Exemple #1
def test_authorize_lesser_priv_lvl(fake_socket, packets):
    """An authorization reply granting less privilege than requested is invalid.

    The client asks for ``TAC_PLUS_PRIV_LVL_MAX`` over PAP; the reply comes
    from ``fake_socket`` (presumably pre-loaded by the ``packets`` fixture,
    which is not referenced directly here) and must be reported as not valid.
    """
    tacacs = TACACSClient('127.0.0.1', 49, None, session_id=12345)
    # Swap the real connection for the canned one so no network I/O happens.
    tacacs._sock = fake_socket
    requested_args = [b"service=shell", b"cmd=show", b"cmdargs=version"]
    response = tacacs.authorize(
        'username',
        arguments=requested_args,
        authen_type=TAC_PLUS_AUTHEN_TYPE_PAP,
        priv_lvl=TAC_PLUS_PRIV_LVL_MAX,
    )
    # A lower granted level must never be treated as a successful authorization.
    assert not response.valid, "the privilege level sent by the server is less than the requested one (1 < 15)"
Exemple #2
def test_authorize_ascii(fake_socket, packets):
    """A default authorize() call succeeds and sends the expected start packet.

    After the call, the bytes written to ``fake_socket.buff`` are re-read:
    the 12-byte header must carry version (12, 0) and the body must equal a
    packed ``TACACSAuthorizationStart`` built with the TACACS+ method, the
    minimum privilege level and the ASCII authentication type.
    """
    av_pairs = [b"service=shell", b"cmd=show", b"cmdargs=version"]

    tacacs = TACACSClient('127.0.0.1', 49, None, session_id=12345)
    # Swap the real connection for the canned one so no network I/O happens.
    tacacs._sock = fake_socket
    response = tacacs.authorize('username', arguments=av_pairs)
    assert response.valid

    # Rewind the capture buffer and decode the first packet the client wrote.
    captured = fake_socket.buff
    captured.seek(0)
    header = TACACSHeader.unpacked(captured.read(12))
    sent_version = (header.version_max, header.version_min)
    assert sent_version == (12, 0)

    sent_body = captured.read(header.length)
    expected_start = TACACSAuthorizationStart(
        'username',
        TAC_PLUS_AUTHEN_METH_TACACSPLUS,
        TAC_PLUS_PRIV_LVL_MIN,
        TAC_PLUS_AUTHEN_TYPE_ASCII,
        [b"service=shell", b"cmd=show", b"cmdargs=version"],
    )
    assert expected_start.packed == sent_body
Exemple #3
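def get_av_pair(arguments, key, default=None):
    """Return the value of the first ``key=value`` AV pair named *key*.

    Args:
        arguments: iterable of attribute-value pairs, each a ``str`` or
            ``bytes`` of the form ``name=value``.
        key: attribute name to look up, as ``str``.
        default: returned unchanged when no pair matches.

    Returns:
        Everything after the first ``=`` of the first matching pair (as
        ``str``), or *default*.

    The values come from the authorization reply, so callers should validate
    them before using them as ids, paths or protocol fields.
    Only the ``=`` separator is recognised; pairs written with the ``*``
    (optional attribute) separator are not matched.
    """
    for av in arguments:
        # Replies may carry AV pairs as bytes; splitting bytes with a str
        # separator would raise TypeError, so normalise to text first.
        if isinstance(av, bytes):
            av = av.decode("utf-8", "replace")
        # Split on the first "=" only, so a value that itself contains "="
        # is returned whole instead of being truncated.
        name, sep, value = av.partition("=")
        # An entry without a separator has no value; skip it rather than
        # failing with IndexError.
        if sep and name == key:
            return value
    return default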


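# Authenticate and authorize one login against the local TACACS+ server and
# print a single "accept ..." or "reject ..." line with the result.
# NOTE(review): the shared secret is hard-coded below; it should come from a
# protected configuration source rather than live in the script.
cli = TACACSClient('localhost',
                   49,
                   'testing123',
                   timeout=10,
                   family=socket.AF_INET)

# token[0] is the login name and token[1] the password (token is built
# outside this block; presumably both are str -- confirm against the parser).
user = token[0]

# The login name becomes a path component of the home directory and a field
# of the one-line reply, so refuse names that could escape the homes
# directory or break the line format.
user_is_safe = (
    bool(user)
    and user not in (".", "..")
    and not any(ch in "/\\\x00" or ch.isspace() for ch in user)
)

if not user_is_safe:
    print("reject")
else:
    authen = cli.authenticate(user, token[1])
    if authen.valid:
        auth = cli.authorize(user, arguments=["service=tailf"])
        # NOTE(review): auth.valid is not checked here; only the presence of
        # a "groups" AV pair decides acceptance -- confirm this is intended.
        # The AV values below are server-supplied and echoed unvalidated.
        groups = get_av_pair(auth.arguments, key="groups")
        if groups is not None:
            uid = get_av_pair(auth.arguments, key="uid", default=9000)
            gid = get_av_pair(auth.arguments, key="gid", default=100)
            home = "/var/confd/homes/{}".format(user)
            print("accept {} {} {} {}".format(groups, uid, gid, home))
        else:
            print(
                "reject Cannot retrieve groups AV pair (tailf service) for user {}"
                .format(user))
    else:
        print("reject")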