Beispiel #1
0
def check_config_values(config, toolbox):
    """
    Validates the values for provided config in the [cloud] section

    Args:
        config (ConfigDict): The config object to check the optional config for
        toolbox (ConfigTestToolbox): Toolbox used to execute the tests

    Returns:
        list of BaseResult
    """
    config_test_resolver = base.get_basic_config_resolver(toolbox)
    config_test_resolver.update({
        'ikey': toolbox.test_is_ikey,
        'skey': toolbox.test_is_skey,
        'skey_protected': toolbox.test_is_string,
        'api_host': toolbox.test_is_string,
        'service_account_username': toolbox.test_is_string,
        'service_account_password': toolbox.test_is_string,
        'service_account_password_protected': toolbox.test_is_string,
        'http_proxy_host': toolbox.test_is_string,
        'http_proxy_port': toolbox.test_valid_port,
    })
    return (
        base.run_config_value_checks(config, config_test_resolver) +
        base.check_for_unexpected_keys(config, toolbox, config_test_resolver) +
        base.check_protected_usage(config, toolbox, ['skey_protected', 'service_account_password_protected'])
    )
def check_config_values(config, toolbox):
    """
    Validates the values for provided config in the [http_proxy]
    section

    Args:
        config (ConfigDict): The config object to check the optional config for
        toolbox (ConfigTestToolbox): Toolbox used to execute the tests

    Returns:
        list of ConfigResult
    """
    problems = []
    config_test_resolver = base.get_basic_config_resolver(toolbox)

    # Add http proxy specific keys
    config_test_resolver.update({
        "api_host": toolbox.test_is_string,
        "port": toolbox.test_valid_port,
        "client_ip": toolbox.test_ip_range,
        "interface": toolbox.test_is_valid_single_ip,
    })

    problems += base.run_config_value_checks(config, config_test_resolver)
    problems += base.check_for_unexpected_keys(config, toolbox,
                                               config_test_resolver)
    return problems
Beispiel #3
0
def check_config_values(config, toolbox):
    config_test_resolver = base.get_basic_config_resolver(toolbox)
    config_test_resolver.update({
        'rikey': toolbox.test_is_rikey,
        'service_account_username': toolbox.test_is_string,
        'service_account_password': toolbox.test_is_string,
        'service_account_password_protected': toolbox.test_is_string,
        'http_proxy_host': toolbox.test_is_string,
        'http_proxy_port': toolbox.test_valid_port,
    })
    return (
        base.run_config_value_checks(config, config_test_resolver) +
        base.check_for_unexpected_keys(config, toolbox, config_test_resolver) +
        base.check_protected_usage(config, toolbox,
                                   ['service_account_password_protected']))
Beispiel #4
0
def check_duo_only_client(config, toolbox=STANDARD_CONFIG_TOOLBOX):
    """Validates a [duo_only_client] section of an authproxy config.
    It should have no key-value pairs, other than possibly anything
    passed down from [main].

    Args:
        config (ConfigDict): The ad_client section config to check
        toolbox (ConfigTestToolbox): Toolbox used to execute the tests
    Returns:
        ConfigCheckResult
    """
    problems = []
    config_test_resolver = base.get_basic_config_resolver(toolbox)

    problems += base.check_for_unexpected_keys(config, toolbox, config_test_resolver)
    problems += base.run_config_value_checks(config, config_test_resolver)

    return ConfigCheckResult(problems)
def _check_config_values(config, toolbox):
    config_value_tests = base.get_basic_config_resolver(toolbox)
    config_value_tests.update({
        'ikey': toolbox.test_is_ikey,
        'skey': toolbox.test_is_skey,
        'skey_protected': toolbox.test_is_string,
        'api_host': toolbox.test_is_string,
        'api_timeout': toolbox.test_is_positive_int,
        'client': toolbox.test_is_string,
        'factors': functools.partial(toolbox.test_valid_permutation,
                                     enum=['auto', 'push', 'phone', 'passcode'], separator=',', repeats=False),
        'failmode': functools.partial(toolbox.test_valid_enum,
                                      enum=['safe', 'secure'], transform=str.lower),
        'port': toolbox.test_valid_port,
        'interface': toolbox.test_is_valid_single_ip,
        'ssl_port': toolbox.test_valid_port,
        'ssl_key_path': toolbox.test_file_readable,
        'ssl_cert_path': toolbox.test_file_readable,
        'exempt_primary_bind': toolbox.test_is_bool,
        'delimiter': toolbox.test_is_string,
        'allow_concat': toolbox.test_is_bool,
        'allow_searches_after_bind': toolbox.test_is_bool,
        'allow_unlimited_binds': toolbox.test_is_bool,
        'minimum_tls_version': toolbox.test_is_tls_version,
        'cipher_list': toolbox.test_is_cipher_list,
        'network_timeout': toolbox.test_is_positive_int,
        'idle_timeout': toolbox.test_is_positive_int,
        'api_port': toolbox.test_valid_port,
        'http_proxy_host': toolbox.test_is_string,
        'http_proxy_port': toolbox.test_valid_port,
        'delimited_password_length': toolbox.test_is_positive_int,
    })

    dynamic_key_tests = {
        'exempt_ou': toolbox.test_dn,
    }

    base.add_dynamic_keys_to_test_resolver(config, config_value_tests, dynamic_key_tests)

    problems = base.run_config_value_checks(config, config_value_tests)
    problems += base.check_for_unexpected_keys(config, toolbox, config_value_tests)
    problems += base.check_protected_usage(config, toolbox, ['skey_protected'])

    return problems
def check_config_values(config, toolbox):
    """ Validates the values for provided config in the [radius_client] section

    Args:
        config (ConfigDict): The config object to check the optional config for
        toolbox (ConfigTestToolbox): Toolbox used to execute the tests

    Returns:
        list of BaseResult
    """
    problems = []

    config_test_resolver = base.get_basic_config_resolver(toolbox)
    config_test_resolver.update({
        "secret": toolbox.test_is_string,
        "secret_protected": toolbox.test_is_string,
        "retries": toolbox.test_is_positive_int,
        "retry_wait": toolbox.test_is_positive_int,
        "nas_ip": toolbox.test_is_valid_single_ip,
        "pass_through_attr_names": toolbox.test_is_string,
        "pass_through_all": toolbox.test_is_bool,
        "pw_codec": toolbox.test_is_codec,
    })

    dynamic_test_resolver = {
        "host": toolbox.test_is_valid_single_ip,
        "port": toolbox.test_valid_port,
    }
    base.add_dynamic_keys_to_test_resolver(config, config_test_resolver,
                                           dynamic_test_resolver)

    problems += base.run_config_value_checks(config, config_test_resolver)

    problems += base.check_for_unexpected_keys(config, toolbox,
                                               config_test_resolver)

    possible_protected_keys = ["secret_protected"]
    problems += base.check_protected_usage(config, toolbox,
                                           possible_protected_keys)

    return problems
Beispiel #7
0
def check_config_values(config, toolbox):
    """
    Validates the values for provided config in the [ad_client] section

    Args:
        config (ConfigDict): The config object to check the optional config for
        toolbox (ConfigTestToolbox): Toolbox used to execute the tests

    Returns:
        list of BaseResult
    """
    problems = []
    config_test_resolver = base.get_basic_config_resolver(toolbox)
    config_dict = {
        "service_account_username":
        toolbox.test_is_string,
        "service_account_password":
        toolbox.test_is_string,
        "service_account_password_protected":
        toolbox.test_is_string,
        "search_dn":
        toolbox.test_dn,
        "security_group_dn":
        toolbox.test_dn,
        "ldap_filter":
        toolbox.test_ldap_filter,
        "timeout":
        toolbox.test_is_int,
        "ssl_ca_certs_file":
        toolbox.test_file_readable,
        "ssl_verify_hostname":
        toolbox.test_is_bool,
        "bind_dn":
        toolbox.test_dn,
        "ntlm_domain":
        toolbox.test_is_string,
        "ntlm_workstation":
        toolbox.test_is_string,
        "port":
        toolbox.test_valid_port,
        "transport":
        functools.partial(toolbox.test_valid_enum,
                          enum=const.AD_TRANSPORTS,
                          transform=str.lower),
        "username_attribute":
        toolbox.test_is_string,
        "at_attribute":
        toolbox.test_is_string,
    }
    if util.is_windows_os():
        config_dict["auth_type"] = functools.partial(
            toolbox.test_valid_enum,
            enum=const.AD_AUTH_TYPES_WIN,
            transform=str.lower)
        config_test_resolver.update(config_dict)
    else:
        config_dict["auth_type"] = functools.partial(
            toolbox.test_valid_enum,
            enum=const.AD_AUTH_TYPES_NIX,
            transform=str.lower)
        config_test_resolver.update(config_dict)
    dynamic_test_resolver = {
        "host": toolbox.test_is_string,
    }
    base.add_dynamic_keys_to_test_resolver(config, config_test_resolver,
                                           dynamic_test_resolver)

    problems += base.run_config_value_checks(config, config_test_resolver)

    problems += base.check_for_unexpected_keys(config, toolbox,
                                               config_test_resolver)

    possible_protected_keys = ["service_account_password_protected"]
    problems += base.check_protected_usage(config, toolbox,
                                           possible_protected_keys)

    return problems
Beispiel #8
0
def check_config_values(config, toolbox):
    """
    Validates the values for provided config in the [ad_client] section

    Args:
        config (ConfigDict): The config object to check the optional config for
        toolbox (ConfigTestToolbox): Toolbox used to execute the tests

    Returns:
        list of BaseResult
    """
    problems = []
    config_test_resolver = base.get_basic_config_resolver(toolbox)
    config_test_resolver.update({
        'service_account_username':
        toolbox.test_is_string,
        'service_account_password':
        toolbox.test_is_string,
        'service_account_password_protected':
        toolbox.test_is_string,
        'search_dn':
        toolbox.test_dn,
        'security_group_dn':
        toolbox.test_dn,
        'ldap_filter':
        toolbox.test_ldap_filter,
        'timeout':
        toolbox.test_is_int,
        'ssl_ca_certs_file':
        toolbox.test_file_readable,
        'ssl_verify_hostname':
        toolbox.test_is_bool,
        'bind_dn':
        toolbox.test_dn,
        'ntlm_domain':
        toolbox.test_is_string,
        'ntlm_workstation':
        toolbox.test_is_string,
        'port':
        toolbox.test_valid_port,
        'transport':
        functools.partial(toolbox.test_valid_enum,
                          enum=const.AD_TRANSPORTS,
                          transform=str.lower),
        'auth_type':
        functools.partial(toolbox.test_valid_enum,
                          enum=const.AD_AUTH_TYPES,
                          transform=str.lower),
        'username_attribute':
        toolbox.test_is_string,
        'at_attribute':
        toolbox.test_is_string,
        'domain_discovery':
        toolbox.test_is_bool,
    })

    dynamic_test_resolver = {
        'host': toolbox.test_is_string,
    }
    base.add_dynamic_keys_to_test_resolver(config, config_test_resolver,
                                           dynamic_test_resolver)

    problems += base.run_config_value_checks(config, config_test_resolver)

    problems += base.check_for_unexpected_keys(config, toolbox,
                                               config_test_resolver)

    possible_protected_keys = ['service_account_password_protected']
    problems += base.check_protected_usage(config, toolbox,
                                           possible_protected_keys)

    return problems
def check_config_values(config, toolbox):
    """
    Validates the values for provided config in the [radius_server_eap]
    section

    Args:
        config (ConfigDict): The config object to check the optional config for
        toolbox (ConfigTestToolbox): Toolbox used to execute the tests

    Returns:
        list of ConfigResult
    """
    problems = []
    config_test_resolver = base.get_basic_config_resolver(toolbox)

    # Add radius server eap specific keys
    config_test_resolver.update({
        'ikey':
        toolbox.test_is_ikey,
        'skey':
        toolbox.test_is_skey,
        'skey_protected':
        toolbox.test_is_string,
        'api_host':
        toolbox.test_is_string,
        'client':
        toolbox.test_is_string,
        'certs':
        toolbox.test_file_readable,
        'pkey':
        toolbox.test_file_readable,
        'port':
        toolbox.test_valid_port,
        'interface':
        toolbox.test_is_valid_single_ip,
        'factors':
        functools.partial(toolbox.test_valid_permutation,
                          enum=['auto', 'push', 'phone', 'passcode'],
                          separator=',',
                          repeats=False),
        'failmode':
        functools.partial(toolbox.test_valid_enum,
                          enum=['safe', 'secure'],
                          transform=str.lower),
        'minimum_tls_version':
        toolbox.test_is_tls_version,
        'cipher_list':
        toolbox.test_is_cipher_list,
        'prompt':
        toolbox.test_is_string,
        'allow_concat':
        toolbox.test_is_bool,
        'delimiter':
        toolbox.test_is_string,
        'delimited_password_length':
        toolbox.test_is_positive_int,
        'pass_through_attr_names':
        toolbox.test_is_string,
        'pw_codec':
        toolbox.test_is_codec,
        'client_ip_attr':
        toolbox.test_is_string,
        'http_proxy_host':
        toolbox.test_is_string,
        'http_proxy_port':
        toolbox.test_valid_port,
        'pass_through_all':
        toolbox.test_is_bool,
    })

    dynamic_test_resolver = {
        'radius_ip': toolbox.test_is_valid_ip,
        'radius_secret': toolbox.test_is_string,
        'radius_secret_protected': toolbox.test_is_string,
    }

    base.add_dynamic_keys_to_test_resolver(config, config_test_resolver,
                                           dynamic_test_resolver)
    problems += base.run_config_value_checks(config, config_test_resolver)
    problems += base.check_for_unexpected_keys(config, toolbox,
                                               config_test_resolver)
    problems += base.check_basic_radius_server_protected_usage(config, toolbox)
    return problems
def _check_config_values(config, toolbox):
    config_value_tests = base.get_basic_config_resolver(toolbox)
    config_value_tests.update({
        "ikey":
        toolbox.test_is_ikey,
        "skey":
        toolbox.test_is_skey,
        "skey_protected":
        toolbox.test_is_string,
        "api_host":
        toolbox.test_is_string,
        "api_timeout":
        toolbox.test_is_positive_int,
        "client":
        toolbox.test_is_string,
        "factors":
        functools.partial(
            toolbox.test_valid_permutation,
            enum=["auto", "push", "phone", "passcode"],
            separator=",",
            repeats=False,
        ),
        "failmode":
        functools.partial(toolbox.test_valid_enum,
                          enum=["safe", "secure"],
                          transform=str.lower),
        "port":
        toolbox.test_valid_port,
        "interface":
        toolbox.test_is_valid_single_ip,
        "ssl_port":
        toolbox.test_valid_port,
        "ssl_key_path":
        toolbox.test_file_readable,
        "ssl_cert_path":
        toolbox.test_file_readable,
        "exempt_primary_bind":
        toolbox.test_is_bool,
        "delimiter":
        toolbox.test_is_string,
        "allow_concat":
        toolbox.test_is_bool,
        "allow_searches_after_bind":
        toolbox.test_is_bool,
        "allow_unlimited_binds":
        toolbox.test_is_bool,
        "minimum_tls_version":
        toolbox.test_is_tls_version,
        "cipher_list":
        toolbox.test_is_cipher_list,
        "network_timeout":
        toolbox.test_is_positive_int,
        "idle_timeout":
        toolbox.test_is_positive_int,
        "api_port":
        toolbox.test_valid_port,
        "http_proxy_host":
        toolbox.test_is_string,
        "http_proxy_port":
        toolbox.test_valid_port,
        "delimited_password_length":
        toolbox.test_is_positive_int,
    })

    dynamic_key_tests = {
        "exempt_ou": toolbox.test_dn,
    }

    base.add_dynamic_keys_to_test_resolver(config, config_value_tests,
                                           dynamic_key_tests)

    problems = base.run_config_value_checks(config, config_value_tests)
    problems += base.check_for_unexpected_keys(config, toolbox,
                                               config_value_tests)
    problems += base.check_protected_usage(config, toolbox, ["skey_protected"])

    return problems