class TestLog(TestCase):
def setUp(self):
config = getNuauthConf()
config["nuauth_tls_request_cert"] = "0"
config["nuauth_user_logs_module"] = '"syslog"'
config["nuauth_user_session_logs_module"] = '"syslog"'
self.nuauth = Nuauth(config)
def tearDown(self):
self.nuauth.stop()
def findLog(self, match):
warning("Search string >%s< in log" % match)
matched = False
for line in self.nuauth.readlines(total_timeout=2.0):
if match in line:
return True
return False
def testLogin(self):
# Client login
client = createClientWithCerts()
self.assert_(connectClient(client))
# Check log output
self.assert_(self.findLog("[nuauth] User %s connect on " % client.username))
# Client logout
client.stop()
self.assert_(self.findLog("[nuauth] User %s disconnect on " % client.username))
class TestLog(TestCase):
def setUp(self):
config = getNuauthConf()
config["nuauth_tls_request_cert"] = "0"
config["nuauth_user_logs_module"] = '"syslog"'
config["nuauth_user_session_logs_module"] = '"syslog"'
self.nuauth = Nuauth(config)
def tearDown(self):
self.nuauth.stop()
def findLog(self, match):
warning("Search string >%s< in log" % match)
matched = False
for line in self.nuauth.readlines(total_timeout=2.0):
if match in line:
return True
return False
def testLogin(self):
# Client login
client = createClientWithCerts()
self.assert_(connectClient(client))
# Check log output
self.assert_(
self.findLog("[nuauth] User %s connect on " % client.username))
# Client logout
client.stop()
self.assert_(
self.findLog("[nuauth] User %s disconnect on " % client.username))
class TestPlaintextAuth(TestCase):
def setUp(self):
config = NuauthConf()
self.users = USERDB
self.users.install(config)
self.nuauth = Nuauth(config)
def tearDown(self):
self.nuauth.stop()
self.users.desinstall()
def testUser1(self):
user = USERDB[0]
client = user.createClientWithCerts()
self.assert_(connectClient(client))
client.stop()
def testUser2(self):
user = USERDB[1]
client = user.createClientWithCerts()
self.assert_(connectClient(client))
client.stop()
def testInvalidLogin(self):
user = USERDB[0]
client = createClientWithCerts(user.login+"x", user.password)
self.assert_(not connectClient(client))
client.stop()
def testInvalidPass(self):
user = USERDB[1]
client = createClientWithCerts(user.login, user.password+"x")
self.assert_(not connectClient(client))
client.stop()
class TestClientAuth(TestCase):
def setUp(self):
self.port = VALID_PORT
config = NuauthConf()
# Userdb
self.user = PlaintextUser("visiteur", "nopassword", 42, 42)
self.userdb = PlaintextUserDB()
self.userdb.addUser(self.user)
self.userdb.install(config)
self.acls = PlaintextAcl()
self.acls.addAcl("web", self.port, self.user.gid)
self.acls.install(config)
# Load nuauth
config["nuauth_do_ip_authentication"] = '1'
config["nuauth_ip_authentication_module"] = '"ipauth_guest"'
config["ipauth_guest_username"] = '******' % self.user.login
self.nuauth = Nuauth(config)
self.iptables = Iptables()
self.nufw = startNufw()
def tearDown(self):
self.acls.desinstall()
self.userdb.desinstall()
self.nuauth.stop()
self.iptables.flush()
def testValid(self):
self.iptables.filterTcp(self.port)
self.assertEqual(connectTcp(HOST, self.port, TIMEOUT), True)
class TestClientAuth(TestCase):
def setUp(self):
self.port = VALID_PORT
config = NuauthConf()
# Userdb
self.user = PlaintextUser("visiteur", "nopassword", 42, 42)
self.userdb = PlaintextUserDB()
self.userdb.addUser(self.user)
self.userdb.install(config)
self.acls = PlaintextAcl()
self.acls.addAcl("web", self.port, self.user.gid)
self.acls.install(config)
# Load nuauth
config["nuauth_do_ip_authentication"] = '1'
config["nuauth_ip_authentication_module"] = '"ipauth_guest"'
config["ipauth_guest_username"] = '******' % self.user.login
self.nuauth = Nuauth(config)
self.iptables = Iptables()
self.nufw = startNufw()
def tearDown(self):
self.acls.desinstall()
self.userdb.desinstall()
self.nuauth.stop()
self.iptables.flush()
def testValid(self):
self.iptables.filterTcp(self.port)
self.assertEqual(connectTcp(HOST, self.port, TIMEOUT), True)
class TestConntrack(TestCase):
def setUp(self):
self.dst_host = socket.gethostbyname(HOST)
self.config = NuauthConf()
self.acls = PlaintextAcl()
self.acls.addAclFull("web", self.dst_host, VALID_PORT, USERDB[0].gid, 1, period="10 secs")
self.acls.install(self.config)
self.period = PlainPeriodXML()
self.period.addPeriod(Period("10 secs", duration=10))
self.period.install(self.config)
self.users = USERDB
self.users.install(self.config)
self.nuauth = Nuauth(self.config)
self.nufw = startNufw()
self.iptables = Iptables()
self.iptables.flush()
self.iptables.command("-I OUTPUT -d %s -p tcp --dport 80 --syn -m state --state NEW -j NFQUEUE" % self.dst_host)
self.iptables.command("-I OUTPUT -d %s -p tcp --dport 80 ! --syn -m state --state NEW -j DROP" % self.dst_host)
def tearDown(self):
self.nuauth.stop()
self.users.desinstall()
self.acls.desinstall()
self.period.desinstall()
def testConnShutdown(self):
user = USERDB[0]
client = user.createClient()
self.assert_(connectClient(client))
start = time.time()
conn = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
conn.connect((self.dst_host, VALID_PORT))
src_port = conn.getsockname()[1]
ct_before = len(get_conntrack_conn(src_port, self.dst_host, VALID_PORT))
## Check that only one connection is opened to
self.assert_(ct_before == 1)
## The connection should be killed 10 seconds after being opened
time.sleep(15)
## Check that only one connection is opened to
ct_after = len(get_conntrack_conn(src_port, self.dst_host, VALID_PORT))
self.assert_(ct_after == 0)
conn.close()
client.stop()
class TestConntrack(TestCase):
def setUp(self):
self.dst_host = socket.gethostbyname(HOST)
self.config = NuauthConf()
self.acls = PlaintextAcl()
self.acls.addAclFull("web", self.dst_host, VALID_PORT, USERDB[0].gid, 1, period='10 secs' )
self.acls.install(self.config)
self.period = PlainPeriodXML()
self.period.addPeriod(Period("10 secs", duration = 10))
self.period.install(self.config)
self.users = USERDB
self.users.install(self.config)
self.nuauth = Nuauth(self.config)
self.nufw = startNufw()
self.iptables = Iptables()
self.iptables.flush()
self.iptables.command('-I OUTPUT -d %s -p tcp --dport 80 --syn -m state --state NEW -j NFQUEUE' % self.dst_host)
self.iptables.command('-I OUTPUT -d %s -p tcp --dport 80 ! --syn -m state --state NEW -j DROP' % self.dst_host)
def tearDown(self):
self.nuauth.stop()
self.users.desinstall()
self.acls.desinstall()
self.period.desinstall()
def testConnShutdown(self):
user = USERDB[0]
client = user.createClient()
self.assert_(connectClient(client))
start = time.time()
conn = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
conn.connect((self.dst_host, VALID_PORT))
src_port = conn.getsockname()[1]
ct_before = len(get_conntrack_conn(src_port, self.dst_host, VALID_PORT))
## Check that only one connection is opened to
self.assert_(ct_before == 1)
## The connection should be killed 10 seconds after being opened
time.sleep(15)
## Check that only one connection is opened to
ct_after = len(get_conntrack_conn(src_port, self.dst_host, VALID_PORT))
self.assert_(ct_after == 0)
conn.close()
client.stop()
class TestClientCertAuth(TestCase):
def setUp(self):
self.nuconfig = NuauthConf()
cacert = config.get("test_cert", "cacert")
# Userdb
self.user = PlaintextUser("user", "nopassword", 42, 42)
self.userdb = PlaintextUserDB()
self.userdb.addUser(self.user)
self.userdb.install(self.nuconfig)
# Server
self.nuconfig["plaintext_userfile"] = '"%s"' % self.userdb.filename
self.nuconfig["nuauth_tls_auth_by_cert"] = "2"
self.nuconfig["nuauth_tls_request_cert"] = "2"
self.nuconfig["nuauth_tls_cacert"] = '"%s"' % cacert
self.nuconfig["nuauth_tls_key"] = '"%s"' % config.get(
"test_cert", "nuauth_key")
self.nuconfig["nuauth_tls_cert"] = '"%s"' % config.get(
"test_cert", "nuauth_cert")
self.nuauth = Nuauth(self.nuconfig)
def tearDown(self):
self.client.stop()
self.nuauth.stop()
self.userdb.desinstall()
self.nuconfig.desinstall()
def testValidCert(self):
# Client
cacert = config.get("test_cert", "cacert")
cert = config.get("test_cert", "user_cert")
key = config.get("test_cert", "user_key")
args = ["-C", cert, "-K", key, "-A", cacert]
self.client = self.user.createClient(more_args=args)
self.client.password = "******" % self.user.password
self.assert_(connectClient(self.client))
def testInvalidCert(self):
# Expired certificate
cacert = config.get("test_cert", "cacert")
cert = config.get("test_cert", "user_invalid_cert")
key = config.get("test_cert", "user_invalid_key")
args = ["-C", cert, "-K", key, "-A", cacert]
self.client = self.user.createClient(more_args=args)
self.client.password = "******" % self.user.password
self.assert_(not connectClient(self.client))
class TestClientCertAuth(TestCase):
def setUp(self):
self.nuconfig = NuauthConf()
cacert = config.get("test_cert", "cacert")
# Userdb
self.user = PlaintextUser("user", "nopassword", 42, 42)
self.userdb = PlaintextUserDB()
self.userdb.addUser(self.user)
self.userdb.install(self.nuconfig)
# Server
self.nuconfig["plaintext_userfile"] = '"%s"' % self.userdb.filename
self.nuconfig["nuauth_tls_auth_by_cert"] = "2"
self.nuconfig["nuauth_tls_request_cert"] = "2"
self.nuconfig["nuauth_tls_cacert"] = '"%s"' % cacert
self.nuconfig["nuauth_tls_key"] = '"%s"' % config.get("test_cert", "nuauth_key")
self.nuconfig["nuauth_tls_cert"] = '"%s"' % config.get("test_cert", "nuauth_cert")
self.nuauth = Nuauth(self.nuconfig)
def tearDown(self):
self.client.stop()
self.nuauth.stop()
self.userdb.desinstall()
self.nuconfig.desinstall()
def testValidCert(self):
# Client
cacert = config.get("test_cert", "cacert")
cert = config.get("test_cert", "user_cert")
key = config.get("test_cert", "user_key")
args = ["-C", cert, "-K", key, "-A", cacert]
self.client = self.user.createClient(more_args=args)
self.client.password = "******" % self.user.password
self.assert_(connectClient(self.client))
def testInvalidCert(self):
# Expired certificate
cacert = config.get("test_cert", "cacert")
cert = config.get("test_cert", "user_invalid_cert")
key = config.get("test_cert", "user_invalid_key")
args = ["-C", cert, "-K", key, "-A", cacert]
self.client = self.user.createClient(more_args=args)
self.client.password = "******" % self.user.password
self.assert_(not connectClient(self.client))
class TestClientAuth(TestCase):
def setUp(self):
self.port = VALID_PORT
self.mark = 1
self.shift = 8
config = NuauthConf()
# Userdb
self.user = PlaintextUser("guest", "nopassword", 42, 42)
self.userdb = PlaintextUserDB()
self.userdb.addUser(self.user)
self.userdb.install(config)
self.acls = PlaintextAcl()
self.acls.addAcl("port",
self.port,
self.user.gid,
flags=(self.mark << self.shift))
self.acls.install(config)
# Load nuauth
config["nuauth_finalize_packet_module"] = '"mark_flag"'
config["mark_flag_mark_shift"] = 0
config["mark_flag_flag_shift"] = self.shift
config["mark_flag_nbits"] = 16
self.nuauth = Nuauth(config)
self.iptables = Iptables()
self.nufw = startNufw(["-m"])
self.client = self.user.createClientWithCerts()
def tearDown(self):
self.acls.desinstall()
self.userdb.desinstall()
self.client.stop()
self.nuauth.stop()
self.iptables.flush()
def testValid(self):
# Connect client and filter port
self.assert_(connectClient(self.client))
self.iptables.filterTcp(self.port)
# Test connection without QoS (accept)
self.assertEqual(connectTcp(HOST, self.port, TIMEOUT), True)
# Test connection with QoS (drop)
self.iptables.command(
"-A POSTROUTING -t mangle -m mark --mark %s -j DROP" % self.mark)
self.assertEqual(connectTcp(HOST, self.port, TIMEOUT), False)
class TestSYNACKignore(TestCase):
def setUp(self):
self.iptables = Iptables()
self.iptables.command('-A OUTPUT -p tcp --sport %u -d %s --tcp-flags SYN,ACK SYN,ACK -j NFQUEUE' % (VALID_PORT, HOST))
config = NuauthConf()
self.nuauth = Nuauth(config)
self.nufw = startNufw()
def tearDown(self):
self.nuauth.stop()
self.iptables.flush()
def testsynack(self):
# Create socket
self.assertEqual(connectTcp(HOST, VALID_PORT, TIMEOUT), True)
class TestClientAuth(TestCase):
def setUp(self):
self.port = VALID_PORT
self.mark = 1
self.shift = 8
config = NuauthConf()
# Userdb
self.user = PlaintextUser("guest", "nopassword", 42, 42)
self.userdb = PlaintextUserDB()
self.userdb.addUser(self.user)
self.userdb.install(config)
self.acls = PlaintextAcl()
self.acls.addAcl("port", self.port, self.user.gid, flags=(self.mark << self.shift))
self.acls.install(config)
# Load nuauth
config["nuauth_finalize_packet_module"] = '"mark_flag"'
config["mark_flag_mark_shift"] = 0
config["mark_flag_flag_shift"] = self.shift
config["mark_flag_nbits"] = 16
self.nuauth = Nuauth(config)
self.iptables = Iptables()
self.nufw = startNufw(["-m"])
self.client = self.user.createClientWithCerts()
def tearDown(self):
self.acls.desinstall()
self.userdb.desinstall()
self.client.stop()
self.nuauth.stop()
self.iptables.flush()
def testValid(self):
# Connect client and filter port
self.assert_(connectClient(self.client))
self.iptables.filterTcp(self.port)
# Test connection without QoS (accept)
self.assertEqual(connectTcp(HOST, self.port, TIMEOUT), True)
# Test connection with QoS (drop)
self.iptables.command("-A POSTROUTING -t mangle -m mark --mark %s -j DROP" % self.mark)
self.assertEqual(connectTcp(HOST, self.port, TIMEOUT), False)
class TestSYNACKignore(TestCase):
def setUp(self):
self.iptables = Iptables()
self.iptables.command(
'-A OUTPUT -p tcp --sport %u -d %s --tcp-flags SYN,ACK SYN,ACK -j NFQUEUE'
% (VALID_PORT, HOST))
config = NuauthConf()
self.nuauth = Nuauth(config)
self.nufw = startNufw()
def tearDown(self):
self.nuauth.stop()
self.iptables.flush()
def testsynack(self):
# Create socket
self.assertEqual(connectTcp(HOST, VALID_PORT, TIMEOUT), True)
class TestClientAuth(TestCase):
def setUp(self):
# Load nuauth
nuconfig = NuauthConf()
self.nuauth = Nuauth(nuconfig)
# Create client
self.client = createClientWithCerts()
def tearDown(self):
self.client.stop()
self.nuauth.stop()
def testValidPass(self):
self.client.password = PASSWORD
self.assert_(connectClient(self.client))
def testInvalidPass(self):
self.client.password = "******" % PASSWORD
self.assert_(not connectClient(self.client))
class TestClientCert(TestCase):
def setUp(self):
self.cacert = config.get("test_cert", "cacert")
nuconfig = NuauthConf()
nuconfig["nuauth_tls_auth_by_cert"] = "0"
nuconfig["nuauth_tls_request_cert"] = "0"
self.nuauth = Nuauth(nuconfig)
def tearDown(self):
self.client.stop()
self.nuauth.stop()
def testValidCert(self):
self.client = createClient(more_args=["-A", self.cacert])
self.assert_(connectClient(self.client))
def testInvalidCert(self):
cacert = config.get("test_cert", "invalid_cacert")
self.client = createClient(more_args=["-A", cacert])
self.assert_(not connectClient(self.client))
class TestClientCert(TestCase):
def setUp(self):
self.cacert = config.get("test_cert", "cacert")
nuconfig = NuauthConf()
nuconfig["nuauth_tls_auth_by_cert"] = "0"
nuconfig["nuauth_tls_request_cert"] = "0"
self.nuauth = Nuauth(nuconfig)
def tearDown(self):
self.client.stop()
self.nuauth.stop()
def testValidCert(self):
self.client = createClient(more_args=["-A", self.cacert])
self.assert_(connectClient(self.client))
def testInvalidCert(self):
cacert = config.get("test_cert", "invalid_cacert")
self.client = createClient(more_args=["-A", cacert])
self.assert_(not connectClient(self.client))
class TestClientAuth(TestCase):
def setUp(self):
# Load nuauth
nuconfig = NuauthConf()
self.nuauth = Nuauth(nuconfig)
# Create client
self.client = createClientWithCerts()
def tearDown(self):
self.client.stop()
self.nuauth.stop()
def testValidPass(self):
self.client.password = PASSWORD
self.assert_(connectClient(self.client))
def testInvalidPass(self):
self.client.password = "******" % PASSWORD
self.assert_(not connectClient(self.client))
class TestScript(TestCase):
def setUp(self):
# Prepare our new scripts
self.script_up = ReplaceFile(SCRIPT_UP, SCRIPT % "UP", MODE)
self.script_down = ReplaceFile(SCRIPT_DOWN, SCRIPT % "DOWN", MODE)
self.script_up.install()
self.script_down.install()
# Create nuauth
config = NuauthConf()
config["nuauth_user_session_logs_module"] = '"script"'
self.nuauth = Nuauth(config)
def tearDown(self):
# Restore scripts and nuauth config
self.script_up.desinstall()
self.script_down.desinstall()
self.nuauth.stop()
def checkScript(self, match):
warning("checkScript(%r)" % match)
for line in self.nuauth.readlines(total_timeout=2.0):
if line == match:
return True
return False
def testLogin(self):
# Client login
client = createClientWithCerts()
self.assert_(connectClient(client))
# Check log output
match = "SCRIPT UP COUNT=2 TEXT >>>%s %s<<<" \
% (client.username, client.ip)
self.assert_(self.checkScript(match))
# Client logout
client.stop()
match = "SCRIPT DOWN COUNT=2 TEXT >>>%s %s<<<" \
% (client.username, client.ip)
self.assert_(self.checkScript(match))
class TestScript(TestCase):
def setUp(self):
# Prepare our new scripts
self.script_up = ReplaceFile(SCRIPT_UP, SCRIPT % "UP", MODE)
self.script_down = ReplaceFile(SCRIPT_DOWN, SCRIPT % "DOWN", MODE)
self.script_up.install()
self.script_down.install()
# Create nuauth
config = NuauthConf()
config["nuauth_user_session_logs_module"] = '"script"'
self.nuauth = Nuauth(config)
def tearDown(self):
# Restore scripts and nuauth config
self.script_up.desinstall()
self.script_down.desinstall()
self.nuauth.stop()
def checkScript(self, match):
warning("checkScript(%r)" % match)
for line in self.nuauth.readlines(total_timeout=2.0):
if line == match:
return True
return False
def testLogin(self):
# Client login
client = createClientWithCerts()
self.assert_(connectClient(client))
# Check log output
match = "SCRIPT UP COUNT=2 TEXT >>>%s %s<<<" \
% (client.username, client.ip)
self.assert_(self.checkScript(match))
# Client logout
client.stop()
match = "SCRIPT DOWN COUNT=2 TEXT >>>%s %s<<<" \
% (client.username, client.ip)
self.assert_(self.checkScript(match))
class TestSystem(TestCase):
def setUp(self):
# Start nuauth with our config
nuconfig = NuauthConf()
nuconfig["nuauth_user_check_module"] = '"system"'
self.nuauth = Nuauth(nuconfig)
def tearDown(self):
# Restore user DB and nuauth config
self.nuauth.stop()
def testLogin(self):
username = config.get("test_system", "username")
password = config.get("test_system", "password")
client = createClientWithCerts(username, password)
self.assert_(connectClient(client))
client.stop()
client = createClientWithCerts(username, "xxx%sxxx" % password)
self.assert_(not connectClient(client))
client.stop()
class TestSystem(TestCase):
def setUp(self):
# Start nuauth with our config
nuconfig = NuauthConf()
nuconfig["nuauth_user_check_module"] = '"system"'
self.nuauth = Nuauth(nuconfig)
def tearDown(self):
# Restore user DB and nuauth config
self.nuauth.stop()
def testLogin(self):
username = config.get("test_system", "username")
password = config.get("test_system", "password")
client = createClientWithCerts(username, password)
self.assert_(connectClient(client))
client.stop()
client = createClientWithCerts(username, "xxx%sxxx" % password)
self.assert_(not connectClient(client))
client.stop()
class TestSessionExpire(TestCase):
def setUp(self):
self.expiration = DURATION
self.host = HOST
# Setup session_expire library
nuconfig = NuauthConf()
nuconfig['nuauth_user_session_modify_module']='"session_expire"'
nuconfig['nuauth_session_duration'] = str(self.expiration)
# Install temporary user database
self.userdb = PlaintextUserDB()
self.userdb.addUser( PlaintextUser(USERNAME, PASSWORD, 42, 42) )
self.userdb.install(nuconfig)
self.acls = PlaintextAcl()
# Start nuauth
self.nuauth = Nuauth(nuconfig)
# Create client
self.client = createClientWithCerts()
def tearDown(self):
self.client.stop()
self.acls.desinstall()
self.nuauth.stop()
def testExpire(self):
self.assert_(connectClient(self.client))
sleep(self.expiration+DELAY)
self.assert_(self.get_session_not_connected())
def get_session_not_connected(self):
for line in self.client.readlines(total_timeout=TIMEOUT):
if line.lower().find('session not connected') >= 0:
return True
return False
class TestSessionExpire(TestCase):
def setUp(self):
self.expiration = DURATION
self.host = HOST
# Setup session_expire library
nuconfig = NuauthConf()
nuconfig['nuauth_user_session_modify_module'] = '"session_expire"'
nuconfig['nuauth_session_duration'] = str(self.expiration)
# Install temporary user database
self.userdb = PlaintextUserDB()
self.userdb.addUser(PlaintextUser(USERNAME, PASSWORD, 42, 42))
self.userdb.install(nuconfig)
self.acls = PlaintextAcl()
# Start nuauth
self.nuauth = Nuauth(nuconfig)
# Create client
self.client = createClientWithCerts()
def tearDown(self):
self.client.stop()
self.acls.desinstall()
self.nuauth.stop()
def testExpire(self):
self.assert_(connectClient(self.client))
sleep(self.expiration + DELAY)
self.assert_(self.get_session_not_connected())
def get_session_not_connected(self):
for line in self.client.readlines(total_timeout=TIMEOUT):
if line.lower().find('session not connected') >= 0:
return True
return False
class TestTLSClient(TestCase):
def startNuauth(self, dict_args=None):
self.cacert = abspath(config.get("test_cert", "cacert"))
self.nuconfig = NuauthConf()
if dict_args is None:
dict_args = dict()
for key in dict_args.keys():
self.nuconfig[key] = dict_args[key]
self.nuauth = Nuauth(self.nuconfig)
def stopNuauth(self):
self.nuauth.stop()
def tearDown(self):
#self.client.stop()
pass
def testClientFQDNCheck(self):
self.startNuauth()
client1 = createClient(
more_args=["-H", "nuauth.inl.fr", "-A", self.cacert])
client2 = createClient(
more_args=["-H", "localhost", "-A", self.cacert])
self.assert_(connectClient(client1))
self.assert_(not connectClient(client2))
client1.stop()
client2.stop()
self.stopNuauth()
def testClientIgnoreFQDNCheck(self):
self.startNuauth()
client1 = createClient(
more_args=["-H", "nuauth.inl.fr", "-A", self.cacert])
client2 = createClient(
more_args=["-H", "localhost", "-A", self.cacert, "-N"])
self.assert_(connectClient(client1))
self.assert_(connectClient(client2))
client1.stop()
client2.stop()
self.stopNuauth()
def testClientValidCA(self):
self.startNuauth()
client = createClient(more_args=["-A", self.cacert])
self.assert_(connectClient(client))
client.stop()
self.stopNuauth()
def testClientInvalidCA(self):
self.startNuauth()
cacert = config.get("test_cert", "invalid_cacert")
client = createClient(more_args=["-A", cacert])
self.assert_(not connectClient(client))
client.stop()
self.stopNuauth()
def testClientValidCert(self):
args = dict()
args["nuauth_tls_request_cert"] = "2"
self.startNuauth(args)
tls_cert = abspath(config.get("test_cert", "user_cert"))
tls_key = abspath(config.get("test_cert", "user_key"))
client = createClient(
more_args=["-A", self.cacert, "-C", tls_cert, "-K", tls_key])
self.assert_(connectClient(client))
client.stop()
self.stopNuauth()
def testClientInvalidCert(self):
args = dict()
args["nuauth_tls_request_cert"] = "2"
self.startNuauth(args)
cacert = config.get("test_cert", "invalid_cacert")
tls_cert = abspath(config.get("test_cert", "user_invalid_cert"))
tls_key = abspath(config.get("test_cert", "user_invalid_key"))
client = createClient(
more_args=["-A", self.cacert, "-C", tls_cert, "-K", tls_key])
self.assert_(not connectClient(client))
client.stop()
self.stopNuauth()
def testClientRevoked(self):
args = dict()
args["nuauth_tls_request_cert"] = "1"
args["nuauth_tls_crl"] = '"%s"' % abspath(
config.get("test_cert", "crl"))
self.startNuauth(args)
client1 = createClientWithCerts()
self.assert_(connectClient(client1))
tls_cert = abspath(config.get("test_cert", "user_revoked_cert"))
tls_key = abspath(config.get("test_cert", "user_revoked_key"))
client2 = createClient(
more_args=["-A", self.cacert, "-C", tls_cert, "-K", tls_key])
self.assert_(not connectClient(client2))
client1.stop()
client2.stop()
self.stopNuauth()
def testClientExpired(self):
self.startNuauth()
client1 = createClientWithCerts()
self.assert_(connectClient(client1))
tls_cert = abspath(config.get("test_cert", "user_expired_cert"))
tls_key = abspath(config.get("test_cert", "user_expired_key"))
client2 = createClient(
more_args=["-A", self.cacert, "-C", tls_cert, "-K", tls_key])
self.assert_(not connectClient(client2))
client1.stop()
client2.stop()
self.stopNuauth()
def testClientInvalidCRL(self):
args = dict()
args["nuauth_tls_request_cert"] = "2"
self.startNuauth(args)
invalid_crl = abspath(config.get("test_cert", "invalid_crl"))
client = createClient(more_args=[
"-H", "nuauth.inl.fr", "-A", self.cacert, "-R", invalid_crl
])
self.assert_(not connectClient(client))
client.stop()
self.stopNuauth()
class TestTLSNufw(TestCase):
def setUp(self):
self.iptables = Iptables()
self.port = VALID_PORT
self.host = HOST
self.cacert = abspath(config.get("test_cert", "cacert"))
def startNuauth(self, dict_args=None):
self.nuconfig = NuauthConf()
self.nuconfig["nuauth_tls_request_cert"] = "2"
self.nuconfig["nuauth_tls_crl"] = '"%s"' % abspath(
config.get("test_cert", "crl"))
if dict_args is None:
dict_args = dict()
for key in dict_args.keys():
self.nuconfig[key] = dict_args[key]
self.nuauth = Nuauth(self.nuconfig)
def tearDown(self):
self.nuauth.stop()
self.nuconfig.desinstall()
self.iptables.flush()
def connectNuauthNufw(self):
# Open TCP connection just to connect nufw to nuauth
self.iptables.filterTcp(self.port)
connectTcp(HOST, self.port, 0.100)
# nufw side
# "TLS connection to nuauth can NOT be restored"
def testNufwValidCert(self):
self.startNuauth()
self.nufw = startNufw()
self.connectNuauthNufw()
self.assert_(self.nufw_connection_is_established())
self.nufw.stop()
self.nuauth.stop()
def testNufwFQDNCheck(self):
self.startNuauth()
self.nufw = startNufw(["-d", "127.0.0.1"])
self.connectNuauthNufw()
self.assert_(not self.nufw_connection_is_established())
self.nufw.stop()
self.nufw = startNufw(["-d", "nuauth.inl.fr"])
self.connectNuauthNufw()
self.assert_(self.nufw_connection_is_established())
self.nufw.stop()
self.nuauth.stop()
def testNufwIgnoreFQDNCheck(self):
self.startNuauth()
self.nufw = startNufw(["-d", "127.0.0.1"])
self.connectNuauthNufw()
self.assert_(not self.nufw_connection_is_established())
self.nufw.stop()
self.nufw = startNufw(["-d", "127.0.0.1", "-N"])
self.connectNuauthNufw()
self.assert_(self.nufw_connection_is_established())
self.nufw.stop()
self.nuauth.stop()
def get_tls_cert_invalid(self):
for line in self.nufw.readlines(total_timeout=TIMEOUT):
if line.lower().find('certificate verification failed') >= 0:
return True
return False
def testNufwInvalidCA(self):
self.startNuauth()
invalid_cacert = config.get("test_cert", "invalid_cacert")
self.nufw = startNufw(["-a", invalid_cacert])
self.connectNuauthNufw()
self.assert_(self.get_tls_cert_invalid())
self.nufw.stop()
self.nuauth.stop()
# If NuFW does not run under the strict mode, the provided certificates in svn
# will be accepted and the client will be able to authenticate and then be
# accepted by the firewall. This is what we want to check here
def testNotStrictMode(self):
self.startNuauth()
self.nufw = startNufw(["-s"])
self.connectNuauthNufw()
self.assert_(self.nufw_connection_is_established())
self.nufw.stop()
self.nuauth.stop()
def testStrictMode(self):
self.startNuauth()
self.nufw = startNufw()
self.connectNuauthNufw()
self.assert_(self.nufw_connection_is_established())
self.nufw.stop()
self.nuauth.stop()
def nufw_connection_is_established(self):
if self.nufw.is_connected_to_nuauth:
return True
for line in self.nufw.readlines(total_timeout=TIMEOUT):
if line.lower().find("tls connection to nuauth established") >= 0:
return True
if line.lower().find("tls connection to nuauth restored") >= 0:
return True
return False
class TestTLSNufw(TestCase):
def setUp(self):
self.iptables = Iptables()
self.port = VALID_PORT
self.host = HOST
self.cacert = abspath(config.get("test_cert", "cacert"))
def startNuauth(self, dict_args=None):
self.nuconfig = NuauthConf()
self.nuconfig["nuauth_tls_request_cert"] = "2"
self.nuconfig["nuauth_tls_crl"] = '"%s"' % abspath(config.get("test_cert", "crl"))
if dict_args is None:
dict_args = dict()
for key in dict_args.keys():
self.nuconfig[key] = dict_args[key]
self.nuauth = Nuauth(self.nuconfig)
def tearDown(self):
self.nuauth.stop()
self.nuconfig.desinstall()
self.iptables.flush()
def connectNuauthNufw(self):
# Open TCP connection just to connect nufw to nuauth
self.iptables.filterTcp(self.port)
connectTcp(HOST, self.port, 0.100)
# nufw side
# "TLS connection to nuauth can NOT be restored"
def testNufwValidCert(self):
self.startNuauth()
self.nufw = startNufw()
self.connectNuauthNufw()
self.assert_(self.nufw_connection_is_established())
self.nufw.stop()
self.nuauth.stop()
def testNufwFQDNCheck(self):
self.startNuauth()
self.nufw = startNufw(["-d", "127.0.0.1"])
self.connectNuauthNufw()
self.assert_(not self.nufw_connection_is_established())
self.nufw.stop()
self.nufw = startNufw(["-d", "nuauth.inl.fr"])
self.connectNuauthNufw()
self.assert_(self.nufw_connection_is_established())
self.nufw.stop()
self.nuauth.stop()
def testNufwIgnoreFQDNCheck(self):
self.startNuauth()
self.nufw = startNufw(["-d", "127.0.0.1"])
self.connectNuauthNufw()
self.assert_(not self.nufw_connection_is_established())
self.nufw.stop()
self.nufw = startNufw(["-d", "127.0.0.1", "-N"])
self.connectNuauthNufw()
self.assert_(self.nufw_connection_is_established())
self.nufw.stop()
self.nuauth.stop()
def get_tls_cert_invalid(self):
for line in self.nufw.readlines(total_timeout=TIMEOUT):
if line.lower().find("certificate verification failed") >= 0:
return True
return False
def testNufwInvalidCA(self):
self.startNuauth()
invalid_cacert = config.get("test_cert", "invalid_cacert")
self.nufw = startNufw(["-a", invalid_cacert])
self.connectNuauthNufw()
self.assert_(self.get_tls_cert_invalid())
self.nufw.stop()
self.nuauth.stop()
# If NuFW does not run under the strict mode, the provided certificates in svn
# will be accepted and the client will be able to authenticate and then be
# accepted by the firewall. This is what we want to check here
def testNotStrictMode(self):
self.startNuauth()
self.nufw = startNufw(["-s"])
self.connectNuauthNufw()
self.assert_(self.nufw_connection_is_established())
self.nufw.stop()
self.nuauth.stop()
def testStrictMode(self):
self.startNuauth()
self.nufw = startNufw()
self.connectNuauthNufw()
self.assert_(self.nufw_connection_is_established())
self.nufw.stop()
self.nuauth.stop()
def nufw_connection_is_established(self):
if self.nufw.is_connected_to_nuauth:
return True
for line in self.nufw.readlines(total_timeout=TIMEOUT):
if line.lower().find("tls connection to nuauth established") >= 0:
return True
if line.lower().find("tls connection to nuauth restored") >= 0:
return True
return False
class TestTLSClient(TestCase):
def startNuauth(self, dict_args=None):
self.cacert = abspath(config.get("test_cert", "cacert"))
self.nuconfig = NuauthConf()
if dict_args is None:
dict_args = dict()
for key in dict_args.keys():
self.nuconfig[ key ] = dict_args[key]
self.nuauth = Nuauth(self.nuconfig)
def stopNuauth(self):
self.nuauth.stop()
def tearDown(self):
#self.client.stop()
pass
def testClientFQDNCheck(self):
self.startNuauth()
client1 = createClient(more_args=["-H","nuauth.inl.fr","-A", self.cacert])
client2 = createClient(more_args=["-H","localhost","-A", self.cacert])
self.assert_(connectClient(client1))
self.assert_(not connectClient(client2))
client1.stop()
client2.stop()
self.stopNuauth()
def testClientIgnoreFQDNCheck(self):
self.startNuauth()
client1 = createClient(more_args=["-H","nuauth.inl.fr","-A", self.cacert])
client2 = createClient(more_args=["-H","localhost","-A", self.cacert,"-N"])
self.assert_(connectClient(client1))
self.assert_(connectClient(client2))
client1.stop()
client2.stop()
self.stopNuauth()
def testClientValidCA(self):
self.startNuauth()
client = createClient(more_args=["-A", self.cacert])
self.assert_(connectClient(client))
client.stop()
self.stopNuauth()
def testClientInvalidCA(self):
self.startNuauth()
cacert = config.get("test_cert", "invalid_cacert")
client = createClient(more_args=["-A", cacert])
self.assert_(not connectClient(client))
client.stop()
self.stopNuauth()
def testClientValidCert(self):
args = dict()
args["nuauth_tls_request_cert"] = "2"
self.startNuauth(args)
tls_cert = abspath(config.get("test_cert", "user_cert"))
tls_key = abspath(config.get("test_cert", "user_key"))
client = createClient(more_args=["-A", self.cacert,"-C",tls_cert,"-K",tls_key])
self.assert_(connectClient(client))
client.stop()
self.stopNuauth()
def testClientInvalidCert(self):
args = dict()
args["nuauth_tls_request_cert"] = "2"
self.startNuauth(args)
cacert = config.get("test_cert", "invalid_cacert")
tls_cert = abspath(config.get("test_cert", "user_invalid_cert"))
tls_key = abspath(config.get("test_cert", "user_invalid_key"))
client = createClient(more_args=["-A", self.cacert,"-C",tls_cert,"-K",tls_key])
self.assert_(not connectClient(client))
client.stop()
self.stopNuauth()
def testClientRevoked(self):
args = dict()
args["nuauth_tls_request_cert"] = "1"
args["nuauth_tls_crl"] = '"%s"' % abspath(config.get("test_cert", "crl"))
self.startNuauth(args)
client1 = createClientWithCerts()
self.assert_(connectClient(client1))
tls_cert = abspath(config.get("test_cert", "user_revoked_cert"))
tls_key = abspath(config.get("test_cert", "user_revoked_key"))
client2 = createClient(more_args=["-A", self.cacert,"-C",tls_cert,"-K",tls_key])
self.assert_(not connectClient(client2))
client1.stop()
client2.stop()
self.stopNuauth()
def testClientExpired(self):
self.startNuauth()
client1 = createClientWithCerts()
self.assert_(connectClient(client1))
tls_cert = abspath(config.get("test_cert", "user_expired_cert"))
tls_key = abspath(config.get("test_cert", "user_expired_key"))
client2 = createClient(more_args=["-A", self.cacert,"-C",tls_cert,"-K",tls_key])
self.assert_(not connectClient(client2))
client1.stop()
client2.stop()
self.stopNuauth()
def testClientInvalidCRL(self):
args = dict()
args["nuauth_tls_request_cert"] = "2"
self.startNuauth(args)
invalid_crl = abspath(config.get("test_cert", "invalid_crl"))
client = createClient(more_args=["-H","nuauth.inl.fr","-A",self.cacert,"-R",invalid_crl])
self.assert_(not connectClient(client))
client.stop()
self.stopNuauth()
class TestTLSNuauth(TestCase):
def startNuauth(self, dict_args=None):
self.cacert = config.get("test_cert", "cacert")
self.nuconfig = NuauthConf()
self.nuconfig["nuauth_tls_request_cert"] = "2"
self.nuconfig["nuauth_tls_crl"] = '"%s"' % abspath(config.get("test_cert", "crl"))
if dict_args is None:
dict_args = dict()
for key in dict_args.keys():
self.nuconfig[ key ] = dict_args[key]
self.nuauth = Nuauth(self.nuconfig)
def stopNuauth(self):
self.nuauth.stop()
def tearDown(self):
#self.client.stop()
pass
def testNuauthValidCA(self):
self.startNuauth()
self.client = createClientWithCerts()
self.assert_(connectClient(self.client))
self.client.stop()
self.stopNuauth()
def testNuauthInvalidCA(self):
cacert = abspath(config.get("test_cert", "invalid_cacert"))
args = dict()
args["nuauth_tls_cacert"] = "'%s'" % cacert
# we must disable CRL for this one, else nuauth fails with an
# error (CRL is not issued by CA)
args["nuauth_tls_crl"] = None
self.startNuauth(args)
self.client = createClientWithCerts()
self.assert_(not connectClient(self.client))
self.client.stop()
self.stopNuauth()
def testNuauthRevoked(self):
args = dict()
args["nuauth_tls_key"] = '"%s"' % abspath(config.get("test_cert", "user_revoked_key"))
args["nuauth_tls_cert"] = '"%s"' % abspath(config.get("test_cert", "user_revoked_cert"))
self.startNuauth(args)
self.client = createClient(more_args=["-H","nuauth.inl.fr","-A",self.cacert,"-R",abspath("./pki/crl.pem")])
self.assert_(not connectClient(self.client))
self.client.stop()
self.stopNuauth()
def testNuauthExpired(self):
args = dict()
args["nuauth_tls_key"] = '"%s"' % abspath(config.get("test_cert", "user_expired_key"))
args["nuauth_tls_cert"] = '"%s"' % abspath(config.get("test_cert", "user_expired_cert"))
self.startNuauth(args)
self.client = createClient(more_args=["-H","nuauth.inl.fr","-A",self.cacert])
self.assert_(not connectClient(self.client))
self.client.stop()
self.client = createClient(more_args=["-H","nuauth.inl.fr","-Q"])
self.assert_(not connectClient(self.client))
self.client.stop()
self.stopNuauth()
def testNuauthInvalidCRL(self):
args = dict()
args["nuauth_tls_request_cert"] = "2"
args["nuauth_tls_crl"] = '"%s"' % abspath(config.get("test_cert", "invalid_crl"))
mytest = False
try:
self.startNuauth(args)
except:
mytest = True
self.assert_(mytest)
if not mytest:
self.stopNuauth()
class TestClientCert(TestCase):
def setUp(self):
self.iptables = Iptables()
self.port = VALID_PORT
self.host = HOST
self.cacert = config.get("test_cert", "cacert")
self.nuconfig = NuauthConf()
self.nuconfig["nuauth_tls_auth_by_cert"] = "0"
self.nuauth = Nuauth(self.nuconfig)
def tearDown(self):
self.nuauth.stop()
self.nuconfig.desinstall()
self.iptables.flush()
def connectNuauthNufw(self):
# Open TCP connection just to connect nufw to nuauth
self.iptables.filterTcp(self.port)
connectTcp(HOST, self.port, 0.100)
# nufw side
# "TLS connection to nuauth can NOT be restored"
def testValidCert(self):
self.nufw = startNufw()
self.connectNuauthNufw()
self.assert_(self.nufw_connection_is_established())
self.nufw.stop()
def get_tls_cert_invalid(self):
for line in self.nufw.readlines(total_timeout=TIMEOUT):
if line.lower().find('certificate verification failed') >= 0:
return True
return False
def testInvalidCert(self):
invalid_cacert = config.get("test_cert", "invalid_cacert")
self.nufw = startNufw(["-a", invalid_cacert])
self.connectNuauthNufw()
self.assert_(self.get_tls_cert_invalid())
self.nufw.stop()
# If NuFW does not run under the strict mode, the provided certificates in svn
# will be accepted and the client will be able to authenticate and then be
# accepted by the firewall. This is what we want to check here
def testNotStrictMode(self):
self.nufw = startNufw(["-s"])
self.connectNuauthNufw()
self.assert_(self.nufw_connection_is_established())
self.nufw.stop()
def testStrictMode(self):
self.nufw = startNufw(["-d","127.0.0.1"])
self.connectNuauthNufw()
self.assert_(not self.nufw_connection_is_established())
self.nufw.stop()
def nufw_connection_is_established(self):
if self.nufw.is_connected_to_nuauth:
return True
for line in self.nufw.readlines(total_timeout=TIMEOUT):
if line.lower().find("tls connection to nuauth established") >= 0:
return True
if line.lower().find("tls connection to nuauth restored") >= 0:
return True
return False
class MysqlLog(TestCase):
def setUp(self):
startNufw(["-s"])
config = NuauthConf()
config["nuauth_log_users"] = '9'
config["mysql_prefix_version"] = '1'
if POSTGRESQL:
config.need_restart = True
self.conn = pgdb.connect(
host=DB_SERVER,
user=DB_USER,
password=DB_PASSWORD,
database=DB_DBNAME)
config["nuauth_user_logs_module"] = '"pgsql"'
config["nuauth_user_session_logs_module"] = '"pgsql"'
else:
self.conn = MySQLdb.Connect(
host=DB_SERVER,
user=DB_USER,
passwd=DB_PASSWORD,
db=DB_DBNAME)
config["nuauth_user_logs_module"] = '"mysql"'
config["nuauth_user_session_logs_module"] = '"mysql"'
self.users = USERDB
self.user = self.users[0]
self.acls = PlaintextAcl()
self.acls.addAcl("web", VALID_PORT, self.user.gid, log_prefix=LOG_PREFIX)
self.users.install(config)
self.acls.install(config)
self.nuauth = Nuauth(config)
self.start_time = int(time()-1.1)
def query(self, sql):
if POSTGRESQL:
prefix = "PostgreSQL"
else:
prefix = "MySQL"
info("%s query: %s" % (prefix, sql))
cursor = self.conn.cursor()
cursor.execute(sql)
info("%s result: %s rows" % (prefix, cursor.rowcount))
return cursor
def fetchone(self, cursor):
row = cursor.fetchone()
if POSTGRESQL:
info("PostgreSQL fetchone(): %s" % repr(row))
else:
info("MySQL fetchone(): %s" % repr(row))
return row
def tearDown(self):
# Stop nuauth
self.nuauth.stop()
self.conn.close()
self.users.desinstall()
self.acls.desinstall()
def _login(self, sql):
# Client login
client = self.user.createClientWithCerts()
self.assert_(connectClient(client))
# Check number of rows
for when in retry(timeout=QUERY_TIMEOUT):
cursor = self.query(sql)
for line in self.nuauth.readlines():
pass
if cursor.rowcount:
break
self.assertEqual(cursor.rowcount, 1)
# Read row columns
(ip_saddr, user_id, username, os_sysname,
os_release, os_version, end_time) = self.fetchone(cursor)
if not POSTGRESQL:
ip_saddr = ntohl(ip_saddr) & 0xFFFFFFFF
# Check values
self.assertEqual(IP(ip_saddr), client.ip)
self.assertEqual(user_id, self.user.uid)
self.assertEqual(username, client.username)
self.assertEqual(os_sysname, OS_SYSNAME)
self.assertEqual(os_release, OS_RELEASE)
self.assertEqual(os_version, OS_VERSION)
return client
def _logout(self, sql, client):
# Client logout
# Use datetime.fromtimestamp() with int(time()) to have microsecond=0
logout_before = datetime_before()
client.stop()
for when in retry(timeout=QUERY_TIMEOUT):
# Get last MySQL row
cursor = self.query(sql)
# Check number of rows
if not cursor.rowcount:
continue
self.assertEqual(cursor.rowcount, 1)
# Read row columns
(ip_saddr, user_id, username, os_sysname,
os_release, os_version, end_time) = self.fetchone(cursor)
if not end_time:
continue
break
# Check values
if not POSTGRESQL:
# FIXME: Convert string to datetime for PostgreSQL
logout_after = datetime_after()
self.assert_(logout_before <= end_time <= logout_after)
class MysqlLog(TestCase):
def setUp(self):
startNufw(["-s"])
config = NuauthConf()
config["nuauth_log_users"] = '9'
config["mysql_prefix_version"] = '1'
if POSTGRESQL:
config.need_restart = True
self.conn = pgdb.connect(host=DB_SERVER,
user=DB_USER,
password=DB_PASSWORD,
database=DB_DBNAME)
config["nuauth_user_logs_module"] = '"pgsql"'
config["nuauth_user_session_logs_module"] = '"pgsql"'
else:
self.conn = MySQLdb.Connect(host=DB_SERVER,
user=DB_USER,
passwd=DB_PASSWORD,
db=DB_DBNAME)
config["nuauth_user_logs_module"] = '"mysql"'
config["nuauth_user_session_logs_module"] = '"mysql"'
self.users = USERDB
self.user = self.users[0]
self.acls = PlaintextAcl()
self.acls.addAcl("web",
VALID_PORT,
self.user.gid,
log_prefix=LOG_PREFIX)
self.users.install(config)
self.acls.install(config)
self.nuauth = Nuauth(config)
self.start_time = int(time() - 1.1)
def query(self, sql):
if POSTGRESQL:
prefix = "PostgreSQL"
else:
prefix = "MySQL"
info("%s query: %s" % (prefix, sql))
cursor = self.conn.cursor()
cursor.execute(sql)
info("%s result: %s rows" % (prefix, cursor.rowcount))
return cursor
def fetchone(self, cursor):
row = cursor.fetchone()
if POSTGRESQL:
info("PostgreSQL fetchone(): %s" % repr(row))
else:
info("MySQL fetchone(): %s" % repr(row))
return row
def tearDown(self):
# Stop nuauth
self.nuauth.stop()
self.conn.close()
self.users.desinstall()
self.acls.desinstall()
def _login(self, sql):
# Client login
client = self.user.createClientWithCerts()
self.assert_(connectClient(client))
# Check number of rows
for when in retry(timeout=QUERY_TIMEOUT):
cursor = self.query(sql)
for line in self.nuauth.readlines():
pass
if cursor.rowcount:
break
self.assertEqual(cursor.rowcount, 1)
# Read row columns
(ip_saddr, user_id, username, os_sysname, os_release, os_version,
end_time) = self.fetchone(cursor)
if not POSTGRESQL:
ip_saddr = ntohl(ip_saddr) & 0xFFFFFFFF
# Check values
self.assertEqual(IP(ip_saddr), client.ip)
self.assertEqual(user_id, self.user.uid)
self.assertEqual(username, client.username)
self.assertEqual(os_sysname, OS_SYSNAME)
self.assertEqual(os_release, OS_RELEASE)
self.assertEqual(os_version, OS_VERSION)
return client
def _logout(self, sql, client):
# Client logout
# Use datetime.fromtimestamp() with int(time()) to have microsecond=0
logout_before = datetime_before()
client.stop()
for when in retry(timeout=QUERY_TIMEOUT):
# Get last MySQL row
cursor = self.query(sql)
# Check number of rows
if not cursor.rowcount:
continue
self.assertEqual(cursor.rowcount, 1)
# Read row columns
(ip_saddr, user_id, username, os_sysname, os_release, os_version,
end_time) = self.fetchone(cursor)
if not end_time:
continue
break
# Check values
if not POSTGRESQL:
# FIXME: Convert string to datetime for PostgreSQL
logout_after = datetime_after()
self.assert_(logout_before <= end_time <= logout_after)
