mirror of
https://gitlab.com/openconnect/ocserv.git
synced 2024-09-21 10:27:19 +00:00
Allow selecting group by URL or profile
This introduces the 'select-group-by-url' config option that allows selecting an authgroup just by connecting to a dedicated URI. Signed-off-by: Marcin Ochab <marcin.ochab@gmail.com> Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
This commit is contained in:
parent
72b8e19cac
commit
3f966ae8ca
3
NEWS
3
NEWS
@ -1,5 +1,8 @@
|
|||||||
* Version 1.2.5 (unreleased)
|
* Version 1.2.5 (unreleased)
|
||||||
- Bump the number of groups per account from 128 to 512 (#219)
|
- Bump the number of groups per account from 128 to 512 (#219)
|
||||||
|
- Allow connecting users to select an authgroup by appending the
|
||||||
|
group name to the URL, as in https://vpn.example.com/groupname;
|
||||||
|
this introduces the select-group-by-url config option.
|
||||||
|
|
||||||
|
|
||||||
* Version 1.2.4 (released 2024-01-22)
|
* Version 1.2.4 (released 2024-01-22)
|
||||||
|
@ -589,11 +589,22 @@ no-route = 192.168.5.0/255.255.255.0
|
|||||||
# Groups that a client is allowed to select from.
|
# Groups that a client is allowed to select from.
|
||||||
# A client may belong in multiple groups, and in certain use-cases
|
# A client may belong in multiple groups, and in certain use-cases
|
||||||
# it is needed to switch between them. For these cases the client can
|
# it is needed to switch between them. For these cases the client can
|
||||||
# select prior to authentication. Add multiple entries for multiple groups.
|
# select
|
||||||
|
# 1. during authentication via a dropdown menu
|
||||||
|
# 2. by connecting to a url like vpn.example.com/group_name
|
||||||
|
# (when select-group-by-url is true)
|
||||||
|
#
|
||||||
|
# Add multiple entries for multiple groups. Note that the
|
||||||
|
# groups are global and cannot be overridden per vhost.
|
||||||
# The group may be followed by a user-friendly name in brackets.
|
# The group may be followed by a user-friendly name in brackets.
|
||||||
#select-group = group1
|
#select-group = group1
|
||||||
#select-group = group2[My special group]
|
#select-group = group2[My special group]
|
||||||
|
|
||||||
|
# Allow easy selection of the authgroup by the user by enabling
|
||||||
|
# a URL such as vpn.example.com/group_name that the user can
|
||||||
|
# connect, that will not prompt for the group. Default is disabled.
|
||||||
|
#select-group-by-url = false
|
||||||
|
|
||||||
# The name of the (virtual) group that if selected it would assign the user
|
# The name of the (virtual) group that if selected it would assign the user
|
||||||
# to its default group.
|
# to its default group.
|
||||||
#default-select-group = DEFAULT
|
#default-select-group = DEFAULT
|
||||||
@ -668,6 +679,7 @@ no-route = 192.168.5.0/255.255.255.0
|
|||||||
# <HostEntry>
|
# <HostEntry>
|
||||||
# <HostName>VPN Server name</HostName>
|
# <HostName>VPN Server name</HostName>
|
||||||
# <HostAddress>localhost</HostAddress>
|
# <HostAddress>localhost</HostAddress>
|
||||||
|
# <UserGroup>group_name</UserGroup>
|
||||||
# </HostEntry>
|
# </HostEntry>
|
||||||
# </ServerList>
|
# </ServerList>
|
||||||
# </AnyConnectProfile>
|
# </AnyConnectProfile>
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
/*
|
/*
|
||||||
* Copyright (C) 2013-2018 Nikos Mavrogiannopoulos
|
* Copyright (C) 2013-2023 Nikos Mavrogiannopoulos
|
||||||
* Copyright (C) 2014, 2015 Red Hat, Inc.
|
* Copyright (C) 2014, 2015 Red Hat, Inc.
|
||||||
*
|
*
|
||||||
* This program is free software; you can redistribute it and/or modify
|
* This program is free software; you can redistribute it and/or modify
|
||||||
@ -1099,6 +1099,8 @@ static int cfg_ini_handler(void *_ctx, const char *section, const char *name, co
|
|||||||
READ_MULTI_LINE(config->network.no_routes, config->network.no_routes_size);
|
READ_MULTI_LINE(config->network.no_routes, config->network.no_routes_size);
|
||||||
} else if (strcmp(name, "default-select-group") == 0) {
|
} else if (strcmp(name, "default-select-group") == 0) {
|
||||||
READ_STRING(config->default_select_group);
|
READ_STRING(config->default_select_group);
|
||||||
|
} else if (strcmp(name, "select-group-by-url") == 0) {
|
||||||
|
READ_TF(config->select_group_by_url);
|
||||||
} else if (strcmp(name, "auto-select-group") == 0) {
|
} else if (strcmp(name, "auto-select-group") == 0) {
|
||||||
READ_TF(vhost->auto_select_group);
|
READ_TF(vhost->auto_select_group);
|
||||||
} else if (strcmp(name, "select-group") == 0) {
|
} else if (strcmp(name, "select-group") == 0) {
|
||||||
@ -1528,6 +1530,11 @@ static void check_cfg(vhost_cfg_st *vhost, vhost_cfg_st *defvhost, unsigned sile
|
|||||||
fprintf(stderr, NOTESTR"%sthe cisco-client-compat option implies dtls-legacy = true; enabling\n", PREFIX_VHOST(vhost));
|
fprintf(stderr, NOTESTR"%sthe cisco-client-compat option implies dtls-legacy = true; enabling\n", PREFIX_VHOST(vhost));
|
||||||
}
|
}
|
||||||
config->dtls_legacy = 1;
|
config->dtls_legacy = 1;
|
||||||
|
|
||||||
|
if (!config->select_group_by_url && !silent) {
|
||||||
|
fprintf(stderr, NOTESTR"%sthe cisco-client-compat option implies select-group-by-url = true; enabling\n", PREFIX_VHOST(vhost));
|
||||||
|
}
|
||||||
|
config->select_group_by_url = 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (config->match_dtls_and_tls) {
|
if (config->match_dtls_and_tls) {
|
||||||
|
@ -251,6 +251,7 @@ struct cfg_st {
|
|||||||
|
|
||||||
char **friendly_group_list; /* the same size as group_list_size */
|
char **friendly_group_list; /* the same size as group_list_size */
|
||||||
|
|
||||||
|
unsigned select_group_by_url;
|
||||||
char *default_select_group;
|
char *default_select_group;
|
||||||
|
|
||||||
char **custom_header;
|
char **custom_header;
|
||||||
|
@ -362,7 +362,8 @@ int get_auth_handler2(worker_st * ws, unsigned http_ver, const char *pmsg, unsig
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if (WSCONFIG(ws)->default_select_group) {
|
/* we send a list of possible groups only if user is not forcing group e.g. by url to disable dialog on client side */
|
||||||
|
if (ws->groupname[0] == 0 && WSCONFIG(ws)->default_select_group) {
|
||||||
ret = str_append_printf(&str, "<option>%s</option>\n", WSCONFIG(ws)->default_select_group);
|
ret = str_append_printf(&str, "<option>%s</option>\n", WSCONFIG(ws)->default_select_group);
|
||||||
if (ret < 0) {
|
if (ret < 0) {
|
||||||
ret = -1;
|
ret = -1;
|
||||||
@ -397,15 +398,17 @@ int get_auth_handler2(worker_st * ws, unsigned http_ver, const char *pmsg, unsig
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* we send a list of possible groups only if user is not forcing group e.g. by url to disable dialog on client side */
|
||||||
|
if (ws->groupname[0] == 0) {
|
||||||
|
for (i=0;i<WSCONFIG(ws)->group_list_size;i++) {
|
||||||
|
if (ws->groupname[0] != 0 && strcmp(ws->groupname, WSCONFIG(ws)->group_list[i]) == 0)
|
||||||
|
continue;
|
||||||
|
|
||||||
for (i=0;i<WSCONFIG(ws)->group_list_size;i++) {
|
ret = append_group_idx(ws, &str, i);
|
||||||
if (ws->groupname[0] != 0 && strcmp(ws->groupname, WSCONFIG(ws)->group_list[i]) == 0)
|
if (ret < 0) {
|
||||||
continue;
|
ret = -1;
|
||||||
|
goto cleanup;
|
||||||
ret = append_group_idx(ws, &str, i);
|
}
|
||||||
if (ret < 0) {
|
|
||||||
ret = -1;
|
|
||||||
goto cleanup;
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
ret = str_append_str(&str, "</select>\n");
|
ret = str_append_str(&str, "</select>\n");
|
||||||
@ -1467,15 +1470,26 @@ int post_auth_handler(worker_st * ws, unsigned http_ver)
|
|||||||
if (ws->auth_state == S_AUTH_INACTIVE) {
|
if (ws->auth_state == S_AUTH_INACTIVE) {
|
||||||
SecAuthInitMsg ireq = SEC_AUTH_INIT_MSG__INIT;
|
SecAuthInitMsg ireq = SEC_AUTH_INIT_MSG__INIT;
|
||||||
|
|
||||||
ret = parse_reply(ws, req->body, req->body_length,
|
/* If the URL is not a known one and more than a character, we parse it as a group indicator */
|
||||||
GROUPNAME_FIELD, sizeof(GROUPNAME_FIELD)-1,
|
if (WSCONFIG(ws)->select_group_by_url != 0 &&
|
||||||
GROUPNAME_FIELD_XML, sizeof(GROUPNAME_FIELD_XML)-1,
|
http_post_known_service_check(ws, req->url) == NULL && strlen(req->url) > 1) {
|
||||||
&groupname);
|
groupname = talloc_strdup(ws->req.body, req->url+1);
|
||||||
|
ret = 0;
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
if (ret < 0) {
|
if (ret < 0) {
|
||||||
ret = parse_reply(ws, req->body, req->body_length,
|
ret = parse_reply(ws, req->body, req->body_length,
|
||||||
GROUPNAME_FIELD2, sizeof(GROUPNAME_FIELD2)-1,
|
GROUPNAME_FIELD, sizeof(GROUPNAME_FIELD)-1,
|
||||||
GROUPNAME_FIELD_XML, sizeof(GROUPNAME_FIELD_XML)-1,
|
GROUPNAME_FIELD_XML, sizeof(GROUPNAME_FIELD_XML)-1,
|
||||||
&groupname);
|
&groupname);
|
||||||
|
|
||||||
|
if (ret < 0) {
|
||||||
|
ret = parse_reply(ws, req->body, req->body_length,
|
||||||
|
GROUPNAME_FIELD2, sizeof(GROUPNAME_FIELD2)-1,
|
||||||
|
GROUPNAME_FIELD_XML, sizeof(GROUPNAME_FIELD_XML)-1,
|
||||||
|
&groupname);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if (ret < 0) {
|
if (ret < 0) {
|
||||||
|
@ -726,7 +726,7 @@ url_handler_fn http_get_url_handler(const char *url)
|
|||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
url_handler_fn http_post_url_handler(struct worker_st *ws, const char *url)
|
url_handler_fn http_post_known_service_check(struct worker_st *ws, const char *url)
|
||||||
{
|
{
|
||||||
const struct known_urls_st *p;
|
const struct known_urls_st *p;
|
||||||
unsigned len = strlen(url);
|
unsigned len = strlen(url);
|
||||||
@ -751,6 +751,18 @@ url_handler_fn http_post_url_handler(struct worker_st *ws, const char *url)
|
|||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
url_handler_fn http_post_url_handler(struct worker_st *ws, const char *url)
|
||||||
|
{
|
||||||
|
url_handler_fn h;
|
||||||
|
|
||||||
|
h = http_post_known_service_check(ws, url);
|
||||||
|
if (h == NULL && ws->auth_state == S_AUTH_INACTIVE) {
|
||||||
|
return post_auth_handler;
|
||||||
|
}
|
||||||
|
|
||||||
|
return h;
|
||||||
|
}
|
||||||
|
|
||||||
int http_url_cb(http_parser * parser, const char *at, size_t length)
|
int http_url_cb(http_parser * parser, const char *at, size_t length)
|
||||||
{
|
{
|
||||||
struct worker_st *ws = parser->data;
|
struct worker_st *ws = parser->data;
|
||||||
|
@ -379,6 +379,7 @@ unsigned valid_hostname(const char *host);
|
|||||||
|
|
||||||
url_handler_fn http_get_url_handler(const char *url);
|
url_handler_fn http_get_url_handler(const char *url);
|
||||||
url_handler_fn http_post_url_handler(worker_st * ws, const char *url);
|
url_handler_fn http_post_url_handler(worker_st * ws, const char *url);
|
||||||
|
url_handler_fn http_post_known_service_check(worker_st * ws, const char *url);
|
||||||
|
|
||||||
int complete_vpn_info(worker_st * ws,
|
int complete_vpn_info(worker_st * ws,
|
||||||
struct vpn_st* vinfo);
|
struct vpn_st* vinfo);
|
||||||
|
@ -29,7 +29,8 @@ EXTRA_DIST = certs/ca-key.pem certs/ca.pem ns.sh common.sh certs/server-cert.pem
|
|||||||
data/haproxy-connect.cfg data/test-haproxy-connect.config scripts/vpnc-script \
|
data/haproxy-connect.cfg data/test-haproxy-connect.config scripts/vpnc-script \
|
||||||
data/test-traffic.config data/test-compression-lzs.config data/test-compression-lz4.config \
|
data/test-traffic.config data/test-compression-lzs.config data/test-compression-lz4.config \
|
||||||
certs/crl.pem server-cert-rsa-pss data/test-gssapi-opt-cert.config data/test-ciphers.config \
|
certs/crl.pem server-cert-rsa-pss data/test-gssapi-opt-cert.config data/test-ciphers.config \
|
||||||
cipher-common.sh data/config-per-group.config data/group-config/tost \
|
cipher-common.sh data/config-per-group.config data/config-per-group-url-cert.config \
|
||||||
|
data/config-per-group-url-pass.config data/group-config/tost \
|
||||||
data/raddb/access_reject data/raddb/accounting_response data/raddb/access_challenge data/raddb/acct_users \
|
data/raddb/access_reject data/raddb/accounting_response data/raddb/access_challenge data/raddb/acct_users \
|
||||||
data/raddb/clients.conf data/raddb/radiusd.conf.in data/raddb/users \
|
data/raddb/clients.conf data/raddb/radiusd.conf.in data/raddb/users \
|
||||||
data/radiusclient/dictionary data/radiusclient/radiusclient.conf \
|
data/radiusclient/dictionary data/radiusclient/radiusclient.conf \
|
||||||
@ -40,7 +41,7 @@ EXTRA_DIST = certs/ca-key.pem certs/ca.pem ns.sh common.sh certs/server-cert.pem
|
|||||||
connect-ios-script data/apple-ios.config certs/kerberos-cert.pem \
|
connect-ios-script data/apple-ios.config certs/kerberos-cert.pem \
|
||||||
data/kdc.conf data/krb5.conf data/k5.KERBEROS.TEST data/kadm5.acl \
|
data/kdc.conf data/krb5.conf data/k5.KERBEROS.TEST data/kadm5.acl \
|
||||||
data/ipv6-iface.config data/no-route-default.config data/no-route-group.config \
|
data/ipv6-iface.config data/no-route-default.config data/no-route-group.config \
|
||||||
data/group-config/group1 data/test-namespace-listen.config data/disconnect-user.config \
|
data/group-config/group1 data/group-config/group2 data/test-namespace-listen.config data/disconnect-user.config \
|
||||||
data/disconnect-user2.config data/ping-leases.config data/haproxy-proxyproto.config \
|
data/disconnect-user2.config data/ping-leases.config data/haproxy-proxyproto.config \
|
||||||
data/haproxy-proxyproto.cfg scripts/proxy-connectscript data/haproxy-proxyproto-v1.config \
|
data/haproxy-proxyproto.cfg scripts/proxy-connectscript data/haproxy-proxyproto-v1.config \
|
||||||
data/haproxy-proxyproto-v1.cfg scripts/proxy-connectscript-v1 data/test-multiple-client-ip.config \
|
data/haproxy-proxyproto-v1.cfg scripts/proxy-connectscript-v1 data/test-multiple-client-ip.config \
|
||||||
@ -76,7 +77,9 @@ endif
|
|||||||
dist_check_SCRIPTS += traffic lz4-compression lzs-compression \
|
dist_check_SCRIPTS += traffic lz4-compression lzs-compression \
|
||||||
aes256-cipher aes128-cipher oc-aes256-gcm-cipher oc-aes128-gcm-cipher \
|
aes256-cipher aes128-cipher oc-aes256-gcm-cipher oc-aes128-gcm-cipher \
|
||||||
test-config-per-group ac-aes128-gcm-cipher ac-aes256-gcm-cipher \
|
test-config-per-group ac-aes128-gcm-cipher ac-aes256-gcm-cipher \
|
||||||
no-dtls-cipher psk-negotiate psk-negotiate-match test-multiple-client-ip
|
no-dtls-cipher psk-negotiate psk-negotiate-match test-multiple-client-ip \
|
||||||
|
test-config-per-group-url-pass test-config-per-group-url-cert
|
||||||
|
|
||||||
if RADIUS_ENABLED
|
if RADIUS_ENABLED
|
||||||
dist_check_SCRIPTS += radius
|
dist_check_SCRIPTS += radius
|
||||||
endif
|
endif
|
||||||
|
180
tests/data/config-per-group-url-cert.config
Normal file
180
tests/data/config-per-group-url-cert.config
Normal file
@ -0,0 +1,180 @@
|
|||||||
|
# User authentication method. Could be set multiple times and in that case
|
||||||
|
# all should succeed.
|
||||||
|
# Options: certificate, pam.
|
||||||
|
auth = "certificate"
|
||||||
|
#auth = "plain[@SRCDIR@/data/test1.passwd]"
|
||||||
|
#auth = "pam"
|
||||||
|
|
||||||
|
select-group = group1
|
||||||
|
select-group = group2
|
||||||
|
select-group-by-url = true
|
||||||
|
|
||||||
|
isolate-workers = false
|
||||||
|
max-ban-score = 0
|
||||||
|
|
||||||
|
# A banner to be displayed on clients
|
||||||
|
#banner = "Welcome"
|
||||||
|
|
||||||
|
# Use listen-host to limit to specific IPs or to the IPs of a provided hostname.
|
||||||
|
#listen-host = @ADDRESS@
|
||||||
|
|
||||||
|
# Limit the number of clients. Unset or set to zero for unlimited.
|
||||||
|
#max-clients = 1024
|
||||||
|
max-clients = 16
|
||||||
|
|
||||||
|
# Limit the number of client connections to one every X milliseconds
|
||||||
|
# (X is the provided value). Set to zero for no limit.
|
||||||
|
#rate-limit-ms = 100
|
||||||
|
|
||||||
|
# Limit the number of identical clients (i.e., users connecting multiple times)
|
||||||
|
# Unset or set to zero for unlimited.
|
||||||
|
max-same-clients = 2
|
||||||
|
|
||||||
|
# TCP and UDP port number
|
||||||
|
tcp-port = @PORT@
|
||||||
|
udp-port = @PORT@
|
||||||
|
|
||||||
|
# Keepalive in seconds
|
||||||
|
keepalive = 32400
|
||||||
|
|
||||||
|
# Dead peer detection in seconds
|
||||||
|
dpd = 440
|
||||||
|
|
||||||
|
# MTU discovery (DPD must be enabled)
|
||||||
|
try-mtu-discovery = false
|
||||||
|
|
||||||
|
# The key and the certificates of the server
|
||||||
|
# The key may be a file, or any URL supported by GnuTLS (e.g.,
|
||||||
|
# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
|
||||||
|
# or pkcs11:object=my-vpn-key;object-type=private)
|
||||||
|
#
|
||||||
|
# There may be multiple certificate and key pairs and each key
|
||||||
|
# should correspond to the preceding certificate.
|
||||||
|
server-cert = @SRCDIR@/certs/server-cert.pem
|
||||||
|
server-key = @SRCDIR@/certs/server-key.pem
|
||||||
|
|
||||||
|
# Diffie-Hellman parameters. Only needed if you require support
|
||||||
|
# for the DHE ciphersuites (by default this server supports ECDHE).
|
||||||
|
# Can be generated using:
|
||||||
|
# certtool --generate-dh-params --outfile /path/to/dh.pem
|
||||||
|
#dh-params = /path/to/dh.pem
|
||||||
|
|
||||||
|
# If you have a certificate from a CA that provides an OCSP
|
||||||
|
# service you may provide a fresh OCSP status response within
|
||||||
|
# the TLS handshake. That will prevent the client from connecting
|
||||||
|
# independently on the OCSP server.
|
||||||
|
# You can update this response periodically using:
|
||||||
|
# ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response
|
||||||
|
# Make sure that you replace the following file in an atomic way.
|
||||||
|
#ocsp-response = /path/to/ocsp.der
|
||||||
|
|
||||||
|
# In case PKCS #11 or TPM keys are used the PINs should be available
|
||||||
|
# in files. The srk-pin-file is applicable to TPM keys only (It's the storage
|
||||||
|
# root key).
|
||||||
|
#pin-file = /path/to/pin.txt
|
||||||
|
#srk-pin-file = /path/to/srkpin.txt
|
||||||
|
|
||||||
|
# The Certificate Authority that will be used
|
||||||
|
# to verify clients if certificate authentication
|
||||||
|
# is set.
|
||||||
|
ca-cert = @SRCDIR@/certs/ca.pem
|
||||||
|
|
||||||
|
# The object identifier that will be used to read the user ID in the client certificate.
|
||||||
|
# The object identifier should be part of the certificate's DN
|
||||||
|
# Useful OIDs are:
|
||||||
|
# CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1
|
||||||
|
cert-user-oid = 0.9.2342.19200300.100.1.1
|
||||||
|
|
||||||
|
# The object identifier that will be used to read the user group in the client
|
||||||
|
# certificate. The object identifier should be part of the certificate's DN
|
||||||
|
# Useful OIDs are:
|
||||||
|
# OU (organizational unit) = 2.5.4.11
|
||||||
|
cert-group-oid = 2.5.4.11
|
||||||
|
|
||||||
|
# A revocation list of ca-cert is set
|
||||||
|
#crl = /path/to/crl.pem
|
||||||
|
|
||||||
|
# GnuTLS priority string
|
||||||
|
tls-priorities = "PERFORMANCE:%SERVER_PRECEDENCE:%COMPAT"
|
||||||
|
|
||||||
|
# To enforce perfect forward secrecy (PFS) on the main channel.
|
||||||
|
#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA"
|
||||||
|
|
||||||
|
# The time (in seconds) that a client is allowed to stay connected prior
|
||||||
|
# to authentication
|
||||||
|
auth-timeout = 40
|
||||||
|
|
||||||
|
# The time (in seconds) that a client is not allowed to reconnect after
|
||||||
|
# a failed authentication attempt.
|
||||||
|
#min-reauth-time = 2
|
||||||
|
|
||||||
|
# Script to call when a client connects and obtains an IP
|
||||||
|
# Parameters are passed on the environment.
|
||||||
|
# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client),
|
||||||
|
# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
|
||||||
|
# in the P-t-P connection), IP_REMOTE (the VPN IP of the client). REASON
|
||||||
|
# may be "connect" or "disconnect".
|
||||||
|
#connect-script = /usr/bin/myscript
|
||||||
|
#disconnect-script = /usr/bin/myscript
|
||||||
|
|
||||||
|
# UTMP
|
||||||
|
#use-utmp = true
|
||||||
|
use-occtl = true
|
||||||
|
|
||||||
|
# The default server directory. Does not require any devices present.
|
||||||
|
#chroot-dir = /path/to/chroot
|
||||||
|
|
||||||
|
socket-file = ./ocserv-socket
|
||||||
|
|
||||||
|
occtl-socket-file = @OCCTL_SOCKET@
|
||||||
|
|
||||||
|
# The user the worker processes will be run as. It should be
|
||||||
|
# unique (no other services run as this user).
|
||||||
|
run-as-user = @USERNAME@
|
||||||
|
run-as-group = @GROUP@
|
||||||
|
|
||||||
|
# Network settings
|
||||||
|
|
||||||
|
device = vpns
|
||||||
|
|
||||||
|
# The default domain to be advertised
|
||||||
|
default-domain = example.com
|
||||||
|
|
||||||
|
ipv4-network = @VPNNET@
|
||||||
|
|
||||||
|
ipv6-network = @VPNNET6@
|
||||||
|
|
||||||
|
# Use the keyword local to advertise the local P-t-P address as DNS server
|
||||||
|
ipv4-dns = 192.168.1.1
|
||||||
|
|
||||||
|
# The NBNS server (if any)
|
||||||
|
#ipv4-nbns = 192.168.2.3
|
||||||
|
|
||||||
|
# Prior to leasing any IP from the pool ping it to verify that
|
||||||
|
# it is not in use by another (unrelated to this server) host.
|
||||||
|
ping-leases = false
|
||||||
|
|
||||||
|
# Leave empty to assign the default MTU of the device
|
||||||
|
# mtu =
|
||||||
|
|
||||||
|
route = @ROUTE1@
|
||||||
|
#route = 192.168.5.0/255.255.255.0
|
||||||
|
|
||||||
|
#
|
||||||
|
# The following options are for (experimental) AnyConnect client
|
||||||
|
# compatibility. They are only available if the server is built
|
||||||
|
# with --enable-anyconnect
|
||||||
|
#
|
||||||
|
|
||||||
|
# Client profile xml. A sample file exists in doc/profile.xml.
|
||||||
|
# This file must be accessible from inside the worker's chroot.
|
||||||
|
# The profile is ignored by the openconnect client.
|
||||||
|
#user-profile = profile.xml
|
||||||
|
|
||||||
|
# Unless set to false it is required for clients to present their
|
||||||
|
# certificate even if they are authenticating via a previously granted
|
||||||
|
# cookie. Legacy CISCO clients do not do that, and thus this option
|
||||||
|
# should be set for them.
|
||||||
|
cisco-client-compat = true
|
||||||
|
|
||||||
|
config-per-group = @SRCDIR@/data/group-config/
|
180
tests/data/config-per-group-url-pass.config
Normal file
180
tests/data/config-per-group-url-pass.config
Normal file
@ -0,0 +1,180 @@
|
|||||||
|
# User authentication method. Could be set multiple times and in that case
|
||||||
|
# all should succeed.
|
||||||
|
# Options: certificate, pam.
|
||||||
|
#auth = "certificate"
|
||||||
|
auth = "plain[@SRCDIR@/data/test1.passwd]"
|
||||||
|
#auth = "pam"
|
||||||
|
|
||||||
|
select-group = group1
|
||||||
|
select-group = group2
|
||||||
|
select-group-by-url = true
|
||||||
|
|
||||||
|
isolate-workers = false
|
||||||
|
max-ban-score = 0
|
||||||
|
|
||||||
|
# A banner to be displayed on clients
|
||||||
|
#banner = "Welcome"
|
||||||
|
|
||||||
|
# Use listen-host to limit to specific IPs or to the IPs of a provided hostname.
|
||||||
|
#listen-host = @ADDRESS@
|
||||||
|
|
||||||
|
# Limit the number of clients. Unset or set to zero for unlimited.
|
||||||
|
#max-clients = 1024
|
||||||
|
max-clients = 16
|
||||||
|
|
||||||
|
# Limit the number of client connections to one every X milliseconds
|
||||||
|
# (X is the provided value). Set to zero for no limit.
|
||||||
|
#rate-limit-ms = 100
|
||||||
|
|
||||||
|
# Limit the number of identical clients (i.e., users connecting multiple times)
|
||||||
|
# Unset or set to zero for unlimited.
|
||||||
|
max-same-clients = 2
|
||||||
|
|
||||||
|
# TCP and UDP port number
|
||||||
|
tcp-port = @PORT@
|
||||||
|
udp-port = @PORT@
|
||||||
|
|
||||||
|
# Keepalive in seconds
|
||||||
|
keepalive = 32400
|
||||||
|
|
||||||
|
# Dead peer detection in seconds
|
||||||
|
dpd = 440
|
||||||
|
|
||||||
|
# MTU discovery (DPD must be enabled)
|
||||||
|
try-mtu-discovery = false
|
||||||
|
|
||||||
|
# The key and the certificates of the server
|
||||||
|
# The key may be a file, or any URL supported by GnuTLS (e.g.,
|
||||||
|
# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
|
||||||
|
# or pkcs11:object=my-vpn-key;object-type=private)
|
||||||
|
#
|
||||||
|
# There may be multiple certificate and key pairs and each key
|
||||||
|
# should correspond to the preceding certificate.
|
||||||
|
server-cert = @SRCDIR@/certs/server-cert.pem
|
||||||
|
server-key = @SRCDIR@/certs/server-key.pem
|
||||||
|
|
||||||
|
# Diffie-Hellman parameters. Only needed if you require support
|
||||||
|
# for the DHE ciphersuites (by default this server supports ECDHE).
|
||||||
|
# Can be generated using:
|
||||||
|
# certtool --generate-dh-params --outfile /path/to/dh.pem
|
||||||
|
#dh-params = /path/to/dh.pem
|
||||||
|
|
||||||
|
# If you have a certificate from a CA that provides an OCSP
|
||||||
|
# service you may provide a fresh OCSP status response within
|
||||||
|
# the TLS handshake. That will prevent the client from connecting
|
||||||
|
# independently on the OCSP server.
|
||||||
|
# You can update this response periodically using:
|
||||||
|
# ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response
|
||||||
|
# Make sure that you replace the following file in an atomic way.
|
||||||
|
#ocsp-response = /path/to/ocsp.der
|
||||||
|
|
||||||
|
# In case PKCS #11 or TPM keys are used the PINs should be available
|
||||||
|
# in files. The srk-pin-file is applicable to TPM keys only (It's the storage
|
||||||
|
# root key).
|
||||||
|
#pin-file = /path/to/pin.txt
|
||||||
|
#srk-pin-file = /path/to/srkpin.txt
|
||||||
|
|
||||||
|
# The Certificate Authority that will be used
|
||||||
|
# to verify clients if certificate authentication
|
||||||
|
# is set.
|
||||||
|
ca-cert = @SRCDIR@/certs/ca.pem
|
||||||
|
|
||||||
|
# The object identifier that will be used to read the user ID in the client certificate.
|
||||||
|
# The object identifier should be part of the certificate's DN
|
||||||
|
# Useful OIDs are:
|
||||||
|
# CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1
|
||||||
|
cert-user-oid = 0.9.2342.19200300.100.1.1
|
||||||
|
|
||||||
|
# The object identifier that will be used to read the user group in the client
|
||||||
|
# certificate. The object identifier should be part of the certificate's DN
|
||||||
|
# Useful OIDs are:
|
||||||
|
# OU (organizational unit) = 2.5.4.11
|
||||||
|
cert-group-oid = 2.5.4.11
|
||||||
|
|
||||||
|
# A revocation list of ca-cert is set
|
||||||
|
#crl = /path/to/crl.pem
|
||||||
|
|
||||||
|
# GnuTLS priority string
|
||||||
|
tls-priorities = "PERFORMANCE:%SERVER_PRECEDENCE:%COMPAT"
|
||||||
|
|
||||||
|
# To enforce perfect forward secrecy (PFS) on the main channel.
|
||||||
|
#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA"
|
||||||
|
|
||||||
|
# The time (in seconds) that a client is allowed to stay connected prior
|
||||||
|
# to authentication
|
||||||
|
auth-timeout = 40
|
||||||
|
|
||||||
|
# The time (in seconds) that a client is not allowed to reconnect after
|
||||||
|
# a failed authentication attempt.
|
||||||
|
#min-reauth-time = 2
|
||||||
|
|
||||||
|
# Script to call when a client connects and obtains an IP
|
||||||
|
# Parameters are passed on the environment.
|
||||||
|
# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client),
|
||||||
|
# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
|
||||||
|
# in the P-t-P connection), IP_REMOTE (the VPN IP of the client). REASON
|
||||||
|
# may be "connect" or "disconnect".
|
||||||
|
#connect-script = /usr/bin/myscript
|
||||||
|
#disconnect-script = /usr/bin/myscript
|
||||||
|
|
||||||
|
# UTMP
|
||||||
|
#use-utmp = true
|
||||||
|
use-occtl = true
|
||||||
|
|
||||||
|
# The default server directory. Does not require any devices present.
|
||||||
|
#chroot-dir = /path/to/chroot
|
||||||
|
|
||||||
|
socket-file = ./ocserv-socket
|
||||||
|
|
||||||
|
occtl-socket-file = @OCCTL_SOCKET@
|
||||||
|
|
||||||
|
# The user the worker processes will be run as. It should be
|
||||||
|
# unique (no other services run as this user).
|
||||||
|
run-as-user = @USERNAME@
|
||||||
|
run-as-group = @GROUP@
|
||||||
|
|
||||||
|
# Network settings
|
||||||
|
|
||||||
|
device = vpns
|
||||||
|
|
||||||
|
# The default domain to be advertised
|
||||||
|
default-domain = example.com
|
||||||
|
|
||||||
|
ipv4-network = @VPNNET@
|
||||||
|
|
||||||
|
ipv6-network = @VPNNET6@
|
||||||
|
|
||||||
|
# Use the keyword local to advertise the local P-t-P address as DNS server
|
||||||
|
ipv4-dns = 192.168.1.1
|
||||||
|
|
||||||
|
# The NBNS server (if any)
|
||||||
|
#ipv4-nbns = 192.168.2.3
|
||||||
|
|
||||||
|
# Prior to leasing any IP from the pool ping it to verify that
|
||||||
|
# it is not in use by another (unrelated to this server) host.
|
||||||
|
ping-leases = false
|
||||||
|
|
||||||
|
# Leave empty to assign the default MTU of the device
|
||||||
|
# mtu =
|
||||||
|
|
||||||
|
route = @ROUTE1@
|
||||||
|
#route = 192.168.5.0/255.255.255.0
|
||||||
|
|
||||||
|
#
|
||||||
|
# The following options are for (experimental) AnyConnect client
|
||||||
|
# compatibility. They are only available if the server is built
|
||||||
|
# with --enable-anyconnect
|
||||||
|
#
|
||||||
|
|
||||||
|
# Client profile xml. A sample file exists in doc/profile.xml.
|
||||||
|
# This file must be accessible from inside the worker's chroot.
|
||||||
|
# The profile is ignored by the openconnect client.
|
||||||
|
#user-profile = profile.xml
|
||||||
|
|
||||||
|
# Unless set to false it is required for clients to present their
|
||||||
|
# certificate even if they are authenticating via a previously granted
|
||||||
|
# cookie. Legacy CISCO clients do not do that, and thus this option
|
||||||
|
# should be set for them.
|
||||||
|
cisco-client-compat = true
|
||||||
|
|
||||||
|
config-per-group = @SRCDIR@/data/group-config/
|
2
tests/data/group-config/group2
Normal file
2
tests/data/group-config/group2
Normal file
@ -0,0 +1,2 @@
|
|||||||
|
route = 1.1.1.0/24
|
||||||
|
ipv4-dns = 1.1.1.1
|
197
tests/test-config-per-group-url-cert
Executable file
197
tests/test-config-per-group-url-cert
Executable file
@ -0,0 +1,197 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
#
|
||||||
|
# Copyright (C) 2018 Nikos Mavrogiannopoulos and Marcin Ochab
|
||||||
|
#
|
||||||
|
# This file is part of ocserv.
|
||||||
|
#
|
||||||
|
# ocserv is free software; you can redistribute it and/or modify it
|
||||||
|
# under the terms of the GNU General Public License as published by the
|
||||||
|
# Free Software Foundation; either version 2 of the License, or (at
|
||||||
|
# your option) any later version.
|
||||||
|
#
|
||||||
|
# ocserv is distributed in the hope that it will be useful, but
|
||||||
|
# WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||||
|
# General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public License
|
||||||
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
#
|
||||||
|
|
||||||
|
# This tests whether connecting to the VPN via a group on the URL works
|
||||||
|
|
||||||
|
OCCTL="${OCCTL:-../src/occtl/occtl}"
|
||||||
|
SERV="${SERV:-../src/ocserv}"
|
||||||
|
srcdir=${srcdir:-.}
|
||||||
|
PIDFILE=ocserv-pid.$$.tmp
|
||||||
|
CLIPID=oc-pid.$$.tmp
|
||||||
|
PATH=${PATH}:/usr/sbin
|
||||||
|
IP=$(which ip)
|
||||||
|
OUTFILE=traffic.$$.tmp
|
||||||
|
|
||||||
|
. `dirname $0`/common.sh
|
||||||
|
|
||||||
|
eval "${GETPORT}"
|
||||||
|
|
||||||
|
if test -z "${IP}";then
|
||||||
|
echo "no IP tool is present"
|
||||||
|
exit 77
|
||||||
|
fi
|
||||||
|
|
||||||
|
if test "$(id -u)" != "0";then
|
||||||
|
echo "This test must be run as root"
|
||||||
|
exit 77
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo "Testing ocserv connection via haproxy... "
|
||||||
|
|
||||||
|
function finish {
|
||||||
|
set +e
|
||||||
|
echo " * Cleaning up..."
|
||||||
|
test -n "${PIDFILE}" && kill $(cat ${PIDFILE}) && rm -f ${PIDFILE} >/dev/null 2>&1
|
||||||
|
test -n "${CLIPID}" && kill $(cat ${CLIPID}) >/dev/null 2>&1
|
||||||
|
test -n "${CLIPID}" && rm -f ${CLIPID} >/dev/null 2>&1
|
||||||
|
test -n "${CONFIG}" && rm -f ${CONFIG} >/dev/null 2>&1
|
||||||
|
rm -f ${OUTFILE} 2>&1
|
||||||
|
}
|
||||||
|
trap finish EXIT
|
||||||
|
|
||||||
|
# server address
|
||||||
|
ADDRESS=10.204.3.1
|
||||||
|
CLI_ADDRESS=10.204.4.1
|
||||||
|
VPNNET=192.168.14.0/24
|
||||||
|
VPNADDR=192.168.14.1
|
||||||
|
VPNNET6=fd91:6d87:7344:dc6a:dc15::/112
|
||||||
|
VPNADDR6=fd91:6d87:7344:dc6a:dc15::1
|
||||||
|
OCCTL_SOCKET=./occtl-cpg-$$.socket
|
||||||
|
ROUTE1=192.168.14.0/24
|
||||||
|
USERNAME=test
|
||||||
|
PASSWORD=test
|
||||||
|
|
||||||
|
. `dirname $0`/ns.sh
|
||||||
|
|
||||||
|
# Run servers
|
||||||
|
update_config config-per-group-url-cert.config
|
||||||
|
if test "$VERBOSE" = 1;then
|
||||||
|
DEBUG="-d 6"
|
||||||
|
fi
|
||||||
|
|
||||||
|
${CMDNS2} ${SERV} -p ${PIDFILE} -f -c ${CONFIG} ${DEBUG} &
|
||||||
|
|
||||||
|
sleep 4
|
||||||
|
|
||||||
|
echo " * Connecting with user selecting group1 by url..."
|
||||||
|
( ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT}/group1 -u ${USERNAME} --sslkey ${srcdir}/certs/user-group-key.pem -c ${srcdir}/certs/user-group-cert.pem --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} -b )
|
||||||
|
if test $? != 0;then
|
||||||
|
echo "Could not connect to server"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo " * Pinging remote address..."
|
||||||
|
set -e
|
||||||
|
${CMDNS1} ping -c 3 ${VPNADDR} >/dev/null 2>&1
|
||||||
|
|
||||||
|
echo " * Pinging remote IPV6 address..."
|
||||||
|
${CMDNS1} ping -6 -c 3 ${VPNADDR6} >/dev/null 2>&1
|
||||||
|
set +e
|
||||||
|
|
||||||
|
echo " * Checking connected user in occtl output..."
|
||||||
|
${OCCTL} -s ${OCCTL_SOCKET} show users|grep ${USERNAME}
|
||||||
|
if test $? != 0;then
|
||||||
|
${OCCTL} -s ${OCCTL_SOCKET} show users|grep ${USERNAME}
|
||||||
|
echo "occtl didn't find connected user!"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME} >${OUTFILE}
|
||||||
|
if test $? != 0;then
|
||||||
|
${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME}
|
||||||
|
echo "occtl didn't find connected user!"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
cat $OUTFILE
|
||||||
|
|
||||||
|
echo " * Checking connected user settings in occtl output..."
|
||||||
|
grep "DNS: 1.1.1.1" ${OUTFILE} >/dev/null
|
||||||
|
if test $? = 0;then
|
||||||
|
cat $OUTFILE
|
||||||
|
${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME}
|
||||||
|
echo "occtl show user didn't the right DNS address!"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
grep "1.1.1.0/24" ${OUTFILE}|grep Routes >/dev/null
|
||||||
|
if test $? = 0;then
|
||||||
|
${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME}
|
||||||
|
echo "occtl show user didn't the right routes!"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
grep "No-routes: 192.168.98.0" ${OUTFILE} >/dev/null
|
||||||
|
if test $? != 0;then
|
||||||
|
cat $OUTFILE
|
||||||
|
${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME}
|
||||||
|
echo "occtl show user didn't the right No-routes!"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
test -n "${CLIPID}" && kill $(cat ${CLIPID}) >/dev/null 2>&1
|
||||||
|
sleep 2
|
||||||
|
|
||||||
|
echo " * Connecting with user selecting group2 by url..."
|
||||||
|
( ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT}/group2 -u ${USERNAME} --sslkey ${srcdir}/certs/user-group-key.pem -c ${srcdir}/certs/user-group-cert.pem --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} -b )
|
||||||
|
|
||||||
|
if test $? != 0;then
|
||||||
|
echo "Could not connect to server"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo " * Pinging remote address..."
|
||||||
|
set -e
|
||||||
|
${CMDNS1} ping -c 3 ${VPNADDR} >/dev/null 2>&1
|
||||||
|
|
||||||
|
echo " * Pinging remote IPV6 address..."
|
||||||
|
${CMDNS1} ping -6 -c 3 ${VPNADDR6} >/dev/null 2>&1
|
||||||
|
set +e
|
||||||
|
|
||||||
|
echo " * Checking connected user in occtl output..."
|
||||||
|
${OCCTL} -s ${OCCTL_SOCKET} show users|grep ${USERNAME}
|
||||||
|
if test $? != 0;then
|
||||||
|
echo "occtl didn't find connected user!"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo " * Checking connected user in occtl output..."
|
||||||
|
${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME} >${OUTFILE}
|
||||||
|
if test $? != 0;then
|
||||||
|
${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME}
|
||||||
|
echo "occtl didn't find connected user!"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
cat $OUTFILE
|
||||||
|
|
||||||
|
echo " * Checking connected user settings in occtl output..."
|
||||||
|
grep "DNS: 1\.1\.1\.1" ${OUTFILE} >/dev/null
|
||||||
|
if test $? != 0;then
|
||||||
|
${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME}
|
||||||
|
echo "occtl show user didn't the right DNS address!"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
grep "1\.1\.1\.0/255\.255\.255\.0" ${OUTFILE}|grep Routes >/dev/null
|
||||||
|
if test $? != 0;then
|
||||||
|
cat $OUTFILE
|
||||||
|
${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME}
|
||||||
|
echo "occtl show user didn't the right routes!"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
|
||||||
|
grep ${CLI_ADDRESS} ${OUTFILE}
|
||||||
|
if test $? != 0;then
|
||||||
|
${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME}
|
||||||
|
echo "occtl show user didn't find client address!"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
exit 0
|
188
tests/test-config-per-group-url-pass
Executable file
188
tests/test-config-per-group-url-pass
Executable file
@ -0,0 +1,188 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
#
|
||||||
|
# Copyright (C) 2018 Nikos Mavrogiannopoulos and Marcin Ochab
|
||||||
|
#
|
||||||
|
# This file is part of ocserv.
|
||||||
|
#
|
||||||
|
# ocserv is free software; you can redistribute it and/or modify it
|
||||||
|
# under the terms of the GNU General Public License as published by the
|
||||||
|
# Free Software Foundation; either version 2 of the License, or (at
|
||||||
|
# your option) any later version.
|
||||||
|
#
|
||||||
|
# ocserv is distributed in the hope that it will be useful, but
|
||||||
|
# WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||||
|
# General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public License
|
||||||
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
#
|
||||||
|
|
||||||
|
# This tests operation/traffic under compression (lzs or lz4).
|
||||||
|
|
||||||
|
OCCTL="${OCCTL:-../src/occtl/occtl}"
|
||||||
|
SERV="${SERV:-../src/ocserv}"
|
||||||
|
srcdir=${srcdir:-.}
|
||||||
|
PIDFILE=ocserv-pid.$$.tmp
|
||||||
|
CLIPID=oc-pid.$$.tmp
|
||||||
|
PATH=${PATH}:/usr/sbin
|
||||||
|
IP=$(which ip)
|
||||||
|
OUTFILE=traffic.$$.tmp
|
||||||
|
|
||||||
|
. `dirname $0`/common.sh
|
||||||
|
|
||||||
|
eval "${GETPORT}"
|
||||||
|
|
||||||
|
if test -z "${IP}";then
|
||||||
|
echo "no IP tool is present"
|
||||||
|
exit 77
|
||||||
|
fi
|
||||||
|
|
||||||
|
if test "$(id -u)" != "0";then
|
||||||
|
echo "This test must be run as root"
|
||||||
|
exit 77
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo "Testing ocserv connection via haproxy... "
|
||||||
|
|
||||||
|
function finish {
|
||||||
|
set +e
|
||||||
|
echo " * Cleaning up..."
|
||||||
|
test -n "${PIDFILE}" && kill $(cat ${PIDFILE}) && rm -f ${PIDFILE} >/dev/null 2>&1
|
||||||
|
test -n "${CLIPID}" && kill $(cat ${CLIPID}) >/dev/null 2>&1
|
||||||
|
test -n "${CLIPID}" && rm -f ${CLIPID} >/dev/null 2>&1
|
||||||
|
test -n "${CONFIG}" && rm -f ${CONFIG} >/dev/null 2>&1
|
||||||
|
rm -f ${OUTFILE} 2>&1
|
||||||
|
}
|
||||||
|
trap finish EXIT
|
||||||
|
|
||||||
|
# server address
|
||||||
|
ADDRESS=10.204.5.1
|
||||||
|
CLI_ADDRESS=10.204.6.1
|
||||||
|
VPNNET=192.168.24.0/24
|
||||||
|
VPNADDR=192.168.24.1
|
||||||
|
VPNNET6=fd91:6d87:7344:dc6a:dc16::/112
|
||||||
|
VPNADDR6=fd91:6d87:7344:dc6a:dc16::1
|
||||||
|
OCCTL_SOCKET=./occtl-cpg-$$.socket
|
||||||
|
ROUTE1=192.168.24.0/24
|
||||||
|
USERNAME=test
|
||||||
|
PASSWORD=test
|
||||||
|
|
||||||
|
. `dirname $0`/ns.sh
|
||||||
|
|
||||||
|
# Run servers
|
||||||
|
update_config config-per-group-url-pass.config
|
||||||
|
if test "$VERBOSE" = 1;then
|
||||||
|
DEBUG="-d 6"
|
||||||
|
fi
|
||||||
|
|
||||||
|
${CMDNS2} ${SERV} -p ${PIDFILE} -f -c ${CONFIG} ${DEBUG} &
|
||||||
|
|
||||||
|
sleep 4
|
||||||
|
|
||||||
|
echo " * Connecting with user selecting group1 by url..."
|
||||||
|
(echo "${PASSWORD}" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT}/group1 -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b )
|
||||||
|
if test $? != 0;then
|
||||||
|
echo "Could not connect to server"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
set -e
|
||||||
|
${CMDNS1} ping -c 3 ${VPNADDR} >/dev/null 2>&1
|
||||||
|
|
||||||
|
${CMDNS1} ping -6 -c 3 ${VPNADDR6} >/dev/null 2>&1
|
||||||
|
set +e
|
||||||
|
|
||||||
|
${OCCTL} -s ${OCCTL_SOCKET} show users|grep ${USERNAME}
|
||||||
|
if test $? != 0;then
|
||||||
|
${OCCTL} -s ${OCCTL_SOCKET} show users|grep ${USERNAME}
|
||||||
|
echo "occtl didn't find connected user!"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME} >${OUTFILE}
|
||||||
|
if test $? != 0;then
|
||||||
|
${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME}
|
||||||
|
echo "occtl didn't find connected user!"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
cat $OUTFILE
|
||||||
|
|
||||||
|
grep "DNS: 1.1.1.1" ${OUTFILE} >/dev/null
|
||||||
|
if test $? = 0;then
|
||||||
|
cat $OUTFILE
|
||||||
|
${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME}
|
||||||
|
echo "occtl show user didn't the right DNS address!"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
grep "1.1.1.0/24" ${OUTFILE}|grep Routes >/dev/null
|
||||||
|
if test $? = 0;then
|
||||||
|
${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME}
|
||||||
|
echo "occtl show user didn't the right routes!"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
grep "No-routes: 192.168.98.0" ${OUTFILE} >/dev/null
|
||||||
|
if test $? != 0;then
|
||||||
|
cat $OUTFILE
|
||||||
|
${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME}
|
||||||
|
echo "occtl show user didn't the right No-routes!"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
test -n "${CLIPID}" && kill $(cat ${CLIPID}) >/dev/null 2>&1
|
||||||
|
sleep 2
|
||||||
|
|
||||||
|
echo " * Connecting with user selecting group2 by url..."
|
||||||
|
(echo "${PASSWORD}" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT}/group2 -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b )
|
||||||
|
|
||||||
|
if test $? != 0;then
|
||||||
|
echo "Could not connect to server"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
set -e
|
||||||
|
${CMDNS1} ping -c 3 ${VPNADDR} >/dev/null 2>&1
|
||||||
|
|
||||||
|
${CMDNS1} ping -6 -c 3 ${VPNADDR6} >/dev/null 2>&1
|
||||||
|
set +e
|
||||||
|
|
||||||
|
${OCCTL} -s ${OCCTL_SOCKET} show users|grep ${USERNAME}
|
||||||
|
if test $? != 0;then
|
||||||
|
echo "occtl didn't find connected user!"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME} >${OUTFILE}
|
||||||
|
if test $? != 0;then
|
||||||
|
${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME}
|
||||||
|
echo "occtl didn't find connected user!"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
cat $OUTFILE
|
||||||
|
|
||||||
|
grep "DNS: 1\.1\.1\.1" ${OUTFILE} >/dev/null
|
||||||
|
if test $? != 0;then
|
||||||
|
${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME}
|
||||||
|
echo "occtl show user didn't the right DNS address!"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
grep "1\.1\.1\.0/255\.255\.255\.0" ${OUTFILE}|grep Routes >/dev/null
|
||||||
|
if test $? != 0;then
|
||||||
|
cat $OUTFILE
|
||||||
|
${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME}
|
||||||
|
echo "occtl show user didn't the right routes!"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
|
||||||
|
grep ${CLI_ADDRESS} ${OUTFILE}
|
||||||
|
if test $? != 0;then
|
||||||
|
${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME}
|
||||||
|
echo "occtl show user didn't find client address!"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
exit 0
|
Loading…
Reference in New Issue
Block a user