GitLab/ocserv
1
0
Fork 0
mirror of https://gitlab.com/openconnect/ocserv.git synced 2026-02-10 00:37:00 +08:00
Code Issues Packages Projects Releases Wiki Activity

tests: verify that address got by the proxy matches the client

Browse Source 
Also measure whether ban points are credited to the right
address for failed attempts.

Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
This commit is contained in:
Nikos Mavrogiannopoulos
2023-08-16 13:19:12 +02:00
parent e269f22a43
commit 59400941cf
2 changed files with 44 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
tests/data/haproxy-proxyproto.config
View File

@@ -7,7 +7,9 @@ auth = "plain[@SRCDIR@/data/test1.passwd]"
isolate-workers = @ISOLATE_WORKERS@ isolate-workers = @ISOLATE_WORKERS@
max-ban-score = 0 max-ban-score = 50
ban-reset-time = 10
ban-points-wrong-password = 10
# A banner to be displayed on clients # A banner to be displayed on clients
#banner = "Welcome" #banner = "Welcome"
@@ -131,6 +133,9 @@ pid-file = ./ocserv.pid
# It must be accessible within the chroot environment (if any) # It must be accessible within the chroot environment (if any)
socket-file = ./ocserv-socket socket-file = ./ocserv-socket
occtl-socket-file = @OCCTL_SOCKET@
use-occtl = true
# The user the worker processes will be run as. It should be # The user the worker processes will be run as. It should be
# unique (no other services run as this user). # unique (no other services run as this user).
run-as-user = @USERNAME@ run-as-user = @USERNAME@

38
tests/haproxy-proxyproto
View File

@@ -18,14 +18,17 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>. # along with this program. If not, see <http://www.gnu.org/licenses/>.
# #
OCCTL="${OCCTL:-../src/occtl/occtl}"
SERV="${SERV:-../src/ocserv}" SERV="${SERV:-../src/ocserv}"
srcdir=${srcdir:-.} srcdir=${srcdir:-.}
PIDFILE=ocserv-pid.$$.tmp PIDFILE=ocserv-pid.$$.tmp
CLIPID=oc-pid.$$.tmp CLIPID=oc-pid.$$.tmp
HACONFIG=haproxy.conf.$$.tmp HACONFIG=haproxy.conf.$$.tmp
PATH=${PATH}:/usr/sbin PATH=${PATH}:/usr/sbin
OCCTL_SOCKET=./occtl-haproxy-$$.socket
HAPROXY=$(which haproxy) HAPROXY=$(which haproxy)
IP=$(which ip) IP=$(which ip)
OUTPUT=./proxyproto.tmp
. `dirname $0`/common.sh . `dirname $0`/common.sh
@@ -63,6 +66,7 @@ function finish {
test -n "${CONFIG}" && rm -f ${CONFIG} >/dev/null 2>&1 test -n "${CONFIG}" && rm -f ${CONFIG} >/dev/null 2>&1
test -n "${NUTTCPPID}" && kill ${NUTTCPPID} >/dev/null 2>&1 test -n "${NUTTCPPID}" && kill ${NUTTCPPID} >/dev/null 2>&1
rm -f proxyproto-connect-ok rm -f proxyproto-connect-ok
rm -f $OUTPUT
} }
trap finish EXIT trap finish EXIT
@@ -114,6 +118,40 @@ ${CMDNS1} ping -c 3 ${VPNADDR}
set +e set +e
${CMDNS2} ${OCCTL} -j -s ${OCCTL_SOCKET} show user test >$OUTPUT
if test $? != 0;then
echo "occtl didn't find connected user!"
exit 1
fi
REMOTE_IP=$(cat $OUTPUT|grep "Remote IP"|sed 's/[",\ ]//g'|cut -d ':' -f 2)
if test "$REMOTE_IP" != "$CLI_ADDRESS";then
echo Remote IP: $REMOTE_IP
echo Client IP: $CLI_ADDRESS
exit 1
fi
echo " * Connecting with wrong password ${ADDRESS}:${HAPORT}..."
( echo "xxest" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${HAPORT} -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly )
if test $? = 0;then
echo "Got cookie unexpectedly!"
exit 1
fi
( echo "xxest" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${HAPORT} -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly )
if test $? = 0;then
echo "Got cookie unexpectedly!"
exit 1
fi
${CMDNS2} ${OCCTL} -s ${OCCTL_SOCKET} show ip ban points >${OUTPUT}
POINTS=$(grep "$CLI_ADDRESS" ${OUTPUT}|tr -s ' '|sed 's/^ //g'|cut -d ' ' -f 2)
if test "$POINTS" -lt 20;then
echo "Client did not get ban points ($CLI_ADDRESS - $POINTS)"
cat $OUTPUT
exit 1
fi
echo " * checking for connect-ok" echo " * checking for connect-ok"
if ! test -f proxyproto-connect-ok;then if ! test -f proxyproto-connect-ok;then
echo "Could not find file written by script" echo "Could not find file written by script"