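class TestClientCertAuth(TestCase):
    """Client-certificate authentication of a client against nuauth.

    nuauth is started with ``nuauth_tls_request_cert = 2``,
    ``nuauth_tls_auth_by_cert = 2`` and the test CA as ``nuauth_tls_cacert``.
    Going by the key names, the server should demand a client certificate and
    authenticate on it rather than on the plaintext-userdb password
    (NOTE(review): confirm the exact meaning of value ``2`` against nuauth's
    configuration documentation).  A valid and an expired user certificate
    are exercised.
    """

    def setUp(self):
        """Install a one-user plaintext userdb and start a cert-requiring nuauth."""
        # Set first so tearDown can tell whether a client was ever created.
        self.client = None
        self.nuconfig = NuauthConf()
        cacert = config.get("test_cert", "cacert")

        # Userdb
        self.user = PlaintextUser("user", "nopassword", 42, 42)
        self.userdb = PlaintextUserDB()
        self.userdb.addUser(self.user)
        self.userdb.install(self.nuconfig)

        # Server: trust only the test CA, serve the test server cert/key.
        self.nuconfig["plaintext_userfile"] = '"%s"' % self.userdb.filename
        self.nuconfig["nuauth_tls_auth_by_cert"] = "2"
        self.nuconfig["nuauth_tls_request_cert"] = "2"
        self.nuconfig["nuauth_tls_cacert"] = '"%s"' % cacert
        self.nuconfig["nuauth_tls_key"] = '"%s"' % config.get("test_cert", "nuauth_key")
        self.nuconfig["nuauth_tls_cert"] = '"%s"' % config.get("test_cert", "nuauth_cert")
        self.nuauth = Nuauth(self.nuconfig)

    def tearDown(self):
        """Stop client and server, then remove the temporary userdb and config.

        A step whose object was never created (setUp failed part-way, or the
        test failed before a client existed) is skipped, and a failing step
        does not prevent the later ones from running -- otherwise an
        AttributeError here would mask the real failure and leave nuauth
        running for the next test.
        """
        self._cleanup([
            ("client", "stop"),
            ("nuauth", "stop"),
            ("userdb", "desinstall"),
            ("nuconfig", "desinstall"),
        ])

    def _cleanup(self, steps):
        """Run ``(attribute, method name)`` pairs in order on ``self``.

        Attributes that are missing or None are skipped.  Every step is
        attempted; the first exception raised is re-raised once all steps
        have run.
        """
        first_error = None
        for attr, method in steps:
            target = getattr(self, attr, None)
            if target is None:
                continue
            try:
                getattr(target, method)()
            except Exception as exc:
                if first_error is None:
                    first_error = exc
        if first_error is not None:
            raise first_error

    def _connectWithCert(self, cert_key, key_key):
        """Create the user's client with the named cert/key pair (keys of the
        ``test_cert`` config section) plus the test CA, and return whether it
        managed to connect to nuauth.
        """
        cacert = config.get("test_cert", "cacert")
        cert = config.get("test_cert", cert_key)
        key = config.get("test_cert", key_key)
        args = ["-C", cert, "-K", key, "-A", cacert]
        self.client = self.user.createClient(more_args=args)
        # NOTE(review): the literal below looks redacted in this copy; as
        # written, ``"******" % "nopassword"`` raises TypeError before any
        # connection is attempted.  Restore the intended format string.  With
        # auth_by_cert=2 the password should not matter, so feeding a
        # deliberately wrong one here would make the test prove that the
        # certificate, not the password, is what authenticates the user.
        self.client.password = "******" % self.user.password
        return connectClient(self.client)

    def testValidCert(self):
        """A user certificate signed by the test CA is accepted."""
        self.assertTrue(self._connectWithCert("user_cert", "user_key"))

    def testInvalidCert(self):
        """An expired user certificate is rejected.

        Only expiry is covered here; a certificate from an untrusted CA or a
        revoked one is not exercised by this class.
        """
        self.assertFalse(self._connectWithCert("user_invalid_cert", "user_invalid_key"))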
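class TestClientCertAuth(TestCase):
    """Client-certificate authentication of a client against nuauth.

    nuauth is started with ``nuauth_tls_request_cert = 2``,
    ``nuauth_tls_auth_by_cert = 2`` and the test CA as ``nuauth_tls_cacert``.
    Going by the key names, the server should demand a client certificate and
    authenticate on it rather than on the plaintext-userdb password
    (NOTE(review): confirm the exact meaning of value ``2`` against nuauth's
    configuration documentation).  A valid and an expired user certificate
    are exercised.
    """

    def setUp(self):
        """Install a one-user plaintext userdb and start a cert-requiring nuauth."""
        # Set first so tearDown can tell whether a client was ever created.
        self.client = None
        self.nuconfig = NuauthConf()
        cacert = config.get("test_cert", "cacert")

        # Userdb
        self.user = PlaintextUser("user", "nopassword", 42, 42)
        self.userdb = PlaintextUserDB()
        self.userdb.addUser(self.user)
        self.userdb.install(self.nuconfig)

        # Server: trust only the test CA, serve the test server cert/key.
        self.nuconfig["plaintext_userfile"] = '"%s"' % self.userdb.filename
        self.nuconfig["nuauth_tls_auth_by_cert"] = "2"
        self.nuconfig["nuauth_tls_request_cert"] = "2"
        self.nuconfig["nuauth_tls_cacert"] = '"%s"' % cacert
        self.nuconfig["nuauth_tls_key"] = '"%s"' % config.get("test_cert", "nuauth_key")
        self.nuconfig["nuauth_tls_cert"] = '"%s"' % config.get("test_cert", "nuauth_cert")
        self.nuauth = Nuauth(self.nuconfig)

    def tearDown(self):
        """Stop client and server, then remove the temporary userdb and config.

        A step whose object was never created (setUp failed part-way, or the
        test failed before a client existed) is skipped, and a failing step
        does not prevent the later ones from running -- otherwise an
        AttributeError here would mask the real failure and leave nuauth
        running for the next test.
        """
        self._cleanup([
            ("client", "stop"),
            ("nuauth", "stop"),
            ("userdb", "desinstall"),
            ("nuconfig", "desinstall"),
        ])

    def _cleanup(self, steps):
        """Run ``(attribute, method name)`` pairs in order on ``self``.

        Attributes that are missing or None are skipped.  Every step is
        attempted; the first exception raised is re-raised once all steps
        have run.
        """
        first_error = None
        for attr, method in steps:
            target = getattr(self, attr, None)
            if target is None:
                continue
            try:
                getattr(target, method)()
            except Exception as exc:
                if first_error is None:
                    first_error = exc
        if first_error is not None:
            raise first_error

    def _connectWithCert(self, cert_key, key_key):
        """Create the user's client with the named cert/key pair (keys of the
        ``test_cert`` config section) plus the test CA, and return whether it
        managed to connect to nuauth.
        """
        cacert = config.get("test_cert", "cacert")
        cert = config.get("test_cert", cert_key)
        key = config.get("test_cert", key_key)
        args = ["-C", cert, "-K", key, "-A", cacert]
        self.client = self.user.createClient(more_args=args)
        # NOTE(review): the literal below looks redacted in this copy; as
        # written, ``"******" % "nopassword"`` raises TypeError before any
        # connection is attempted.  Restore the intended format string.  With
        # auth_by_cert=2 the password should not matter, so feeding a
        # deliberately wrong one here would make the test prove that the
        # certificate, not the password, is what authenticates the user.
        self.client.password = "******" % self.user.password
        return connectClient(self.client)

    def testValidCert(self):
        """A user certificate signed by the test CA is accepted."""
        self.assertTrue(self._connectWithCert("user_cert", "user_key"))

    def testInvalidCert(self):
        """An expired user certificate is rejected.

        Only expiry is covered here; a certificate from an untrusted CA or a
        revoked one is not exercised by this class.
        """
        self.assertFalse(self._connectWithCert("user_invalid_cert", "user_invalid_key"))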
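class TestTLSNufw(TestCase):
    """TLS link from nufw to nuauth: CA trust, CRL and nuauth name checks.

    nuauth is started per test through :meth:`startNuauth` (so a test can
    override config keys) with ``nuauth_tls_request_cert = 2`` and the test
    CRL loaded; nufw is started with :func:`startNufw` and the outcome is
    read from nufw's log lines via :meth:`nufw_connection_is_established`
    and :meth:`get_tls_cert_invalid`.
    """

    def setUp(self):
        # Set first so tearDown can tell whether a nufw was ever started.
        self.nufw = None
        self.iptables = Iptables()
        self.port = VALID_PORT
        self.host = HOST
        self.cacert = abspath(config.get("test_cert", "cacert"))

    def startNuauth(self, dict_args=None):
        """Start nuauth with a client cert demanded and the test CRL loaded.

        ``dict_args`` maps config keys to values applied on top of those
        defaults (a key given there overrides the default).
        """
        self.nuconfig = NuauthConf()
        self.nuconfig["nuauth_tls_request_cert"] = "2"
        self.nuconfig["nuauth_tls_crl"] = '"%s"' % abspath(config.get("test_cert", "crl"))
        for key, value in (dict_args or {}).items():
            self.nuconfig[key] = value
        self.nuauth = Nuauth(self.nuconfig)

    def tearDown(self):
        """Stop nufw (if a failed assertion left it running), then nuauth,
        remove the temporary config and flush the iptables rules.

        Objects that were never created are skipped and every step is
        attempted, so a failure in one test cannot leave a stale nufw or
        nuauth around to poison the next one.
        """
        self._cleanup([
            ("nufw", "stop"),
            ("nuauth", "stop"),
            ("nuconfig", "desinstall"),
            ("iptables", "flush"),
        ])
        self.nufw = None

    def _cleanup(self, steps):
        """Run ``(attribute, method name)`` pairs in order on ``self``.

        Attributes that are missing or None are skipped.  Every step is
        attempted; the first exception raised is re-raised once all steps
        have run.
        """
        first_error = None
        for attr, method in steps:
            target = getattr(self, attr, None)
            if target is None:
                continue
            try:
                getattr(target, method)()
            except Exception as exc:
                if first_error is None:
                    first_error = exc
        if first_error is not None:
            raise first_error

    def stopNufw(self):
        """Stop the nufw started by the current test; no-op if there is none.

        Clears ``self.nufw`` so tearDown does not stop the same process twice.
        """
        nufw = self.nufw
        self.nufw = None
        if nufw is not None:
            nufw.stop()

    def _startNufw(self, nufw_args=None):
        """Start nufw as ``self.nufw`` (with ``nufw_args`` when given) and open
        the TCP connection that makes it contact nuauth."""
        if nufw_args is None:
            self.nufw = startNufw()
        else:
            self.nufw = startNufw(nufw_args)
        self.connectNuauthNufw()

    def connectNuauthNufw(self):
        """Open a TCP connection on the filtered port purely so that nufw sees
        a packet and connects to nuauth (nufw side: "TLS connection to nuauth
        can NOT be restored" is the failure wording)."""
        self.iptables.filterTcp(self.port)
        connectTcp(self.host, self.port, 0.100)

    def testNufwValidCert(self):
        """nufw's default certificate, signed by the test CA, is accepted."""
        self.startNuauth()
        self._startNufw()
        self.assertTrue(self.nufw_connection_is_established())

    def testNufwFQDNCheck(self):
        """nufw refuses nuauth when the name given with ``-d`` (127.0.0.1)
        does not match its certificate, and accepts it for nuauth.inl.fr."""
        self.startNuauth()
        self._startNufw(["-d", "127.0.0.1"])
        self.assertFalse(self.nufw_connection_is_established())
        self.stopNufw()
        self._startNufw(["-d", "nuauth.inl.fr"])
        self.assertTrue(self.nufw_connection_is_established())

    def testNufwIgnoreFQDNCheck(self):
        """``-N`` disables the name check: the 127.0.0.1 mismatch refused
        without it is accepted once nufw is started with ``-N``."""
        self.startNuauth()
        self._startNufw(["-d", "127.0.0.1"])
        self.assertFalse(self.nufw_connection_is_established())
        self.stopNufw()
        self._startNufw(["-d", "127.0.0.1", "-N"])
        self.assertTrue(self.nufw_connection_is_established())

    def get_tls_cert_invalid(self):
        """Return True if nufw logs "certificate verification failed" within
        ``total_timeout=TIMEOUT``.

        This only shows the failure was detected; it says nothing about
        whether the link was actually refused -- use
        :meth:`nufw_connection_is_established` for that.
        """
        for line in self.nufw.readlines(total_timeout=TIMEOUT):
            if "certificate verification failed" in line.lower():
                return True
        return False

    def testNufwInvalidCA(self):
        """With a CA (``-a``) that did not sign nuauth's certificate, nufw logs
        a verification failure.

        NOTE(review): only the log line is asserted; the test does not check
        that the TLS link stayed down, so it proves detection, not refusal.
        """
        self.startNuauth()
        invalid_cacert = config.get("test_cert", "invalid_cacert")
        self._startNufw(["-a", invalid_cacert])
        self.assertTrue(self.get_tls_cert_invalid())

    # If NuFW does not run under the strict mode (``-s``), the certificates
    # provided in svn are accepted: the client can authenticate and is then
    # accepted by the firewall.  That is what is checked here.
    def testNotStrictMode(self):
        """Non-strict mode (``-s``): the shipped test certificates are accepted."""
        self.startNuauth()
        self._startNufw(["-s"])
        self.assertTrue(self.nufw_connection_is_established())

    def testStrictMode(self):
        """nufw without ``-s`` (presumably strict mode by default) still
        accepts the test certificates.  Runs the same steps as
        testNufwValidCert."""
        self.startNuauth()
        self._startNufw()
        self.assertTrue(self.nufw_connection_is_established())

    def nufw_connection_is_established(self):
        """Return True once nufw reports its TLS link to nuauth as up.

        Uses nufw's ``is_connected_to_nuauth`` flag when already set;
        otherwise reads log lines for up to ``total_timeout=TIMEOUT`` looking
        for the "established" or "restored" message.
        """
        if self.nufw.is_connected_to_nuauth:
            return True
        markers = (
            "tls connection to nuauth established",
            "tls connection to nuauth restored",
        )
        for line in self.nufw.readlines(total_timeout=TIMEOUT):
            lowered = line.lower()
            if any(marker in lowered for marker in markers):
                return True
        return False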
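class TestClientCert(TestCase):
    """nufw's verification of nuauth's server certificate.

    nuauth runs with ``nuauth_tls_auth_by_cert = 0`` so only the nufw-to-
    nuauth TLS link is under test: the trusted CA (``-a``), the nuauth name
    nufw checks the certificate against (``-d``, as far as these tests show)
    and the non-strict mode (``-s``).  Outcomes are read from nufw's log.
    """

    def setUp(self):
        # Set first so tearDown can tell whether a nufw was ever started.
        self.nufw = None
        self.iptables = Iptables()
        self.port = VALID_PORT
        self.host = HOST
        self.cacert = config.get("test_cert", "cacert")
        self.nuconfig = NuauthConf()
        self.nuconfig["nuauth_tls_auth_by_cert"] = "0"
        self.nuauth = Nuauth(self.nuconfig)

    def tearDown(self):
        """Stop nufw (if a failed assertion left it running), then nuauth,
        remove the temporary config and flush the iptables rules.

        Objects that were never created are skipped and every step is
        attempted, so a failure in one test cannot leave a stale nufw or
        nuauth around to poison the next one.
        """
        self._cleanup([
            ("nufw", "stop"),
            ("nuauth", "stop"),
            ("nuconfig", "desinstall"),
            ("iptables", "flush"),
        ])
        self.nufw = None

    def _cleanup(self, steps):
        """Run ``(attribute, method name)`` pairs in order on ``self``.

        Attributes that are missing or None are skipped.  Every step is
        attempted; the first exception raised is re-raised once all steps
        have run.
        """
        first_error = None
        for attr, method in steps:
            target = getattr(self, attr, None)
            if target is None:
                continue
            try:
                getattr(target, method)()
            except Exception as exc:
                if first_error is None:
                    first_error = exc
        if first_error is not None:
            raise first_error

    def stopNufw(self):
        """Stop the nufw started by the current test; no-op if there is none.

        Clears ``self.nufw`` so tearDown does not stop the same process twice.
        """
        nufw = self.nufw
        self.nufw = None
        if nufw is not None:
            nufw.stop()

    def _startNufw(self, nufw_args=None):
        """Start nufw as ``self.nufw`` (with ``nufw_args`` when given) and open
        the TCP connection that makes it contact nuauth."""
        if nufw_args is None:
            self.nufw = startNufw()
        else:
            self.nufw = startNufw(nufw_args)
        self.connectNuauthNufw()

    def connectNuauthNufw(self):
        """Open a TCP connection on the filtered port purely so that nufw sees
        a packet and connects to nuauth (nufw side: "TLS connection to nuauth
        can NOT be restored" is the failure wording)."""
        self.iptables.filterTcp(self.port)
        connectTcp(self.host, self.port, 0.100)

    def testValidCert(self):
        """nufw with its default CA accepts nuauth's certificate."""
        self._startNufw()
        self.assertTrue(self.nufw_connection_is_established())

    def get_tls_cert_invalid(self):
        """Return True if nufw logs "certificate verification failed" within
        ``total_timeout=TIMEOUT``.

        This only shows the failure was detected; it says nothing about
        whether the link was actually refused -- use
        :meth:`nufw_connection_is_established` for that.
        """
        for line in self.nufw.readlines(total_timeout=TIMEOUT):
            if "certificate verification failed" in line.lower():
                return True
        return False

    def testInvalidCert(self):
        """With a CA (``-a``) that did not sign nuauth's certificate, nufw logs
        a verification failure.

        NOTE(review): only the log line is asserted; the test does not check
        that the TLS link stayed down, so it proves detection, not refusal.
        """
        invalid_cacert = config.get("test_cert", "invalid_cacert")
        self._startNufw(["-a", invalid_cacert])
        self.assertTrue(self.get_tls_cert_invalid())

    # If NuFW does not run under the strict mode (``-s``), the certificates
    # provided in svn are accepted: the client can authenticate and is then
    # accepted by the firewall.  That is what is checked here.
    def testNotStrictMode(self):
        """Non-strict mode (``-s``): the shipped test certificates are accepted."""
        self._startNufw(["-s"])
        self.assertTrue(self.nufw_connection_is_established())

    def testStrictMode(self):
        """Without ``-s``, a nuauth name (``-d 127.0.0.1``) that does not match
        the server certificate is refused."""
        self._startNufw(["-d", "127.0.0.1"])
        self.assertFalse(self.nufw_connection_is_established())

    def nufw_connection_is_established(self):
        """Return True once nufw reports its TLS link to nuauth as up.

        Uses nufw's ``is_connected_to_nuauth`` flag when already set;
        otherwise reads log lines for up to ``total_timeout=TIMEOUT`` looking
        for the "established" or "restored" message.
        """
        if self.nufw.is_connected_to_nuauth:
            return True
        markers = (
            "tls connection to nuauth established",
            "tls connection to nuauth restored",
        )
        for line in self.nufw.readlines(total_timeout=TIMEOUT):
            lowered = line.lower()
            if any(marker in lowered for marker in markers):
                return True
        return False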
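class TestTLSNufw(TestCase):
    """TLS link from nufw to nuauth: CA trust, CRL and nuauth name checks.

    nuauth is started per test through :meth:`startNuauth` (so a test can
    override config keys) with ``nuauth_tls_request_cert = 2`` and the test
    CRL loaded; nufw is started with :func:`startNufw` and the outcome is
    read from nufw's log lines via :meth:`nufw_connection_is_established`
    and :meth:`get_tls_cert_invalid`.
    """

    def setUp(self):
        # Set first so tearDown can tell whether a nufw was ever started.
        self.nufw = None
        self.iptables = Iptables()
        self.port = VALID_PORT
        self.host = HOST
        self.cacert = abspath(config.get("test_cert", "cacert"))

    def startNuauth(self, dict_args=None):
        """Start nuauth with a client cert demanded and the test CRL loaded.

        ``dict_args`` maps config keys to values applied on top of those
        defaults (a key given there overrides the default).
        """
        self.nuconfig = NuauthConf()
        self.nuconfig["nuauth_tls_request_cert"] = "2"
        self.nuconfig["nuauth_tls_crl"] = '"%s"' % abspath(config.get("test_cert", "crl"))
        for key, value in (dict_args or {}).items():
            self.nuconfig[key] = value
        self.nuauth = Nuauth(self.nuconfig)

    def tearDown(self):
        """Stop nufw (if a failed assertion left it running), then nuauth,
        remove the temporary config and flush the iptables rules.

        Objects that were never created are skipped and every step is
        attempted, so a failure in one test cannot leave a stale nufw or
        nuauth around to poison the next one.
        """
        self._cleanup([
            ("nufw", "stop"),
            ("nuauth", "stop"),
            ("nuconfig", "desinstall"),
            ("iptables", "flush"),
        ])
        self.nufw = None

    def _cleanup(self, steps):
        """Run ``(attribute, method name)`` pairs in order on ``self``.

        Attributes that are missing or None are skipped.  Every step is
        attempted; the first exception raised is re-raised once all steps
        have run.
        """
        first_error = None
        for attr, method in steps:
            target = getattr(self, attr, None)
            if target is None:
                continue
            try:
                getattr(target, method)()
            except Exception as exc:
                if first_error is None:
                    first_error = exc
        if first_error is not None:
            raise first_error

    def stopNufw(self):
        """Stop the nufw started by the current test; no-op if there is none.

        Clears ``self.nufw`` so tearDown does not stop the same process twice.
        """
        nufw = self.nufw
        self.nufw = None
        if nufw is not None:
            nufw.stop()

    def _startNufw(self, nufw_args=None):
        """Start nufw as ``self.nufw`` (with ``nufw_args`` when given) and open
        the TCP connection that makes it contact nuauth."""
        if nufw_args is None:
            self.nufw = startNufw()
        else:
            self.nufw = startNufw(nufw_args)
        self.connectNuauthNufw()

    def connectNuauthNufw(self):
        """Open a TCP connection on the filtered port purely so that nufw sees
        a packet and connects to nuauth (nufw side: "TLS connection to nuauth
        can NOT be restored" is the failure wording)."""
        self.iptables.filterTcp(self.port)
        connectTcp(self.host, self.port, 0.100)

    def testNufwValidCert(self):
        """nufw's default certificate, signed by the test CA, is accepted."""
        self.startNuauth()
        self._startNufw()
        self.assertTrue(self.nufw_connection_is_established())

    def testNufwFQDNCheck(self):
        """nufw refuses nuauth when the name given with ``-d`` (127.0.0.1)
        does not match its certificate, and accepts it for nuauth.inl.fr."""
        self.startNuauth()
        self._startNufw(["-d", "127.0.0.1"])
        self.assertFalse(self.nufw_connection_is_established())
        self.stopNufw()
        self._startNufw(["-d", "nuauth.inl.fr"])
        self.assertTrue(self.nufw_connection_is_established())

    def testNufwIgnoreFQDNCheck(self):
        """``-N`` disables the name check: the 127.0.0.1 mismatch refused
        without it is accepted once nufw is started with ``-N``."""
        self.startNuauth()
        self._startNufw(["-d", "127.0.0.1"])
        self.assertFalse(self.nufw_connection_is_established())
        self.stopNufw()
        self._startNufw(["-d", "127.0.0.1", "-N"])
        self.assertTrue(self.nufw_connection_is_established())

    def get_tls_cert_invalid(self):
        """Return True if nufw logs "certificate verification failed" within
        ``total_timeout=TIMEOUT``.

        This only shows the failure was detected; it says nothing about
        whether the link was actually refused -- use
        :meth:`nufw_connection_is_established` for that.
        """
        for line in self.nufw.readlines(total_timeout=TIMEOUT):
            if "certificate verification failed" in line.lower():
                return True
        return False

    def testNufwInvalidCA(self):
        """With a CA (``-a``) that did not sign nuauth's certificate, nufw logs
        a verification failure.

        NOTE(review): only the log line is asserted; the test does not check
        that the TLS link stayed down, so it proves detection, not refusal.
        """
        self.startNuauth()
        invalid_cacert = config.get("test_cert", "invalid_cacert")
        self._startNufw(["-a", invalid_cacert])
        self.assertTrue(self.get_tls_cert_invalid())

    # If NuFW does not run under the strict mode (``-s``), the certificates
    # provided in svn are accepted: the client can authenticate and is then
    # accepted by the firewall.  That is what is checked here.
    def testNotStrictMode(self):
        """Non-strict mode (``-s``): the shipped test certificates are accepted."""
        self.startNuauth()
        self._startNufw(["-s"])
        self.assertTrue(self.nufw_connection_is_established())

    def testStrictMode(self):
        """nufw without ``-s`` (presumably strict mode by default) still
        accepts the test certificates.  Runs the same steps as
        testNufwValidCert."""
        self.startNuauth()
        self._startNufw()
        self.assertTrue(self.nufw_connection_is_established())

    def nufw_connection_is_established(self):
        """Return True once nufw reports its TLS link to nuauth as up.

        Uses nufw's ``is_connected_to_nuauth`` flag when already set;
        otherwise reads log lines for up to ``total_timeout=TIMEOUT`` looking
        for the "established" or "restored" message.
        """
        if self.nufw.is_connected_to_nuauth:
            return True
        markers = (
            "tls connection to nuauth established",
            "tls connection to nuauth restored",
        )
        for line in self.nufw.readlines(total_timeout=TIMEOUT):
            lowered = line.lower()
            if any(marker in lowered for marker in markers):
                return True
        return False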