tests: added radius test

tests/Makefile.am

@@ -11,7 +11,7 @@ SUBDIRS = docker-ocserv
 dist_check_SCRIPTS = test-pass test-pass-cert test-cert test-iroute test-pass-script \
 	test-multi-cookie test-pam test-stress full-test test-group-pass test-pass-group-cert \
 	ocpasswd-test test-pass-group-cert-no-pass unix-test test-pass-opt-cert \
-	test-cookie-timeout test-cookie-timeout-2
+	test-cookie-timeout test-cookie-timeout-2 radius-test
 
 TESTS = test-pass test-pass-cert test-cert test-iroute test-pass-script \
 	test-multi-cookie full-test test-group-pass test-pass-group-cert \

tests/docker-common.sh

@@ -49,11 +49,7 @@ if test "$FEDORA" = 1;then
 		$UNLOCKFILE
 		exit 1
 	fi
-	if test "$UNIX" = 1;then
+	cp docker-ocserv/Dockerfile-fedora-$CONFIG docker-ocserv/Dockerfile
-		cp docker-ocserv/Dockerfile-fedora-unix docker-ocserv/Dockerfile
-	else
-		cp docker-ocserv/Dockerfile-fedora-tcp docker-ocserv/Dockerfile
-	fi
 else #DEBIAN
 	echo "Using the Debian image"
 	$DOCKER pull debian:jessie
@@ -62,11 +58,7 @@ else #DEBIAN
 		$UNLOCKFILE
 		exit 1
 	fi
-	if test "$UNIX" = 1;then
+	cp docker-ocserv/Dockerfile-debian-$CONFIG docker-ocserv/Dockerfile
-		cp docker-ocserv/Dockerfile-debian-unix docker-ocserv/Dockerfile
-	else
-		cp docker-ocserv/Dockerfile-debian-tcp docker-ocserv/Dockerfile
-	fi
 fi
 
 cp ../src/ocserv ../src/ocpasswd ../src/occtl docker-ocserv/

tests/docker-ocserv/Dockerfile-debian-radius

@@ -0,0 +1,43 @@
+FROM debian:jessie
+
+RUN apt-get update;sleep 3
+RUN apt-get install -y libgnutls-deb0-28
+RUN apt-get install -y libprotobuf-c1
+RUN apt-get install -y libwrap0 libpam0g libseccomp2 libdbus-1-3 libreadline5 libnl-route-3-200
+RUN apt-get install -y libhttp-parser2.1 libpcl1 libopts25 autogen
+RUN apt-get install -y libsystemd-daemon0 valgrind nuttcp openssh-server bash
+RUN apt-get install -y libtalloc2
+RUN apt-get install -y liblz4-1
+RUN apt-get install -y freeradius libfreeradius-client2
+RUN sed 's/PermitRootLogin without-password/PermitRootLogin yes/g' -i /etc/ssh/sshd_config
+
+RUN echo 'root:root' |chpasswd
+RUN useradd -m -d /home/admin -s /bin/bash admin
+RUN echo 'admin:admin' |chpasswd
+EXPOSE 10500
+EXPOSE 10500/udp
+EXPOSE 10501
+EXPOSE 10501/udp
+EXPOSE 10522
+EXPOSE 10522/udp
+EXPOSE 22
+
+RUN mkdir /etc/ocserv
+
+
+ADD key.pem /etc/ocserv/
+ADD cert.pem /etc/ocserv/
+ADD ocserv-radius.conf /etc/ocserv/ocserv.conf
+ADD radiusclient.conf /etc/radiusclient/
+ADD radius-clients.conf /etc/freeradius/clients.conf
+ADD radiusclient-servers /etc/freeradius/servers
+ADD ocserv /usr/sbin/
+ADD ocpasswd /usr/bin/
+ADD occtl /usr/bin/
+ADD myscript /usr/bin/
+ADD freeradius-users /etc/freeradius/users
+# It's not possible to use mknod inside a container with the default LXC
+# template, so we untar it from this archive.
+ADD dev-tun.tgz /dev/
+
+CMD nuttcp -S;/etc/init.d/ssh restart;/usr/sbin/freeradius -X -f >/tmp/freeradius.out 2>&1 & mkdir -p /tmp/disconnect/;usr/sbin/ocserv -d 1 -f;sleep 3600

tests/docker-ocserv/Dockerfile-fedora-radius

@@ -0,0 +1,40 @@
+FROM fedora:21
+
+RUN yum install -y gnutls gnutls-utils protobuf-c iproute pcllib http-parser tcp_wrappers pam systemd libseccomp
+RUN yum install -y bash openssh-server nuttcp
+RUN yum install -y libnl3 libtalloc
+RUN yum install -y lz4
+RUN yum install -y freeradius freeradius-client
+RUN systemctl enable sshd
+RUN sed 's/PermitRootLogin without-password/PermitRootLogin yes/g' -i /etc/ssh/sshd_config
+
+RUN echo 'root:root' |chpasswd
+RUN useradd -m -d /home/admin -s /bin/bash admin
+RUN echo 'admin:admin' |chpasswd
+EXPOSE 10500
+EXPOSE 10500/udp
+EXPOSE 10501
+EXPOSE 10501/udp
+EXPOSE 10522
+EXPOSE 10522/udp
+EXPOSE 22
+
+RUN mkdir /etc/ocserv
+
+
+ADD key.pem /etc/ocserv/
+ADD cert.pem /etc/ocserv/
+ADD ocserv-radius.conf /etc/ocserv/ocserv.conf
+ADD radiusclient.conf /etc/radiusclient/
+ADD radius-clients.conf /etc/freeradius/clients.conf
+ADD radiusclient-servers /etc/freeradius/servers
+ADD ocserv /usr/sbin/
+ADD ocpasswd /usr/bin/
+ADD occtl /usr/bin/
+ADD myscript /usr/bin/
+ADD freeradius-users /etc/freeradius/users
+# It's not possible to use mknod inside a container with the default LXC
+# template, so we untar it from this archive.
+ADD dev-tun.tgz /dev/
+
+CMD nuttcp -S;sshd-keygen;/usr/sbin/sshd;mkdir -p /tmp/disconnect/;usr/sbin/ocserv -d 1 -f;sleep 3600

tests/docker-ocserv/Makefile.am

@@ -1,6 +1,8 @@
 EXTRA_DIST = passwd ocserv.conf Dockerfile-debian-tcp dev-tun.tgz myscript key.pem cert.pem \
 	Dockerfile-debian-unix ocserv-unix.conf haproxy.cfg combo.pem Dockerfile-fedora-unix \
-	Dockerfile-fedora-tcp
+	Dockerfile-fedora-tcp freeradius-users Dockerfile-debian-radius Dockerfile-fedora-radius \
+	freeradius-users ocserv-radius.conf radiusclient.conf radius-clients.conf \
+	radiusclient-servers
 
 TESTS_ENVIRONMENT = srcdir="$(srcdir)" \
 	top_builddir="$(top_builddir)"

tests/docker-ocserv/freeradius-users

@@ -0,0 +1,16 @@
+#
+# This is a complete entry for "steve". Note that there is no Fall-Through
+# entry so that no DEFAULT entry will be used, and the user will NOT
+# get any attributes in addition to the ones listed here.
+#
+test	Cleartext-Password := "test"
+	Service-Type = Framed-User,
+	Framed-Protocol = PPP,
+	Framed-Route = 192.168.100.5/24,
+	Framed-Route = 192.168.1.0/8,
+	Framed-IPv6-Prefix = "2000:0:0:106::/64",
+	Framed-IP-Address = 192.168.1.190,
+	Framed-IP-Netmask = 255.255.255.0,
+	Framed-Routing = Broadcast-Listen,
+	Framed-MTU = 1500,
+

tests/docker-ocserv/ocserv-radius.conf

@@ -0,0 +1,304 @@
+# User authentication method. Could be set multiple times and in that case
+# all should succeed.
+# Options: certificate, pam. 
+#auth = "certificate"
+#auth = "plain[/etc/ocserv/passwd]"
+#auth = "pam"
+auth = "radius[/etc/radiusclient/radiusclient.conf,groupconfig]"
+
+# Whether to enable support for the occtl tool (i.e., either through D-BUS,
+# or via a unix socket).
+use-occtl = true
+
+# socket file used for IPC with occtl. You only need to set that,
+# if you use more than a single servers.
+#occtl-socket-file = /var/run/occtl.socket
+
+# The plain option requires specifying a password file which contains
+# entries of the following format.
+# "username:groupname:encoded-password"
+# One entry must be listed per line, and 'ocpasswd' can be used
+# to generate password entries.
+#auth = "plain[/etc/ocserv/ocpasswd]"
+
+# A banner to be displayed on clients
+#banner = "Welcome"
+
+stats-report-time = 60
+
+# Use listen-host to limit to specific IPs or to the IPs of a provided 
+# hostname.
+#listen-host = [IP|HOSTNAME]
+
+# Limit the number of clients. Unset or set to zero for unlimited.
+#max-clients = 1024
+max-clients = 16
+
+# Limit the number of client connections to one every X milliseconds 
+# (X is the provided value). Set to zero for no limit.
+#rate-limit-ms = 100
+
+# Limit the number of identical clients (i.e., users connecting 
+# multiple times). Unset or set to zero for unlimited.
+max-same-clients = 2
+
+# TCP and UDP port number
+tcp-port = 10522
+udp-port = 10522
+
+# Keepalive in seconds
+keepalive = 32400
+
+# Dead peer detection in seconds.
+dpd = 240
+
+# Dead peer detection for mobile clients. The needs to
+# be much higher to prevent such clients being awaken too 
+# often by the DPD messages, and save battery.
+# (clients that send the X-AnyConnect-Identifier-DeviceType)
+mobile-dpd = 1800
+
+# MTU discovery (DPD must be enabled)
+try-mtu-discovery = false
+
+# The key and the certificates of the server
+# The key may be a file, or any URL supported by GnuTLS (e.g., 
+# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
+# or pkcs11:object=my-vpn-key;object-type=private)
+#
+# There may be multiple certificate and key pairs and each key
+# should correspond to the preceding certificate.
+server-cert = /etc/ocserv/cert.pem
+server-key = /etc/ocserv/key.pem
+
+# Diffie-Hellman parameters. Only needed if you require support
+# for the DHE ciphersuites (by default this server supports ECDHE).
+# Can be generated using:
+# certtool --generate-dh-params --outfile /path/to/dh.pem
+#dh-params = /path/to/dh.pem
+
+# If you have a certificate from a CA that provides an OCSP
+# service you may provide a fresh OCSP status response within
+# the TLS handshake. That will prevent the client from connecting
+# independently on the OCSP server.
+# You can update this response periodically using:
+# ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response
+# Make sure that you replace the following file in an atomic way.
+#ocsp-response = /path/to/ocsp.der
+
+# In case PKCS #11 or TPM keys are used the PINs should be available
+# in files. The srk-pin-file is applicable to TPM keys only, and is the 
+# storage root key.
+#pin-file = /path/to/pin.txt
+#srk-pin-file = /path/to/srkpin.txt
+
+# The Certificate Authority that will be used to verify
+# client certificates (public keys) if certificate authentication
+# is set.
+#ca-cert = /path/to/ca.pem
+
+# The object identifier that will be used to read the user ID in the client 
+# certificate. The object identifier should be part of the certificate's DN
+# Useful OIDs are: 
+#  CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1
+#cert-user-oid = 0.9.2342.19200300.100.1.1
+
+# The object identifier that will be used to read the user group in the 
+# client  certificate. The object identifier should be part of the certificate's
+# DN. Useful OIDs are: 
+#  OU (organizational unit) = 2.5.4.11 
+#cert-group-oid = 2.5.4.11
+
+# The revocation list of the certificates issued by the 'ca-cert' above.
+#crl = /path/to/crl.pem
+
+# GnuTLS priority string
+tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT"
+
+# To enforce perfect forward secrecy (PFS) on the main channel.
+#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA"
+
+# The time (in seconds) that a client is allowed to stay connected prior
+# to authentication
+auth-timeout = 40
+
+# The time (in seconds) that a client is allowed to stay idle (no traffic)
+# before being disconnected. Unset to disable.
+#idle-timeout = 1200
+
+# The time (in seconds) that a mobile client is allowed to stay idle (no
+# traffic) before being disconnected. Unset to disable.
+#mobile-idle-timeout = 2400
+
+# The time (in seconds) that a client is not allowed to reconnect after 
+# a failed authentication attempt.
+#min-reauth-time = 2
+
+# Cookie validity time (in seconds)
+# Once a client is authenticated he's provided a cookie with
+# which he can reconnect. This option sets the maximum lifetime
+# of that cookie.
+cookie-validity = 86400
+
+# ReKey time (in seconds)
+# ocserv will ask the client to refresh keys periodically once
+# this amount of seconds is elapsed. Set to zero to disable.
+rekey-time = 172800
+
+# ReKey method
+# Valid options: ssl, new-tunnel
+#  ssl: Will perform an efficient rehandshake on the channel allowing
+#       a seamless connection during rekey.
+#  new-tunnel: Will instruct the client to discard and re-establish the channel.
+#       Use this option only if the connecting clients have issues with the ssl
+#       option.
+rekey-method = ssl
+
+# Script to call when a client connects and obtains an IP
+# Parameters are passed on the environment.
+# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client), 
+# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
+# in the P-t-P connection), IP_REMOTE (the VPN IP of the client),
+# ID (a unique numeric ID); REASON may be "connect" or "disconnect".
+#connect-script = /usr/bin/myscript
+disconnect-script = /usr/bin/myscript
+
+# UTMP
+use-utmp = true
+
+# D-BUS usage. If disabled occtl tool cannot be used. If enabled
+# then ocserv must have access to register org.infradead.ocserv
+# D-BUS service. See doc/dbus/org.infradead.ocserv.conf
+use-dbus = false
+
+# PID file. It can be overriden in the command line.
+pid-file = /var/run/ocserv.pid
+
+# The default server directory. Does not require any devices present.
+#chroot-dir = /path/to/chroot
+
+# socket file used for IPC, will be appended with .PID
+# It must be accessible within the chroot environment (if any)
+socket-file = /var/run/ocserv-socket
+
+# The user the worker processes will be run as. It should be
+# unique (no other services run as this user).
+run-as-user = nobody
+run-as-group = daemon
+
+# Set the protocol-defined priority (SO_PRIORITY) for packets to
+# be sent. That is a number from 0 to 6 with 0 being the lowest
+# priority. Alternatively this can be used to set the IP Type-
+# Of-Service, by setting it to a hexadecimal number (e.g., 0x20).
+# This can be set per user/group or globally.
+#net-priority = 3
+
+# Set the VPN worker process into a specific cgroup. This is Linux
+# specific and can be set per user/group or globally.
+#cgroup = "cpuset,cpu:test"
+
+#
+# Network settings
+#
+
+# The name of the tun device
+device = vpns
+
+# The default domain to be advertised
+default-domain = example.com
+
+# The pool of addresses that leases will be given from.
+ipv4-network = 192.168.1.0
+ipv4-netmask = 255.255.255.0
+
+# The advertized DNS server. Use multiple lines for
+# multiple servers.
+# dns = fc00::4be0
+#dns = 192.168.1.2
+
+# The NBNS server (if any)
+#nbns = 192.168.1.3
+
+# The IPv6 subnet that leases will be given from.
+ipv6-network = fd91:6d87:7341:db6a::
+ipv6-prefix = 64
+
+# The domains over which the provided DNS should be used. Use
+# multiple lines for multiple domains.
+#split-dns = example.com
+
+# Prior to leasing any IP from the pool ping it to verify that
+# it is not in use by another (unrelated to this server) host.
+ping-leases = false
+
+# Unset to assign the default MTU of the device
+# mtu = 
+
+# Unset to enable bandwidth restrictions (in bytes/sec). The
+# setting here is global, but can also be set per user or per group.
+#rx-data-per-sec = 40000
+#tx-data-per-sec = 40000
+
+# The number of packets (of MTU size) that are available in
+# the output buffer. The default is low to improve latency.
+# Setting it higher will improve throughput.
+#output-buffer = 10
+
+# Routes to be forwarded to the client. If you need the
+# client to forward routes to the server, you may use the 
+# config-per-user/group or even connect and disconnect scripts.
+#
+# To set the server as the default gateway for the client just
+# comment out all routes from the server.
+route = 192.168.1.0/255.255.255.0
+#route = 192.168.5.0/255.255.255.0
+#route = fef4:db8:1000:1001::/64
+
+# Configuration files that will be applied per user connection or
+# per group. Each file name on these directories must match the username
+# or the groupname.
+# The options allowed in the configuration files are dns, nbns,
+#  ipv?-network, ipv4-netmask, ipv6-prefix, rx/tx-per-sec, iroute, route,
+#  net-priority and cgroup.
+#
+# Note that the 'iroute' option allows to add routes on the server
+# based on a user or group. The syntax depends on the input accepted
+# by the commands route-add-cmd and route-del-cmd (see below).
+
+#config-per-user = /etc/ocserv/config-per-user/
+#config-per-group = /etc/ocserv/config-per-group/
+
+# The system command to use to setup a route. %R will be replaced with the
+# route/mask and %D with the (tun) device.
+#
+# The following example is from linux systems. %R should be something
+# like 192.168.2.0/24
+
+#route-add-cmd = "ip route add %R dev %D"
+#route-del-cmd = "ip route delete %R dev %D"
+
+#
+# The following options are for (experimental) AnyConnect client 
+# compatibility. 
+
+# Client profile xml. A sample file exists in doc/profile.xml.
+# This file must be accessible from inside the worker's chroot. 
+# It is not used by the openconnect client.
+#user-profile = profile.xml
+
+# Binary files that may be downloaded by the CISCO client. Must
+# be within any chroot environment.
+#binary-files = /path/to/binaries
+
+# Unless set to false it is required for clients to present their
+# certificate even if they are authenticating via a previously granted
+# cookie and complete their authentication in the same TCP connection.
+# Legacy CISCO clients do not do that, and thus this option should be 
+# set for them.
+#cisco-client-compat = false
+
+#Advanced options
+
+# Option to allow sending arbitrary custom headers to the client after
+# authentication and prior to VPN tunnel establishment.
+#custom-header = "X-My-Header: hi there"

tests/docker-ocserv/radius-clients.conf

@@ -0,0 +1,235 @@
+# -*- text -*-
+##
+## clients.conf -- client configuration directives
+##
+##	$Id: 729c15d3e84c6cdb54a5f3652d93a2d7f8725fd4 $
+
+#######################################################################
+#
+#  Define RADIUS clients (usually a NAS, Access Point, etc.).
+
+#
+#  Defines a RADIUS client.
+#
+#  '127.0.0.1' is another name for 'localhost'.  It is enabled by default,
+#  to allow testing of the server after an initial installation.  If you
+#  are not going to be permitting RADIUS queries from localhost, we suggest
+#  that you delete, or comment out, this entry.
+#
+#
+
+#
+#  Each client has a "short name" that is used to distinguish it from
+#  other clients.
+#
+#  In version 1.x, the string after the word "client" was the IP
+#  address of the client.  In 2.0, the IP address is configured via
+#  the "ipaddr" or "ipv6addr" fields.  For compatibility, the 1.x
+#  format is still accepted.
+#
+client localhost {
+	#  Allowed values are:
+	#	dotted quad (1.2.3.4)
+	#       hostname    (radius.example.com)
+	ipaddr = 127.0.0.1
+
+	#  OR, you can use an IPv6 address, but not both
+	#  at the same time.
+#	ipv6addr = ::	# any.  ::1 == localhost
+
+	#
+	#  A note on DNS:  We STRONGLY recommend using IP addresses
+	#  rather than host names.  Using host names means that the
+	#  server will do DNS lookups when it starts, making it
+	#  dependent on DNS.  i.e. If anything goes wrong with DNS,
+	#  the server won't start!
+	#
+	#  The server also looks up the IP address from DNS once, and
+	#  only once, when it starts.  If the DNS record is later
+	#  updated, the server WILL NOT see that update.
+	#
+
+	#  One client definition can be applied to an entire network.
+	#  e.g. 127/8 should be defined with "ipaddr = 127.0.0.0" and
+	#  "netmask = 8"
+	#
+	#  If not specified, the default netmask is 32 (i.e. /32)
+	#
+	#  We do NOT recommend using anything other than 32.  There
+	#  are usually other, better ways to achieve the same goal.
+	#  Using netmasks of other than 32 can cause security issues.
+	#
+	#  You can specify overlapping networks (127/8 and 127.0/16)
+	#  In that case, the smallest possible network will be used
+	#  as the "best match" for the client.
+	#
+	#  Clients can also be defined dynamically at run time, based
+	#  on any criteria.  e.g. SQL lookups, keying off of NAS-Identifier,
+	#  etc.
+	#  See raddb/sites-available/dynamic-clients for details.
+	#
+
+#	netmask = 32
+
+	#
+	#  The shared secret use to "encrypt" and "sign" packets between
+	#  the NAS and FreeRADIUS.  You MUST change this secret from the
+	#  default, otherwise it's not a secret any more!
+	#
+	#  The secret can be any string, up to 8k characters in length.
+	#
+	#  Control codes can be entered vi octal encoding,
+	#	e.g. "\101\102" == "AB"
+	#  Quotation marks can be entered by escaping them,
+	#	e.g. "foo\"bar"
+	#
+	#  A note on security:  The security of the RADIUS protocol
+	#  depends COMPLETELY on this secret!  We recommend using a
+	#  shared secret that is composed of:
+	#
+	#	upper case letters
+	#	lower case letters
+	#	numbers
+	#
+	#  And is at LEAST 8 characters long, preferably 16 characters in
+	#  length.  The secret MUST be random, and should not be words,
+	#  phrase, or anything else that is recognizable.
+	#
+	#  The default secret below is only for testing, and should
+	#  not be used in any real environment.
+	#
+	secret		= testing123
+
+	#
+	#  Old-style clients do not send a Message-Authenticator
+	#  in an Access-Request.  RFC 5080 suggests that all clients
+	#  SHOULD include it in an Access-Request.  The configuration
+	#  item below allows the server to require it.  If a client
+	#  is required to include a Message-Authenticator and it does
+	#  not, then the packet will be silently discarded.
+	#
+	#  allowed values: yes, no
+	require_message_authenticator = no
+
+	#
+	#  The short name is used as an alias for the fully qualified
+	#  domain name, or the IP address.
+	#
+	#  It is accepted for compatibility with 1.x, but it is no
+	#  longer necessary in 2.0
+	#
+#	shortname	= localhost
+
+	#
+	# the following three fields are optional, but may be used by
+	# checkrad.pl for simultaneous use checks
+	#
+
+	#
+	# The nastype tells 'checkrad.pl' which NAS-specific method to
+	#  use to query the NAS for simultaneous use.
+	#
+	#  Permitted NAS types are:
+	#
+	#	cisco
+	#	computone
+	#	livingston
+	#	juniper
+	#	max40xx
+	#	multitech
+	#	netserver
+	#	pathras
+	#	patton
+	#	portslave
+	#	tc
+	#	usrhiper
+	#	other		# for all other types
+
+	#
+	nastype     = other	# localhost isn't usually a NAS...
+
+	#
+	#  The following two configurations are for future use.
+	#  The 'naspasswd' file is currently used to store the NAS
+	#  login name and password, which is used by checkrad.pl
+	#  when querying the NAS for simultaneous use.
+	#
+#	login       = !root
+#	password    = someadminpas
+
+	#
+	#  As of 2.0, clients can also be tied to a virtual server.
+	#  This is done by setting the "virtual_server" configuration
+	#  item, as in the example below.
+	#
+#	virtual_server = home1
+
+	#
+	#  A pointer to the "home_server_pool" OR a "home_server"
+	#  section that contains the CoA configuration for this
+	#  client.  For an example of a coa home server or pool,
+	#  see raddb/sites-available/originate-coa
+#	coa_server = coa
+}
+
+# IPv6 Client
+#client ::1 {
+#	secret		= testing123
+#	shortname	= localhost
+#}
+#
+# All IPv6 Site-local clients
+#client fe80::/16 {
+#	secret		= testing123
+#	shortname	= localhost
+#}
+
+#client some.host.org {
+#	secret		= testing123
+#	shortname	= localhost
+#}
+
+#
+#  You can now specify one secret for a network of clients.
+#  When a client request comes in, the BEST match is chosen.
+#  i.e. The entry from the smallest possible network.
+#
+#client 192.168.0.0/24 {
+#	secret		= testing123-1
+#	shortname	= private-network-1
+#}
+#
+#client 192.168.0.0/16 {
+#	secret		= testing123-2
+#	shortname	= private-network-2
+#}
+
+
+#client 10.10.10.10 {
+#	# secret and password are mapped through the "secrets" file.
+#	secret      = testing123
+#	shortname   = liv1
+#       # the following three fields are optional, but may be used by
+#       # checkrad.pl for simultaneous usage checks
+#	nastype     = livingston
+#	login       = !root
+#	password    = someadminpas
+#}
+
+#######################################################################
+#
+#  Per-socket client lists.  The configuration entries are exactly
+#  the same as above, but they are nested inside of a section.
+#
+#  You can have as many per-socket client lists as you have "listen"
+#  sections, or you can re-use a list among multiple "listen" sections.
+#
+#  Un-comment this section, and edit a "listen" section to add:
+#  "clients = per_socket_clients".  That IP address/port combination
+#  will then accept ONLY the clients listed in this section.
+#
+#clients per_socket_clients {
+#	client 192.168.3.4 {
+#		secret = testing123
+#        }
+#}

tests/docker-ocserv/radiusclient-servers

@@ -0,0 +1,10 @@
+## Server Name or Client/Server pair		Key		
+## ----------------				---------------
+#
+#portmaster.elemental.net			hardlyasecret
+#portmaster2.elemental.net			donttellanyone
+#
+## uncomment the following line for simple testing of radlogin
+## with freeradius-server
+#
+localhost/localhost				testing123

tests/docker-ocserv/radiusclient.conf

@@ -0,0 +1,92 @@
+# General settings
+
+# specify which authentication comes first respectively which
+# authentication is used. possible values are: "radius" and "local".
+# if you specify "radius,local" then the RADIUS server is asked
+# first then the local one. if only one keyword is specified only
+# this server is asked.
+auth_order	radius,local
+
+# maximum login tries a user has
+login_tries	4
+
+# timeout for all login tries
+# if this time is exceeded the user is kicked out
+login_timeout	60
+
+# name of the nologin file which when it exists disables logins.
+# it may be extended by the ttyname which will result in
+# a terminal specific lock (e.g. /etc/nologin.ttyS2 will disable
+# logins on /dev/ttyS2)
+nologin /etc/nologin
+
+# name of the issue file. it's only display when no username is passed
+# on the radlogin command line
+issue	/etc/radiusclient/issue
+
+# RADIUS settings
+
+# RADIUS server to use for authentication requests. this config
+# item can appear more then one time. if multiple servers are
+# defined they are tried in a round robin fashion if one
+# server is not answering.
+# optionally you can specify a the port number on which is remote
+# RADIUS listens separated by a colon from the hostname. if
+# no port is specified /etc/services is consulted of the radius
+# service. if this fails also a compiled in default is used.
+authserver 	localhost
+
+# RADIUS server to use for accouting requests. All that I
+# said for authserver applies, too. 
+#
+acctserver 	localhost
+
+# file holding shared secrets used for the communication
+# between the RADIUS client and server
+servers		/etc/radiusclient/servers
+
+# dictionary of allowed attributes and values
+# just like in the normal RADIUS distributions
+dictionary 	/etc/radiusclient/dictionary
+
+# program to call for a RADIUS authenticated login
+login_radius	/usr/sbin/login.radius
+
+# file which holds sequence number for communication with the
+# RADIUS server
+seqfile		/var/run/radius.seq
+
+# file which specifies mapping between ttyname and NAS-Port attribute
+mapfile		/etc/radiusclient/port-id-map
+
+# default authentication realm to append to all usernames if no
+# realm was explicitly specified by the user
+# the radiusd directly form Livingston doesnt use any realms, so leave
+# it blank then
+default_realm
+
+# time to wait for a reply from the RADIUS server
+radius_timeout	10
+
+# resend request this many times before trying the next server
+radius_retries	3
+
+# The length of time in seconds that we skip a nonresponsive RADIUS
+# server for transaction requests.  Server(s) being in the "dead" state
+# are tried only after all other non-dead servers have been tried and
+# failed or timeouted.  The deadtime interval starts when the server
+# does not respond to an authentication/accounting request transmissions. 
+# When the interval expires, the "dead" server would be re-tried again,
+# and if it's still down then it will be considered "dead" for another
+# such interval and so on. This option is no-op if there is only one
+# server in the list. Set to 0 in order to disable the feature.
+radius_deadtime	0
+
+# local address from which radius packets have to be sent
+bindaddr *
+
+# LOCAL settings
+
+# program to execute for local login
+# it must support the -f flag for preauthenticated login
+login_local	/bin/login

tests/full-test

@@ -26,6 +26,7 @@ if [ $? != 0 ];then
 	exit 77
 fi
 
+CONFIG="tcp"
 IMAGE=ocserv-test1
 . ./docker-common.sh
 

tests/radius-test

@@ -0,0 +1,168 @@
+#!/bin/sh
+#
+# Copyright (C) 2014 Red Hat
+#
+# This file is part of ocserv.
+#
+# ocserv is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at
+# your option) any later version.
+#
+# ocserv is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with ocserv; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+srcdir=${srcdir:-.}
+
+PORT=10500
+PORT2=10501
+PORT_OCSERV=10522
+#this test can only be run as root
+id|grep root >/dev/null 2>&1
+if [ $? != 0 ];then
+	exit 77
+fi
+
+CONFIG="radius"
+IMAGE=ocserv-radius-test
+. ./docker-common.sh
+
+stop() {
+	$DOCKER stop test_ocserv_radius
+	$DOCKER rm test_ocserv_radius
+	exit 1
+}
+
+$DOCKER run -P --privileged=true -p $PORT:$PORT/udp -p $PORT2:$PORT2/udp -p 22 -p $PORT_OCSERV:$PORT_OCSERV/udp --tty=false -d --name test_ocserv_radius $IMAGE
+if test $? != 0;then
+	echo "Cannot run docker image"
+	exit 1
+fi
+
+echo "ocserv image was run"
+#wait for ocserv to server
+sleep 5
+
+IP=`$DOCKER inspect test_ocserv_radius | grep IPAddress | cut -d '"' -f 4`
+if test -z "$IP";then
+	echo "Detected IP is null!"
+	stop
+fi
+echo "Detected IP: $IP"
+
+printf "test\ntest\n" >pass.tmp
+openconnect $IP:$PORT_OCSERV -u test --passwd-on-stdin -v --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 < pass.tmp &
+PID=$!
+
+rm -f pass.tmp
+
+#wait for openconnect
+sleep 5
+
+# The client IP depends on the username so it shouldn't change.
+ping -w 5 192.168.1.190
+if test $? != 0;then
+	kill $PID
+	echo "Cannot ping ocserv"
+	stop
+fi
+
+ping -w 5 192.168.1.190 -s 1500
+if test $? != 0;then
+	kill $PID
+	echo "Cannot ping ocserv"
+	stop
+fi
+
+ping6 -w 5 fd91:6d87:7341:db6a:0:52:190c:be00
+if test $? != 0;then
+	kill $PID
+	echo "Cannot ping the IPv6 of ocserv"
+	stop
+fi
+
+echo "UserKnownHostsFile ./known-hosts.tmp" >config.tmp
+printf "#\!/bin/sh\n" >echo-admin.tmp
+printf "echo yes" >>echo-admin.tmp
+printf "echo root" >>echo-admin.tmp
+printf "\n" >>echo-admin.tmp
+chmod 755 echo-admin.tmp
+export SSH_ASKPASS="./echo-admin.tmp"
+setsid ssh -T -F config.tmp root@192.168.1.190 occtl show user test >out.tmp 2>&1
+cat out.tmp
+
+printf "#\!/bin/sh\n" >echo-admin.tmp
+printf "echo root" >>echo-admin.tmp
+printf "\n" >>echo-admin.tmp
+chmod 755 echo-admin.tmp
+setsid ssh -T -F config.tmp root@192.168.1.190 occtl show user test >out.tmp 2>&1
+cat out.tmp
+rm -f echo-admin.tmp
+rm -f config.tmp
+rm -f known-hosts.tmp
+
+grep "Username" out.tmp
+if test $? != 0;then
+	kill $PID
+	echo "could not find user information"
+	stop
+fi
+
+rm -f out.tmp
+
+# There is an issue in nuttcp that makes it crash under docker if
+# /proc/sys/net/ipv4/tcp_adv_win_scale does not exist.
+if test "$FEDORA" = 1;then
+nuttcp -T 10 -t 192.168.1.190
+if test $? != 0;then
+	kill $PID
+	echo "Cannot send to ocserv"
+	stop
+fi
+
+nuttcp -T 10 -r 192.168.1.190
+if test $? != 0;then
+	kill $PID
+	echo "Cannot recv from ocserv"
+	stop
+fi
+fi
+
+sleep 2
+
+kill $PID
+
+sleep 4
+
+#check whether /tmp/disconnect/ok was created
+rm -f ./not-ok
+$DOCKER cp test_ocserv_radius:/tmp/disconnect/not-ok ./
+if test -f ./not-ok;then
+	echo "There was an issue getting stats"
+	stop
+fi
+rm -f ./not-ok
+
+ret=0
+
+rm -f ./tmp-full/ok
+$DOCKER cp test_ocserv_radius:/tmp/disconnect/ok ./tmp-full/
+if ! test -f ./tmp-full/ok;then
+	echo "Don't know if stats were received"
+	ret=77
+else
+	echo -n "stats: "
+	echo `cat ./tmp-full/ok`
+	rm -rf ./tmp-full/
+fi
+
+$DOCKER stop test_ocserv_radius
+$DOCKER rm test_ocserv_radius
+
+exit $ret

tests/unix-test

@@ -27,6 +27,7 @@ if [ $? != 0 ];then
 fi
 
 UNIX=1
+CONFIG="unix"
 IMAGE=ocserv-test2
 . ./docker-common.sh