def test_authenticate_ascii(fake_socket, packets):
"""
client -> AUTHSTART (username)
STATUS_GETPASS <- server
client -> AUTHCONTINUE (password)
STATUS_PASS <- server
"""
client = TACACSClient('127.0.0.1', 49, None, session_id=12345)
client._sock = fake_socket
reply = client.authenticate('username', 'pass')
assert reply.valid
fake_socket.buff.seek(0)
first_header = TACACSHeader.unpacked(fake_socket.buff.read(12))
assert (first_header.version_max, first_header.version_min) == (12, 0)
first_body = fake_socket.buff.read(first_header.length)
assert TACACSAuthenticationStart(
'username', TAC_PLUS_AUTHEN_TYPE_ASCII).packed == first_body
second_header = TACACSHeader.unpacked(fake_socket.buff.read(12))
assert (first_header.version_max, first_header.version_min) == (12, 0)
assert second_header.seq_no > first_header.seq_no
second_body = fake_socket.buff.read()
assert TACACSAuthenticationContinue('pass').packed == second_body
def test_authorize_lesser_priv_lvl(fake_socket, packets):
client = TACACSClient('127.0.0.1', 49, None, session_id=12345)
client._sock = fake_socket
reply = client.authorize(
'username',
arguments=[b"service=shell", b"cmd=show", b"cmdargs=version"],
authen_type=TAC_PLUS_AUTHEN_TYPE_PAP,
priv_lvl=TAC_PLUS_PRIV_LVL_MAX)
assert not reply.valid, "the privilege level sent by the server is less than the requested one (1 < 15)"
def test_client_socket_send(fake_socket, packets, state):
body = TACACSAuthenticationStart('user123', TAC_PLUS_AUTHEN_TYPE_ASCII)
client = TACACSClient('127.0.0.1', 49, None, session_id=12345)
client._sock = fake_socket
packet = client.send(body, TAC_PLUS_AUTHEN)
assert isinstance(packet, TACACSPacket)
reply = TACACSAuthenticationReply.unpacked(packet.body)
assert getattr(reply, state) is True
# the first 12 bytes of the packet represent the header
fake_socket.buff.seek(0)
sent_header, sent_body = (fake_socket.buff.read(12),
fake_socket.buff.read())
body_length = TACACSHeader.unpacked(sent_header).length
assert len(sent_body) == body_length
assert body.packed == sent_body
def test_authorize_ascii(fake_socket, packets):
client = TACACSClient('127.0.0.1', 49, None, session_id=12345)
client._sock = fake_socket
reply = client.authorize(
'username',
arguments=[b"service=shell", b"cmd=show", b"cmdargs=version"])
assert reply.valid
fake_socket.buff.seek(0)
first_header = TACACSHeader.unpacked(fake_socket.buff.read(12))
assert (first_header.version_max, first_header.version_min) == (12, 0)
first_body = fake_socket.buff.read(first_header.length)
assert TACACSAuthorizationStart(
'username',
TAC_PLUS_AUTHEN_METH_TACACSPLUS,
TAC_PLUS_PRIV_LVL_MIN,
TAC_PLUS_AUTHEN_TYPE_ASCII,
[b"service=shell", b"cmd=show", b"cmdargs=version"],
).packed == first_body
def test_authenticate_pap(fake_socket, packets):
"""
client -> AUTHSTART (user+pass)
STATUS_PASS <- server
"""
client = TACACSClient('127.0.0.1', 49, None, session_id=12345)
client._sock = fake_socket
reply = client.authenticate('username',
'pass',
authen_type=TAC_PLUS_AUTHEN_TYPE_PAP)
assert reply.valid
fake_socket.buff.seek(0)
first_header = TACACSHeader.unpacked(fake_socket.buff.read(12))
assert (first_header.version_max, first_header.version_min) == (12, 1)
first_body = fake_socket.buff.read(first_header.length)
assert TACACSAuthenticationStart('username',
TAC_PLUS_AUTHEN_TYPE_PAP,
data=six.b('pass')).packed == first_body
def test_authenticate_chap(fake_socket, packets):
"""
client -> AUTHSTART user+md5challenge(pass)
STATUS_PASS <- server
"""
client = TACACSClient('127.0.0.1', 49, None, session_id=12345)
client._sock = fake_socket
reply = client.authenticate('username',
'pass',
authen_type=TAC_PLUS_AUTHEN_TYPE_CHAP,
chap_ppp_id='A',
chap_challenge='challenge')
assert reply.valid
fake_socket.buff.seek(0)
first_header = TACACSHeader.unpacked(fake_socket.buff.read(12))
assert (first_header.version_max, first_header.version_min) == (12, 1)
first_body = fake_socket.buff.read(first_header.length)
assert TACACSAuthenticationStart(
'username',
TAC_PLUS_AUTHEN_TYPE_CHAP,
data=(six.b('A') + six.b('challenge') +
md5(six.b('Apasschallenge')).digest())).packed == first_body
def test_client_socket_send_wrong_headers(fake_socket, packets):
body = TACACSAuthenticationStart('user123', TAC_PLUS_AUTHEN_TYPE_ASCII)
client = TACACSClient('127.0.0.1', 49, None, session_id=12345)
client._sock = fake_socket
with pytest.raises(socket.error):
client.send(body, TAC_PLUS_AUTHEN)
