diff options
Diffstat (limited to 'smoketest')
| -rwxr-xr-x | smoketest/bin/vyos-configtest | 82 | ||||
| -rw-r--r-- | smoketest/configs/pppoe-client | 62 | ||||
| -rw-r--r-- | smoketest/configs/pppoe-server | 94 | ||||
| -rw-r--r-- | smoketest/scripts/cli/base_accel_ppp_test.py | 20 | ||||
| -rw-r--r-- | smoketest/scripts/cli/base_interfaces_test.py | 33 | ||||
| -rwxr-xr-x | smoketest/scripts/cli/test_interfaces_openvpn.py | 374 | ||||
| -rwxr-xr-x | smoketest/scripts/cli/test_nat.py | 20 | ||||
| -rwxr-xr-x | smoketest/scripts/cli/test_service_ssh.py | 32 |
8 files changed, 679 insertions, 38 deletions
diff --git a/smoketest/bin/vyos-configtest b/smoketest/bin/vyos-configtest new file mode 100755 index 000000000..3e42b0380 --- /dev/null +++ b/smoketest/bin/vyos-configtest @@ -0,0 +1,82 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2020 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +import os +import sys +import time +import logging +import unittest + +from vyos.configsession import ConfigSession, ConfigSessionError +from vyos import ConfigError + +config_dir = '/usr/libexec/vyos/tests/config' +save_config = '/tmp/vyos-configtest-save' + +class DynamicClassBase(unittest.TestCase): + def setUp(self): + self._start_time = time.time() + self.session = ConfigSession(os.getpid()) + self.session.save_config(save_config) + + def tearDown(self): + self.session.migrate_and_load_config(save_config) + self.session.commit() + log.info(f" time: {time.time() - self._start_time:.3f}") + del self.session + try: + os.remove(save_config) + except OSError: + pass + +def make_test_function(filename): + def test_config_load(self): + config_path = os.path.join(config_dir, filename) + self.session.migrate_and_load_config(config_path) + try: + self.session.commit() + except (ConfigError, ConfigSessionError): + self.session.discard() + self.fail() + return test_config_load + +def class_name_from_func_name(s): + res = ''.join(str.capitalize(x) for x in s.split('_')) + return res + +if __name__ == '__main__': + logging.basicConfig(stream=sys.stdout, level=logging.DEBUG, + format='%(message)s') + log = logging.getLogger("TestConfigLog") + + start_time = time.time() + log.info("Generating tests") + + (_, _, config_list) = next(iter(os.walk(config_dir))) + config_list.sort() + + for config in config_list: + test_func = make_test_function(config) + + func_name = config.replace('-', '_') + klassname = f'TestConfig{class_name_from_func_name(func_name)}' + globals()[klassname] = type(klassname, + (DynamicClassBase,), + {f'test_{func_name}': test_func}) + + log.info(f"... completed: {time.time() - start_time:.6f}") + + unittest.main(verbosity=2) diff --git a/smoketest/configs/pppoe-client b/smoketest/configs/pppoe-client new file mode 100644 index 000000000..ef6a26423 --- /dev/null +++ b/smoketest/configs/pppoe-client @@ -0,0 +1,62 @@ +interfaces { + ethernet eth0 { + } + loopback lo { + } + pppoe pppoe0 { + authentication { + password bar + user foo + } + connect-on-demand + default-route auto + mtu 1492 + source-interface eth0 + } +} +service { + ssh { + } +} +system { + config-management { + commit-revisions 100 + } + console { + device ttyS0 { + speed 115200 + } + } + host-name vyos + login { + user vyos { + authentication { + encrypted-password $6$2Ta6TWHd/U$NmrX0x9kexCimeOcYK1MfhMpITF9ELxHcaBU/znBq.X2ukQOj61fVI2UYP/xBzP4QtiTcdkgs7WOQMHWsRymO/ + plaintext-password "" + } + } + } + ntp { + server 0.pool.ntp.org { + } + server 1.pool.ntp.org { + } + server 2.pool.ntp.org { + } + } + syslog { + global { + facility all { + level info + } + facility protocols { + level debug + } + } + } +} + + +// Warning: Do not remove the following line. +// vyos-config-version: "broadcast-relay@1:cluster@1:config-management@1:conntrack@1:conntrack-sync@1:dhcp-relay@2:dhcp-server@5:dhcpv6-server@1:dns-forwarding@3:firewall@5:https@2:interfaces@13:ipoe-server@1:ipsec@5:l2tp@3:lldp@1:mdns@1:nat@5:ntp@1:pppoe-server@5:pptp@2:qos@1:quagga@6:salt@1:snmp@2:ssh@2:sstp@3:system@19:vrrp@2:vyos-accel-ppp@2:wanloadbalance@3:webgui@1:webproxy@2:zone-policy@1" +// Release version: 1.3-rolling-202010241631 diff --git a/smoketest/configs/pppoe-server b/smoketest/configs/pppoe-server new file mode 100644 index 000000000..7e4ccc80e --- /dev/null +++ b/smoketest/configs/pppoe-server @@ -0,0 +1,94 @@ +interfaces { + ethernet eth0 { + address dhcp + } + ethernet eth1 { + address 192.168.0.1/24 + } + ethernet eth2 { + } + loopback lo { + } +} +nat { + source { + rule 100 { + outbound-interface eth0 + source { + address 192.168.0.0/24 + } + translation { + address masquerade + } + } + } +} +service { + pppoe-server { + access-concentrator ACN + authentication { + local-users { + username foo { + password bar + rate-limit { + download 20480 + upload 10240 + } + } + } + mode local + } + client-ip-pool { + start 192.168.0.100 + stop 192.168.0.200 + } + gateway-address 192.168.0.2 + interface eth2 { + } + name-server 192.168.0.1 + } + ssh { + } +} +system { + config-management { + commit-revisions 100 + } + console { + device ttyS0 { + speed 115200 + } + } + host-name vyos + login { + user vyos { + authentication { + encrypted-password $6$O5gJRlDYQpj$MtrCV9lxMnZPMbcxlU7.FI793MImNHznxGoMFgm3Q6QP3vfKJyOSRCt3Ka/GzFQyW1yZS4NS616NLHaIPPFHc0 + plaintext-password "" + } + } + } + ntp { + server 0.pool.ntp.org { + } + server 1.pool.ntp.org { + } + server 2.pool.ntp.org { + } + } + syslog { + global { + facility all { + level info + } + facility protocols { + level debug + } + } + } +} + + +// Warning: Do not remove the following line. +// vyos-config-version: "broadcast-relay@1:cluster@1:config-management@1:conntrack@1:conntrack-sync@1:dhcp-relay@2:dhcp-server@5:dhcpv6-server@1:dns-forwarding@3:firewall@5:https@2:interfaces@13:ipoe-server@1:ipsec@5:l2tp@3:lldp@1:mdns@1:nat@5:ntp@1:pppoe-server@5:pptp@2:qos@1:quagga@6:salt@1:snmp@2:ssh@2:sstp@3:system@19:vrrp@2:vyos-accel-ppp@2:wanloadbalance@3:webgui@1:webproxy@2:zone-policy@1" +// Release version: 1.3-rolling-202010260127 diff --git a/smoketest/scripts/cli/base_accel_ppp_test.py b/smoketest/scripts/cli/base_accel_ppp_test.py index 56cbf1dd4..e3e5071c1 100644 --- a/smoketest/scripts/cli/base_accel_ppp_test.py +++ b/smoketest/scripts/cli/base_accel_ppp_test.py @@ -192,3 +192,23 @@ class BasicAccelPPPTest: # Check for running process self.assertTrue(process_named_running(self._process_name)) + + # + # Disable Radius Accounting + # + self.delete(['authentication', 'radius', 'server', radius_server, 'acct-port']) + self.set(['authentication', 'radius', 'server', radius_server, 'disable-accounting']) + + # commit changes + self.session.commit() + + conf.read(self._config_file) + + server = conf['radius']['server'].split(',') + self.assertEqual(radius_server, server[0]) + self.assertEqual(radius_key, server[1]) + self.assertEqual(f'auth-port={radius_port}', server[2]) + self.assertEqual(f'acct-port=0', server[3]) + self.assertEqual(f'req-limit=0', server[4]) + self.assertEqual(f'fail-time=0', server[5]) + diff --git a/smoketest/scripts/cli/base_interfaces_test.py b/smoketest/scripts/cli/base_interfaces_test.py index c6bb5bd1a..653cc91f9 100644 --- a/smoketest/scripts/cli/base_interfaces_test.py +++ b/smoketest/scripts/cli/base_interfaces_test.py @@ -22,7 +22,7 @@ from vyos.configsession import ConfigSession from vyos.ifconfig import Interface from vyos.util import read_file from vyos.util import cmd -from vyos.util import vyos_dict_search +from vyos.util import dict_search from vyos.validate import is_intf_addr_assigned, is_ipv6_link_local class BasicInterfaceTest: @@ -162,16 +162,45 @@ class BasicInterfaceTest: """ Testcase if MTU can be changed on interface """ if not self._test_mtu: return None + + for intf in self._interfaces: + base = self._base_path + [intf] + self.session.set(base + ['mtu', self._mtu]) + for option in self._options.get(intf, []): + self.session.set(base + option.split()) + + # commit interface changes + self.session.commit() + + # verify changed MTU + for intf in self._interfaces: + self._mtu_test(intf) + + def test_change_mtu_1200(self): + """ Testcase if MTU can be changed to 1200 on non IPv6 enabled interfaces """ + if not self._test_mtu: + return None + + old_mtu = self._mtu + self._mtu = '1200' + for intf in self._interfaces: base = self._base_path + [intf] self.session.set(base + ['mtu', self._mtu]) + self.session.set(base + ['ipv6', 'address', 'no-default-link-local']) + for option in self._options.get(intf, []): self.session.set(base + option.split()) + # commit interface changes self.session.commit() + + # verify changed MTU for intf in self._interfaces: self._mtu_test(intf) + self._mtu = old_mtu + def test_8021q_vlan(self): """ Testcase for 802.1q VLAN interfaces """ if not self._test_vlan: @@ -219,7 +248,7 @@ class BasicInterfaceTest: for interface in self._interfaces: for vif_s in self._qinq_range: tmp = json.loads(cmd(f'ip -d -j link show dev {interface}.{vif_s}'))[0] - self.assertEqual(vyos_dict_search('linkinfo.info_data.protocol', tmp), '802.1ad') + self.assertEqual(dict_search('linkinfo.info_data.protocol', tmp), '802.1ad') for vif_c in self._vlan_range: vif = f'{interface}.{vif_s}.{vif_c}' diff --git a/smoketest/scripts/cli/test_interfaces_openvpn.py b/smoketest/scripts/cli/test_interfaces_openvpn.py index 5cc62e3e2..9ffb945b9 100755 --- a/smoketest/scripts/cli/test_interfaces_openvpn.py +++ b/smoketest/scripts/cli/test_interfaces_openvpn.py @@ -26,6 +26,9 @@ from vyos.configsession import ConfigSessionError from vyos.util import cmd from vyos.util import process_named_running from vyos.util import read_file +from vyos.template import vyos_inc_ip +from vyos.template import vyos_netmask_from_cidr +from vyos.template import vyos_last_host_address PROCESS_NAME = 'openvpn' @@ -35,13 +38,15 @@ ssl_cert = '/config/auth/ovpn_test_server.pem' ssl_key = '/config/auth/ovpn_test_server.key' dh_pem = '/config/auth/ovpn_test_dh.pem' s2s_key = '/config/auth/ovpn_test_site2site.key' +auth_key = '/config/auth/ovpn_test_tls_auth.key' remote_port = '1194' protocol = 'udp' path = [] interface = '' remote_host = '' -vrf_name = 'mgmt' +vrf_name = 'orange' +dummy_if = 'dum1301' def get_vrf(interface): for upper in glob(f'/sys/class/net/{interface}/upper*'): @@ -54,20 +59,88 @@ def get_vrf(interface): class TestInterfacesOpenVPN(unittest.TestCase): def setUp(self): self.session = ConfigSession(os.getpid()) - self.session.set(['interfaces', 'dummy', 'dum1328', 'address', '192.0.2.1/24']) + self.session.set(['interfaces', 'dummy', dummy_if, 'address', '192.0.2.1/32']) self.session.set(['vrf', 'name', vrf_name, 'table', '12345']) def tearDown(self): self.session.delete(base_path) - self.session.delete(['interfaces', 'dummy', 'dum1328']) - self.session.delete(['vrf', 'name', vrf_name]) + self.session.delete(['interfaces', 'dummy', dummy_if]) + self.session.delete(['vrf']) self.session.commit() del self.session - def test_client_interfaces(self): - """ Create OpenVPN client interfaces connecting to different - server IP addresses. Validate configuration afterwards. """ + def test_client_verify(self): + """ + Create OpenVPN client interface and test verify() steps. + """ + interface = 'vtun2000' + path = base_path + [interface] + self.session.set(path + ['mode', 'client']) + + # check validate() - cannot specify both "encryption disable-ncp" and + # "encryption ncp-ciphers" at the same time + self.session.set(path + ['encryption', 'disable-ncp']) + self.session.set(path + ['encryption', 'ncp-ciphers', 'aes192gcm']) + + with self.assertRaises(ConfigSessionError): + self.session.commit() + self.session.delete(path + ['encryption', 'ncp-ciphers']) + + # check validate() - cannot specify local-port in client mode + self.session.set(path + ['local-port', '5000']) + with self.assertRaises(ConfigSessionError): + self.session.commit() + self.session.delete(path + ['local-port']) + + # check validate() - cannot specify local-host in client mode + self.session.set(path + ['local-host', '127.0.0.1']) + with self.assertRaises(ConfigSessionError): + self.session.commit() + self.session.delete(path + ['local-host']) + + # check validate() - cannot specify protocol tcp-passive in client mode + self.session.set(path + ['protocol', 'tcp-passive']) + with self.assertRaises(ConfigSessionError): + self.session.commit() + self.session.delete(path + ['protocol']) + + # check validate() - remote-host must be set in client mode + with self.assertRaises(ConfigSessionError): + self.session.commit() + self.session.set(path + ['remote-host', '192.0.9.9']) + + # check validate() - cannot specify "tls dh-file" in client mode + self.session.set(path + ['tls', 'dh-file', dh_pem]) + with self.assertRaises(ConfigSessionError): + self.session.commit() + self.session.delete(path + ['tls']) + + # check validate() - must specify one of "shared-secret-key-file" and "tls" + with self.assertRaises(ConfigSessionError): + self.session.commit() + self.session.set(path + ['shared-secret-key-file', s2s_key]) + + # check validate() - must specify one of "shared-secret-key-file" and "tls" + with self.assertRaises(ConfigSessionError): + self.session.commit() + self.session.delete(path + ['shared-secret-key-file', s2s_key]) + + self.session.set(path + ['tls', 'ca-cert-file', ca_cert]) + self.session.set(path + ['tls', 'cert-file', ssl_cert]) + self.session.set(path + ['tls', 'key-file', ssl_key]) + + # client commit must pass + self.session.commit() + + self.assertTrue(process_named_running(PROCESS_NAME)) + self.assertIn(interface, interfaces()) + + def test_client_interfaces(self): + """ + Create OpenVPN client interfaces connecting to different + server IP addresses. Validate configuration afterwards. + """ num_range = range(10, 15) for ii in num_range: interface = f'vtun{ii}' @@ -122,11 +195,121 @@ class TestInterfacesOpenVPN(unittest.TestCase): interface = f'vtun{ii}' self.assertNotIn(interface, interfaces()) + def test_server_verify(self): + """ + Create one OpenVPN server interface and check required verify() stages + """ + interface = 'vtun5000' + path = base_path + [interface] + + # check validate() - must speciy operating mode + self.session.set(path) + with self.assertRaises(ConfigSessionError): + self.session.commit() + self.session.set(path + ['mode', 'server']) + + # check validate() - cannot specify protocol tcp-active in server mode + self.session.set(path + ['protocol', 'tcp-active']) + with self.assertRaises(ConfigSessionError): + self.session.commit() + self.session.delete(path + ['protocol']) + + # check validate() - cannot specify local-port in client mode + self.session.set(path + ['remote-port', '5000']) + with self.assertRaises(ConfigSessionError): + self.session.commit() + self.session.delete(path + ['remote-port']) + + # check validate() - cannot specify local-host in client mode + self.session.set(path + ['remote-host', '127.0.0.1']) + with self.assertRaises(ConfigSessionError): + self.session.commit() + self.session.delete(path + ['remote-host']) + + # check validate() - must specify "tls dh-file" when not using EC keys + # in server mode + with self.assertRaises(ConfigSessionError): + self.session.commit() + self.session.set(path + ['tls', 'dh-file', dh_pem]) + + # check validate() - must specify "server subnet" or add interface to + # bridge in server mode + with self.assertRaises(ConfigSessionError): + self.session.commit() + + # check validate() - server client-ip-pool is too large + # [100.64.0.4 -> 100.127.255.251 = 4194295], maximum is 65536 addresses. + self.session.set(path + ['server', 'subnet', '100.64.0.0/10']) + with self.assertRaises(ConfigSessionError): + self.session.commit() + + # check validate() - cannot specify more than 1 IPv4 and 1 IPv6 server subnet + self.session.set(path + ['server', 'subnet', '100.64.0.0/20']) + with self.assertRaises(ConfigSessionError): + self.session.commit() + self.session.delete(path + ['server', 'subnet', '100.64.0.0/10']) + + # check validate() - must specify "tls ca-cert-file" + with self.assertRaises(ConfigSessionError): + self.session.commit() + self.session.set(path + ['tls', 'ca-cert-file', ca_cert]) + + # check validate() - must specify "tls cert-file" + with self.assertRaises(ConfigSessionError): + self.session.commit() + self.session.set(path + ['tls', 'cert-file', ssl_cert]) + + # check validate() - must specify "tls key-file" + with self.assertRaises(ConfigSessionError): + self.session.commit() + self.session.set(path + ['tls', 'key-file', ssl_key]) + + # check validate() - cannot specify "tls role" in client-server mode' + self.session.set(path + ['tls', 'role', 'active']) + with self.assertRaises(ConfigSessionError): + self.session.commit() + + # check validate() - cannot specify "tls role" in client-server mode' + self.session.set(path + ['tls', 'auth-file', auth_key]) + with self.assertRaises(ConfigSessionError): + self.session.commit() + + # check validate() - cannot specify "tcp-passive" when "tls role" is "active" + self.session.set(path + ['protocol', 'tcp-passive']) + with self.assertRaises(ConfigSessionError): + self.session.commit() + self.session.delete(path + ['protocol']) + + # check validate() - cannot specify "tls dh-file" when "tls role" is "active" + self.session.set(path + ['tls', 'dh-file', dh_pem]) + with self.assertRaises(ConfigSessionError): + self.session.commit() + self.session.delete(path + ['tls', 'dh-file']) + + # Now test the other path with tls role passive + self.session.set(path + ['tls', 'role', 'passive']) + # check validate() - cannot specify "tcp-active" when "tls role" is "passive" + self.session.set(path + ['protocol', 'tcp-active']) + with self.assertRaises(ConfigSessionError): + self.session.commit() + self.session.delete(path + ['protocol']) + + + # check validate() - must specify "tls dh-file" when "tls role" is "passive" + with self.assertRaises(ConfigSessionError): + self.session.commit() + self.session.set(path + ['tls', 'dh-file', dh_pem]) - def test_server_interfaces(self): - """ Create OpenVPN server interfaces using different client subnets. - Validate configuration afterwards. """ + self.session.commit() + + self.assertTrue(process_named_running(PROCESS_NAME)) + self.assertIn(interface, interfaces()) + def test_server_subnet_topology(self): + """ + Create OpenVPN server interfaces using different client subnets. + Validate configuration afterwards. + """ auth_hash = 'sha256' num_range = range(20, 25) port = '' @@ -142,6 +325,8 @@ class TestInterfacesOpenVPN(unittest.TestCase): self.session.set(path + ['mode', 'server']) self.session.set(path + ['local-port', port]) self.session.set(path + ['server', 'subnet', subnet]) + self.session.set(path + ['server', 'topology', 'subnet']) + self.session.set(path + ['replace-default-route']) self.session.set(path + ['tls', 'ca-cert-file', ca_cert]) self.session.set(path + ['tls', 'cert-file', ssl_cert]) self.session.set(path + ['tls', 'key-file', ssl_key]) @@ -153,6 +338,82 @@ class TestInterfacesOpenVPN(unittest.TestCase): for ii in num_range: interface = f'vtun{ii}' subnet = f'192.0.{ii}.0/24' + start_addr = vyos_inc_ip(subnet, '2') + stop_addr = vyos_last_host_address(subnet) + port = str(2000 + ii) + + config_file = f'/run/openvpn/{interface}.conf' + config = read_file(config_file) + + self.assertIn(f'dev {interface}', config) + self.assertIn(f'dev-type tun', config) + self.assertIn(f'persist-key', config) + self.assertIn(f'proto udp', config) # default protocol + self.assertIn(f'auth {auth_hash}', config) + self.assertIn(f'cipher aes-192-cbc', config) + self.assertIn(f'topology subnet', config) + self.assertIn(f'lport {port}', config) + self.assertIn(f'push "redirect-gateway def1"', config) + + # TLS options + self.assertIn(f'ca {ca_cert}', config) + self.assertIn(f'cert {ssl_cert}', config) + self.assertIn(f'key {ssl_key}', config) + self.assertIn(f'dh {dh_pem}', config) + + # IP pool configuration + netmask = IPv4Network(subnet).netmask + network = IPv4Network(subnet).network_address + self.assertIn(f'server {network} {netmask} nopool', config) + self.assertIn(f'ifconfig-pool {start_addr} {stop_addr}', config) + + self.assertTrue(process_named_running(PROCESS_NAME)) + self.assertEqual(get_vrf(interface), vrf_name) + self.assertIn(interface, interfaces()) + + # check that no interface remained after deleting them + self.session.delete(base_path) + self.session.commit() + + for ii in num_range: + interface = f'vtun{ii}' + self.assertNotIn(interface, interfaces()) + + def test_server_net30_topology(self): + """ + Create OpenVPN server interfaces (net30) using different client + subnets. Validate configuration afterwards. + """ + auth_hash = 'sha256' + num_range = range(20, 25) + port = '' + for ii in num_range: + interface = f'vtun{ii}' + subnet = f'192.0.{ii}.0/24' + path = base_path + [interface] + port = str(2000 + ii) + + self.session.set(path + ['device-type', 'tun']) + self.session.set(path + ['encryption', 'cipher', 'aes192']) + self.session.set(path + ['hash', auth_hash]) + self.session.set(path + ['mode', 'server']) + self.session.set(path + ['local-port', port]) + self.session.set(path + ['server', 'subnet', subnet]) + self.session.set(path + ['server', 'topology', 'net30']) + self.session.set(path + ['replace-default-route']) + self.session.set(path + ['tls', 'ca-cert-file', ca_cert]) + self.session.set(path + ['tls', 'cert-file', ssl_cert]) + self.session.set(path + ['tls', 'key-file', ssl_key]) + self.session.set(path + ['tls', 'dh-file', dh_pem]) + self.session.set(path + ['vrf', vrf_name]) + + self.session.commit() + + for ii in num_range: + interface = f'vtun{ii}' + subnet = f'192.0.{ii}.0/24' + start_addr = vyos_inc_ip(subnet, '4') + stop_addr = vyos_last_host_address(subnet) port = str(2000 + ii) config_file = f'/run/openvpn/{interface}.conf' @@ -166,6 +427,7 @@ class TestInterfacesOpenVPN(unittest.TestCase): self.assertIn(f'cipher aes-192-cbc', config) self.assertIn(f'topology net30', config) self.assertIn(f'lport {port}', config) + self.assertIn(f'push "redirect-gateway def1"', config) # TLS options self.assertIn(f'ca {ca_cert}', config) @@ -177,6 +439,7 @@ class TestInterfacesOpenVPN(unittest.TestCase): netmask = IPv4Network(subnet).netmask network = IPv4Network(subnet).network_address self.assertIn(f'server {network} {netmask} nopool', config) + self.assertIn(f'ifconfig-pool {start_addr} {stop_addr}', config) self.assertTrue(process_named_running(PROCESS_NAME)) self.assertEqual(get_vrf(interface), vrf_name) @@ -190,9 +453,69 @@ class TestInterfacesOpenVPN(unittest.TestCase): interface = f'vtun{ii}' self.assertNotIn(interface, interfaces()) + def test_site2site_verify(self): + """ + Create one OpenVPN site2site interface and check required verify() stages + """ + interface = 'vtun5000' + path = base_path + [interface] + + self.session.set(path + ['mode', 'site-to-site']) + + # check validate() - encryption ncp-ciphers cannot be specified in site-to-site mode + self.session.set(path + ['encryption', 'ncp-ciphers', 'aes192gcm']) + with self.assertRaises(ConfigSessionError): + self.session.commit() + self.session.delete(path + ['encryption']) + + # check validate() - must specify "local-address" or add interface to bridge + with self.assertRaises(ConfigSessionError): + self.session.commit() + self.session.set(path + ['local-address', '10.0.0.1']) + self.session.set(path + ['local-address', '2001:db8:1::1']) + + # check validate() - cannot specify more than 1 IPv4 local-address + self.session.set(path + ['local-address', '10.0.0.2']) + with self.assertRaises(ConfigSessionError): + self.session.commit() + self.session.delete(path + ['local-address', '10.0.0.2']) + + # check validate() - cannot specify more than 1 IPv6 local-address + self.session.set(path + ['local-address', '2001:db8:1::2']) + with self.assertRaises(ConfigSessionError): + self.session.commit() + self.session.delete(path + ['local-address', '2001:db8:1::2']) + + # check validate() - IPv4 "local-address" requires IPv4 "remote-address" + # or IPv4 "local-address subnet" + with self.assertRaises(ConfigSessionError): + self.session.commit() + self.session.set(path + ['remote-address', '192.168.0.1']) + self.session.set(path + ['remote-address', '2001:db8:ffff::1']) + + # check validate() - Cannot specify more than 1 IPv4 "remote-address" + self.session.set(path + ['remote-address', '192.168.0.2']) + with self.assertRaises(ConfigSessionError): + self.session.commit() + self.session.delete(path + ['remote-address', '192.168.0.2']) + + # check validate() - Cannot specify more than 1 IPv6 "remote-address" + self.session.set(path + ['remote-address', '2001:db8:ffff::2']) + with self.assertRaises(ConfigSessionError): + self.session.commit() + self.session.delete(path + ['remote-address', '2001:db8:ffff::2']) + + # check validate() - Must specify one of "shared-secret-key-file" and "tls" + with self.assertRaises(ConfigSessionError): + self.session.commit() + self.session.set(path + ['shared-secret-key-file', s2s_key]) + + self.session.commit() def test_site2site_interfaces(self): - """ Create two OpenVPN site-to-site interfaces """ + """ + Create two OpenVPN site-to-site interfaces + """ num_range = range(30, 35) port = '' local_address = '' @@ -250,32 +573,33 @@ if __name__ == '__main__': subject = '/C=DE/ST=BY/O=VyOS/localityName=Cloud/commonName=vyos/' \ 'organizationalUnitName=VyOS/emailAddress=maintainers@vyos.io/' - if (not os.path.isfile(ssl_key) and not os.path.isfile(ssl_cert) and - not os.path.isfile(ca_cert) and not os.path.isfile(dh_pem) and - not os.path.isfile(s2s_key)): - + if not (os.path.isfile(ssl_key) and os.path.isfile(ssl_cert)): # Generate mandatory SSL certificate tmp = f'openssl req -newkey rsa:4096 -new -nodes -x509 -days 3650 '\ f'-keyout {ssl_key} -out {ssl_cert} -subj {subject}' - out = cmd(tmp) - print(out) + print(cmd(tmp)) + if not os.path.isfile(ca_cert): # Generate "CA" tmp = f'openssl req -new -x509 -key {ssl_key} -out {ca_cert} -subj {subject}' - out = cmd(tmp) - print(out) + print(cmd(tmp)) + if not os.path.isfile(dh_pem): # Generate "DH" key tmp = f'openssl dhparam -out {dh_pem} 2048' - out = cmd(tmp) - print(out) + print(cmd(tmp)) + if not os.path.isfile(s2s_key): # Generate site-2-site key tmp = f'openvpn --genkey --secret {s2s_key}' - out = cmd(tmp) - print(out) + print(cmd(tmp)) + + if not os.path.isfile(auth_key): + # Generate TLS auth key + tmp = f'openvpn --genkey --secret {auth_key}' + print(cmd(tmp)) - for file in [ca_cert, ssl_cert, ssl_key, dh_pem, s2s_key]: - cmd(f'sudo chown openvpn:openvpn {file}') + for file in [ca_cert, ssl_cert, ssl_key, dh_pem, s2s_key, auth_key]: + cmd(f'sudo chown openvpn:openvpn {file}') unittest.main() diff --git a/smoketest/scripts/cli/test_nat.py b/smoketest/scripts/cli/test_nat.py index b5bde743b..43392bde3 100755 --- a/smoketest/scripts/cli/test_nat.py +++ b/smoketest/scripts/cli/test_nat.py @@ -22,7 +22,7 @@ import unittest from vyos.configsession import ConfigSession from vyos.configsession import ConfigSessionError from vyos.util import cmd -from vyos.util import vyos_dict_search +from vyos.util import dict_search base_path = ['nat'] src_path = base_path + ['source'] @@ -73,10 +73,10 @@ class TestNAT(unittest.TestCase): self.assertEqual(data['family'], 'ip') self.assertEqual(data['table'], 'nat') - iface = vyos_dict_search('match.right', data['expr'][0]) - direction = vyos_dict_search('match.left.payload.field', data['expr'][1]) - address = vyos_dict_search('match.right.prefix.addr', data['expr'][1]) - mask = vyos_dict_search('match.right.prefix.len', data['expr'][1]) + iface = dict_search('match.right', data['expr'][0]) + direction = dict_search('match.left.payload.field', data['expr'][1]) + address = dict_search('match.right.prefix.addr', data['expr'][1]) + mask = dict_search('match.right.prefix.len', data['expr'][1]) if int(rule) < 200: self.assertEqual(direction, 'saddr') @@ -127,11 +127,11 @@ class TestNAT(unittest.TestCase): self.assertEqual(data['family'], 'ip') self.assertEqual(data['table'], 'nat') - iface = vyos_dict_search('match.right', data['expr'][0]) - direction = vyos_dict_search('match.left.payload.field', data['expr'][1]) - protocol = vyos_dict_search('match.left.payload.protocol', data['expr'][1]) - dnat_addr = vyos_dict_search('dnat.addr', data['expr'][3]) - dnat_port = vyos_dict_search('dnat.port', data['expr'][3]) + iface = dict_search('match.right', data['expr'][0]) + direction = dict_search('match.left.payload.field', data['expr'][1]) + protocol = dict_search('match.left.payload.protocol', data['expr'][1]) + dnat_addr = dict_search('dnat.addr', data['expr'][3]) + dnat_port = dict_search('dnat.port', data['expr'][3]) self.assertEqual(direction, 'sport') self.assertEqual(dnat_addr, '192.0.2.1') diff --git a/smoketest/scripts/cli/test_service_ssh.py b/smoketest/scripts/cli/test_service_ssh.py index 0cd00ccce..ea70d8e03 100755 --- a/smoketest/scripts/cli/test_service_ssh.py +++ b/smoketest/scripts/cli/test_service_ssh.py @@ -20,12 +20,14 @@ import unittest from vyos.configsession import ConfigSession from vyos.configsession import ConfigSessionError -from vyos.util import read_file +from vyos.util import cmd from vyos.util import process_named_running +from vyos.util import read_file PROCESS_NAME = 'sshd' SSHD_CONF = '/run/ssh/sshd_config' base_path = ['service', 'ssh'] +vrf = 'ssh-test' def get_config_value(key): tmp = read_file(SSHD_CONF) @@ -44,6 +46,8 @@ class TestServiceSSH(unittest.TestCase): self.session.delete(base_path) # restore "plain" SSH access self.session.set(base_path) + # delete VRF + self.session.delete(['vrf', 'name', vrf]) self.session.commit() del self.session @@ -129,5 +133,31 @@ class TestServiceSSH(unittest.TestCase): # Check for running process self.assertTrue(process_named_running(PROCESS_NAME)) + def test_ssh_vrf(self): + """ Check if SSH service can be bound to given VRF """ + port = '22' + self.session.set(base_path + ['port', port]) + self.session.set(base_path + ['vrf', vrf]) + + # VRF does yet not exist - an error must be thrown + with self.assertRaises(ConfigSessionError): + self.session.commit() + + self.session.set(['vrf', 'name', vrf, 'table', '1001']) + + # commit changes + self.session.commit() + + # Check configured port + tmp = get_config_value('Port') + self.assertIn(port, tmp) + + # Check for running process + self.assertTrue(process_named_running(PROCESS_NAME)) + + # Check for process in VRF + tmp = cmd(f'ip vrf pids {vrf}') + self.assertIn(PROCESS_NAME, tmp) + if __name__ == '__main__': unittest.main() |