diff --git a/tests/Makefile.am b/tests/Makefile.am index 58d0f0ec..c7d6e3d8 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -11,7 +11,7 @@ SUBDIRS = docker-ocserv dist_check_SCRIPTS = test-pass test-pass-cert test-cert test-iroute test-pass-script \ test-multi-cookie test-pam test-stress full-test test-group-pass test-pass-group-cert \ ocpasswd-test test-pass-group-cert-no-pass unix-test test-pass-opt-cert \ - test-cookie-timeout test-cookie-timeout-2 + test-cookie-timeout test-cookie-timeout-2 radius-test TESTS = test-pass test-pass-cert test-cert test-iroute test-pass-script \ test-multi-cookie full-test test-group-pass test-pass-group-cert \ diff --git a/tests/docker-common.sh b/tests/docker-common.sh index d470a8db..2e957407 100755 --- a/tests/docker-common.sh +++ b/tests/docker-common.sh @@ -49,11 +49,7 @@ if test "$FEDORA" = 1;then $UNLOCKFILE exit 1 fi - if test "$UNIX" = 1;then - cp docker-ocserv/Dockerfile-fedora-unix docker-ocserv/Dockerfile - else - cp docker-ocserv/Dockerfile-fedora-tcp docker-ocserv/Dockerfile - fi + cp docker-ocserv/Dockerfile-fedora-$CONFIG docker-ocserv/Dockerfile else #DEBIAN echo "Using the Debian image" $DOCKER pull debian:jessie @@ -62,11 +58,7 @@ else #DEBIAN $UNLOCKFILE exit 1 fi - if test "$UNIX" = 1;then - cp docker-ocserv/Dockerfile-debian-unix docker-ocserv/Dockerfile - else - cp docker-ocserv/Dockerfile-debian-tcp docker-ocserv/Dockerfile - fi + cp docker-ocserv/Dockerfile-debian-$CONFIG docker-ocserv/Dockerfile fi cp ../src/ocserv ../src/ocpasswd ../src/occtl docker-ocserv/ diff --git a/tests/docker-ocserv/Dockerfile-debian-radius b/tests/docker-ocserv/Dockerfile-debian-radius new file mode 100644 index 00000000..bf082795 --- /dev/null +++ b/tests/docker-ocserv/Dockerfile-debian-radius 
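Review bot: `radius-test` is added to `dist_check_SCRIPTS` but the `TESTS` list visible in this hunk is untouched, so from here it is unclear whether the new test is ever run by `make check`; the `TESTS` assignment continues past the hunk, so it may be appended there. If the omission is deliberate (the script exits 77 when not run as root, so it would skip rather than fail), a comment such as `# radius-test needs root and docker; run it by hand` next to the list would make that explicit.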
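Review bot: Both `cp docker-ocserv/Dockerfile-fedora-$CONFIG docker-ocserv/Dockerfile` here and the Debian counterpart in the second hunk depend on the calling test exporting `CONFIG`, and nothing checks it; a caller that still sets only `UNIX=1` (the variable this hunk stops reading) would try to copy `Dockerfile-fedora-` and fail with a cp error that does not name the real cause. Before the `if test "$FEDORA" = 1` branch, which starts above this hunk, add `: "${CONFIG:?CONFIG must be set to tcp, unix or radius}"` so a missing value aborts with a clear message. Quoting the expansion, `"docker-ocserv/Dockerfile-fedora-$CONFIG"`, also keeps an unexpected value from splitting the argument.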
@@ -0,0 +1,43 @@
+FROM debian:jessie
+
+RUN apt-get update;sleep 3
+RUN apt-get install -y libgnutls-deb0-28
+RUN apt-get install -y libprotobuf-c1
+RUN apt-get install -y libwrap0 libpam0g libseccomp2 libdbus-1-3 libreadline5 libnl-route-3-200
+RUN apt-get install -y libhttp-parser2.1 libpcl1 libopts25 autogen
+RUN apt-get install -y libsystemd-daemon0 valgrind nuttcp openssh-server bash
+RUN apt-get install -y libtalloc2
+RUN apt-get install -y liblz4-1
+RUN apt-get install -y freeradius libfreeradius-client2
+RUN sed 's/PermitRootLogin without-password/PermitRootLogin yes/g' -i /etc/ssh/sshd_config
+
+RUN echo 'root:root' |chpasswd
+RUN useradd -m -d /home/admin -s /bin/bash admin
+RUN echo 'admin:admin' |chpasswd
+EXPOSE 10500
+EXPOSE 10500/udp
+EXPOSE 10501
+EXPOSE 10501/udp
+EXPOSE 10522
+EXPOSE 10522/udp
+EXPOSE 22
+
+RUN mkdir /etc/ocserv
+
+
+ADD key.pem /etc/ocserv/
+ADD cert.pem /etc/ocserv/
+ADD ocserv-radius.conf /etc/ocserv/ocserv.conf
+ADD radiusclient.conf /etc/radiusclient/
+ADD radius-clients.conf /etc/freeradius/clients.conf
+ADD radiusclient-servers /etc/freeradius/servers
+ADD ocserv /usr/sbin/
+ADD ocpasswd /usr/bin/
+ADD occtl /usr/bin/
+ADD myscript /usr/bin/
+ADD freeradius-users /etc/freeradius/users
+# It's not possible to use mknod inside a container with the default LXC
+# template, so we untar it from this archive.
+ADD dev-tun.tgz /dev/
+
+CMD nuttcp -S;/etc/init.d/ssh restart;/usr/sbin/freeradius -X -f >/tmp/freeradius.out 2>&1 & mkdir -p /tmp/disconnect/;usr/sbin/ocserv -d 1 -f;sleep 3600
diff --git a/tests/docker-ocserv/Dockerfile-fedora-radius b/tests/docker-ocserv/Dockerfile-fedora-radius
new file mode 100644
index 00000000..ab2c127e
--- /dev/null
+++ b/tests/docker-ocserv/Dockerfile-fedora-radius
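Review bot: The `CMD` line launches the server through the relative path `usr/sbin/ocserv`, which only resolves because no `WORKDIR` is set and the working directory happens to be `/`; the Fedora Dockerfile hunk has the same relative path, and both should read `/usr/sbin/ocserv -d 1 -f`. Separately, `RUN apt-get update;sleep 3` in its own layer means cached rebuilds install from a stale package index; merging the update with the installs in one `RUN` (ending with `rm -rf /var/lib/apt/lists/*`) avoids that, and the plain-file `ADD` lines would be clearer as `COPY`, leaving `ADD` only for `dev-tun.tgz`, where the extraction is the behaviour wanted. freeradius is backgrounded immediately before ocserv starts, so the first authentication may race the RADIUS listener; the test's `sleep 5` appears to cover it, but a comment on the `CMD` noting that ordering dependency would help the next person who tightens the timing.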
@@ -0,0 +1,40 @@
+FROM fedora:21
+
+RUN yum install -y gnutls gnutls-utils protobuf-c iproute pcllib http-parser tcp_wrappers pam systemd libseccomp
+RUN yum install -y bash openssh-server nuttcp
+RUN yum install -y libnl3 libtalloc
+RUN yum install -y lz4
+RUN yum install -y freeradius freeradius-client
+RUN systemctl enable sshd
+RUN sed 's/PermitRootLogin without-password/PermitRootLogin yes/g' -i /etc/ssh/sshd_config
+
+RUN echo 'root:root' |chpasswd
+RUN useradd -m -d /home/admin -s /bin/bash admin
+RUN echo 'admin:admin' |chpasswd
+EXPOSE 10500
+EXPOSE 10500/udp
+EXPOSE 10501
+EXPOSE 10501/udp
+EXPOSE 10522
+EXPOSE 10522/udp
+EXPOSE 22
+
+RUN mkdir /etc/ocserv
+
+
+ADD key.pem /etc/ocserv/
+ADD cert.pem /etc/ocserv/
+ADD ocserv-radius.conf /etc/ocserv/ocserv.conf
+ADD radiusclient.conf /etc/radiusclient/
+ADD radius-clients.conf /etc/freeradius/clients.conf
+ADD radiusclient-servers /etc/freeradius/servers
+ADD ocserv /usr/sbin/
+ADD ocpasswd /usr/bin/
+ADD occtl /usr/bin/
+ADD myscript /usr/bin/
+ADD freeradius-users /etc/freeradius/users
+# It's not possible to use mknod inside a container with the default LXC
+# template, so we untar it from this archive.
+ADD dev-tun.tgz /dev/
+
+CMD nuttcp -S;sshd-keygen;/usr/sbin/sshd;mkdir -p /tmp/disconnect/;usr/sbin/ocserv -d 1 -f;sleep 3600
diff --git a/tests/docker-ocserv/Makefile.am b/tests/docker-ocserv/Makefile.am
index f479d565..2d48c205 100644
--- a/tests/docker-ocserv/Makefile.am
+++ b/tests/docker-ocserv/Makefile.am
@@ -1,6 +1,8 @@ EXTRA_DIST = passwd ocserv.conf Dockerfile-debian-tcp dev-tun.tgz myscript key.pem cert.pem \ Dockerfile-debian-unix ocserv-unix.conf haproxy.cfg combo.pem Dockerfile-fedora-unix \ - Dockerfile-fedora-tcp + Dockerfile-fedora-tcp freeradius-users Dockerfile-debian-radius Dockerfile-fedora-radius \ + freeradius-users ocserv-radius.conf radiusclient.conf radius-clients.conf \ + radiusclient-servers TESTS_ENVIRONMENT = srcdir="$(srcdir)" \ top_builddir="$(top_builddir)"
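Review bot: The `CMD` in this image never starts the RADIUS server: it runs `nuttcp`, `sshd-keygen`, `sshd` and `ocserv`, whereas the Debian variant launches `/usr/sbin/freeradius -X -f … &` before ocserv, so on Fedora the `auth = "radius[...]"` configuration has nothing to talk to and radius-test should fail at authentication. `RUN systemctl enable sshd` does not help here either, since systemd is not PID 1 under this `CMD` and sshd is started explicitly anyway. Start the daemon in the background before ocserv, mirroring the Debian line, e.g. `/usr/sbin/radiusd -X -f >/tmp/freeradius.out 2>&1 &` (`radiusd` is the daemon name shipped by Fedora's freeradius package; confirm against the installed package).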
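Review bot: `freeradius-users` appears twice in the new `EXTRA_DIST` lines, once at the end of the first added continuation and again at the start of the second. Automake tolerates the duplicate, but it reads like a merge leftover; drop one occurrence so the list stays a reliable inventory of what the docker build context needs.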
diff --git a/tests/docker-ocserv/freeradius-users b/tests/docker-ocserv/freeradius-users new file mode 100644 index 00000000..367ccc79 --- /dev/null +++ b/tests/docker-ocserv/freeradius-users @@ -0,0 +1,16 @@ +# +# This is a complete entry for "steve". Note that there is no Fall-Through +# entry so that no DEFAULT entry will be used, and the user will NOT +# get any attributes in addition to the ones listed here. +# +test Cleartext-Password := "test" + Service-Type = Framed-User, + Framed-Protocol = PPP, + Framed-Route = 192.168.100.5/24, + Framed-Route = 192.168.1.0/8, + Framed-IPv6-Prefix = "2000:0:0:106::/64", + Framed-IP-Address = 192.168.1.190, + Framed-IP-Netmask = 255.255.255.0, + Framed-Routing = Broadcast-Listen, + Framed-MTU = 1500, + diff --git a/tests/docker-ocserv/ocserv-radius.conf b/tests/docker-ocserv/ocserv-radius.conf new file mode 100644 index 00000000..b30841c8 --- /dev/null +++ b/tests/docker-ocserv/ocserv-radius.conf 
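Review bot: The header comment still describes "a complete entry for "steve"" while the entry defined below is `test`; change it to `# This is a complete entry for "test".` so the fixture documents itself. `Framed-Route = 192.168.1.0/8` is also an unusual prefix for that address (the other route uses /24 and `Framed-IP-Netmask` is 255.255.255.0); if it is meant to exercise an odd route rather than being a typo for `/24`, a one-line comment saying so would prevent a later "fix".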
@@ -0,0 +1,304 @@ +# User authentication method. Could be set multiple times and in that case +# all should succeed. +# Options: certificate, pam. +#auth = "certificate" +#auth = "plain[/etc/ocserv/passwd]" +#auth = "pam" +auth = "radius[/etc/radiusclient/radiusclient.conf,groupconfig]" + +# Whether to enable support for the occtl tool (i.e., either through D-BUS, +# or via a unix socket). +use-occtl = true + +# socket file used for IPC with occtl. You only need to set that, +# if you use more than a single servers. +#occtl-socket-file = /var/run/occtl.socket + +# The plain option requires specifying a password file which contains +# entries of the following format. +# "username:groupname:encoded-password" +# One entry must be listed per line, and 'ocpasswd' can be used +# to generate password entries. +#auth = "plain[/etc/ocserv/ocpasswd]" + +# A banner to be displayed on clients +#banner = "Welcome" + +stats-report-time = 60 + +# Use listen-host to limit to specific IPs or to the IPs of a provided +# hostname. +#listen-host = [IP|HOSTNAME] + +# Limit the number of clients. Unset or set to zero for unlimited. +#max-clients = 1024 +max-clients = 16 + +# Limit the number of client connections to one every X milliseconds +# (X is the provided value). Set to zero for no limit. +#rate-limit-ms = 100 + +# Limit the number of identical clients (i.e., users connecting +# multiple times). Unset or set to zero for unlimited. +max-same-clients = 2 + +# TCP and UDP port number +tcp-port = 10522 +udp-port = 10522 + +# Keepalive in seconds +keepalive = 32400 + +# Dead peer detection in seconds. +dpd = 240 + +# Dead peer detection for mobile clients. The needs to +# be much higher to prevent such clients being awaken too +# often by the DPD messages, and save battery. 
+# (clients that send the X-AnyConnect-Identifier-DeviceType) +mobile-dpd = 1800 + +# MTU discovery (DPD must be enabled) +try-mtu-discovery = false + +# The key and the certificates of the server +# The key may be a file, or any URL supported by GnuTLS (e.g., +# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user +# or pkcs11:object=my-vpn-key;object-type=private) +# +# There may be multiple certificate and key pairs and each key +# should correspond to the preceding certificate. +server-cert = /etc/ocserv/cert.pem +server-key = /etc/ocserv/key.pem + +# Diffie-Hellman parameters. Only needed if you require support +# for the DHE ciphersuites (by default this server supports ECDHE). +# Can be generated using: +# certtool --generate-dh-params --outfile /path/to/dh.pem +#dh-params = /path/to/dh.pem + +# If you have a certificate from a CA that provides an OCSP +# service you may provide a fresh OCSP status response within +# the TLS handshake. That will prevent the client from connecting +# independently on the OCSP server. +# You can update this response periodically using: +# ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response +# Make sure that you replace the following file in an atomic way. +#ocsp-response = /path/to/ocsp.der + +# In case PKCS #11 or TPM keys are used the PINs should be available +# in files. The srk-pin-file is applicable to TPM keys only, and is the +# storage root key. +#pin-file = /path/to/pin.txt +#srk-pin-file = /path/to/srkpin.txt + +# The Certificate Authority that will be used to verify +# client certificates (public keys) if certificate authentication +# is set. +#ca-cert = /path/to/ca.pem + +# The object identifier that will be used to read the user ID in the client +# certificate. 
The object identifier should be part of the certificate's DN +# Useful OIDs are: +# CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1 +#cert-user-oid = 0.9.2342.19200300.100.1.1 + +# The object identifier that will be used to read the user group in the +# client certificate. The object identifier should be part of the certificate's +# DN. Useful OIDs are: +# OU (organizational unit) = 2.5.4.11 +#cert-group-oid = 2.5.4.11 + +# The revocation list of the certificates issued by the 'ca-cert' above. +#crl = /path/to/crl.pem + +# GnuTLS priority string +tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT" + +# To enforce perfect forward secrecy (PFS) on the main channel. +#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA" + +# The time (in seconds) that a client is allowed to stay connected prior +# to authentication +auth-timeout = 40 + +# The time (in seconds) that a client is allowed to stay idle (no traffic) +# before being disconnected. Unset to disable. +#idle-timeout = 1200 + +# The time (in seconds) that a mobile client is allowed to stay idle (no +# traffic) before being disconnected. Unset to disable. +#mobile-idle-timeout = 2400 + +# The time (in seconds) that a client is not allowed to reconnect after +# a failed authentication attempt. +#min-reauth-time = 2 + +# Cookie validity time (in seconds) +# Once a client is authenticated he's provided a cookie with +# which he can reconnect. This option sets the maximum lifetime +# of that cookie. +cookie-validity = 86400 + +# ReKey time (in seconds) +# ocserv will ask the client to refresh keys periodically once +# this amount of seconds is elapsed. Set to zero to disable. +rekey-time = 172800 + +# ReKey method +# Valid options: ssl, new-tunnel +# ssl: Will perform an efficient rehandshake on the channel allowing +# a seamless connection during rekey. +# new-tunnel: Will instruct the client to discard and re-establish the channel. 
+# Use this option only if the connecting clients have issues with the ssl +# option. +rekey-method = ssl + +# Script to call when a client connects and obtains an IP +# Parameters are passed on the environment. +# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client), +# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP +# in the P-t-P connection), IP_REMOTE (the VPN IP of the client), +# ID (a unique numeric ID); REASON may be "connect" or "disconnect". +#connect-script = /usr/bin/myscript +disconnect-script = /usr/bin/myscript + +# UTMP +use-utmp = true + +# D-BUS usage. If disabled occtl tool cannot be used. If enabled +# then ocserv must have access to register org.infradead.ocserv +# D-BUS service. See doc/dbus/org.infradead.ocserv.conf +use-dbus = false + +# PID file. It can be overriden in the command line. +pid-file = /var/run/ocserv.pid + +# The default server directory. Does not require any devices present. +#chroot-dir = /path/to/chroot + +# socket file used for IPC, will be appended with .PID +# It must be accessible within the chroot environment (if any) +socket-file = /var/run/ocserv-socket + +# The user the worker processes will be run as. It should be +# unique (no other services run as this user). +run-as-user = nobody +run-as-group = daemon + +# Set the protocol-defined priority (SO_PRIORITY) for packets to +# be sent. That is a number from 0 to 6 with 0 being the lowest +# priority. Alternatively this can be used to set the IP Type- +# Of-Service, by setting it to a hexadecimal number (e.g., 0x20). +# This can be set per user/group or globally. +#net-priority = 3 + +# Set the VPN worker process into a specific cgroup. This is Linux +# specific and can be set per user/group or globally. 
+#cgroup = "cpuset,cpu:test" + +# +# Network settings +# + +# The name of the tun device +device = vpns + +# The default domain to be advertised +default-domain = example.com + +# The pool of addresses that leases will be given from. +ipv4-network = 192.168.1.0 +ipv4-netmask = 255.255.255.0 + +# The advertized DNS server. Use multiple lines for +# multiple servers. +# dns = fc00::4be0 +#dns = 192.168.1.2 + +# The NBNS server (if any) +#nbns = 192.168.1.3 + +# The IPv6 subnet that leases will be given from. +ipv6-network = fd91:6d87:7341:db6a:: +ipv6-prefix = 64 + +# The domains over which the provided DNS should be used. Use +# multiple lines for multiple domains. +#split-dns = example.com + +# Prior to leasing any IP from the pool ping it to verify that +# it is not in use by another (unrelated to this server) host. +ping-leases = false + +# Unset to assign the default MTU of the device +# mtu = + +# Unset to enable bandwidth restrictions (in bytes/sec). The +# setting here is global, but can also be set per user or per group. +#rx-data-per-sec = 40000 +#tx-data-per-sec = 40000 + +# The number of packets (of MTU size) that are available in +# the output buffer. The default is low to improve latency. +# Setting it higher will improve throughput. +#output-buffer = 10 + +# Routes to be forwarded to the client. If you need the +# client to forward routes to the server, you may use the +# config-per-user/group or even connect and disconnect scripts. +# +# To set the server as the default gateway for the client just +# comment out all routes from the server. +route = 192.168.1.0/255.255.255.0 +#route = 192.168.5.0/255.255.255.0 +#route = fef4:db8:1000:1001::/64 + +# Configuration files that will be applied per user connection or +# per group. Each file name on these directories must match the username +# or the groupname. 
+# The options allowed in the configuration files are dns, nbns, +# ipv?-network, ipv4-netmask, ipv6-prefix, rx/tx-per-sec, iroute, route, +# net-priority and cgroup. +# +# Note that the 'iroute' option allows to add routes on the server +# based on a user or group. The syntax depends on the input accepted +# by the commands route-add-cmd and route-del-cmd (see below). + +#config-per-user = /etc/ocserv/config-per-user/ +#config-per-group = /etc/ocserv/config-per-group/ + +# The system command to use to setup a route. %R will be replaced with the +# route/mask and %D with the (tun) device. +# +# The following example is from linux systems. %R should be something +# like 192.168.2.0/24 + +#route-add-cmd = "ip route add %R dev %D" +#route-del-cmd = "ip route delete %R dev %D" + +# +# The following options are for (experimental) AnyConnect client +# compatibility. + +# Client profile xml. A sample file exists in doc/profile.xml. +# This file must be accessible from inside the worker's chroot. +# It is not used by the openconnect client. +#user-profile = profile.xml + +# Binary files that may be downloaded by the CISCO client. Must +# be within any chroot environment. +#binary-files = /path/to/binaries + +# Unless set to false it is required for clients to present their +# certificate even if they are authenticating via a previously granted +# cookie and complete their authentication in the same TCP connection. +# Legacy CISCO clients do not do that, and thus this option should be +# set for them. +#cisco-client-compat = false + +#Advanced options + +# Option to allow sending arbitrary custom headers to the client after +# authentication and prior to VPN tunnel establishment. +#custom-header = "X-My-Header: hi there" diff --git a/tests/docker-ocserv/radius-clients.conf b/tests/docker-ocserv/radius-clients.conf new file mode 100644 index 00000000..d5b1f742 --- /dev/null +++ b/tests/docker-ocserv/radius-clients.conf 
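Review bot: The opening comment says `# Options: certificate, pam.` while the only active line is `auth = "radius[/etc/radiusclient/radiusclient.conf,groupconfig]"`, and the file itself also shows `plain[...]`; updating it to `# Options: certificate, pam, plain, radius.` keeps the header from contradicting the configuration. A short comment above the `auth` line explaining what `groupconfig` selects (as far as this commit shows, it appears to be what lets the Framed-IP-Address from freeradius-users become the 192.168.1.190 that radius-test pings; confirm against the ocserv manual) would tell a reader why that fixture matters.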
@@ -0,0 +1,235 @@ +# -*- text -*- +## +## clients.conf -- client configuration directives +## +## $Id: 729c15d3e84c6cdb54a5f3652d93a2d7f8725fd4 $ + +####################################################################### +# +# Define RADIUS clients (usually a NAS, Access Point, etc.). + +# +# Defines a RADIUS client. +# +# '127.0.0.1' is another name for 'localhost'. It is enabled by default, +# to allow testing of the server after an initial installation. If you +# are not going to be permitting RADIUS queries from localhost, we suggest +# that you delete, or comment out, this entry. +# +# + +# +# Each client has a "short name" that is used to distinguish it from +# other clients. +# +# In version 1.x, the string after the word "client" was the IP +# address of the client. In 2.0, the IP address is configured via +# the "ipaddr" or "ipv6addr" fields. For compatibility, the 1.x +# format is still accepted. +# +client localhost { + # Allowed values are: + # dotted quad (1.2.3.4) + # hostname (radius.example.com) + ipaddr = 127.0.0.1 + + # OR, you can use an IPv6 address, but not both + # at the same time. +# ipv6addr = :: # any. ::1 == localhost + + # + # A note on DNS: We STRONGLY recommend using IP addresses + # rather than host names. Using host names means that the + # server will do DNS lookups when it starts, making it + # dependent on DNS. i.e. If anything goes wrong with DNS, + # the server won't start! + # + # The server also looks up the IP address from DNS once, and + # only once, when it starts. If the DNS record is later + # updated, the server WILL NOT see that update. + # + + # One client definition can be applied to an entire network. + # e.g. 127/8 should be defined with "ipaddr = 127.0.0.0" and + # "netmask = 8" + # + # If not specified, the default netmask is 32 (i.e. /32) + # + # We do NOT recommend using anything other than 32. There + # are usually other, better ways to achieve the same goal. 
+ # Using netmasks of other than 32 can cause security issues. + # + # You can specify overlapping networks (127/8 and 127.0/16) + # In that case, the smallest possible network will be used + # as the "best match" for the client. + # + # Clients can also be defined dynamically at run time, based + # on any criteria. e.g. SQL lookups, keying off of NAS-Identifier, + # etc. + # See raddb/sites-available/dynamic-clients for details. + # + +# netmask = 32 + + # + # The shared secret use to "encrypt" and "sign" packets between + # the NAS and FreeRADIUS. You MUST change this secret from the + # default, otherwise it's not a secret any more! + # + # The secret can be any string, up to 8k characters in length. + # + # Control codes can be entered vi octal encoding, + # e.g. "\101\102" == "AB" + # Quotation marks can be entered by escaping them, + # e.g. "foo\"bar" + # + # A note on security: The security of the RADIUS protocol + # depends COMPLETELY on this secret! We recommend using a + # shared secret that is composed of: + # + # upper case letters + # lower case letters + # numbers + # + # And is at LEAST 8 characters long, preferably 16 characters in + # length. The secret MUST be random, and should not be words, + # phrase, or anything else that is recognizable. + # + # The default secret below is only for testing, and should + # not be used in any real environment. + # + secret = testing123 + + # + # Old-style clients do not send a Message-Authenticator + # in an Access-Request. RFC 5080 suggests that all clients + # SHOULD include it in an Access-Request. The configuration + # item below allows the server to require it. If a client + # is required to include a Message-Authenticator and it does + # not, then the packet will be silently discarded. + # + # allowed values: yes, no + require_message_authenticator = no + + # + # The short name is used as an alias for the fully qualified + # domain name, or the IP address. 
+ # + # It is accepted for compatibility with 1.x, but it is no + # longer necessary in 2.0 + # +# shortname = localhost + + # + # the following three fields are optional, but may be used by + # checkrad.pl for simultaneous use checks + # + + # + # The nastype tells 'checkrad.pl' which NAS-specific method to + # use to query the NAS for simultaneous use. + # + # Permitted NAS types are: + # + # cisco + # computone + # livingston + # juniper + # max40xx + # multitech + # netserver + # pathras + # patton + # portslave + # tc + # usrhiper + # other # for all other types + + # + nastype = other # localhost isn't usually a NAS... + + # + # The following two configurations are for future use. + # The 'naspasswd' file is currently used to store the NAS + # login name and password, which is used by checkrad.pl + # when querying the NAS for simultaneous use. + # +# login = !root +# password = someadminpas + + # + # As of 2.0, clients can also be tied to a virtual server. + # This is done by setting the "virtual_server" configuration + # item, as in the example below. + # +# virtual_server = home1 + + # + # A pointer to the "home_server_pool" OR a "home_server" + # section that contains the CoA configuration for this + # client. For an example of a coa home server or pool, + # see raddb/sites-available/originate-coa +# coa_server = coa +} + +# IPv6 Client +#client ::1 { +# secret = testing123 +# shortname = localhost +#} +# +# All IPv6 Site-local clients +#client fe80::/16 { +# secret = testing123 +# shortname = localhost +#} + +#client some.host.org { +# secret = testing123 +# shortname = localhost +#} + +# +# You can now specify one secret for a network of clients. +# When a client request comes in, the BEST match is chosen. +# i.e. The entry from the smallest possible network. 
+# +#client 192.168.0.0/24 { +# secret = testing123-1 +# shortname = private-network-1 +#} +# +#client 192.168.0.0/16 { +# secret = testing123-2 +# shortname = private-network-2 +#} + + +#client 10.10.10.10 { +# # secret and password are mapped through the "secrets" file. +# secret = testing123 +# shortname = liv1 +# # the following three fields are optional, but may be used by +# # checkrad.pl for simultaneous usage checks +# nastype = livingston +# login = !root +# password = someadminpas +#} + +####################################################################### +# +# Per-socket client lists. The configuration entries are exactly +# the same as above, but they are nested inside of a section. +# +# You can have as many per-socket client lists as you have "listen" +# sections, or you can re-use a list among multiple "listen" sections. +# +# Un-comment this section, and edit a "listen" section to add: +# "clients = per_socket_clients". That IP address/port combination +# will then accept ONLY the clients listed in this section. +# +#clients per_socket_clients { +# client 192.168.3.4 { +# secret = testing123 +# } +#} diff --git a/tests/docker-ocserv/radiusclient-servers b/tests/docker-ocserv/radiusclient-servers new file mode 100644 index 00000000..a6863a9d --- /dev/null +++ b/tests/docker-ocserv/radiusclient-servers @@ -0,0 +1,10 @@ +## Server Name or Client/Server pair Key +## ---------------- --------------- +# +#portmaster.elemental.net hardlyasecret +#portmaster2.elemental.net donttellanyone +# +## uncomment the following line for simple testing of radlogin +## with freeradius-server +# +localhost/localhost testing123 diff --git a/tests/docker-ocserv/radiusclient.conf b/tests/docker-ocserv/radiusclient.conf new file mode 100644 index 00000000..7ad93a16 --- /dev/null +++ b/tests/docker-ocserv/radiusclient.conf 
@@ -0,0 +1,92 @@ +# General settings + +# specify which authentication comes first respectively which +# authentication is used. possible values are: "radius" and "local". +# if you specify "radius,local" then the RADIUS server is asked +# first then the local one. if only one keyword is specified only +# this server is asked. +auth_order radius,local + +# maximum login tries a user has +login_tries 4 + +# timeout for all login tries +# if this time is exceeded the user is kicked out +login_timeout 60 + +# name of the nologin file which when it exists disables logins. +# it may be extended by the ttyname which will result in +# a terminal specific lock (e.g. /etc/nologin.ttyS2 will disable +# logins on /dev/ttyS2) +nologin /etc/nologin + +# name of the issue file. it's only display when no username is passed +# on the radlogin command line +issue /etc/radiusclient/issue + +# RADIUS settings + +# RADIUS server to use for authentication requests. this config +# item can appear more then one time. if multiple servers are +# defined they are tried in a round robin fashion if one +# server is not answering. +# optionally you can specify a the port number on which is remote +# RADIUS listens separated by a colon from the hostname. if +# no port is specified /etc/services is consulted of the radius +# service. if this fails also a compiled in default is used. +authserver localhost + +# RADIUS server to use for accouting requests. All that I +# said for authserver applies, too. 
+# +acctserver localhost + +# file holding shared secrets used for the communication +# between the RADIUS client and server +servers /etc/radiusclient/servers + +# dictionary of allowed attributes and values +# just like in the normal RADIUS distributions +dictionary /etc/radiusclient/dictionary + +# program to call for a RADIUS authenticated login +login_radius /usr/sbin/login.radius + +# file which holds sequence number for communication with the +# RADIUS server +seqfile /var/run/radius.seq + +# file which specifies mapping between ttyname and NAS-Port attribute +mapfile /etc/radiusclient/port-id-map + +# default authentication realm to append to all usernames if no +# realm was explicitly specified by the user +# the radiusd directly form Livingston doesnt use any realms, so leave +# it blank then +default_realm + +# time to wait for a reply from the RADIUS server +radius_timeout 10 + +# resend request this many times before trying the next server +radius_retries 3 + +# The length of time in seconds that we skip a nonresponsive RADIUS +# server for transaction requests. Server(s) being in the "dead" state +# are tried only after all other non-dead servers have been tried and +# failed or timeouted. The deadtime interval starts when the server +# does not respond to an authentication/accounting request transmissions. +# When the interval expires, the "dead" server would be re-tried again, +# and if it's still down then it will be considered "dead" for another +# such interval and so on. This option is no-op if there is only one +# server in the list. Set to 0 in order to disable the feature. +radius_deadtime 0 + +# local address from which radius packets have to be sent +bindaddr * + +# LOCAL settings + +# program to execute for local login +# it must support the -f flag for preauthenticated login +login_local /bin/login diff --git a/tests/full-test b/tests/full-test index fd53e217..d911aef6 100755 --- a/tests/full-test +++ b/tests/full-test 
@@ -26,6 +26,7 @@ if [ $? != 0 ];then exit 77 fi +CONFIG="tcp" IMAGE=ocserv-test1 . ./docker-common.sh diff --git a/tests/radius-test b/tests/radius-test new file mode 100755 index 00000000..61a1264d --- /dev/null +++ b/tests/radius-test 
@@ -0,0 +1,168 @@ +#!/bin/sh +# +# Copyright (C) 2014 Red Hat +# +# This file is part of ocserv. +# +# ocserv is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 2 of the License, or (at +# your option) any later version. +# +# ocserv is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with ocserv; if not, write to the Free Software Foundation, +# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + +srcdir=${srcdir:-.} + +PORT=10500 +PORT2=10501 +PORT_OCSERV=10522 +#this test can only be run as root +id|grep root >/dev/null 2>&1 +if [ $? != 0 ];then + exit 77 +fi + +CONFIG="radius" +IMAGE=ocserv-radius-test +. ./docker-common.sh + +stop() { + $DOCKER stop test_ocserv_radius + $DOCKER rm test_ocserv_radius + exit 1 +} + +$DOCKER run -P --privileged=true -p $PORT:$PORT/udp -p $PORT2:$PORT2/udp -p 22 -p $PORT_OCSERV:$PORT_OCSERV/udp --tty=false -d --name test_ocserv_radius $IMAGE +if test $? != 0;then + echo "Cannot run docker image" + exit 1 +fi + +echo "ocserv image was run" +#wait for ocserv to server +sleep 5 + +IP=`$DOCKER inspect test_ocserv_radius | grep IPAddress | cut -d '"' -f 4` +if test -z "$IP";then + echo "Detected IP is null!" + stop +fi +echo "Detected IP: $IP" + +printf "test\ntest\n" >pass.tmp +openconnect $IP:$PORT_OCSERV -u test --passwd-on-stdin -v --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 < pass.tmp & +PID=$! + +rm -f pass.tmp + +#wait for openconnect +sleep 5 + +# The client IP depends on the username so it shouldn't change. +ping -w 5 192.168.1.190 +if test $? 
!= 0;then + kill $PID + echo "Cannot ping ocserv" + stop +fi + +ping -w 5 192.168.1.190 -s 1500 +if test $? != 0;then + kill $PID + echo "Cannot ping ocserv" + stop +fi + +ping6 -w 5 fd91:6d87:7341:db6a:0:52:190c:be00 +if test $? != 0;then + kill $PID + echo "Cannot ping the IPv6 of ocserv" + stop +fi + +echo "UserKnownHostsFile ./known-hosts.tmp" >config.tmp +printf "#\!/bin/sh\n" >echo-admin.tmp +printf "echo yes" >>echo-admin.tmp +printf "echo root" >>echo-admin.tmp +printf "\n" >>echo-admin.tmp +chmod 755 echo-admin.tmp +export SSH_ASKPASS="./echo-admin.tmp" +setsid ssh -T -F config.tmp root@192.168.1.190 occtl show user test >out.tmp 2>&1 +cat out.tmp + +printf "#\!/bin/sh\n" >echo-admin.tmp +printf "echo root" >>echo-admin.tmp +printf "\n" >>echo-admin.tmp +chmod 755 echo-admin.tmp +setsid ssh -T -F config.tmp root@192.168.1.190 occtl show user test >out.tmp 2>&1 +cat out.tmp +rm -f echo-admin.tmp +rm -f config.tmp +rm -f known-hosts.tmp + +grep "Username" out.tmp +if test $? != 0;then + kill $PID + echo "could not find user information" + stop +fi + +rm -f out.tmp + +# There is an issue in nuttcp that makes it crash under docker if +# /proc/sys/net/ipv4/tcp_adv_win_scale does not exist. +if test "$FEDORA" = 1;then +nuttcp -T 10 -t 192.168.1.190 +if test $? != 0;then + kill $PID + echo "Cannot send to ocserv" + stop +fi + +nuttcp -T 10 -r 192.168.1.190 +if test $? != 0;then + kill $PID + echo "Cannot recv from ocserv" + stop +fi +fi + +sleep 2 + +kill $PID + +sleep 4 + +#check whether /tmp/disconnect/ok was created +rm -f ./not-ok +$DOCKER cp test_ocserv_radius:/tmp/disconnect/not-ok ./ +if test -f ./not-ok;then + echo "There was an issue getting stats" + stop +fi +rm -f ./not-ok + +ret=0 + +rm -f ./tmp-full/ok +$DOCKER cp test_ocserv_radius:/tmp/disconnect/ok ./tmp-full/ +if ! 
test -f ./tmp-full/ok;then + echo "Don't know if stats were received" + ret=77 +else + echo -n "stats: " + echo `cat ./tmp-full/ok` + rm -rf ./tmp-full/ +fi + +$DOCKER stop test_ocserv_radius +$DOCKER rm test_ocserv_radius + +exit $ret diff --git a/tests/unix-test b/tests/unix-test index 6faeaf3f..89136238 100755 --- a/tests/unix-test +++ b/tests/unix-test @@ -27,6 +27,7 @@ if [ $? != 0 ];then fi UNIX=1 +CONFIG="unix" IMAGE=ocserv-test2 . ./docker-common.sh
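Review bot: The SSH_ASKPASS helper is built from `printf "echo yes" >>echo-admin.tmp` followed by `printf "echo root" >>echo-admin.tmp` with no newline between them, so the script body becomes the single line `echo yesecho root` and the host-key confirmation gets a garbled answer; change the first to `printf "echo yes\n" >>echo-admin.tmp`. The shebang is written as `printf "#\!/bin/sh\n"`, and `\!` is not a printf escape, so on most implementations the helper's first line contains a literal backslash and it runs only because the ENOEXEC fallback hands it to the shell; `printf '#!/bin/sh\n' >echo-admin.tmp` is what was intended. Note also that ssh consults SSH_ASKPASS only when it has no tty and a DISPLAY is set, so this section may silently depend on the CI environment; a comment at the top of it stating that assumption would help whoever debugs a failure here.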
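Review bot: `UNIX=1` stays in place although docker-common.sh no longer reads it (this commit replaces the `$UNIX` branch with `$CONFIG`); unless unix-test itself uses the variable further down, outside this hunk, it is now dead and can be dropped so it does not suggest it still selects the Dockerfile.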