mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-01-05 22:03:01 -06:00
dd296eec13
HBAC rules control who can access what services on what hosts and from where.
You can use HBAC to control which users or groups on a source host can
access a service, or group of services, on a target host.
Since applying HBAC rules implies use of a production environment,
this plugin aims to provide simulation of HBAC rules evaluation without
having access to the production environment.
Test user coming from source host to a service on a named host against
existing enabled rules.
ipa hbactest --user= --srchost= --host= --service=
[--rules=rules-list] [--nodetail] [--enabled] [--disabled]
--user, --srchost, --host, and --service are mandatory, others are optional.
If --rules is specified simulate enabling of the specified rules and test
the login of the user using only these rules.
If --enabled is specified, all enabled HBAC rules will be added to simulation
If --disabled is specified, all disabled HBAC rules will be added to simulation
If --nodetail is specified, do not return information about rules matched/not matched.
If both --rules and --enabled are specified, apply simulation to --rules _and_
all IPA enabled rules.
If no --rules specified, simulation is run against all IPA enabled rules.
EXAMPLES:
1. Use all enabled HBAC rules in IPA database to simulate:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh
--------------------
Access granted: True
--------------------
notmatched: my-second-rule
notmatched: my-third-rule
notmatched: myrule
matched: allow_all
2. Disable detailed summary of how rules were applied:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --nodetail
--------------------
Access granted: True
--------------------
3. Test explicitly specified HBAC rules:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule
---------------------
Access granted: False
---------------------
notmatched: my-second-rule
notmatched: myrule
4. Use all enabled HBAC rules in IPA database + explicitly specified rules:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --enabled
--------------------
Access granted: True
--------------------
notmatched: my-second-rule
notmatched: my-third-rule
notmatched: myrule
matched: allow_all
5. Test all disabled HBAC rules in IPA database:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --disabled
---------------------
Access granted: False
---------------------
notmatched: new-rule
6. Test all disabled HBAC rules in IPA database + explicitly specified rules:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --disabled
---------------------
Access granted: False
---------------------
notmatched: my-second-rule
notmatched: my-third-rule
notmatched: myrule
7. Test all (enabled and disabled) HBAC rules in IPA database:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --enabled --disabled
--------------------
Access granted: True
--------------------
notmatched: my-second-rule
notmatched: my-third-rule
notmatched: myrule
notmatched: new-rule
matched: allow_all
Only rules existing in IPA database are tested. They may be in enabled or
disabled disabled state.
Specifying them through --rules option explicitly enables them only in
simulation run.
Specifying non-existing rules will not grant access and report non-existing
rules in output.
207 lines
7.6 KiB
Python
207 lines
7.6 KiB
Python
# Authors:
|
|
# Pavel Zuna <pzuna@redhat.com>
|
|
# Alexander Bokovoy <abokovoy@redhat.com>
|
|
#
|
|
# Copyright (C) 2009-2011 Red Hat
|
|
# see file 'COPYING' for use and warranty information
|
|
#
|
|
# This program is free software; you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
"""
|
|
Test the `ipalib/plugins/hbactest.py` module.
|
|
"""
|
|
|
|
from xmlrpc_test import XMLRPC_test, assert_attr_equal
|
|
from ipalib import api
|
|
from ipalib import errors
|
|
from types import NoneType
|
|
|
|
# Test strategy:
|
|
# 1. Create few allow rules: with user categories, with explicit users, with user groups, with groups, with services
|
|
# 2. Create users for test
|
|
# 3. Run detailed and non-detailed tests for explicitly specified rules, check expected result
|
|
#
|
|
class test_hbactest(XMLRPC_test):
|
|
"""
|
|
Test the `hbactest` plugin.
|
|
"""
|
|
rule_names = [u'testing_rule1234_%d' % (d) for d in [1,2,3,4]]
|
|
rule_type = u'allow'
|
|
rule_service = u'ssh'
|
|
rule_descs = [u'description %d' % (d) for d in [1,2,3,4]]
|
|
|
|
test_user = u'hbacrule_test_user'
|
|
test_group = u'hbacrule_test_group'
|
|
test_host = u'hbacrule._test_host'
|
|
test_hostgroup = u'hbacrule_test_hostgroup'
|
|
test_sourcehost = u'hbacrule._test_src_host'
|
|
test_sourcehostgroup = u'hbacrule_test_src_hostgroup'
|
|
test_service = u'ssh'
|
|
|
|
def test_0_hbactest_addrules(self):
|
|
"""
|
|
Prepare data by adding test HBAC rules using `xmlrpc.hbacrule_add'.
|
|
"""
|
|
|
|
self.failsafe_add(api.Object.user,
|
|
self.test_user, givenname=u'first', sn=u'last'
|
|
)
|
|
self.failsafe_add(api.Object.group,
|
|
self.test_group, description=u'description'
|
|
)
|
|
self.failsafe_add(api.Object.host,
|
|
self.test_host, force=True
|
|
)
|
|
self.failsafe_add(api.Object.hostgroup,
|
|
self.test_hostgroup, description=u'description'
|
|
)
|
|
self.failsafe_add(api.Object.host,
|
|
self.test_sourcehost, force=True
|
|
)
|
|
self.failsafe_add(api.Object.hostgroup,
|
|
self.test_sourcehostgroup, description=u'desc'
|
|
)
|
|
self.failsafe_add(api.Object.hbacsvc,
|
|
self.test_service, description=u'desc', force=True
|
|
)
|
|
|
|
for i in [0,1,2,3]:
|
|
api.Command['hbacrule_add'](
|
|
self.rule_names[i], accessruletype=self.rule_type, description=self.rule_descs[i],
|
|
)
|
|
|
|
ret = api.Command['hbacrule_add_user'](
|
|
self.rule_names[i], user=self.test_user, group=self.test_group
|
|
)
|
|
|
|
ret = api.Command['hbacrule_add_host'](
|
|
self.rule_names[i], host=self.test_host, hostgroup=self.test_hostgroup
|
|
)
|
|
|
|
ret = api.Command['hbacrule_add_sourcehost'](
|
|
self.rule_names[i], host=self.test_sourcehost, hostgroup=self.test_sourcehostgroup
|
|
)
|
|
|
|
ret = api.Command['hbacrule_add_service'](
|
|
self.rule_names[i], hbacsvc=self.test_service
|
|
)
|
|
|
|
if i & 1:
|
|
ret = api.Command['hbacrule_disable'](self.rule_names[i])
|
|
|
|
def test_a_hbactest_check_rules_detail(self):
|
|
"""
|
|
Test 'ipa hbactest --rules' (explicit IPA rules, detailed output)
|
|
"""
|
|
ret = api.Command['hbactest'](
|
|
user=self.test_user,
|
|
sourcehost=self.test_sourcehost,
|
|
targethost=self.test_host,
|
|
service=self.test_service,
|
|
rules=self.rule_names
|
|
)
|
|
assert ret['value'] == True
|
|
assert type(ret['error']) == NoneType
|
|
for i in [0,1,2,3]:
|
|
assert self.rule_names[i] in ret['matched']
|
|
|
|
def test_b_hbactest_check_rules_nodetail(self):
|
|
"""
|
|
Test 'ipa hbactest --rules --nodetail' (explicit IPA rules, no detailed output)
|
|
"""
|
|
ret = api.Command['hbactest'](
|
|
user=self.test_user,
|
|
sourcehost=self.test_sourcehost,
|
|
targethost=self.test_host,
|
|
service=self.test_service,
|
|
rules=self.rule_names,
|
|
nodetail=True
|
|
)
|
|
assert ret['value'] == True
|
|
assert ret['error'] == None
|
|
assert ret['matched'] == None
|
|
assert ret['notmatched'] == None
|
|
|
|
def test_c_hbactest_check_rules_enabled_detail(self):
|
|
"""
|
|
Test 'ipa hbactest --enabled' (all enabled IPA rules, detailed output)
|
|
"""
|
|
ret = api.Command['hbactest'](
|
|
user=self.test_user,
|
|
sourcehost=self.test_sourcehost,
|
|
targethost=self.test_host,
|
|
service=self.test_service,
|
|
enabled=True
|
|
)
|
|
# --enabled will try to work with _all_ enabled rules in IPA database
|
|
# It means we could have matched something else (unlikely but possible)
|
|
# Thus, check that our two enabled rules are in matched, nothing more
|
|
for i in [0,2]:
|
|
assert self.rule_names[i] in ret['matched']
|
|
|
|
def test_d_hbactest_check_rules_disabled_detail(self):
|
|
"""
|
|
Test 'ipa hbactest --disabled' (all disabled IPA rules, detailed output)
|
|
"""
|
|
ret = api.Command['hbactest'](
|
|
user=self.test_user,
|
|
sourcehost=self.test_sourcehost,
|
|
targethost=self.test_host,
|
|
service=self.test_service,
|
|
disabled=True
|
|
)
|
|
# --disabled will try to work with _all_ disabled rules in IPA database
|
|
# It means we could have matched something else (unlikely but possible)
|
|
# Thus, check that our two disabled rules are in matched, nothing more
|
|
for i in [1,3]:
|
|
assert self.rule_names[i] in ret['matched']
|
|
|
|
def test_e_hbactest_check_non_existing_rule_detail(self):
|
|
"""
|
|
Test running 'ipa hbactest' with non-existing rule in --rules
|
|
"""
|
|
ret = api.Command['hbactest'](
|
|
user=self.test_user,
|
|
sourcehost=self.test_sourcehost,
|
|
targethost=self.test_host,
|
|
service=self.test_service,
|
|
rules=[u'%s_1x1' % (rule) for rule in self.rule_names],
|
|
nodetail=True
|
|
)
|
|
|
|
assert ret['value'] == False
|
|
assert ret['matched'] == None
|
|
assert ret['notmatched'] == None
|
|
for rule in self.rule_names:
|
|
assert u'%s_1x1' % (rule) in ret['error']
|
|
|
|
def test_f_hbactest_clear_testing_data(self):
|
|
"""
|
|
Clear data for HBAC test plugin testing.
|
|
"""
|
|
for i in [0,1,2,3]:
|
|
api.Command['hbacrule_remove_host'](self.rule_names[i], host=self.test_host)
|
|
api.Command['hbacrule_remove_host'](self.rule_names[i], hostgroup=self.test_hostgroup)
|
|
api.Command['hbacrule_remove_sourcehost'](self.rule_names[i], host=self.test_sourcehost)
|
|
api.Command['hbacrule_remove_sourcehost'](self.rule_names[i], hostgroup=self.test_sourcehostgroup)
|
|
api.Command['hbacrule_del'](self.rule_names[i])
|
|
|
|
api.Command['user_del'](self.test_user)
|
|
api.Command['group_del'](self.test_group)
|
|
api.Command['host_del'](self.test_host)
|
|
api.Command['hostgroup_del'](self.test_hostgroup)
|
|
api.Command['host_del'](self.test_sourcehost)
|
|
api.Command['hostgroup_del'](self.test_sourcehostgroup)
|
|
api.Command['hbacsvc_del'](self.test_service)
|
|
|