From 923728b19a790728685027ef8fadabffee20e5bc Mon Sep 17 00:00:00 2001
From: Christian Poessinger
Date: Mon, 15 Aug 2022 20:04:29 +0200
Subject: smoketest: ocserv: implement config file validation
(cherry picked from commit bd102eac6d0c97a5f75324d1248814ebdad42da5)
---
 smoketest/scripts/cli/test_vpn_openconnect.py | 67 +++++++++++++++++++++------
 1 file changed, 54 insertions(+), 13 deletions(-)
(limited to 'smoketest/scripts/cli')
diff --git a/smoketest/scripts/cli/test_vpn_openconnect.py b/smoketest/scripts/cli/test_vpn_openconnect.py
index ccac0820d..999d7267d 100755
--- a/smoketest/scripts/cli/test_vpn_openconnect.py
+++ b/smoketest/scripts/cli/test_vpn_openconnect.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2020 VyOS maintainers and contributors
+# Copyright (C) 2020-2022 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -19,36 +19,77 @@ import unittest
 from base_vyostest_shim import VyOSUnitTestSHIM
 from vyos.util import process_named_running
 from vyos.util import cmd
+from vyos.util import read_file
 from os import path, mkdir
 
-OCSERV_CONF = '/run/ocserv/ocserv.conf'
 base_path = ['vpn', 'openconnect']
 cert_dir = '/config/auth/'
 ca_cert = f'{cert_dir}ca.crt'
 ssl_cert = f'{cert_dir}server.crt'
 ssl_key = f'{cert_dir}server.key'
 
-class TestVpnOpenconnect(VyOSUnitTestSHIM.TestCase):
+PROCESS_NAME = 'ocserv-main'
+config_file = '/run/ocserv/ocserv.conf'
+auth_file = '/run/ocserv/ocpasswd'
+otp_file = '/run/ocserv/users.oath'
+
+class TestVPNOpenConnect(VyOSUnitTestSHIM.TestCase):
+    @classmethod
+    def setUpClass(cls):
+        super(TestVPNOpenConnect, cls).setUpClass()
+
+        # ensure we can also run this test on a live system - so lets clean
+        # out the current configuration :)
+        cls.cli_delete(cls, base_path)
+
+        cls.cli_set(cls, base_path + ["ssl", "ca-cert-file", ca_cert])
+        cls.cli_set(cls, base_path + ["ssl", "cert-file", ssl_cert])
+        cls.cli_set(cls, base_path + ["ssl", "key-file", ssl_key])
+
     def tearDown(self):
+        self.assertTrue(process_named_running(PROCESS_NAME))
+
         # Delete vpn openconnect configuration
         self.cli_delete(base_path)
         self.cli_commit()
 
-    def test_vpn(self):
+        self.assertFalse(process_named_running(PROCESS_NAME))
+
+    def test_ocserv(self):
         user = 'vyos_user'
         password = 'vyos_pass'
-        self.cli_delete(base_path)
-        self.cli_set(base_path + ["authentication", "local-users", "username", user, "password", password])
-        self.cli_set(base_path + ["authentication", "mode", "local"])
-        self.cli_set(base_path + ["network-settings", "client-ip-settings", "subnet", "192.0.2.0/24"])
-        self.cli_set(base_path + ["ssl", "ca-cert-file", ca_cert])
-        self.cli_set(base_path + ["ssl", "cert-file", ssl_cert])
-        self.cli_set(base_path + ["ssl", "key-file", ssl_key])
+
+        v4_subnet = '192.0.2.0/24'
+        v6_prefix = '2001:db8:1000::/64'
+        v6_len = '126'
+        name_server = ['1.2.3.4', '1.2.3.5', '2001:db8::1']
+
+        self.cli_set(base_path + ['authentication', 'local-users', 'username', user, 'password', password])
+        self.cli_set(base_path + ['authentication', 'mode', "local"])
+        self.cli_set(base_path + ["network-settings", "client-ip-settings", "subnet", v4_subnet])
+        self.cli_set(base_path + ['network-settings', 'client-ip-settings', 'subnet', v4_subnet])
+        self.cli_set(base_path + ['network-settings', 'client-ipv6-pool', 'prefix', v6_prefix])
+        self.cli_set(base_path + ['network-settings', 'client-ipv6-pool', 'mask', v6_len])
+
+        for ns in name_server:
+            self.cli_set(base_path + ['network-settings', 'name-server', ns])
 
         self.cli_commit()
 
-        # Check for running process
-        self.assertTrue(process_named_running('ocserv-main'))
+        # Verify configuration
+        daemon_config = read_file(config_file)
+
+        # authentication mode local password-otp
+        self.assertIn(f'auth = "plain[/run/ocserv/ocpasswd]"', daemon_config)
+        self.assertIn(f'ipv4-network = {v4_subnet}', daemon_config)
+        self.assertIn(f'ipv6-network = {v6_prefix}', daemon_config)
+        self.assertIn(f'ipv6-subnet-prefix = {v6_len}', daemon_config)
+
+        for ns in name_server:
+            self.assertIn(f'dns = {ns}', daemon_config)
+
+        auth_config = read_file(auth_file)
+        self.assertIn(f'{user}:*:$', auth_config)
 
 if __name__ == '__main__':
     if not path.exists(cert_dir):
-- 
cgit v1.2.3
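Review bot: The `auth =` assertion in test_ocserv hard-codes `/run/ocserv/ocpasswd` inside an f-string that has no placeholders, although the same path is already bound to `auth_file` and is the file read a few lines later; write it as `self.assertIn(f'auth = "plain[{auth_file}]"', daemon_config)` so the path the daemon is checked against and the file the test reads cannot drift apart. The comment right above it, `# authentication mode local password-otp`, does not describe this hunk: only `authentication mode local` is configured and the new `otp_file` constant is never referenced, so shorten it to `# authentication mode local` or wire `otp_file` into a real assertion. The two back-to-back `cli_set` calls for `client-ip-settings subnet` set the same node twice and differ only in quote style; one of them should go. Since `auth_file` carries the local users' password hashes, a natural follow-up is to assert the daemon leaves it non-world-readable, but the expected file mode is not visible in this hunk.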