smoketest: openvpn: extend server verify() test with TLS auth keys

author: Christian Poessinger <christian@poessinger.com> 2020-10-30 16:57:36 +0100
committer: Christian Poessinger <christian@poessinger.com> 2020-10-30 16:57:36 +0100
commit: d0a5df6b3563b0a8c4b06f37629e49d0644a3457 (patch)
tree: 85360a70e245927261c2170e0256e568878fa95a /smoketest
parent: 31f4075c95fc488f510e42b4e1d9eb4a4dddee15 (diff)
download: vyos-1x-d0a5df6b3563b0a8c4b06f37629e49d0644a3457.tar.gz
vyos-1x-d0a5df6b3563b0a8c4b06f37629e49d0644a3457.zip
1 files changed, 53 insertions, 14 deletions
diff --git a/smoketest/scripts/cli/test_interfaces_openvpn.py b/smoketest/scripts/cli/test_interfaces_openvpn.py
index a36c67f8a..03a3171ed 100755
--- a/smoketest/scripts/cli/test_interfaces_openvpn.py
+++ b/smoketest/scripts/cli/test_interfaces_openvpn.py
@@ -35,6 +35,7 @@ ssl_cert = '/config/auth/ovpn_test_server.pem'
 ssl_key  = '/config/auth/ovpn_test_server.key'
 dh_pem   = '/config/auth/ovpn_test_dh.pem'
 s2s_key  = '/config/auth/ovpn_test_site2site.key'
+auth_key = '/config/auth/ovpn_test_tls_auth.key'
 
 remote_port = '1194'
 protocol = 'udp'
@@ -254,9 +255,46 @@ class TestInterfacesOpenVPN(unittest.TestCase):
             self.session.commit()
         self.session.set(path + ['tls', 'key-file', ssl_key])
 
+        # check validate() - cannot specify "tls role" in client-server mode'
+        self.session.set(path + ['tls', 'role', 'active'])
+        with self.assertRaises(ConfigSessionError):
+            self.session.commit()
+
+        # check validate() - cannot specify "tls role" in client-server mode'
+        self.session.set(path + ['tls', 'auth-file', auth_key])
+        with self.assertRaises(ConfigSessionError):
+            self.session.commit()
+
+        # check validate() - cannot specify "tcp-passive" when "tls role" is "active"
+        self.session.set(path + ['protocol', 'tcp-passive'])
+        with self.assertRaises(ConfigSessionError):
+            self.session.commit()
+        self.session.delete(path + ['protocol'])
+
+        # check validate() - cannot specify "tls dh-file" when "tls role" is "active"
+        self.session.set(path + ['tls', 'dh-file', dh_pem])
+        with self.assertRaises(ConfigSessionError):
+            self.session.commit()
+        self.session.delete(path + ['tls', 'dh-file'])
+
+        # Now test the other path with tls role passive
+        self.session.set(path + ['tls', 'role', 'passive'])
+        # check validate() - cannot specify "tcp-active" when "tls role" is "passive"
+        self.session.set(path + ['protocol', 'tcp-active'])
+        with self.assertRaises(ConfigSessionError):
+            self.session.commit()
+        self.session.delete(path + ['protocol'])
+
+
+        # check validate() - must specify "tls dh-file" when "tls role" is "passive"
+        with self.assertRaises(ConfigSessionError):
+            self.session.commit()
+        self.session.set(path + ['tls', 'dh-file', dh_pem])
 
         self.session.commit()
 
+        self.assertTrue(process_named_running(PROCESS_NAME))
+        self.assertIn(interface, interfaces())
 
     def test_server_interfaces(self):
         """ Create OpenVPN server interfaces using different client subnets.
@@ -427,32 +465,33 @@ if __name__ == '__main__':
     subject = '/C=DE/ST=BY/O=VyOS/localityName=Cloud/commonName=vyos/' \
               'organizationalUnitName=VyOS/emailAddress=maintainers@vyos.io/'
 
-    if (not os.path.isfile(ssl_key) and not os.path.isfile(ssl_cert) and
-        not os.path.isfile(ca_cert) and not os.path.isfile(dh_pem) and
-        not os.path.isfile(s2s_key)):
-
+    if not (os.path.isfile(ssl_key) and os.path.isfile(ssl_cert)):
         # Generate mandatory SSL certificate
         tmp = f'openssl req -newkey rsa:4096 -new -nodes -x509 -days 3650 '\
               f'-keyout {ssl_key} -out {ssl_cert} -subj {subject}'
-        out = cmd(tmp)
-        print(out)
+        print(cmd(tmp))
 
+    if not os.path.isfile(ca_cert):
         # Generate "CA"
         tmp = f'openssl req -new -x509 -key {ssl_key} -out {ca_cert} -subj {subject}'
-        out = cmd(tmp)
-        print(out)
+        print(cmd(tmp))
 
+    if not os.path.isfile(dh_pem):
         # Generate "DH" key
         tmp = f'openssl dhparam -out {dh_pem} 2048'
-        out = cmd(tmp)
-        print(out)
+        print(cmd(tmp))
 
+    if not os.path.isfile(s2s_key):
         # Generate site-2-site key
         tmp = f'openvpn --genkey --secret {s2s_key}'
-        out = cmd(tmp)
-        print(out)
+        print(cmd(tmp))
+
+    if not os.path.isfile(auth_key):
+        # Generate TLS auth key
+        tmp = f'openvpn --genkey --secret {auth_key}'
+        print(cmd(tmp))
 
-        for file in [ca_cert, ssl_cert, ssl_key, dh_pem, s2s_key]:
-            cmd(f'sudo chown openvpn:openvpn {file}')
+    for file in [ca_cert, ssl_cert, ssl_key, dh_pem, s2s_key, auth_key]:
+        cmd(f'sudo chown openvpn:openvpn {file}')
 
     unittest.main()
author	Christian Poessinger <christian@poessinger.com>	2020-10-30 16:57:36 +0100
committer	Christian Poessinger <christian@poessinger.com>	2020-10-30 16:57:36 +0100
commit	d0a5df6b3563b0a8c4b06f37629e49d0644a3457 (patch)
tree	85360a70e245927261c2170e0256e568878fa95a /smoketest
parent	31f4075c95fc488f510e42b4e1d9eb4a4dddee15 (diff)
download	vyos-1x-d0a5df6b3563b0a8c4b06f37629e49d0644a3457.tar.gz vyos-1x-d0a5df6b3563b0a8c4b06f37629e49d0644a3457.zip