lauri/certidude
1
0
Fork 0
mirror of https://github.com/laurivosandi/certidude synced 2025-10-31 01:19:11 +00:00
Code Issues Activity

tests: Preliminary tests for Kerberos/LDAP auth

Browse Source
This commit is contained in:
Lauri Võsandi
2017-05-07 19:11:24 +00:00
parent 60a0f2ba7c
commit 71e77154d7
10 changed files with 228 additions and 106 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
.travis.yml
View File

@@ -14,7 +14,7 @@ install:
- echo "127.0.0.1 www.example.lan www" | sudo tee -a /etc/hosts
- sudo mkdir -p /etc/systemd/system
- sudo pip install -r requirements.txt
- sudo pip install codecov pytest-cov
- sudo pip install codecov pytest-cov requests-kerberos
- sudo pip install -e .
script:
- sudo find /home/ -type d -exec chmod 755 {} \; # Allow certidude serve to read templates

6
certidude/api/__init__.py
View File

@@ -212,6 +212,12 @@ def certidude_app(log_handlers=[]):
# Add sink for serving static files
app.add_sink(StaticResource(os.path.join(__file__, "..", "..", "static")))
def log_exceptions(ex, req, resp, params):
logger.debug("Caught exception: %s" % ex)
raise ex
app.add_error_handler(Exception, log_exceptions)
# Set up log handlers
if config.LOGGING_BACKEND == "sql":
from certidude.mysqllog import LogHandler

21
certidude/api/request.py
View File

@@ -29,7 +29,7 @@ class RequestListResource(object):
"""
Validate and parse certificate signing request
"""
reason = "No reason"
reasons = []
body = req.stream.read(req.content_length)
csr = x509.load_pem_x509_csr(body, default_backend())
try:
@@ -79,7 +79,7 @@ class RequestListResource(object):
renewal_signature = b64decode(renewal_header)
except TypeError, ValueError:
logger.error("Renewal failed, bad signature supplied for %s", common_name.value)
reason = "Renewal failed, bad signature supplied"
reasons.append("Renewal failed, bad signature supplied")
else:
try:
verifier = cert.public_key().verifier(
@@ -95,15 +95,15 @@ class RequestListResource(object):
verifier.verify()
except InvalidSignature:
logger.error("Renewal failed, invalid signature supplied for %s", common_name.value)
reason = "Renewal failed, invalid signature supplied"
reasons.append("Renewal failed, invalid signature supplied")
else:
# At this point renewal signature was valid but we need to perform some extra checks
if datetime.utcnow() > cert.not_valid_after:
logger.error("Renewal failed, current certificate for %s has expired", common_name.value)
reason = "Renewal failed, current certificate expired"
reasons.append("Renewal failed, current certificate expired")
elif not config.CERTIFICATE_RENEWAL_ALLOWED:
logger.error("Renewal requested for %s, but not allowed by authority settings", common_name.value)
reason = "Renewal requested, but not allowed by authority settings"
reasons.append("Renewal requested, but not allowed by authority settings")
else:
resp.set_header("Content-Type", "application/x-x509-user-cert")
_, resp.body = authority._sign(csr, body, overwrite=True)
@@ -117,7 +117,6 @@ class RequestListResource(object):
"""
if req.get_param_as_bool("autosign"):
if "." not in common_name.value:
reason = "Autosign failed, IP address not whitelisted"
for subnet in config.AUTOSIGN_SUBNETS:
if req.context.get("remote_addr") in subnet:
try:
@@ -128,16 +127,18 @@ class RequestListResource(object):
except EnvironmentError:
logger.info("Autosign for %s from %s failed, signed certificate already exists",
common_name.value, req.context.get("remote_addr"))
reason = "Autosign failed, signed certificate already exists"
reasons.append("Autosign failed, signed certificate already exists")
break
else:
reasons.append("Autosign failed, IP address not whitelisted")
else:
reason = "Autosign failed, only client certificates allowed to be signed automatically"
reasons.append("Autosign failed, only client certificates allowed to be signed automatically")
# Attempt to save the request otherwise
try:
csr = authority.store_request(body)
except errors.RequestExists:
reason = "Same request already uploaded exists"
reasons.append("Same request already uploaded exists")
# We should still redirect client to long poll URL below
except errors.DuplicateCommonNameError:
# TODO: Certificate renewal
@@ -161,7 +162,7 @@ class RequestListResource(object):
else:
# Request was accepted, but not processed
resp.status = falcon.HTTP_202
resp.body = reason
resp.body = ". ".join(reasons)
class RequestDetailResource(object):

58
certidude/auth.py
View File

@@ -1,5 +1,6 @@
import click
import gssapi
import falcon
import logging
import os
@@ -12,25 +13,12 @@ from certidude import config, const
logger = logging.getLogger("api")
if "kerberos" in config.AUTHENTICATION_BACKENDS:
import gssapi
os.environ["KRB5_KTNAME"] = config.KERBEROS_KEYTAB
server_creds = gssapi.creds.Credentials(
usage='accept',
name=gssapi.names.Name('HTTP/%s'% (socket.gethostname())))
click.echo("Accepting requests only for realm: %s" % const.DOMAIN)
os.environ["KRB5_KTNAME"] = config.KERBEROS_KEYTAB
def authenticate(optional=False):
import falcon
def wrapper(func):
def kerberos_authenticate(resource, req, resp, *args, **kwargs):
# If LDAP enabled and device is not Kerberos capable fall
# back to LDAP bind authentication
if "ldap" in config.AUTHENTICATION_BACKENDS:
if "Android" in req.user_agent or "iPhone" in req.user_agent:
return ldap_authenticate(resource, req, resp, *args, **kwargs)
# Try pre-emptive authentication
if not req.auth:
if optional:
@@ -43,9 +31,22 @@ def authenticate(optional=False):
"No Kerberos ticket offered, are you sure you've logged in with domain user account?",
["Negotiate"])
server_creds = gssapi.creds.Credentials(
usage='accept',
name=gssapi.names.Name('HTTP/%s'% const.FQDN))
context = gssapi.sec_contexts.SecurityContext(creds=server_creds)
if not req.auth.startswith("Negotiate "):
raise falcon.HTTPBadRequest("Bad request", "Bad header: %s" % req.auth)
token = ''.join(req.auth.split()[1:])
context.step(b64decode(token))
try:
context.step(b64decode(token))
except TypeError: # base64 errors
raise falcon.HTTPBadRequest("Bad request", "Malformed token")
username, domain = str(context.initiator_name).split("@")
if domain.lower() != const.DOMAIN.lower():
@@ -82,7 +83,7 @@ def authenticate(optional=False):
("Basic",))
if not req.auth.startswith("Basic "):
raise falcon.HTTPForbidden("Forbidden", "Bad header: %s" % req.auth)
raise falcon.HTTPBadRequest("Bad request", "Bad header: %s" % req.auth)
from base64 import b64decode
basic, token = req.auth.split(" ", 1)
@@ -127,7 +128,7 @@ def authenticate(optional=False):
raise falcon.HTTPUnauthorized("Forbidden", "Please authenticate", ("Basic",))
if not req.auth.startswith("Basic "):
raise falcon.HTTPForbidden("Forbidden", "Bad header: %s" % req.auth)
raise falcon.HTTPBadRequest("Bad request", "Bad header: %s" % req.auth)
basic, token = req.auth.split(" ", 1)
user, passwd = b64decode(token).split(":", 1)
@@ -142,14 +143,21 @@ def authenticate(optional=False):
req.context["user"] = User.objects.get(user)
return func(resource, req, resp, *args, **kwargs)
if "kerberos" in config.AUTHENTICATION_BACKENDS:
return kerberos_authenticate
elif config.AUTHENTICATION_BACKENDS == {"pam"}:
return pam_authenticate
elif config.AUTHENTICATION_BACKENDS == {"ldap"}:
return ldap_authenticate
else:
raise NotImplementedError("Authentication backend %s not supported" % config.AUTHENTICATION_BACKENDS)
def wrapped(*args, **kwargs):
# If LDAP enabled and device is not Kerberos capable fall
# back to LDAP bind authentication
if "ldap" in config.AUTHENTICATION_BACKENDS:
if "Android" in req.user_agent or "iPhone" in req.user_agent:
return ldap_authenticate(resource, req, resp, *args, **kwargs)
if "kerberos" in config.AUTHENTICATION_BACKENDS:
return kerberos_authenticate(*args, **kwargs)
elif config.AUTHENTICATION_BACKENDS == {"pam"}:
return pam_authenticate(*args, **kwargs)
elif config.AUTHENTICATION_BACKENDS == {"ldap"}:
return ldap_authenticate(*args, **kwargs)
else:
raise NotImplementedError("Authentication backend %s not supported" % config.AUTHENTICATION_BACKENDS)
return wrapped
return wrapper

29
certidude/authority.py
View File

@@ -134,11 +134,10 @@ def revoke(common_name):
push.publish("certificate-revoked", common_name)
# Publish CRL for long polls
if config.LONG_POLL_PUBLISH:
url = config.LONG_POLL_PUBLISH % "crl"
click.echo("Publishing CRL at %s ..." % url)
requests.post(url, data=export_crl(),
headers={"User-Agent": "Certidude API", "Content-Type": "application/x-pem-file"})
url = config.LONG_POLL_PUBLISH % "crl"
click.echo("Publishing CRL at %s ..." % url)
requests.post(url, data=export_crl(),
headers={"User-Agent": "Certidude API", "Content-Type": "application/x-pem-file"})
attach_cert = buf, "application/x-pem-file", common_name + ".crt"
mailer.send("certificate-revoked.md",
@@ -220,10 +219,9 @@ def delete_request(common_name):
push.publish("request-deleted", common_name)
# Write empty certificate to long-polling URL
if config.LONG_POLL_PUBLISH:
requests.delete(
config.LONG_POLL_PUBLISH % hashlib.sha256(buf).hexdigest(),
headers={"User-Agent": "Certidude API"})
requests.delete(
config.LONG_POLL_PUBLISH % hashlib.sha256(buf).hexdigest(),
headers={"User-Agent": "Certidude API"})
def generate_ovpn_bundle(common_name, owner=None):
# Construct private key
@@ -370,13 +368,10 @@ def _sign(csr, buf, overwrite=False):
else: # New keypair
mailer.send("certificate-signed.md", **locals())
if config.LONG_POLL_PUBLISH:
url = config.LONG_POLL_PUBLISH % hashlib.sha256(buf).hexdigest()
click.echo("Publishing certificate at %s ..." % url)
requests.post(url, data=cert_buf,
headers={"User-Agent": "Certidude API", "Content-Type": "application/x-x509-user-cert"})
if config.EVENT_SOURCE_PUBLISH: # TODO: handle renewal
push.publish("request-signed", common_name.value)
url = config.LONG_POLL_PUBLISH % hashlib.sha256(buf).hexdigest()
click.echo("Publishing certificate at %s ..." % url)
requests.post(url, data=cert_buf,
headers={"User-Agent": "Certidude API", "Content-Type": "application/x-x509-user-cert"})
push.publish("request-signed", common_name.value)
return cert, cert_buf

38
certidude/cli.py
View File

@@ -728,8 +728,9 @@ def certidude_setup_openvpn_networkmanager(authority, remote, common_name, **pat
@fqdn_required
def certidude_setup_authority(username, kerberos_keytab, nginx_config, country, state, locality, organization, organizational_unit, common_name, directory, authority_lifetime, push_server, outbox, server_flags):
# Install only rarely changing stuff from OS package management
apt("python-setproctitle cython python-dev libkrb5-dev libldap2-dev libffi-dev libssl-dev")
apt("python-mimeparse python-markdown python-xattr python-jinja2 python-cffi python-openssl software-properties-common")
apt("python-setproctitle cython python-dev libkrb5-dev libffi-dev libssl-dev")
apt("python-mimeparse python-markdown python-xattr python-jinja2 python-cffi")
apt("python-ldap python-openssl software-properties-common libsasl2-modules-gssapi-mit")
pip("gssapi falcon cryptography humanize ipaddress simplepam humanize requests")
click.echo("Software dependencies installed")
@@ -1086,10 +1087,11 @@ def certidude_cron():
@click.command("serve", help="Run server")
@click.option("-e", "--exit-handler", default=False, is_flag=True, help="Install /api/exit/ handler")
@click.option("-p", "--port", default=80, help="Listen port")
@click.option("-l", "--listen", default="0.0.0.0", help="Listen address")
@click.option("-f", "--fork", default=False, is_flag=True, help="Fork to background")
def certidude_serve(port, listen, fork):
def certidude_serve(port, listen, fork, exit_handler):
from setproctitle import setproctitle
from certidude.signer import SignServer
from certidude import authority, const
@@ -1177,16 +1179,13 @@ def certidude_serve(port, listen, fork):
click.echo("Serving API at %s:%d" % (listen, port))
from wsgiref.simple_server import make_server, WSGIServer
from SocketServer import ForkingMixIn
from certidude.api import certidude_app
class ThreadingWSGIServer(ForkingMixIn, WSGIServer):
pass
click.echo("Listening on %s:%d" % (listen, port))
app = certidude_app(log_handlers)
httpd = make_server(listen, port, app, ThreadingWSGIServer)
httpd = make_server(listen, port, app, WSGIServer)
"""
@@ -1198,9 +1197,8 @@ def certidude_serve(port, listen, fork):
if os.path.exists("/etc/cron.hourly/certidude"):
os.system("/etc/cron.hourly/certidude")
if config.EVENT_SOURCE_PUBLISH:
from certidude.push import EventSourceLogHandler
log_handlers.append(EventSourceLogHandler())
from certidude.push import EventSourceLogHandler
log_handlers.append(EventSourceLogHandler())
for j in logging.Logger.manager.loggerDict.values():
if isinstance(j, logging.Logger): # PlaceHolder is what?
@@ -1222,14 +1220,18 @@ def certidude_serve(port, listen, fork):
logger.debug("Started Certidude at %s", const.FQDN)
drop_privileges()
def quit_handler(*args, **kwargs):
click.echo("Shutting down HTTP server...")
raise KeyboardInterrupt
signal.signal(signal.SIGHUP, quit_handler)
try:
httpd.serve_forever()
except KeyboardInterrupt:
click.echo("Caught Ctrl-C, server stopped")
class ExitResource():
"""
Provide way to gracefully shutdown server
"""
def on_get(self, req, resp):
assert httpd._BaseServer__shutdown_request == False
httpd._BaseServer__shutdown_request = True
if exit_handler:
app.add_route("/api/exit/", ExitResource())
httpd.serve_forever()
@click.command("yubikey", help="Set up Yubikey as client authentication token")

21
certidude/config.py
View File

@@ -73,19 +73,14 @@ LONG_POLL_SUBSCRIBE = cp.get("push", "long poll subscribe")
LOGGING_BACKEND = cp.get("logging", "backend")
if "whitelist" == AUTHORIZATION_BACKEND:
USERS_WHITELIST = set([j for j in cp.get("authorization", "users whitelist").split(" ") if j])
ADMINS_WHITELIST = set([j for j in cp.get("authorization", "admins whitelist").split(" ") if j])
elif "posix" == AUTHORIZATION_BACKEND:
USERS_GROUP = cp.get("authorization", "posix user group")
ADMIN_GROUP = cp.get("authorization", "posix admin group")
elif "ldap" == AUTHORIZATION_BACKEND:
LDAP_USER_FILTER = cp.get("authorization", "ldap user filter")
LDAP_ADMIN_FILTER = cp.get("authorization", "ldap admin filter")
if "%s" not in LDAP_USER_FILTER: raise ValueError("No placeholder %s for username in 'ldap user filter'")
if "%s" not in LDAP_ADMIN_FILTER: raise ValueError("No placeholder %s for username in 'ldap admin filter'")
else:
raise NotImplementedError("Unknown authorization backend '%s'" % AUTHORIZATION_BACKEND)
USERS_WHITELIST = set([j for j in cp.get("authorization", "user whitelist").split(" ") if j])
ADMINS_WHITELIST = set([j for j in cp.get("authorization", "admin whitelist").split(" ") if j])
USERS_GROUP = cp.get("authorization", "posix user group")
ADMIN_GROUP = cp.get("authorization", "posix admin group")
LDAP_USER_FILTER = cp.get("authorization", "ldap user filter")
LDAP_ADMIN_FILTER = cp.get("authorization", "ldap admin filter")
if "%s" not in LDAP_USER_FILTER: raise ValueError("No placeholder %s for username in 'ldap user filter'")
if "%s" not in LDAP_ADMIN_FILTER: raise ValueError("No placeholder %s for username in 'ldap admin filter'")
TAG_TYPES = [j.split("/", 1) + [cp.get("tagging", j)] for j in cp.options("tagging")]

3
certidude/push.py
View File

@@ -13,9 +13,6 @@ def publish(event_type, event_data):
"""
assert event_type, "No event type specified"
assert event_data, "No event data specified"
if not config.EVENT_SOURCE_PUBLISH:
# Push server disabled
return
if not isinstance(event_data, basestring):
from certidude.decorators import MyEncoder

12
certidude/templates/server/server.conf
View File

@@ -9,7 +9,7 @@ backends = pam
;backends = ldap
;backends = kerberos ldap
;backends = kerberos pam
ldap uri = ldaps://dc1.example.com
ldap uri = ldaps://dc.example.lan
kerberos keytab = FILE:{{ kerberos_keytab }}
[accounts]
@@ -23,8 +23,8 @@ kerberos keytab = FILE:{{ kerberos_keytab }}
backend = posix
;backend = ldap
ldap gssapi credential cache = /run/certidude/krb5cc
ldap uri = ldap://dc1.example.com
ldap base = {% if base %}{{ base }}{% else %}dc=example,dc=com{% endif %}
ldap uri = ldap://dc.example.lan
ldap base = {% if base %}{{ base }}{% else %}dc=example,dc=lan{% endif %}
[authorization]
# The authorization backend specifies how the users are authorized.
@@ -38,7 +38,11 @@ posix admin group = sudo
;backend = ldap
ldap computer filter = (&(objectclass=user)(objectclass=computer)(samaccountname=%s))
ldap user filter = (&(objectclass=user)(objectcategory=person)(samaccountname=%s))
ldap admin filter = (&(memberOf=cn=Domain Admins,cn=Users,{% if base %}{{ base }}{% else %}dc=example,dc=com{% endif %})(samaccountname=%s))
ldap admin filter = (&(memberOf=cn=Domain Admins,cn=Users,{% if base %}{{ base }}{% else %}dc=example,dc=lan{% endif %})(samaccountname=%s))
;backend = whitelist
user whitelist =
admin whitelist =
# Users are allowed to log in from user subnets
user subnets = 0.0.0.0/0

144
tests/test_cli.py
View File

@@ -93,6 +93,7 @@ def clean_server():
except OSError:
pass
if os.path.exists("/var/lib/certidude/ca.example.lan"):
shutil.rmtree("/var/lib/certidude/ca.example.lan")
if os.path.exists("/etc/certidude/server.conf"):
@@ -126,10 +127,25 @@ def clean_server():
if os.path.exists("/etc/openvpn/keys"):
shutil.rmtree("/etc/openvpn/keys")
# System packages
os.system("apt purge -y nginx libnginx-mod-nchan openvpn strongswan")
os.system("apt-get -y autoremove")
# Stop samba
if os.path.exists("/run/samba/samba.pid"):
with open("/run/samba/samba.pid") as fh:
try:
os.kill(int(fh.read()), 15)
except OSError:
pass
if os.path.exists("/etc/krb5.conf"):
os.unlink("/etc/krb5.conf")
if os.path.exists("/etc/krb5.keytab"):
os.unlink("/etc/krb5.keytab")
if os.path.exists("/etc/certidude/server.keytab"):
os.unlink("/etc/certidude/server.keytab")
if os.path.exists("/var/lib/samba/"):
shutil.rmtree("/var/lib/samba")
os.makedirs("/var/lib/samba")
# Restore initial resolv.conf
shutil.copyfile("/etc/resolv.conf.orig", "/etc/resolv.conf")
def test_cli_setup_authority():
import os
@@ -137,9 +153,30 @@ def test_cli_setup_authority():
assert os.getuid() == 0, "Run tests as root in a clean VM or container"
if not os.path.exists("/etc/resolv.conf.orig"):
shutil.copyfile("/etc/resolv.conf", "/etc/resolv.conf.orig")
clean_server()
clean_client()
# Bootstrap domain controller here,
# Samba startup takes some time
os.system("apt install -y samba krb5-user winbind")
if os.path.exists("/etc/samba/smb.conf"):
os.unlink("/etc/samba/smb.conf")
os.system("samba-tool domain provision --server-role=dc --domain=EXAMPLE --realm=EXAMPLE.LAN --host-name=ca")
os.system("samba-tool user add userbot S4l4k4l4 --given-name='User' --surname='Bot'")
os.system("samba-tool user add adminbot S4l4k4l4 --given-name='Admin' --surname='Bot'")
os.system("samba-tool user setpassword administrator --newpassword=S4l4k4l4")
os.symlink("/var/lib/samba/private/secrets.keytab", "/etc/krb5.keytab")
os.chmod("/var/lib/samba/private/secrets.keytab", 0644) # To allow access to certidude server
os.symlink("/var/lib/samba/private/krb5.conf", "/etc/krb5.conf")
with open("/etc/resolv.conf", "w") as fh:
fh.write("nameserver 127.0.0.1\nsearch example.lan\n")
# TODO: dig -t srv perhaps?
os.system("samba")
from certidude.cli import entry_point as cli
from certidude import const
@@ -156,7 +193,7 @@ def test_cli_setup_authority():
assert os.system("nginx -t") == 0, "invalid nginx configuration"
assert os.path.exists("/run/nginx.pid"), "nginx wasn't started up properly"
from certidude import config, authority
from certidude import config, authority, auth, user
assert authority.ca_cert.serial_number >= 0x100000000000000000000000000000000000000
assert authority.ca_cert.serial_number <= 0xfffffffffffffffffffffffffffffffffffffff
assert authority.ca_cert.not_valid_before < datetime.now()
@@ -182,7 +219,7 @@ def test_cli_setup_authority():
server_pid = os.fork()
if not server_pid:
# Fork to prevent umask, setuid, setgid side effects
result = runner.invoke(cli, ['serve', '-p', '8080', '-l', '127.0.1.1'])
result = runner.invoke(cli, ['serve', '-p', '8080', '-l', '127.0.1.1', '-e'])
assert not result.exception, result.output
return
@@ -519,15 +556,13 @@ def test_cli_setup_authority():
# Test session API call
r = client().simulate_get("/api/", headers={"Authorization":usertoken})
assert r.status_code == 200
r = client().simulate_get("/api/", headers={"Authorization":admintoken})
assert r.status_code == 200
r = client().simulate_get("/api/", headers={"Accept":"text/plain", "Authorization":admintoken})
assert r.status_code == 415 # invalid media type
r = client().simulate_get("/api/")
assert r.status_code == 401
assert "Please authenticate" in r.text
# Test token mech
@@ -568,9 +603,14 @@ def test_cli_setup_authority():
# Beyond this point don't use client()
const.STORAGE_PATH = "/tmp/"
#############
### nginx ###
#############
# In this case nginx is set up as web server with TLS certificates
# generated by certidude.
clean_client()
result = runner.invoke(cli, ["setup", "nginx", "-cn", "www", "ca.example.lan"])
@@ -612,11 +652,15 @@ def test_cli_setup_authority():
# Test nginx setup
assert os.system("nginx -t") == 0, "Generated nginx config was invalid"
# TODO: test client verification with curl
###############
### OpenVPN ###
###############
# First OpenVPN server is set up
clean_client()
if not os.path.exists("/etc/openvpn/keys"):
@@ -651,7 +695,8 @@ def test_cli_setup_authority():
assert os.path.exists("/tmp/ca.example.lan/server_cert.pem")
assert os.path.exists("/etc/openvpn/site-to-client.conf")
# Reset config
# Secondly OpenVPN client is set up
os.unlink("/etc/certidude/client.conf")
os.unlink("/etc/certidude/services.conf")
@@ -669,8 +714,9 @@ def test_cli_setup_authority():
assert "Writing certificate to:" in result.output, result.output
assert os.path.exists("/etc/openvpn/client-to-site.conf")
# TODO: Check that tunnel interfaces came up, perhaps try to ping?
# TODO: assert key, req, cert paths were included correctly in OpenVPN config
# TODO: test client verification with curl
###############
### IPSec ###
@@ -755,6 +801,74 @@ def test_cli_setup_authority():
####################################
### Switch to Kerberos/LDAP auth ###
####################################
# Shut down current instance
requests.get("http://ca.example.lan/api/exit")
requests.get("http://ca.example.lan/api/")
os.waitpid(server_pid, 0)
# Hacks, note that CA is domain controller
assert os.system("kdestroy") == 0
assert not os.path.exists("/tmp/krb5cc_0")
assert os.system("echo S4l4k4l4 | kinit administrator") == 0
assert os.path.exists("/tmp/krb5cc_0")
os.system("sed -e 's/CA/CA\\nkerberos method = system keytab/' -i /etc/samba/smb.conf ")
# Create service principals
spn_pid = os.fork()
if not spn_pid:
assert os.getuid() == 0 and os.getgid() == 0
os.environ["KRB5_KTNAME"] = "FILE:/etc/certidude/server.keytab"
assert os.system("net ads keytab add HTTP -k") == 0
assert os.path.exists("/etc/certidude/server.keytab")
os.system("chown root:certidude /etc/certidude/server.keytab")
os.system("chmod 640 /etc/certidude/server.keytab")
return
else:
os.waitpid(spn_pid, 0)
os.system("sed -e 's/ldap uri = ldaps:.*/ldap uri = ldaps:\\/\\/ca.example.lan/g' -i /etc/certidude/server.conf")
os.system("sed -e 's/ldap uri = ldap:.*/ldap uri = ldap:\\/\\/ca.example.lan/g' -i /etc/certidude/server.conf")
os.system("sed -e 's/backends = pam/backends = kerberos/g' -i /etc/certidude/server.conf")
os.system("sed -e 's/backend = posix/backend = ldap/g' -i /etc/certidude/server.conf")
os.system("/etc/cron.hourly/certidude") # Update server credential cache
result = runner.invoke(cli, ['users'])
assert not result.exception, result.output
# TODO: assert "Administrator@example.lan" in result.output
server_pid = os.fork() # Fork to prevent environment contamination
if not server_pid:
# Apply /etc/certidude/server.conf changes
reload(config)
reload(user)
reload(auth)
assert isinstance(user.User.objects, user.ActiveDirectoryUserManager), user.User.objects
result = runner.invoke(cli, ['serve', '-p', '8080', '-l', '127.0.1.1', '-e'])
assert not result.exception, result.output
return
sleep(1) # Wait for serve to start up
# TODO: pip install requests-kerberos
from requests_kerberos import HTTPKerberosAuth, OPTIONAL
auth = HTTPKerberosAuth(mutual_authentication=OPTIONAL, force_preemptive=True)
# Test session API call
r = requests.get("http://ca.example.lan/api/")
assert r.status_code == 401, r.text
assert "No Kerberos ticket offered" in r.text, r.text
r = requests.get("http://ca.example.lan/api/", headers={"Authorization": "Negotiate blerrgh"})
assert r.status_code == 400, r.text
r = requests.get("http://ca.example.lan/api/", auth=auth)
assert r.status_code == 200, r.text
###################
### Final tests ###
###################
@@ -783,18 +897,18 @@ def test_cli_setup_authority():
assert authority.signer_exec("exit") == "ok"
# Shut down server
with open("/run/certidude/server.pid") as fh:
os.kill(int(fh.read()), 1)
requests.get("http://ca.example.lan/api/exit")
os.waitpid(server_pid, 0)
# Note: STORAGE_PATH was mangled above, hence it's /tmp not /var/lib/certidude
assert open("/etc/apparmor.d/local/usr.lib.ipsec.charon").read() == "/tmp/** r,\n"
assert len(inbox) == 0, inbox # Make sure all messages were checked
os.waitpid(server_pid, 0)
os.system("service nginx stop")
os.system("service openvpn stop")
os.system("ipsec stop")
clean_server()
if __name__ == "__main__":
test_cli_setup_authority()