class TestLog(TestCase): def setUp(self): config = getNuauthConf() config["nuauth_tls_request_cert"] = "0" config["nuauth_user_logs_module"] = '"syslog"' config["nuauth_user_session_logs_module"] = '"syslog"' self.nuauth = Nuauth(config) def tearDown(self): self.nuauth.stop() def findLog(self, match): warning("Search string >%s< in log" % match) matched = False for line in self.nuauth.readlines(total_timeout=2.0): if match in line: return True return False def testLogin(self): # Client login client = createClientWithCerts() self.assert_(connectClient(client)) # Check log output self.assert_(self.findLog("[nuauth] User %s connect on " % client.username)) # Client logout client.stop() self.assert_(self.findLog("[nuauth] User %s disconnect on " % client.username))
class TestLog(TestCase): def setUp(self): config = getNuauthConf() config["nuauth_tls_request_cert"] = "0" config["nuauth_user_logs_module"] = '"syslog"' config["nuauth_user_session_logs_module"] = '"syslog"' self.nuauth = Nuauth(config) def tearDown(self): self.nuauth.stop() def findLog(self, match): warning("Search string >%s< in log" % match) matched = False for line in self.nuauth.readlines(total_timeout=2.0): if match in line: return True return False def testLogin(self): # Client login client = createClientWithCerts() self.assert_(connectClient(client)) # Check log output self.assert_( self.findLog("[nuauth] User %s connect on " % client.username)) # Client logout client.stop() self.assert_( self.findLog("[nuauth] User %s disconnect on " % client.username))
class TestPlaintextAuth(TestCase): def setUp(self): config = NuauthConf() self.users = USERDB self.users.install(config) self.nuauth = Nuauth(config) def tearDown(self): self.nuauth.stop() self.users.desinstall() def testUser1(self): user = USERDB[0] client = user.createClientWithCerts() self.assert_(connectClient(client)) client.stop() def testUser2(self): user = USERDB[1] client = user.createClientWithCerts() self.assert_(connectClient(client)) client.stop() def testInvalidLogin(self): user = USERDB[0] client = createClientWithCerts(user.login+"x", user.password) self.assert_(not connectClient(client)) client.stop() def testInvalidPass(self): user = USERDB[1] client = createClientWithCerts(user.login, user.password+"x") self.assert_(not connectClient(client)) client.stop()
class TestClientAuth(TestCase): def setUp(self): self.port = VALID_PORT config = NuauthConf() # Userdb self.user = PlaintextUser("visiteur", "nopassword", 42, 42) self.userdb = PlaintextUserDB() self.userdb.addUser(self.user) self.userdb.install(config) self.acls = PlaintextAcl() self.acls.addAcl("web", self.port, self.user.gid) self.acls.install(config) # Load nuauth config["nuauth_do_ip_authentication"] = '1' config["nuauth_ip_authentication_module"] = '"ipauth_guest"' config["ipauth_guest_username"] = '******' % self.user.login self.nuauth = Nuauth(config) self.iptables = Iptables() self.nufw = startNufw() def tearDown(self): self.acls.desinstall() self.userdb.desinstall() self.nuauth.stop() self.iptables.flush() def testValid(self): self.iptables.filterTcp(self.port) self.assertEqual(connectTcp(HOST, self.port, TIMEOUT), True)
class TestConntrack(TestCase): def setUp(self): self.dst_host = socket.gethostbyname(HOST) self.config = NuauthConf() self.acls = PlaintextAcl() self.acls.addAclFull("web", self.dst_host, VALID_PORT, USERDB[0].gid, 1, period="10 secs") self.acls.install(self.config) self.period = PlainPeriodXML() self.period.addPeriod(Period("10 secs", duration=10)) self.period.install(self.config) self.users = USERDB self.users.install(self.config) self.nuauth = Nuauth(self.config) self.nufw = startNufw() self.iptables = Iptables() self.iptables.flush() self.iptables.command("-I OUTPUT -d %s -p tcp --dport 80 --syn -m state --state NEW -j NFQUEUE" % self.dst_host) self.iptables.command("-I OUTPUT -d %s -p tcp --dport 80 ! --syn -m state --state NEW -j DROP" % self.dst_host) def tearDown(self): self.nuauth.stop() self.users.desinstall() self.acls.desinstall() self.period.desinstall() def testConnShutdown(self): user = USERDB[0] client = user.createClient() self.assert_(connectClient(client)) start = time.time() conn = socket.socket(socket.AF_INET, socket.SOCK_STREAM) conn.connect((self.dst_host, VALID_PORT)) src_port = conn.getsockname()[1] ct_before = len(get_conntrack_conn(src_port, self.dst_host, VALID_PORT)) ## Check that only one connection is opened to self.assert_(ct_before == 1) ## The connection should be killed 10 seconds after being opened time.sleep(15) ## Check that only one connection is opened to ct_after = len(get_conntrack_conn(src_port, self.dst_host, VALID_PORT)) self.assert_(ct_after == 0) conn.close() client.stop()
class TestConntrack(TestCase): def setUp(self): self.dst_host = socket.gethostbyname(HOST) self.config = NuauthConf() self.acls = PlaintextAcl() self.acls.addAclFull("web", self.dst_host, VALID_PORT, USERDB[0].gid, 1, period='10 secs' ) self.acls.install(self.config) self.period = PlainPeriodXML() self.period.addPeriod(Period("10 secs", duration = 10)) self.period.install(self.config) self.users = USERDB self.users.install(self.config) self.nuauth = Nuauth(self.config) self.nufw = startNufw() self.iptables = Iptables() self.iptables.flush() self.iptables.command('-I OUTPUT -d %s -p tcp --dport 80 --syn -m state --state NEW -j NFQUEUE' % self.dst_host) self.iptables.command('-I OUTPUT -d %s -p tcp --dport 80 ! --syn -m state --state NEW -j DROP' % self.dst_host) def tearDown(self): self.nuauth.stop() self.users.desinstall() self.acls.desinstall() self.period.desinstall() def testConnShutdown(self): user = USERDB[0] client = user.createClient() self.assert_(connectClient(client)) start = time.time() conn = socket.socket(socket.AF_INET, socket.SOCK_STREAM) conn.connect((self.dst_host, VALID_PORT)) src_port = conn.getsockname()[1] ct_before = len(get_conntrack_conn(src_port, self.dst_host, VALID_PORT)) ## Check that only one connection is opened to self.assert_(ct_before == 1) ## The connection should be killed 10 seconds after being opened time.sleep(15) ## Check that only one connection is opened to ct_after = len(get_conntrack_conn(src_port, self.dst_host, VALID_PORT)) self.assert_(ct_after == 0) conn.close() client.stop()
class TestClientCertAuth(TestCase): def setUp(self): self.nuconfig = NuauthConf() cacert = config.get("test_cert", "cacert") # Userdb self.user = PlaintextUser("user", "nopassword", 42, 42) self.userdb = PlaintextUserDB() self.userdb.addUser(self.user) self.userdb.install(self.nuconfig) # Server self.nuconfig["plaintext_userfile"] = '"%s"' % self.userdb.filename self.nuconfig["nuauth_tls_auth_by_cert"] = "2" self.nuconfig["nuauth_tls_request_cert"] = "2" self.nuconfig["nuauth_tls_cacert"] = '"%s"' % cacert self.nuconfig["nuauth_tls_key"] = '"%s"' % config.get( "test_cert", "nuauth_key") self.nuconfig["nuauth_tls_cert"] = '"%s"' % config.get( "test_cert", "nuauth_cert") self.nuauth = Nuauth(self.nuconfig) def tearDown(self): self.client.stop() self.nuauth.stop() self.userdb.desinstall() self.nuconfig.desinstall() def testValidCert(self): # Client cacert = config.get("test_cert", "cacert") cert = config.get("test_cert", "user_cert") key = config.get("test_cert", "user_key") args = ["-C", cert, "-K", key, "-A", cacert] self.client = self.user.createClient(more_args=args) self.client.password = "******" % self.user.password self.assert_(connectClient(self.client)) def testInvalidCert(self): # Expired certificate cacert = config.get("test_cert", "cacert") cert = config.get("test_cert", "user_invalid_cert") key = config.get("test_cert", "user_invalid_key") args = ["-C", cert, "-K", key, "-A", cacert] self.client = self.user.createClient(more_args=args) self.client.password = "******" % self.user.password self.assert_(not connectClient(self.client))
class TestClientCertAuth(TestCase): def setUp(self): self.nuconfig = NuauthConf() cacert = config.get("test_cert", "cacert") # Userdb self.user = PlaintextUser("user", "nopassword", 42, 42) self.userdb = PlaintextUserDB() self.userdb.addUser(self.user) self.userdb.install(self.nuconfig) # Server self.nuconfig["plaintext_userfile"] = '"%s"' % self.userdb.filename self.nuconfig["nuauth_tls_auth_by_cert"] = "2" self.nuconfig["nuauth_tls_request_cert"] = "2" self.nuconfig["nuauth_tls_cacert"] = '"%s"' % cacert self.nuconfig["nuauth_tls_key"] = '"%s"' % config.get("test_cert", "nuauth_key") self.nuconfig["nuauth_tls_cert"] = '"%s"' % config.get("test_cert", "nuauth_cert") self.nuauth = Nuauth(self.nuconfig) def tearDown(self): self.client.stop() self.nuauth.stop() self.userdb.desinstall() self.nuconfig.desinstall() def testValidCert(self): # Client cacert = config.get("test_cert", "cacert") cert = config.get("test_cert", "user_cert") key = config.get("test_cert", "user_key") args = ["-C", cert, "-K", key, "-A", cacert] self.client = self.user.createClient(more_args=args) self.client.password = "******" % self.user.password self.assert_(connectClient(self.client)) def testInvalidCert(self): # Expired certificate cacert = config.get("test_cert", "cacert") cert = config.get("test_cert", "user_invalid_cert") key = config.get("test_cert", "user_invalid_key") args = ["-C", cert, "-K", key, "-A", cacert] self.client = self.user.createClient(more_args=args) self.client.password = "******" % self.user.password self.assert_(not connectClient(self.client))
class TestClientAuth(TestCase): def setUp(self): self.port = VALID_PORT self.mark = 1 self.shift = 8 config = NuauthConf() # Userdb self.user = PlaintextUser("guest", "nopassword", 42, 42) self.userdb = PlaintextUserDB() self.userdb.addUser(self.user) self.userdb.install(config) self.acls = PlaintextAcl() self.acls.addAcl("port", self.port, self.user.gid, flags=(self.mark << self.shift)) self.acls.install(config) # Load nuauth config["nuauth_finalize_packet_module"] = '"mark_flag"' config["mark_flag_mark_shift"] = 0 config["mark_flag_flag_shift"] = self.shift config["mark_flag_nbits"] = 16 self.nuauth = Nuauth(config) self.iptables = Iptables() self.nufw = startNufw(["-m"]) self.client = self.user.createClientWithCerts() def tearDown(self): self.acls.desinstall() self.userdb.desinstall() self.client.stop() self.nuauth.stop() self.iptables.flush() def testValid(self): # Connect client and filter port self.assert_(connectClient(self.client)) self.iptables.filterTcp(self.port) # Test connection without QoS (accept) self.assertEqual(connectTcp(HOST, self.port, TIMEOUT), True) # Test connection with QoS (drop) self.iptables.command( "-A POSTROUTING -t mangle -m mark --mark %s -j DROP" % self.mark) self.assertEqual(connectTcp(HOST, self.port, TIMEOUT), False)
class TestSYNACKignore(TestCase): def setUp(self): self.iptables = Iptables() self.iptables.command('-A OUTPUT -p tcp --sport %u -d %s --tcp-flags SYN,ACK SYN,ACK -j NFQUEUE' % (VALID_PORT, HOST)) config = NuauthConf() self.nuauth = Nuauth(config) self.nufw = startNufw() def tearDown(self): self.nuauth.stop() self.iptables.flush() def testsynack(self): # Create socket self.assertEqual(connectTcp(HOST, VALID_PORT, TIMEOUT), True)
class TestClientAuth(TestCase): def setUp(self): self.port = VALID_PORT self.mark = 1 self.shift = 8 config = NuauthConf() # Userdb self.user = PlaintextUser("guest", "nopassword", 42, 42) self.userdb = PlaintextUserDB() self.userdb.addUser(self.user) self.userdb.install(config) self.acls = PlaintextAcl() self.acls.addAcl("port", self.port, self.user.gid, flags=(self.mark << self.shift)) self.acls.install(config) # Load nuauth config["nuauth_finalize_packet_module"] = '"mark_flag"' config["mark_flag_mark_shift"] = 0 config["mark_flag_flag_shift"] = self.shift config["mark_flag_nbits"] = 16 self.nuauth = Nuauth(config) self.iptables = Iptables() self.nufw = startNufw(["-m"]) self.client = self.user.createClientWithCerts() def tearDown(self): self.acls.desinstall() self.userdb.desinstall() self.client.stop() self.nuauth.stop() self.iptables.flush() def testValid(self): # Connect client and filter port self.assert_(connectClient(self.client)) self.iptables.filterTcp(self.port) # Test connection without QoS (accept) self.assertEqual(connectTcp(HOST, self.port, TIMEOUT), True) # Test connection with QoS (drop) self.iptables.command("-A POSTROUTING -t mangle -m mark --mark %s -j DROP" % self.mark) self.assertEqual(connectTcp(HOST, self.port, TIMEOUT), False)
class TestSYNACKignore(TestCase): def setUp(self): self.iptables = Iptables() self.iptables.command( '-A OUTPUT -p tcp --sport %u -d %s --tcp-flags SYN,ACK SYN,ACK -j NFQUEUE' % (VALID_PORT, HOST)) config = NuauthConf() self.nuauth = Nuauth(config) self.nufw = startNufw() def tearDown(self): self.nuauth.stop() self.iptables.flush() def testsynack(self): # Create socket self.assertEqual(connectTcp(HOST, VALID_PORT, TIMEOUT), True)
class TestClientAuth(TestCase): def setUp(self): # Load nuauth nuconfig = NuauthConf() self.nuauth = Nuauth(nuconfig) # Create client self.client = createClientWithCerts() def tearDown(self): self.client.stop() self.nuauth.stop() def testValidPass(self): self.client.password = PASSWORD self.assert_(connectClient(self.client)) def testInvalidPass(self): self.client.password = "******" % PASSWORD self.assert_(not connectClient(self.client))
class TestClientCert(TestCase): def setUp(self): self.cacert = config.get("test_cert", "cacert") nuconfig = NuauthConf() nuconfig["nuauth_tls_auth_by_cert"] = "0" nuconfig["nuauth_tls_request_cert"] = "0" self.nuauth = Nuauth(nuconfig) def tearDown(self): self.client.stop() self.nuauth.stop() def testValidCert(self): self.client = createClient(more_args=["-A", self.cacert]) self.assert_(connectClient(self.client)) def testInvalidCert(self): cacert = config.get("test_cert", "invalid_cacert") self.client = createClient(more_args=["-A", cacert]) self.assert_(not connectClient(self.client))
class TestScript(TestCase): def setUp(self): # Prepare our new scripts self.script_up = ReplaceFile(SCRIPT_UP, SCRIPT % "UP", MODE) self.script_down = ReplaceFile(SCRIPT_DOWN, SCRIPT % "DOWN", MODE) self.script_up.install() self.script_down.install() # Create nuauth config = NuauthConf() config["nuauth_user_session_logs_module"] = '"script"' self.nuauth = Nuauth(config) def tearDown(self): # Restore scripts and nuauth config self.script_up.desinstall() self.script_down.desinstall() self.nuauth.stop() def checkScript(self, match): warning("checkScript(%r)" % match) for line in self.nuauth.readlines(total_timeout=2.0): if line == match: return True return False def testLogin(self): # Client login client = createClientWithCerts() self.assert_(connectClient(client)) # Check log output match = "SCRIPT UP COUNT=2 TEXT >>>%s %s<<<" \ % (client.username, client.ip) self.assert_(self.checkScript(match)) # Client logout client.stop() match = "SCRIPT DOWN COUNT=2 TEXT >>>%s %s<<<" \ % (client.username, client.ip) self.assert_(self.checkScript(match))
class TestSystem(TestCase): def setUp(self): # Start nuauth with our config nuconfig = NuauthConf() nuconfig["nuauth_user_check_module"] = '"system"' self.nuauth = Nuauth(nuconfig) def tearDown(self): # Restore user DB and nuauth config self.nuauth.stop() def testLogin(self): username = config.get("test_system", "username") password = config.get("test_system", "password") client = createClientWithCerts(username, password) self.assert_(connectClient(client)) client.stop() client = createClientWithCerts(username, "xxx%sxxx" % password) self.assert_(not connectClient(client)) client.stop()
class TestSessionExpire(TestCase): def setUp(self): self.expiration = DURATION self.host = HOST # Setup session_expire library nuconfig = NuauthConf() nuconfig['nuauth_user_session_modify_module']='"session_expire"' nuconfig['nuauth_session_duration'] = str(self.expiration) # Install temporary user database self.userdb = PlaintextUserDB() self.userdb.addUser( PlaintextUser(USERNAME, PASSWORD, 42, 42) ) self.userdb.install(nuconfig) self.acls = PlaintextAcl() # Start nuauth self.nuauth = Nuauth(nuconfig) # Create client self.client = createClientWithCerts() def tearDown(self): self.client.stop() self.acls.desinstall() self.nuauth.stop() def testExpire(self): self.assert_(connectClient(self.client)) sleep(self.expiration+DELAY) self.assert_(self.get_session_not_connected()) def get_session_not_connected(self): for line in self.client.readlines(total_timeout=TIMEOUT): if line.lower().find('session not connected') >= 0: return True return False
class TestSessionExpire(TestCase): def setUp(self): self.expiration = DURATION self.host = HOST # Setup session_expire library nuconfig = NuauthConf() nuconfig['nuauth_user_session_modify_module'] = '"session_expire"' nuconfig['nuauth_session_duration'] = str(self.expiration) # Install temporary user database self.userdb = PlaintextUserDB() self.userdb.addUser(PlaintextUser(USERNAME, PASSWORD, 42, 42)) self.userdb.install(nuconfig) self.acls = PlaintextAcl() # Start nuauth self.nuauth = Nuauth(nuconfig) # Create client self.client = createClientWithCerts() def tearDown(self): self.client.stop() self.acls.desinstall() self.nuauth.stop() def testExpire(self): self.assert_(connectClient(self.client)) sleep(self.expiration + DELAY) self.assert_(self.get_session_not_connected()) def get_session_not_connected(self): for line in self.client.readlines(total_timeout=TIMEOUT): if line.lower().find('session not connected') >= 0: return True return False
class TestTLSClient(TestCase): def startNuauth(self, dict_args=None): self.cacert = abspath(config.get("test_cert", "cacert")) self.nuconfig = NuauthConf() if dict_args is None: dict_args = dict() for key in dict_args.keys(): self.nuconfig[key] = dict_args[key] self.nuauth = Nuauth(self.nuconfig) def stopNuauth(self): self.nuauth.stop() def tearDown(self): #self.client.stop() pass def testClientFQDNCheck(self): self.startNuauth() client1 = createClient( more_args=["-H", "nuauth.inl.fr", "-A", self.cacert]) client2 = createClient( more_args=["-H", "localhost", "-A", self.cacert]) self.assert_(connectClient(client1)) self.assert_(not connectClient(client2)) client1.stop() client2.stop() self.stopNuauth() def testClientIgnoreFQDNCheck(self): self.startNuauth() client1 = createClient( more_args=["-H", "nuauth.inl.fr", "-A", self.cacert]) client2 = createClient( more_args=["-H", "localhost", "-A", self.cacert, "-N"]) self.assert_(connectClient(client1)) self.assert_(connectClient(client2)) client1.stop() client2.stop() self.stopNuauth() def testClientValidCA(self): self.startNuauth() client = createClient(more_args=["-A", self.cacert]) self.assert_(connectClient(client)) client.stop() self.stopNuauth() def testClientInvalidCA(self): self.startNuauth() cacert = config.get("test_cert", "invalid_cacert") client = createClient(more_args=["-A", cacert]) self.assert_(not connectClient(client)) client.stop() self.stopNuauth() def testClientValidCert(self): args = dict() args["nuauth_tls_request_cert"] = "2" self.startNuauth(args) tls_cert = abspath(config.get("test_cert", "user_cert")) tls_key = abspath(config.get("test_cert", "user_key")) client = createClient( more_args=["-A", self.cacert, "-C", tls_cert, "-K", tls_key]) self.assert_(connectClient(client)) client.stop() self.stopNuauth() def testClientInvalidCert(self): args = dict() args["nuauth_tls_request_cert"] = "2" self.startNuauth(args) cacert = config.get("test_cert", "invalid_cacert") tls_cert = abspath(config.get("test_cert", "user_invalid_cert")) tls_key = abspath(config.get("test_cert", "user_invalid_key")) client = createClient( more_args=["-A", self.cacert, "-C", tls_cert, "-K", tls_key]) self.assert_(not connectClient(client)) client.stop() self.stopNuauth() def testClientRevoked(self): args = dict() args["nuauth_tls_request_cert"] = "1" args["nuauth_tls_crl"] = '"%s"' % abspath( config.get("test_cert", "crl")) self.startNuauth(args) client1 = createClientWithCerts() self.assert_(connectClient(client1)) tls_cert = abspath(config.get("test_cert", "user_revoked_cert")) tls_key = abspath(config.get("test_cert", "user_revoked_key")) client2 = createClient( more_args=["-A", self.cacert, "-C", tls_cert, "-K", tls_key]) self.assert_(not connectClient(client2)) client1.stop() client2.stop() self.stopNuauth() def testClientExpired(self): self.startNuauth() client1 = createClientWithCerts() self.assert_(connectClient(client1)) tls_cert = abspath(config.get("test_cert", "user_expired_cert")) tls_key = abspath(config.get("test_cert", "user_expired_key")) client2 = createClient( more_args=["-A", self.cacert, "-C", tls_cert, "-K", tls_key]) self.assert_(not connectClient(client2)) client1.stop() client2.stop() self.stopNuauth() def testClientInvalidCRL(self): args = dict() args["nuauth_tls_request_cert"] = "2" self.startNuauth(args) invalid_crl = abspath(config.get("test_cert", "invalid_crl")) client = createClient(more_args=[ "-H", "nuauth.inl.fr", "-A", self.cacert, "-R", invalid_crl ]) self.assert_(not connectClient(client)) client.stop() self.stopNuauth()
class TestTLSNufw(TestCase): def setUp(self): self.iptables = Iptables() self.port = VALID_PORT self.host = HOST self.cacert = abspath(config.get("test_cert", "cacert")) def startNuauth(self, dict_args=None): self.nuconfig = NuauthConf() self.nuconfig["nuauth_tls_request_cert"] = "2" self.nuconfig["nuauth_tls_crl"] = '"%s"' % abspath( config.get("test_cert", "crl")) if dict_args is None: dict_args = dict() for key in dict_args.keys(): self.nuconfig[key] = dict_args[key] self.nuauth = Nuauth(self.nuconfig) def tearDown(self): self.nuauth.stop() self.nuconfig.desinstall() self.iptables.flush() def connectNuauthNufw(self): # Open TCP connection just to connect nufw to nuauth self.iptables.filterTcp(self.port) connectTcp(HOST, self.port, 0.100) # nufw side # "TLS connection to nuauth can NOT be restored" def testNufwValidCert(self): self.startNuauth() self.nufw = startNufw() self.connectNuauthNufw() self.assert_(self.nufw_connection_is_established()) self.nufw.stop() self.nuauth.stop() def testNufwFQDNCheck(self): self.startNuauth() self.nufw = startNufw(["-d", "127.0.0.1"]) self.connectNuauthNufw() self.assert_(not self.nufw_connection_is_established()) self.nufw.stop() self.nufw = startNufw(["-d", "nuauth.inl.fr"]) self.connectNuauthNufw() self.assert_(self.nufw_connection_is_established()) self.nufw.stop() self.nuauth.stop() def testNufwIgnoreFQDNCheck(self): self.startNuauth() self.nufw = startNufw(["-d", "127.0.0.1"]) self.connectNuauthNufw() self.assert_(not self.nufw_connection_is_established()) self.nufw.stop() self.nufw = startNufw(["-d", "127.0.0.1", "-N"]) self.connectNuauthNufw() self.assert_(self.nufw_connection_is_established()) self.nufw.stop() self.nuauth.stop() def get_tls_cert_invalid(self): for line in self.nufw.readlines(total_timeout=TIMEOUT): if line.lower().find('certificate verification failed') >= 0: return True return False def testNufwInvalidCA(self): self.startNuauth() invalid_cacert = config.get("test_cert", "invalid_cacert") self.nufw = startNufw(["-a", invalid_cacert]) self.connectNuauthNufw() self.assert_(self.get_tls_cert_invalid()) self.nufw.stop() self.nuauth.stop() # If NuFW does not run under the strict mode, the provided certificates in svn # will be accepted and the client will be able to authenticate and then be # accepted by the firewall. This is what we want to check here def testNotStrictMode(self): self.startNuauth() self.nufw = startNufw(["-s"]) self.connectNuauthNufw() self.assert_(self.nufw_connection_is_established()) self.nufw.stop() self.nuauth.stop() def testStrictMode(self): self.startNuauth() self.nufw = startNufw() self.connectNuauthNufw() self.assert_(self.nufw_connection_is_established()) self.nufw.stop() self.nuauth.stop() def nufw_connection_is_established(self): if self.nufw.is_connected_to_nuauth: return True for line in self.nufw.readlines(total_timeout=TIMEOUT): if line.lower().find("tls connection to nuauth established") >= 0: return True if line.lower().find("tls connection to nuauth restored") >= 0: return True return False
class TestTLSNufw(TestCase): def setUp(self): self.iptables = Iptables() self.port = VALID_PORT self.host = HOST self.cacert = abspath(config.get("test_cert", "cacert")) def startNuauth(self, dict_args=None): self.nuconfig = NuauthConf() self.nuconfig["nuauth_tls_request_cert"] = "2" self.nuconfig["nuauth_tls_crl"] = '"%s"' % abspath(config.get("test_cert", "crl")) if dict_args is None: dict_args = dict() for key in dict_args.keys(): self.nuconfig[key] = dict_args[key] self.nuauth = Nuauth(self.nuconfig) def tearDown(self): self.nuauth.stop() self.nuconfig.desinstall() self.iptables.flush() def connectNuauthNufw(self): # Open TCP connection just to connect nufw to nuauth self.iptables.filterTcp(self.port) connectTcp(HOST, self.port, 0.100) # nufw side # "TLS connection to nuauth can NOT be restored" def testNufwValidCert(self): self.startNuauth() self.nufw = startNufw() self.connectNuauthNufw() self.assert_(self.nufw_connection_is_established()) self.nufw.stop() self.nuauth.stop() def testNufwFQDNCheck(self): self.startNuauth() self.nufw = startNufw(["-d", "127.0.0.1"]) self.connectNuauthNufw() self.assert_(not self.nufw_connection_is_established()) self.nufw.stop() self.nufw = startNufw(["-d", "nuauth.inl.fr"]) self.connectNuauthNufw() self.assert_(self.nufw_connection_is_established()) self.nufw.stop() self.nuauth.stop() def testNufwIgnoreFQDNCheck(self): self.startNuauth() self.nufw = startNufw(["-d", "127.0.0.1"]) self.connectNuauthNufw() self.assert_(not self.nufw_connection_is_established()) self.nufw.stop() self.nufw = startNufw(["-d", "127.0.0.1", "-N"]) self.connectNuauthNufw() self.assert_(self.nufw_connection_is_established()) self.nufw.stop() self.nuauth.stop() def get_tls_cert_invalid(self): for line in self.nufw.readlines(total_timeout=TIMEOUT): if line.lower().find("certificate verification failed") >= 0: return True return False def testNufwInvalidCA(self): self.startNuauth() invalid_cacert = config.get("test_cert", "invalid_cacert") self.nufw = startNufw(["-a", invalid_cacert]) self.connectNuauthNufw() self.assert_(self.get_tls_cert_invalid()) self.nufw.stop() self.nuauth.stop() # If NuFW does not run under the strict mode, the provided certificates in svn # will be accepted and the client will be able to authenticate and then be # accepted by the firewall. This is what we want to check here def testNotStrictMode(self): self.startNuauth() self.nufw = startNufw(["-s"]) self.connectNuauthNufw() self.assert_(self.nufw_connection_is_established()) self.nufw.stop() self.nuauth.stop() def testStrictMode(self): self.startNuauth() self.nufw = startNufw() self.connectNuauthNufw() self.assert_(self.nufw_connection_is_established()) self.nufw.stop() self.nuauth.stop() def nufw_connection_is_established(self): if self.nufw.is_connected_to_nuauth: return True for line in self.nufw.readlines(total_timeout=TIMEOUT): if line.lower().find("tls connection to nuauth established") >= 0: return True if line.lower().find("tls connection to nuauth restored") >= 0: return True return False
class TestTLSClient(TestCase): def startNuauth(self, dict_args=None): self.cacert = abspath(config.get("test_cert", "cacert")) self.nuconfig = NuauthConf() if dict_args is None: dict_args = dict() for key in dict_args.keys(): self.nuconfig[ key ] = dict_args[key] self.nuauth = Nuauth(self.nuconfig) def stopNuauth(self): self.nuauth.stop() def tearDown(self): #self.client.stop() pass def testClientFQDNCheck(self): self.startNuauth() client1 = createClient(more_args=["-H","nuauth.inl.fr","-A", self.cacert]) client2 = createClient(more_args=["-H","localhost","-A", self.cacert]) self.assert_(connectClient(client1)) self.assert_(not connectClient(client2)) client1.stop() client2.stop() self.stopNuauth() def testClientIgnoreFQDNCheck(self): self.startNuauth() client1 = createClient(more_args=["-H","nuauth.inl.fr","-A", self.cacert]) client2 = createClient(more_args=["-H","localhost","-A", self.cacert,"-N"]) self.assert_(connectClient(client1)) self.assert_(connectClient(client2)) client1.stop() client2.stop() self.stopNuauth() def testClientValidCA(self): self.startNuauth() client = createClient(more_args=["-A", self.cacert]) self.assert_(connectClient(client)) client.stop() self.stopNuauth() def testClientInvalidCA(self): self.startNuauth() cacert = config.get("test_cert", "invalid_cacert") client = createClient(more_args=["-A", cacert]) self.assert_(not connectClient(client)) client.stop() self.stopNuauth() def testClientValidCert(self): args = dict() args["nuauth_tls_request_cert"] = "2" self.startNuauth(args) tls_cert = abspath(config.get("test_cert", "user_cert")) tls_key = abspath(config.get("test_cert", "user_key")) client = createClient(more_args=["-A", self.cacert,"-C",tls_cert,"-K",tls_key]) self.assert_(connectClient(client)) client.stop() self.stopNuauth() def testClientInvalidCert(self): args = dict() args["nuauth_tls_request_cert"] = "2" self.startNuauth(args) cacert = config.get("test_cert", "invalid_cacert") tls_cert = abspath(config.get("test_cert", "user_invalid_cert")) tls_key = abspath(config.get("test_cert", "user_invalid_key")) client = createClient(more_args=["-A", self.cacert,"-C",tls_cert,"-K",tls_key]) self.assert_(not connectClient(client)) client.stop() self.stopNuauth() def testClientRevoked(self): args = dict() args["nuauth_tls_request_cert"] = "1" args["nuauth_tls_crl"] = '"%s"' % abspath(config.get("test_cert", "crl")) self.startNuauth(args) client1 = createClientWithCerts() self.assert_(connectClient(client1)) tls_cert = abspath(config.get("test_cert", "user_revoked_cert")) tls_key = abspath(config.get("test_cert", "user_revoked_key")) client2 = createClient(more_args=["-A", self.cacert,"-C",tls_cert,"-K",tls_key]) self.assert_(not connectClient(client2)) client1.stop() client2.stop() self.stopNuauth() def testClientExpired(self): self.startNuauth() client1 = createClientWithCerts() self.assert_(connectClient(client1)) tls_cert = abspath(config.get("test_cert", "user_expired_cert")) tls_key = abspath(config.get("test_cert", "user_expired_key")) client2 = createClient(more_args=["-A", self.cacert,"-C",tls_cert,"-K",tls_key]) self.assert_(not connectClient(client2)) client1.stop() client2.stop() self.stopNuauth() def testClientInvalidCRL(self): args = dict() args["nuauth_tls_request_cert"] = "2" self.startNuauth(args) invalid_crl = abspath(config.get("test_cert", "invalid_crl")) client = createClient(more_args=["-H","nuauth.inl.fr","-A",self.cacert,"-R",invalid_crl]) self.assert_(not connectClient(client)) client.stop() self.stopNuauth()
class TestTLSNuauth(TestCase): def startNuauth(self, dict_args=None): self.cacert = config.get("test_cert", "cacert") self.nuconfig = NuauthConf() self.nuconfig["nuauth_tls_request_cert"] = "2" self.nuconfig["nuauth_tls_crl"] = '"%s"' % abspath(config.get("test_cert", "crl")) if dict_args is None: dict_args = dict() for key in dict_args.keys(): self.nuconfig[ key ] = dict_args[key] self.nuauth = Nuauth(self.nuconfig) def stopNuauth(self): self.nuauth.stop() def tearDown(self): #self.client.stop() pass def testNuauthValidCA(self): self.startNuauth() self.client = createClientWithCerts() self.assert_(connectClient(self.client)) self.client.stop() self.stopNuauth() def testNuauthInvalidCA(self): cacert = abspath(config.get("test_cert", "invalid_cacert")) args = dict() args["nuauth_tls_cacert"] = "'%s'" % cacert # we must disable CRL for this one, else nuauth fails with an # error (CRL is not issued by CA) args["nuauth_tls_crl"] = None self.startNuauth(args) self.client = createClientWithCerts() self.assert_(not connectClient(self.client)) self.client.stop() self.stopNuauth() def testNuauthRevoked(self): args = dict() args["nuauth_tls_key"] = '"%s"' % abspath(config.get("test_cert", "user_revoked_key")) args["nuauth_tls_cert"] = '"%s"' % abspath(config.get("test_cert", "user_revoked_cert")) self.startNuauth(args) self.client = createClient(more_args=["-H","nuauth.inl.fr","-A",self.cacert,"-R",abspath("./pki/crl.pem")]) self.assert_(not connectClient(self.client)) self.client.stop() self.stopNuauth() def testNuauthExpired(self): args = dict() args["nuauth_tls_key"] = '"%s"' % abspath(config.get("test_cert", "user_expired_key")) args["nuauth_tls_cert"] = '"%s"' % abspath(config.get("test_cert", "user_expired_cert")) self.startNuauth(args) self.client = createClient(more_args=["-H","nuauth.inl.fr","-A",self.cacert]) self.assert_(not connectClient(self.client)) self.client.stop() self.client = createClient(more_args=["-H","nuauth.inl.fr","-Q"]) self.assert_(not connectClient(self.client)) self.client.stop() self.stopNuauth() def testNuauthInvalidCRL(self): args = dict() args["nuauth_tls_request_cert"] = "2" args["nuauth_tls_crl"] = '"%s"' % abspath(config.get("test_cert", "invalid_crl")) mytest = False try: self.startNuauth(args) except: mytest = True self.assert_(mytest) if not mytest: self.stopNuauth()
class TestClientCert(TestCase): def setUp(self): self.iptables = Iptables() self.port = VALID_PORT self.host = HOST self.cacert = config.get("test_cert", "cacert") self.nuconfig = NuauthConf() self.nuconfig["nuauth_tls_auth_by_cert"] = "0" self.nuauth = Nuauth(self.nuconfig) def tearDown(self): self.nuauth.stop() self.nuconfig.desinstall() self.iptables.flush() def connectNuauthNufw(self): # Open TCP connection just to connect nufw to nuauth self.iptables.filterTcp(self.port) connectTcp(HOST, self.port, 0.100) # nufw side # "TLS connection to nuauth can NOT be restored" def testValidCert(self): self.nufw = startNufw() self.connectNuauthNufw() self.assert_(self.nufw_connection_is_established()) self.nufw.stop() def get_tls_cert_invalid(self): for line in self.nufw.readlines(total_timeout=TIMEOUT): if line.lower().find('certificate verification failed') >= 0: return True return False def testInvalidCert(self): invalid_cacert = config.get("test_cert", "invalid_cacert") self.nufw = startNufw(["-a", invalid_cacert]) self.connectNuauthNufw() self.assert_(self.get_tls_cert_invalid()) self.nufw.stop() # If NuFW does not run under the strict mode, the provided certificates in svn # will be accepted and the client will be able to authenticate and then be # accepted by the firewall. This is what we want to check here def testNotStrictMode(self): self.nufw = startNufw(["-s"]) self.connectNuauthNufw() self.assert_(self.nufw_connection_is_established()) self.nufw.stop() def testStrictMode(self): self.nufw = startNufw(["-d","127.0.0.1"]) self.connectNuauthNufw() self.assert_(not self.nufw_connection_is_established()) self.nufw.stop() def nufw_connection_is_established(self): if self.nufw.is_connected_to_nuauth: return True for line in self.nufw.readlines(total_timeout=TIMEOUT): if line.lower().find("tls connection to nuauth established") >= 0: return True if line.lower().find("tls connection to nuauth restored") >= 0: return True return False
class MysqlLog(TestCase): def setUp(self): startNufw(["-s"]) config = NuauthConf() config["nuauth_log_users"] = '9' config["mysql_prefix_version"] = '1' if POSTGRESQL: config.need_restart = True self.conn = pgdb.connect( host=DB_SERVER, user=DB_USER, password=DB_PASSWORD, database=DB_DBNAME) config["nuauth_user_logs_module"] = '"pgsql"' config["nuauth_user_session_logs_module"] = '"pgsql"' else: self.conn = MySQLdb.Connect( host=DB_SERVER, user=DB_USER, passwd=DB_PASSWORD, db=DB_DBNAME) config["nuauth_user_logs_module"] = '"mysql"' config["nuauth_user_session_logs_module"] = '"mysql"' self.users = USERDB self.user = self.users[0] self.acls = PlaintextAcl() self.acls.addAcl("web", VALID_PORT, self.user.gid, log_prefix=LOG_PREFIX) self.users.install(config) self.acls.install(config) self.nuauth = Nuauth(config) self.start_time = int(time()-1.1) def query(self, sql): if POSTGRESQL: prefix = "PostgreSQL" else: prefix = "MySQL" info("%s query: %s" % (prefix, sql)) cursor = self.conn.cursor() cursor.execute(sql) info("%s result: %s rows" % (prefix, cursor.rowcount)) return cursor def fetchone(self, cursor): row = cursor.fetchone() if POSTGRESQL: info("PostgreSQL fetchone(): %s" % repr(row)) else: info("MySQL fetchone(): %s" % repr(row)) return row def tearDown(self): # Stop nuauth self.nuauth.stop() self.conn.close() self.users.desinstall() self.acls.desinstall() def _login(self, sql): # Client login client = self.user.createClientWithCerts() self.assert_(connectClient(client)) # Check number of rows for when in retry(timeout=QUERY_TIMEOUT): cursor = self.query(sql) for line in self.nuauth.readlines(): pass if cursor.rowcount: break self.assertEqual(cursor.rowcount, 1) # Read row columns (ip_saddr, user_id, username, os_sysname, os_release, os_version, end_time) = self.fetchone(cursor) if not POSTGRESQL: ip_saddr = ntohl(ip_saddr) & 0xFFFFFFFF # Check values self.assertEqual(IP(ip_saddr), client.ip) self.assertEqual(user_id, self.user.uid) self.assertEqual(username, client.username) self.assertEqual(os_sysname, OS_SYSNAME) self.assertEqual(os_release, OS_RELEASE) self.assertEqual(os_version, OS_VERSION) return client def _logout(self, sql, client): # Client logout # Use datetime.fromtimestamp() with int(time()) to have microsecond=0 logout_before = datetime_before() client.stop() for when in retry(timeout=QUERY_TIMEOUT): # Get last MySQL row cursor = self.query(sql) # Check number of rows if not cursor.rowcount: continue self.assertEqual(cursor.rowcount, 1) # Read row columns (ip_saddr, user_id, username, os_sysname, os_release, os_version, end_time) = self.fetchone(cursor) if not end_time: continue break # Check values if not POSTGRESQL: # FIXME: Convert string to datetime for PostgreSQL logout_after = datetime_after() self.assert_(logout_before <= end_time <= logout_after)
class MysqlLog(TestCase): def setUp(self): startNufw(["-s"]) config = NuauthConf() config["nuauth_log_users"] = '9' config["mysql_prefix_version"] = '1' if POSTGRESQL: config.need_restart = True self.conn = pgdb.connect(host=DB_SERVER, user=DB_USER, password=DB_PASSWORD, database=DB_DBNAME) config["nuauth_user_logs_module"] = '"pgsql"' config["nuauth_user_session_logs_module"] = '"pgsql"' else: self.conn = MySQLdb.Connect(host=DB_SERVER, user=DB_USER, passwd=DB_PASSWORD, db=DB_DBNAME) config["nuauth_user_logs_module"] = '"mysql"' config["nuauth_user_session_logs_module"] = '"mysql"' self.users = USERDB self.user = self.users[0] self.acls = PlaintextAcl() self.acls.addAcl("web", VALID_PORT, self.user.gid, log_prefix=LOG_PREFIX) self.users.install(config) self.acls.install(config) self.nuauth = Nuauth(config) self.start_time = int(time() - 1.1) def query(self, sql): if POSTGRESQL: prefix = "PostgreSQL" else: prefix = "MySQL" info("%s query: %s" % (prefix, sql)) cursor = self.conn.cursor() cursor.execute(sql) info("%s result: %s rows" % (prefix, cursor.rowcount)) return cursor def fetchone(self, cursor): row = cursor.fetchone() if POSTGRESQL: info("PostgreSQL fetchone(): %s" % repr(row)) else: info("MySQL fetchone(): %s" % repr(row)) return row def tearDown(self): # Stop nuauth self.nuauth.stop() self.conn.close() self.users.desinstall() self.acls.desinstall() def _login(self, sql): # Client login client = self.user.createClientWithCerts() self.assert_(connectClient(client)) # Check number of rows for when in retry(timeout=QUERY_TIMEOUT): cursor = self.query(sql) for line in self.nuauth.readlines(): pass if cursor.rowcount: break self.assertEqual(cursor.rowcount, 1) # Read row columns (ip_saddr, user_id, username, os_sysname, os_release, os_version, end_time) = self.fetchone(cursor) if not POSTGRESQL: ip_saddr = ntohl(ip_saddr) & 0xFFFFFFFF # Check values self.assertEqual(IP(ip_saddr), client.ip) self.assertEqual(user_id, self.user.uid) self.assertEqual(username, client.username) self.assertEqual(os_sysname, OS_SYSNAME) self.assertEqual(os_release, OS_RELEASE) self.assertEqual(os_version, OS_VERSION) return client def _logout(self, sql, client): # Client logout # Use datetime.fromtimestamp() with int(time()) to have microsecond=0 logout_before = datetime_before() client.stop() for when in retry(timeout=QUERY_TIMEOUT): # Get last MySQL row cursor = self.query(sql) # Check number of rows if not cursor.rowcount: continue self.assertEqual(cursor.rowcount, 1) # Read row columns (ip_saddr, user_id, username, os_sysname, os_release, os_version, end_time) = self.fetchone(cursor) if not end_time: continue break # Check values if not POSTGRESQL: # FIXME: Convert string to datetime for PostgreSQL logout_after = datetime_after() self.assert_(logout_before <= end_time <= logout_after)