Ari Saha | 8983174 | 2015-06-26 10:31:48 -0700 | [diff] [blame] | 1 | /* |
| 2 | * Copyright 2014 Open Networking Laboratory |
| 3 | * |
| 4 | * Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | * you may not use this file except in compliance with the License. |
| 6 | * You may obtain a copy of the License at |
| 7 | * |
| 8 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | * |
| 10 | * Unless required by applicable law or agreed to in writing, software |
| 11 | * distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | * See the License for the specific language governing permissions and |
| 14 | * limitations under the License. |
| 15 | */ |
| 16 | package org.onosproject.aaa; |
| 17 | |
Ray Milkey | 967776a | 2015-10-07 14:37:17 -0700 | [diff] [blame^] | 18 | import java.net.InetAddress; |
| 19 | import java.net.UnknownHostException; |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 20 | |
Ari Saha | 8983174 | 2015-06-26 10:31:48 -0700 | [diff] [blame] | 21 | import org.junit.After; |
| 22 | import org.junit.Before; |
| 23 | import org.junit.Test; |
Ray Milkey | 967776a | 2015-10-07 14:37:17 -0700 | [diff] [blame^] | 24 | import org.onlab.packet.BasePacket; |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 25 | import org.onlab.packet.DeserializationException; |
| 26 | import org.onlab.packet.EAP; |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 27 | import org.onlab.packet.Ethernet; |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 28 | import org.onlab.packet.IpAddress; |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 29 | import org.onlab.packet.RADIUS; |
| 30 | import org.onlab.packet.RADIUSAttribute; |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 31 | import org.onosproject.core.CoreServiceAdapter; |
Ray Milkey | fcb623d | 2015-10-01 16:48:18 -0700 | [diff] [blame] | 32 | import org.onosproject.net.config.Config; |
| 33 | import org.onosproject.net.config.NetworkConfigRegistryAdapter; |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 34 | |
| 35 | import com.google.common.base.Charsets; |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 36 | |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 37 | import static org.hamcrest.Matchers.is; |
| 38 | import static org.hamcrest.Matchers.notNullValue; |
| 39 | import static org.junit.Assert.assertThat; |
Ari Saha | 8983174 | 2015-06-26 10:31:48 -0700 | [diff] [blame] | 40 | |
| 41 | /** |
| 42 | * Set of tests of the ONOS application component. |
| 43 | */ |
Ray Milkey | 967776a | 2015-10-07 14:37:17 -0700 | [diff] [blame^] | 44 | public class AAATest extends AAATestBase { |
Ari Saha | 8983174 | 2015-06-26 10:31:48 -0700 | [diff] [blame] | 45 | |
Ray Milkey | 967776a | 2015-10-07 14:37:17 -0700 | [diff] [blame^] | 46 | static final String BAD_IP_ADDRESS = "198.51.100.0"; |
Ari Saha | 8983174 | 2015-06-26 10:31:48 -0700 | [diff] [blame] | 47 | |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 48 | private AAA aaa; |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 49 | |
Ray Milkey | 967776a | 2015-10-07 14:37:17 -0700 | [diff] [blame^] | 50 | class AAAWithoutRadiusServer extends AAA { |
| 51 | protected void sendRADIUSPacket(RADIUS radiusPacket) { |
| 52 | savePacket(radiusPacket); |
| 53 | } |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 54 | } |
| 55 | |
| 56 | /** |
Ray Milkey | 967776a | 2015-10-07 14:37:17 -0700 | [diff] [blame^] | 57 | * Mocks the AAAConfig class to force usage of an unroutable address for the |
| 58 | * RADIUS server. |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 59 | */ |
Ray Milkey | 967776a | 2015-10-07 14:37:17 -0700 | [diff] [blame^] | 60 | static class MockAAAConfig extends AAAConfig { |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 61 | @Override |
Ray Milkey | 967776a | 2015-10-07 14:37:17 -0700 | [diff] [blame^] | 62 | public InetAddress radiusIp() { |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 63 | try { |
Ray Milkey | 967776a | 2015-10-07 14:37:17 -0700 | [diff] [blame^] | 64 | return InetAddress.getByName(BAD_IP_ADDRESS); |
| 65 | } catch (UnknownHostException ex) { |
| 66 | // can't happen |
| 67 | throw new IllegalStateException(ex); |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 68 | } |
| 69 | } |
| 70 | } |
| 71 | |
| 72 | /** |
Ray Milkey | fcb623d | 2015-10-01 16:48:18 -0700 | [diff] [blame] | 73 | * Mocks the network config registry. |
| 74 | */ |
| 75 | @SuppressWarnings("unchecked") |
| 76 | private static final class TestNetworkConfigRegistry |
| 77 | extends NetworkConfigRegistryAdapter { |
| 78 | @Override |
| 79 | public <S, C extends Config<S>> C getConfig(S subject, Class<C> configClass) { |
Ray Milkey | 967776a | 2015-10-07 14:37:17 -0700 | [diff] [blame^] | 80 | AAAConfig aaaConfig = new MockAAAConfig(); |
| 81 | return (C) aaaConfig; |
Ray Milkey | fcb623d | 2015-10-01 16:48:18 -0700 | [diff] [blame] | 82 | } |
| 83 | } |
| 84 | |
| 85 | /** |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 86 | * Constructs an Ethernet packet containing a RADIUS challenge |
| 87 | * packet. |
| 88 | * |
| 89 | * @param challengeCode code to use in challenge packet |
| 90 | * @param challengeType type to use in challenge packet |
| 91 | * @return Ethernet packet |
| 92 | */ |
Ray Milkey | 967776a | 2015-10-07 14:37:17 -0700 | [diff] [blame^] | 93 | private RADIUS constructRADIUSCodeAccessChallengePacket(byte challengeCode, byte challengeType) { |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 94 | |
Ray Milkey | 967776a | 2015-10-07 14:37:17 -0700 | [diff] [blame^] | 95 | String challenge = "12345678901234567"; |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 96 | |
| 97 | EAP eap = new EAP(challengeType, (byte) 1, challengeType, |
| 98 | challenge.getBytes(Charsets.US_ASCII)); |
| 99 | eap.setIdentifier((byte) 1); |
| 100 | |
| 101 | RADIUS radius = new RADIUS(); |
| 102 | radius.setCode(challengeCode); |
| 103 | |
| 104 | radius.setAttribute(RADIUSAttribute.RADIUS_ATTR_STATE, |
| 105 | challenge.getBytes(Charsets.US_ASCII)); |
| 106 | |
| 107 | radius.setPayload(eap); |
| 108 | radius.setAttribute(RADIUSAttribute.RADIUS_ATTR_EAP_MESSAGE, |
| 109 | eap.serialize()); |
| 110 | |
Ray Milkey | 967776a | 2015-10-07 14:37:17 -0700 | [diff] [blame^] | 111 | return radius; |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 112 | } |
| 113 | |
| 114 | /** |
| 115 | * Sets up the services required by the AAA application. |
| 116 | */ |
Ari Saha | 8983174 | 2015-06-26 10:31:48 -0700 | [diff] [blame] | 117 | @Before |
| 118 | public void setUp() { |
Ray Milkey | 967776a | 2015-10-07 14:37:17 -0700 | [diff] [blame^] | 119 | aaa = new AAAWithoutRadiusServer(); |
Ray Milkey | fcb623d | 2015-10-01 16:48:18 -0700 | [diff] [blame] | 120 | aaa.netCfgService = new TestNetworkConfigRegistry(); |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 121 | aaa.coreService = new CoreServiceAdapter(); |
| 122 | aaa.packetService = new MockPacketService(); |
Ray Milkey | fcb623d | 2015-10-01 16:48:18 -0700 | [diff] [blame] | 123 | aaa.activate(); |
Ari Saha | 8983174 | 2015-06-26 10:31:48 -0700 | [diff] [blame] | 124 | } |
| 125 | |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 126 | /** |
| 127 | * Tears down the AAA application. |
| 128 | */ |
Ari Saha | 8983174 | 2015-06-26 10:31:48 -0700 | [diff] [blame] | 129 | @After |
| 130 | public void tearDown() { |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 131 | aaa.deactivate(); |
Ari Saha | 8983174 | 2015-06-26 10:31:48 -0700 | [diff] [blame] | 132 | } |
| 133 | |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 134 | /** |
| 135 | * Extracts the RADIUS packet from a packet sent by the supplicant. |
| 136 | * |
Ray Milkey | 967776a | 2015-10-07 14:37:17 -0700 | [diff] [blame^] | 137 | * @param radius RADIUS packet sent by the supplicant |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 138 | * @throws DeserializationException if deserialization of the packet contents |
| 139 | * fails. |
| 140 | */ |
Ray Milkey | 967776a | 2015-10-07 14:37:17 -0700 | [diff] [blame^] | 141 | private void checkRADIUSPacketFromSupplicant(RADIUS radius) |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 142 | throws DeserializationException { |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 143 | assertThat(radius, notNullValue()); |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 144 | |
Ray Milkey | 967776a | 2015-10-07 14:37:17 -0700 | [diff] [blame^] | 145 | EAP eap = radius.decapsulateMessage(); |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 146 | assertThat(eap, notNullValue()); |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 147 | } |
| 148 | |
| 149 | /** |
| 150 | * Fetches the sent packet at the given index. The requested packet |
| 151 | * must be the last packet on the list. |
| 152 | * |
| 153 | * @param index index into sent packets array |
| 154 | * @return packet |
| 155 | */ |
Ray Milkey | 967776a | 2015-10-07 14:37:17 -0700 | [diff] [blame^] | 156 | private BasePacket fetchPacket(int index) { |
| 157 | BasePacket packet = savedPackets.get(index); |
| 158 | assertThat(packet, notNullValue()); |
| 159 | return packet; |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 160 | } |
| 161 | |
| 162 | /** |
| 163 | * Tests the authentication path through the AAA application. |
| 164 | * |
| 165 | * @throws DeserializationException if packed deserialization fails. |
| 166 | */ |
Ari Saha | 8983174 | 2015-06-26 10:31:48 -0700 | [diff] [blame] | 167 | @Test |
Ray Milkey | 967776a | 2015-10-07 14:37:17 -0700 | [diff] [blame^] | 168 | public void testAuthentication() throws Exception { |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 169 | |
| 170 | // (1) Supplicant start up |
| 171 | |
| 172 | Ethernet startPacket = constructSupplicantStartPacket(); |
| 173 | sendPacket(startPacket); |
| 174 | |
Ray Milkey | 967776a | 2015-10-07 14:37:17 -0700 | [diff] [blame^] | 175 | Ethernet responsePacket = (Ethernet) fetchPacket(0); |
| 176 | checkRadiusPacket(aaa, responsePacket, EAP.ATTR_IDENTITY); |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 177 | |
| 178 | // (2) Supplicant identify |
| 179 | |
Ray Milkey | 967776a | 2015-10-07 14:37:17 -0700 | [diff] [blame^] | 180 | Ethernet identifyPacket = constructSupplicantIdentifyPacket(null, EAP.ATTR_IDENTITY, (byte) 1, null); |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 181 | sendPacket(identifyPacket); |
| 182 | |
Ray Milkey | 967776a | 2015-10-07 14:37:17 -0700 | [diff] [blame^] | 183 | RADIUS radiusIdentifyPacket = (RADIUS) fetchPacket(1); |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 184 | |
Ray Milkey | 967776a | 2015-10-07 14:37:17 -0700 | [diff] [blame^] | 185 | checkRADIUSPacketFromSupplicant(radiusIdentifyPacket); |
| 186 | |
| 187 | assertThat(radiusIdentifyPacket.getCode(), is(RADIUS.RADIUS_CODE_ACCESS_REQUEST)); |
| 188 | assertThat(new String(radiusIdentifyPacket.getAttribute(RADIUSAttribute.RADIUS_ATTR_USERNAME).getValue()), |
| 189 | is("testuser")); |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 190 | |
| 191 | IpAddress nasIp = |
| 192 | IpAddress.valueOf(IpAddress.Version.INET, |
Ray Milkey | 967776a | 2015-10-07 14:37:17 -0700 | [diff] [blame^] | 193 | radiusIdentifyPacket.getAttribute(RADIUSAttribute.RADIUS_ATTR_NAS_IP) |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 194 | .getValue()); |
Ray Milkey | fcb623d | 2015-10-01 16:48:18 -0700 | [diff] [blame] | 195 | assertThat(nasIp.toString(), is(aaa.nasIpAddress.getHostAddress())); |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 196 | |
| 197 | // State machine should have been created by now |
| 198 | |
| 199 | StateMachine stateMachine = |
Ray Milkey | 967776a | 2015-10-07 14:37:17 -0700 | [diff] [blame^] | 200 | StateMachine.lookupStateMachineBySessionId(SESSION_ID); |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 201 | assertThat(stateMachine, notNullValue()); |
| 202 | assertThat(stateMachine.state(), is(StateMachine.STATE_PENDING)); |
| 203 | |
| 204 | // (3) RADIUS MD5 challenge |
| 205 | |
Ray Milkey | 967776a | 2015-10-07 14:37:17 -0700 | [diff] [blame^] | 206 | RADIUS radiusCodeAccessChallengePacket = |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 207 | constructRADIUSCodeAccessChallengePacket(RADIUS.RADIUS_CODE_ACCESS_CHALLENGE, EAP.ATTR_MD5); |
Ray Milkey | 967776a | 2015-10-07 14:37:17 -0700 | [diff] [blame^] | 208 | aaa.radiusListener.handleRadiusPacket(radiusCodeAccessChallengePacket); |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 209 | |
Ray Milkey | 967776a | 2015-10-07 14:37:17 -0700 | [diff] [blame^] | 210 | Ethernet radiusChallengeMD5Packet = (Ethernet) fetchPacket(2); |
| 211 | checkRadiusPacket(aaa, radiusChallengeMD5Packet, EAP.ATTR_MD5); |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 212 | |
| 213 | // (4) Supplicant MD5 response |
| 214 | |
Ray Milkey | 967776a | 2015-10-07 14:37:17 -0700 | [diff] [blame^] | 215 | Ethernet md5RadiusPacket = |
| 216 | constructSupplicantIdentifyPacket(stateMachine, |
| 217 | EAP.ATTR_MD5, |
| 218 | stateMachine.challengeIdentifier(), |
| 219 | radiusChallengeMD5Packet); |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 220 | sendPacket(md5RadiusPacket); |
Ray Milkey | 967776a | 2015-10-07 14:37:17 -0700 | [diff] [blame^] | 221 | |
| 222 | RADIUS responseMd5RadiusPacket = (RADIUS) fetchPacket(3); |
| 223 | |
| 224 | checkRADIUSPacketFromSupplicant(responseMd5RadiusPacket); |
| 225 | assertThat(responseMd5RadiusPacket.getIdentifier(), is((byte) 0)); |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 226 | assertThat(responseMd5RadiusPacket.getCode(), is(RADIUS.RADIUS_CODE_ACCESS_REQUEST)); |
| 227 | |
| 228 | // State machine should be in pending state |
| 229 | |
| 230 | assertThat(stateMachine, notNullValue()); |
| 231 | assertThat(stateMachine.state(), is(StateMachine.STATE_PENDING)); |
| 232 | |
Ray Milkey | 967776a | 2015-10-07 14:37:17 -0700 | [diff] [blame^] | 233 | // (5) RADIUS Success |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 234 | |
Ray Milkey | 967776a | 2015-10-07 14:37:17 -0700 | [diff] [blame^] | 235 | RADIUS successPacket = |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 236 | constructRADIUSCodeAccessChallengePacket(RADIUS.RADIUS_CODE_ACCESS_ACCEPT, EAP.SUCCESS); |
Ray Milkey | 967776a | 2015-10-07 14:37:17 -0700 | [diff] [blame^] | 237 | aaa.radiusListener.handleRadiusPacket((successPacket)); |
| 238 | Ethernet supplicantSuccessPacket = (Ethernet) fetchPacket(4); |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 239 | |
Ray Milkey | 967776a | 2015-10-07 14:37:17 -0700 | [diff] [blame^] | 240 | checkRadiusPacket(aaa, supplicantSuccessPacket, EAP.SUCCESS); |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 241 | |
| 242 | // State machine should be in authorized state |
| 243 | |
| 244 | assertThat(stateMachine, notNullValue()); |
| 245 | assertThat(stateMachine.state(), is(StateMachine.STATE_AUTHORIZED)); |
Ray Milkey | 967776a | 2015-10-07 14:37:17 -0700 | [diff] [blame^] | 246 | |
Ari Saha | 8983174 | 2015-06-26 10:31:48 -0700 | [diff] [blame] | 247 | } |
Ray Milkey | fcb623d | 2015-10-01 16:48:18 -0700 | [diff] [blame] | 248 | |
Ray Milkey | fcb623d | 2015-10-01 16:48:18 -0700 | [diff] [blame] | 249 | /** |
| 250 | * Tests the default configuration. |
| 251 | */ |
| 252 | @Test |
| 253 | public void testConfig() { |
| 254 | assertThat(aaa.nasIpAddress.getHostAddress(), is(AAAConfig.DEFAULT_NAS_IP)); |
| 255 | assertThat(aaa.nasMacAddress, is(AAAConfig.DEFAULT_NAS_MAC)); |
Ray Milkey | 967776a | 2015-10-07 14:37:17 -0700 | [diff] [blame^] | 256 | assertThat(aaa.radiusIpAddress.getHostAddress(), is(BAD_IP_ADDRESS)); |
Ray Milkey | fcb623d | 2015-10-01 16:48:18 -0700 | [diff] [blame] | 257 | assertThat(aaa.radiusMacAddress, is(AAAConfig.DEFAULT_RADIUS_MAC)); |
| 258 | } |
Ari Saha | 8983174 | 2015-06-26 10:31:48 -0700 | [diff] [blame] | 259 | } |