class TestClientCertAuth(TestCase):
def setUp(self):
self.nuconfig = NuauthConf()
cacert = config.get("test_cert", "cacert")
# Userdb
self.user = PlaintextUser("user", "nopassword", 42, 42)
self.userdb = PlaintextUserDB()
self.userdb.addUser(self.user)
self.userdb.install(self.nuconfig)
# Server
self.nuconfig["plaintext_userfile"] = '"%s"' % self.userdb.filename
self.nuconfig["nuauth_tls_auth_by_cert"] = "2"
self.nuconfig["nuauth_tls_request_cert"] = "2"
self.nuconfig["nuauth_tls_cacert"] = '"%s"' % cacert
self.nuconfig["nuauth_tls_key"] = '"%s"' % config.get(
"test_cert", "nuauth_key")
self.nuconfig["nuauth_tls_cert"] = '"%s"' % config.get(
"test_cert", "nuauth_cert")
self.nuauth = Nuauth(self.nuconfig)
def tearDown(self):
self.client.stop()
self.nuauth.stop()
self.userdb.desinstall()
self.nuconfig.desinstall()
def testValidCert(self):
# Client
cacert = config.get("test_cert", "cacert")
cert = config.get("test_cert", "user_cert")
key = config.get("test_cert", "user_key")
args = ["-C", cert, "-K", key, "-A", cacert]
self.client = self.user.createClient(more_args=args)
self.client.password = "******" % self.user.password
self.assert_(connectClient(self.client))
def testInvalidCert(self):
# Expired certificate
cacert = config.get("test_cert", "cacert")
cert = config.get("test_cert", "user_invalid_cert")
key = config.get("test_cert", "user_invalid_key")
args = ["-C", cert, "-K", key, "-A", cacert]
self.client = self.user.createClient(more_args=args)
self.client.password = "******" % self.user.password
self.assert_(not connectClient(self.client))
class TestClientCertAuth(TestCase):
def setUp(self):
self.nuconfig = NuauthConf()
cacert = config.get("test_cert", "cacert")
# Userdb
self.user = PlaintextUser("user", "nopassword", 42, 42)
self.userdb = PlaintextUserDB()
self.userdb.addUser(self.user)
self.userdb.install(self.nuconfig)
# Server
self.nuconfig["plaintext_userfile"] = '"%s"' % self.userdb.filename
self.nuconfig["nuauth_tls_auth_by_cert"] = "2"
self.nuconfig["nuauth_tls_request_cert"] = "2"
self.nuconfig["nuauth_tls_cacert"] = '"%s"' % cacert
self.nuconfig["nuauth_tls_key"] = '"%s"' % config.get("test_cert", "nuauth_key")
self.nuconfig["nuauth_tls_cert"] = '"%s"' % config.get("test_cert", "nuauth_cert")
self.nuauth = Nuauth(self.nuconfig)
def tearDown(self):
self.client.stop()
self.nuauth.stop()
self.userdb.desinstall()
self.nuconfig.desinstall()
def testValidCert(self):
# Client
cacert = config.get("test_cert", "cacert")
cert = config.get("test_cert", "user_cert")
key = config.get("test_cert", "user_key")
args = ["-C", cert, "-K", key, "-A", cacert]
self.client = self.user.createClient(more_args=args)
self.client.password = "******" % self.user.password
self.assert_(connectClient(self.client))
def testInvalidCert(self):
# Expired certificate
cacert = config.get("test_cert", "cacert")
cert = config.get("test_cert", "user_invalid_cert")
key = config.get("test_cert", "user_invalid_key")
args = ["-C", cert, "-K", key, "-A", cacert]
self.client = self.user.createClient(more_args=args)
self.client.password = "******" % self.user.password
self.assert_(not connectClient(self.client))
class TestTLSNufw(TestCase):
def setUp(self):
self.iptables = Iptables()
self.port = VALID_PORT
self.host = HOST
self.cacert = abspath(config.get("test_cert", "cacert"))
def startNuauth(self, dict_args=None):
self.nuconfig = NuauthConf()
self.nuconfig["nuauth_tls_request_cert"] = "2"
self.nuconfig["nuauth_tls_crl"] = '"%s"' % abspath(
config.get("test_cert", "crl"))
if dict_args is None:
dict_args = dict()
for key in dict_args.keys():
self.nuconfig[key] = dict_args[key]
self.nuauth = Nuauth(self.nuconfig)
def tearDown(self):
self.nuauth.stop()
self.nuconfig.desinstall()
self.iptables.flush()
def connectNuauthNufw(self):
# Open TCP connection just to connect nufw to nuauth
self.iptables.filterTcp(self.port)
connectTcp(HOST, self.port, 0.100)
# nufw side
# "TLS connection to nuauth can NOT be restored"
def testNufwValidCert(self):
self.startNuauth()
self.nufw = startNufw()
self.connectNuauthNufw()
self.assert_(self.nufw_connection_is_established())
self.nufw.stop()
self.nuauth.stop()
def testNufwFQDNCheck(self):
self.startNuauth()
self.nufw = startNufw(["-d", "127.0.0.1"])
self.connectNuauthNufw()
self.assert_(not self.nufw_connection_is_established())
self.nufw.stop()
self.nufw = startNufw(["-d", "nuauth.inl.fr"])
self.connectNuauthNufw()
self.assert_(self.nufw_connection_is_established())
self.nufw.stop()
self.nuauth.stop()
def testNufwIgnoreFQDNCheck(self):
self.startNuauth()
self.nufw = startNufw(["-d", "127.0.0.1"])
self.connectNuauthNufw()
self.assert_(not self.nufw_connection_is_established())
self.nufw.stop()
self.nufw = startNufw(["-d", "127.0.0.1", "-N"])
self.connectNuauthNufw()
self.assert_(self.nufw_connection_is_established())
self.nufw.stop()
self.nuauth.stop()
def get_tls_cert_invalid(self):
for line in self.nufw.readlines(total_timeout=TIMEOUT):
if line.lower().find('certificate verification failed') >= 0:
return True
return False
def testNufwInvalidCA(self):
self.startNuauth()
invalid_cacert = config.get("test_cert", "invalid_cacert")
self.nufw = startNufw(["-a", invalid_cacert])
self.connectNuauthNufw()
self.assert_(self.get_tls_cert_invalid())
self.nufw.stop()
self.nuauth.stop()
# If NuFW does not run under the strict mode, the provided certificates in svn
# will be accepted and the client will be able to authenticate and then be
# accepted by the firewall. This is what we want to check here
def testNotStrictMode(self):
self.startNuauth()
self.nufw = startNufw(["-s"])
self.connectNuauthNufw()
self.assert_(self.nufw_connection_is_established())
self.nufw.stop()
self.nuauth.stop()
def testStrictMode(self):
self.startNuauth()
self.nufw = startNufw()
self.connectNuauthNufw()
self.assert_(self.nufw_connection_is_established())
self.nufw.stop()
self.nuauth.stop()
def nufw_connection_is_established(self):
if self.nufw.is_connected_to_nuauth:
return True
for line in self.nufw.readlines(total_timeout=TIMEOUT):
if line.lower().find("tls connection to nuauth established") >= 0:
return True
if line.lower().find("tls connection to nuauth restored") >= 0:
return True
return False
class TestClientCert(TestCase):
def setUp(self):
self.iptables = Iptables()
self.port = VALID_PORT
self.host = HOST
self.cacert = config.get("test_cert", "cacert")
self.nuconfig = NuauthConf()
self.nuconfig["nuauth_tls_auth_by_cert"] = "0"
self.nuauth = Nuauth(self.nuconfig)
def tearDown(self):
self.nuauth.stop()
self.nuconfig.desinstall()
self.iptables.flush()
def connectNuauthNufw(self):
# Open TCP connection just to connect nufw to nuauth
self.iptables.filterTcp(self.port)
connectTcp(HOST, self.port, 0.100)
# nufw side
# "TLS connection to nuauth can NOT be restored"
def testValidCert(self):
self.nufw = startNufw()
self.connectNuauthNufw()
self.assert_(self.nufw_connection_is_established())
self.nufw.stop()
def get_tls_cert_invalid(self):
for line in self.nufw.readlines(total_timeout=TIMEOUT):
if line.lower().find('certificate verification failed') >= 0:
return True
return False
def testInvalidCert(self):
invalid_cacert = config.get("test_cert", "invalid_cacert")
self.nufw = startNufw(["-a", invalid_cacert])
self.connectNuauthNufw()
self.assert_(self.get_tls_cert_invalid())
self.nufw.stop()
# If NuFW does not run under the strict mode, the provided certificates in svn
# will be accepted and the client will be able to authenticate and then be
# accepted by the firewall. This is what we want to check here
def testNotStrictMode(self):
self.nufw = startNufw(["-s"])
self.connectNuauthNufw()
self.assert_(self.nufw_connection_is_established())
self.nufw.stop()
def testStrictMode(self):
self.nufw = startNufw(["-d","127.0.0.1"])
self.connectNuauthNufw()
self.assert_(not self.nufw_connection_is_established())
self.nufw.stop()
def nufw_connection_is_established(self):
if self.nufw.is_connected_to_nuauth:
return True
for line in self.nufw.readlines(total_timeout=TIMEOUT):
if line.lower().find("tls connection to nuauth established") >= 0:
return True
if line.lower().find("tls connection to nuauth restored") >= 0:
return True
return False
class TestTLSNufw(TestCase):
def setUp(self):
self.iptables = Iptables()
self.port = VALID_PORT
self.host = HOST
self.cacert = abspath(config.get("test_cert", "cacert"))
def startNuauth(self, dict_args=None):
self.nuconfig = NuauthConf()
self.nuconfig["nuauth_tls_request_cert"] = "2"
self.nuconfig["nuauth_tls_crl"] = '"%s"' % abspath(config.get("test_cert", "crl"))
if dict_args is None:
dict_args = dict()
for key in dict_args.keys():
self.nuconfig[key] = dict_args[key]
self.nuauth = Nuauth(self.nuconfig)
def tearDown(self):
self.nuauth.stop()
self.nuconfig.desinstall()
self.iptables.flush()
def connectNuauthNufw(self):
# Open TCP connection just to connect nufw to nuauth
self.iptables.filterTcp(self.port)
connectTcp(HOST, self.port, 0.100)
# nufw side
# "TLS connection to nuauth can NOT be restored"
def testNufwValidCert(self):
self.startNuauth()
self.nufw = startNufw()
self.connectNuauthNufw()
self.assert_(self.nufw_connection_is_established())
self.nufw.stop()
self.nuauth.stop()
def testNufwFQDNCheck(self):
self.startNuauth()
self.nufw = startNufw(["-d", "127.0.0.1"])
self.connectNuauthNufw()
self.assert_(not self.nufw_connection_is_established())
self.nufw.stop()
self.nufw = startNufw(["-d", "nuauth.inl.fr"])
self.connectNuauthNufw()
self.assert_(self.nufw_connection_is_established())
self.nufw.stop()
self.nuauth.stop()
def testNufwIgnoreFQDNCheck(self):
self.startNuauth()
self.nufw = startNufw(["-d", "127.0.0.1"])
self.connectNuauthNufw()
self.assert_(not self.nufw_connection_is_established())
self.nufw.stop()
self.nufw = startNufw(["-d", "127.0.0.1", "-N"])
self.connectNuauthNufw()
self.assert_(self.nufw_connection_is_established())
self.nufw.stop()
self.nuauth.stop()
def get_tls_cert_invalid(self):
for line in self.nufw.readlines(total_timeout=TIMEOUT):
if line.lower().find("certificate verification failed") >= 0:
return True
return False
def testNufwInvalidCA(self):
self.startNuauth()
invalid_cacert = config.get("test_cert", "invalid_cacert")
self.nufw = startNufw(["-a", invalid_cacert])
self.connectNuauthNufw()
self.assert_(self.get_tls_cert_invalid())
self.nufw.stop()
self.nuauth.stop()
# If NuFW does not run under the strict mode, the provided certificates in svn
# will be accepted and the client will be able to authenticate and then be
# accepted by the firewall. This is what we want to check here
def testNotStrictMode(self):
self.startNuauth()
self.nufw = startNufw(["-s"])
self.connectNuauthNufw()
self.assert_(self.nufw_connection_is_established())
self.nufw.stop()
self.nuauth.stop()
def testStrictMode(self):
self.startNuauth()
self.nufw = startNufw()
self.connectNuauthNufw()
self.assert_(self.nufw_connection_is_established())
self.nufw.stop()
self.nuauth.stop()
def nufw_connection_is_established(self):
if self.nufw.is_connected_to_nuauth:
return True
for line in self.nufw.readlines(total_timeout=TIMEOUT):
if line.lower().find("tls connection to nuauth established") >= 0:
return True
if line.lower().find("tls connection to nuauth restored") >= 0:
return True
return False
