From bd102eac6d0c97a5f75324d1248814ebdad42da5 Mon Sep 17 00:00:00 2001
From: Christian Poessinger <christian@poessinger.com>
Date: Mon, 15 Aug 2022 20:04:29 +0200
Subject: smoketest: ocserv: implement config file validation

---
 smoketest/scripts/cli/test_vpn_openconnect.py | 75 +++++++++++++++++++++------
 1 file changed, 60 insertions(+), 15 deletions(-)

(limited to 'smoketest/scripts/cli')

diff --git a/smoketest/scripts/cli/test_vpn_openconnect.py b/smoketest/scripts/cli/test_vpn_openconnect.py
index bda279342..094812791 100755
--- a/smoketest/scripts/cli/test_vpn_openconnect.py
+++ b/smoketest/scripts/cli/test_vpn_openconnect.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2020 VyOS maintainers and contributors
+# Copyright (C) 2020-2022 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -19,6 +19,7 @@ import unittest
 from base_vyostest_shim import VyOSUnitTestSHIM
 
 from vyos.util import process_named_running
+from vyos.util import read_file
 
 OCSERV_CONF = '/run/ocserv/ocserv.conf'
 base_path = ['vpn', 'openconnect']
@@ -46,36 +47,80 @@ MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgPLpD0Ohhoq0g4nhx
 u8/3jHMM7sDwL3aWzW/zp54/LhCWUoLMjDdDEEigK4fal4ZF9aA9F0Ww
 """
 
-class TestVpnOpenconnect(VyOSUnitTestSHIM.TestCase):
+PROCESS_NAME = 'ocserv-main'
+config_file = '/run/ocserv/ocserv.conf'
+auth_file = '/run/ocserv/ocpasswd'
+otp_file = '/run/ocserv/users.oath'
+
+class TestVPNOpenConnect(VyOSUnitTestSHIM.TestCase):
+    @classmethod
+    def setUpClass(cls):
+        super(TestVPNOpenConnect, cls).setUpClass()
+
+        # ensure we can also run this test on a live system - so lets clean
+        # out the current configuration :)
+        cls.cli_delete(cls, base_path)
+
+        cls.cli_set(cls, pki_path + ['ca', 'openconnect', 'certificate', cert_data.replace('\n','')])
+        cls.cli_set(cls, pki_path + ['certificate', 'openconnect', 'certificate', cert_data.replace('\n','')])
+        cls.cli_set(cls, pki_path + ['certificate', 'openconnect', 'private', 'key', key_data.replace('\n','')])
+
+    @classmethod
+    def tearDownClass(cls):
+        cls.cli_delete(cls, pki_path)
+        super(TestVPNOpenConnect, cls).tearDownClass()
+
     def tearDown(self):
-        # Delete vpn openconnect configuration
-        self.cli_delete(pki_path)
+        self.assertTrue(process_named_running(PROCESS_NAME))
+
         self.cli_delete(base_path)
         self.cli_commit()
 
-    def test_vpn(self):
+        self.assertFalse(process_named_running(PROCESS_NAME))
+
+    def test_ocserv(self):
         user = 'vyos_user'
         password = 'vyos_pass'
         otp = '37500000026900000000200000000000'
-
-        self.cli_delete(pki_path)
-        self.cli_delete(base_path)
-
-        self.cli_set(pki_path + ['ca', 'openconnect', 'certificate', cert_data.replace('\n','')])
-        self.cli_set(pki_path + ['certificate', 'openconnect', 'certificate', cert_data.replace('\n','')])
-        self.cli_set(pki_path + ['certificate', 'openconnect', 'private', 'key', key_data.replace('\n','')])
+        v4_subnet = '192.0.2.0/24'
+        v6_prefix = '2001:db8:1000::/64'
+        v6_len = '126'
+        name_server = ['1.2.3.4', '1.2.3.5', '2001:db8::1']
+        split_dns = ['vyos.net', 'vyos.io']
 
         self.cli_set(base_path + ['authentication', 'local-users', 'username', user, 'password', password])
         self.cli_set(base_path + ['authentication', 'local-users', 'username', user, 'otp', 'key', otp])
         self.cli_set(base_path + ['authentication', 'mode', 'local', 'password-otp'])
-        self.cli_set(base_path + ['network-settings', 'client-ip-settings', 'subnet', '192.0.2.0/24'])
+
+        self.cli_set(base_path + ['network-settings', 'client-ip-settings', 'subnet', v4_subnet])
+        self.cli_set(base_path + ['network-settings', 'client-ipv6-pool', 'prefix', v6_prefix])
+        self.cli_set(base_path + ['network-settings', 'client-ipv6-pool', 'mask', v6_len])
+
+        for ns in name_server:
+            self.cli_set(base_path + ['network-settings', 'name-server', ns])
+
         self.cli_set(base_path + ['ssl', 'ca-certificate', 'openconnect'])
         self.cli_set(base_path + ['ssl', 'certificate', 'openconnect'])
 
         self.cli_commit()
 
-        # Check for running process
-        self.assertTrue(process_named_running('ocserv-main'))
+        # Verify configuration
+        daemon_config = read_file(config_file)
+
+        # authentication mode local password-otp
+        self.assertIn(f'auth = "plain[passwd=/run/ocserv/ocpasswd,otp=/run/ocserv/users.oath]"', daemon_config)
+        self.assertIn(f'ipv4-network = {v4_subnet}', daemon_config)
+        self.assertIn(f'ipv6-network = {v6_prefix}', daemon_config)
+        self.assertIn(f'ipv6-subnet-prefix = {v6_len}', daemon_config)
+
+        for ns in name_server:
+            self.assertIn(f'dns = {ns}', daemon_config)
+
+        auth_config = read_file(auth_file)
+        self.assertIn(f'{user}:*:$', auth_config)
+
+        otp_config = read_file(otp_file)
+        self.assertIn(f'HOTP/T30/6 {user} - {otp}', otp_config)
 
 if __name__ == '__main__':
     unittest.main(verbosity=2)
-- 
cgit v1.2.3