diff --git a/configure.ac b/configure.ac index c3fae5b8..5ae82764 100644 --- a/configure.ac +++ b/configure.ac @@ -197,6 +197,23 @@ AC_LINK_IFELSE([AC_LANG_PROGRAM([ LIBS="$oldlibs" fi +AC_ARG_WITH(all-tests, + AS_HELP_STRING([--with-all-tests], [do not include tests which require code in the server]), + all_tests=$withval, + all_tests=no) + +if test "$all_tests" != no;then +PKG_CHECK_MODULES([CWRAP], [uid_wrapper, socket_wrapper], have_cwrap=yes, have_cwrap=no) +else +have_cwrap=no +fi + +if test "$have_cwrap" != no;then + AC_DEFINE([HAVE_CWRAP], 1, [Enable testing with cwrap]) +fi + +AM_CONDITIONAL(HAVE_CWRAP, test "x$have_cwrap" != xno) + AC_ARG_WITH(radius, AS_HELP_STRING([--without-radius], [do not include Radius support]), test_for_radius=$withval, @@ -494,6 +511,7 @@ Summary of build options: Install prefix: ${prefix} Compiler: ${CC} CFlags: ${CFLAGS} + CWrap testing: ${have_cwrap} PAM auth backend: ${pam_enabled} Radius auth backend: ${radius_enabled} diff --git a/src/common/system.c b/src/common/system.c index 3228606a..252dc248 100644 --- a/src/common/system.c +++ b/src/common/system.c @@ -28,6 +28,7 @@ #include #include +#include /* getenv */ #include #include @@ -61,6 +62,25 @@ SIGHANDLER_T ocsignal(int signum, SIGHANDLER_T handler) return old_action.sa_handler; } +#ifdef HAVE_CWRAP +static unsigned uid_wrapper_enabled(void) +{ + static unsigned int cval = -1; + const char *p; + + if (cval == -1) { + p = getenv("UID_WRAPPER"); + if (p != NULL && p[0] == '1') + cval = 1; + else + cval = 0; + } + return cval; +} +#else +# define uid_wrapper_enabled() 0 +#endif + /* Checks whether the peer in a socket has the expected @uid and @gid. * Returns zero on success. */ 
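Review bot: The help text in the new `AC_ARG_WITH(all-tests, ...)` reads "do not include tests which require code in the server", which is the opposite of what passing `--with-all-tests` does (it sets `all_tests` and enables the cwrap probe). Since `HAVE_CWRAP` also compiles the credential-check bypass in src/common/system.c into the server, the help string should say so, for example `AS_HELP_STRING([--with-all-tests], [enable tests that need test-only hooks compiled into the server; not for production builds])`. An `AC_MSG_WARN` when `have_cwrap` ends up `yes` would repeat the point in the configure output.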
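Review bot: `uid_wrapper_enabled()` lets the process environment switch off peer credential checking: in any build with `HAVE_CWRAP` defined, starting the server with `UID_WRAPPER=1` makes it return 1, and the later hunks in `check_upeer_id()` return success on that. The function carries no comment saying so; I would add one above it, e.g. `/* Test-only: non-zero when UID_WRAPPER=1 is set; callers then skip peer credential checks. Must not be enabled in release builds. */`. Separately, `static unsigned int cval = -1;` with `if (cval == -1)` only works through the implicit conversion to `UINT_MAX`; `static int cval = -1;` states the sentinel directly. The test `p[0] == '1'` also accepts any value that merely starts with `1`.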
@@ -95,6 +115,10 @@ int check_upeer_id(const char *mod, int debug, int cfd, uid_t uid, uid_t gid, ui if (pid) *pid = cr.pid; + /* To enable testing we use uid_wrapper. That unfortunately cannot handle + * this credential checking, so we disable credential checking when using it */ + if (uid_wrapper_enabled() != 0) return 0; + if (cr.uid != 0 && (cr.uid != uid || cr.gid != gid)) { syslog(LOG_ERR, "%s: received unauthorized request from pid %u and uid %u", @@ -124,6 +148,10 @@ int check_upeer_id(const char *mod, int debug, int cfd, uid_t uid, uid_t gid, ui syslog(LOG_DEBUG, "%s: received request from a processes with uid %u", mod, (unsigned)euid); + + /* see above */ + if (uid_wrapper_enabled() != 0) return 0; + if (euid != 0 && (euid != uid || egid != gid)) { syslog(LOG_ERR, "%s: received unauthorized request from a process with uid %u", diff --git a/tests/Makefile.am b/tests/Makefile.am index bb662866..a09bf533 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am 
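Review bot: The new `if (uid_wrapper_enabled() != 0) return 0;` skips the uid/gid comparison without leaving any trace, so a server built with cwrap support and started with `UID_WRAPPER=1` accepts every peer silently. Logging the bypass would make it visible in syslog: `if (uid_wrapper_enabled() != 0) { syslog(LOG_WARNING, "%s: peer credential check skipped (uid_wrapper)", mod); return 0; }`. The same applies to the second copy in the `@@ -124,6 +148,10 @@` hunk, where the comment is only `/* see above */`. `check_upeer_id()` starts and ends outside both hunks.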
@@ -15,15 +15,19 @@ EXTRA_DIST = ca-key.pem ca.pem common.sh server-cert.pem server-key.pem test1.co SUBDIRS = docker-ocserv docker-kerberos -dist_check_SCRIPTS = test-pass test-pass-cert test-cert test-iroute test-pass-script \ - test-multi-cookie full-test test-group-pass test-pass-group-cert \ - ocpasswd-test test-pass-group-cert-no-pass unix-test test-pass-opt-cert \ +dist_check_SCRIPTS = test-iroute test-pass-script \ + test-multi-cookie full-test ocpasswd-test unix-test test-pass-opt-cert \ test-cookie-timeout test-cookie-timeout-2 radius-test test-explicit-ip \ - radius-test test-gssapi kerberos-test pam-test test-ban test-sighup \ - test-cookie-invalidation radius-test-config test-enc-key proxyproto-test \ + radius-test test-gssapi kerberos-test pam-test test-ban \ + test-cookie-invalidation radius-test-config proxyproto-test \ proxyproto-unix-test pam-noauth-test otp-test test-user-config \ test-cookie-rotation +if HAVE_CWRAP +dist_check_SCRIPTS += test-pass test-pass-cert test-cert test-group-pass \ + test-pass-group-cert test-pass-group-cert-no-pass test-sighup \ + test-enc-key +endif AM_CPPFLAGS = \ $(LIBOPTS_CFLAGS) \ diff --git a/tests/common.sh b/tests/common.sh index 5507e397..3437b373 100644 --- a/tests/common.sh +++ b/tests/common.sh @@ -22,9 +22,21 @@ # Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. #this test can only be run as root -id|grep root >/dev/null 2>&1 -if [ $? != 0 ];then - exit 77 + +OPENCONNECT=/usr/sbin/openconnect + +if test -z "$NO_NEED_ROOT";then + id|grep root >/dev/null 2>&1 + if [ $? != 0 ];then + exit 77 + fi +else + SOCKDIR=${srcdir}/sockwrap.$$.tmp + mkdir -p $SOCKDIR + export SOCKET_WRAPPER_DIR=$SOCKDIR + export SOCKET_WRAPPER_DEFAULT_IFACE=2 + ADDRESS=127.0.0.$SOCKET_WRAPPER_DEFAULT_IFACE + OPENCONNECT="eval LD_PRELOAD=libsocket_wrapper.so /usr/sbin/openconnect" fi if ! test -x /usr/sbin/openconnect;then 
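Review bot: Moving `test-pass`, `test-cert`, `test-pass-cert` and the group/certificate tests under `if HAVE_CWRAP` means a default build (`all_tests=no`) no longer runs any of the wrong-password, missing-certificate or revoked-certificate checks, even as root, where they ran before. If that is intended it should be stated above the conditional, e.g. `# These tests run unprivileged under socket_wrapper/uid_wrapper and need --with-all-tests`. `tests/test-group-cert` is converted to `NO_NEED_ROOT` in this commit as well but appears in neither list in the visible hunk. `radius-test` is still listed twice in the unconditional list.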
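Review bot: In the `NO_NEED_ROOT` branch, `OPENCONNECT="eval LD_PRELOAD=libsocket_wrapper.so /usr/sbin/openconnect"` sends every call through `eval`, so arguments such as the `-u "sp@c/al"` used in tests/test-pass are parsed by the shell a second time. The test scripts in this commit already prefix `LD_PRELOAD=libsocket_wrapper.so` themselves, so the plain `OPENCONNECT=/usr/sbin/openconnect` set at the top would do. `$SOCKDIR` is also unquoted in `mkdir -p $SOCKDIR` and in the export; `mkdir -p "$SOCKDIR"` is safer if `srcdir` contains spaces. `ADDRESS` is assigned only in this branch, so a script that uses `$ADDRESS:$PORT` without `NO_NEED_ROOT` gets an empty host.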
@@ -32,7 +44,6 @@ if ! test -x /usr/sbin/openconnect;then exit 77 fi -OPENCONNECT=/usr/sbin/openconnect fail() { PID=$1 @@ -54,8 +65,24 @@ launch_server() { fi } +launch_sr_server() { + LD_PRELOAD=libsocket_wrapper.so:libuid_wrapper.so UID_WRAPPER=1 UID_WRAPPER_ROOT=1 $SERV $* >/dev/null 2>&1 & + LOCALPID="$!"; + trap "[ ! -z \"${LOCALPID}\" ] && kill ${LOCALPID};" 15 + wait "${LOCALPID}" + LOCALRET="$?" + if [ "${LOCALRET}" != "0" ] && [ "${LOCALRET}" != "143" ] ; then + # Houston, we'v got a problem... + exit 1 + fi +} + +launch_simple_sr_server() { + LD_PRELOAD=libsocket_wrapper.so:libuid_wrapper.so UID_WRAPPER=1 UID_WRAPPER_ROOT=1 $SERV $* >/dev/null 2>&1 & +} + launch_simple_server() { - $SERV $* >/dev/null 2>&1 & + $PRELOAD_CMD $SERV $* >/dev/null 2>&1 & } launch_debug_server() { @@ -75,4 +102,10 @@ wait_server() { sleep 5 } +cleanup() { + kill $PID + wait + test -n "$SOCKDIR" && rm -rf $SOCKDIR +} + trap "fail \"Failed to launch the server, aborting test... \"" 10 diff --git a/tests/test-cert b/tests/test-cert index 9b728ca7..69e18e8f 100755 --- a/tests/test-cert +++ b/tests/test-cert @@ -20,6 +20,7 @@ SERV="${SERV:-../src/ocserv}" srcdir=${srcdir:-.} +NO_NEED_ROOT=1 PORT=4446 . `dirname $0`/common.sh 
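Review bot: `launch_simple_server` now runs `$PRELOAD_CMD $SERV $*`, but `PRELOAD_CMD` is not assigned anywhere in the visible changes, so it expands to nothing unless the caller's environment provides it. Either define it next to `SOCKDIR` in the `NO_NEED_ROOT` branch or drop it. `launch_sr_server` and `launch_simple_sr_server` repeat the same `LD_PRELOAD=libsocket_wrapper.so:libuid_wrapper.so UID_WRAPPER=1 UID_WRAPPER_ROOT=1` prefix; holding it in one variable would keep the two in step. `$*` loses argument boundaries where `"$@"` keeps them.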
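Review bot: `cleanup()` runs `rm -rf $SOCKDIR` unquoted, and `SOCKDIR` is assigned only when `NO_NEED_ROOT` is set, so in the root branch a `SOCKDIR` inherited from the environment would be removed. Initialising `SOCKDIR=` before the `NO_NEED_ROOT` test and using `test -n "$SOCKDIR" && rm -rf -- "$SOCKDIR"` closes both. `kill $PID` has the same quoting issue and prints an error if `PID` is empty.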
@@ -37,24 +38,24 @@ if test $? != 0;then exit 77 fi -launch_simple_server -d 1 -f -c test3.config +launch_simple_sr_server -d 1 -f -c test3.config PID=$! wait_server $PID echo -n "Connecting to obtain cookie (without certificate)... " -( $OPENCONNECT -q localhost:$PORT --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly /dev/null 2>&1 ) && +( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly /dev/null 2>&1 ) && fail $PID "Connected without certificate!" echo ok echo -n "Connecting to obtain cookie (with certificate)... " -( $OPENCONNECT -q localhost:$PORT --sslkey ./user-key.pem -c ./user-cert.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly /dev/null 2>&1 ) || +( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ./user-key.pem -c ./user-cert.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly /dev/null 2>&1 ) || fail $PID "Could not connect with certificate!" echo ok -#Try DER encoded CRL +echo "Try a DER encoded CRL" certtool --generate-crl --load-ca-privkey ca-key.pem --load-ca-certificate ca.pem \ --outder --outfile crl.pem --template crl.tmpl >/dev/null 2>&1 @@ -68,7 +69,7 @@ kill -HUP $PID sleep 5 echo -n "Connecting to obtain cookie (with DER CRL)... " -( $OPENCONNECT -q localhost:$PORT --sslkey ./user-key.pem -c ./user-cert.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly /dev/null 2>&1 ) || +( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ./user-key.pem -c ./user-cert.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly /dev/null 2>&1 ) || fail $PID "Could not connect with certificate!" echo ok 
@@ -76,9 +77,9 @@ echo ok #revoke the certificate certtool --generate-crl --load-ca-privkey ca-key.pem --load-ca-certificate ca.pem \ - --load-certificate ./user-cert.pem --outfile crl.pem --template crl.tmpl >/dev/null 2>&1 + --outder --load-certificate ./user-cert.pem --outfile crl.pem --template crl.tmpl >/dev/null 2>&1 if test $? != 0;then - kill $PID + cleanup exit 77 fi @@ -87,18 +88,17 @@ kill -HUP $PID sleep 5 echo -n "Connecting to obtain cookie (with revoked certificate)... " -( $OPENCONNECT -q localhost:$PORT --sslkey ./user-key.pem -c ./user-cert.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly /dev/null 2>&1 ) && +( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ./user-key.pem -c ./user-cert.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly /dev/null 2>&1 ) && fail $PID "Connected with revoked certificate!" echo ok #echo "Normal connection... " -#( echo "test" | $OPENCONNECT -q localhost:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true ) || +#( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true ) || # fail $PID "Could not connect to server" rm -f crl.pem crl.tmpl -kill $PID -wait +cleanup exit 0 diff --git a/tests/test-enc-key b/tests/test-enc-key index fd0861aa..fd9faf43 100755 --- a/tests/test-enc-key +++ b/tests/test-enc-key 
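Review bot: Adding `--outder` to the revocation `certtool --generate-crl` call means both CRLs generated in the visible part of this script are DER, so the revoked-certificate check no longer exercises a PEM-encoded CRL; before this change the revoking CRL was PEM. If the switch is deliberate, a comment such as `# revocation CRL is DER as well; PEM CRLs are covered by TEST_NAME` (placeholder) would record where PEM is still tested. The output file is still named `crl.pem`. The script's earlier CRL setup is outside this hunk, so PEM may be covered there.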
@@ -20,17 +20,18 @@ SERV="${SERV:-../src/ocserv}" srcdir=${srcdir:-.} +NO_NEED_ROOT=1 PORT=4456 . `dirname $0`/common.sh echo "Testing local backend with encrypted PKCS #8 key file... " -launch_server -d 1 -f -c test-enc-key.config & PID=$! +launch_sr_server -d 1 -f -c test-enc-key.config & PID=$! wait_server $PID echo "Connecting to obtain cookie... " -( echo "test" | $OPENCONNECT -q localhost:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || +( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || fail $PID "Could not receive cookie from server" kill $PID @@ -40,15 +41,13 @@ sleep 3 echo "Testing local backend with encrypted openssl key file... " -launch_server -d 1 -f -c test-enc-key2.config & PID=$! +launch_sr_server -d 1 -f -c test-enc-key2.config & PID=$! wait_server $PID echo "Connecting to obtain cookie... " -( echo "test" | $OPENCONNECT -q localhost:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || +( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || fail $PID "Could not receive cookie from server" -kill $PID -wait - +cleanup exit 0 diff --git a/tests/test-enc-key.config b/tests/test-enc-key.config index 2f7cd6bb..b55d7359 100644 --- a/tests/test-enc-key.config +++ b/tests/test-enc-key.config 
@@ -124,14 +124,14 @@ cookie-validity = 172800 use-utmp = true # PID file -pid-file = /var/run/ocserv.pid +pid-file = ./ocserv.pid # The default server directory. Does not require any devices present. #chroot-dir = /path/to/chroot # socket file used for IPC, will be appended with .PID # It must be accessible within the chroot environment (if any) -socket-file = /var/run/ocserv-socket +socket-file = ./ocserv-socket # The user the worker processes will be run as. It should be # unique (no other services run as this user). diff --git a/tests/test-enc-key2.config b/tests/test-enc-key2.config index 5f988aa8..a7d07164 100644 --- a/tests/test-enc-key2.config +++ b/tests/test-enc-key2.config @@ -124,14 +124,14 @@ cookie-validity = 172800 use-utmp = true # PID file -pid-file = /var/run/ocserv.pid +pid-file = ./ocserv.pid # The default server directory. Does not require any devices present. #chroot-dir = /path/to/chroot # socket file used for IPC, will be appended with .PID # It must be accessible within the chroot environment (if any) -socket-file = /var/run/ocserv-socket +socket-file = ./ocserv-socket # The user the worker processes will be run as. It should be # unique (no other services run as this user). diff --git a/tests/test-group-cert b/tests/test-group-cert old mode 100644 new mode 100755 index 4c16b94e..44d22c3d --- a/tests/test-group-cert +++ b/tests/test-group-cert 
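Review bot: `pid-file = ./ocserv.pid` is a relative path shared by every test config changed in this commit (test-enc-key2, test-group-cert, test-group-pass, test-sighup, test-user-cert), so tests run concurrently from the same directory would overwrite each other's PID file; the socket is less affected since, per the comment, `.PID` is appended. Both paths now resolve against the server's working directory, and these tests run with the peer credential check disabled, so the directory's permissions are what protects `./ocserv-socket`. A comment such as `# relative to the tests directory; run the tests from there` would make the dependency explicit.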
@@ -20,47 +20,47 @@ SERV="${SERV:-../src/ocserv}" srcdir=${srcdir:-.} +NO_NEED_ROOT=1 PORT=6550 . `dirname $0`/common.sh echo "Testing local backend with certificate... " -launch_server -d 1 -f -c test-group-cert.config & PID=$! +launch_sr_server -d 1 -f -c test-group-cert.config & PID=$! wait_server $PID echo -n "Connecting to obtain cookie (without certificate)... " -( echo "test" | $OPENCONNECT --authgroup group1 -q localhost:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && +( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group1 -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && fail $PID "Connected without certificate!" echo ok echo -n "Connecting to obtain cookie - group1 (with certificate)... " -( echo "test" | $OPENCONNECT --authgroup group1 -q localhost:$PORT --sslkey ./user-group-key.pem -c ./user-group-cert.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || +( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group1 -q $ADDRESS:$PORT --sslkey ./user-group-key.pem -c ./user-group-cert.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || fail $PID "Could not connect with certificate!" echo ok echo -n "Connecting to obtain cookie - group2 (with certificate)... " -( echo "test" | $OPENCONNECT --authgroup group2 -q localhost:$PORT --sslkey ./user-group-key.pem -c ./user-group-cert.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || +( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group2 -q $ADDRESS:$PORT --sslkey ./user-group-key.pem -c ./user-group-cert.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || fail $PID "Could not connect with certificate!" 
echo ok echo -n "Connecting to obtain cookie - group3 (hidden) (with certificate)... " -( echo "test" | $OPENCONNECT --authgroup group3 -q localhost:$PORT --sslkey ./user-group-key.pem -c ./user-group-cert.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || +( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group3 -q $ADDRESS:$PORT --sslkey ./user-group-key.pem -c ./user-group-cert.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || fail $PID "Could not connect with certificate!" echo ok echo -n "Connecting to obtain cookie - group4 (with certificate)... " -( echo "test" | $OPENCONNECT --authgroup group4 -q localhost:$PORT --sslkey ./user-group-key.pem -c ./user-group-cert.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || +( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group4 -q $ADDRESS:$PORT --sslkey ./user-group-key.pem -c ./user-group-cert.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || fail $PID "Could not connect with certificate!" echo ok -kill $PID -wait +cleanup exit 0 diff --git a/tests/test-group-cert.config b/tests/test-group-cert.config index 77c5666c..7451189c 100644 --- a/tests/test-group-cert.config +++ b/tests/test-group-cert.config @@ -129,14 +129,14 @@ cookie-validity = 172800 use-utmp = true # PID file -pid-file = /var/run/ocserv.pid +pid-file = ./ocserv.pid # The default server directory. Does not require any devices present. #chroot-dir = /path/to/chroot # socket file used for IPC, will be appended with .PID # It must be accessible within the chroot environment (if any) -socket-file = /var/run/ocserv-socket +socket-file = ./ocserv-socket # The user the worker processes will be run as. It should be # unique (no other services run as this user). 
diff --git a/tests/test-group-pass b/tests/test-group-pass
index e95dd7ba..c90b617b 100755
--- a/tests/test-group-pass
+++ b/tests/test-group-pass
@@ -20,32 +20,32 @@ SERV="${SERV:-../src/ocserv}" srcdir=${srcdir:-.} +NO_NEED_ROOT=1 PORT=6552 . `dirname $0`/common.sh echo "Testing local backend with username-group-password... " -launch_server -d 1 -f -c test-group-pass.config & PID=$! +launch_sr_server -d 1 -f -c test-group-pass.config & PID=$! wait_server $PID echo "Connecting to obtain cookie... " -( echo "test" | $OPENCONNECT -q localhost:$PORT -u test --authgroup group1 --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || +( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --authgroup group1 --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || fail $PID "Could not receive cookie from server" echo "Connecting to obtain cookie... " -( echo "test" | $OPENCONNECT -q localhost:$PORT -u test --authgroup group2 --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || +( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --authgroup group2 --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || fail $PID "Could not receive cookie from server" echo "Connecting to obtain cookie... " -( echo "test" | $OPENCONNECT -q localhost:$PORT -u test --authgroup group2 --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || +( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --authgroup group2 --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || fail $PID "Could not receive cookie from server" echo "Connecting to obtain cookie with wrong groupname... 
" -( echo "test" | $OPENCONNECT -q localhost:$PORT -u test --authgroup group4 --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && +( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --authgroup group4 --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && fail $PID "Received cookie when we shouldn't" -kill $PID -wait +cleanup exit 0 diff --git a/tests/test-group-pass.config b/tests/test-group-pass.config index ef0b3e87..9a041efd 100644 --- a/tests/test-group-pass.config +++ b/tests/test-group-pass.config @@ -131,14 +131,14 @@ cookie-validity = 172800 use-utmp = true # PID file -pid-file = /var/run/ocserv.pid +pid-file = ./ocserv.pid # The default server directory. Does not require any devices present. #chroot-dir = /path/to/chroot # socket file used for IPC, will be appended with .PID # It must be accessible within the chroot environment (if any) -socket-file = /var/run/ocserv-socket +socket-file = ./ocserv-socket # The user the worker processes will be run as. It should be # unique (no other services run as this user). diff --git a/tests/test-pass b/tests/test-pass index b0318879..a68f581d 100755 --- a/tests/test-pass +++ b/tests/test-pass 
@@ -20,42 +20,42 @@ SERV="${SERV:-../src/ocserv}" srcdir=${srcdir:-.} +NO_NEED_ROOT=1 PORT=4444 . `dirname $0`/common.sh echo "Testing local backend with username-password... " -launch_server -d 1 -f -c test1.config & PID=$! +launch_sr_server -d 1 -f -c test1.config & PID=$! wait_server $PID echo "Connecting to obtain cookie... " -( echo "test" | $OPENCONNECT -q localhost:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || +( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly ) || fail $PID "Could not receive cookie from server" echo "Connecting to obtain cookie with wrong password... " -( echo "tost" | $OPENCONNECT -q localhost:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && +( echo "tost" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && fail $PID "Received cookie when we shouldn't" echo "Connecting to obtain cookie with wrong username... " -( echo "tost" | $OPENCONNECT -q localhost:$PORT -u tost --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && +( echo "tost" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u tost --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && fail $PID "Received cookie when we shouldn't" #test special characters echo "Connecting to obtain cookie... 
" -( echo "!@#$%^&*()<>" | $OPENCONNECT -q localhost:$PORT -u "sp@c/al" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || +( echo "!@#$%^&*()<>" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u "sp@c/al" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || fail $PID "Could not receive cookie from server" echo "Connecting to obtain cookie with empty password... " -( echo "" | $OPENCONNECT -q localhost:$PORT -u "empty" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || +( echo "" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u "empty" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || fail $PID "Could not receive cookie from server" #echo "Normal connection... " -#( echo "test" | $OPENCONNECT -q localhost:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true ) || +#( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true ) || # fail $PID "Could not connect to server" -kill $PID -wait +cleanup exit 0 diff --git a/tests/test-pass-cert b/tests/test-pass-cert index 37418fef..e06c8fed 100755 --- a/tests/test-pass-cert +++ b/tests/test-pass-cert 
@@ -20,39 +20,39 @@ SERV="${SERV:-../src/ocserv}" srcdir=${srcdir:-.} +NO_NEED_ROOT=1 PORT=4445 . `dirname $0`/common.sh echo "Testing local backend with username-password and certificate... " -launch_server -d 1 -f -c test-user-cert.config & PID=$! +launch_sr_server -d 1 -f -c test-user-cert.config & PID=$! wait_server $PID echo -n "Connecting to obtain cookie (without certificate)... " -( echo "test" | $OPENCONNECT -q localhost:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && +( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && fail $PID "Connected without certificate!" echo ok echo -n "Connecting to obtain cookie (with certificate)... " -( echo "test" | $OPENCONNECT -q localhost:$PORT --sslkey ./user-key.pem -c ./user-cert.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || +( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ./user-key.pem -c ./user-cert.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || fail $PID "Could not connect with certificate!" echo ok echo -n "Connecting to obtain cookie (with incorrect certificate)... " -( echo "test" | $OPENCONNECT -q localhost:$PORT --sslkey ./user-key.pem -c ./user-cert-wrong.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && +( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ./user-key.pem -c ./user-cert-wrong.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && fail $PID "Should not have connected with wrong certificate!" echo ok #echo "Normal connection... 
" -#( echo "test" | $OPENCONNECT -q localhost:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true ) || +#( echo "test" | $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true ) || # fail $PID "Could not connect to server" -kill $PID -wait +cleanup exit 0 diff --git a/tests/test-pass-group-cert b/tests/test-pass-group-cert index 1e74f8de..6ee20c06 100755 --- a/tests/test-pass-group-cert +++ b/tests/test-pass-group-cert 
@@ -20,53 +20,53 @@ SERV="${SERV:-../src/ocserv}" srcdir=${srcdir:-.} +NO_NEED_ROOT=1 PORT=6551 . `dirname $0`/common.sh echo "Testing local backend with username-password and certificate... " -launch_server -d 1 -f -c test-user-group-cert.config & PID=$! +launch_sr_server -d 1 -f -c test-user-group-cert.config & PID=$! wait_server $PID echo -n "Connecting to obtain cookie (without certificate)... " -( echo "test" | $OPENCONNECT --authgroup group1 -q localhost:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && +( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group1 -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && fail $PID "Connected without certificate!" echo ok echo -n "Connecting to obtain cookie - group1 (with certificate)... " -( echo "test" | $OPENCONNECT --authgroup group1 -q localhost:$PORT --sslkey ./user-group-key.pem -c ./user-group-cert.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || +( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group1 -q $ADDRESS:$PORT --sslkey ./user-group-key.pem -c ./user-group-cert.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || fail $PID "Could not connect with certificate!" echo ok echo -n "Connecting to obtain cookie - DEFAULT (with certificate)... " -( echo "test" | $OPENCONNECT --authgroup DEFAULT -q localhost:$PORT --sslkey ./user-group-key.pem -c ./user-group-cert.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || +( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup DEFAULT -q $ADDRESS:$PORT --sslkey ./user-group-key.pem -c ./user-group-cert.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || fail $PID "Could not connect with certificate!" 
echo ok echo -n "Connecting to obtain cookie - group2 (with certificate)... " -( echo "test" | $OPENCONNECT --authgroup group2 -q localhost:$PORT --sslkey ./user-group-key.pem -c ./user-group-cert.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || +( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group2 -q $ADDRESS:$PORT --sslkey ./user-group-key.pem -c ./user-group-cert.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || fail $PID "Could not connect with certificate!" echo ok echo -n "Connecting to obtain cookie - group3 (hidden) (with certificate)... " -( echo "test" | $OPENCONNECT --authgroup group3 -q localhost:$PORT --sslkey ./user-group-key.pem -c ./user-group-cert.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || +( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group3 -q $ADDRESS:$PORT --sslkey ./user-group-key.pem -c ./user-group-cert.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || fail $PID "Could not connect with certificate!" echo ok echo -n "Connecting to obtain cookie - group4 (with certificate)... " -( echo "test" | $OPENCONNECT --authgroup group4 -q localhost:$PORT --sslkey ./user-group-key.pem -c ./user-group-cert.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && +( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group4 -q $ADDRESS:$PORT --sslkey ./user-group-key.pem -c ./user-group-cert.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && fail $PID "Got cookie when it shouldn't!" echo ok -kill $PID -wait +cleanup exit 0 diff --git a/tests/test-pass-group-cert-no-pass b/tests/test-pass-group-cert-no-pass index d4b71dda..79815017 100755 --- a/tests/test-pass-group-cert-no-pass 
+++ b/tests/test-pass-group-cert-no-pass 
@@ -20,41 +20,41 @@ SERV="${SERV:-../src/ocserv}" srcdir=${srcdir:-.} +NO_NEED_ROOT=1 PORT=6555 . `dirname $0`/common.sh echo "Testing local backend with username-password and certificate... " -launch_server -d 1 -f -c test-user-group-cert-no-pass.config & PID=$! +launch_sr_server -d 1 -f -c test-user-group-cert-no-pass.config & PID=$! wait_server $PID echo -n "Connecting to obtain cookie (without certificate)... " -$OPENCONNECT --authgroup group1 -q localhost:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 && +LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group1 -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 && fail $PID "Connected without certificate!" echo ok echo -n "Connecting to obtain cookie - group1 (with certificate)... " -$OPENCONNECT --authgroup group1 -q localhost:$PORT --sslkey ./user-group-key.pem -c ./user-group-cert.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 || +LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group1 -q $ADDRESS:$PORT --sslkey ./user-group-key.pem -c ./user-group-cert.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 || fail $PID "Could not connect with certificate!" echo ok echo -n "Connecting to obtain cookie - group2 (with certificate)... " -$OPENCONNECT --authgroup group2 -q localhost:$PORT --sslkey ./user-group-key.pem -c ./user-group-cert.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 || +LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group2 -q $ADDRESS:$PORT --sslkey ./user-group-key.pem -c ./user-group-cert.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 || fail $PID "Could not connect with certificate!" echo ok echo -n "Connecting to obtain cookie - group3 (hidden) (with certificate)... 
" -$OPENCONNECT --authgroup group3 -q localhost:$PORT --sslkey ./user-group-key.pem -c ./user-group-cert.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 || +LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group3 -q $ADDRESS:$PORT --sslkey ./user-group-key.pem -c ./user-group-cert.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 || fail $PID "Could not connect with certificate!" echo ok -kill $PID -wait +cleanup exit 0 diff --git a/tests/test-sighup b/tests/test-sighup index d464ccdd..303f883d 100755 --- a/tests/test-sighup +++ b/tests/test-sighup @@ -20,6 +20,7 @@ SERV="${SERV:-../src/ocserv}" srcdir=${srcdir:-.} +NO_NEED_ROOT=1 PORT=4441 . `dirname $0`/common.sh 
@@ -27,42 +28,42 @@ PORT=4441 echo "Testing ocserv and SIGHUP behavior... " cp test-sighup.config test-sighup2.config -launch_simple_server -d 1 -f -c test-sighup2.config +launch_simple_sr_server -d 1 -f -c test-sighup2.config PID=$! wait_server $PID echo -n "Connecting to obtain cookie (with certificate)... " -( $OPENCONNECT -q localhost:$PORT --sslkey ./user-key.pem -c ./user-cert.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly /dev/null 2>&1 ) || +( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ./user-key.pem -c ./user-cert.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly /dev/null 2>&1 ) || fail $PID "Could not connect with certificate!" echo ok - +sleep 5 echo "Reloading server" kill -HUP $PID sleep 5 echo -n "Connecting to obtain cookie (with certificate)... " -( $OPENCONNECT -q localhost:$PORT --sslkey ./user-key.pem -c ./user-cert.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly /dev/null 2>&1 ) || +( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ./user-key.pem -c ./user-cert.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly /dev/null 2>&1 ) || fail $PID "Could not connect with certificate!" echo ok sed -i 's/^auth = "certificate"/#auth = "certificate"/g' test-sighup2.config sed -i 's/^#auth = "plain[.\/test1.passwd]"/auth = "plain[.\/test1.passwd]"/g' test-sighup2.config +sleep 10 echo "Reloading server" kill -HUP $PID sleep 5 echo -n "Connecting to obtain cookie (with certificate)... " -( $OPENCONNECT -q localhost:$PORT --sslkey ./user-key.pem -c ./user-cert.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly /dev/null 2>&1 ) || +( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ./user-key.pem -c ./user-cert.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly /dev/null 2>&1 ) || fail $PID "Could not connect with certificate!" 
echo ok rm -f test-sighup2.config -kill $PID -wait +cleanup exit 0 diff --git a/tests/test-sighup.config b/tests/test-sighup.config index d40def36..1789b617 100644 --- a/tests/test-sighup.config +++ b/tests/test-sighup.config @@ -122,14 +122,14 @@ cookie-validity = 172800 use-utmp = true # PID file -pid-file = /var/run/ocserv.pid +pid-file = ./ocserv.pid # The default server directory. Does not require any devices present. #chroot-dir = /path/to/chroot # socket file used for IPC, will be appended with .PID # It must be accessible within the chroot environment (if any) -socket-file = /var/run/ocserv-socket +socket-file = ./ocserv-socket # The user the worker processes will be run as. It should be # unique (no other services run as this user). diff --git a/tests/test-user-cert.config b/tests/test-user-cert.config index 6dcffe9f..1afe3522 100644 --- a/tests/test-user-cert.config +++ b/tests/test-user-cert.config @@ -122,14 +122,14 @@ cookie-validity = 172800 use-utmp = true # PID file -pid-file = /var/run/ocserv.pid +pid-file = ./ocserv.pid # The default server directory. Does not require any devices present. #chroot-dir = /path/to/chroot # socket file used for IPC, will be appended with .PID # It must be accessible within the chroot environment (if any) -socket-file = /var/run/ocserv-socket +socket-file = ./ocserv-socket # The user the worker processes will be run as. It should be # unique (no other services run as this user). diff --git a/tests/test-user-group-cert-no-pass.config b/tests/test-user-group-cert-no-pass.config index b93f510b..e4c0ce40 100644 --- a/tests/test-user-group-cert-no-pass.config +++ b/tests/test-user-group-cert-no-pass.config 
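Review bot: The two delays added before `kill -HUP $PID` (`sleep 5` after the first probe, `sleep 10` after the `sed -i` edits) carry no comment saying what they wait for, and a fixed delay makes this reload test depend on machine speed. The script edits the `auth` lines between reloads, so a run where the server is still busy when the signal arrives can pass or fail for reasons unrelated to the configuration. I would state the reason next to each delay, e.g. `sleep 5 # let the previous session be torn down before reloading` if that is the intent, and longer term poll for an observable condition instead of sleeping. Separately, `rm -f test-sighup2.config` is only reached on the success path; whether `fail` removes the copy cannot be seen from this hunk.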
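Review bot: `pid-file = ./ocserv.pid` is the same relative name in every test config touched here (this file, test-user-cert.config, test-user-group-cert-no-pass.config, test-user-group-cert.config, test1.config and test3.config), so two servers started from the same directory overwrite each other's PID file. The socket path is less exposed because, per the comment, `.PID` is appended to it. Both paths are now resolved against whatever directory the server is started in, so the IPC socket ends up in the build tree with that directory's permissions instead of in `/var/run`. That is reasonable for an unprivileged test run, but it deserves a line above the settings such as `# test-only: relative paths so the suite can run without root; do not copy into a production config`. A per-test name like `pid-file = ./ocserv-sighup.pid` would also keep the tests independent.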
@@ -129,14 +129,14 @@ cookie-validity = 172800 use-utmp = true # PID file -pid-file = /var/run/ocserv.pid +pid-file = ./ocserv.pid # The default server directory. Does not require any devices present. #chroot-dir = /path/to/chroot # socket file used for IPC, will be appended with .PID # It must be accessible within the chroot environment (if any) -socket-file = /var/run/ocserv-socket +socket-file = ./ocserv-socket # The user the worker processes will be run as. It should be # unique (no other services run as this user). diff --git a/tests/test-user-group-cert.config b/tests/test-user-group-cert.config index b1539e3f..19ef49be 100644 --- a/tests/test-user-group-cert.config +++ b/tests/test-user-group-cert.config @@ -129,14 +129,14 @@ cookie-validity = 172800 use-utmp = true # PID file -pid-file = /var/run/ocserv.pid +pid-file = ./ocserv.pid # The default server directory. Does not require any devices present. #chroot-dir = /path/to/chroot # socket file used for IPC, will be appended with .PID # It must be accessible within the chroot environment (if any) -socket-file = /var/run/ocserv-socket +socket-file = ./ocserv-socket # The user the worker processes will be run as. It should be # unique (no other services run as this user). diff --git a/tests/test1.config b/tests/test1.config index 1d0a4796..d59f68a9 100644 --- a/tests/test1.config +++ b/tests/test1.config @@ -122,14 +122,14 @@ cookie-validity = 172800 use-utmp = true # PID file -pid-file = /var/run/ocserv.pid +pid-file = ./ocserv.pid # The default server directory. Does not require any devices present. #chroot-dir = /path/to/chroot # socket file used for IPC, will be appended with .PID # It must be accessible within the chroot environment (if any) -socket-file = /var/run/ocserv-socket +socket-file = ./ocserv-socket # The user the worker processes will be run as. It should be # unique (no other services run as this user). diff --git a/tests/test3.config b/tests/test3.config index 8cd794bc..fdf50ab7 100644 
--- a/tests/test3.config +++ b/tests/test3.config @@ -122,14 +122,14 @@ cookie-validity = 172800 use-utmp = true # PID file -pid-file = /var/run/ocserv.pid +pid-file = ./ocserv.pid # The default server directory. Does not require any devices present. #chroot-dir = /path/to/chroot # socket file used for IPC, will be appended with .PID # It must be accessible within the chroot environment (if any) -socket-file = /var/run/ocserv-socket +socket-file = ./ocserv-socket # The user the worker processes will be run as. It should be # unique (no other services run as this user).