Пример #1
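    def testFilter(self):
        """
        User logs in, opens an authenticated connection, and
        closes the connection. Make sure that the SQL log database (MySQL,
        or PostgreSQL when POSTGRESQL is set) records the connection,
        only once, with the right parameters.
        """

        client = self.user.createClientWithCerts()
        time_before = int(time())
        timestamp_before = datetime_before()

        # Open allowed port
        testAllowPort(self, self.iptables, client)

        # Query DB: the "timestamp" column is only selected when the backend
        # is not PostgreSQL.
        if not POSTGRESQL:
            timestamp_field = "timestamp, "
        else:
            timestamp_field = ""
        # NOTE: the statement is built with % formatting, not bound
        # parameters. That is tolerable here only because every interpolated
        # value is test-controlled (a literal column fragment, the
        # DB_PACKET_TABLE name and int(time())). Do not reuse this pattern
        # for values that originate from a client.
        sql = \
            "SELECT username, user_id, client_os, client_app, " \
            "tcp_dport, ip_saddr, ip_daddr, oob_time_sec, ip_protocol, " \
            "%sstart_timestamp, end_timestamp, oob_prefix " \
            "FROM %s WHERE oob_time_sec >= %s AND state=1;" \
            % (timestamp_field, DB_PACKET_TABLE, time_before)

        # Do the query, repeating it until a row shows up or retry() stops
        cursor = None
        for _ in retry(timeout=QUERY_TIMEOUT):
            cursor = self.query(sql)
            if cursor.rowcount:
                break
        if cursor is None:
            # Report a clear failure instead of a NameError on the next line
            self.fail("retry() made no attempt, the query was never executed")

        # Read result
        row = self.fetchone(cursor)
        timestamp_after = datetime_after()
        # Exactly one log entry: a duplicate record is a failure too
        self.assertEqual(cursor.rowcount, 1)
        if POSTGRESQL:
            (username, user_id, client_os, client_app, tcp_dport, ip_saddr,
             ip_daddr, oob_time_sec, ip_protocol, start_timestamp,
             end_timestamp, oob_prefix) = row
        else:
            (username, user_id, client_os, client_app, tcp_dport, ip_saddr,
             ip_daddr, oob_time_sec, ip_protocol, timestamp, start_timestamp,
             end_timestamp, oob_prefix) = row

        # Check values: the logged identity and endpoints must match the
        # client that generated the traffic
        self.assertEqual(username, client.username)
        self.assertEqual(user_id, self.user.uid)
        self.assertEqual(client_os, CLIENT_OS)
        self.assertEqual(client_app, CLIENT_APP)
        self.assertEqual(tcp_dport, VALID_PORT)
        self.assertEqual(IP(ip_saddr), client.ip)
        # assertTrue replaces the deprecated assert_ alias
        self.assertTrue(
            timestamp_before <= datetime.fromtimestamp(oob_time_sec)
            <= timestamp_after)
        if not POSTGRESQL:
            self.assertTrue(
                timestamp
                and timestamp_before <= timestamp <= timestamp_after)
        # 6 is the IANA protocol number for TCP
        self.assertEqual(ip_protocol, 6)
        self.assertEqual(oob_prefix, OOB_PREFIX)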
Пример #2
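 def testOutdevOk(self):
     """
     Install an ACL created with outdev=IFACE for the first user's group,
     restart nuauth on that configuration and run testAllowPort() against
     self.host with a certificate-authenticated client.
     """
     self.acls.addAclFull("outdev test", self.host, VALID_PORT,
                          self.users[0].gid, outdev=IFACE)
     self.acls.install(self.config)
     try:
         self.nuauth = Nuauth(self.config)
         user = self.users[0]
         client = user.createClientWithCerts()
         testAllowPort(self, self.iptables, client, self.host)
     finally:
         # Remove the ACL even when an assertion fails, so a leftover rule
         # cannot influence the tests that run afterwards.
         self.acls.desinstall()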
Пример #3
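 def testInvalidOS(self):
     """
     Negative test: the ACL is created with OS=OS_NAME+"xxx", a name built
     so that it differs from OS_NAME, and testAllowPort() is called with
     allow=False, i.e. the connection is expected not to be allowed.
     """
     self.acls.addAclFull("application", self.host, VALID_PORT,
                          self.users[0].gid, OS=OS_NAME + "xxx")
     self.acls.install(self.config)
     try:
         self.nuauth = Nuauth(self.config)
         user = self.users[0]
         client = user.createClientWithCerts()
         testAllowPort(self, self.iptables, client, self.host, allow=False)
     finally:
         # Remove the ACL even when an assertion fails, so a leftover rule
         # cannot influence the tests that run afterwards.
         self.acls.desinstall()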
Пример #4
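 def testValidApplication(self):
     """
     Install an ACL created with App=APPLICATION for the first user's
     group, restart nuauth on that configuration and run testAllowPort()
     against self.host with a certificate-authenticated client.
     """
     self.acls.addAclFull("application", self.host, VALID_PORT,
                          self.users[0].gid, App=APPLICATION)
     self.acls.install(self.config)
     try:
         self.nuauth = Nuauth(self.config)
         user = self.users[0]
         client = user.createClientWithCerts()
         testAllowPort(self, self.iptables, client, self.host)
     finally:
         # Remove the ACL even when an assertion fails, so a leftover rule
         # cannot influence the tests that run afterwards.
         self.acls.desinstall()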
Пример #5
    def testFilter(self):
        """
        Check that one authenticated connection is logged exactly once.

        A client is created with certificates and handed to testAllowPort();
        the packet table is then queried until a row with state=1 is returned
        or retry() stops, and each logged column is compared with the values
        the test used.
        """
        peer = self.user.createClientWithCerts()
        time_before = int(time())
        timestamp_before = datetime_before()

        # Generate the traffic that should end up in the log table
        testAllowPort(self, self.iptables, peer)

        # The "timestamp" column is selected on every backend but PostgreSQL.
        # All interpolated values are test-controlled, none comes from a client.
        timestamp_field = "" if POSTGRESQL else "timestamp, "
        sql = (
            "SELECT username, user_id, client_os, client_app, "
            "tcp_dport, ip_saddr, ip_daddr, oob_time_sec, ip_protocol, "
            "%sstart_timestamp, end_timestamp, oob_prefix "
            "FROM %s WHERE oob_time_sec >= %s AND state=1;"
        ) % (timestamp_field, DB_PACKET_TABLE, time_before)

        # Repeat the query while it returns no row
        for _attempt in retry(timeout=QUERY_TIMEOUT):
            cursor = self.query(sql)
            if cursor.rowcount:
                break

        # Fetch the row and close the accepted time window
        row = self.fetchone(cursor)
        timestamp_after = datetime_after()
        self.assertEqual(cursor.rowcount, 1)
        if not POSTGRESQL:
            (username, user_id, client_os, client_app,
             tcp_dport, ip_saddr, ip_daddr, oob_time_sec, ip_protocol,
             timestamp, start_timestamp, end_timestamp, oob_prefix) = row
        else:
            (username, user_id, client_os, client_app,
             tcp_dport, ip_saddr, ip_daddr, oob_time_sec, ip_protocol,
             start_timestamp, end_timestamp, oob_prefix) = row

        # Identity, client fingerprint and endpoints as logged
        self.assertEqual(username, peer.username)
        self.assertEqual(user_id, self.user.uid)
        self.assertEqual(client_os, CLIENT_OS)
        self.assertEqual(client_app, CLIENT_APP)
        self.assertEqual(tcp_dport, VALID_PORT)
        self.assertEqual(IP(ip_saddr), peer.ip)

        # The logged time must fall between the two samples taken by the test
        logged_at = datetime.fromtimestamp(oob_time_sec)
        self.assert_(timestamp_before <= logged_at <= timestamp_after)
        if not POSTGRESQL:
            self.assert_(timestamp and timestamp_before <= timestamp <= timestamp_after)

        # 6 is the IANA protocol number for TCP
        self.assertEqual(ip_protocol, 6)
        self.assertEqual(oob_prefix, OOB_PREFIX)
Пример #6
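 def testFilterByUser(self):
     """
     Install a per-uid ACL ("Web user") for the first user on VALID_PORT,
     restart nuauth on that configuration, then run testAllowPort() and
     testDisallowPort() against self.host with the same authenticated
     client.
     """
     self.acls.addAclPerUid("Web user", self.host, VALID_PORT,
                            self.users[0].uid)
     self.acls.install(self.config)
     try:
         self.nuauth = Nuauth(self.config)
         user = self.users[0]
         client = user.createClientWithCerts()
         # Both directions of the policy are exercised: the positive helper
         # first, then the negative one.
         testAllowPort(self, self.iptables, client, self.host)
         testDisallowPort(self, self.iptables, client, self.host)
     finally:
         # Remove the ACL even when an assertion fails, so a leftover rule
         # cannot influence the tests that run afterwards.
         self.acls.desinstall()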
Пример #7
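    def testPeriodAccept(self):
        """
        Replace the current ACLs with a PlaintextAcl whose "web" rule carries
        a period chosen from the current local hour ("0-12" before noon,
        "12-24" otherwise), then run testAllowPort() with an authenticated
        client.
        """
        self.acls.desinstall()
        self.acls = PlaintextAcl()
        # NOTE(review): the period is picked once, here. A run that crosses
        # 12:00 between this line and the connection may fail spuriously.
        if time.localtime().tm_hour < 12:
            period = "0-12"
        else:
            period = "12-24"
        self.acls.addAcl("web", VALID_PORT, self.users[0].gid, 1, period=period)
        self.acls.install(self.config)
        try:
            self.nuauth = Nuauth(self.config)

            user = self.users[0]
            client = user.createClientWithCerts()
            testAllowPort(self, self.iptables, client)
        finally:
            # Remove the ACL even when an assertion fails, so a leftover rule
            # cannot influence the tests that run afterwards.
            self.acls.desinstall()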
Пример #8
    def testPeriodAccept(self):
        """
        Swap the installed ACLs for a PlaintextAcl "web" rule whose period is
        derived from the current local hour, then run testAllowPort() with a
        certificate-authenticated client.
        """
        self.acls.desinstall()
        self.acls = PlaintextAcl()

        # "0-12" before noon, "12-24" from noon on
        period = "0-12" if time.localtime().tm_hour < 12 else "12-24"
        first_user = self.users[0]
        self.acls.addAcl("web", VALID_PORT, first_user.gid, 1, period=period)
        self.acls.install(self.config)
        self.nuauth = Nuauth(self.config)

        client = self.users[0].createClientWithCerts()
        testAllowPort(self, self.iptables, client)

        # NOTE(review): not reached when testAllowPort() fails; confirm that
        # tearDown also removes the ACL.
        self.acls.desinstall()