scep: sync with manual

t/venom/test_suites/wired_dot1x_eap_tls_scep/00_enable_node_cleanup_task.yml

@@ -0,0 +1 @@
+../common/enable_node_cleanup_task.yml

t/venom/test_suites/wired_dot1x_eap_tls_scep/02_restart_pfcron_service.yml

@@ -0,0 +1 @@
+../common/restart_pfcron_service.yml

t/venom/test_suites/wired_dot1x_eap_tls_scep/10_enable_ocsp.yml

@@ -12,13 +12,13 @@ testcases:
     ignore_verify_ssl: true
     body: >-
       {
-        "id": "{{.wired_dot1x_eap_tls_manual.ocsp.id}}",
-        "ocsp_enable": "{{.wired_dot1x_eap_tls_manual.ocsp.enable}}",
-        "ocsp_url": "{{.wired_dot1x_eap_tls_manual.ocsp.url}}",        
-        "ocsp_override_cert_url": "{{.wired_dot1x_eap_tls_manual.ocsp.override_cert_url}}",
-        "ocsp_softfail": "{{.wired_dot1x_eap_tls_manual.ocsp.softfail}}",
-        "ocsp_timeout": "{{.wired_dot1x_eap_tls_manual.ocsp.timeout}}",
-        "ocsp_use_nonce": "{{.wired_dot1x_eap_tls_manual.ocsp.use_nonce}}"
+        "id": "{{.wired_dot1x_eap_tls_scep.ocsp.id}}",
+        "ocsp_enable": "{{.wired_dot1x_eap_tls_scep.ocsp.enable}}",
+        "ocsp_url": "{{.wired_dot1x_eap_tls_scep.ocsp.url}}",        
+        "ocsp_override_cert_url": "{{.wired_dot1x_eap_tls_scep.ocsp.override_cert_url}}",
+        "ocsp_softfail": "{{.wired_dot1x_eap_tls_scep.ocsp.softfail}}",
+        "ocsp_timeout": "{{.wired_dot1x_eap_tls_scep.ocsp.timeout}}",
+        "ocsp_use_nonce": "{{.wired_dot1x_eap_tls_scep.ocsp.use_nonce}}"
       }
     headers:
       "Authorization": "{{.get_login_token.json.result.token}}"
@@ -35,7 +35,7 @@ testcases:
     body: >-
       {
         "id": "tls-common",
-        "ocsp": "{{.wired_dot1x_eap_tls_manual.ocsp.id}}"
+        "ocsp": "{{.wired_dot1x_eap_tls_scep.ocsp.id}}"
       }
     headers:
       "Authorization": "{{.get_login_token.json.result.token}}"

t/venom/test_suites/wired_dot1x_eap_tls_scep/45_create_eaptls_source.yml

@@ -21,24 +21,24 @@ testcases:
             "actions": [
               {
                 "type": "set_role",
-                "value": "{{.wired_dot1x_eap_tls_manual.roles.dot1x_eap_tls.id}}"
+                "value": "{{.wired_dot1x_eap_tls_scep.roles.dot1x_eap_tls.id}}"
               },
               {
                 "type": "set_access_duration",
-                "value": "{{.wired_dot1x_eap_tls_manual.sources.eaptls.access_duration}}"
+                "value": "{{.wired_dot1x_eap_tls_scep.sources.eaptls.access_duration}}"
               }
             ],
             "conditions": [
               {
                 "attribute": "radius_request.TLS-Client-Cert-Issuer",
                 "operator": "equals",
-                "value": "{{.wired_dot1x_eap_tls_manual.certs.ca.issuer}}"
+                "value": "{{.wired_dot1x_eap_tls_scep.certs.ca.issuer}}"
               }
             ]
           }
         ],
-        "description": "{{.wired_dot1x_eap_tls_manual.sources.eaptls.description}}",
-        "id": "{{.wired_dot1x_eap_tls_manual.sources.eaptls.name}}",
+        "description": "{{.wired_dot1x_eap_tls_scep.sources.eaptls.description}}",
+        "id": "{{.wired_dot1x_eap_tls_scep.sources.eaptls.name}}",
         "realms": "",
         "set_access_durations_action": null,
         "type": "EAPTLS"

t/venom/test_suites/wired_dot1x_eap_tls_scep/50_create_connection_profile.yml

@@ -22,22 +22,22 @@ testcases:
           "unit": "m"
         },
         "default_psk_key": null,
-        "description": "{{.wired_dot1x_eap_tls_manual.profiles.wired.description}}",
+        "description": "{{.wired_dot1x_eap_tls_scep.profiles.wired.description}}",
         "dot1x_recompute_role_from_portal": "enabled",
         "dot1x_unset_on_unmatch": "disabled",
         "dpsk": "disabled",
         "filter": [
           {
             "type": "connection_type",
-            "match": "{{.wired_dot1x_eap_tls_manual.profiles.wired.filters.connection_type}}"
+            "match": "{{.wired_dot1x_eap_tls_scep.profiles.wired.filters.connection_type}}"
           },
           {
             "type": "connection_sub_type",
-            "match": "{{.wired_dot1x_eap_tls_manual.profiles.wired.filters.connection_sub_type}}"
+            "match": "{{.wired_dot1x_eap_tls_scep.profiles.wired.filters.connection_sub_type}}"
           }          
         ],
-        "filter_match_style": "any",
-        "id": "{{.wired_dot1x_eap_tls_manual.profiles.wired.id}}",
+        "filter_match_style": "all",
+        "id": "{{.wired_dot1x_eap_tls_scep.profiles.wired.id}}",
         "locale": null,
         "login_attempt_limit": 0,
         "logo": null,
@@ -54,10 +54,10 @@ testcases:
         "sms_pin_retry_limit": 0,
         "sms_request_limit": 0,
         "sources": [
-          "{{.wired_dot1x_eap_tls_manual.sources.eaptls.name}}"
+          "{{.wired_dot1x_eap_tls_scep.sources.eaptls.name}}"
         ],
         "status": "enabled",
-        "unreg_on_acct_stop": "{{.wired_dot1x_eap_tls_manual.profiles.wired.unreg_on_acct_stop}}",
+        "unreg_on_acct_stop": "{{.wired_dot1x_eap_tls_scep.profiles.wired.unreg_on_acct_stop}}",
         "vlan_pool_technique": "username_hash"
       }
     headers:

t/venom/test_suites/wired_dot1x_eap_tls_scep/60_enable_dot1x_dot1x_int.yml

@@ -0,0 +1 @@
+../../switches/common/enable_dot1x_dot1x_int.yml

t/venom/test_suites/wired_dot1x_eap_tls_scep/65_enable_dynamic_vlan.yml

@@ -0,0 +1 @@
+../../switches/common/enable_dynamic_vlan.yml

t/venom/test_suites/wired_dot1x_eap_tls_scep/70_commit_config.yml

@@ -0,0 +1 @@
+../../switches/common/commit_config.yml

t/venom/test_suites/wired_dot1x_eap_tls_scep/75_deploy_certificates_on_node01.yml

@@ -0,0 +1,16 @@
+name: Deploy certificates on node01
+testcases:
+  - name: deploy_certificates
+    steps:
+      - type: exec
+        script: |
+          /usr/bin/rsync -avz -e "ssh -o StrictHostKeyChecking=no" {{.wired_dot1x_eap_tls_scep.paths.per_client_directory}} \
+          {{.ssh_user}}@{{.node01_mgmt_ip}}:/home/vagrant/
+
+  - name: move_certificates
+    steps:
+      - type: ssh
+        host: '{{.node01_mgmt_ip}}'
+        user: '{{.ssh_user}}'
+        command:  |
+          sudo cp -v /home/vagrant/{{.wired_dot1x_eap_tls_scep.certs.user.cn}}/* /etc/wpa_supplicant/eap_tls/

t/venom/test_suites/wired_dot1x_eap_tls_scep/80_run_wpasupplicant.yml

@@ -0,0 +1,10 @@
+name: Run wpasupplicant on node01
+testcases:
+  - name: run_wpasupplicant
+    steps:
+      - type: ssh
+        host: '{{.node01_mgmt_ip}}'
+        user: '{{.ssh_user}}'
+        command:  |
+          cd /usr/local/pf/t/venom ; \
+          sudo /usr/local/pf/t/venom/venom-wrapper.sh {{.nodes_test_suite_dir}}/wired_dot1x_eap_tls/{{.venom.testcase}}.yml

t/venom/test_suites/wired_dot1x_eap_tls_scep/90_sleep_some_time.yml

@@ -0,0 +1,6 @@
+name: Sleep some time
+testcases:
+- name: sleep_some_time
+  steps:
+  - type: exec
+    script: sleep 20

t/venom/test_suites/wired_dot1x_eap_tls_scep/91_check_radius_audit_log.yml

@@ -0,0 +1,103 @@
+name: Check RADIUS audit log
+testcases:
+- name: get_login_token
+  steps:
+  - type: get_login_token
+
+- name: get_time
+  steps:
+  - type: exec
+    script: "date '+%Y-%m-%d %H:%M:%S' --date='2 minutes ago'"
+    vars:
+      two_minutes_ago:
+        from: result.systemout
+
+# only latest search entry since two minutes that matches
+# auth_status equals Accept (to avoid Disconnect)
+# mac equals {{.node01_ens7_mac_address}}"
+# connection type of test suite connection profile
+- name: get_id_of_radius_audit_log_entry
+  steps:
+  - type: http
+    method: POST
+    url: '{{.pfserver_webadmin_url}}/api/v1/radius_audit_logs/search'
+    ignore_verify_ssl: true
+    body: >-
+      {
+        "cursor": 0,
+        "fields": [
+          "id"
+        ],
+        "sort": [
+          "created_at DESC"
+        ],        
+        "limit": 1,
+        "query": {
+          "op": "and",
+          "values": [
+            {
+              "op": "or",
+              "values": [
+                {
+                  "field": "mac",
+                  "op": "equals",
+                  "value": "{{.node01_ens7_mac_address}}"
+                }
+              ]
+            },
+            {
+              "op": "or",
+              "values": [
+                {
+                  "field": "auth_status",
+                  "op": "equals",
+                  "value": "Accept"
+                }
+              ]
+            },
+            {
+              "op": "or",
+              "values": [
+                {
+                  "field": "connection_type",
+                  "op": "equals",
+                  "value": "{{.wired_dot1x_eap_tls_scep.profiles.wired.filters.connection_type}}"
+                }
+              ]
+            },
+            {
+              "op": "or",
+              "values": [            
+                {
+                  "field": "created_at",
+                  "op": "greater_than",
+                  "value": "{{.get_time.two_minutes_ago}}"
+                }
+              ]
+            }
+          ]
+        }
+      }
+    headers:
+      "Authorization": "{{.get_login_token.json.result.token}}"
+      "Content-Type": "application/json"
+    assertions:
+      - result.statuscode ShouldEqual 200
+      - result.bodyjson.items.items0 ShouldContainKey id
+    vars:
+      id:
+        from: result.bodyjson.items.items0.id
+
+- name: check_radius_reply
+  steps:
+  - type: http
+    method: GET
+    url: '{{.pfserver_webadmin_url}}/api/v1/radius_audit_log/{{.get_id_of_radius_audit_log_entry.id}}'
+    ignore_verify_ssl: true
+    headers:
+      "Authorization": "{{.get_login_token.json.result.token}}"
+      "Content-Type": "application/json"
+    assertions:
+      - result.statuscode ShouldEqual 200
+      - result.bodyjson.item.radius_reply ShouldContainSubstring 'Tunnel-Private-Group-Id = "{{.wired_dot1x_eap_tls_scep.roles.dot1x_eap_tls.vlan_id}}"'
+      - result.bodyjson.item.profile ShouldEqual "{{.wired_dot1x_eap_tls_scep.profiles.wired.id}}"

t/venom/test_suites/wired_dot1x_eap_tls_scep/95_check_autoregister_node.yml

@@ -0,0 +1,46 @@
+name: Check autoregister node
+testcases:
+- name: get_login_token
+  steps:
+  - type: get_login_token
+
+- name: check_autoregister_node
+  steps:
+  - type: http
+    method: GET
+    url: '{{.pfserver_webadmin_url}}/api/v1/node/{{.node01_ens7_mac_address_url_encoded}}'
+    ignore_verify_ssl: true
+    headers:
+      "Authorization": "{{.get_login_token.json.result.token}}"
+      "Content-Type": "application/json"
+    assertions:
+      - result.statuscode ShouldEqual 200
+      - result.bodyjson.item.autoreg ShouldEqual yes
+      - result.bodyjson.item.category ShouldEqual "{{.wired_dot1x_eap_tls_scep.roles.dot1x_eap_tls.id}}"
+      - result.bodyjson.item.pid ShouldEqual "{{.wired_dot1x_eap_tls_scep.certs.user.cn}}"
+      - result.bodyjson.item.status ShouldEqual reg
+    vars:
+      regdate:
+        from: result.bodyjson.item.regdate
+      unregdate:
+        from: result.bodyjson.item.unregdate
+
+# temp, need a feature in Venom assertion available in 1.0.0 (ShouldHappenBetween)
+# convert 5m to 5minutes
+# In order to calculate unregdate based on regdate + 5minutes using date command (next testcase)
+# - name: convert_access_duration
+#   steps:
+#   - type: exec
+#     script: |
+#       perl -I/usr/local/pf/lib -I/usr/local/pf/lib_perl/lib/perl5 -Mpf::config::util \
+#       -e 'my @times = get_translatable_time("{{.wired_dot1x_eap_tls_scep.sources.eaptls.access_duration}}"); print("$times[2]$times[1]");'
+#     vars:
+#       translatable_time:
+#         from: result.systemout
+
+# - name: check_unregdate_match_access_duration
+#   steps:
+#   - type: exec
+#     script: "date '+%Y-%m-%d %H:%M:%S' --date='{{.check_autoregister_node.regdate}} {{.convert_access_duration.translatable_time}}'"
+#     assertions:
+#       - result.systemout ShouldEqual "{{.check_autoregister_node.unregdate}}"

t/venom/test_suites/wired_dot1x_eap_tls_scep/98_check_dot1x_int_status.yml

@@ -0,0 +1,22 @@
+name: Check dot1x interface status on switch01
+testcases:
+- name: check_dot1x_int_status_on_switch01
+  steps:
+  - type: http
+    method: POST
+    basic_auth_user: "{{.switch01.api.user}}"
+    basic_auth_password: "{{.switch01.api.password}}"
+    url: '{{.switch01.api.url}}/nclu/v1/rpc'
+    ignore_verify_ssl: true
+    body: >-
+      {
+       "cmd": "show dot1x interface {{.switch01.dot1x_interface.id}} json"
+      }
+    headers:
+      "Content-Type": "application/json"
+    assertions:
+      # we didn't check MAC address on port to make this testcase reusable
+      - result.body ShouldContainSubstring "{{.wired_dot1x_eap_tls_scep.roles.dot1x_eap_tls.vlan_id}}"
+      - result.body ShouldContainSubstring TLS
+      - result.body ShouldContainSubstring AUTHORIZED
+      - result.statuscode ShouldEqual 200

t/venom/test_suites/wired_dot1x_eap_tls_scep/99_check_internet_access.yml

@@ -0,0 +1 @@
+../common/check_internet_access.yml

t/venom/test_suites/wired_dot1x_eap_tls_scep/TESTSUITE.md

@@ -1,4 +1,4 @@
-# wired_dot1x_eap_tls
+# wired_dot1x_eap_tls_manual
 
 ## Requirements
 N/A
@@ -25,8 +25,6 @@ N/A
 1. Create connection profile with auto-registration, unreg_on_accounting_stop,
    EAPTLS source and specific filter
 1. Perform Checkup (common test suite)
-
-TODO:
 1. Configure 802.1X only and dynamic VLAN on dot1x interface on
    switch01
 1. Install Root CA on node01 
@@ -40,6 +38,8 @@ TODO:
 1. Check node status for node01 (common)
 1. Check VLAN assigned to node01 *on* switch01 (common)
 1. Check Internet access *on* node01 (common)
+
+TODO:
 1. Revoke certificate
 1. Kill wpasupplicant (common test suite)
 1. Rerun wpasupplicant to have a reject authentication due to revoke certificate
@@ -49,13 +49,26 @@ TODO:
 1. Check Internet access *on* node01 (common) = down
 
 ## Teardown steps
-TBD but identical to dot1x_eap_peap scenario (based on unreg_on_accounting_stop)
-
-Revoke certificates to avoid issues when you try to create a certificate that
-already exists
+1. Kill wpa_supplicant: an accounting stop will be generated if we wait
+   EAP-TIMEOUT on the switch (not the case here due to next task). Access is
+   still working until we run next task.
+1. Unconfigure switch port and dynamic VLAN on switch01
+   1. Generate a RADIUS Accounting stop message (sent by switch01) which update
+      `last_seen` attribute of node01 and unreg device based on
+      `unreg_on_accounting_stop`
+   1. Don't send a RADIUS Disconnect message
+1. Check online status of node01: should be offline due to accounting stop
+1. Check node status for node01
+1. Wait `delete_windows` + 10 seconds before running `node_cleanup` task
+1. Delete node by running `pfcron's node_cleanup` task
+1. Check node has been deleted
+1. Disable `node_cleanup` task
+1. Restart `pfcron` to take change into account
+1. Delete connection profile, EAPTLS source, OCSP profile and configuration
+1. Restart RADIUS services (common test suite)
 
-Name of CA, templates and certificates should be uniq. Not possible to revoke
-or remove CA or template.
+## Additional notes
 
-Currently, we replace built-in certificates by PKI certificates. The teardown
-doesn't put back built-in certificates.
+Reauthentication is done by switch based on `eap_reauth_period` setting to
+avoid node been unregistered when it reach unregdate and automatically deleted
+by `pfcron` without running teardown steps.

t/venom/test_suites/wired_dot1x_eap_tls_scep/teardown/00_kill_wpasupplicant.yml

@@ -0,0 +1 @@
+../../common/kill_wpasupplicant.yml

t/venom/test_suites/wired_dot1x_eap_tls_scep/teardown/05_disable_dot1x_dot1x_int.yml

@@ -0,0 +1 @@
+../../../switches/common/disable_dot1x_dot1x_int.yml

t/venom/test_suites/wired_dot1x_eap_tls_scep/teardown/07_disable_dynamic_vlan.yml

@@ -0,0 +1 @@
+../../../switches/common/disable_dynamic_vlan.yml

t/venom/test_suites/wired_dot1x_eap_tls_scep/teardown/10_commit_config.yml

@@ -0,0 +1 @@
+../../../switches/common/commit_config.yml