From 59400941cf51f8d1d85cbde05f4d269bf59ee11e Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Wed, 16 Aug 2023 13:19:12 +0200
Subject: [PATCH] tests: verify that address got by the proxy matches the client
Also measure whether ban points are credited to the right address for failed attempts.
Signed-off-by: Nikos Mavrogiannopoulos
---
 tests/data/haproxy-proxyproto.config | 7 ++++-
 tests/haproxy-proxyproto | 38 ++++++++++++++++++++++++++++
 2 files changed, 44 insertions(+), 1 deletion(-)
diff --git a/tests/data/haproxy-proxyproto.config b/tests/data/haproxy-proxyproto.config
index 51f72ad8..cb5d9190 100644
--- a/tests/data/haproxy-proxyproto.config
+++ b/tests/data/haproxy-proxyproto.config
@@ -7,7 +7,9 @@ auth = "plain[@SRCDIR@/data/test1.passwd]"
 isolate-workers = @ISOLATE_WORKERS@
-max-ban-score = 0
+max-ban-score = 50
+ban-reset-time = 10
+ban-points-wrong-password = 10
 # A banner to be displayed on clients
 #banner = "Welcome"
@@ -131,6 +133,9 @@ pid-file = ./ocserv.pid
 # It must be accessible within the chroot environment (if any)
 socket-file = ./ocserv-socket
+occtl-socket-file = @OCCTL_SOCKET@
+use-occtl = true
+
 # The user the worker processes will be run as. It should be
 # unique (no other services run as this user).
 run-as-user = @USERNAME@
diff --git a/tests/haproxy-proxyproto b/tests/haproxy-proxyproto
index 54e413cf..0d73ddb5 100755
--- a/tests/haproxy-proxyproto
+++ b/tests/haproxy-proxyproto
@@ -18,14 +18,17 @@
 # along with this program. If not, see .
 #
+OCCTL="${OCCTL:-../src/occtl/occtl}"
 SERV="${SERV:-../src/ocserv}"
 srcdir=${srcdir:-.}
 PIDFILE=ocserv-pid.$$.tmp
 CLIPID=oc-pid.$$.tmp
 HACONFIG=haproxy.conf.$$.tmp
 PATH=${PATH}:/usr/sbin
+OCCTL_SOCKET=./occtl-haproxy-$$.socket
 HAPROXY=$(which haproxy)
 IP=$(which ip)
+OUTPUT=./proxyproto.tmp
 . `dirname $0`/common.sh
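Review bot: `OUTPUT=./proxyproto.tmp` is the only temporary path in this block without the `$$` suffix that PIDFILE, CLIPID, HACONFIG and the new OCCTL_SOCKET carry, so two instances of this test running in the same directory would write to and then delete each other's file (finish removes it on exit). Use `OUTPUT=./proxyproto.$$.tmp` to keep it consistent with the neighbouring definitions. The hunk's trailing context lines appear to have been collapsed away, so its exact end is inferred.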
@@ -63,6 +66,7 @@ function finish {
 test -n "${CONFIG}" && rm -f ${CONFIG} >/dev/null 2>&1
 test -n "${NUTTCPPID}" && kill ${NUTTCPPID} >/dev/null 2>&1
 rm -f proxyproto-connect-ok
+ rm -f $OUTPUT
 }
 trap finish EXIT
@@ -114,6 +118,40 @@ ${CMDNS1} ping -c 3 ${VPNADDR}
 set +e
+${CMDNS2} ${OCCTL} -j -s ${OCCTL_SOCKET} show user test >$OUTPUT
+if test $? != 0;then
+ echo "occtl didn't find connected user!"
+ exit 1
+fi
+REMOTE_IP=$(cat $OUTPUT|grep "Remote IP"|sed 's/[",\ ]//g'|cut -d ':' -f 2)
+
+if test "$REMOTE_IP" != "$CLI_ADDRESS";then
+ echo Remote IP: $REMOTE_IP
+ echo Client IP: $CLI_ADDRESS
+ exit 1
+fi
+
+echo " * Connecting with wrong password ${ADDRESS}:${HAPORT}..."
+( echo "xxest" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${HAPORT} -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly )
+if test $? = 0;then
+ echo "Got cookie unexpectedly!"
+ exit 1
+fi
+
+( echo "xxest" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${HAPORT} -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly )
+if test $? = 0;then
+ echo "Got cookie unexpectedly!"
+ exit 1
+fi
+
+${CMDNS2} ${OCCTL} -s ${OCCTL_SOCKET} show ip ban points >${OUTPUT}
+POINTS=$(grep "$CLI_ADDRESS" ${OUTPUT}|tr -s ' '|sed 's/^ //g'|cut -d ' ' -f 2)
+if test "$POINTS" -lt 20;then
+ echo "Client did not get ban points ($CLI_ADDRESS - $POINTS)"
+ cat $OUTPUT
+ exit 1
+fi
+
 echo " * checking for connect-ok"
 if ! test -f proxyproto-connect-ok;then
 echo "Could not find file written by script"
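Review bot: The ban-points check `if test "$POINTS" -lt 20;then` passes silently when `$CLI_ADDRESS` does not appear in the `show ip ban points` output at all: POINTS is then empty, `test "" -lt 20` fails with "integer expression expected" (status 2), and because `set +e` is in effect the then-branch is skipped and the script continues as if the points had been credited. Guard the empty case explicitly, e.g. `if test -z "$POINTS" || test "$POINTS" -lt 20;then`. The `grep "$CLI_ADDRESS"` also treats the dots as regex wildcards and is unanchored, so an address such as 10.0.0.1 would match 10.0.0.10's line too; `grep -F -w -- "$CLI_ADDRESS"` pins it to the exact address. The `Remote IP` extraction additionally relies on `cut -d ':' -f 2`, so it only yields a usable value for IPv4 addresses; a comment noting that assumption would help if the test is ever run with an IPv6 client address.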