This disables all the tests that use LD_PRELOAD, and thus limits
the test suite on the tests that are run as root.
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
The previously used HOSTNAME variable is being overriden by bash and
thus was not a reliable one. We switch to setting REMOTE_HOSTNAME,
but keep the HOSTNAME for compatibility.
This also changes 'test-pass-script' to check for the new variable.
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Previously when we were disconnecting a user there were few seconds
after which the cookie was still valid, so a reconnect would succeed
by the same user. This change ensures that a disconnected (via occtl)
user cannot re-use the same cookie to connect. That enables a safe
user removal from the authentication database, and from run-time.
Resolves: #59
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
- this patch adds `listen-netns` parameter
- when set the listening socket will be created in the given namespace
it allows to properly segregate your traffic:
- do the backend traffic in the root namespace
- receive the VIP traffic in a given namespace
All this patch is widely inspired by haproxy implementation which allows
to bind each IP in a given namespace.
Resolves: #316
Signed-off-by: William Dauchy <w.dauchy@criteo.com>
Capture all the required worker process state in a protobuf and
pass to worker via env. Snapshot all config files to ensure ocserv-sm
and ocserv-worker remain in sync. Split ocserv-worker functionality
into it's own executable with minimal dependencies.
Resolves: #285
Signed-off-by: Alan Jowett alanjo@microsoft.com
This addresses issues with anyconnect clients which send back the descriptive labels.
Resolves#267
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
This fixes the ban entries listing from printing all the items in
the database, to all the items that are actually banned from
connecting.
Resolves: #272
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Export more information to the script, including client device platform,
type and user agent.
Resolves: #256
Signed-off-by: Alan Jowett <alanjo@microsoft.com>
This permits the validation of OpenID Connect auth tokens OpenID
Connect is an OAuth 2.0 protocol used to identify a resource owner
(VPN client end-user) to a resource server (VPN server) intermediated
by an Authorization server.
Resolves: #240
Signed-off-by: Alan TG Jowett <alan.jowett@microsoft.com>
When a client re-uses a cookie and takes over a previous connection
previously the disconnect script of the old connection wouldn't receive
the IP information. Ensure that all information is provided to scripts
at this case.
Resolves: #231
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
This modifies test-pass-script to force a DPD timeout to
verify whether ${IP_REMOTE} is set on the disconnect script.
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
This test verifies that the server will continue to operate
even if the up script will block indefinitely.
Resolves: #241
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
When max-same-clients is set to 1 and a user re-using a cookie
connects, check_multiple_users() would prevent the user from
reconnecting. This corrects the issue by taking into account
only valid sessions that have not yet been disconnected.
Resolves: #223
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
This option supports different listen addresses for tcp and
udp such as haproxy for tcp, but support dtls at the same time (haproxy
does not support UDP at the moment)
