#!/bin/bash # # Copyright (C) 2018 Nikos Mavrogiannopoulos # # This file is part of ocserv. # # ocserv is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by the # Free Software Foundation; either version 2 of the License, or (at # your option) any later version. # # ocserv is distributed in the hope that it will be useful, but # WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU # General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see . # OCCTL="${OCCTL:-../src/occtl/occtl}" SERV="${SERV:-../src/ocserv}" srcdir=${srcdir:-.} PIDFILE=ocserv-pid.$$.tmp CLIPID=oc-pid.$$.tmp HACONFIG=haproxy.conf.$$.tmp PATH=${PATH}:/usr/sbin OCCTL_SOCKET=./occtl-haproxy-$$.socket HAPROXY=$(which haproxy) IP=$(which ip) OUTPUT=./proxyproto.tmp . `dirname $0`/common.sh eval "${GETPORT}" HAPORT=${PORT} eval "${GETPORT}" if test -z "${HAPROXY}";then echo "no haproxy present" exit 77 fi if test -z "${IP}";then echo "no IP tool is present" exit 77 fi if test "$(id -u)" != "0";then echo "This test must be run as root" exit 77 fi echo "Testing ocserv connection via haproxy... " function finish { set +e echo " * Cleaning up..." test -n "${HAPID}" && kill ${HAPID} >/dev/null 2>&1 test -n "${PID}" && kill ${PID} >/dev/null 2>&1 test -n "${PIDFILE}" && rm -f ${PIDFILE} >/dev/null 2>&1 test -n "${CLIPID}" && kill $(cat ${CLIPID}) >/dev/null 2>&1 test -n "${CLIPID}" && rm -f ${CLIPID} >/dev/null 2>&1 test -n "${HACONFIG}" && rm -f ${HACONFIG} >/dev/null 2>&1 test -n "${CONFIG}" && rm -f ${CONFIG} >/dev/null 2>&1 test -n "${NUTTCPPID}" && kill ${NUTTCPPID} >/dev/null 2>&1 rm -f proxyproto-connect-ok rm -f $OUTPUT } trap finish EXIT rm -f proxyproto-connect-ok # server address . `dirname $0`/random-net.sh . `dirname $0`/ns.sh # Run servers update_config haproxy-proxyproto.config if test "$VERBOSE" = 1;then DEBUG="-d 3" fi ${CMDNS2} ${SERV} -p ${PIDFILE} -f -c ${CONFIG} ${DEBUG} & PID=$! sleep 1 rm -f ${HACONFIG} sed -e 's|@HAPORT@|'${HAPORT}'|g' -e 's|@PORT@|'${PORT}'|g' -e 's|@ADDRESS@|'${ADDRESS}'|g' ${srcdir}/data/haproxy-proxyproto.cfg >${HACONFIG} ${CMDNS2} ${HAPROXY} -f ${HACONFIG} -d & HAPID=$! sleep 3 # Run clients echo " * Getting cookie from ${ADDRESS}:${HAPORT}..." ( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${HAPORT} -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) if test $? != 0;then echo "Could not get cookie from server" exit 1 fi echo " * Connecting to ${ADDRESS}:${HAPORT}..." ( echo "test" | ${CMDNS1} ${OPENCONNECT} -q ${ADDRESS}:${HAPORT} -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) if test $? != 0;then echo "Could not connect to server" exit 1 fi set -e echo " * ping remote address" ${CMDNS1} ping -c 3 ${VPNADDR} set +e ${CMDNS2} ${OCCTL} -j -s ${OCCTL_SOCKET} show user test >$OUTPUT if test $? != 0;then echo "occtl didn't find connected user!" exit 1 fi REMOTE_IP=$(cat $OUTPUT|grep "Remote IP"|sed 's/[",\ ]//g'|cut -d ':' -f 2) if test "$REMOTE_IP" != "$CLI_ADDRESS";then echo Remote IP: $REMOTE_IP echo Client IP: $CLI_ADDRESS exit 1 fi echo " * Connecting with wrong password ${ADDRESS}:${HAPORT}..." ( echo "xxest" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${HAPORT} -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) if test $? = 0;then echo "Got cookie unexpectedly!" exit 1 fi ( echo "xxest" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${HAPORT} -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) if test $? = 0;then echo "Got cookie unexpectedly!" exit 1 fi ${CMDNS2} ${OCCTL} -s ${OCCTL_SOCKET} show ip ban points >${OUTPUT} POINTS=$(grep "$CLI_ADDRESS" ${OUTPUT}|tr -s ' '|sed 's/^ //g'|cut -d ' ' -f 2) if test "$POINTS" -lt 20;then echo "Client did not get ban points ($CLI_ADDRESS - $POINTS)" cat $OUTPUT exit 1 fi echo " * checking for connect-ok" if ! test -f proxyproto-connect-ok;then echo "Could not find file written by script" exit 1 fi if ! test -f ${PIDFILE};then echo "Could not find pid file ${PIDFILE}" exit 1 fi exit 0