summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorChristian Poessinger <christian@poessinger.com>2020-10-30 16:57:36 +0100
committerChristian Poessinger <christian@poessinger.com>2020-10-30 16:57:36 +0100
commitd0a5df6b3563b0a8c4b06f37629e49d0644a3457 (patch)
tree85360a70e245927261c2170e0256e568878fa95a
parent31f4075c95fc488f510e42b4e1d9eb4a4dddee15 (diff)
downloadvyos-1x-d0a5df6b3563b0a8c4b06f37629e49d0644a3457.tar.gz
vyos-1x-d0a5df6b3563b0a8c4b06f37629e49d0644a3457.zip
smoketest: openvpn: extend server verify() test with TLS auth keys
-rwxr-xr-xsmoketest/scripts/cli/test_interfaces_openvpn.py67
1 files changed, 53 insertions, 14 deletions
diff --git a/smoketest/scripts/cli/test_interfaces_openvpn.py b/smoketest/scripts/cli/test_interfaces_openvpn.py
index a36c67f8a..03a3171ed 100755
--- a/smoketest/scripts/cli/test_interfaces_openvpn.py
+++ b/smoketest/scripts/cli/test_interfaces_openvpn.py
@@ -35,6 +35,7 @@ ssl_cert = '/config/auth/ovpn_test_server.pem'
ssl_key = '/config/auth/ovpn_test_server.key'
dh_pem = '/config/auth/ovpn_test_dh.pem'
s2s_key = '/config/auth/ovpn_test_site2site.key'
+auth_key = '/config/auth/ovpn_test_tls_auth.key'
remote_port = '1194'
protocol = 'udp'
@@ -254,9 +255,46 @@ class TestInterfacesOpenVPN(unittest.TestCase):
self.session.commit()
self.session.set(path + ['tls', 'key-file', ssl_key])
+ # check validate() - cannot specify "tls role" in client-server mode'
+ self.session.set(path + ['tls', 'role', 'active'])
+ with self.assertRaises(ConfigSessionError):
+ self.session.commit()
+
+ # check validate() - cannot specify "tls role" in client-server mode'
+ self.session.set(path + ['tls', 'auth-file', auth_key])
+ with self.assertRaises(ConfigSessionError):
+ self.session.commit()
+
+ # check validate() - cannot specify "tcp-passive" when "tls role" is "active"
+ self.session.set(path + ['protocol', 'tcp-passive'])
+ with self.assertRaises(ConfigSessionError):
+ self.session.commit()
+ self.session.delete(path + ['protocol'])
+
+ # check validate() - cannot specify "tls dh-file" when "tls role" is "active"
+ self.session.set(path + ['tls', 'dh-file', dh_pem])
+ with self.assertRaises(ConfigSessionError):
+ self.session.commit()
+ self.session.delete(path + ['tls', 'dh-file'])
+
+ # Now test the other path with tls role passive
+ self.session.set(path + ['tls', 'role', 'passive'])
+ # check validate() - cannot specify "tcp-active" when "tls role" is "passive"
+ self.session.set(path + ['protocol', 'tcp-active'])
+ with self.assertRaises(ConfigSessionError):
+ self.session.commit()
+ self.session.delete(path + ['protocol'])
+
+
+ # check validate() - must specify "tls dh-file" when "tls role" is "passive"
+ with self.assertRaises(ConfigSessionError):
+ self.session.commit()
+ self.session.set(path + ['tls', 'dh-file', dh_pem])
self.session.commit()
+ self.assertTrue(process_named_running(PROCESS_NAME))
+ self.assertIn(interface, interfaces())
def test_server_interfaces(self):
""" Create OpenVPN server interfaces using different client subnets.
@@ -427,32 +465,33 @@ if __name__ == '__main__':
subject = '/C=DE/ST=BY/O=VyOS/localityName=Cloud/commonName=vyos/' \
'organizationalUnitName=VyOS/emailAddress=maintainers@vyos.io/'
- if (not os.path.isfile(ssl_key) and not os.path.isfile(ssl_cert) and
- not os.path.isfile(ca_cert) and not os.path.isfile(dh_pem) and
- not os.path.isfile(s2s_key)):
-
+ if not (os.path.isfile(ssl_key) and os.path.isfile(ssl_cert)):
# Generate mandatory SSL certificate
tmp = f'openssl req -newkey rsa:4096 -new -nodes -x509 -days 3650 '\
f'-keyout {ssl_key} -out {ssl_cert} -subj {subject}'
- out = cmd(tmp)
- print(out)
+ print(cmd(tmp))
+ if not os.path.isfile(ca_cert):
# Generate "CA"
tmp = f'openssl req -new -x509 -key {ssl_key} -out {ca_cert} -subj {subject}'
- out = cmd(tmp)
- print(out)
+ print(cmd(tmp))
+ if not os.path.isfile(dh_pem):
# Generate "DH" key
tmp = f'openssl dhparam -out {dh_pem} 2048'
- out = cmd(tmp)
- print(out)
+ print(cmd(tmp))
+ if not os.path.isfile(s2s_key):
# Generate site-2-site key
tmp = f'openvpn --genkey --secret {s2s_key}'
- out = cmd(tmp)
- print(out)
+ print(cmd(tmp))
+
+ if not os.path.isfile(auth_key):
+ # Generate TLS auth key
+ tmp = f'openvpn --genkey --secret {auth_key}'
+ print(cmd(tmp))
- for file in [ca_cert, ssl_cert, ssl_key, dh_pem, s2s_key]:
- cmd(f'sudo chown openvpn:openvpn {file}')
+ for file in [ca_cert, ssl_cert, ssl_key, dh_pem, s2s_key, auth_key]:
+ cmd(f'sudo chown openvpn:openvpn {file}')
unittest.main()