class TestClientAuth(TestCase): def setUp(self): self.port = VALID_PORT config = NuauthConf() # Userdb self.user = PlaintextUser("visiteur", "nopassword", 42, 42) self.userdb = PlaintextUserDB() self.userdb.addUser(self.user) self.userdb.install(config) self.acls = PlaintextAcl() self.acls.addAcl("web", self.port, self.user.gid) self.acls.install(config) # Load nuauth config["nuauth_do_ip_authentication"] = '1' config["nuauth_ip_authentication_module"] = '"ipauth_guest"' config["ipauth_guest_username"] = '******' % self.user.login self.nuauth = Nuauth(config) self.iptables = Iptables() self.nufw = startNufw() def tearDown(self): self.acls.desinstall() self.userdb.desinstall() self.nuauth.stop() self.iptables.flush() def testValid(self): self.iptables.filterTcp(self.port) self.assertEqual(connectTcp(HOST, self.port, TIMEOUT), True)
class TestConntrack(TestCase): def setUp(self): self.dst_host = socket.gethostbyname(HOST) self.config = NuauthConf() self.acls = PlaintextAcl() self.acls.addAclFull("web", self.dst_host, VALID_PORT, USERDB[0].gid, 1, period="10 secs") self.acls.install(self.config) self.period = PlainPeriodXML() self.period.addPeriod(Period("10 secs", duration=10)) self.period.install(self.config) self.users = USERDB self.users.install(self.config) self.nuauth = Nuauth(self.config) self.nufw = startNufw() self.iptables = Iptables() self.iptables.flush() self.iptables.command("-I OUTPUT -d %s -p tcp --dport 80 --syn -m state --state NEW -j NFQUEUE" % self.dst_host) self.iptables.command("-I OUTPUT -d %s -p tcp --dport 80 ! --syn -m state --state NEW -j DROP" % self.dst_host) def tearDown(self): self.nuauth.stop() self.users.desinstall() self.acls.desinstall() self.period.desinstall() def testConnShutdown(self): user = USERDB[0] client = user.createClient() self.assert_(connectClient(client)) start = time.time() conn = socket.socket(socket.AF_INET, socket.SOCK_STREAM) conn.connect((self.dst_host, VALID_PORT)) src_port = conn.getsockname()[1] ct_before = len(get_conntrack_conn(src_port, self.dst_host, VALID_PORT)) ## Check that only one connection is opened to self.assert_(ct_before == 1) ## The connection should be killed 10 seconds after being opened time.sleep(15) ## Check that only one connection is opened to ct_after = len(get_conntrack_conn(src_port, self.dst_host, VALID_PORT)) self.assert_(ct_after == 0) conn.close() client.stop()
class TestConntrack(TestCase): def setUp(self): self.dst_host = socket.gethostbyname(HOST) self.config = NuauthConf() self.acls = PlaintextAcl() self.acls.addAclFull("web", self.dst_host, VALID_PORT, USERDB[0].gid, 1, period='10 secs' ) self.acls.install(self.config) self.period = PlainPeriodXML() self.period.addPeriod(Period("10 secs", duration = 10)) self.period.install(self.config) self.users = USERDB self.users.install(self.config) self.nuauth = Nuauth(self.config) self.nufw = startNufw() self.iptables = Iptables() self.iptables.flush() self.iptables.command('-I OUTPUT -d %s -p tcp --dport 80 --syn -m state --state NEW -j NFQUEUE' % self.dst_host) self.iptables.command('-I OUTPUT -d %s -p tcp --dport 80 ! --syn -m state --state NEW -j DROP' % self.dst_host) def tearDown(self): self.nuauth.stop() self.users.desinstall() self.acls.desinstall() self.period.desinstall() def testConnShutdown(self): user = USERDB[0] client = user.createClient() self.assert_(connectClient(client)) start = time.time() conn = socket.socket(socket.AF_INET, socket.SOCK_STREAM) conn.connect((self.dst_host, VALID_PORT)) src_port = conn.getsockname()[1] ct_before = len(get_conntrack_conn(src_port, self.dst_host, VALID_PORT)) ## Check that only one connection is opened to self.assert_(ct_before == 1) ## The connection should be killed 10 seconds after being opened time.sleep(15) ## Check that only one connection is opened to ct_after = len(get_conntrack_conn(src_port, self.dst_host, VALID_PORT)) self.assert_(ct_after == 0) conn.close() client.stop()
class TestPlaintextAcl(TestCase): def setUp(self): self.iptables = Iptables() self.users = USERDB self.config = NuauthConf() self.config["xml_defs_periodfile"] = '"%s"' % os.path.abspath("../conf/periods.xml") self.acls = PlaintextAcl() # Start nuauth with new config self.users.install(self.config) self.nufw = startNufw(["-s"]) def tearDown(self): # Restore user DB and nuauth config self.users.desinstall() self.acls.desinstall() self.nuauth.stop() self.iptables.flush() def testPeriodDrop(self): self.acls.desinstall() self.acls = PlaintextAcl() if time.localtime().tm_hour >= 12: period = "0-12" else: period = "12-24" self.acls.addAcl("web", VALID_PORT, self.users[0].gid, 1, period=period ) self.acls.install(self.config) self.nuauth = Nuauth(self.config) user = self.users[0] client = user.createClientWithCerts() testPort(self, self.iptables, client, VALID_PORT, False) self.acls.desinstall() def testPeriodAccept(self): self.acls.desinstall() self.acls = PlaintextAcl() if time.localtime().tm_hour < 12: period = "0-12" else: period = "12-24" self.acls.addAcl("web", VALID_PORT, self.users[0].gid, 1, period=period) self.acls.install(self.config) self.nuauth = Nuauth(self.config) user = self.users[0] client = user.createClientWithCerts() testAllowPort(self, self.iptables, client) self.acls.desinstall()
class TestClientAuth(TestCase): def setUp(self): self.port = VALID_PORT self.mark = 1 self.shift = 8 config = NuauthConf() # Userdb self.user = PlaintextUser("guest", "nopassword", 42, 42) self.userdb = PlaintextUserDB() self.userdb.addUser(self.user) self.userdb.install(config) self.acls = PlaintextAcl() self.acls.addAcl("port", self.port, self.user.gid, flags=(self.mark << self.shift)) self.acls.install(config) # Load nuauth config["nuauth_finalize_packet_module"] = '"mark_flag"' config["mark_flag_mark_shift"] = 0 config["mark_flag_flag_shift"] = self.shift config["mark_flag_nbits"] = 16 self.nuauth = Nuauth(config) self.iptables = Iptables() self.nufw = startNufw(["-m"]) self.client = self.user.createClientWithCerts() def tearDown(self): self.acls.desinstall() self.userdb.desinstall() self.client.stop() self.nuauth.stop() self.iptables.flush() def testValid(self): # Connect client and filter port self.assert_(connectClient(self.client)) self.iptables.filterTcp(self.port) # Test connection without QoS (accept) self.assertEqual(connectTcp(HOST, self.port, TIMEOUT), True) # Test connection with QoS (drop) self.iptables.command( "-A POSTROUTING -t mangle -m mark --mark %s -j DROP" % self.mark) self.assertEqual(connectTcp(HOST, self.port, TIMEOUT), False)
class TestSYNACKignore(TestCase): def setUp(self): self.iptables = Iptables() self.iptables.command('-A OUTPUT -p tcp --sport %u -d %s --tcp-flags SYN,ACK SYN,ACK -j NFQUEUE' % (VALID_PORT, HOST)) config = NuauthConf() self.nuauth = Nuauth(config) self.nufw = startNufw() def tearDown(self): self.nuauth.stop() self.iptables.flush() def testsynack(self): # Create socket self.assertEqual(connectTcp(HOST, VALID_PORT, TIMEOUT), True)
class TestClientAuth(TestCase): def setUp(self): self.port = VALID_PORT self.mark = 1 self.shift = 8 config = NuauthConf() # Userdb self.user = PlaintextUser("guest", "nopassword", 42, 42) self.userdb = PlaintextUserDB() self.userdb.addUser(self.user) self.userdb.install(config) self.acls = PlaintextAcl() self.acls.addAcl("port", self.port, self.user.gid, flags=(self.mark << self.shift)) self.acls.install(config) # Load nuauth config["nuauth_finalize_packet_module"] = '"mark_flag"' config["mark_flag_mark_shift"] = 0 config["mark_flag_flag_shift"] = self.shift config["mark_flag_nbits"] = 16 self.nuauth = Nuauth(config) self.iptables = Iptables() self.nufw = startNufw(["-m"]) self.client = self.user.createClientWithCerts() def tearDown(self): self.acls.desinstall() self.userdb.desinstall() self.client.stop() self.nuauth.stop() self.iptables.flush() def testValid(self): # Connect client and filter port self.assert_(connectClient(self.client)) self.iptables.filterTcp(self.port) # Test connection without QoS (accept) self.assertEqual(connectTcp(HOST, self.port, TIMEOUT), True) # Test connection with QoS (drop) self.iptables.command("-A POSTROUTING -t mangle -m mark --mark %s -j DROP" % self.mark) self.assertEqual(connectTcp(HOST, self.port, TIMEOUT), False)
class TestSYNACKignore(TestCase): def setUp(self): self.iptables = Iptables() self.iptables.command( '-A OUTPUT -p tcp --sport %u -d %s --tcp-flags SYN,ACK SYN,ACK -j NFQUEUE' % (VALID_PORT, HOST)) config = NuauthConf() self.nuauth = Nuauth(config) self.nufw = startNufw() def tearDown(self): self.nuauth.stop() self.iptables.flush() def testsynack(self): # Create socket self.assertEqual(connectTcp(HOST, VALID_PORT, TIMEOUT), True)
class TestICMPReject(TestCase): def setUp(self): self.iptables = Iptables() self.users = USERDB self.acls = PlaintextAcl() self.acls.addAcl("web", VALID_PORT, self.users[0].gid + 1) self.config = NuauthConf() self.config["nuauth_packet_timeout"] = "1" self.users.install(self.config) self.acls.install(self.config) self.nufw = startNufw(["-s"]) def tearDown(self): # Restore user DB and nuauth config self.users.desinstall() self.acls.desinstall() self.nuauth.stop() self.iptables.flush() def testDrop(self): self.config["nuauth_reject_after_timeout"] = "0" self.config["nuauth_reject_authenticated_drop"] = "0" self.nuauth = Nuauth(self.config) user = self.users[0] client = user.createClientWithCerts() testPortFailure(self, self.iptables, client, VALID_PORT, ETIMEDOUT) client.stop() def testRejectTimedout(self): self.config["nuauth_reject_after_timeout"] = "1" self.config["nuauth_reject_authenticated_drop"] = "0" self.nuauth = Nuauth(self.config) testPortFailure(self, self.iptables, None, VALID_PORT, ECONNREFUSED) def testRejectAuthenticated(self): self.config["nuauth_reject_after_timeout"] = 0 self.config["nuauth_reject_authenticated_drop"] = 1 self.nuauth = Nuauth(self.config) user = self.users[0] client = user.createClientWithCerts() testPortFailure(self, self.iptables, client, VALID_PORT, ECONNREFUSED) client.stop()
class TestICMPReject(TestCase): def setUp(self): self.iptables = Iptables() self.users = USERDB self.acls = PlaintextAcl() self.acls.addAcl("web", VALID_PORT, self.users[0].gid+1) self.config = NuauthConf() self.config["nuauth_packet_timeout"] = "1" self.users.install(self.config) self.acls.install(self.config) self.nufw = startNufw(["-s"]) def tearDown(self): # Restore user DB and nuauth config self.users.desinstall() self.acls.desinstall() self.nuauth.stop() self.iptables.flush() def testDrop(self): self.config["nuauth_reject_after_timeout"] = "0" self.config["nuauth_reject_authenticated_drop"] = "0" self.nuauth = Nuauth(self.config) user = self.users[0] client = user.createClientWithCerts() testPortFailure(self, self.iptables, client, VALID_PORT, ETIMEDOUT) client.stop() def testRejectTimedout(self): self.config["nuauth_reject_after_timeout"] = "1" self.config["nuauth_reject_authenticated_drop"] = "0" self.nuauth = Nuauth(self.config) testPortFailure(self, self.iptables, None, VALID_PORT, ECONNREFUSED) def testRejectAuthenticated(self): self.config["nuauth_reject_after_timeout"] = 0 self.config["nuauth_reject_authenticated_drop"] = 1 self.nuauth = Nuauth(self.config) user = self.users[0] client = user.createClientWithCerts() testPortFailure(self, self.iptables, client, VALID_PORT, ECONNREFUSED) client.stop()
class MysqlLogPacket(MysqlLog): def setUp(self): self.iptables = Iptables() MysqlLog.setUp(self) def tearDown(self): MysqlLog.tearDown(self) self.iptables.flush() def testFilter(self): """ User logs in, opens an authenticated connection, and closes the connection. Make sure that MySQL records the connection, only once, with the right parameters. """ client = self.user.createClientWithCerts() time_before = int(time()) timestamp_before = datetime_before() # Open allowed port testAllowPort(self, self.iptables, client) # Query DB if not POSTGRESQL: timestamp_field = "timestamp, " else: timestamp_field = "" sql = \ "SELECT username, user_id, client_os, client_app, " \ "tcp_dport, ip_saddr, ip_daddr, oob_time_sec, ip_protocol, " \ "%sstart_timestamp, end_timestamp, oob_prefix " \ "FROM %s WHERE oob_time_sec >= %s AND state=1;" \ % (timestamp_field, DB_PACKET_TABLE, time_before) # Do the query for when in retry(timeout=QUERY_TIMEOUT): cursor = self.query(sql) if cursor.rowcount: break # Read result row = self.fetchone(cursor) timestamp_after = datetime_after() self.assertEqual(cursor.rowcount, 1) if POSTGRESQL: (username, user_id, client_os, client_app, tcp_dport, ip_saddr, ip_daddr, oob_time_sec, ip_protocol, start_timestamp, end_timestamp, oob_prefix) = row else: (username, user_id, client_os, client_app, tcp_dport, ip_saddr, ip_daddr, oob_time_sec, ip_protocol, timestamp, start_timestamp, end_timestamp, oob_prefix) = row # Check values self.assertEqual(username, client.username) self.assertEqual(user_id, self.user.uid) self.assertEqual(client_os, CLIENT_OS) self.assertEqual(client_app, CLIENT_APP) self.assertEqual(tcp_dport, VALID_PORT) self.assertEqual(IP(ip_saddr), client.ip) self.assert_(timestamp_before <= datetime.fromtimestamp(oob_time_sec) <= timestamp_after) if not POSTGRESQL: self.assert_(timestamp and timestamp_before <= timestamp <= timestamp_after) self.assertEqual(ip_protocol, 6) self.assertEqual(oob_prefix, OOB_PREFIX)
class TestAcl(object): def setUp(self): self.iptables = Iptables() self.users = USERDB self.host = HOST self.config = NuauthConf() self.acls = self.func_acls() # Start nuauth with new config self.users.install(self.config) self.nufw = startNufw(["-s"]) def tearDown(self): # Restore user DB and nuauth config self.users.desinstall() self.nuauth.stop() self.iptables.flush() self.acls.desinstall() def testFilterByGroup(self): self.acls.addAclFull("Web group", self.host, VALID_PORT, self.users[0].gid) self.acls.install(self.config) self.nuauth = Nuauth(self.config) user = self.users[0] client = user.createClientWithCerts() testAllowPort(self, self.iptables, client, self.host) testDisallowPort(self, self.iptables, client, self.host) self.acls.desinstall() def testFilterByUser(self): self.acls.addAclPerUid("Web user", self.host, VALID_PORT, self.users[0].uid) self.acls.install(self.config) self.nuauth = Nuauth(self.config) user = self.users[0] client = user.createClientWithCerts() testAllowPort(self, self.iptables, client, self.host) testDisallowPort(self, self.iptables, client, self.host) self.acls.desinstall() def testValidApplication(self): self.acls.addAclFull("application", self.host, VALID_PORT, self.users[0].gid, App=APPLICATION) self.acls.install(self.config) self.nuauth = Nuauth(self.config) user = self.users[0] client = user.createClientWithCerts() testAllowPort(self, self.iptables, client, self.host) self.acls.desinstall() def testInvalidApplication(self): self.acls.addAclFull("application", self.host, VALID_PORT, self.users[0].gid, App=APPLICATION+"xxx") self.acls.install(self.config) self.nuauth = Nuauth(self.config) user = self.users[0] client = user.createClientWithCerts() testAllowPort(self, self.iptables, client, self.host, allow=False) self.acls.desinstall() def testValidOS(self): self.acls.addAclFull("application", self.host, VALID_PORT, self.users[0].gid, OS=OS_FULL) self.acls.install(self.config) self.nuauth = Nuauth(self.config) user = self.users[0] client = user.createClientWithCerts() testAllowPort(self, self.iptables, client, self.host) self.acls.desinstall() def testInvalidOS(self): self.acls.addAclFull("application", self.host, VALID_PORT, self.users[0].gid, OS=OS_NAME+"xxx") self.acls.install(self.config) self.nuauth = Nuauth(self.config) user = self.users[0] client = user.createClientWithCerts() testAllowPort(self, self.iptables, client, self.host, allow=False) self.acls.desinstall() def testOutdevOk(self): self.acls.addAclFull("outdev test", self.host, VALID_PORT, self.users[0].gid, outdev = IFACE) self.acls.install(self.config) self.nuauth = Nuauth(self.config) user = self.users[0] client = user.createClientWithCerts() testAllowPort(self, self.iptables, client, self.host) self.acls.desinstall() def testOutdevNOK(self): self.acls.addAclFull("outdev test", self.host, VALID_PORT, self.users[0].gid, outdev = "bad0") self.acls.install(self.config) self.nuauth = Nuauth(self.config) user = self.users[0] client = user.createClientWithCerts() testAllowPort(self, self.iptables, client, self.host, allow=False) self.acls.desinstall()
class TestTLSNufw(TestCase): def setUp(self): self.iptables = Iptables() self.port = VALID_PORT self.host = HOST self.cacert = abspath(config.get("test_cert", "cacert")) def startNuauth(self, dict_args=None): self.nuconfig = NuauthConf() self.nuconfig["nuauth_tls_request_cert"] = "2" self.nuconfig["nuauth_tls_crl"] = '"%s"' % abspath( config.get("test_cert", "crl")) if dict_args is None: dict_args = dict() for key in dict_args.keys(): self.nuconfig[key] = dict_args[key] self.nuauth = Nuauth(self.nuconfig) def tearDown(self): self.nuauth.stop() self.nuconfig.desinstall() self.iptables.flush() def connectNuauthNufw(self): # Open TCP connection just to connect nufw to nuauth self.iptables.filterTcp(self.port) connectTcp(HOST, self.port, 0.100) # nufw side # "TLS connection to nuauth can NOT be restored" def testNufwValidCert(self): self.startNuauth() self.nufw = startNufw() self.connectNuauthNufw() self.assert_(self.nufw_connection_is_established()) self.nufw.stop() self.nuauth.stop() def testNufwFQDNCheck(self): self.startNuauth() self.nufw = startNufw(["-d", "127.0.0.1"]) self.connectNuauthNufw() self.assert_(not self.nufw_connection_is_established()) self.nufw.stop() self.nufw = startNufw(["-d", "nuauth.inl.fr"]) self.connectNuauthNufw() self.assert_(self.nufw_connection_is_established()) self.nufw.stop() self.nuauth.stop() def testNufwIgnoreFQDNCheck(self): self.startNuauth() self.nufw = startNufw(["-d", "127.0.0.1"]) self.connectNuauthNufw() self.assert_(not self.nufw_connection_is_established()) self.nufw.stop() self.nufw = startNufw(["-d", "127.0.0.1", "-N"]) self.connectNuauthNufw() self.assert_(self.nufw_connection_is_established()) self.nufw.stop() self.nuauth.stop() def get_tls_cert_invalid(self): for line in self.nufw.readlines(total_timeout=TIMEOUT): if line.lower().find('certificate verification failed') >= 0: return True return False def testNufwInvalidCA(self): self.startNuauth() invalid_cacert = config.get("test_cert", "invalid_cacert") self.nufw = startNufw(["-a", invalid_cacert]) self.connectNuauthNufw() self.assert_(self.get_tls_cert_invalid()) self.nufw.stop() self.nuauth.stop() # If NuFW does not run under the strict mode, the provided certificates in svn # will be accepted and the client will be able to authenticate and then be # accepted by the firewall. This is what we want to check here def testNotStrictMode(self): self.startNuauth() self.nufw = startNufw(["-s"]) self.connectNuauthNufw() self.assert_(self.nufw_connection_is_established()) self.nufw.stop() self.nuauth.stop() def testStrictMode(self): self.startNuauth() self.nufw = startNufw() self.connectNuauthNufw() self.assert_(self.nufw_connection_is_established()) self.nufw.stop() self.nuauth.stop() def nufw_connection_is_established(self): if self.nufw.is_connected_to_nuauth: return True for line in self.nufw.readlines(total_timeout=TIMEOUT): if line.lower().find("tls connection to nuauth established") >= 0: return True if line.lower().find("tls connection to nuauth restored") >= 0: return True return False
class TestTLSNufw(TestCase): def setUp(self): self.iptables = Iptables() self.port = VALID_PORT self.host = HOST self.cacert = abspath(config.get("test_cert", "cacert")) def startNuauth(self, dict_args=None): self.nuconfig = NuauthConf() self.nuconfig["nuauth_tls_request_cert"] = "2" self.nuconfig["nuauth_tls_crl"] = '"%s"' % abspath(config.get("test_cert", "crl")) if dict_args is None: dict_args = dict() for key in dict_args.keys(): self.nuconfig[key] = dict_args[key] self.nuauth = Nuauth(self.nuconfig) def tearDown(self): self.nuauth.stop() self.nuconfig.desinstall() self.iptables.flush() def connectNuauthNufw(self): # Open TCP connection just to connect nufw to nuauth self.iptables.filterTcp(self.port) connectTcp(HOST, self.port, 0.100) # nufw side # "TLS connection to nuauth can NOT be restored" def testNufwValidCert(self): self.startNuauth() self.nufw = startNufw() self.connectNuauthNufw() self.assert_(self.nufw_connection_is_established()) self.nufw.stop() self.nuauth.stop() def testNufwFQDNCheck(self): self.startNuauth() self.nufw = startNufw(["-d", "127.0.0.1"]) self.connectNuauthNufw() self.assert_(not self.nufw_connection_is_established()) self.nufw.stop() self.nufw = startNufw(["-d", "nuauth.inl.fr"]) self.connectNuauthNufw() self.assert_(self.nufw_connection_is_established()) self.nufw.stop() self.nuauth.stop() def testNufwIgnoreFQDNCheck(self): self.startNuauth() self.nufw = startNufw(["-d", "127.0.0.1"]) self.connectNuauthNufw() self.assert_(not self.nufw_connection_is_established()) self.nufw.stop() self.nufw = startNufw(["-d", "127.0.0.1", "-N"]) self.connectNuauthNufw() self.assert_(self.nufw_connection_is_established()) self.nufw.stop() self.nuauth.stop() def get_tls_cert_invalid(self): for line in self.nufw.readlines(total_timeout=TIMEOUT): if line.lower().find("certificate verification failed") >= 0: return True return False def testNufwInvalidCA(self): self.startNuauth() invalid_cacert = config.get("test_cert", "invalid_cacert") self.nufw = startNufw(["-a", invalid_cacert]) self.connectNuauthNufw() self.assert_(self.get_tls_cert_invalid()) self.nufw.stop() self.nuauth.stop() # If NuFW does not run under the strict mode, the provided certificates in svn # will be accepted and the client will be able to authenticate and then be # accepted by the firewall. This is what we want to check here def testNotStrictMode(self): self.startNuauth() self.nufw = startNufw(["-s"]) self.connectNuauthNufw() self.assert_(self.nufw_connection_is_established()) self.nufw.stop() self.nuauth.stop() def testStrictMode(self): self.startNuauth() self.nufw = startNufw() self.connectNuauthNufw() self.assert_(self.nufw_connection_is_established()) self.nufw.stop() self.nuauth.stop() def nufw_connection_is_established(self): if self.nufw.is_connected_to_nuauth: return True for line in self.nufw.readlines(total_timeout=TIMEOUT): if line.lower().find("tls connection to nuauth established") >= 0: return True if line.lower().find("tls connection to nuauth restored") >= 0: return True return False
class TestPlaintextAcl(TestCase): def setUp(self): self.iptables = Iptables() self.users = USERDB self.config = NuauthConf() self.config["xml_defs_periodfile"] = '"%s"' % os.path.abspath( "../conf/periods.xml") self.acls = PlaintextAcl() # Start nuauth with new config self.users.install(self.config) self.nufw = startNufw(["-s"]) def tearDown(self): # Restore user DB and nuauth config self.users.desinstall() self.acls.desinstall() self.nuauth.stop() self.iptables.flush() def testPeriodDrop(self): self.acls.desinstall() self.acls = PlaintextAcl() if time.localtime().tm_hour >= 12: period = "0-12" else: period = "12-24" self.acls.addAcl("web", VALID_PORT, self.users[0].gid, 1, period=period) self.acls.install(self.config) self.nuauth = Nuauth(self.config) user = self.users[0] client = user.createClientWithCerts() testPort(self, self.iptables, client, VALID_PORT, False) self.acls.desinstall() def testPeriodAccept(self): self.acls.desinstall() self.acls = PlaintextAcl() if time.localtime().tm_hour < 12: period = "0-12" else: period = "12-24" self.acls.addAcl("web", VALID_PORT, self.users[0].gid, 1, period=period) self.acls.install(self.config) self.nuauth = Nuauth(self.config) user = self.users[0] client = user.createClientWithCerts() testAllowPort(self, self.iptables, client) self.acls.desinstall()
class TestClientCert(TestCase): def setUp(self): self.iptables = Iptables() self.port = VALID_PORT self.host = HOST self.cacert = config.get("test_cert", "cacert") self.nuconfig = NuauthConf() self.nuconfig["nuauth_tls_auth_by_cert"] = "0" self.nuauth = Nuauth(self.nuconfig) def tearDown(self): self.nuauth.stop() self.nuconfig.desinstall() self.iptables.flush() def connectNuauthNufw(self): # Open TCP connection just to connect nufw to nuauth self.iptables.filterTcp(self.port) connectTcp(HOST, self.port, 0.100) # nufw side # "TLS connection to nuauth can NOT be restored" def testValidCert(self): self.nufw = startNufw() self.connectNuauthNufw() self.assert_(self.nufw_connection_is_established()) self.nufw.stop() def get_tls_cert_invalid(self): for line in self.nufw.readlines(total_timeout=TIMEOUT): if line.lower().find('certificate verification failed') >= 0: return True return False def testInvalidCert(self): invalid_cacert = config.get("test_cert", "invalid_cacert") self.nufw = startNufw(["-a", invalid_cacert]) self.connectNuauthNufw() self.assert_(self.get_tls_cert_invalid()) self.nufw.stop() # If NuFW does not run under the strict mode, the provided certificates in svn # will be accepted and the client will be able to authenticate and then be # accepted by the firewall. This is what we want to check here def testNotStrictMode(self): self.nufw = startNufw(["-s"]) self.connectNuauthNufw() self.assert_(self.nufw_connection_is_established()) self.nufw.stop() def testStrictMode(self): self.nufw = startNufw(["-d","127.0.0.1"]) self.connectNuauthNufw() self.assert_(not self.nufw_connection_is_established()) self.nufw.stop() def nufw_connection_is_established(self): if self.nufw.is_connected_to_nuauth: return True for line in self.nufw.readlines(total_timeout=TIMEOUT): if line.lower().find("tls connection to nuauth established") >= 0: return True if line.lower().find("tls connection to nuauth restored") >= 0: return True return False