def test_trivial_subnet_allow(self):
bouncer = self.get_bouncer({'allow': ['62.121.66.0/24']})
keycard = keycards.KeycardGeneric()
keycard.username = '******'
keycard.password = '******'
keycard.address = '62.121.66.134'
d = self.check_auth(keycard, bouncer, True)
keycard = keycards.KeycardGeneric()
keycard.username = '******'
keycard.password = '******'
keycard.address = '62.121.66.3'
d.addCallback(lambda _: self.check_auth(keycard, bouncer, True))
keycard = keycards.KeycardGeneric()
keycard.username = '******'
keycard.password = '******'
keycard.address = '62.121.66.253'
d.addCallback(lambda _: self.check_auth(keycard, bouncer, True))
keycard = keycards.KeycardGeneric()
keycard.username = '******'
keycard.password = '******'
keycard.address = '62.121.65.12'
d.addCallback(lambda _: self.check_auth(keycard, bouncer, False))
return self.stop_bouncer(bouncer, d)
def test_subnet_allow_and_deny(self):
bouncer = self.get_bouncer({
'deny': ['62.121.66.0/24'],
'allow': ['62.121.0.0/16', '62.122.66.134/32']
})
keycard = keycards.KeycardGeneric()
keycard.username = '******'
keycard.password = '******'
keycard.address = '62.121.66.134'
d = self.check_auth(keycard, bouncer, False)
keycard = keycards.KeycardGeneric()
keycard.username = '******'
keycard.password = '******'
keycard.address = '62.121.65.134'
d.addCallback(lambda _: self.check_auth(keycard, bouncer, True))
keycard = keycards.KeycardGeneric()
keycard.username = '******'
keycard.password = '******'
keycard.address = '62.122.66.134'
d.addCallback(lambda _: self.check_auth(keycard, bouncer, True))
keycard = keycards.KeycardGeneric()
keycard.username = '******'
keycard.password = '******'
keycard.address = '62.123.66.134'
d.addCallback(lambda _: self.check_auth(keycard, bouncer, False))
return self.stop_bouncer(bouncer, d)
def notestUACPCCWrongPassword(self):
factory = pb.FPBClientFactory()
# create
keycard = keycards.KeycardGeneric()
keycard.username = '******'
keycard.address = '127.0.0.1'
# send
d = factory.login(keycard, 'MIND')
c = reactor.connectTCP("127.0.0.1", self.portno, factory)
def uacpccWrongPasswordCallback(keycard):
self.assertEquals(keycard.state, keycards.REQUESTING)
# respond to challenge
keycard.setPassword('wrongpass')
d = factory.login(keycard, 'MIND')
def uacpccWrongPasswordErrback(failure):
# find copied failure
self.failUnless(
failure.check(
"flumotion.common.errors.NotAuthenticatedError"))
return self.clientDisconnect(factory, None)
d.addErrback(uacpccWrongPasswordErrback)
return d
d.addCallback(uacpccWrongPasswordCallback)
return d
def testApprovedTZFromEnvironmentWithFloating(self):
def _restoreTZEnv(result, oldTZ):
if oldTZ is None:
del os.environ['TZ']
else:
os.environ['TZ'] = oldTZ
time.tzset()
eventcalendar.tz.LOCAL = tz.LocalTimezone()
return result
new_end_naive = self.half_an_hour_ago.replace(tzinfo=None)
oldTZ = os.environ.get('TZ', None)
os.environ['TZ'] = 'US/Pacific'
time.tzset()
eventcalendar.tz.LOCAL = tz.LocalTimezone()
data = self.ical_from_specs('', self.half_an_hour_ago,
'', new_end_naive)
self.bouncer = self.bouncer_from_ical(data)
keycard = keycards.KeycardGeneric()
d = defer.maybeDeferred(self.bouncer.authenticate, keycard)
d.addCallback(self._approved_callback)
d.addBoth(_restoreTZEnv, oldTZ)
return d
def check_bouncer(self, component, ctype):
def authenticate(result):
self.authenticate = result
def noauthenticate(result):
util.critical('Error: %s' % result)
reactor.stop()
def success(result):
self.enabled = result # True or False from bouncer status
def failure(result):
util.critical('Error: %s' % result)
reactor.stop()
# Read config and get correct properties for each bouncers
k = keycards.KeycardGeneric()
e = self.model.callRemote('componentCallRemote', component,
'getEnabled')
e.addErrback(failure)
e.addCallback(success)
f = self.model.callRemote('componentCallRemote', component,
'authenticate', k)
f.addErrback(noauthenticate)
f.addCallback(authenticate)
def testAuthentication(self):
k = keycards.KeycardGeneric()
self.assertEquals(k.state, keycards.REQUESTING)
d = self.obj.authenticate(k)
d.addCallback(self.assertAttr, 'state', keycards.AUTHENTICATED)
return d
def notestUACPCCTamperWithChallenge(self):
factory = pb.FPBClientFactory()
# create
keycard = keycards.KeycardGeneric()
keycard.username = '******'
keycard.address = '127.0.0.1'
self.assert_(keycard)
self.assertEquals(keycard.state, keycards.REQUESTING)
# send
d = factory.login(keycard, 'MIND')
c = reactor.connectTCP("127.0.0.1", self.portno, factory)
def uacpccTamperCallback(keycard):
self.assertEquals(keycard.state, keycards.REQUESTING)
# mess with challenge, respond to challenge and resubmit
keycard.challenge = "I am a h4x0r"
keycard.setPassword('test')
d = factory.login(keycard, 'MIND')
def uacpccTamperErrback(failure):
# find copied failure
self.failUnless(
failure.check(
"flumotion.common.errors.NotAuthenticatedError"))
return self.clientDisconnect(factory, None)
d.addErrback(uacpccTamperErrback)
return d
d.addCallback(uacpccTamperCallback)
return d
def test_trivial_deny_allow_default(self):
bouncer = self.get_bouncer({
'deny-default': False,
'deny': ['62.121.66.134/32']
})
keycard = keycards.KeycardGeneric()
keycard.username = '******'
keycard.password = '******'
keycard.address = '62.121.66.134'
d = self.check_auth(keycard, bouncer, False)
keycard = keycards.KeycardGeneric()
keycard.username = '******'
keycard.password = '******'
keycard.address = '62.121.66.135'
d.addCallback(lambda _: self.check_auth(keycard, bouncer, True))
return self.stop_bouncer(bouncer, d)
def test_trivial_deny(self):
bouncer = self.get_bouncer({'deny': ['62.121.66.134/32']})
keycard = keycards.KeycardGeneric()
keycard.username = '******'
keycard.password = '******'
keycard.address = '62.121.66.134'
d = self.check_auth(keycard, bouncer, False)
return self.stop_bouncer(bouncer, d)
def testApprovedUTC(self):
data = self.ical_from_specs('', self.a_day_ago,
'', self.in_half_an_hour)
self.bouncer = self.bouncer_from_ical(data)
keycard = keycards.KeycardGeneric()
d = defer.maybeDeferred(self.bouncer.authenticate, keycard)
d.addCallback(self._approved_callback)
return d
def testInit(self):
keycard = keycards.KeycardGeneric()
keycard.username = '******'
self.assertEquals(keycard.state, keycards.REQUESTING)
d = keycard.getData()
self.assertEquals(d['username'], 'username')
repr(keycard)
def remote_getKeycard(self):
if not self.keycard:
keycard = keycards.KeycardGeneric()
keycard.username = '******'
keycard.password = '******'
keycard.address = '127.0.0.1'
#print "Worker keycard %r, id: %d" % (keycard, id(keycard))
self.keycard = keycard
return self.keycard
def testTimeoutAlgorithm(self):
# the plan: make a keycard that expires in 0.75 seconds, and
# set up the component such that it checks for expired keycards
# every half second. this test will check the keycard's
# ttl value at 0.25 seconds and 0.75 seconds, and will
# make sure that at 1.25 seconds that the keycard is out of the
# bouncer.
# check for expired keycards every half a second
self.setKeycardExpireInterval(0.5)
def checkTimeout(k):
def check(expected, inBouncer, furtherChecks):
if k.ttl != expected:
d.errback(
AssertionError('ttl %r != expected %r' %
(k.ttl, expected)))
return
if inBouncer:
if not self.obj.hasKeycard(k):
d.errback(AssertionError('comp missing keycard'))
return
else:
if self.obj.hasKeycard(k):
d.errback(
AssertionError('comp unexpectedly has keycard'))
return
if furtherChecks:
args = furtherChecks.pop(0)
args += (furtherChecks, )
reactor.callLater(*args)
else:
d.callback('success')
reactor.callLater(0.25, check, 0.75, True,
[(0.5, check, 0.25, True),
(0.5, check, -0.25, False)])
d = defer.Deferred()
return d
def checkCalls(res):
self.assertEquals(self.medium.calls,
[('expireKeycard', (k.requesterId, k.id), {})])
return res
k = keycards.KeycardGeneric()
k.ttl = 0.75
self.assertEquals(k.state, keycards.REQUESTING)
d = self.obj.authenticate(k)
d.addCallback(self.assertAttr, 'state', keycards.AUTHENTICATED)
d.addCallback(self.assertAttr, 'ttl', 0.75)
d.addCallback(checkTimeout)
d.addCallback(checkCalls)
return d
def testApprovedBothTZID(self):
new_start = self.half_an_hour_ago.astimezone(self.beijing_tz)
naive_new_start = new_start.replace(tzinfo=None)
new_end = self.in_half_an_hour.astimezone(self.guatemala_tz)
naive_new_end = new_end.replace(tzinfo=None)
data = self.ical_from_specs(';TZID=Asia/Shanghai', naive_new_start,
';TZID=America/Guatemala', naive_new_end)
self.bouncer = self.bouncer_from_ical(data)
keycard = keycards.KeycardGeneric()
d = defer.maybeDeferred(self.bouncer.authenticate, keycard)
d.addCallback(self._approved_callback)
return d
def testDeniedUTCAndFloating(self):
new_start = self.a_day_ago.astimezone(tz.LOCAL)
new_start_naive = new_start.replace(tzinfo=None)
data = self.ical_from_specs('', new_start_naive,
'', self.half_an_hour_ago)
self.bouncer = self.bouncer_from_ical(data)
keycard = keycards.KeycardGeneric()
d = defer.maybeDeferred(self.bouncer.authenticate, keycard)
d.addCallback(self._denied_callback)
return d
def testDeniedTZID(self):
new_end = self.half_an_hour_ago.astimezone(self.beijing_tz)
naive_new_end = new_end.replace(tzinfo=None)
data = self.ical_from_specs('', self.a_day_ago,
';TZID=Asia/Shanghai', naive_new_end)
self.bouncer = self.bouncer_from_ical(data)
keycard = keycards.KeycardGeneric()
d = defer.maybeDeferred(self.bouncer.authenticate, keycard)
d.addCallback(self._denied_callback)
return d
def testInit(self):
keycard = keycards.KeycardGeneric()
keycard.token = 'token'
keycard.address = '127.0.0.1'
self.assertEquals(keycard.state, keycards.REQUESTING)
#self.failUnless(credentials.IToken.providedBy(keycard))
d = keycard.getData()
self.assertEquals(d['token'], 'token')
self.assertEquals(d['address'], '127.0.0.1')
repr(keycard)
def testAutoExpire(self):
def authenticated(_):
self.assertAttr(k, 'state', keycards.REFUSED)
self.assertAttr(k, 'ttl', 0)
self.failIf(self.obj.hasKeycard(k))
self.assertEquals(self.medium.calls, [])
k = keycards.KeycardGeneric()
k.ttl = 0
self.assertEquals(k.state, keycards.REQUESTING)
d = self.obj.authenticate(k)
d.addCallback(authenticated)
return d
def testRevoke(self):
data = self.ical_from_specs('', self.now,
'', self.in_half_an_hour)
self.bouncer = self.bouncer_from_ical(data)
keycard = keycards.KeycardGeneric()
self.bouncer.authenticate(keycard)
data = self.ical_from_specs('', self.a_day_ago,
'', self.half_an_hour_ago)
calendar = self._getCalendarFromString(data)
self.bouncer.get_main_algorithm().iCalScheduler.setCalendar(calendar)
self.failIf(self.bouncer.hasKeycard(keycard))
def issue(self, request):
keycard = keycards.KeycardGeneric()
keycard.username = request.getUser()
keycard.password = request.getPassword()
keycard.address = request.getClientIP()
# args can have lists as values, if more than one specified
token = request.args.get('token', '')
if not isinstance(token, str):
token = token[0]
keycard.token = token
keycard.arguments = request.args
keycard.path = request.path
self.debug("Asking for authentication, generic HTTP")
return keycard
def test_multiple_allows_and_denies(self):
bouncer = self.get_bouncer({
'allow': ['62.121.66.134/32', '62.121.66.133/32'],
'deny': ['62.121.66.135/32', '62.121.66.136/32']
})
keycard = keycards.KeycardGeneric()
keycard.username = '******'
keycard.password = '******'
keycard.address = '62.121.66.136'
d = self.check_auth(keycard, bouncer, False)
keycard = keycards.KeycardGeneric()
keycard.username = '******'
keycard.password = '******'
keycard.address = '62.121.66.133'
d.addCallback(lambda _: self.check_auth(keycard, bouncer, True))
keycard = keycards.KeycardGeneric()
keycard.username = '******'
keycard.password = '******'
keycard.address = '62.121.66.137'
d.addCallback(lambda _: self.check_auth(keycard, bouncer, False))
return self.stop_bouncer(bouncer, d)
def testApprovedBothFloating(self):
new_start = self.half_an_hour_ago.astimezone(tz.LOCAL)
new_end = self.in_half_an_hour.astimezone(tz.LOCAL)
new_start_naive = new_start.replace(tzinfo=None)
new_end_naive = new_end.replace(tzinfo=None)
data = self.ical_from_specs('', new_start_naive,
'', new_end_naive)
self.bouncer = self.bouncer_from_ical(data)
keycard = keycards.KeycardGeneric()
d = defer.maybeDeferred(self.bouncer.authenticate, keycard)
d.addCallback(self._approved_callback)
return d
def testOverlapMoreThanWindowSize(self):
dates = [self.now - timedelta(minutes=1),
self.now + timedelta(seconds=0.6*self.maxKeyCardDuration),
self.now + timedelta(seconds=0.3*self.maxKeyCardDuration),
self.now + timedelta(seconds=0.9*self.maxKeyCardDuration),
self.now + timedelta(seconds=0.6*self.maxKeyCardDuration),
self.now + timedelta(seconds=1.2*self.maxKeyCardDuration),
]
data = self.ical_from_specs(dates)
self.bouncer = self.bouncer_from_ical(data)
keycard = keycards.KeycardGeneric()
d = defer.maybeDeferred(self.bouncer.authenticate, keycard)
d.addCallback(self._approved_and_calculate, self.maxKeyCardDuration)
return d
def testOverlapEndingSimulteanously(self):
dates = [self.now - timedelta(minutes=1),
self.now + timedelta(seconds=0.6*self.maxKeyCardDuration),
self.now - timedelta(minutes=2),
self.now + timedelta(seconds=0.6*self.maxKeyCardDuration),
self.now - timedelta(seconds=10),
self.now - timedelta(seconds=1),
]
data = self.ical_from_specs(dates)
self.bouncer = self.bouncer_from_ical(data)
keycard = keycards.KeycardGeneric()
d = defer.maybeDeferred(self.bouncer.authenticate, keycard)
d.addCallback(self._approved_and_calculate,\
0.6*self.maxKeyCardDuration)
return d
def testKeepAlive(self):
def adjustTTL(_):
self.assertEquals(k.ttl, 0.75)
self.obj.keepAlive('bar', 10)
self.assertEquals(k.ttl, 0.75)
self.obj.keepAlive('foo', 10)
self.assertEquals(k.ttl, 10)
k = keycards.KeycardGeneric()
k.ttl = 0.75
k.issuerName = 'foo'
self.assertEquals(k.state, keycards.REQUESTING)
d = self.obj.authenticate(k)
d.addCallback(self.assertAttr, 'state', keycards.AUTHENTICATED)
d.addCallback(self.assertAttr, 'ttl', 0.75)
d.addCallback(adjustTTL)
return d
def testApprovedKeycardDurationCalculationTZID(self):
in_one_minute = datetime.now(self.beijing_tz) + timedelta(minutes=1)
naive_in_one_minute = in_one_minute.replace(tzinfo=None)
data = self.ical_from_specs('', self.a_day_ago,
';TZID=Asia/Shanghai', naive_in_one_minute)
self.bouncer = self.bouncer_from_ical(data)
keycard = keycards.KeycardGeneric()
d = defer.maybeDeferred(self.bouncer.authenticate, keycard)
def approved_and_calculate(result):
self.failUnless(result)
self.assertEquals(result.state, keycards.AUTHENTICATED)
self.failUnless(result.duration)
self.failIf(result.duration > 60)
d.addCallback(approved_and_calculate)
return d
def issue_KeycardGeneric(self):
keycard = keycards.KeycardGeneric()
keycard.username = self.username
keycard.address = self.address
return keycard
def setUp(self):
keycard = keycards.KeycardGeneric()
keycard.username = '******'
keycard.password = '******'
keycard.address = '62.121.66.134'
self.keycard = keycard