def testClientIgnoreFQDNCheck(self):
self.startNuauth()
client1 = createClient(more_args=["-H","nuauth.inl.fr","-A", self.cacert])
client2 = createClient(more_args=["-H","localhost","-A", self.cacert,"-N"])
self.assert_(connectClient(client1))
self.assert_(connectClient(client2))
client1.stop()
client2.stop()
self.stopNuauth()
def testLogin(self):
username = config.get("test_system", "username")
password = config.get("test_system", "password")
client = createClientWithCerts(username, password)
self.assert_(connectClient(client))
client.stop()
client = createClientWithCerts(username, "xxx%sxxx" % password)
self.assert_(not connectClient(client))
client.stop()
def testLogin(self):
username = config.get("test_system", "username")
password = config.get("test_system", "password")
client = createClientWithCerts(username, password)
self.assert_(connectClient(client))
client.stop()
client = createClientWithCerts(username, "xxx%sxxx" % password)
self.assert_(not connectClient(client))
client.stop()
def testClientIgnoreFQDNCheck(self):
self.startNuauth()
client1 = createClient(
more_args=["-H", "nuauth.inl.fr", "-A", self.cacert])
client2 = createClient(
more_args=["-H", "localhost", "-A", self.cacert, "-N"])
self.assert_(connectClient(client1))
self.assert_(connectClient(client2))
client1.stop()
client2.stop()
self.stopNuauth()
def testClientExpired(self):
self.startNuauth()
client1 = createClientWithCerts()
self.assert_(connectClient(client1))
tls_cert = abspath(config.get("test_cert", "user_expired_cert"))
tls_key = abspath(config.get("test_cert", "user_expired_key"))
client2 = createClient(more_args=["-A", self.cacert,"-C",tls_cert,"-K",tls_key])
self.assert_(not connectClient(client2))
client1.stop()
client2.stop()
self.stopNuauth()
def testNuauthExpired(self):
args = dict()
args["nuauth_tls_key"] = '"%s"' % abspath(config.get("test_cert", "user_expired_key"))
args["nuauth_tls_cert"] = '"%s"' % abspath(config.get("test_cert", "user_expired_cert"))
self.startNuauth(args)
self.client = createClient(more_args=["-H","nuauth.inl.fr","-A",self.cacert])
self.assert_(not connectClient(self.client))
self.client.stop()
self.client = createClient(more_args=["-H","nuauth.inl.fr","-Q"])
self.assert_(not connectClient(self.client))
self.client.stop()
self.stopNuauth()
def testClientExpired(self):
self.startNuauth()
client1 = createClientWithCerts()
self.assert_(connectClient(client1))
tls_cert = abspath(config.get("test_cert", "user_expired_cert"))
tls_key = abspath(config.get("test_cert", "user_expired_key"))
client2 = createClient(
more_args=["-A", self.cacert, "-C", tls_cert, "-K", tls_key])
self.assert_(not connectClient(client2))
client1.stop()
client2.stop()
self.stopNuauth()
def testClientRevoked(self):
args = dict()
args["nuauth_tls_request_cert"] = "1"
args["nuauth_tls_crl"] = '"%s"' % abspath(config.get("test_cert", "crl"))
self.startNuauth(args)
client1 = createClientWithCerts()
self.assert_(connectClient(client1))
tls_cert = abspath(config.get("test_cert", "user_revoked_cert"))
tls_key = abspath(config.get("test_cert", "user_revoked_key"))
client2 = createClient(more_args=["-A", self.cacert,"-C",tls_cert,"-K",tls_key])
self.assert_(not connectClient(client2))
client1.stop()
client2.stop()
self.stopNuauth()
def testSASLAuthNOK(self):
self.config["nuauth_tls_auth_by_cert"] = 0
self.config["session_authtype_sasl_groups"] = "\"123\""
self.nuauth = Nuauth(self.config)
self.client = self.user.createClientWithCerts()
self.assert_(not connectClient(self.client))
def testBlacklistAuthNOK(self):
self.config["nuauth_tls_auth_by_cert"] = 0
self.config["session_authtype_blacklist_groups"] = "\"42\""
self.nuauth = Nuauth(self.config)
self.client = self.user.createClientWithCerts()
self.assert_(not connectClient(self.client))
def testClientRevoked(self):
args = dict()
args["nuauth_tls_request_cert"] = "1"
args["nuauth_tls_crl"] = '"%s"' % abspath(
config.get("test_cert", "crl"))
self.startNuauth(args)
client1 = createClientWithCerts()
self.assert_(connectClient(client1))
tls_cert = abspath(config.get("test_cert", "user_revoked_cert"))
tls_key = abspath(config.get("test_cert", "user_revoked_key"))
client2 = createClient(
more_args=["-A", self.cacert, "-C", tls_cert, "-K", tls_key])
self.assert_(not connectClient(client2))
client1.stop()
client2.stop()
self.stopNuauth()
def testClientInvalidCA(self):
self.startNuauth()
cacert = config.get("test_cert", "invalid_cacert")
client = createClient(more_args=["-A", cacert])
self.assert_(not connectClient(client))
client.stop()
self.stopNuauth()
def testBlacklistAuthNOK(self):
self.config["nuauth_tls_auth_by_cert"] = 0
self.config["session_authtype_blacklist_groups"] = '"42"'
self.nuauth = Nuauth(self.config)
self.client = self.user.createClientWithCerts()
self.assert_(not connectClient(self.client))
def testLoginNormal(self):
# Change login policy to 0
self.config["nuauth_single_ip_client_limit"] = 0
self.config["nuauth_single_user_client_limit"] = 0
self.nuauth = Nuauth(self.config)
# Test user1
client1 = self.userA.createClientWithCerts()
self.assert_(connectClient(client1))
# Test user2
client2 = self.userB.createClientWithCerts()
self.assert_(connectClient(client2))
client1.stop()
client2.stop()
def testSASLAuthNOK(self):
self.config["nuauth_tls_auth_by_cert"] = 0
self.config["session_authtype_sasl_groups"] = '"123"'
self.nuauth = Nuauth(self.config)
self.client = self.user.createClientWithCerts()
self.assert_(not connectClient(self.client))
def testClientInvalidCA(self):
self.startNuauth()
cacert = config.get("test_cert", "invalid_cacert")
client = createClient(more_args=["-A", cacert])
self.assert_(not connectClient(client))
client.stop()
self.stopNuauth()
def testLoginNormal(self):
# Change login policy to 0
self.config["nuauth_single_ip_client_limit"] = 0
self.config["nuauth_single_user_client_limit"] = 0
self.nuauth = Nuauth(self.config)
# Test user1
client1 = self.userA.createClientWithCerts()
self.assert_(connectClient(client1))
# Test user2
client2 = self.userB.createClientWithCerts()
self.assert_(connectClient(client2))
client1.stop()
client2.stop()
def _login(self, sql):
# Client login
client = self.user.createClientWithCerts()
self.assert_(connectClient(client))
# Check number of rows
for when in retry(timeout=QUERY_TIMEOUT):
cursor = self.query(sql)
for line in self.nuauth.readlines():
pass
if cursor.rowcount:
break
self.assertEqual(cursor.rowcount, 1)
# Read row columns
(ip_saddr, user_id, username, os_sysname, os_release, os_version,
end_time) = self.fetchone(cursor)
if not POSTGRESQL:
ip_saddr = ntohl(ip_saddr) & 0xFFFFFFFF
# Check values
self.assertEqual(IP(ip_saddr), client.ip)
self.assertEqual(user_id, self.user.uid)
self.assertEqual(username, client.username)
self.assertEqual(os_sysname, OS_SYSNAME)
self.assertEqual(os_release, OS_RELEASE)
self.assertEqual(os_version, OS_VERSION)
return client
def _login(self, sql):
# Client login
client = self.user.createClientWithCerts()
self.assert_(connectClient(client))
# Check number of rows
for when in retry(timeout=QUERY_TIMEOUT):
cursor = self.query(sql)
for line in self.nuauth.readlines():
pass
if cursor.rowcount:
break
self.assertEqual(cursor.rowcount, 1)
# Read row columns
(ip_saddr, user_id, username, os_sysname,
os_release, os_version, end_time) = self.fetchone(cursor)
if not POSTGRESQL:
ip_saddr = ntohl(ip_saddr) & 0xFFFFFFFF
# Check values
self.assertEqual(IP(ip_saddr), client.ip)
self.assertEqual(user_id, self.user.uid)
self.assertEqual(username, client.username)
self.assertEqual(os_sysname, OS_SYSNAME)
self.assertEqual(os_release, OS_RELEASE)
self.assertEqual(os_version, OS_VERSION)
return client
def testLoginIP(self):
# Change login policy to 1 login/IP
self.config["nuauth_single_ip_client_limit"] = 1
self.config["nuauth_single_user_client_limit"] = 0
self.nuauth = Nuauth(self.config)
# Different users can't log from same IP
# Test user1
client1 = self.userA.createClientWithCerts()
self.assert_(connectClient(client1))
# Test user2
client2 = self.userB.createClientWithCerts()
self.assert_(not connectClient(client2))
client1.stop()
client2.stop()
def testLoginOne(self):
# Change login policy to 1 login/user
self.config["nuauth_single_ip_client_limit"] = 0
self.config["nuauth_single_user_client_limit"] = 1
self.nuauth = Nuauth(self.config)
# User can't log twice
# Test user1
client1 = self.userA.createClientWithCerts()
self.assert_(connectClient(client1))
# Test user1
client2 = self.userA.createClientWithCerts()
self.assert_(not connectClient(client2))
client1.stop()
client2.stop()
def testLoginOne(self):
# Change login policy to 1 login/user
self.config["nuauth_single_ip_client_limit"] = 0
self.config["nuauth_single_user_client_limit"] = 1
self.nuauth = Nuauth(self.config)
# User can't log twice
# Test user1
client1 = self.userA.createClientWithCerts()
self.assert_(connectClient(client1))
# Test user1
client2 = self.userA.createClientWithCerts()
self.assert_(not connectClient(client2))
client1.stop()
client2.stop()
def testLoginIP(self):
# Change login policy to 1 login/IP
self.config["nuauth_single_ip_client_limit"] = 1
self.config["nuauth_single_user_client_limit"] = 0
self.nuauth = Nuauth(self.config)
# Different users can't log from same IP
# Test user1
client1 = self.userA.createClientWithCerts()
self.assert_(connectClient(client1))
# Test user2
client2 = self.userB.createClientWithCerts()
self.assert_(not connectClient(client2))
client1.stop()
client2.stop()
def testCertAuthGroupNOK(self):
self.config["nuauth_tls_auth_by_cert"] = "2"
self.config["session_authtype_ssl_groups"] = "\"100\""
self.nuauth = Nuauth(self.config)
# Client
self.client = self.user.createClientWithCerts()
self.client.password = "******" % self.user.password
self.assert_(not connectClient(self.client))
def testCertAuthGroupNOK(self):
self.config["nuauth_tls_auth_by_cert"] = "2"
self.config["session_authtype_ssl_groups"] = '"100"'
self.nuauth = Nuauth(self.config)
# Client
self.client = self.user.createClientWithCerts()
self.client.password = "******" % self.user.password
self.assert_(not connectClient(self.client))
def testClientInvalidCRL(self):
args = dict()
args["nuauth_tls_request_cert"] = "2"
self.startNuauth(args)
invalid_crl = abspath(config.get("test_cert", "invalid_crl"))
client = createClient(more_args=["-H","nuauth.inl.fr","-A",self.cacert,"-R",invalid_crl])
self.assert_(not connectClient(client))
client.stop()
self.stopNuauth()
def testNuauthRevoked(self):
args = dict()
args["nuauth_tls_key"] = '"%s"' % abspath(config.get("test_cert", "user_revoked_key"))
args["nuauth_tls_cert"] = '"%s"' % abspath(config.get("test_cert", "user_revoked_cert"))
self.startNuauth(args)
self.client = createClient(more_args=["-H","nuauth.inl.fr","-A",self.cacert,"-R",abspath("./pki/crl.pem")])
self.assert_(not connectClient(self.client))
self.client.stop()
self.stopNuauth()
def testPort(testcase, iptables, client, port, ok, host=HOST):
# Enable iptables filtering
iptables.filterTcp(VALID_PORT)
# Connect user
if client:
testcase.assert_(connectClient(client))
# Create socket
testcase.assertEqual(connectTcp(host, port, TIMEOUT), ok)
def testPort(testcase, iptables, client, port, ok, host=HOST):
# Enable iptables filtering
iptables.filterTcp(VALID_PORT)
# Connect user
if client:
testcase.assert_(connectClient(client))
# Create socket
testcase.assertEqual(connectTcp(host, port, TIMEOUT), ok)
def testPortFailure(testcase, iptables, client, port, err):
# Enable iptables filtering
iptables.filterTcp(VALID_PORT)
# Connect user
if client:
testcase.assert_(connectClient(client))
# Create socket
testcase.assertEqual(connectTcpFail(HOST, port, TIMEOUT), err)
def testClientValidCert(self):
args = dict()
args["nuauth_tls_request_cert"] = "2"
self.startNuauth(args)
tls_cert = abspath(config.get("test_cert", "user_cert"))
tls_key = abspath(config.get("test_cert", "user_key"))
client = createClient(more_args=["-A", self.cacert,"-C",tls_cert,"-K",tls_key])
self.assert_(connectClient(client))
client.stop()
self.stopNuauth()
def testPortFailure(testcase, iptables, client, port, err):
# Enable iptables filtering
iptables.filterTcp(VALID_PORT)
# Connect user
if client:
testcase.assert_(connectClient(client))
# Create socket
testcase.assertEqual(connectTcpFail(HOST, port, TIMEOUT), err)
def testLogin(self):
# Client login
client = createClientWithCerts()
self.assert_(connectClient(client))
# Check log output
self.assert_(self.findLog("[nuauth] User %s connect on " % client.username))
# Client logout
client.stop()
self.assert_(self.findLog("[nuauth] User %s disconnect on " % client.username))
def testClientInvalidCRL(self):
args = dict()
args["nuauth_tls_request_cert"] = "2"
self.startNuauth(args)
invalid_crl = abspath(config.get("test_cert", "invalid_crl"))
client = createClient(more_args=[
"-H", "nuauth.inl.fr", "-A", self.cacert, "-R", invalid_crl
])
self.assert_(not connectClient(client))
client.stop()
self.stopNuauth()
def testInvalidCert(self):
# Expired certificate
cacert = config.get("test_cert", "cacert")
cert = config.get("test_cert", "user_invalid_cert")
key = config.get("test_cert", "user_invalid_key")
args = ["-C", cert, "-K", key, "-A", cacert]
self.client = self.user.createClient(more_args=args)
self.client.password = "******" % self.user.password
self.assert_(not connectClient(self.client))
def testInvalidCert(self):
# Expired certificate
cacert = config.get("test_cert", "cacert")
cert = config.get("test_cert", "user_invalid_cert")
key = config.get("test_cert", "user_invalid_key")
args = ["-C", cert, "-K", key, "-A", cacert]
self.client = self.user.createClient(more_args=args)
self.client.password = "******" % self.user.password
self.assert_(not connectClient(self.client))
def testValidCert(self):
# Client
cacert = config.get("test_cert", "cacert")
cert = config.get("test_cert", "user_cert")
key = config.get("test_cert", "user_key")
args = ["-C", cert, "-K", key, "-A", cacert]
self.client = self.user.createClient(more_args=args)
self.client.password = "******" % self.user.password
self.assert_(connectClient(self.client))
def testClientValidCert(self):
args = dict()
args["nuauth_tls_request_cert"] = "2"
self.startNuauth(args)
tls_cert = abspath(config.get("test_cert", "user_cert"))
tls_key = abspath(config.get("test_cert", "user_key"))
client = createClient(
more_args=["-A", self.cacert, "-C", tls_cert, "-K", tls_key])
self.assert_(connectClient(client))
client.stop()
self.stopNuauth()
def testValidCert(self):
# Client
cacert = config.get("test_cert", "cacert")
cert = config.get("test_cert", "user_cert")
key = config.get("test_cert", "user_key")
args = ["-C", cert, "-K", key, "-A", cacert]
self.client = self.user.createClient(more_args=args)
self.client.password = "******" % self.user.password
self.assert_(connectClient(self.client))
def testValid(self):
# Connect client and filter port
self.assert_(connectClient(self.client))
self.iptables.filterTcp(self.port)
# Test connection without QoS (accept)
self.assertEqual(connectTcp(HOST, self.port, TIMEOUT), True)
# Test connection with QoS (drop)
self.iptables.command("-A POSTROUTING -t mangle -m mark --mark %s -j DROP" % self.mark)
self.assertEqual(connectTcp(HOST, self.port, TIMEOUT), False)
def testNuauthInvalidCA(self):
cacert = abspath(config.get("test_cert", "invalid_cacert"))
args = dict()
args["nuauth_tls_cacert"] = "'%s'" % cacert
# we must disable CRL for this one, else nuauth fails with an
# error (CRL is not issued by CA)
args["nuauth_tls_crl"] = None
self.startNuauth(args)
self.client = createClientWithCerts()
self.assert_(not connectClient(self.client))
self.client.stop()
self.stopNuauth()
def testValid(self):
# Connect client and filter port
self.assert_(connectClient(self.client))
self.iptables.filterTcp(self.port)
# Test connection without QoS (accept)
self.assertEqual(connectTcp(HOST, self.port, TIMEOUT), True)
# Test connection with QoS (drop)
self.iptables.command(
"-A POSTROUTING -t mangle -m mark --mark %s -j DROP" % self.mark)
self.assertEqual(connectTcp(HOST, self.port, TIMEOUT), False)
def testLogin(self):
# Client login
client = createClientWithCerts()
self.assert_(connectClient(client))
# Check log output
self.assert_(
self.findLog("[nuauth] User %s connect on " % client.username))
# Client logout
client.stop()
self.assert_(
self.findLog("[nuauth] User %s disconnect on " % client.username))
def testLogin(self):
# Client login
client = createClientWithCerts()
self.assert_(connectClient(client))
# Check log output
match = "SCRIPT UP COUNT=2 TEXT >>>%s %s<<<" \
% (client.username, client.ip)
self.assert_(self.checkScript(match))
# Client logout
client.stop()
match = "SCRIPT DOWN COUNT=2 TEXT >>>%s %s<<<" \
% (client.username, client.ip)
self.assert_(self.checkScript(match))
def testLogin(self):
# Client login
client = createClientWithCerts()
self.assert_(connectClient(client))
# Check log output
match = "SCRIPT UP COUNT=2 TEXT >>>%s %s<<<" \
% (client.username, client.ip)
self.assert_(self.checkScript(match))
# Client logout
client.stop()
match = "SCRIPT DOWN COUNT=2 TEXT >>>%s %s<<<" \
% (client.username, client.ip)
self.assert_(self.checkScript(match))
def testConnShutdown(self):
user = USERDB[0]
client = user.createClient()
self.assert_(connectClient(client))
start = time.time()
conn = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
conn.connect((self.dst_host, VALID_PORT))
src_port = conn.getsockname()[1]
ct_before = len(get_conntrack_conn(src_port, self.dst_host, VALID_PORT))
## Check that only one connection is opened to
self.assert_(ct_before == 1)
## The connection should be killed 10 seconds after being opened
time.sleep(15)
## Check that only one connection is opened to
ct_after = len(get_conntrack_conn(src_port, self.dst_host, VALID_PORT))
self.assert_(ct_after == 0)
conn.close()
client.stop()
def testConnShutdown(self):
user = USERDB[0]
client = user.createClient()
self.assert_(connectClient(client))
start = time.time()
conn = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
conn.connect((self.dst_host, VALID_PORT))
src_port = conn.getsockname()[1]
ct_before = len(get_conntrack_conn(src_port, self.dst_host, VALID_PORT))
## Check that only one connection is opened to
self.assert_(ct_before == 1)
## The connection should be killed 10 seconds after being opened
time.sleep(15)
## Check that only one connection is opened to
ct_after = len(get_conntrack_conn(src_port, self.dst_host, VALID_PORT))
self.assert_(ct_after == 0)
conn.close()
client.stop()
def testInvalidPass(self):
user = USERDB[1]
client = createClientWithCerts(user.login, user.password+"x")
self.assert_(not connectClient(client))
client.stop()
def testInvalidLogin(self):
user = USERDB[0]
client = createClientWithCerts(user.login+"x", user.password)
self.assert_(not connectClient(client))
client.stop()
def testUser2(self):
user = USERDB[1]
client = user.createClientWithCerts()
self.assert_(connectClient(client))
client.stop()
def testExpire(self):
self.assert_(connectClient(self.client))
sleep(self.expiration + DELAY)
self.assert_(self.get_session_not_connected())
def testInvalidPass(self):
self.client.password = "******" % PASSWORD
self.assert_(not connectClient(self.client))
def testClientValidCA(self):
self.startNuauth()
client = createClient(more_args=["-A", self.cacert])
self.assert_(connectClient(client))
client.stop()
self.stopNuauth()
def testInvalidPass(self):
self.client.password = "******" % PASSWORD
self.assert_(not connectClient(self.client))
