diff options
Diffstat (limited to 'smoketest')
-rwxr-xr-x | smoketest/bin/vyos-configtest | 82 | ||||
-rw-r--r-- | smoketest/configs/pppoe-client | 62 | ||||
-rw-r--r-- | smoketest/configs/pppoe-server | 94 | ||||
-rw-r--r-- | smoketest/scripts/cli/base_accel_ppp_test.py | 22 | ||||
-rw-r--r-- | smoketest/scripts/cli/base_interfaces_test.py | 36 | ||||
-rwxr-xr-x | smoketest/scripts/cli/test_interfaces_bridge.py | 92 | ||||
-rwxr-xr-x | smoketest/scripts/cli/test_interfaces_openvpn.py | 396 | ||||
-rwxr-xr-x | smoketest/scripts/cli/test_interfaces_tunnel.py | 328 | ||||
-rwxr-xr-x | smoketest/scripts/cli/test_interfaces_wireless.py | 80 | ||||
-rwxr-xr-x | smoketest/scripts/cli/test_nat.py | 20 | ||||
-rwxr-xr-x | smoketest/scripts/cli/test_service_snmp.py | 2 | ||||
-rwxr-xr-x | smoketest/scripts/cli/test_service_ssh.py | 32 | ||||
-rwxr-xr-x | smoketest/scripts/cli/test_service_tftp-server.py | 2 | ||||
-rwxr-xr-x | smoketest/scripts/cli/test_system_ntp.py | 8 |
14 files changed, 1139 insertions, 117 deletions
diff --git a/smoketest/bin/vyos-configtest b/smoketest/bin/vyos-configtest new file mode 100755 index 000000000..3e42b0380 --- /dev/null +++ b/smoketest/bin/vyos-configtest @@ -0,0 +1,82 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2020 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +import os +import sys +import time +import logging +import unittest + +from vyos.configsession import ConfigSession, ConfigSessionError +from vyos import ConfigError + +config_dir = '/usr/libexec/vyos/tests/config' +save_config = '/tmp/vyos-configtest-save' + +class DynamicClassBase(unittest.TestCase): + def setUp(self): + self._start_time = time.time() + self.session = ConfigSession(os.getpid()) + self.session.save_config(save_config) + + def tearDown(self): + self.session.migrate_and_load_config(save_config) + self.session.commit() + log.info(f" time: {time.time() - self._start_time:.3f}") + del self.session + try: + os.remove(save_config) + except OSError: + pass + +def make_test_function(filename): + def test_config_load(self): + config_path = os.path.join(config_dir, filename) + self.session.migrate_and_load_config(config_path) + try: + self.session.commit() + except (ConfigError, ConfigSessionError): + self.session.discard() + self.fail() + return test_config_load + +def class_name_from_func_name(s): + res = ''.join(str.capitalize(x) for x in s.split('_')) + return res + +if __name__ == '__main__': + logging.basicConfig(stream=sys.stdout, level=logging.DEBUG, + format='%(message)s') + log = logging.getLogger("TestConfigLog") + + start_time = time.time() + log.info("Generating tests") + + (_, _, config_list) = next(iter(os.walk(config_dir))) + config_list.sort() + + for config in config_list: + test_func = make_test_function(config) + + func_name = config.replace('-', '_') + klassname = f'TestConfig{class_name_from_func_name(func_name)}' + globals()[klassname] = type(klassname, + (DynamicClassBase,), + {f'test_{func_name}': test_func}) + + log.info(f"... completed: {time.time() - start_time:.6f}") + + unittest.main(verbosity=2) diff --git a/smoketest/configs/pppoe-client b/smoketest/configs/pppoe-client new file mode 100644 index 000000000..ef6a26423 --- /dev/null +++ b/smoketest/configs/pppoe-client @@ -0,0 +1,62 @@ +interfaces { + ethernet eth0 { + } + loopback lo { + } + pppoe pppoe0 { + authentication { + password bar + user foo + } + connect-on-demand + default-route auto + mtu 1492 + source-interface eth0 + } +} +service { + ssh { + } +} +system { + config-management { + commit-revisions 100 + } + console { + device ttyS0 { + speed 115200 + } + } + host-name vyos + login { + user vyos { + authentication { + encrypted-password $6$2Ta6TWHd/U$NmrX0x9kexCimeOcYK1MfhMpITF9ELxHcaBU/znBq.X2ukQOj61fVI2UYP/xBzP4QtiTcdkgs7WOQMHWsRymO/ + plaintext-password "" + } + } + } + ntp { + server 0.pool.ntp.org { + } + server 1.pool.ntp.org { + } + server 2.pool.ntp.org { + } + } + syslog { + global { + facility all { + level info + } + facility protocols { + level debug + } + } + } +} + + +// Warning: Do not remove the following line. +// vyos-config-version: "broadcast-relay@1:cluster@1:config-management@1:conntrack@1:conntrack-sync@1:dhcp-relay@2:dhcp-server@5:dhcpv6-server@1:dns-forwarding@3:firewall@5:https@2:interfaces@13:ipoe-server@1:ipsec@5:l2tp@3:lldp@1:mdns@1:nat@5:ntp@1:pppoe-server@5:pptp@2:qos@1:quagga@6:salt@1:snmp@2:ssh@2:sstp@3:system@19:vrrp@2:vyos-accel-ppp@2:wanloadbalance@3:webgui@1:webproxy@2:zone-policy@1" +// Release version: 1.3-rolling-202010241631 diff --git a/smoketest/configs/pppoe-server b/smoketest/configs/pppoe-server new file mode 100644 index 000000000..7e4ccc80e --- /dev/null +++ b/smoketest/configs/pppoe-server @@ -0,0 +1,94 @@ +interfaces { + ethernet eth0 { + address dhcp + } + ethernet eth1 { + address 192.168.0.1/24 + } + ethernet eth2 { + } + loopback lo { + } +} +nat { + source { + rule 100 { + outbound-interface eth0 + source { + address 192.168.0.0/24 + } + translation { + address masquerade + } + } + } +} +service { + pppoe-server { + access-concentrator ACN + authentication { + local-users { + username foo { + password bar + rate-limit { + download 20480 + upload 10240 + } + } + } + mode local + } + client-ip-pool { + start 192.168.0.100 + stop 192.168.0.200 + } + gateway-address 192.168.0.2 + interface eth2 { + } + name-server 192.168.0.1 + } + ssh { + } +} +system { + config-management { + commit-revisions 100 + } + console { + device ttyS0 { + speed 115200 + } + } + host-name vyos + login { + user vyos { + authentication { + encrypted-password $6$O5gJRlDYQpj$MtrCV9lxMnZPMbcxlU7.FI793MImNHznxGoMFgm3Q6QP3vfKJyOSRCt3Ka/GzFQyW1yZS4NS616NLHaIPPFHc0 + plaintext-password "" + } + } + } + ntp { + server 0.pool.ntp.org { + } + server 1.pool.ntp.org { + } + server 2.pool.ntp.org { + } + } + syslog { + global { + facility all { + level info + } + facility protocols { + level debug + } + } + } +} + + +// Warning: Do not remove the following line. +// vyos-config-version: "broadcast-relay@1:cluster@1:config-management@1:conntrack@1:conntrack-sync@1:dhcp-relay@2:dhcp-server@5:dhcpv6-server@1:dns-forwarding@3:firewall@5:https@2:interfaces@13:ipoe-server@1:ipsec@5:l2tp@3:lldp@1:mdns@1:nat@5:ntp@1:pppoe-server@5:pptp@2:qos@1:quagga@6:salt@1:snmp@2:ssh@2:sstp@3:system@19:vrrp@2:vyos-accel-ppp@2:wanloadbalance@3:webgui@1:webproxy@2:zone-policy@1" +// Release version: 1.3-rolling-202010260127 diff --git a/smoketest/scripts/cli/base_accel_ppp_test.py b/smoketest/scripts/cli/base_accel_ppp_test.py index 56cbf1dd4..e46a16137 100644 --- a/smoketest/scripts/cli/base_accel_ppp_test.py +++ b/smoketest/scripts/cli/base_accel_ppp_test.py @@ -20,10 +20,10 @@ from configparser import ConfigParser from vyos.configsession import ConfigSession from vyos.configsession import ConfigSessionError +from vyos.template import is_ipv4 from vyos.util import cmd from vyos.util import get_half_cpus from vyos.util import process_named_running -from vyos.validate import is_ipv4 class BasicAccelPPPTest: class BaseTest(unittest.TestCase): @@ -192,3 +192,23 @@ class BasicAccelPPPTest: # Check for running process self.assertTrue(process_named_running(self._process_name)) + + # + # Disable Radius Accounting + # + self.delete(['authentication', 'radius', 'server', radius_server, 'acct-port']) + self.set(['authentication', 'radius', 'server', radius_server, 'disable-accounting']) + + # commit changes + self.session.commit() + + conf.read(self._config_file) + + server = conf['radius']['server'].split(',') + self.assertEqual(radius_server, server[0]) + self.assertEqual(radius_key, server[1]) + self.assertEqual(f'auth-port={radius_port}', server[2]) + self.assertEqual(f'acct-port=0', server[3]) + self.assertEqual(f'req-limit=0', server[4]) + self.assertEqual(f'fail-time=0', server[5]) + diff --git a/smoketest/scripts/cli/base_interfaces_test.py b/smoketest/scripts/cli/base_interfaces_test.py index c6bb5bd1a..e02424073 100644 --- a/smoketest/scripts/cli/base_interfaces_test.py +++ b/smoketest/scripts/cli/base_interfaces_test.py @@ -22,8 +22,9 @@ from vyos.configsession import ConfigSession from vyos.ifconfig import Interface from vyos.util import read_file from vyos.util import cmd -from vyos.util import vyos_dict_search -from vyos.validate import is_intf_addr_assigned, is_ipv6_link_local +from vyos.util import dict_search +from vyos.validate import is_intf_addr_assigned +from vyos.validate import is_ipv6_link_local class BasicInterfaceTest: class BaseTest(unittest.TestCase): @@ -162,16 +163,45 @@ class BasicInterfaceTest: """ Testcase if MTU can be changed on interface """ if not self._test_mtu: return None + + for intf in self._interfaces: + base = self._base_path + [intf] + self.session.set(base + ['mtu', self._mtu]) + for option in self._options.get(intf, []): + self.session.set(base + option.split()) + + # commit interface changes + self.session.commit() + + # verify changed MTU + for intf in self._interfaces: + self._mtu_test(intf) + + def test_change_mtu_1200(self): + """ Testcase if MTU can be changed to 1200 on non IPv6 enabled interfaces """ + if not self._test_mtu: + return None + + old_mtu = self._mtu + self._mtu = '1200' + for intf in self._interfaces: base = self._base_path + [intf] self.session.set(base + ['mtu', self._mtu]) + self.session.set(base + ['ipv6', 'address', 'no-default-link-local']) + for option in self._options.get(intf, []): self.session.set(base + option.split()) + # commit interface changes self.session.commit() + + # verify changed MTU for intf in self._interfaces: self._mtu_test(intf) + self._mtu = old_mtu + def test_8021q_vlan(self): """ Testcase for 802.1q VLAN interfaces """ if not self._test_vlan: @@ -219,7 +249,7 @@ class BasicInterfaceTest: for interface in self._interfaces: for vif_s in self._qinq_range: tmp = json.loads(cmd(f'ip -d -j link show dev {interface}.{vif_s}'))[0] - self.assertEqual(vyos_dict_search('linkinfo.info_data.protocol', tmp), '802.1ad') + self.assertEqual(dict_search('linkinfo.info_data.protocol', tmp), '802.1ad') for vif_c in self._vlan_range: vif = f'{interface}.{vif_s}.{vif_c}' diff --git a/smoketest/scripts/cli/test_interfaces_bridge.py b/smoketest/scripts/cli/test_interfaces_bridge.py index a1359680b..3b7f1bc9a 100755 --- a/smoketest/scripts/cli/test_interfaces_bridge.py +++ b/smoketest/scripts/cli/test_interfaces_bridge.py @@ -21,12 +21,16 @@ from base_interfaces_test import BasicInterfaceTest from glob import glob from netifaces import interfaces from vyos.ifconfig import Section +from vyos.util import cmd +import json class BridgeInterfaceTest(BasicInterfaceTest.BaseTest): def setUp(self): super().setUp() self._test_ipv6 = True + self._test_vlan = True + self._test_qinq = True self._base_path = ['interfaces', 'bridge'] self._interfaces = ['br0'] @@ -78,6 +82,94 @@ class BridgeInterfaceTest(BasicInterfaceTest.BaseTest): self.session.delete(self._base_path + [interface, 'member']) self.session.commit() + + def test_vlan_filter(self): + """ Add member interface to bridge and set VLAN filter """ + for interface in self._interfaces: + base = self._base_path + [interface] + self.session.set(base + ['address', '192.0.2.1/24']) + self.session.set(base + ['vif', '2','address','192.0.3.1/24']) + + vlan_id = 101 + allowed_vlan = 2 + allowed_vlan_range = '4-9' + # assign members to bridge interface + for member in self._members: + base_member = base + ['member', 'interface', member] + self.session.set(base_member + ['allowed-vlan', str(allowed_vlan)]) + self.session.set(base_member + ['allowed-vlan', allowed_vlan_range]) + self.session.set(base_member + ['native-vlan', str(vlan_id)]) + vlan_id += 1 + + # commit config + self.session.commit() + + # Detect the vlan filter function + for interface in self._interfaces: + with open(f'/sys/class/net/{interface}/bridge/vlan_filtering', 'r') as f: + flags = f.read() + self.assertEqual(int(flags), 1) + + # Execute the program to obtain status information + + json_data = cmd('bridge -j vlan show', shell=True) + + vlan_filter_status = None + + vlan_filter_status = json.loads(json_data) + + + if vlan_filter_status is not None: + for interface_status in vlan_filter_status: + ifname = interface_status['ifname'] + for interface in self._members: + vlan_success = 0; + if interface == ifname: + vlans_status = interface_status['vlans'] + for vlan_status in vlans_status: + vlan_id = vlan_status['vlan'] + flag_num = 0 + if 'flags' in vlan_status: + flags = vlan_status['flags'] + for flag in flags: + flag_num = flag_num +1 + if vlan_id == 2: + if flag_num == 0: + vlan_success = vlan_success + 1 + else: + for id in range(4,10): + if vlan_id == id: + if flag_num == 0: + vlan_success = vlan_success + 1 + if vlan_id >= 101: + if flag_num == 2: + vlan_success = vlan_success + 1 + if vlan_success >= 7: + self.assertTrue(True) + else: + self.assertTrue(False) + + else: + self.assertTrue(False) + + + + + # check member interfaces are added on the bridge + + for interface in self._interfaces: + bridge_members = [] + for tmp in glob(f'/sys/class/net/{interface}/lower_*'): + bridge_members.append(os.path.basename(tmp).replace('lower_', '')) + + for member in self._members: + self.assertIn(member, bridge_members) + + # delete all members + for interface in self._interfaces: + self.session.delete(self._base_path + [interface, 'member']) + + self.session.commit() def test_vlan_members(self): """ T2945: ensure that VIFs are not dropped from bridge """ diff --git a/smoketest/scripts/cli/test_interfaces_openvpn.py b/smoketest/scripts/cli/test_interfaces_openvpn.py index 5cc62e3e2..41e48c2f8 100755 --- a/smoketest/scripts/cli/test_interfaces_openvpn.py +++ b/smoketest/scripts/cli/test_interfaces_openvpn.py @@ -26,6 +26,11 @@ from vyos.configsession import ConfigSessionError from vyos.util import cmd from vyos.util import process_named_running from vyos.util import read_file +from vyos.template import address_from_cidr +from vyos.template import dec_ip +from vyos.template import inc_ip +from vyos.template import last_host_address +from vyos.template import netmask_from_cidr PROCESS_NAME = 'openvpn' @@ -35,13 +40,15 @@ ssl_cert = '/config/auth/ovpn_test_server.pem' ssl_key = '/config/auth/ovpn_test_server.key' dh_pem = '/config/auth/ovpn_test_dh.pem' s2s_key = '/config/auth/ovpn_test_site2site.key' +auth_key = '/config/auth/ovpn_test_tls_auth.key' remote_port = '1194' protocol = 'udp' path = [] interface = '' remote_host = '' -vrf_name = 'mgmt' +vrf_name = 'orange' +dummy_if = 'dum1301' def get_vrf(interface): for upper in glob(f'/sys/class/net/{interface}/upper*'): @@ -54,20 +61,88 @@ def get_vrf(interface): class TestInterfacesOpenVPN(unittest.TestCase): def setUp(self): self.session = ConfigSession(os.getpid()) - self.session.set(['interfaces', 'dummy', 'dum1328', 'address', '192.0.2.1/24']) + self.session.set(['interfaces', 'dummy', dummy_if, 'address', '192.0.2.1/32']) self.session.set(['vrf', 'name', vrf_name, 'table', '12345']) def tearDown(self): self.session.delete(base_path) - self.session.delete(['interfaces', 'dummy', 'dum1328']) - self.session.delete(['vrf', 'name', vrf_name]) + self.session.delete(['interfaces', 'dummy', dummy_if]) + self.session.delete(['vrf']) self.session.commit() del self.session - def test_client_interfaces(self): - """ Create OpenVPN client interfaces connecting to different - server IP addresses. Validate configuration afterwards. """ + def test_client_verify(self): + """ + Create OpenVPN client interface and test verify() steps. + """ + interface = 'vtun2000' + path = base_path + [interface] + self.session.set(path + ['mode', 'client']) + + # check validate() - cannot specify both "encryption disable-ncp" and + # "encryption ncp-ciphers" at the same time + self.session.set(path + ['encryption', 'disable-ncp']) + self.session.set(path + ['encryption', 'ncp-ciphers', 'aes192gcm']) + + with self.assertRaises(ConfigSessionError): + self.session.commit() + self.session.delete(path + ['encryption', 'ncp-ciphers']) + + # check validate() - cannot specify local-port in client mode + self.session.set(path + ['local-port', '5000']) + with self.assertRaises(ConfigSessionError): + self.session.commit() + self.session.delete(path + ['local-port']) + + # check validate() - cannot specify local-host in client mode + self.session.set(path + ['local-host', '127.0.0.1']) + with self.assertRaises(ConfigSessionError): + self.session.commit() + self.session.delete(path + ['local-host']) + + # check validate() - cannot specify protocol tcp-passive in client mode + self.session.set(path + ['protocol', 'tcp-passive']) + with self.assertRaises(ConfigSessionError): + self.session.commit() + self.session.delete(path + ['protocol']) + + # check validate() - remote-host must be set in client mode + with self.assertRaises(ConfigSessionError): + self.session.commit() + self.session.set(path + ['remote-host', '192.0.9.9']) + + # check validate() - cannot specify "tls dh-file" in client mode + self.session.set(path + ['tls', 'dh-file', dh_pem]) + with self.assertRaises(ConfigSessionError): + self.session.commit() + self.session.delete(path + ['tls']) + + # check validate() - must specify one of "shared-secret-key-file" and "tls" + with self.assertRaises(ConfigSessionError): + self.session.commit() + self.session.set(path + ['shared-secret-key-file', s2s_key]) + + # check validate() - must specify one of "shared-secret-key-file" and "tls" + with self.assertRaises(ConfigSessionError): + self.session.commit() + self.session.delete(path + ['shared-secret-key-file', s2s_key]) + + self.session.set(path + ['tls', 'ca-cert-file', ca_cert]) + self.session.set(path + ['tls', 'cert-file', ssl_cert]) + self.session.set(path + ['tls', 'key-file', ssl_key]) + + # client commit must pass + self.session.commit() + + self.assertTrue(process_named_running(PROCESS_NAME)) + self.assertIn(interface, interfaces()) + + def test_client_interfaces(self): + """ + Create OpenVPN client interfaces connecting to different + server IP addresses. Validate configuration afterwards. + """ num_range = range(10, 15) for ii in num_range: interface = f'vtun{ii}' @@ -122,11 +197,215 @@ class TestInterfacesOpenVPN(unittest.TestCase): interface = f'vtun{ii}' self.assertNotIn(interface, interfaces()) + def test_server_verify(self): + """ + Create one OpenVPN server interface and check required verify() stages + """ + interface = 'vtun5000' + path = base_path + [interface] + + # check validate() - must speciy operating mode + self.session.set(path) + with self.assertRaises(ConfigSessionError): + self.session.commit() + self.session.set(path + ['mode', 'server']) + + # check validate() - cannot specify protocol tcp-active in server mode + self.session.set(path + ['protocol', 'tcp-active']) + with self.assertRaises(ConfigSessionError): + self.session.commit() + self.session.delete(path + ['protocol']) + + # check validate() - cannot specify local-port in client mode + self.session.set(path + ['remote-port', '5000']) + with self.assertRaises(ConfigSessionError): + self.session.commit() + self.session.delete(path + ['remote-port']) + + # check validate() - cannot specify local-host in client mode + self.session.set(path + ['remote-host', '127.0.0.1']) + with self.assertRaises(ConfigSessionError): + self.session.commit() + self.session.delete(path + ['remote-host']) + + # check validate() - must specify "tls dh-file" when not using EC keys + # in server mode + with self.assertRaises(ConfigSessionError): + self.session.commit() + self.session.set(path + ['tls', 'dh-file', dh_pem]) + + # check validate() - must specify "server subnet" or add interface to + # bridge in server mode + with self.assertRaises(ConfigSessionError): + self.session.commit() + + # check validate() - server client-ip-pool is too large + # [100.64.0.4 -> 100.127.255.251 = 4194295], maximum is 65536 addresses. + self.session.set(path + ['server', 'subnet', '100.64.0.0/10']) + with self.assertRaises(ConfigSessionError): + self.session.commit() + + # check validate() - cannot specify more than 1 IPv4 and 1 IPv6 server subnet + self.session.set(path + ['server', 'subnet', '100.64.0.0/20']) + with self.assertRaises(ConfigSessionError): + self.session.commit() + self.session.delete(path + ['server', 'subnet', '100.64.0.0/10']) + + # check validate() - must specify "tls ca-cert-file" + with self.assertRaises(ConfigSessionError): + self.session.commit() + self.session.set(path + ['tls', 'ca-cert-file', ca_cert]) + + # check validate() - must specify "tls cert-file" + with self.assertRaises(ConfigSessionError): + self.session.commit() + self.session.set(path + ['tls', 'cert-file', ssl_cert]) + + # check validate() - must specify "tls key-file" + with self.assertRaises(ConfigSessionError): + self.session.commit() + self.session.set(path + ['tls', 'key-file', ssl_key]) + + # check validate() - cannot specify "tls role" in client-server mode' + self.session.set(path + ['tls', 'role', 'active']) + with self.assertRaises(ConfigSessionError): + self.session.commit() + + # check validate() - cannot specify "tls role" in client-server mode' + self.session.set(path + ['tls', 'auth-file', auth_key]) + with self.assertRaises(ConfigSessionError): + self.session.commit() + + # check validate() - cannot specify "tcp-passive" when "tls role" is "active" + self.session.set(path + ['protocol', 'tcp-passive']) + with self.assertRaises(ConfigSessionError): + self.session.commit() + self.session.delete(path + ['protocol']) + + # check validate() - cannot specify "tls dh-file" when "tls role" is "active" + self.session.set(path + ['tls', 'dh-file', dh_pem]) + with self.assertRaises(ConfigSessionError): + self.session.commit() + self.session.delete(path + ['tls', 'dh-file']) + + # Now test the other path with tls role passive + self.session.set(path + ['tls', 'role', 'passive']) + # check validate() - cannot specify "tcp-active" when "tls role" is "passive" + self.session.set(path + ['protocol', 'tcp-active']) + with self.assertRaises(ConfigSessionError): + self.session.commit() + self.session.delete(path + ['protocol']) + + + # check validate() - must specify "tls dh-file" when "tls role" is "passive" + with self.assertRaises(ConfigSessionError): + self.session.commit() + self.session.set(path + ['tls', 'dh-file', dh_pem]) + + self.session.commit() + + self.assertTrue(process_named_running(PROCESS_NAME)) + self.assertIn(interface, interfaces()) + + def test_server_subnet_topology(self): + """ + Create OpenVPN server interfaces using different client subnets. + Validate configuration afterwards. + """ + auth_hash = 'sha256' + num_range = range(20, 25) + port = '' + client1_routes = ['10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16'] + for ii in num_range: + interface = f'vtun{ii}' + subnet = f'192.0.{ii}.0/24' + client_ip = inc_ip(subnet, '5') + path = base_path + [interface] + port = str(2000 + ii) + + self.session.set(path + ['device-type', 'tun']) + self.session.set(path + ['encryption', 'cipher', 'aes192']) + self.session.set(path + ['hash', auth_hash]) + self.session.set(path + ['mode', 'server']) + self.session.set(path + ['local-port', port]) + self.session.set(path + ['server', 'subnet', subnet]) + self.session.set(path + ['server', 'topology', 'subnet']) + + # clients + self.session.set(path + ['server', 'client', 'client1', 'ip', client_ip]) + for route in client1_routes: + self.session.set(path + ['server', 'client', 'client1', 'subnet', route]) + + self.session.set(path + ['replace-default-route']) + self.session.set(path + ['tls', 'ca-cert-file', ca_cert]) + self.session.set(path + ['tls', 'cert-file', ssl_cert]) + self.session.set(path + ['tls', 'key-file', ssl_key]) + self.session.set(path + ['tls', 'dh-file', dh_pem]) + self.session.set(path + ['vrf', vrf_name]) + + self.session.commit() + + for ii in num_range: + interface = f'vtun{ii}' + subnet = f'192.0.{ii}.0/24' + + start_addr = inc_ip(subnet, '2') + stop_addr = last_host_address(subnet) + + client_ip = inc_ip(subnet, '5') + client_netmask = netmask_from_cidr(subnet) + + port = str(2000 + ii) + + config_file = f'/run/openvpn/{interface}.conf' + client_config_file = f'/run/openvpn/ccd/{interface}/client1' + config = read_file(config_file) + + self.assertIn(f'dev {interface}', config) + self.assertIn(f'dev-type tun', config) + self.assertIn(f'persist-key', config) + self.assertIn(f'proto udp', config) # default protocol + self.assertIn(f'auth {auth_hash}', config) + self.assertIn(f'cipher aes-192-cbc', config) + self.assertIn(f'topology subnet', config) + self.assertIn(f'lport {port}', config) + self.assertIn(f'push "redirect-gateway def1"', config) + + # TLS options + self.assertIn(f'ca {ca_cert}', config) + self.assertIn(f'cert {ssl_cert}', config) + self.assertIn(f'key {ssl_key}', config) + self.assertIn(f'dh {dh_pem}', config) + + # IP pool configuration + netmask = IPv4Network(subnet).netmask + network = IPv4Network(subnet).network_address + self.assertIn(f'server {network} {netmask} nopool', config) + + # Verify client + client_config = read_file(client_config_file) + + self.assertIn(f'ifconfig-push {client_ip} {client_netmask}', client_config) + for route in client1_routes: + self.assertIn('iroute {} {}'.format(address_from_cidr(route), netmask_from_cidr(route)), client_config) + + self.assertTrue(process_named_running(PROCESS_NAME)) + self.assertEqual(get_vrf(interface), vrf_name) + self.assertIn(interface, interfaces()) + + # check that no interface remained after deleting them + self.session.delete(base_path) + self.session.commit() - def test_server_interfaces(self): - """ Create OpenVPN server interfaces using different client subnets. - Validate configuration afterwards. """ + for ii in num_range: + interface = f'vtun{ii}' + self.assertNotIn(interface, interfaces()) + def test_server_net30_topology(self): + """ + Create OpenVPN server interfaces (net30) using different client + subnets. Validate configuration afterwards. + """ auth_hash = 'sha256' num_range = range(20, 25) port = '' @@ -142,6 +421,8 @@ class TestInterfacesOpenVPN(unittest.TestCase): self.session.set(path + ['mode', 'server']) self.session.set(path + ['local-port', port]) self.session.set(path + ['server', 'subnet', subnet]) + self.session.set(path + ['server', 'topology', 'net30']) + self.session.set(path + ['replace-default-route']) self.session.set(path + ['tls', 'ca-cert-file', ca_cert]) self.session.set(path + ['tls', 'cert-file', ssl_cert]) self.session.set(path + ['tls', 'key-file', ssl_key]) @@ -153,6 +434,8 @@ class TestInterfacesOpenVPN(unittest.TestCase): for ii in num_range: interface = f'vtun{ii}' subnet = f'192.0.{ii}.0/24' + start_addr = inc_ip(subnet, '4') + stop_addr = dec_ip(last_host_address(subnet), '1') port = str(2000 + ii) config_file = f'/run/openvpn/{interface}.conf' @@ -166,6 +449,7 @@ class TestInterfacesOpenVPN(unittest.TestCase): self.assertIn(f'cipher aes-192-cbc', config) self.assertIn(f'topology net30', config) self.assertIn(f'lport {port}', config) + self.assertIn(f'push "redirect-gateway def1"', config) # TLS options self.assertIn(f'ca {ca_cert}', config) @@ -177,6 +461,7 @@ class TestInterfacesOpenVPN(unittest.TestCase): netmask = IPv4Network(subnet).netmask network = IPv4Network(subnet).network_address self.assertIn(f'server {network} {netmask} nopool', config) + self.assertIn(f'ifconfig-pool {start_addr} {stop_addr}', config) self.assertTrue(process_named_running(PROCESS_NAME)) self.assertEqual(get_vrf(interface), vrf_name) @@ -190,9 +475,69 @@ class TestInterfacesOpenVPN(unittest.TestCase): interface = f'vtun{ii}' self.assertNotIn(interface, interfaces()) + def test_site2site_verify(self): + """ + Create one OpenVPN site2site interface and check required verify() stages + """ + interface = 'vtun5000' + path = base_path + [interface] + + self.session.set(path + ['mode', 'site-to-site']) + + # check validate() - encryption ncp-ciphers cannot be specified in site-to-site mode + self.session.set(path + ['encryption', 'ncp-ciphers', 'aes192gcm']) + with self.assertRaises(ConfigSessionError): + self.session.commit() + self.session.delete(path + ['encryption']) + + # check validate() - must specify "local-address" or add interface to bridge + with self.assertRaises(ConfigSessionError): + self.session.commit() + self.session.set(path + ['local-address', '10.0.0.1']) + self.session.set(path + ['local-address', '2001:db8:1::1']) + + # check validate() - cannot specify more than 1 IPv4 local-address + self.session.set(path + ['local-address', '10.0.0.2']) + with self.assertRaises(ConfigSessionError): + self.session.commit() + self.session.delete(path + ['local-address', '10.0.0.2']) + + # check validate() - cannot specify more than 1 IPv6 local-address + self.session.set(path + ['local-address', '2001:db8:1::2']) + with self.assertRaises(ConfigSessionError): + self.session.commit() + self.session.delete(path + ['local-address', '2001:db8:1::2']) + + # check validate() - IPv4 "local-address" requires IPv4 "remote-address" + # or IPv4 "local-address subnet" + with self.assertRaises(ConfigSessionError): + self.session.commit() + self.session.set(path + ['remote-address', '192.168.0.1']) + self.session.set(path + ['remote-address', '2001:db8:ffff::1']) + + # check validate() - Cannot specify more than 1 IPv4 "remote-address" + self.session.set(path + ['remote-address', '192.168.0.2']) + with self.assertRaises(ConfigSessionError): + self.session.commit() + self.session.delete(path + ['remote-address', '192.168.0.2']) + + # check validate() - Cannot specify more than 1 IPv6 "remote-address" + self.session.set(path + ['remote-address', '2001:db8:ffff::2']) + with self.assertRaises(ConfigSessionError): + self.session.commit() + self.session.delete(path + ['remote-address', '2001:db8:ffff::2']) + + # check validate() - Must specify one of "shared-secret-key-file" and "tls" + with self.assertRaises(ConfigSessionError): + self.session.commit() + self.session.set(path + ['shared-secret-key-file', s2s_key]) + + self.session.commit() def test_site2site_interfaces(self): - """ Create two OpenVPN site-to-site interfaces """ + """ + Create two OpenVPN site-to-site interfaces + """ num_range = range(30, 35) port = '' local_address = '' @@ -250,32 +595,33 @@ if __name__ == '__main__': subject = '/C=DE/ST=BY/O=VyOS/localityName=Cloud/commonName=vyos/' \ 'organizationalUnitName=VyOS/emailAddress=maintainers@vyos.io/' - if (not os.path.isfile(ssl_key) and not os.path.isfile(ssl_cert) and - not os.path.isfile(ca_cert) and not os.path.isfile(dh_pem) and - not os.path.isfile(s2s_key)): - + if not (os.path.isfile(ssl_key) and os.path.isfile(ssl_cert)): # Generate mandatory SSL certificate tmp = f'openssl req -newkey rsa:4096 -new -nodes -x509 -days 3650 '\ f'-keyout {ssl_key} -out {ssl_cert} -subj {subject}' - out = cmd(tmp) - print(out) + print(cmd(tmp)) + if not os.path.isfile(ca_cert): # Generate "CA" tmp = f'openssl req -new -x509 -key {ssl_key} -out {ca_cert} -subj {subject}' - out = cmd(tmp) - print(out) + print(cmd(tmp)) + if not os.path.isfile(dh_pem): # Generate "DH" key tmp = f'openssl dhparam -out {dh_pem} 2048' - out = cmd(tmp) - print(out) + print(cmd(tmp)) + if not os.path.isfile(s2s_key): # Generate site-2-site key tmp = f'openvpn --genkey --secret {s2s_key}' - out = cmd(tmp) - print(out) + print(cmd(tmp)) + + if not os.path.isfile(auth_key): + # Generate TLS auth key + tmp = f'openvpn --genkey --secret {auth_key}' + print(cmd(tmp)) - for file in [ca_cert, ssl_cert, ssl_key, dh_pem, s2s_key]: - cmd(f'sudo chown openvpn:openvpn {file}') + for file in [ca_cert, ssl_cert, ssl_key, dh_pem, s2s_key, auth_key]: + cmd(f'sudo chown openvpn:openvpn {file}') unittest.main() diff --git a/smoketest/scripts/cli/test_interfaces_tunnel.py b/smoketest/scripts/cli/test_interfaces_tunnel.py index 7611ffe26..1033196ce 100755 --- a/smoketest/scripts/cli/test_interfaces_tunnel.py +++ b/smoketest/scripts/cli/test_interfaces_tunnel.py @@ -14,95 +14,289 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. -import os import unittest +import json from vyos.configsession import ConfigSession +from vyos.configsession import ConfigSessionError +from vyos.util import cmd from base_interfaces_test import BasicInterfaceTest -class TunnelInterfaceTest(BasicInterfaceTest.BaseTest): - # encoding, tunnel endpoint (v4/v6), address (v4/v6) - _valid = [ - ('gre', 4, 4), - ('gre', 4, 6), - ('ip6gre', 6, 4), - ('ip6gre', 6, 6), - ('gre-bridge', 4, 4), - ('ipip', 4, 4), - ('ipip', 4, 6), - ('ipip6', 6, 4), - ('ipip6', 6, 6), - ('ip6ip6', 6, 6), - ('sit', 4, 6), - ] - - local = { - 4: '10.100.{}.1/24', - 6: '2001:db8:{}::1/64', - } - - remote = { - 4: '192.0.{}.1', - 6: '2002::{}:1', - } - - address = { - 4: '10.100.{}.1/24', - 6: '2001:db8:{}::1/64', - } +remote_ip4 = '192.0.2.100' +remote_ip6 = '2001:db8::ffff' +source_if = 'dum2222' +mtu = 1476 + +def tunnel_conf(interface): + tmp = cmd(f'ip -d -j link show {interface}') + # {'address': '2.2.2.2', + # 'broadcast': '192.0.2.10', + # 'flags': ['POINTOPOINT', 'NOARP', 'UP', 'LOWER_UP'], + # 'group': 'default', + # 'gso_max_segs': 65535, + # 'gso_max_size': 65536, + # 'ifindex': 10, + # 'ifname': 'tun10', + # 'inet6_addr_gen_mode': 'none', + # 'link': None, + # 'link_pointtopoint': True, + # 'link_type': 'gre', + # 'linkinfo': {'info_data': {'local': '2.2.2.2', + # 'pmtudisc': True, + # 'remote': '192.0.2.10', + # 'tos': '0x1', + # 'ttl': 255}, + # 'info_kind': 'gre'}, + # 'linkmode': 'DEFAULT', + # 'max_mtu': 65511, + # 'min_mtu': 68, + # 'mtu': 1476, + # 'num_rx_queues': 1, + # 'num_tx_queues': 1, + # 'operstate': 'UNKNOWN', + # 'promiscuity': 0, + # 'qdisc': 'noqueue', + # 'txqlen': 1000} + return json.loads(tmp)[0] +class TunnelInterfaceTest(BasicInterfaceTest.BaseTest): def setUp(self): - local = {} - remote = {} - address = {} + super().setUp() - self._intf_dummy = ['interfaces', 'dummy'] self._base_path = ['interfaces', 'tunnel'] - self._interfaces = ['tun{}'.format(n) for n in range(len(self._valid))] - self._test_mtu = True - super().setUp() - for number in range(len(self._valid)): - dum4 = 'dum4{}'.format(number) - dum6 = 'dum6{}'.format(number) + self.local_v4 = '192.0.2.1' + self.local_v6 = '2001:db8::1' + + self.session.set(['interfaces', 'dummy', source_if, 'address', self.local_v4 + '/32']) + self.session.set(['interfaces', 'dummy', source_if, 'address', self.local_v6 + '/128']) - ipv4 = self.local[4].format(number) - ipv6 = self.local[6].format(number) + self._options = { + 'tun10': ['encapsulation ipip', 'remote-ip 192.0.2.10', 'local-ip ' + self.local_v4], + 'tun20': ['encapsulation gre', 'remote-ip 192.0.2.20', 'local-ip ' + self.local_v4], + } - local.setdefault(4, {})[number] = ipv4 - local.setdefault(6, {})[number] = ipv6 + self._interfaces = list(self._options) - ipv4 = self.remote[4].format(number) - ipv6 = self.remote[6].format(number) + def tearDown(self): + self.session.delete(['interfaces', 'dummy', source_if]) + super().tearDown() - remote.setdefault(4, {})[number] = ipv4 - remote.setdefault(6, {})[number] = ipv6 + def test_ipip(self): + interface = 'tun100' + encapsulation = 'ipip' + local_if_addr = '10.10.10.1/24' - ipv4 = self.address[4].format(number) - ipv6 = self.address[6].format(number) + self.session.set(self._base_path + [interface, 'address', local_if_addr]) - address.setdefault(4, {})[number] = ipv4 - address.setdefault(6, {})[number] = ipv6 + # Must provide an "encapsulation" for tunnel tun10 + with self.assertRaises(ConfigSessionError): + self.session.commit() + self.session.set(self._base_path + [interface, 'encapsulation', encapsulation]) + + # Must configure either local-ip or dhcp-interface for tunnel ipip tun100 + with self.assertRaises(ConfigSessionError): + self.session.commit() + self.session.set(self._base_path + [interface, 'local-ip', self.local_v4]) + + # missing required option remote for ipip + with self.assertRaises(ConfigSessionError): + self.session.commit() + self.session.set(self._base_path + [interface, 'remote-ip', remote_ip4]) + + # Configure Tunnel Source interface + self.session.set(self._base_path + [interface, 'source-interface', source_if]) - self.session.set(self._intf_dummy + [dum4, 'address', ipv4]) - self.session.set(self._intf_dummy + [dum6, 'address', ipv6]) self.session.commit() - for number, (encap, p2p, addr) in enumerate(self._valid): - intf = 'tun%d' % number - tunnel = {} - tunnel['encapsulation'] = encap - tunnel['local-ip'] = local[p2p][number].split('/')[0] - tunnel['remote-ip'] = remote[p2p][number].split('/')[0] - tunnel['address'] = address[addr][number] - for name in tunnel: - self.session.set(self._base_path + [intf, name, tunnel[name]]) + conf = tunnel_conf(interface) + self.assertEqual(interface, conf['ifname']) + self.assertEqual(encapsulation, conf['link_type']) + self.assertEqual(mtu, conf['mtu']) + self.assertEqual(source_if, conf['link']) - def tearDown(self): - self.session.delete(self._intf_dummy) - super().tearDown() + self.assertEqual(self.local_v4, conf['linkinfo']['info_data']['local']) + self.assertEqual(remote_ip4, conf['linkinfo']['info_data']['remote']) + + def test_ipip6(self): + interface = 'tun110' + encapsulation = 'ipip6' + local_if_addr = '10.10.10.1/24' + + self.session.set(self._base_path + [interface, 'address', local_if_addr]) + + # Must provide an "encapsulation" for tunnel tun10 + with self.assertRaises(ConfigSessionError): + self.session.commit() + self.session.set(self._base_path + [interface, 'encapsulation', encapsulation]) + + # Must configure either local-ip or dhcp-interface for tunnel ipip tun100 + with self.assertRaises(ConfigSessionError): + self.session.commit() + self.session.set(self._base_path + [interface, 'local-ip', self.local_v6]) + + # missing required option remote for ipip + with self.assertRaises(ConfigSessionError): + self.session.commit() + self.session.set(self._base_path + [interface, 'remote-ip', remote_ip6]) + + # Configure Tunnel Source interface + self.session.set(self._base_path + [interface, 'source-interface', source_if]) + + self.session.commit() + + conf = tunnel_conf(interface) + self.assertEqual(interface, conf['ifname']) + self.assertEqual('tunnel6', conf['link_type']) + self.assertEqual(mtu, conf['mtu']) + self.assertEqual(source_if, conf['link']) + + self.assertEqual(self.local_v6, conf['linkinfo']['info_data']['local']) + self.assertEqual(remote_ip6, conf['linkinfo']['info_data']['remote']) + + def test_ip6ip6(self): + interface = 'tun120' + encapsulation = 'ip6ip6' + local_if_addr = '2001:db8:f00::1/24' + + self.session.set(self._base_path + [interface, 'address', local_if_addr]) + + # Must provide an "encapsulation" for tunnel tun10 + with self.assertRaises(ConfigSessionError): + self.session.commit() + self.session.set(self._base_path + [interface, 'encapsulation', encapsulation]) + + # Must configure either local-ip or dhcp-interface for tunnel ipip tun100 + with self.assertRaises(ConfigSessionError): + self.session.commit() + self.session.set(self._base_path + [interface, 'local-ip', self.local_v6]) + + # missing required option remote for ipip + with self.assertRaises(ConfigSessionError): + self.session.commit() + self.session.set(self._base_path + [interface, 'remote-ip', remote_ip6]) + + # Configure Tunnel Source interface + self.session.set(self._base_path + [interface, 'source-interface', source_if]) + + self.session.commit() + + conf = tunnel_conf(interface) + self.assertEqual(interface, conf['ifname']) + self.assertEqual('tunnel6', conf['link_type']) + self.assertEqual(mtu, conf['mtu']) + self.assertEqual(source_if, conf['link']) + + self.assertEqual(self.local_v6, conf['linkinfo']['info_data']['local']) + self.assertEqual(remote_ip6, conf['linkinfo']['info_data']['remote']) + + def test_gre_ipv4(self): + interface = 'tun200' + encapsulation = 'gre' + local_if_addr = '172.16.1.1/24' + + self.session.set(self._base_path + [interface, 'address', local_if_addr]) + + # Must provide an "encapsulation" for tunnel tun10 + with self.assertRaises(ConfigSessionError): + self.session.commit() + self.session.set(self._base_path + [interface, 'encapsulation', encapsulation]) + + # Must configure either local-ip or dhcp-interface + with self.assertRaises(ConfigSessionError): + self.session.commit() + self.session.set(self._base_path + [interface, 'local-ip', self.local_v4]) + + # No assertion is raised for GRE remote-ip when missing + self.session.set(self._base_path + [interface, 'remote-ip', remote_ip4]) + + # Configure Tunnel Source interface + self.session.set(self._base_path + [interface, 'source-interface', source_if]) + + self.session.commit() + + conf = tunnel_conf(interface) + self.assertEqual(interface, conf['ifname']) + self.assertEqual(encapsulation, conf['link_type']) + self.assertEqual(mtu, conf['mtu']) + self.assertEqual(source_if, conf['link']) + + self.assertEqual(self.local_v4, conf['linkinfo']['info_data']['local']) + self.assertEqual(remote_ip4, conf['linkinfo']['info_data']['remote']) + + + def test_gre_ipv6(self): + interface = 'tun210' + encapsulation = 'ip6gre' + local_if_addr = '2001:db8:f01::1/24' + + self.session.set(self._base_path + [interface, 'address', local_if_addr]) + + # Must provide an "encapsulation" for tunnel tun10 + with self.assertRaises(ConfigSessionError): + self.session.commit() + self.session.set(self._base_path + [interface, 'encapsulation', encapsulation]) + + # Must configure either local-ip or dhcp-interface + with self.assertRaises(ConfigSessionError): + self.session.commit() + self.session.set(self._base_path + [interface, 'local-ip', self.local_v6]) + + # No assertion is raised for GRE remote-ip when missing + self.session.set(self._base_path + [interface, 'remote-ip', remote_ip6]) + + # Configure Tunnel Source interface + self.session.set(self._base_path + [interface, 'source-interface', source_if]) + + self.session.commit() + + conf = tunnel_conf(interface) + self.assertEqual(interface, conf['ifname']) + self.assertEqual(encapsulation, conf['link_type']) + self.assertEqual(mtu, conf['mtu']) + self.assertEqual(source_if, conf['link']) + + self.assertEqual(self.local_v6, conf['linkinfo']['info_data']['local']) + self.assertEqual(remote_ip6, conf['linkinfo']['info_data']['remote']) + + + def test_sit(self): + interface = 'tun300' + encapsulation = 'sit' + local_if_addr = '172.16.2.1/24' + + self.session.set(self._base_path + [interface, 'address', local_if_addr]) + + # Must provide an "encapsulation" for tunnel tun10 + with self.assertRaises(ConfigSessionError): + self.session.commit() + self.session.set(self._base_path + [interface, 'encapsulation', encapsulation]) + + # Must configure either local-ip or dhcp-interface + with self.assertRaises(ConfigSessionError): + self.session.commit() + self.session.set(self._base_path + [interface, 'local-ip', self.local_v4]) + + # No assertion is raised for GRE remote-ip when missing + self.session.set(self._base_path + [interface, 'remote-ip', remote_ip4]) + + # Source interface can not be used with si + self.session.set(self._base_path + [interface, 'source-interface', source_if]) + with self.assertRaises(ConfigSessionError): + self.session.commit() + self.session.delete(self._base_path + [interface, 'source-interface']) + + self.session.commit() + + conf = tunnel_conf(interface) + self.assertEqual(interface, conf['ifname']) + self.assertEqual(encapsulation, conf['link_type']) + self.assertEqual(mtu, conf['mtu']) + + self.assertEqual(self.local_v4, conf['linkinfo']['info_data']['local']) + self.assertEqual(remote_ip4, conf['linkinfo']['info_data']['remote']) if __name__ == '__main__': diff --git a/smoketest/scripts/cli/test_interfaces_wireless.py b/smoketest/scripts/cli/test_interfaces_wireless.py index 0e93b6432..65cf127ce 100755 --- a/smoketest/scripts/cli/test_interfaces_wireless.py +++ b/smoketest/scripts/cli/test_interfaces_wireless.py @@ -18,14 +18,16 @@ import os import re import unittest +from vyos.configsession import ConfigSessionError from base_interfaces_test import BasicInterfaceTest + from vyos.util import process_named_running from vyos.util import check_kmod from vyos.util import read_file def get_config_value(interface, key): tmp = read_file(f'/run/hostapd/{interface}.conf') - tmp = re.findall(r'\n?{}=+(.*)'.format(key), tmp) + tmp = re.findall(f'{key}=+(.*)', tmp) return tmp[0] class WirelessInterfaceTest(BasicInterfaceTest.BaseTest): @@ -36,15 +38,14 @@ class WirelessInterfaceTest(BasicInterfaceTest.BaseTest): self._options = { 'wlan0': ['physical-device phy0', 'ssid VyOS-WIFI-0', 'type station', 'address 192.0.2.1/30'], - 'wlan1': ['physical-device phy0', 'ssid VyOS-WIFI-1', + 'wlan1': ['physical-device phy0', 'ssid VyOS-WIFI-1', 'country-code SE', 'type access-point', 'address 192.0.2.5/30', 'channel 0'], 'wlan10': ['physical-device phy1', 'ssid VyOS-WIFI-2', 'type station', 'address 192.0.2.9/30'], - 'wlan11': ['physical-device phy1', 'ssid VyOS-WIFI-3', + 'wlan11': ['physical-device phy1', 'ssid VyOS-WIFI-3', 'country-code SE', 'type access-point', 'address 192.0.2.13/30', 'channel 0'], } self._interfaces = list(self._options) - self.session.set(['system', 'wifi-regulatory-domain', 'SE']) def test_add_address_single(self): """ derived method to check if member interfaces are enslaved properly """ @@ -73,6 +74,7 @@ class WirelessInterfaceTest(BasicInterfaceTest.BaseTest): self.session.set(self._base_path + [interface, 'ssid', ssid]) self.session.set(self._base_path + [interface, 'type', 'access-point']) self.session.set(self._base_path + [interface, 'channel', channel]) + self.session.set(self._base_path + [interface, 'country-code', 'SE']) # auto-powersave is special self.session.set(self._base_path + [interface, 'capabilities', 'ht', 'auto-powersave']) @@ -114,6 +116,8 @@ class WirelessInterfaceTest(BasicInterfaceTest.BaseTest): # # Validate Config # + tmp = get_config_value(interface, 'interface') + self.assertEqual(interface, tmp) # ssid tmp = get_config_value(interface, 'ssid') @@ -138,6 +142,74 @@ class WirelessInterfaceTest(BasicInterfaceTest.BaseTest): # Check for running process self.assertTrue(process_named_running('hostapd')) + def test_hostapd_wpa_config(self): + """ Check if hostapd config is properly generated """ + + # Only set the hostapd (access-point) options + interface = 'wlan0' + phy = 'phy0' + ssid = 'ssid' + channel = '0' + wpa_key = 'VyOSVyOSVyOS' + mode = 'n' + country = 'DE' + + self.session.set(self._base_path + [interface, 'physical-device', phy]) + self.session.set(self._base_path + [interface, 'type', 'access-point']) + self.session.set(self._base_path + [interface, 'mode', mode]) + + # SSID must be set + with self.assertRaises(ConfigSessionError): + self.session.commit() + self.session.set(self._base_path + [interface, 'ssid', ssid]) + + # Channel must be set + with self.assertRaises(ConfigSessionError): + self.session.commit() + self.session.set(self._base_path + [interface, 'channel', channel]) + + # Country-Code must be set + with self.assertRaises(ConfigSessionError): + self.session.commit() + self.session.set(self._base_path + [interface, 'country-code', country]) + + self.session.set(self._base_path + [interface, 'security', 'wpa', 'mode', 'wpa2']) + self.session.set(self._base_path + [interface, 'security', 'wpa', 'passphrase', wpa_key]) + + self.session.commit() + + # + # Validate Config + # + tmp = get_config_value(interface, 'interface') + self.assertEqual(interface, tmp) + + tmp = get_config_value(interface, 'hw_mode') + # rewrite special mode + if mode == 'n': mode = 'g' + self.assertEqual(mode, tmp) + + # WPA key + tmp = get_config_value(interface, 'wpa') + self.assertEqual('2', tmp) + tmp = get_config_value(interface, 'wpa_passphrase') + self.assertEqual(wpa_key, tmp) + + # SSID + tmp = get_config_value(interface, 'ssid') + self.assertEqual(ssid, tmp) + + # channel + tmp = get_config_value(interface, 'channel') + self.assertEqual(channel, tmp) + + # Country code + tmp = get_config_value(interface, 'country_code') + self.assertEqual(country, tmp) + + # Check for running process + self.assertTrue(process_named_running('hostapd')) + if __name__ == '__main__': check_kmod('mac80211_hwsim') unittest.main() diff --git a/smoketest/scripts/cli/test_nat.py b/smoketest/scripts/cli/test_nat.py index b5bde743b..43392bde3 100755 --- a/smoketest/scripts/cli/test_nat.py +++ b/smoketest/scripts/cli/test_nat.py @@ -22,7 +22,7 @@ import unittest from vyos.configsession import ConfigSession from vyos.configsession import ConfigSessionError from vyos.util import cmd -from vyos.util import vyos_dict_search +from vyos.util import dict_search base_path = ['nat'] src_path = base_path + ['source'] @@ -73,10 +73,10 @@ class TestNAT(unittest.TestCase): self.assertEqual(data['family'], 'ip') self.assertEqual(data['table'], 'nat') - iface = vyos_dict_search('match.right', data['expr'][0]) - direction = vyos_dict_search('match.left.payload.field', data['expr'][1]) - address = vyos_dict_search('match.right.prefix.addr', data['expr'][1]) - mask = vyos_dict_search('match.right.prefix.len', data['expr'][1]) + iface = dict_search('match.right', data['expr'][0]) + direction = dict_search('match.left.payload.field', data['expr'][1]) + address = dict_search('match.right.prefix.addr', data['expr'][1]) + mask = dict_search('match.right.prefix.len', data['expr'][1]) if int(rule) < 200: self.assertEqual(direction, 'saddr') @@ -127,11 +127,11 @@ class TestNAT(unittest.TestCase): self.assertEqual(data['family'], 'ip') self.assertEqual(data['table'], 'nat') - iface = vyos_dict_search('match.right', data['expr'][0]) - direction = vyos_dict_search('match.left.payload.field', data['expr'][1]) - protocol = vyos_dict_search('match.left.payload.protocol', data['expr'][1]) - dnat_addr = vyos_dict_search('dnat.addr', data['expr'][3]) - dnat_port = vyos_dict_search('dnat.port', data['expr'][3]) + iface = dict_search('match.right', data['expr'][0]) + direction = dict_search('match.left.payload.field', data['expr'][1]) + protocol = dict_search('match.left.payload.protocol', data['expr'][1]) + dnat_addr = dict_search('dnat.addr', data['expr'][3]) + dnat_port = dict_search('dnat.port', data['expr'][3]) self.assertEqual(direction, 'sport') self.assertEqual(dnat_addr, '192.0.2.1') diff --git a/smoketest/scripts/cli/test_service_snmp.py b/smoketest/scripts/cli/test_service_snmp.py index 067a3c76b..2c2e2181b 100755 --- a/smoketest/scripts/cli/test_service_snmp.py +++ b/smoketest/scripts/cli/test_service_snmp.py @@ -18,10 +18,10 @@ import os import re import unittest -from vyos.validate import is_ipv4 from vyos.configsession import ConfigSession from vyos.configsession import ConfigSessionError +from vyos.template import is_ipv4 from vyos.util import read_file from vyos.util import process_named_running diff --git a/smoketest/scripts/cli/test_service_ssh.py b/smoketest/scripts/cli/test_service_ssh.py index 0cd00ccce..ea70d8e03 100755 --- a/smoketest/scripts/cli/test_service_ssh.py +++ b/smoketest/scripts/cli/test_service_ssh.py @@ -20,12 +20,14 @@ import unittest from vyos.configsession import ConfigSession from vyos.configsession import ConfigSessionError -from vyos.util import read_file +from vyos.util import cmd from vyos.util import process_named_running +from vyos.util import read_file PROCESS_NAME = 'sshd' SSHD_CONF = '/run/ssh/sshd_config' base_path = ['service', 'ssh'] +vrf = 'ssh-test' def get_config_value(key): tmp = read_file(SSHD_CONF) @@ -44,6 +46,8 @@ class TestServiceSSH(unittest.TestCase): self.session.delete(base_path) # restore "plain" SSH access self.session.set(base_path) + # delete VRF + self.session.delete(['vrf', 'name', vrf]) self.session.commit() del self.session @@ -129,5 +133,31 @@ class TestServiceSSH(unittest.TestCase): # Check for running process self.assertTrue(process_named_running(PROCESS_NAME)) + def test_ssh_vrf(self): + """ Check if SSH service can be bound to given VRF """ + port = '22' + self.session.set(base_path + ['port', port]) + self.session.set(base_path + ['vrf', vrf]) + + # VRF does yet not exist - an error must be thrown + with self.assertRaises(ConfigSessionError): + self.session.commit() + + self.session.set(['vrf', 'name', vrf, 'table', '1001']) + + # commit changes + self.session.commit() + + # Check configured port + tmp = get_config_value('Port') + self.assertIn(port, tmp) + + # Check for running process + self.assertTrue(process_named_running(PROCESS_NAME)) + + # Check for process in VRF + tmp = cmd(f'ip vrf pids {vrf}') + self.assertIn(PROCESS_NAME, tmp) + if __name__ == '__main__': unittest.main() diff --git a/smoketest/scripts/cli/test_service_tftp-server.py b/smoketest/scripts/cli/test_service_tftp-server.py index 92333392a..3210e622f 100755 --- a/smoketest/scripts/cli/test_service_tftp-server.py +++ b/smoketest/scripts/cli/test_service_tftp-server.py @@ -24,7 +24,7 @@ from vyos.configsession import ConfigSession from vyos.configsession import ConfigSessionError from vyos.util import read_file from vyos.util import process_named_running -from vyos.validate import is_ipv6 +from vyos.template import is_ipv6 PROCESS_NAME = 'in.tftpd' base_path = ['service', 'tftp-server'] diff --git a/smoketest/scripts/cli/test_system_ntp.py b/smoketest/scripts/cli/test_system_ntp.py index 4f62b62d5..822a9aff2 100755 --- a/smoketest/scripts/cli/test_system_ntp.py +++ b/smoketest/scripts/cli/test_system_ntp.py @@ -20,8 +20,8 @@ import unittest from vyos.configsession import ConfigSession from vyos.configsession import ConfigSessionError -from vyos.template import vyos_address_from_cidr -from vyos.template import vyos_netmask_from_cidr +from vyos.template import address_from_cidr +from vyos.template import netmask_from_cidr from vyos.util import read_file from vyos.util import process_named_running @@ -86,8 +86,8 @@ class TestSystemNTP(unittest.TestCase): # Check generated client address configuration for network in networks: - network_address = vyos_address_from_cidr(network) - network_netmask = vyos_netmask_from_cidr(network) + network_address = address_from_cidr(network) + network_netmask = netmask_from_cidr(network) tmp = get_config_value(f'restrict {network_address}')[0] test = f'mask {network_netmask} nomodify notrap nopeer' |