From 41a8c45c6b188646d6c6ac97bfaa2dffaffe1653 Mon Sep 17 00:00:00 2001
From: Christian Poessinger
Date: Sat, 19 Sep 2020 21:57:08 +0200
Subject: smoketest: T2886: validate RADIUS configuration
---
 smoketest/scripts/cli/test_service_ssh.py | 2 +-
 smoketest/scripts/cli/test_system_login.py | 70 +++++++++++++++++++++++--
 smoketest/scripts/system/test_kernel_options.py | 36 -------------
 3 files changed, 68 insertions(+), 40 deletions(-)
 delete mode 100755 smoketest/scripts/system/test_kernel_options.py
(limited to 'smoketest')
diff --git a/smoketest/scripts/cli/test_service_ssh.py b/smoketest/scripts/cli/test_service_ssh.py
index 1038b8775..79850fe44 100755
--- a/smoketest/scripts/cli/test_service_ssh.py
+++ b/smoketest/scripts/cli/test_service_ssh.py
@@ -27,7 +27,7 @@ base_path = ['service', 'ssh']
 def get_config_value(key):
 tmp = read_file(SSHD_CONF)
- tmp = re.findall(r'\n?{}\s+(.*)'.format(key), tmp)
+ tmp = re.findall(f'\n?{key}\s+(.*)', tmp)
 return tmp
 def is_service_running():
diff --git a/smoketest/scripts/cli/test_system_login.py b/smoketest/scripts/cli/test_system_login.py
index 3c4b1fa28..48ae78ccf 100755
--- a/smoketest/scripts/cli/test_system_login.py
+++ b/smoketest/scripts/cli/test_system_login.py
@@ -16,11 +16,15 @@
 import os
 import re
+import platform
 import unittest
+from platform import release as kernel_version
 from subprocess import Popen, PIPE
-from vyos.configsession import ConfigSession, ConfigSessionError
-import vyos.util as util
+
+from vyos.configsession import ConfigSession
+from vyos.util import cmd
+from vyos.util import read_file
 base_path = ['system', 'login']
 users = ['vyos1', 'vyos2']
@@ -37,7 +41,7 @@ class TestSystemLogin(unittest.TestCase):
 self.session.commit()
 del self.session
- def test_user(self):
+ def test_local_user(self):
 """ Check if user can be created and we can SSH to localhost """
 self.session.set(['service', 'ssh', 'port', '22'])
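Review bot: In `get_config_value` (test_service_ssh.py) the rewritten pattern `f'\n?{key}\s+(.*)'` drops the raw-string prefix that the old `.format()` version had, so `\s` is now an invalid string escape (a DeprecationWarning, and a SyntaxWarning on newer Python) and `\n` becomes a literal newline before `re` ever sees it. Writing it as `rf'\n?{re.escape(key)}\s+(.*)'` keeps the regex intact and also stops metacharacters in `key` from being interpreted. Because `\n?` is optional the match is not anchored to the start of a line, so a commented-out directive in the file read from `SSHD_CONF` would be returned too; `(?m)^` in place of `\n?` would be stricter.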
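Review bot: In the import hunk of test_system_login.py, `from platform import release as kernel_version` is added next to `import platform`, but the new `test_radius_kernel_features` calls `platform.release()` and nothing visible in this patch uses `kernel_version`. One of the two imports is enough: drop the alias, or write `kernel = kernel_version()` in the test and drop `import platform`. `ConfigSessionError` is also removed from the import, which is fine only if no test outside these hunks still refers to it.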
@@ -63,5 +67,65 @@ class TestSystemLogin(unittest.TestCase):
 # b'Linux vyos 4.19.101-amd64-vyos #1 SMP Sun Feb 2 10:18:07 UTC 2020 x86_64 GNU/Linux\n'
 self.assertTrue(len(stdout) > 40)
+ def test_radius_kernel_features(self):
+ """ T2886: RADIUS requires some Kernel options to be present """
+ kernel = platform.release()
+ kernel_config = read_file(f'/boot/config-{kernel}')
+
+ # T2886 - RADIUS authentication - check for statically compiled
+ # options (=y)
+ for option in ['CONFIG_AUDIT', 'CONFIG_HAVE_ARCH_AUDITSYSCALL',
+ 'CONFIG_AUDITSYSCALL', 'CONFIG_AUDIT_WATCH',
+ 'CONFIG_AUDIT_TREE', 'CONFIG_AUDIT_ARCH']:
+ self.assertIn(f'{option}=y', kernel_config)
+
+ def test_radius_config(self):
+ """ Verify generated RADIUS configuration files """
+
+ radius_key = 'VyOSsecretVyOS'
+ radius_server = '172.16.100.10'
+ radius_source = '127.0.0.1'
+ radius_port = '2000'
+ radius_timeout = '1'
+
+ self.session.set(base_path + ['radius', 'server', radius_server, 'key', radius_key])
+ self.session.set(base_path + ['radius', 'server', radius_server, 'port', radius_port])
+ self.session.set(base_path + ['radius', 'server', radius_server, 'timeout', radius_timeout])
+ self.session.set(base_path + ['radius', 'source-address', radius_source])
+
+ self.session.commit()
+
+ # this file must be read with higher permissions
+ pam_radius_auth_conf = cmd('sudo cat /etc/pam_radius_auth.conf')
+ tmp = re.findall(r'\n?{}:{}\s+{}\s+{}\s+{}'.format(radius_server,
+ radius_port, radius_key, radius_timeout,
+ radius_source), pam_radius_auth_conf)
+ self.assertTrue(tmp)
+
+ # required, static options
+ self.assertIn('priv-lvl 15', pam_radius_auth_conf)
+ self.assertIn('mapped_priv_user radius_priv_user', pam_radius_auth_conf)
+
+ # PAM
+ pam_common_account = read_file('/etc/pam.d/common-account')
+ self.assertIn('pam_radius_auth.so', pam_common_account)
+
+ pam_common_auth = read_file('/etc/pam.d/common-auth')
+ self.assertIn('pam_radius_auth.so', pam_common_auth)
+
+ pam_common_session = read_file('/etc/pam.d/common-session')
+ self.assertIn('pam_radius_auth.so', pam_common_session)
+
+ pam_common_session_noninteractive = read_file('/etc/pam.d/common-session-noninteractive')
+ self.assertIn('pam_radius_auth.so', pam_common_session_noninteractive)
+
+ # NSS
+ nsswitch_conf = read_file('/etc/nsswitch.conf')
+ tmp = re.findall(r'passwd:\s+mapuid\s+files\s+mapname', nsswitch_conf)
+ self.assertTrue(tmp)
+
+ tmp = re.findall(r'group:\s+mapname\s+files', nsswitch_conf)
+ self.assertTrue(tmp)
+
 if __name__ == '__main__':
 unittest.main()
diff --git a/smoketest/scripts/system/test_kernel_options.py b/smoketest/scripts/system/test_kernel_options.py
deleted file mode 100755
index 8c96d96fb..000000000
--- a/smoketest/scripts/system/test_kernel_options.py
+++ /dev/null
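Review bot: `test_radius_config` reads `/etc/pam_radius_auth.conf` through `sudo cat` because the file holds the RADIUS shared secret, but nothing asserts that the file is actually restricted, so a regression that rendered it world-readable would still pass. Assuming owner-only access is the intended mode, an assertion such as `self.assertFalse(os.stat('/etc/pam_radius_auth.conf').st_mode & 0o077)` right after the read would cover it. Separately, the server line is matched with an unescaped `.format()` pattern, so the dots in `172.16.100.10` match any character; wrapping the values in `re.escape()` makes the check exact. The four `assertIn('pam_radius_auth.so', …)` checks are plain substring tests and would also accept a commented-out module line.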
@@ -1,36 +0,0 @@
-#!/usr/bin/env python3
-#
-# Copyright (C) 2020 VyOS maintainers and contributors
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 or later as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
-
-import os
-import platform
-import unittest
-
-kernel = platform.release()
-with open(f'/boot/config-{kernel}') as f:
- config = f.read()
-
-class TestKernelModules(unittest.TestCase):
-
- def test_radius_auth_t2886(self):
- # T2886 - RADIUS authentication - check for statically compiled
- # options (=y)
- for option in ['CONFIG_AUDIT', 'CONFIG_HAVE_ARCH_AUDITSYSCALL',
- 'CONFIG_AUDITSYSCALL', 'CONFIG_AUDIT_WATCH',
- 'CONFIG_AUDIT_TREE', 'CONFIG_AUDIT_ARCH']:
- self.assertIn(f'{option}=y', config)
-
-if __name__ == '__main__':
- unittest.main()
--
cgit v1.2.3