2026-02-09 08:16:58 +08:00 · 2019-10-17 16:19:03 +02:00
parent ea845a57fc
commit c9e907c841
24 changed files with 213 additions and 561 deletions
							
							
								
							
							
						
@@ -123,9 +123,10 @@ Build/Fedora:
  # ensure gcov scripts are writable
  - umask 000
  - chmod -R o-w tests/data/raddb
  - git submodule update --init && autoreconf -fvi &&
    CFLAGS="-g -O0" ./configure --disable-maintainer-mode --without-docker-tests --with-werror --enable-code-coverage && make -j$(nproc) && make check -j$(nproc) COVERAGE=1
    && make files-update && make dist && make local-code-coverage-output
  - git submodule update --init && autoreconf -fvi
  - CFLAGS="-g -O0" ./configure --disable-maintainer-mode --without-docker-tests --with-werror --enable-code-coverage --enable-kerberos-tests
  - make -j$(nproc) && make check -j$(nproc) COVERAGE=1
  - make files-update && make dist && make local-code-coverage-output
  tags:
  - shared
  except:
							
								
							
							
							
						
 
							
							
								
							
							
						
@@ -116,6 +116,13 @@ AC_ARG_WITH(docker-tests,
AM_CONDITIONAL(ENABLE_DOCKER_TESTS, test "x$docker_tests" = xyes)
AC_ARG_WITH(kerberos-tests,
  AS_HELP_STRING([--with-kerberos-tests], [enable any tests requiring kerberos setup]),
  kerberos_tests=$withval,
  kerberos_tests=no)
AM_CONDITIONAL(ENABLE_KERBEROS_TESTS, test "x$kerberos_tests" = xyes)
AC_ARG_WITH(nuttcp-tests,
  AS_HELP_STRING([--without-nuttcp-tests], [disable any tests requiring nuttcp]),
  nuttcp_tests=$withval,
							
								
							
							
								
							
							
						
@@ -582,9 +589,7 @@ AC_CONFIG_FILES([
	doc/Makefile
	gl/Makefile
	tests/docker-ocserv/Makefile
	tests/docker-kerberos/Makefile
	tests/data/pam/ocserv
	tests/data/pam-single/ocserv
	tests/data/pam/nss-passwd
	tests/data/pam/nss-group
	tests/Makefile
							
								
							
							
							
						
 
							
							
								
							
							
						
@@ -34,9 +34,9 @@ EXTRA_DIST = certs/ca-key.pem certs/ca.pem ns.sh common.sh certs/server-cert.pem
	data/raddb/clients.conf data/raddb/radiusd.conf data/raddb/users \
	data/radiusclient/dictionary data/radiusclient/radiusclient.conf \
	data/radiusclient/servers data/radius.config data/radius-group.config data/radius-otp.config \
	data/test-udp-listen-host.config
	data/test-udp-listen-host.config data/pam-kerberos/passdb.templ
SUBDIRS = docker-ocserv docker-kerberos
SUBDIRS = docker-ocserv
xfail_scripts =
dist_check_SCRIPTS =  ocpasswd-test
							
							
							
								
							
						
@@ -49,7 +49,7 @@ endif
if ENABLE_ROOT_TESTS
if ENABLE_DOCKER_TESTS
#docker tests
dist_check_SCRIPTS += unix-test kerberos-test \
dist_check_SCRIPTS += unix-test \
	proxyproto-test proxyproto-v1-test proxyproto-unix-test \
	reload-info-test
endif
							
								
							
							
								
							
							
						
@@ -84,6 +84,10 @@ dist_check_SCRIPTS += test-pass test-pass-cert test-cert test-group-pass \
if HAVE_CWRAP_PAM
dist_check_SCRIPTS += test-pam test-pam-noauth
if ENABLE_KERBEROS_TESTS
dist_check_SCRIPTS += kerberos
endif
endif
if HAVE_LIBOATH
							
								
							
							
							
						
 
							
							
								
							
							
						
@@ -115,24 +115,31 @@ launch_sr_server() {
	fi
}
launch_sr_pam_server() {
launch_pam_server() {
	test -z "${TEST_PAMDIR}" && exit 2
	export PAM_WRAPPER_DEBUGLEVEL=3
	export PAM_WRAPPER_SERVICE_DIR="${builddir}/pam.$$.tmp/"
	mkdir -p "${PAM_WRAPPER_SERVICE_DIR}"
	test -f "${srcdir}/${TEST_PAMDIR}/users.oath.templ" && cp "${srcdir}/${TEST_PAMDIR}/users.oath.templ" "${PAM_WRAPPER_SERVICE_DIR}/users.oath"
	test -f "${srcdir}/${TEST_PAMDIR}/passdb.templ" && cp "${srcdir}/${TEST_PAMDIR}/passdb.templ" "${PAM_WRAPPER_SERVICE_DIR}/passdb"
	test -f "${builddir}/${TEST_PAMDIR}/ocserv" && cp "${builddir}/${TEST_PAMDIR}/ocserv" "${PAM_WRAPPER_SERVICE_DIR}/"
	if test -f "${builddir}/${TEST_PAMDIR}/ocserv";then
		cp "${builddir}/${TEST_PAMDIR}/ocserv" "${PAM_WRAPPER_SERVICE_DIR}/"
	else
		cp "${builddir}/data/pam/ocserv" "${PAM_WRAPPER_SERVICE_DIR}/"
	fi
	sed -i -e 's|%PAM_WRAPPER_SERVICE_DIR%|'${PAM_WRAPPER_SERVICE_DIR}'|g' "${PAM_WRAPPER_SERVICE_DIR}/ocserv"
	cp "${builddir}/data/pam/nss-passwd" "${PAM_WRAPPER_SERVICE_DIR}/"
	cp "${builddir}/data/pam/nss-group" "${PAM_WRAPPER_SERVICE_DIR}/"
	export NSS_WRAPPER_PASSWD=${PAM_WRAPPER_SERVICE_DIR}/nss-passwd
	export NSS_WRAPPER_GROUP=${PAM_WRAPPER_SERVICE_DIR}/nss-group
	if test "$SOCKET_WRAPPER" != 0;then
		SR="libsocket_wrapper.so:"
	fi
	if test -n "${VERBOSE}" && test "${VERBOSE}" -ge 1;then
		LD_PRELOAD=libnss_wrapper.so:libpam_wrapper.so:libsocket_wrapper.so:libuid_wrapper.so PAM_WRAPPER=1 UID_WRAPPER=1 UID_WRAPPER_ROOT=1 $SERV $* &
		LD_PRELOAD=libnss_wrapper.so:${SR}libpam_wrapper.so:libuid_wrapper.so PAM_WRAPPER=1 UID_WRAPPER=1 UID_WRAPPER_ROOT=1 $SERV $* &
	else
		LD_PRELOAD=libnss_wrapper.so:libpam_wrapper.so:libsocket_wrapper.so:libuid_wrapper.so PAM_WRAPPER=1 UID_WRAPPER=1 UID_WRAPPER_ROOT=1 $SERV $* >/dev/null 2>&1 &
		LD_PRELOAD=libnss_wrapper.so:${SR}libpam_wrapper.so:libuid_wrapper.so PAM_WRAPPER=1 UID_WRAPPER=1 UID_WRAPPER_ROOT=1 $SERV $* >/dev/null 2>&1 &
	fi
	LOCALPID="$!";
	unset NSS_WRAPPER_PASSWD
							
							
							
								
							
						
@@ -146,6 +153,10 @@ launch_sr_pam_server() {
	fi
}
launch_sr_pam_server() {
	SOCKET_WRAPPER=1 launch_pam_server $*
}
launch_simple_sr_server() {
	if test -n "${VERBOSE}" && test "${VERBOSE}" -ge 1;then
		LD_PRELOAD=libsocket_wrapper.so:libuid_wrapper.so UID_WRAPPER=1 UID_WRAPPER_ROOT=1 $SERV $* -d 3 &
							
								
							
							
							
						
 
							
							
								
							
							
						
@@ -8,8 +8,11 @@ enable-auth = gssapi[tgt-freshness-time=60]
# Whether to enable support for the occtl tool (i.e., either through D-BUS,
# or via a unix socket).
occtl-socket-file = @OCCTL_SOCKET@
use-occtl = true
isolate-workers = @ISOLATE_WORKERS@
# socket file used for IPC with occtl. You only need to set that,
# if you use more than a single servers.
#occtl-socket-file = /var/run/occtl.socket
							
							
							
								
							
						
@@ -21,12 +24,16 @@ use-occtl = true
# to generate password entries.
#auth = "plain[/etc/ocserv/ocpasswd]"
#acct = "radius[config=@SRCDIR@/data/radiusclient/radiusclient.conf]"
# A banner to be displayed on clients
#banner = "Welcome"
stats-report-time = 30
# Use listen-host to limit to specific IPs or to the IPs of a provided 
# hostname.
#listen-host = [IP|HOSTNAME]
#listen-host = @ADDRESS@
# Limit the number of clients. Unset or set to zero for unlimited.
#max-clients = 1024
							
							
							
								
							
						
@@ -41,8 +48,8 @@ max-clients = 16
max-same-clients = 2
# TCP and UDP port number
tcp-port = 443
udp-port = 443
tcp-port = @PORT@
udp-port = @PORT@
# Keepalive in seconds
keepalive = 32400
							
							
							
								
							
						
@@ -66,8 +73,8 @@ try-mtu-discovery = false
#
# There may be multiple certificate and key pairs and each key
# should correspond to the preceding certificate.
server-cert = /etc/ocserv/cert.pem
server-key = /etc/ocserv/key.pem
server-cert = @SRCDIR@/certs/server-cert.pem
server-key = @SRCDIR@/certs/server-key.pem
# Diffie-Hellman parameters. Only needed if you require support
# for the DHE ciphersuites (by default this server supports ECDHE).
							
							
							
								
							
						
@@ -93,7 +100,7 @@ server-key = /etc/ocserv/key.pem
# The Certificate Authority that will be used to verify
# client certificates (public keys) if certificate authentication
# is set.
#ca-cert = /path/to/ca.pem
ca-cert = /etc/ocserv/ca.pem
# The object identifier that will be used to read the user ID in the client 
# certificate. The object identifier should be part of the certificate's DN
							
								
							
							
								
							
							
						
@@ -132,12 +139,6 @@ auth-timeout = 40
# a failed authentication attempt.
#min-reauth-time = 2
# Cookie validity time (in seconds)
# Once a client is authenticated he's provided a cookie with
# which he can reconnect. This option sets the maximum lifetime
# of that cookie.
cookie-validity = 86400
# ReKey time (in seconds)
# ocserv will ask the client to refresh keys periodically once
# this amount of seconds is elapsed. Set to zero to disable.
							
							
							
								
							
						
@@ -158,8 +159,8 @@ rekey-method = ssl
# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
# in the P-t-P connection), IP_REMOTE (the VPN IP of the client),
# ID (a unique numeric ID); REASON may be "connect" or "disconnect".
connect-script = /usr/bin/myscript
disconnect-script = /usr/bin/myscript
#connect-script = /usr/bin/myscript
#disconnect-script = /usr/bin/myscript
# UTMP
use-utmp = true
							
							
							
								
							
						
@@ -181,8 +182,8 @@ socket-file = /var/run/ocserv-socket
# The user the worker processes will be run as. It should be
# unique (no other services run as this user).
run-as-user = nobody
run-as-group = daemon
run-as-user = @USERNAME@
run-as-group = @GROUP@
# Set the protocol-defined priority (SO_PRIORITY) for packets to
# be sent. That is a number from 0 to 6 with 0 being the lowest
							
							
							
								
							
						
@@ -206,8 +207,8 @@ device = vpns
default-domain = example.com
# The pool of addresses that leases will be given from.
ipv4-network = 192.168.1.0
ipv4-netmask = 255.255.255.0
ipv4-network = @VPNNET@
ipv6-network = @VPNNET6@
# The advertized DNS server. Use multiple lines for
# multiple servers.
							
							
							
								
							
						
@@ -217,10 +218,6 @@ ipv4-netmask = 255.255.255.0
# The NBNS server (if any)
#nbns = 192.168.1.3
# The IPv6 subnet that leases will be given from.
ipv6-network = fd91:6d87:7341:db6a::
ipv6-prefix = 64
# The domains over which the provided DNS should be used. Use
# multiple lines for multiple domains.
#split-dns = example.com
							
								
							
							
								
							
							
						
@@ -248,9 +245,9 @@ ping-leases = false
#
# To set the server as the default gateway for the client just
# comment out all routes from the server.
route = 192.168.1.0/255.255.255.0
route = 10.209.209.0/255.255.255.0
#route = 192.168.5.0/255.255.255.0
route = fd91:6d87:7341:db6a::/64
route = fc13:71:ea31:4b4e::/64
# Configuration files that will be applied per user connection or
# per group. Each file name on these directories must match the username
							
							
							
								
							
						
@@ -275,17 +272,6 @@ route = fd91:6d87:7341:db6a::/64
#route-add-cmd = "ip route add %R dev %D"
#route-del-cmd = "ip route delete %R dev %D"
# This option allows one to forward a proxy. The special keywords '%{U}'
# and '%{G}', if present will be replaced by the username and group name.
#proxy-url = http://example.com/
#proxy-url = http://example.com/%{U}/
# This option allows you to specify a URL location where a client can
# post using MS-KKDCP, and the message will be forwarded to the provided
# KDC server. That is a translation URL between HTTP and Kerberos.
# This option is available if ocserv is compiled with GSSAPI support. 
kkdcp = /kerberos KERBEROS.TEST tcp@127.0.0.1:88
#
# The following options are for (experimental) AnyConnect client 
# compatibility. 
							
							
							
								
							
						
@@ -311,3 +297,10 @@ kkdcp = /kerberos KERBEROS.TEST tcp@127.0.0.1:88
# Option to allow sending arbitrary custom headers to the client after
# authentication and prior to VPN tunnel establishment.
#custom-header = "X-My-Header: hi there"
# This option allows you to specify a URL location where a client can
# post using MS-KKDCP, and the message will be forwarded to the provided
# KDC server. That is a translation URL between HTTP and Kerberos.
# This option is available if ocserv is compiled with GSSAPI support. 
kkdcp = /kerberos KERBEROS.TEST tcp@@ADDRESS@:88
							
							
							
						
@@ -0,0 +1,2 @@
testuser:testuser123:ocserv
krb5user:krb5user123:ocserv
							
							
							
						
@@ -1,5 +0,0 @@
#%PAM-1.0
auth       required	@PAMWRAPDIR@/pam_matrix.so passdb=%PAM_WRAPPER_SERVICE_DIR%/passdb
account    required	@PAMWRAPDIR@/pam_matrix.so passdb=%PAM_WRAPPER_SERVICE_DIR%/passdb
account    required	@PAMWRAPDIR@/pam_matrix.so passdb=%PAM_WRAPPER_SERVICE_DIR%/passdb
session    required	@PAMWRAPDIR@/pam_matrix.so passdb=%PAM_WRAPPER_SERVICE_DIR%/passdb
							
							
							
						
@@ -1,27 +0,0 @@
# Clone from the Fedora 22 image
FROM fedora:25
RUN dnf install -y krb5-libs krb5-workstation libev
RUN dnf install -y gnutls gnutls-utils iproute systemd
RUN dnf install -y bash net-tools nuttcp iputils openssh-clients passwd
RUN dnf install -y lz4 radcli liboauth oathtool procps-ng iputils
RUN dnf install -y openconnect
# To be able to debug
RUN dnf install -y openssh-server strace lsof && dnf clean all
RUN echo 'root:root' | chpasswd
RUN echo set -o vi >> /etc/bashrc
ADD krb5.conf /etc/
RUN useradd -m -p "$6$ZzoUpzPP$PaQoBzfpVCSO23OXB523mgcHaXeVkW/zqYFr84GiItggqo9NK.MAkqMXKuDLybuscuEwxtpAMSNaxTftyaQjT." testuser
ADD ca.pem /etc/
# It's not possible to use mknod inside a container with the default LXC
# template, so we untar it from this archive.
ADD dev-tun.tgz /dev/
RUN ldconfig
CMD sshd-keygen;/usr/sbin/sshd;echo testuser123|kinit testuser@KERBEROS.TEST && /usr/sbin/openconnect kerberos.test --cafile /etc/ca.pem -b && sleep 5 && ping -w 5 192.168.1.1 && kdestroy && ( /usr/sbin/openconnect kerberos.test --cafile /etc/ca.pem --cookieonly --non-inter || touch /tmp/ok1 );echo testuser123|kinit testuser@KERBEROS.TEST && sleep 61 && ( /usr/sbin/openconnect kerberos.test --non-inter --cafile /etc/ca.pem || touch /tmp/ok2 );sleep 3600
							
							
							
						
@@ -1,45 +0,0 @@
# Clone from the Fedora 22 image
FROM fedora:25
RUN dnf install -y krb5-libs krb5-server krb5-workstation libev
RUN dnf install -y gnutls gnutls-utils protobuf-c iproute pcllib http-parser tcp_wrappers pam systemd libseccomp
RUN dnf install -y bash net-tools nuttcp iputils openssh-clients
RUN dnf install -y libnl3 libtalloc libev
RUN dnf install -y lz4 radcli liboauth oathtool procps-ng iputils
RUN dnf install -y freeradius-client
RUN dnf install -y pam_krb5
# To be able to debug
RUN dnf install -y openssh-server strace lsof && dnf clean all
RUN echo 'root:root' | chpasswd
RUN echo set -o vi >> /etc/bashrc
RUN mkdir -p /etc/ocserv
RUN mkdir -p /tmp/disconnect/
ADD krb5.conf /etc/
ADD kdc.conf /var/kerberos/krb5kdc/
ADD k5.KERBEROS.TEST /var/kerberos/krb5kdc/
ADD kadm5.acl /var/kerberos/krb5kdc/
RUN echo -e "secret123\nsecret123"|/usr/sbin/kdb5_util create -s
RUN echo -e "testuser123\ntestuser123" | /usr/sbin/kadmin.local -q "addprinc testuser"
RUN echo -e "test123\ntest123" | /usr/sbin/kadmin.local -q "addprinc HTTP/kerberos.test"
RUN /usr/sbin/kadmin.local -q "xst -norandkey -k /etc/krb5-keytab HTTP/kerberos.test@KERBEROS.TEST"
RUN useradd testuser
ADD key.pem /etc/ocserv/
ADD cert.pem /etc/ocserv/
ADD ocserv.conf /etc/ocserv/
ADD passwd /etc/ocserv/
ADD myscript /usr/bin/
# It's not possible to use mknod inside a container with the default LXC
# template, so we untar it from this archive.
ADD dev-tun.tgz /dev/
ADD pam-ocserv /etc/pam.d/ocserv
ADD ocserv /usr/sbin/
ADD ocpasswd /usr/bin/
ADD occtl /usr/bin/
CMD nuttcp -S;/usr/sbin/krb5kdc;sshd-keygen;/usr/sbin/sshd;/usr/sbin/ocserv -d 1 -f;sleep 3600
							
							
							
						
@@ -1,7 +0,0 @@
EXTRA_DIST = Dockerfile-fedora-kerberos krb5.conf kdc.conf \
	Dockerfile-fedora-client \
	ocserv.conf cert.pem key.pem myscript passwd dev-tun.tgz \
	k5.KERBEROS.TEST kadm5.acl pam-ocserv ca.pem
TESTS_ENVIRONMENT = srcdir="$(srcdir)" \
	top_builddir="$(top_builddir)"
							
							
							
						
@@ -1,20 +0,0 @@
-----BEGIN CERTIFICATE-----
MIIDPzCCAfegAwIBAgIEUdguzDANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDEwJD
QTAiGA8yMDEzMDcwNjE0NTA1MloYDzIwMjMwNTE1MTQ1MDUyWjANMQswCQYDVQQD
EwJDQTCCAVIwDQYJKoZIhvcNAQEBBQADggE/ADCCAToCggExALRrJ5glr8H/Hsqw
fvTYvO1DhmdUXdq0HsKQX4M8AhH8E3KFsoikZUELdl8jvoqf/nlLczsux0s8vxbJ
l1U1F/OhckswwuAnlBLzVgDmzoJLEV2kHpv6+rkbKk0Ytbql5gzHqKihbaqIhNyW
DrJsHDWq58eUPfnVx8KiDUuzbnr3CF/FCc0Vkxr3mN8qTGaJJO0f0BZjgWWlWDuh
zSVim5mBVAgXGOx8LwiiOyhXMp0XRwqG+2KxQZnm+96o6iB+8xvuuuqaIWQpkvKt
c+UZBZ03U+IRnxhfIrriiw0AjJ4vp4c9QL5KoqWSCAwuYcBYfJqZ4dasgzklzz4b
7eujbZ3LxTjewcdumzQUvjA+gpAeuUqaduTvMwxGojFy9sNhC/iqZ4n0peV2N6Ep
n4B5qnUCAwEAAaNDMEEwDwYDVR0TAQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMDBwQA
MB0GA1UdDgQWBBRIIzRTCokxOEpa6sq20qbezh0rGDANBgkqhkiG9w0BAQsFAAOC
ATEAa1kdd8E1PkM06Isw0S/thEll0rAYsNHwSX17IDUWocTTQlmVXBXcvLqM04QT
z7WNG4eushLhRpSn8LJQkf4RgvAxOMIjHM9troDbPVoec6k8fZrJ8jfXurOgoOVP
g+hScT3VDvxgiOVwgXSe2XBryGDaviRuSOHlfy5GPVirLJLZwpcX6RpsHMX9rrZX
ghvf8dwm4To9H5wT0Le2FnZRoLOTMmpr49bfKJqy/U7AUHaf4saSdkdEIaGOxkPk
x+SFlr9TjavnJvL0TApkvfNZ1aOVHRHINgaFYHQJ4U0jQ/g7lPmD+UtZWnvSMNXH
yct5cKOyP4j7Kla1sKPs+oamOQ7pR1Z/GwBxe48FvO7VDi7EkugLwlzoXC2G+4Jg
fJbi9Ui2FmXEeKkX34f1ONNj9Q==
-----END CERTIFICATE-----
							
							
							
						
@@ -1,22 +0,0 @@
-----BEGIN CERTIFICATE-----
MIIDnzCCAlegAwIBAgIIVOSF2gcNB+swDQYJKoZIhvcNAQELBQAwDTELMAkGA1UE
AxMCQ0EwIhgPMjAxNTAyMTgxMjMwMTlaGA85OTk5MTIzMTIzNTk1OVowGjEYMBYG
A1UEAxMPS2VyYmVyb3Mgc2VydmVyMIIBUjANBgkqhkiG9w0BAQEFAAOCAT8AMIIB
OgKCATEApzor7D8UsCwZ9vFukB2/jqn26XCECYfzUPNfw5RQ+ixk1leAWOGW/O7Q
vQQVfl9/pTP4/LuR7zd5w1rb+BntA68i1uk3LOhTwreLKxHwpIeZeeC6zJlm4RYJ
FZTeX06qGNJZ3WCcdl/FlpXUY3i/vBO5xVHBUrVq4IvQM4DBa47C+Kapfe2AGUV3
DKEF1Y20Zs1S2SFbpkMu3PrZexKs/Jcf8Uv+RcfbSEbp6jUuYxFLPDZ+ROhb62gH
MvniNIF0xpO+fSjT2IrEqgLhQJprf1w0077zqOnaQLHl6rUdvy42SVjpV3Ymf8ox
4OfkSkOXbd3ZOe5QCFhEfXoCDqP/hgJMnpNGSeRllOlcU7BXCJeqMt0uxLQdDQiD
O4b4ct9kKyeWVMjZ3E0n+qjFaHnYHQIDAQABo4GRMIGOMAwGA1UdEwEB/wQCMAAw
GAYDVR0RBBEwD4INa2VyYmVyb3MudGVzdDATBgNVHSUEDDAKBggrBgEFBQcDATAP
BgNVHQ8BAf8EBQMDB6AAMB0GA1UdDgQWBBSoJUf2j0TWNRvvbKzR17luhPnfozAf
BgNVHSMEGDAWgBRIIzRTCokxOEpa6sq20qbezh0rGDANBgkqhkiG9w0BAQsFAAOC
ATEAUp1NcsVZ/kuZ3+GY7PiHOT76LoOtRKjlDdMEGysGbnKwAU8I6BJEHsMfjPMH
o5lxfIKhJOxXQIe2Ry/oYvEs7UzGNj8jlx1LgZopVyPZ1iPQgwXeEOkCwNDNtTcb
WRFokYHzjawbmGZsRS/HCA3JvUA41uIsY1apQLTZrEKZpx1jZ1L67nfGIKgItBo/
0IHipCqrVh4VUOBUNXRsgqSgL8V3fzo+wQ8QHlylZXWEXunofKtiPaEjK+2OUWoD
GB43yKkydhd0LKTYg/6UY5+lSUOjLw+WIic5viF7myNwtLCxwxK92e1Tok6sMPNO
MPfAu3IGPvV6fLyYI0JVo7D5FCvpjdXTvkriP6jYNV4KzEGS2/URVJS93xrxEjz5
8iy8tcXqNhVSDgQrxzRmbtHNaA==
-----END CERTIFICATE-----
							
							
							
						
@@ -1,16 +0,0 @@
[Unit]
Description=D-Bus System Message Bus
Requires=dbus.socket
After=syslog.target
[Service]
PIDFile=/var/run/messagebus.pid
ExecStartPre=/bin/mkdir -p /var/run/dbus
ExecStartPre=/bin/chmod g+w /var/run/ /var/run/dbus/
ExecStart=/bin/dbus-daemon --system --fork
ExecReload=/bin/dbus-send --print-reply --system --type=method_call --dest=org.freedesktop.DBus / org.freedesktop.DBus.ReloadConfig
ExecStopPost=/bin/rm -f /var/run/messagebus.pid
OOMScoreAdjust=-900
User=dbus
Group=root
PermissionsStartOnly=true
							
							
							
						
@@ -1 +0,0 @@
secret123
							
							
							
						
@@ -1 +0,0 @@
*/admin@KERBEROS.TEST	*
							
							
							
						
@@ -1,13 +0,0 @@
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88
[realms]
 KERBEROS.TEST = {
  #master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  key_stash_file = /var/kerberos/krb5kdc/k5.KERBEROS.TEST,
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
							
							
							
						
@@ -1,165 +0,0 @@
Public Key Info:
	Public Key Algorithm: RSA
	Key Security Level: Normal (2432 bits)
modulus:
	00:a7:3a:2b:ec:3f:14:b0:2c:19:f6:f1:6e:90:1d:
	bf:8e:a9:f6:e9:70:84:09:87:f3:50:f3:5f:c3:94:
	50:fa:2c:64:d6:57:80:58:e1:96:fc:ee:d0:bd:04:
	15:7e:5f:7f:a5:33:f8:fc:bb:91:ef:37:79:c3:5a:
	db:f8:19:ed:03:af:22:d6:e9:37:2c:e8:53:c2:b7:
	8b:2b:11:f0:a4:87:99:79:e0:ba:cc:99:66:e1:16:
	09:15:94:de:5f:4e:aa:18:d2:59:dd:60:9c:76:5f:
	c5:96:95:d4:63:78:bf:bc:13:b9:c5:51:c1:52:b5:
	6a:e0:8b:d0:33:80:c1:6b:8e:c2:f8:a6:a9:7d:ed:
	80:19:45:77:0c:a1:05:d5:8d:b4:66:cd:52:d9:21:
	5b:a6:43:2e:dc:fa:d9:7b:12:ac:fc:97:1f:f1:4b:
	fe:45:c7:db:48:46:e9:ea:35:2e:63:11:4b:3c:36:
	7e:44:e8:5b:eb:68:07:32:f9:e2:34:81:74:c6:93:
	be:7d:28:d3:d8:8a:c4:aa:02:e1:40:9a:6b:7f:5c:
	34:d3:be:f3:a8:e9:da:40:b1:e5:ea:b5:1d:bf:2e:
	36:49:58:e9:57:76:26:7f:ca:31:e0:e7:e4:4a:43:
	97:6d:dd:d9:39:ee:50:08:58:44:7d:7a:02:0e:a3:
	ff:86:02:4c:9e:93:46:49:e4:65:94:e9:5c:53:b0:
	57:08:97:aa:32:dd:2e:c4:b4:1d:0d:08:83:3b:86:
	f8:72:df:64:2b:27:96:54:c8:d9:dc:4d:27:fa:a8:
	c5:68:79:d8:1d:
public exponent:
	01:00:01:
private exponent:
	79:2b:86:6d:fd:5b:41:38:03:6c:52:8e:59:70:a4:
	bf:7b:da:44:55:d9:e6:8a:12:bd:22:4b:ce:8c:66:
	8c:8f:a4:55:47:3b:e1:ab:3c:5b:73:b3:de:71:da:
	1d:22:97:7c:1e:07:99:21:54:61:f0:61:93:32:ff:
	d6:6a:fa:b9:43:aa:cb:ec:5a:a5:78:86:50:bd:eb:
	e2:3e:72:8e:d5:0e:59:28:84:52:02:09:70:a9:25:
	d5:f4:73:98:bd:88:34:ca:1e:81:71:22:8e:07:61:
	45:76:b5:59:8a:41:eb:c6:a3:42:1d:b6:25:f6:fc:
	45:4e:29:83:58:15:4e:99:38:1f:31:ab:f8:6a:21:
	fa:ad:c1:d0:6d:d0:ab:67:ad:43:1c:1d:9e:e5:33:
	e2:68:f9:e2:fa:d8:9a:e7:36:e0:20:8c:25:4d:e9:
	17:95:4b:71:38:df:18:71:cd:e0:a0:7f:b2:58:fe:
	8b:c0:1c:d2:96:4a:17:14:bf:1c:3b:e8:b5:54:2b:
	8d:47:50:a7:77:56:61:a8:e3:79:dd:70:88:5f:89:
	a1:f8:78:0d:47:ef:32:98:c1:47:88:d8:33:ed:95:
	10:90:7f:f1:57:cb:2b:18:c9:58:a1:de:ef:1c:70:
	5a:58:3c:86:3d:96:17:ad:9c:fd:0b:eb:d8:33:a4:
	5f:7f:db:97:c0:78:b4:94:56:56:0a:83:b3:d3:02:
	c6:6f:08:dc:0d:22:8f:2a:4b:25:7a:34:97:8e:63:
	49:8a:39:d1:c1:1e:9b:93:41:c5:9c:b6:50:9e:ff:
	7a:37:e4:c1:
prime1:
	00:cb:13:4a:a3:8f:ad:5c:63:89:30:f3:3b:eb:25:
	85:d9:6c:ad:6d:50:f8:03:00:d3:1e:e3:ae:ad:54:
	7a:9b:21:1a:72:18:a6:54:e4:32:58:8d:66:37:65:
	8c:f7:8f:37:65:ec:f8:ef:2e:a9:c1:78:bb:04:90:
	aa:fe:0a:f2:7c:80:82:32:c7:db:ef:bc:10:c6:ff:
	e0:d4:2e:b9:3a:0e:cc:29:28:81:b8:41:78:37:80:
	69:39:5e:97:44:36:d6:cd:39:af:14:c2:df:f3:67:
	b7:d4:a7:49:da:f4:d3:ee:14:10:e4:5c:3f:4a:62:
	52:81:34:d0:8e:f3:7e:d4:42:0a:34:e2:f9:a7:bc:
	03:f9:c0:48:e8:9b:7f:da:08:ec:db:82:fd:a2:aa:
	0f:5d:71:
prime2:
	00:d2:cf:2d:81:00:28:43:76:b3:76:10:3f:04:57:
	63:94:fa:bb:08:6a:a2:7d:99:4b:0f:ad:76:11:da:
	5c:2a:2b:33:0a:05:0d:f8:51:9a:4d:b3:40:4b:53:
	63:c8:c1:96:45:c7:42:35:cf:05:cf:8a:e2:aa:bd:
	dc:96:c0:fd:c8:c4:dc:4c:0b:1f:43:74:04:cf:13:
	f5:fa:ea:b6:0d:82:92:8c:03:bd:e9:7b:b1:f2:d0:
	df:fd:c5:1b:6e:66:b7:ce:f6:12:65:34:c8:15:01:
	da:36:5e:f9:d8:ad:37:86:52:2b:ea:9f:f5:75:6b:
	91:b3:01:6f:52:e9:e9:07:16:db:ba:65:e2:49:cc:
	4f:70:11:39:5c:fa:d2:da:d4:0c:24:17:c4:68:6f:
	d4:7f:6d:
coefficient:
	3b:96:f2:06:96:22:14:a2:fe:27:09:2f:43:b0:22:
	a6:f4:ae:33:c2:f8:be:d5:03:96:7d:4a:d1:eb:7b:
	9d:51:bd:77:1d:3f:79:ef:62:1d:c3:e9:c2:9a:53:
	df:ec:33:9b:32:36:f6:e7:40:e8:6c:1b:16:3d:4e:
	94:97:94:02:5d:cc:23:45:6b:53:8d:b8:7c:0e:24:
	f9:5c:30:e4:e3:76:5b:f6:1f:74:3d:ca:e7:ef:a0:
	1e:d3:c8:a2:54:d2:db:06:4b:0d:b0:b9:64:ca:dd:
	68:44:51:d6:07:c5:ac:5b:e7:11:4b:76:b0:78:ba:
	aa:b1:af:06:64:0d:27:1a:85:2d:a8:5a:c1:d7:c1:
	2e:f6:ef:fe:f6:0d:d6:f1:18:fc:0b:14:b1:d7:76:
	51:1b:
exp1:
	76:ce:d4:8e:18:92:ee:48:75:8d:23:e0:dc:53:d9:
	99:38:d1:c5:f0:e7:08:aa:c4:d9:7f:8f:44:6c:f6:
	46:27:f9:d6:e2:c0:fd:4d:7c:7e:fe:4a:dd:02:16:
	95:07:3e:fb:ec:c6:3e:f8:e7:eb:fe:fc:3b:51:80:
	18:9c:c2:fd:40:19:ec:27:ad:6e:f6:72:42:5a:95:
	68:cd:e5:24:28:60:1d:7c:4b:58:47:45:54:03:56:
	8c:6f:e0:c3:d1:e9:9d:ab:af:d8:cf:a2:42:3f:5d:
	f7:95:df:c9:b0:0f:05:6c:cb:ed:2e:63:00:db:c1:
	35:42:76:fa:0b:4f:1a:53:80:b1:2c:51:af:66:7a:
	54:f5:c0:32:06:37:a8:92:2c:30:c8:d4:27:04:a3:
	74:a1:
exp2:
	18:07:41:5a:88:d8:0e:08:83:a0:1b:6d:f3:62:ba:
	99:0a:93:32:fc:64:95:08:5a:03:e9:73:a1:c9:4f:
	e4:06:94:84:b9:da:c3:c9:19:5b:6d:e9:10:2c:eb:
	1c:c0:e4:0e:04:0e:49:ef:d4:eb:b9:1a:e8:f7:47:
	23:6f:cf:fd:88:62:cb:d0:20:ba:21:89:42:c9:35:
	aa:6a:02:62:3b:d5:d4:5b:c0:d3:d2:23:90:57:ba:
	90:44:5d:42:12:37:35:41:db:0a:ea:1f:3c:35:bf:
	d7:9e:af:bf:c0:ce:a9:62:c8:5a:af:ec:dc:7b:6c:
	5a:08:f9:d5:6b:90:02:1c:da:e2:be:26:32:df:34:
	d6:c3:3f:d4:97:4a:5d:62:fa:17:4b:16:3a:09:35:
	21:69:
Public Key ID: A8:25:47:F6:8F:44:D6:35:1B:EF:6C:AC:D1:D7:B9:6E:84:F9:DF:A3
Public key's random art:
+--[ RSA 2432]----+
|            +    |
|         . . =   |
|      o o . . .  |
|     o =     =  o|
|    . + S   . O.o|
|     = . o   * o.|
|    .   . . . o. |
|              .+.|
|             Eo.=|
+-----------------+
-----BEGIN RSA PRIVATE KEY-----
MIIFegIBAAKCATEApzor7D8UsCwZ9vFukB2/jqn26XCECYfzUPNfw5RQ+ixk1leA
WOGW/O7QvQQVfl9/pTP4/LuR7zd5w1rb+BntA68i1uk3LOhTwreLKxHwpIeZeeC6
zJlm4RYJFZTeX06qGNJZ3WCcdl/FlpXUY3i/vBO5xVHBUrVq4IvQM4DBa47C+Kap
fe2AGUV3DKEF1Y20Zs1S2SFbpkMu3PrZexKs/Jcf8Uv+RcfbSEbp6jUuYxFLPDZ+
ROhb62gHMvniNIF0xpO+fSjT2IrEqgLhQJprf1w0077zqOnaQLHl6rUdvy42SVjp
V3Ymf8ox4OfkSkOXbd3ZOe5QCFhEfXoCDqP/hgJMnpNGSeRllOlcU7BXCJeqMt0u
xLQdDQiDO4b4ct9kKyeWVMjZ3E0n+qjFaHnYHQIDAQABAoIBMHkrhm39W0E4A2xS
jllwpL972kRV2eaKEr0iS86MZoyPpFVHO+GrPFtzs95x2h0il3weB5khVGHwYZMy
/9Zq+rlDqsvsWqV4hlC96+I+co7VDlkohFICCXCpJdX0c5i9iDTKHoFxIo4HYUV2
tVmKQevGo0IdtiX2/EVOKYNYFU6ZOB8xq/hqIfqtwdBt0KtnrUMcHZ7lM+Jo+eL6
2JrnNuAgjCVN6ReVS3E43xhxzeCgf7JY/ovAHNKWShcUvxw76LVUK41HUKd3VmGo
43ndcIhfiaH4eA1H7zKYwUeI2DPtlRCQf/FXyysYyVih3u8ccFpYPIY9lhetnP0L
69gzpF9/25fAeLSUVlYKg7PTAsZvCNwNIo8qSyV6NJeOY0mKOdHBHpuTQcWctlCe
/3o35MECgZkAyxNKo4+tXGOJMPM76yWF2WytbVD4AwDTHuOurVR6myEachimVOQy
WI1mN2WM9483Zez47y6pwXi7BJCq/gryfICCMsfb77wQxv/g1C65Og7MKSiBuEF4
N4BpOV6XRDbWzTmvFMLf82e31KdJ2vTT7hQQ5Fw/SmJSgTTQjvN+1EIKNOL5p7wD
+cBI6Jt/2gjs24L9oqoPXXECgZkA0s8tgQAoQ3azdhA/BFdjlPq7CGqifZlLD612
EdpcKiszCgUN+FGaTbNAS1NjyMGWRcdCNc8Fz4riqr3clsD9yMTcTAsfQ3QEzxP1
+uq2DYKSjAO96Xux8tDf/cUbbma3zvYSZTTIFQHaNl752K03hlIr6p/1dWuRswFv
UunpBxbbumXiScxPcBE5XPrS2tQMJBfEaG/Uf20CgZh2ztSOGJLuSHWNI+DcU9mZ
ONHF8OcIqsTZf49EbPZGJ/nW4sD9TXx+/krdAhaVBz777MY++Ofr/vw7UYAYnML9
QBnsJ61u9nJCWpVozeUkKGAdfEtYR0VUA1aMb+DD0emdq6/Yz6JCP133ld/JsA8F
bMvtLmMA28E1Qnb6C08aU4CxLFGvZnpU9cAyBjeokiwwyNQnBKN0oQKBmBgHQVqI
2A4Ig6AbbfNiupkKkzL8ZJUIWgPpc6HJT+QGlIS52sPJGVtt6RAs6xzA5A4EDknv
1Ou5Guj3RyNvz/2IYsvQILohiULJNapqAmI71dRbwNPSI5BXupBEXUISNzVB2wrq
Hzw1v9eer7/AzqliyFqv7Nx7bFoI+dVrkAIc2uK+JjLfNNbDP9SXSl1i+hdLFjoJ
NSFpAoGYO5byBpYiFKL+JwkvQ7AipvSuM8L4vtUDln1K0et7nVG9dx0/ee9iHcPp
wppT3+wzmzI29udA6GwbFj1OlJeUAl3MI0VrU424fA4k+Vww5ON2W/YfdD3K5++g
HtPIolTS2wZLDbC5ZMrdaERR1gfFrFvnEUt2sHi6qrGvBmQNJxqFLahawdfBLvbv
/vYN1vEY/AsUsdd2URs=
-----END RSA PRIVATE KEY-----
							
							
							
						
@@ -1,28 +0,0 @@
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_realm = KERBEROS.TEST
 default_keytab_name = /etc/krb5-keytab
 default_ccache_name = FILE:/tmp/krb5_cc%{uid}
[realms]
KERBEROS.TEST = {
 kdc = https://kerberos.test/kerberos
 http_anchors = FILE:/etc/ca.pem
# kdc = kerberos.test
 admin_server = kerberos.test
 auto_to_local = DEFAULT
}
[domain_realm]
.kerberos.test = KERBEROS.TEST
kerberos.test = KERBEROS.TEST
							
							
							
						
@@ -1,20 +0,0 @@
#!/bin/sh
if [ "$REASON" != "connect" ];then
	if test "$STATS_BYTES_IN" != "0";then
		echo $STATS_BYTES_IN >/tmp/disconnect/ok
	else
		echo $STATS_BYTES_IN >/tmp/disconnect/not-ok
	fi
elif [ "$REASON" = "connect" ];then
	rm -f /tmp/disconnect/group-ok
	if test "$GROUPNAME" != "testuser";then
		echo "Groupname failed: $GROUPNAME" >/tmp/group-not-ok
		exit 1;
	else
		echo "Groupname ok: $GROUPNAME" >/tmp/group-ok
	fi
fi
exit 0
							
							
							
						
@@ -1,24 +0,0 @@
#%PAM-1.0
auth	   required	pam_sepermit.so
#auth       substack     password-auth
auth required pam_krb5.so
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
account sufficient pam_krb5.so
password sufficient pam_krb5.so
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session optional pam_krb5.so
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare
							
							
							
						
@@ -1,2 +0,0 @@
test:tost:$5$i6SNmLDCgBNjyJ7q$SZ4bVJb7I/DLgXo3txHBVohRFBjOtdbxGQZp.DOnrA.
tost:*:$5$qc1CKWjcmlrFREe2$h9zQJcD3AeuQmwMncdIqqls47TDOUvu2r2nXQ7aDfcD
							
							
							
						
@@ -0,0 +1,150 @@
#!/bin/bash
#
# Copyright (C) 2019 Nikos Mavrogiannopoulos
#
# This file is part of ocserv.
#
# ocserv is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at
# your option) any later version.
#
# ocserv is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
#
# This tests operation/traffic under compression (lzs or lz4).
OCCTL="${OCCTL:-../src/occtl/occtl}"
SERV="${SERV:-../src/ocserv}"
srcdir=${srcdir:-.}
PORT=5647
PIDFILE=ocserv-pid.$$.tmp
CLIPID=oc-pid.$$.tmp
PATH=${PATH}:/usr/sbin
IP=$(which ip)
OUTFILE=traffic.$$.tmp
USERNAME=krb5user
USERPASS=krb5user123
. `dirname $0`/common.sh
if test -z "${IP}";then
	echo "no IP tool is present"
	exit 77
fi
if test "$(id -u)" != "0";then
	echo "This test must be run as root"
	exit 77
fi
if ! test -f /etc/krb5.conf && ! test -f /var/kerberos/krb5kdc/kdc.conf;then
	echo "This test must be run on a KDC-running system"
	exit 1
fi
echo "Testing ocserv with kerberos... "
function finish {
  set +e
  echo " * Cleaning up..."
  test -n "${PID}" && kill ${PID} >/dev/null 2>&1
  test -n "${KRB5PID}" && kill ${KRB5PID} >/dev/null 2>&1
  test -n "${PIDFILE}" && rm -f ${PIDFILE} >/dev/null 2>&1
  test -n "${CLIPID}" && kill $(cat ${CLIPID}) >/dev/null 2>&1
  test -n "${CLIPID}" && rm -f ${CLIPID} >/dev/null 2>&1
  test -n "${CONFIG}" && rm -f ${CONFIG} >/dev/null 2>&1
  rm -f ${OUTFILE} 2>&1
}
trap finish EXIT
# server address
ADDRESS=10.97.216.1
CLI_ADDRESS=10.97.217.1
VPNNET=192.168.1.0/24
VPNADDR=192.168.1.1
VPNNET6=fd91:6d87:7341:db6a::/112
VPNADDR6=fd91:6d87:7341:db6a::1
OCCTL_SOCKET=./occtl-radius-$$.socket
. `dirname $0`/ns.sh
${CMDNS2} ${IP} link set dev lo up
# Run KDC
# This is destructive at the moment as it changes the system that it is being run.
echo -e "secret123\nsecret123"|/usr/sbin/kdb5_util create -s
echo " * added ${USERNAME}"
echo -e "${USERPASS}\n${USERPASS}" | /usr/sbin/kadmin.local -q "addprinc ${USERNAME}"
echo -e "test123\ntest123" | /usr/sbin/kadmin.local -q "addprinc HTTP/kerberos.test"
/usr/sbin/kadmin.local -q "xst -norandkey -k /etc/krb5-keytab HTTP/kerberos.test@KERBEROS.TEST"
${CMDNS2} /usr/sbin/krb5kdc &
KRB5PID=$!
sleep 2
export TEST_PAMDIR=data/pam-kerberos
update_config kerberos.config
if test "$VERBOSE" = 1;then
DEBUG="-d 3"
fi
# Run ocserv
PREPEND_CMD=${CMDNS2}
launch_pam_server -d 1 -f -c ${CONFIG} & PID=$!
PREPEND_CMD=""
sleep 5
echo " * Getting cookie via PAM from ${ADDRESS}:${PORT}..."
( echo "${USERPASS}" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly )
if test $? != 0;then
	echo "Could not get cookie from server"
	exit 1
fi
${CMDNS1} echo ${USERPASS}|kinit ${USERNAME}@KERBEROS.TEST
echo " * Connecting via krb5 to ${ADDRESS}:${PORT}..."
( ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b )
if test $? != 0;then
	echo "Could not connect to server"
	exit 1
fi
sleep 3
${CMDNS1} ping -w 5 ${VPNADDR}
if test $? != 0;then
	echo "Could not ping server IP"
	exit 1
fi
${CMDNS2} ping -w 3 ${CLIVPNADDR}
if test $? != 0;then
	echo "Could not ping client IP"
	exit 1
fi
sleep 60
echo " * Connecting via krb5 and non-fresh ticket to ${ADDRESS}:${PORT}..."
( ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b )
if test $? = 0;then
	echo "Could connect to server although not expected"
	exit 1
fi
exit 0
							
							
							
						
@@ -1,118 +0,0 @@
#!/bin/sh
#
# Copyright (C) 2014 Red Hat
#
# This file is part of ocserv.
#
# ocserv is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at
# your option) any later version.
#
# ocserv is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with ocserv; if not, write to the Free Software Foundation,
# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
srcdir=${srcdir:-.}
SERV="${SERV:-../src/ocserv}"
#this test can only be run as root
id|grep root >/dev/null 2>&1
if [ $? != 0 ];then
	exit 77
fi
$SERV --version 2>&1|grep gssapi >/dev/null 2>&1
if [ $? != 0 ];then
	exit 77
fi
stop_all() {
        $DOCKER stop test_ocserv_client_kerberos
        $DOCKER rm test_ocserv_client_kerberos
        $DOCKER stop test_ocserv_kerberos
        $DOCKER rm test_ocserv_kerberos
        exit 1
}
CONFIG="kerberos"
DOCKER_DIR=docker-kerberos
IMAGE=ocserv-kerberos-test
IMAGE_NAME=test_ocserv_kerberos
. ./docker-common.sh
$DOCKER run -P --privileged=true --hostname=kerberos.test --add-host='kerberos.test:127.0.0.1' --tty=false -d --name $IMAGE_NAME $IMAGE
if test $? != 0;then
	echo "Cannot run docker image"
	exit 1
fi
echo "ocserv image was run"
#wait for ocserv to server
sleep 5
get_ip
if test -z "$IP";then
	echo "Detected IP is null!"
	$DOCKER inspect $IMAGE_NAME
	stop
fi
echo "Detected KDC IP: $IP"
# run the client
CONFIG="client"
DOCKER_DIR=docker-kerberos
IMAGE=ocserv-kerberos-client-test
IMAGE_NAME=test_ocserv_client_kerberos
. ./docker-common.sh
$DOCKER run -P --privileged=true --add-host="kerberos.test:$IP" --tty=false -d --name test_ocserv_client_kerberos $IMAGE
if test $? != 0;then
	echo "Could not run client docker image"
	stop_all
fi
CIP=`$DOCKER inspect test_ocserv_client_kerberos | grep IPAddress | cut -d '"' -f 4`
if test -z "$CIP";then
	echo "Detected client IP is null!"
	$DOCKER inspect $IMAGE_NAME
	stop
fi
echo "Detected client IP: $CIP"
if test ! -z "$QUIT_ON_INIT";then
	exit 0
fi
echo "Waiting for client tests"
sleep 100
check_for_file /tmp/ok1 test_ocserv_client_kerberos
if test $? != 0;then
	echo "Kerberos client basic test failed"
	ret=1
fi
check_for_file /tmp/ok2 test_ocserv_client_kerberos
if test $? != 0;then
	echo "Kerberos client TGT freshness test failed"
	ret=1
fi
check_for_file /tmp/group-ok test_ocserv_kerberos
if test $? != 0;then
	echo "Kerberos group name detection test failed"
	ret=1
fi
$DOCKER stop test_ocserv_kerberos
$DOCKER rm test_ocserv_kerberos
$DOCKER stop test_ocserv_client_kerberos
$DOCKER rm test_ocserv_client_kerberos
exit $ret