def test_auth_unavailable_server_name(self):
ra = RadiusAuth("thisdoesnotexistandshouldnotresolve.net", self.secret, self.identifier)
result = ra.authenticate(self.username, self.password, update_user_info=False)
self.assertFalse(result)
def test_auth_bad_server_name(self):
ra = RadiusAuth("thisisnotavalid/hostname.net", self.secret, self.identifier)
result = ra.authenticate(self.username, self.password, update_user_info=False)
self.assertFalse(result)
def test_auth_backup(self):
ra = RadiusAuth("127.0.0.1", b"invalid_password", self.identifier, backup_server=self.server, backup_server_secret=self.secret)
result = ra.authenticate(self.username, self.password, update_user_info=False)
self.assertTrue(result)
def test_auth_auth_info_roles_override_caps_insensitive(self):
roles = ["admin", "power", "can_delete"]
roles_map_file_path = self.write_auth_csv(self.username.upper(), roles)
try:
ra = RadiusAuth(self.server, self.secret, self.identifier, vendor_code=self.vendor_code, roles_attribute_id=self.roles_attribute_id)
result = ra.authenticate(self.username, self.password, update_user_info=True, directory=self.tmp_dir, roles_map_file_path=roles_map_file_path)
self.assertTrue(result)
users = UserInfo.getAllUsers(self.tmp_dir)
self.assertEqual(len(users), 1)
# Get the user
user = users[0]
self.assertTrue(user.username, self.username)
# Make sure the roles exist:
if 'can_delete' not in user.roles:
self.fail("can_delete not in the roles (%s)" % (user.roles))
if 'admin' not in user.roles:
self.fail("admin not in the roles (%s)" % (user.roles))
if 'power' not in user.roles:
self.fail("power not in the roles (%s)" % (user.roles))
self.assertEqual(len(user.roles), 3)
finally:
os.remove(roles_map_file_path)
def test_auth_backup_no_backup_password(self):
# The script should use the secret from the primary server if the password for the backup server is blank
ra = RadiusAuth("127.0.0.1", self.secret, self.identifier, backup_server=self.server, backup_server_secret=None)
result = ra.authenticate(self.username, self.password, update_user_info=False)
self.assertTrue(result)
def test_auth_nologin(self):
# Write out a roles map with 'nologin' for the user
roles = ["admin", "power", "nologin"]
roles_map_file_path = self.write_auth_csv(self.username, roles)
try:
# Try authentication
ra = RadiusAuth(self.server, self.secret, self.identifier, self.roles_key, vendor_code=self.vendor_code, roles_attribute_id=self.roles_attribute_id)
result = ra.authenticate(self.username, self.password, update_user_info=True, directory=self.tmp_dir, roles_map_file_path=roles_map_file_path)
self.assertFalse(result)
users = UserInfo.getAllUsers(self.tmp_dir)
self.assertEqual(len(users), 1)
# Get the user
user = users[0]
self.assertEqual(user.username, bytesToString(self.username))
# Make sure the nologin role exists:
if 'nologin' not in user.roles:
self.fail("nologin not in the roles (%s)" % (user.roles))
finally:
os.remove(roles_map_file_path)
def test_auth_invalid_password(self):
ra = RadiusAuth(self.server, self.secret, self.identifier)
result = ra.authenticate(self.username, "changeme", update_user_info=False)
self.assertFalse(result)
def test_auth_auth_info_junk_in_dir(self):
with open(os.path.join(self.tmp_dir, "some_junk.csv"), "w") as junk_file:
# Write out some junk in the directory and see if it handled well (we will write a CSV since it isn't valid JSON)
junk_file.write("This is just some stuff that isn't valid JSON")
# Now, proceed with the authentication attempt and make sure the correct result occurs
ra = RadiusAuth(self.server, self.secret, self.identifier, vendor_code=self.vendor_code, roles_attribute_id=self.roles_attribute_id)
result = ra.authenticate(self.username, self.password, update_user_info=True, directory=self.tmp_dir)
self.assertTrue(result)
users = UserInfo.getAllUsers(self.tmp_dir)
self.assertEqual(len(users), 1)
# Get the user
user = users[0]
self.assertEqual(stringToBytes(user.username), self.username)
# Make sure the roles exist:
if 'can_delete' not in user.roles:
self.fail("can_delete not in the roles (%s)" % (user.roles))
if 'admin' not in user.roles:
self.fail("admin not in the roles (%s)" % (user.roles))
def test_auth_invalid_username(self):
ra = RadiusAuth(self.server, self.secret, self.identifier)
result = ra.authenticate("not_real", self.password, update_user_info=False)
self.assertFalse(result)
def test_auth_valid(self):
ra = RadiusAuth(self.server, self.secret, self.identifier)
result = ra.authenticate(self.username, self.password, update_user_info=False)
self.assertTrue(result)
def test_auth_auth_info_custom_roles_key(self):
ra = RadiusAuth(self.server, self.secret, self.identifier, roles_key="(28, 15)")
result = ra.authenticate(self.username, self.password, update_user_info=True, directory=self.tmp_dir)
self.assertTrue(result)
users = UserInfo.getAllUsers(self.tmp_dir)
self.assertEqual(len(users), 1)
# Get the user
user = users[0]
self.assertTrue(user.username, self.username)
# Make sure the roles list is empty (since we entered a roles key that doesn't match the one used by the server and is therefore invalid)
self.assertEqual(user.roles, [])
def testSettings(self, server, secret, identifier, username, password):
"""
Try to perform an authentication attempt and return a boolean indicating if the user account could be authenticated.
Arguments:
server -- The RADIUS server to authenticate to
secret -- The secret to use when logging into the Radius server
identifier -- The identifier of the source doing the authentication (can be none)
username -- The user account to test
password -- The password for the user account to use
"""
ra = RadiusAuth(server, secret, identifier)
try:
return ra.authenticate(username, password, False)
except pyrad.client.Timeout:
return False
def test_auth_auth_info_default_roles(self):
expected_roles=["manager", "analyst"]
# Authenticate using an invalid roles key so that we use the default roles, not the one provided by the server
ra = RadiusAuth(self.server, self.secret, self.identifier, roles_key="(28, 15)", default_roles=expected_roles)
result = ra.authenticate(self.username, self.password, update_user_info=True, directory=self.tmp_dir)
self.assertTrue(result)
users = UserInfo.getAllUsers(self.tmp_dir)
self.assertEqual(len(users), 1)
# Get the user
user = users[0]
self.assertTrue(user.username, self.username)
self.assertEqual(sorted(user.roles), sorted(expected_roles))
def test_auth_auth_info(self):
ra = RadiusAuth(self.server, self.secret, self.identifier, vendor_code = self.vendor_code, roles_attribute_id=self.roles_attribute_id)
result = ra.authenticate(self.username, self.password, update_user_info=True, directory=self.tmp_dir)
self.assertTrue(result)
users = UserInfo.getAllUsers(self.tmp_dir)
self.assertEqual(len(users), 1)
# Get the user
user = users[0]
self.assertTrue(user.username, self.username)
# Make sure the roles exist:
if 'can_delete' not in user.roles:
self.fail("can_delete not in the roles (%s)" % (user.roles))
if 'admin' not in user.roles:
self.fail("admin not in the roles (%s)" % (user.roles))
def test_auth_auth_info_roles_override(self):
"""
This ensures that the CSV file containing the overrides for the roles is correctly loaded and used.
This tests the underlying functions getRolesFromLookup() and loadRolesMap()
"""
roles = ["admin", "power", "can_delete"]
roles_map_file_path = self.write_auth_csv(self.username, roles)
try:
ra = RadiusAuth(self.server, self.secret, self.identifier, vendor_code=self.vendor_code, roles_attribute_id=self.roles_attribute_id)
result = ra.authenticate(self.username, self.password, update_user_info=True, directory=self.tmp_dir, roles_map_file_path=roles_map_file_path)
self.assertTrue(result)
users = UserInfo.getAllUsers(self.tmp_dir)
self.assertEqual(len(users), 1)
# Get the user
user = users[0]
self.assertTrue(user.username, self.username)
# Make sure the roles exist:
if 'can_delete' not in user.roles:
self.fail("can_delete not in the roles (%s)" % (user.roles))
if 'admin' not in user.roles:
self.fail("admin not in the roles (%s)" % (user.roles))
if 'power' not in user.roles:
self.fail("power not in the roles (%s)" % (user.roles))
self.assertEqual(len(user.roles), 3)
finally:
os.remove(roles_map_file_path)
