def test_check_expired_time_and_num_both_exceeded(self):
data = UserData()
data.max_num_joins = 1
data.num_joins = 2
data.valid_until = time.time() - 10000
self._run_check_expired(data, True)
def test_may_join_other_object(self):
# should work with an independent object having the same attributes
data = UserData()
data.max_num_joins = 1
data.valid_until = time.time() + 10000
mgr, testuser = self._get_mgr_with_one_user_and_data(data)
result = mgr.may_join(UserIdentifier('foo', 'bar'))
self.assert_state_allowed(result)
def test_may_join_other_name_different_id_format(self):
# also reject when the device IDs are formatted differently
data = UserData()
data.max_num_joins = 1
data.valid_until = time.time() + 10000
user = UserIdentifier('foo', 'AB-C0')
mgr = self._get_mgr_with(user, data)
result = mgr.may_join(UserIdentifier('other', 'ab:c0'))
self.assert_state_blocked(result)
def test_data_state_string(self):
check_map = {
UserData.JOIN_STATE_WAITING: 'waiting',
UserData.JOIN_STATE_ALLOWED: 'allowed',
UserData.JOIN_STATE_BLOCKED: 'blocked'
}
for state, representation in check_map.items():
data = UserData()
data.join_state = state
self.assertIn(representation, data.state_string().lower())
def test_block_state(self):
user1 = UserIdentifier('someone', '123')
user1.user_data = UserData()
user1.user_data.join_state = UserData.JOIN_STATE_ALLOWED
user2 = UserIdentifier('someoneElse', 'deviceId1')
user2.user_data = UserData()
user2.user_data.join_state = UserData.JOIN_STATE_BLOCKED
self.mock_um.list_users.return_value = [user1, user2]
result = self._exec_list()
self.assertEqual(result.count('[blocked]'), 1)
def _block_user(self, user_id):
userdata = user_id.user_data
if userdata is None:
userdata = UserData()
user_id.user_data = userdata
userdata.join_state = UserData.JOIN_STATE_BLOCKED
self._user_manager.update(user_id)
message = self._auth_handler.on_host_deny(user_id)
return build_answer('User denied.', message)
def test_check_expired_time_and_num_one_exceeded(self):
# num exceeded
data = UserData()
data.max_num_joins = 1
data.num_joins = 2
data.valid_until = time.time() + 10000
self._run_check_expired(data, True)
# time exceeded
data = UserData()
data.max_num_joins = 1
data.num_joins = 0
data.valid_until = time.time() - 10000
self._run_check_expired(data, True)
def test_disassociate_blocked_on_deny(self, mock_fmt_mac, mock_utils):
# test with and without return value of the sudo_cmd call
for message in ['message', None]:
mock_fmt_mac.reset_mock()
mock_utils.reset_mock()
self._prepare_on_host_mocks(mock_fmt_mac,
mock_utils,
expected_msg=message)
mock_utils.disassociate_user.return_value = 'OK'
testuser = UserIdentifier('user', 'aabb')
testuser.user_data = UserData()
testuser.user_data.join_state = UserData.JOIN_STATE_BLOCKED
handler = FirewallAuthHandler()
result = handler.on_host_deny(testuser)
# ensure the script also gets called when UserData is given
self._assert_on_host_call(mock_fmt_mac,
mock_utils,
'/etc/radguestauth/fw_user_drop.sh',
result,
expected_msg=message)
# blocked user needs to be disassociated as well
mock_utils.disassociate_user.assert_called_once_with('aabb')
self.assertIn('OK', result)
def test_post_auth_timeout_no_valid_until(self, mock_usermgr, mock_chat,
mock_loader):
testuser = UserIdentifier('user', 'aabb')
testuser.user_data = UserData()
testuser.user_data.valid_until = None
testuser.user_data.max_num_joins = 10
mock_usermgr_obj = Mock()
mock_usermgr_obj.find.return_value = testuser
mock_usermgr.return_value = mock_usermgr_obj
mock_auth = self._get_auth_handler_mock(mock_loader)
expected_result = {'control:Test': 'val'}
mock_auth.on_post_auth.return_value = expected_result.copy()
gacore = self._init_and_start()
result = gacore.post_auth({
'User-Name': 'user',
'Calling-Station-Id': 'aabb'
})
mock_auth.on_post_auth.assert_called_once_with(
UserIdentifier('user', 'aabb'), ANY)
mock_usermgr_obj.find.assert_called_once_with('user')
# no timeout should be added without valid_until.
self.assertEqual(expected_result, result)
self.assertIsNone(result.get('reply:Session-Timeout'))
def setUp(self):
self.mock_um = Mock()
self.mock_auth = Mock()
self.cmd = ManageUserCommand(self.mock_um, self.mock_auth)
self.testuser = UserIdentifier('user', 'device', 'pw')
self.testdata = UserData()
self.testuser.user_data = self.testdata
self.mock_um.find.return_value = self.testuser
def test_may_join_other_name(self):
# reject other users having the same device ID
data = UserData()
data.max_num_joins = 1
data.valid_until = time.time() + 10000
mgr, testuser = self._get_mgr_with_one_user_and_data(data)
result = mgr.may_join(UserIdentifier('other', 'bar'))
self.assert_state_blocked(result)
# this should also apply if the stored user has no assigned data
# (i.e. no state)
mgr, testuser = self._get_mgr_with_one_user()
result = mgr.may_join(UserIdentifier('other', 'bar'))
self.assert_state_blocked(result)
def _prepare_timeout_user(self, mock_usermgr):
testuser = UserIdentifier('user', 'aabb')
testuser.user_data = UserData()
test_validity = 600
testuser.user_data.valid_until = time.time() + test_validity
mock_usermgr_obj = Mock()
mock_usermgr_obj.find.return_value = testuser
mock_usermgr.return_value = mock_usermgr_obj
return mock_usermgr_obj, test_validity
def _increment_num_join_helper(self, max_num_joins, num_joins, valid_until,
expected_num_joins):
data = UserData()
data.max_num_joins = max_num_joins
data.num_joins = num_joins
data.valid_until = valid_until
data.check_expired(True)
self.assertEqual(data.num_joins, expected_num_joins)
def test_str_representation(self):
# incrementally adds attributes and checks if they appear in str(item).
# The str representation is important for several chat commands.
identifier = UserIdentifier('foo', 'bar')
# str needs to work without password and data
self.assertIn('foo', str(identifier))
self.assertIn('bar', str(identifier))
identifier.password = '******'
self.assertIn('passw0rd!', str(identifier))
data = UserData()
state_str = data.state_string()
self.assertIn(state_str, str(data))
# this is 1970-01-01 00:01:40
data.valid_until = 100
data.num_joins = 42
data.max_num_joins = 1234
# keep some freedoms on the actual output
self.assertIn('1970', str(data))
self.assertIn('00:01:40', str(data))
self.assertIn('42', str(data))
self.assertIn('1234', str(data))
data_str = str(data)
identifier.user_data = data
self.assertIn(data_str, str(identifier))
def test_get_expired_users(self):
mgr, testuser1, testuser2 = self._get_mgr_with_two_users()
testuser2.user_data = UserData()
# set to very low timestamp to ensure expiration
testuser2.user_data.valid_until = 123
mgr.update(testuser2)
# both users should be in the list, but only testuser2 should
# be expired.
users = mgr.list_users()
expired_users = mgr.get_expired_users()
self.assertIn(testuser1, users)
self.assertIn(testuser2, users)
self.assertListEqual(expired_users, [testuser2])
# now update first user, should be expired as well then
testuser1.user_data = UserData()
testuser1.user_data.valid_until = 123
mgr.update(testuser1)
expired_users_updated = mgr.get_expired_users()
self.assertIn(testuser1, expired_users_updated)
self.assertIn(testuser2, expired_users_updated)
def test_user_id_equality(self):
"""
Checks if the equality of two UserIdentifier objects ignores the
password and data attributes. This is needed as UserIdentifier objects
without all attributes set are used e.g. for querying.
"""
identifier1 = UserIdentifier('foo', 'bar', 'pass')
identifier2 = UserIdentifier('foo', 'bar', 'word')
self.assertEqual(identifier1, identifier2)
identifier3 = UserIdentifier('foo', 'bar', 'word')
testdata = UserData()
testdata.max_num_joins = 12
identifier3.user_data = testdata
self.assertEqual(identifier1, identifier3)
self.assertEqual(identifier2, identifier3)
self.assertNotEqual(identifier1, UserIdentifier('foo', 'baz', 'pass'))
self.assertNotEqual(identifier1, UserIdentifier('fo0', 'bar', 'pass'))
self.assertNotEqual(identifier1, 'some other type')
def execute(self, argv):
if not self._user_manager.is_request_pending():
return 'No request pending.'
req = self._user_manager.get_request()
if not isinstance(req, UserIdentifier):
return 'Invalid request in UserManager'
req.user_data = UserData()
req.user_data.join_state = UserData.JOIN_STATE_BLOCKED
self._user_manager.update(req)
self._user_manager.finish_request()
message = self._auth_handler.on_host_deny(req)
return build_answer('User denied.', message)
def test_update_request(self):
mgr = UserManager()
testuser = UserIdentifier('foo', 'bar')
pw = mgr.generate_password()
mgr.add_request(testuser)
testdata = UserData()
testuser.user_data = testdata
testuser.password = pw
mgr.update(testuser)
mgr.finish_request()
# generate another password, which should not affect the stored one
mgr.generate_password()
found = mgr.find('foo')
self.assertEqual(found.name, testuser.name)
self.assertEqual(found.device_id, testuser.device_id)
self.assertEqual(found.password, pw)
self.assertEqual(found.user_data, testdata)
def test_may_join_blocked_user(self):
data = UserData()
data.max_num_joins = 1
data.num_joins = 2
valid_time = time.time() - 10000
data.valid_until = valid_time
data.join_state = UserData.JOIN_STATE_BLOCKED
mgr, testuser = self._get_mgr_with_one_user_and_data(data)
result = mgr.may_join(testuser)
self.assert_state_blocked(result)
# attributes should be unchanged
self.assertEqual(data.max_num_joins, 1)
self.assertEqual(data.num_joins, 2)
self.assertEqual(data.valid_until, valid_time)
def execute(self, argv):
if len(argv) not in [2, 3]:
return self.usage()
parsed = self._parse_modify(argv)
if not isinstance(parsed, tuple):
return parsed
if not self._user_manager.is_request_pending():
return 'No request pending.'
req = self._user_manager.get_request()
if not isinstance(req, UserIdentifier):
return 'Invalid request in UserManager'
req.user_data = UserData()
message = self._update_with_parse_tuple(req, parsed)
self._user_manager.finish_request()
return message
def test_check_expired_time_and_num_valid(self):
data = UserData()
data.max_num_joins = 1
data.valid_until = time.time() + 10000
self._run_check_expired(data, False)
def test_check_expired_time_exceeded(self):
data = UserData()
data.valid_until = time.time() - 10000
self._run_check_expired(data, True)
def test_check_expired_num_exceeded(self):
data = UserData()
data.max_num_joins = 10
data.num_joins = 11
self._run_check_expired(data, True)
def test_check_expired_time(self):
data = UserData()
data.valid_until = time.time() + 10000
self._run_check_expired(data, False)
def test_check_expired_num(self):
data = UserData()
data.max_num_joins = 10
self._run_check_expired(data, False)