test(#3701): add authd test when authd.pass is empty
* fix(#3701): minor changes * feat(#3701): add empty password tests for authd * style(#3701): fix indents and unnecessary quotes * feat(#3701): finish new authd tests * docs(#3701): changelog updated * revert(#3701): testfile refactor reverted * docs(#3701): add fixture description * feat(#3701): add new test case * fix(#3701): spaces filled password case is now xfail * fix(#3701): password declared directly in the yaml * docs(#3701): comment improvement Co-authored-by: Seyla Dámaris Gomez <[email protected]> * style(#3701): adapt test structure * docs(#3701): fix docstrings * revert(#3701): remove yaml key validation inside test func * fix(#3701): correct a typo and move constant to init --------- Co-authored-by: Seyla Dámaris Gomez <[email protected]>
Showing
7 changed files
with
254 additions
and
0 deletions.
@@ -0,0 +1,8 @@ | ||
''' | ||
copyright: Copyright (C) 2015-2023, Wazuh Inc. | ||
Created by Wazuh, Inc. <[email protected]>. | ||
This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 | ||
''' | ||
|
||
# Variables | ||
AUTHD_PREFIX = r'.*wazuh-authd.*' |
51 changes: 51 additions & 0 deletions
51
deps/wazuh_testing/wazuh_testing/modules/authd/event_monitor.py
@@ -0,0 +1,51 @@ | ||
''' | ||
copyright: Copyright (C) 2015-2023, Wazuh Inc. | ||
Created by Wazuh, Inc. <[email protected]>. | ||
This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 | ||
''' | ||
import re | ||
|
||
from wazuh_testing import T_30 | ||
from wazuh_testing.modules.authd import AUTHD_PREFIX | ||
from wazuh_testing.tools import LOG_FILE_PATH | ||
from wazuh_testing.tools.monitoring import FileMonitor | ||
|
||
|
||
def make_authd_callback(pattern, prefix=AUTHD_PREFIX): | ||
"""Create a callback function from a text pattern. | ||
It already contains the authd prefix. | ||
Args: | ||
pattern (str): String to match on the log. | ||
prefix (str): regular expression used as prefix before the pattern. | ||
Returns: | ||
lambda: function that returns if there's a match in the file | ||
Examples: | ||
>>> callback_empty_pass_error = make_authd_callback("ERROR: Empty password provided.") | ||
""" | ||
pattern = r'\s+'.join(pattern.split()) | ||
regex = re.compile(r'{}{}'.format(prefix, pattern)) | ||
|
||
return lambda line: regex.match(line) is not None | ||
|
||
|
||
def check_authd_event(file_monitor=None, callback='', error_message=None, update_position=True, | ||
prefix=AUTHD_PREFIX, timeout=T_30, accum_results=1, file_to_monitor=LOG_FILE_PATH): | ||
"""Check if an authd event occurs. | ||
Args: | ||
file_monitor (FileMonitor): FileMonitor object to monitor the file content. | ||
callback (str): log regex to check in Wazuh log | ||
error_message (str): error message to show in case of expected event does not occur | ||
update_position (boolean): filter configuration parameter to search in Wazuh log | ||
timeout (str): timeout to check the event in Wazuh log | ||
accum_results (int): Accumulation of matches. | ||
""" | ||
file_monitor = FileMonitor(file_to_monitor) if file_monitor is None else file_monitor | ||
error_message = f"Could not find this event in {file_to_monitor}: {callback}" if not error_message \ | ||
else error_message | ||
|
||
file_monitor.start(timeout=timeout, update_position=update_position, accum_results=accum_results, | ||
callback=make_authd_callback(callback, prefix), error_message=error_message) |
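Review bot: With the default `callback=''`, `check_authd_event()` compiles a regex consisting of the prefix alone, so a call that forgets the pattern succeeds on any wazuh-authd log line instead of the specific event; a guard such as `if not callback: raise ValueError('callback pattern must not be empty')` before the monitor is built would make that misuse fail loudly. The docstring lists `timeout (str)`, but the default `T_30` is passed straight to `FileMonitor.start` as a timeout and is presumably numeric, and the `prefix` and `file_to_monitor` parameters are not documented at all; add `prefix (str): regex placed before the callback pattern.` and `file_to_monitor (str): path of the log file to monitor.` to the Args section and correct the timeout type. It is also worth stating in `make_authd_callback`'s docstring that the pattern is not escaped, so a plain message such as `Empty password provided.` is interpreted as a regex in which `.` matches any character.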
29 changes: 29 additions & 0 deletions
29
...integration/test_authd/data/configuration_template/config_authd_use_password_invalid.yaml
@@ -0,0 +1,29 @@ | ||
- tags: | ||
- authd | ||
apply_to_modules: | ||
- test_use_password_invalid | ||
sections: | ||
- section: auth | ||
elements: | ||
- disabled: | ||
value: 'no' | ||
- port: | ||
value: 1515 | ||
- use_source_ip: | ||
value: 'no' | ||
- purge: | ||
value: 'yes' | ||
- use_password: | ||
value: USE_PASSWORD | ||
- limit_maxagents: | ||
value: 'yes' | ||
- ciphers: | ||
value: HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH | ||
- ssl_verify_host: | ||
value: 'no' | ||
- ssl_manager_cert: | ||
value: /var/ossec/etc/sslmanager.cert | ||
- ssl_manager_key: | ||
value: /var/ossec/etc/sslmanager.key | ||
- ssl_auto_negotiate: | ||
value: 'no' |
19 changes: 19 additions & 0 deletions
19
tests/integration/test_authd/data/test_cases/cases_authd_use_password_invalid.yaml
@@ -0,0 +1,19 @@ | ||
- name: Use empty password file. | ||
description: Set the use_password tag with the value 'yes', | ||
create the file authd.pass and keep it empty | ||
making authd impossible to start. | ||
configuration_parameters: | ||
USE_PASSWORD: 'yes' | ||
metadata: | ||
error: Empty password provided. | ||
password: '' | ||
|
||
- name: Use only spaces password. | ||
description: Set the use_password tag with the value 'yes', | ||
create the file authd.pass and fill it with only | ||
spaces making authd impossible to start. | ||
configuration_parameters: | ||
USE_PASSWORD: 'yes' | ||
metadata: | ||
error: Invalid password provided. | ||
password: ' ' |
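Review bot: The second case's description says a whitespace-only password makes authd impossible to start, but the test module marks exactly this case as xfail pending wazuh/wazuh#16282, so the data file overstates current behaviour. A comment above the case such as `# Currently xfail: authd does not yet validate whitespace-only passwords (wazuh/wazuh#16282).` would keep the cases file honest for anyone reading it without the test code.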
145 changes: 145 additions & 0 deletions
145
tests/integration/test_authd/test_authd_use_password_invalid.py
@@ -0,0 +1,145 @@ | ||
''' | ||
copyright: Copyright (C) 2015-2023, Wazuh Inc. | ||
Created by Wazuh, Inc. <[email protected]>. | ||
This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 | ||
type: integration | ||
brief: These tests will check invalid values in the authd.pass (for now just checks 'empty') | ||
raises the expected error logs. | ||
components: | ||
- authd | ||
suite: use_password | ||
targets: | ||
- manager | ||
daemons: | ||
- wazuh-authd | ||
os_platform: | ||
- linux | ||
os_version: | ||
- Arch Linux | ||
- Amazon Linux 2 | ||
- Amazon Linux 1 | ||
- CentOS 8 | ||
- CentOS 7 | ||
- Debian Buster | ||
- Red Hat 8 | ||
- Ubuntu Focal | ||
- Ubuntu Bionic | ||
tags: | ||
- enrollment | ||
- authd | ||
''' | ||
|
||
import pytest | ||
|
||
import os | ||
|
||
from wazuh_testing.modules.authd import event_monitor as evm | ||
from wazuh_testing import DEFAULT_AUTHD_PASS_PATH | ||
from wazuh_testing.tools.file import write_file, delete_file | ||
from wazuh_testing.tools.configuration import get_test_cases_data, load_configuration_template | ||
from wazuh_testing.tools.services import control_service | ||
|
||
|
||
# Reference paths | ||
TEST_DATA_PATH = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') | ||
CONFIGURATIONS_PATH = os.path.join(TEST_DATA_PATH, 'configuration_template') | ||
TEST_CASES_PATH = os.path.join(TEST_DATA_PATH, 'test_cases') | ||
|
||
# Marks | ||
pytestmark = [pytest.mark.server, pytest.mark.tier(level=1)] | ||
|
||
# Configuration and cases data | ||
test_cases_path = os.path.join(TEST_CASES_PATH, 'cases_authd_use_password_invalid.yaml') | ||
configurations_path = os.path.join(CONFIGURATIONS_PATH, 'config_authd_use_password_invalid.yaml') | ||
|
||
# Test configurations | ||
params, metadata, case_ids = get_test_cases_data(test_cases_path) | ||
configuration = load_configuration_template(configurations_path, params, metadata) | ||
local_internal_options = {'authd.debug': '2'} | ||
|
||
|
||
# Fixture | ||
@pytest.fixture() | ||
def set_authd_pass(metadata: dict): | ||
"""Configure the file 'authd.pass' as needed for the test.""" | ||
# Write the content in the authd.pass file. | ||
write_file(DEFAULT_AUTHD_PASS_PATH, metadata.get('password')) | ||
|
||
yield | ||
|
||
# Delete the file as by default it doesn't exist. | ||
delete_file(DEFAULT_AUTHD_PASS_PATH) | ||
|
||
|
||
# Test | ||
@pytest.mark.parametrize('metadata, configuration', zip(metadata, configuration), ids=case_ids) | ||
def test_authd_use_password_invalid(metadata, configuration, truncate_monitored_files, | ||
configure_local_internal_options_module, set_authd_pass, | ||
set_wazuh_configuration, tear_down): | ||
''' | ||
description: | ||
Checks the correct errors are raised when an invalid password value | ||
is configured in the authd.pass file. This test expects the error log | ||
to come from the cases yaml, this is done this way to handle easily | ||
the different error logs that could be raised from different inputs. | ||
wazuh_min_version: | ||
4.5.0 | ||
tier: 1 | ||
parameters: | ||
- configuration: | ||
type: dict | ||
brief: Configuration loaded from `configuration_template`. | ||
- metadata: | ||
type: dict | ||
brief: Test case metadata. | ||
- set_wazuh_configuration: | ||
type: fixture | ||
brief: Set wazuh configuration. | ||
- truncate_monitored_files: | ||
type: fixture | ||
brief: Truncate all the log files and json alerts files before and after the test execution. | ||
- configure_local_internal_options_module: | ||
type: fixture | ||
brief: Configure the local internal options file. | ||
- set_authd_pass: | ||
type: fixture | ||
brief: Configures the `authd.pass` file as needed. | ||
- tear_down: | ||
type: fixture | ||
brief: Roll back the daemon and client.keys state after the test ends. | ||
assertions: | ||
- Error log 'Empty password provided.' is raised in ossec.log. | ||
- wazuh-manager.service must not be able to restart. | ||
input_description: | ||
./data/configuration_template/config_authd_use_password_invalid.yaml: Wazuh config needed for the tests. | ||
./data/test_cases/cases_authd_use_password_invalid.yaml: Values to be used and expected error. | ||
expected_output: | ||
- .*Empty password provided. | ||
- .*Invalid password provided. | ||
''' | ||
if metadata.get('error') == 'Invalid password provided.': | ||
pytest.xfail(reason="No password validation in authd.pass - Issue wazuh/wazuh#16282.") | ||
|
||
# Verify wazuh-manager fails at restart. | ||
with pytest.raises(ValueError): | ||
control_service('restart') | ||
|
||
# Verify the error log is raised. | ||
evm.check_authd_event(callback=metadata.get('error')) |
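Review bot: `set_authd_pass` writes `metadata.get('password')` to `DEFAULT_AUTHD_PASS_PATH`, so a case entry that lacks a `password` key hands `None` to `write_file` instead of failing at setup; indexing with `metadata['password']` raises a clear `KeyError` for a malformed cases file, which keeps the intent of the reverted key validation without any logic in the test function. The fixture's teardown deletes the file unconditionally on the assumption that it does not exist by default, so a run on a host that already has an `authd.pass` would lose it; saving any existing file before the write and restoring it after the `yield` would be safer. In the test body, selecting the xfail by comparing `metadata.get('error')` against the literal `'Invalid password provided.'` duplicates a string from the cases yaml, and a dedicated per-case metadata flag checked by the test would keep that decision in one place. Minor style: `import os` belongs before `import pytest`, standard library first.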