diff options
| author | Rob Crittenden <rcritten@redhat.com> | 2015-04-28 10:52:55 -0400 |
|---|---|---|
| committer | Rob Crittenden <rcritten@redhat.com> | 2015-05-06 16:00:24 -0400 |
| commit | 9cbeccde3151029d70bedb0579482e10a5cbab7b (patch) | |
| tree | 4fcf1cdbda21c7d173405240f5e4a1e9b6e467e1 /tests/testgssapi.py | |
| parent | e6a3656ab71faea8669af50ceeaf4d9a91fe0142 (diff) | |
| download | ipsilon.git-9cbeccde3151029d70bedb0579482e10a5cbab7b.tar.gz ipsilon.git-9cbeccde3151029d70bedb0579482e10a5cbab7b.tar.xz ipsilon.git-9cbeccde3151029d70bedb0579482e10a5cbab7b.zip | |
Configure a KDC, add test for GSSAPI/Kerberos
Using nss_wrappers so we can control host names we can
setup a KDC and test GSSAPI, including fallback to
forms-based auth.
This also means that fetch_page() needs to handle 401
a bit better, so it can re-try a failed authentication or
fall back to forms-based auth.
Note for posterity: if gss_localname() fails this is likely
due to using the wrong krb5.conf in Apache, so pass in all
environment variables.
The KDC setup code was based heavily on the tests in the
gssproxy project.
https://fedorahosted.org/ipsilon/ticket/116
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Diffstat (limited to 'tests/testgssapi.py')
| -rwxr-xr-x | tests/testgssapi.py | 192 |
1 files changed, 192 insertions, 0 deletions
diff --git a/tests/testgssapi.py b/tests/testgssapi.py new file mode 100755 index 0000000..ce0a14f --- /dev/null +++ b/tests/testgssapi.py @@ -0,0 +1,192 @@ +#!/usr/bin/python +# Copyright (C) 2015 Ipsilon Project Contributors + + +from helpers.common import IpsilonTestBase # pylint: disable=relative-import +from helpers.common import WRAP_HOSTNAME # pylint: disable=relative-import +from helpers.http import HttpSessions # pylint: disable=relative-import +import os +import pwd +import sys +from string import Template + +idp_g = {'TEMPLATES': '${TESTDIR}/templates/install', + 'CONFDIR': '${TESTDIR}/etc', + 'DATADIR': '${TESTDIR}/lib', + 'HTTPDCONFD': '${TESTDIR}/${NAME}/conf.d', + 'STATICDIR': '${ROOTDIR}', + 'BINDIR': '${ROOTDIR}/ipsilon', + 'WSGI_SOCKET_PREFIX': '${TESTDIR}/${NAME}/logs/wsgi'} + + +idp_a = {'hostname': '${ADDRESS}:${PORT}', + 'admin_user': '${TEST_USER}', + 'system_user': '${TEST_USER}', + 'instance': '${NAME}', + 'secure': 'no', + 'testauth': 'yes', + 'pam': 'no', + 'gssapi': 'yes', + 'ipa': 'no', + 'gssapi_httpd_keytab': '${TESTDIR}/${HTTP_KTNAME}', + 'server_debugging': 'True'} + + +sp_g = {'HTTPDCONFD': '${TESTDIR}/${NAME}/conf.d', + 'SAML2_TEMPLATE': '${TESTDIR}/templates/install/saml2/sp.conf', + 'SAML2_CONFFILE': '${TESTDIR}/${NAME}/conf.d/ipsilon-saml.conf', + 'SAML2_HTTPDIR': '${TESTDIR}/${NAME}/saml2'} + + +sp_a = {'hostname': '${ADDRESS}:${PORT}', + 'saml_idp_metadata': + 'http://%s:45080/idp1/saml2/metadata' % WRAP_HOSTNAME, + 'saml_secure_setup': 'False', + 'saml_auth': '/sp', + 'httpd_user': '${TEST_USER}'} + +sp2_g = {'HTTPDCONFD': '${TESTDIR}/${NAME}/conf.d', + 'SAML2_TEMPLATE': '${TESTDIR}/templates/install/saml2/sp.conf', + 'SAML2_CONFFILE': '${TESTDIR}/${NAME}/conf.d/ipsilon-saml.conf', + 'SAML2_HTTPDIR': '${TESTDIR}/${NAME}/saml2'} + +sp2_a = {'hostname': '${ADDRESS}:${PORT}', + 'saml_idp_url': 'http://idp.ipsilon.dev:45080/idp1', + 'admin_user': '${TEST_USER}', + 'admin_password': '${TESTDIR}/pw.txt', + 'saml_sp_name': 'sp2', + 'saml_secure_setup': 'False', + 'saml_auth': '/sp', + 'httpd_user': '${TEST_USER}'} + + +def fixup_sp_httpd(httpdir): + location = """ + +Alias /sp ${HTTPDIR}/sp + +<Directory ${HTTPDIR}/sp> + Require all granted +</Directory> +""" + index = """WORKS!""" + + t = Template(location) + text = t.substitute({'HTTPDIR': httpdir}) + with open(httpdir + '/conf.d/ipsilon-saml.conf', 'a') as f: + f.write(text) + + os.mkdir(httpdir + '/sp') + with open(httpdir + '/sp/index.html', 'w') as f: + f.write(index) + + +class IpsilonTest(IpsilonTestBase): + + def __init__(self): + super(IpsilonTest, self).__init__('testgssapi', __file__) + + def setup_servers(self, env=None): + os.mkdir("%s/ccaches" % self.testdir) + + print "Installing KDC server" + kdcenv = self.setup_kdc(env) + + print "Creating principals and keytabs" + self.setup_keys(kdcenv) + + print "Getting a TGT" + self.kinit_keytab(kdcenv) + + print "Installing IDP server" + name = 'idp1' + addr = 'idp.ipsilon.dev' + port = '45080' + env.update(kdcenv) + idp = self.generate_profile(idp_g, idp_a, name, addr, port) + conf = self.setup_idp_server(idp, name, addr, port, env) + + print "Starting IDP's httpd server" + self.start_http_server(conf, env) + + print "Installing first SP server" + name = 'sp1' + addr = '127.0.0.11' + port = '45081' + sp = self.generate_profile(sp_g, sp_a, name, addr, port) + conf = self.setup_sp_server(sp, name, addr, port, env) + fixup_sp_httpd(os.path.dirname(conf)) + + print "Starting first SP's httpd server" + self.start_http_server(conf, env) + + print "Installing second SP server" + name = 'sp2' + addr = '127.0.0.11' + port = '45082' + sp = self.generate_profile(sp2_g, sp2_a, name, addr, port) + with open(os.path.dirname(sp) + '/pw.txt', 'a') as f: + f.write('ipsilon') + conf = self.setup_sp_server(sp, name, addr, port, env) + os.remove(os.path.dirname(sp) + '/pw.txt') + fixup_sp_httpd(os.path.dirname(conf)) + + print "Starting second SP's httpd server" + self.start_http_server(conf, env) + +if __name__ == '__main__': + + idpname = 'idp1' + sp1name = 'sp1' + sp2name = 'sp2' + user = pwd.getpwuid(os.getuid())[0] + + testdir = os.environ['TESTDIR'] + + krb5conf = os.path.join(testdir, 'krb5.conf') + kenv = {'PATH': '/sbin:/bin:/usr/sbin:/usr/bin', + 'KRB5_CONFIG': krb5conf, + 'KRB5CCNAME': 'FILE:' + os.path.join(testdir, 'ccaches/user')} + + for key in kenv: + os.environ[key] = kenv[key] + + sess = HttpSessions() + sess.add_server(idpname, 'http://%s:45080' % WRAP_HOSTNAME, user, + 'ipsilon') + sess.add_server(sp1name, 'http://127.0.0.11:45081') + sess.add_server(sp2name, 'http://127.0.0.11:45082') + + print "testgssapi: Authenticate to IDP ...", + try: + sess.auth_to_idp(idpname, krb=True) + except Exception, e: # pylint: disable=broad-except + print >> sys.stderr, " ERROR: %s" % repr(e) + sys.exit(1) + print " SUCCESS" + + print "testgssapi: Add first SP Metadata to IDP ...", + try: + sess.add_sp_metadata(idpname, sp1name) + except Exception, e: # pylint: disable=broad-except + print >> sys.stderr, " ERROR: %s" % repr(e) + sys.exit(1) + print " SUCCESS" + + print "testgssapi: Access first SP Protected Area ...", + try: + page = sess.fetch_page(idpname, 'http://127.0.0.11:45081/sp/') + page.expected_value('text()', 'WORKS!') + except ValueError, e: + print >> sys.stderr, " ERROR: %s" % repr(e) + sys.exit(1) + print " SUCCESS" + + print "testgssapi: Access second SP Protected Area ...", + try: + page = sess.fetch_page(idpname, 'http://127.0.0.11:45082/sp/') + page.expected_value('text()', 'WORKS!') + except ValueError, e: + print >> sys.stderr, " ERROR: %s" % repr(e) + sys.exit(1) + print " SUCCESS" |