['DropMailCheck'], rbmDomain,
base_path)
fun.wait_data('ps -ef |grep nginx', 'gw', 'nginx: worker process')
del_check = fun.nginx_worker('ps -ef |grep nginx', 'gw',
'nginx: worker process')
assert del_check == 1
for key in self.delcheck:
re = fun.wait_data(self.delcheck[key][0],
'gw',
self.delcheck[key][1],
'配置',
100,
flag='不存在')
assert self.delcheck[key][1] not in re
def test_http_check_MIME_deny_a2(self):
# 下发配置
fun.send(rbmExc, message.addhttp['AddAgent'], rbmDomain, base_path)
fun.wait_data('ps -ef |grep nginx', 'gw', 'nginx: worker process')
fun.nginx_worker('ps -ef |grep nginx', 'gw', 'nginx: worker process')
# 检查配置下发是否成功
for key in self.case2_step1:
re = fun.wait_data(self.case2_step1[key][0], 'gw',
self.case2_step1[key][1], '配置', 100)
print(re)
assert self.case2_step1[key][1] in re
fun.send(rbmExc, message.httpcheck2['SetHttpCheck'], rbmDomain,
base_path)
fun.wait_data('ps -ef |grep nginx', 'gw', 'nginx: worker process')
fun.nginx_worker('ps -ef |grep nginx', 'gw', 'nginx: worker process')
for key in self.case2_step2:
re = fun.wait_data(self.case2_step2[key][0], 'gw',
self.case2_step2[key][1], '配置', 100)
print(re)
assert self.case2_step2[key][1] in re
# 发送get请求,不指定内容的普通请求
content = http_check.http_get(url)
print('get普通请求的请求内容为:{}'.format(content))
assert content == http_content
# 发送get请求,请求内容不包含MIME黑名单
status_code = http_check.http_get(self.base_uri, self.data, flag=1)
print('get请求内容不包含MIME黑名单返回的状态码为:{}'.format(status_code))
assert status_code == 200
# 发送get请求,请求内容包含MIME第一个黑名单
status_code1 = http_check.http_get(self.case2_uri1, self.data, flag=1)
print('get请求内容包含MIM第一个黑名单{}返回的状态码为:{}'.format(self.case2_uri1,
status_code1))
assert status_code1 == 403
# 发送get请求,请求内容包含MIME第二个黑名单
status_code2 = http_check.http_get(self.case2_uri2, self.data, flag=1)
print('get请求内容包含MIM第二个黑名单{}返回的状态码为:{}'.format(self.case2_uri2,
status_code2))
assert status_code2 == 403
# 发送get请求,请求内容包含MIME第三个黑名单
status_code3 = http_check.http_get(self.case2_uri3, self.data, flag=1)
print('get请求内容包含MIM第三个黑名单{}返回的状态码为:{}'.format(self.case2_uri3,
status_code3))
assert status_code3 == 403
# 发送get请求,请求内容包含MIME第四个黑名单
status_code4 = http_check.http_get(self.case2_uri4, self.data, flag=1)
print('get请求内容包含MIM第四个黑名单{}返回的状态码为:{}'.format(self.case2_uri4,
status_code4))
assert status_code4 == 403
# 发送get请求,请求内容包含MIME第五个黑名单
status_code5 = http_check.http_get(self.case2_uri5, self.data, flag=1)
print('get请求内容包含MIM第五个黑名单{}返回的状态码为:{}'.format(self.case2_uri5,
status_code5))
assert status_code5 == 403
def test_iso_http_check_MIME_allow_a1(self):
# 下发配置
print(
'1、下发http的隔离代理:代理ip为前置机安全卡的ip,port为2287,等待nginx的24个进程起来;预期netstat -anp |grep tcp应该可以查看到监听ip和端口'
)
fun.send(rbmExc, message.addhttp_front['AddCustomAppPolicy'],
FrontDomain, base_path)
fun.send(rbmExc, message.addhttp_back['AddCustomAppPolicy'],
BackDomain, base_path)
fun.wait_data('ps -ef |grep nginx', 'FrontDut',
'nginx: worker process')
front_res = fun.nginx_worker('ps -ef |grep nginx',
'FrontDut',
'nginx: worker process',
name='前置机nginx进程')
assert front_res == 1
fun.wait_data('ps -ef |grep nginx', 'BackDut', 'nginx: worker process')
back_res = fun.nginx_worker('ps -ef |grep nginx',
'BackDut',
'nginx: worker process',
name='后置机nginx进程')
assert back_res == 1
# 检查配置下发是否成功
for key in self.case1_step1:
re = fun.wait_data(self.case1_step1[key][0], 'FrontDut',
self.case1_step1[key][1], '配置', 100)
print(re)
assert self.case1_step1[key][1] in re
for key in self.case1_step11:
re = fun.wait_data(self.case1_step11[key][0], 'FrontDut',
self.case1_step11[key][1], '配置', 100)
print(re)
assert self.case1_step11[key][1] in re
# 数据检查
print(
'2、下发http的MIME白名单,参数为:pdf,等待nginx的24个进程起来;预期cat /etc/jsac/http.json文件应该包含:s_content_type和MIME白名单参数:pdf'
)
fun.send(rbmExc, message.httpcheck1['SetHttpCheck'], FrontDomain,
base_path)
fun.wait_data('ps -ef |grep nginx', 'FrontDut',
'nginx: worker process')
add_res2 = fun.nginx_worker('ps -ef |grep nginx', 'FrontDut',
'nginx: worker process')
assert add_res2 == 1
for key in self.case1_step2:
re = fun.wait_data(self.case1_step2[key][0], 'FrontDut',
self.case1_step2[key][1], '配置', 100)
assert self.case1_step2[key][1] in re
# 发送get请求,不指定内容的普通请求
print('3、控制台发送get请求,不包含请求内容;请求成功,请求到的内容为server的index.html文件内包含的内容')
content = http_check.http_get(http_url)
print('get普通请求的请求内容为:{}'.format(content))
assert content == http_content
# 发送get请求,请求内容不包含MIME白名单
print('4、控制台发送get请求,请求内容不包含MIME白名单;请求失败,状态码返回为403')
status_code = http_check.http_get(self.base_uri, self.data, flag=1)
print('get请求内容不包含MIME白名单返回的状态码为:{}'.format(status_code))
assert status_code == 403
# 发送get请求,请求内容包含MIME白名单
print('5、控制台发送get请求,请求内容包含MIME白名单:pdf;请求成功,状态码返回为200')
status_code = http_check.http_get(self.case1_uri, self.data, flag=1)
print('get请求内容包含MIM第一个E白名单返回的状态码为:{}'.format(status_code))
assert status_code == 200
# 移除策略,还原环境
print(
'6、移除代理策略,清空环境,等待nginx的24个进程起来;cat /etc/jsac/http.stream应该不包含代理ip和port'
)
fun.send(rbmExc, message.delhttp_front['DelCustomAppPolicy'],
FrontDomain, base_path)
fun.send(rbmExc, message.delhttp_back['DelCustomAppPolicy'],
BackDomain, base_path)
fun.wait_data('ps -ef |grep nginx', 'FrontDut',
'nginx: worker process')
fdel_res = fun.nginx_worker('ps -ef |grep nginx',
'FrontDut',
'nginx: worker process',
name='前置机nginx进程')
assert fdel_res == 1
fun.wait_data('ps -ef |grep nginx', 'BackDut', 'nginx: worker process')
bdel_res = fun.nginx_worker('ps -ef |grep nginx',
'BackDut',
'nginx: worker process',
name='后置机nginx进程')
assert bdel_res == 1
# 检查策略移除是否成功
for key in self.case1_step1:
re = fun.wait_data(self.case1_step1[key][0],
'FrontDut',
self.case1_step1[key][1],
'配置',
100,
flag='不存在')
print(re)
assert self.case1_step1[key][1] not in re
# 检查网页访问策略是否清空
print(
'7、移除网页访问策略,等待nginx的24个进程起来;cat /etc/jsac/http.json文件应该不包含:http协议')
fun.send(rbmExc, message.delhttpcheck['DropHttpCheck'], FrontDomain,
base_path)
fun.wait_data('ps -ef |grep nginx', 'FrontDut',
'nginx: worker process')
del_res2 = fun.nginx_worker('ps -ef |grep nginx', 'FrontDut',
'nginx: worker process')
assert del_res2 == 1
for key in self.delcheck:
re = fun.wait_data(self.delcheck[key][0],
'FrontDut',
self.delcheck[key][1],
'配置',
100,
flag='不存在')
assert self.delcheck[key][1] not in re
