From 923728b19a790728685027ef8fadabffee20e5bc Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Mon, 15 Aug 2022 20:04:29 +0200 Subject: smoketest: ocserv: implement config file validation (cherry picked from commit bd102eac6d0c97a5f75324d1248814ebdad42da5) --- smoketest/scripts/cli/test_vpn_openconnect.py | 67 +++++++++++++++++++++------ 1 file changed, 54 insertions(+), 13 deletions(-) diff --git a/smoketest/scripts/cli/test_vpn_openconnect.py b/smoketest/scripts/cli/test_vpn_openconnect.py index ccac0820d..999d7267d 100755 --- a/smoketest/scripts/cli/test_vpn_openconnect.py +++ b/smoketest/scripts/cli/test_vpn_openconnect.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2020 VyOS maintainers and contributors +# Copyright (C) 2020-2022 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as 
@@ -19,36 +19,77 @@ import unittest from base_vyostest_shim import VyOSUnitTestSHIM from vyos.util import process_named_running from vyos.util import cmd +from vyos.util import read_file from os import path, mkdir -OCSERV_CONF = '/run/ocserv/ocserv.conf' base_path = ['vpn', 'openconnect'] cert_dir = '/config/auth/' ca_cert = f'{cert_dir}ca.crt' ssl_cert = f'{cert_dir}server.crt' ssl_key = f'{cert_dir}server.key' -class TestVpnOpenconnect(VyOSUnitTestSHIM.TestCase): +PROCESS_NAME = 'ocserv-main' +config_file = '/run/ocserv/ocserv.conf' +auth_file = '/run/ocserv/ocpasswd' +otp_file = '/run/ocserv/users.oath' + +class TestVPNOpenConnect(VyOSUnitTestSHIM.TestCase): + @classmethod + def setUpClass(cls): + super(TestVPNOpenConnect, cls).setUpClass() + + # ensure we can also run this test on a live system - so lets clean + # out the current configuration :) + cls.cli_delete(cls, base_path) + + cls.cli_set(cls, base_path + ["ssl", "ca-cert-file", ca_cert]) + cls.cli_set(cls, base_path + ["ssl", "cert-file", ssl_cert]) + cls.cli_set(cls, base_path + ["ssl", "key-file", ssl_key]) + def tearDown(self): + self.assertTrue(process_named_running(PROCESS_NAME)) + # Delete vpn openconnect configuration self.cli_delete(base_path) self.cli_commit() - def test_vpn(self): + self.assertFalse(process_named_running(PROCESS_NAME)) + + def test_ocserv(self): user = 'vyos_user' password = 'vyos_pass' - self.cli_delete(base_path) - self.cli_set(base_path + ["authentication", "local-users", "username", user, "password", password]) - self.cli_set(base_path + ["authentication", "mode", "local"]) - self.cli_set(base_path + ["network-settings", "client-ip-settings", "subnet", "192.0.2.0/24"]) - self.cli_set(base_path + ["ssl", "ca-cert-file", ca_cert]) - self.cli_set(base_path + ["ssl", "cert-file", ssl_cert]) - self.cli_set(base_path + ["ssl", "key-file", ssl_key]) + + v4_subnet = '192.0.2.0/24' + v6_prefix = '2001:db8:1000::/64' + v6_len = '126' + name_server = ['1.2.3.4', '1.2.3.5', 
'2001:db8::1'] + + self.cli_set(base_path + ['authentication', 'local-users', 'username', user, 'password', password]) + self.cli_set(base_path + ['authentication', 'mode', "local"]) + self.cli_set(base_path + ["network-settings", "client-ip-settings", "subnet", v4_subnet]) + self.cli_set(base_path + ['network-settings', 'client-ip-settings', 'subnet', v4_subnet]) + self.cli_set(base_path + ['network-settings', 'client-ipv6-pool', 'prefix', v6_prefix]) + self.cli_set(base_path + ['network-settings', 'client-ipv6-pool', 'mask', v6_len]) + + for ns in name_server: + self.cli_set(base_path + ['network-settings', 'name-server', ns]) self.cli_commit() - # Check for running process - self.assertTrue(process_named_running('ocserv-main')) + # Verify configuration + daemon_config = read_file(config_file) + + # authentication mode local password-otp + self.assertIn(f'auth = "plain[/run/ocserv/ocpasswd]"', daemon_config) + self.assertIn(f'ipv4-network = {v4_subnet}', daemon_config) + self.assertIn(f'ipv6-network = {v6_prefix}', daemon_config) + self.assertIn(f'ipv6-subnet-prefix = {v6_len}', daemon_config) + + for ns in name_server: + self.assertIn(f'dns = {ns}', daemon_config) + + auth_config = read_file(auth_file) + self.assertIn(f'{user}:*:$', auth_config) if __name__ == '__main__': if not path.exists(cert_dir): -- cgit v1.2.3 From 66af9a9daa245b9478d7103861935ee5b8c2526a Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Mon, 15 Aug 2022 20:16:02 +0200 Subject: ocserv: openconnect: T4614: add support for split-dns set vpn openconnect network-settings split-dns (cherry picked from commit e41685a2f56cca0a53b4f8c084f61a85cf561c80) --- data/templates/ocserv/ocserv_config.tmpl | 6 +++++- interface-definitions/vpn_openconnect.xml.in | 13 +++++++++++++ smoketest/scripts/cli/test_vpn_openconnect.py | 5 +++++ 3 files changed, 23 insertions(+), 1 deletion(-) 
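Review bot: test_ocserv sets `client-ip-settings subnet` twice in a row (once with double quotes, once with single quotes); the second `self.cli_set(base_path + ['network-settings', 'client-ip-settings', 'subnet', v4_subnet])` is a duplicate and can be dropped. The `auth =` assertion hard-codes the ocpasswd path in an f-string that has no placeholder although `auth_file` is defined for exactly that value; `self.assertIn(f'auth = "plain[{auth_file}]"', daemon_config)` keeps the two in sync, and the comment above it (`# authentication mode local password-otp`) does not match the `mode local` that is actually configured, while `otp_file` is defined but never used. Since `auth_config` is already read, it is worth pinning that the credential lands hashed rather than verbatim, `self.assertNotIn(password, auth_config)`, next to the existing `{user}:*:$` check. The `if __name__ == '__main__':` block at the end of the hunk continues past it.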
diff --git a/data/templates/ocserv/ocserv_config.tmpl b/data/templates/ocserv/ocserv_config.tmpl index 328af0c0d..8a394f0ac 100644 --- a/data/templates/ocserv/ocserv_config.tmpl +++ b/data/templates/ocserv/ocserv_config.tmpl @@ -70,6 +70,11 @@ ipv6-network = {{ network_settings.client_ipv6_pool.prefix }} ipv6-subnet-prefix = {{ network_settings.client_ipv6_pool.mask }} {% endif %} {% endif %} +{% if network_settings.split_dns is defined %} +{% for tmp in network_settings.split_dns %} +split-dns = {{ tmp }} +{% endfor %} +{% endif %} {% endif %} {% if network_settings.push_route is string %} @@ -79,4 +84,3 @@ route = {{ network_settings.push_route }} route = {{ route }} {% endfor %} {% endif %} - diff --git a/interface-definitions/vpn_openconnect.xml.in b/interface-definitions/vpn_openconnect.xml.in index f35b1ebbd..888f32b99 100644 --- a/interface-definitions/vpn_openconnect.xml.in +++ b/interface-definitions/vpn_openconnect.xml.in @@ -191,6 +191,19 @@ #include + + + Domains over which the provided DNS should be used + + txt + Client prefix length + + + + + + + diff --git a/smoketest/scripts/cli/test_vpn_openconnect.py b/smoketest/scripts/cli/test_vpn_openconnect.py index 999d7267d..6db49abab 100755 --- a/smoketest/scripts/cli/test_vpn_openconnect.py +++ b/smoketest/scripts/cli/test_vpn_openconnect.py @@ -63,6 +63,7 @@ class TestVPNOpenConnect(VyOSUnitTestSHIM.TestCase): v6_prefix = '2001:db8:1000::/64' v6_len = '126' name_server = ['1.2.3.4', '1.2.3.5', '2001:db8::1'] + split_dns = ['vyos.net', 'vyos.io'] self.cli_set(base_path + ['authentication', 'local-users', 'username', user, 'password', password]) self.cli_set(base_path + ['authentication', 'mode', "local"]) @@ -73,6 +74,8 @@ class TestVPNOpenConnect(VyOSUnitTestSHIM.TestCase): for ns in name_server: self.cli_set(base_path + ['network-settings', 'name-server', ns]) + for domain in split_dns: + self.cli_set(base_path + ['network-settings', 'split-dns', domain]) self.cli_commit() 
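Review bot: The new `{% for tmp in network_settings.split_dns %}` loop in ocserv_config.tmpl assumes split_dns is always a list, but the `push_route` block directly below this hunk has a separate `is string` branch, which suggests a single configured value can reach the template as a plain string; iterating a string would then emit one `split-dns =` line per character. Unless the config-mode script normalises the value to a list, the loop should get the same guard as push_route. `tmp` also says nothing about what is rendered; `domain` would.
```jinja
{% if network_settings.split_dns is defined %}
{% if network_settings.split_dns is string %}
split-dns = {{ network_settings.split_dns }}
{% else %}
{% for domain in network_settings.split_dns %}
split-dns = {{ domain }}
{% endfor %}
{% endif %}
{% endif %}
```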
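Review bot: In the new `split-dns` node of vpn_openconnect.xml.in the value help next to the `txt` format reads `Client prefix length`, which looks copied from the IPv6 `mask` node and does not describe a DNS domain; something like `Domain name that should be resolved via the VPN name servers` would match the node's own help text. The markup tags are not visible in this rendering, so I cannot tell whether a `<constraint>` is attached; if none is, a hostname/FQDN validator is worth adding, because the template writes each value verbatim into ocserv.conf.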
@@ -87,6 +90,8 @@ class TestVPNOpenConnect(VyOSUnitTestSHIM.TestCase): for ns in name_server: self.assertIn(f'dns = {ns}', daemon_config) + for domain in split_dns: + self.assertIn(f'split-dns = {domain}', daemon_config) auth_config = read_file(auth_file) self.assertIn(f'{user}:*:$', auth_config) -- cgit v1.2.3 From 28936477c4f4c4633c9a384054c0a65090ece101 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Mon, 15 Aug 2022 20:54:08 +0200 Subject: openconnect: T4616: bugfix KeyError: 'local_users' To reproduce: set vpn openconnect authentication mode local commit Traceback (most recent call last): File "/usr/libexec/vyos/conf_mode/vpn_openconnect.py", line 147, in verify(c) File "/usr/libexec/vyos/conf_mode/vpn_openconnect.py", line 64, in verify if not ocserv["authentication"]["local_users"] or not ocserv["authentication"]["local_users"]["username"]: KeyError: 'local_users' --- src/conf_mode/vpn_openconnect.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/conf_mode/vpn_openconnect.py b/src/conf_mode/vpn_openconnect.py index 00b96884b..f24d5b618 100755 --- a/src/conf_mode/vpn_openconnect.py +++ b/src/conf_mode/vpn_openconnect.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2018-2020 VyOS maintainers and contributors +# Copyright (C) 2018-2022 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as 
@@ -61,8 +61,8 @@ def verify(ocserv): if "authentication" in ocserv: if "mode" in ocserv["authentication"]: if "local" in ocserv["authentication"]["mode"]: - if not ocserv["authentication"]["local_users"] or not ocserv["authentication"]["local_users"]["username"]: - raise ConfigError('openconnect mode local required at leat one user') + if 'local_users' not in ocserv["authentication"] or 'username' not in ocserv["authentication"]["local_users"]: + raise ConfigError('openconnect mode local requires at leat one user') else: for user in ocserv["authentication"]["local_users"]["username"]: if not "password" in ocserv["authentication"]["local_users"]["username"][user]: -- cgit v1.2.3
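Review bot: The rewritten error message still carries the typo `leat` on the new `raise` line; since the line is being touched anyway, `raise ConfigError('openconnect mode local requires at least one user')` fixes it. The membership test is the right repair for the KeyError (a `local` mode with no `local_users` or no `username` now fails the commit with a ConfigError instead of a traceback), but the `else:` after an unconditional `raise` is redundant and the following `for` loop can be dedented one level, which also trims the four-deep `if` chain. verify() starts before this hunk and continues after it.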