author | Alexander Bokovoy <abokovoy@redhat.com> | 2011-07-22 16:30:44 +0300 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2011-07-28 18:01:44 -0400 |
commit | dd296eec13e3b436b0c608fdddd53089ed5c78e5 (patch) | |
tree | 5e8a1fafd5691ce7b8dcba9e145590f289ac283a /tests | |
parent | 442973edc5bffc1e215c22327369f66df7aeec08 (diff) | |
Add hbactest command. https://fedorahosted.org/freeipa/ticket/386
HBAC rules control who can access what services on what hosts and from where.
You can use HBAC to control which users or groups on a source host can
access a service, or group of services, on a target host.
Since applying HBAC rules implies use of a production environment,
this plugin aims to provide simulation of HBAC rules evaluation without
having access to the production environment.
Test user coming from source host to a service on a named host against
existing enabled rules.
ipa hbactest --user= --srchost= --host= --service=
[--rules=rules-list] [--nodetail] [--enabled] [--disabled]
--user, --srchost, --host, and --service are mandatory, others are optional.
If --rules is specified simulate enabling of the specified rules and test
the login of the user using only these rules.
If --enabled is specified, all enabled HBAC rules will be added to simulation
If --disabled is specified, all disabled HBAC rules will be added to simulation
If --nodetail is specified, do not return information about rules matched/not matched.
If both --rules and --enabled are specified, apply simulation to --rules _and_
all IPA enabled rules.
If no --rules specified, simulation is run against all IPA enabled rules.
EXAMPLES:
1. Use all enabled HBAC rules in IPA database to simulate:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh
--------------------
Access granted: True
--------------------
notmatched: my-second-rule
notmatched: my-third-rule
notmatched: myrule
matched: allow_all
2. Disable detailed summary of how rules were applied:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --nodetail
--------------------
Access granted: True
--------------------
3. Test explicitly specified HBAC rules:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule
---------------------
Access granted: False
---------------------
notmatched: my-second-rule
notmatched: myrule
4. Use all enabled HBAC rules in IPA database + explicitly specified rules:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --enabled
--------------------
Access granted: True
--------------------
notmatched: my-second-rule
notmatched: my-third-rule
notmatched: myrule
matched: allow_all
5. Test all disabled HBAC rules in IPA database:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --disabled
---------------------
Access granted: False
---------------------
notmatched: new-rule
6. Test all disabled HBAC rules in IPA database + explicitly specified rules:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --disabled
---------------------
Access granted: False
---------------------
notmatched: my-second-rule
notmatched: my-third-rule
notmatched: myrule
7. Test all (enabled and disabled) HBAC rules in IPA database:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --enabled --disabled
--------------------
Access granted: True
--------------------
notmatched: my-second-rule
notmatched: my-third-rule
notmatched: myrule
notmatched: new-rule
matched: allow_all
Only rules existing in IPA database are tested. They may be in either enabled or
disabled state.
Specifying them through --rules option explicitly enables them only in
simulation run.
Specifying non-existing rules will not grant access and report non-existing
rules in output.
Diffstat (limited to 'tests')
-rw-r--r-- | tests/test_xmlrpc/test_hbactest_plugin.py | 206 |
1 files changed, 206 insertions, 0 deletions
diff --git a/tests/test_xmlrpc/test_hbactest_plugin.py b/tests/test_xmlrpc/test_hbactest_plugin.py
new file mode 100644
index 000000000..37e3ad80a
--- /dev/null
+++ b/tests/test_xmlrpc/test_hbactest_plugin.py
@@ -0,0 +1,206 @@
+# Authors:
+# Pavel Zuna <pzuna@redhat.com>
+# Alexander Bokovoy <abokovoy@redhat.com>
+#
+# Copyright (C) 2009-2011 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+"""
+Test the `ipalib/plugins/hbactest.py` module.
+"""
+
+from xmlrpc_test import XMLRPC_test, assert_attr_equal
+from ipalib import api
+from ipalib import errors
+from types import NoneType
+
+# Test strategy:
+# 1. Create few allow rules: with user categories, with explicit users, with user groups, with groups, with services
+# 2. Create users for test
+# 3. Run detailed and non-detailed tests for explicitly specified rules, check expected result
+#
+class test_hbactest(XMLRPC_test):
+ """
+ Test the `hbactest` plugin.
+ """
+ rule_names = [u'testing_rule1234_%d' % (d) for d in [1,2,3,4]]
+ rule_type = u'allow'
+ rule_service = u'ssh'
+ rule_descs = [u'description %d' % (d) for d in [1,2,3,4]]
+
+ test_user = u'hbacrule_test_user'
+ test_group = u'hbacrule_test_group'
+ test_host = u'hbacrule._test_host'
+ test_hostgroup = u'hbacrule_test_hostgroup'
+ test_sourcehost = u'hbacrule._test_src_host'
+ test_sourcehostgroup = u'hbacrule_test_src_hostgroup'
+ test_service = u'ssh'
+
+ def test_0_hbactest_addrules(self):
+ """
+ Prepare data by adding test HBAC rules using `xmlrpc.hbacrule_add'.
+ """
+
+ self.failsafe_add(api.Object.user,
+ self.test_user, givenname=u'first', sn=u'last'
+ )
+ self.failsafe_add(api.Object.group,
+ self.test_group, description=u'description'
+ )
+ self.failsafe_add(api.Object.host,
+ self.test_host, force=True
+ )
+ self.failsafe_add(api.Object.hostgroup,
+ self.test_hostgroup, description=u'description'
+ )
+ self.failsafe_add(api.Object.host,
+ self.test_sourcehost, force=True
+ )
+ self.failsafe_add(api.Object.hostgroup,
+ self.test_sourcehostgroup, description=u'desc'
+ )
+ self.failsafe_add(api.Object.hbacsvc,
+ self.test_service, description=u'desc', force=True
+ )
+
+ for i in [0,1,2,3]:
+ api.Command['hbacrule_add'](
+ self.rule_names[i], accessruletype=self.rule_type, description=self.rule_descs[i],
+ )
+
+ ret = api.Command['hbacrule_add_user'](
+ self.rule_names[i], user=self.test_user, group=self.test_group
+ )
+
+ ret = api.Command['hbacrule_add_host'](
+ self.rule_names[i], host=self.test_host, hostgroup=self.test_hostgroup
+ )
+
+ ret = api.Command['hbacrule_add_sourcehost'](
+ self.rule_names[i], host=self.test_sourcehost, hostgroup=self.test_sourcehostgroup
+ )
+
+ ret = api.Command['hbacrule_add_service'](
+ self.rule_names[i], hbacsvc=self.test_service
+ )
+
+ if i & 1:
+ ret = api.Command['hbacrule_disable'](self.rule_names[i])
+
+ def test_a_hbactest_check_rules_detail(self):
+ """
+ Test 'ipa hbactest --rules' (explicit IPA rules, detailed output)
+ """
+ ret = api.Command['hbactest'](
+ user=self.test_user,
+ sourcehost=self.test_sourcehost,
+ targethost=self.test_host,
+ service=self.test_service,
+ rules=self.rule_names
+ )
+ assert ret['value'] == True
+ assert type(ret['error']) == NoneType
+ for i in [0,1,2,3]:
+ assert self.rule_names[i] in ret['matched']
+
+ def test_b_hbactest_check_rules_nodetail(self):
+ """
+ Test 'ipa hbactest --rules --nodetail' (explicit IPA rules, no detailed output)
+ """
+ ret = api.Command['hbactest'](
+ user=self.test_user,
+ sourcehost=self.test_sourcehost,
+ targethost=self.test_host,
+ service=self.test_service,
+ rules=self.rule_names,
+ nodetail=True
+ )
+ assert ret['value'] == True
+ assert ret['error'] == None
+ assert ret['matched'] == None
+ assert ret['notmatched'] == None
+
+ def test_c_hbactest_check_rules_enabled_detail(self):
+ """
+ Test 'ipa hbactest --enabled' (all enabled IPA rules, detailed output)
+ """
+ ret = api.Command['hbactest'](
+ user=self.test_user,
+ sourcehost=self.test_sourcehost,
+ targethost=self.test_host,
+ service=self.test_service,
+ enabled=True
+ )
+ # --enabled will try to work with _all_ enabled rules in IPA database
+ # It means we could have matched something else (unlikely but possible)
+ # Thus, check that our two enabled rules are in matched, nothing more
+ for i in [0,2]:
+ assert self.rule_names[i] in ret['matched']
+
+ def test_d_hbactest_check_rules_disabled_detail(self):
+ """
+ Test 'ipa hbactest --disabled' (all disabled IPA rules, detailed output)
+ """
+ ret = api.Command['hbactest'](
+ user=self.test_user,
+ sourcehost=self.test_sourcehost,
+ targethost=self.test_host,
+ service=self.test_service,
+ disabled=True
+ )
+ # --disabled will try to work with _all_ disabled rules in IPA database
+ # It means we could have matched something else (unlikely but possible)
+ # Thus, check that our two disabled rules are in matched, nothing more
+ for i in [1,3]:
+ assert self.rule_names[i] in ret['matched']
+
+ def test_e_hbactest_check_non_existing_rule_detail(self):
+ """
+ Test running 'ipa hbactest' with non-existing rule in --rules
+ """
+ ret = api.Command['hbactest'](
+ user=self.test_user,
+ sourcehost=self.test_sourcehost,
+ targethost=self.test_host,
+ service=self.test_service,
+ rules=[u'%s_1x1' % (rule) for rule in self.rule_names],
+ nodetail=True
+ )
+
+ assert ret['value'] == False
+ assert ret['matched'] == None
+ assert ret['notmatched'] == None
+ for rule in self.rule_names:
+ assert u'%s_1x1' % (rule) in ret['error']
+
+ def test_f_hbactest_clear_testing_data(self):
+ """
+ Clear data for HBAC test plugin testing.
+ """
+ for i in [0,1,2,3]:
+ api.Command['hbacrule_remove_host'](self.rule_names[i], host=self.test_host)
+ api.Command['hbacrule_remove_host'](self.rule_names[i], hostgroup=self.test_hostgroup)
+ api.Command['hbacrule_remove_sourcehost'](self.rule_names[i], host=self.test_sourcehost)
+ api.Command['hbacrule_remove_sourcehost'](self.rule_names[i], hostgroup=self.test_sourcehostgroup)
+ api.Command['hbacrule_del'](self.rule_names[i])
+
+ api.Command['user_del'](self.test_user)
+ api.Command['group_del'](self.test_group)
+ api.Command['host_del'](self.test_host)
+ api.Command['hostgroup_del'](self.test_hostgroup)
+ api.Command['host_del'](self.test_sourcehost)
+ api.Command['hostgroup_del'](self.test_sourcehostgroup)
+ api.Command['hbacsvc_del'](self.test_service)
+ |
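Review bot: test_c_hbactest_check_rules_enabled_detail and test_d_hbactest_check_rules_disabled_detail only assert that the expected rules appear in `ret['matched']`, so a simulator that wrongly pulls disabled rules into an `--enabled` run (or enabled ones into `--disabled`) would still pass, which is exactly the failure an HBAC dry-run tool must not have; the comments even say "nothing more" but no assertion backs that. Add the negative checks, e.g. in test_c `for i in [1,3]: assert self.rule_names[i] not in ret['matched']` and the mirror `for i in [0,2]: assert self.rule_names[i] not in ret['matched']` in test_d, and assert `ret['value'] == True` in both since the test's own rules match for this user/host/service. In test_a, `assert type(ret['error']) == NoneType` is better written `assert ret['error'] is None`, consistent with test_b, after which the `NoneType` import is unused. Because test_f is the only cleanup, any earlier assertion failure leaves enabled allow-rules for hbacrule_test_user in the directory; if XMLRPC_test offers a teardown hook (the base class is not visible here), the deletions belong there so a failing run cannot leave live access rules behind.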