Skip to content

Commit

Permalink
Create tests for suffix
Browse files Browse the repository at this point in the history
  • Loading branch information
Matthew Baxa committed Sep 23, 2014
1 parent 4c1ac67 commit 2b49644
Show file tree
Hide file tree
Showing 9 changed files with 202 additions and 10 deletions.
4 changes: 2 additions & 2 deletions tests/Makefile.am
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2,9 +2,9 @@
TESTS_ENVIRONMENT = env BUILDDIR=$(abs_top_builddir) $(PYTHON) $(top_srcdir)/tests/cram.py

# Preserve ordering; login_duo-0.t does some setup
TESTS = login_duo-0.t login_duo-1.t login_duo-2.t login_duo-3.t login_duo-4.t
TESTS = login_duo-0.t login_duo-1.t login_duo-2.t login_duo-3.t login_duo-4.t login_duo-5.t
TESTS += groups-0.t mocklogin_duo-0.t
PAM_TESTS = pam_duo-0.t pam_duo-1.t pam_duo-2.t pam_duo-3.t pam_duo-4.t
PAM_TESTS = pam_duo-0.t pam_duo-1.t pam_duo-2.t pam_duo-3.t pam_duo-4.t pam_duo-5.t

check_LTLIBRARIES = libgroups_preload.la
libgroups_preload_la_SOURCES = groups_preload.c
Expand Down
8 changes: 8 additions & 0 deletions tests/confs/mockduo_autopush_suffix.conf
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
[duo]
ikey = DIXYZV6YM8IFYVWBINCA
skey = yWHSMhWucAcp7qvuH3HWTaSaKABs8Gaddiv1NIRo
host = localhost:4443
cafile = certs/mockduo-ca.pem
autopush = yes
prompts = 1
suffix = @test.com
7 changes: 7 additions & 0 deletions tests/confs/mockduo_badkeys_failsecure_suffix.conf
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
[duo]
ikey = foo
skey = bar
host = localhost:4443
cafile = certs/mockduo-ca.pem
failmode = secure
suffix = @test.com
6 changes: 6 additions & 0 deletions tests/confs/mockduo_badkeys_suffix.conf
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
[duo]
ikey = foo
skey = bar
host = localhost:4443
cafile = certs/mockduo-ca.pem
suffix = @test.com
7 changes: 7 additions & 0 deletions tests/confs/mockduo_failsecure_suffix.conf
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
[duo]
ikey = DIXYZV6YM8IFYVWBINCA
skey = yWHSMhWucAcp7qvuH3HWTaSaKABs8Gaddiv1NIRo
host = localhost:4443
cafile = certs/mockduo-ca.pem
failmode = secure
suffix = @test.com
6 changes: 6 additions & 0 deletions tests/confs/mockduo_suffix.conf
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
[duo]
ikey = DIXYZV6YM8IFYVWBINCA
skey = yWHSMhWucAcp7qvuH3HWTaSaKABs8Gaddiv1NIRo
host = localhost:4443
cafile = certs/mockduo-ca.pem
suffix = @test.com
82 changes: 82 additions & 0 deletions tests/login_duo-5.t
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,82 @@
mockduo with valid cert and suffix

$ cd ${TESTDIR}
$ python mockduo.py certs/mockduo.pem >/dev/null 2>&1 &
$ MOCKPID=$!
$ trap 'exec kill $MOCKPID >/dev/null 2>&1' EXIT
$ sleep 1

HTTP server errors
$ for http_code in 400 401 402 403 404 500 501 502 503 504; do ${BUILDDIR}/login_duo/login_duo -d -c confs/mockduo_suffix.conf -f $http_code true; done
[4] Aborted Duo login for '400': HTTP 400
[4] Failsafe Duo login for '401': Invalid ikey or skey
[4] Aborted Duo login for '402': HTTP 402
[4] Aborted Duo login for '403': HTTP 403
[4] Aborted Duo login for '404': HTTP 404
[4] Failsafe Duo login for '500': HTTP 500
[4] Failsafe Duo login for '501': HTTP 501
[4] Failsafe Duo login for '502': HTTP 502
[4] Failsafe Duo login for '503': HTTP 503
[4] Failsafe Duo login for '504': HTTP 504
$ for http_code in 400 401 402 403 404 500 501 502 503 504; do ${BUILDDIR}/login_duo/login_duo -d -c confs/mockduo_failsecure_suffix.conf -f $http_code true; done
[4] Aborted Duo login for '400': HTTP 400
[3] Error in Duo login for '401': Invalid ikey or skey
[4] Aborted Duo login for '402': HTTP 402
[4] Aborted Duo login for '403': HTTP 403
[4] Aborted Duo login for '404': HTTP 404
[3] Error in Duo login for '500': HTTP 500
[3] Error in Duo login for '501': HTTP 501
[3] Error in Duo login for '502': HTTP 502
[3] Error in Duo login for '503': HTTP 503
[3] Error in Duo login for '504': HTTP 504
[1]

$ for http_code in 400 401 402 403 404 500 501 502 503 504; do ${BUILDDIR}/login_duo/login_duo -d -c confs/mockduo_autopush_suffix.conf -f $http_code true; done
[4] Aborted Duo login for '400': HTTP 400
[4] Failsafe Duo login for '401': Invalid ikey or skey
[4] Aborted Duo login for '402': HTTP 402
[4] Aborted Duo login for '403': HTTP 403
[4] Aborted Duo login for '404': HTTP 404
[4] Failsafe Duo login for '500': HTTP 500
[4] Failsafe Duo login for '501': HTTP 501
[4] Failsafe Duo login for '502': HTTP 502
[4] Failsafe Duo login for '503': HTTP 503
[4] Failsafe Duo login for '504': HTTP 504

With bad keys
$ ${BUILDDIR}/login_duo/login_duo -d -c confs/mockduo_badkeys_suffix.conf -f whatever true
[4] Failsafe Duo login for 'whatever': Invalid ikey or skey
$ ${BUILDDIR}/login_duo/login_duo -d -c confs/mockduo_badkeys_failsecure_suffix.conf -f whatever true
[3] Error in Duo login for 'whatever': Invalid ikey or skey
[1]

Preauth states
$ for user in preauth-ok-missing_response preauth-fail-missing_response preauth-bad-stat preauth-fail preauth-deny preauth-allow preauth-allow-bad_response; do ${BUILDDIR}/login_duo/login_duo -d -c confs/mockduo_suffix.conf -f $user true; done
[4] Failsafe Duo login for 'preauth-ok-missing_response': BSON missing valid 'response'
[4] Failsafe Duo login for 'preauth-fail-missing_response': BSON missing valid 'code'
[4] Failsafe Duo login for 'preauth-bad-stat'
[4] Failsafe Duo login for 'preauth-fail': BSON missing valid 'response'
[4] Aborted Duo login for 'preauth-deny': you suck
[4] Skipped Duo login for 'preauth-allow': you rock
[4] Failsafe Duo login for 'preauth-allow-bad_response': BSON missing valid 'status'
$ for user in preauth-ok-missing_response preauth-fail-missing_response preauth-bad-stat preauth-fail preauth-deny preauth-allow preauth-allow-bad_response; do ${BUILDDIR}/login_duo/login_duo -d -c confs/mockduo_failsecure_suffix.conf -f $user true; done
[3] Error in Duo login for 'preauth-ok-missing_response': BSON missing valid 'response'
[3] Error in Duo login for 'preauth-fail-missing_response': BSON missing valid 'code'
[3] Error in Duo login for 'preauth-bad-stat'
[3] Error in Duo login for 'preauth-fail': BSON missing valid 'response'
[4] Aborted Duo login for 'preauth-deny': you suck
[4] Skipped Duo login for 'preauth-allow': you rock
[3] Error in Duo login for 'preauth-allow-bad_response': BSON missing valid 'status'
[1]

Test manually-set hosts
$ for host in 1.2.3.4 XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:AAA.BBB.CCC.DDD nowhere "%s" "!@#$%^&*()_+<>{}|;'"; do ${BUILDDIR}/login_duo/login_duo -d -c confs/mockduo_suffix.conf -f preauth-allow -h $host true; done
[4] Skipped Duo login for 'preauth-allow' from 1.2.3.4: you rock
[4] Skipped Duo login for 'preauth-allow' from XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:AAA.BBB.CCC.DDD: you rock
[4] Skipped Duo login for 'preauth-allow' from nowhere: you rock
[4] Skipped Duo login for 'preauth-allow' from %s: you rock
[4] Skipped Duo login for 'preauth-allow' from !@#$%^&*()_+<>{}|;': you rock

Test SSH-set host
$ env SSH_CONNECTION="1.2.3.4 64903 127.0.0.1 22" ${BUILDDIR}/login_duo/login_duo -d -c confs/mockduo.conf -f preauth-allow true
[4] Skipped Duo login for 'preauth-allow' from 1.2.3.4: you rock
25 changes: 17 additions & 8 deletions tests/mockduo.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,7 @@
import sys
import time
import urllib
import re

IKEY = 'DIXYZV6YM8IFYVWBINCA'
SKEY = 'yWHSMhWucAcp7qvuH3HWTaSaKABs8Gaddiv1NIRo'
Expand Down Expand Up @@ -119,24 +120,32 @@ def do_POST(self):
return self._send(401)

try:
return self._send(int(self.args['user']))
user = re.search('^(\d+)', self.args['user'])
return self._send(int(user.group(0)))
except:
ret = { 'stat': 'OK' }

if self.path == '/rest/v1/preauth.bson':
if self.args['user'] == 'preauth-ok-missing_response':
if ((self.args['user'] == 'preauth-ok-missing_response') or
(self.args['user'] == '[email protected]')):
pass
elif self.args['user'] == 'preauth-fail-missing_response':
elif ((self.args['user'] == 'preauth-fail-missing_response') or
(self.args['user'] == '[email protected]')):
ret['stat'] = 'FAIL'
elif self.args['user'] == 'preauth-bad-stat':
elif ((self.args['user'] == 'preauth-bad-stat') or
(self.args['user'] == '[email protected]')):
ret['stat'] = 'FFFFUUUU'
elif self.args['user'] == 'preauth-fail':
elif ((self.args['user'] == 'preauth-fail') or
(self.args['user'] == '[email protected]')):
d = { 'stat': 'FAIL', 'code': 666, 'message': 'you fail' }
elif self.args['user'] == 'preauth-deny':
elif ((self.args['user'] == 'preauth-deny') or
(self.args['user'] == '[email protected]')):
ret['response'] = { 'result': 'deny', 'status': 'you suck' }
elif self.args['user'] == 'preauth-allow':
elif ((self.args['user'] == 'preauth-allow') or
(self.args['user'] == '[email protected]')):
ret['response'] = { 'result': 'allow', 'status': 'you rock' }
elif self.args['user'] == 'preauth-allow-bad_response':
elif ((self.args['user'] == 'preauth-allow-bad_response') or
(self.args['user'] == '[email protected]')):
ret['response'] = { 'result': 'allow', 'xxx': 'you rock' }
else:
ret['response'] = {
Expand Down
67 changes: 67 additions & 0 deletions tests/pam_duo-5.t
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,67 @@
mockduo with valid cert and suffix

$ cd ${TESTDIR}
$ python mockduo.py certs/mockduo.pem >/dev/null 2>&1 &
$ MOCKPID=$!
$ trap 'exec kill $MOCKPID >/dev/null 2>&1' EXIT
$ sleep 1

HTTP server errors
$ for http_code in 400 401 402 403 404 500 501 502 503 504; do ./testpam.py -d -c confs/mockduo_suffix.conf -f $http_code true; done
[4] Aborted Duo login for '400': HTTP 400
[4] Failsafe Duo login for '401': Invalid ikey or skey
[4] Aborted Duo login for '402': HTTP 402
[4] Aborted Duo login for '403': HTTP 403
[4] Aborted Duo login for '404': HTTP 404
[4] Failsafe Duo login for '500': HTTP 500
[4] Failsafe Duo login for '501': HTTP 501
[4] Failsafe Duo login for '502': HTTP 502
[4] Failsafe Duo login for '503': HTTP 503
[4] Failsafe Duo login for '504': HTTP 504
$ for http_code in 400 401 402 403 404 500 501 502 503 504; do ./testpam.py -d -c confs/mockduo_failsecure_suffix.conf -f $http_code true; done
[4] Aborted Duo login for '400': HTTP 400
[3] Error in Duo login for '401': Invalid ikey or skey
[4] Aborted Duo login for '402': HTTP 402
[4] Aborted Duo login for '403': HTTP 403
[4] Aborted Duo login for '404': HTTP 404
[3] Error in Duo login for '500': HTTP 500
[3] Error in Duo login for '501': HTTP 501
[3] Error in Duo login for '502': HTTP 502
[3] Error in Duo login for '503': HTTP 503
[3] Error in Duo login for '504': HTTP 504
[1]

With bad keys
$ ./testpam.py -d -c confs/mockduo_badkeys_suffix.conf -f whatever true
[4] Failsafe Duo login for 'whatever': Invalid ikey or skey
$ ./testpam.py -d -c confs/mockduo_badkeys_failsecure_suffix.conf -f whatever true
[3] Error in Duo login for 'whatever': Invalid ikey or skey
[1]

Preauth states
$ for user in preauth-ok-missing_response preauth-fail-missing_response preauth-bad-stat preauth-fail preauth-deny preauth-allow preauth-allow-bad_response; do ./testpam.py -d -c confs/mockduo_suffix.conf -f $user true; done
[4] Failsafe Duo login for 'preauth-ok-missing_response': BSON missing valid 'response'
[4] Failsafe Duo login for 'preauth-fail-missing_response': BSON missing valid 'code'
[4] Failsafe Duo login for 'preauth-bad-stat'
[4] Failsafe Duo login for 'preauth-fail': BSON missing valid 'response'
[4] Aborted Duo login for 'preauth-deny': you suck
[4] Skipped Duo login for 'preauth-allow': you rock
[4] Failsafe Duo login for 'preauth-allow-bad_response': BSON missing valid 'status'
$ for user in preauth-ok-missing_response preauth-fail-missing_response preauth-bad-stat preauth-fail preauth-deny preauth-allow preauth-allow-bad_response; do ./testpam.py -d -c confs/mockduo_failsecure_suffix.conf -f $user true; done
[3] Error in Duo login for 'preauth-ok-missing_response': BSON missing valid 'response'
[3] Error in Duo login for 'preauth-fail-missing_response': BSON missing valid 'code'
[3] Error in Duo login for 'preauth-bad-stat'
[3] Error in Duo login for 'preauth-fail': BSON missing valid 'response'
[4] Aborted Duo login for 'preauth-deny': you suck
[4] Skipped Duo login for 'preauth-allow': you rock
[3] Error in Duo login for 'preauth-allow-bad_response': BSON missing valid 'status'
[1]

Test manually-set hosts
$ for host in 1.2.3.4 XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:AAA.BBB.CCC.DDD nowhere "%s" "!@#$%^&*()_+<>{}|;'"; do ./testpam.py -d -c confs/mockduo_suffix.conf -f preauth-allow -h $host true; done
[4] Skipped Duo login for 'preauth-allow' from 1.2.3.4: you rock
[4] Skipped Duo login for 'preauth-allow' from XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:AAA.BBB.CCC.DDD: you rock
[4] Skipped Duo login for 'preauth-allow' from nowhere: you rock
[4] Skipped Duo login for 'preauth-allow' from %s: you rock
[4] Skipped Duo login for 'preauth-allow' from !@#$%^&*()_+<>{}|;': you rock

0 comments on commit 2b49644

Please sign in to comment.