Merge pull request #612 from kylemanna/km/fix-tests
Fix build and tests
This commit is contained in:
commit
dfd1708159
|
@ -7,7 +7,7 @@ LABEL maintainer="Kyle Manna <kyle@kylemanna.com>"
|
|||
|
||||
# Testing: pamtester
|
||||
RUN echo "http://dl-cdn.alpinelinux.org/alpine/edge/testing/" >> /etc/apk/repositories && \
|
||||
apk add --update openvpn iptables bash easy-rsa openvpn-auth-pam google-authenticator pamtester && \
|
||||
apk add --update openvpn iptables bash easy-rsa openvpn-auth-pam google-authenticator pamtester libqrencode && \
|
||||
ln -s /usr/share/easy-rsa/easyrsa /usr/local/bin && \
|
||||
rm -rf /tmp/* /var/tmp/* /var/cache/apk/* /var/cache/distfiles/*
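Review bot: The `apk add` line this hunk extends still resolves packages from the repository appended on the `RUN echo` line above it, which is added over plain `http://` and points at `edge/testing`; apk checks package signatures, so package integrity is covered, but the index fetch is unauthenticated transport and the testing branch is unpinned, so what `pamtester` (the `# Testing: pamtester` comment says that is why the repo is there) and now `libqrencode` resolve to can change from build to build. I would switch the line to `https://dl-cdn.alpinelinux.org/alpine/edge/testing/` and confirm that `libqrencode` comes from the release repositories rather than testing. A word on why the new package is needed would help the next reader, since the commit message does not say, e.g. `# libqrencode: presumably for the QR output of google-authenticator — confirm`.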
|
||||
|
||||
|
|
|
@ -15,6 +15,10 @@ source "$OPENVPN/ovpn_env.sh"
|
|||
# Specify "nopass" as arg[2] to make the CA insecure (not recommended!)
|
||||
nopass=$1
|
||||
|
||||
# EasyRSA 3.0.7 introduced checks for $EASYRSA_VARS_FILE existence
|
||||
# in the init-pki script
|
||||
touch $EASYRSA_VARS_FILE
|
||||
|
||||
# Provides a sufficient warning before erasing pre-existing files
|
||||
easyrsa init-pki
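Review bot: `touch $EASYRSA_VARS_FILE` on the new line runs with an unquoted, unguarded variable: if `EASYRSA_VARS_FILE` is unset or empty (its definition is not in this hunk), `touch` receives no operand and fails with a usage message instead of a clear diagnostic, and a path containing whitespace is word-split. I would make the precondition explicit and quote it: `touch -- "${EASYRSA_VARS_FILE:?EASYRSA_VARS_FILE must be set}"`. The two comment lines explain the why well; I would add that only existence matters, e.g. `# An empty file satisfies the check; an existing vars file is left as is (only its mtime changes)`.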
|
||||
|
||||
|
|
|
@ -28,6 +28,7 @@ if [ "$2" == "interactive" ]; then
|
|||
# Always use time base OTP otherwise storage for counters must be configured somewhere in volume
|
||||
google-authenticator --time-based --force -l "${1}@${OVPN_CN}" -s /etc/openvpn/otp/${1}.google_authenticator
|
||||
else
|
||||
# Skip confirmation if not running in interctive mode. Essential for integration tests.
|
||||
google-authenticator --time-based --disallow-reuse --force --rate-limit=3 --rate-time=30 --window-size=3 \
|
||||
-l "${1}@${OVPN_CN}" -s /etc/openvpn/otp/${1}.google_authenticator
|
||||
fi
|
||||
-l "${1}@${OVPN_CN}" -s /etc/openvpn/otp/${1}.google_authenticator --no-confirm
|
||||
fi
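Review bot: The rewritten non-interactive `google-authenticator` call builds the secret's path from the raw first argument, `-s /etc/openvpn/otp/${1}.google_authenticator`, with no quoting or validation, so a user name containing `/`, `..` or whitespace changes where the secret file is written (the interactive call above has the same construction). I would reject unsafe names once, before the `if [ "$2" == "interactive" ]` that begins outside this hunk, e.g. `case "$1" in ""|*[!A-Za-z0-9._-]*) echo "invalid user name: $1" >&2; exit 1;; esac`, and quote the expansions on both calls: `-s "/etc/openvpn/otp/${1}.google_authenticator"`. Separately, only this branch passes `--disallow-reuse --rate-limit=3 --rate-time=30 --window-size=3`, so interactively enrolled users end up with weaker OTP settings than test-enrolled ones; if that is not intentional, the option set should be shared by both calls.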
|
||||
|
|
|
@ -22,7 +22,6 @@ if [ -z "$EASYRSA_PKI" ]; then
|
|||
fi
|
||||
|
||||
cn="$1"
|
||||
parm="$2"
|
||||
|
||||
if [ ! -f "$EASYRSA_PKI/private/${cn}.key" ]; then
|
||||
echo "Unable to find \"${cn}\", please try again or generate the key first" >&2
|
||||
|
@ -37,25 +36,4 @@ revoke_client_certificate(){
|
|||
chmod 644 "$OPENVPN/crl.pem"
|
||||
}
|
||||
|
||||
remove_files(){
|
||||
rm -v "$EASYRSA_PKI/issued/${1}.crt"
|
||||
rm -v "$EASYRSA_PKI/private/${1}.key"
|
||||
rm -v "$EASYRSA_PKI/reqs/${1}.req"
|
||||
}
|
||||
|
||||
case "$parm" in
|
||||
"remove")
|
||||
revoke_client_certificate "$cn"
|
||||
remove_files "$cn"
|
||||
;;
|
||||
"" | "keep")
|
||||
revoke_client_certificate "$cn"
|
||||
;;
|
||||
*)
|
||||
echo "When revoking a client certificate, this script let you choose if you want to remove the corresponding crt, key and req files." >&2
|
||||
echo "Pease note that the removal of those files is required if you want to generate a new client certificate using the revoked certificate's CN." >&2
|
||||
echo " 1. keep (default): Keep the files." >&2
|
||||
echo " 2. remove: Remove the files." >&2
|
||||
echo "Please specify one of those options as second parameter." >&2
|
||||
;;
|
||||
esac
|
||||
revoke_client_certificate "$cn"
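Review bot: The new tail, `revoke_client_certificate "$cn"`, drops the `remove` mode without rejecting the argument, so a caller that still passes `remove` (as the test script in this PR did before it was updated) gets a silent revoke-only run and keeps the client's `.crt`, `.key` and `.req` on disk — and, per the deleted help text, the CN cannot then be reissued until those files are removed by hand. I would fail loudly on extra arguments rather than ignore them: `[ $# -le 1 ] || { echo "usage: ovpn_revokeclient <cn>" >&2; exit 1; }`, and record the new contract in a comment above the call, e.g. `# Revoke only: issued/private/reqs files are kept, so the CN stays unusable for a new cert`. A revoked client's private key lingering in `$EASYRSA_PKI/private` is not a problem as long as the server enforces the regenerated CRL, but it is worth stating so nobody assumes it was wiped. The script body this line belongs to starts before the hunk.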
|
||||
|
|
|
@ -24,9 +24,6 @@ docker run -v $OVPN_DATA:/etc/openvpn --rm $IMG ovpn_listclients | grep $CLIENT
|
|||
#
|
||||
# Fire up the server
|
||||
#
|
||||
sudo iptables -N DOCKER || echo 'Firewall already configured'
|
||||
sudo iptables -I FORWARD -j DOCKER || echo 'Forward already configured'
|
||||
# run in shell bg to get logs
|
||||
docker run --name "ovpn-test" -v $OVPN_DATA:/etc/openvpn --rm -p 1194:1194/udp --privileged $IMG &
|
||||
|
||||
#for i in $(seq 10); do
|
||||
|
|
|
@ -34,8 +34,6 @@ docker run -v $OVPN_DATA:/etc/openvpn --rm $IMG ovpn_listclients | grep $CLIENT_
|
|||
#
|
||||
# Fire up the server
|
||||
#
|
||||
sudo iptables -N DOCKER || echo 'Firewall already configured'
|
||||
sudo iptables -I FORWARD -j DOCKER || echo 'Forward already configured'
|
||||
|
||||
# run in shell bg to get logs
|
||||
docker run --name "ovpn-test-udp" -v $OVPN_DATA:/etc/openvpn --rm -p 1194:1194/udp --privileged $IMG &
|
||||
|
|
|
@ -16,14 +16,17 @@ docker run -v $OVPN_DATA:/etc/openvpn --rm -it -e "EASYRSA_BATCH=1" -e "EASYRSA_
|
|||
docker run -d --name $NAME -v $OVPN_DATA:/etc/openvpn --cap-add=NET_ADMIN $IMG
|
||||
|
||||
# check default iptables rules
|
||||
docker exec -ti $NAME bash -c 'source /etc/openvpn/ovpn_env.sh; eval iptables -t nat -C POSTROUTING -s $OVPN_SERVER -o eth0 -j MASQUERADE'
|
||||
for i in $(seq 10); do
|
||||
docker exec -ti $NAME bash -c 'source /etc/openvpn/ovpn_env.sh; exec iptables -t nat -C POSTROUTING -s $OVPN_SERVER -o eth0 -j MASQUERADE' && break
|
||||
echo waiting for server start-up
|
||||
sleep 1
|
||||
done
|
||||
|
||||
# append new setupIptablesAndRouting function to config
|
||||
docker exec -ti $NAME bash -c 'echo function setupIptablesAndRouting { iptables -t nat -A POSTROUTING -m comment --comment "test"\;} >> /etc/openvpn/ovpn_env.sh'
|
||||
|
||||
# kill server in preparation to modify config
|
||||
docker kill $NAME
|
||||
docker rm $NAME
|
||||
docker rm -f $NAME
|
||||
|
||||
# check that overridden function exists and that test iptables rules is active
|
||||
docker run -d --name $NAME -v $OVPN_DATA:/etc/openvpn --cap-add=NET_ADMIN $IMG
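Review bot: The new retry loop can pass without ever seeing the MASQUERADE rule: when all ten `docker exec … iptables -t nat -C …` attempts fail, the loop simply runs out and the script continues with the status of `sleep 1`, so the assertion that the replaced single `eval iptables -C` line used to make is gone (whether this file runs under `set -e` is not visible in the hunk, but nothing fails here either way). I would keep a success flag and abort after the loop, as below. `docker rm -f $NAME` in place of kill+rm is fine; note that `docker exec -ti` still requests a TTY, which can fail on CI runners without one, so `-i` alone is safer for these non-interactive checks.
```shell
found=0
for i in $(seq 10); do
  docker exec -ti $NAME bash -c 'source /etc/openvpn/ovpn_env.sh; exec iptables -t nat -C POSTROUTING -s $OVPN_SERVER -o eth0 -j MASQUERADE' && { found=1; break; }
  echo waiting for server start-up
  sleep 1
done
[ "$found" = 1 ] || { echo 'MASQUERADE rule not present after 10s' >&2; exit 1; }
# … unchanged: append setupIptablesAndRouting override, restart container …
```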
|
||||
|
@ -33,6 +36,5 @@ docker exec -ti $NAME bash -c 'source /etc/openvpn/ovpn_env.sh; type -t setupIpt
|
|||
# kill server
|
||||
#
|
||||
|
||||
docker kill $NAME
|
||||
docker rm $NAME
|
||||
docker rm -f $NAME
|
||||
docker volume rm $OVPN_DATA
|
||||
|
|
|
@ -49,9 +49,6 @@ grep 'reneg-sec 0' $CLIENT_DIR/config.ovpn || abort 'reneg-sec not set to 0 in c
|
|||
#
|
||||
# Fire up the server
|
||||
#
|
||||
sudo iptables -N DOCKER || echo 'Firewall already configured'
|
||||
sudo iptables -I FORWARD -j DOCKER || echo 'Forward already configured'
|
||||
# run in shell bg to get logs
|
||||
docker run --name "ovpn-test" -v $OVPN_DATA:/etc/openvpn --rm -p 1194:1194/udp --privileged $IMG &
|
||||
|
||||
#for i in $(seq 10); do
|
||||
|
|
|
@ -3,11 +3,11 @@ set -e
|
|||
|
||||
[ -n "${DEBUG+x}" ] && set -x
|
||||
|
||||
OVPN_DATA="basic-data"
|
||||
OVPN_DATA="ovpn-revoke-test-data"
|
||||
CLIENT1="travis-client1"
|
||||
CLIENT2="travis-client2"
|
||||
IMG="kylemanna/openvpn"
|
||||
NAME="ovpn-test"
|
||||
NAME="ovpn-revoke-test"
|
||||
CLIENT_DIR="$(readlink -f "$(dirname "$BASH_SOURCE")/../../client")"
|
||||
SERV_IP="$(ip -4 -o addr show scope global | awk '{print $4}' | sed -e 's:/.*::' | head -n1)"
|
||||
|
||||
|
@ -18,18 +18,21 @@ docker volume create --name $OVPN_DATA
|
|||
docker run --rm -v $OVPN_DATA:/etc/openvpn $IMG ovpn_genconfig -u udp://$SERV_IP
|
||||
docker run --rm -v $OVPN_DATA:/etc/openvpn -it -e "EASYRSA_BATCH=1" -e "EASYRSA_REQ_CN=Travis-CI Test CA" $IMG ovpn_initpki nopass
|
||||
|
||||
#
|
||||
# Fire up the server.
|
||||
#
|
||||
sudo iptables -N DOCKER || echo 'Firewall already configured'
|
||||
sudo iptables -I FORWARD 1 -j DOCKER
|
||||
docker run -d -v $OVPN_DATA:/etc/openvpn --cap-add=NET_ADMIN --privileged -p 1194:1194/udp --name $NAME $IMG
|
||||
# Register clean-up function
|
||||
function finish {
|
||||
# Stop the server and clean up
|
||||
docker rm -f $NAME
|
||||
docker volume rm $OVPN_DATA
|
||||
}
|
||||
trap finish EXIT
|
||||
|
||||
# Put the server in the background
|
||||
docker run -d -v $OVPN_DATA:/etc/openvpn --cap-add=NET_ADMIN -p 1194:1194/udp --name $NAME $IMG
|
||||
|
||||
#
|
||||
# Test that easy_rsa generate CRLs with 'next publish' set to 3650 days.
|
||||
#
|
||||
crl_next_update="$(docker exec $NAME openssl crl -nextupdate -noout -in /etc/openvpn/crl.pem | cut -d'=' -f2 | tr -d 'GMT')"
|
||||
crl_next_update="$(docker exec $NAME bash -c "openssl crl -nextupdate -noout -in \$EASYRSA_PKI/crl.pem | cut -d'=' -f2 | tr -d 'GMT'")"
|
||||
crl_next_update="$(date -u -d "$crl_next_update" "+%s")"
|
||||
now="$(docker exec $NAME date "+%s")"
|
||||
crl_remain="$(( $crl_next_update - $now ))"
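Review bot: The rewritten CRL check on the `crl_next_update=` line keeps `tr -d 'GMT'`, which deletes every uppercase G, M and T in the date string rather than the trailing zone, so a `nextUpdate` falling in March or May comes out as `ar …`/`ay …` and the following `date -u -d` fails — a calendar-dependent test failure that the old line had as well. Replacing it with `sed 's/ GMT\$//'` inside the `bash -c` string (or dropping the `tr` entirely, since GNU `date -d` should accept a trailing `GMT`) fixes it. The `finish` trap is a good addition and is registered before the container is started; one caveat worth a comment is that `docker volume rm $OVPN_DATA` also runs on a failed test, discarding the PKI and logs you would want for debugging, e.g. `# NOTE: volume is removed even on failure; comment out to keep state for debugging`.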
|
||||
|
@ -44,7 +47,7 @@ fi
|
|||
#
|
||||
docker exec -it $NAME easyrsa build-client-full $CLIENT1 nopass
|
||||
docker exec -it $NAME ovpn_getclient $CLIENT1 > $CLIENT_DIR/config.ovpn
|
||||
docker exec -it $NAME bash -c "echo 'yes' | ovpn_revokeclient $CLIENT1 remove"
|
||||
docker exec -it $NAME bash -c "echo 'yes' | ovpn_revokeclient $CLIENT1"
|
||||
|
||||
#
|
||||
# Test that openvpn client can't connect using $CLIENT1 config.
|
||||
|
@ -59,7 +62,7 @@ fi
|
|||
#
|
||||
docker exec -it $NAME easyrsa build-client-full $CLIENT2 nopass
|
||||
docker exec -it $NAME ovpn_getclient $CLIENT2 > $CLIENT_DIR/config.ovpn
|
||||
docker exec -it $NAME bash -c "echo 'yes' | ovpn_revokeclient $CLIENT2 remove"
|
||||
docker exec -it $NAME bash -c "echo 'yes' | ovpn_revokeclient $CLIENT2"
|
||||
|
||||
if docker run --rm -v $CLIENT_DIR:/client --cap-add=NET_ADMIN --privileged --net=host $IMG /client/wait-for-connect.sh; then
|
||||
echo "Client was able to connect after revocation test #2." >&2
|
||||
|
@ -79,13 +82,6 @@ if docker run --rm -v $CLIENT_DIR:/client --cap-add=NET_ADMIN --privileged --net
|
|||
exit 2
|
||||
fi
|
||||
|
||||
#
|
||||
# Stop the server and clean up
|
||||
#
|
||||
docker kill $NAME && docker rm $NAME
|
||||
docker volume rm $OVPN_DATA
|
||||
sudo iptables -D FORWARD 1
|
||||
|
||||
#
|
||||
# Celebrate
|
||||
#
|
||||
|
|