This introduces the 'select-group-by-url' config option
that allows selecting an authgroup just by connecting to
a dedicated URI.
Signed-off-by: Marcin Ochab <marcin.ochab@gmail.com>
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
As added in c1a6f2b04a, this test verifies
that ocserv will NOT send IPv6 routes to OpenConnect v3 clients, which can't
handle them correctly.
Additionally, we can also verify that ocserv DOES send IPv6 routes to
totally unknown clients, which is the intended outcome resulting from
8b8a1a7b53.
Signed-off-by: Daniel Lenski <dlenski@amazon.com>
Hijack Roaring Penguin's RADIUS attributes for that purpose:
* RP-Upstream-Speed-Limit → rx_per_sec
* RP-Downstream-Speed-Limit → tx_per_sec
While the ocserv configuration options use b/s, ocserv uses kb/s
internally. The radius attributes are already expressed in kb/s,
so we don't need to convert them.
Signed-off-by: Dimitri Papadopoulos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com>
The main benefit is that there is less manual work to add a
test (discovery of unique random addresses is not necessary),
but it also ensures that the tests can run on environments where the
previously hard-coded addresses were present.
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Include the radiusd output with debugging information on stdout
for the radius tests. This allows better visibility to potential
configuration issues of radiusd.
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
This makes oc_syslog respect the configured log-level. This also introduces
a clear separation of the logging function between the two processes.
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Separated the logging logically from any remaining debugging
features. Introduced command line option for logging to stderr
only (for systemd and containers). The default log level is set
to (2) info.
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Once a client has progressed through the initial
auth checks (and successfully passed the initial
camouflage check), it's safe to skip further camouflage
checks. This allows the Cisco Secure client continue
successfully through HTTP requests for /profiles//etc/ocserv/profile.xml
and /1/VPNManifest.xml.
Resolves: #544
Signed-off-by: Rob van Oostenrijk <robvanoostenrijk@users.noreply.github.com>
* this test allows to validate the occtl output (JSON format) returns
expected fields
* we only test 2 fields for now (ID and raw_connected_at), but could
be expanded easily
Signed-off-by: Florian Domain <f.domain@criteo.com>
This checks the functionality of idle-timeout and
session-timeout as well as whether the cookies are
invalidated after the user is disconnected.
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Also measure whether ban points are credited to the right
address for failed attempts.
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
iperf3 is consistently included in all distributions we
are testing at, in contrast with nuttcp.
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
It is not necessary to specify the device config directive on
each virtual host configuration. Ensure that we don't require it
by mistake. This also introduces a traffic test when operating
with virtual hosts.
Resolves: #480
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
The VPN client that comes with the Cisco IP-Phone Enterprise
firmware is based on AnyConnect but was unable to authenticate
with ocserv.
The phone makes an initial GET request and looks for a cookie
named 'webvpn' that has an expiry attribute and a cookie named
'webvpnlogin' containing a non-empty value.
When username+password mode is configured, the phone will then
send a POST request containing those credentials. When using
certificate authentication an empty POST request is sent.
A handler that implements this new behaviour has been added
under the '/svc' path.
To use DTLS 'dtls-legacy' must be enabled and 'udp-port' must
be 443, a new 'cisco-svc-client-compat' option automatically
checks those settings.
New test cases test-pass-svc and test-cert-svc check the above
behaviour.
Older versions of the phone's firmware will fail to create the
DTLS tunnel if the cipher negotiated for HTTPS does not match
that selected for DTLS.
To work-around this either disable DTLS or only allow the
RSA-AES-256-CBC/SHA1 or RSA-AES-128-CBC/SHA1 cipher to be used.
doc/README-cisco-svc.md includes additional information.
Note: 'Enterprise' here is used to differentiate between that
firmware and the MPP (Multi-Platform) firmware which uses the
same hardware.
Signed-off-by: Gareth Palmer <gareth.palmer3@gmail.com>
Added test-group-cert and test-fork tests that were
present but were never included in the CI test suite.
Removed unix-test which was an obsolete test present
in tests/.
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
This adds a test for the available multi-group options as
well as documentation for the feature. This tests two options:
* Separate group names in separate class attributes
* Separate group names in separate class attributes with the OU= format
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Supporting gnulib brought a whole class of problems due to its complexity.
Removing its support eliminates this class of problems and simplifies the
code significantly.
This sets the locale explicitly on server startup to eliminate the
need for custom string comparison functions.
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Declare C string constants using array syntax, avoid pointer syntax
when possible. They are different, the array syntax generates smaller,
faster code.
Also, const char[] should usually be static, again to avoid poor
compilation and runtime performance where compilers tend to
initialize the const declaration for every call instead of using
.rodata for the string.
Signed-off-by: Dimitri Papadopoulos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com>
By default, anyconnect clients will drop all traffic of a given IP
version if there is no IP address in that version assigned to the
client. The client-bypass-protocol option, if enabled, will send an
extra header to the clients telling anyconnect client to bypass VPN
tunnel if there is no IP assigned. No impact for openconnect clients,
this header will simply be ignored.
Signed-off-by: Florian Domain <f.domain@criteo.com>
