freeipa/ipatests/test_xmlrpc/test_hbactest_plugin.py

218 lines
7.8 KiB
Python
Raw Normal View History

Add hbactest command. https://fedorahosted.org/freeipa/ticket/386 HBAC rules control who can access what services on what hosts and from where. You can use HBAC to control which users or groups on a source host can access a service, or group of services, on a target host. Since applying HBAC rules implies use of a production environment, this plugin aims to provide simulation of HBAC rules evaluation without having access to the production environment. Test user coming from source host to a service on a named host against existing enabled rules. ipa hbactest --user= --srchost= --host= --service= [--rules=rules-list] [--nodetail] [--enabled] [--disabled] --user, --srchost, --host, and --service are mandatory, others are optional. If --rules is specified simulate enabling of the specified rules and test the login of the user using only these rules. If --enabled is specified, all enabled HBAC rules will be added to simulation If --disabled is specified, all disabled HBAC rules will be added to simulation If --nodetail is specified, do not return information about rules matched/not matched. If both --rules and --enabled are specified, apply simulation to --rules _and_ all IPA enabled rules. If no --rules specified, simulation is run against all IPA enabled rules. EXAMPLES: 1. Use all enabled HBAC rules in IPA database to simulate: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule matched: allow_all 2. Disable detailed summary of how rules were applied: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --nodetail -------------------- Access granted: True -------------------- 3. Test explicitly specified HBAC rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --------------------- Access granted: False --------------------- notmatched: my-second-rule notmatched: myrule 4. Use all enabled HBAC rules in IPA database + explicitly specified rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --enabled -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule matched: allow_all 5. Test all disabled HBAC rules in IPA database: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --disabled --------------------- Access granted: False --------------------- notmatched: new-rule 6. Test all disabled HBAC rules in IPA database + explicitly specified rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --disabled --------------------- Access granted: False --------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule 7. Test all (enabled and disabled) HBAC rules in IPA database: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --enabled --disabled -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule notmatched: new-rule matched: allow_all Only rules existing in IPA database are tested. They may be in enabled or disabled disabled state. Specifying them through --rules option explicitly enables them only in simulation run. Specifying non-existing rules will not grant access and report non-existing rules in output.
2011-07-22 08:30:44 -05:00
# Authors:
# Pavel Zuna <pzuna@redhat.com>
# Alexander Bokovoy <abokovoy@redhat.com>
#
# Copyright (C) 2009-2011 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
"""
Test the `ipalib/plugins/hbactest.py` module.
"""
from ipatests.test_xmlrpc.xmlrpc_test import XMLRPC_test, assert_attr_equal
Add hbactest command. https://fedorahosted.org/freeipa/ticket/386 HBAC rules control who can access what services on what hosts and from where. You can use HBAC to control which users or groups on a source host can access a service, or group of services, on a target host. Since applying HBAC rules implies use of a production environment, this plugin aims to provide simulation of HBAC rules evaluation without having access to the production environment. Test user coming from source host to a service on a named host against existing enabled rules. ipa hbactest --user= --srchost= --host= --service= [--rules=rules-list] [--nodetail] [--enabled] [--disabled] --user, --srchost, --host, and --service are mandatory, others are optional. If --rules is specified simulate enabling of the specified rules and test the login of the user using only these rules. If --enabled is specified, all enabled HBAC rules will be added to simulation If --disabled is specified, all disabled HBAC rules will be added to simulation If --nodetail is specified, do not return information about rules matched/not matched. If both --rules and --enabled are specified, apply simulation to --rules _and_ all IPA enabled rules. If no --rules specified, simulation is run against all IPA enabled rules. EXAMPLES: 1. Use all enabled HBAC rules in IPA database to simulate: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule matched: allow_all 2. Disable detailed summary of how rules were applied: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --nodetail -------------------- Access granted: True -------------------- 3. Test explicitly specified HBAC rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --------------------- Access granted: False --------------------- notmatched: my-second-rule notmatched: myrule 4. Use all enabled HBAC rules in IPA database + explicitly specified rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --enabled -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule matched: allow_all 5. Test all disabled HBAC rules in IPA database: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --disabled --------------------- Access granted: False --------------------- notmatched: new-rule 6. Test all disabled HBAC rules in IPA database + explicitly specified rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --disabled --------------------- Access granted: False --------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule 7. Test all (enabled and disabled) HBAC rules in IPA database: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --enabled --disabled -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule notmatched: new-rule matched: allow_all Only rules existing in IPA database are tested. They may be in enabled or disabled disabled state. Specifying them through --rules option explicitly enables them only in simulation run. Specifying non-existing rules will not grant access and report non-existing rules in output.
2011-07-22 08:30:44 -05:00
from ipalib import api
from ipalib import errors
from types import NoneType
from nose.tools import raises
Add hbactest command. https://fedorahosted.org/freeipa/ticket/386 HBAC rules control who can access what services on what hosts and from where. You can use HBAC to control which users or groups on a source host can access a service, or group of services, on a target host. Since applying HBAC rules implies use of a production environment, this plugin aims to provide simulation of HBAC rules evaluation without having access to the production environment. Test user coming from source host to a service on a named host against existing enabled rules. ipa hbactest --user= --srchost= --host= --service= [--rules=rules-list] [--nodetail] [--enabled] [--disabled] --user, --srchost, --host, and --service are mandatory, others are optional. If --rules is specified simulate enabling of the specified rules and test the login of the user using only these rules. If --enabled is specified, all enabled HBAC rules will be added to simulation If --disabled is specified, all disabled HBAC rules will be added to simulation If --nodetail is specified, do not return information about rules matched/not matched. If both --rules and --enabled are specified, apply simulation to --rules _and_ all IPA enabled rules. If no --rules specified, simulation is run against all IPA enabled rules. EXAMPLES: 1. Use all enabled HBAC rules in IPA database to simulate: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule matched: allow_all 2. Disable detailed summary of how rules were applied: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --nodetail -------------------- Access granted: True -------------------- 3. Test explicitly specified HBAC rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --------------------- Access granted: False --------------------- notmatched: my-second-rule notmatched: myrule 4. Use all enabled HBAC rules in IPA database + explicitly specified rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --enabled -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule matched: allow_all 5. Test all disabled HBAC rules in IPA database: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --disabled --------------------- Access granted: False --------------------- notmatched: new-rule 6. Test all disabled HBAC rules in IPA database + explicitly specified rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --disabled --------------------- Access granted: False --------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule 7. Test all (enabled and disabled) HBAC rules in IPA database: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --enabled --disabled -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule notmatched: new-rule matched: allow_all Only rules existing in IPA database are tested. They may be in enabled or disabled disabled state. Specifying them through --rules option explicitly enables them only in simulation run. Specifying non-existing rules will not grant access and report non-existing rules in output.
2011-07-22 08:30:44 -05:00
# Test strategy:
# 1. Create few allow rules: with user categories, with explicit users, with user groups, with groups, with services
# 2. Create users for test
# 3. Run detailed and non-detailed tests for explicitly specified rules, check expected result
#
class test_hbactest(XMLRPC_test):
"""
Test the `hbactest` plugin.
"""
rule_names = [u'testing_rule1234_%d' % (d) for d in [1,2,3,4]]
rule_type = u'allow'
rule_service = u'ssh'
rule_descs = [u'description %d' % (d) for d in [1,2,3,4]]
test_user = u'hbacrule_test_user'
test_group = u'hbacrule_test_group'
test_host = u'hbacrule.testhost'
Add hbactest command. https://fedorahosted.org/freeipa/ticket/386 HBAC rules control who can access what services on what hosts and from where. You can use HBAC to control which users or groups on a source host can access a service, or group of services, on a target host. Since applying HBAC rules implies use of a production environment, this plugin aims to provide simulation of HBAC rules evaluation without having access to the production environment. Test user coming from source host to a service on a named host against existing enabled rules. ipa hbactest --user= --srchost= --host= --service= [--rules=rules-list] [--nodetail] [--enabled] [--disabled] --user, --srchost, --host, and --service are mandatory, others are optional. If --rules is specified simulate enabling of the specified rules and test the login of the user using only these rules. If --enabled is specified, all enabled HBAC rules will be added to simulation If --disabled is specified, all disabled HBAC rules will be added to simulation If --nodetail is specified, do not return information about rules matched/not matched. If both --rules and --enabled are specified, apply simulation to --rules _and_ all IPA enabled rules. If no --rules specified, simulation is run against all IPA enabled rules. EXAMPLES: 1. Use all enabled HBAC rules in IPA database to simulate: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule matched: allow_all 2. Disable detailed summary of how rules were applied: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --nodetail -------------------- Access granted: True -------------------- 3. Test explicitly specified HBAC rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --------------------- Access granted: False --------------------- notmatched: my-second-rule notmatched: myrule 4. Use all enabled HBAC rules in IPA database + explicitly specified rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --enabled -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule matched: allow_all 5. Test all disabled HBAC rules in IPA database: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --disabled --------------------- Access granted: False --------------------- notmatched: new-rule 6. Test all disabled HBAC rules in IPA database + explicitly specified rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --disabled --------------------- Access granted: False --------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule 7. Test all (enabled and disabled) HBAC rules in IPA database: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --enabled --disabled -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule notmatched: new-rule matched: allow_all Only rules existing in IPA database are tested. They may be in enabled or disabled disabled state. Specifying them through --rules option explicitly enables them only in simulation run. Specifying non-existing rules will not grant access and report non-existing rules in output.
2011-07-22 08:30:44 -05:00
test_hostgroup = u'hbacrule_test_hostgroup'
test_sourcehost = u'hbacrule.testsrchost'
Add hbactest command. https://fedorahosted.org/freeipa/ticket/386 HBAC rules control who can access what services on what hosts and from where. You can use HBAC to control which users or groups on a source host can access a service, or group of services, on a target host. Since applying HBAC rules implies use of a production environment, this plugin aims to provide simulation of HBAC rules evaluation without having access to the production environment. Test user coming from source host to a service on a named host against existing enabled rules. ipa hbactest --user= --srchost= --host= --service= [--rules=rules-list] [--nodetail] [--enabled] [--disabled] --user, --srchost, --host, and --service are mandatory, others are optional. If --rules is specified simulate enabling of the specified rules and test the login of the user using only these rules. If --enabled is specified, all enabled HBAC rules will be added to simulation If --disabled is specified, all disabled HBAC rules will be added to simulation If --nodetail is specified, do not return information about rules matched/not matched. If both --rules and --enabled are specified, apply simulation to --rules _and_ all IPA enabled rules. If no --rules specified, simulation is run against all IPA enabled rules. EXAMPLES: 1. Use all enabled HBAC rules in IPA database to simulate: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule matched: allow_all 2. Disable detailed summary of how rules were applied: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --nodetail -------------------- Access granted: True -------------------- 3. Test explicitly specified HBAC rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --------------------- Access granted: False --------------------- notmatched: my-second-rule notmatched: myrule 4. Use all enabled HBAC rules in IPA database + explicitly specified rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --enabled -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule matched: allow_all 5. Test all disabled HBAC rules in IPA database: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --disabled --------------------- Access granted: False --------------------- notmatched: new-rule 6. Test all disabled HBAC rules in IPA database + explicitly specified rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --disabled --------------------- Access granted: False --------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule 7. Test all (enabled and disabled) HBAC rules in IPA database: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --enabled --disabled -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule notmatched: new-rule matched: allow_all Only rules existing in IPA database are tested. They may be in enabled or disabled disabled state. Specifying them through --rules option explicitly enables them only in simulation run. Specifying non-existing rules will not grant access and report non-existing rules in output.
2011-07-22 08:30:44 -05:00
test_sourcehostgroup = u'hbacrule_test_src_hostgroup'
test_service = u'ssh'
# Auxiliary funcion for checking existence of warning for specified rule
def check_rule_presence(self,rule_name,warnings):
for warning in warnings:
if rule_name in warning:
return True
return False
Add hbactest command. https://fedorahosted.org/freeipa/ticket/386 HBAC rules control who can access what services on what hosts and from where. You can use HBAC to control which users or groups on a source host can access a service, or group of services, on a target host. Since applying HBAC rules implies use of a production environment, this plugin aims to provide simulation of HBAC rules evaluation without having access to the production environment. Test user coming from source host to a service on a named host against existing enabled rules. ipa hbactest --user= --srchost= --host= --service= [--rules=rules-list] [--nodetail] [--enabled] [--disabled] --user, --srchost, --host, and --service are mandatory, others are optional. If --rules is specified simulate enabling of the specified rules and test the login of the user using only these rules. If --enabled is specified, all enabled HBAC rules will be added to simulation If --disabled is specified, all disabled HBAC rules will be added to simulation If --nodetail is specified, do not return information about rules matched/not matched. If both --rules and --enabled are specified, apply simulation to --rules _and_ all IPA enabled rules. If no --rules specified, simulation is run against all IPA enabled rules. EXAMPLES: 1. Use all enabled HBAC rules in IPA database to simulate: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule matched: allow_all 2. Disable detailed summary of how rules were applied: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --nodetail -------------------- Access granted: True -------------------- 3. Test explicitly specified HBAC rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --------------------- Access granted: False --------------------- notmatched: my-second-rule notmatched: myrule 4. Use all enabled HBAC rules in IPA database + explicitly specified rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --enabled -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule matched: allow_all 5. Test all disabled HBAC rules in IPA database: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --disabled --------------------- Access granted: False --------------------- notmatched: new-rule 6. Test all disabled HBAC rules in IPA database + explicitly specified rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --disabled --------------------- Access granted: False --------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule 7. Test all (enabled and disabled) HBAC rules in IPA database: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --enabled --disabled -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule notmatched: new-rule matched: allow_all Only rules existing in IPA database are tested. They may be in enabled or disabled disabled state. Specifying them through --rules option explicitly enables them only in simulation run. Specifying non-existing rules will not grant access and report non-existing rules in output.
2011-07-22 08:30:44 -05:00
def test_0_hbactest_addrules(self):
"""
Prepare data by adding test HBAC rules using `xmlrpc.hbacrule_add'.
"""
self.failsafe_add(api.Object.user,
self.test_user, givenname=u'first', sn=u'last'
)
self.failsafe_add(api.Object.group,
self.test_group, description=u'description'
)
self.failsafe_add(api.Object.host,
self.test_host, force=True
)
self.failsafe_add(api.Object.hostgroup,
self.test_hostgroup, description=u'description'
)
self.failsafe_add(api.Object.host,
self.test_sourcehost, force=True
)
self.failsafe_add(api.Object.hostgroup,
self.test_sourcehostgroup, description=u'desc'
)
self.failsafe_add(api.Object.hbacsvc,
self.test_service, description=u'desc'
Add hbactest command. https://fedorahosted.org/freeipa/ticket/386 HBAC rules control who can access what services on what hosts and from where. You can use HBAC to control which users or groups on a source host can access a service, or group of services, on a target host. Since applying HBAC rules implies use of a production environment, this plugin aims to provide simulation of HBAC rules evaluation without having access to the production environment. Test user coming from source host to a service on a named host against existing enabled rules. ipa hbactest --user= --srchost= --host= --service= [--rules=rules-list] [--nodetail] [--enabled] [--disabled] --user, --srchost, --host, and --service are mandatory, others are optional. If --rules is specified simulate enabling of the specified rules and test the login of the user using only these rules. If --enabled is specified, all enabled HBAC rules will be added to simulation If --disabled is specified, all disabled HBAC rules will be added to simulation If --nodetail is specified, do not return information about rules matched/not matched. If both --rules and --enabled are specified, apply simulation to --rules _and_ all IPA enabled rules. If no --rules specified, simulation is run against all IPA enabled rules. EXAMPLES: 1. Use all enabled HBAC rules in IPA database to simulate: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule matched: allow_all 2. Disable detailed summary of how rules were applied: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --nodetail -------------------- Access granted: True -------------------- 3. Test explicitly specified HBAC rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --------------------- Access granted: False --------------------- notmatched: my-second-rule notmatched: myrule 4. Use all enabled HBAC rules in IPA database + explicitly specified rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --enabled -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule matched: allow_all 5. Test all disabled HBAC rules in IPA database: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --disabled --------------------- Access granted: False --------------------- notmatched: new-rule 6. Test all disabled HBAC rules in IPA database + explicitly specified rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --disabled --------------------- Access granted: False --------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule 7. Test all (enabled and disabled) HBAC rules in IPA database: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --enabled --disabled -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule notmatched: new-rule matched: allow_all Only rules existing in IPA database are tested. They may be in enabled or disabled disabled state. Specifying them through --rules option explicitly enables them only in simulation run. Specifying non-existing rules will not grant access and report non-existing rules in output.
2011-07-22 08:30:44 -05:00
)
for i in [0,1,2,3]:
api.Command['hbacrule_add'](
self.rule_names[i], accessruletype=self.rule_type, description=self.rule_descs[i],
)
ret = api.Command['hbacrule_add_user'](
self.rule_names[i], user=self.test_user, group=self.test_group
)
ret = api.Command['hbacrule_add_host'](
self.rule_names[i], host=self.test_host, hostgroup=self.test_hostgroup
)
ret = api.Command['hbacrule_add_service'](
self.rule_names[i], hbacsvc=self.test_service
)
if i & 1:
ret = api.Command['hbacrule_disable'](self.rule_names[i])
def test_a_hbactest_check_rules_detail(self):
"""
Test 'ipa hbactest --rules' (explicit IPA rules, detailed output)
"""
ret = api.Command['hbactest'](
user=self.test_user,
targethost=self.test_host,
service=self.test_service,
rules=self.rule_names
)
assert ret['value'] == True
assert type(ret['error']) == NoneType
for i in [0,1,2,3]:
assert self.rule_names[i] in ret['matched']
Add hbactest command. https://fedorahosted.org/freeipa/ticket/386 HBAC rules control who can access what services on what hosts and from where. You can use HBAC to control which users or groups on a source host can access a service, or group of services, on a target host. Since applying HBAC rules implies use of a production environment, this plugin aims to provide simulation of HBAC rules evaluation without having access to the production environment. Test user coming from source host to a service on a named host against existing enabled rules. ipa hbactest --user= --srchost= --host= --service= [--rules=rules-list] [--nodetail] [--enabled] [--disabled] --user, --srchost, --host, and --service are mandatory, others are optional. If --rules is specified simulate enabling of the specified rules and test the login of the user using only these rules. If --enabled is specified, all enabled HBAC rules will be added to simulation If --disabled is specified, all disabled HBAC rules will be added to simulation If --nodetail is specified, do not return information about rules matched/not matched. If both --rules and --enabled are specified, apply simulation to --rules _and_ all IPA enabled rules. If no --rules specified, simulation is run against all IPA enabled rules. EXAMPLES: 1. Use all enabled HBAC rules in IPA database to simulate: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule matched: allow_all 2. Disable detailed summary of how rules were applied: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --nodetail -------------------- Access granted: True -------------------- 3. Test explicitly specified HBAC rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --------------------- Access granted: False --------------------- notmatched: my-second-rule notmatched: myrule 4. Use all enabled HBAC rules in IPA database + explicitly specified rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --enabled -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule matched: allow_all 5. Test all disabled HBAC rules in IPA database: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --disabled --------------------- Access granted: False --------------------- notmatched: new-rule 6. Test all disabled HBAC rules in IPA database + explicitly specified rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --disabled --------------------- Access granted: False --------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule 7. Test all (enabled and disabled) HBAC rules in IPA database: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --enabled --disabled -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule notmatched: new-rule matched: allow_all Only rules existing in IPA database are tested. They may be in enabled or disabled disabled state. Specifying them through --rules option explicitly enables them only in simulation run. Specifying non-existing rules will not grant access and report non-existing rules in output.
2011-07-22 08:30:44 -05:00
def test_b_hbactest_check_rules_nodetail(self):
"""
Test 'ipa hbactest --rules --nodetail' (explicit IPA rules, no detailed output)
"""
ret = api.Command['hbactest'](
user=self.test_user,
targethost=self.test_host,
service=self.test_service,
rules=self.rule_names,
nodetail=True
)
assert ret['value'] == True
assert ret['error'] == None
assert ret['matched'] == None
assert ret['notmatched'] == None
Add hbactest command. https://fedorahosted.org/freeipa/ticket/386 HBAC rules control who can access what services on what hosts and from where. You can use HBAC to control which users or groups on a source host can access a service, or group of services, on a target host. Since applying HBAC rules implies use of a production environment, this plugin aims to provide simulation of HBAC rules evaluation without having access to the production environment. Test user coming from source host to a service on a named host against existing enabled rules. ipa hbactest --user= --srchost= --host= --service= [--rules=rules-list] [--nodetail] [--enabled] [--disabled] --user, --srchost, --host, and --service are mandatory, others are optional. If --rules is specified simulate enabling of the specified rules and test the login of the user using only these rules. If --enabled is specified, all enabled HBAC rules will be added to simulation If --disabled is specified, all disabled HBAC rules will be added to simulation If --nodetail is specified, do not return information about rules matched/not matched. If both --rules and --enabled are specified, apply simulation to --rules _and_ all IPA enabled rules. If no --rules specified, simulation is run against all IPA enabled rules. EXAMPLES: 1. Use all enabled HBAC rules in IPA database to simulate: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule matched: allow_all 2. Disable detailed summary of how rules were applied: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --nodetail -------------------- Access granted: True -------------------- 3. Test explicitly specified HBAC rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --------------------- Access granted: False --------------------- notmatched: my-second-rule notmatched: myrule 4. Use all enabled HBAC rules in IPA database + explicitly specified rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --enabled -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule matched: allow_all 5. Test all disabled HBAC rules in IPA database: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --disabled --------------------- Access granted: False --------------------- notmatched: new-rule 6. Test all disabled HBAC rules in IPA database + explicitly specified rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --disabled --------------------- Access granted: False --------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule 7. Test all (enabled and disabled) HBAC rules in IPA database: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --enabled --disabled -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule notmatched: new-rule matched: allow_all Only rules existing in IPA database are tested. They may be in enabled or disabled disabled state. Specifying them through --rules option explicitly enables them only in simulation run. Specifying non-existing rules will not grant access and report non-existing rules in output.
2011-07-22 08:30:44 -05:00
def test_c_hbactest_check_rules_enabled_detail(self):
"""
Test 'ipa hbactest --enabled' (all enabled IPA rules, detailed output)
"""
ret = api.Command['hbactest'](
user=self.test_user,
targethost=self.test_host,
service=self.test_service,
enabled=True
)
# --enabled will try to work with _all_ enabled rules in IPA database
# It means we could have matched something else (unlikely but possible)
# Thus, check that our two enabled rules are in matched, nothing more
for i in [0,2]:
assert self.rule_names[i] in ret['matched']
def test_d_hbactest_check_rules_disabled_detail(self):
"""
Test 'ipa hbactest --disabled' (all disabled IPA rules, detailed output)
"""
ret = api.Command['hbactest'](
user=self.test_user,
targethost=self.test_host,
service=self.test_service,
disabled=True
)
# --disabled will try to work with _all_ disabled rules in IPA database
# It means we could have matched something else (unlikely but possible)
# Thus, check that our two disabled rules are in matched, nothing more
for i in [1,3]:
assert self.rule_names[i] in ret['matched']
def test_e_hbactest_check_non_existing_rule_detail(self):
"""
Test running 'ipa hbactest' with non-existing rule in --rules
"""
ret = api.Command['hbactest'](
user=self.test_user,
targethost=self.test_host,
service=self.test_service,
rules=[u'%s_1x1' % (rule) for rule in self.rule_names],
nodetail=True
)
assert ret['value'] == False
assert ret['matched'] == None
assert ret['notmatched'] == None
for rule in self.rule_names:
assert u'%s_1x1' % (rule) in ret['error']
@raises(errors.ValidationError)
def test_f_hbactest_check_sourcehost_option_is_deprecated(self):
"""
Test running 'ipa hbactest' with --srchost option raises ValidationError
"""
api.Command['hbactest'](
user=self.test_user,
targethost=self.test_host,
sourcehost=self.test_sourcehost,
service=self.test_service,
rules=[u'%s_1x1' % rule for rule in self.rule_names],
nodetail=True
)
def test_g_hbactest_clear_testing_data(self):
Add hbactest command. https://fedorahosted.org/freeipa/ticket/386 HBAC rules control who can access what services on what hosts and from where. You can use HBAC to control which users or groups on a source host can access a service, or group of services, on a target host. Since applying HBAC rules implies use of a production environment, this plugin aims to provide simulation of HBAC rules evaluation without having access to the production environment. Test user coming from source host to a service on a named host against existing enabled rules. ipa hbactest --user= --srchost= --host= --service= [--rules=rules-list] [--nodetail] [--enabled] [--disabled] --user, --srchost, --host, and --service are mandatory, others are optional. If --rules is specified simulate enabling of the specified rules and test the login of the user using only these rules. If --enabled is specified, all enabled HBAC rules will be added to simulation If --disabled is specified, all disabled HBAC rules will be added to simulation If --nodetail is specified, do not return information about rules matched/not matched. If both --rules and --enabled are specified, apply simulation to --rules _and_ all IPA enabled rules. If no --rules specified, simulation is run against all IPA enabled rules. EXAMPLES: 1. Use all enabled HBAC rules in IPA database to simulate: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule matched: allow_all 2. Disable detailed summary of how rules were applied: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --nodetail -------------------- Access granted: True -------------------- 3. Test explicitly specified HBAC rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --------------------- Access granted: False --------------------- notmatched: my-second-rule notmatched: myrule 4. Use all enabled HBAC rules in IPA database + explicitly specified rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --enabled -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule matched: allow_all 5. Test all disabled HBAC rules in IPA database: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --disabled --------------------- Access granted: False --------------------- notmatched: new-rule 6. Test all disabled HBAC rules in IPA database + explicitly specified rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --disabled --------------------- Access granted: False --------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule 7. Test all (enabled and disabled) HBAC rules in IPA database: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --enabled --disabled -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule notmatched: new-rule matched: allow_all Only rules existing in IPA database are tested. They may be in enabled or disabled disabled state. Specifying them through --rules option explicitly enables them only in simulation run. Specifying non-existing rules will not grant access and report non-existing rules in output.
2011-07-22 08:30:44 -05:00
"""
Clear data for HBAC test plugin testing.
"""
for i in [0,1,2,3]:
api.Command['hbacrule_remove_host'](self.rule_names[i], host=self.test_host)
api.Command['hbacrule_remove_host'](self.rule_names[i], hostgroup=self.test_hostgroup)
api.Command['hbacrule_del'](self.rule_names[i])
api.Command['user_del'](self.test_user)
api.Command['group_del'](self.test_group)
api.Command['host_del'](self.test_host)
api.Command['hostgroup_del'](self.test_hostgroup)
api.Command['host_del'](self.test_sourcehost)
api.Command['hostgroup_del'](self.test_sourcehostgroup)
api.Command['hbacsvc_del'](self.test_service)