This repository has been archived by the owner on Feb 7, 2019. It is now read-only.

Merge pull request #4 from jborean93/iis-integration-tests
Iis integration tests
jborean93 committed Aug 26, 2016
2 parents 59c6473 + c787d0c commit fbe4c7f
Showing 7 changed files with 344 additions and 5 deletions.
3 changes: 2 additions & 1 deletion .travis.yml
Expand Up @@ -15,7 +15,8 @@ install:

# command to run tests
script:
- py.test --cov ntlm3 --cov-report term-missing test
# Ignoring test_iis.py as it requires a windows host, this is run in appveyor instead
- py.test --cov ntlm3 --cov-report term-missing test --ignore test/integration/test_iis.py

after_success:
- coveralls
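Review bot: the `--ignore test/integration/test_iis.py` flag ties the skip to one file path and to this Travis command line, so anyone running `py.test test` on a non-Windows machine (or moving the file) gets the failure back. A `pytest.mark.skipif(sys.platform != 'win32', reason=...)` marker inside `test_iis.py` skips it everywhere except Windows without the CI-specific flag, and the `# Ignoring test_iis.py ...` comment could then go.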
3 changes: 2 additions & 1 deletion CHANGES.md
Expand Up @@ -27,10 +27,11 @@ Initial public offering.
* Moved code to separate classes to help cleanup the code
* Added support for channel_bindings (CBT) when supplying a certificate hash
* Added support for MIC data for authenticate messages
* Preliminary support for signing and sealing of messages. Needs to be done outside of auth messages and tested more thoroughly
* Added support for signing and sealing of messages. Actual message structure is done outside of python-ntlm3 in the app level but this can still encrypt whatever message is sent through.
* Removed some methods that weren't being used at all (most were starting to implement these features above but weren't there)
* More comments on each methods relating back to the MS-NLMP document pack on NTLM authentication for easier maintenance
* Created target_info.py to handle AV_PAIRS and putting it in the target info
* Renaming of some variables to match more closely with the Microsoft documentation, makes it easier to understand what is happening
* Rewriting of tests to accommodate these new changes and to cover the new cases
* Added better itegration test in Appveyor to test a connection to a local IIS server configured to only allow NTLM authentication
* The methods `create_NTLM_NEGOTIATE_MESSAGE`, `parse_NTLM_CHALLENGE_MESSAGE`, `create_NTLM_AUTHENTICATE_MESSAGE` will no longer be supported in future version. They do not support NTLMv2 auth and are only left for compatibility
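Review bot: typos in the changed lines: `itegration` should be `integration` and `in future version` should be `in a future version`. The signing/sealing entry now states the feature as done where the old entry flagged it as needing more testing; it would help readers if the line said whether the new IIS integration test exercises sealing over the wire or whether coverage is still unit tests only, since that is the gap the old wording called out.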
9 changes: 6 additions & 3 deletions README.md
Expand Up @@ -19,7 +19,7 @@ Features
* Set the The NTLM Compatibility level when sending messages
* Channel Binding Tokens support, need to pass in the SHA256 hash of the certificate for it to work
* Support for MIC to enhance the integrity of the messages
* (To be Tested) Support for session security with signing and sealing messages after authentication happens
* Support for session security with signing and sealing of message contents

Installation
------------
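Review bot: dropping the "(To be Tested)" qualifier from the session security line is only justified if the IIS test added in this PR actually wraps and unwraps messages against the server; the test file itself is not in the visible diff, so please confirm before the README makes that claim. While in this block, the unchanged line above has a doubled word: "Set the The NTLM Compatibility level".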
Expand Down Expand Up @@ -114,7 +114,11 @@ authenticate_message = ntlm_context.create_authenticate_message(user_name, passw

#### Signing/Sealing

All version of NTLM supports signing (integrity) and sealing (confidentiality) of message content. This function can add these improvements to a message that is sent and received from the server. While it does encrypt the data if supported by the server it is only done with RC4 with a 128-bit key which is not very secure and on older systems this key length could be 56 or 40 bit. This functionality while tested and conforms with the Microsoft documentation has yet to be fully tested in an integrated environment. Once again this has not been thoroughly tested and has only passed unit tests and their expections.
All version of NTLM supports signing (integrity) and sealing (confidentiality) of message content. This function can add these improvements to a message that is sent and received from the server. While it does encrypt the data if supported by the server it is only done with RC4 with a 128-bit key which is not very secure and on older systems this key length could be 56 or 40 bit.

The methods in session_security are similar to the GSS_WrapEx() and GSS_UnwrapEx() where it will take in the message body that is sent to the server and wrap (encrypt) and return both the encrypted value and the signature. Unwrap does the inverse where it verifies the signature and unwraps (decrypt) the data and return the plaintext value.

The format of the message is dependent on the protocol that you are using and is not part of python-ntlm3's scope.

```python
import socket
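Review bot: grammar in the retained first paragraph: "All version of NTLM supports" should read "All versions of NTLM support". The more useful fix for readers is that the paragraph warns sealing may fall back to a 56- or 40-bit RC4 key on older systems but gives no way to detect it; a sentence on how the caller can check the negotiated key length (the backlog item about refusing non-128-bit keys is the enforcement side of the same problem) would stop users relying on weak sealing unknowingly. In the GSS_WrapEx/GSS_UnwrapEx paragraph, "return" should be "returns" in both sentences, and it is worth saying explicitly that unwrap must fail (not return plaintext) when the signature check fails.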
Expand Down Expand Up @@ -164,7 +168,6 @@ Please use the Ntlm class in ntlm.py in the future as this brings supports for N
Backlog
-------
* Remove the old ntlm.py code that has been left there for compatibility in the next major version release. This does not support NTLMv2 auth
* Fully test out signing and sealing of messages over the wire with another library
* Automatically get windows version if running on windows, use default if not that case
* Add param when initialising the ntlm context to throw an exception and cancel auth if the server doesn't support 128-bit keys for sealing
* Add param when initialising the ntlm context to not send the MIC structure for older servers
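Review bot: removing the "Fully test out signing and sealing of messages over the wire" backlog item closes that gap only if the new IIS integration test sends sealed messages to the server; if it only covers authentication, keep the item or reword it so the remaining gap (sealing, not authentication) is still recorded. The unchanged item "use default if not that case" would read more clearly as "use the default otherwise".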
8 changes: 8 additions & 0 deletions appveyor.yml
Expand Up @@ -63,6 +63,11 @@ install:

build: false # Not a C# project, build stuff at the test step instead.

before_test:
# Sets up 2 IIS sites to use in the integration tests only run on windows.
# This will actually test out NTLM authentication with a real client and not just documentation exmaples
- PowerShell appveyor\setup_iis.ps1

test_script:
- "%CMD_IN_ENV% py.test test"

Expand All @@ -76,5 +81,8 @@ artifacts:
matrix:
fast_finish: true

services:
- iis

#on_success:
# - TODO: upload the content of dist/*.whl to a public wheelhouse
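Review bot: `services: - iis` is the right way to have AppVeyor start IIS before `before_test` runs, but the setup script also depends on the `WebAdministration` module, `appcmd.exe` and `New-SelfSignedCertificate`, which the service entry does not by itself guarantee; a short comment here naming those prerequisites (or the image they are known to work on) would save the next person a failed build.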
64 changes: 64 additions & 0 deletions appveyor/setup_iis.ps1
@@ -0,0 +1,64 @@
# Script to install an IIS website with windows authentication only as well as setting up a local admin account
# Authors: Jordan Borean
# License: CC0 1.0 Universal: http://creativecommons.org/publicdomain/zero/1.0/

function SetupUser() {
$computername = $env:computername
$username = 'User'
$password = 'Password01'
$desc = 'Automatically created local admin account'

$computer = [ADSI]"WinNT://$computername,computer"
$user = $computer.Create("user", $username)
$user.SetPassword($password)
$user.Setinfo()
$user.description = $desc
$user.setinfo()
$user.UserFlags = 65536
$user.SetInfo()
$group = [ADSI]("WinNT://$computername/administrators,group")
$group.add("WinNT://$username,user")
}

function SetupIIS () {
Import-Module WebAdministration

$cert = New-SelfSignedCertificate -DnsName ("127.0.0.1") -CertStoreLocation cert:\LocalMachine\My
$rootStore = Get-Item cert:\LocalMachine\Root
$rootStore.Open("ReadWrite")
$rootStore.Add($cert)
$rootStore.Close();

New-Item C:\temp -Type Directory -Force
New-Item C:\temp\iisroot -Type Directory -Force
New-Item C:\temp\iisroot\contents.txt -Type File -Force -Value "contents"

$iisExec = "C:\Windows\System32\inetsrv\appcmd.exe"

Start-Process -FilePath $iisExec -ArgumentList "add site /name:""Site1"" /id:11 /physicalPath:""C:\temp\iisroot"" /bindings:http/*:81:" -Wait
Start-Process -FilePath $iisExec -ArgumentList "set config ""Site1"" -section:system.webServer/security/authentication/anonymousAuthentication /enabled:""False"" /commit:apphost" -Wait
Start-Process -FilePath $iisExec -ArgumentList "set config ""Site1"" -section:system.webServer/security/authentication/windowsAuthentication /enabled:""True"" /commit:apphost" -Wait
Start-Process -FilePath $iisExec -ArgumentList "set config ""Site1"" -section:system.webServer/security/authentication/windowsAuthentication /extendedProtection.tokenChecking:""Require"" /extendedProtection.flags:""None"" /commit:apphost" -Wait
Start-Process -FilePath $iisExec -ArgumentList "stop site /site.name:""Site1"" " -Wait
Start-Process -FilePath $iisExec -ArgumentList "start site /site.name:""Site1"" " -Wait

Start-Process -FilePath $iisExec -ArgumentList "add site /name:""Site2"" /id:12 /physicalPath:""C:\temp\iisroot"" /bindings:http/*:82:" -Wait
Start-Process -FilePath $iisExec -ArgumentList "set config ""Site2"" -section:system.webServer/security/authentication/anonymousAuthentication /enabled:""False"" /commit:apphost" -Wait
Start-Process -FilePath $iisExec -ArgumentList "set config ""Site2"" -section:system.webServer/security/authentication/windowsAuthentication /enabled:""True"" /commit:apphost" -Wait
Start-Process -FilePath $iisExec -ArgumentList "set config ""Site2"" -section:system.webServer/security/authentication/windowsAuthentication /extendedProtection.tokenChecking:""None"" /extendedProtection.flags:""None"" /commit:apphost" -Wait
Start-Process -FilePath $iisExec -ArgumentList "stop site /site.name:""Site2"" " -Wait
Start-Process -FilePath $iisExec -ArgumentList "start site /site.name:""Site2"" " -Wait

Set-Location IIS:\SslBindings
New-WebBinding -Name "Site1" -IP "*" -Port 441 -Protocol https
New-WebBinding -Name "Site2" -IP "*" -Port 442 -Protocol https
$cert | New-Item 0.0.0.0!441
$cert | New-Item 0.0.0.0!442
}

function main () {
SetupUser
SetupIIS
}

main
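Review bot: none of the `Start-Process -FilePath $iisExec ... -Wait` calls check appcmd's exit code, so a failed `add site` or `set config` is silently ignored and the tests then fail for an unrelated-looking reason; use `-PassThru` and test `.ExitCode`, or invoke `& $iisExec add site ...` directly and check `$LASTEXITCODE`, and put `$ErrorActionPreference = 'Stop'` at the top of the script. Three smaller points. `SetupUser` adds the test account to the local Administrators group and sets `UserFlags = 65536` (password never expires); NTLM authentication to the site needs only a local user that can log on, so a non-admin account keeps the CI VM's account least-privilege even though the VM is disposable, and a comment explaining the hardcoded `User`/`Password01` pair is intentional test data would help. The certificate is created with `-DnsName ("127.0.0.1")`, which places an IP literal in a DNS subject alternative name, so clients that validate hostnames will not match it against the address; fine if the tests disable verification, but say so in a comment so nobody later assumes verification can simply be turned on. Finally, the two site blocks differ only in name, id, ports and `extendedProtection.tokenChecking` (`Require` on Site1 for the channel-binding case, `None` on Site2), so a helper taking those values would halve the duplication and make the CBT difference between the two sites obvious at a glance.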
1 change: 1 addition & 0 deletions requirements-dev.txt
Expand Up @@ -4,5 +4,6 @@ httpretty
flake8
mock
wheel
requests
six
unittest2