Exemplo n.º 1
0
    def setUp(self):
        self.port = VALID_PORT
        self.mark = 1
        self.shift = 8
        config = NuauthConf()

        # Userdb
        self.user = PlaintextUser("guest", "nopassword", 42, 42)
        self.userdb = PlaintextUserDB()
        self.userdb.addUser(self.user)
        self.userdb.install(config)

        self.acls = PlaintextAcl()
        self.acls.addAcl("port",
                         self.port,
                         self.user.gid,
                         flags=(self.mark << self.shift))
        self.acls.install(config)

        # Load nuauth
        config["nuauth_finalize_packet_module"] = '"mark_flag"'
        config["mark_flag_mark_shift"] = 0
        config["mark_flag_flag_shift"] = self.shift
        config["mark_flag_nbits"] = 16

        self.nuauth = Nuauth(config)
        self.iptables = Iptables()
        self.nufw = startNufw(["-m"])
        self.client = self.user.createClientWithCerts()
Exemplo n.º 2
0
class TestClientAuth(TestCase):
    def setUp(self):
        self.port = VALID_PORT
        config = NuauthConf()

        # Userdb
        self.user = PlaintextUser("visiteur", "nopassword", 42, 42)
        self.userdb = PlaintextUserDB()
        self.userdb.addUser(self.user)
        self.userdb.install(config)

        self.acls = PlaintextAcl()
        self.acls.addAcl("web", self.port, self.user.gid)
        self.acls.install(config)

        # Load nuauth
        config["nuauth_do_ip_authentication"] = '1'
        config["nuauth_ip_authentication_module"] = '"ipauth_guest"'
        config["ipauth_guest_username"] = '******' % self.user.login
        self.nuauth = Nuauth(config)
        self.iptables = Iptables()
        self.nufw = startNufw()

    def tearDown(self):
        self.acls.desinstall()
        self.userdb.desinstall()
        self.nuauth.stop()
        self.iptables.flush()

    def testValid(self):
        self.iptables.filterTcp(self.port)
        self.assertEqual(connectTcp(HOST, self.port, TIMEOUT), True)
Exemplo n.º 3
0
class TestClientAuth(TestCase):
    def setUp(self):
        self.port = VALID_PORT
        config = NuauthConf()

        # Userdb
        self.user = PlaintextUser("visiteur", "nopassword", 42, 42)
        self.userdb = PlaintextUserDB()
        self.userdb.addUser(self.user)
        self.userdb.install(config)

        self.acls = PlaintextAcl()
        self.acls.addAcl("web", self.port, self.user.gid)
        self.acls.install(config)

        # Load nuauth
        config["nuauth_do_ip_authentication"] = '1'
        config["nuauth_ip_authentication_module"] = '"ipauth_guest"'
        config["ipauth_guest_username"] = '******' % self.user.login
        self.nuauth = Nuauth(config)
        self.iptables = Iptables()
        self.nufw = startNufw()

    def tearDown(self):
        self.acls.desinstall()
        self.userdb.desinstall()
        self.nuauth.stop()
        self.iptables.flush()

    def testValid(self):
        self.iptables.filterTcp(self.port)
        self.assertEqual(connectTcp(HOST, self.port, TIMEOUT), True)
Exemplo n.º 4
0
    def setUp(self):
        self.iptables = Iptables()
        self.iptables.command(
            '-A OUTPUT -p tcp --sport %u -d %s --tcp-flags SYN,ACK SYN,ACK -j NFQUEUE'
            % (VALID_PORT, HOST))
        config = NuauthConf()

        self.nuauth = Nuauth(config)
        self.nufw = startNufw()
Exemplo n.º 5
0
    def setUp(self):
        self.iptables = Iptables()
        self.port = VALID_PORT
        self.host = HOST
        self.cacert = config.get("test_cert", "cacert")

        self.nuconfig = NuauthConf()
        self.nuconfig["nuauth_tls_auth_by_cert"] = "0"
        self.nuauth = Nuauth(self.nuconfig)
Exemplo n.º 6
0
    def setUp(self):
        self.iptables = Iptables()
        self.users = USERDB
        self.host = HOST
        self.config = NuauthConf()
        self.acls = self.func_acls()

        # Start nuauth with new config
        self.users.install(self.config)
        self.nufw = startNufw(["-s"])
Exemplo n.º 7
0
    def setUp(self):
        self.iptables = Iptables()
        self.users = USERDB
        self.config = NuauthConf()
        self.config["xml_defs_periodfile"] = '"%s"' % os.path.abspath(
            "../conf/periods.xml")
        self.acls = PlaintextAcl()

        # Start nuauth with new config
        self.users.install(self.config)
        self.nufw = startNufw(["-s"])
Exemplo n.º 8
0
    def setUp(self):
        self.iptables = Iptables()
        self.users = USERDB
        self.acls = PlaintextAcl()
        self.acls.addAcl("web", VALID_PORT, self.users[0].gid + 1)
        self.config = NuauthConf()
        self.config["nuauth_packet_timeout"] = "1"

        self.users.install(self.config)
        self.acls.install(self.config)
        self.nufw = startNufw(["-s"])
Exemplo n.º 9
0
class TestPlaintextAcl(TestCase):
    def setUp(self):
        self.iptables = Iptables()
        self.users = USERDB
        self.config = NuauthConf()
        self.config["xml_defs_periodfile"] = '"%s"' % os.path.abspath("../conf/periods.xml")
        self.acls = PlaintextAcl()

        # Start nuauth with new config
        self.users.install(self.config)
        self.nufw = startNufw(["-s"])

    def tearDown(self):
        # Restore user DB and nuauth config
        self.users.desinstall()
        self.acls.desinstall()
        self.nuauth.stop()
        self.iptables.flush()

    def testPeriodDrop(self):
        self.acls.desinstall()
        self.acls = PlaintextAcl()
        if time.localtime().tm_hour >= 12:
                period = "0-12"
        else:
                period = "12-24"
        self.acls.addAcl("web", VALID_PORT, self.users[0].gid, 1, period=period )
        self.acls.install(self.config)
        self.nuauth = Nuauth(self.config)

        user = self.users[0]
        client = user.createClientWithCerts()
        testPort(self, self.iptables, client, VALID_PORT, False)

        self.acls.desinstall()

    def testPeriodAccept(self):
        self.acls.desinstall()
        self.acls = PlaintextAcl()
        if time.localtime().tm_hour < 12:
                period = "0-12"
        else:
                period = "12-24"
        self.acls.addAcl("web", VALID_PORT, self.users[0].gid, 1, period=period)
        self.acls.install(self.config)
        self.nuauth = Nuauth(self.config)

        user = self.users[0]
        client = user.createClientWithCerts()
        testAllowPort(self, self.iptables, client)

        self.acls.desinstall()
Exemplo n.º 10
0
class TestSYNACKignore(TestCase):
    def setUp(self):
        self.iptables = Iptables()
        self.iptables.command('-A OUTPUT -p tcp --sport %u -d %s --tcp-flags SYN,ACK SYN,ACK -j NFQUEUE' % (VALID_PORT, HOST))
        config = NuauthConf()

        self.nuauth = Nuauth(config)
        self.nufw = startNufw()

    def tearDown(self):
        self.nuauth.stop()
        self.iptables.flush()

    def testsynack(self):
        # Create socket
        self.assertEqual(connectTcp(HOST, VALID_PORT, TIMEOUT), True)
Exemplo n.º 11
0
    def setUp(self):
        self.port = VALID_PORT
        self.mark = 1
        self.shift = 8
        config = NuauthConf()

        # Userdb
        self.user = PlaintextUser("guest", "nopassword", 42, 42)
        self.userdb = PlaintextUserDB()
        self.userdb.addUser(self.user)
        self.userdb.install(config)

        self.acls = PlaintextAcl()
        self.acls.addAcl("port", self.port, self.user.gid, flags=(self.mark << self.shift))
        self.acls.install(config)

        # Load nuauth
        config["nuauth_finalize_packet_module"] = '"mark_flag"'
        config["mark_flag_mark_shift"] = 0
        config["mark_flag_flag_shift"] = self.shift
        config["mark_flag_nbits"] = 16

        self.nuauth = Nuauth(config)
        self.iptables = Iptables()
        self.nufw = startNufw(["-m"])
        self.client = self.user.createClientWithCerts()
Exemplo n.º 12
0
    def setUp(self):
        self.iptables = Iptables()
        self.iptables.command('-A OUTPUT -p tcp --sport %u -d %s --tcp-flags SYN,ACK SYN,ACK -j NFQUEUE' % (VALID_PORT, HOST))
        config = NuauthConf()

        self.nuauth = Nuauth(config)
        self.nufw = startNufw()
Exemplo n.º 13
0
class TestSYNACKignore(TestCase):
    def setUp(self):
        self.iptables = Iptables()
        self.iptables.command(
            '-A OUTPUT -p tcp --sport %u -d %s --tcp-flags SYN,ACK SYN,ACK -j NFQUEUE'
            % (VALID_PORT, HOST))
        config = NuauthConf()

        self.nuauth = Nuauth(config)
        self.nufw = startNufw()

    def tearDown(self):
        self.nuauth.stop()
        self.iptables.flush()

    def testsynack(self):
        # Create socket
        self.assertEqual(connectTcp(HOST, VALID_PORT, TIMEOUT), True)
Exemplo n.º 14
0
class TestICMPReject(TestCase):
    def setUp(self):
        self.iptables = Iptables()
        self.users = USERDB
        self.acls = PlaintextAcl()
        self.acls.addAcl("web", VALID_PORT, self.users[0].gid + 1)
        self.config = NuauthConf()
        self.config["nuauth_packet_timeout"] = "1"

        self.users.install(self.config)
        self.acls.install(self.config)
        self.nufw = startNufw(["-s"])

    def tearDown(self):
        # Restore user DB and nuauth config
        self.users.desinstall()
        self.acls.desinstall()
        self.nuauth.stop()
        self.iptables.flush()

    def testDrop(self):
        self.config["nuauth_reject_after_timeout"] = "0"
        self.config["nuauth_reject_authenticated_drop"] = "0"
        self.nuauth = Nuauth(self.config)
        user = self.users[0]
        client = user.createClientWithCerts()
        testPortFailure(self, self.iptables, client, VALID_PORT, ETIMEDOUT)
        client.stop()

    def testRejectTimedout(self):
        self.config["nuauth_reject_after_timeout"] = "1"
        self.config["nuauth_reject_authenticated_drop"] = "0"
        self.nuauth = Nuauth(self.config)
        testPortFailure(self, self.iptables, None, VALID_PORT, ECONNREFUSED)

    def testRejectAuthenticated(self):
        self.config["nuauth_reject_after_timeout"] = 0
        self.config["nuauth_reject_authenticated_drop"] = 1
        self.nuauth = Nuauth(self.config)
        user = self.users[0]
        client = user.createClientWithCerts()
        testPortFailure(self, self.iptables, client, VALID_PORT, ECONNREFUSED)
        client.stop()
Exemplo n.º 15
0
    def setUp(self):
        self.iptables = Iptables()
        self.users = USERDB
        self.config = NuauthConf()
        self.config["xml_defs_periodfile"] = '"%s"' % os.path.abspath("../conf/periods.xml")
        self.acls = PlaintextAcl()

        # Start nuauth with new config
        self.users.install(self.config)
        self.nufw = startNufw(["-s"])
Exemplo n.º 16
0
class TestICMPReject(TestCase):
    def setUp(self):
        self.iptables = Iptables()
        self.users = USERDB
        self.acls = PlaintextAcl()
        self.acls.addAcl("web", VALID_PORT, self.users[0].gid+1)
        self.config = NuauthConf()
        self.config["nuauth_packet_timeout"] = "1"

        self.users.install(self.config)
        self.acls.install(self.config)
        self.nufw = startNufw(["-s"])

    def tearDown(self):
        # Restore user DB and nuauth config
        self.users.desinstall()
        self.acls.desinstall()
        self.nuauth.stop()
        self.iptables.flush()

    def testDrop(self):
        self.config["nuauth_reject_after_timeout"] = "0"
        self.config["nuauth_reject_authenticated_drop"] = "0"
        self.nuauth = Nuauth(self.config)
        user = self.users[0]
        client = user.createClientWithCerts()
        testPortFailure(self, self.iptables, client, VALID_PORT, ETIMEDOUT)
        client.stop()

    def testRejectTimedout(self):
        self.config["nuauth_reject_after_timeout"] = "1"
        self.config["nuauth_reject_authenticated_drop"] = "0"
        self.nuauth = Nuauth(self.config)
        testPortFailure(self, self.iptables, None, VALID_PORT, ECONNREFUSED)

    def testRejectAuthenticated(self):
        self.config["nuauth_reject_after_timeout"] = 0
        self.config["nuauth_reject_authenticated_drop"] = 1
        self.nuauth = Nuauth(self.config)
        user = self.users[0]
        client = user.createClientWithCerts()
        testPortFailure(self, self.iptables, client, VALID_PORT, ECONNREFUSED)
        client.stop()
Exemplo n.º 17
0
    def setUp(self):
        self.iptables = Iptables()
        self.users = USERDB
        self.acls = PlaintextAcl()
        self.acls.addAcl("web", VALID_PORT, self.users[0].gid+1)
        self.config = NuauthConf()
        self.config["nuauth_packet_timeout"] = "1"

        self.users.install(self.config)
        self.acls.install(self.config)
        self.nufw = startNufw(["-s"])
Exemplo n.º 18
0
    def setUp(self):
        self.port = VALID_PORT
        config = NuauthConf()

        # Userdb
        self.user = PlaintextUser("visiteur", "nopassword", 42, 42)
        self.userdb = PlaintextUserDB()
        self.userdb.addUser(self.user)
        self.userdb.install(config)

        self.acls = PlaintextAcl()
        self.acls.addAcl("web", self.port, self.user.gid)
        self.acls.install(config)

        # Load nuauth
        config["nuauth_do_ip_authentication"] = '1'
        config["nuauth_ip_authentication_module"] = '"ipauth_guest"'
        config["ipauth_guest_username"] = '******' % self.user.login
        self.nuauth = Nuauth(config)
        self.iptables = Iptables()
        self.nufw = startNufw()
Exemplo n.º 19
0
    def setUp(self):
        self.dst_host = socket.gethostbyname(HOST)

        self.config = NuauthConf()
        self.acls = PlaintextAcl()
        self.acls.addAclFull("web", self.dst_host, VALID_PORT, USERDB[0].gid, 1, period='10 secs' )
        self.acls.install(self.config)

        self.period = PlainPeriodXML()
        self.period.addPeriod(Period("10 secs", duration = 10))
        self.period.install(self.config)

        self.users = USERDB
        self.users.install(self.config)
        self.nuauth = Nuauth(self.config)
        self.nufw = startNufw()

        self.iptables = Iptables()
        self.iptables.flush()
        self.iptables.command('-I OUTPUT -d %s -p tcp --dport 80 --syn -m state --state NEW -j NFQUEUE' % self.dst_host)
        self.iptables.command('-I OUTPUT -d %s -p tcp --dport 80 ! --syn -m state --state NEW -j DROP' % self.dst_host)
Exemplo n.º 20
0
class TestConntrack(TestCase):
    def setUp(self):
        self.dst_host = socket.gethostbyname(HOST)

        self.config = NuauthConf()
        self.acls = PlaintextAcl()
        self.acls.addAclFull("web", self.dst_host, VALID_PORT, USERDB[0].gid, 1, period='10 secs' )
        self.acls.install(self.config)

        self.period = PlainPeriodXML()
        self.period.addPeriod(Period("10 secs", duration = 10))
        self.period.install(self.config)

        self.users = USERDB
        self.users.install(self.config)
        self.nuauth = Nuauth(self.config)
        self.nufw = startNufw()

        self.iptables = Iptables()
        self.iptables.flush()
        self.iptables.command('-I OUTPUT -d %s -p tcp --dport 80 --syn -m state --state NEW -j NFQUEUE' % self.dst_host)
        self.iptables.command('-I OUTPUT -d %s -p tcp --dport 80 ! --syn -m state --state NEW -j DROP' % self.dst_host)

    def tearDown(self):
        self.nuauth.stop()
        self.users.desinstall()
        self.acls.desinstall()
        self.period.desinstall()

    def testConnShutdown(self):
        user = USERDB[0]
        client = user.createClient()
        self.assert_(connectClient(client))

        start = time.time()
        conn = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        conn.connect((self.dst_host, VALID_PORT))

        src_port = conn.getsockname()[1]

        ct_before = len(get_conntrack_conn(src_port, self.dst_host, VALID_PORT))
        ## Check that only one connection is opened to
        self.assert_(ct_before == 1)

        ## The connection should be killed 10 seconds after being opened
        time.sleep(15)

        ## Check that only one connection is opened to
        ct_after = len(get_conntrack_conn(src_port, self.dst_host, VALID_PORT))
        self.assert_(ct_after == 0)

        conn.close()
        client.stop()
Exemplo n.º 21
0
class TestConntrack(TestCase):
    def setUp(self):
        self.dst_host = socket.gethostbyname(HOST)

        self.config = NuauthConf()
        self.acls = PlaintextAcl()
        self.acls.addAclFull("web", self.dst_host, VALID_PORT, USERDB[0].gid, 1, period="10 secs")
        self.acls.install(self.config)

        self.period = PlainPeriodXML()
        self.period.addPeriod(Period("10 secs", duration=10))
        self.period.install(self.config)

        self.users = USERDB
        self.users.install(self.config)
        self.nuauth = Nuauth(self.config)
        self.nufw = startNufw()

        self.iptables = Iptables()
        self.iptables.flush()
        self.iptables.command("-I OUTPUT -d %s -p tcp --dport 80 --syn -m state --state NEW -j NFQUEUE" % self.dst_host)
        self.iptables.command("-I OUTPUT -d %s -p tcp --dport 80 ! --syn -m state --state NEW -j DROP" % self.dst_host)

    def tearDown(self):
        self.nuauth.stop()
        self.users.desinstall()
        self.acls.desinstall()
        self.period.desinstall()

    def testConnShutdown(self):
        user = USERDB[0]
        client = user.createClient()
        self.assert_(connectClient(client))

        start = time.time()
        conn = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        conn.connect((self.dst_host, VALID_PORT))

        src_port = conn.getsockname()[1]

        ct_before = len(get_conntrack_conn(src_port, self.dst_host, VALID_PORT))
        ## Check that only one connection is opened to
        self.assert_(ct_before == 1)

        ## The connection should be killed 10 seconds after being opened
        time.sleep(15)

        ## Check that only one connection is opened to
        ct_after = len(get_conntrack_conn(src_port, self.dst_host, VALID_PORT))
        self.assert_(ct_after == 0)

        conn.close()
        client.stop()
Exemplo n.º 22
0
class TestClientAuth(TestCase):
    def setUp(self):
        self.port = VALID_PORT
        self.mark = 1
        self.shift = 8
        config = NuauthConf()

        # Userdb
        self.user = PlaintextUser("guest", "nopassword", 42, 42)
        self.userdb = PlaintextUserDB()
        self.userdb.addUser(self.user)
        self.userdb.install(config)

        self.acls = PlaintextAcl()
        self.acls.addAcl("port",
                         self.port,
                         self.user.gid,
                         flags=(self.mark << self.shift))
        self.acls.install(config)

        # Load nuauth
        config["nuauth_finalize_packet_module"] = '"mark_flag"'
        config["mark_flag_mark_shift"] = 0
        config["mark_flag_flag_shift"] = self.shift
        config["mark_flag_nbits"] = 16

        self.nuauth = Nuauth(config)
        self.iptables = Iptables()
        self.nufw = startNufw(["-m"])
        self.client = self.user.createClientWithCerts()

    def tearDown(self):
        self.acls.desinstall()
        self.userdb.desinstall()
        self.client.stop()
        self.nuauth.stop()
        self.iptables.flush()

    def testValid(self):
        # Connect client and filter port
        self.assert_(connectClient(self.client))
        self.iptables.filterTcp(self.port)

        # Test connection without QoS (accept)
        self.assertEqual(connectTcp(HOST, self.port, TIMEOUT), True)

        # Test connection with QoS (drop)
        self.iptables.command(
            "-A POSTROUTING -t mangle -m mark --mark %s -j DROP" % self.mark)
        self.assertEqual(connectTcp(HOST, self.port, TIMEOUT), False)
Exemplo n.º 23
0
    def setUp(self):
        self.dst_host = socket.gethostbyname(HOST)

        self.config = NuauthConf()
        self.acls = PlaintextAcl()
        self.acls.addAclFull("web", self.dst_host, VALID_PORT, USERDB[0].gid, 1, period="10 secs")
        self.acls.install(self.config)

        self.period = PlainPeriodXML()
        self.period.addPeriod(Period("10 secs", duration=10))
        self.period.install(self.config)

        self.users = USERDB
        self.users.install(self.config)
        self.nuauth = Nuauth(self.config)
        self.nufw = startNufw()

        self.iptables = Iptables()
        self.iptables.flush()
        self.iptables.command("-I OUTPUT -d %s -p tcp --dport 80 --syn -m state --state NEW -j NFQUEUE" % self.dst_host)
        self.iptables.command("-I OUTPUT -d %s -p tcp --dport 80 ! --syn -m state --state NEW -j DROP" % self.dst_host)
Exemplo n.º 24
0
    def setUp(self):
        self.port = VALID_PORT
        config = NuauthConf()

        # Userdb
        self.user = PlaintextUser("visiteur", "nopassword", 42, 42)
        self.userdb = PlaintextUserDB()
        self.userdb.addUser(self.user)
        self.userdb.install(config)

        self.acls = PlaintextAcl()
        self.acls.addAcl("web", self.port, self.user.gid)
        self.acls.install(config)

        # Load nuauth
        config["nuauth_do_ip_authentication"] = '1'
        config["nuauth_ip_authentication_module"] = '"ipauth_guest"'
        config["ipauth_guest_username"] = '******' % self.user.login
        self.nuauth = Nuauth(config)
        self.iptables = Iptables()
        self.nufw = startNufw()
Exemplo n.º 25
0
class TestClientAuth(TestCase):
    def setUp(self):
        self.port = VALID_PORT
        self.mark = 1
        self.shift = 8
        config = NuauthConf()

        # Userdb
        self.user = PlaintextUser("guest", "nopassword", 42, 42)
        self.userdb = PlaintextUserDB()
        self.userdb.addUser(self.user)
        self.userdb.install(config)

        self.acls = PlaintextAcl()
        self.acls.addAcl("port", self.port, self.user.gid, flags=(self.mark << self.shift))
        self.acls.install(config)

        # Load nuauth
        config["nuauth_finalize_packet_module"] = '"mark_flag"'
        config["mark_flag_mark_shift"] = 0
        config["mark_flag_flag_shift"] = self.shift
        config["mark_flag_nbits"] = 16

        self.nuauth = Nuauth(config)
        self.iptables = Iptables()
        self.nufw = startNufw(["-m"])
        self.client = self.user.createClientWithCerts()

    def tearDown(self):
        self.acls.desinstall()
        self.userdb.desinstall()
        self.client.stop()
        self.nuauth.stop()
        self.iptables.flush()

    def testValid(self):
        # Connect client and filter port
        self.assert_(connectClient(self.client))
        self.iptables.filterTcp(self.port)

        # Test connection without QoS (accept)
        self.assertEqual(connectTcp(HOST, self.port, TIMEOUT), True)

        # Test connection with QoS (drop)
        self.iptables.command("-A POSTROUTING -t mangle -m mark --mark %s -j DROP" % self.mark)
        self.assertEqual(connectTcp(HOST, self.port, TIMEOUT), False)
Exemplo n.º 26
0
class TestAcl(object):
    def setUp(self):
        self.iptables = Iptables()
        self.users = USERDB
        self.host = HOST
        self.config = NuauthConf()
        self.acls = self.func_acls()

        # Start nuauth with new config
        self.users.install(self.config)
        self.nufw = startNufw(["-s"])

    def tearDown(self):
        # Restore user DB and nuauth config
        self.users.desinstall()
        self.nuauth.stop()
        self.iptables.flush()
        self.acls.desinstall()

    def testFilterByGroup(self):
        self.acls.addAclFull("Web group", self.host, VALID_PORT, self.users[0].gid)
        self.acls.install(self.config)
        self.nuauth = Nuauth(self.config)
        user = self.users[0]
        client = user.createClientWithCerts()
        testAllowPort(self, self.iptables, client, self.host)
        testDisallowPort(self, self.iptables, client, self.host)
        self.acls.desinstall()

    def testFilterByUser(self):
        self.acls.addAclPerUid("Web user", self.host, VALID_PORT, self.users[0].uid)
        self.acls.install(self.config)
        self.nuauth = Nuauth(self.config)
        user = self.users[0]
        client = user.createClientWithCerts()
        testAllowPort(self, self.iptables, client, self.host)
        testDisallowPort(self, self.iptables, client, self.host)
        self.acls.desinstall()

    def testValidApplication(self):
        self.acls.addAclFull("application", self.host, VALID_PORT, self.users[0].gid, App=APPLICATION)
        self.acls.install(self.config)
        self.nuauth = Nuauth(self.config)
        user = self.users[0]
        client = user.createClientWithCerts()
        testAllowPort(self, self.iptables, client, self.host)
        self.acls.desinstall()

    def testInvalidApplication(self):
        self.acls.addAclFull("application", self.host, VALID_PORT, self.users[0].gid, App=APPLICATION+"xxx")
        self.acls.install(self.config)
        self.nuauth = Nuauth(self.config)
        user = self.users[0]
        client = user.createClientWithCerts()
        testAllowPort(self, self.iptables, client, self.host, allow=False)
        self.acls.desinstall()

    def testValidOS(self):
        self.acls.addAclFull("application", self.host, VALID_PORT, self.users[0].gid, OS=OS_FULL)
        self.acls.install(self.config)
        self.nuauth = Nuauth(self.config)
        user = self.users[0]
        client = user.createClientWithCerts()
        testAllowPort(self, self.iptables, client, self.host)
        self.acls.desinstall()

    def testInvalidOS(self):
        self.acls.addAclFull("application", self.host, VALID_PORT, self.users[0].gid, OS=OS_NAME+"xxx")
        self.acls.install(self.config)
        self.nuauth = Nuauth(self.config)
        user = self.users[0]
        client = user.createClientWithCerts()
        testAllowPort(self, self.iptables, client, self.host, allow=False)
        self.acls.desinstall()

    def testOutdevOk(self):
        self.acls.addAclFull("outdev test", self.host, VALID_PORT, self.users[0].gid, outdev = IFACE)
        self.acls.install(self.config)
        self.nuauth = Nuauth(self.config)
        user = self.users[0]
        client = user.createClientWithCerts()
        testAllowPort(self, self.iptables, client, self.host)
        self.acls.desinstall()

    def testOutdevNOK(self):
        self.acls.addAclFull("outdev test", self.host, VALID_PORT, self.users[0].gid, outdev = "bad0")
        self.acls.install(self.config)
        self.nuauth = Nuauth(self.config)
        user = self.users[0]
        client = user.createClientWithCerts()
        testAllowPort(self, self.iptables, client, self.host, allow=False)
        self.acls.desinstall()
Exemplo n.º 27
0
class TestTLSNufw(TestCase):
    def setUp(self):
        self.iptables = Iptables()
        self.port = VALID_PORT
        self.host = HOST
        self.cacert = abspath(config.get("test_cert", "cacert"))

    def startNuauth(self, dict_args=None):
        self.nuconfig = NuauthConf()
        self.nuconfig["nuauth_tls_request_cert"] = "2"
        self.nuconfig["nuauth_tls_crl"] = '"%s"' % abspath(config.get("test_cert", "crl"))
        if dict_args is None:
            dict_args = dict()
        for key in dict_args.keys():
            self.nuconfig[key] = dict_args[key]
        self.nuauth = Nuauth(self.nuconfig)

    def tearDown(self):
        self.nuauth.stop()
        self.nuconfig.desinstall()
        self.iptables.flush()

    def connectNuauthNufw(self):
        # Open TCP connection just to connect nufw to nuauth
        self.iptables.filterTcp(self.port)
        connectTcp(HOST, self.port, 0.100)

        # nufw side
        # "TLS connection to nuauth can NOT be restored"

    def testNufwValidCert(self):
        self.startNuauth()
        self.nufw = startNufw()
        self.connectNuauthNufw()

        self.assert_(self.nufw_connection_is_established())

        self.nufw.stop()
        self.nuauth.stop()

    def testNufwFQDNCheck(self):
        self.startNuauth()

        self.nufw = startNufw(["-d", "127.0.0.1"])
        self.connectNuauthNufw()
        self.assert_(not self.nufw_connection_is_established())
        self.nufw.stop()

        self.nufw = startNufw(["-d", "nuauth.inl.fr"])
        self.connectNuauthNufw()
        self.assert_(self.nufw_connection_is_established())
        self.nufw.stop()

        self.nuauth.stop()

    def testNufwIgnoreFQDNCheck(self):
        self.startNuauth()

        self.nufw = startNufw(["-d", "127.0.0.1"])
        self.connectNuauthNufw()
        self.assert_(not self.nufw_connection_is_established())
        self.nufw.stop()

        self.nufw = startNufw(["-d", "127.0.0.1", "-N"])
        self.connectNuauthNufw()
        self.assert_(self.nufw_connection_is_established())
        self.nufw.stop()

        self.nuauth.stop()

    def get_tls_cert_invalid(self):
        for line in self.nufw.readlines(total_timeout=TIMEOUT):
            if line.lower().find("certificate verification failed") >= 0:
                return True
        return False

    def testNufwInvalidCA(self):
        self.startNuauth()
        invalid_cacert = config.get("test_cert", "invalid_cacert")
        self.nufw = startNufw(["-a", invalid_cacert])
        self.connectNuauthNufw()

        self.assert_(self.get_tls_cert_invalid())
        self.nufw.stop()
        self.nuauth.stop()

    # If NuFW does not run under the strict mode, the provided certificates in svn
    # will be accepted and the client will be able to authenticate and then be
    # accepted by the firewall. This is what we want to check here
    def testNotStrictMode(self):

        self.startNuauth()
        self.nufw = startNufw(["-s"])
        self.connectNuauthNufw()

        self.assert_(self.nufw_connection_is_established())

        self.nufw.stop()
        self.nuauth.stop()

    def testStrictMode(self):

        self.startNuauth()
        self.nufw = startNufw()
        self.connectNuauthNufw()

        self.assert_(self.nufw_connection_is_established())

        self.nufw.stop()
        self.nuauth.stop()

    def nufw_connection_is_established(self):
        if self.nufw.is_connected_to_nuauth:
            return True
        for line in self.nufw.readlines(total_timeout=TIMEOUT):
            if line.lower().find("tls connection to nuauth established") >= 0:
                return True
            if line.lower().find("tls connection to nuauth restored") >= 0:
                return True
        return False
Exemplo n.º 28
0
 def setUp(self):
     self.iptables = Iptables()
     self.port = VALID_PORT
     self.host = HOST
     self.cacert = abspath(config.get("test_cert", "cacert"))
Exemplo n.º 29
0
 def setUp(self):
     self.iptables = Iptables()
     self.port = VALID_PORT
     self.host = HOST
     self.cacert = abspath(config.get("test_cert", "cacert"))
Exemplo n.º 30
0
class TestTLSNufw(TestCase):
    def setUp(self):
        self.iptables = Iptables()
        self.port = VALID_PORT
        self.host = HOST
        self.cacert = abspath(config.get("test_cert", "cacert"))

    def startNuauth(self, dict_args=None):
        self.nuconfig = NuauthConf()
        self.nuconfig["nuauth_tls_request_cert"] = "2"
        self.nuconfig["nuauth_tls_crl"] = '"%s"' % abspath(
            config.get("test_cert", "crl"))
        if dict_args is None:
            dict_args = dict()
        for key in dict_args.keys():
            self.nuconfig[key] = dict_args[key]
        self.nuauth = Nuauth(self.nuconfig)

    def tearDown(self):
        self.nuauth.stop()
        self.nuconfig.desinstall()
        self.iptables.flush()

    def connectNuauthNufw(self):
        # Open TCP connection just to connect nufw to nuauth
        self.iptables.filterTcp(self.port)
        connectTcp(HOST, self.port, 0.100)

        # nufw side
        # "TLS connection to nuauth can NOT be restored"

    def testNufwValidCert(self):
        self.startNuauth()
        self.nufw = startNufw()
        self.connectNuauthNufw()

        self.assert_(self.nufw_connection_is_established())

        self.nufw.stop()
        self.nuauth.stop()

    def testNufwFQDNCheck(self):
        self.startNuauth()

        self.nufw = startNufw(["-d", "127.0.0.1"])
        self.connectNuauthNufw()
        self.assert_(not self.nufw_connection_is_established())
        self.nufw.stop()

        self.nufw = startNufw(["-d", "nuauth.inl.fr"])
        self.connectNuauthNufw()
        self.assert_(self.nufw_connection_is_established())
        self.nufw.stop()

        self.nuauth.stop()

    def testNufwIgnoreFQDNCheck(self):
        self.startNuauth()

        self.nufw = startNufw(["-d", "127.0.0.1"])
        self.connectNuauthNufw()
        self.assert_(not self.nufw_connection_is_established())
        self.nufw.stop()

        self.nufw = startNufw(["-d", "127.0.0.1", "-N"])
        self.connectNuauthNufw()
        self.assert_(self.nufw_connection_is_established())
        self.nufw.stop()

        self.nuauth.stop()

    def get_tls_cert_invalid(self):
        for line in self.nufw.readlines(total_timeout=TIMEOUT):
            if line.lower().find('certificate verification failed') >= 0:
                return True
        return False

    def testNufwInvalidCA(self):
        self.startNuauth()
        invalid_cacert = config.get("test_cert", "invalid_cacert")
        self.nufw = startNufw(["-a", invalid_cacert])
        self.connectNuauthNufw()

        self.assert_(self.get_tls_cert_invalid())
        self.nufw.stop()
        self.nuauth.stop()

    # If NuFW does not run under the strict mode, the provided certificates in svn
    # will be accepted and the client will be able to authenticate and then be
    # accepted by the firewall. This is what we want to check here
    def testNotStrictMode(self):

        self.startNuauth()
        self.nufw = startNufw(["-s"])
        self.connectNuauthNufw()

        self.assert_(self.nufw_connection_is_established())

        self.nufw.stop()
        self.nuauth.stop()

    def testStrictMode(self):

        self.startNuauth()
        self.nufw = startNufw()
        self.connectNuauthNufw()

        self.assert_(self.nufw_connection_is_established())

        self.nufw.stop()
        self.nuauth.stop()

    def nufw_connection_is_established(self):
        if self.nufw.is_connected_to_nuauth:
            return True
        for line in self.nufw.readlines(total_timeout=TIMEOUT):
            if line.lower().find("tls connection to nuauth established") >= 0:
                return True
            if line.lower().find("tls connection to nuauth restored") >= 0:
                return True
        return False
Exemplo n.º 31
0
 def setUp(self):
     self.iptables = Iptables()
     MysqlLog.setUp(self)
Exemplo n.º 32
0
class TestPlaintextAcl(TestCase):
    def setUp(self):
        self.iptables = Iptables()
        self.users = USERDB
        self.config = NuauthConf()
        self.config["xml_defs_periodfile"] = '"%s"' % os.path.abspath(
            "../conf/periods.xml")
        self.acls = PlaintextAcl()

        # Start nuauth with new config
        self.users.install(self.config)
        self.nufw = startNufw(["-s"])

    def tearDown(self):
        # Restore user DB and nuauth config
        self.users.desinstall()
        self.acls.desinstall()
        self.nuauth.stop()
        self.iptables.flush()

    def testPeriodDrop(self):
        self.acls.desinstall()
        self.acls = PlaintextAcl()
        if time.localtime().tm_hour >= 12:
            period = "0-12"
        else:
            period = "12-24"
        self.acls.addAcl("web",
                         VALID_PORT,
                         self.users[0].gid,
                         1,
                         period=period)
        self.acls.install(self.config)
        self.nuauth = Nuauth(self.config)

        user = self.users[0]
        client = user.createClientWithCerts()
        testPort(self, self.iptables, client, VALID_PORT, False)

        self.acls.desinstall()

    def testPeriodAccept(self):
        self.acls.desinstall()
        self.acls = PlaintextAcl()
        if time.localtime().tm_hour < 12:
            period = "0-12"
        else:
            period = "12-24"
        self.acls.addAcl("web",
                         VALID_PORT,
                         self.users[0].gid,
                         1,
                         period=period)
        self.acls.install(self.config)
        self.nuauth = Nuauth(self.config)

        user = self.users[0]
        client = user.createClientWithCerts()
        testAllowPort(self, self.iptables, client)

        self.acls.desinstall()
Exemplo n.º 33
0
class TestClientCert(TestCase):
    def setUp(self):
        self.iptables = Iptables()
        self.port = VALID_PORT
        self.host = HOST
        self.cacert = config.get("test_cert", "cacert")

        self.nuconfig = NuauthConf()
        self.nuconfig["nuauth_tls_auth_by_cert"] = "0"
        self.nuauth = Nuauth(self.nuconfig)

    def tearDown(self):
        self.nuauth.stop()
        self.nuconfig.desinstall()
        self.iptables.flush()

    def connectNuauthNufw(self):
        # Open TCP connection just to connect nufw to nuauth
        self.iptables.filterTcp(self.port)
        connectTcp(HOST, self.port, 0.100)

        # nufw side
        # "TLS connection to nuauth can NOT be restored"

    def testValidCert(self):
        self.nufw = startNufw()
        self.connectNuauthNufw()

        self.assert_(self.nufw_connection_is_established())

        self.nufw.stop()

    def get_tls_cert_invalid(self):
        for line in self.nufw.readlines(total_timeout=TIMEOUT):
            if line.lower().find('certificate verification failed') >= 0:
                return True
        return False

    def testInvalidCert(self):
        invalid_cacert = config.get("test_cert", "invalid_cacert")
        self.nufw = startNufw(["-a", invalid_cacert])
        self.connectNuauthNufw()

        self.assert_(self.get_tls_cert_invalid())
        self.nufw.stop()

    # If NuFW does not run under the strict mode, the provided certificates in svn
    # will be accepted and the client will be able to authenticate and then be
    # accepted by the firewall. This is what we want to check here
    def testNotStrictMode(self):

        self.nufw = startNufw(["-s"])
        self.connectNuauthNufw()

        self.assert_(self.nufw_connection_is_established())

        self.nufw.stop()

    def testStrictMode(self):

        self.nufw = startNufw(["-d","127.0.0.1"])
        self.connectNuauthNufw()

        self.assert_(not self.nufw_connection_is_established())

        self.nufw.stop()

    def nufw_connection_is_established(self):
        if self.nufw.is_connected_to_nuauth:
            return True
        for line in self.nufw.readlines(total_timeout=TIMEOUT):
            if line.lower().find("tls connection to nuauth established") >= 0:
                return True
            if line.lower().find("tls connection to nuauth restored") >= 0:
                return True
        return False
Exemplo n.º 34
0
class MysqlLogPacket(MysqlLog):
    def setUp(self):
        self.iptables = Iptables()
        MysqlLog.setUp(self)

    def tearDown(self):
        MysqlLog.tearDown(self)
        self.iptables.flush()

    def testFilter(self):
        """
        User logs in, opens an authenticated connection, and
        closes the connection. Make sure that MySQL records the connection,
        only once, with the right parameters.
        """

        client = self.user.createClientWithCerts()
        time_before = int(time())
        timestamp_before = datetime_before()

        # Open allowed port
        testAllowPort(self, self.iptables, client)

        # Query DB
        if not POSTGRESQL:
            timestamp_field = "timestamp, "
        else:
            timestamp_field = ""
        sql = \
            "SELECT username, user_id, client_os, client_app, " \
            "tcp_dport, ip_saddr, ip_daddr, oob_time_sec, ip_protocol, " \
            "%sstart_timestamp, end_timestamp, oob_prefix " \
            "FROM %s WHERE oob_time_sec >= %s AND state=1;" \
            % (timestamp_field, DB_PACKET_TABLE, time_before)

        # Do the query
        for when in retry(timeout=QUERY_TIMEOUT):
            cursor = self.query(sql)
            if cursor.rowcount:
                break

        # Read result
        row = self.fetchone(cursor)
        timestamp_after = datetime_after()
        self.assertEqual(cursor.rowcount, 1)
        if POSTGRESQL:
            (username, user_id, client_os, client_app,
             tcp_dport, ip_saddr, ip_daddr, oob_time_sec, ip_protocol,
             start_timestamp, end_timestamp, oob_prefix) = row
        else:
            (username, user_id, client_os, client_app,
             tcp_dport, ip_saddr, ip_daddr, oob_time_sec, ip_protocol,
             timestamp, start_timestamp, end_timestamp, oob_prefix) = row

        # Check values
        self.assertEqual(username, client.username)
        self.assertEqual(user_id, self.user.uid)
        self.assertEqual(client_os, CLIENT_OS)
        self.assertEqual(client_app, CLIENT_APP)
        self.assertEqual(tcp_dport, VALID_PORT)
        self.assertEqual(IP(ip_saddr), client.ip)
        self.assert_(timestamp_before <= datetime.fromtimestamp(oob_time_sec) <= timestamp_after)
        if not POSTGRESQL:
            self.assert_(timestamp and timestamp_before <= timestamp <= timestamp_after)
        self.assertEqual(ip_protocol, 6)
        self.assertEqual(oob_prefix, OOB_PREFIX)
Exemplo n.º 35
0
class MysqlLogPacket(MysqlLog):
    def setUp(self):
        self.iptables = Iptables()
        MysqlLog.setUp(self)

    def tearDown(self):
        MysqlLog.tearDown(self)
        self.iptables.flush()

    def testFilter(self):
        """
        User logs in, opens an authenticated connection, and
        closes the connection. Make sure that MySQL records the connection,
        only once, with the right parameters.
        """

        client = self.user.createClientWithCerts()
        time_before = int(time())
        timestamp_before = datetime_before()

        # Open allowed port
        testAllowPort(self, self.iptables, client)

        # Query DB
        if not POSTGRESQL:
            timestamp_field = "timestamp, "
        else:
            timestamp_field = ""
        sql = \
            "SELECT username, user_id, client_os, client_app, " \
            "tcp_dport, ip_saddr, ip_daddr, oob_time_sec, ip_protocol, " \
            "%sstart_timestamp, end_timestamp, oob_prefix " \
            "FROM %s WHERE oob_time_sec >= %s AND state=1;" \
            % (timestamp_field, DB_PACKET_TABLE, time_before)

        # Do the query
        for when in retry(timeout=QUERY_TIMEOUT):
            cursor = self.query(sql)
            if cursor.rowcount:
                break

        # Read result
        row = self.fetchone(cursor)
        timestamp_after = datetime_after()
        self.assertEqual(cursor.rowcount, 1)
        if POSTGRESQL:
            (username, user_id, client_os, client_app, tcp_dport, ip_saddr,
             ip_daddr, oob_time_sec, ip_protocol, start_timestamp,
             end_timestamp, oob_prefix) = row
        else:
            (username, user_id, client_os, client_app, tcp_dport, ip_saddr,
             ip_daddr, oob_time_sec, ip_protocol, timestamp, start_timestamp,
             end_timestamp, oob_prefix) = row

        # Check values
        self.assertEqual(username, client.username)
        self.assertEqual(user_id, self.user.uid)
        self.assertEqual(client_os, CLIENT_OS)
        self.assertEqual(client_app, CLIENT_APP)
        self.assertEqual(tcp_dport, VALID_PORT)
        self.assertEqual(IP(ip_saddr), client.ip)
        self.assert_(timestamp_before <= datetime.fromtimestamp(oob_time_sec)
                     <= timestamp_after)
        if not POSTGRESQL:
            self.assert_(timestamp
                         and timestamp_before <= timestamp <= timestamp_after)
        self.assertEqual(ip_protocol, 6)
        self.assertEqual(oob_prefix, OOB_PREFIX)
Exemplo n.º 36
0
 def setUp(self):
     self.iptables = Iptables()
     MysqlLog.setUp(self)