Exemple #1
 def test_radgroupreply_custom_entries(self, session):
     """Check that a row inserted into ``radgroupreply_base`` appears in ``radgroupreply``.

     The custom row must be absent from ``hades.radgroupreply.table`` before
     the insert and present once the session has been flushed.
     """
     custom_row = ("TestGroup", "Egress-VLAN-Name", "+=", "2Servernetz")
     reply_query = session.query(hades.radgroupreply.table)

     # Precondition: the row is not already there (e.g. from a fixture).
     rows_before = reply_query.all()
     assert custom_row not in rows_before

     insert_stmt = hades.radgroupreply_base.insert().values([custom_row])
     session.execute(insert_stmt)
     session.flush()

     rows_after = reply_query.all()
     assert custom_row in rows_after
Exemple #2
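def match_hss_lenient(reference: str, session: Session) -> Optional[TUser]:
    """Heuristic to match badly-formed HSS usernames

    If there is one unique „part“ of text (delimited by a comma or whitespace) which matches
    the login of someone living in a Hochschulstraße building, we will allow that to be the user
    we match against.

    The match fails closed: if the Hochschulstraße site cannot be found, nothing is matched,
    so that a missing site row never widens the heuristic to logins of all users.

    TODO remove this once most people don't use that description (wrongly) anymore

    :param reference: free text that may contain a login among other words
    :param session: database session used for the site and user lookups
    :return: the single matching user, or ``None`` if there is no match or the match is
        ambiguous
    """
    valid_parts = [p.lower() for p in re.split(r"[,\s]", reference) if p]
    if not valid_parts:
        # Nothing to compare against; also avoids an ``IN ()`` query with an empty list.
        return None

    # Yes, this is essentially stupid-ass hard-coding
    # NOTE: ``one_or_none()`` raises if more than one site name matches the pattern.
    hss = session.query(Site).filter(Site.name.like('Hochsch%')).one_or_none()
    if hss is None:
        # Without the site there is no way to enforce the "lives in HSS" restriction.
        return None

    users = (
        session.query(User)
        .filter(User.login.in_(valid_parts))
        .join(User.room)
        .join(Room.building)
        .filter(Building.site == hss)
        .all()
    )
    # Only an unambiguous hit counts; zero or several candidates yield no match.
    if len(users) == 1:
        return users[0]
    return None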
Exemple #3
    def test_radusergroup_access(self, session, user):
        """Check that the user's MAC is in the ``<vlan>_untagged`` group on every switch port.

        For each switch port connected to the room of the user's first host,
        ``hades.radusergroup.table`` must contain the row
        ``(mac, switch management IP, port name, "<vlan name>_untagged", 20)``.
        """
        first_host = user.hosts[0]
        ports = [patch_port.switch_port
                 for patch_port in first_host.room.connected_patch_ports]
        # The expected rows below are built from exactly one IP and one interface.
        assert len(first_host.ips) == 1
        assert len(first_host.interfaces) == 1
        mac_address = first_host.interfaces[0].mac
        vlan_name = first_host.ips[0].subnet.vlan.name
        expected_group = f"{vlan_name}_untagged"

        usergroup_rows = session.query(hades.radusergroup.table).all()
        # NOTE(review): if the room has no connected patch ports, this loop asserts nothing.
        for port in ports:
            nas_ip = str(port.switch.management_ip)
            expected_row = (mac_address, nas_ip, port.name, expected_group, 20)
            assert expected_row in usergroup_rows
Exemple #4
    def test_radusergroup_blocked(self, session, user):
        """Check that the user's MAC is in both blocking groups on every switch port.

        For each switch port connected to the room of the user's first host,
        ``hades.radusergroup.table`` must contain one row for
        ``payment_in_default`` (last column -10) and one for
        ``no_network_access`` (last column 0).
        """
        first_host = user.hosts[0]
        ports = [patch_port.switch_port
                 for patch_port in first_host.room.connected_patch_ports]
        assert len(first_host.ips) == 1
        assert len(first_host.interfaces) == 1
        mac_address = first_host.interfaces[0].mac

        usergroup_rows = session.query(hades.radusergroup.table).all()
        # (group name, last column) -- presumably the priority; confirm against the view.
        expected_groups = (('payment_in_default', -10), ('no_network_access', 0))
        # NOTE(review): if the room has no connected patch ports, this loop asserts nothing,
        # so a missing block entry would go unnoticed.
        for port in ports:
            for group_name, last_column in expected_groups:
                expected_row = (mac_address, str(port.switch.management_ip),
                                port.name, group_name, last_column)
                assert expected_row in usergroup_rows
Exemple #5
    def test_radgroupreply_access_groups(self, session):
        """Check the reply rows of the ``_untagged`` and ``_tagged`` group of every VLAN.

        Each ``<vlan>_untagged`` group must reply with ``Egress-VLAN-Name += 2<vlan>``,
        each ``<vlan>_tagged`` group with ``Egress-VLAN-Name += 1<vlan>``, and both
        must set ``Fall-Through := Yes``.
        """
        reply_rows = session.query(hades.radgroupreply.table).all()
        # (group suffix, prefix put in front of the VLAN name in Egress-VLAN-Name)
        variants = (("untagged", "2"), ("tagged", "1"))
        # TODO properly parametrize this
        for vlan in VLAN.q.all():
            for suffix, name_prefix in variants:
                group = f"{vlan.name}_{suffix}"
                egress_row = (group, "Egress-VLAN-Name", "+=", f"{name_prefix}{vlan.name}")
                assert egress_row in reply_rows
                assert (group, "Fall-Through", ":=", "Yes") in reply_rows
Exemple #6
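    def test_radcheck(self, session, user, switch):
        """Check the ``radcheck`` rows generated for the user's MAC address.

        Every row must be
        ``<mac> - <nasip> - <nasport> - "User-Name" - =* - NULL - 10``.
        As a FreeRADIUS check item, ``=*`` only tests that the attribute is
        present, so no password-like value is expected in the table.
        The set of ``NASPortId`` values must equal the names of the switch
        ports patched to the room of the user's first host.
        """
        # We have one interface with a MAC whose room has two ports on the same switch
        rows = session.query(hades.radcheck.table).all()
        host = user.hosts[0]
        mac = host.interfaces[0].mac
        for row in rows:
            assert row.UserName == mac
            assert row.NASIPAddress == switch.management_ip
            assert row.Attribute == "User-Name"
            assert row.Op == "=*"
            # Identity check: the column must be NULL, not merely something equal to None.
            assert row.Value is None
            assert row.Priority == 10

        # The per-row loop above is vacuous for an empty result; this comparison
        # is what ties the rows to the room's patch ports.
        assert {row.NASPortId for row in rows} \
            == {port.switch_port.name for port in host.room.patch_ports}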
Exemple #7
 def test_radgroupcheck(self, session):
     """Check that ``radgroupcheck`` holds exactly one row, for the ``unknown`` group.

     The only row must be ``("unknown", "Auth-Type", ":=", "Accept", 10)``.
     """
     # NOTE(review): this pins that the "unknown" group is accepted at the auth step;
     # presumably restriction then happens through the group's reply attributes -- confirm.
     expected_row = ("unknown", "Auth-Type", ":=", "Accept", 10)
     groupcheck_rows = session.query(hades.radgroupcheck.table).all()
     assert len(groupcheck_rows) == 1
     assert groupcheck_rows[0] == expected_row
Exemple #8
 def test_dhcphost_blocked(self, session):
     """Check that ``dhcphost`` contains no rows.

     Presumably the surrounding fixtures set up a blocked user, who must not
     get a DHCP host entry -- the fixtures are not visible here.
     """
     dhcp_rows = session.query(hades.dhcphost.table).all()
     assert not dhcp_rows
Exemple #9
 def test_dhcphost_access(self, session, user):
     """Check that ``dhcphost`` holds exactly one row: the user's MAC and IP address.

     The row is compared with the MAC of the first interface and the
     stringified address of the first IP of the user's first host.
     """
     dhcp_rows = session.query(hades.dhcphost.table).all()
     assert len(dhcp_rows) == 1
     only_row = dhcp_rows[0]
     first_host = user.hosts[0]
     expected_mac = first_host.interfaces[0].mac
     expected_ip = str(first_host.ips[0].address)
     assert only_row == (expected_mac, expected_ip)
Exemple #10
 def test_radgroupreply_blocking_groups(self, session):
     """Check the reply rows of every group named in ``hades.radius_property``.

     Each such group must reply with ``Egress-VLAN-Name := 2hades-unauth`` and
     ``Fall-Through := No``.
     """
     property_rows = session.query(hades.radius_property).all()
     reply_rows = session.query(hades.radgroupreply.table).all()
     # NOTE(review): with an empty radius_property table this loop asserts nothing.
     for property_row in property_rows:
         group = property_row[0]
         assert (group, "Egress-VLAN-Name", ":=", "2hades-unauth") in reply_rows
         # Presumably "No" stops later groups from adding further reply attributes -- confirm.
         assert (group, "Fall-Through", ":=", "No") in reply_rows