2026-02-10 08:46:58 +08:00 · 2019-06-03 21:10:23 +00:00
parent 33633560b4 15380220ac
commit 4a6120e211
31 changed files with 2310 additions and 1184 deletions
							
							
								
							
							
						
@@ -14,6 +14,7 @@ Build/Debian:
  stage: testing
  image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$DEBIAN_BUILD
  script:
  - chmod -R o-w tests/data/raddb
  - git submodule update --init && autoreconf -fvi &&
    ./configure --without-nuttcp-tests --without-docker-tests && make -j$(nproc) && make check -j$(nproc)
  tags:
							
								
							
							
								
							
							
						
@@ -68,6 +69,7 @@ Build/Fedora:
  script:
  # ensure gcov scripts are writable
  - umask 000
  - chmod -R o-w tests/data/raddb
  - git submodule update --init && autoreconf -fvi &&
    CFLAGS="-g -O0" ./configure --disable-maintainer-mode --without-docker-tests --with-werror --enable-code-coverage && make -j$(nproc) && make check -j$(nproc) COVERAGE=1
    && make files-update && make dist && make local-code-coverage-output
							
								
							
							
								
							
							
						
@@ -121,6 +123,7 @@ Build/minimal:
  stage: testing
  image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD
  script:
  - chmod o-w tests/data/raddb
  - git submodule update --init && autoreconf -fvi && CFLAGS="-fsanitize=address -g -O2" LDFLAGS="-static-libasan"
    ./configure --without-pam --without-docker-tests && make -j$(nproc) && make check -j$(nproc) VERBOSE=1
  tags:
							
							
							
								
							
						
@@ -138,6 +141,7 @@ ubsan/Fedora:
  stage: testing
  image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD
  script:
  - chmod -R o-w tests/data/raddb
  - git submodule update --init && autoreconf -fvi && CFLAGS="-fsanitize=undefined -fsanitize=bool -fsanitize=alignment -fsanitize=null -fsanitize=bounds-strict -fsanitize=enum -fno-sanitize-recover -g -O2"
    ./configure --without-docker-tests && make -j$(nproc) && make check -j$(nproc)
  tags:
							
								
							
							
							
						
 
							
							
								
							
							
						
@@ -55,6 +55,8 @@ libsocket-wrapper  / socket_wrapper
gss-ntlmssp        / gssntlmssp
haproxy            / haproxy
iputils-ping       / iputils
freeradius	   / freeradius
gawk		   / gawk
```
See [README-radius](doc/README-radius.md) for more information on Radius
							
								
							
							
							
						
 
							
							
								
							
							
						
@@ -232,6 +232,9 @@ static void parse_groupnames(struct radius_ctx_st *pctx, const char *full)
			syslog(LOG_DEBUG, "radius-auth: found group %s", p2);
			p2 = strsep(&p, ";");
			if (i == MAX_GROUPS)
				break;
		}
	} else {
		pctx->groupnames[0] = talloc_strdup(pctx, full);
							
								
							
							
							
						
 
							
							
								
							
							
						
@@ -1329,6 +1329,9 @@ int main(int argc, char** argv)
		}
	}
	/* create our process group */
	setpgid(0, 0);
	/* we don't need them */
	close(STDIN_FILENO);
	close(STDOUT_FILENO);
							
								
							
							
							
						
 
							
							
								
							
							
						
@@ -29,7 +29,11 @@ EXTRA_DIST = certs/ca-key.pem certs/ca.pem ns.sh common.sh certs/server-cert.pem
	data/haproxy-connect.cfg data/test-haproxy-connect.config scripts/vpnc-script \
	data/test-traffic.config data/test-compression-lzs.config data/test-compression-lz4.config \
	certs/crl.pem server-cert-rsa-pss data/test-gssapi-opt-cert.config data/test-ciphers.config \
	cipher-common.sh data/config-per-group.config data/group-config/tost
	cipher-common.sh data/config-per-group.config data/group-config/tost \
	data/raddb/access_reject data/raddb/accounting_response data/raddb/acct_users \
	data/raddb/clients.conf data/raddb/radiusd.conf data/raddb/users \
	data/radiusclient/dictionary data/radiusclient/radiusclient.conf \
	data/radiusclient/servers data/radius.config data/radius-group.config
SUBDIRS = docker-ocserv docker-kerberos
							
							
							
								
							
						
@@ -44,23 +48,23 @@ endif
if ENABLE_ROOT_TESTS
if ENABLE_DOCKER_TESTS
#docker tests
dist_check_SCRIPTS += radius-test unix-test kerberos-test radius-test-config \
dist_check_SCRIPTS += unix-test kerberos-test \
	proxyproto-test proxyproto-v1-test proxyproto-unix-test \
	reload-info-test radius-group-test
	reload-info-test
endif
#other root requiring tests
dist_check_SCRIPTS += test-iroute test-multi-cookie test-pass-script \
	test-cookie-timeout test-cookie-timeout-2 test-explicit-ip \
	test-cookie-invalidation test-user-config test-append-routes test-ban \
	multiple-routes haproxy-connect
	multiple-routes haproxy-connect radius-group
#other tests requiring nuttcp for traffic
if ENABLE_NUTTCP_TESTS
dist_check_SCRIPTS += traffic lz4-compression lzs-compression \
	aes256-cipher aes128-cipher oc-aes256-gcm-cipher oc-aes128-gcm-cipher \
	test-config-per-group ac-aes128-gcm-cipher ac-aes256-gcm-cipher \
	no-dtls-cipher
	no-dtls-cipher radius radius-config
endif
endif
							
								
							
							
							
						
 
							
							
							
						
@@ -0,0 +1,20 @@
#
#	Configuration file for the rlm_attr_filter module.
#	Please see rlm_attr_filter(5) manpage for more information.
#
#	$Id: afd89473dc50e4ff62389e35e5cb73b512e9d352 $
#
#	This configuration file is used to remove almost all of the attributes
#	From an Access-Reject message.  The RFCs say that an Access-Reject
#	packet can contain only a few attributes.  We enforce that here.
#
DEFAULT
	EAP-Message =* ANY,
	State =* ANY,
	Message-Authenticator =* ANY,
	Error-Cause =* ANY,
	Reply-Message =* ANY,
	MS-CHAP-Error =* ANY,
	Proxy-State =* ANY,
	FreeRADIUS-Response-Delay =* ANY,
	FreeRADIUS-Response-Delay-USec =* ANY
							
							
							
						
@@ -0,0 +1,16 @@
#
#	Configuration file for the rlm_attr_filter module.
#	Please see rlm_attr_filter(5) manpage for more information.
#
#	$Id: 01e9c6f5bda7a138f45da5010c624d92b6d398a0 $
#
#	This configuration file is used to remove almost all of the attributes
#	From an Accounting-Response message.  The RFC's say that an
#	Accounting-Response packet can contain only a few attributes.
#	We enforce that here.
#
DEFAULT
	Vendor-Specific =* ANY,
	Message-Authenticator =* ANY,
	Error-Cause =* ANY,
	Proxy-State =* ANY
							
							
							
						
@@ -0,0 +1 @@
DEFAULT         Acct-Session-Time == "12000"
							
							
								
							
							
						
@@ -6,9 +6,8 @@
test	Cleartext-Password := "test"
	Service-Type = Framed-User,
	Framed-Protocol = PPP,
	Framed-Route = 192.168.100.5/24,
	Framed-IPv6-Prefix = "2000:0:0:106::/64",
	Framed-IP-Address = 192.168.55.190,
	Framed-Route = 192.168.100.0/24,
	Framed-IP-Address = 192.168.7.2,
	Framed-IP-Netmask = 255.255.255.0,
	Framed-Routing = Broadcast-Listen,
	Framed-MTU = 1500
							
								
							
							
								
							
							
						
@@ -95,9 +94,7 @@ test-arb	Cleartext-Password := "test-arb"
test-class	Cleartext-Password := "test-class"
	Service-Type = Framed-User,
	Framed-Protocol = PPP,
	Framed-Route = 192.168.100.0/24,
	Framed-Route = 192.168.1.0/8,
	Framed-IP-Address = 192.168.35.190,
	Framed-IP-Address = 192.168.93.190,
	Framed-IP-Netmask = 255.255.255.0,
	Framed-Routing = Broadcast-Listen,
	Class = "OU=group1;group2",
							
							
							
								
							
						
@@ -110,6 +107,6 @@ testtime	Cleartext-Password := "test"
	Framed-Route = 192.168.67.0/24,
	Framed-IP-Netmask = 255.255.255.0,
	Framed-MTU = 1500,
	Session-Timeout = 120,
	Acct-Interim-Interval = 60
	Session-Timeout = 60,
	Acct-Interim-Interval = 20
							
							
								
							
							
						
@@ -4,13 +4,20 @@
#auth = "certificate"
#auth = "plain[/etc/ocserv/passwd]"
#auth = "pam"
auth = "radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=ocserv1]"
enable-auth = "certificate"
auth = "radius[config=@SRCDIR@/data/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=ocserv1]"
#enable-auth = "certificate"
# Whether to enable support for the occtl tool (i.e., either through D-BUS,
# or via a unix socket).
occtl-socket-file = @OCCTL_SOCKET@
use-occtl = true
select-group = group1
select-group = group2
select-group = group3
isolate-workers = @ISOLATE_WORKERS@
# socket file used for IPC with occtl. You only need to set that,
# if you use more than a single servers.
#occtl-socket-file = /var/run/occtl.socket
							
							
							
								
							
						
@@ -22,16 +29,16 @@ use-occtl = true
# to generate password entries.
#auth = "plain[/etc/ocserv/ocpasswd]"
acct = "radius[config=/etc/radiusclient/radiusclient.conf]"
acct = "radius[config=@SRCDIR@/data/radiusclient/radiusclient.conf]"
# A banner to be displayed on clients
#banner = "Welcome"
stats-report-time = 60
stats-report-time = 30
# Use listen-host to limit to specific IPs or to the IPs of a provided 
# hostname.
#listen-host = [IP|HOSTNAME]
#listen-host = @ADDRESS@
# Limit the number of clients. Unset or set to zero for unlimited.
#max-clients = 1024
							
							
							
								
							
						
@@ -46,8 +53,8 @@ max-clients = 16
max-same-clients = 2
# TCP and UDP port number
tcp-port = 443
udp-port = 443
tcp-port = @PORT@
udp-port = @PORT@
# Keepalive in seconds
keepalive = 32400
							
							
							
								
							
						
@@ -71,8 +78,8 @@ try-mtu-discovery = false
#
# There may be multiple certificate and key pairs and each key
# should correspond to the preceding certificate.
server-cert = /etc/ocserv/cert.pem
server-key = /etc/ocserv/key.pem
server-cert = @SRCDIR@/certs/server-cert.pem
server-key = @SRCDIR@/certs/server-key.pem
# Diffie-Hellman parameters. Only needed if you require support
# for the DHE ciphersuites (by default this server supports ECDHE).
							
								
							
							
								
							
							
						
@@ -137,12 +144,6 @@ auth-timeout = 40
# a failed authentication attempt.
#min-reauth-time = 2
# Cookie validity time (in seconds)
# Once a client is authenticated he's provided a cookie with
# which he can reconnect. This option sets the maximum lifetime
# of that cookie.
cookie-validity = 86400
# ReKey time (in seconds)
# ocserv will ask the client to refresh keys periodically once
# this amount of seconds is elapsed. Set to zero to disable.
							
								
							
							
								
							
							
						
@@ -186,8 +187,8 @@ socket-file = /var/run/ocserv-socket
# The user the worker processes will be run as. It should be
# unique (no other services run as this user).
run-as-user = nobody
run-as-group = daemon
run-as-user = @USERNAME@
run-as-group = @GROUP@
# Set the protocol-defined priority (SO_PRIORITY) for packets to
# be sent. That is a number from 0 to 6 with 0 being the lowest
							
							
							
								
							
						
@@ -211,8 +212,8 @@ device = vpns
default-domain = example.com
# The pool of addresses that leases will be given from.
ipv4-network = 192.168.55.0
ipv4-netmask = 255.255.255.0
ipv4-network = @VPNNET@
ipv6-network = @VPNNET6@
# The advertized DNS server. Use multiple lines for
# multiple servers.
							
							
							
								
							
						
@@ -222,10 +223,6 @@ ipv4-netmask = 255.255.255.0
# The NBNS server (if any)
#nbns = 192.168.1.3
# The IPv6 subnet that leases will be given from.
ipv6-network = fc13:71:ea31:4b4e::
ipv6-prefix = 64
# The domains over which the provided DNS should be used. Use
# multiple lines for multiple domains.
#split-dns = example.com
							
							
								
							
							
						
@@ -4,13 +4,16 @@
#auth = "certificate"
#auth = "plain[/etc/ocserv/passwd]"
#auth = "pam"
auth = "radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=ocserv1]"
enable-auth = "certificate"
auth = "radius[config=@SRCDIR@/data/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=ocserv1]"
#enable-auth = "certificate"
# Whether to enable support for the occtl tool (i.e., either through D-BUS,
# or via a unix socket).
occtl-socket-file = @OCCTL_SOCKET@
use-occtl = true
isolate-workers = @ISOLATE_WORKERS@
# socket file used for IPC with occtl. You only need to set that,
# if you use more than a single servers.
#occtl-socket-file = /var/run/occtl.socket
							
							
							
								
							
						
@@ -22,20 +25,16 @@ use-occtl = true
# to generate password entries.
#auth = "plain[/etc/ocserv/ocpasswd]"
acct = "radius[config=/etc/radiusclient/radiusclient.conf]"
acct = "radius[config=@SRCDIR@/data/radiusclient/radiusclient.conf]"
# A banner to be displayed on clients
#banner = "Welcome"
stats-report-time = 60
select-group = group1
select-group = group2
select-group = group3
stats-report-time = 30
# Use listen-host to limit to specific IPs or to the IPs of a provided 
# hostname.
#listen-host = [IP|HOSTNAME]
#listen-host = @ADDRESS@
# Limit the number of clients. Unset or set to zero for unlimited.
#max-clients = 1024
							
							
							
								
							
						
@@ -50,8 +49,8 @@ max-clients = 16
max-same-clients = 2
# TCP and UDP port number
tcp-port = 10522
udp-port = 10522
tcp-port = @PORT@
udp-port = @PORT@
# Keepalive in seconds
keepalive = 32400
							
							
							
								
							
						
@@ -75,8 +74,8 @@ try-mtu-discovery = false
#
# There may be multiple certificate and key pairs and each key
# should correspond to the preceding certificate.
server-cert = /etc/ocserv/cert.pem
server-key = /etc/ocserv/key.pem
server-cert = @SRCDIR@/certs/server-cert.pem
server-key = @SRCDIR@/certs/server-key.pem
# Diffie-Hellman parameters. Only needed if you require support
# for the DHE ciphersuites (by default this server supports ECDHE).
							
								
							
							
								
							
							
						
@@ -141,12 +140,6 @@ auth-timeout = 40
# a failed authentication attempt.
#min-reauth-time = 2
# Cookie validity time (in seconds)
# Once a client is authenticated he's provided a cookie with
# which he can reconnect. This option sets the maximum lifetime
# of that cookie.
cookie-validity = 86400
# ReKey time (in seconds)
# ocserv will ask the client to refresh keys periodically once
# this amount of seconds is elapsed. Set to zero to disable.
							
								
							
							
								
							
							
						
@@ -190,8 +183,8 @@ socket-file = /var/run/ocserv-socket
# The user the worker processes will be run as. It should be
# unique (no other services run as this user).
run-as-user = nobody
run-as-group = daemon
run-as-user = @USERNAME@
run-as-group = @GROUP@
# Set the protocol-defined priority (SO_PRIORITY) for packets to
# be sent. That is a number from 0 to 6 with 0 being the lowest
							
							
							
								
							
						
@@ -215,8 +208,8 @@ device = vpns
default-domain = example.com
# The pool of addresses that leases will be given from.
ipv4-network = 192.168.35.0
ipv4-netmask = 255.255.255.0
ipv4-network = @VPNNET@
ipv6-network = @VPNNET6@
# The advertized DNS server. Use multiple lines for
# multiple servers.
							
							
							
								
							
						
@@ -226,10 +219,6 @@ ipv4-netmask = 255.255.255.0
# The NBNS server (if any)
#nbns = 192.168.1.3
# The IPv6 subnet that leases will be given from.
ipv6-network = fc13:71:ea31:4b4e::
ipv6-prefix = 64
# The domains over which the provided DNS should be used. Use
# multiple lines for multiple domains.
#split-dns = example.com
							
							
								
							
							
						
@@ -14,16 +14,6 @@ login_tries	4
# if this time is exceeded the user is kicked out
login_timeout	60
# name of the nologin file which when it exists disables logins.
# it may be extended by the ttyname which will result in
# a terminal specific lock (e.g. /etc/nologin.ttyS2 will disable
# logins on /dev/ttyS2)
nologin /etc/nologin
# name of the issue file. it's only display when no username is passed
# on the radlogin command line
issue	/etc/radiusclient/issue
# RADIUS settings
# RADIUS server to use for authentication requests. this config
							
							
							
								
							
						
@@ -43,21 +33,18 @@ acctserver 	localhost
# file holding shared secrets used for the communication
# between the RADIUS client and server
servers		/etc/radiusclient/servers
servers		./data/radiusclient/servers
# dictionary of allowed attributes and values
# just like in the normal RADIUS distributions
dictionary 	/etc/radiusclient/dictionary
# program to call for a RADIUS authenticated login
login_radius	/usr/sbin/login.radius
dictionary 	./data/radiusclient/dictionary
# file which holds sequence number for communication with the
# RADIUS server
seqfile		/var/run/radius.seq
seqfile		./radius.seq.tmp
# file which specifies mapping between ttyname and NAS-Port attribute
mapfile		/etc/radiusclient/port-id-map
#mapfile		./data/radiusclient/port-id-map
# default authentication realm to append to all usernames if no
# realm was explicitly specified by the user
							
								
							
							
								
							
							
						
@@ -85,8 +72,3 @@ radius_deadtime	0
# local address from which radius packets have to be sent
bindaddr *
# LOCAL settings
# program to execute for local login
# it must support the -f flag for preauthenticated login
login_local	/bin/login
							
							
							
						
@@ -0,0 +1,4 @@
## Server Name or Client/Server pair		Key		
## ----------------				---------------
#
localhost/localhost				testing123
							
							
							
						
@@ -1,38 +0,0 @@
FROM debian:stretch
RUN apt-get update -y
RUN apt-get install -y libgnutls30 libprotobuf-c1 liboath0 libev4
RUN apt-get install -y libwrap0 libpam0g libseccomp2 libdbus-1-3 libreadline5 libnl-route-3-200
RUN apt-get install -y libhttp-parser2.1 libpcl1 libopts25
RUN apt-get install -y libsystemd0 valgrind nuttcp openssh-server bash
RUN apt-get install -y libtalloc2 liblz4-1 freeradius libradcli4
RUN apt-get install -y libkrb5-3 less
RUN sed 's/PermitRootLogin without-password/PermitRootLogin yes/g' -i /etc/ssh/sshd_config
RUN sed 's|/var/log/freeradius|/var/log/radius|g' -i /etc/freeradius/radiusd.conf
RUN echo 'root:root' |chpasswd
RUN useradd -m -d /home/admin -s /bin/bash admin
RUN echo 'admin:admin' |chpasswd
RUN mkdir /etc/ocserv
RUN mv /var/log/freeradius /var/log/radius
ADD ca.pem /etc/ocserv/
ADD key.pem /etc/ocserv/
ADD cert.pem /etc/ocserv/
ADD cert.pem /etc/ocserv/
ADD ocserv-radius.conf /etc/ocserv/ocserv.conf
ADD radiusclient-debian.conf /etc/radiusclient/radiusclient.conf
ADD radius-clients.conf /etc/freeradius/clients.conf
ADD radiusclient-servers /etc/radiusclient/servers
ADD ocserv /usr/sbin/
ADD ocpasswd /usr/bin/
ADD occtl /usr/bin/
ADD myscript /usr/bin/
ADD freeradius-users /etc/freeradius/users
# It's not possible to use mknod inside a container with the default LXC
# template, so we untar it from this archive.
ADD dev-tun.tgz /dev/
CMD nuttcp -S;/etc/init.d/ssh restart;/usr/sbin/freeradius -X -f >/tmp/freeradius.out 2>&1 & mkdir -p /tmp/disconnect/;usr/sbin/ocserv -d 1 -f;sleep 3600
							
							
							
						
@@ -1,39 +0,0 @@
FROM debian:stretch
RUN apt-get update
RUN apt-get install -y libgnutls30 liboath0 libprotobuf-c1 libev4
RUN apt-get install -y libwrap0 libpam0g libseccomp2 libdbus-1-3 libreadline5 libnl-route-3-200
RUN apt-get install -y libhttp-parser2.1 libpcl1 libopts25
RUN apt-get install -y libsystemd0 valgrind nuttcp openssh-server bash
RUN apt-get install -y libtalloc2 liblz4-1 less
RUN apt-get install -y freeradius libradcli4
RUN sed 's/PermitRootLogin without-password/PermitRootLogin yes/g' -i /etc/ssh/sshd_config
RUN sed 's|/var/log/freeradius|/var/log/radius|g' -i /etc/freeradius/radiusd.conf
RUN echo 'root:root' |chpasswd
RUN useradd -m -d /home/admin -s /bin/bash admin
RUN echo 'admin:admin' |chpasswd
RUN mkdir /etc/ocserv
RUN mv /var/log/freeradius /var/log/radius
ADD ca.pem /etc/ocserv/
ADD key.pem /etc/ocserv/
ADD cert.pem /etc/ocserv/
ADD cert.pem /etc/ocserv/
ADD ocserv-radius-config.conf /etc/ocserv/ocserv.conf
ADD radiusclient-debian.conf /etc/radiusclient/radiusclient.conf
ADD radius-clients.conf /etc/freeradius/clients.conf
ADD radiusclient-servers /etc/radiusclient/servers
ADD ocserv /usr/sbin/
ADD ocpasswd /usr/bin/
ADD occtl /usr/bin/
ADD myscript /usr/bin/
ADD freeradius-users /etc/freeradius/users
ADD radius-dictionary /etc/radiusclient/dictionary
# It's not possible to use mknod inside a container with the default LXC
# template, so we untar it from this archive.
ADD dev-tun.tgz /dev/
CMD nuttcp -S;/etc/init.d/ssh restart;/usr/sbin/freeradius -X -f >/tmp/freeradius.out 2>&1 & mkdir -p /tmp/disconnect/;usr/sbin/ocserv -d 1 -f;sleep 3600
							
							
							
						
@@ -1,36 +0,0 @@
FROM fedora:25
RUN yum install -y gnutls gnutls-utils protobuf-c iproute pcllib http-parser tcp_wrappers pam systemd libseccomp
RUN yum install -y bash openssh-server nuttcp
RUN yum install -y libnl3 libtalloc libev
RUN yum install -y procps-ng lz4 radcli liboauth oathtool
RUN yum install -y freeradius krb5-libs less bash
RUN yum update -y
RUN systemctl enable sshd
RUN sed 's/PermitRootLogin without-password/PermitRootLogin yes/g' -i /etc/ssh/sshd_config
RUN echo 'root:root' |chpasswd
RUN useradd -m -d /home/admin -s /bin/bash admin
RUN echo 'admin:admin' |chpasswd
RUN mkdir /etc/ocserv
ADD key.pem /etc/ocserv/
ADD cert.pem /etc/ocserv/
ADD ca.pem /etc/ocserv/
ADD ocserv-radius.conf /etc/ocserv/ocserv.conf
ADD radiusclient.conf /etc/radiusclient/
ADD radius-clients.conf /etc/raddb/clients.conf
ADD radiusclient-servers /etc/radiusclient/servers
ADD ocserv /usr/sbin/
ADD ocpasswd /usr/bin/
ADD occtl /usr/bin/
ADD myscript /usr/bin/
ADD freeradius-users /etc/raddb/users
ADD radius-dictionary /etc/radiusclient/dictionary
# It's not possible to use mknod inside a container with the default LXC
# template, so we untar it from this archive.
ADD dev-tun.tgz /dev/
CMD nuttcp -S;radiusd;sshd-keygen;/usr/sbin/sshd;mkdir -p /tmp/disconnect/;usr/sbin/ocserv -d 1 -f;sleep 3600
							
							
							
						
@@ -1,38 +0,0 @@
FROM fedora:25
RUN yum install -y gnutls gnutls-utils protobuf-c iproute pcllib http-parser tcp_wrappers pam systemd libseccomp
RUN yum install -y bash openssh-server nuttcp
RUN yum install -y libnl3 libtalloc libev
RUN yum install -y lz4 radcli liboauth oathtool procps-ng
RUN yum install -y freeradius-client
RUN yum install -y freeradius
RUN yum install -y krb5-libs less
RUN yum update -y
RUN systemctl enable sshd
RUN sed 's/PermitRootLogin without-password/PermitRootLogin yes/g' -i /etc/ssh/sshd_config
RUN echo 'root:root' |chpasswd
RUN useradd -m -d /home/admin -s /bin/bash admin
RUN echo 'admin:admin' |chpasswd
RUN mkdir /etc/ocserv
ADD key.pem /etc/ocserv/
ADD cert.pem /etc/ocserv/
ADD ca.pem /etc/ocserv/
ADD ocserv-radius-config.conf /etc/ocserv/ocserv.conf
ADD radiusclient.conf /etc/radiusclient/
ADD radius-clients.conf /etc/raddb/clients.conf
ADD radiusclient-servers /etc/radiusclient/servers
ADD ocserv /usr/sbin/
ADD ocpasswd /usr/bin/
ADD occtl /usr/bin/
ADD myscript /usr/bin/
ADD freeradius-users /etc/raddb/users
ADD radius-dictionary /etc/radiusclient/dictionary
# It's not possible to use mknod inside a container with the default LXC
# template, so we untar it from this archive.
ADD dev-tun.tgz /dev/
CMD nuttcp -S;radiusd;sshd-keygen;/usr/sbin/sshd;mkdir -p /tmp/disconnect/;usr/sbin/ocserv -d 1 -f;sleep 3600
							
							
							
						
@@ -1,38 +0,0 @@
FROM fedora:25
RUN yum install -y gnutls gnutls-utils protobuf-c iproute pcllib http-parser tcp_wrappers pam systemd libseccomp
RUN yum install -y bash openssh-server nuttcp
RUN yum install -y libnl3 libtalloc libev
RUN yum install -y procps-ng lz4 radcli liboauth oathtool
RUN yum install -y freeradius-client
RUN yum install -y freeradius
RUN yum install -y krb5-libs less
RUN yum update -y
RUN systemctl enable sshd
RUN sed 's/PermitRootLogin without-password/PermitRootLogin yes/g' -i /etc/ssh/sshd_config
RUN echo 'root:root' |chpasswd
RUN useradd -m -d /home/admin -s /bin/bash admin
RUN echo 'admin:admin' |chpasswd
RUN mkdir /etc/ocserv
ADD key.pem /etc/ocserv/
ADD cert.pem /etc/ocserv/
ADD ca.pem /etc/ocserv/
ADD ocserv-radius-group.conf /etc/ocserv/ocserv.conf
ADD radiusclient.conf /etc/radiusclient/
ADD radius-clients.conf /etc/raddb/clients.conf
ADD radiusclient-servers /etc/radiusclient/servers
ADD ocserv /usr/sbin/
ADD ocpasswd /usr/bin/
ADD occtl /usr/bin/
ADD myscript /usr/bin/
ADD freeradius-users /etc/raddb/users
ADD radius-dictionary /etc/radiusclient/dictionary
# It's not possible to use mknod inside a container with the default LXC
# template, so we untar it from this archive.
ADD dev-tun.tgz /dev/
CMD nuttcp -S;radiusd;sshd-keygen;/usr/sbin/sshd;mkdir -p /tmp/disconnect/;usr/sbin/ocserv -d 1 -f;sleep 3600
							
							
							
						
@@ -1,15 +1,10 @@
EXTRA_DIST = passwd ocserv.conf Dockerfile-debian-tcp dev-tun.tgz myscript key.pem cert.pem \
	Dockerfile-debian-unix ocserv-unix.conf haproxy.cfg combo.pem Dockerfile-fedora-unix \
	Dockerfile-fedora-tcp freeradius-users Dockerfile-debian-radius Dockerfile-fedora-radius \
	freeradius-users ocserv-radius.conf radiusclient.conf radius-clients.conf \
	radiusclient-servers ca.pem ocserv-radius-config.conf \
	Dockerfile-fedora-radius-config radius-dictionary Dockerfile-debian-radius-config \
	ocserv-proxyproto.conf Dockerfile-fedora-proxyproto haproxy-proxyproto.cfg \
	Dockerfile-fedora-tcp ca.pem ocserv-proxyproto.conf Dockerfile-fedora-proxyproto haproxy-proxyproto.cfg \
	haproxy-proxyproto-unix.cfg Dockerfile-fedora-proxyproto-unix ocserv-proxyproto-unix.conf \
	proxy-connectscript \
	Dockerfile-fedora-reload \
	ocserv-reload.conf radiusclient-debian.conf \
	ocserv-radius-group.conf Dockerfile-fedora-radius-group
	ocserv-reload.conf
TESTS_ENVIRONMENT = srcdir="$(srcdir)" \
	top_builddir="$(top_builddir)"
							
							
							
						
 
							
							
							
						
@@ -1,308 +0,0 @@
# User authentication method. Could be set multiple times and in that case
# all should succeed.
# Options: certificate, pam. 
#auth = "certificate"
#auth = "plain[/etc/ocserv/passwd]"
#auth = "pam"
auth = "radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=ocserv1]"
enable-auth = "certificate"
# Whether to enable support for the occtl tool (i.e., either through D-BUS,
# or via a unix socket).
use-occtl = true
# socket file used for IPC with occtl. You only need to set that,
# if you use more than a single servers.
#occtl-socket-file = /var/run/occtl.socket
# The plain option requires specifying a password file which contains
# entries of the following format.
# "username:groupname:encoded-password"
# One entry must be listed per line, and 'ocpasswd' can be used
# to generate password entries.
#auth = "plain[/etc/ocserv/ocpasswd]"
acct = "radius[config=/etc/radiusclient/radiusclient.conf]"
# A banner to be displayed on clients
#banner = "Welcome"
stats-report-time = 3600
session-timeout = 4000
# Use listen-host to limit to specific IPs or to the IPs of a provided 
# hostname.
#listen-host = [IP|HOSTNAME]
# Limit the number of clients. Unset or set to zero for unlimited.
#max-clients = 1024
max-clients = 16
# Limit the number of client connections to one every X milliseconds 
# (X is the provided value). Set to zero for no limit.
#rate-limit-ms = 100
# Limit the number of identical clients (i.e., users connecting 
# multiple times). Unset or set to zero for unlimited.
max-same-clients = 2
# TCP and UDP port number
tcp-port = 443
udp-port = 443
# Keepalive in seconds
keepalive = 32400
# Dead peer detection in seconds.
dpd = 240
# Dead peer detection for mobile clients. The needs to
# be much higher to prevent such clients being awaken too 
# often by the DPD messages, and save battery.
# (clients that send the X-AnyConnect-Identifier-DeviceType)
mobile-dpd = 1800
# MTU discovery (DPD must be enabled)
try-mtu-discovery = false
# The key and the certificates of the server
# The key may be a file, or any URL supported by GnuTLS (e.g., 
# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
# or pkcs11:object=my-vpn-key;object-type=private)
#
# There may be multiple certificate and key pairs and each key
# should correspond to the preceding certificate.
server-cert = /etc/ocserv/cert.pem
server-key = /etc/ocserv/key.pem
# Diffie-Hellman parameters. Only needed if you require support
# for the DHE ciphersuites (by default this server supports ECDHE).
# Can be generated using:
# certtool --generate-dh-params --outfile /path/to/dh.pem
#dh-params = /path/to/dh.pem
# If you have a certificate from a CA that provides an OCSP
# service you may provide a fresh OCSP status response within
# the TLS handshake. That will prevent the client from connecting
# independently on the OCSP server.
# You can update this response periodically using:
# ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response
# Make sure that you replace the following file in an atomic way.
#ocsp-response = /path/to/ocsp.der
# In case PKCS #11 or TPM keys are used the PINs should be available
# in files. The srk-pin-file is applicable to TPM keys only, and is the 
# storage root key.
#pin-file = /path/to/pin.txt
#srk-pin-file = /path/to/srkpin.txt
# The Certificate Authority that will be used to verify
# client certificates (public keys) if certificate authentication
# is set.
ca-cert = /etc/ocserv/ca.pem
# The object identifier that will be used to read the user ID in the client 
# certificate. The object identifier should be part of the certificate's DN
# Useful OIDs are: 
#  CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1
cert-user-oid = 0.9.2342.19200300.100.1.1
# The object identifier that will be used to read the user group in the 
# client  certificate. The object identifier should be part of the certificate's
# DN. Useful OIDs are: 
#  OU (organizational unit) = 2.5.4.11 
cert-group-oid = 2.5.4.11
# The revocation list of the certificates issued by the 'ca-cert' above.
#crl = /path/to/crl.pem
# GnuTLS priority string
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT"
# To enforce perfect forward secrecy (PFS) on the main channel.
#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA"
# The time (in seconds) that a client is allowed to stay connected prior
# to authentication
auth-timeout = 40
# The time (in seconds) that a client is allowed to stay idle (no traffic)
# before being disconnected. Unset to disable.
#idle-timeout = 1200
# The time (in seconds) that a mobile client is allowed to stay idle (no
# traffic) before being disconnected. Unset to disable.
#mobile-idle-timeout = 2400
# The time (in seconds) that a client is not allowed to reconnect after 
# a failed authentication attempt.
#min-reauth-time = 2
# Cookie validity time (in seconds)
# Once a client is authenticated he's provided a cookie with
# which he can reconnect. This option sets the maximum lifetime
# of that cookie.
cookie-validity = 86400
# ReKey time (in seconds)
# ocserv will ask the client to refresh keys periodically once
# this amount of seconds is elapsed. Set to zero to disable.
rekey-time = 172800
# ReKey method
# Valid options: ssl, new-tunnel
#  ssl: Will perform an efficient rehandshake on the channel allowing
#       a seamless connection during rekey.
#  new-tunnel: Will instruct the client to discard and re-establish the channel.
#       Use this option only if the connecting clients have issues with the ssl
#       option.
rekey-method = ssl
# Script to call when a client connects and obtains an IP
# Parameters are passed on the environment.
# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client), 
# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
# in the P-t-P connection), IP_REMOTE (the VPN IP of the client),
# ID (a unique numeric ID); REASON may be "connect" or "disconnect".
#connect-script = /usr/bin/myscript
disconnect-script = /usr/bin/myscript
# UTMP
use-utmp = true
# D-BUS usage. If disabled occtl tool cannot be used. If enabled
# then ocserv must have access to register org.infradead.ocserv
# D-BUS service. See doc/dbus/org.infradead.ocserv.conf
use-dbus = false
# PID file. It can be overridden in the command line.
pid-file = /var/run/ocserv.pid
# The default server directory. Does not require any devices present.
#chroot-dir = /path/to/chroot
# socket file used for IPC, will be appended with .PID
# It must be accessible within the chroot environment (if any)
socket-file = /var/run/ocserv-socket
# The user the worker processes will be run as. It should be
# unique (no other services run as this user).
run-as-user = nobody
run-as-group = daemon
# Set the protocol-defined priority (SO_PRIORITY) for packets to
# be sent. That is a number from 0 to 6 with 0 being the lowest
# priority. Alternatively this can be used to set the IP Type-
# Of-Service, by setting it to a hexadecimal number (e.g., 0x20).
# This can be set per user/group or globally.
#net-priority = 3
# Set the VPN worker process into a specific cgroup. This is Linux
# specific and can be set per user/group or globally.
#cgroup = "cpuset,cpu:test"
#
# Network settings
#
# The name of the tun device
device = vpns
# The default domain to be advertised
default-domain = example.com
# The pool of addresses that leases will be given from.
ipv4-network = 192.168.66.0
ipv4-netmask = 255.255.255.0
# The advertized DNS server. Use multiple lines for
# multiple servers.
# dns = fc00::4be0
#dns = 192.168.1.2
# The NBNS server (if any)
#nbns = 192.168.1.3
# The IPv6 subnet that leases will be given from.
ipv6-network = fd91:6d87:7341:dd6b::
ipv6-prefix = 64
# The domains over which the provided DNS should be used. Use
# multiple lines for multiple domains.
#split-dns = example.com
# Prior to leasing any IP from the pool ping it to verify that
# it is not in use by another (unrelated to this server) host.
ping-leases = false
# Unset to assign the default MTU of the device
# mtu = 
# Unset to enable bandwidth restrictions (in bytes/sec). The
# setting here is global, but can also be set per user or per group.
#rx-data-per-sec = 40000
#tx-data-per-sec = 40000
# The number of packets (of MTU size) that are available in
# the output buffer. The default is low to improve latency.
# Setting it higher will improve throughput.
#output-buffer = 10
# Routes to be forwarded to the client. If you need the
# client to forward routes to the server, you may use the 
# config-per-user/group or even connect and disconnect scripts.
#
# To set the server as the default gateway for the client just
# comment out all routes from the server.
route = 10.154.92.0/24
#route = 192.168.5.0/255.255.255.0
route = fd91:6d87:7341:dd6b::/64
# Configuration files that will be applied per user connection or
# per group. Each file name on these directories must match the username
# or the groupname.
# The options allowed in the configuration files are dns, nbns,
#  ipv?-network, ipv4-netmask, ipv6-prefix, rx/tx-per-sec, iroute, route,
#  net-priority and cgroup.
#
# Note that the 'iroute' option allows one to add routes on the server
# based on a user or group. The syntax depends on the input accepted
# by the commands route-add-cmd and route-del-cmd (see below).
#config-per-user = /etc/ocserv/config-per-user/
#config-per-group = /etc/ocserv/config-per-group/
# The system command to use to setup a route. %R will be replaced with the
# route/mask and %D with the (tun) device.
#
# The following example is from linux systems. %R should be something
# like 192.168.2.0/24
#route-add-cmd = "ip route add %R dev %D"
#route-del-cmd = "ip route delete %R dev %D"
#
# The following options are for (experimental) AnyConnect client 
# compatibility. 
# Client profile xml. A sample file exists in doc/profile.xml.
# This file must be accessible from inside the worker's chroot. 
# It is not used by the openconnect client.
#user-profile = profile.xml
# Binary files that may be downloaded by the CISCO client. Must
# be within any chroot environment.
#binary-files = /path/to/binaries
# Unless set to false it is required for clients to present their
# certificate even if they are authenticating via a previously granted
# cookie and complete their authentication in the same TCP connection.
# Legacy CISCO clients do not do that, and thus this option should be 
# set for them.
#cisco-client-compat = false
#Advanced options
# Option to allow sending arbitrary custom headers to the client after
# authentication and prior to VPN tunnel establishment.
#custom-header = "X-My-Header: hi there"
							
							
							
						
@@ -1,92 +0,0 @@
# General settings
# specify which authentication comes first respectively which
# authentication is used. possible values are: "radius" and "local".
# if you specify "radius,local" then the RADIUS server is asked
# first then the local one. if only one keyword is specified only
# this server is asked.
auth_order	radius,local
# maximum login tries a user has
login_tries	4
# timeout for all login tries
# if this time is exceeded the user is kicked out
login_timeout	60
# name of the nologin file which when it exists disables logins.
# it may be extended by the ttyname which will result in
# a terminal specific lock (e.g. /etc/nologin.ttyS2 will disable
# logins on /dev/ttyS2)
nologin /etc/nologin
# name of the issue file. it's only display when no username is passed
# on the radlogin command line
issue	/etc/radiusclient/issue
# RADIUS settings
# RADIUS server to use for authentication requests. this config
# item can appear more then one time. if multiple servers are
# defined they are tried in a round robin fashion if one
# server is not answering.
# optionally you can specify a the port number on which is remote
# RADIUS listens separated by a colon from the hostname. if
# no port is specified /etc/services is consulted of the radius
# service. if this fails also a compiled in default is used.
authserver 	127.0.0.1
# RADIUS server to use for accouting requests. All that I
# said for authserver applies, too. 
#
acctserver 	127.0.0.1
# file holding shared secrets used for the communication
# between the RADIUS client and server
servers		/etc/radiusclient/servers
# dictionary of allowed attributes and values
# just like in the normal RADIUS distributions
dictionary 	/usr/share/radcli/dictionary
# program to call for a RADIUS authenticated login
login_radius	/usr/sbin/login.radius
# file which holds sequence number for communication with the
# RADIUS server
seqfile		/var/run/radius.seq
# file which specifies mapping between ttyname and NAS-Port attribute
mapfile		/etc/radiusclient/port-id-map
# default authentication realm to append to all usernames if no
# realm was explicitly specified by the user
# the radiusd directly form Livingston doesnt use any realms, so leave
# it blank then
default_realm
# time to wait for a reply from the RADIUS server
radius_timeout	10
# resend request this many times before trying the next server
radius_retries	3
# The length of time in seconds that we skip a nonresponsive RADIUS
# server for transaction requests.  Server(s) being in the "dead" state
# are tried only after all other non-dead servers have been tried and
# failed or timeouted.  The deadtime interval starts when the server
# does not respond to an authentication/accounting request transmissions. 
# When the interval expires, the "dead" server would be re-tried again,
# and if it's still down then it will be considered "dead" for another
# such interval and so on. This option is no-op if there is only one
# server in the list. Set to 0 in order to disable the feature.
radius_deadtime	0
# local address from which radius packets have to be sent
bindaddr *
# LOCAL settings
# program to execute for local login
# it must support the -f flag for preauthenticated login
login_local	/bin/login
							
							
							
						
@@ -1,10 +0,0 @@
## Server Name or Client/Server pair		Key		
## ----------------				---------------
#
#portmaster.elemental.net			hardlyasecret
#portmaster2.elemental.net			donttellanyone
#
## uncomment the following line for simple testing of radlogin
## with freeradius-server
#
localhost/localhost				testing123
							
							
							
						
@@ -0,0 +1,215 @@
#!/bin/bash
#
# Copyright (C) 2018 Nikos Mavrogiannopoulos
#
# This file is part of ocserv.
#
# ocserv is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at
# your option) any later version.
#
# ocserv is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
#
# This tests operation/traffic under compression (lzs or lz4).
OCCTL="${OCCTL:-../src/occtl/occtl}"
SERV="${SERV:-../src/ocserv}"
srcdir=${srcdir:-.}
PORT=4569
PIDFILE=ocserv-pid.$$.tmp
CLIPID=oc-pid.$$.tmp
PATH=${PATH}:/usr/sbin
IP=$(which ip)
OUTFILE=traffic.$$.tmp
RADIUSLOG=log.$$.tmp
RADIUSD=$(which radiusd)
if test -z "${RADIUSD}";then
	RADIUSD=$(which freeradius)
fi 
. `dirname $0`/common.sh
if test -z "${IP}";then
	echo "no IP tool is present"
	exit 77
fi
if test -z "${RADIUSD}";then
	echo "no radiusd is present"
	exit 77
fi
if test "$(id -u)" != "0";then
	echo "This test must be run as root"
	exit 77
fi
echo "Testing ocserv with radius (basic)... "
function finish {
  set +e
  echo " * Cleaning up..."
  test -n "${PID}" && kill ${PID} >/dev/null 2>&1
  test -n "${RADIUSPID}" && kill ${RADIUSPID} >/dev/null 2>&1
  test -n "${PIDFILE}" && rm -f ${PIDFILE} >/dev/null 2>&1
  test -n "${CLIPID}" && kill $(cat ${CLIPID}) >/dev/null 2>&1
  test -n "${CLIPID}" && rm -f ${CLIPID} >/dev/null 2>&1
  test -n "${CONFIG}" && rm -f ${CONFIG} >/dev/null 2>&1
  test -n "${RADIUSLOG}" && rm -f ${RADIUSLOG} >/dev/null 2>&1
  rm -f ${OUTFILE} 2>&1
}
trap finish EXIT
# server address
ADDRESS=10.203.2.1
CLI_ADDRESS=10.203.1.1
VPNNET=192.168.7.0/24
VPNADDR=192.168.7.1
VPNNET6=fd3e:4469:d98:ff54:e437:c9ee:52ac:0/112
VPNADDR6=fd3e:4469:d98:ff54:e437:c9ee:52ac:1
OCCTL_SOCKET=./occtl-radius-$$.socket
USERNAME=test
. `dirname $0`/ns.sh
${CMDNS2} ${IP} link set dev lo up
# Run servers
${CMDNS2} ${RADIUSD} -d ${srcdir}/data/raddb/ -s -x -l ${RADIUSLOG} &
RADIUSPID=$!
update_config radius.config
if test "$VERBOSE" = 1;then
DEBUG="-d 3"
fi
${CMDNS2} ${SERV} -p ${PIDFILE} -f -c ${CONFIG} ${DEBUG} & PID=$!
sleep 4
# Run clients
echo " * Testing wrong username at ${ADDRESS}:${PORT}..."
( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u xxx --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly )
if test $? = 0;then
	echo "Connected with incorrect username"
	exit 1
fi
echo " * Testing wrong password at ${ADDRESS}:${PORT}..."
( echo "xxx" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly )
if test $? = 0;then
	echo "Connected with incorrect password"
	exit 1
fi
echo " * Getting cookie from ${ADDRESS}:${PORT}..."
( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly )
if test $? != 0;then
	echo "Could not get cookie from server"
	exit 1
fi
echo " * Connecting to ${ADDRESS}:${PORT} with special IP..."
USERNAME=test-arb
( echo "${USERNAME}" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b )
if test $? != 0;then
	echo "Could not connect to server"
	exit 1
fi
sleep 3
${CMDNS1} ${IP} addr show|grep $(echo ${VPNADDR}|cut -d '.' -f 1-3)
if test $? != 0;then
	${CMDNS1} ${IP} addr show
	echo "Did not find expected special IP in VPN"
	exit 1
fi
${CMDNS1} ping -w 3 ${VPNADDR}
if test $? != 0;then
	echo "Could not ping server special IP"
	exit 1
fi
kill $(cat ${CLIPID})
rm -f ${CLIPID}
sleep 3
echo " * Connecting to ${ADDRESS}:${PORT}..."
USERNAME=test
( echo "${USERNAME}" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b )
if test $? != 0;then
	echo "Could not connect to server"
	exit 1
fi
set -e
${CMDNS2} nuttcp -1
echo " * ping remote address"
${CMDNS1} ping -c 3 ${VPNADDR}
# IPv6
${CMDNS1} ping -6 -c 3 ${VPNADDR6}
echo " * traffic"
${CMDNS1} nuttcp -T 6 -t ${VPNADDR}
set +e
${OCCTL} -s ${OCCTL_SOCKET} show users|grep ${USERNAME}
if test $? != 0;then
	echo "occtl didn't find connected user!"
	exit 1
fi
${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME} >${OUTFILE}
if test $? != 0;then
	${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME}
	echo "occtl didn't find connected user!"
	exit 1
fi
grep "Username: ${USERNAME}" ${OUTFILE}
if test $? != 0;then
	${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME}
	echo "occtl show user didn't find connected user!"
	exit 1
fi
grep ${CLI_ADDRESS} ${OUTFILE}
if test $? != 0;then
	${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME}
	echo "occtl show user didn't find client address!"
	exit 1
fi
echo "Waiting for accounting report"
sleep 35
test -n "${CLIPID}" && kill $(cat ${CLIPID}) >/dev/null 2>&1
test -n "${CLIPID}" && rm -f ${CLIPID}
CLIPID=""
OCTETS=$(cat ${RADIUSLOG}|grep Acct-Input-Octets|tail -1|sed 's/Acct-Input-Octets = //g')
if test -z "$OCTETS" || test "$OCTETS" = 0;then
	cat ${RADIUSLOG}
	echo "Interim update showed no data!"
	exit 1
fi
echo "Transferred ${OCTETS} bytes"
exit 0
							
							
							
						
@@ -0,0 +1,167 @@
#!/bin/bash
#
# Copyright (C) 2018 Nikos Mavrogiannopoulos
#
# This file is part of ocserv.
#
# ocserv is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at
# your option) any later version.
#
# ocserv is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
#
# This tests operation/traffic under compression (lzs or lz4).
OCCTL="${OCCTL:-../src/occtl/occtl}"
SERV="${SERV:-../src/ocserv}"
srcdir=${srcdir:-.}
PORT=4569
PIDFILE=ocserv-pid.$$.tmp
CLIPID=oc-pid.$$.tmp
PATH=${PATH}:/usr/sbin
IP=$(which ip)
OUTFILE=traffic.$$.tmp
RADIUSLOG=log.$$.tmp
RADIUSD=$(which radiusd)
if test -z "${RADIUSD}";then
	RADIUSD=$(which freeradius)
fi 
. `dirname $0`/common.sh
if test -z "${IP}";then
	echo "no IP tool is present"
	exit 77
fi
if test -z "${RADIUSD}";then
	echo "no radiusd is present"
	exit 77
fi
if test "$(id -u)" != "0";then
	echo "This test must be run as root"
	exit 77
fi
echo "Testing ocserv with radius (user config)... "
function finish {
  set +e
  echo " * Cleaning up..."
  test -n "${PID}" && kill ${PID} >/dev/null 2>&1
  test -n "${RADIUSPID}" && kill ${RADIUSPID} >/dev/null 2>&1
  test -n "${PIDFILE}" && rm -f ${PIDFILE} >/dev/null 2>&1
  test -n "${CLIPID}" && kill $(cat ${CLIPID}) >/dev/null 2>&1
  test -n "${CLIPID}" && rm -f ${CLIPID} >/dev/null 2>&1
  test -n "${CONFIG}" && rm -f ${CONFIG} >/dev/null 2>&1
  test -n "${RADIUSLOG}" && rm -f ${RADIUSLOG} >/dev/null 2>&1
  rm -f ${OUTFILE} 2>&1
}
trap finish EXIT
# server address
ADDRESS=10.102.246.1
CLI_ADDRESS=10.102.247.1
# These addresses must match the radius sent ranges
VPNNET=192.168.66.0/24
VPNADDR=192.168.66.1
CLIVPNADDR=192.168.66.192
VPNNET6=fd91:6d14:7241:dc6a::/112
VPNADDR6=fd91:6d14:7241:dc6a::1
OCCTL_SOCKET=./occtl-radius-$$.socket
. `dirname $0`/ns.sh
${CMDNS2} ${IP} link set dev lo up
# Run servers
${CMDNS2} ${RADIUSD} -d ${srcdir}/data/raddb/ -s -x -l ${RADIUSLOG} &
RADIUSPID=$!
update_config radius.config
if test "$VERBOSE" = 1;then
DEBUG="-d 3"
fi
${CMDNS2} ${SERV} -p ${PIDFILE} -f -c ${CONFIG} ${DEBUG} & PID=$!
sleep 4
echo " * Connecting to ${ADDRESS}:${PORT}..."
USERNAME=testtime
( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b )
if test $? != 0;then
	echo "Could not connect to server"
	exit 1
fi
sleep 3
# check whether the interface has the expected address
${CMDNS1} ${IP} addr show|grep ${CLIVPNADDR}
if test $? != 0;then
	${CMDNS1} ${IP} addr show
	echo "Did not find expected IP in device"
	exit 1
fi
${CMDNS1} ping -w 5 ${VPNADDR}
if test $? != 0;then
	echo "Could not ping server IP"
	exit 1
fi
${CMDNS2} ping -w 3 ${CLIVPNADDR}
if test $? != 0;then
	echo "Could not ping client IP"
	exit 1
fi
#check whether the routes have been applied
MATCH='192.168.67.0/255.255.255.0'
${OCCTL} -s ${OCCTL_SOCKET} show user $USERNAME >${OUTFILE} 2>&1
grep "$MATCH" ${OUTFILE}
if test $? != 0;then
	echo "could not find user information"
	exit 1
fi
echo "Waiting for accounting report"
sleep 28
OCTETS=$(cat ${RADIUSLOG}|grep Acct-Input-Octets|tail -1|sed 's/Acct-Input-Octets = //g')
if test -z "$OCTETS" || test "$OCTETS" = 0;then
	cat ${RADIUSLOG}|grep Acct-Input-Octets
	echo "Interim update showed no data!"
	exit 1
fi
echo "Transferred ${OCTETS} bytes"
echo "Waiting for disconnection report"
sleep 50
DISC=$(cat ${RADIUSLOG}|grep "Acct-Status-Type = Start"|tail -1)
if test -z "$DISC";then
	echo "No connect status was detected!"
	exit 1
fi
DISC=$(cat ${RADIUSLOG}|grep "Acct-Terminate-Cause = Session-Timeout"|tail -1)
if test -z "$DISC";then
	echo "No disconnect was detected!"
	exit 1
fi
exit 0
							
							
							
						
@@ -0,0 +1,164 @@
#!/bin/bash
#
# Copyright (C) 2018 Nikos Mavrogiannopoulos
#
# This file is part of ocserv.
#
# ocserv is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at
# your option) any later version.
#
# ocserv is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
#
# This tests operation/traffic under compression (lzs or lz4).
OCCTL="${OCCTL:-../src/occtl/occtl}"
SERV="${SERV:-../src/ocserv}"
srcdir=${srcdir:-.}
PORT=4569
PIDFILE=ocserv-pid.$$.tmp
CLIPID=oc-pid.$$.tmp
PATH=${PATH}:/usr/sbin
IP=$(which ip)
OUTFILE=traffic.$$.tmp
RADIUSLOG=log.$$.tmp
RADIUSD=$(which radiusd)
if test -z "${RADIUSD}";then
	RADIUSD=$(which freeradius)
fi 
. `dirname $0`/common.sh
if test -z "${IP}";then
	echo "no IP tool is present"
	exit 77
fi
if test -z "${RADIUSD}";then
	echo "no radiusd is present"
	exit 77
fi
if test "$(id -u)" != "0";then
	echo "This test must be run as root"
	exit 77
fi
echo "Testing ocserv and radius... "
function finish {
  set +e
  echo " * Cleaning up..."
  test -n "${PID}" && kill ${PID} >/dev/null 2>&1
  test -n "${RADIUSPID}" && kill ${RADIUSPID} >/dev/null 2>&1
  test -n "${PIDFILE}" && rm -f ${PIDFILE} >/dev/null 2>&1
  test -f "${CLIPID}" && kill $(cat ${CLIPID}) >/dev/null 2>&1
  test -n "${CLIPID}" && rm -f ${CLIPID} >/dev/null 2>&1
  test -n "${CONFIG}" && rm -f ${CONFIG} >/dev/null 2>&1
  test -n "${RADIUSLOG}" && rm -f ${RADIUSLOG} >/dev/null 2>&1
  rm -f ${OUTFILE} 2>&1
}
trap finish EXIT
# server address
ADDRESS=10.173.78.1
CLI_ADDRESS=10.173.79.1
# These must match the data/raddb/users:test-class user
VPNNET=192.168.93.0/24
VPNADDR=192.168.93.1
VPNNET6=fc7d:b139:f7ba:5f53:c634:e98e:b777:0/112
VPNADDR6=fc7d:b139:f7ba:5f53:c634:e98e:b777:1
OCCTL_SOCKET=./occtl-radius-group-$$.socket
. `dirname $0`/ns.sh
${CMDNS2} ${IP} link set dev lo up
# Run servers
${CMDNS2} ${RADIUSD} -d ${srcdir}/data/raddb/ -s -x -l ${RADIUSLOG} &
RADIUSPID=$!
update_config radius-group.config
if test "$VERBOSE" = 1;then
DEBUG="-d 3"
fi
${CMDNS2} ${SERV} -p ${PIDFILE} -f -c ${CONFIG} ${DEBUG} & PID=$!
sleep 4
echo " * Tests the radius group functionality"
USERNAME=test-class
( echo "${USERNAME}" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} --authgroup group2 -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b )
if test $? != 0;then
	echo "Could not connect to server"
	exit 1
fi
sleep 3
${CMDNS1} ${IP} addr show|grep $(echo ${VPNADDR}|cut -d '.' -f 1-3)
if test $? != 0;then
	${CMDNS1} ${IP} addr show
	echo "Did not find expected IP in VPN"
	exit 1
fi
${CMDNS1} ping -w 3 ${VPNADDR}
if test $? != 0;then
	echo "Could not ping server VPN IP"
	exit 1
fi
MATCH="Groupname: group2"
${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME} >${OUTFILE} 2>&1
grep "${MATCH}" ${OUTFILE}
if test $? != 0;then
	${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME}
	echo "could not find group information"
	exit 1
fi
test -f "${CLIPID}" && kill $(cat ${CLIPID}) >/dev/null 2>&1
test -n "${CLIPID}" && rm -f ${CLIPID} >/dev/null 2>&1
sleep 4
echo " * Tests the alt radius group functionality"
USERNAME=test-class
( echo "${USERNAME}" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} --authgroup group1 -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b )
if test $? != 0;then
	echo "Could not connect to server"
	exit 1
fi
sleep 3
${CMDNS1} ${IP} addr show|grep $(echo ${VPNADDR}|cut -d '.' -f 1-3)
if test $? != 0;then
	${CMDNS1} ${IP} addr show
	echo "Did not find expected IP in VPN"
	exit 1
fi
MATCH="Groupname: group1"
${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME} >${OUTFILE} 2>&1
grep "${MATCH}" ${OUTFILE}
if test $? != 0;then
	${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME}
	echo "could not find group information"
	exit 1
fi
exit 0
							
							
							
						
@@ -1,92 +0,0 @@
#!/bin/sh
#
# Copyright (C) 2014-2016 Red Hat
# Copyright (C) 2016 Nikos Mavrogiannopoulos
#
# This file is part of ocserv.
#
# ocserv is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at
# your option) any later version.
#
# ocserv is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with ocserv; if not, write to the Free Software Foundation,
# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
srcdir=${srcdir:-.}
PORT_OCSERV=10522
#this test can only be run as root
id|grep root >/dev/null 2>&1
if [ $? != 0 ];then
	exit 77
fi
CONFIG="radius-group"
IMAGE=ocserv-radius-group-test
IMAGE_NAME=test_ocserv_radius_group
TMP=$IMAGE_NAME.tmp
. ./docker-common.sh
$DOCKER run -e OCCTL_PAGER=cat -P --privileged=true --tty=false -d --name $IMAGE_NAME $IMAGE
if test $? != 0;then
	echo "Cannot run docker image"
	exit 1
fi
echo "ocserv image was run"
#wait for ocserv to server
sleep 5
get_ip
if test -z "$IP";then
	echo "Detected IP is null!"
	stop
fi
echo "Detected IP: $IP"
if test ! -z "$QUIT_ON_INIT";then
	exit 0
fi
echo "Trying with correct password"
$ECHO_E "test-class" >pass-radius$TMP
$OPENCONNECT $IP:$PORT_OCSERV -u test-class --authgroup group2 --passwd-on-stdin -v --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 < pass-radius$TMP &
PID=$!
#wait for openconnect
sleep 5
rm -f pass-radius$TMP
# The client IP depends on the username so it shouldn't change.
ping -w 5 192.168.35.1
if test $? != 0;then
	kill -INT $PID
	echo "Cannot ping ocserv"
	stop
fi
ping -w 5 192.168.35.1 -s 1500
if test $? != 0;then
	kill -INT $PID
	echo "Cannot ping ocserv"
	stop
fi
retrieve_user_info test-class group2
kill -INT $PID
$DOCKER stop $IMAGE_NAME
$DOCKER rm $IMAGE_NAME
rm -f out$TMP
exit $ret
							
							
							
						
@@ -1,270 +0,0 @@
#!/bin/sh
#
# Copyright (C) 2014 Red Hat
#
# This file is part of ocserv.
#
# ocserv is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at
# your option) any later version.
#
# ocserv is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with ocserv; if not, write to the Free Software Foundation,
# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
srcdir=${srcdir:-.}
PORT_OCSERV=443
#this test can only be run as root
id|grep root >/dev/null 2>&1
if [ $? != 0 ];then
	exit 77
fi
CONFIG="radius"
IMAGE=ocserv-radius-test
IMAGE_NAME=test_ocserv_radius
TMP=$IMAGE_NAME.tmp
TMPFILE=$IMAGE_NAME-tmp.tmp
. ./docker-common.sh
$DOCKER run -e OCCTL_PAGER=cat -P --privileged=true --tty=false -d --name $IMAGE_NAME $IMAGE
if test $? != 0;then
	echo "Cannot run docker image"
	exit 1
fi
echo "ocserv image was run"
#wait for ocserv to server
sleep 5
get_ip
if test -z "$IP";then
	echo "Detected IP is null!"
	stop
fi
echo "Detected IP: $IP"
if test ! -z "$QUIT_ON_INIT";then
	exit 0
fi
echo ""
$ECHO_E "testuser" >pass-radius$TMP
$OPENCONNECT $IP:$PORT_OCSERV -u test --passwd-on-stdin --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly < pass-radius$TMP
if test $? = 0;then
	echo "Authentication with wrong password succeeded!"
	stop
fi
echo ""
$ECHO_E "test" >pass-radius$TMP
$OPENCONNECT $IP:$PORT_OCSERV -u testuser --passwd-on-stdin --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly < pass-radius$TMP
if test $? = 0;then
	echo "Authentication with wrong username succeeded!"
	stop
fi
echo ""
echo "Trying with correct password and special IP"
$ECHO_E "test-arb" >pass-radius$TMP
$OPENCONNECT $IP:$PORT_OCSERV -v -u test-arb --passwd-on-stdin --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 < pass-radius$TMP >$TMPFILE &
PID=$!
sleep 5
grep 'X-CSTP-Address: 192.168.55.' $TMPFILE
if test $? != 0;then
	kill -INT $PID
	echo "Unexpected address was assigned"
	stop
fi
ping -w 3 192.168.55.1
if test $? != 0;then
	kill -INT $PID
	echo "Cannot ping ocserv"
	stop
fi
kill -INT $PID
sleep 3
echo "Trying with correct password and normal IP"
$ECHO_E "test" >pass-radius$TMP
$OPENCONNECT $IP:$PORT_OCSERV -u test --passwd-on-stdin -v --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 < pass-radius$TMP &
PID=$!
#wait for openconnect
sleep 5
rm -f pass-radius$TMP
# The client IP depends on the username so it shouldn't change.
ping -w 5 192.168.55.1
if test $? != 0;then
	kill -INT $PID
	echo "Cannot ping ocserv"
	stop
fi
ping -w 5 192.168.55.1 -s 1500
if test $? != 0;then
	kill -INT $PID
	echo "Cannot ping ocserv"
	stop
fi
ping6 -w 5 fc13:71:ea31:4b4e::1
if test $? != 0;then
	kill -INT $PID
	echo "Cannot ping the IPv6 of ocserv"
	stop
fi
retrieve_user_info test
# There is an issue in nuttcp that makes it crash under docker if
# /proc/sys/net/ipv4/tcp_adv_win_scale does not exist.
if test "$FEDORA" = 1;then
nuttcp -T 10 -t 192.168.55.1
if test $? != 0;then
	kill -INT $PID
	echo "Cannot send to ocserv"
	stop
fi
nuttcp -T 10 -r 192.168.55.1
if test $? != 0;then
	kill -INT $PID
	echo "Cannot recv from ocserv"
	stop
fi
fi
echo "Waiting for accounting report"
sleep 70
kill -INT $PID
sleep 4
check_for_file /tmp/disconnect/not-ok
if test $? = 0;then
	echo "There was an issue"
	stop
fi
DIR=`$DOCKER exec $IMAGE_NAME ls '/var/log/radius/radacct/'|tail -1`
FILE=`$DOCKER exec $IMAGE_NAME ls '/var/log/radius/radacct/'"$DIR"|tail -1`
OCTETS=`$DOCKER exec $IMAGE_NAME cat "/var/log/radius/radacct/$DIR/$FILE"|grep Acct-Input-Octets|tail -1|sed 's/Acct-Input-Octets = //g'`
if test -z "$OCTETS" || test "$OCTETS" = 0;then
	$DOCKER exec $IMAGE_NAME cat "/var/log/radius/radacct/$DIR/$FILE"
	echo "Interim update showed no data!"
	stop
fi
check_for_file /tmp/disconnect/ok
if test $? != 0;then
	$DOCKER exec $IMAGE_NAME cat "/var/log/radius/radacct/$DIR/$FILE"
	echo "There was an issue getting stats"
	stop
fi
ret=0
#wait until sec-mod has cleaned up its entries
echo "Waiting for disconnection report"
sleep 10
DISC=`$DOCKER exec $IMAGE_NAME cat "/var/log/radius/radacct/$DIR/$FILE"|grep "Acct-Terminate-Cause = User-Request"|tail -1`
if test -z "$DISC";then
	$DOCKER exec $IMAGE_NAME cat "/var/log/radius/radacct/$DIR/$FILE"
	echo "No disconnect was detected!"
	stop
fi
PIDFILE=out$TMP.pid.tmp
# do the same with a certificate - test radius accounting with certificate auth
echo "Trying with certificate"
rm -f "$PIDFILE"
$DOCKER exec $IMAGE_NAME truncate --size=0 /var/log/radius/radacct/$DIR/$FILE
$OPENCONNECT $IP:$PORT_OCSERV -b --sslkey ./certs/user-key.pem -c ./certs/user-cert.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --pid-file="$PIDFILE"
sleep 10
if test -f "$PIDFILE";then
	PID=`cat "$PIDFILE"`
else
	echo "Cannot determine PID of client"
	stop
fi	
ping -w 5 192.168.55.1
if test $? != 0;then
	kill -INT $PID
	echo "Cannot ping ocserv"
	stop
fi
sleep 4
echo "Waiting for accounting report"
sleep 70
kill -INT $PID
sleep 10
DIR=`$DOCKER exec $IMAGE_NAME ls '/var/log/radius/radacct/'|tail -1`
FILE=`$DOCKER exec $IMAGE_NAME ls '/var/log/radius/radacct/'"$DIR"|tail -1`
$DOCKER exec $IMAGE_NAME cat "/var/log/radius/radacct/$DIR/$FILE" >out$TMP
cat out$TMP
OCTETS=`cat out$TMP|grep Acct-Input-Octets|tail -1|sed 's/Acct-Input-Octets = //g'`
if test -z "$OCTETS" || test "$OCTETS" = 0;then
	echo "Interim update showed no data!"
	stop
fi
DISC=`cat out$TMP|grep "Acct-Status-Type = Start"|tail -1`
if test -z "$DISC";then
	echo "No connect status was detected!"
	stop
fi
DISC=`cat out$TMP|grep Connect-Info`
if test -z "$DISC";then
	cat out$TMP
	echo "Accounting information had no Connect-Info!"
	stop
fi
DISC=`cat out$TMP|grep "Acct-Terminate-Cause = User-Request"|tail -1`
if test -z "$DISC";then
	cat out$TMP
	echo "No disconnect was detected!"
	stop
fi
DISC=`cat out$TMP|grep "NAS-IP-Address = 127.0.0.1"|tail -1`
if test -n "$DISC";then
	cat out$TMP
	echo "NAS-IP-Address has invalid value!"
	stop
fi
$DOCKER stop $IMAGE_NAME
$DOCKER rm $IMAGE_NAME
rm -f out$TMP $TMPFILE
exit $ret
							
							
							
						
@@ -1,130 +0,0 @@
#!/bin/sh
#
# Copyright (C) 2014 Red Hat
#
# This file is part of ocserv.
#
# ocserv is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at
# your option) any later version.
#
# ocserv is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with ocserv; if not, write to the Free Software Foundation,
# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
srcdir=${srcdir:-.}
PORT_OCSERV=443
#this test can only be run as root
id|grep root >/dev/null 2>&1
if [ $? != 0 ];then
	exit 77
fi
CONFIG="radius-config"
IMAGE=ocserv-radius-test-config
IMAGE_NAME=test_ocserv_radius_config
TMP=$IMAGE_NAME.tmp
. ./docker-common.sh
$DOCKER run -e OCCTL_PAGER=cat -P --privileged=true --tty=false -d --name $IMAGE_NAME $IMAGE
if test $? != 0;then
	echo "Cannot run docker image"
	exit 1
fi
echo "ocserv image was run"
#wait for ocserv to server
sleep 5
IP=`$DOCKER inspect $IMAGE_NAME | grep IPAddress |tail -1| cut -d '"' -f 4`
if test -z "$IP";then
	echo "Detected IP is null!"
	stop
fi
echo "Detected IP: $IP"
if test ! -z "$QUIT_ON_INIT";then
	exit 0
fi
echo "Trying with correct password"
echo "test" >pass-radius$TMP
$OPENCONNECT $IP:$PORT_OCSERV -b -u testtime --passwd-on-stdin -v --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --pid-file ${srcdir}/pid1.$$ <pass-radius$TMP
if test $? != 0;then
	echo "Cannot connect to server"
	stop
fi
#wait for openconnect
sleep 5
rm -f pass-radius$TMP
if [ ! -f ${srcdir}/pid1.$$ ];then
	echo "It was not possible to establish session!"
	stop
fi
PID=`cat ${srcdir}/pid1.$$`
# The client IP depends on the username so it shouldn't change.
ping -w 5 192.168.66.1
if test $? != 0;then
	kill $PID
	echo "Cannot ping ocserv"
	stop
fi
#check whether the routes have been applied
retrieve_route_info testtime '192.168.67.0/255.255.255.0'
echo "Waiting for accounting report"
sleep 95
DIR=`$DOCKER exec $IMAGE_NAME ls '/var/log/radius/radacct/'|tail -1`
FILE=`$DOCKER exec $IMAGE_NAME ls '/var/log/radius/radacct/'"$DIR"|tail -1`
OCTETS=`$DOCKER exec $IMAGE_NAME cat "/var/log/radius/radacct/$DIR/$FILE"|grep Acct-Input-Octets|tail -1|sed 's/Acct-Input-Octets = //g'`
if test -z "$OCTETS" || test "$OCTETS" = 0;then
	kill $PID
	$DOCKER exec $IMAGE_NAME cat "/var/log/radius/radacct/$DIR/$FILE"
	echo "Interim update showed no data!"
	stop
fi
#wait until sec-mod has cleaned up its entries
echo "Waiting for disconnection report"
sleep 75
rm -f out$TMP
$DOCKER exec $IMAGE_NAME cat "/var/log/radius/radacct/$DIR/$FILE" >out$TMP
DISC=`cat out$TMP|grep "Acct-Status-Type = Start"|tail -1`
if test -z "$DISC";then
	kill $PID
	cat out$TMP
	echo "No connect status was detected!"
	stop
fi
DISC=`cat out$TMP|grep "Acct-Terminate-Cause = Session-Timeout"|tail -1`
if test -z "$DISC";then
	cat out$TMP
	kill -INT $PID
	echo "No disconnect was detected!"
	stop
fi
$DOCKER stop $IMAGE_NAME
$DOCKER rm $IMAGE_NAME
rm -f out$TMP
exit $ret