- # -*- coding: utf-8 -*-
- '''
- tests.integration.shell.auth
- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- '''
- # Import Python libs
- from __future__ import absolute_import, print_function, unicode_literals
- import logging
- try:
- import pwd
- import grp
- except ImportError:
- pwd, grp = None, None
- import random
- # Import Salt Testing libs
- from tests.support.case import ShellCase
- from tests.support.unit import skipIf
- from tests.support.helpers import destructiveTest, skip_if_not_root
- # Import Salt libs
- import salt.utils.platform
- from salt.utils.pycrypto import gen_hash
- # Import 3rd-party libs
- from salt.ext.six.moves import range # pylint: disable=import-error,redefined-builtin
# Module-level logger, named after this module.
log = logging.getLogger(__name__)
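def gen_password():
    '''
    Generate a random 20-character alphanumeric password and hash it.

    Returns a ``(password, hashed_pwd)`` tuple: the plaintext password and
    the value produced by ``gen_hash`` for it with the ``sha512`` algorithm.
    '''
    alphabet = ('abcdefghijklmnopqrstuvwxyz'
                '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ')

    # Draw from the operating system's CSPRNG. The module-level ``random``
    # functions use a deterministic generator that is not meant for
    # credentials, even short-lived ones assigned to real local accounts.
    rng = random.SystemRandom()
    password = ''.join(rng.choice(alphabet) for _ in range(20))

    # NOTE(review): the first argument ('salt') is presumably the crypt salt,
    # so every generated hash shares one fixed salt. That is tolerable only
    # because these are throwaway test accounts -- confirm against gen_hash.
    hashed_pwd = gen_hash('salt', password, 'sha512')

    return (password, hashed_pwd)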
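@skip_if_not_root
@skipIf(pwd is None, 'Skip if no pwd module exists')
@destructiveTest
class AuthTest(ShellCase):
    '''
    Test auth mechanisms

    The fixtures create and delete real local accounts (``saltdev``,
    ``saltadm``) and a group (``saltops``) on the host running the tests,
    which is why the class is marked destructive and requires root.
    '''

    _call_binary_ = 'salt'

    # userA authenticates directly; userB authenticates through membership
    # of ``group`` (see test_pam_auth_valid_group).
    userA = 'saltdev'
    userB = 'saltadm'
    group = 'saltops'

    def setUp(self):
        '''
        Ensure both test users and the test group exist before each test.
        '''
        for user in (self.userA, self.userB):
            try:
                if salt.utils.platform.is_darwin() and user not in str(self.run_call('user.list_users')):
                    # workaround for https://github.com/saltstack/salt-jenkins/issues/504
                    raise KeyError
                pwd.getpwnam(user)
            except KeyError:
                self.run_call('user.add {0} createhome=False'.format(user))

        try:
            if salt.utils.platform.is_darwin() and self.group not in str(self.run_call('group.info {0}'.format(self.group))):
                # workaround for https://github.com/saltstack/salt-jenkins/issues/504
                raise KeyError
            grp.getgrnam(self.group)
        except KeyError:
            self.run_call('group.add {0}'.format(self.group))

        # only put userB into the group for the group auth test.
        # Done whether or not the group had to be created, so a group left
        # behind by an aborted run still ends up containing userB; the
        # trailing True is the append flag, which keeps the call idempotent.
        self.run_call('user.chgroups {0} {1} True'.format(self.userB, self.group))

    def tearDown(self):
        '''
        Remove the test users and the test group if they exist.
        '''
        for user in (self.userA, self.userB):
            try:
                pwd.getpwnam(user)
            except KeyError:
                # account is already gone, nothing to clean up
                pass
            else:
                self.run_call('user.delete {0}'.format(user))

        try:
            grp.getgrnam(self.group)
        except KeyError:
            pass
        else:
            self.run_call('group.delete {0}'.format(self.group))

    def _set_random_password(self, user):
        '''
        Assign ``user`` a freshly generated password and return the plaintext.
        '''
        password, hashed_pwd = gen_password()
        # The plaintext is handed to shadow.set_password on macOS and the
        # pre-computed hash everywhere else. gen_password only emits
        # alphanumerics, so the plaintext cannot break out of the quoting
        # here or in the --password argument built by the callers.
        set_pw_cmd = "shadow.set_password {0} '{1}'".format(
            user,
            password if salt.utils.platform.is_darwin() else hashed_pwd
        )
        self.run_call(set_pw_cmd)
        return password

    def test_pam_auth_valid_user(self):
        '''
        test that pam auth mechanism works with a valid user
        '''
        password = self._set_random_password(self.userA)

        # test user auth against pam
        # NOTE: --password puts the secret on the command line, where other
        # local users can read it from the process list. Acceptable only
        # because the account is a throwaway removed in tearDown.
        cmd = ('-a pam "*" test.ping '
               '--username {0} --password {1}'.format(self.userA, password))
        resp = self.run_salt(cmd)
        log.debug('resp = %s', resp)
        self.assertIn('minion:', resp)

    def test_pam_auth_invalid_user(self):
        '''
        test pam auth mechanism errors for an invalid user
        '''
        cmd = ('-a pam "*" test.ping '
               '--username nouser --password {0}'.format('abcd1234'))
        resp = self.run_salt(cmd)
        self.assertIn('Authentication error occurred.', ''.join(resp))

    def test_pam_auth_valid_group(self):
        '''
        test that pam auth mechanism works for a valid group
        '''
        password = self._set_random_password(self.userB)

        # test group auth against pam: saltadm is not configured in
        # external_auth, but saltops is and saltadm is a member of saltops
        cmd = ('-a pam "*" test.ping '
               '--username {0} --password {1}'.format(self.userB, password))
        resp = self.run_salt(cmd)
        self.assertIn('minion:', resp)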