Configure a KDC, add test for GSSAPI/Kerberos

Using nss_wrappers so we can control host names we can setup a KDC and test GSSAPI, including fallback to forms-based auth. This also means that fetch_page() needs to handle 401 a bit better, so it can re-try a failed authentication or fall back to forms-based auth. Note for posterity: if gss_localname() fails this is likely due to using the wrong krb5.conf in Apache, so pass in all environment variables. The KDC setup code was based heavily on the tests in the gssproxy project. https://fedorahosted.org/ipsilon/ticket/116 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
author: Rob Crittenden <rcritten@redhat.com> 2015-04-28 10:52:55 -0400
committer: Simo Sorce <simo@redhat.com> 2015-05-07 10:44:45 -0400
commit: b34a4553cf8c60453fbef245d7d844a30339c734 (patch)
tree: 8125ac3a49605a61ee9d5e16896af1a96e41820d /tests/testgssapi.py
parent: aa5dc3b417db962a075a092d0d3528010c1059f7 (diff)
download: ipsilon-b34a4553cf8c60453fbef245d7d844a30339c734.tar.gz
ipsilon-b34a4553cf8c60453fbef245d7d844a30339c734.tar.xz
ipsilon-b34a4553cf8c60453fbef245d7d844a30339c734.zip
1 files changed, 192 insertions, 0 deletions
diff --git a/tests/testgssapi.py b/tests/testgssapi.py
new file mode 100755
index 0000000..ce0a14f
--- /dev/null
+++ b/tests/testgssapi.py
@@ -0,0 +1,192 @@
+#!/usr/bin/python
+# Copyright (C) 2015 Ipsilon Project Contributors
+
+
+from helpers.common import IpsilonTestBase  # pylint: disable=relative-import
+from helpers.common import WRAP_HOSTNAME  # pylint: disable=relative-import
+from helpers.http import HttpSessions  # pylint: disable=relative-import
+import os
+import pwd
+import sys
+from string import Template
+
+idp_g = {'TEMPLATES': '${TESTDIR}/templates/install',
+         'CONFDIR': '${TESTDIR}/etc',
+         'DATADIR': '${TESTDIR}/lib',
+         'HTTPDCONFD': '${TESTDIR}/${NAME}/conf.d',
+         'STATICDIR': '${ROOTDIR}',
+         'BINDIR': '${ROOTDIR}/ipsilon',
+         'WSGI_SOCKET_PREFIX': '${TESTDIR}/${NAME}/logs/wsgi'}
+
+
+idp_a = {'hostname': '${ADDRESS}:${PORT}',
+         'admin_user': '${TEST_USER}',
+         'system_user': '${TEST_USER}',
+         'instance': '${NAME}',
+         'secure': 'no',
+         'testauth': 'yes',
+         'pam': 'no',
+         'gssapi': 'yes',
+         'ipa': 'no',
+         'gssapi_httpd_keytab': '${TESTDIR}/${HTTP_KTNAME}',
+         'server_debugging': 'True'}
+
+
+sp_g = {'HTTPDCONFD': '${TESTDIR}/${NAME}/conf.d',
+        'SAML2_TEMPLATE': '${TESTDIR}/templates/install/saml2/sp.conf',
+        'SAML2_CONFFILE': '${TESTDIR}/${NAME}/conf.d/ipsilon-saml.conf',
+        'SAML2_HTTPDIR': '${TESTDIR}/${NAME}/saml2'}
+
+
+sp_a = {'hostname': '${ADDRESS}:${PORT}',
+        'saml_idp_metadata':
+            'http://%s:45080/idp1/saml2/metadata' % WRAP_HOSTNAME,
+        'saml_secure_setup': 'False',
+        'saml_auth': '/sp',
+        'httpd_user': '${TEST_USER}'}
+
+sp2_g = {'HTTPDCONFD': '${TESTDIR}/${NAME}/conf.d',
+         'SAML2_TEMPLATE': '${TESTDIR}/templates/install/saml2/sp.conf',
+         'SAML2_CONFFILE': '${TESTDIR}/${NAME}/conf.d/ipsilon-saml.conf',
+         'SAML2_HTTPDIR': '${TESTDIR}/${NAME}/saml2'}
+
+sp2_a = {'hostname': '${ADDRESS}:${PORT}',
+         'saml_idp_url': 'http://idp.ipsilon.dev:45080/idp1',
+         'admin_user': '${TEST_USER}',
+         'admin_password': '${TESTDIR}/pw.txt',
+         'saml_sp_name': 'sp2',
+         'saml_secure_setup': 'False',
+         'saml_auth': '/sp',
+         'httpd_user': '${TEST_USER}'}
+
+
+def fixup_sp_httpd(httpdir):
+    location = """
+
+Alias /sp ${HTTPDIR}/sp
+
+<Directory ${HTTPDIR}/sp>
+    Require all granted
+</Directory>
+"""
+    index = """WORKS!"""
+
+    t = Template(location)
+    text = t.substitute({'HTTPDIR': httpdir})
+    with open(httpdir + '/conf.d/ipsilon-saml.conf', 'a') as f:
+        f.write(text)
+
+    os.mkdir(httpdir + '/sp')
+    with open(httpdir + '/sp/index.html', 'w') as f:
+        f.write(index)
+
+
+class IpsilonTest(IpsilonTestBase):
+
+    def __init__(self):
+        super(IpsilonTest, self).__init__('testgssapi', __file__)
+
+    def setup_servers(self, env=None):
+        os.mkdir("%s/ccaches" % self.testdir)
+
+        print "Installing KDC server"
+        kdcenv = self.setup_kdc(env)
+
+        print "Creating principals and keytabs"
+        self.setup_keys(kdcenv)
+
+        print "Getting a TGT"
+        self.kinit_keytab(kdcenv)
+
+        print "Installing IDP server"
+        name = 'idp1'
+        addr = 'idp.ipsilon.dev'
+        port = '45080'
+        env.update(kdcenv)
+        idp = self.generate_profile(idp_g, idp_a, name, addr, port)
+        conf = self.setup_idp_server(idp, name, addr, port, env)
+
+        print "Starting IDP's httpd server"
+        self.start_http_server(conf, env)
+
+        print "Installing first SP server"
+        name = 'sp1'
+        addr = '127.0.0.11'
+        port = '45081'
+        sp = self.generate_profile(sp_g, sp_a, name, addr, port)
+        conf = self.setup_sp_server(sp, name, addr, port, env)
+        fixup_sp_httpd(os.path.dirname(conf))
+
+        print "Starting first SP's httpd server"
+        self.start_http_server(conf, env)
+
+        print "Installing second SP server"
+        name = 'sp2'
+        addr = '127.0.0.11'
+        port = '45082'
+        sp = self.generate_profile(sp2_g, sp2_a, name, addr, port)
+        with open(os.path.dirname(sp) + '/pw.txt', 'a') as f:
+            f.write('ipsilon')
+        conf = self.setup_sp_server(sp, name, addr, port, env)
+        os.remove(os.path.dirname(sp) + '/pw.txt')
+        fixup_sp_httpd(os.path.dirname(conf))
+
+        print "Starting second SP's httpd server"
+        self.start_http_server(conf, env)
+
+if __name__ == '__main__':
+
+    idpname = 'idp1'
+    sp1name = 'sp1'
+    sp2name = 'sp2'
+    user = pwd.getpwuid(os.getuid())[0]
+
+    testdir = os.environ['TESTDIR']
+
+    krb5conf = os.path.join(testdir, 'krb5.conf')
+    kenv = {'PATH': '/sbin:/bin:/usr/sbin:/usr/bin',
+            'KRB5_CONFIG': krb5conf,
+            'KRB5CCNAME': 'FILE:' + os.path.join(testdir, 'ccaches/user')}
+
+    for key in kenv:
+        os.environ[key] = kenv[key]
+
+    sess = HttpSessions()
+    sess.add_server(idpname, 'http://%s:45080' % WRAP_HOSTNAME, user,
+                    'ipsilon')
+    sess.add_server(sp1name, 'http://127.0.0.11:45081')
+    sess.add_server(sp2name, 'http://127.0.0.11:45082')
+
+    print "testgssapi: Authenticate to IDP ...",
+    try:
+        sess.auth_to_idp(idpname, krb=True)
+    except Exception, e:  # pylint: disable=broad-except
+        print >> sys.stderr, " ERROR: %s" % repr(e)
+        sys.exit(1)
+    print " SUCCESS"
+
+    print "testgssapi: Add first SP Metadata to IDP ...",
+    try:
+        sess.add_sp_metadata(idpname, sp1name)
+    except Exception, e:  # pylint: disable=broad-except
+        print >> sys.stderr, " ERROR: %s" % repr(e)
+        sys.exit(1)
+    print " SUCCESS"
+
+    print "testgssapi: Access first SP Protected Area ...",
+    try:
+        page = sess.fetch_page(idpname, 'http://127.0.0.11:45081/sp/')
+        page.expected_value('text()', 'WORKS!')
+    except ValueError, e:
+        print >> sys.stderr, " ERROR: %s" % repr(e)
+        sys.exit(1)
+    print " SUCCESS"
+
+    print "testgssapi: Access second SP Protected Area ...",
+    try:
+        page = sess.fetch_page(idpname, 'http://127.0.0.11:45082/sp/')
+        page.expected_value('text()', 'WORKS!')
+    except ValueError, e:
+        print >> sys.stderr, " ERROR: %s" % repr(e)
+        sys.exit(1)
+    print " SUCCESS"
author	Rob Crittenden <rcritten@redhat.com>	2015-04-28 10:52:55 -0400
committer	Simo Sorce <simo@redhat.com>	2015-05-07 10:44:45 -0400
commit	b34a4553cf8c60453fbef245d7d844a30339c734 (patch)
tree	8125ac3a49605a61ee9d5e16896af1a96e41820d /tests/testgssapi.py
parent	aa5dc3b417db962a075a092d0d3528010c1059f7 (diff)
download	ipsilon-b34a4553cf8c60453fbef245d7d844a30339c734.tar.gz ipsilon-b34a4553cf8c60453fbef245d7d844a30339c734.tar.xz ipsilon-b34a4553cf8c60453fbef245d7d844a30339c734.zip