IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2024-12-25 16:31:08 -06:00
Code Issues Packages Projects Releases Wiki Activity
49b29591aa
freeipa/ipatests/test_ipaserver/test_otptoken_import.py

159 lines
5.6 KiB
Python
Raw Normal View History

Implement OTP token importing This patch adds support for importing tokens using RFC 6030 key container files. This includes decryption support. For sysadmin sanity, any tokens which fail to add will be written to the output file for examination. The main use case here is where a small subset of a large set of tokens fails to validate or add. Using the output file, the sysadmin can attempt to recover these specific tokens. This code is implemented as a server-side script. However, it doesn't actually need to run on the server. This was done because importing is an odd fit for the IPA command framework: 1. We need to write an output file. 2. The operation may be long-running (thousands of tokens). 3. Only admins need to perform this task and it only happens infrequently. https://fedorahosted.org/freeipa/ticket/4261 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-05-08 10:06:16 -05:00
# Authors:
# Nathaniel McCallum <npmccallum@redhat.com>
#
# Copyright (C) 2014 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import os
ipatests: Take otptoken import test out of execution The issue reported in ticket [1] hasn't been solved yet. This patch prevents the test cases for OTP import being run. The change is intended as a *temporary* workaround until proper fix for the issue is introduced. [1] https://fedorahosted.org/freeipa/ticket/5192 Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-08-17 02:06:24 -05:00
import pytest
Implement OTP token importing This patch adds support for importing tokens using RFC 6030 key container files. This includes decryption support. For sysadmin sanity, any tokens which fail to add will be written to the output file for examination. The main use case here is where a small subset of a large set of tokens fails to validate or add. Using the output file, the sysadmin can attempt to recover these specific tokens. This code is implemented as a server-side script. However, it doesn't actually need to run on the server. This was done because importing is an odd fit for the IPA command framework: 1. We need to write an output file. 2. The operation may be long-running (thousands of tokens). 3. Only admins need to perform this task and it only happens infrequently. https://fedorahosted.org/freeipa/ticket/4261 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-05-08 10:06:16 -05:00
from nss import nss
Re-initialize NSS database after otptoken plugin tests OTP token tests do not properly reinitialize the NSS db, thus making subsequent xmlrpc tests fail on SSL cert validation. Make sure NSS db is re-initalized in the teardown method. https://fedorahosted.org/freeipa/ticket/4748 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-11-20 11:37:57 -06:00
from ipalib.x509 import initialize_nss_database
Implement OTP token importing This patch adds support for importing tokens using RFC 6030 key container files. This includes decryption support. For sysadmin sanity, any tokens which fail to add will be written to the output file for examination. The main use case here is where a small subset of a large set of tokens fails to validate or add. Using the output file, the sysadmin can attempt to recover these specific tokens. This code is implemented as a server-side script. However, it doesn't actually need to run on the server. This was done because importing is an odd fit for the IPA command framework: 1. We need to write an output file. 2. The operation may be long-running (thousands of tokens). 3. Only admins need to perform this task and it only happens infrequently. https://fedorahosted.org/freeipa/ticket/4261 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-05-08 10:06:16 -05:00
from ipaserver.install.ipa_otptoken_import import PSKCDocument, ValidationError
basename = os.path.join(os.path.dirname(__file__), "data")
ipatests: Take otptoken import test out of execution The issue reported in ticket [1] hasn't been solved yet. This patch prevents the test cases for OTP import being run. The change is intended as a *temporary* workaround until proper fix for the issue is introduced. [1] https://fedorahosted.org/freeipa/ticket/5192 Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-08-17 02:06:24 -05:00
@pytest.mark.skipif(True, reason="Causes NSS errors. Ticket 5192")
Applied tier0 and tier1 marks on unit tests and xmlrpc tests Web UI tests were marked as tier1 tests. The tier system is intended to be used together with CI system to make sure the more complicated tests are being run only when all of the basic functionality is working. The system is using pytest's marker system. E.g. an invocation of all tier1 tests with listing will look like: $ py.test -v -m tier1 ipatests or in case of out of tree tests: $ ipa-run-tests -m tier1 Reviewed-By: Ales 'alich' Marecek <amarecek@redhat.com>
2015-04-24 07:39:48 -05:00
@pytest.mark.tier1
Implement OTP token importing This patch adds support for importing tokens using RFC 6030 key container files. This includes decryption support. For sysadmin sanity, any tokens which fail to add will be written to the output file for examination. The main use case here is where a small subset of a large set of tokens fails to validate or add. Using the output file, the sysadmin can attempt to recover these specific tokens. This code is implemented as a server-side script. However, it doesn't actually need to run on the server. This was done because importing is an odd fit for the IPA command framework: 1. We need to write an output file. 2. The operation may be long-running (thousands of tokens). 3. Only admins need to perform this task and it only happens infrequently. https://fedorahosted.org/freeipa/ticket/4261 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-05-08 10:06:16 -05:00
class test_otptoken_import(object):
Re-initialize NSS database after otptoken plugin tests OTP token tests do not properly reinitialize the NSS db, thus making subsequent xmlrpc tests fail on SSL cert validation. Make sure NSS db is re-initalized in the teardown method. https://fedorahosted.org/freeipa/ticket/4748 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-11-20 11:37:57 -06:00
def teardown(self):
initialize_nss_database()
Implement OTP token importing This patch adds support for importing tokens using RFC 6030 key container files. This includes decryption support. For sysadmin sanity, any tokens which fail to add will be written to the output file for examination. The main use case here is where a small subset of a large set of tokens fails to validate or add. Using the output file, the sysadmin can attempt to recover these specific tokens. This code is implemented as a server-side script. However, it doesn't actually need to run on the server. This was done because importing is an odd fit for the IPA command framework: 1. We need to write an output file. 2. The operation may be long-running (thousands of tokens). 3. Only admins need to perform this task and it only happens infrequently. https://fedorahosted.org/freeipa/ticket/4261 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-05-08 10:06:16 -05:00
def test_figure3(self):
doc = PSKCDocument(os.path.join(basename, "pskc-figure3.xml"))
assert doc.keyname is None
assert [(t.id, t.options) for t in doc.getKeyPackages()] == \
[(u'12345678', {
'ipatokenotpkey': u'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ',
'ipatokenvendor': u'Manufacturer',
'ipatokenserial': u'987654321',
Modernize number literals Use Python-3 compatible syntax, without breaking compatibility with py 2.7 - Octals literals start with 0o to prevent confusion - The "L" at the end of large int literals is not required as they use long on Python 2 automatically. - Using 'int' instead of 'long' for small numbers is OK in all cases except strict type checking checking, e.g. type(0). https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-07-15 09:38:06 -05:00
'ipatokenhotpcounter': 0,
Implement OTP token importing This patch adds support for importing tokens using RFC 6030 key container files. This includes decryption support. For sysadmin sanity, any tokens which fail to add will be written to the output file for examination. The main use case here is where a small subset of a large set of tokens fails to validate or add. Using the output file, the sysadmin can attempt to recover these specific tokens. This code is implemented as a server-side script. However, it doesn't actually need to run on the server. This was done because importing is an odd fit for the IPA command framework: 1. We need to write an output file. 2. The operation may be long-running (thousands of tokens). 3. Only admins need to perform this task and it only happens infrequently. https://fedorahosted.org/freeipa/ticket/4261 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-05-08 10:06:16 -05:00
'ipatokenotpdigits': 8,
'type': u'hotp',
})]
def test_figure4(self):
doc = PSKCDocument(os.path.join(basename, "pskc-figure4.xml"))
assert doc.keyname is None
try:
[(t.id, t.options) for t in doc.getKeyPackages()]
except ValidationError: # Referenced keys are not supported.
pass
else:
assert False
def test_figure5(self):
doc = PSKCDocument(os.path.join(basename, "pskc-figure5.xml"))
assert doc.keyname is None
try:
[(t.id, t.options) for t in doc.getKeyPackages()]
except ValidationError: # PIN Policy is not supported.
pass
else:
assert False
def test_figure6(self):
nss.nss_init_nodb()
try:
doc = PSKCDocument(os.path.join(basename, "pskc-figure6.xml"))
assert doc.keyname == 'Pre-shared-key'
doc.setKey('12345678901234567890123456789012'.decode('hex'))
assert [(t.id, t.options) for t in doc.getKeyPackages()] == \
[(u'12345678', {
'ipatokenotpkey': u'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ',
'ipatokenvendor': u'Manufacturer',
'ipatokenserial': u'987654321',
Modernize number literals Use Python-3 compatible syntax, without breaking compatibility with py 2.7 - Octals literals start with 0o to prevent confusion - The "L" at the end of large int literals is not required as they use long on Python 2 automatically. - Using 'int' instead of 'long' for small numbers is OK in all cases except strict type checking checking, e.g. type(0). https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-07-15 09:38:06 -05:00
'ipatokenhotpcounter': 0,
Implement OTP token importing This patch adds support for importing tokens using RFC 6030 key container files. This includes decryption support. For sysadmin sanity, any tokens which fail to add will be written to the output file for examination. The main use case here is where a small subset of a large set of tokens fails to validate or add. Using the output file, the sysadmin can attempt to recover these specific tokens. This code is implemented as a server-side script. However, it doesn't actually need to run on the server. This was done because importing is an odd fit for the IPA command framework: 1. We need to write an output file. 2. The operation may be long-running (thousands of tokens). 3. Only admins need to perform this task and it only happens infrequently. https://fedorahosted.org/freeipa/ticket/4261 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-05-08 10:06:16 -05:00
'ipatokenotpdigits': 8,
'type': u'hotp'})]
finally:
nss.nss_shutdown()
def test_figure7(self):
nss.nss_init_nodb()
try:
doc = PSKCDocument(os.path.join(basename, "pskc-figure7.xml"))
assert doc.keyname == 'My Password 1'
doc.setKey('qwerty')
assert [(t.id, t.options) for t in doc.getKeyPackages()] == \
[(u'123456', {
'ipatokenotpkey': u'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ',
'ipatokenvendor': u'TokenVendorAcme',
'ipatokenserial': u'987654321',
'ipatokenotpdigits': 8,
'type': u'hotp'})]
finally:
nss.nss_shutdown()
def test_figure8(self):
nss.nss_init_nodb()
try:
Remove unused variables in tests This commit removes or marks unused variables as "expected to be unused" by using '_' prefix. Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-09-26 11:22:22 -05:00
PSKCDocument(os.path.join(basename, "pskc-figure8.xml"))
Implement OTP token importing This patch adds support for importing tokens using RFC 6030 key container files. This includes decryption support. For sysadmin sanity, any tokens which fail to add will be written to the output file for examination. The main use case here is where a small subset of a large set of tokens fails to validate or add. Using the output file, the sysadmin can attempt to recover these specific tokens. This code is implemented as a server-side script. However, it doesn't actually need to run on the server. This was done because importing is an odd fit for the IPA command framework: 1. We need to write an output file. 2. The operation may be long-running (thousands of tokens). 3. Only admins need to perform this task and it only happens infrequently. https://fedorahosted.org/freeipa/ticket/4261 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-05-08 10:06:16 -05:00
except NotImplementedError: # X.509 is not supported.
pass
else:
assert False
finally:
nss.nss_shutdown()
def test_invalid(self):
nss.nss_init_nodb()
try:
Remove unused variables in tests This commit removes or marks unused variables as "expected to be unused" by using '_' prefix. Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-09-26 11:22:22 -05:00
PSKCDocument(os.path.join(basename, "pskc-invalid.xml"))
Implement OTP token importing This patch adds support for importing tokens using RFC 6030 key container files. This includes decryption support. For sysadmin sanity, any tokens which fail to add will be written to the output file for examination. The main use case here is where a small subset of a large set of tokens fails to validate or add. Using the output file, the sysadmin can attempt to recover these specific tokens. This code is implemented as a server-side script. However, it doesn't actually need to run on the server. This was done because importing is an odd fit for the IPA command framework: 1. We need to write an output file. 2. The operation may be long-running (thousands of tokens). 3. Only admins need to perform this task and it only happens infrequently. https://fedorahosted.org/freeipa/ticket/4261 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-05-08 10:06:16 -05:00
except ValueError: # File is invalid.
pass
else:
assert False
finally:
nss.nss_shutdown()
def test_mini(self):
nss.nss_init_nodb()
try:
doc = PSKCDocument(os.path.join(basename, "pskc-mini.xml"))
Enable pylint expression-not-assigned check Enables check and fixes: ************* Module ipa-replica-conncheck install/tools/ipa-replica-conncheck:150: [W0106(expression-not-assigned), parse_options] Expression "(replica_group.add_option('-w', '--password', dest='password', sensitive=True, help='Password for the principal'), )" is assigned to nothing) ************* Module ipatests.test_xmlrpc.test_automount_plugin ipatests/test_xmlrpc/test_automount_plugin.py:437: [W0106(expression-not-assigned), test_automount_indirect.test_1a_automountmap_add_indirect] Expression "api.Command['automountmap_add_indirect'](self.locname, self.mapname, **self.map_kw)['result']" is assigned to nothing) ************* Module ipatests.test_ipaserver.test_otptoken_import ipatests/test_ipaserver/test_otptoken_import.py:128: [W0106(expression-not-assigned), test_otptoken_import.test_mini] Expression "[(t.id, t.options) for t in doc.getKeyPackages()]" is assigned to nothing) ************* Module ipatests.test_ipaserver.test_ldap ipatests/test_ipaserver/test_ldap.py:221: [W0106(expression-not-assigned), test_LDAPEntry.test_popitem] Expression "list(e) == []" is assigned to nothing) ************* Module ipa-client-install ipa-client/ipa-install/ipa-client-install:114: [W0106(expression-not-assigned), parse_options] Expression "(basic_group.add_option('-p', '--principal', dest='principal', help='principal to use to join the IPA realm'), )" is assigned to nothing) ipa-client/ipa-install/ipa-client-install:116: [W0106(expression-not-assigned), parse_options] Expression "(basic_group.add_option('-w', '--password', dest='password', sensitive=True, help='password to join the IPA realm (assumes bulk password unless principal is also set)'), )" is assigned to nothing) ipa-client/ipa-install/ipa-client-install:118: [W0106(expression-not-assigned), parse_options] Expression "(basic_group.add_option('-k', '--keytab', dest='keytab', help='path to backed up keytab from previous enrollment'), )" is assigned to nothing) ipa-client/ipa-install/ipa-client-install:120: [W0106(expression-not-assigned), parse_options] Expression "(basic_group.add_option('-W', dest='prompt_password', action='store_true', default=False, help='Prompt for a password to join the IPA realm'), )" is assigned to nothing) Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-12-16 17:33:57 -06:00
for t in doc.getKeyPackages():
t._PSKCKeyPackage__process()
Implement OTP token importing This patch adds support for importing tokens using RFC 6030 key container files. This includes decryption support. For sysadmin sanity, any tokens which fail to add will be written to the output file for examination. The main use case here is where a small subset of a large set of tokens fails to validate or add. Using the output file, the sysadmin can attempt to recover these specific tokens. This code is implemented as a server-side script. However, it doesn't actually need to run on the server. This was done because importing is an odd fit for the IPA command framework: 1. We need to write an output file. 2. The operation may be long-running (thousands of tokens). 3. Only admins need to perform this task and it only happens infrequently. https://fedorahosted.org/freeipa/ticket/4261 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-05-08 10:06:16 -05:00
except ValidationError: # Unsupported token type.
pass
else:
assert False
finally:
nss.nss_shutdown()
def test_full(self):
nss.nss_init_nodb()
try:
doc = PSKCDocument(os.path.join(basename, "full.xml"))
assert [(t.id, t.options) for t in doc.getKeyPackages()] == \
[(u'KID1', {
'ipatokenotpkey': u'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ',
'ipatokennotafter': u'20060531000000Z',
'ipatokennotbefore': u'20060501000000Z',
'ipatokenserial': u'SerialNo-IssueNo',
'ipatokentotpclockoffset': 60000,
'ipatokenotpalgorithm': u'sha1',
'ipatokenvendor': u'iana.dummy',
'description': u'FriendlyName',
'ipatokentotptimestep': 200,
Modernize number literals Use Python-3 compatible syntax, without breaking compatibility with py 2.7 - Octals literals start with 0o to prevent confusion - The "L" at the end of large int literals is not required as they use long on Python 2 automatically. - Using 'int' instead of 'long' for small numbers is OK in all cases except strict type checking checking, e.g. type(0). https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-07-15 09:38:06 -05:00
'ipatokenhotpcounter': 0,
Implement OTP token importing This patch adds support for importing tokens using RFC 6030 key container files. This includes decryption support. For sysadmin sanity, any tokens which fail to add will be written to the output file for examination. The main use case here is where a small subset of a large set of tokens fails to validate or add. Using the output file, the sysadmin can attempt to recover these specific tokens. This code is implemented as a server-side script. However, it doesn't actually need to run on the server. This was done because importing is an odd fit for the IPA command framework: 1. We need to write an output file. 2. The operation may be long-running (thousands of tokens). 3. Only admins need to perform this task and it only happens infrequently. https://fedorahosted.org/freeipa/ticket/4261 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-05-08 10:06:16 -05:00
'ipatokenmodel': u'Model',
'ipatokenotpdigits': 8,
'type': u'hotp',
})]
finally:
nss.nss_shutdown()
Reference in New Issue Copy Permalink