def test_authorize_lesser_priv_lvl(fake_socket, packets):
    """A reply granting a lower privilege level than requested is not valid.

    The client asks for TAC_PLUS_PRIV_LVL_MAX; the canned reply served by the
    fake socket grants a lower level (the assertion message records 1 < 15),
    so ``reply.valid`` must be False rather than silently accepted.
    """
    requested_args = [b"service=shell", b"cmd=show", b"cmdargs=version"]
    tac = TACACSClient('127.0.0.1', 49, None, session_id=12345)
    # Swap the real socket for the fixture so no network traffic occurs.
    tac._sock = fake_socket
    reply = tac.authorize(
        'username',
        arguments=requested_args,
        authen_type=TAC_PLUS_AUTHEN_TYPE_PAP,
        priv_lvl=TAC_PLUS_PRIV_LVL_MAX,
    )
    assert not reply.valid, "the privilege level sent by the server is less than the requested one (1 < 15)"
def test_authorize_ascii(fake_socket, packets):
    """An ASCII authorization request is valid and serialises as expected.

    After the call, the bytes the client wrote to the fake socket are read
    back: a 12-byte header whose version is 12.0, followed by a body that
    must equal a freshly packed TACACSAuthorizationStart with the same
    fields (TACACS+ method, minimum privilege level, ASCII authen type).
    """
    av_pairs = [b"service=shell", b"cmd=show", b"cmdargs=version"]
    tac = TACACSClient('127.0.0.1', 49, None, session_id=12345)
    # Swap the real socket for the fixture so no network traffic occurs.
    tac._sock = fake_socket

    reply = tac.authorize('username', arguments=av_pairs)
    assert reply.valid

    # Rewind the captured stream and parse what the client actually sent.
    wire = fake_socket.buff
    wire.seek(0)
    header = TACACSHeader.unpacked(wire.read(12))
    assert (header.version_max, header.version_min) == (12, 0)

    body = wire.read(header.length)
    expected = TACACSAuthorizationStart(
        'username',
        TAC_PLUS_AUTHEN_METH_TACACSPLUS,
        TAC_PLUS_PRIV_LVL_MIN,
        TAC_PLUS_AUTHEN_TYPE_ASCII,
        list(av_pairs),
    )
    assert expected.packed == body
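def get_av_pair(arguments, key, default=None):
    """Return the value of the first ``key=value`` pair in *arguments*.

    Args:
        arguments: iterable of TACACS+ attribute-value entries of the form
            ``"attr=value"``. Entries may be ``str`` or ``bytes``; the
            separator is chosen to match the entry's own type.
        key: attribute name to look for (same type as the entries).
        default: value returned when no entry carries attribute *key*.

    Returns:
        The value part of the first matching entry — everything after the
        first ``=``, so values that themselves contain ``=`` are kept intact
        (the original ``split("=")[1]`` truncated them) — or *default* when
        the attribute is absent.
    """
    for av in arguments:
        sep = b"=" if isinstance(av, bytes) else "="
        attr, found, value = av.partition(sep)
        # Entries with no "=" (including the optional "attr*value" form the
        # protocol also allows, which was never matched here) are skipped
        # instead of raising IndexError on a missing second field.
        if found and attr == key:
            return value
    return default


# Script body: authenticate the credentials held in ``token`` (defined
# outside this snippet — presumably (username, password); confirm against
# the caller) and print one accept/reject line for the consumer.
# The server address and shared secret are hard-coded in this example.
cli = TACACSClient('localhost', 49, 'testing123', timeout=10, family=socket.AF_INET)
authen = cli.authenticate(token[0], token[1])
if authen.valid:
    auth = cli.authorize(token[0], arguments=["service=tailf"])
    groups = get_av_pair(auth.arguments, key="groups")
    # Require a passing authorization status as well as the "groups"
    # attribute: the original decided on the attribute alone, so a reply
    # that was not a pass but still carried "groups" would have been accepted.
    if auth.valid and groups is not None:
        uid = get_av_pair(auth.arguments, key="uid", default=9000)
        gid = get_av_pair(auth.arguments, key="gid", default=100)
        # NOTE(review): the username is interpolated into a filesystem path
        # without validation; whatever consumes this line should not assume
        # it is a plain directory name.
        home = "/var/confd/homes/{}".format(token[0])
        print("accept {} {} {} {}".format(groups, uid, gid, home))
    else:
        print(
            "reject Cannot retrieve groups AV pair (tailf service) for user {}"
            .format(token[0]))
else:
    print("reject")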