summaryrefslogtreecommitdiff
path: root/smoketest/scripts/cli
diff options
context:
space:
mode:
authorChristian Poessinger <christian@poessinger.com>2020-09-19 21:57:08 +0200
committerChristian Poessinger <christian@poessinger.com>2020-09-19 21:57:22 +0200
commit41a8c45c6b188646d6c6ac97bfaa2dffaffe1653 (patch)
tree562005b7e2b100f54dbd3dbfe9887b61a3ce6880 /smoketest/scripts/cli
parentd1c9ee33f25e45cea0d01f9685f99c960ed4d7f8 (diff)
downloadvyos-1x-41a8c45c6b188646d6c6ac97bfaa2dffaffe1653.tar.gz
vyos-1x-41a8c45c6b188646d6c6ac97bfaa2dffaffe1653.zip
smoketest: T2886: validate RADIUS configuration
Diffstat (limited to 'smoketest/scripts/cli')
-rwxr-xr-xsmoketest/scripts/cli/test_service_ssh.py2
-rwxr-xr-xsmoketest/scripts/cli/test_system_login.py70
2 files changed, 68 insertions, 4 deletions
diff --git a/smoketest/scripts/cli/test_service_ssh.py b/smoketest/scripts/cli/test_service_ssh.py
index 1038b8775..79850fe44 100755
--- a/smoketest/scripts/cli/test_service_ssh.py
+++ b/smoketest/scripts/cli/test_service_ssh.py
@@ -27,7 +27,7 @@ base_path = ['service', 'ssh']
def get_config_value(key):
tmp = read_file(SSHD_CONF)
- tmp = re.findall(r'\n?{}\s+(.*)'.format(key), tmp)
+ tmp = re.findall(f'\n?{key}\s+(.*)', tmp)
return tmp
def is_service_running():
diff --git a/smoketest/scripts/cli/test_system_login.py b/smoketest/scripts/cli/test_system_login.py
index 3c4b1fa28..48ae78ccf 100755
--- a/smoketest/scripts/cli/test_system_login.py
+++ b/smoketest/scripts/cli/test_system_login.py
@@ -16,11 +16,15 @@
import os
import re
+import platform
import unittest
+from platform import release as kernel_version
from subprocess import Popen, PIPE
-from vyos.configsession import ConfigSession, ConfigSessionError
-import vyos.util as util
+
+from vyos.configsession import ConfigSession
+from vyos.util import cmd
+from vyos.util import read_file
base_path = ['system', 'login']
users = ['vyos1', 'vyos2']
@@ -37,7 +41,7 @@ class TestSystemLogin(unittest.TestCase):
self.session.commit()
del self.session
- def test_user(self):
+ def test_local_user(self):
""" Check if user can be created and we can SSH to localhost """
self.session.set(['service', 'ssh', 'port', '22'])
@@ -63,5 +67,65 @@ class TestSystemLogin(unittest.TestCase):
# b'Linux vyos 4.19.101-amd64-vyos #1 SMP Sun Feb 2 10:18:07 UTC 2020 x86_64 GNU/Linux\n'
self.assertTrue(len(stdout) > 40)
+ def test_radius_kernel_features(self):
+ """ T2886: RADIUS requires some Kernel options to be present """
+ kernel = platform.release()
+ kernel_config = read_file(f'/boot/config-{kernel}')
+
+ # T2886 - RADIUS authentication - check for statically compiled
+ # options (=y)
+ for option in ['CONFIG_AUDIT', 'CONFIG_HAVE_ARCH_AUDITSYSCALL',
+ 'CONFIG_AUDITSYSCALL', 'CONFIG_AUDIT_WATCH',
+ 'CONFIG_AUDIT_TREE', 'CONFIG_AUDIT_ARCH']:
+ self.assertIn(f'{option}=y', kernel_config)
+
+ def test_radius_config(self):
+ """ Verify generated RADIUS configuration files """
+
+ radius_key = 'VyOSsecretVyOS'
+ radius_server = '172.16.100.10'
+ radius_source = '127.0.0.1'
+ radius_port = '2000'
+ radius_timeout = '1'
+
+ self.session.set(base_path + ['radius', 'server', radius_server, 'key', radius_key])
+ self.session.set(base_path + ['radius', 'server', radius_server, 'port', radius_port])
+ self.session.set(base_path + ['radius', 'server', radius_server, 'timeout', radius_timeout])
+ self.session.set(base_path + ['radius', 'source-address', radius_source])
+
+ self.session.commit()
+
+ # this file must be read with higher permissions
+ pam_radius_auth_conf = cmd('sudo cat /etc/pam_radius_auth.conf')
+ tmp = re.findall(r'\n?{}:{}\s+{}\s+{}\s+{}'.format(radius_server,
+ radius_port, radius_key, radius_timeout,
+ radius_source), pam_radius_auth_conf)
+ self.assertTrue(tmp)
+
+ # required, static options
+ self.assertIn('priv-lvl 15', pam_radius_auth_conf)
+ self.assertIn('mapped_priv_user radius_priv_user', pam_radius_auth_conf)
+
+ # PAM
+ pam_common_account = read_file('/etc/pam.d/common-account')
+ self.assertIn('pam_radius_auth.so', pam_common_account)
+
+ pam_common_auth = read_file('/etc/pam.d/common-auth')
+ self.assertIn('pam_radius_auth.so', pam_common_auth)
+
+ pam_common_session = read_file('/etc/pam.d/common-session')
+ self.assertIn('pam_radius_auth.so', pam_common_session)
+
+ pam_common_session_noninteractive = read_file('/etc/pam.d/common-session-noninteractive')
+ self.assertIn('pam_radius_auth.so', pam_common_session_noninteractive)
+
+ # NSS
+ nsswitch_conf = read_file('/etc/nsswitch.conf')
+ tmp = re.findall(r'passwd:\s+mapuid\s+files\s+mapname', nsswitch_conf)
+ self.assertTrue(tmp)
+
+ tmp = re.findall(r'group:\s+mapname\s+files', nsswitch_conf)
+ self.assertTrue(tmp)
+
if __name__ == '__main__':
unittest.main()