From dd296eec13e3b436b0c608fdddd53089ed5c78e5 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Fri, 22 Jul 2011 16:30:44 +0300 Subject: Add hbactest command. https://fedorahosted.org/freeipa/ticket/386 HBAC rules control who can access what services on what hosts and from where. You can use HBAC to control which users or groups on a source host can access a service, or group of services, on a target host. Since applying HBAC rules implies use of a production environment, this plugin aims to provide simulation of HBAC rules evaluation without having access to the production environment. Test user coming from source host to a service on a named host against existing enabled rules. ipa hbactest --user= --srchost= --host= --service= [--rules=rules-list] [--nodetail] [--enabled] [--disabled] --user, --srchost, --host, and --service are mandatory, others are optional. If --rules is specified simulate enabling of the specified rules and test the login of the user using only these rules. If --enabled is specified, all enabled HBAC rules will be added to simulation If --disabled is specified, all disabled HBAC rules will be added to simulation If --nodetail is specified, do not return information about rules matched/not matched. If both --rules and --enabled are specified, apply simulation to --rules _and_ all IPA enabled rules. If no --rules specified, simulation is run against all IPA enabled rules. EXAMPLES: 1. Use all enabled HBAC rules in IPA database to simulate: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule matched: allow_all 2. Disable detailed summary of how rules were applied: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --nodetail -------------------- Access granted: True -------------------- 3. Test explicitly specified HBAC rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --------------------- Access granted: False --------------------- notmatched: my-second-rule notmatched: myrule 4. Use all enabled HBAC rules in IPA database + explicitly specified rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --enabled -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule matched: allow_all 5. Test all disabled HBAC rules in IPA database: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --disabled --------------------- Access granted: False --------------------- notmatched: new-rule 6. Test all disabled HBAC rules in IPA database + explicitly specified rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --disabled --------------------- Access granted: False --------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule 7. Test all (enabled and disabled) HBAC rules in IPA database: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --enabled --disabled -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule notmatched: new-rule matched: allow_all Only rules existing in IPA database are tested. They may be in enabled or disabled disabled state. Specifying them through --rules option explicitly enables them only in simulation run. Specifying non-existing rules will not grant access and report non-existing rules in output. --- tests/test_xmlrpc/test_hbactest_plugin.py | 206 ++++++++++++++++++++++++++++++ 1 file changed, 206 insertions(+) create mode 100644 tests/test_xmlrpc/test_hbactest_plugin.py (limited to 'tests') diff --git a/tests/test_xmlrpc/test_hbactest_plugin.py b/tests/test_xmlrpc/test_hbactest_plugin.py new file mode 100644 index 000000000..37e3ad80a --- /dev/null +++ b/tests/test_xmlrpc/test_hbactest_plugin.py @@ -0,0 +1,206 @@ +# Authors: +# Pavel Zuna +# Alexander Bokovoy +# +# Copyright (C) 2009-2011 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +""" +Test the `ipalib/plugins/hbactest.py` module. +""" + +from xmlrpc_test import XMLRPC_test, assert_attr_equal +from ipalib import api +from ipalib import errors +from types import NoneType + +# Test strategy: +# 1. Create few allow rules: with user categories, with explicit users, with user groups, with groups, with services +# 2. Create users for test +# 3. Run detailed and non-detailed tests for explicitly specified rules, check expected result +# +class test_hbactest(XMLRPC_test): + """ + Test the `hbactest` plugin. + """ + rule_names = [u'testing_rule1234_%d' % (d) for d in [1,2,3,4]] + rule_type = u'allow' + rule_service = u'ssh' + rule_descs = [u'description %d' % (d) for d in [1,2,3,4]] + + test_user = u'hbacrule_test_user' + test_group = u'hbacrule_test_group' + test_host = u'hbacrule._test_host' + test_hostgroup = u'hbacrule_test_hostgroup' + test_sourcehost = u'hbacrule._test_src_host' + test_sourcehostgroup = u'hbacrule_test_src_hostgroup' + test_service = u'ssh' + + def test_0_hbactest_addrules(self): + """ + Prepare data by adding test HBAC rules using `xmlrpc.hbacrule_add'. + """ + + self.failsafe_add(api.Object.user, + self.test_user, givenname=u'first', sn=u'last' + ) + self.failsafe_add(api.Object.group, + self.test_group, description=u'description' + ) + self.failsafe_add(api.Object.host, + self.test_host, force=True + ) + self.failsafe_add(api.Object.hostgroup, + self.test_hostgroup, description=u'description' + ) + self.failsafe_add(api.Object.host, + self.test_sourcehost, force=True + ) + self.failsafe_add(api.Object.hostgroup, + self.test_sourcehostgroup, description=u'desc' + ) + self.failsafe_add(api.Object.hbacsvc, + self.test_service, description=u'desc', force=True + ) + + for i in [0,1,2,3]: + api.Command['hbacrule_add']( + self.rule_names[i], accessruletype=self.rule_type, description=self.rule_descs[i], + ) + + ret = api.Command['hbacrule_add_user']( + self.rule_names[i], user=self.test_user, group=self.test_group + ) + + ret = api.Command['hbacrule_add_host']( + self.rule_names[i], host=self.test_host, hostgroup=self.test_hostgroup + ) + + ret = api.Command['hbacrule_add_sourcehost']( + self.rule_names[i], host=self.test_sourcehost, hostgroup=self.test_sourcehostgroup + ) + + ret = api.Command['hbacrule_add_service']( + self.rule_names[i], hbacsvc=self.test_service + ) + + if i & 1: + ret = api.Command['hbacrule_disable'](self.rule_names[i]) + + def test_a_hbactest_check_rules_detail(self): + """ + Test 'ipa hbactest --rules' (explicit IPA rules, detailed output) + """ + ret = api.Command['hbactest']( + user=self.test_user, + sourcehost=self.test_sourcehost, + targethost=self.test_host, + service=self.test_service, + rules=self.rule_names + ) + assert ret['value'] == True + assert type(ret['error']) == NoneType + for i in [0,1,2,3]: + assert self.rule_names[i] in ret['matched'] + + def test_b_hbactest_check_rules_nodetail(self): + """ + Test 'ipa hbactest --rules --nodetail' (explicit IPA rules, no detailed output) + """ + ret = api.Command['hbactest']( + user=self.test_user, + sourcehost=self.test_sourcehost, + targethost=self.test_host, + service=self.test_service, + rules=self.rule_names, + nodetail=True + ) + assert ret['value'] == True + assert ret['error'] == None + assert ret['matched'] == None + assert ret['notmatched'] == None + + def test_c_hbactest_check_rules_enabled_detail(self): + """ + Test 'ipa hbactest --enabled' (all enabled IPA rules, detailed output) + """ + ret = api.Command['hbactest']( + user=self.test_user, + sourcehost=self.test_sourcehost, + targethost=self.test_host, + service=self.test_service, + enabled=True + ) + # --enabled will try to work with _all_ enabled rules in IPA database + # It means we could have matched something else (unlikely but possible) + # Thus, check that our two enabled rules are in matched, nothing more + for i in [0,2]: + assert self.rule_names[i] in ret['matched'] + + def test_d_hbactest_check_rules_disabled_detail(self): + """ + Test 'ipa hbactest --disabled' (all disabled IPA rules, detailed output) + """ + ret = api.Command['hbactest']( + user=self.test_user, + sourcehost=self.test_sourcehost, + targethost=self.test_host, + service=self.test_service, + disabled=True + ) + # --disabled will try to work with _all_ disabled rules in IPA database + # It means we could have matched something else (unlikely but possible) + # Thus, check that our two disabled rules are in matched, nothing more + for i in [1,3]: + assert self.rule_names[i] in ret['matched'] + + def test_e_hbactest_check_non_existing_rule_detail(self): + """ + Test running 'ipa hbactest' with non-existing rule in --rules + """ + ret = api.Command['hbactest']( + user=self.test_user, + sourcehost=self.test_sourcehost, + targethost=self.test_host, + service=self.test_service, + rules=[u'%s_1x1' % (rule) for rule in self.rule_names], + nodetail=True + ) + + assert ret['value'] == False + assert ret['matched'] == None + assert ret['notmatched'] == None + for rule in self.rule_names: + assert u'%s_1x1' % (rule) in ret['error'] + + def test_f_hbactest_clear_testing_data(self): + """ + Clear data for HBAC test plugin testing. + """ + for i in [0,1,2,3]: + api.Command['hbacrule_remove_host'](self.rule_names[i], host=self.test_host) + api.Command['hbacrule_remove_host'](self.rule_names[i], hostgroup=self.test_hostgroup) + api.Command['hbacrule_remove_sourcehost'](self.rule_names[i], host=self.test_sourcehost) + api.Command['hbacrule_remove_sourcehost'](self.rule_names[i], hostgroup=self.test_sourcehostgroup) + api.Command['hbacrule_del'](self.rule_names[i]) + + api.Command['user_del'](self.test_user) + api.Command['group_del'](self.test_group) + api.Command['host_del'](self.test_host) + api.Command['hostgroup_del'](self.test_hostgroup) + api.Command['host_del'](self.test_sourcehost) + api.Command['hostgroup_del'](self.test_sourcehostgroup) + api.Command['hbacsvc_del'](self.test_service) + -- cgit