class TestClientAuth(TestCase): def setUp(self): self.port = VALID_PORT config = NuauthConf() # Userdb self.user = PlaintextUser("visiteur", "nopassword", 42, 42) self.userdb = PlaintextUserDB() self.userdb.addUser(self.user) self.userdb.install(config) self.acls = PlaintextAcl() self.acls.addAcl("web", self.port, self.user.gid) self.acls.install(config) # Load nuauth config["nuauth_do_ip_authentication"] = '1' config["nuauth_ip_authentication_module"] = '"ipauth_guest"' config["ipauth_guest_username"] = '******' % self.user.login self.nuauth = Nuauth(config) self.iptables = Iptables() self.nufw = startNufw() def tearDown(self): self.acls.desinstall() self.userdb.desinstall() self.nuauth.stop() self.iptables.flush() def testValid(self): self.iptables.filterTcp(self.port) self.assertEqual(connectTcp(HOST, self.port, TIMEOUT), True)
class TestClientAuth(TestCase): def setUp(self): self.port = VALID_PORT self.mark = 1 self.shift = 8 config = NuauthConf() # Userdb self.user = PlaintextUser("guest", "nopassword", 42, 42) self.userdb = PlaintextUserDB() self.userdb.addUser(self.user) self.userdb.install(config) self.acls = PlaintextAcl() self.acls.addAcl("port", self.port, self.user.gid, flags=(self.mark << self.shift)) self.acls.install(config) # Load nuauth config["nuauth_finalize_packet_module"] = '"mark_flag"' config["mark_flag_mark_shift"] = 0 config["mark_flag_flag_shift"] = self.shift config["mark_flag_nbits"] = 16 self.nuauth = Nuauth(config) self.iptables = Iptables() self.nufw = startNufw(["-m"]) self.client = self.user.createClientWithCerts() def tearDown(self): self.acls.desinstall() self.userdb.desinstall() self.client.stop() self.nuauth.stop() self.iptables.flush() def testValid(self): # Connect client and filter port self.assert_(connectClient(self.client)) self.iptables.filterTcp(self.port) # Test connection without QoS (accept) self.assertEqual(connectTcp(HOST, self.port, TIMEOUT), True) # Test connection with QoS (drop) self.iptables.command( "-A POSTROUTING -t mangle -m mark --mark %s -j DROP" % self.mark) self.assertEqual(connectTcp(HOST, self.port, TIMEOUT), False)
class TestClientAuth(TestCase): def setUp(self): self.port = VALID_PORT self.mark = 1 self.shift = 8 config = NuauthConf() # Userdb self.user = PlaintextUser("guest", "nopassword", 42, 42) self.userdb = PlaintextUserDB() self.userdb.addUser(self.user) self.userdb.install(config) self.acls = PlaintextAcl() self.acls.addAcl("port", self.port, self.user.gid, flags=(self.mark << self.shift)) self.acls.install(config) # Load nuauth config["nuauth_finalize_packet_module"] = '"mark_flag"' config["mark_flag_mark_shift"] = 0 config["mark_flag_flag_shift"] = self.shift config["mark_flag_nbits"] = 16 self.nuauth = Nuauth(config) self.iptables = Iptables() self.nufw = startNufw(["-m"]) self.client = self.user.createClientWithCerts() def tearDown(self): self.acls.desinstall() self.userdb.desinstall() self.client.stop() self.nuauth.stop() self.iptables.flush() def testValid(self): # Connect client and filter port self.assert_(connectClient(self.client)) self.iptables.filterTcp(self.port) # Test connection without QoS (accept) self.assertEqual(connectTcp(HOST, self.port, TIMEOUT), True) # Test connection with QoS (drop) self.iptables.command("-A POSTROUTING -t mangle -m mark --mark %s -j DROP" % self.mark) self.assertEqual(connectTcp(HOST, self.port, TIMEOUT), False)
class TestTLSNufw(TestCase): def setUp(self): self.iptables = Iptables() self.port = VALID_PORT self.host = HOST self.cacert = abspath(config.get("test_cert", "cacert")) def startNuauth(self, dict_args=None): self.nuconfig = NuauthConf() self.nuconfig["nuauth_tls_request_cert"] = "2" self.nuconfig["nuauth_tls_crl"] = '"%s"' % abspath( config.get("test_cert", "crl")) if dict_args is None: dict_args = dict() for key in dict_args.keys(): self.nuconfig[key] = dict_args[key] self.nuauth = Nuauth(self.nuconfig) def tearDown(self): self.nuauth.stop() self.nuconfig.desinstall() self.iptables.flush() def connectNuauthNufw(self): # Open TCP connection just to connect nufw to nuauth self.iptables.filterTcp(self.port) connectTcp(HOST, self.port, 0.100) # nufw side # "TLS connection to nuauth can NOT be restored" def testNufwValidCert(self): self.startNuauth() self.nufw = startNufw() self.connectNuauthNufw() self.assert_(self.nufw_connection_is_established()) self.nufw.stop() self.nuauth.stop() def testNufwFQDNCheck(self): self.startNuauth() self.nufw = startNufw(["-d", "127.0.0.1"]) self.connectNuauthNufw() self.assert_(not self.nufw_connection_is_established()) self.nufw.stop() self.nufw = startNufw(["-d", "nuauth.inl.fr"]) self.connectNuauthNufw() self.assert_(self.nufw_connection_is_established()) self.nufw.stop() self.nuauth.stop() def testNufwIgnoreFQDNCheck(self): self.startNuauth() self.nufw = startNufw(["-d", "127.0.0.1"]) self.connectNuauthNufw() self.assert_(not self.nufw_connection_is_established()) self.nufw.stop() self.nufw = startNufw(["-d", "127.0.0.1", "-N"]) self.connectNuauthNufw() self.assert_(self.nufw_connection_is_established()) self.nufw.stop() self.nuauth.stop() def get_tls_cert_invalid(self): for line in self.nufw.readlines(total_timeout=TIMEOUT): if line.lower().find('certificate verification failed') >= 0: return True return False def testNufwInvalidCA(self): self.startNuauth() invalid_cacert = config.get("test_cert", "invalid_cacert") self.nufw = startNufw(["-a", invalid_cacert]) self.connectNuauthNufw() self.assert_(self.get_tls_cert_invalid()) self.nufw.stop() self.nuauth.stop() # If NuFW does not run under the strict mode, the provided certificates in svn # will be accepted and the client will be able to authenticate and then be # accepted by the firewall. This is what we want to check here def testNotStrictMode(self): self.startNuauth() self.nufw = startNufw(["-s"]) self.connectNuauthNufw() self.assert_(self.nufw_connection_is_established()) self.nufw.stop() self.nuauth.stop() def testStrictMode(self): self.startNuauth() self.nufw = startNufw() self.connectNuauthNufw() self.assert_(self.nufw_connection_is_established()) self.nufw.stop() self.nuauth.stop() def nufw_connection_is_established(self): if self.nufw.is_connected_to_nuauth: return True for line in self.nufw.readlines(total_timeout=TIMEOUT): if line.lower().find("tls connection to nuauth established") >= 0: return True if line.lower().find("tls connection to nuauth restored") >= 0: return True return False
class TestClientCert(TestCase): def setUp(self): self.iptables = Iptables() self.port = VALID_PORT self.host = HOST self.cacert = config.get("test_cert", "cacert") self.nuconfig = NuauthConf() self.nuconfig["nuauth_tls_auth_by_cert"] = "0" self.nuauth = Nuauth(self.nuconfig) def tearDown(self): self.nuauth.stop() self.nuconfig.desinstall() self.iptables.flush() def connectNuauthNufw(self): # Open TCP connection just to connect nufw to nuauth self.iptables.filterTcp(self.port) connectTcp(HOST, self.port, 0.100) # nufw side # "TLS connection to nuauth can NOT be restored" def testValidCert(self): self.nufw = startNufw() self.connectNuauthNufw() self.assert_(self.nufw_connection_is_established()) self.nufw.stop() def get_tls_cert_invalid(self): for line in self.nufw.readlines(total_timeout=TIMEOUT): if line.lower().find('certificate verification failed') >= 0: return True return False def testInvalidCert(self): invalid_cacert = config.get("test_cert", "invalid_cacert") self.nufw = startNufw(["-a", invalid_cacert]) self.connectNuauthNufw() self.assert_(self.get_tls_cert_invalid()) self.nufw.stop() # If NuFW does not run under the strict mode, the provided certificates in svn # will be accepted and the client will be able to authenticate and then be # accepted by the firewall. This is what we want to check here def testNotStrictMode(self): self.nufw = startNufw(["-s"]) self.connectNuauthNufw() self.assert_(self.nufw_connection_is_established()) self.nufw.stop() def testStrictMode(self): self.nufw = startNufw(["-d","127.0.0.1"]) self.connectNuauthNufw() self.assert_(not self.nufw_connection_is_established()) self.nufw.stop() def nufw_connection_is_established(self): if self.nufw.is_connected_to_nuauth: return True for line in self.nufw.readlines(total_timeout=TIMEOUT): if line.lower().find("tls connection to nuauth established") >= 0: return True if line.lower().find("tls connection to nuauth restored") >= 0: return True return False
class TestTLSNufw(TestCase): def setUp(self): self.iptables = Iptables() self.port = VALID_PORT self.host = HOST self.cacert = abspath(config.get("test_cert", "cacert")) def startNuauth(self, dict_args=None): self.nuconfig = NuauthConf() self.nuconfig["nuauth_tls_request_cert"] = "2" self.nuconfig["nuauth_tls_crl"] = '"%s"' % abspath(config.get("test_cert", "crl")) if dict_args is None: dict_args = dict() for key in dict_args.keys(): self.nuconfig[key] = dict_args[key] self.nuauth = Nuauth(self.nuconfig) def tearDown(self): self.nuauth.stop() self.nuconfig.desinstall() self.iptables.flush() def connectNuauthNufw(self): # Open TCP connection just to connect nufw to nuauth self.iptables.filterTcp(self.port) connectTcp(HOST, self.port, 0.100) # nufw side # "TLS connection to nuauth can NOT be restored" def testNufwValidCert(self): self.startNuauth() self.nufw = startNufw() self.connectNuauthNufw() self.assert_(self.nufw_connection_is_established()) self.nufw.stop() self.nuauth.stop() def testNufwFQDNCheck(self): self.startNuauth() self.nufw = startNufw(["-d", "127.0.0.1"]) self.connectNuauthNufw() self.assert_(not self.nufw_connection_is_established()) self.nufw.stop() self.nufw = startNufw(["-d", "nuauth.inl.fr"]) self.connectNuauthNufw() self.assert_(self.nufw_connection_is_established()) self.nufw.stop() self.nuauth.stop() def testNufwIgnoreFQDNCheck(self): self.startNuauth() self.nufw = startNufw(["-d", "127.0.0.1"]) self.connectNuauthNufw() self.assert_(not self.nufw_connection_is_established()) self.nufw.stop() self.nufw = startNufw(["-d", "127.0.0.1", "-N"]) self.connectNuauthNufw() self.assert_(self.nufw_connection_is_established()) self.nufw.stop() self.nuauth.stop() def get_tls_cert_invalid(self): for line in self.nufw.readlines(total_timeout=TIMEOUT): if line.lower().find("certificate verification failed") >= 0: return True return False def testNufwInvalidCA(self): self.startNuauth() invalid_cacert = config.get("test_cert", "invalid_cacert") self.nufw = startNufw(["-a", invalid_cacert]) self.connectNuauthNufw() self.assert_(self.get_tls_cert_invalid()) self.nufw.stop() self.nuauth.stop() # If NuFW does not run under the strict mode, the provided certificates in svn # will be accepted and the client will be able to authenticate and then be # accepted by the firewall. This is what we want to check here def testNotStrictMode(self): self.startNuauth() self.nufw = startNufw(["-s"]) self.connectNuauthNufw() self.assert_(self.nufw_connection_is_established()) self.nufw.stop() self.nuauth.stop() def testStrictMode(self): self.startNuauth() self.nufw = startNufw() self.connectNuauthNufw() self.assert_(self.nufw_connection_is_established()) self.nufw.stop() self.nuauth.stop() def nufw_connection_is_established(self): if self.nufw.is_connected_to_nuauth: return True for line in self.nufw.readlines(total_timeout=TIMEOUT): if line.lower().find("tls connection to nuauth established") >= 0: return True if line.lower().find("tls connection to nuauth restored") >= 0: return True return False