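#!/bin/bash
#
# Copyright (C) 2023 Nikos Mavrogiannopoulos
#
# This file is part of ocserv.
#
# ocserv is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at
# your option) any later version.
#
# ocserv is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software Foundation,
# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
#
# Test: the session-timeout configured in session-timeout.config must
#   1. keep counting across a reconnect with the same cookie, i.e. the
#      X-CSTP-Session-Timeout-Remaining value advertised on the second
#      connection must not be reset to the full timeout (ref: issue #599);
#   2. tear the session down once the timeout has elapsed; and
#   3. leave the cookie unusable afterwards, so a captured cookie cannot be
#      replayed to re-establish a session that the server already expired.
#
# Environment: OCCTL, SERV and srcdir may be overridden by the caller.
# OPENCONNECT, CMDNS1/CMDNS2, ADDRESS, VPNADDR, GETPORT, CONFIG,
# update_config and fail are provided by the sourced helper scripts
# (fail is expected to report the message and terminate the run).

OCCTL="${OCCTL:-../src/occtl/occtl}"
SERV="${SERV:-../src/ocserv}"
srcdir=${srcdir:-.}
OCCTL_SOCKET=./occtl-ban-$$.socket
PIDFILE=ocserv-pid.$$.tmp
CPIDFILE=openpid.$$.tmp
OUTFILE=ban.$$.tmp

# Pin of the test server's certificate. Every client connection uses the
# same pin so that a TLS trust problem can never be mistaken for (or mask)
# a session-timeout result.
SERVERCERT="pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8="

. "$(dirname "$0")"/random-net.sh
. "$(dirname "$0")"/common.sh
. "$(dirname "$0")"/ns.sh

eval "${GETPORT}"

# Cleanup on any exit path: stop the background openconnect client (if one
# is still running), then the server, then the temporary files. Without the
# client kill a run that fails after "Connecting with cookie" leaves an
# openconnect process behind.
function finish {
  set +e
  echo " * Cleaning up..."
  if test -f "${CPIDFILE}"; then
    kill "$(cat "${CPIDFILE}")" >/dev/null 2>&1
  fi
  test -n "${PID}" && kill ${PID} >/dev/null 2>&1
  test -n "${PIDFILE}" && rm -f "${PIDFILE}" >/dev/null 2>&1
  test -n "${CPIDFILE}" && rm -f "${CPIDFILE}" >/dev/null 2>&1
  test -n "${CONFIG}" && rm -f "${CONFIG}" >/dev/null 2>&1
  test -n "${OUTFILE}" && rm -f "${OUTFILE}" >/dev/null 2>&1
}
trap finish EXIT

echo "Testing whether session timeout works as expected... "

update_config session-timeout.config
# CMDNS1/CMDNS2 are intentionally unquoted: they hold a multi-word command
# prefix (namespace wrapper) or are empty.
# shellcheck disable=SC2086
${CMDNS2} ${SERV} -p "${PIDFILE}" -f -c "${CONFIG}" -d 3 &
PID=$!
sleep 5

echo "Connecting to obtain cookie... "
# openconnect --authenticate prints shell assignments (COOKIE=..., etc.)
# which are eval'ed to import them. The output originates from the local
# test server only; do not reuse this pattern against an untrusted server.
# shellcheck disable=SC2086
eval "$(echo "test" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q "${ADDRESS}:${PORT}" -u test --authenticate --servercert="${SERVERCERT}")"

if [ -z "$COOKIE" ]; then
  fail $PID "Could not obtain cookie"
fi

#echo "Cookie: $COOKIE"

# Let part of the session lifetime elapse before reconnecting, so that a
# server which resets the timeout on reconnect can be told apart from one
# that keeps counting.
sleep 10

echo ""
echo "Connecting with cookie... "
# shellcheck disable=SC2086
${CMDNS1} ${OPENCONNECT} "${ADDRESS}:${PORT}" -u test -C "$COOKIE" --servercert="${SERVERCERT}" --background --pid-file "${CPIDFILE}" --verbose >"${OUTFILE}"
sleep 4

if [ ! -f "${CPIDFILE}" ]; then
  fail $PID "It was not possible to establish session!"
fi

# Take the first advertised value only: if the header appears more than
# once in the verbose log a multi-line value would make the integer
# comparison below error out and the check pass silently. A trailing CR
# from the HTTP header line is stripped for the same reason.
TIME_LEFT=$(awk '/X-CSTP-Session-Timeout-Remaining/ { sub(/\r$/, ""); print $2; exit }' "${OUTFILE}")
if [ -z "${TIME_LEFT}" ]; then
  fail $PID "No session timeout advertised by server!"
fi
case "${TIME_LEFT}" in
  *[!0-9]*) fail $PID "Unparsable session timeout advertised by server: ${TIME_LEFT}" ;;
esac

# session-timeout is 25 seconds and we already waited 10s before
# reconnecting, so the remaining time should be about 15 seconds
# (25 - 10). The threshold is 20 rather than 15 to allow for scheduling
# slack; anything above it means the timeout was reset back to 25 seconds
# on the new connection (ref: issue #599).
if [ "${TIME_LEFT}" -gt 20 ]; then
  fail $PID "Session timeout was reset to ${TIME_LEFT}s after reconnection!"
fi

echo "ping remote address"
# shellcheck disable=SC2086
if ! ${CMDNS1} ping -c 3 "${VPNADDR}"; then
  fail $PID "Could not ping ${VPNADDR} over the established session!"
fi

# Seconds since the server recorded the session start; on a reconnect this
# must reflect the original session, not the new connection.
# shellcheck disable=SC2086
UPTIME=$(${CMDNS2} ${OCCTL} -s "${OCCTL_SOCKET}" -j show user test | jq 'now - .[].raw_session_started_at | floor')

if [ -z "${UPTIME}" ]; then
  fail $PID "Failed to retrieve session start time from occtl show user!"
fi

if [[ "${UPTIME}" -lt 10 || "${UPTIME}" -gt 60 ]]; then
  fail $PID "Session uptime ${UPTIME}s is outside the expected range (10–60 seconds)!"
fi

# We wait more than the configured time as session timeout is enforced every
# a couple of seconds.
echo "Waiting for session timeout... "
sleep 60

# After the timeout the user must be gone from the server's session list...
# shellcheck disable=SC2086
if ${CMDNS2} ${OCCTL} -s "${OCCTL_SOCKET}" show user test; then
  fail $PID "Client listed in occtl after timeout!"
fi

# ...and the tunnel must no longer carry traffic.
# shellcheck disable=SC2086
if ${CMDNS1} ping -c 3 "${VPNADDR}"; then
  fail $PID "Client remains connected after timeout!"
fi

sleep 5

echo "Connecting with cookie... "
# Remove the stale pid-file first, otherwise a leftover file from the
# earlier connection would look like a freshly established session.
rm -f "${CPIDFILE}"
# shellcheck disable=SC2086
${CMDNS1} ${OPENCONNECT} "${ADDRESS}:${PORT}" -u test -C "$COOKIE" --servercert="${SERVERCERT}" --background --pid-file "${CPIDFILE}"
sleep 4

# The cookie belongs to an expired session; the server must refuse it.
if [ -f "${CPIDFILE}" ]; then
  fail $PID "Established session with invalidated cookie!"
fi

exit 0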