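def test_040_localCaptivePortalToSecondRack(self):
    """Check that a captive-portal login routes the client to the second rack.

    Steps: enable the first capture rule with LOCAL_DIRECTORY / BASIC_LOGIN,
    create the local test user, clear the client's cached username, add a
    policy rule keyed on USERNAME "[authenticated]", then confirm that the
    login page is shown, the login is accepted, the username lands in the
    host table, neither test page nor login page is served afterwards, and
    logout works.

    The captive portal app and the test user are removed in a ``finally``
    block, so a failed assertion does not leave a live capture rule or a
    directory account with a known password on the appliance.
    """
    global defaultRackCaptivePortal
    remote_control.run_command("rm -f /tmp/policy_test_040*")
    defaultRackCaptivePortal = uvmContext.appManager().instantiate("captive-portal", default_policy_id)
    assert defaultRackCaptivePortal is not None
    try:
        defaultRackCaptivePortalData = defaultRackCaptivePortal.getSettings()
        # turn default capture rule on and basic login
        defaultRackCaptivePortalData['captureRules']['list'][0]['enabled'] = True
        defaultRackCaptivePortalData['authenticationType'] = "LOCAL_DIRECTORY"
        defaultRackCaptivePortalData['pageType'] = "BASIC_LOGIN"
        defaultRackCaptivePortal.setSettings(defaultRackCaptivePortalData)

        # Create local directory user 'test20'
        uvmContext.localDirectory().setUsers(createLocalDirectoryUser())

        # check host table and remove username for host IP, so the client
        # starts the test unauthenticated
        userHost = uvmContext.hostTable().getHostTableEntry(remote_control.client_ip)
        userHost['username'] = ""
        userHost['usernameCaptivePortal'] = ""
        uvmContext.hostTable().setHostTableEntry(remote_control.client_ip, userHost)

        nukeRules()
        appendRule(createPolicySingleConditionRule("USERNAME", "[authenticated]", secondRackId))

        # check that basic captive page is shown
        result = remote_control.run_command("wget -4 -t 2 --timeout=5 -a /tmp/policy_test_040.log -O /tmp/policy_test_040.out http://www.google.com/")
        assert result == 0
        search = remote_control.run_command("grep -q 'username and password' /tmp/policy_test_040.out")
        assert search == 0

        # check if local directory login and password works
        ipfind = remote_control.run_command("grep 'Location' /tmp/policy_test_040.log", stdout=True)
        # The pattern admits only digits, dots and colons, so the captured
        # value cannot carry shell metacharacters into the commands below.
        ip = re.findall(r'[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}(?:[0-9:]{0,6})', ipfind)
        # Fail with a readable message instead of an IndexError when the
        # redirect carried no address.
        assert ip, "no capture address found in the wget Location header"
        captureIP = ip[0]
        print('Capture IP address is %s' % captureIP)
        appid = str(defaultRackCaptivePortal.getAppSettings()["id"])
        # The credentials travel in the query string of a plain-HTTP URL;
        # they are fixed values for the throwaway user created above.
        # NOTE(review): the nonce is a fixed literal, so this request does
        # not show whether the handler validates nonces - confirm that is
        # covered elsewhere.
        result = remote_control.run_command("wget -q -O /dev/null -t 2 --timeout=5 \'http://" + captureIP + "/capture/handler.py/authpost?username=test20&password=passwd&nonce=9abd7f2eb5ecd82b&method=GET&appid=" + appid + "&host=" + captureIP + "&uri=/\'")
        assert result == 0

        # verify the username is assigned to the IP
        userHost = uvmContext.hostTable().getHostTableEntry(remote_control.client_ip)
        assert userHost['username'] == "test20"

        # firewall on rack 2 is blocking all, we should not get the test.untangle.com page
        # NOTE(review): this command passes -O twice; the greps below rely on
        # wget honouring the later one - confirm. The exit status is not
        # asserted here, only the content of the output file.
        remote_control.run_command("wget -q -O /dev/null -4 -t 2 --timeout=5 -a /tmp/policy_test_040a.log -O /tmp/policy_test_040a.out http://www.google.com/")
        search = remote_control.run_command("grep -q 'Hi!' /tmp/policy_test_040a.out")
        assert search != 0
        # Or the captive page
        search = remote_control.run_command("grep -q 'username and password' /tmp/policy_test_040a.out")
        assert search != 0

        # Logout
        result = remote_control.run_command("wget -q -O /dev/null -4 -t 2 --timeout=5 -a /tmp/policy_test_040b.log -O /tmp/policy_test_040b.out http://" + captureIP + "/capture/logout")
        assert result == 0
        search = remote_control.run_command("grep -q 'logged out' /tmp/policy_test_040b.out")
        assert search == 0
    finally:
        # remove captive portal and test user, whatever happened above
        try:
            uvmContext.localDirectory().setUsers(removeLocalDirectoryUser())
        finally:
            uvmContext.appManager().destroy(defaultRackCaptivePortal.getAppSettings()["id"])
            defaultRackCaptivePortal = None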
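def test_041_trigger_rule_untag_host(self):
    """Check that an UNTAG_HOST trigger rule removes a tag set by TAG_HOST.

    Phase one installs a single TAG_HOST trigger rule for "test-tag" and
    records the client's ``tagsString``; phase two installs an UNTAG_HOST
    rule for "test*" and records it again. The first reading must contain
    "test-tag", the second must not.

    The original event settings are restored in a ``finally`` block so an
    RPC failure midway does not leave a test trigger rule installed.
    """
    settings = uvmContext.eventManager().getSettings()
    orig_settings = copy.deepcopy(settings)
    # Both rules match session events whose localAddr contains the client IP.
    client_glob = "*" + remote_control.client_ip + "*"
    try:
        new_rule = create_trigger_rule("TAG_HOST", "localAddr", "test-tag", 30, "test tag rule", "class", "=", "*SessionEvent*", "localAddr", "=", client_glob)
        settings['triggerRules']['list'] = [new_rule]
        uvmContext.eventManager().setSettings(settings)
        # presumably generates a session event from the client; the return
        # value was never used by this test
        remote_control.is_online()
        time.sleep(4)
        entry = uvmContext.hostTable().getHostTableEntry(remote_control.client_ip)
        tag_test = entry.get('tagsString')
        uvmContext.eventManager().setSettings(orig_settings)

        new_rule = create_trigger_rule("UNTAG_HOST", "localAddr", "test*", 30, "test tag rule", "class", "=", "*SessionEvent*", "localAddr", "=", client_glob)
        settings['triggerRules']['list'] = [new_rule]
        uvmContext.eventManager().setSettings(settings)
        remote_control.is_online()
        time.sleep(4)
        entry = uvmContext.hostTable().getHostTableEntry(remote_control.client_ip)
        tag_test2 = entry.get('tagsString')
    finally:
        uvmContext.eventManager().setSettings(orig_settings)

    assert tag_test is not None
    assert "test-tag" in tag_test
    assert tag_test2 is None or "test-tag" not in tag_test2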
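def test_060_host_quota(self):
    """Check that a host exceeding its quota is throttled and that events are logged.

    A baseline download speed is measured, a rule grants the host a small
    quota, a second rule sets priority 7 once the quota is exceeded, and a
    1 MB download uses the quota up. After the accounting interval the
    download speed is measured again and must be below
    ``baseline * limited_acceptance_ratio``. Quota and prioritisation events
    for the client are then looked up.

    Raises:
        unittest.SkipTest: when only quick tests were requested.
    """
    if runtests.quick_tests_only:
        raise unittest.SkipTest('Skipping a time consuming test')
    nuke_rules()
    priority_level = 7  # Severely Limited
    given_quota = 10000  # 10k

    # Remove any existing quota
    uvmContext.hostTable().removeQuota(remote_control.client_ip)

    # Record average speed without bandwidth control configured
    wget_speed_pre = global_functions.get_download_speed()

    try:
        # Create rule to give quota
        append_rule(create_quota_rule("HOST_HAS_NO_QUOTA", "true", "GIVE_HOST_QUOTA", given_quota))
        # Create penalty for exceeding quota
        append_rule(create_single_condition_rule("HOST_QUOTA_EXCEEDED", "true", "SET_PRIORITY", priority_level))

        # Download the file so quota is exceeded
        global_functions.get_download_speed(meg=1)

        # quota accounting occurs every 60 seconds, so we must wait at least 60 seconds
        time.sleep(60)

        # Download file and record the average speed at which it was downloaded
        wget_speed_post = global_functions.get_download_speed()
    finally:
        # Remove quota even when a download or RPC call failed above
        uvmContext.hostTable().removeQuota(remote_control.client_ip)

    # Both measurements must be usable. The original asserted the post value
    # twice and never looked at the baseline; it is also checked before
    # print_results, which does arithmetic on the baseline.
    assert wget_speed_pre and wget_speed_post
    print_results(wget_speed_pre, wget_speed_post, wget_speed_pre * 0.1, wget_speed_pre * limited_acceptance_ratio)
    assert wget_speed_pre * limited_acceptance_ratio > wget_speed_post

    events = global_functions.get_events('Bandwidth Control', 'Quota Events', None, 5)
    assert events is not None
    found = global_functions.check_events(events.get('list'), 5,
                                          "action", 1,  # quota given
                                          "size", given_quota,
                                          "entity", remote_control.client_ip)
    assert found
    found = global_functions.check_events(events.get('list'), 5,
                                          "action", 2,  # quota exceeded
                                          "entity", remote_control.client_ip)
    assert found

    events = global_functions.get_events('Bandwidth Control', 'Prioritized Sessions', None, 5)
    assert events is not None
    found = global_functions.check_events(events.get('list'), 5,
                                          "bandwidth_control_priority", priority_level,
                                          "c_client_addr", remote_control.client_ip)
    assert found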
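def test_121_clientUserAgent2(self):
    """Check that an HTTP_USER_AGENT rule matches the agent stored in the host table.

    The client's host-table entry is given the agent string
    "Mozilla foo bar", a single rule with the glob "*Mozilla*" is installed,
    and a wget from the client is expected to fail (non-zero exit).

    The forged agent value is cleared in a ``finally`` block so a failed
    assertion does not leave it in the host table for later tests.
    """
    entry = uvmContext.hostTable().getHostTableEntry(remote_control.client_ip)
    entry['httpUserAgent'] = "Mozilla foo bar"
    uvmContext.hostTable().setHostTableEntry(remote_control.client_ip, entry)
    try:
        rules_clear()
        rule_append(create_rule_single_condition("HTTP_USER_AGENT", "*Mozilla*"))
        result = remote_control.run_command("wget -q -O /dev/null -t 1 --timeout=3 http://test.untangle.com/")
        assert result != 0
    finally:
        entry['httpUserAgent'] = None
        uvmContext.hostTable().setHostTableEntry(remote_control.client_ip, entry)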
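def find_name_in_host_table(hostname='test'):
    """Report whether the client appears in the host table under a given username.

    A background netcat connection to test.untangle.com:80 is started on the
    client first, then every host-table entry is printed and compared.

    Args:
        hostname: value compared against each entry's 'username' field
            (despite the parameter name, 'hostname' fields are not read).

    Returns:
        True when an entry has 'address' equal to ``remote_control.client_ip``
        and 'username' equal to *hostname*, otherwise False.
    """
    remote_control.run_command("nohup netcat -d -4 test.untangle.com 80 >/dev/null 2>&1", stdout=False, nowait=True)
    try:
        # since we launched netcat in background, give it a second to establish connection
        time.sleep(2)
        session_list = uvmContext.hostTable().getHosts()['list']
        found_test_session = False
        for session in session_list:
            print(session)
            if session['address'] == remote_control.client_ip and session['username'] == hostname:
                found_test_session = True
                break
        return found_test_session
    finally:
        # Stop the background netcat even when the lookup above raised.
        # pkill matches by process name, so any other netcat on the client
        # is signalled too.
        remote_control.run_command("pkill netcat")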
def test_070_penalty_rule(self):
    """Check that a TAG_HOST penalty rule tags the client with 'penalty-box'.

    The client's tag list is emptied, a SRC_ADDR penalty rule is added for
    the client, traffic is generated, and the host-table entry must then
    carry a tag named 'penalty-box'. The tags are cleared again and a
    'Hosts Events' record for the client with key "tags" must exist.
    """
    global app
    nuke_rules(self._app)
    tag_time = 2000000

    # start from a host entry without tags
    host_entry = uvmContext.hostTable().getHostTableEntry(remote_control.client_ip)
    host_entry['tags']['list'] = []
    uvmContext.hostTable().setHostTableEntry(remote_control.client_ip, host_entry)

    # install the penalty rule
    penalty_rule = create_penalty_rule("SRC_ADDR", remote_control.client_ip, "TAG_HOST", "penalty-box", tag_time)
    append_rule(self._app, penalty_rule)

    # go to test.untangle.com
    remote_control.is_online()

    # the tag must now be present on the host entry
    host_entry = uvmContext.hostTable().getHostTableEntry(remote_control.client_ip)
    current_tags = host_entry['tags']['list']
    print(current_tags)
    tag_names = [tag['name'] for tag in host_entry['tags']['list']]
    assert 'penalty-box' in tag_names

    # clear the tags again
    host_entry['tags']['list'] = []
    uvmContext.hostTable().setHostTableEntry(remote_control.client_ip, host_entry)

    # the tagging must have produced a host event
    host_events = global_functions.get_events('Hosts', 'Hosts Events', None, 50)
    assert host_events != None
    tag_event = global_functions.find_event(host_events.get('list'), 50,
                                            "address", remote_control.client_ip,
                                            "key", "tags")
    print(tag_event)
    assert tag_event != None
def test_161_clientMacAddressStar(self):
    """Check that a SRC_MAC rule with the wildcard "*" applies to the client.

    Raises:
        unittest.SkipTest: when the client's host-table entry has no
            'macAddress' value.
    """
    host_entry = uvmContext.hostTable().getHostTableEntry(remote_control.client_ip)
    mac_known = not (host_entry.get('macAddress') == None)
    if not mac_known:
        raise unittest.SkipTest('MAC not known')

    rules_clear()
    wildcard_rule = create_rule_single_condition("SRC_MAC", "*")
    rule_append(wildcard_rule)

    # the download is expected to fail while the rule is in place
    exit_code = remote_control.run_command("wget -q -O /dev/null -t 1 --timeout=3 http://test.untangle.com/")
    assert exit_code != 0
def test_020_about_info(self):
    """Sanity-check the values shown on the About page.

    Each value is only matched with an unanchored ``re.search``, so the
    checks confirm that the expected shape occurs somewhere in the value,
    not that the whole value has that shape.
    """
    # server UID: three 4-character groups joined by '-', then any single
    # character and a fourth group (the '.' in the pattern is unescaped)
    server_uid = uvmContext.getServerUID()
    assert re.search(r'\w{4}-\w{4}-\w{4}.\w{4}', server_uid)

    # kernel version must contain a digit
    kernel_version = uvmContext.adminManager().getKernelVersion()
    assert re.search(r'\d.*', kernel_version)

    # reboot count is passed to re.search as returned (no str() conversion)
    reboots = uvmContext.adminManager().getRebootCount()
    assert re.search(r'\d{1,2}', reboots)

    # current and maximum active host counts, stringified before matching
    active_hosts = str(uvmContext.hostTable().getCurrentActiveSize())
    assert re.search(r'\d{1,2}', active_hosts)

    peak_hosts = str(uvmContext.hostTable().getMaxActiveSize())
    assert re.search(r'\d{1,2}', peak_hosts)
def get_list_of_username_mapped():
    """Collect the directory-connector usernames present in the host table.

    Every host-table entry is printed in full, so the test log will contain
    the complete entries, usernames included.

    Returns:
        A list with the 'usernameDirectoryConnector' value of each entry
        where that value is neither None nor the empty string, in host-table
        order.
    """
    mapped_users = []
    for host in uvmContext.hostTable().getHosts()['list']:
        print(host)
        connector_user = host['usernameDirectoryConnector']
        if connector_user in (None, ""):
            continue
        mapped_users.append(connector_user)
    return mapped_users
def test_070_penalty_rule(self):
    """Verify that a TAG_HOST penalty rule puts the client in the 'penalty-box'.

    Flow: clear the client's tags, add a SRC_ADDR penalty rule for the
    client, generate traffic, expect a 'penalty-box' tag on the host-table
    entry, clear the tags again, and expect a 'Hosts Events' record for the
    client with key "tags".
    """
    global app
    nuke_rules()
    tag_time = 2000000

    # wipe any tags already on the client
    client_entry = uvmContext.hostTable().getHostTableEntry(remote_control.client_ip)
    client_entry['tags']['list'] = []
    uvmContext.hostTable().setHostTableEntry(remote_control.client_ip, client_entry)

    # Create penalty rule
    rule = create_penalty_rule("SRC_ADDR", remote_control.client_ip, "TAG_HOST", "penalty-box", tag_time)
    append_rule(rule)

    # go to test.untangle.com
    remote_control.is_online()

    # Look for tag
    client_entry = uvmContext.hostTable().getHostTableEntry(remote_control.client_ip)
    print(client_entry['tags']['list'])
    names_seen = [tag['name'] for tag in client_entry['tags']['list']]
    assert 'penalty-box' in names_seen

    # remove tags
    client_entry['tags']['list'] = []
    uvmContext.hostTable().setHostTableEntry(remote_control.client_ip, client_entry)

    # check penalty box
    logged = global_functions.get_events('Hosts', 'Hosts Events', None, 50)
    assert logged != None
    match = global_functions.find_event(logged.get('list'), 50,
                                        "address", remote_control.client_ip,
                                        "key", "tags")
    print(match)
    assert match != None
def test_033_block_by_Hostname(self):
    """Check that a HOST_HOSTNAME rule blocks the client and logs the block.

    The client's hostname is read from the host table and used as the rule
    value. The fetched page must contain "blocked", and a 'Blocked Web
    Events' record with that hostname must be marked both blocked and
    flagged.
    """
    host_entry = uvmContext.hostTable().getHostTableEntry(remote_control.client_ip)

    self.rules_clear()
    # allow DNS otherwise bridged configs fail
    self.rule_add("DST_PORT", "53", action="pass")
    self.rule_add("HOST_HOSTNAME", host_entry['hostname'])

    exit_code = remote_control.run_command("wget -q -4 -t 2 -O - http://test.untangle.com/test/testPage1.html 2>&1 | grep -q blocked")
    assert exit_code == 0

    # NOTE(review): get_events is asked for 1 record while check_events is
    # given 5 - confirm the two limits are meant to differ.
    blocked_events = global_functions.get_events(self.displayName(), 'Blocked Web Events', None, 1)
    assert blocked_events != None
    matched = global_functions.check_events(
        blocked_events.get('list'), 5,
        "hostname", host_entry['hostname'],
        self.eventAppName() + '_blocked', True,
        self.eventAppName() + '_flagged', True)
    assert matched
def test_162_clientMacAddressMultiple(self):
    """Check that a comma-separated SRC_MAC list matches in either position.

    The client's MAC is paired with the placeholder 11:22:33:44:55:66, once
    as the second item and once as the first; the download from the client
    must fail both times.

    Raises:
        unittest.SkipTest: when the client's host-table entry has no
            'macAddress' value.
    """
    host_entry = uvmContext.hostTable().getHostTableEntry(remote_control.client_ip)
    if host_entry.get('macAddress') == None:
        raise unittest.SkipTest('MAC not known')
    client_mac = host_entry.get('macAddress')

    # same two addresses, client MAC last and then first
    mac_lists = (
        "11:22:33:44:55:66," + client_mac,
        client_mac + ",11:22:33:44:55:66",
    )
    for mac_list in mac_lists:
        rules_clear()
        rule_append(create_rule_single_condition("SRC_MAC", mac_list))
        exit_code = remote_control.run_command("wget -q -O /dev/null -t 1 --timeout=3 http://test.untangle.com/")
        assert exit_code != 0
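def find_name_in_host_table(hostname='test'):
    """Tell whether the host table lists the client under the given username.

    Starts a background netcat connection from the client to
    test.untangle.com:80, waits two seconds, then prints and checks each
    host-table entry.

    Args:
        hostname: compared with each entry's 'username' field; the
            'hostname' field of the entries is not consulted.

    Returns:
        True if some entry has the client's address and that username,
        False otherwise.
    """
    remote_control.run_command("nohup netcat -d -4 test.untangle.com 80 >/dev/null 2>&1", stdout=False, nowait=True)
    found_test_session = False
    try:
        # since we launched netcat in background, give it a second to establish connection
        time.sleep(2)
        host_list = uvmContext.hostTable().getHosts()
        # find the entry that belongs to the netcat connection
        for host in host_list['list']:
            print(host)
            same_address = host['address'] == remote_control.client_ip
            if same_address and host['username'] == hostname:
                found_test_session = True
                break
    finally:
        # Runs on the error path as well, so a failed RPC or a missing key
        # does not leave the background netcat running. pkill selects by
        # name and therefore ends every netcat on the client.
        remote_control.run_command("pkill netcat")
    return found_test_session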
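def test_040_localCaptivePortalToSecondRack(self):
    """Check that logging in through the captive portal selects the second rack.

    The test enables the first capture rule with local-directory basic
    login, creates the test user, blanks the client's stored username,
    installs a USERNAME "[authenticated]" policy rule, and then walks
    through: login page shown, login accepted, username recorded in the
    host table, neither test page nor login page served, logout accepted.

    Teardown runs in ``finally``: without it a failing assertion would leave
    the capture rule active and the test account (whose password is in this
    file) in the local directory.
    """
    global defaultRackCaptivePortal
    remote_control.run_command("rm -f /tmp/policy_test_040*")
    defaultRackCaptivePortal = uvmContext.appManager().instantiate(
        "captive-portal", default_policy_id)
    assert defaultRackCaptivePortal is not None
    try:
        defaultRackCaptivePortalData = defaultRackCaptivePortal.getSettings()
        # turn default capture rule on and basic login
        defaultRackCaptivePortalData['captureRules']['list'][0]['enabled'] = True
        defaultRackCaptivePortalData['authenticationType'] = "LOCAL_DIRECTORY"
        defaultRackCaptivePortalData['pageType'] = "BASIC_LOGIN"
        defaultRackCaptivePortal.setSettings(defaultRackCaptivePortalData)

        # Create local directory user 'test20'
        uvmContext.localDirectory().setUsers(createLocalDirectoryUser())

        # check host table and remove username for host IP
        userHost = uvmContext.hostTable().getHostTableEntry(
            remote_control.client_ip)
        userHost['username'] = ""
        userHost['usernameCaptivePortal'] = ""
        uvmContext.hostTable().setHostTableEntry(remote_control.client_ip,
                                                 userHost)

        nukeRules()
        appendRule(
            createPolicySingleConditionRule("USERNAME", "[authenticated]",
                                            secondRackId))

        # check that basic captive page is shown
        result = remote_control.run_command(
            "wget -4 -t 2 --timeout=5 -a /tmp/policy_test_040.log -O /tmp/policy_test_040.out http://www.google.com/"
        )
        assert result == 0
        search = remote_control.run_command(
            "grep -q 'username and password' /tmp/policy_test_040.out")
        assert search == 0

        # check if local directory login and password works
        ipfind = remote_control.run_command(
            "grep 'Location' /tmp/policy_test_040.log", stdout=True)
        # Only digits, dots and colons can match, which keeps the value safe
        # to concatenate into the shell commands that follow.
        ip = re.findall(
            r'[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}(?:[0-9:]{0,6})',
            ipfind)
        # An empty match list used to surface as a bare IndexError.
        assert ip, "no capture address found in the wget Location header"
        captureIP = ip[0]
        print('Capture IP address is %s' % captureIP)
        appid = str(defaultRackCaptivePortal.getAppSettings()["id"])
        # Username and password are sent as query parameters over plain
        # HTTP; both are fixed values for the disposable test account.
        # NOTE(review): the nonce is hard-coded, so nonce checking is not
        # exercised by this request - confirm it is tested elsewhere.
        result = remote_control.run_command(
            "wget -q -O /dev/null -t 2 --timeout=5 \'http://" + captureIP +
            "/capture/handler.py/authpost?username=test20&password=passwd&nonce=9abd7f2eb5ecd82b&method=GET&appid="
            + appid + "&host=" + captureIP + "&uri=/\'")
        assert result == 0

        # verify the username is assigned to the IP
        userHost = uvmContext.hostTable().getHostTableEntry(
            remote_control.client_ip)
        assert userHost['username'] == "test20"

        # firewall on rack 2 is blocking all, we should not get the test.untangle.com page
        # NOTE(review): -O appears twice in this command; the greps below
        # depend on wget using the later path - confirm. The exit status of
        # this fetch is not asserted.
        remote_control.run_command(
            "wget -q -O /dev/null -4 -t 2 --timeout=5 -a /tmp/policy_test_040a.log -O /tmp/policy_test_040a.out http://www.google.com/"
        )
        search = remote_control.run_command(
            "grep -q 'Hi!' /tmp/policy_test_040a.out")
        assert search != 0
        # Or the captive page
        search = remote_control.run_command(
            "grep -q 'username and password' /tmp/policy_test_040a.out")
        assert search != 0

        # Logout
        result = remote_control.run_command(
            "wget -q -O /dev/null -4 -t 2 --timeout=5 -a /tmp/policy_test_040b.log -O /tmp/policy_test_040b.out http://"
            + captureIP + "/capture/logout")
        assert result == 0
        search = remote_control.run_command(
            "grep -q 'logged out' /tmp/policy_test_040b.out")
        assert search == 0
    finally:
        # remove captive portal and test user on every exit path
        try:
            uvmContext.localDirectory().setUsers(removeLocalDirectoryUser())
        finally:
            uvmContext.appManager().destroy(
                defaultRackCaptivePortal.getAppSettings()["id"])
            defaultRackCaptivePortal = None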
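def test_061_user_quota(self):
    """Check that a user exceeding their quota is throttled and that events are logged.

    The client's short hostname is written into the host table as its
    directory-connector username. A baseline speed is measured, one rule
    grants the user a small quota, another sets priority 7 once it is
    exceeded, and a 1 MB download uses the quota up. After the accounting
    interval the speed is measured again and must be below
    ``baseline * limited_acceptance_ratio``. Quota events for the username
    and prioritisation events for the client are then looked up.

    Raises:
        unittest.SkipTest: when only quick tests were requested.
    """
    if runtests.quick_tests_only:
        raise unittest.SkipTest('Skipping a time consuming test')
    nuke_rules(self._app)
    priority_level = 7  # Severely Limited
    given_quota = 10000  # 10k

    # Set this host's username
    username = remote_control.run_command("hostname -s", stdout=True)
    entry = uvmContext.hostTable().getHostTableEntry(remote_control.client_ip)
    entry['usernameDirectoryConnector'] = username
    uvmContext.hostTable().setHostTableEntry(remote_control.client_ip, entry)

    try:
        # Remove any existing quota
        uvmContext.userTable().removeQuota(username)

        # Record average speed without bandwidth control configured
        wget_speed_pre = global_functions.get_download_speed(
            download_server=target_server)

        # Create rule to give quota
        append_rule(
            self._app,
            create_quota_rule("USER_HAS_NO_QUOTA", "true", "GIVE_USER_QUOTA",
                              given_quota))
        # Create penalty for exceeding quota
        append_rule(
            self._app,
            create_single_condition_rule("USER_QUOTA_EXCEEDED", "true",
                                         "SET_PRIORITY", priority_level))

        # Download the file so quota is exceeded
        global_functions.get_download_speed(download_server=target_server,
                                            meg=1)

        # quota accounting occurs every 60 seconds, so we must wait at least 60 seconds
        time.sleep(60)

        # Download file and record the average speed at which it was downloaded
        wget_speed_post = global_functions.get_download_speed(
            download_server=target_server)
    finally:
        # Undo the quota and the injected username even when a download or
        # RPC call failed, so later tests do not see this host as that user.
        try:
            uvmContext.userTable().removeQuota(username)
        finally:
            entry['usernameDirectoryConnector'] = None
            uvmContext.hostTable().setHostTableEntry(remote_control.client_ip,
                                                     entry)

    # Both measurements must be usable. The original asserted the post value
    # twice and never checked the baseline; the check also comes before
    # print_results, which does arithmetic on the baseline.
    assert wget_speed_pre and wget_speed_post
    print_results(wget_speed_pre, wget_speed_post, wget_speed_pre * 0.1,
                  wget_speed_pre * limited_acceptance_ratio)
    assert wget_speed_pre * limited_acceptance_ratio > wget_speed_post

    events = global_functions.get_events('Bandwidth Control', 'Quota Events',
                                         None, 5)
    assert events is not None
    found = global_functions.check_events(
        events.get('list'), 5,
        "action", 1,  # quota given
        "size", given_quota,
        "entity", username)
    assert found
    found = global_functions.check_events(
        events.get('list'), 5,
        "action", 2,  # quota exceeded
        "entity", username)
    assert found

    events = global_functions.get_events('Bandwidth Control',
                                         'Prioritized Sessions', None, 5)
    assert events is not None
    found = global_functions.check_events(events.get('list'), 5,
                                          "bandwidth_control_priority",
                                          priority_level, "c_client_addr",
                                          remote_control.client_ip)
    assert found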