def setUp(self):
logger = logging.getLogger()
logger.level = logging.DEBUG
self.log_file = tempfile.NamedTemporaryFile()
logger.addHandler(logging.FileHandler(self.log_file.name))
self.eap_output_queue = Queue()
self.radius_output_queue = Queue()
self.timer_scheduler = FakeTimerScheduler()
self.src_mac = MacAddress.from_string("00:12:34:56:78:90")
log_prefix = "chewie.SM - port: %s, client: %s" % (self.src_mac,
self.PORT_ID_MAC)
self.sm = FullEAPStateMachine(self.eap_output_queue,
self.radius_output_queue, self.src_mac,
self.timer_scheduler, self.auth_handler,
self.failure_handler,
self.logoff_handler, log_prefix)
# find ways to inject these - overriding consts isn't ideal
self.MAX_RETRANSMITS = 3
self.sm.MAX_RETRANS = self.MAX_RETRANSMITS
self.sm.DEFAULT_TIMEOUT = 0.1
self.sm.port_enabled = True
self.sm.eap_restart = True
self.auth_counter = 0
self.failure_counter = 0
self.logoff_counter = 0
def setUp(self):
logger = logging.getLogger()
logger.level = logging.DEBUG
self.log_file = tempfile.NamedTemporaryFile()
logger.addHandler(logging.FileHandler(self.log_file.name))
logger.addHandler(logging.StreamHandler(sys.stdout))
self.chewie = Chewie('lo', logger, auth_handler, failure_handler,
logoff_handler, '127.0.0.1', 1812, 'SECRET',
'44:44:44:44:44:44')
self.fake_scheduler = FakeTimerScheduler()
self.chewie.timer_scheduler = self.fake_scheduler
global FROM_SUPPLICANT # pylint: disable=global-statement
global TO_SUPPLICANT # pylint: disable=global-statement
global FROM_RADIUS # pylint: disable=global-statement
global TO_RADIUS # pylint: disable=global-statement
global FROM_SUPPLICANT_ACTIVITY # pylint: disable=global-statement
FROM_SUPPLICANT = Queue()
FROM_SUPPLICANT_ACTIVITY = Queue()
TO_SUPPLICANT = Queue()
FROM_RADIUS = Queue()
TO_RADIUS = Queue()
def setUp(self):
self.logger = logging.getLogger()
self.logger.level = logging.DEBUG
self.log_file = tempfile.NamedTemporaryFile()
self.logger.addHandler(logging.FileHandler(self.log_file.name))
self.logger.addHandler(logging.StreamHandler(sys.stdout))
self.fake_scheduler = FakeTimerScheduler()
self.timer_scheduler = self.fake_scheduler
self.managed_port = None
self.eap_output_messages = Queue() # pylint: disable=global-statement
self.radius_output_messages = Queue() # pylint: disable=global-statement
class FullStateMachineStartTestCase(unittest.TestCase):
# TODO tests could be more thorough, and test that
# the correct packet (type/content) has been put in its respective queue.
# Would also be nice to check that the states are correctly transitioned through,
# and not just the final resting spot. Not sure how to do that - maybe parse the log??
PORT_ID_MAC = MacAddress.from_string("00:00:00:00:00:01")
def setUp(self):
logger = logging.getLogger()
logger.level = logging.DEBUG
self.log_file = tempfile.NamedTemporaryFile()
logger.addHandler(logging.FileHandler(self.log_file.name))
self.eap_output_queue = Queue()
self.radius_output_queue = Queue()
self.timer_scheduler = FakeTimerScheduler()
self.src_mac = MacAddress.from_string("00:12:34:56:78:90")
log_prefix = "chewie.SM - port: %s, client: %s" % (self.src_mac,
self.PORT_ID_MAC)
self.sm = FullEAPStateMachine(self.eap_output_queue,
self.radius_output_queue, self.src_mac,
self.timer_scheduler, self.auth_handler,
self.failure_handler,
self.logoff_handler, log_prefix)
# find ways to inject these - overriding consts isn't ideal
self.MAX_RETRANSMITS = 3
self.sm.MAX_RETRANS = self.MAX_RETRANSMITS
self.sm.DEFAULT_TIMEOUT = 0.1
self.sm.port_enabled = True
self.sm.eap_restart = True
self.auth_counter = 0
self.failure_counter = 0
self.logoff_counter = 0
def tearDown(self):
with open(self.log_file.name) as log:
self.assertNotIn(
'aaaEapResp is true. but data is false. This should never happen',
log.read())
def auth_handler(self, client_mac, port_id_mac, *args, **kwargs): # pylint: disable=unused-argument
self.auth_counter += 1
print('Successful auth from MAC %s' % str(client_mac))
def failure_handler(self, client_mac, port_id_mac): # pylint: disable=unused-argument
self.failure_counter += 1
print('failure from MAC %s' % str(client_mac))
def logoff_handler(self, client_mac, port_id_mac): # pylint: disable=unused-argument
self.logoff_counter += 1
print('logoff from MAC %s' % str(client_mac))
@check_counters
def test_eap_start(self):
# input EAPStart packet.
# output EAPIdentityRequest on eap_output_q
message = EapolStartMessage(self.src_mac)
self.sm.event(EventMessageReceived(message, self.PORT_ID_MAC))
self.assertEqual(self.sm.state, self.sm.IDLE)
self.assertEqual(self.eap_output_queue.qsize(), 1)
output = self.eap_output_queue.get_nowait()[0]
self.assertIsInstance(output, IdentityMessage)
self.assertEqual(self.radius_output_queue.qsize(), 0)
return output # Used by test_identity_response
@check_counters
def test_eap_restart(self):
self.test_eap_start()
message = EapolStartMessage(self.src_mac)
self.sm.event(EventMessageReceived(message, self.PORT_ID_MAC))
self.assertEqual(self.sm.state, self.sm.IDLE)
self.assertEqual(self.eap_output_queue.qsize(), 1)
output = self.eap_output_queue.get_nowait()[0]
self.assertIsInstance(output, IdentityMessage)
self.assertEqual(self.radius_output_queue.qsize(), 0)
@check_counters
def test_no_radius_state_attribute_after_restart(self):
"""The RADIUS State Attribute is returned by the RADIUS server,
and MUST be sent back in the next RADIUS Message.
Unless the authentication process has been restarted or its a new one.
Here we restart part way through another."""
self.test_md5_challenge_request()
self.assertEqual(self.sm.radius_state_attribute.data(),
b'random state')
self.test_eap_restart()
self.assertIsNone(self.sm.radius_state_attribute)
@check_counters
def test_timeout_failure_from_max_retransmits(self):
"""Go to timeout failure from exceeding max retransmits (also tests retransmitting)"""
output0 = self.test_eap_start()
old_radius_count = self.radius_output_queue.qsize()
self.timer_scheduler.run_jobs()
output1 = self.eap_output_queue.get_nowait()[0]
output2 = self.eap_output_queue.get_nowait()[0]
output3 = self.eap_output_queue.get_nowait()[0]
self.assertIsInstance(output0, IdentityMessage)
self.assertIsInstance(output1, IdentityMessage)
self.assertEqual(output0, output1)
self.assertEqual(output0, output2)
self.assertEqual(output0, output3)
self.assertEqual(self.radius_output_queue.qsize(), 0)
self.assertEqual(self.sm.state, self.sm.TIMEOUT_FAILURE)
self.assertEqual(self.eap_output_queue.qsize(), 0)
self.assertEqual(old_radius_count, self.radius_output_queue.qsize())
@check_counters(expected_auth_counter=1)
def test_auth_success_after_timeout_failure2_from_max_retransmits(self):
self.test_timeout_failure2_from_max_retransmits()
self.eap_output_queue.queue.clear()
self.test_success2()
@check_counters(expected_auth_counter=1)
def test_auth_success_after_timeout_failure2_from_aaa_timeout(self):
self.test_timeout_failure2_from_aaa_timeout()
self.test_success2()
@check_counters(expected_auth_counter=1)
def test_auth_success_after_timeout_failure_after_max_retransmits(self):
self.test_timeout_failure_from_max_retransmits()
self.test_success2()
@check_counters()
def test_leave_timeout_failure2_with_identiy_response(self):
self.test_timeout_failure2_from_max_retransmits()
start_eap_q_size = self.eap_output_queue.qsize()
start_radius_q_size = self.radius_output_queue.qsize()
message = IdentityMessage(self.src_mac, 25, Eap.RESPONSE, "host1user")
self.sm.event(EventMessageReceived(message, self.PORT_ID_MAC))
self.assertEqual(self.sm.state, self.sm.AAA_IDLE)
self.assertEqual(self.eap_output_queue.qsize(), start_eap_q_size + 0)
self.assertEqual(self.radius_output_queue.qsize(),
start_radius_q_size + 1)
self.assertIsInstance(self.radius_output_queue.get_nowait()[0],
IdentityMessage)
@check_counters
def test_timeout_failure2_from_aaa_timeout(self):
"""no response from AAA server equals timeout_failure2"""
self.test_md5_challenge_response()
old_eap_count = self.eap_output_queue.qsize()
old_radius_count = self.radius_output_queue.qsize()
self.timer_scheduler.run_jobs()
self.assertEqual(self.sm.state, self.sm.TIMEOUT_FAILURE2)
self.assertEqual(old_eap_count, self.eap_output_queue.qsize())
self.assertEqual(old_radius_count, self.radius_output_queue.qsize())
@check_counters
def test_timeout_failure2_from_max_retransmits(self):
"""If client does not respond when in passthrough mode,
send again and again until max retransmit counter is reached."""
self.test_md5_challenge_request()
self.assertEqual(self.eap_output_queue.qsize(), 0)
old_radius_count = self.radius_output_queue.qsize()
self.timer_scheduler.run_jobs()
self.assertEqual(self.sm.state, self.sm.TIMEOUT_FAILURE2)
self.assertEqual(self.MAX_RETRANSMITS, self.eap_output_queue.qsize())
self.assertEqual(old_radius_count, self.radius_output_queue.qsize())
@check_counters(expected_auth_counter=1)
def test_disabled_state(self):
"""move to disabled and then from disabled"""
self.test_success2()
# move to disabled. e.g. link down.
self.sm.event(EventPortStatusChange(False))
self.assertEqual(self.sm.state, self.sm.DISABLED)
self.assertEqual(self.eap_output_queue.qsize(), 0)
self.assertEqual(self.radius_output_queue.qsize(), 0)
self.assertEqual(self.auth_counter, 1)
# don't transition to initialize (still not enabled)
message = EapolStartMessage(self.src_mac)
self.sm.event(EventMessageReceived(message, self.PORT_ID_MAC))
self.assertEqual(self.sm.state, self.sm.DISABLED)
self.assertEqual(self.eap_output_queue.qsize(), 0)
self.assertEqual(self.radius_output_queue.qsize(), 0)
# port is enabled again
self.sm.event(EventPortStatusChange(True))
self.assertEqual(self.sm.state, self.sm.IDLE)
self.assertEqual(self.eap_output_queue.qsize(), 1)
self.assertEqual(self.radius_output_queue.qsize(), 0)
@check_counters
def test_identity_response(self):
_id = self.test_eap_start().message_id
# input EapIdentityResponse
# output EapIdentityResponse on radius_output_q
message = IdentityMessage(self.src_mac, _id, Eap.RESPONSE, "host1user")
self.sm.event(EventMessageReceived(message, self.PORT_ID_MAC))
self.assertEqual(self.sm.state, self.sm.AAA_IDLE)
self.assertEqual(self.eap_output_queue.qsize(), 0)
self.assertEqual(self.radius_output_queue.qsize(), 1)
self.assertIsInstance(self.radius_output_queue.get_nowait()[0],
IdentityMessage)
@check_counters
def test_md5_challenge_request(self):
self.test_identity_response()
eap_message = Md5ChallengeMessage(
self.src_mac, 2, Eap.REQUEST,
bytes.fromhex("74d3db089b727d9cc5774599e4a32a29"), b"host1user")
self.sm.event(
EventRadiusMessageReceived(eap_message,
State.create(b"random state")))
self.assertEqual(self.sm.state, self.sm.IDLE2)
self.assertEqual(self.eap_output_queue.qsize(), 1)
output = self.eap_output_queue.get_nowait()[0]
self.assertIsInstance(output, Md5ChallengeMessage)
self.assertEqual(self.radius_output_queue.qsize(), 0)
return output
@check_counters
def test_md5_challenge_response(self):
self.test_md5_challenge_request()
message = Md5ChallengeMessage(
self.src_mac, 2, Eap.RESPONSE,
bytes.fromhex("3a535f0ee8c6b34fe714aa7dad9a0e15"), b"host1user")
self.sm.event(EventMessageReceived(message, self.PORT_ID_MAC))
self.assertEqual(self.sm.state, self.sm.AAA_IDLE)
self.assertEqual(self.eap_output_queue.qsize(), 0)
self.assertEqual(self.radius_output_queue.qsize(), 1)
self.assertIsInstance(self.radius_output_queue.get_nowait()[0],
Md5ChallengeMessage)
@check_counters(expected_auth_counter=1)
def test_success2(self):
self.test_md5_challenge_response()
message = SuccessMessage(self.src_mac, 3)
self.sm.event(EventRadiusMessageReceived(message, None))
self.assertEqual(self.sm.state, self.sm.SUCCESS2)
self.assertEqual(self.eap_output_queue.qsize(), 1)
self.assertIsInstance(self.eap_output_queue.get_nowait()[0],
SuccessMessage)
self.assertEqual(self.radius_output_queue.qsize(), 0)
@check_counters(expected_auth_counter=2)
def test_two_success2(self):
self.test_success2()
expiry_job = self.sm.session_timeout_job
self.assertFalse(expiry_job.cancelled())
self.test_success2()
self.assertTrue(expiry_job.cancelled())
expiry_job = self.sm.session_timeout_job
self.assertFalse(expiry_job.cancelled())
@check_counters(expected_auth_counter=2, expected_logoff_counter=1)
def test_logoff2(self):
"""Test logoff from success2 state."""
self.test_success2()
# test the second logon expires the firsts session timeout event.
expiry_job = self.sm.session_timeout_job
self.assertFalse(expiry_job.cancelled())
message = EapolLogoffMessage(self.src_mac)
self.sm.event(EventRadiusMessageReceived(message, self.PORT_ID_MAC))
self.assertTrue(expiry_job.cancelled())
self.assertEqual(self.sm.state, self.sm.LOGOFF2)
self.assertEqual(self.eap_output_queue.qsize(), 0)
self.assertEqual(self.radius_output_queue.qsize(), 0)
self.test_success2()
@check_counters
def test_logoff_from_idle2(self):
"""Test logoff from middle of authentication. should be ignored"""
self.test_md5_challenge_request()
message = EapolLogoffMessage(self.src_mac)
self.sm.event(EventRadiusMessageReceived(message, self.PORT_ID_MAC))
# should be in same state as when test_md5_challenge_request returned.
self.assertEqual(self.sm.state, self.sm.IDLE2)
self.assertEqual(self.eap_output_queue.qsize(), 0)
self.assertEqual(self.radius_output_queue.qsize(), 0)
@check_counters(expected_failure_counter=1)
def test_failure2(self):
self.test_md5_challenge_response()
message = FailureMessage(self.src_mac, 3)
self.sm.event(EventRadiusMessageReceived(message, None))
self.assertEqual(self.sm.state, self.sm.FAILURE2)
self.assertEqual(self.eap_output_queue.qsize(), 1)
self.assertIsInstance(self.eap_output_queue.get_nowait()[0],
FailureMessage)
self.assertEqual(self.radius_output_queue.qsize(), 0)
@check_counters
def test_discard2(self):
request = self.test_md5_challenge_request()
message = Md5ChallengeMessage(
self.src_mac, request.message_id + 10, Eap.RESPONSE,
bytes.fromhex("3a535f0ee8c6b34fe714aa7dad9a0e15"), b"host1user")
self.sm.event(EventMessageReceived(message, self.PORT_ID_MAC))
self.assertEqual(self.sm.state, self.sm.IDLE2)
self.assertEqual(self.eap_output_queue.qsize(), 0)
self.assertEqual(self.radius_output_queue.qsize(), 0)
@check_counters
def test_discard(self):
message = self.test_eap_start()
# Make a message that will be discarded (id here is not sequential)
message = IdentityMessage(self.src_mac, message.message_id + 10,
Eap.RESPONSE, "host1user")
self.sm.event(EventMessageReceived(message, self.PORT_ID_MAC))
self.assertEqual(self.sm.state, self.sm.IDLE)
self.assertEqual(self.eap_output_queue.qsize(), 0)
self.assertEqual(self.radius_output_queue.qsize(), 0)
@check_counters
def test_ttls_request(self):
self.test_md5_challenge_request()
self.assertEqual(self.eap_output_queue.qsize(), 0)
self.assertEqual(self.radius_output_queue.qsize(), 0)
message = LegacyNakMessage(self.src_mac, 2, Eap.RESPONSE, 21)
self.sm.event(EventMessageReceived(message, self.PORT_ID_MAC))
self.assertEqual(self.sm.state, self.sm.AAA_IDLE)
self.assertEqual(self.eap_output_queue.qsize(), 0)
self.assertEqual(self.radius_output_queue.qsize(), 1)
message = TtlsMessage(self.src_mac, 3, Eap.REQUEST, 0x20, b'')
self.sm.event(
EventRadiusMessageReceived(message,
State.create(b"more random state")))
self.assertEqual(self.sm.state, self.sm.IDLE2)
self.assertEqual(self.eap_output_queue.qsize(), 1)
self.assertEqual(self.radius_output_queue.qsize(), 1)
message = TtlsMessage(
self.src_mac, 3, Eap.RESPONSE, 0x00,
bytes.fromhex(
'16030101280100012403032c36dbf8ee16b94b28efdb8c5603e07823f9b716557b5ef2624b026daea115760000aac030c02cc028c024c014c00a00a500a300a1009f006b006a0069006800390038003700360088008700860085c032c02ec02ac026c00fc005009d003d00350084c02fc02bc027c023c013c00900a400a200a0009e00670040003f003e0033003200310030009a0099009800970045004400430042c031c02dc029c025c00ec004009c003c002f00960041c011c007c00cc00200050004c012c008001600130010000dc00dc003000a00ff01000051000b000403000102000a001c001a00170019001c001b0018001a0016000e000d000b000c0009000a000d0020001e060106020603050105020503040104020403030103020303020102020203000f000101'
))
self.sm.event(EventMessageReceived(message, self.PORT_ID_MAC))
self.assertEqual(self.sm.state, self.sm.AAA_IDLE)
self.assertEqual(self.eap_output_queue.qsize(), 1)
self.assertEqual(self.radius_output_queue.qsize(), 2)
message = TtlsMessage(
self.src_mac, 4, Eap.REQUEST, 0x00,
bytes.fromhex(
'160303003e0200003a03036bf75d277e59b04228197af91c1c32c78beb8a708193ab3ac23a9aed30f5390c00c030000012ff01000100000b000403000102000f00010116030308d30b0008cf0008cc0003de308203da308202c2a003020102020101300d06092a864886f70d01010b0500308193310b3009060355040613024652310f300d06035504080c065261646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e6f72673126302406035504030c1d4578616d706c6520436572746966696361746520417574686f72697479301e170d3138303630353033353134345a170d3138303830343033353134345a307c310b3009060355040613024652310f300d06035504080c0652616469757331153013060355040a0c0c4578616d706c6520496e632e3123302106035504030c1a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100cf5456d7e6142383101cf79275f6396e2c9b3f7cb2878d35e5ecc6f47ee11ef20bc8a8b3217a89351c55856e5cd5eed2d10037c9bcce89fbdf927e4cc4f069863acbac4accee7e80f2105ad80d837fa50a931c5b41d03c993f5e338cfd8e69e23818360053501c34c08132ec3d6e14df89ff29c5cec5c7a87d48c4afdcf9d3f8290050be5b903ba6a2a5ce2eb79c922cae70869618c75923059f9a8d62144e8ecdaf0a9f02886afa0e73e3d68037ea9fdca2bdd0f0785e05f5ac88031010c105575dbb09eb4f307547622120ee384ab454376de8e14e0afea02f1211801b6c932324ef6dba7abf3f48f8e3e84716c40b59041ec936cb273d684b22aa1c9d24e10203010001a34f304d30130603551d25040c300a06082b0601050507030130360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e636f6d2f6578616d706c655f63612e63726c300d06092a864886f70d01010b0500038201010054fdcdabdc3a153dc167d6b210d1b324ecfac0e3b8d385704463a7f8ebf46e2e6952f249f4436ec66760868860e5ed50b519ec14628179472c312f507bc9349971d21f8f2b7d6b329b02fab448bd90fd4ce4dfbc78f23a8c4eed74d5589f4c3bd11b552535b8ab8a1a6ab9d1dfda21f247a93354702c12fdde1113cb8dd0e46e2a3a94547c9871df2a88943751d8276dc43f7f6aed921f43f6a33f9beba804c3d2b5781d754abe36ba58461798be8585b8b24b5c4a26d1e0905eb5bbae6e139b06728406bfe31baa27852252c7b4711c35ec9a41945488ef8c79a8a201351189e65baed66300528b45dfbcad233cd045336d5b35331ee76360b58583884eb0aa0004e8308204e4308203cca003020102020900de5bbe2e4d41d7fd300d06092a864886f70d01010b0500308193310b3009060355040613024652310f300d06035504080c065261646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e6f72673126302406035504030c1d4578616d706c6520436572746966696361746520417574686f72697479301e170d3138303630353033353134345a170d3138303830343033353134345a308193310b3009060355040613024652310f300d06035504080c065261646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e6f72673126302406035504030c1d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a02820101009b2190c32456e96ad8d08c6577839dcaf819f98a104bad079330714b7c12c765861c9a2e74eb0aec87a64eb58caa781f543eb2971db6b9e3b662952213aaf806fbb38c7a7fa46135c14a2e0e0a158162c2414e3c3f835bf4b80007c03df51746a04715dada1fb9fb155d479da9c34e40f192c65f64b16d4c742e66cbdc748ce0763cd45b7a88ff7d99d66449676a07116651394107c2ab5d654ad9a0315b78a2342a26790629fbe1e19a734e5e2eab933f3cef3e81c4413443988c8ccd9bc35b7ba3c6ec5571f4089ab07e401b2f21131316d4f8333782acc76d661f8440287c8e0a122200d9067b6b5d2af4cd5ab23f69cd689652c813fdd04f4f83544b4d450203010001a382013730820133301d0603551d0e0416041473fd7fcd4adc85cbfd85734c722335e7472b8df03081c80603551d230481c03081bd801473fd7fcd4adc85cbfd85734c722335e7472b8df0a18199a48196308193310b3009060355040613024652310f300d06035504080c065261646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e6f72673126302406035504030c1d4578616d706c6520436572746966696361746520417574686f72697479820900de5bbe2e4d41d7fd300f0603551d130101ff040530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e6f72672f6578616d706c655f63612e63726c300d06092a864886f70d01010b05000382010100139e9c2b1e9bf30c6567759ffb57af9f031a59b6a8adb1702a55de2e51f2286715ef1399ebdc593d38db3ad4794c3e78037d3de5612cba33cefc5b830c3a2118bfc0572d201c07105b7c0ef5bb64225d959afef6a4527a88d1e5fd552fd16775a5c90802d11ad793da157441f7a181f85a2908ebcb87a86960c6d3ae631019bc73f850bc5be494a97084ccaea1cc13c44a4fdf0ef123c067b688e47a4d223c15fd56798051ff4912c721f15c96061ef683b1ade02b5449b06184f59d4218f2287d35cfa0a3a4f65e40c8750d0c70dc00d65a8981e0a2cf6961b1355c10d399ce583a426e211b0feef37da67a57bbbc81d912d5379668cfdc3666bacf5e9d9c7d160303014d0c0001490300174104b275c284c5c067b9c3104305ba6704b4b0e083f0e285d9b205a8d7307e503907478f314679d084a0f1ccbc3ceaa6b6d56c588654d223fd16514bba463c5f8d7006010100bca760ef9aab5f1cf9239bab7d0bbf585e12f9c6440b9dd36affc87ff8f334b0dbea94686edbcff9143bd40a5136b065d5599742665fa27d5ec5e86898b7c8cc2c375d190646c644df7911f41a12a7219f667527cfc4ba99b684fb763a01f4dc361a891906e3ade0c6e787c096f868726a5aafafb76ce71ce896b50015c9db89e9c3d13c90e90b5d82a1327941404298c1e358cbc7bbbf8e4fe2e1ecafbcbddfbe0b1a7d3f0769306f16f3ed4972b14b8af0f51761053754ec73a1a41b294fe0d00a9281e3d9c0175651d2bbaf28df32a25bfbae85983a3935891f0a955b636b3540cde3aba4ec20d62988a81a608b450e87b3eefcb66f50cf3104a4b367122d16030300040e000000'
))
self.sm.event(
EventRadiusMessageReceived(
message, State.create(b"some more random state")))
self.assertEqual(self.sm.state, self.sm.IDLE2)
self.assertEqual(self.eap_output_queue.qsize(), 2)
self.assertEqual(self.radius_output_queue.qsize(), 2)
@check_counters(expected_auth_counter=1, expected_logoff_counter=1)
def test_deauth_timer(self):
self.sm.DEFAULT_SESSION_TIMEOUT = 2
self.test_success2()
self.timer_scheduler.run_jobs()
self.assertEqual(self.sm.state, self.sm.LOGOFF2)
@check_counters(expected_auth_counter=2, expected_logoff_counter=0)
def test_port_flap(self):
"""Test logoff from success2 state."""
self.test_success2()
# Put port down
self.sm.event(EventPortStatusChange(False))
self.sm.event(EventPortStatusChange(True))
self.assertEqual(self.sm.state, self.sm.NO_STATE)
self.assertFalse(self.sm.aaa_success)
self.assertFalse(self.sm.eap_success)
self.assertEqual(self.eap_output_queue.qsize(), 0)
self.assertEqual(self.radius_output_queue.qsize(), 0)
self.test_success2()
class ChewieTestCase(unittest.TestCase):
"""Main chewie.py test class"""
no_radius_replies = []
header = "0000000000010242ac17006f888e"
sup_replies_success = [
bytes.fromhex(header + "01000009027400090175736572"),
bytes.fromhex(header +
"010000160275001604103abcadc86714b2d75d09dd7ff53edf6b")
]
radius_replies_success = [
bytes.fromhex(
"0b000050066300262c8ee8a33f43ad4e837e63c54f180175001604101a16a3baa37a0238f33384f6c"
"11067425012a3bf83bea0eeb69645088527dc491eed18126aa866456add628e3a55a4737872cad6"
),
bytes.fromhex(
"02010032ec22830bb2fbde37f635e91690410b334"
"f060375000450129a08d246ec3da2f371ec4ff16eed9310010675736572")
]
radius_replies_success_mab = [
bytes.fromhex(
"02000034187d6f5dc540a24efa738d2ba242ac5c50128f4b859e01a85b919b848421d0d369"
"ad010e303234326163313730303666")
]
radius_replies_failure_mab = [
bytes.fromhex(
"030000340b0a0f4ec71ebd0573180eb45161c2b7010e303234326163313730303666"
)
]
sup_replies_logoff = [
bytes.fromhex(header + "01000009027400090175736572"),
bytes.fromhex(header +
"010000160275001604103abcadc86714b2d75d09dd7ff53edf6b"),
bytes.fromhex("0000000000010242ac17006f888e01020000")
]
# packet id (0x84 is incorrect)
sup_replies_failure_message_id = [
bytes.fromhex(header + "01000009028400090175736572"),
bytes.fromhex(header + "01000009029400090175736572"),
bytes.fromhex(header + "01000009026400090175736572"),
bytes.fromhex(header + "01000009025400090175736572")
]
# the first response has correct code, second is wrong and will be dropped by radius
sup_replies_failure2_response_code = [
bytes.fromhex(header + "01000009027400090175736572"),
bytes.fromhex(header + "01000009037400090175736572")
]
def setUp(self):
logger = logging.getLogger()
logger.level = logging.DEBUG
self.log_file = tempfile.NamedTemporaryFile()
logger.addHandler(logging.FileHandler(self.log_file.name))
logger.addHandler(logging.StreamHandler(sys.stdout))
self.chewie = Chewie('lo', logger, auth_handler, failure_handler,
logoff_handler, '127.0.0.1', 1812, 'SECRET',
'44:44:44:44:44:44')
self.fake_scheduler = FakeTimerScheduler()
self.chewie.timer_scheduler = self.fake_scheduler
global FROM_SUPPLICANT # pylint: disable=global-statement
global TO_SUPPLICANT # pylint: disable=global-statement
global FROM_RADIUS # pylint: disable=global-statement
global TO_RADIUS # pylint: disable=global-statement
global FROM_SUPPLICANT_ACTIVITY # pylint: disable=global-statement
FROM_SUPPLICANT = Queue()
FROM_SUPPLICANT_ACTIVITY = Queue()
TO_SUPPLICANT = Queue()
FROM_RADIUS = Queue()
TO_RADIUS = Queue()
def tearDown(self):
self.chewie.shutdown()
def test_get_state_machine(self):
"""Tests Chewie.get_state_machine()"""
self.assertEqual(len(self.chewie.state_machines), 0)
# creates the state_machine if it doesn't exist
state_machine = self.chewie.get_state_machine(
'12:34:56:78:9a:bc',
# pylint: disable=invalid-name
'00:00:00:00:00:01')
self.assertEqual(len(self.chewie.state_machines), 1)
self.assertIs(
state_machine,
self.chewie.get_state_machine('12:34:56:78:9a:bc',
'00:00:00:00:00:01'))
self.assertIsNot(
state_machine,
self.chewie.get_state_machine('12:34:56:78:9a:bc',
'00:00:00:00:00:02'))
self.assertIsNot(
state_machine,
self.chewie.get_state_machine('ab:cd:ef:12:34:56',
'00:00:00:00:00:01'))
# 2 ports
self.assertEqual(len(self.chewie.state_machines), 2)
# port 1 has 2 macs
self.assertEqual(len(self.chewie.state_machines['00:00:00:00:00:01']),
2)
# port 2 has 1 mac
self.assertEqual(len(self.chewie.state_machines['00:00:00:00:00:02']),
1)
# TODO Stop Test from touching internal get_state_machine_from_radius_packet
def test_get_state_machine_by_packet_id(self):
"""Tests Chewie.get_state_machine_by_packet_id()"""
self.chewie.radius_lifecycle.packet_id_to_mac[56] = {
'src_mac': '12:34:56:78:9a:bc',
'port_id': '00:00:00:00:00:01'
}
state_machine = self.chewie.get_state_machine(
'12:34:56:78:9a:bc',
# pylint: disable=invalid-name
'00:00:00:00:00:01')
self.assertIs(self.chewie._get_state_machine_from_radius_packet_id(56),
state_machine)
with self.assertRaises(KeyError):
self.chewie._get_state_machine_from_radius_packet_id(20)
@patch_things
@setup_generators(sup_replies_success, radius_replies_success)
def test_success_dot1x(self):
"""Test success api"""
FROM_SUPPLICANT.put_nowait(
bytes.fromhex("0000000000010242ac17006f888e01010000"))
pool = eventlet.GreenPool()
pool.spawn(self.chewie.run)
eventlet.sleep(1)
self.assertEqual(
self.chewie.get_state_machine('02:42:ac:17:00:6f',
'00:00:00:00:00:01').state,
FullEAPStateMachine.SUCCESS2)
@patch_things
@setup_generators(sup_replies_success, radius_replies_success)
def test_chewie_identity_response_dot1x(self):
"""test port status api and that identity request is sent after port up"""
global TO_SUPPLICANT
pool = eventlet.GreenPool()
pool.spawn(self.chewie.run)
eventlet.sleep(1)
self.chewie.port_down("00:00:00:00:00:01")
self.chewie.port_up("00:00:00:00:00:01")
while not self.fake_scheduler.jobs:
eventlet.sleep(SHORT_SLEEP)
self.fake_scheduler.run_jobs(num_jobs=1)
# check preemptive sent directly after port up
out_packet = TO_SUPPLICANT.get()
self.assertEqual(
out_packet,
bytes.fromhex('0180C2000003000000000001888e010000050167000501'))
# Send a response to the request
FROM_SUPPLICANT.put_nowait(
bytes.fromhex("0000000000010242ac17006f888e010000050167000501"))
eventlet.sleep(2)
self.assertEqual(
self.chewie.get_state_machine('02:42:ac:17:00:6f',
'00:00:00:00:00:01').state,
FullEAPStateMachine.AAA_IDLE)
@patch_things
def test_port_status_changes(self):
"""test port status api and that identity request is sent after port up"""
global TO_SUPPLICANT
pool = eventlet.GreenPool()
pool.spawn(self.chewie.run)
eventlet.sleep(1)
self.chewie.port_down("00:00:00:00:00:01")
self.chewie.port_up("00:00:00:00:00:01")
while not self.fake_scheduler.jobs:
eventlet.sleep(SHORT_SLEEP)
self.fake_scheduler.run_jobs(num_jobs=1)
# check preemptive sent directly after port up
out_packet = TO_SUPPLICANT.get()
self.assertEqual(
out_packet,
bytes.fromhex('0180C2000003000000000001888e010000050167000501'))
# check there is a new job in the queue for sending the next id request.
# This will keep adding jobs forever.
self.assertEqual(len(self.fake_scheduler.jobs), 1)
self.assertEqual(self.fake_scheduler.jobs[0].function.__name__,
ManagedPort.send_preemptive_identity_request.__name__)
@patch_things
def test_delete_state_on_port_down(self):
"""test port status api and that identity request is sent after port up"""
self.test_chewie_identity_response_dot1x()
self.chewie.port_down("00:00:00:00:00:01")
self.assertIsNone(self.chewie.state_machines.get("00:00:00:00:00:01"),
"Not Removing state machines on port_down")
@patch_things
@setup_generators(sup_replies_logoff, radius_replies_success)
def test_logoff_dot1x(self):
"""Test logoff"""
self.chewie.get_state_machine(
MacAddress.from_string('02:42:ac:17:00:6f'),
MacAddress.from_string('00:00:00:00:00:01'))
FROM_SUPPLICANT.put_nowait(
bytes.fromhex("0000000000010242ac17006f888e01010000"))
pool = eventlet.GreenPool()
pool.spawn(self.chewie.run)
eventlet.sleep(SHORT_SLEEP)
self.assertEqual(
self.chewie.get_state_machine('02:42:ac:17:00:6f',
'00:00:00:00:00:01').state,
FullEAPStateMachine.LOGOFF2)
@patch_things
@setup_generators(sup_replies_failure_message_id, no_radius_replies)
def test_failure_message_id_dot1x(self):
"""Test incorrect message id results in timeout_failure"""
# TODO not convinced this is transitioning through the correct states.
# (should be discarding all packets)
# But end result is correct (both packets sent/received, and end state)
# self.chewie.get_state_machine(MacAddress.from_string('02:42:ac:17:00:6f'),
self.chewie.get_state_machine(
MacAddress.from_string('02:42:ac:17:00:6f'),
MacAddress.from_string('00:00:00:00:00:01')).DEFAULT_TIMEOUT = 0.5
FROM_SUPPLICANT.put_nowait(
bytes.fromhex("0000000000010242ac17006f888e01010000"))
pool = eventlet.GreenPool()
pool.spawn(self.chewie.run)
while not self.fake_scheduler.jobs:
eventlet.sleep(SHORT_SLEEP)
self.fake_scheduler.run_jobs()
self.assertEqual(
self.chewie.get_state_machine('02:42:ac:17:00:6f',
'00:00:00:00:00:01').state,
FullEAPStateMachine.TIMEOUT_FAILURE)
@patch_things
@setup_generators(sup_replies_failure2_response_code, no_radius_replies)
def test_failure2_resp_code_dot1x(self):
"""Test incorrect eap.code results in timeout_failure2. RADIUS Server drops it.
It is up to the supplicant to send another request - this supplicant doesnt"""
self.chewie.get_state_machine(
MacAddress.from_string('02:42:ac:17:00:6f'),
MacAddress.from_string('00:00:00:00:00:01')).DEFAULT_TIMEOUT = 0.5
FROM_SUPPLICANT.put_nowait(
bytes.fromhex("0000000000010242ac17006f888e01010000"))
pool = eventlet.GreenPool()
pool.spawn(self.chewie.run)
while not self.fake_scheduler.jobs:
eventlet.sleep(SHORT_SLEEP)
self.fake_scheduler.run_jobs()
self.assertEqual(
self.chewie.get_state_machine('02:42:ac:17:00:6f',
'00:00:00:00:00:01').state,
FullEAPStateMachine.TIMEOUT_FAILURE2)
@patch_things
def test_mab_receive(self):
"""Test ETH Receive Ability of MAB Functionality"""
mab_sm = self.chewie.get_state_machine(
MacAddress.from_string('02:42:ac:17:00:6f'),
MacAddress.from_string('00:00:00:00:00:01'), -2)
mab_sm.DEFAULT_TIMEOUT = 0.5
FROM_SUPPLICANT_ACTIVITY.put_nowait(
bytes.fromhex(
"0000000000010242ac17006f08004500001c0001000040117cce7f0000017f0000010044004300080155"
))
pool = eventlet.GreenPool()
pool.spawn(self.chewie.run)
eventlet.sleep(SHORT_SLEEP)
self.assertEqual(
self.chewie.get_state_machine('02:42:ac:17:00:6f',
'00:00:00:00:00:01').state,
MacAuthenticationBypassStateMachine.AAA_IDLE)
@patch_things
@setup_generators(None, radius_replies_success_mab)
def test_mab_success_auth(self):
"""Test Successful MAB Attempt"""
mab_sm = self.chewie.get_state_machine(
MacAddress.from_string('02:42:ac:17:00:6f'),
MacAddress.from_string('00:00:00:00:00:01'), -2)
mab_sm.DEFAULT_TIMEOUT = 0.5
FROM_SUPPLICANT_ACTIVITY.put_nowait(
bytes.fromhex(
"0000000000010242ac17006f08004500001c0001000040117cce7f0000017f0000010044004300080155"
))
pool = eventlet.GreenPool()
pool.spawn(self.chewie.run)
eventlet.sleep(SHORT_SLEEP)
self.assertEqual(
self.chewie.get_state_machine('02:42:ac:17:00:6f',
'00:00:00:00:00:01').state,
MacAuthenticationBypassStateMachine.AAA_SUCCESS)
@patch_things
@setup_generators(None, radius_replies_failure_mab)
def test_mab_failure_auth(self):
"""Test unsuccessful MAB Attempt"""
mab_sm = self.chewie.get_state_machine(
MacAddress.from_string('02:42:ac:17:00:6f'),
MacAddress.from_string('00:00:00:00:00:01'), -2)
mab_sm.DEFAULT_TIMEOUT = 0.5
FROM_SUPPLICANT_ACTIVITY.put_nowait(
bytes.fromhex(
"0000000000010242ac17006f08004500001c0001000040117cce7f0000017f0000010044004300080155"
))
pool = eventlet.GreenPool()
pool.spawn(self.chewie.run)
eventlet.sleep(SHORT_SLEEP)
self.assertEqual(
self.chewie.get_state_machine('02:42:ac:17:00:6f',
'00:00:00:00:00:01').state,
MacAuthenticationBypassStateMachine.AAA_FAILURE)
@patch_things
@setup_generators(sup_replies_success, radius_replies_success)
def test_smoke_test_clients(self):
"""Test success api"""
FROM_SUPPLICANT.put_nowait(
bytes.fromhex("0000000000010242ac17006f888e01010000"))
pool = eventlet.GreenPool()
pool.spawn(self.chewie.run)
eventlet.sleep(1)
self.assertIsNotNone(self.chewie.clients)
self.assertEqual(len(self.chewie.clients), 1)
class ChewieTestCase(unittest.TestCase):
"""Main chewie.py test class"""
no_radius_replies = []
header = "0000000000010242ac17006f888e"
sup_replies_success = [
bytes.fromhex(header + "01000009027400090175736572"),
bytes.fromhex(header +
"010000160275001604103abcadc86714b2d75d09dd7ff53edf6b")
]
radius_replies_success = [
bytes.fromhex(
"0b000050066300262c8ee8a33f43ad4e837e63c54f180175001604101a16a3baa37a0238f33384f6c11067425012a3bf83bea0eeb69645088527dc491eed18126aa866456add628e3a55a4737872cad6"
),
bytes.fromhex(
"02010032ec22830bb2fbde37f635e91690410b334f060375000450129a08d246ec3da2f371ec4ff16eed9310010675736572"
)
]
sup_replies_logoff = [
bytes.fromhex(header + "01000009027400090175736572"),
bytes.fromhex(header +
"010000160275001604103abcadc86714b2d75d09dd7ff53edf6b"),
bytes.fromhex("0000000000010242ac17006f888e01020000")
]
# packet id (0x84 is incorrect)
sup_replies_failure_message_id = [
bytes.fromhex(header + "01000009028400090175736572"),
bytes.fromhex(header + "01000009029400090175736572"),
bytes.fromhex(header + "01000009026400090175736572"),
bytes.fromhex(header + "01000009025400090175736572")
]
# the first response has correct code, second is wrong and will be dropped by radius
sup_replies_failure2_response_code = [
bytes.fromhex(header + "01000009027400090175736572"),
bytes.fromhex(header + "01000009037400090175736572")
]
def setUp(self):
logger = logging.getLogger()
logger.level = logging.DEBUG
self.log_file = tempfile.NamedTemporaryFile()
logger.addHandler(logging.FileHandler(self.log_file.name))
logger.addHandler(logging.StreamHandler(sys.stdout))
self.chewie = Chewie('lo', logger, auth_handler, failure_handler,
logoff_handler, '127.0.0.1', 1812, 'SECRET',
'44:44:44:44:44:44')
self.fake_scheduler = FakeTimerScheduler()
self.chewie.timer_scheduler = self.fake_scheduler
global FROM_SUPPLICANT # pylint: disable=global-statement
global TO_SUPPLICANT # pylint: disable=global-statement
global FROM_RADIUS # pylint: disable=global-statement
global TO_RADIUS # pylint: disable=global-statement
FROM_SUPPLICANT = Queue()
TO_SUPPLICANT = Queue()
FROM_RADIUS = Queue()
TO_RADIUS = Queue()
def tearDown(self):
self.chewie.shutdown()
def test_get_state_machine(self):
"""Tests Chewie.get_state_machine()"""
self.assertEqual(len(self.chewie.state_machines), 0)
# creates the state_machine if it doesn't exist
state_machine = self.chewie.get_state_machine(
'12:34:56:78:9a:bc', # pylint: disable=invalid-name
'00:00:00:00:00:01')
self.assertEqual(len(self.chewie.state_machines), 1)
self.assertIs(
state_machine,
self.chewie.get_state_machine('12:34:56:78:9a:bc',
'00:00:00:00:00:01'))
self.assertIsNot(
state_machine,
self.chewie.get_state_machine('12:34:56:78:9a:bc',
'00:00:00:00:00:02'))
self.assertIsNot(
state_machine,
self.chewie.get_state_machine('ab:cd:ef:12:34:56',
'00:00:00:00:00:01'))
# 2 ports
self.assertEqual(len(self.chewie.state_machines), 2)
# port 1 has 2 macs
self.assertEqual(len(self.chewie.state_machines['00:00:00:00:00:01']),
2)
# port 2 has 1 mac
self.assertEqual(len(self.chewie.state_machines['00:00:00:00:00:02']),
1)
def test_get_state_machine_by_packet_id(self):
"""Tests Chewie.get_state_machine_by_packet_id()"""
self.chewie.radius_lifecycle.packet_id_to_mac[56] = {
'src_mac': '12:34:56:78:9a:bc',
'port_id': '00:00:00:00:00:01'
}
state_machine = self.chewie.get_state_machine(
'12:34:56:78:9a:bc', # pylint: disable=invalid-name
'00:00:00:00:00:01')
self.assertIs(self.chewie.get_state_machine_from_radius_packet_id(56),
state_machine)
with self.assertRaises(KeyError):
self.chewie.get_state_machine_from_radius_packet_id(20)
@patch_things
@setup_generators(sup_replies_success, radius_replies_success)
def test_success_dot1x(self):
"""Test success api"""
FROM_SUPPLICANT.put_nowait(
bytes.fromhex("0000000000010242ac17006f888e01010000"))
pool = eventlet.GreenPool()
pool.spawn(self.chewie.run)
eventlet.sleep(1)
self.assertEqual(
self.chewie.get_state_machine('02:42:ac:17:00:6f',
'00:00:00:00:00:01').state,
FullEAPStateMachine.SUCCESS2)
def test_port_status_changes(self):
"""test port status api"""
# TODO what can actually be checked here?
# the state machine tests already check the statemachine
# could check that the preemptive identity request packet is sent. (once implemented)
# for now just check api works under python version.
self.chewie.port_down("00:00:00:00:00:01")
self.chewie.port_up("00:00:00:00:00:01")
self.chewie.port_down("00:00:00:00:00:01")
@patch_things
@setup_generators(sup_replies_logoff, radius_replies_success)
def test_logoff_dot1x(self):
"""Test logoff"""
self.chewie.get_state_machine(
MacAddress.from_string('02:42:ac:17:00:6f'),
MacAddress.from_string('00:00:00:00:00:01'))
FROM_SUPPLICANT.put_nowait(
bytes.fromhex("0000000000010242ac17006f888e01010000"))
pool = eventlet.GreenPool()
pool.spawn(self.chewie.run)
eventlet.sleep(0.1)
self.assertEqual(
self.chewie.get_state_machine('02:42:ac:17:00:6f',
'00:00:00:00:00:01').state,
FullEAPStateMachine.LOGOFF2)
@patch_things
@setup_generators(sup_replies_failure_message_id, no_radius_replies)
def test_failure_message_id_dot1x(self):
"""Test incorrect message id results in timeout_failure"""
# TODO not convinced this is transitioning through the correct states.
# (should be discarding all packets)
# But end result is correct (both packets sent/received, and end state)self.chewie.get_state_machine(MacAddress.from_string('02:42:ac:17:00:6f'),
self.chewie.get_state_machine(
MacAddress.from_string('02:42:ac:17:00:6f'),
MacAddress.from_string('00:00:00:00:00:01')).DEFAULT_TIMEOUT = 0.5
FROM_SUPPLICANT.put_nowait(
bytes.fromhex("0000000000010242ac17006f888e01010000"))
pool = eventlet.GreenPool()
pool.spawn(self.chewie.run)
while not self.fake_scheduler.jobs:
eventlet.sleep(0.1)
self.fake_scheduler.run_jobs()
self.assertEqual(
self.chewie.get_state_machine('02:42:ac:17:00:6f',
'00:00:00:00:00:01').state,
FullEAPStateMachine.TIMEOUT_FAILURE)
@patch_things
@setup_generators(sup_replies_failure2_response_code, no_radius_replies)
def test_failure2_resp_code_dot1x(self):
"""Test incorrect eap.code results in timeout_failure2. RADIUS Server drops it.
It is up to the supplicant to send another request - this supplicant doesnt"""
self.chewie.get_state_machine(
MacAddress.from_string('02:42:ac:17:00:6f'),
MacAddress.from_string('00:00:00:00:00:01')).DEFAULT_TIMEOUT = 0.5
FROM_SUPPLICANT.put_nowait(
bytes.fromhex("0000000000010242ac17006f888e01010000"))
pool = eventlet.GreenPool()
pool.spawn(self.chewie.run)
while not self.fake_scheduler.jobs:
eventlet.sleep(0.1)
self.fake_scheduler.run_jobs()
self.assertEqual(
self.chewie.get_state_machine('02:42:ac:17:00:6f',
'00:00:00:00:00:01').state,
FullEAPStateMachine.TIMEOUT_FAILURE2)