4 files changed, 80 insertions, 17 deletions

diff --git a/data/templates/ocserv/ocserv_config.tmpl b/data/templates/ocserv/ocserv_config.tmpl
index 328af0c0d..8a394f0ac 100644
--- a/data/templates/ocserv/ocserv_config.tmpl
+++ b/data/templates/ocserv/ocserv_config.tmpl
@@ -70,6 +70,11 @@ ipv6-network = {{ network_settings.client_ipv6_pool.prefix }}
 ipv6-subnet-prefix = {{ network_settings.client_ipv6_pool.mask }}
 {%     endif %}
 {%   endif %}
+{%   if network_settings.split_dns is defined %}
+{%     for tmp in network_settings.split_dns %}
+split-dns = {{ tmp }}
+{%     endfor %}
+{%   endif %}
 {% endif %}
 
 {% if network_settings.push_route is string %}
@@ -79,4 +84,3 @@ route = {{ network_settings.push_route }}
 route = {{ route }}
 {%   endfor %}
 {% endif %}
-
diff --git a/interface-definitions/vpn_openconnect.xml.in b/interface-definitions/vpn_openconnect.xml.in
index f35b1ebbd..888f32b99 100644
--- a/interface-definitions/vpn_openconnect.xml.in
+++ b/interface-definitions/vpn_openconnect.xml.in
@@ -191,6 +191,19 @@
                 </children>
               </node>
               #include <include/name-server-ipv4-ipv6.xml.i>
+              <leafNode name="split-dns">
+                <properties>
+                  <help>Domains over which the provided DNS should be used</help>
+                  <valueHelp>
+                    <format>txt</format>
+                    <description>Client prefix length</description>
+                  </valueHelp>
+                  <constraint>
+                    <validator name="fqdn"/>
+                  </constraint>
+                  <multi/>
+                </properties>
+              </leafNode>
             </children>
           </node>
       </children>
diff --git a/smoketest/scripts/cli/test_vpn_openconnect.py b/smoketest/scripts/cli/test_vpn_openconnect.py
index ccac0820d..6db49abab 100755
--- a/smoketest/scripts/cli/test_vpn_openconnect.py
+++ b/smoketest/scripts/cli/test_vpn_openconnect.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2020 VyOS maintainers and contributors
+# Copyright (C) 2020-2022 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -19,36 +19,82 @@ import unittest
 from base_vyostest_shim import VyOSUnitTestSHIM
 from vyos.util import process_named_running
 from vyos.util import cmd
+from vyos.util import read_file
 from os import path, mkdir
 
-OCSERV_CONF = '/run/ocserv/ocserv.conf'
 base_path   = ['vpn', 'openconnect']
 cert_dir    = '/config/auth/'
 ca_cert     = f'{cert_dir}ca.crt'
 ssl_cert    = f'{cert_dir}server.crt'
 ssl_key     = f'{cert_dir}server.key'
 
-class TestVpnOpenconnect(VyOSUnitTestSHIM.TestCase):
+PROCESS_NAME = 'ocserv-main'
+config_file = '/run/ocserv/ocserv.conf'
+auth_file = '/run/ocserv/ocpasswd'
+otp_file = '/run/ocserv/users.oath'
+
+class TestVPNOpenConnect(VyOSUnitTestSHIM.TestCase):
+    @classmethod
+    def setUpClass(cls):
+        super(TestVPNOpenConnect, cls).setUpClass()
+
+        # ensure we can also run this test on a live system - so lets clean
+        # out the current configuration :)
+        cls.cli_delete(cls, base_path)
+
+        cls.cli_set(cls, base_path + ["ssl", "ca-cert-file", ca_cert])
+        cls.cli_set(cls, base_path + ["ssl", "cert-file", ssl_cert])
+        cls.cli_set(cls, base_path + ["ssl", "key-file", ssl_key])
+
     def tearDown(self):
+        self.assertTrue(process_named_running(PROCESS_NAME))
+
         # Delete vpn openconnect configuration
         self.cli_delete(base_path)
         self.cli_commit()
 
-    def test_vpn(self):
+        self.assertFalse(process_named_running(PROCESS_NAME))
+
+    def test_ocserv(self):
         user = 'vyos_user'
         password = 'vyos_pass'
-        self.cli_delete(base_path)
-        self.cli_set(base_path + ["authentication", "local-users", "username", user, "password", password])
-        self.cli_set(base_path + ["authentication", "mode", "local"])
-        self.cli_set(base_path + ["network-settings", "client-ip-settings", "subnet", "192.0.2.0/24"])
-        self.cli_set(base_path + ["ssl", "ca-cert-file", ca_cert])
-        self.cli_set(base_path + ["ssl", "cert-file", ssl_cert])
-        self.cli_set(base_path + ["ssl", "key-file", ssl_key])
+
+        v4_subnet = '192.0.2.0/24'
+        v6_prefix = '2001:db8:1000::/64'
+        v6_len = '126'
+        name_server = ['1.2.3.4', '1.2.3.5', '2001:db8::1']
+        split_dns = ['vyos.net', 'vyos.io']
+
+        self.cli_set(base_path + ['authentication', 'local-users', 'username', user, 'password', password])
+        self.cli_set(base_path + ['authentication', 'mode', "local"])
+        self.cli_set(base_path + ["network-settings", "client-ip-settings", "subnet", v4_subnet])
+        self.cli_set(base_path + ['network-settings', 'client-ip-settings', 'subnet', v4_subnet])
+        self.cli_set(base_path + ['network-settings', 'client-ipv6-pool', 'prefix', v6_prefix])
+        self.cli_set(base_path + ['network-settings', 'client-ipv6-pool', 'mask', v6_len])
+
+        for ns in name_server:
+            self.cli_set(base_path + ['network-settings', 'name-server', ns])
+        for domain in split_dns:
+            self.cli_set(base_path + ['network-settings', 'split-dns', domain])
 
         self.cli_commit()
 
-        # Check for running process
-        self.assertTrue(process_named_running('ocserv-main'))
+        # Verify configuration
+        daemon_config = read_file(config_file)
+
+        # authentication mode local password-otp
+        self.assertIn(f'auth = "plain[/run/ocserv/ocpasswd]"', daemon_config)
+        self.assertIn(f'ipv4-network = {v4_subnet}', daemon_config)
+        self.assertIn(f'ipv6-network = {v6_prefix}', daemon_config)
+        self.assertIn(f'ipv6-subnet-prefix = {v6_len}', daemon_config)
+
+        for ns in name_server:
+            self.assertIn(f'dns = {ns}', daemon_config)
+        for domain in split_dns:
+            self.assertIn(f'split-dns = {domain}', daemon_config)
+
+        auth_config = read_file(auth_file)
+        self.assertIn(f'{user}:*:$', auth_config)
 
 if __name__ == '__main__':
     if not path.exists(cert_dir):
diff --git a/src/conf_mode/vpn_openconnect.py b/src/conf_mode/vpn_openconnect.py
index 00b96884b..f24d5b618 100755
--- a/src/conf_mode/vpn_openconnect.py
+++ b/src/conf_mode/vpn_openconnect.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2018-2020 VyOS maintainers and contributors
+# Copyright (C) 2018-2022 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -61,8 +61,8 @@ def verify(ocserv):
     if "authentication" in ocserv:
         if "mode" in ocserv["authentication"]:
             if "local" in ocserv["authentication"]["mode"]:
-                if not ocserv["authentication"]["local_users"] or not ocserv["authentication"]["local_users"]["username"]:
-                    raise ConfigError('openconnect mode local required at leat one user')
+                if 'local_users' not in ocserv["authentication"] or 'username' not in ocserv["authentication"]["local_users"]:
+                    raise ConfigError('openconnect mode local requires at leat one user')
                 else:
                     for user in ocserv["authentication"]["local_users"]["username"]:
                         if not "password" in ocserv["authentication"]["local_users"]["username"][user]: