diff --git a/.gitignore b/.gitignore index 60bcb76b..37872df3 100644 --- a/.gitignore +++ b/.gitignore @@ -61,3 +61,5 @@ doc/occtl.8 tests/docker-ocserv/ocpasswd tests/docker-ocserv/occtl tests/docker-ocserv/ocserv +tests/docker-ocserv/Dockerfile +gl/strings.h diff --git a/tests/Makefile.am b/tests/Makefile.am index 205ef22f..ec4073da 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -9,11 +9,11 @@ SUBDIRS = docker-ocserv dist_check_SCRIPTS = test-pass test-pass-cert test-cert test-iroute test-pass-script \ test-multi-cookie test-pam test-stress full-test test-group-pass test-pass-group-cert \ - ocpasswd-test test-pass-group-cert-no-pass + ocpasswd-test test-pass-group-cert-no-pass unix-test TESTS = test-pass test-pass-cert test-cert test-iroute test-pass-script \ test-multi-cookie full-test test-group-pass test-pass-group-cert \ - ocpasswd-test test-pass-group-cert-no-pass + ocpasswd-test test-pass-group-cert-no-pass unix-test TESTS_ENVIRONMENT = srcdir="$(srcdir)" \ top_builddir="$(top_builddir)" diff --git a/tests/docker-ocserv/Dockerfile b/tests/docker-ocserv/Dockerfile-tcp similarity index 100% rename from tests/docker-ocserv/Dockerfile rename to tests/docker-ocserv/Dockerfile-tcp diff --git a/tests/docker-ocserv/Dockerfile-unix b/tests/docker-ocserv/Dockerfile-unix new file mode 100644 index 00000000..994ef055 --- /dev/null +++ b/tests/docker-ocserv/Dockerfile-unix @@ -0,0 +1,41 @@ +FROM tianon/debian:jessie + +RUN apt-get update +RUN apt-get install -y haproxy +RUN apt-get install -y libgnutls-deb0-28 +RUN apt-get install -y libprotobuf-c1 +RUN apt-get install -y libwrap0 libpam0g libseccomp2 libdbus-1-3 libreadline5 libnl-route-3-200 +RUN apt-get install -y libhttp-parser2.1 libpcl1 libopts25 autogen +RUN apt-get install -y libsystemd-daemon0 valgrind nuttcp openssh-server bash +RUN apt-get install -y libtalloc2 +RUN sed 's/PermitRootLogin without-password/PermitRootLogin yes/g' -i /etc/ssh/sshd_config + +RUN echo 'root:root' |chpasswd +RUN useradd -m -d /home/admin -s /bin/bash admin +RUN echo 'admin:admin' |chpasswd +EXPOSE 6000 +EXPOSE 6000/udp +EXPOSE 6001 +EXPOSE 6001/udp +EXPOSE 6551 +EXPOSE 6551/udp +EXPOSE 22 + +RUN mkdir /etc/ocserv + + +ADD key.pem /etc/ocserv/ +ADD cert.pem /etc/ocserv/ +ADD combo.pem /etc/ocserv/ +ADD haproxy.cfg /etc/haproxy/ +ADD ocserv-unix.conf /etc/ocserv/ocserv.conf +ADD passwd /etc/ocserv/ +ADD ocserv /usr/sbin/ +ADD ocpasswd /usr/bin/ +ADD occtl /usr/bin/ +ADD myscript /usr/bin/ +# It's not possible to use mknod inside a container with the default LXC +# template, so we untar it from this archive. +ADD dev-tun.tgz /dev/ + +CMD nuttcp -S;/etc/init.d/ssh restart;mkdir -p /tmp/disconnect/;/usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg;/usr/sbin/ocserv -d 1 -f;sleep 3600 diff --git a/tests/docker-ocserv/Makefile.am b/tests/docker-ocserv/Makefile.am index a31dbc2a..e561281d 100644 --- a/tests/docker-ocserv/Makefile.am +++ b/tests/docker-ocserv/Makefile.am @@ -1,4 +1,5 @@ -EXTRA_DIST = passwd ocserv.conf Dockerfile dev-tun.tgz myscript key.pem cert.pem +EXTRA_DIST = passwd ocserv.conf Dockerfile-tcp dev-tun.tgz myscript key.pem cert.pem \ + Dockerfile-unix ocserv-unix.conf haproxy.cfg combo.pem TESTS_ENVIRONMENT = srcdir="$(srcdir)" \ top_builddir="$(top_builddir)" diff --git a/tests/docker-ocserv/combo.pem b/tests/docker-ocserv/combo.pem new file mode 100644 index 00000000..0dee3459 --- /dev/null +++ b/tests/docker-ocserv/combo.pem @@ -0,0 +1,187 @@ +Public Key Info: + Public Key Algorithm: RSA + Key Security Level: Normal (2432 bits) + +modulus: + 00:a7:3a:2b:ec:3f:14:b0:2c:19:f6:f1:6e:90:1d: + bf:8e:a9:f6:e9:70:84:09:87:f3:50:f3:5f:c3:94: + 50:fa:2c:64:d6:57:80:58:e1:96:fc:ee:d0:bd:04: + 15:7e:5f:7f:a5:33:f8:fc:bb:91:ef:37:79:c3:5a: + db:f8:19:ed:03:af:22:d6:e9:37:2c:e8:53:c2:b7: + 8b:2b:11:f0:a4:87:99:79:e0:ba:cc:99:66:e1:16: + 09:15:94:de:5f:4e:aa:18:d2:59:dd:60:9c:76:5f: + c5:96:95:d4:63:78:bf:bc:13:b9:c5:51:c1:52:b5: + 6a:e0:8b:d0:33:80:c1:6b:8e:c2:f8:a6:a9:7d:ed: + 80:19:45:77:0c:a1:05:d5:8d:b4:66:cd:52:d9:21: + 5b:a6:43:2e:dc:fa:d9:7b:12:ac:fc:97:1f:f1:4b: + fe:45:c7:db:48:46:e9:ea:35:2e:63:11:4b:3c:36: + 7e:44:e8:5b:eb:68:07:32:f9:e2:34:81:74:c6:93: + be:7d:28:d3:d8:8a:c4:aa:02:e1:40:9a:6b:7f:5c: + 34:d3:be:f3:a8:e9:da:40:b1:e5:ea:b5:1d:bf:2e: + 36:49:58:e9:57:76:26:7f:ca:31:e0:e7:e4:4a:43: + 97:6d:dd:d9:39:ee:50:08:58:44:7d:7a:02:0e:a3: + ff:86:02:4c:9e:93:46:49:e4:65:94:e9:5c:53:b0: + 57:08:97:aa:32:dd:2e:c4:b4:1d:0d:08:83:3b:86: + f8:72:df:64:2b:27:96:54:c8:d9:dc:4d:27:fa:a8: + c5:68:79:d8:1d: + +public exponent: + 01:00:01: + +private exponent: + 79:2b:86:6d:fd:5b:41:38:03:6c:52:8e:59:70:a4: + bf:7b:da:44:55:d9:e6:8a:12:bd:22:4b:ce:8c:66: + 8c:8f:a4:55:47:3b:e1:ab:3c:5b:73:b3:de:71:da: + 1d:22:97:7c:1e:07:99:21:54:61:f0:61:93:32:ff: + d6:6a:fa:b9:43:aa:cb:ec:5a:a5:78:86:50:bd:eb: + e2:3e:72:8e:d5:0e:59:28:84:52:02:09:70:a9:25: + d5:f4:73:98:bd:88:34:ca:1e:81:71:22:8e:07:61: + 45:76:b5:59:8a:41:eb:c6:a3:42:1d:b6:25:f6:fc: + 45:4e:29:83:58:15:4e:99:38:1f:31:ab:f8:6a:21: + fa:ad:c1:d0:6d:d0:ab:67:ad:43:1c:1d:9e:e5:33: + e2:68:f9:e2:fa:d8:9a:e7:36:e0:20:8c:25:4d:e9: + 17:95:4b:71:38:df:18:71:cd:e0:a0:7f:b2:58:fe: + 8b:c0:1c:d2:96:4a:17:14:bf:1c:3b:e8:b5:54:2b: + 8d:47:50:a7:77:56:61:a8:e3:79:dd:70:88:5f:89: + a1:f8:78:0d:47:ef:32:98:c1:47:88:d8:33:ed:95: + 10:90:7f:f1:57:cb:2b:18:c9:58:a1:de:ef:1c:70: + 5a:58:3c:86:3d:96:17:ad:9c:fd:0b:eb:d8:33:a4: + 5f:7f:db:97:c0:78:b4:94:56:56:0a:83:b3:d3:02: + c6:6f:08:dc:0d:22:8f:2a:4b:25:7a:34:97:8e:63: + 49:8a:39:d1:c1:1e:9b:93:41:c5:9c:b6:50:9e:ff: + 7a:37:e4:c1: + +prime1: + 00:cb:13:4a:a3:8f:ad:5c:63:89:30:f3:3b:eb:25: + 85:d9:6c:ad:6d:50:f8:03:00:d3:1e:e3:ae:ad:54: + 7a:9b:21:1a:72:18:a6:54:e4:32:58:8d:66:37:65: + 8c:f7:8f:37:65:ec:f8:ef:2e:a9:c1:78:bb:04:90: + aa:fe:0a:f2:7c:80:82:32:c7:db:ef:bc:10:c6:ff: + e0:d4:2e:b9:3a:0e:cc:29:28:81:b8:41:78:37:80: + 69:39:5e:97:44:36:d6:cd:39:af:14:c2:df:f3:67: + b7:d4:a7:49:da:f4:d3:ee:14:10:e4:5c:3f:4a:62: + 52:81:34:d0:8e:f3:7e:d4:42:0a:34:e2:f9:a7:bc: + 03:f9:c0:48:e8:9b:7f:da:08:ec:db:82:fd:a2:aa: + 0f:5d:71: + +prime2: + 00:d2:cf:2d:81:00:28:43:76:b3:76:10:3f:04:57: + 63:94:fa:bb:08:6a:a2:7d:99:4b:0f:ad:76:11:da: + 5c:2a:2b:33:0a:05:0d:f8:51:9a:4d:b3:40:4b:53: + 63:c8:c1:96:45:c7:42:35:cf:05:cf:8a:e2:aa:bd: + dc:96:c0:fd:c8:c4:dc:4c:0b:1f:43:74:04:cf:13: + f5:fa:ea:b6:0d:82:92:8c:03:bd:e9:7b:b1:f2:d0: + df:fd:c5:1b:6e:66:b7:ce:f6:12:65:34:c8:15:01: + da:36:5e:f9:d8:ad:37:86:52:2b:ea:9f:f5:75:6b: + 91:b3:01:6f:52:e9:e9:07:16:db:ba:65:e2:49:cc: + 4f:70:11:39:5c:fa:d2:da:d4:0c:24:17:c4:68:6f: + d4:7f:6d: + +coefficient: + 3b:96:f2:06:96:22:14:a2:fe:27:09:2f:43:b0:22: + a6:f4:ae:33:c2:f8:be:d5:03:96:7d:4a:d1:eb:7b: + 9d:51:bd:77:1d:3f:79:ef:62:1d:c3:e9:c2:9a:53: + df:ec:33:9b:32:36:f6:e7:40:e8:6c:1b:16:3d:4e: + 94:97:94:02:5d:cc:23:45:6b:53:8d:b8:7c:0e:24: + f9:5c:30:e4:e3:76:5b:f6:1f:74:3d:ca:e7:ef:a0: + 1e:d3:c8:a2:54:d2:db:06:4b:0d:b0:b9:64:ca:dd: + 68:44:51:d6:07:c5:ac:5b:e7:11:4b:76:b0:78:ba: + aa:b1:af:06:64:0d:27:1a:85:2d:a8:5a:c1:d7:c1: + 2e:f6:ef:fe:f6:0d:d6:f1:18:fc:0b:14:b1:d7:76: + 51:1b: + +exp1: + 76:ce:d4:8e:18:92:ee:48:75:8d:23:e0:dc:53:d9: + 99:38:d1:c5:f0:e7:08:aa:c4:d9:7f:8f:44:6c:f6: + 46:27:f9:d6:e2:c0:fd:4d:7c:7e:fe:4a:dd:02:16: + 95:07:3e:fb:ec:c6:3e:f8:e7:eb:fe:fc:3b:51:80: + 18:9c:c2:fd:40:19:ec:27:ad:6e:f6:72:42:5a:95: + 68:cd:e5:24:28:60:1d:7c:4b:58:47:45:54:03:56: + 8c:6f:e0:c3:d1:e9:9d:ab:af:d8:cf:a2:42:3f:5d: + f7:95:df:c9:b0:0f:05:6c:cb:ed:2e:63:00:db:c1: + 35:42:76:fa:0b:4f:1a:53:80:b1:2c:51:af:66:7a: + 54:f5:c0:32:06:37:a8:92:2c:30:c8:d4:27:04:a3: + 74:a1: + +exp2: + 18:07:41:5a:88:d8:0e:08:83:a0:1b:6d:f3:62:ba: + 99:0a:93:32:fc:64:95:08:5a:03:e9:73:a1:c9:4f: + e4:06:94:84:b9:da:c3:c9:19:5b:6d:e9:10:2c:eb: + 1c:c0:e4:0e:04:0e:49:ef:d4:eb:b9:1a:e8:f7:47: + 23:6f:cf:fd:88:62:cb:d0:20:ba:21:89:42:c9:35: + aa:6a:02:62:3b:d5:d4:5b:c0:d3:d2:23:90:57:ba: + 90:44:5d:42:12:37:35:41:db:0a:ea:1f:3c:35:bf: + d7:9e:af:bf:c0:ce:a9:62:c8:5a:af:ec:dc:7b:6c: + 5a:08:f9:d5:6b:90:02:1c:da:e2:be:26:32:df:34: + d6:c3:3f:d4:97:4a:5d:62:fa:17:4b:16:3a:09:35: + 21:69: + + +Public Key ID: A8:25:47:F6:8F:44:D6:35:1B:EF:6C:AC:D1:D7:B9:6E:84:F9:DF:A3 +Public key's random art: ++--[ RSA 2432]----+ +| + | +| . . = | +| o o . . . | +| o = = o| +| . + S . O.o| +| = . o * o.| +| . . . . o. | +| .+.| +| Eo.=| ++-----------------+ + +-----BEGIN RSA PRIVATE KEY----- +MIIFegIBAAKCATEApzor7D8UsCwZ9vFukB2/jqn26XCECYfzUPNfw5RQ+ixk1leA +WOGW/O7QvQQVfl9/pTP4/LuR7zd5w1rb+BntA68i1uk3LOhTwreLKxHwpIeZeeC6 +zJlm4RYJFZTeX06qGNJZ3WCcdl/FlpXUY3i/vBO5xVHBUrVq4IvQM4DBa47C+Kap +fe2AGUV3DKEF1Y20Zs1S2SFbpkMu3PrZexKs/Jcf8Uv+RcfbSEbp6jUuYxFLPDZ+ +ROhb62gHMvniNIF0xpO+fSjT2IrEqgLhQJprf1w0077zqOnaQLHl6rUdvy42SVjp +V3Ymf8ox4OfkSkOXbd3ZOe5QCFhEfXoCDqP/hgJMnpNGSeRllOlcU7BXCJeqMt0u +xLQdDQiDO4b4ct9kKyeWVMjZ3E0n+qjFaHnYHQIDAQABAoIBMHkrhm39W0E4A2xS +jllwpL972kRV2eaKEr0iS86MZoyPpFVHO+GrPFtzs95x2h0il3weB5khVGHwYZMy +/9Zq+rlDqsvsWqV4hlC96+I+co7VDlkohFICCXCpJdX0c5i9iDTKHoFxIo4HYUV2 +tVmKQevGo0IdtiX2/EVOKYNYFU6ZOB8xq/hqIfqtwdBt0KtnrUMcHZ7lM+Jo+eL6 +2JrnNuAgjCVN6ReVS3E43xhxzeCgf7JY/ovAHNKWShcUvxw76LVUK41HUKd3VmGo +43ndcIhfiaH4eA1H7zKYwUeI2DPtlRCQf/FXyysYyVih3u8ccFpYPIY9lhetnP0L +69gzpF9/25fAeLSUVlYKg7PTAsZvCNwNIo8qSyV6NJeOY0mKOdHBHpuTQcWctlCe +/3o35MECgZkAyxNKo4+tXGOJMPM76yWF2WytbVD4AwDTHuOurVR6myEachimVOQy +WI1mN2WM9483Zez47y6pwXi7BJCq/gryfICCMsfb77wQxv/g1C65Og7MKSiBuEF4 +N4BpOV6XRDbWzTmvFMLf82e31KdJ2vTT7hQQ5Fw/SmJSgTTQjvN+1EIKNOL5p7wD ++cBI6Jt/2gjs24L9oqoPXXECgZkA0s8tgQAoQ3azdhA/BFdjlPq7CGqifZlLD612 +EdpcKiszCgUN+FGaTbNAS1NjyMGWRcdCNc8Fz4riqr3clsD9yMTcTAsfQ3QEzxP1 ++uq2DYKSjAO96Xux8tDf/cUbbma3zvYSZTTIFQHaNl752K03hlIr6p/1dWuRswFv +UunpBxbbumXiScxPcBE5XPrS2tQMJBfEaG/Uf20CgZh2ztSOGJLuSHWNI+DcU9mZ +ONHF8OcIqsTZf49EbPZGJ/nW4sD9TXx+/krdAhaVBz777MY++Ofr/vw7UYAYnML9 +QBnsJ61u9nJCWpVozeUkKGAdfEtYR0VUA1aMb+DD0emdq6/Yz6JCP133ld/JsA8F +bMvtLmMA28E1Qnb6C08aU4CxLFGvZnpU9cAyBjeokiwwyNQnBKN0oQKBmBgHQVqI +2A4Ig6AbbfNiupkKkzL8ZJUIWgPpc6HJT+QGlIS52sPJGVtt6RAs6xzA5A4EDknv +1Ou5Guj3RyNvz/2IYsvQILohiULJNapqAmI71dRbwNPSI5BXupBEXUISNzVB2wrq +Hzw1v9eer7/AzqliyFqv7Nx7bFoI+dVrkAIc2uK+JjLfNNbDP9SXSl1i+hdLFjoJ +NSFpAoGYO5byBpYiFKL+JwkvQ7AipvSuM8L4vtUDln1K0et7nVG9dx0/ee9iHcPp +wppT3+wzmzI29udA6GwbFj1OlJeUAl3MI0VrU424fA4k+Vww5ON2W/YfdD3K5++g +HtPIolTS2wZLDbC5ZMrdaERR1gfFrFvnEUt2sHi6qrGvBmQNJxqFLahawdfBLvbv +/vYN1vEY/AsUsdd2URs= +-----END RSA PRIVATE KEY----- +-----BEGIN CERTIFICATE----- +MIIDkTCCAkmgAwIBAgIEUdgu8DANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDEwJD +QTAiGA8yMDEzMDcwNjE0NTEyOVoYDzIwMjMwNTE1MTQ1MTI5WjAUMRIwEAYDVQQD +Ewlsb2NhbGhvc3QwggFSMA0GCSqGSIb3DQEBAQUAA4IBPwAwggE6AoIBMQCnOivs +PxSwLBn28W6QHb+OqfbpcIQJh/NQ81/DlFD6LGTWV4BY4Zb87tC9BBV+X3+lM/j8 +u5HvN3nDWtv4Ge0DryLW6Tcs6FPCt4srEfCkh5l54LrMmWbhFgkVlN5fTqoY0lnd +YJx2X8WWldRjeL+8E7nFUcFStWrgi9AzgMFrjsL4pql97YAZRXcMoQXVjbRmzVLZ +IVumQy7c+tl7Eqz8lx/xS/5Fx9tIRunqNS5jEUs8Nn5E6FvraAcy+eI0gXTGk759 +KNPYisSqAuFAmmt/XDTTvvOo6dpAseXqtR2/LjZJWOlXdiZ/yjHg5+RKQ5dt3dk5 +7lAIWER9egIOo/+GAkyek0ZJ5GWU6VxTsFcIl6oy3S7EtB0NCIM7hvhy32QrJ5ZU +yNncTSf6qMVoedgdAgMBAAGjgY0wgYowDAYDVR0TAQH/BAIwADAUBgNVHREEDTAL +gglsb2NhbGhvc3QwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0PAQH/BAUDAweg +ADAdBgNVHQ4EFgQUqCVH9o9E1jUb72ys0de5boT536MwHwYDVR0jBBgwFoAUSCM0 +UwqJMThKWurKttKm3s4dKxgwDQYJKoZIhvcNAQELBQADggExAK7dBCSwM/OJw+6s +9MJAb7Ygi9xhHSq30Hg3M7DaPC7J9rZB6+IAVb3poOZAtDDtyTqvXH7qY5UMjJC9 +GsFmHPI/OSk2xuJJpG+ZJaP54b7kzTtUD6UCHETsgBk2aNuqNhjXR2fYnR9QME0C +zZWIDV+5DFEBI97ln30N6PcXvIxp7Rsac3qwzvwt3zL+23kTwgM+DoRPoPO0PHr/ +eQ9hvRU5wA2Vc47zhUXIFy1Jmx7Sf//pw0/wq46VUAjDZ5B09EoCpzBNvOD7P+cF +FQQ7SId8h8OQ2uOWxT2baeJX0pVbVv+qwOOB1F0q3sjx0dZa/2rxOUZ3wnHG9j8j +LZSUkZxGpPQffCSpSPma5RhYff8/BncdA8soT0dyEfXIX5V91IXnrlI8XZrADvJM +zzJKdNg= +-----END CERTIFICATE----- diff --git a/tests/docker-ocserv/haproxy.cfg b/tests/docker-ocserv/haproxy.cfg new file mode 100644 index 00000000..d5fabf85 --- /dev/null +++ b/tests/docker-ocserv/haproxy.cfg @@ -0,0 +1,41 @@ +global +# log /dev/log local0 +# log /dev/log local1 notice +# chroot /var/lib/haproxy + stats socket /var/run/admin.sock mode 660 level admin + stats timeout 30s + user haproxy + group haproxy + daemon + + # Default SSL material locations + ca-base /etc/ssl/certs + crt-base /etc/ssl/private + + # Default ciphers to use on SSL-enabled listening sockets. + # For more information, see ciphers(1SSL). + ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL + +defaults + log global + mode http + option httplog + option dontlognull + timeout connect 5000 + timeout client 50000 + timeout server 50000 + errorfile 400 /etc/haproxy/errors/400.http + errorfile 403 /etc/haproxy/errors/403.http + errorfile 408 /etc/haproxy/errors/408.http + errorfile 500 /etc/haproxy/errors/500.http + errorfile 502 /etc/haproxy/errors/502.http + errorfile 503 /etc/haproxy/errors/503.http + errorfile 504 /etc/haproxy/errors/504.http + +frontend www-https + bind 0.0.0.0:6551 ssl crt /etc/ocserv/combo.pem + reqadd X-Forwarded-Proto:\ https + default_backend www-backend + +backend www-backend + server ocserv unix@/var/run/ocserv-conn.socket check diff --git a/tests/docker-ocserv/ocserv-unix.conf b/tests/docker-ocserv/ocserv-unix.conf new file mode 100644 index 00000000..6935b2f5 --- /dev/null +++ b/tests/docker-ocserv/ocserv-unix.conf @@ -0,0 +1,305 @@ +# User authentication method. Could be set multiple times and in that case +# all should succeed. +# Options: certificate, pam. +#auth = "certificate" +auth = "plain[/etc/ocserv/passwd]" +#auth = "pam" + +# Whether to enable support for the occtl tool (i.e., either through D-BUS, +# or via a unix socket). +use-occtl = true + +# socket file used for IPC with occtl. You only need to set that, +# if you use more than a single servers. +#occtl-socket-file = /var/run/occtl.socket + +# The plain option requires specifying a password file which contains +# entries of the following format. +# "username:groupname:encoded-password" +# One entry must be listed per line, and 'ocpasswd' can be used +# to generate password entries. +#auth = "plain[/etc/ocserv/ocpasswd]" + +# A banner to be displayed on clients +#banner = "Welcome" + +# Use listen-host to limit to specific IPs or to the IPs of a provided +# hostname. +#listen-host = [IP|HOSTNAME] + +# Limit the number of clients. Unset or set to zero for unlimited. +#max-clients = 1024 +max-clients = 16 + +# Limit the number of client connections to one every X milliseconds +# (X is the provided value). Set to zero for no limit. +#rate-limit-ms = 100 + +# Limit the number of identical clients (i.e., users connecting +# multiple times). Unset or set to zero for unlimited. +max-same-clients = 2 + +# TCP and UDP port number +#tcp-port = 5551 +udp-port = 6551 + +# Accept connections using a socket file. The connections are +# forwarded without SSL/TLS. +unix-conn-file = /var/run/ocserv-conn.socket + +# Keepalive in seconds +keepalive = 32400 + +# Dead peer detection in seconds. +dpd = 240 + +# Dead peer detection for mobile clients. The needs to +# be much higher to prevent such clients being awaken too +# often by the DPD messages, and save battery. +# (clients that send the X-AnyConnect-Identifier-DeviceType) +mobile-dpd = 1800 + +# MTU discovery (DPD must be enabled) +try-mtu-discovery = false + +# The key and the certificates of the server +# The key may be a file, or any URL supported by GnuTLS (e.g., +# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user +# or pkcs11:object=my-vpn-key;object-type=private) +# +# There may be multiple certificate and key pairs and each key +# should correspond to the preceding certificate. +server-cert = /etc/ocserv/cert.pem +server-key = /etc/ocserv/key.pem + +# Diffie-Hellman parameters. Only needed if you require support +# for the DHE ciphersuites (by default this server supports ECDHE). +# Can be generated using: +# certtool --generate-dh-params --outfile /path/to/dh.pem +#dh-params = /path/to/dh.pem + +# If you have a certificate from a CA that provides an OCSP +# service you may provide a fresh OCSP status response within +# the TLS handshake. That will prevent the client from connecting +# independently on the OCSP server. +# You can update this response periodically using: +# ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response +# Make sure that you replace the following file in an atomic way. +#ocsp-response = /path/to/ocsp.der + +# In case PKCS #11 or TPM keys are used the PINs should be available +# in files. The srk-pin-file is applicable to TPM keys only, and is the +# storage root key. +#pin-file = /path/to/pin.txt +#srk-pin-file = /path/to/srkpin.txt + +# The Certificate Authority that will be used to verify +# client certificates (public keys) if certificate authentication +# is set. +#ca-cert = /path/to/ca.pem + +# The object identifier that will be used to read the user ID in the client +# certificate. The object identifier should be part of the certificate's DN +# Useful OIDs are: +# CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1 +#cert-user-oid = 0.9.2342.19200300.100.1.1 + +# The object identifier that will be used to read the user group in the +# client certificate. The object identifier should be part of the certificate's +# DN. Useful OIDs are: +# OU (organizational unit) = 2.5.4.11 +#cert-group-oid = 2.5.4.11 + +# The revocation list of the certificates issued by the 'ca-cert' above. +#crl = /path/to/crl.pem + +# GnuTLS priority string +tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT" + +# To enforce perfect forward secrecy (PFS) on the main channel. +#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA" + +# The time (in seconds) that a client is allowed to stay connected prior +# to authentication +auth-timeout = 40 + +# The time (in seconds) that a client is allowed to stay idle (no traffic) +# before being disconnected. Unset to disable. +#idle-timeout = 1200 + +# The time (in seconds) that a mobile client is allowed to stay idle (no +# traffic) before being disconnected. Unset to disable. +#mobile-idle-timeout = 2400 + +# The time (in seconds) that a client is not allowed to reconnect after +# a failed authentication attempt. +#min-reauth-time = 2 + +# Cookie validity time (in seconds) +# Once a client is authenticated he's provided a cookie with +# which he can reconnect. This option sets the maximum lifetime +# of that cookie. +cookie-validity = 86400 + +# ReKey time (in seconds) +# ocserv will ask the client to refresh keys periodically once +# this amount of seconds is elapsed. Set to zero to disable. +rekey-time = 172800 + +# ReKey method +# Valid options: ssl, new-tunnel +# ssl: Will perform an efficient rehandshake on the channel allowing +# a seamless connection during rekey. +# new-tunnel: Will instruct the client to discard and re-establish the channel. +# Use this option only if the connecting clients have issues with the ssl +# option. +rekey-method = ssl + +# Script to call when a client connects and obtains an IP +# Parameters are passed on the environment. +# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client), +# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP +# in the P-t-P connection), IP_REMOTE (the VPN IP of the client), +# ID (a unique numeric ID); REASON may be "connect" or "disconnect". +#connect-script = /usr/bin/myscript +disconnect-script = /usr/bin/myscript + +# UTMP +use-utmp = true + +# D-BUS usage. If disabled occtl tool cannot be used. If enabled +# then ocserv must have access to register org.infradead.ocserv +# D-BUS service. See doc/dbus/org.infradead.ocserv.conf +use-dbus = false + +# PID file. It can be overriden in the command line. +pid-file = /var/run/ocserv.pid + +# The default server directory. Does not require any devices present. +#chroot-dir = /path/to/chroot + +# socket file used for IPC, will be appended with .PID +# It must be accessible within the chroot environment (if any) +socket-file = /var/run/ocserv-socket + +# The user the worker processes will be run as. It should be +# unique (no other services run as this user). +run-as-user = nobody +run-as-group = haproxy + +# Set the protocol-defined priority (SO_PRIORITY) for packets to +# be sent. That is a number from 0 to 6 with 0 being the lowest +# priority. Alternatively this can be used to set the IP Type- +# Of-Service, by setting it to a hexadecimal number (e.g., 0x20). +# This can be set per user/group or globally. +#net-priority = 3 + +# Set the VPN worker process into a specific cgroup. This is Linux +# specific and can be set per user/group or globally. +#cgroup = "cpuset,cpu:test" + +# +# Network settings +# + +# The name of the tun device +device = vpns + +# The default domain to be advertised +default-domain = example.com + +# The pool of addresses that leases will be given from. +ipv4-network = 192.168.1.0 +ipv4-netmask = 255.255.255.0 + +# The advertized DNS server. Use multiple lines for +# multiple servers. +# dns = fc00::4be0 +#dns = 192.168.1.2 + +# The NBNS server (if any) +#nbns = 192.168.1.3 + +# The IPv6 subnet that leases will be given from. +#ipv6-network = fc00:: +#ipv6-prefix = 16 + +# The domains over which the provided DNS should be used. Use +# multiple lines for multiple domains. +#split-dns = example.com + +# Prior to leasing any IP from the pool ping it to verify that +# it is not in use by another (unrelated to this server) host. +ping-leases = false + +# Unset to assign the default MTU of the device +# mtu = + +# Unset to enable bandwidth restrictions (in bytes/sec). The +# setting here is global, but can also be set per user or per group. +#rx-data-per-sec = 40000 +#tx-data-per-sec = 40000 + +# The number of packets (of MTU size) that are available in +# the output buffer. The default is low to improve latency. +# Setting it higher will improve throughput. +#output-buffer = 10 + +# Routes to be forwarded to the client. If you need the +# client to forward routes to the server, you may use the +# config-per-user/group or even connect and disconnect scripts. +# +# To set the server as the default gateway for the client just +# comment out all routes from the server. +route = 192.168.1.0/255.255.255.0 +#route = 192.168.5.0/255.255.255.0 +#route = fef4:db8:1000:1001::/64 + +# Configuration files that will be applied per user connection or +# per group. Each file name on these directories must match the username +# or the groupname. +# The options allowed in the configuration files are dns, nbns, +# ipv?-network, ipv4-netmask, ipv6-prefix, rx/tx-per-sec, iroute, route, +# net-priority and cgroup. +# +# Note that the 'iroute' option allows to add routes on the server +# based on a user or group. The syntax depends on the input accepted +# by the commands route-add-cmd and route-del-cmd (see below). + +#config-per-user = /etc/ocserv/config-per-user/ +#config-per-group = /etc/ocserv/config-per-group/ + +# The system command to use to setup a route. %R will be replaced with the +# route/mask and %D with the (tun) device. +# +# The following example is from linux systems. %R should be something +# like 192.168.2.0/24 + +#route-add-cmd = "ip route add %R dev %D" +#route-del-cmd = "ip route delete %R dev %D" + +# +# The following options are for (experimental) AnyConnect client +# compatibility. + +# Client profile xml. A sample file exists in doc/profile.xml. +# This file must be accessible from inside the worker's chroot. +# It is not used by the openconnect client. +#user-profile = profile.xml + +# Binary files that may be downloaded by the CISCO client. Must +# be within any chroot environment. +#binary-files = /path/to/binaries + +# Unless set to false it is required for clients to present their +# certificate even if they are authenticating via a previously granted +# cookie and complete their authentication in the same TCP connection. +# Legacy CISCO clients do not do that, and thus this option should be +# set for them. +#cisco-client-compat = false + +#Advanced options + +# Option to allow sending arbitrary custom headers to the client after +# authentication and prior to VPN tunnel establishment. +#custom-header = "X-My-Header: hi there" diff --git a/tests/full-test b/tests/full-test index 4cd332df..91e795c1 100755 --- a/tests/full-test +++ b/tests/full-test @@ -58,6 +58,7 @@ fi cp ../src/ocserv ../src/ocpasswd ../src/occtl docker-ocserv/ +cp docker-ocserv/Dockerfile-tcp docker-ocserv/Dockerfile $DOCKER build -t ocserv-test1 docker-ocserv/ if test $? != 0;then echo "Cannot build docker image" diff --git a/tests/unix-test b/tests/unix-test new file mode 100755 index 00000000..f30044fb --- /dev/null +++ b/tests/unix-test @@ -0,0 +1,186 @@ +#!/bin/sh +# +# Copyright (C) 2014 Red Hat +# +# This file is part of ocserv. +# +# ocserv is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 2 of the License, or (at +# your option) any later version. +# +# ocserv is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with ocserv; if not, write to the Free Software Foundation, +# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + +srcdir=${srcdir:-.} + +#this test can only be run as root +id|grep root >/dev/null 2>&1 +if [ $? != 0 ];then + exit 77 +fi + +if test -x /usr/bin/docker;then +DOCKER=/usr/bin/docker +else +DOCKER=/usr/bin/docker.io +fi + +if ! test -x $DOCKER;then + echo "The docker program is needed to perform this test" + exit 77 +fi + +if ! test -f /etc/debian_version;then + echo "******************************************************" + echo "This test requires compiling ocserv in a Debian system" + echo "******************************************************" + exit 77 +fi + +stop() { + $DOCKER stop test_unix + $DOCKER rm test_unix + exit 1 +} + +$DOCKER pull tianon/debian:jessie +if test $? != 0;then + echo "Cannot pull docker image" + exit 1 +fi + +cp ../src/ocserv ../src/ocpasswd ../src/occtl docker-ocserv/ + +cp docker-ocserv/Dockerfile-unix docker-ocserv/Dockerfile +$DOCKER build -t ocserv-test2 docker-ocserv/ +#$DOCKER build --no-cache=true -t ocserv-test2 docker-ocserv/ +if test $? != 0;then + echo "Cannot build docker image" + exit 1 +fi + +$DOCKER stop test_unix >/dev/null 2>&1 +$DOCKER rm test_unix >/dev/null 2>&1 + +$DOCKER run -P --privileged=true -p 6000:6000/udp -p 6001:6001/udp -p 22 -p 6551:6551/udp --tty=false -d --name test_unix ocserv-test2 +if test $? != 0;then + echo "Cannot run docker image" + exit 1 +fi + +#wait for ocserv to server +sleep 5 + +IP=`$DOCKER inspect test_unix | grep IPAddress | cut -d '"' -f 4` +if test -z "$IP";then + echo "Detected IP is null!" + stop +fi + +printf "test\ntest\n" >pass.tmp +openconnect $IP:6551 -u test --passwd-on-stdin --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 < pass.tmp & +PID=$! + +rm -f pass.tmp + +#wait for openconnect +sleep 5 + +# The client IP depends on the username so it shouldn't change. +ping -w 5 192.168.1.190 +if test $? != 0;then + kill $PID + echo "Cannot ping ocserv" + stop +fi + +ping -w 5 192.168.1.190 -s 1500 +if test $? != 0;then + kill $PID + echo "Cannot ping ocserv" + stop +fi + +echo "UserKnownHostsFile ./known-hosts.tmp" >config.tmp +printf "#\!/bin/sh\n" >echo-admin.tmp +printf "echo yes" >>echo-admin.tmp +printf "echo root" >>echo-admin.tmp +printf "\n" >>echo-admin.tmp +chmod 755 echo-admin.tmp +export SSH_ASKPASS="./echo-admin.tmp" +setsid ssh -T -F config.tmp root@192.168.1.190 occtl show user test >out.tmp 2>&1 +cat out.tmp + +printf "#\!/bin/sh\n" >echo-admin.tmp +printf "echo root" >>echo-admin.tmp +printf "\n" >>echo-admin.tmp +chmod 755 echo-admin.tmp +setsid ssh -T -F config.tmp root@192.168.1.190 occtl show user test >out.tmp 2>&1 +cat out.tmp +rm -f echo-admin.tmp +rm -f config.tmp +rm -f known-hosts.tmp + +grep "Username" out.tmp +if test $? != 0;then + kill $PID + echo "could not find user information" + stop +fi + +rm -f out.tmp + +# There is an issue in nuttcp that makes it crash under docker if +# /proc/sys/net/ipv4/tcp_adv_win_scale does not exist. + +#nuttcp -T 10 -t 192.168.1.190 +#if test $? != 0;then +# kill $PID +# echo "Cannot send to ocserv" +# stop +#fi + +#nuttcp -T 10 -r 192.168.1.190 +#if test $? != 0;then +# kill $PID +# echo "Cannot recv from ocserv" +# stop +#fi +sleep 2 + +kill $PID + +sleep 4 + +#check whether /tmp/disconnect/ok was created +rm -f ./not-ok +$DOCKER cp test_unix:/tmp/disconnect/not-ok ./ +if test -f ./not-ok;then + echo "There was an issue getting stats" + stop +fi +rm -f ./not-ok + +ret=0 + +rm -f ./ok +$DOCKER cp test_unix:/tmp/disconnect/ok ./ +if ! test -f ./ok;then + echo "Don't know if stats were received" + ret=77 +fi +echo -n "stats: " +echo `cat ./ok` +rm -f ./ok + +$DOCKER stop test_unix +$DOCKER rm test_unix + +exit $ret