Ari Saha | 8983174 | 2015-06-26 10:31:48 -0700 | [diff] [blame] | 1 | /* |
Brian O'Connor | 4e33be2 | 2017-08-03 22:45:46 -0700 | [diff] [blame] | 2 | * Copyright 2015-present Open Networking Foundation |
Ari Saha | 8983174 | 2015-06-26 10:31:48 -0700 | [diff] [blame] | 3 | * |
| 4 | * Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | * you may not use this file except in compliance with the License. |
| 6 | * You may obtain a copy of the License at |
| 7 | * |
| 8 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | * |
| 10 | * Unless required by applicable law or agreed to in writing, software |
| 11 | * distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | * See the License for the specific language governing permissions and |
| 14 | * limitations under the License. |
| 15 | */ |
alshabib | 6d52745 | 2016-06-01 18:00:47 -0700 | [diff] [blame] | 16 | package org.opencord.aaa; |
Ari Saha | 8983174 | 2015-06-26 10:31:48 -0700 | [diff] [blame] | 17 | |
Jonathan Hart | 092dfb2 | 2015-11-16 23:05:21 -0800 | [diff] [blame] | 18 | import com.google.common.base.Charsets; |
Ari Saha | 8983174 | 2015-06-26 10:31:48 -0700 | [diff] [blame] | 19 | import org.junit.After; |
| 20 | import org.junit.Before; |
| 21 | import org.junit.Test; |
Ray Milkey | 967776a | 2015-10-07 14:37:17 -0700 | [diff] [blame] | 22 | import org.onlab.packet.BasePacket; |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 23 | import org.onlab.packet.DeserializationException; |
| 24 | import org.onlab.packet.EAP; |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 25 | import org.onlab.packet.Ethernet; |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 26 | import org.onlab.packet.IpAddress; |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 27 | import org.onlab.packet.RADIUS; |
| 28 | import org.onlab.packet.RADIUSAttribute; |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 29 | import org.onosproject.core.CoreServiceAdapter; |
Ray Milkey | fcb623d | 2015-10-01 16:48:18 -0700 | [diff] [blame] | 30 | import org.onosproject.net.config.Config; |
| 31 | import org.onosproject.net.config.NetworkConfigRegistryAdapter; |
Amit Ghosh | c9ac1e5 | 2017-07-28 12:31:18 +0100 | [diff] [blame] | 32 | import org.onosproject.net.packet.InboundPacket; |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 33 | |
Jonathan Hart | 092dfb2 | 2015-11-16 23:05:21 -0800 | [diff] [blame] | 34 | import java.net.InetAddress; |
| 35 | import java.net.UnknownHostException; |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 36 | |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 37 | import static org.hamcrest.Matchers.is; |
| 38 | import static org.hamcrest.Matchers.notNullValue; |
| 39 | import static org.junit.Assert.assertThat; |
Ari Saha | 8983174 | 2015-06-26 10:31:48 -0700 | [diff] [blame] | 40 | |
| 41 | /** |
| 42 | * Set of tests of the ONOS application component. |
| 43 | */ |
Jonathan Hart | 092dfb2 | 2015-11-16 23:05:21 -0800 | [diff] [blame] | 44 | public class AaaManagerTest extends AaaTestBase { |
Ari Saha | 8983174 | 2015-06-26 10:31:48 -0700 | [diff] [blame] | 45 | |
Ray Milkey | 967776a | 2015-10-07 14:37:17 -0700 | [diff] [blame] | 46 | static final String BAD_IP_ADDRESS = "198.51.100.0"; |
Ari Saha | 8983174 | 2015-06-26 10:31:48 -0700 | [diff] [blame] | 47 | |
Jonathan Hart | 092dfb2 | 2015-11-16 23:05:21 -0800 | [diff] [blame] | 48 | private AaaManager aaaManager; |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 49 | |
Jonathan Hart | 092dfb2 | 2015-11-16 23:05:21 -0800 | [diff] [blame] | 50 | class AaaManagerWithoutRadiusServer extends AaaManager { |
Amit Ghosh | c9ac1e5 | 2017-07-28 12:31:18 +0100 | [diff] [blame] | 51 | protected void sendRadiusPacket(RADIUS radiusPacket, InboundPacket inPkt) { |
Ray Milkey | 967776a | 2015-10-07 14:37:17 -0700 | [diff] [blame] | 52 | savePacket(radiusPacket); |
| 53 | } |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 54 | } |
| 55 | |
| 56 | /** |
Ray Milkey | 967776a | 2015-10-07 14:37:17 -0700 | [diff] [blame] | 57 | * Mocks the AAAConfig class to force usage of an unroutable address for the |
| 58 | * RADIUS server. |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 59 | */ |
Jonathan Hart | 092dfb2 | 2015-11-16 23:05:21 -0800 | [diff] [blame] | 60 | static class MockAaaConfig extends AaaConfig { |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 61 | @Override |
Ray Milkey | 967776a | 2015-10-07 14:37:17 -0700 | [diff] [blame] | 62 | public InetAddress radiusIp() { |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 63 | try { |
Ray Milkey | 967776a | 2015-10-07 14:37:17 -0700 | [diff] [blame] | 64 | return InetAddress.getByName(BAD_IP_ADDRESS); |
| 65 | } catch (UnknownHostException ex) { |
| 66 | // can't happen |
| 67 | throw new IllegalStateException(ex); |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 68 | } |
| 69 | } |
| 70 | } |
| 71 | |
| 72 | /** |
Ray Milkey | fcb623d | 2015-10-01 16:48:18 -0700 | [diff] [blame] | 73 | * Mocks the network config registry. |
| 74 | */ |
| 75 | @SuppressWarnings("unchecked") |
| 76 | private static final class TestNetworkConfigRegistry |
| 77 | extends NetworkConfigRegistryAdapter { |
| 78 | @Override |
| 79 | public <S, C extends Config<S>> C getConfig(S subject, Class<C> configClass) { |
Jonathan Hart | 092dfb2 | 2015-11-16 23:05:21 -0800 | [diff] [blame] | 80 | AaaConfig aaaConfig = new MockAaaConfig(); |
Ray Milkey | 967776a | 2015-10-07 14:37:17 -0700 | [diff] [blame] | 81 | return (C) aaaConfig; |
Ray Milkey | fcb623d | 2015-10-01 16:48:18 -0700 | [diff] [blame] | 82 | } |
| 83 | } |
| 84 | |
| 85 | /** |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 86 | * Constructs an Ethernet packet containing a RADIUS challenge |
| 87 | * packet. |
| 88 | * |
| 89 | * @param challengeCode code to use in challenge packet |
| 90 | * @param challengeType type to use in challenge packet |
| 91 | * @return Ethernet packet |
| 92 | */ |
Jonathan Hart | 092dfb2 | 2015-11-16 23:05:21 -0800 | [diff] [blame] | 93 | private RADIUS constructRadiusCodeAccessChallengePacket(byte challengeCode, byte challengeType) { |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 94 | |
Ray Milkey | 967776a | 2015-10-07 14:37:17 -0700 | [diff] [blame] | 95 | String challenge = "12345678901234567"; |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 96 | |
| 97 | EAP eap = new EAP(challengeType, (byte) 1, challengeType, |
| 98 | challenge.getBytes(Charsets.US_ASCII)); |
| 99 | eap.setIdentifier((byte) 1); |
| 100 | |
| 101 | RADIUS radius = new RADIUS(); |
| 102 | radius.setCode(challengeCode); |
| 103 | |
| 104 | radius.setAttribute(RADIUSAttribute.RADIUS_ATTR_STATE, |
| 105 | challenge.getBytes(Charsets.US_ASCII)); |
| 106 | |
| 107 | radius.setPayload(eap); |
| 108 | radius.setAttribute(RADIUSAttribute.RADIUS_ATTR_EAP_MESSAGE, |
| 109 | eap.serialize()); |
| 110 | |
Ray Milkey | 967776a | 2015-10-07 14:37:17 -0700 | [diff] [blame] | 111 | return radius; |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 112 | } |
| 113 | |
| 114 | /** |
| 115 | * Sets up the services required by the AAA application. |
| 116 | */ |
Ari Saha | 8983174 | 2015-06-26 10:31:48 -0700 | [diff] [blame] | 117 | @Before |
| 118 | public void setUp() { |
Jonathan Hart | 092dfb2 | 2015-11-16 23:05:21 -0800 | [diff] [blame] | 119 | aaaManager = new AaaManagerWithoutRadiusServer(); |
| 120 | aaaManager.netCfgService = new TestNetworkConfigRegistry(); |
| 121 | aaaManager.coreService = new CoreServiceAdapter(); |
| 122 | aaaManager.packetService = new MockPacketService(); |
Amit Ghosh | 3f8ee43 | 2017-09-21 15:49:37 +0100 | [diff] [blame] | 123 | aaaManager.deviceService = new TestDeviceService(); |
| 124 | aaaManager.subsService = new MockSubService(); |
Jonathan Hart | 092dfb2 | 2015-11-16 23:05:21 -0800 | [diff] [blame] | 125 | aaaManager.activate(); |
Ari Saha | 8983174 | 2015-06-26 10:31:48 -0700 | [diff] [blame] | 126 | } |
| 127 | |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 128 | /** |
| 129 | * Tears down the AAA application. |
| 130 | */ |
Ari Saha | 8983174 | 2015-06-26 10:31:48 -0700 | [diff] [blame] | 131 | @After |
| 132 | public void tearDown() { |
Jonathan Hart | 092dfb2 | 2015-11-16 23:05:21 -0800 | [diff] [blame] | 133 | aaaManager.deactivate(); |
Ari Saha | 8983174 | 2015-06-26 10:31:48 -0700 | [diff] [blame] | 134 | } |
| 135 | |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 136 | /** |
| 137 | * Extracts the RADIUS packet from a packet sent by the supplicant. |
| 138 | * |
Ray Milkey | 967776a | 2015-10-07 14:37:17 -0700 | [diff] [blame] | 139 | * @param radius RADIUS packet sent by the supplicant |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 140 | * @throws DeserializationException if deserialization of the packet contents |
| 141 | * fails. |
| 142 | */ |
Jonathan Hart | 092dfb2 | 2015-11-16 23:05:21 -0800 | [diff] [blame] | 143 | private void checkRadiusPacketFromSupplicant(RADIUS radius) |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 144 | throws DeserializationException { |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 145 | assertThat(radius, notNullValue()); |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 146 | |
Ray Milkey | 967776a | 2015-10-07 14:37:17 -0700 | [diff] [blame] | 147 | EAP eap = radius.decapsulateMessage(); |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 148 | assertThat(eap, notNullValue()); |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 149 | } |
| 150 | |
| 151 | /** |
| 152 | * Fetches the sent packet at the given index. The requested packet |
| 153 | * must be the last packet on the list. |
| 154 | * |
| 155 | * @param index index into sent packets array |
| 156 | * @return packet |
| 157 | */ |
Ray Milkey | 967776a | 2015-10-07 14:37:17 -0700 | [diff] [blame] | 158 | private BasePacket fetchPacket(int index) { |
| 159 | BasePacket packet = savedPackets.get(index); |
| 160 | assertThat(packet, notNullValue()); |
| 161 | return packet; |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 162 | } |
| 163 | |
| 164 | /** |
| 165 | * Tests the authentication path through the AAA application. |
| 166 | * |
| 167 | * @throws DeserializationException if packed deserialization fails. |
| 168 | */ |
Ari Saha | 8983174 | 2015-06-26 10:31:48 -0700 | [diff] [blame] | 169 | @Test |
Ray Milkey | 967776a | 2015-10-07 14:37:17 -0700 | [diff] [blame] | 170 | public void testAuthentication() throws Exception { |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 171 | |
| 172 | // (1) Supplicant start up |
| 173 | |
| 174 | Ethernet startPacket = constructSupplicantStartPacket(); |
| 175 | sendPacket(startPacket); |
| 176 | |
Ray Milkey | 967776a | 2015-10-07 14:37:17 -0700 | [diff] [blame] | 177 | Ethernet responsePacket = (Ethernet) fetchPacket(0); |
Jonathan Hart | 092dfb2 | 2015-11-16 23:05:21 -0800 | [diff] [blame] | 178 | checkRadiusPacket(aaaManager, responsePacket, EAP.ATTR_IDENTITY); |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 179 | |
| 180 | // (2) Supplicant identify |
| 181 | |
Ray Milkey | 967776a | 2015-10-07 14:37:17 -0700 | [diff] [blame] | 182 | Ethernet identifyPacket = constructSupplicantIdentifyPacket(null, EAP.ATTR_IDENTITY, (byte) 1, null); |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 183 | sendPacket(identifyPacket); |
| 184 | |
Ray Milkey | 967776a | 2015-10-07 14:37:17 -0700 | [diff] [blame] | 185 | RADIUS radiusIdentifyPacket = (RADIUS) fetchPacket(1); |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 186 | |
Jonathan Hart | 092dfb2 | 2015-11-16 23:05:21 -0800 | [diff] [blame] | 187 | checkRadiusPacketFromSupplicant(radiusIdentifyPacket); |
Ray Milkey | 967776a | 2015-10-07 14:37:17 -0700 | [diff] [blame] | 188 | |
| 189 | assertThat(radiusIdentifyPacket.getCode(), is(RADIUS.RADIUS_CODE_ACCESS_REQUEST)); |
| 190 | assertThat(new String(radiusIdentifyPacket.getAttribute(RADIUSAttribute.RADIUS_ATTR_USERNAME).getValue()), |
| 191 | is("testuser")); |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 192 | |
| 193 | IpAddress nasIp = |
| 194 | IpAddress.valueOf(IpAddress.Version.INET, |
Ray Milkey | 967776a | 2015-10-07 14:37:17 -0700 | [diff] [blame] | 195 | radiusIdentifyPacket.getAttribute(RADIUSAttribute.RADIUS_ATTR_NAS_IP) |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 196 | .getValue()); |
Jonathan Hart | 092dfb2 | 2015-11-16 23:05:21 -0800 | [diff] [blame] | 197 | assertThat(nasIp.toString(), is(aaaManager.nasIpAddress.getHostAddress())); |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 198 | |
| 199 | // State machine should have been created by now |
| 200 | |
| 201 | StateMachine stateMachine = |
Ray Milkey | 967776a | 2015-10-07 14:37:17 -0700 | [diff] [blame] | 202 | StateMachine.lookupStateMachineBySessionId(SESSION_ID); |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 203 | assertThat(stateMachine, notNullValue()); |
| 204 | assertThat(stateMachine.state(), is(StateMachine.STATE_PENDING)); |
| 205 | |
| 206 | // (3) RADIUS MD5 challenge |
| 207 | |
Ray Milkey | 967776a | 2015-10-07 14:37:17 -0700 | [diff] [blame] | 208 | RADIUS radiusCodeAccessChallengePacket = |
Jonathan Hart | 092dfb2 | 2015-11-16 23:05:21 -0800 | [diff] [blame] | 209 | constructRadiusCodeAccessChallengePacket(RADIUS.RADIUS_CODE_ACCESS_CHALLENGE, EAP.ATTR_MD5); |
Amit Ghosh | c9ac1e5 | 2017-07-28 12:31:18 +0100 | [diff] [blame] | 210 | aaaManager.handleRadiusPacket(radiusCodeAccessChallengePacket); |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 211 | |
Ray Milkey | 967776a | 2015-10-07 14:37:17 -0700 | [diff] [blame] | 212 | Ethernet radiusChallengeMD5Packet = (Ethernet) fetchPacket(2); |
Jonathan Hart | 092dfb2 | 2015-11-16 23:05:21 -0800 | [diff] [blame] | 213 | checkRadiusPacket(aaaManager, radiusChallengeMD5Packet, EAP.ATTR_MD5); |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 214 | |
| 215 | // (4) Supplicant MD5 response |
| 216 | |
Ray Milkey | 967776a | 2015-10-07 14:37:17 -0700 | [diff] [blame] | 217 | Ethernet md5RadiusPacket = |
| 218 | constructSupplicantIdentifyPacket(stateMachine, |
| 219 | EAP.ATTR_MD5, |
| 220 | stateMachine.challengeIdentifier(), |
| 221 | radiusChallengeMD5Packet); |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 222 | sendPacket(md5RadiusPacket); |
Ray Milkey | 967776a | 2015-10-07 14:37:17 -0700 | [diff] [blame] | 223 | |
| 224 | RADIUS responseMd5RadiusPacket = (RADIUS) fetchPacket(3); |
| 225 | |
Jonathan Hart | 092dfb2 | 2015-11-16 23:05:21 -0800 | [diff] [blame] | 226 | checkRadiusPacketFromSupplicant(responseMd5RadiusPacket); |
Amit Ghosh | c9ac1e5 | 2017-07-28 12:31:18 +0100 | [diff] [blame] | 227 | assertThat(responseMd5RadiusPacket.getIdentifier(), is((byte) 3)); |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 228 | assertThat(responseMd5RadiusPacket.getCode(), is(RADIUS.RADIUS_CODE_ACCESS_REQUEST)); |
| 229 | |
| 230 | // State machine should be in pending state |
| 231 | |
| 232 | assertThat(stateMachine, notNullValue()); |
| 233 | assertThat(stateMachine.state(), is(StateMachine.STATE_PENDING)); |
| 234 | |
Ray Milkey | 967776a | 2015-10-07 14:37:17 -0700 | [diff] [blame] | 235 | // (5) RADIUS Success |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 236 | |
Ray Milkey | 967776a | 2015-10-07 14:37:17 -0700 | [diff] [blame] | 237 | RADIUS successPacket = |
Jonathan Hart | 092dfb2 | 2015-11-16 23:05:21 -0800 | [diff] [blame] | 238 | constructRadiusCodeAccessChallengePacket(RADIUS.RADIUS_CODE_ACCESS_ACCEPT, EAP.SUCCESS); |
Amit Ghosh | c9ac1e5 | 2017-07-28 12:31:18 +0100 | [diff] [blame] | 239 | aaaManager.handleRadiusPacket((successPacket)); |
Ray Milkey | 967776a | 2015-10-07 14:37:17 -0700 | [diff] [blame] | 240 | Ethernet supplicantSuccessPacket = (Ethernet) fetchPacket(4); |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 241 | |
Jonathan Hart | 092dfb2 | 2015-11-16 23:05:21 -0800 | [diff] [blame] | 242 | checkRadiusPacket(aaaManager, supplicantSuccessPacket, EAP.SUCCESS); |
Ray Milkey | ea36645 | 2015-09-30 10:56:43 -0700 | [diff] [blame] | 243 | |
| 244 | // State machine should be in authorized state |
| 245 | |
| 246 | assertThat(stateMachine, notNullValue()); |
| 247 | assertThat(stateMachine.state(), is(StateMachine.STATE_AUTHORIZED)); |
Ray Milkey | 967776a | 2015-10-07 14:37:17 -0700 | [diff] [blame] | 248 | |
Ari Saha | 8983174 | 2015-06-26 10:31:48 -0700 | [diff] [blame] | 249 | } |
Ray Milkey | fcb623d | 2015-10-01 16:48:18 -0700 | [diff] [blame] | 250 | |
Ray Milkey | fcb623d | 2015-10-01 16:48:18 -0700 | [diff] [blame] | 251 | /** |
| 252 | * Tests the default configuration. |
| 253 | */ |
| 254 | @Test |
| 255 | public void testConfig() { |
Jonathan Hart | 092dfb2 | 2015-11-16 23:05:21 -0800 | [diff] [blame] | 256 | assertThat(aaaManager.nasIpAddress.getHostAddress(), is(AaaConfig.DEFAULT_NAS_IP)); |
| 257 | assertThat(aaaManager.nasMacAddress, is(AaaConfig.DEFAULT_NAS_MAC)); |
| 258 | assertThat(aaaManager.radiusIpAddress.getHostAddress(), is(BAD_IP_ADDRESS)); |
| 259 | assertThat(aaaManager.radiusMacAddress, is(AaaConfig.DEFAULT_RADIUS_MAC)); |
Ray Milkey | fcb623d | 2015-10-01 16:48:18 -0700 | [diff] [blame] | 260 | } |
Ari Saha | 8983174 | 2015-06-26 10:31:48 -0700 | [diff] [blame] | 261 | } |