    def setUp(self):
        """Start nuauth with the mark_flag finalize module and a marked ACL.

        A one-user plaintext database and a single ACL on ``VALID_PORT`` are
        installed; the ACL flags carry ``mark << shift`` and the mark_flag
        module is configured with the same shift, so the two halves agree.
        nufw is started with ``-m`` and a certificate client is created.
        """
        self.port = VALID_PORT
        self.mark = 1
        self.shift = 8
        nuconfig = NuauthConf()

        # Temporary user database with a single guest account
        self.user = PlaintextUser("guest", "nopassword", 42, 42)
        self.userdb = PlaintextUserDB()
        self.userdb.addUser(self.user)
        self.userdb.install(nuconfig)

        # One ACL on the test port, the mark stored in its flags field
        acl_flags = self.mark << self.shift
        self.acls = PlaintextAcl()
        self.acls.addAcl("port", self.port, self.user.gid, flags=acl_flags)
        self.acls.install(nuconfig)

        # Finalize-packet module reading the mark back out of the ACL flags
        nuconfig["nuauth_finalize_packet_module"] = '"mark_flag"'
        nuconfig["mark_flag_mark_shift"] = 0
        nuconfig["mark_flag_flag_shift"] = self.shift
        nuconfig["mark_flag_nbits"] = 16

        self.nuauth = Nuauth(nuconfig)
        self.iptables = Iptables()
        self.nufw = startNufw(["-m"])
        self.client = self.user.createClientWithCerts()
    def setUp(self):
        """Start nuauth with a default configuration and open a certificate client."""
        # Load nuauth
        self.nuauth = Nuauth(NuauthConf())

        # Create client
        self.client = createClientWithCerts()
 def setUp(self):
     """Start nufw and nuauth with SQL user logging and record the test start time.

     The database backend follows the ``POSTGRESQL`` flag: a pgdb connection
     with the "pgsql" log modules, otherwise MySQLdb with the "mysql" modules.
     ``self.conn`` is left open for the test body; the ACL on ``VALID_PORT``
     is tagged with ``LOG_PREFIX``.
     """
     startNufw(["-s"])
     config = NuauthConf()
     config["nuauth_log_users"] = '9'
     config["mysql_prefix_version"] = '1'
     if POSTGRESQL:
         # NOTE(review): need_restart is only raised on the pgsql branch —
         # confirm that the mysql branch really does not need it.
         config.need_restart = True
         self.conn = pgdb.connect(host=DB_SERVER, user=DB_USER,
                                  password=DB_PASSWORD, database=DB_DBNAME)
         log_module = '"pgsql"'
     else:
         self.conn = MySQLdb.Connect(host=DB_SERVER, user=DB_USER,
                                     passwd=DB_PASSWORD, db=DB_DBNAME)
         log_module = '"mysql"'
     config["nuauth_user_logs_module"] = log_module
     config["nuauth_user_session_logs_module"] = log_module
     self.users = USERDB
     self.user = self.users[0]
     self.acls = PlaintextAcl()
     self.acls.addAcl("web", VALID_PORT, self.user.gid, log_prefix=LOG_PREFIX)
     self.users.install(config)
     self.acls.install(config)
     self.nuauth = Nuauth(config)
     # One second of slack before "now" — presumably the lower bound used when
     # looking up this test's log rows; confirm against the test body.
     self.start_time = int(time() - 1.1)
    def testBlacklistAuthNOK(self):
        """A user whose group is on the session blacklist must not be able to connect."""
        conf = self.config
        # Password authentication; group 42 blacklisted (presumably the test
        # user's gid — see setUp)
        conf["nuauth_tls_auth_by_cert"] = 0
        conf["session_authtype_blacklist_groups"] = '"42"'
        self.nuauth = Nuauth(conf)

        self.client = self.user.createClientWithCerts()
        connected = connectClient(self.client)
        self.assertFalse(connected)
    def testSASLAuthNOK(self):
        """SASL authentication must be refused for a user outside the allowed SASL groups."""
        conf = self.config
        # Password authentication; only group 123 may use SASL (the test user
        # is presumably not in it — see setUp)
        conf["nuauth_tls_auth_by_cert"] = 0
        conf["session_authtype_sasl_groups"] = '"123"'
        self.nuauth = Nuauth(conf)

        self.client = self.user.createClientWithCerts()
        connected = connectClient(self.client)
        self.assertFalse(connected)
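 def testDrop(self):
     """With both reject options off, an unauthorized connection must time out.

     The client is stopped in ``finally`` so a failed check does not leave a
     client process behind.
     """
     self.config["nuauth_reject_after_timeout"] = "0"
     self.config["nuauth_reject_authenticated_drop"] = "0"
     self.nuauth = Nuauth(self.config)
     client = self.users[0].createClientWithCerts()
     try:
         # ETIMEDOUT: the packet is dropped, so nothing ever answers
         testPortFailure(self, self.iptables, client, VALID_PORT, ETIMEDOUT)
     finally:
         client.stop()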
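 def testRejectAuthenticated(self):
     """With reject for authenticated drops on, an unauthorized connection must be refused.

     The client is stopped in ``finally`` so a failed check does not leave a
     client process behind.
     """
     self.config["nuauth_reject_after_timeout"] = 0
     self.config["nuauth_reject_authenticated_drop"] = 1
     self.nuauth = Nuauth(self.config)
     client = self.users[0].createClientWithCerts()
     try:
         # ECONNREFUSED: the packet is rejected instead of silently dropped
         testPortFailure(self, self.iptables, client, VALID_PORT, ECONNREFUSED)
     finally:
         client.stop()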
 def testCertAuthGroupNOK(self):
     """Certificate authentication must fail for a user outside the allowed SSL groups."""
     # Certificate-based auth, restricted to group 100 (presumably not the
     # test user's gid — see setUp)
     self.config["nuauth_tls_auth_by_cert"] = "2"
     self.config["session_authtype_ssl_groups"] = '"100"'
     self.nuauth = Nuauth(self.config)
     # Client
     self.client = self.user.createClientWithCerts()
     # NOTE(review): the format string below has no conversion specifier, so
     # "%" raises TypeError for a str password; the literal looks redacted —
     # confirm the intended value.
     self.client.password = "******" % self.user.password
     connected = connectClient(self.client)
     self.assertFalse(connected)
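 def startNuauth(self, dict_args=None):
     """Build a fresh NuauthConf, overlay ``dict_args`` on it and start nuauth.

     Args:
         dict_args: optional mapping of configuration keys to values, copied
             verbatim into ``self.nuconfig``; ``None`` means no override.

     Side effects: sets ``self.cacert`` (absolute path of the test CA
     certificate), ``self.nuconfig`` and ``self.nuauth``.
     """
     self.cacert = abspath(config.get("test_cert", "cacert"))
     self.nuconfig = NuauthConf()
     if dict_args is None:
         dict_args = {}
     # Iterate items directly instead of keys() + a second lookup per key
     for key, value in dict_args.items():
         self.nuconfig[key] = value
     self.nuauth = Nuauth(self.nuconfig)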
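 def testOutdevOk(self):
     """An ACL bound to the output interface ``IFACE`` must allow the port.

     The temporary ACL is removed in ``finally`` so a failure here does not
     leave it installed for later tests.
     """
     self.acls.addAclFull("outdev test", self.host, VALID_PORT,
                          self.users[0].gid, outdev=IFACE)
     self.acls.install(self.config)
     try:
         self.nuauth = Nuauth(self.config)
         client = self.users[0].createClientWithCerts()
         testAllowPort(self, self.iptables, client, self.host)
     finally:
         self.acls.desinstall()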
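 def testInvalidOS(self):
     """An ACL restricted to a non-matching OS name must not allow the port.

     The OS is ``OS_NAME`` with a bogus suffix, so the client's real OS cannot
     match it.  The temporary ACL is removed in ``finally`` so a failure here
     does not leave it installed for later tests.
     """
     self.acls.addAclFull("application", self.host, VALID_PORT,
                          self.users[0].gid, OS=OS_NAME + "xxx")
     self.acls.install(self.config)
     try:
         self.nuauth = Nuauth(self.config)
         client = self.users[0].createClientWithCerts()
         testAllowPort(self, self.iptables, client, self.host, allow=False)
     finally:
         self.acls.desinstall()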
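 def testValidApplication(self):
     """An ACL restricted to ``APPLICATION`` must allow the port for that application.

     The temporary ACL is removed in ``finally`` so a failure here does not
     leave it installed for later tests.
     """
     self.acls.addAclFull("application", self.host, VALID_PORT,
                          self.users[0].gid, App=APPLICATION)
     self.acls.install(self.config)
     try:
         self.nuauth = Nuauth(self.config)
         client = self.users[0].createClientWithCerts()
         testAllowPort(self, self.iptables, client, self.host)
     finally:
         self.acls.desinstall()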
    def setUp(self):
        """Queue SYN/ACK replies from the test port to HOST, then start nuauth and nufw."""
        # Only packets with both SYN and ACK set (the second step of the TCP
        # handshake) leaving from VALID_PORT towards HOST go to NFQUEUE
        rule = ('-A OUTPUT -p tcp --sport %u -d %s '
                '--tcp-flags SYN,ACK SYN,ACK -j NFQUEUE') % (VALID_PORT, HOST)
        self.iptables = Iptables()
        self.iptables.command(rule)

        self.nuauth = Nuauth(NuauthConf())
        self.nufw = startNufw()
    def setUp(self):
        """Start nuauth with ``nuauth_tls_auth_by_cert`` set to "0".

        Also records the test port, host and the CA certificate path for the
        test body.
        """
        self.iptables = Iptables()
        self.port = VALID_PORT
        self.host = HOST
        # CA certificate path, read from the test configuration
        self.cacert = config.get("test_cert", "cacert")

        nuconfig = NuauthConf()
        # By its name this turns off certificate-based authentication — confirm
        nuconfig["nuauth_tls_auth_by_cert"] = "0"
        self.nuconfig = nuconfig
        self.nuauth = Nuauth(nuconfig)
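 def testFilterByUser(self):
     """A per-UID ACL must allow the port for that user and block the rest.

     ``testAllowPort`` checks the ACL'd port, ``testDisallowPort`` presumably a
     port outside the ACL.  The temporary ACL is removed in ``finally`` so a
     failure here does not leave it installed for later tests.
     """
     self.acls.addAclPerUid("Web user", self.host, VALID_PORT, self.users[0].uid)
     self.acls.install(self.config)
     try:
         self.nuauth = Nuauth(self.config)
         client = self.users[0].createClientWithCerts()
         testAllowPort(self, self.iptables, client, self.host)
         testDisallowPort(self, self.iptables, client, self.host)
     finally:
         self.acls.desinstall()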
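 def startNuauth(self, dict_args=None):
     """Start nuauth with client certificates required and a CRL configured.

     Args:
         dict_args: optional mapping of configuration keys to values, copied
             verbatim into ``self.nuconfig`` on top of the TLS settings;
             ``None`` means no override.

     Side effects: sets ``self.nuconfig`` and ``self.nuauth``.
     """
     self.nuconfig = NuauthConf()
     # By its name "2" requires a client certificate — confirm against nuauth docs
     self.nuconfig["nuauth_tls_request_cert"] = "2"
     # CRL path from the test configuration, quoted as the config file expects
     self.nuconfig["nuauth_tls_crl"] = '"%s"' % abspath(
         config.get("test_cert", "crl"))
     if dict_args is None:
         dict_args = {}
     # Iterate items directly instead of keys() + a second lookup per key
     for key, value in dict_args.items():
         self.nuconfig[key] = value
     self.nuauth = Nuauth(self.nuconfig)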
    def setUp(self):
        """Install the UP/DOWN session scripts and start nuauth with the script log module."""
        # Prepare our new scripts: the SCRIPT template is instantiated once per direction
        self.script_up = ReplaceFile(SCRIPT_UP, SCRIPT % "UP", MODE)
        self.script_down = ReplaceFile(SCRIPT_DOWN, SCRIPT % "DOWN", MODE)
        for script in (self.script_up, self.script_down):
            script.install()

        # Create nuauth
        nuconfig = NuauthConf()
        nuconfig["nuauth_user_session_logs_module"] = '"script"'
        self.nuauth = Nuauth(nuconfig)
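    def testLoginNormal(self):
        """Without login limits, two different users can be connected at once.

        Every client created is stopped in ``finally`` (in creation order) so a
        failed assertion does not leave a client process behind.
        """
        # Change login policy: no per-IP and no per-user limit
        self.config["nuauth_single_ip_client_limit"] = 0
        self.config["nuauth_single_user_client_limit"] = 0
        self.nuauth = Nuauth(self.config)

        clients = []
        try:
            # Test user1
            client1 = self.userA.createClientWithCerts()
            clients.append(client1)
            self.assert_(connectClient(client1))

            # Test user2
            client2 = self.userB.createClientWithCerts()
            clients.append(client2)
            self.assert_(connectClient(client2))
        finally:
            for client in clients:
                client.stop()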
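    def testLoginIP(self):
        """With one login per IP, a second user from the same IP must be refused.

        Every client created is stopped in ``finally`` (in creation order) so a
        failed assertion does not leave a client process behind.
        """
        # Change login policy to 1 login/IP, no per-user limit
        self.config["nuauth_single_ip_client_limit"] = 1
        self.config["nuauth_single_user_client_limit"] = 0
        self.nuauth = Nuauth(self.config)

        clients = []
        try:
            # Different users can't log from same IP
            # Test user1
            client1 = self.userA.createClientWithCerts()
            clients.append(client1)
            self.assert_(connectClient(client1))

            # Test user2
            client2 = self.userB.createClientWithCerts()
            clients.append(client2)
            self.assert_(not connectClient(client2))
        finally:
            for client in clients:
                client.stop()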
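    def testLoginOne(self):
        """With one login per user, the same user's second client must be refused.

        Every client created is stopped in ``finally`` (in creation order) so a
        failed assertion does not leave a client process behind.
        """
        # Change login policy to 1 login/user, no per-IP limit
        self.config["nuauth_single_ip_client_limit"] = 0
        self.config["nuauth_single_user_client_limit"] = 1
        self.nuauth = Nuauth(self.config)

        clients = []
        try:
            # User can't log twice
            # Test user1
            client1 = self.userA.createClientWithCerts()
            clients.append(client1)
            self.assert_(connectClient(client1))

            # Test user1 again
            client2 = self.userA.createClientWithCerts()
            clients.append(client2)
            self.assert_(not connectClient(client2))
        finally:
            for client in clients:
                client.stop()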
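    def testPeriodAccept(self):
        """An ACL limited to the half-day containing the current hour must allow the port.

        The period is chosen from the local clock: "0-12" before noon, "12-24"
        otherwise.  The temporary ACL is removed in ``finally`` so a failure
        here does not leave it installed for later tests.
        """
        self.acls.desinstall()
        self.acls = PlaintextAcl()
        # Pick the half-day period the test is running in
        if time.localtime().tm_hour < 12:
            period = "0-12"
        else:
            period = "12-24"
        self.acls.addAcl("web", VALID_PORT, self.users[0].gid, 1, period=period)
        self.acls.install(self.config)
        try:
            self.nuauth = Nuauth(self.config)
            client = self.users[0].createClientWithCerts()
            testAllowPort(self, self.iptables, client)
        finally:
            self.acls.desinstall()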
    def setUp(self):
        """Start nuauth with the session_expire module, a one-user database and a client."""
        self.expiration = DURATION
        self.host = HOST

        # Setup session_expire library: sessions end after DURATION
        # (unit presumably seconds — confirm against the module docs)
        nuconfig = NuauthConf()
        nuconfig['nuauth_user_session_modify_module'] = '"session_expire"'
        nuconfig['nuauth_session_duration'] = str(self.expiration)

        # Install temporary user database holding the test account
        userdb = PlaintextUserDB()
        userdb.addUser(PlaintextUser(USERNAME, PASSWORD, 42, 42))
        userdb.install(nuconfig)
        self.userdb = userdb
        self.acls = PlaintextAcl()

        # Start nuauth
        self.nuauth = Nuauth(nuconfig)

        # Create client
        self.client = createClientWithCerts()
    def setUp(self):
        """Start nuauth with client certificates required and a one-user plaintext database."""
        nuconfig = NuauthConf()
        self.nuconfig = nuconfig

        def cert_path(name):
            # Paths come from the "test_cert" section of the test configuration
            return config.get("test_cert", name)

        cacert = cert_path("cacert")

        # Userdb
        self.user = PlaintextUser("user", "nopassword", 42, 42)
        self.userdb = PlaintextUserDB()
        self.userdb.addUser(self.user)
        self.userdb.install(nuconfig)

        # Server: plaintext user file plus TLS with a client certificate both
        # requested and used for authentication (values "2" — confirm meaning)
        nuconfig["plaintext_userfile"] = '"%s"' % self.userdb.filename
        nuconfig["nuauth_tls_auth_by_cert"] = "2"
        nuconfig["nuauth_tls_request_cert"] = "2"
        nuconfig["nuauth_tls_cacert"] = '"%s"' % cacert
        nuconfig["nuauth_tls_key"] = '"%s"' % cert_path("nuauth_key")
        nuconfig["nuauth_tls_cert"] = '"%s"' % cert_path("nuauth_cert")
        self.nuauth = Nuauth(nuconfig)
    def setUp(self):
        """Start nuauth with the ipauth_guest IP-authentication module mapped to a plaintext user."""
        self.port = VALID_PORT
        nuconfig = NuauthConf()

        # Userdb: a single "visiteur" account
        self.user = PlaintextUser("visiteur", "nopassword", 42, 42)
        self.userdb = PlaintextUserDB()
        self.userdb.addUser(self.user)
        self.userdb.install(nuconfig)

        # ACL on the test port for that user's group
        self.acls = PlaintextAcl()
        self.acls.addAcl("web", self.port, self.user.gid)
        self.acls.install(nuconfig)

        # Load nuauth with IP authentication; the guest identity is derived
        # from the user above
        nuconfig["nuauth_do_ip_authentication"] = '1'
        nuconfig["nuauth_ip_authentication_module"] = '"ipauth_guest"'
        # NOTE(review): the format string below has no conversion specifier, so
        # "%" raises TypeError for a str login; the literal looks redacted —
        # confirm the intended value.
        nuconfig["ipauth_guest_username"] = '******' % self.user.login
        self.nuauth = Nuauth(nuconfig)
        self.iptables = Iptables()
        self.nufw = startNufw()
    def setUp(self):
        """Start nuauth/nufw with a "10 secs" period ACL on HOST:VALID_PORT and queue new HTTP SYNs."""
        self.dst_host = socket.gethostbyname(HOST)

        nuconfig = NuauthConf()
        self.config = nuconfig

        # ACL for the first test user's group, limited to the "10 secs" period
        self.acls = PlaintextAcl()
        self.acls.addAclFull("web", self.dst_host, VALID_PORT, USERDB[0].gid, 1,
                             period='10 secs')
        self.acls.install(nuconfig)

        # Period definition the ACL refers to
        self.period = PlainPeriodXML()
        self.period.addPeriod(Period("10 secs", duration=10))
        self.period.install(nuconfig)

        self.users = USERDB
        self.users.install(nuconfig)
        self.nuauth = Nuauth(nuconfig)
        self.nufw = startNufw()

        # Fresh ruleset: NEW connections to port 80 on the host go to NFQUEUE
        # when they are a SYN and are dropped otherwise.  "-I" inserts at the
        # top of OUTPUT, but the two matches are disjoint so order is irrelevant.
        self.iptables = Iptables()
        self.iptables.flush()
        rule_base = '-I OUTPUT -d %s -p tcp --dport 80' % self.dst_host
        self.iptables.command(rule_base + ' --syn -m state --state NEW -j NFQUEUE')
        self.iptables.command(rule_base + ' ! --syn -m state --state NEW -j DROP')
 def testRejectTimedout(self):
     """With reject_after_timeout on, an unanswered packet must be refused rather than dropped."""
     self.config["nuauth_reject_after_timeout"] = "1"
     self.config["nuauth_reject_authenticated_drop"] = "0"
     self.nuauth = Nuauth(self.config)
     # No client at all: nobody authenticates, so nuauth presumably times out
     # on the queued packet and answers with a reject (ECONNREFUSED)
     testPortFailure(self, self.iptables, None, VALID_PORT, ECONNREFUSED)
 def setUp(self):
     """Install the shared USERDB into a fresh configuration and start nuauth."""
     nuconfig = NuauthConf()
     users = USERDB
     users.install(nuconfig)
     self.users = users
     self.nuauth = Nuauth(nuconfig)
 def setUp(self):
     """Start nuauth with the "system" user check module."""
     # Start nuauth with our config
     config = NuauthConf()
     config["nuauth_user_check_module"] = '"system"'
     self.nuauth = Nuauth(config)
 def setUp(self):
     """Start nuauth with certificate authentication and certificate requests both set to "0"."""
     # CA certificate path, read from the test configuration
     self.cacert = config.get("test_cert", "cacert")
     conf = NuauthConf()
     # By their names these disable client-certificate auth and the request
     # for a client certificate — confirm against nuauth docs
     conf["nuauth_tls_auth_by_cert"] = "0"
     conf["nuauth_tls_request_cert"] = "0"
     self.nuauth = Nuauth(conf)
 def setUp(self):
     """Start nuauth with syslog user/session logging and no client certificate request."""
     conf = getNuauthConf()
     conf["nuauth_tls_request_cert"] = "0"
     # Both log modules go to syslog
     for key in ("nuauth_user_logs_module", "nuauth_user_session_logs_module"):
         conf[key] = '"syslog"'
     self.nuauth = Nuauth(conf)