Exemplo n.º 1
 def test_040_blockflag_url_subdomain_no_substring(self):
     """Verify that a "t.untangle.com" block entry does NOT block test.untangle.com.

     The entry should still block real subdomains such as foo.t.untangle.com;
     only hosts that merely end in the same characters must be left alone.
     """
     self.block_url_list_add("t.untangle.com")
     # grep -q exits 0 only when the marker "text123" is present in what wget
     # printed, so a zero status means the page itself was delivered.
     fetch_status = remote_control.run_command(
         "wget -q -O - http://test.untangle.com/test/testPage1.html 2>&1 | grep -q text123")
     # Remove the entry before asserting so a failure cannot leak it into later tests.
     self.block_url_list_clear()
     assert fetch_status == 0
     # NOTE(review): the trailing False presumably means "logged as not blocked";
     # confirm against check_events.
     event_logged = self.check_events("test.untangle.com", "/test/testPage1.html", False)
     assert event_logged
Exemplo n.º 2
 def test_055_intfNonWan(self):
     """Check that a DST_INTF "non_wan" + TCP rule does not stop a fetch of the test site."""
     rules_clear()
     # TCP is named explicitly so the DNS UDP session is not caught by the rule
     # (in case it happens to be inbound).
     non_wan_tcp_rule = create_rule_dual_condition("DST_INTF", "non_wan",
                                                   "PROTOCOL", "tcp")
     rule_append(non_wan_tcp_rule)
     wget_status = remote_control.run_command(
         "wget -q -O /dev/null -t 1 --timeout=3 http://test.untangle.com/")
     # Exit status 0 means the download went through, i.e. the rule did not match;
     # presumably the test site is reached through a WAN interface.
     assert wget_status == 0
Exemplo n.º 3
    def initialSetUp(self):
        """Stage the virus samples on the client and probe whether mail can be relayed.

        Downloads the EICAR file and a zipped sample to /tmp on the client,
        records the md5sum of the zipped sample, and sets ``canRelay``.
        """
        global app,md5StdNum, appSSL, appSSLData, canRelay
        # download eicar and trojan files before installing virus blocker
        self.ftpUserName, self.ftpPassword = global_functions.get_live_account_info("ftp")
        # Start from a clean slate: remove samples left by an earlier run.
        remote_control.run_command("rm -f /tmp/eicar /tmp/std_022_ftpVirusBlocked_file /tmp/temp_022_ftpVirusPassSite_file")
        # NOTE(review): the two wget lines below were mangled by a credential
        # scrubber ("******") and are not valid Python as shown; presumably the
        # original spliced in self.ftpUserName / self.ftpPassword - confirm upstream.
        # NOTE(review): a password passed with --password is visible in the
        # client's process list while wget runs; use test-only credentials.
        result = remote_control.run_command("wget --user="******" --password='******' -q -O /tmp/eicar http://test.untangle.com/virus/eicar.com")
        assert (result == 0)
        result = remote_control.run_command("wget --user="******" --password='******' -q -O /tmp/std_022_ftpVirusBlocked_file ftp://" + global_functions.ftpServer + "/virus/fedexvirus.zip")
        assert (result == 0)
        # Keep the checksum of the downloaded sample, both as a module global and on self.
        md5StdNum = remote_control.run_command("\"md5sum /tmp/std_022_ftpVirusBlocked_file | awk '{print $1}'\"", stdout=True)
        self.md5StdNum = md5StdNum
        # print "md5StdNum <%s>" % md5StdNum
        # NOTE(review): result was not reassigned by the md5sum call, so this
        # re-checks the status of the previous wget, not of md5sum.
        assert (result == 0)

        # Any exception from the relay probe is treated as "cannot relay".
        # NOTE(review): "except Exception,e" is Python 2 only syntax.
        try:
            canRelay = global_functions.send_test_email(mailhost=testsiteIP)
        except Exception,e:
            canRelay = False
Exemplo n.º 4
 def test_037_blockflag_url_glob_question_mark_only_one_char(self):
     """Verify that "?" in a block-list glob matches a single character only, never two or more."""
     self.block_url_list_add("metalo?t.com/test/testP?.html")
     # The page must still be delivered: grep -q exits 0 only when the marker
     # "text123" is present in wget's output.
     fetch_status = remote_control.run_command(
         "wget -q -O - http://test.untangle.com/test/testPage1.html 2>&1 | grep -q text123")
     # Remove the glob before asserting so a failure cannot leak it into later tests.
     self.block_url_list_clear()
     assert fetch_status == 0
     # NOTE(review): the trailing False presumably means "logged as not blocked";
     # confirm against check_events.
     event_logged = self.check_events("test.untangle.com", "/test/testPage1.html", False)
     assert event_logged
Exemplo n.º 5
    def test_026_protoRule_Pandora(self):
        """Toggle the "Pandora" protocol rule and check that it takes effect.

        The fetch must succeed while the rule is set to (False, False) and fail
        once it is set to (True, True); the "pass" metric must have grown by the end.
        """
        # --no-check-certificate turns off TLS certificate validation; only the
        # exit status of wget is inspected here.
        pandora_fetch = (
            "wget --no-check-certificate -q -O /dev/null -4 -t 2 --timeout=5 https://pandora.com/"
        )
        passes_before = global_functions.get_app_metric_value(app, "pass")

        touchProtoRule("Pandora", False, False)
        status_rule_off = remote_control.run_command(pandora_fetch)
        touchProtoRule("Pandora", True, True)
        status_rule_on = remote_control.run_command(pandora_fetch)
        # Switch the rule back off before asserting so a failure leaves it disabled.
        touchProtoRule("Pandora", False, False)
        assert status_rule_off == 0
        # NOTE(review): any wget failure (DNS, timeout) also yields a non-zero
        # status, so this alone does not prove the rule caused the failure.
        assert status_rule_on != 0

        # The faceplate "pass" counter should have incremented during the test.
        passes_after = global_functions.get_app_metric_value(app, "pass")
        assert passes_before < passes_after
Exemplo n.º 6
 def test_032_logicRule_Block_Gmail_by_Category(self):
     """Check that a TCP + "Mail" category logic rule makes a Gmail fetch fail."""
     nukeLogicRules()
     mail_category_rule = create2ConditionRule(
         "PROTOCOL", "TCP", "APPLICATION_CONTROL_CATEGORY", "Mail")
     appendLogicRule(mail_category_rule)
     # Certificate validation is off (--no-check-certificate); only wget's exit
     # status is inspected.
     gmail_status = remote_control.run_command(
         "wget --no-check-certificate -q -O /dev/null -4 -t 2 --timeout=5 https://mail.google.com/"
     )
     # NOTE(review): a non-zero status is also what a DNS or network failure
     # produces, so it does not by itself prove the rule did the blocking.
     assert gmail_status != 0
Exemplo n.º 7
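 def test_102_clientPenaltyBox2(self):
     """Check that a CLIENT_IN_PENALTY_BOX rule makes the fetch fail for a host tagged "penalty-box"."""
     rules_clear()
     global_functions.host_tags_add("penalty-box")
     rule_append(create_rule_single_condition("CLIENT_IN_PENALTY_BOX",
                                              None))
     result = remote_control.run_command(
         "wget -q -O /dev/null -t 1 --timeout=3 http://test.untangle.com/")
     # Drop the tag before asserting: a failed assertion would otherwise skip the
     # cleanup and leave the client tagged "penalty-box" for every later test.
     global_functions.host_tags_clear()
     assert (result != 0)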
Exemplo n.º 8
def timeOfClientOff(timediff=60):
    """Report whether the client clock and the local clock are too far apart.

    Args:
        timediff: largest tolerated gap in seconds (default 60).

    Returns:
        True when the absolute gap exceeds ``timediff``, False otherwise.
    """
    # "date +%s" prints epoch seconds on the client; stdout=True asks
    # run_command for that output instead of the exit status.
    client_epoch = int(remote_control.run_command("date +%s", stdout=True))
    local_epoch = int(time.time())
    return abs(client_epoch - local_epoch) > timediff
Exemplo n.º 9
 def test_052_intfWrongIntf(self):
     """Check that a DST_INTF rule naming another interface does not stop the fetch."""
     rules_clear()
     # One past the external interface id, so the rule names a different interface.
     other_intf = int(remote_control.interfaceExternal) + 1
     rule_append(create_rule_single_condition("DST_INTF", other_intf))
     wget_status = remote_control.run_command(
         "wget -q -O /dev/null -t 1 --timeout=3 http://test.untangle.com/")
     # Exit status 0: the download succeeded, so the rule did not match.
     assert wget_status == 0
Exemplo n.º 10
 def test_020_checkIgnoreCertificate(self):
     """Check that the certificate served for www.dropbox.com carries the expected issuer.

     Skipped when SSL Inspector has no 'Ignore Dropbox' rule.
     """
     if not findRule('Ignore Dropbox'):
         raise unittest2.SkipTest(
             'SSL Inspector does not have Ignore Dropbox rule')
     # grep -q exits 0 only if dropboxIssuer appears in the s_client output.
     # dropboxIssuer is placed inside single quotes on a shell command line, so
     # it must not itself contain a single quote.
     issuer_probe = (
         "echo -n | openssl s_client -connect www.dropbox.com:443 -servername www.dropbox.com 2>/dev/null | grep -q '%s'"
         % dropboxIssuer)
     probe_status = remote_control.run_command(issuer_probe)
     assert probe_status == 0
Exemplo n.º 11
 def test_042_addressCidrDst(self):
     """Check that a blocking DST_ADDR rule written as a /31 CIDR makes the fetch fail."""
     rules_clear()
     site_cidr = testsiteIP + "/31"
     rule_append(
         create_rule_single_condition("DST_ADDR", site_cidr, blocked=True))
     wget_status = remote_control.run_command(
         "wget -q -O /dev/null -t 1 --timeout=3 http://test.untangle.com/")
     # Non-zero exit status: the download did not complete.
     assert wget_status != 0
Exemplo n.º 12
 def test_141_clientUsernameUnauthenticated(self):
     """Check that a USERNAME "[unauthenticated]" rule applies to a host with no known user."""
     # Forget any username tied to this IP so the client has no known user.
     global_functions.host_username_clear()
     rules_clear()
     unauthenticated_rule = create_rule_single_condition("USERNAME",
                                                         "[unauthenticated]")
     rule_append(unauthenticated_rule)
     wget_status = remote_control.run_command(
         "wget -q -O /dev/null -t 1 --timeout=3 http://test.untangle.com/")
     # Non-zero exit status: the download did not complete.
     assert wget_status != 0
Exemplo n.º 13
 def test_033_addressComma(self):
     """Check that a comma-separated SRC_ADDR list containing the client IP makes the fetch fail."""
     rules_clear()
     # The client IP sits between two unrelated entries; the uneven spacing
     # after the commas is part of the value under test.
     address_list = "4.3.2.1, " + remote_control.clientIP + ",  1.2.3.4/31"
     rule_append(create_rule_single_condition("SRC_ADDR", address_list))
     wget_status = remote_control.run_command(
         "wget -q -O /dev/null -t 1 --timeout=3 http://test.untangle.com/")
     # Non-zero exit status: the download did not complete.
     assert wget_status != 0
Exemplo n.º 14
    def test_143_clientUsernameMultiple(self):
        """Check that a comma-separated USERNAME list applies whether the client's name comes first or last."""
        fetch_cmd = "wget -q -O /dev/null -t 1 --timeout=3 http://test.untangle.com/"
        # The client's hostname doubles as the username for this test.
        client_user = remote_control.get_hostname()
        global_functions.host_username_set(client_user)

        statuses = []
        for name_list in (client_user + ",foobar", "foobar," + client_user):
            rules_clear()
            rule_append(create_rule_single_condition("USERNAME", name_list))
            statuses.append(remote_control.run_command(fetch_cmd))

        # Forget the username before asserting so a failure does not leave it set.
        global_functions.host_username_clear()
        name_first_status, name_last_status = statuses
        assert name_first_status != 0
        assert name_last_status != 0
Exemplo n.º 15
 def get_web_request_results(self,
                             url="http://test.untangle.com",
                             expected=None,
                             extra_options=""):
     """Fetch ``url`` from the client with wget and return the command's result.

     Args:
         url: address to request.
         expected: text to grep for in wget's output; when None only the
             download itself is checked.
         extra_options: additional wget options, spliced in verbatim.

     Returns:
         Whatever remote_control.run_command returns for the wget
         (or wget | grep) command line.
     """
     # NOTE(review): url, expected and extra_options are concatenated unquoted
     # into the command line, so they must only come from the test code itself.
     app_name = self.app.getAppName()
     # Any URL containing "https" is fetched with certificate validation off.
     if "https" in url:
         extra_options = extra_options + "--no-check-certificate "
     # A "monitor" app never serves a block page, so only the download is checked.
     if (expected is None) or (("monitor" in app_name) and (expected == "blockpage")):
         return remote_control.run_command(
             "wget -q -O /dev/null -4 -t 2 --timeout=5 " + extra_options + " " + url)
     # NOTE(review): the echoed command is not character-for-character the one
     # executed below (option order and spacing differ).
     print("wget -4 -t 2 -q -O - " + extra_options + url + " 2>&1 | grep -q " + expected)
     grep_command = ("wget -q -4 -t 2 -O - " + extra_options + " " + url +
                     " 2>&1 | grep -q " + expected)
     return remote_control.run_command(grep_command)
Exemplo n.º 16
 def test_111_hostQuotaAttainment(self):
     """Check that a blocking HOST_QUOTA_ATTAINMENT "<1.3" rule makes the fetch fail."""
     rules_clear()
     quota_rule = create_rule_single_condition("HOST_QUOTA_ATTAINMENT", "<1.3",
                                               blocked=True)
     rule_append(quota_rule)
     wget_status = remote_control.run_command(
         "wget -q -O /dev/null -t 1 --timeout=3 http://test.untangle.com/")
     # Non-zero exit status: the download did not complete.
     assert wget_status != 0
Exemplo n.º 17
 def test_565_pass_url_overrides_block_with_sni(self):
     """Verify that the pass list still overrides the block list for an HTTPS (SNI) request."""
     self.block_url_list_add("untangle.com")
     self.pass_url_list_add("test.untangle.com")
     # The page must be delivered: grep -q exits 0 only when the marker
     # "text123" is present. Certificate validation is off for this fetch.
     https_status = remote_control.run_command(
         "wget -q -4 -t 2 --timeout=8 --no-check-certificate -O - https://test.untangle.com/test/testPage1.html 2>&1 | grep -q text123")
     # Empty both lists before asserting so a failure cannot leak the entries.
     self.block_url_list_clear()
     self.pass_url_list_clear()
     assert https_status == 0
Exemplo n.º 18
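    def test_101_email_admin_override_custom_report(self):
        """
        1. Use reportuser
        2. Reportuser overrides admin user address.
        3. Custom report with test not in default.

        The administrator account added for the test is removed in a
        ``finally`` block, so it cannot outlive the test when a later step raises.
        """
        if (not can_relay):
            raise unittest2.SkipTest('Unable to relay through ' + global_functions.testServerHost)
        if remote_control.quickTestsOnly:
            raise unittest2.SkipTest('Skipping a time consuming test')

        # Create settings to receive test_email_address
        configure_mail_relay()

        # add administrator (keep a deep copy of the original settings for the restore)
        adminsettings = uvmContext.adminManager().getSettings()
        orig_adminsettings = copy.deepcopy(adminsettings)
        adminsettings['users']['list'].append(create_admin_user(useremail=test_email_address))

        email_found = False
        email_context_found1 = None
        email_context_found2 = None
        try:
            uvmContext.adminManager().setSettings(adminsettings)

            settings = app.getSettings()
            # add custom template with a test not in daily reports
            settings["emailTemplates"]["list"] = settings["emailTemplates"]["list"][:1]
            settings["emailTemplates"]["list"].append(create_email_template())

            # add report user with test_email_address
            settings["reportsUsers"]["list"] = settings["reportsUsers"]["list"][:1]
            settings["reportsUsers"]["list"].append(create_reports_user(profile_email=test_email_address, email_template_id=2))
            # NOTE(review): these report settings are not restored by this test.
            app.setSettings(settings)

            # send email; communicate() drains both pipes, so a chatty report
            # generator cannot stall on a full pipe buffer. The output is discarded.
            report_job = subprocess.Popen([global_functions.get_prefix()+"/usr/share/untangle/bin/reports-generate-fixed-reports.py"],stdout=subprocess.PIPE,stderr=subprocess.PIPE)
            report_job.communicate()

            # look for email
            email_found = fetch_email( "/tmp/test_101_email_admin_override_custom_report_file", test_email_address )
            if email_found:
                email_context_found1 = remote_control.run_command("grep -i 'Custom Report' /tmp/test_101_email_admin_override_custom_report_file 2>&1", stdout=True)
                email_context_found2 = remote_control.run_command("grep -i 'Administration-VWuRol5uWw' /tmp/test_101_email_admin_override_custom_report_file 2>&1", stdout=True)
        finally:
            # restore: always put the original administrator list back
            uvmContext.adminManager().setSettings(orig_adminsettings)

        assert(email_found)
        assert((email_context_found1) and (email_context_found2))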
Exemplo n.º 19
def find_name_in_host_table(hostname='test'):
    """
    Report whether the host table lists this client's IP under ``hostname``.

    A background netcat connection is opened first and killed again before
    returning; every host-table entry inspected is printed.
    """
    # Open a connection in the background so the client has a live session.
    remote_control.run_command("nohup netcat -d -4 test.untangle.com 80 >/dev/null 2>&1", stdout=False, nowait=True)
    time.sleep(2)  # netcat was launched in the background; give it time to connect
    host_entries = uvmContext.hostTable().getHosts()['list']
    matched = False
    # Look for an entry carrying both the client's address and the wanted username.
    for entry in host_entries:
        print(entry)
        if (entry['address'] == remote_control.clientIP) and (entry['username'] == hostname):
            matched = True
            break
    # Stop the background netcat started above.
    remote_control.run_command("pkill netcat")
    return matched
Exemplo n.º 20
    def test_052_cookieDisabled(self):
        """
        A saved session cookie must not log the user in once session cookies are disabled.
        """
        global app, appData

        # Where the captive-portal response is written on the client.
        capture_output = "/tmp/capture_test_052.out"
        # "test -e" exits 1 when the cookie file from the earlier test is missing.
        cookie_check = remote_control.run_command("test -e " + savedCookieFileName)
        if cookie_check == 1:
            raise unittest2.SkipTest(
                'Cookie file %s was was not create in test_051_captivePortalCookie_timeout'
                % savedCookieFileName)

        # Internal NIC capture rule, basic login page, session cookies switched off.
        appData['captureRules']['list'] = []
        appData['captureRules']['list'].append(createCaptureNonWanNicRule(1))

        appData['authenticationType'] = "LOCAL_DIRECTORY"
        appData['pageType'] = "BASIC_LOGIN"
        appData['sessionCookiesEnabled'] = False
        appData['sessionCookiesTimeout'] = 10
        appData['userTimeout'] = 3600
        app.setSettings(appData)

        appid = str(app.getAppSettings()["id"])

        # Request the capture handler while presenting the saved cookie.
        handler_url = (global_functions.get_http_url() +
                       "/capture/handler.py/index?nonce=9abd7f2eb5ecd82b&method=GET&appid=" +
                       appid + "&host=test.untangle.com&uri=/")
        fetch_status = remote_control.run_command(
            "wget -O " + capture_output + "  '" + handler_url +
            "' --load-cookies " + savedCookieFileName)
        assert fetch_status == 0
        remote_control.run_command("rm " + savedCookieFileName)
        # grep -q exits 1 when 'Hi!' is absent from the response, which is
        # the outcome required here.
        greeting_status = remote_control.run_command("grep -q 'Hi!' " + capture_output)
        assert greeting_status == 1

        # The local user must not show up in the host table either.
        foundUsername = findNameInHostTable(localUserName)
        assert foundUsername == False
Exemplo n.º 21
 def test_703_ruleOrderReverse(self):
     """Check rule order: a DST_PORT 80 rule placed before a non-blocking SRC_ADDR rule decides the outcome."""
     rules_clear()
     # First rule: port 80, with whatever create_rule_single_condition defaults to.
     rule_append(create_rule_single_condition("DST_PORT", "80"))
     # Second rule: the client's own address, explicitly not blocked.
     client_pass_rule = create_rule_single_condition("SRC_ADDR",
                                                     remote_control.clientIP,
                                                     blocked=False)
     rule_append(client_pass_rule)
     wget_status = remote_control.run_command(
         "wget -q -O /dev/null -t 1 --timeout=3 http://test.untangle.com/")
     # The fetch is expected to fail, i.e. the second rule must not rescue it.
     assert wget_status != 0
Exemplo n.º 22
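def get_public_ip_address(base_URL="test.untangle.com",extra_options="",localcall=False):
    """Ask the test server which public IP address a request appears to come from.

    Args:
        base_URL: host serving /cgi-bin/myipaddress.py.
        extra_options: extra wget options, spliced verbatim into the command.
        localcall: run wget on this machine (True) or through
            remote_control.run_command (False).

    Returns:
        The command output, or "" when all four attempts produced nothing.
    """
    # NOTE(review): the command is built by string concatenation and the local
    # branch runs it through a shell, so base_URL and extra_options must only
    # ever come from the test harness, never from external input.
    # Both branches now honour base_URL; the local one used to hard-code the host.
    command = "wget --timeout=4 " + extra_options + " -q -O - \"$@\" " + base_URL + "/cgi-bin/myipaddress.py"
    attempts_left = 4
    result = ""
    while result == "" and attempts_left > 0:
        attempts_left -= 1
        if localcall:
            try:
                result = subprocess.check_output(command, shell=True)
            except subprocess.CalledProcessError:
                # wget exited non-zero: treat it as an empty answer so the
                # retry loop gets to run instead of aborting on the first failure.
                result = ""
        else:
            result = remote_control.run_command(command, stdout=True)
    return result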
Exemplo n.º 23
 def test_043_addressDstComma(self):
     """Check that a blocking DST_ADDR rule with a comma-separated list containing the test site makes the fetch fail."""
     rules_clear()
     # The test site's address sits between two unrelated entries.
     destination_list = "1.2.3.4/31," + testsiteIP + ",5.6.7.8"
     rule_append(
         create_rule_single_condition("DST_ADDR", destination_list, blocked=True))
     wget_status = remote_control.run_command(
         "wget -q -O /dev/null -t 1 --timeout=3 http://test.untangle.com/")
     # Non-zero exit status: the download did not complete.
     assert wget_status != 0
Exemplo n.º 24
 def test_132_hostHostname(self):
     """Check that a HOST_HOSTNAME rule naming the client's hostname makes the fetch fail."""
     # Record the client's hostname in the host table first.
     global_functions.host_hostname_set(remote_control.get_hostname())
     rules_clear()
     hostname_rule = create_rule_single_condition("HOST_HOSTNAME",
                                                  remote_control.get_hostname())
     rule_append(hostname_rule)
     wget_status = remote_control.run_command(
         "wget -q -O /dev/null -t 1 --timeout=3 http://test.untangle.com/")
     # Clear the hostname before asserting so a failure does not leave it set.
     global_functions.host_hostname_clear()
     assert wget_status != 0
Exemplo n.º 25
    def test_110_eventlog_smtpSSLVirus(self):
        """Mail the EICAR test file over SMTP with STARTTLS and check that an infected-email event is logged.

        Skipped on ARM machines and when mail cannot be relayed through the test site.
        """
        if platform.machine().startswith('arm'):
            raise unittest2.SkipTest("local scanner not available on ARM")
        if (not canRelay):
            raise unittest2.SkipTest('Unable to relay through ' + testsiteIP)
        # Events older than this timestamp are ignored when searching the log below.
        startTime = datetime.now()
        # The current function's name is used as the mail subject so the event
        # can be matched afterwards.
        fname = sys._getframe().f_code.co_name
        # download the email script
        # NOTE(review): the script is fetched over plain HTTP and then executed on
        # the client with no integrity check; on anything but an isolated test
        # network, verify a known checksum before running it.
        result = remote_control.run_command(
            "wget -q -O /tmp/email_script.py http://" + testsite +
            "/test/email_script.py")
        assert (result == 0)
        result = remote_control.run_command("chmod 775 /tmp/email_script.py")
        assert (result == 0)
        # Turn on SSL Inspector
        # NOTE(review): the rule inserted into ignoreRules and the
        # processEncryptedMailTraffic flag stay in appSSLData after the test;
        # only appSSL.stop() is called below.
        appSSLData['processEncryptedMailTraffic'] = True
        appSSLData['ignoreRules']['list'].insert(0, createSSLInspectRule("25"))
        appSSL.setSettings(appSSLData)
        appSSL.start()
        # email the file
        # NOTE(review): "[email protected]" here and "*****@*****.**" further down are
        # address-scrubber artefacts of the hosting page; presumably the original
        # passed sender/recipient options - confirm upstream.
        result = remote_control.run_command(
            "/tmp/email_script.py --server=%s [email protected] [email protected] --subject='%s' --body='body' --file=/tmp/eicar --starttls"
            % (testsiteIP, fname),
            nowait=False)
        # Stop SSL Inspector before asserting so it is not left running on failure.
        appSSL.stop()
        assert (result == 0)

        events = global_functions.get_events(self.displayName(),
                                             'Infected Email Events', None, 1)
        # print(events['list'][0])
        assert (events != None)
        # Look for an event with this test's subject and server address whose
        # "<shortName>_clean" field is False.
        found = global_functions.check_events(events.get('list'),
                                              5,
                                              "addr",
                                              "*****@*****.**",
                                              "subject",
                                              str(fname),
                                              's_server_addr',
                                              testsiteIP,
                                              self.shortName() + '_clean',
                                              False,
                                              min_date=startTime)
        assert (found)
Exemplo n.º 26
    def test_020_createVPNTunnel(self):
        """Import a VPN tunnel config and check that the client's public IP changes.

        Skipped when the config file cannot be downloaded or the current WAN IP
        cannot be determined. The tunnel rule and profile are removed again
        before the assertions run.
        """
        ip_query = "wget --timeout=4 -q -O - \"$@\" test.untangle.com/cgi-bin/myipaddress.py"

        # NOTE(review): vpnTunnelFile is concatenated into a shell command
        # (shell=True); it must be a value the test code controls.
        download_status = subprocess.call("wget -o /dev/null -t 1 --timeout=3 " +
                                          vpnTunnelFile + " -O /tmp/config.zip",
                                          shell=True)
        if download_status != 0:
            raise unittest2.SkipTest("Unable to download VPN file: " +
                                     vpnTunnelFile)
        currentWanIP = remote_control.run_command(ip_query, stdout=True)
        if currentWanIP == "":
            raise unittest2.SkipTest("Unable to get WAN IP")
        print("Original WAN IP: " + currentWanIP)
        app.importTunnelConfig("/tmp/config.zip", "Untangle", 200)

        appData = app.getSettings()
        appData['rules']['list'].append(setUpTunnelRule())
        appData['tunnels']['list'].append(setUpTunnelProfile())
        app.setSettings(appData)

        # Poll up to 60 times, one second apart, until the public IP seen by the
        # test server differs from the original one.
        connected = False
        for _ in range(60):
            newWanIP = remote_control.run_command(ip_query, stdout=True)
            if currentWanIP != newWanIP:
                tunnel_state = app.getTunnelStatusList()['list'][0]['stateInfo']
                connected = True
                break
            time.sleep(1)

        # remove the added tunnel
        appData['rules']['list'][:] = []
        appData['tunnels']['list'][:] = []
        app.setSettings(appData)

        # Fail if the IP never changed, or if the first tunnel is not reported CONNECTED.
        assert connected
        assert tunnel_state == "CONNECTED"
Exemplo n.º 27
 def test_061_rule_condition_response_content_type_inverse(self):
     """Verify that an HTTP_CONTENT_TYPE rule does not overmatch."""
     self.rules_clear()
     self.rule_add("HTTP_CONTENT_TYPE", "text/plain")
     # The page is text/html, not text/plain, so it must still be delivered;
     # grep -q exits 0 only when the marker "text123" is present.
     fetch_status = remote_control.run_command(
         "wget -q -O - http://test.untangle.com/test/test.html 2>&1 | grep -q text123")
     # Remove the rule before asserting so a failure cannot leak it.
     self.rules_clear()
     assert fetch_status == 0
     # NOTE(review): the trailing False presumably means "logged as not blocked";
     # confirm against check_events.
     event_logged = self.check_events("test.untangle.com", "/test/test.html", False)
     assert event_logged
Exemplo n.º 28
 def test_072_rule_condition_request_file_extension_anchored(self):
     """Verify that HTTP_REQUEST_FILE_EXTENSION does not overmatch by assuming a "."."""
     self.rules_clear()
     # Note: "tml" should only match a ".tml" extension, never ".html".
     self.rule_add("HTTP_REQUEST_FILE_EXTENSION", "tml")
     # The .html page must still be delivered; grep -q exits 0 only when the
     # marker "text123" is present.
     fetch_status = remote_control.run_command(
         "wget -q -O - http://test.untangle.com/test/test.html 2>&1 | grep -q text123")
     # Remove the rule before asserting so a failure cannot leak it.
     self.rules_clear()
     assert fetch_status == 0
     # NOTE(review): the trailing False presumably means "logged as not blocked";
     # confirm against check_events.
     event_logged = self.check_events("test.untangle.com", "/test/test.html", False)
     assert event_logged
Exemplo n.º 29
 def test_030_restartNetworkVerifyIpsecTunnel(self):
     """Re-save the network settings, then check that the IPsec tunnel still carries traffic.

     Skipped unless an earlier test left ``tunnelUp`` set. The tunnel is
     deleted before the assertions run.
     """
     global tunnelUp
     if not tunnelUp:
         raise unittest2.SkipTest(
             "Test test_020_createIpsecTunnel success required ")
     # Write the unchanged settings back and give networking time to restart.
     current_settings = uvmContext.networkManager().getNetworkSettings()
     uvmContext.networkManager().setNetworkSettings(current_settings)
     time.sleep(10)
     # Reach the far side twice: HTTPS to the remote host (certificate
     # validation off) and a single ping to the remote PC.
     https_status = remote_control.run_command(
         "wget -q -O /dev/null --no-check-certificate -4 -t 2 --timeout=5 https://%s/"
         % ipsecHostLANIP)
     ping_status = remote_control.run_command("ping -c 1 %s" % ipsecPcLANIP)
     # Delete the tunnel before asserting so a failure does not leave it configured.
     nukeIPSecTunnels()
     tunnelUp = False
     assert https_status == 0
     assert ping_status == 0
Exemplo n.º 30
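 def test_052_pass_url_overrides_rule_content_type(self):
     """verify that an entry in the pass list overrides an HTTP_CONTENT_TYPE rule"""
     self.rules_clear()
     self.rule_add("HTTP_CONTENT_TYPE","text/plain")
     self.pass_url_list_add("test.untangle.com/test/")
     # this test URL should NOT be blocked: grep -q exits 0 only when the
     # marker "text123" is present in wget's output
     result = remote_control.run_command("wget -q -O - http://test.untangle.com/test/test.txt 2>&1 | grep -q text123")
     # Clean up before asserting. The content-type rule added above has to be
     # cleared as well, otherwise it stays active after this test.
     self.rules_clear()
     self.block_url_list_clear()
     self.pass_url_list_clear()
     assert (result == 0)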