test(#3701): add authd test when authd.pass is empty

* fix(#3701): minor changes

* feat(#3701): add empty password tests for authd

* style(#3701): fix indents and unnecessary quotes

* feat(#3701): finish new authd tests

* docs(#3701): changelog updated

* revert(#3701): testfile refactor reverted

* docs(#3701): add fixture description

* feat(#3701): add new test case

* fix(#3701): spaces filled password case is now xfail

* fix(#3701): password declared directly in the yaml

* docs(#3701): comment improvement

Co-authored-by: Seyla Dámaris Gomez <[email protected]>

* style(#3701): adapt test strucure

* docs(#3701): fix docstrings

* revert(#3701): remove yaml key validation inside test func

* fix(#3701): correct a typo and move constant to init

---------

Co-authored-by: Seyla Dámaris Gomez <[email protected]>

CHANGELOG.md

@@ -43,6 +43,7 @@ Release report: TBD
 
 ### Added
 
+- Add new integration test for `authd` to validate error when `authd.pass` is empty ([#3721](https:/wazuh/wazuh-qa/pull/3721)) \- (Framework + Tests)
 - Add new test to check missing fields in `cpe_helper.json` file ([#3766](https:/wazuh/wazuh-qa/pull/3766)) \- (Framework + Tests)
 - Add new test to check cpe_helper.json file ([#3731](https:/wazuh/wazuh-qa/pull/3731))
 - Add new tests analysid handling of invalid/empty rule signature IDs ([#3649]

deps/wazuh_testing/wazuh_testing/__init__.py

@@ -39,6 +39,7 @@
 API_LOG_FOLDER = os.path.join(WAZUH_PATH, 'logs', 'api')
 WAZUH_TESTING_PATH = os.path.dirname(os.path.abspath(__file__))
 WAZUH_TESTING_DATA_PATH = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data')
+DEFAULT_AUTHD_PASS_PATH = os.path.join(WAZUH_PATH, 'etc', 'authd.pass')
 
 
 # Daemons

deps/wazuh_testing/wazuh_testing/modules/authd/__init__.py

@@ -0,0 +1,8 @@
+'''
+copyright: Copyright (C) 2015-2023, Wazuh Inc.
+ Created by Wazuh, Inc. <[email protected]>.
+ This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+'''
+
+# Variables
+AUTHD_PREFIX = r'.*wazuh-authd.*'

deps/wazuh_testing/wazuh_testing/modules/authd/event_monitor.py

@@ -0,0 +1,51 @@
+'''
+copyright: Copyright (C) 2015-2023, Wazuh Inc.
+ Created by Wazuh, Inc. <[email protected]>.
+ This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+'''
+import re
+
+from wazuh_testing import T_30
+from wazuh_testing.modules.authd import AUTHD_PREFIX
+from wazuh_testing.tools import LOG_FILE_PATH
+from wazuh_testing.tools.monitoring import FileMonitor
+
+
+def make_authd_callback(pattern, prefix=AUTHD_PREFIX):
+ """Create a callback function from a text pattern.
+
+ It already contains the authd prefix.
+
+ Args:
+ pattern (str): String to match on the log.
+ prefix (str): regular expression used as prefix before the pattern.
+
+ Returns:
+ lambda: function that returns if there's a match in the file
+
+ Examples:
+ >>> callback_empty_pass_error = make_authd_callback("ERROR: Empty password provided.")
+ """
+ pattern = r'\s+'.join(pattern.split())
+ regex = re.compile(r'{}{}'.format(prefix, pattern))
+
+ return lambda line: regex.match(line) is not None
+
+
+def check_authd_event(file_monitor=None, callback='', error_message=None, update_position=True,
+ prefix=AUTHD_PREFIX, timeout=T_30, accum_results=1, file_to_monitor=LOG_FILE_PATH):
+ """Check if an authd event occurs.
+ Args:
+ file_monitor (FileMonitor): FileMonitor object to monitor the file content.
+ callback (str): log regex to check in Wazuh log
+ error_message (str): error message to show in case of expected event does not occur
+ update_position (boolean): filter configuration parameter to search in Wazuh log
+ timeout (str): timeout to check the event in Wazuh log
+ accum_results (int): Accumulation of matches.
+ """
+ file_monitor = FileMonitor(file_to_monitor) if file_monitor is None else file_monitor
+ error_message = f"Could not find this event in {file_to_monitor}: {callback}" if not error_message \
+ else error_message
+
+ file_monitor.start(timeout=timeout, update_position=update_position, accum_results=accum_results,
+ callback=make_authd_callback(callback, prefix), error_message=error_message)

tests/integration/test_authd/data/configuration_template/config_authd_use_password_invalid.yaml

@@ -0,0 +1,29 @@
+- tags:
+ - authd
+ apply_to_modules:
+ - test_use_password_invalid
+ sections:
+ - section: auth
+ elements:
+ - disabled:
+ value: 'no'
+ - port:
+ value: 1515
+ - use_source_ip:
+ value: 'no'
+ - purge:
+ value: 'yes'
+ - use_password:
+ value: USE_PASSWORD
+ - limit_maxagents:
+ value: 'yes'
+ - ciphers:
+ value: HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH
+ - ssl_verify_host:
+ value: 'no'
+ - ssl_manager_cert:
+ value: /var/ossec/etc/sslmanager.cert
+ - ssl_manager_key:
+ value: /var/ossec/etc/sslmanager.key
+ - ssl_auto_negotiate:
+ value: 'no'

tests/integration/test_authd/data/test_cases/cases_authd_use_password_invalid.yaml

@@ -0,0 +1,19 @@
+- name: Use empty password file.
+ description: Set the use_password tag with the value 'yes',
+ create the file authd.pass and keep it empty
+ making authd impossible to start.
+ configuration_parameters:
+ USE_PASSWORD: 'yes'
+ metadata:
+ error: Empty password provided.
+ password: ''
+
+- name: Use only spaces password.
+ description: Set the use_password tag with the value 'yes',
+ create the file authd.pass and fill it with only
+ spaces making authd impossible to start.
+ configuration_parameters:
+ USE_PASSWORD: 'yes'
+ metadata:
+ error: Invalid password provided.
+ password: ' '

tests/integration/test_authd/test_authd_use_password_invalid.py

@@ -0,0 +1,145 @@
+'''
+copyright: Copyright (C) 2015-2023, Wazuh Inc.
+
+ Created by Wazuh, Inc. <[email protected]>.
+
+ This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+type: integration
+
+brief: These tests will check invalid values in the authd.pass (for now just checks 'empty')
+ raises the expected error logs.
+
+components:
+ - authd
+
+suite: use_password
+
+targets:
+ - manager
+
+daemons:
+ - wazuh-authd
+
+os_platform:
+ - linux
+
+os_version:
+ - Arch Linux
+ - Amazon Linux 2
+ - Amazon Linux 1
+ - CentOS 8
+ - CentOS 7
+ - Debian Buster
+ - Red Hat 8
+ - Ubuntu Focal
+ - Ubuntu Bionic
+
+tags:
+ - enrollment
+ - authd
+'''
+
+import pytest
+
+import os
+
+from wazuh_testing.modules.authd import event_monitor as evm
+from wazuh_testing import DEFAULT_AUTHD_PASS_PATH
+from wazuh_testing.tools.file import write_file, delete_file
+from wazuh_testing.tools.configuration import get_test_cases_data, load_configuration_template
+from wazuh_testing.tools.services import control_service
+
+
+# Reference paths
+TEST_DATA_PATH = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data')
+CONFIGURATIONS_PATH = os.path.join(TEST_DATA_PATH, 'configuration_template')
+TEST_CASES_PATH = os.path.join(TEST_DATA_PATH, 'test_cases')
+
+# Marks
+pytestmark = [pytest.mark.server, pytest.mark.tier(level=1)]
+
+# Configuration and cases data
+test_cases_path = os.path.join(TEST_CASES_PATH, 'cases_authd_use_password_invalid.yaml')
+configurations_path = os.path.join(CONFIGURATIONS_PATH, 'config_authd_use_password_invalid.yaml')
+
+# Test configurations
+params, metadata, case_ids = get_test_cases_data(test_cases_path)
+configuration = load_configuration_template(configurations_path, params, metadata)
+local_internal_options = {'authd.debug': '2'}
+
+
+# Fixture
+@pytest.fixture()
+def set_authd_pass(metadata: dict):
+ """Configure the file 'authd.pass' as needed for the test."""
+ # Write the content in the authd.pass file.
+ write_file(DEFAULT_AUTHD_PASS_PATH, metadata.get('password'))
+
+ yield
+
+ # Delete the file as by default it doesn't exist.
+ delete_file(DEFAULT_AUTHD_PASS_PATH)
+
+
+# Test
+@pytest.mark.parametrize('metadata, configuration', zip(metadata, configuration), ids=case_ids)
+def test_authd_use_password_invalid(metadata, configuration, truncate_monitored_files,
+ configure_local_internal_options_module, set_authd_pass,
+ set_wazuh_configuration, tear_down):
+ '''
+ description:
+ Checks the correct errors are raised when an invalid password value
+ is configured in the authd.pass file. This test expects the error log
+ to come from the cases yaml, this is done this way to handle easily
+ the different error logs that could be raised from different inputs.
+
+ wazuh_min_version:
+ 4.5.0
+
+ tier: 1
+
+ parameters:
+ - configuration:
+ type: dict
+ brief: Configuration loaded from `configuration_template`.
+ - metadata:
+ type: dict
+ brief: Test case metadata.
+ - set_wazuh_configuration:
+ type: fixture
+ brief: Set wazuh configuration.
+ - truncate_monitored_files:
+ type: fixture
+ brief: Truncate all the log files and json alerts files before and after the test execution.
+ - configure_local_internal_options_module:
+ type: fixture
+ brief: Configure the local internal options file.
+ - set_authd_pass:
+ type: fixture
+ brief: Configures the `authd.pass` file as needed.
+ - tear_down:
+ type: fixture
+ brief: Roll back the daemon and client.keys state after the test ends.
+
+ assertions:
+ - Error log 'Empty password provided.' is raised in ossec.log.
+ - wazuh-manager.service must not be able to restart.
+
+ input_description:
+ ./data/configuration_template/config_authd_use_password_invalid.yaml: Wazuh config needed for the tests.
+ ./data/test_cases/cases_authd_use_password_invalid.yaml: Values to be used and expected error.
+
+ expected_output:
+ - .*Empty password provided.
+ - .*Invalid password provided.
+ '''
+ if metadata.get('error') == 'Invalid password provided.':
+ pytest.xfail(reason="No password validation in authd.pass - Issue wazuh/wazuh#16282.")
+
+ # Verify wazuh-manager fails at restart.
+ with pytest.raises(ValueError):
+ control_service('restart')
+
+ # Verify the error log is raised.
+ evm.check_authd_event(callback=metadata.get('error'))