author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-28 09:49:46 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-28 09:49:46 +0000 |
commit | 50b37d4a27d3295a29afca2286f1a5a086142cec (patch) | |
tree | 9212f763934ee090ef72d823f559f52ce387f268 /src/tests/auth | |
parent | Initial commit. (diff) | |
Adding upstream version 3.2.1+dfsg. (refs: upstream/3.2.1+dfsg, upstream)
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
-rw-r--r-- | src/tests/auth/all.mk | 119 | ||||
-rw-r--r-- | src/tests/auth/chap | 3 | ||||
-rw-r--r-- | src/tests/auth/chap.attrs | 4 | ||||
-rw-r--r-- | src/tests/auth/chap_header | 7 | ||||
-rw-r--r-- | src/tests/auth/chap_header.attrs | 4 | ||||
-rw-r--r-- | src/tests/auth/digest | 3 | ||||
-rw-r--r-- | src/tests/auth/digest.attrs | 25 | ||||
-rw-r--r-- | src/tests/auth/md5_password | 7 | ||||
-rw-r--r-- | src/tests/auth/md5_password.attrs | 4 | ||||
-rw-r--r-- | src/tests/auth/password_with_header | 7 | ||||
-rw-r--r-- | src/tests/auth/password_with_header.attrs | 4 | ||||
-rw-r--r-- | src/tests/auth/password_without_header | 7 | ||||
-rw-r--r-- | src/tests/auth/password_without_header.attrs | 4 | ||||
-rw-r--r-- | src/tests/auth/radiusd.conf | 50 | ||||
-rw-r--r-- | src/tests/auth/user_password | 3 | ||||
-rw-r--r-- | src/tests/auth/user_password.attrs | 4 | ||||
-rw-r--r-- | src/tests/auth/wimax | 3 | ||||
-rw-r--r-- | src/tests/auth/wimax.attrs | 30 |
18 files changed, 288 insertions, 0 deletions
diff --git a/src/tests/auth/all.mk b/src/tests/auth/all.mk
new file mode 100644
index 0000000..284033f
--- /dev/null
+++ b/src/tests/auth/all.mk
@@ -0,0 +1,119 @@
+#
+# Unit tests for authentication
+#
+
+#
+# The test files are files without extensions.
+# The list is unordered. The order is added in the next step by looking
+# at precursors.
+#
+AUTH_FILES := $(filter-out %.conf %.md %.attrs %.mk %~ %.rej,$(subst $(DIR)/,,$(wildcard $(DIR)/*)))
+
+#
+# Create the output directory
+#
+.PHONY: $(BUILD_DIR)/tests/auth
+$(BUILD_DIR)/tests/auth:
+ @mkdir -p $@
+
+#
+# Find which input files are needed by the tests
+# strip out the ones which exist
+# move the filenames to the build directory.
+#
+AUTH_EXISTS := $(addprefix $(DIR)/,$(addsuffix .attrs,$(AUTH_FILES)))
+AUTH_NEEDS := $(filter-out $(wildcard $(AUTH_EXISTS)),$(AUTH_EXISTS))
+AUTH := $(subst $(DIR),$(BUILD_DIR)/tests/auth,$(AUTH_NEEDS))
+
+AUTH_HAS := $(filter $(wildcard $(AUTH_EXISTS)),$(AUTH_EXISTS))
+AUTH_COPY := $(subst $(DIR),$(BUILD_DIR)/tests/auth,$(AUTH_NEEDS))
+
+#
+# For each file, look for precursor test.
+# Ensure that each test depends on its precursors.
+#
+-include $(BUILD_DIR)/tests/auth/depends.mk
+
+$(BUILD_DIR)/tests/auth/depends.mk: $(addprefix $(DIR)/,$(AUTH_FILES)) | $(BUILD_DIR)/tests/auth
+ @rm -f $@
+ @for x in $^; do \
+ y=`grep 'PRE: ' $$x | sed 's/.*://;s/ / /g;s, , $(BUILD_DIR)/tests/auth/,g'`; \
+ if [ "$$y" != "" ]; then \
+ z=`echo $$x | sed 's,src/,$(BUILD_DIR)/',`; \
+ echo "$$z: $$y" >> $@; \
+ echo "" >> $@; \
+ fi \
+ done
+#
+# These ones get copied over from the default input
+#
+$(AUTH): $(DIR)/default-input.attrs | $(BUILD_DIR)/tests/auth
+ @cp $< $@
+
+#
+# These ones get copied over from their original files
+#
+$(BUILD_DIR)/tests/auth/%.attrs: $(DIR)/%.attrs | $(BUILD_DIR)/tests/auth
+ @cp $< $@
+
+#
+# Don't auto-remove the files copied by the rule just above.
+# It's unnecessary, and it clutters the output with crap.
+#
+.PRECIOUS: $(BUILD_DIR)/tests/auth/%.attrs raddb/mods-enabled/wimax
+
+AUTH_MODULES := $(shell grep -- mods-enabled src/tests/auth/radiusd.conf | sed 's,.*/,,')
+AUTH_RADDB := $(addprefix raddb/mods-enabled/,$(AUTH_MODULES))
+AUTH_LIBS := $(addsuffix .la,$(addprefix rlm_,$(AUTH_MODULES)))
+
+#
+# Files in the output dir depend on the unit tests
+#
+# src/tests/auth/FOO unlang for the test
+# src/tests/auth/FOO.attrs input RADIUS and output filter
+# build/tests/auth/FOO updated if the test succeeds
+# build/tests/auth/FOO.log debug output for the test
+#
+# Auto-depend on modules via $(shell grep INCLUDE $(DIR)/radiusd.conf | grep mods-enabled | sed 's/.*}/raddb/'))
+#
+# If the test fails, then look for ERROR in the input. No error
+# means it's unexpected, so we die.
+#
+# Otherwise, check the log file for a parse error which matches the
+# ERROR line in the input.
+#
+$(BUILD_DIR)/tests/auth/%: $(DIR)/% $(BUILD_DIR)/tests/auth/%.attrs $(TESTBINDIR)/unittest | $(BUILD_DIR)/tests/auth $(AUTH_RADDB) $(AUTH_LIBS) build.raddb
+ @echo UNIT-TEST $(notdir $@)
+ @if ! TESTDIR=$(notdir $@) $(TESTBIN)/unittest -D share -d src/tests/auth/ -i $@.attrs -f $@.attrs -xxx > $@.log 2>&1; then \
+ if ! grep ERROR $< 2>&1 > /dev/null; then \
+ cat $@.log; \
+ echo "# $@.log"; \
+ echo "TESTDIR=$(notdir $@) $(TESTBIN)/unittest -D share -d src/tests/auth/ -i $@.attrs -f $@.attrs -xxx > $@.log 2>&1"; \
+ exit 1; \
+ fi; \
+ FOUND=$$(grep ^$< $@.log | head -1 | sed 's/:.*//;s/.*\[//;s/\].*//'); \
+ EXPECTED=$$(grep -n ERROR $< | sed 's/:.*//'); \
+ if [ "$$EXPECTED" != "$$FOUND" ]; then \
+ cat $@.log; \
+ echo "# $@.log"; \
+ echo "TESTDIR=$(notdir $@) $(TESTBIN)/unittest -D share -d src/tests/auth/ -i $@.attrs -f $@.attrs -xxx > $@.log 2>&1"; \
+ exit 1; \
+ fi \
+ fi
+ @touch $@
+
+#
+# Get all of the unit test output files
+#
+TESTS.AUTH_FILES := $(addprefix $(BUILD_DIR)/tests/auth/,$(AUTH_FILES))
+
+#
+# Depend on the output files, and create the directory first.
+#
+tests.auth: $(TESTS.AUTH_FILES)
+
+$(TESTS.AUTH_FILES): $(TESTS.KEYWORDS_FILES)
+
+.PHONY: clean.tests.auth
+clean.tests.auth:
+ @rm -rf $(BUILD_DIR)/tests/auth/
diff --git a/src/tests/auth/chap b/src/tests/auth/chap
new file mode 100644
index 0000000..648546a
--- /dev/null
+++ b/src/tests/auth/chap
@@ -0,0 +1,3 @@
+#
+# Password is already set in radiusd.conf
+#
diff --git a/src/tests/auth/chap.attrs b/src/tests/auth/chap.attrs
new file mode 100644
index 0000000..04df463
--- /dev/null
+++ b/src/tests/auth/chap.attrs
@@ -0,0 +1,4 @@
+User-Name = "bob",
+CHAP-Password := "hello"
+
+Response-Packet-Type == Access-Accept
diff --git a/src/tests/auth/chap_header b/src/tests/auth/chap_header
new file mode 100644
index 0000000..13c3c9b
--- /dev/null
+++ b/src/tests/auth/chap_header
@@ -0,0 +1,7 @@
+#
+# over-ride password set in radiusd.conf
+#
+update control {
+ Cleartext-Password -= 'hello'
+ Password-With-Header := 'oracle01'
+}
diff --git a/src/tests/auth/chap_header.attrs b/src/tests/auth/chap_header.attrs
new file mode 100644
index 0000000..9f815c7
--- /dev/null
+++ b/src/tests/auth/chap_header.attrs
@@ -0,0 +1,4 @@
+User-Name = "bob"
+CHAP-Password = 'oracle01'
+
+Response-Packet-Type == Access-Accept
diff --git a/src/tests/auth/digest b/src/tests/auth/digest
new file mode 100644
index 0000000..4858977
--- /dev/null
+++ b/src/tests/auth/digest
@@ -0,0 +1,3 @@
+update control {
+ Cleartext-Password := "zanzibar"
+}
diff --git a/src/tests/auth/digest.attrs b/src/tests/auth/digest.attrs
new file mode 100644
index 0000000..2d32aa0
--- /dev/null
+++ b/src/tests/auth/digest.attrs
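Review bot: `AUTH_COPY` is built from `$(AUTH_NEEDS)`, so it expands to the same list as `AUTH`, while `AUTH_HAS` on the line above is computed and never referenced in this file; this looks like a copy-paste slip and the line presumably should read `AUTH_COPY := $(subst $(DIR),$(BUILD_DIR)/tests/auth,$(AUTH_HAS))`. In the unit-test recipe, `grep ERROR $< 2>&1 > /dev/null` discards only stdout because the redirections are in the wrong order; `> /dev/null 2>&1` is what the line appears to intend. The same recipe treats a failing unittest run as a pass when the expected and found line numbers match, but `EXPECTED` is not limited to one match the way `FOUND` is, so a test file with more than one ERROR marker can never compare equal; `EXPECTED=$$(grep -n ERROR $< | head -1 | sed 's/:.*//')` would make the two sides symmetric.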
@@ -0,0 +1,25 @@
+#
+# http://ftp6.us.freebsd.org/pub/rfc/internet-drafts/draft-smith-sipping-auth-examples-01.txt
+#
+# 3.5.2
+#
+#
+# In the "users" file: bob Cleartext-Password := "zanzibar"
+#
+# TESTS 1
+#
+User-Name = "bob",
+Digest-Response = "bdbeebb2da6adb6bca02599c2239e192"
+Digest-Realm = "biloxi.com",
+Digest-Nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093",
+Digest-Method = "INVITE",
+Digest-URI = "sip:bob@biloxi.com",
+Digest-Algorithm = "MD5",
+Digest-User-Name = "bob",
+Digest-QOP = "auth-int",
+Digest-Nonce-Count = "00000001",
+Digest-CNonce = "0a4f113b",
+Digest-Body-Digest = "c1ed018b8ec4a3b170c0921f5b564e48",
+Message-Authenticator = ""
+
+Response-Packet-Type == Access-Accept
diff --git a/src/tests/auth/md5_password b/src/tests/auth/md5_password
new file mode 100644
index 0000000..4376056
--- /dev/null
+++ b/src/tests/auth/md5_password
@@ -0,0 +1,7 @@
+#
+# over-ride password set in radiusd.conf
+#
+update control {
+ Cleartext-Password -= ANY
+ Password-With-Header := '{md5}5d41402abc4b2a76b9719d911017c592'
+}
diff --git a/src/tests/auth/md5_password.attrs b/src/tests/auth/md5_password.attrs
new file mode 100644
index 0000000..65b967b
--- /dev/null
+++ b/src/tests/auth/md5_password.attrs
@@ -0,0 +1,4 @@
+User-Name = "bob"
+User-Password = "hello"
+
+Response-Packet-Type == Access-Accept
diff --git a/src/tests/auth/password_with_header b/src/tests/auth/password_with_header
new file mode 100644
index 0000000..08993ab
--- /dev/null
+++ b/src/tests/auth/password_with_header
@@ -0,0 +1,7 @@
+#
+# over-ride password set in radiusd.conf
+#
+update control {
+ Cleartext-Password -= 'hello'
+ Password-With-Header := '{clear}hello'
+}
diff --git a/src/tests/auth/password_with_header.attrs b/src/tests/auth/password_with_header.attrs
new file mode 100644
index 0000000..65b967b
--- /dev/null
+++ b/src/tests/auth/password_with_header.attrs
@@ -0,0 +1,4 @@
+User-Name = "bob"
+User-Password = "hello"
+
+Response-Packet-Type == Access-Accept
diff --git a/src/tests/auth/password_without_header b/src/tests/auth/password_without_header
new file mode 100644
index 0000000..6fab6b3
--- /dev/null
+++ b/src/tests/auth/password_without_header
@@ -0,0 +1,7 @@
+#
+# over-ride password set in radiusd.conf
+#
+update control {
+ Cleartext-Password -= 'hello'
+ Password-With-Header := 'hello'
+}
diff --git a/src/tests/auth/password_without_header.attrs b/src/tests/auth/password_without_header.attrs
new file mode 100644
index 0000000..65b967b
--- /dev/null
+++ b/src/tests/auth/password_without_header.attrs
@@ -0,0 +1,4 @@
+User-Name = "bob"
+User-Password = "hello"
+
+Response-Packet-Type == Access-Accept
diff --git a/src/tests/auth/radiusd.conf b/src/tests/auth/radiusd.conf
new file mode 100644
index 0000000..2d822e7
--- /dev/null
+++ b/src/tests/auth/radiusd.conf
@@ -0,0 +1,50 @@
+#
+# Minimal radiusd.conf for testing keywords
+#
+
+raddb = raddb
+testdir = src/tests/auth
+
+modconfdir = ${raddb}/mods-config
+
+# Only for testing!
+# Setting this on a production system is a BAD IDEA.
+security {
+ allow_vulnerable_openssl = yes
+}
+
+modules {
+ $INCLUDE ${raddb}/mods-enabled/always
+
+ $INCLUDE ${raddb}/mods-enabled/pap
+
+ $INCLUDE ${raddb}/mods-enabled/chap
+
+ $INCLUDE ${raddb}/mods-enabled/expr
+
+ $INCLUDE ${raddb}/mods-enabled/digest
+}
+
+server default {
+ authorize {
+ update control {
+ Cleartext-Password := 'hello'
+ }
+
+ #
+ # Include the test file specified by the
+ # KEYWORD environment variable.
+ #
+ $INCLUDE ${testdir}/$ENV{TESTDIR}
+
+ digest
+ chap
+ pap
+ }
+
+ authenticate {
+ digest
+ pap
+ chap
+ }
+}
diff --git a/src/tests/auth/user_password b/src/tests/auth/user_password
new file mode 100644
index 0000000..648546a
--- /dev/null
+++ b/src/tests/auth/user_password
@@ -0,0 +1,3 @@
+#
+# Password is already set in radiusd.conf
+#
diff --git a/src/tests/auth/user_password.attrs b/src/tests/auth/user_password.attrs
new file mode 100644
index 0000000..65b967b
--- /dev/null
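Review bot: The comments in radiusd.conf do not match what the file does: the header says `Minimal radiusd.conf for testing keywords` and the include comment names the `KEYWORD environment variable`, but the include line reads `$ENV{TESTDIR}` and the file sits under src/tests/auth. Suggest `# Minimal radiusd.conf for testing authentication` and `# TESTDIR environment variable.`. Because an environment value is spliced into an `$INCLUDE` path, the `security` block sets `allow_vulnerable_openssl = yes`, and every request gets `Cleartext-Password := 'hello'`, the existing "Only for testing!" warning would be worth repeating at the top of the file, e.g. `# Test fixture only: never install this file or point a production radiusd at it.`.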
+++ b/src/tests/auth/user_password.attrs @@ -0,0 +1,4 @@ +User-Name = "bob" +User-Password = "hello" + +Response-Packet-Type == Access-Accept diff --git a/src/tests/auth/wimax b/src/tests/auth/wimax new file mode 100644 index 0000000..648546a --- /dev/null +++ b/src/tests/auth/wimax @@ -0,0 +1,3 @@ +# +# Password is already set in radiusd.conf +# diff --git a/src/tests/auth/wimax.attrs b/src/tests/auth/wimax.attrs new file mode 100644 index 0000000..38ec09a --- /dev/null +++ b/src/tests/auth/wimax.attrs @@ -0,0 +1,30 @@ +# +# Tests for WiMAX attributes +# +# TESTS 1 +# +User-Name = "bob" +User-Password = "hello" +WiMAX-GMT-Timezone-offset = -1 +WiMAX-AAA-Session-Id = 0x01020304 +WiMAX-hHA-IP-MIP4 = 192.0.2.1 +# +# Manually encoded capability +# +WiMAX-Capability = 0x01ff45454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545040301 +# +# Automatically encoded capability +# +WiMAX-Accounting-Capabilities = 2 +WiMAX-Release = "1.0" +WiMAX-Packet-Data-Flow-Id = 1 +# +# Long string +# +WiMAX-Hotline-Indicator = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxaaaaaaaaaabbbbbbbbbbcccccccccc123" +WiMAX-Service-Data-Flow-Id = 2 +WiMAX-hHA-IP-MIP4 = 192.0.2.2 + + +# and the response +Response-Packet-Type == Access-Accept |