mirror of
https://gitlab.com/openconnect/ocserv.git
synced 2024-09-21 02:17:23 +00:00
Allow selecting group by URL or profile
This introduces the 'select-group-by-url' config option that allows selecting an authgroup just by connecting to a dedicated URI. Signed-off-by: Marcin Ochab <marcin.ochab@gmail.com> Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
This commit is contained in:
parent
72b8e19cac
commit
3f966ae8ca
3
NEWS
3
NEWS
@ -1,5 +1,8 @@
|
||||
* Version 1.2.5 (unreleased)
|
||||
- Bump the number of groups per account from 128 to 512 (#219)
|
||||
- Allow connecting users to select an authgroup by appending the
|
||||
group name to the URL, as in https://vpn.example.com/groupname;
|
||||
this introduces the select-group-by-url config option.
|
||||
|
||||
|
||||
* Version 1.2.4 (released 2024-01-22)
|
||||
|
@ -589,11 +589,22 @@ no-route = 192.168.5.0/255.255.255.0
|
||||
# Groups that a client is allowed to select from.
|
||||
# A client may belong in multiple groups, and in certain use-cases
|
||||
# it is needed to switch between them. For these cases the client can
|
||||
# select prior to authentication. Add multiple entries for multiple groups.
|
||||
# select
|
||||
# 1. during authentication via a dropdown menu
|
||||
# 2. by connecting to a url like vpn.example.com/group_name
|
||||
# (when select-group-by-url is true)
|
||||
#
|
||||
# Add multiple entries for multiple groups. Note that the
|
||||
# groups are global and cannot be overridden per vhost.
|
||||
# The group may be followed by a user-friendly name in brackets.
|
||||
#select-group = group1
|
||||
#select-group = group2[My special group]
|
||||
|
||||
# Allow easy selection of the authgroup by the user by enabling
|
||||
# a URL such as vpn.example.com/group_name that the user can
|
||||
# connect, that will not prompt for the group. Default is disabled.
|
||||
#select-group-by-url = false
|
||||
|
||||
# The name of the (virtual) group that if selected it would assign the user
|
||||
# to its default group.
|
||||
#default-select-group = DEFAULT
|
||||
@ -668,6 +679,7 @@ no-route = 192.168.5.0/255.255.255.0
|
||||
# <HostEntry>
|
||||
# <HostName>VPN Server name</HostName>
|
||||
# <HostAddress>localhost</HostAddress>
|
||||
# <UserGroup>group_name</UserGroup>
|
||||
# </HostEntry>
|
||||
# </ServerList>
|
||||
# </AnyConnectProfile>
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright (C) 2013-2018 Nikos Mavrogiannopoulos
|
||||
* Copyright (C) 2013-2023 Nikos Mavrogiannopoulos
|
||||
* Copyright (C) 2014, 2015 Red Hat, Inc.
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
@ -1099,6 +1099,8 @@ static int cfg_ini_handler(void *_ctx, const char *section, const char *name, co
|
||||
READ_MULTI_LINE(config->network.no_routes, config->network.no_routes_size);
|
||||
} else if (strcmp(name, "default-select-group") == 0) {
|
||||
READ_STRING(config->default_select_group);
|
||||
} else if (strcmp(name, "select-group-by-url") == 0) {
|
||||
READ_TF(config->select_group_by_url);
|
||||
} else if (strcmp(name, "auto-select-group") == 0) {
|
||||
READ_TF(vhost->auto_select_group);
|
||||
} else if (strcmp(name, "select-group") == 0) {
|
||||
@ -1528,6 +1530,11 @@ static void check_cfg(vhost_cfg_st *vhost, vhost_cfg_st *defvhost, unsigned sile
|
||||
fprintf(stderr, NOTESTR"%sthe cisco-client-compat option implies dtls-legacy = true; enabling\n", PREFIX_VHOST(vhost));
|
||||
}
|
||||
config->dtls_legacy = 1;
|
||||
|
||||
if (!config->select_group_by_url && !silent) {
|
||||
fprintf(stderr, NOTESTR"%sthe cisco-client-compat option implies select-group-by-url = true; enabling\n", PREFIX_VHOST(vhost));
|
||||
}
|
||||
config->select_group_by_url = 1;
|
||||
}
|
||||
|
||||
if (config->match_dtls_and_tls) {
|
||||
|
@ -251,6 +251,7 @@ struct cfg_st {
|
||||
|
||||
char **friendly_group_list; /* the same size as group_list_size */
|
||||
|
||||
unsigned select_group_by_url;
|
||||
char *default_select_group;
|
||||
|
||||
char **custom_header;
|
||||
|
@ -362,7 +362,8 @@ int get_auth_handler2(worker_st * ws, unsigned http_ver, const char *pmsg, unsig
|
||||
}
|
||||
}
|
||||
|
||||
if (WSCONFIG(ws)->default_select_group) {
|
||||
/* we send a list of possible groups only if user is not forcing group e.g. by url to disable dialog on client side */
|
||||
if (ws->groupname[0] == 0 && WSCONFIG(ws)->default_select_group) {
|
||||
ret = str_append_printf(&str, "<option>%s</option>\n", WSCONFIG(ws)->default_select_group);
|
||||
if (ret < 0) {
|
||||
ret = -1;
|
||||
@ -397,15 +398,17 @@ int get_auth_handler2(worker_st * ws, unsigned http_ver, const char *pmsg, unsig
|
||||
}
|
||||
}
|
||||
|
||||
/* we send a list of possible groups only if user is not forcing group e.g. by url to disable dialog on client side */
|
||||
if (ws->groupname[0] == 0) {
|
||||
for (i=0;i<WSCONFIG(ws)->group_list_size;i++) {
|
||||
if (ws->groupname[0] != 0 && strcmp(ws->groupname, WSCONFIG(ws)->group_list[i]) == 0)
|
||||
continue;
|
||||
|
||||
for (i=0;i<WSCONFIG(ws)->group_list_size;i++) {
|
||||
if (ws->groupname[0] != 0 && strcmp(ws->groupname, WSCONFIG(ws)->group_list[i]) == 0)
|
||||
continue;
|
||||
|
||||
ret = append_group_idx(ws, &str, i);
|
||||
if (ret < 0) {
|
||||
ret = -1;
|
||||
goto cleanup;
|
||||
ret = append_group_idx(ws, &str, i);
|
||||
if (ret < 0) {
|
||||
ret = -1;
|
||||
goto cleanup;
|
||||
}
|
||||
}
|
||||
}
|
||||
ret = str_append_str(&str, "</select>\n");
|
||||
@ -1467,15 +1470,26 @@ int post_auth_handler(worker_st * ws, unsigned http_ver)
|
||||
if (ws->auth_state == S_AUTH_INACTIVE) {
|
||||
SecAuthInitMsg ireq = SEC_AUTH_INIT_MSG__INIT;
|
||||
|
||||
ret = parse_reply(ws, req->body, req->body_length,
|
||||
GROUPNAME_FIELD, sizeof(GROUPNAME_FIELD)-1,
|
||||
GROUPNAME_FIELD_XML, sizeof(GROUPNAME_FIELD_XML)-1,
|
||||
&groupname);
|
||||
/* If the URL is not a known one and more than a character, we parse it as a group indicator */
|
||||
if (WSCONFIG(ws)->select_group_by_url != 0 &&
|
||||
http_post_known_service_check(ws, req->url) == NULL && strlen(req->url) > 1) {
|
||||
groupname = talloc_strdup(ws->req.body, req->url+1);
|
||||
ret = 0;
|
||||
|
||||
}
|
||||
|
||||
if (ret < 0) {
|
||||
ret = parse_reply(ws, req->body, req->body_length,
|
||||
GROUPNAME_FIELD2, sizeof(GROUPNAME_FIELD2)-1,
|
||||
GROUPNAME_FIELD, sizeof(GROUPNAME_FIELD)-1,
|
||||
GROUPNAME_FIELD_XML, sizeof(GROUPNAME_FIELD_XML)-1,
|
||||
&groupname);
|
||||
|
||||
if (ret < 0) {
|
||||
ret = parse_reply(ws, req->body, req->body_length,
|
||||
GROUPNAME_FIELD2, sizeof(GROUPNAME_FIELD2)-1,
|
||||
GROUPNAME_FIELD_XML, sizeof(GROUPNAME_FIELD_XML)-1,
|
||||
&groupname);
|
||||
}
|
||||
}
|
||||
|
||||
if (ret < 0) {
|
||||
|
@ -726,7 +726,7 @@ url_handler_fn http_get_url_handler(const char *url)
|
||||
return NULL;
|
||||
}
|
||||
|
||||
url_handler_fn http_post_url_handler(struct worker_st *ws, const char *url)
|
||||
url_handler_fn http_post_known_service_check(struct worker_st *ws, const char *url)
|
||||
{
|
||||
const struct known_urls_st *p;
|
||||
unsigned len = strlen(url);
|
||||
@ -751,6 +751,18 @@ url_handler_fn http_post_url_handler(struct worker_st *ws, const char *url)
|
||||
return NULL;
|
||||
}
|
||||
|
||||
url_handler_fn http_post_url_handler(struct worker_st *ws, const char *url)
|
||||
{
|
||||
url_handler_fn h;
|
||||
|
||||
h = http_post_known_service_check(ws, url);
|
||||
if (h == NULL && ws->auth_state == S_AUTH_INACTIVE) {
|
||||
return post_auth_handler;
|
||||
}
|
||||
|
||||
return h;
|
||||
}
|
||||
|
||||
int http_url_cb(http_parser * parser, const char *at, size_t length)
|
||||
{
|
||||
struct worker_st *ws = parser->data;
|
||||
|
@ -379,6 +379,7 @@ unsigned valid_hostname(const char *host);
|
||||
|
||||
url_handler_fn http_get_url_handler(const char *url);
|
||||
url_handler_fn http_post_url_handler(worker_st * ws, const char *url);
|
||||
url_handler_fn http_post_known_service_check(worker_st * ws, const char *url);
|
||||
|
||||
int complete_vpn_info(worker_st * ws,
|
||||
struct vpn_st* vinfo);
|
||||
|
@ -29,7 +29,8 @@ EXTRA_DIST = certs/ca-key.pem certs/ca.pem ns.sh common.sh certs/server-cert.pem
|
||||
data/haproxy-connect.cfg data/test-haproxy-connect.config scripts/vpnc-script \
|
||||
data/test-traffic.config data/test-compression-lzs.config data/test-compression-lz4.config \
|
||||
certs/crl.pem server-cert-rsa-pss data/test-gssapi-opt-cert.config data/test-ciphers.config \
|
||||
cipher-common.sh data/config-per-group.config data/group-config/tost \
|
||||
cipher-common.sh data/config-per-group.config data/config-per-group-url-cert.config \
|
||||
data/config-per-group-url-pass.config data/group-config/tost \
|
||||
data/raddb/access_reject data/raddb/accounting_response data/raddb/access_challenge data/raddb/acct_users \
|
||||
data/raddb/clients.conf data/raddb/radiusd.conf.in data/raddb/users \
|
||||
data/radiusclient/dictionary data/radiusclient/radiusclient.conf \
|
||||
@ -40,7 +41,7 @@ EXTRA_DIST = certs/ca-key.pem certs/ca.pem ns.sh common.sh certs/server-cert.pem
|
||||
connect-ios-script data/apple-ios.config certs/kerberos-cert.pem \
|
||||
data/kdc.conf data/krb5.conf data/k5.KERBEROS.TEST data/kadm5.acl \
|
||||
data/ipv6-iface.config data/no-route-default.config data/no-route-group.config \
|
||||
data/group-config/group1 data/test-namespace-listen.config data/disconnect-user.config \
|
||||
data/group-config/group1 data/group-config/group2 data/test-namespace-listen.config data/disconnect-user.config \
|
||||
data/disconnect-user2.config data/ping-leases.config data/haproxy-proxyproto.config \
|
||||
data/haproxy-proxyproto.cfg scripts/proxy-connectscript data/haproxy-proxyproto-v1.config \
|
||||
data/haproxy-proxyproto-v1.cfg scripts/proxy-connectscript-v1 data/test-multiple-client-ip.config \
|
||||
@ -76,7 +77,9 @@ endif
|
||||
dist_check_SCRIPTS += traffic lz4-compression lzs-compression \
|
||||
aes256-cipher aes128-cipher oc-aes256-gcm-cipher oc-aes128-gcm-cipher \
|
||||
test-config-per-group ac-aes128-gcm-cipher ac-aes256-gcm-cipher \
|
||||
no-dtls-cipher psk-negotiate psk-negotiate-match test-multiple-client-ip
|
||||
no-dtls-cipher psk-negotiate psk-negotiate-match test-multiple-client-ip \
|
||||
test-config-per-group-url-pass test-config-per-group-url-cert
|
||||
|
||||
if RADIUS_ENABLED
|
||||
dist_check_SCRIPTS += radius
|
||||
endif
|
||||
|
180
tests/data/config-per-group-url-cert.config
Normal file
180
tests/data/config-per-group-url-cert.config
Normal file
@ -0,0 +1,180 @@
|
||||
# User authentication method. Could be set multiple times and in that case
|
||||
# all should succeed.
|
||||
# Options: certificate, pam.
|
||||
auth = "certificate"
|
||||
#auth = "plain[@SRCDIR@/data/test1.passwd]"
|
||||
#auth = "pam"
|
||||
|
||||
select-group = group1
|
||||
select-group = group2
|
||||
select-group-by-url = true
|
||||
|
||||
isolate-workers = false
|
||||
max-ban-score = 0
|
||||
|
||||
# A banner to be displayed on clients
|
||||
#banner = "Welcome"
|
||||
|
||||
# Use listen-host to limit to specific IPs or to the IPs of a provided hostname.
|
||||
#listen-host = @ADDRESS@
|
||||
|
||||
# Limit the number of clients. Unset or set to zero for unlimited.
|
||||
#max-clients = 1024
|
||||
max-clients = 16
|
||||
|
||||
# Limit the number of client connections to one every X milliseconds
|
||||
# (X is the provided value). Set to zero for no limit.
|
||||
#rate-limit-ms = 100
|
||||
|
||||
# Limit the number of identical clients (i.e., users connecting multiple times)
|
||||
# Unset or set to zero for unlimited.
|
||||
max-same-clients = 2
|
||||
|
||||
# TCP and UDP port number
|
||||
tcp-port = @PORT@
|
||||
udp-port = @PORT@
|
||||
|
||||
# Keepalive in seconds
|
||||
keepalive = 32400
|
||||
|
||||
# Dead peer detection in seconds
|
||||
dpd = 440
|
||||
|
||||
# MTU discovery (DPD must be enabled)
|
||||
try-mtu-discovery = false
|
||||
|
||||
# The key and the certificates of the server
|
||||
# The key may be a file, or any URL supported by GnuTLS (e.g.,
|
||||
# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
|
||||
# or pkcs11:object=my-vpn-key;object-type=private)
|
||||
#
|
||||
# There may be multiple certificate and key pairs and each key
|
||||
# should correspond to the preceding certificate.
|
||||
server-cert = @SRCDIR@/certs/server-cert.pem
|
||||
server-key = @SRCDIR@/certs/server-key.pem
|
||||
|
||||
# Diffie-Hellman parameters. Only needed if you require support
|
||||
# for the DHE ciphersuites (by default this server supports ECDHE).
|
||||
# Can be generated using:
|
||||
# certtool --generate-dh-params --outfile /path/to/dh.pem
|
||||
#dh-params = /path/to/dh.pem
|
||||
|
||||
# If you have a certificate from a CA that provides an OCSP
|
||||
# service you may provide a fresh OCSP status response within
|
||||
# the TLS handshake. That will prevent the client from connecting
|
||||
# independently on the OCSP server.
|
||||
# You can update this response periodically using:
|
||||
# ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response
|
||||
# Make sure that you replace the following file in an atomic way.
|
||||
#ocsp-response = /path/to/ocsp.der
|
||||
|
||||
# In case PKCS #11 or TPM keys are used the PINs should be available
|
||||
# in files. The srk-pin-file is applicable to TPM keys only (It's the storage
|
||||
# root key).
|
||||
#pin-file = /path/to/pin.txt
|
||||
#srk-pin-file = /path/to/srkpin.txt
|
||||
|
||||
# The Certificate Authority that will be used
|
||||
# to verify clients if certificate authentication
|
||||
# is set.
|
||||
ca-cert = @SRCDIR@/certs/ca.pem
|
||||
|
||||
# The object identifier that will be used to read the user ID in the client certificate.
|
||||
# The object identifier should be part of the certificate's DN
|
||||
# Useful OIDs are:
|
||||
# CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1
|
||||
cert-user-oid = 0.9.2342.19200300.100.1.1
|
||||
|
||||
# The object identifier that will be used to read the user group in the client
|
||||
# certificate. The object identifier should be part of the certificate's DN
|
||||
# Useful OIDs are:
|
||||
# OU (organizational unit) = 2.5.4.11
|
||||
cert-group-oid = 2.5.4.11
|
||||
|
||||
# A revocation list of ca-cert is set
|
||||
#crl = /path/to/crl.pem
|
||||
|
||||
# GnuTLS priority string
|
||||
tls-priorities = "PERFORMANCE:%SERVER_PRECEDENCE:%COMPAT"
|
||||
|
||||
# To enforce perfect forward secrecy (PFS) on the main channel.
|
||||
#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA"
|
||||
|
||||
# The time (in seconds) that a client is allowed to stay connected prior
|
||||
# to authentication
|
||||
auth-timeout = 40
|
||||
|
||||
# The time (in seconds) that a client is not allowed to reconnect after
|
||||
# a failed authentication attempt.
|
||||
#min-reauth-time = 2
|
||||
|
||||
# Script to call when a client connects and obtains an IP
|
||||
# Parameters are passed on the environment.
|
||||
# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client),
|
||||
# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
|
||||
# in the P-t-P connection), IP_REMOTE (the VPN IP of the client). REASON
|
||||
# may be "connect" or "disconnect".
|
||||
#connect-script = /usr/bin/myscript
|
||||
#disconnect-script = /usr/bin/myscript
|
||||
|
||||
# UTMP
|
||||
#use-utmp = true
|
||||
use-occtl = true
|
||||
|
||||
# The default server directory. Does not require any devices present.
|
||||
#chroot-dir = /path/to/chroot
|
||||
|
||||
socket-file = ./ocserv-socket
|
||||
|
||||
occtl-socket-file = @OCCTL_SOCKET@
|
||||
|
||||
# The user the worker processes will be run as. It should be
|
||||
# unique (no other services run as this user).
|
||||
run-as-user = @USERNAME@
|
||||
run-as-group = @GROUP@
|
||||
|
||||
# Network settings
|
||||
|
||||
device = vpns
|
||||
|
||||
# The default domain to be advertised
|
||||
default-domain = example.com
|
||||
|
||||
ipv4-network = @VPNNET@
|
||||
|
||||
ipv6-network = @VPNNET6@
|
||||
|
||||
# Use the keyword local to advertise the local P-t-P address as DNS server
|
||||
ipv4-dns = 192.168.1.1
|
||||
|
||||
# The NBNS server (if any)
|
||||
#ipv4-nbns = 192.168.2.3
|
||||
|
||||
# Prior to leasing any IP from the pool ping it to verify that
|
||||
# it is not in use by another (unrelated to this server) host.
|
||||
ping-leases = false
|
||||
|
||||
# Leave empty to assign the default MTU of the device
|
||||
# mtu =
|
||||
|
||||
route = @ROUTE1@
|
||||
#route = 192.168.5.0/255.255.255.0
|
||||
|
||||
#
|
||||
# The following options are for (experimental) AnyConnect client
|
||||
# compatibility. They are only available if the server is built
|
||||
# with --enable-anyconnect
|
||||
#
|
||||
|
||||
# Client profile xml. A sample file exists in doc/profile.xml.
|
||||
# This file must be accessible from inside the worker's chroot.
|
||||
# The profile is ignored by the openconnect client.
|
||||
#user-profile = profile.xml
|
||||
|
||||
# Unless set to false it is required for clients to present their
|
||||
# certificate even if they are authenticating via a previously granted
|
||||
# cookie. Legacy CISCO clients do not do that, and thus this option
|
||||
# should be set for them.
|
||||
cisco-client-compat = true
|
||||
|
||||
config-per-group = @SRCDIR@/data/group-config/
|
180
tests/data/config-per-group-url-pass.config
Normal file
180
tests/data/config-per-group-url-pass.config
Normal file
@ -0,0 +1,180 @@
|
||||
# User authentication method. Could be set multiple times and in that case
|
||||
# all should succeed.
|
||||
# Options: certificate, pam.
|
||||
#auth = "certificate"
|
||||
auth = "plain[@SRCDIR@/data/test1.passwd]"
|
||||
#auth = "pam"
|
||||
|
||||
select-group = group1
|
||||
select-group = group2
|
||||
select-group-by-url = true
|
||||
|
||||
isolate-workers = false
|
||||
max-ban-score = 0
|
||||
|
||||
# A banner to be displayed on clients
|
||||
#banner = "Welcome"
|
||||
|
||||
# Use listen-host to limit to specific IPs or to the IPs of a provided hostname.
|
||||
#listen-host = @ADDRESS@
|
||||
|
||||
# Limit the number of clients. Unset or set to zero for unlimited.
|
||||
#max-clients = 1024
|
||||
max-clients = 16
|
||||
|
||||
# Limit the number of client connections to one every X milliseconds
|
||||
# (X is the provided value). Set to zero for no limit.
|
||||
#rate-limit-ms = 100
|
||||
|
||||
# Limit the number of identical clients (i.e., users connecting multiple times)
|
||||
# Unset or set to zero for unlimited.
|
||||
max-same-clients = 2
|
||||
|
||||
# TCP and UDP port number
|
||||
tcp-port = @PORT@
|
||||
udp-port = @PORT@
|
||||
|
||||
# Keepalive in seconds
|
||||
keepalive = 32400
|
||||
|
||||
# Dead peer detection in seconds
|
||||
dpd = 440
|
||||
|
||||
# MTU discovery (DPD must be enabled)
|
||||
try-mtu-discovery = false
|
||||
|
||||
# The key and the certificates of the server
|
||||
# The key may be a file, or any URL supported by GnuTLS (e.g.,
|
||||
# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
|
||||
# or pkcs11:object=my-vpn-key;object-type=private)
|
||||
#
|
||||
# There may be multiple certificate and key pairs and each key
|
||||
# should correspond to the preceding certificate.
|
||||
server-cert = @SRCDIR@/certs/server-cert.pem
|
||||
server-key = @SRCDIR@/certs/server-key.pem
|
||||
|
||||
# Diffie-Hellman parameters. Only needed if you require support
|
||||
# for the DHE ciphersuites (by default this server supports ECDHE).
|
||||
# Can be generated using:
|
||||
# certtool --generate-dh-params --outfile /path/to/dh.pem
|
||||
#dh-params = /path/to/dh.pem
|
||||
|
||||
# If you have a certificate from a CA that provides an OCSP
|
||||
# service you may provide a fresh OCSP status response within
|
||||
# the TLS handshake. That will prevent the client from connecting
|
||||
# independently on the OCSP server.
|
||||
# You can update this response periodically using:
|
||||
# ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response
|
||||
# Make sure that you replace the following file in an atomic way.
|
||||
#ocsp-response = /path/to/ocsp.der
|
||||
|
||||
# In case PKCS #11 or TPM keys are used the PINs should be available
|
||||
# in files. The srk-pin-file is applicable to TPM keys only (It's the storage
|
||||
# root key).
|
||||
#pin-file = /path/to/pin.txt
|
||||
#srk-pin-file = /path/to/srkpin.txt
|
||||
|
||||
# The Certificate Authority that will be used
|
||||
# to verify clients if certificate authentication
|
||||
# is set.
|
||||
ca-cert = @SRCDIR@/certs/ca.pem
|
||||
|
||||
# The object identifier that will be used to read the user ID in the client certificate.
|
||||
# The object identifier should be part of the certificate's DN
|
||||
# Useful OIDs are:
|
||||
# CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1
|
||||
cert-user-oid = 0.9.2342.19200300.100.1.1
|
||||
|
||||
# The object identifier that will be used to read the user group in the client
|
||||
# certificate. The object identifier should be part of the certificate's DN
|
||||
# Useful OIDs are:
|
||||
# OU (organizational unit) = 2.5.4.11
|
||||
cert-group-oid = 2.5.4.11
|
||||
|
||||
# A revocation list of ca-cert is set
|
||||
#crl = /path/to/crl.pem
|
||||
|
||||
# GnuTLS priority string
|
||||
tls-priorities = "PERFORMANCE:%SERVER_PRECEDENCE:%COMPAT"
|
||||
|
||||
# To enforce perfect forward secrecy (PFS) on the main channel.
|
||||
#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA"
|
||||
|
||||
# The time (in seconds) that a client is allowed to stay connected prior
|
||||
# to authentication
|
||||
auth-timeout = 40
|
||||
|
||||
# The time (in seconds) that a client is not allowed to reconnect after
|
||||
# a failed authentication attempt.
|
||||
#min-reauth-time = 2
|
||||
|
||||
# Script to call when a client connects and obtains an IP
|
||||
# Parameters are passed on the environment.
|
||||
# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client),
|
||||
# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
|
||||
# in the P-t-P connection), IP_REMOTE (the VPN IP of the client). REASON
|
||||
# may be "connect" or "disconnect".
|
||||
#connect-script = /usr/bin/myscript
|
||||
#disconnect-script = /usr/bin/myscript
|
||||
|
||||
# UTMP
|
||||
#use-utmp = true
|
||||
use-occtl = true
|
||||
|
||||
# The default server directory. Does not require any devices present.
|
||||
#chroot-dir = /path/to/chroot
|
||||
|
||||
socket-file = ./ocserv-socket
|
||||
|
||||
occtl-socket-file = @OCCTL_SOCKET@
|
||||
|
||||
# The user the worker processes will be run as. It should be
|
||||
# unique (no other services run as this user).
|
||||
run-as-user = @USERNAME@
|
||||
run-as-group = @GROUP@
|
||||
|
||||
# Network settings
|
||||
|
||||
device = vpns
|
||||
|
||||
# The default domain to be advertised
|
||||
default-domain = example.com
|
||||
|
||||
ipv4-network = @VPNNET@
|
||||
|
||||
ipv6-network = @VPNNET6@
|
||||
|
||||
# Use the keyword local to advertise the local P-t-P address as DNS server
|
||||
ipv4-dns = 192.168.1.1
|
||||
|
||||
# The NBNS server (if any)
|
||||
#ipv4-nbns = 192.168.2.3
|
||||
|
||||
# Prior to leasing any IP from the pool ping it to verify that
|
||||
# it is not in use by another (unrelated to this server) host.
|
||||
ping-leases = false
|
||||
|
||||
# Leave empty to assign the default MTU of the device
|
||||
# mtu =
|
||||
|
||||
route = @ROUTE1@
|
||||
#route = 192.168.5.0/255.255.255.0
|
||||
|
||||
#
|
||||
# The following options are for (experimental) AnyConnect client
|
||||
# compatibility. They are only available if the server is built
|
||||
# with --enable-anyconnect
|
||||
#
|
||||
|
||||
# Client profile xml. A sample file exists in doc/profile.xml.
|
||||
# This file must be accessible from inside the worker's chroot.
|
||||
# The profile is ignored by the openconnect client.
|
||||
#user-profile = profile.xml
|
||||
|
||||
# Unless set to false it is required for clients to present their
|
||||
# certificate even if they are authenticating via a previously granted
|
||||
# cookie. Legacy CISCO clients do not do that, and thus this option
|
||||
# should be set for them.
|
||||
cisco-client-compat = true
|
||||
|
||||
config-per-group = @SRCDIR@/data/group-config/
|
2
tests/data/group-config/group2
Normal file
2
tests/data/group-config/group2
Normal file
@ -0,0 +1,2 @@
|
||||
route = 1.1.1.0/24
|
||||
ipv4-dns = 1.1.1.1
|
197
tests/test-config-per-group-url-cert
Executable file
197
tests/test-config-per-group-url-cert
Executable file
@ -0,0 +1,197 @@
|
||||
#!/bin/bash
|
||||
#
|
||||
# Copyright (C) 2018 Nikos Mavrogiannopoulos and Marcin Ochab
|
||||
#
|
||||
# This file is part of ocserv.
|
||||
#
|
||||
# ocserv is free software; you can redistribute it and/or modify it
|
||||
# under the terms of the GNU General Public License as published by the
|
||||
# Free Software Foundation; either version 2 of the License, or (at
|
||||
# your option) any later version.
|
||||
#
|
||||
# ocserv is distributed in the hope that it will be useful, but
|
||||
# WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
# General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
#
|
||||
|
||||
# This tests whether connecting to the VPN via a group on the URL works
|
||||
|
||||
OCCTL="${OCCTL:-../src/occtl/occtl}"
|
||||
SERV="${SERV:-../src/ocserv}"
|
||||
srcdir=${srcdir:-.}
|
||||
PIDFILE=ocserv-pid.$$.tmp
|
||||
CLIPID=oc-pid.$$.tmp
|
||||
PATH=${PATH}:/usr/sbin
|
||||
IP=$(which ip)
|
||||
OUTFILE=traffic.$$.tmp
|
||||
|
||||
. `dirname $0`/common.sh
|
||||
|
||||
eval "${GETPORT}"
|
||||
|
||||
if test -z "${IP}";then
|
||||
echo "no IP tool is present"
|
||||
exit 77
|
||||
fi
|
||||
|
||||
if test "$(id -u)" != "0";then
|
||||
echo "This test must be run as root"
|
||||
exit 77
|
||||
fi
|
||||
|
||||
echo "Testing ocserv connection via haproxy... "
|
||||
|
||||
function finish {
|
||||
set +e
|
||||
echo " * Cleaning up..."
|
||||
test -n "${PIDFILE}" && kill $(cat ${PIDFILE}) && rm -f ${PIDFILE} >/dev/null 2>&1
|
||||
test -n "${CLIPID}" && kill $(cat ${CLIPID}) >/dev/null 2>&1
|
||||
test -n "${CLIPID}" && rm -f ${CLIPID} >/dev/null 2>&1
|
||||
test -n "${CONFIG}" && rm -f ${CONFIG} >/dev/null 2>&1
|
||||
rm -f ${OUTFILE} 2>&1
|
||||
}
|
||||
trap finish EXIT
|
||||
|
||||
# server address
|
||||
ADDRESS=10.204.3.1
|
||||
CLI_ADDRESS=10.204.4.1
|
||||
VPNNET=192.168.14.0/24
|
||||
VPNADDR=192.168.14.1
|
||||
VPNNET6=fd91:6d87:7344:dc6a:dc15::/112
|
||||
VPNADDR6=fd91:6d87:7344:dc6a:dc15::1
|
||||
OCCTL_SOCKET=./occtl-cpg-$$.socket
|
||||
ROUTE1=192.168.14.0/24
|
||||
USERNAME=test
|
||||
PASSWORD=test
|
||||
|
||||
. `dirname $0`/ns.sh
|
||||
|
||||
# Run servers
|
||||
update_config config-per-group-url-cert.config
|
||||
if test "$VERBOSE" = 1;then
|
||||
DEBUG="-d 6"
|
||||
fi
|
||||
|
||||
${CMDNS2} ${SERV} -p ${PIDFILE} -f -c ${CONFIG} ${DEBUG} &
|
||||
|
||||
sleep 4
|
||||
|
||||
echo " * Connecting with user selecting group1 by url..."
|
||||
( ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT}/group1 -u ${USERNAME} --sslkey ${srcdir}/certs/user-group-key.pem -c ${srcdir}/certs/user-group-cert.pem --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} -b )
|
||||
if test $? != 0;then
|
||||
echo "Could not connect to server"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo " * Pinging remote address..."
|
||||
set -e
|
||||
${CMDNS1} ping -c 3 ${VPNADDR} >/dev/null 2>&1
|
||||
|
||||
echo " * Pinging remote IPV6 address..."
|
||||
${CMDNS1} ping -6 -c 3 ${VPNADDR6} >/dev/null 2>&1
|
||||
set +e
|
||||
|
||||
echo " * Checking connected user in occtl output..."
|
||||
${OCCTL} -s ${OCCTL_SOCKET} show users|grep ${USERNAME}
|
||||
if test $? != 0;then
|
||||
${OCCTL} -s ${OCCTL_SOCKET} show users|grep ${USERNAME}
|
||||
echo "occtl didn't find connected user!"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME} >${OUTFILE}
|
||||
if test $? != 0;then
|
||||
${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME}
|
||||
echo "occtl didn't find connected user!"
|
||||
exit 1
|
||||
fi
|
||||
cat $OUTFILE
|
||||
|
||||
echo " * Checking connected user settings in occtl output..."
|
||||
grep "DNS: 1.1.1.1" ${OUTFILE} >/dev/null
|
||||
if test $? = 0;then
|
||||
cat $OUTFILE
|
||||
${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME}
|
||||
echo "occtl show user didn't the right DNS address!"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
grep "1.1.1.0/24" ${OUTFILE}|grep Routes >/dev/null
|
||||
if test $? = 0;then
|
||||
${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME}
|
||||
echo "occtl show user didn't the right routes!"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
grep "No-routes: 192.168.98.0" ${OUTFILE} >/dev/null
|
||||
if test $? != 0;then
|
||||
cat $OUTFILE
|
||||
${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME}
|
||||
echo "occtl show user didn't the right No-routes!"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
test -n "${CLIPID}" && kill $(cat ${CLIPID}) >/dev/null 2>&1
|
||||
sleep 2
|
||||
|
||||
echo " * Connecting with user selecting group2 by url..."
|
||||
( ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT}/group2 -u ${USERNAME} --sslkey ${srcdir}/certs/user-group-key.pem -c ${srcdir}/certs/user-group-cert.pem --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} -b )
|
||||
|
||||
if test $? != 0;then
|
||||
echo "Could not connect to server"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo " * Pinging remote address..."
|
||||
set -e
|
||||
${CMDNS1} ping -c 3 ${VPNADDR} >/dev/null 2>&1
|
||||
|
||||
echo " * Pinging remote IPV6 address..."
|
||||
${CMDNS1} ping -6 -c 3 ${VPNADDR6} >/dev/null 2>&1
|
||||
set +e
|
||||
|
||||
echo " * Checking connected user in occtl output..."
|
||||
${OCCTL} -s ${OCCTL_SOCKET} show users|grep ${USERNAME}
|
||||
if test $? != 0;then
|
||||
echo "occtl didn't find connected user!"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo " * Checking connected user in occtl output..."
|
||||
${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME} >${OUTFILE}
|
||||
if test $? != 0;then
|
||||
${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME}
|
||||
echo "occtl didn't find connected user!"
|
||||
exit 1
|
||||
fi
|
||||
cat $OUTFILE
|
||||
|
||||
echo " * Checking connected user settings in occtl output..."
|
||||
grep "DNS: 1\.1\.1\.1" ${OUTFILE} >/dev/null
|
||||
if test $? != 0;then
|
||||
${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME}
|
||||
echo "occtl show user didn't the right DNS address!"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
grep "1\.1\.1\.0/255\.255\.255\.0" ${OUTFILE}|grep Routes >/dev/null
|
||||
if test $? != 0;then
|
||||
cat $OUTFILE
|
||||
${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME}
|
||||
echo "occtl show user didn't the right routes!"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
|
||||
grep ${CLI_ADDRESS} ${OUTFILE}
|
||||
if test $? != 0;then
|
||||
${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME}
|
||||
echo "occtl show user didn't find client address!"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
exit 0
|
188
tests/test-config-per-group-url-pass
Executable file
188
tests/test-config-per-group-url-pass
Executable file
@ -0,0 +1,188 @@
|
||||
#!/bin/bash
|
||||
#
|
||||
# Copyright (C) 2018 Nikos Mavrogiannopoulos and Marcin Ochab
|
||||
#
|
||||
# This file is part of ocserv.
|
||||
#
|
||||
# ocserv is free software; you can redistribute it and/or modify it
|
||||
# under the terms of the GNU General Public License as published by the
|
||||
# Free Software Foundation; either version 2 of the License, or (at
|
||||
# your option) any later version.
|
||||
#
|
||||
# ocserv is distributed in the hope that it will be useful, but
|
||||
# WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
# General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
#
|
||||
|
||||
# This tests operation/traffic under compression (lzs or lz4).
|
||||
|
||||
OCCTL="${OCCTL:-../src/occtl/occtl}"
|
||||
SERV="${SERV:-../src/ocserv}"
|
||||
srcdir=${srcdir:-.}
|
||||
PIDFILE=ocserv-pid.$$.tmp
|
||||
CLIPID=oc-pid.$$.tmp
|
||||
PATH=${PATH}:/usr/sbin
|
||||
IP=$(which ip)
|
||||
OUTFILE=traffic.$$.tmp
|
||||
|
||||
. `dirname $0`/common.sh
|
||||
|
||||
eval "${GETPORT}"
|
||||
|
||||
if test -z "${IP}";then
|
||||
echo "no IP tool is present"
|
||||
exit 77
|
||||
fi
|
||||
|
||||
if test "$(id -u)" != "0";then
|
||||
echo "This test must be run as root"
|
||||
exit 77
|
||||
fi
|
||||
|
||||
echo "Testing ocserv connection via haproxy... "
|
||||
|
||||
function finish {
|
||||
set +e
|
||||
echo " * Cleaning up..."
|
||||
test -n "${PIDFILE}" && kill $(cat ${PIDFILE}) && rm -f ${PIDFILE} >/dev/null 2>&1
|
||||
test -n "${CLIPID}" && kill $(cat ${CLIPID}) >/dev/null 2>&1
|
||||
test -n "${CLIPID}" && rm -f ${CLIPID} >/dev/null 2>&1
|
||||
test -n "${CONFIG}" && rm -f ${CONFIG} >/dev/null 2>&1
|
||||
rm -f ${OUTFILE} 2>&1
|
||||
}
|
||||
trap finish EXIT
|
||||
|
||||
# server address
|
||||
ADDRESS=10.204.5.1
|
||||
CLI_ADDRESS=10.204.6.1
|
||||
VPNNET=192.168.24.0/24
|
||||
VPNADDR=192.168.24.1
|
||||
VPNNET6=fd91:6d87:7344:dc6a:dc16::/112
|
||||
VPNADDR6=fd91:6d87:7344:dc6a:dc16::1
|
||||
OCCTL_SOCKET=./occtl-cpg-$$.socket
|
||||
ROUTE1=192.168.24.0/24
|
||||
USERNAME=test
|
||||
PASSWORD=test
|
||||
|
||||
. `dirname $0`/ns.sh
|
||||
|
||||
# Run servers
|
||||
update_config config-per-group-url-pass.config
|
||||
if test "$VERBOSE" = 1;then
|
||||
DEBUG="-d 6"
|
||||
fi
|
||||
|
||||
${CMDNS2} ${SERV} -p ${PIDFILE} -f -c ${CONFIG} ${DEBUG} &
|
||||
|
||||
sleep 4
|
||||
|
||||
echo " * Connecting with user selecting group1 by url..."
|
||||
(echo "${PASSWORD}" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT}/group1 -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b )
|
||||
if test $? != 0;then
|
||||
echo "Could not connect to server"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
set -e
|
||||
${CMDNS1} ping -c 3 ${VPNADDR} >/dev/null 2>&1
|
||||
|
||||
${CMDNS1} ping -6 -c 3 ${VPNADDR6} >/dev/null 2>&1
|
||||
set +e
|
||||
|
||||
${OCCTL} -s ${OCCTL_SOCKET} show users|grep ${USERNAME}
|
||||
if test $? != 0;then
|
||||
${OCCTL} -s ${OCCTL_SOCKET} show users|grep ${USERNAME}
|
||||
echo "occtl didn't find connected user!"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME} >${OUTFILE}
|
||||
if test $? != 0;then
|
||||
${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME}
|
||||
echo "occtl didn't find connected user!"
|
||||
exit 1
|
||||
fi
|
||||
cat $OUTFILE
|
||||
|
||||
grep "DNS: 1.1.1.1" ${OUTFILE} >/dev/null
|
||||
if test $? = 0;then
|
||||
cat $OUTFILE
|
||||
${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME}
|
||||
echo "occtl show user didn't the right DNS address!"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
grep "1.1.1.0/24" ${OUTFILE}|grep Routes >/dev/null
|
||||
if test $? = 0;then
|
||||
${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME}
|
||||
echo "occtl show user didn't the right routes!"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
grep "No-routes: 192.168.98.0" ${OUTFILE} >/dev/null
|
||||
if test $? != 0;then
|
||||
cat $OUTFILE
|
||||
${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME}
|
||||
echo "occtl show user didn't the right No-routes!"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
test -n "${CLIPID}" && kill $(cat ${CLIPID}) >/dev/null 2>&1
|
||||
sleep 2
|
||||
|
||||
echo " * Connecting with user selecting group2 by url..."
|
||||
(echo "${PASSWORD}" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT}/group2 -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b )
|
||||
|
||||
if test $? != 0;then
|
||||
echo "Could not connect to server"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
set -e
|
||||
${CMDNS1} ping -c 3 ${VPNADDR} >/dev/null 2>&1
|
||||
|
||||
${CMDNS1} ping -6 -c 3 ${VPNADDR6} >/dev/null 2>&1
|
||||
set +e
|
||||
|
||||
${OCCTL} -s ${OCCTL_SOCKET} show users|grep ${USERNAME}
|
||||
if test $? != 0;then
|
||||
echo "occtl didn't find connected user!"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME} >${OUTFILE}
|
||||
if test $? != 0;then
|
||||
${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME}
|
||||
echo "occtl didn't find connected user!"
|
||||
exit 1
|
||||
fi
|
||||
cat $OUTFILE
|
||||
|
||||
grep "DNS: 1\.1\.1\.1" ${OUTFILE} >/dev/null
|
||||
if test $? != 0;then
|
||||
${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME}
|
||||
echo "occtl show user didn't the right DNS address!"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
grep "1\.1\.1\.0/255\.255\.255\.0" ${OUTFILE}|grep Routes >/dev/null
|
||||
if test $? != 0;then
|
||||
cat $OUTFILE
|
||||
${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME}
|
||||
echo "occtl show user didn't the right routes!"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
|
||||
grep ${CLI_ADDRESS} ${OUTFILE}
|
||||
if test $? != 0;then
|
||||
${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME}
|
||||
echo "occtl show user didn't find client address!"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
exit 0
|
Loading…
Reference in New Issue
Block a user