This introduces the 'select-group-by-url' config option
that allows selecting an authgroup just by connecting to
a dedicated URI.
Signed-off-by: Marcin Ochab <marcin.ochab@gmail.com>
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Hijack Roaring Penguin's RADIUS attributes for that purpose:
* RP-Upstream-Speed-Limit → rx_per_sec
* RP-Downstream-Speed-Limit → tx_per_sec
While the ocserv configuration options use b/s, ocserv uses kb/s
internally. The radius attributes are already expressed in kb/s,
so we don't need to convert them.
Signed-off-by: Dimitri Papadopoulos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com>
The main benefit is that there is less manual work to add a
test (discovery of unique random addresses is not necessary),
but it also ensures that the tests can run on environments where the
previously hard-coded addresses were present.
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
* this test allows to validate the occtl output (JSON format) returns
expected fields
* we only test 2 fields for now (ID and raw_connected_at), but could
be expanded easily
Signed-off-by: Florian Domain <f.domain@criteo.com>
This checks the functionality of idle-timeout and
session-timeout as well as whether the cookies are
invalidated after the user is disconnected.
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Also measure whether ban points are credited to the right
address for failed attempts.
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
It is not necessary to specify the device config directive on
each virtual host configuration. Ensure that we don't require it
by mistake. This also introduces a traffic test when operating
with virtual hosts.
Resolves: #480
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Added test-group-cert and test-fork tests that were
present but were never included in the CI test suite.
Removed unix-test which was an obsolete test present
in tests/.
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
This adds a test for the available multi-group options as
well as documentation for the feature. This tests two options:
* Separate group names in separate class attributes
* Separate group names in separate class attributes with the OU= format
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
This adds a "camouflage" functionality (looking and acting like an ordinary web server),
to prevent OCserv installations from being automatically scanned or blocked with active probing techniques.
Signed-off-by: Kirill Ovchinnikov <kirill.ovchinn@gmail.com>
By default, anyconnect clients will drop all traffic of a given IP
version if there is no IP address in that version assigned to the
client. The client-bypass-protocol option, if enabled, will send an
extra header to the clients telling anyconnect client to bypass VPN
tunnel if there is no IP assigned. No impact for openconnect clients,
this header will simply be ignored.
Signed-off-by: Florian Domain <f.domain@criteo.com>
while using udp, we later open a file descriptor for the worker. With a
listen netns config, I overlooked this case which oblige me to move the
struct containing the file descriptor in the main one. Then I can access
them from each worker to make it possible to open the socket in the
correct netns. I also need to keep the netns fd open during the whole
life of the process.
the issue was not visible on a tcp-only case, but while using udp you
can see logs such as:
main[user]: x.x.x.x:54024 bind UDP to 0.0.0.0:443: Cannot assign requested address
worker[user]: x.x.x.x setting up DTLS-PSK connection
main[user]: x.x.x.x:54024 bind UDP to 0.0.0.0:443: Cannot assign requested address
update tests to reflects that:
- instead of creating our own netns, use the one created in common.sh
- we start server in ns1, but listen in ns2, and test client from ns3
(we don't want to listen in ns1 to test listen-ns)
Signed-off-by: William Dauchy <w.dauchy@criteo.com>
This ignores any items following the first group class attribute.
Resolves: #332
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Now all tests configs are being auto-generated, so this variable
will be replaced.
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Previously when we were disconnecting a user there were few seconds
after which the cookie was still valid, so a reconnect would succeed
by the same user. This change ensures that a disconnected (via occtl)
user cannot re-use the same cookie to connect. That enables a safe
user removal from the authentication database, and from run-time.
Resolves: #59
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
- this patch adds `listen-netns` parameter
- when set the listening socket will be created in the given namespace
it allows to properly segregate your traffic:
- do the backend traffic in the root namespace
- receive the VIP traffic in a given namespace
All this patch is widely inspired by haproxy implementation which allows
to bind each IP in a given namespace.
Resolves: #316
Signed-off-by: William Dauchy <w.dauchy@criteo.com>
This addresses issues with anyconnect clients which send back the descriptive labels.
Resolves#267
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
This fixes the ban entries listing from printing all the items in
the database, to all the items that are actually banned from
connecting.
Resolves: #272
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
This permits the validation of OpenID Connect auth tokens OpenID
Connect is an OAuth 2.0 protocol used to identify a resource owner
(VPN client end-user) to a resource server (VPN server) intermediated
by an Authorization server.
Resolves: #240
Signed-off-by: Alan TG Jowett <alan.jowett@microsoft.com>
When a client re-uses a cookie and takes over a previous connection
previously the disconnect script of the old connection wouldn't receive
the IP information. Ensure that all information is provided to scripts
at this case.
Resolves: #231
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
This modifies test-pass-script to force a DPD timeout to
verify whether ${IP_REMOTE} is set on the disconnect script.
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
This test verifies that the server will continue to operate
even if the up script will block indefinitely.
Resolves: #241
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
