def setUp(self):
self.port = VALID_PORT
self.mark = 1
self.shift = 8
config = NuauthConf()
# Userdb
self.user = PlaintextUser("guest", "nopassword", 42, 42)
self.userdb = PlaintextUserDB()
self.userdb.addUser(self.user)
self.userdb.install(config)
self.acls = PlaintextAcl()
self.acls.addAcl("port",
self.port,
self.user.gid,
flags=(self.mark << self.shift))
self.acls.install(config)
# Load nuauth
config["nuauth_finalize_packet_module"] = '"mark_flag"'
config["mark_flag_mark_shift"] = 0
config["mark_flag_flag_shift"] = self.shift
config["mark_flag_nbits"] = 16
self.nuauth = Nuauth(config)
self.iptables = Iptables()
self.nufw = startNufw(["-m"])
self.client = self.user.createClientWithCerts()
class TestClientAuth(TestCase):
def setUp(self):
self.port = VALID_PORT
config = NuauthConf()
# Userdb
self.user = PlaintextUser("visiteur", "nopassword", 42, 42)
self.userdb = PlaintextUserDB()
self.userdb.addUser(self.user)
self.userdb.install(config)
self.acls = PlaintextAcl()
self.acls.addAcl("web", self.port, self.user.gid)
self.acls.install(config)
# Load nuauth
config["nuauth_do_ip_authentication"] = '1'
config["nuauth_ip_authentication_module"] = '"ipauth_guest"'
config["ipauth_guest_username"] = '******' % self.user.login
self.nuauth = Nuauth(config)
self.iptables = Iptables()
self.nufw = startNufw()
def tearDown(self):
self.acls.desinstall()
self.userdb.desinstall()
self.nuauth.stop()
self.iptables.flush()
def testValid(self):
self.iptables.filterTcp(self.port)
self.assertEqual(connectTcp(HOST, self.port, TIMEOUT), True)
class TestClientAuth(TestCase):
def setUp(self):
self.port = VALID_PORT
config = NuauthConf()
# Userdb
self.user = PlaintextUser("visiteur", "nopassword", 42, 42)
self.userdb = PlaintextUserDB()
self.userdb.addUser(self.user)
self.userdb.install(config)
self.acls = PlaintextAcl()
self.acls.addAcl("web", self.port, self.user.gid)
self.acls.install(config)
# Load nuauth
config["nuauth_do_ip_authentication"] = '1'
config["nuauth_ip_authentication_module"] = '"ipauth_guest"'
config["ipauth_guest_username"] = '******' % self.user.login
self.nuauth = Nuauth(config)
self.iptables = Iptables()
self.nufw = startNufw()
def tearDown(self):
self.acls.desinstall()
self.userdb.desinstall()
self.nuauth.stop()
self.iptables.flush()
def testValid(self):
self.iptables.filterTcp(self.port)
self.assertEqual(connectTcp(HOST, self.port, TIMEOUT), True)
def setUp(self):
self.iptables = Iptables()
self.iptables.command(
'-A OUTPUT -p tcp --sport %u -d %s --tcp-flags SYN,ACK SYN,ACK -j NFQUEUE'
% (VALID_PORT, HOST))
config = NuauthConf()
self.nuauth = Nuauth(config)
self.nufw = startNufw()
def setUp(self):
self.iptables = Iptables()
self.port = VALID_PORT
self.host = HOST
self.cacert = config.get("test_cert", "cacert")
self.nuconfig = NuauthConf()
self.nuconfig["nuauth_tls_auth_by_cert"] = "0"
self.nuauth = Nuauth(self.nuconfig)
def setUp(self):
self.iptables = Iptables()
self.users = USERDB
self.host = HOST
self.config = NuauthConf()
self.acls = self.func_acls()
# Start nuauth with new config
self.users.install(self.config)
self.nufw = startNufw(["-s"])
def setUp(self):
self.iptables = Iptables()
self.users = USERDB
self.config = NuauthConf()
self.config["xml_defs_periodfile"] = '"%s"' % os.path.abspath(
"../conf/periods.xml")
self.acls = PlaintextAcl()
# Start nuauth with new config
self.users.install(self.config)
self.nufw = startNufw(["-s"])
def setUp(self):
self.iptables = Iptables()
self.users = USERDB
self.acls = PlaintextAcl()
self.acls.addAcl("web", VALID_PORT, self.users[0].gid + 1)
self.config = NuauthConf()
self.config["nuauth_packet_timeout"] = "1"
self.users.install(self.config)
self.acls.install(self.config)
self.nufw = startNufw(["-s"])
class TestPlaintextAcl(TestCase):
def setUp(self):
self.iptables = Iptables()
self.users = USERDB
self.config = NuauthConf()
self.config["xml_defs_periodfile"] = '"%s"' % os.path.abspath("../conf/periods.xml")
self.acls = PlaintextAcl()
# Start nuauth with new config
self.users.install(self.config)
self.nufw = startNufw(["-s"])
def tearDown(self):
# Restore user DB and nuauth config
self.users.desinstall()
self.acls.desinstall()
self.nuauth.stop()
self.iptables.flush()
def testPeriodDrop(self):
self.acls.desinstall()
self.acls = PlaintextAcl()
if time.localtime().tm_hour >= 12:
period = "0-12"
else:
period = "12-24"
self.acls.addAcl("web", VALID_PORT, self.users[0].gid, 1, period=period )
self.acls.install(self.config)
self.nuauth = Nuauth(self.config)
user = self.users[0]
client = user.createClientWithCerts()
testPort(self, self.iptables, client, VALID_PORT, False)
self.acls.desinstall()
def testPeriodAccept(self):
self.acls.desinstall()
self.acls = PlaintextAcl()
if time.localtime().tm_hour < 12:
period = "0-12"
else:
period = "12-24"
self.acls.addAcl("web", VALID_PORT, self.users[0].gid, 1, period=period)
self.acls.install(self.config)
self.nuauth = Nuauth(self.config)
user = self.users[0]
client = user.createClientWithCerts()
testAllowPort(self, self.iptables, client)
self.acls.desinstall()
class TestSYNACKignore(TestCase):
def setUp(self):
self.iptables = Iptables()
self.iptables.command('-A OUTPUT -p tcp --sport %u -d %s --tcp-flags SYN,ACK SYN,ACK -j NFQUEUE' % (VALID_PORT, HOST))
config = NuauthConf()
self.nuauth = Nuauth(config)
self.nufw = startNufw()
def tearDown(self):
self.nuauth.stop()
self.iptables.flush()
def testsynack(self):
# Create socket
self.assertEqual(connectTcp(HOST, VALID_PORT, TIMEOUT), True)
def setUp(self):
self.port = VALID_PORT
self.mark = 1
self.shift = 8
config = NuauthConf()
# Userdb
self.user = PlaintextUser("guest", "nopassword", 42, 42)
self.userdb = PlaintextUserDB()
self.userdb.addUser(self.user)
self.userdb.install(config)
self.acls = PlaintextAcl()
self.acls.addAcl("port", self.port, self.user.gid, flags=(self.mark << self.shift))
self.acls.install(config)
# Load nuauth
config["nuauth_finalize_packet_module"] = '"mark_flag"'
config["mark_flag_mark_shift"] = 0
config["mark_flag_flag_shift"] = self.shift
config["mark_flag_nbits"] = 16
self.nuauth = Nuauth(config)
self.iptables = Iptables()
self.nufw = startNufw(["-m"])
self.client = self.user.createClientWithCerts()
def setUp(self):
self.iptables = Iptables()
self.iptables.command('-A OUTPUT -p tcp --sport %u -d %s --tcp-flags SYN,ACK SYN,ACK -j NFQUEUE' % (VALID_PORT, HOST))
config = NuauthConf()
self.nuauth = Nuauth(config)
self.nufw = startNufw()
class TestSYNACKignore(TestCase):
def setUp(self):
self.iptables = Iptables()
self.iptables.command(
'-A OUTPUT -p tcp --sport %u -d %s --tcp-flags SYN,ACK SYN,ACK -j NFQUEUE'
% (VALID_PORT, HOST))
config = NuauthConf()
self.nuauth = Nuauth(config)
self.nufw = startNufw()
def tearDown(self):
self.nuauth.stop()
self.iptables.flush()
def testsynack(self):
# Create socket
self.assertEqual(connectTcp(HOST, VALID_PORT, TIMEOUT), True)
class TestICMPReject(TestCase):
def setUp(self):
self.iptables = Iptables()
self.users = USERDB
self.acls = PlaintextAcl()
self.acls.addAcl("web", VALID_PORT, self.users[0].gid + 1)
self.config = NuauthConf()
self.config["nuauth_packet_timeout"] = "1"
self.users.install(self.config)
self.acls.install(self.config)
self.nufw = startNufw(["-s"])
def tearDown(self):
# Restore user DB and nuauth config
self.users.desinstall()
self.acls.desinstall()
self.nuauth.stop()
self.iptables.flush()
def testDrop(self):
self.config["nuauth_reject_after_timeout"] = "0"
self.config["nuauth_reject_authenticated_drop"] = "0"
self.nuauth = Nuauth(self.config)
user = self.users[0]
client = user.createClientWithCerts()
testPortFailure(self, self.iptables, client, VALID_PORT, ETIMEDOUT)
client.stop()
def testRejectTimedout(self):
self.config["nuauth_reject_after_timeout"] = "1"
self.config["nuauth_reject_authenticated_drop"] = "0"
self.nuauth = Nuauth(self.config)
testPortFailure(self, self.iptables, None, VALID_PORT, ECONNREFUSED)
def testRejectAuthenticated(self):
self.config["nuauth_reject_after_timeout"] = 0
self.config["nuauth_reject_authenticated_drop"] = 1
self.nuauth = Nuauth(self.config)
user = self.users[0]
client = user.createClientWithCerts()
testPortFailure(self, self.iptables, client, VALID_PORT, ECONNREFUSED)
client.stop()
def setUp(self):
self.iptables = Iptables()
self.users = USERDB
self.config = NuauthConf()
self.config["xml_defs_periodfile"] = '"%s"' % os.path.abspath("../conf/periods.xml")
self.acls = PlaintextAcl()
# Start nuauth with new config
self.users.install(self.config)
self.nufw = startNufw(["-s"])
class TestICMPReject(TestCase):
def setUp(self):
self.iptables = Iptables()
self.users = USERDB
self.acls = PlaintextAcl()
self.acls.addAcl("web", VALID_PORT, self.users[0].gid+1)
self.config = NuauthConf()
self.config["nuauth_packet_timeout"] = "1"
self.users.install(self.config)
self.acls.install(self.config)
self.nufw = startNufw(["-s"])
def tearDown(self):
# Restore user DB and nuauth config
self.users.desinstall()
self.acls.desinstall()
self.nuauth.stop()
self.iptables.flush()
def testDrop(self):
self.config["nuauth_reject_after_timeout"] = "0"
self.config["nuauth_reject_authenticated_drop"] = "0"
self.nuauth = Nuauth(self.config)
user = self.users[0]
client = user.createClientWithCerts()
testPortFailure(self, self.iptables, client, VALID_PORT, ETIMEDOUT)
client.stop()
def testRejectTimedout(self):
self.config["nuauth_reject_after_timeout"] = "1"
self.config["nuauth_reject_authenticated_drop"] = "0"
self.nuauth = Nuauth(self.config)
testPortFailure(self, self.iptables, None, VALID_PORT, ECONNREFUSED)
def testRejectAuthenticated(self):
self.config["nuauth_reject_after_timeout"] = 0
self.config["nuauth_reject_authenticated_drop"] = 1
self.nuauth = Nuauth(self.config)
user = self.users[0]
client = user.createClientWithCerts()
testPortFailure(self, self.iptables, client, VALID_PORT, ECONNREFUSED)
client.stop()
def setUp(self):
self.iptables = Iptables()
self.users = USERDB
self.acls = PlaintextAcl()
self.acls.addAcl("web", VALID_PORT, self.users[0].gid+1)
self.config = NuauthConf()
self.config["nuauth_packet_timeout"] = "1"
self.users.install(self.config)
self.acls.install(self.config)
self.nufw = startNufw(["-s"])
def setUp(self):
self.port = VALID_PORT
config = NuauthConf()
# Userdb
self.user = PlaintextUser("visiteur", "nopassword", 42, 42)
self.userdb = PlaintextUserDB()
self.userdb.addUser(self.user)
self.userdb.install(config)
self.acls = PlaintextAcl()
self.acls.addAcl("web", self.port, self.user.gid)
self.acls.install(config)
# Load nuauth
config["nuauth_do_ip_authentication"] = '1'
config["nuauth_ip_authentication_module"] = '"ipauth_guest"'
config["ipauth_guest_username"] = '******' % self.user.login
self.nuauth = Nuauth(config)
self.iptables = Iptables()
self.nufw = startNufw()
def setUp(self):
self.dst_host = socket.gethostbyname(HOST)
self.config = NuauthConf()
self.acls = PlaintextAcl()
self.acls.addAclFull("web", self.dst_host, VALID_PORT, USERDB[0].gid, 1, period='10 secs' )
self.acls.install(self.config)
self.period = PlainPeriodXML()
self.period.addPeriod(Period("10 secs", duration = 10))
self.period.install(self.config)
self.users = USERDB
self.users.install(self.config)
self.nuauth = Nuauth(self.config)
self.nufw = startNufw()
self.iptables = Iptables()
self.iptables.flush()
self.iptables.command('-I OUTPUT -d %s -p tcp --dport 80 --syn -m state --state NEW -j NFQUEUE' % self.dst_host)
self.iptables.command('-I OUTPUT -d %s -p tcp --dport 80 ! --syn -m state --state NEW -j DROP' % self.dst_host)
class TestConntrack(TestCase):
def setUp(self):
self.dst_host = socket.gethostbyname(HOST)
self.config = NuauthConf()
self.acls = PlaintextAcl()
self.acls.addAclFull("web", self.dst_host, VALID_PORT, USERDB[0].gid, 1, period='10 secs' )
self.acls.install(self.config)
self.period = PlainPeriodXML()
self.period.addPeriod(Period("10 secs", duration = 10))
self.period.install(self.config)
self.users = USERDB
self.users.install(self.config)
self.nuauth = Nuauth(self.config)
self.nufw = startNufw()
self.iptables = Iptables()
self.iptables.flush()
self.iptables.command('-I OUTPUT -d %s -p tcp --dport 80 --syn -m state --state NEW -j NFQUEUE' % self.dst_host)
self.iptables.command('-I OUTPUT -d %s -p tcp --dport 80 ! --syn -m state --state NEW -j DROP' % self.dst_host)
def tearDown(self):
self.nuauth.stop()
self.users.desinstall()
self.acls.desinstall()
self.period.desinstall()
def testConnShutdown(self):
user = USERDB[0]
client = user.createClient()
self.assert_(connectClient(client))
start = time.time()
conn = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
conn.connect((self.dst_host, VALID_PORT))
src_port = conn.getsockname()[1]
ct_before = len(get_conntrack_conn(src_port, self.dst_host, VALID_PORT))
## Check that only one connection is opened to
self.assert_(ct_before == 1)
## The connection should be killed 10 seconds after being opened
time.sleep(15)
## Check that only one connection is opened to
ct_after = len(get_conntrack_conn(src_port, self.dst_host, VALID_PORT))
self.assert_(ct_after == 0)
conn.close()
client.stop()
class TestConntrack(TestCase):
def setUp(self):
self.dst_host = socket.gethostbyname(HOST)
self.config = NuauthConf()
self.acls = PlaintextAcl()
self.acls.addAclFull("web", self.dst_host, VALID_PORT, USERDB[0].gid, 1, period="10 secs")
self.acls.install(self.config)
self.period = PlainPeriodXML()
self.period.addPeriod(Period("10 secs", duration=10))
self.period.install(self.config)
self.users = USERDB
self.users.install(self.config)
self.nuauth = Nuauth(self.config)
self.nufw = startNufw()
self.iptables = Iptables()
self.iptables.flush()
self.iptables.command("-I OUTPUT -d %s -p tcp --dport 80 --syn -m state --state NEW -j NFQUEUE" % self.dst_host)
self.iptables.command("-I OUTPUT -d %s -p tcp --dport 80 ! --syn -m state --state NEW -j DROP" % self.dst_host)
def tearDown(self):
self.nuauth.stop()
self.users.desinstall()
self.acls.desinstall()
self.period.desinstall()
def testConnShutdown(self):
user = USERDB[0]
client = user.createClient()
self.assert_(connectClient(client))
start = time.time()
conn = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
conn.connect((self.dst_host, VALID_PORT))
src_port = conn.getsockname()[1]
ct_before = len(get_conntrack_conn(src_port, self.dst_host, VALID_PORT))
## Check that only one connection is opened to
self.assert_(ct_before == 1)
## The connection should be killed 10 seconds after being opened
time.sleep(15)
## Check that only one connection is opened to
ct_after = len(get_conntrack_conn(src_port, self.dst_host, VALID_PORT))
self.assert_(ct_after == 0)
conn.close()
client.stop()
class TestClientAuth(TestCase):
def setUp(self):
self.port = VALID_PORT
self.mark = 1
self.shift = 8
config = NuauthConf()
# Userdb
self.user = PlaintextUser("guest", "nopassword", 42, 42)
self.userdb = PlaintextUserDB()
self.userdb.addUser(self.user)
self.userdb.install(config)
self.acls = PlaintextAcl()
self.acls.addAcl("port",
self.port,
self.user.gid,
flags=(self.mark << self.shift))
self.acls.install(config)
# Load nuauth
config["nuauth_finalize_packet_module"] = '"mark_flag"'
config["mark_flag_mark_shift"] = 0
config["mark_flag_flag_shift"] = self.shift
config["mark_flag_nbits"] = 16
self.nuauth = Nuauth(config)
self.iptables = Iptables()
self.nufw = startNufw(["-m"])
self.client = self.user.createClientWithCerts()
def tearDown(self):
self.acls.desinstall()
self.userdb.desinstall()
self.client.stop()
self.nuauth.stop()
self.iptables.flush()
def testValid(self):
# Connect client and filter port
self.assert_(connectClient(self.client))
self.iptables.filterTcp(self.port)
# Test connection without QoS (accept)
self.assertEqual(connectTcp(HOST, self.port, TIMEOUT), True)
# Test connection with QoS (drop)
self.iptables.command(
"-A POSTROUTING -t mangle -m mark --mark %s -j DROP" % self.mark)
self.assertEqual(connectTcp(HOST, self.port, TIMEOUT), False)
def setUp(self):
self.dst_host = socket.gethostbyname(HOST)
self.config = NuauthConf()
self.acls = PlaintextAcl()
self.acls.addAclFull("web", self.dst_host, VALID_PORT, USERDB[0].gid, 1, period="10 secs")
self.acls.install(self.config)
self.period = PlainPeriodXML()
self.period.addPeriod(Period("10 secs", duration=10))
self.period.install(self.config)
self.users = USERDB
self.users.install(self.config)
self.nuauth = Nuauth(self.config)
self.nufw = startNufw()
self.iptables = Iptables()
self.iptables.flush()
self.iptables.command("-I OUTPUT -d %s -p tcp --dport 80 --syn -m state --state NEW -j NFQUEUE" % self.dst_host)
self.iptables.command("-I OUTPUT -d %s -p tcp --dport 80 ! --syn -m state --state NEW -j DROP" % self.dst_host)
def setUp(self):
self.port = VALID_PORT
config = NuauthConf()
# Userdb
self.user = PlaintextUser("visiteur", "nopassword", 42, 42)
self.userdb = PlaintextUserDB()
self.userdb.addUser(self.user)
self.userdb.install(config)
self.acls = PlaintextAcl()
self.acls.addAcl("web", self.port, self.user.gid)
self.acls.install(config)
# Load nuauth
config["nuauth_do_ip_authentication"] = '1'
config["nuauth_ip_authentication_module"] = '"ipauth_guest"'
config["ipauth_guest_username"] = '******' % self.user.login
self.nuauth = Nuauth(config)
self.iptables = Iptables()
self.nufw = startNufw()
class TestClientAuth(TestCase):
def setUp(self):
self.port = VALID_PORT
self.mark = 1
self.shift = 8
config = NuauthConf()
# Userdb
self.user = PlaintextUser("guest", "nopassword", 42, 42)
self.userdb = PlaintextUserDB()
self.userdb.addUser(self.user)
self.userdb.install(config)
self.acls = PlaintextAcl()
self.acls.addAcl("port", self.port, self.user.gid, flags=(self.mark << self.shift))
self.acls.install(config)
# Load nuauth
config["nuauth_finalize_packet_module"] = '"mark_flag"'
config["mark_flag_mark_shift"] = 0
config["mark_flag_flag_shift"] = self.shift
config["mark_flag_nbits"] = 16
self.nuauth = Nuauth(config)
self.iptables = Iptables()
self.nufw = startNufw(["-m"])
self.client = self.user.createClientWithCerts()
def tearDown(self):
self.acls.desinstall()
self.userdb.desinstall()
self.client.stop()
self.nuauth.stop()
self.iptables.flush()
def testValid(self):
# Connect client and filter port
self.assert_(connectClient(self.client))
self.iptables.filterTcp(self.port)
# Test connection without QoS (accept)
self.assertEqual(connectTcp(HOST, self.port, TIMEOUT), True)
# Test connection with QoS (drop)
self.iptables.command("-A POSTROUTING -t mangle -m mark --mark %s -j DROP" % self.mark)
self.assertEqual(connectTcp(HOST, self.port, TIMEOUT), False)
class TestAcl(object):
def setUp(self):
self.iptables = Iptables()
self.users = USERDB
self.host = HOST
self.config = NuauthConf()
self.acls = self.func_acls()
# Start nuauth with new config
self.users.install(self.config)
self.nufw = startNufw(["-s"])
def tearDown(self):
# Restore user DB and nuauth config
self.users.desinstall()
self.nuauth.stop()
self.iptables.flush()
self.acls.desinstall()
def testFilterByGroup(self):
self.acls.addAclFull("Web group", self.host, VALID_PORT, self.users[0].gid)
self.acls.install(self.config)
self.nuauth = Nuauth(self.config)
user = self.users[0]
client = user.createClientWithCerts()
testAllowPort(self, self.iptables, client, self.host)
testDisallowPort(self, self.iptables, client, self.host)
self.acls.desinstall()
def testFilterByUser(self):
self.acls.addAclPerUid("Web user", self.host, VALID_PORT, self.users[0].uid)
self.acls.install(self.config)
self.nuauth = Nuauth(self.config)
user = self.users[0]
client = user.createClientWithCerts()
testAllowPort(self, self.iptables, client, self.host)
testDisallowPort(self, self.iptables, client, self.host)
self.acls.desinstall()
def testValidApplication(self):
self.acls.addAclFull("application", self.host, VALID_PORT, self.users[0].gid, App=APPLICATION)
self.acls.install(self.config)
self.nuauth = Nuauth(self.config)
user = self.users[0]
client = user.createClientWithCerts()
testAllowPort(self, self.iptables, client, self.host)
self.acls.desinstall()
def testInvalidApplication(self):
self.acls.addAclFull("application", self.host, VALID_PORT, self.users[0].gid, App=APPLICATION+"xxx")
self.acls.install(self.config)
self.nuauth = Nuauth(self.config)
user = self.users[0]
client = user.createClientWithCerts()
testAllowPort(self, self.iptables, client, self.host, allow=False)
self.acls.desinstall()
def testValidOS(self):
self.acls.addAclFull("application", self.host, VALID_PORT, self.users[0].gid, OS=OS_FULL)
self.acls.install(self.config)
self.nuauth = Nuauth(self.config)
user = self.users[0]
client = user.createClientWithCerts()
testAllowPort(self, self.iptables, client, self.host)
self.acls.desinstall()
def testInvalidOS(self):
self.acls.addAclFull("application", self.host, VALID_PORT, self.users[0].gid, OS=OS_NAME+"xxx")
self.acls.install(self.config)
self.nuauth = Nuauth(self.config)
user = self.users[0]
client = user.createClientWithCerts()
testAllowPort(self, self.iptables, client, self.host, allow=False)
self.acls.desinstall()
def testOutdevOk(self):
self.acls.addAclFull("outdev test", self.host, VALID_PORT, self.users[0].gid, outdev = IFACE)
self.acls.install(self.config)
self.nuauth = Nuauth(self.config)
user = self.users[0]
client = user.createClientWithCerts()
testAllowPort(self, self.iptables, client, self.host)
self.acls.desinstall()
def testOutdevNOK(self):
self.acls.addAclFull("outdev test", self.host, VALID_PORT, self.users[0].gid, outdev = "bad0")
self.acls.install(self.config)
self.nuauth = Nuauth(self.config)
user = self.users[0]
client = user.createClientWithCerts()
testAllowPort(self, self.iptables, client, self.host, allow=False)
self.acls.desinstall()
class TestTLSNufw(TestCase):
def setUp(self):
self.iptables = Iptables()
self.port = VALID_PORT
self.host = HOST
self.cacert = abspath(config.get("test_cert", "cacert"))
def startNuauth(self, dict_args=None):
self.nuconfig = NuauthConf()
self.nuconfig["nuauth_tls_request_cert"] = "2"
self.nuconfig["nuauth_tls_crl"] = '"%s"' % abspath(config.get("test_cert", "crl"))
if dict_args is None:
dict_args = dict()
for key in dict_args.keys():
self.nuconfig[key] = dict_args[key]
self.nuauth = Nuauth(self.nuconfig)
def tearDown(self):
self.nuauth.stop()
self.nuconfig.desinstall()
self.iptables.flush()
def connectNuauthNufw(self):
# Open TCP connection just to connect nufw to nuauth
self.iptables.filterTcp(self.port)
connectTcp(HOST, self.port, 0.100)
# nufw side
# "TLS connection to nuauth can NOT be restored"
def testNufwValidCert(self):
self.startNuauth()
self.nufw = startNufw()
self.connectNuauthNufw()
self.assert_(self.nufw_connection_is_established())
self.nufw.stop()
self.nuauth.stop()
def testNufwFQDNCheck(self):
self.startNuauth()
self.nufw = startNufw(["-d", "127.0.0.1"])
self.connectNuauthNufw()
self.assert_(not self.nufw_connection_is_established())
self.nufw.stop()
self.nufw = startNufw(["-d", "nuauth.inl.fr"])
self.connectNuauthNufw()
self.assert_(self.nufw_connection_is_established())
self.nufw.stop()
self.nuauth.stop()
def testNufwIgnoreFQDNCheck(self):
self.startNuauth()
self.nufw = startNufw(["-d", "127.0.0.1"])
self.connectNuauthNufw()
self.assert_(not self.nufw_connection_is_established())
self.nufw.stop()
self.nufw = startNufw(["-d", "127.0.0.1", "-N"])
self.connectNuauthNufw()
self.assert_(self.nufw_connection_is_established())
self.nufw.stop()
self.nuauth.stop()
def get_tls_cert_invalid(self):
for line in self.nufw.readlines(total_timeout=TIMEOUT):
if line.lower().find("certificate verification failed") >= 0:
return True
return False
def testNufwInvalidCA(self):
self.startNuauth()
invalid_cacert = config.get("test_cert", "invalid_cacert")
self.nufw = startNufw(["-a", invalid_cacert])
self.connectNuauthNufw()
self.assert_(self.get_tls_cert_invalid())
self.nufw.stop()
self.nuauth.stop()
# If NuFW does not run under the strict mode, the provided certificates in svn
# will be accepted and the client will be able to authenticate and then be
# accepted by the firewall. This is what we want to check here
def testNotStrictMode(self):
self.startNuauth()
self.nufw = startNufw(["-s"])
self.connectNuauthNufw()
self.assert_(self.nufw_connection_is_established())
self.nufw.stop()
self.nuauth.stop()
def testStrictMode(self):
self.startNuauth()
self.nufw = startNufw()
self.connectNuauthNufw()
self.assert_(self.nufw_connection_is_established())
self.nufw.stop()
self.nuauth.stop()
def nufw_connection_is_established(self):
if self.nufw.is_connected_to_nuauth:
return True
for line in self.nufw.readlines(total_timeout=TIMEOUT):
if line.lower().find("tls connection to nuauth established") >= 0:
return True
if line.lower().find("tls connection to nuauth restored") >= 0:
return True
return False
def setUp(self):
self.iptables = Iptables()
self.port = VALID_PORT
self.host = HOST
self.cacert = abspath(config.get("test_cert", "cacert"))
def setUp(self):
self.iptables = Iptables()
self.port = VALID_PORT
self.host = HOST
self.cacert = abspath(config.get("test_cert", "cacert"))
class TestTLSNufw(TestCase):
def setUp(self):
self.iptables = Iptables()
self.port = VALID_PORT
self.host = HOST
self.cacert = abspath(config.get("test_cert", "cacert"))
def startNuauth(self, dict_args=None):
self.nuconfig = NuauthConf()
self.nuconfig["nuauth_tls_request_cert"] = "2"
self.nuconfig["nuauth_tls_crl"] = '"%s"' % abspath(
config.get("test_cert", "crl"))
if dict_args is None:
dict_args = dict()
for key in dict_args.keys():
self.nuconfig[key] = dict_args[key]
self.nuauth = Nuauth(self.nuconfig)
def tearDown(self):
self.nuauth.stop()
self.nuconfig.desinstall()
self.iptables.flush()
def connectNuauthNufw(self):
# Open TCP connection just to connect nufw to nuauth
self.iptables.filterTcp(self.port)
connectTcp(HOST, self.port, 0.100)
# nufw side
# "TLS connection to nuauth can NOT be restored"
def testNufwValidCert(self):
self.startNuauth()
self.nufw = startNufw()
self.connectNuauthNufw()
self.assert_(self.nufw_connection_is_established())
self.nufw.stop()
self.nuauth.stop()
def testNufwFQDNCheck(self):
self.startNuauth()
self.nufw = startNufw(["-d", "127.0.0.1"])
self.connectNuauthNufw()
self.assert_(not self.nufw_connection_is_established())
self.nufw.stop()
self.nufw = startNufw(["-d", "nuauth.inl.fr"])
self.connectNuauthNufw()
self.assert_(self.nufw_connection_is_established())
self.nufw.stop()
self.nuauth.stop()
def testNufwIgnoreFQDNCheck(self):
self.startNuauth()
self.nufw = startNufw(["-d", "127.0.0.1"])
self.connectNuauthNufw()
self.assert_(not self.nufw_connection_is_established())
self.nufw.stop()
self.nufw = startNufw(["-d", "127.0.0.1", "-N"])
self.connectNuauthNufw()
self.assert_(self.nufw_connection_is_established())
self.nufw.stop()
self.nuauth.stop()
def get_tls_cert_invalid(self):
for line in self.nufw.readlines(total_timeout=TIMEOUT):
if line.lower().find('certificate verification failed') >= 0:
return True
return False
def testNufwInvalidCA(self):
self.startNuauth()
invalid_cacert = config.get("test_cert", "invalid_cacert")
self.nufw = startNufw(["-a", invalid_cacert])
self.connectNuauthNufw()
self.assert_(self.get_tls_cert_invalid())
self.nufw.stop()
self.nuauth.stop()
# If NuFW does not run under the strict mode, the provided certificates in svn
# will be accepted and the client will be able to authenticate and then be
# accepted by the firewall. This is what we want to check here
def testNotStrictMode(self):
self.startNuauth()
self.nufw = startNufw(["-s"])
self.connectNuauthNufw()
self.assert_(self.nufw_connection_is_established())
self.nufw.stop()
self.nuauth.stop()
def testStrictMode(self):
self.startNuauth()
self.nufw = startNufw()
self.connectNuauthNufw()
self.assert_(self.nufw_connection_is_established())
self.nufw.stop()
self.nuauth.stop()
def nufw_connection_is_established(self):
if self.nufw.is_connected_to_nuauth:
return True
for line in self.nufw.readlines(total_timeout=TIMEOUT):
if line.lower().find("tls connection to nuauth established") >= 0:
return True
if line.lower().find("tls connection to nuauth restored") >= 0:
return True
return False
def setUp(self):
self.iptables = Iptables()
MysqlLog.setUp(self)
class TestPlaintextAcl(TestCase):
def setUp(self):
self.iptables = Iptables()
self.users = USERDB
self.config = NuauthConf()
self.config["xml_defs_periodfile"] = '"%s"' % os.path.abspath(
"../conf/periods.xml")
self.acls = PlaintextAcl()
# Start nuauth with new config
self.users.install(self.config)
self.nufw = startNufw(["-s"])
def tearDown(self):
# Restore user DB and nuauth config
self.users.desinstall()
self.acls.desinstall()
self.nuauth.stop()
self.iptables.flush()
def testPeriodDrop(self):
self.acls.desinstall()
self.acls = PlaintextAcl()
if time.localtime().tm_hour >= 12:
period = "0-12"
else:
period = "12-24"
self.acls.addAcl("web",
VALID_PORT,
self.users[0].gid,
1,
period=period)
self.acls.install(self.config)
self.nuauth = Nuauth(self.config)
user = self.users[0]
client = user.createClientWithCerts()
testPort(self, self.iptables, client, VALID_PORT, False)
self.acls.desinstall()
def testPeriodAccept(self):
self.acls.desinstall()
self.acls = PlaintextAcl()
if time.localtime().tm_hour < 12:
period = "0-12"
else:
period = "12-24"
self.acls.addAcl("web",
VALID_PORT,
self.users[0].gid,
1,
period=period)
self.acls.install(self.config)
self.nuauth = Nuauth(self.config)
user = self.users[0]
client = user.createClientWithCerts()
testAllowPort(self, self.iptables, client)
self.acls.desinstall()
class TestClientCert(TestCase):
def setUp(self):
self.iptables = Iptables()
self.port = VALID_PORT
self.host = HOST
self.cacert = config.get("test_cert", "cacert")
self.nuconfig = NuauthConf()
self.nuconfig["nuauth_tls_auth_by_cert"] = "0"
self.nuauth = Nuauth(self.nuconfig)
def tearDown(self):
self.nuauth.stop()
self.nuconfig.desinstall()
self.iptables.flush()
def connectNuauthNufw(self):
# Open TCP connection just to connect nufw to nuauth
self.iptables.filterTcp(self.port)
connectTcp(HOST, self.port, 0.100)
# nufw side
# "TLS connection to nuauth can NOT be restored"
def testValidCert(self):
self.nufw = startNufw()
self.connectNuauthNufw()
self.assert_(self.nufw_connection_is_established())
self.nufw.stop()
def get_tls_cert_invalid(self):
for line in self.nufw.readlines(total_timeout=TIMEOUT):
if line.lower().find('certificate verification failed') >= 0:
return True
return False
def testInvalidCert(self):
invalid_cacert = config.get("test_cert", "invalid_cacert")
self.nufw = startNufw(["-a", invalid_cacert])
self.connectNuauthNufw()
self.assert_(self.get_tls_cert_invalid())
self.nufw.stop()
# If NuFW does not run under the strict mode, the provided certificates in svn
# will be accepted and the client will be able to authenticate and then be
# accepted by the firewall. This is what we want to check here
def testNotStrictMode(self):
self.nufw = startNufw(["-s"])
self.connectNuauthNufw()
self.assert_(self.nufw_connection_is_established())
self.nufw.stop()
def testStrictMode(self):
self.nufw = startNufw(["-d","127.0.0.1"])
self.connectNuauthNufw()
self.assert_(not self.nufw_connection_is_established())
self.nufw.stop()
def nufw_connection_is_established(self):
if self.nufw.is_connected_to_nuauth:
return True
for line in self.nufw.readlines(total_timeout=TIMEOUT):
if line.lower().find("tls connection to nuauth established") >= 0:
return True
if line.lower().find("tls connection to nuauth restored") >= 0:
return True
return False
class MysqlLogPacket(MysqlLog):
def setUp(self):
self.iptables = Iptables()
MysqlLog.setUp(self)
def tearDown(self):
MysqlLog.tearDown(self)
self.iptables.flush()
def testFilter(self):
"""
User logs in, opens an authenticated connection, and
closes the connection. Make sure that MySQL records the connection,
only once, with the right parameters.
"""
client = self.user.createClientWithCerts()
time_before = int(time())
timestamp_before = datetime_before()
# Open allowed port
testAllowPort(self, self.iptables, client)
# Query DB
if not POSTGRESQL:
timestamp_field = "timestamp, "
else:
timestamp_field = ""
sql = \
"SELECT username, user_id, client_os, client_app, " \
"tcp_dport, ip_saddr, ip_daddr, oob_time_sec, ip_protocol, " \
"%sstart_timestamp, end_timestamp, oob_prefix " \
"FROM %s WHERE oob_time_sec >= %s AND state=1;" \
% (timestamp_field, DB_PACKET_TABLE, time_before)
# Do the query
for when in retry(timeout=QUERY_TIMEOUT):
cursor = self.query(sql)
if cursor.rowcount:
break
# Read result
row = self.fetchone(cursor)
timestamp_after = datetime_after()
self.assertEqual(cursor.rowcount, 1)
if POSTGRESQL:
(username, user_id, client_os, client_app,
tcp_dport, ip_saddr, ip_daddr, oob_time_sec, ip_protocol,
start_timestamp, end_timestamp, oob_prefix) = row
else:
(username, user_id, client_os, client_app,
tcp_dport, ip_saddr, ip_daddr, oob_time_sec, ip_protocol,
timestamp, start_timestamp, end_timestamp, oob_prefix) = row
# Check values
self.assertEqual(username, client.username)
self.assertEqual(user_id, self.user.uid)
self.assertEqual(client_os, CLIENT_OS)
self.assertEqual(client_app, CLIENT_APP)
self.assertEqual(tcp_dport, VALID_PORT)
self.assertEqual(IP(ip_saddr), client.ip)
self.assert_(timestamp_before <= datetime.fromtimestamp(oob_time_sec) <= timestamp_after)
if not POSTGRESQL:
self.assert_(timestamp and timestamp_before <= timestamp <= timestamp_after)
self.assertEqual(ip_protocol, 6)
self.assertEqual(oob_prefix, OOB_PREFIX)
class MysqlLogPacket(MysqlLog):
def setUp(self):
self.iptables = Iptables()
MysqlLog.setUp(self)
def tearDown(self):
MysqlLog.tearDown(self)
self.iptables.flush()
def testFilter(self):
"""
User logs in, opens an authenticated connection, and
closes the connection. Make sure that MySQL records the connection,
only once, with the right parameters.
"""
client = self.user.createClientWithCerts()
time_before = int(time())
timestamp_before = datetime_before()
# Open allowed port
testAllowPort(self, self.iptables, client)
# Query DB
if not POSTGRESQL:
timestamp_field = "timestamp, "
else:
timestamp_field = ""
sql = \
"SELECT username, user_id, client_os, client_app, " \
"tcp_dport, ip_saddr, ip_daddr, oob_time_sec, ip_protocol, " \
"%sstart_timestamp, end_timestamp, oob_prefix " \
"FROM %s WHERE oob_time_sec >= %s AND state=1;" \
% (timestamp_field, DB_PACKET_TABLE, time_before)
# Do the query
for when in retry(timeout=QUERY_TIMEOUT):
cursor = self.query(sql)
if cursor.rowcount:
break
# Read result
row = self.fetchone(cursor)
timestamp_after = datetime_after()
self.assertEqual(cursor.rowcount, 1)
if POSTGRESQL:
(username, user_id, client_os, client_app, tcp_dport, ip_saddr,
ip_daddr, oob_time_sec, ip_protocol, start_timestamp,
end_timestamp, oob_prefix) = row
else:
(username, user_id, client_os, client_app, tcp_dport, ip_saddr,
ip_daddr, oob_time_sec, ip_protocol, timestamp, start_timestamp,
end_timestamp, oob_prefix) = row
# Check values
self.assertEqual(username, client.username)
self.assertEqual(user_id, self.user.uid)
self.assertEqual(client_os, CLIENT_OS)
self.assertEqual(client_app, CLIENT_APP)
self.assertEqual(tcp_dport, VALID_PORT)
self.assertEqual(IP(ip_saddr), client.ip)
self.assert_(timestamp_before <= datetime.fromtimestamp(oob_time_sec)
<= timestamp_after)
if not POSTGRESQL:
self.assert_(timestamp
and timestamp_before <= timestamp <= timestamp_after)
self.assertEqual(ip_protocol, 6)
self.assertEqual(oob_prefix, OOB_PREFIX)
def setUp(self):
self.iptables = Iptables()
MysqlLog.setUp(self)
