IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity
Files
0451db9d3f6342038ba421c767ca002c83f6c1b2
freeipa/ipatests/test_ipaserver/test_otptoken_import.py

151 lines
5.7 KiB
Python
Raw Normal View History

Implement OTP token importing This patch adds support for importing tokens using RFC 6030 key container files. This includes decryption support. For sysadmin sanity, any tokens which fail to add will be written to the output file for examination. The main use case here is where a small subset of a large set of tokens fails to validate or add. Using the output file, the sysadmin can attempt to recover these specific tokens. This code is implemented as a server-side script. However, it doesn't actually need to run on the server. This was done because importing is an odd fit for the IPA command framework: 1. We need to write an output file. 2. The operation may be long-running (thousands of tokens). 3. Only admins need to perform this task and it only happens infrequently. https://fedorahosted.org/freeipa/ticket/4261 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-05-08 11:06:16 -04:00
# Authors:
# Nathaniel McCallum <npmccallum@redhat.com>
#
# Copyright (C) 2014 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
py3: ipa_otptoken_import: fix hex decoding codecs.decode() must be used instead of .decode() method https://pagure.io/freeipa/issue/4985 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-06-20 10:21:05 +02:00
import codecs
Implement OTP token importing This patch adds support for importing tokens using RFC 6030 key container files. This includes decryption support. For sysadmin sanity, any tokens which fail to add will be written to the output file for examination. The main use case here is where a small subset of a large set of tokens fails to validate or add. Using the output file, the sysadmin can attempt to recover these specific tokens. This code is implemented as a server-side script. However, it doesn't actually need to run on the server. This was done because importing is an odd fit for the IPA command framework: 1. We need to write an output file. 2. The operation may be long-running (thousands of tokens). 3. Only admins need to perform this task and it only happens infrequently. https://fedorahosted.org/freeipa/ticket/4261 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-05-08 11:06:16 -04:00
import os
ipatests: Take otptoken import test out of execution The issue reported in ticket [1] hasn't been solved yet. This patch prevents the test cases for OTP import being run. The change is intended as a *temporary* workaround until proper fix for the issue is introduced. [1] https://fedorahosted.org/freeipa/ticket/5192 Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-08-17 09:06:24 +02:00
import pytest
Implement OTP token importing This patch adds support for importing tokens using RFC 6030 key container files. This includes decryption support. For sysadmin sanity, any tokens which fail to add will be written to the output file for examination. The main use case here is where a small subset of a large set of tokens fails to validate or add. Using the output file, the sysadmin can attempt to recover these specific tokens. This code is implemented as a server-side script. However, it doesn't actually need to run on the server. This was done because importing is an odd fit for the IPA command framework: 1. We need to write an output file. 2. The operation may be long-running (thousands of tokens). 3. Only admins need to perform this task and it only happens infrequently. https://fedorahosted.org/freeipa/ticket/4261 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-05-08 11:06:16 -04:00
from ipaserver.install.ipa_otptoken_import import PSKCDocument, ValidationError
OTP import: support hash names with HMAC- prefix Refactor convertHashName() method to accept hash names prefixed with HMAC- or any other prefix. Extending the method should be easier in future. Add tests proposed by Rob Crittenden to make sure we don't regress with expected behavior of convertHashName(). Fixes https://pagure.io/freeipa/issue/7146 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-09-14 17:31:57 +03:00
from ipaserver.install.ipa_otptoken_import import convertHashName
Implement OTP token importing This patch adds support for importing tokens using RFC 6030 key container files. This includes decryption support. For sysadmin sanity, any tokens which fail to add will be written to the output file for examination. The main use case here is where a small subset of a large set of tokens fails to validate or add. Using the output file, the sysadmin can attempt to recover these specific tokens. This code is implemented as a server-side script. However, it doesn't actually need to run on the server. This was done because importing is an odd fit for the IPA command framework: 1. We need to write an output file. 2. The operation may be long-running (thousands of tokens). 3. Only admins need to perform this task and it only happens infrequently. https://fedorahosted.org/freeipa/ticket/4261 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-05-08 11:06:16 -04:00
basename = os.path.join(os.path.dirname(__file__), "data")
Applied tier0 and tier1 marks on unit tests and xmlrpc tests Web UI tests were marked as tier1 tests. The tier system is intended to be used together with CI system to make sure the more complicated tests are being run only when all of the basic functionality is working. The system is using pytest's marker system. E.g. an invocation of all tier1 tests with listing will look like: $ py.test -v -m tier1 ipatests or in case of out of tree tests: $ ipa-run-tests -m tier1 Reviewed-By: Ales 'alich' Marecek <amarecek@redhat.com>
2015-04-24 14:39:48 +02:00
@pytest.mark.tier1
Py3: Remove subclassing from object Python 2 had old style and new style classes. Python 3 has only new style classes. There is no point to subclass from object any more. See: https://pagure.io/freeipa/issue/7715 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-09-26 11:59:50 +02:00
class test_otptoken_import:
Implement OTP token importing This patch adds support for importing tokens using RFC 6030 key container files. This includes decryption support. For sysadmin sanity, any tokens which fail to add will be written to the output file for examination. The main use case here is where a small subset of a large set of tokens fails to validate or add. Using the output file, the sysadmin can attempt to recover these specific tokens. This code is implemented as a server-side script. However, it doesn't actually need to run on the server. This was done because importing is an odd fit for the IPA command framework: 1. We need to write an output file. 2. The operation may be long-running (thousands of tokens). 3. Only admins need to perform this task and it only happens infrequently. https://fedorahosted.org/freeipa/ticket/4261 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-05-08 11:06:16 -04:00
def test_figure3(self):
doc = PSKCDocument(os.path.join(basename, "pskc-figure3.xml"))
assert doc.keyname is None
assert [(t.id, t.options) for t in doc.getKeyPackages()] == \
[(u'12345678', {
'ipatokenotpkey': u'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ',
'ipatokenvendor': u'Manufacturer',
'ipatokenserial': u'987654321',
Modernize number literals Use Python-3 compatible syntax, without breaking compatibility with py 2.7 - Octals literals start with 0o to prevent confusion - The "L" at the end of large int literals is not required as they use long on Python 2 automatically. - Using 'int' instead of 'long' for small numbers is OK in all cases except strict type checking checking, e.g. type(0). https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-07-15 16:38:06 +02:00
'ipatokenhotpcounter': 0,
Implement OTP token importing This patch adds support for importing tokens using RFC 6030 key container files. This includes decryption support. For sysadmin sanity, any tokens which fail to add will be written to the output file for examination. The main use case here is where a small subset of a large set of tokens fails to validate or add. Using the output file, the sysadmin can attempt to recover these specific tokens. This code is implemented as a server-side script. However, it doesn't actually need to run on the server. This was done because importing is an odd fit for the IPA command framework: 1. We need to write an output file. 2. The operation may be long-running (thousands of tokens). 3. Only admins need to perform this task and it only happens infrequently. https://fedorahosted.org/freeipa/ticket/4261 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-05-08 11:06:16 -04:00
'ipatokenotpdigits': 8,
'type': u'hotp',
})]
def test_figure4(self):
doc = PSKCDocument(os.path.join(basename, "pskc-figure4.xml"))
assert doc.keyname is None
try:
[(t.id, t.options) for t in doc.getKeyPackages()]
except ValidationError: # Referenced keys are not supported.
pass
else:
assert False
def test_figure5(self):
doc = PSKCDocument(os.path.join(basename, "pskc-figure5.xml"))
assert doc.keyname is None
try:
[(t.id, t.options) for t in doc.getKeyPackages()]
except ValidationError: # PIN Policy is not supported.
pass
else:
assert False
def test_figure6(self):
Migrate OTP import script to python-cryptography https://fedorahosted.org/freeipa/ticket/5192 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2015-08-31 10:46:19 -04:00
doc = PSKCDocument(os.path.join(basename, "pskc-figure6.xml"))
assert doc.keyname == 'Pre-shared-key'
py3: ipa_otptoken_import: fix hex decoding codecs.decode() must be used instead of .decode() method https://pagure.io/freeipa/issue/4985 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-06-20 10:21:05 +02:00
doc.setKey(codecs.decode('12345678901234567890123456789012', 'hex'))
Migrate OTP import script to python-cryptography https://fedorahosted.org/freeipa/ticket/5192 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2015-08-31 10:46:19 -04:00
assert [(t.id, t.options) for t in doc.getKeyPackages()] == \
[(u'12345678', {
'ipatokenotpkey': u'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ',
'ipatokenvendor': u'Manufacturer',
'ipatokenserial': u'987654321',
'ipatokenhotpcounter': 0,
'ipatokenotpdigits': 8,
'type': u'hotp'})]
Implement OTP token importing This patch adds support for importing tokens using RFC 6030 key container files. This includes decryption support. For sysadmin sanity, any tokens which fail to add will be written to the output file for examination. The main use case here is where a small subset of a large set of tokens fails to validate or add. Using the output file, the sysadmin can attempt to recover these specific tokens. This code is implemented as a server-side script. However, it doesn't actually need to run on the server. This was done because importing is an odd fit for the IPA command framework: 1. We need to write an output file. 2. The operation may be long-running (thousands of tokens). 3. Only admins need to perform this task and it only happens infrequently. https://fedorahosted.org/freeipa/ticket/4261 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-05-08 11:06:16 -04:00
def test_figure7(self):
Migrate OTP import script to python-cryptography https://fedorahosted.org/freeipa/ticket/5192 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2015-08-31 10:46:19 -04:00
doc = PSKCDocument(os.path.join(basename, "pskc-figure7.xml"))
assert doc.keyname == 'My Password 1'
py3: test_otptoken_import: fix bytes usage https://pagure.io/freeipa/issue/4985 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-06-20 10:41:28 +02:00
doc.setKey(b'qwerty')
Migrate OTP import script to python-cryptography https://fedorahosted.org/freeipa/ticket/5192 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2015-08-31 10:46:19 -04:00
assert [(t.id, t.options) for t in doc.getKeyPackages()] == \
[(u'123456', {
'ipatokenotpkey': u'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ',
'ipatokenvendor': u'TokenVendorAcme',
'ipatokenserial': u'987654321',
'ipatokenotpdigits': 8,
'type': u'hotp'})]
Implement OTP token importing This patch adds support for importing tokens using RFC 6030 key container files. This includes decryption support. For sysadmin sanity, any tokens which fail to add will be written to the output file for examination. The main use case here is where a small subset of a large set of tokens fails to validate or add. Using the output file, the sysadmin can attempt to recover these specific tokens. This code is implemented as a server-side script. However, it doesn't actually need to run on the server. This was done because importing is an odd fit for the IPA command framework: 1. We need to write an output file. 2. The operation may be long-running (thousands of tokens). 3. Only admins need to perform this task and it only happens infrequently. https://fedorahosted.org/freeipa/ticket/4261 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-05-08 11:06:16 -04:00
def test_figure8(self):
try:
Remove unused variables in tests This commit removes or marks unused variables as "expected to be unused" by using '_' prefix. Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-09-26 18:22:22 +02:00
PSKCDocument(os.path.join(basename, "pskc-figure8.xml"))
Implement OTP token importing This patch adds support for importing tokens using RFC 6030 key container files. This includes decryption support. For sysadmin sanity, any tokens which fail to add will be written to the output file for examination. The main use case here is where a small subset of a large set of tokens fails to validate or add. Using the output file, the sysadmin can attempt to recover these specific tokens. This code is implemented as a server-side script. However, it doesn't actually need to run on the server. This was done because importing is an odd fit for the IPA command framework: 1. We need to write an output file. 2. The operation may be long-running (thousands of tokens). 3. Only admins need to perform this task and it only happens infrequently. https://fedorahosted.org/freeipa/ticket/4261 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-05-08 11:06:16 -04:00
except NotImplementedError: # X.509 is not supported.
pass
else:
assert False
def test_invalid(self):
try:
Remove unused variables in tests This commit removes or marks unused variables as "expected to be unused" by using '_' prefix. Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-09-26 18:22:22 +02:00
PSKCDocument(os.path.join(basename, "pskc-invalid.xml"))
Implement OTP token importing This patch adds support for importing tokens using RFC 6030 key container files. This includes decryption support. For sysadmin sanity, any tokens which fail to add will be written to the output file for examination. The main use case here is where a small subset of a large set of tokens fails to validate or add. Using the output file, the sysadmin can attempt to recover these specific tokens. This code is implemented as a server-side script. However, it doesn't actually need to run on the server. This was done because importing is an odd fit for the IPA command framework: 1. We need to write an output file. 2. The operation may be long-running (thousands of tokens). 3. Only admins need to perform this task and it only happens infrequently. https://fedorahosted.org/freeipa/ticket/4261 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-05-08 11:06:16 -04:00
except ValueError: # File is invalid.
pass
else:
assert False
def test_mini(self):
try:
doc = PSKCDocument(os.path.join(basename, "pskc-mini.xml"))
Enable pylint expression-not-assigned check Enables check and fixes: ************* Module ipa-replica-conncheck install/tools/ipa-replica-conncheck:150: [W0106(expression-not-assigned), parse_options] Expression "(replica_group.add_option('-w', '--password', dest='password', sensitive=True, help='Password for the principal'), )" is assigned to nothing) ************* Module ipatests.test_xmlrpc.test_automount_plugin ipatests/test_xmlrpc/test_automount_plugin.py:437: [W0106(expression-not-assigned), test_automount_indirect.test_1a_automountmap_add_indirect] Expression "api.Command['automountmap_add_indirect'](self.locname, self.mapname, **self.map_kw)['result']" is assigned to nothing) ************* Module ipatests.test_ipaserver.test_otptoken_import ipatests/test_ipaserver/test_otptoken_import.py:128: [W0106(expression-not-assigned), test_otptoken_import.test_mini] Expression "[(t.id, t.options) for t in doc.getKeyPackages()]" is assigned to nothing) ************* Module ipatests.test_ipaserver.test_ldap ipatests/test_ipaserver/test_ldap.py:221: [W0106(expression-not-assigned), test_LDAPEntry.test_popitem] Expression "list(e) == []" is assigned to nothing) ************* Module ipa-client-install ipa-client/ipa-install/ipa-client-install:114: [W0106(expression-not-assigned), parse_options] Expression "(basic_group.add_option('-p', '--principal', dest='principal', help='principal to use to join the IPA realm'), )" is assigned to nothing) ipa-client/ipa-install/ipa-client-install:116: [W0106(expression-not-assigned), parse_options] Expression "(basic_group.add_option('-w', '--password', dest='password', sensitive=True, help='password to join the IPA realm (assumes bulk password unless principal is also set)'), )" is assigned to nothing) ipa-client/ipa-install/ipa-client-install:118: [W0106(expression-not-assigned), parse_options] Expression "(basic_group.add_option('-k', '--keytab', dest='keytab', help='path to backed up keytab from previous enrollment'), )" is assigned to nothing) ipa-client/ipa-install/ipa-client-install:120: [W0106(expression-not-assigned), parse_options] Expression "(basic_group.add_option('-W', dest='prompt_password', action='store_true', default=False, help='Prompt for a password to join the IPA realm'), )" is assigned to nothing) Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-12-17 00:33:57 +01:00
for t in doc.getKeyPackages():
t._PSKCKeyPackage__process()
Implement OTP token importing This patch adds support for importing tokens using RFC 6030 key container files. This includes decryption support. For sysadmin sanity, any tokens which fail to add will be written to the output file for examination. The main use case here is where a small subset of a large set of tokens fails to validate or add. Using the output file, the sysadmin can attempt to recover these specific tokens. This code is implemented as a server-side script. However, it doesn't actually need to run on the server. This was done because importing is an odd fit for the IPA command framework: 1. We need to write an output file. 2. The operation may be long-running (thousands of tokens). 3. Only admins need to perform this task and it only happens infrequently. https://fedorahosted.org/freeipa/ticket/4261 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-05-08 11:06:16 -04:00
except ValidationError: # Unsupported token type.
pass
else:
assert False
def test_full(self):
Migrate OTP import script to python-cryptography https://fedorahosted.org/freeipa/ticket/5192 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2015-08-31 10:46:19 -04:00
doc = PSKCDocument(os.path.join(basename, "full.xml"))
assert [(t.id, t.options) for t in doc.getKeyPackages()] == \
[(u'KID1', {
'ipatokenotpkey': u'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ',
'ipatokennotafter': u'20060531000000Z',
'ipatokennotbefore': u'20060501000000Z',
'ipatokenserial': u'SerialNo-IssueNo',
'ipatokentotpclockoffset': 60000,
'ipatokenotpalgorithm': u'sha1',
'ipatokenvendor': u'iana.dummy',
'description': u'FriendlyName',
'ipatokentotptimestep': 200,
'ipatokenhotpcounter': 0,
'ipatokenmodel': u'Model',
'ipatokenotpdigits': 8,
'type': u'hotp',
})]
OTP import: support hash names with HMAC- prefix Refactor convertHashName() method to accept hash names prefixed with HMAC- or any other prefix. Extending the method should be easier in future. Add tests proposed by Rob Crittenden to make sure we don't regress with expected behavior of convertHashName(). Fixes https://pagure.io/freeipa/issue/7146 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-09-14 17:31:57 +03:00
def test_valid_tokens(self):
assert convertHashName('sha1') == u'sha1'
assert convertHashName('hmac-sha1') == u'sha1'
assert convertHashName('sha224') == u'sha224'
assert convertHashName('hmac-sha224') == u'sha224'
assert convertHashName('sha256') == u'sha256'
assert convertHashName('hmac-sha256') == u'sha256'
assert convertHashName('sha384') == u'sha384'
assert convertHashName('hmac-sha384') == u'sha384'
assert convertHashName('sha512') == u'sha512'
assert convertHashName('hmac-sha512') == u'sha512'
def test_invalid_tokens(self):
"""The conversion defaults to sha1 on unknown hashing"""
assert convertHashName('something-sha256') == u'sha1'
assert convertHashName('') == u'sha1'
assert convertHashName(None) == u'sha1'
Reference in New Issue Copy Permalink