From 15ae064f55824f474307af7b5afa1d425f52ed9d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lauri=20V=C3=B5sandi?= Date: Tue, 25 Apr 2017 21:47:41 +0300 Subject: [PATCH] Preliminary tests for auth --- certidude/auth.py | 4 +++- certidude/user.py | 7 +++++++ tests/test_cli.py | 42 ++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 52 insertions(+), 1 deletion(-) diff --git a/certidude/auth.py b/certidude/auth.py index 5b5d15e..40f88b5 100644 --- a/certidude/auth.py +++ b/certidude/auth.py @@ -1,5 +1,6 @@ import click +import falcon import logging import os import re @@ -133,7 +134,8 @@ def authenticate(optional=False): import simplepam if not simplepam.authenticate(user, passwd, "sshd"): - logger.critical(u"Basic authentication failed for user %s from %s", + logger.critical(u"Basic authentication failed for user %s from %s, " + "are you sure server process has read access to /etc/shadow?", repr(user), req.context.get("remote_addr")) raise falcon.HTTPUnauthorized("Forbidden", "Invalid password", ("Basic",)) diff --git a/certidude/user.py b/certidude/user.py index e33f2da..6232a4c 100644 --- a/certidude/user.py +++ b/certidude/user.py @@ -60,6 +60,13 @@ class PosixUserManager(object): _, _, gid, members = grp.getgrnam(config.ADMIN_GROUP) return user.name in members + def all(self): + _, _, gid, members = grp.getgrnam(config.USERS_GROUP) + for username in members: + yield self.get(username) + for user in self.filter_admins(): # TODO: dedup + yield user + class DirectoryConnection(object): def __enter__(self): diff --git a/tests/test_cli.py b/tests/test_cli.py index e7f7548..50bce54 100644 --- a/tests/test_cli.py +++ b/tests/test_cli.py @@ -1,5 +1,7 @@ import os import requests +import subprocess +import pwd from falcon import testing from click.testing import CliRunner from certidude.cli import entry_point as cli @@ -43,6 +45,39 @@ def test_cli_setup_authority(): assert authority.ca_cert.not_valid_before < datetime.now() assert authority.ca_cert.not_valid_after > datetime.now() + timedelta(days=7000) + try: + pwd.getpwnam("userbot") + except KeyError: + # useradd userbot -G users -p '$1$PBkf5waA$n9EV6WJ7PS6lyGWkgeTPf1' + cmd = "useradd", "userbot", "-G", "users", "-p", "$1$PBkf5waA$n9EV6WJ7PS6lyGWkgeTPf1" # bot + subprocess.call(cmd) + + try: + pwd.getpwnam("adminbot") + except KeyError: + # Note: on Fedora use group 'wheel' instead of 'sudo' + # useradd adminbot -G sudo -p '$1$PBkf5waA$n9EV6WJ7PS6lyGWkgeTPf1' + cmd = "useradd", "adminbot", "-G", "sudo", "-p", "$1$PBkf5waA$n9EV6WJ7PS6lyGWkgeTPf1" # bot + subprocess.call(cmd) + + usertoken = "Basic dXNlcmJvdDpib3Q=" + admintoken = "Basic YWRtaW5ib3Q6Ym90" + + result = runner.invoke(cli, ['users']) + assert not result.exception + + + # Test session API call + r = client().simulate_get("/api/", headers={"Authorization":usertoken}) + assert r.status_code == 200 + + r = client().simulate_get("/api/", headers={"Authorization":admintoken}) + assert r.status_code == 200 + + r = client().simulate_get("/api/") + assert r.status_code == 401 + + # Try starting up forked server result = runner.invoke(cli, ['serve', '-f', '-p', '8080']) assert not result.exception @@ -172,6 +207,13 @@ def test_cli_setup_authority(): r = client().simulate_get("/api/signed/test2/tag/") assert r.status_code == 401 + r = client().simulate_get("/api/signed/test2/tag/", headers={"Authorization":usertoken}) + assert r.status_code == 403 + + r = client().simulate_get("/api/signed/test2/tag/", headers={"Authorization":admintoken}) + assert r.status_code == 200 + + # Revoke all valid ones result = runner.invoke(cli, ['revoke', 'test2']) assert not result.exception