From 8ed48a14bba4c85b14b25f1f6ca8af0175e56856 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Sat, 22 Aug 2015 20:07:59 +0200
Subject: [PATCH] tests: check whether IPs are being passed correctly to script when in proxyproto
That is check whether the remote IP passed is other than localhost, and there is a non-empty IP_REAL_LOCAL.
---
 .../Dockerfile-debian-proxyproto | 35 +++++++++++++++++++
 .../Dockerfile-fedora-proxyproto | 1 +
 tests/docker-ocserv/Makefile.am | 3 +-
 tests/docker-ocserv/ocserv-proxyproto.conf | 2 +-
 tests/docker-ocserv/proxy-connectscript | 9 +++++
 tests/proxyproto-test | 7 ++++
 6 files changed, 55 insertions(+), 2 deletions(-)
 create mode 100644 tests/docker-ocserv/Dockerfile-debian-proxyproto
 create mode 100755 tests/docker-ocserv/proxy-connectscript
diff --git a/tests/docker-ocserv/Dockerfile-debian-proxyproto b/tests/docker-ocserv/Dockerfile-debian-proxyproto
new file mode 100644
index 00000000..3b1b6057
--- /dev/null
+++ b/tests/docker-ocserv/Dockerfile-debian-proxyproto
@@ -0,0 +1,35 @@
+FROM debian:jessie
+RUN apt-get update
+
+RUN apt-get install -y libgnutls-deb0-28 libprotobuf-c1
+RUN apt-get install -y libwrap0 libpam0g libseccomp2 libdbus-1-3 libreadline5 libnl-route-3-200
+RUN apt-get install -y libhttp-parser2.1 libpcl1 libopts25 autogen
+RUN apt-get install -y libsystemd-daemon0 valgrind nuttcp openssh-server bash
+RUN apt-get install -y libtalloc2 liblz4-1 libkrb5-3 less haproxy
+RUN sed 's/PermitRootLogin without-password/PermitRootLogin yes/g' -i /etc/ssh/sshd_config
+
+RUN sed 's/PermitRootLogin without-password/PermitRootLogin yes/g' -i /etc/ssh/sshd_config
+
+RUN echo 'root:root' |chpasswd
+RUN useradd -m -d /home/admin -s /bin/bash admin
+RUN echo 'admin:admin' |chpasswd
+
+RUN mkdir /etc/ocserv
+
+
+ADD key.pem /etc/ocserv/
+ADD cert.pem /etc/ocserv/
+ADD combo.pem /etc/ocserv/
+ADD haproxy-proxyproto.cfg /etc/haproxy/haproxy.cfg
+ADD ocserv-proxyproto.conf /etc/ocserv/ocserv.conf
+ADD passwd /etc/ocserv/
+ADD ocserv /usr/sbin/
+ADD ocpasswd /usr/bin/
+ADD occtl /usr/bin/
+ADD myscript /usr/bin/
+ADD proxy-connectscript /usr/bin/
+# It's not possible to use mknod inside a container with the default LXC
+# template, so we untar it from this archive.
+ADD dev-tun.tgz /dev/
+
+CMD nuttcp -S;/etc/init.d/ssh restart;mkdir -p /tmp/disconnect/;mkdir -p /tmp/connect;/usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg;/usr/sbin/ocserv -d 1 -f;sleep 3600
diff --git a/tests/docker-ocserv/Dockerfile-fedora-proxyproto b/tests/docker-ocserv/Dockerfile-fedora-proxyproto
index a481bfaa..734c10d3 100644
--- a/tests/docker-ocserv/Dockerfile-fedora-proxyproto
+++ b/tests/docker-ocserv/Dockerfile-fedora-proxyproto
@@ -26,6 +26,7 @@ ADD ocserv /usr/sbin/
 ADD ocpasswd /usr/bin/
 ADD occtl /usr/bin/
 ADD myscript /usr/bin/
+ADD proxy-connectscript /usr/bin/
 # It's not possible to use mknod inside a container with the default LXC
 # template, so we untar it from this archive.
 ADD dev-tun.tgz /dev/
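Review bot: The step `RUN sed 's/PermitRootLogin without-password/PermitRootLogin yes/g' -i /etc/ssh/sshd_config` appears twice in the new Dockerfile (lines 9 and 11 of the hunk); the second copy is a no-op and should be dropped. `RUN apt-get update` also sits in its own layer ahead of five separate `apt-get install` layers, so a cached update layer can later feed a stale package index to a rebuilt install layer; a single `RUN apt-get update && apt-get install -y --no-install-recommends ... && rm -rf /var/lib/apt/lists/*` avoids that. In the shell-form `CMD`, if `ocserv -d 1 -f` really stays in the foreground, the trailing `sleep 3600` is only reached after ocserv exits, which is presumably meant to keep the container alive for inspection and deserves a comment such as `# ocserv -f blocks; the sleep keeps the container up if it exits`.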
diff --git a/tests/docker-ocserv/Makefile.am b/tests/docker-ocserv/Makefile.am
index 5d9b727a..4887268b 100644
--- a/tests/docker-ocserv/Makefile.am
+++ b/tests/docker-ocserv/Makefile.am
@@ -5,7 +5,8 @@ EXTRA_DIST = passwd ocserv.conf Dockerfile-debian-tcp dev-tun.tgz myscript key.p
 radiusclient-servers pam-ocserv ocserv-pam.conf ca.pem ocserv-radius-config.conf \
 Dockerfile-fedora-radius-config radius-dictionary Dockerfile-debian-radius-config \
 ocserv-proxyproto.conf Dockerfile-fedora-proxyproto haproxy-proxyproto.cfg \
- haproxy-proxyproto-unix.cfg Dockerfile-fedora-proxyproto-unix ocserv-proxyproto-unix.conf
+ haproxy-proxyproto-unix.cfg Dockerfile-fedora-proxyproto-unix ocserv-proxyproto-unix.conf \
+ proxy-connectscript
 TESTS_ENVIRONMENT = srcdir="$(srcdir)" \
 top_builddir="$(top_builddir)"
diff --git a/tests/docker-ocserv/ocserv-proxyproto.conf b/tests/docker-ocserv/ocserv-proxyproto.conf
index ebca9b77..28d96d31 100644
--- a/tests/docker-ocserv/ocserv-proxyproto.conf
+++ b/tests/docker-ocserv/ocserv-proxyproto.conf
@@ -176,7 +176,7 @@ rekey-method = ssl
 # DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
 # in the P-t-P connection), IP_REMOTE (the VPN IP of the client),
 # ID (a unique numeric ID); REASON may be "connect" or "disconnect".
-#connect-script = /usr/bin/myscript
+connect-script = /usr/bin/proxy-connectscript
 disconnect-script = /usr/bin/myscript
 # UTMP
diff --git a/tests/docker-ocserv/proxy-connectscript b/tests/docker-ocserv/proxy-connectscript
new file mode 100755
index 00000000..91a7712b
--- /dev/null
+++ b/tests/docker-ocserv/proxy-connectscript
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+if [ "$REASON" = "connect" ];then
+ if test "$IP_REAL" != "127.0.0.1" && test "$IP_REAL" != "::1" && test -n "$IP_REAL_LOCAL";then
+ echo "$IP_REAL:$IP_REAL_LOCAL" >/tmp/connect/ok
+ fi
+fi
+
+exit 0
diff --git a/tests/proxyproto-test b/tests/proxyproto-test
index 46d21981..0aaa916b 100755
--- a/tests/proxyproto-test
+++ b/tests/proxyproto-test
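Review bot: Only `proxy-connectscript` is appended to `EXTRA_DIST`, yet the same commit creates `tests/docker-ocserv/Dockerfile-debian-proxyproto`, which does not appear in the visible part of the list; unless it is named on a line outside this hunk, `make dist` tarballs will ship the connect script but not the Debian image definition that installs it. Adding it on the new continuation line, `proxy-connectscript Dockerfile-debian-proxyproto`, keeps the distributed fixture complete. The `EXTRA_DIST` assignment starts before the hunk, so its earlier entries are not visible here.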
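Review bot: The loopback exclusion on the `if test "$IP_REAL" != "127.0.0.1" && test "$IP_REAL" != "::1"` line recognises only the two canonical forms; if ocserv ever reports the proxy's loopback source through a dual-stack socket in IPv4-mapped form, the check would pass and `/tmp/connect/ok` would be written even though no proxy-protocol address was applied, so extending it with `&& test "$IP_REAL" != "::ffff:127.0.0.1"` closes that gap (whether ocserv uses that form cannot be confirmed from this patch). The script also always exits 0, so a failed check never rejects the connection and is only observable through the marker file; a header comment such as `# Writes IP_REAL:IP_REAL_LOCAL to /tmp/connect/ok only when a non-loopback client address was seen; never rejects the connection` would make that contract explicit for the test that reads the file. Writing into `/tmp/connect` relies on the container's CMD having created it; a `mkdir -p /tmp/connect` before the `echo` removes that ordering dependency.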
@@ -115,6 +115,13 @@ sleep 2
 kill $PID
+check_for_file /tmp/connect/ok
+if test $? != 0;then
+ echo "There was an issue in connect script"
+ stop
+fi
+$DOCKER exec $IMAGE_NAME cat /tmp/connect/ok
+
 sleep 4
 #check whether /tmp/disconnect/ok was created
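Review bot: The new check only proves that `/tmp/connect/ok` exists; the `$DOCKER exec $IMAGE_NAME cat /tmp/connect/ok` line prints its contents but neither inspects them nor looks at the exec's exit status, so the test cannot report which address the connect script actually saw. Capturing it, e.g. `IPS=$($DOCKER exec $IMAGE_NAME cat /tmp/connect/ok)` followed by `echo "connect script saw: $IPS"`, gives a diagnostic that survives in CI logs and can later be compared against the expected client address. The `if test $? != 0;then` form can be written as `if ! check_for_file /tmp/connect/ok;then`, which presumably matches how the disconnect marker is checked below. The rest of the test script, including `check_for_file` and `stop`, lies outside this hunk.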