From d1aa3a3c5b5c6bed554b8b760ac8b01d19061345 Mon Sep 17 00:00:00 2001 
From: nqb Date: Tue, 19 Oct 2021 08:33:49 +0200 Subject: [PATCH 01/14] draft new tests --- .../dot1x_eap_tls/playbooks/run_tests.yml | 6 +- .../00_create_pki.yml | 0 .../10_enable_ocsp.yml | 0 .../36_restart_radius_services.yml | 0 .../37_enable_dynamic_vlan.yml | 1 + .../40_commit_config.yml | 1 + .../41_restart_haproxy-admin_service.yml | 0 .../42_restart_haproxy-portal_service.yml | 0 .../45_create_eaptls_source.yml | 0 .../45_run_wpasupplicant.yml | 10 + .../50_create_connection_profile.yml | 0 .../50_sleep_some_time.yml | 6 + .../55_check_radius_audit_log.yml | 103 ++++++ .../55_perform_checkup.yml | 0 .../60_check_autoregister_node.yml | 46 +++ .../60_enable_dot1x_dot1x_int.yml | 1 + .../65_check_dot1x_int_status.yml | 1 + .../70_check_internet_access.yml | 1 + .../TESTSUITE.md | 0 .../teardown/90_teardown.yml | 0 .../teardown/95_restart_radius_services | 0 .../00_create_pki.yml | 347 ++++++++++++++++++ .../10_enable_ocsp.yml | 44 +++ .../36_restart_radius_services.yml | 1 + .../41_restart_haproxy-admin_service.yml | 1 + .../42_restart_haproxy-portal_service.yml | 1 + .../45_create_eaptls_source.yml | 50 +++ .../50_create_connection_profile.yml | 67 ++++ .../55_perform_checkup.yml | 1 + .../dot1x_eap_tls_pfpki_scep/TESTSUITE.md | 61 +++ .../teardown/90_teardown.yml | 59 +++ .../teardown/95_restart_radius_services | 1 + 32 files changed, 807 insertions(+), 2 deletions(-) rename t/venom/test_suites/{dot1x_eap_tls_pfpki => dot1x_eap_tls_pfpki_manual}/00_create_pki.yml (100%) rename t/venom/test_suites/{dot1x_eap_tls_pfpki => dot1x_eap_tls_pfpki_manual}/10_enable_ocsp.yml (100%) rename t/venom/test_suites/{dot1x_eap_tls_pfpki => dot1x_eap_tls_pfpki_manual}/36_restart_radius_services.yml (100%) create mode 120000 t/venom/test_suites/dot1x_eap_tls_pfpki_manual/37_enable_dynamic_vlan.yml create mode 120000 t/venom/test_suites/dot1x_eap_tls_pfpki_manual/40_commit_config.yml rename t/venom/test_suites/{dot1x_eap_tls_pfpki => 
dot1x_eap_tls_pfpki_manual}/41_restart_haproxy-admin_service.yml (100%) rename t/venom/test_suites/{dot1x_eap_tls_pfpki => dot1x_eap_tls_pfpki_manual}/42_restart_haproxy-portal_service.yml (100%) rename t/venom/test_suites/{dot1x_eap_tls_pfpki => dot1x_eap_tls_pfpki_manual}/45_create_eaptls_source.yml (100%) create mode 100644 t/venom/test_suites/dot1x_eap_tls_pfpki_manual/45_run_wpasupplicant.yml rename t/venom/test_suites/{dot1x_eap_tls_pfpki => dot1x_eap_tls_pfpki_manual}/50_create_connection_profile.yml (100%) create mode 100644 t/venom/test_suites/dot1x_eap_tls_pfpki_manual/50_sleep_some_time.yml create mode 100644 t/venom/test_suites/dot1x_eap_tls_pfpki_manual/55_check_radius_audit_log.yml rename t/venom/test_suites/{dot1x_eap_tls_pfpki => dot1x_eap_tls_pfpki_manual}/55_perform_checkup.yml (100%) create mode 100644 t/venom/test_suites/dot1x_eap_tls_pfpki_manual/60_check_autoregister_node.yml create mode 120000 t/venom/test_suites/dot1x_eap_tls_pfpki_manual/60_enable_dot1x_dot1x_int.yml create mode 120000 t/venom/test_suites/dot1x_eap_tls_pfpki_manual/65_check_dot1x_int_status.yml create mode 120000 t/venom/test_suites/dot1x_eap_tls_pfpki_manual/70_check_internet_access.yml rename t/venom/test_suites/{dot1x_eap_tls_pfpki => dot1x_eap_tls_pfpki_manual}/TESTSUITE.md (100%) rename t/venom/test_suites/{dot1x_eap_tls_pfpki => dot1x_eap_tls_pfpki_manual}/teardown/90_teardown.yml (100%) rename t/venom/test_suites/{dot1x_eap_tls_pfpki => dot1x_eap_tls_pfpki_manual}/teardown/95_restart_radius_services (100%) create mode 100644 t/venom/test_suites/dot1x_eap_tls_pfpki_scep/00_create_pki.yml create mode 100644 t/venom/test_suites/dot1x_eap_tls_pfpki_scep/10_enable_ocsp.yml create mode 120000 t/venom/test_suites/dot1x_eap_tls_pfpki_scep/36_restart_radius_services.yml create mode 120000 t/venom/test_suites/dot1x_eap_tls_pfpki_scep/41_restart_haproxy-admin_service.yml create mode 120000 t/venom/test_suites/dot1x_eap_tls_pfpki_scep/42_restart_haproxy-portal_service.yml create 
mode 100644 t/venom/test_suites/dot1x_eap_tls_pfpki_scep/45_create_eaptls_source.yml
create mode 100644 t/venom/test_suites/dot1x_eap_tls_pfpki_scep/50_create_connection_profile.yml
create mode 120000 t/venom/test_suites/dot1x_eap_tls_pfpki_scep/55_perform_checkup.yml
create mode 100644 t/venom/test_suites/dot1x_eap_tls_pfpki_scep/TESTSUITE.md
create mode 100644 t/venom/test_suites/dot1x_eap_tls_pfpki_scep/teardown/90_teardown.yml
create mode 120000 t/venom/test_suites/dot1x_eap_tls_pfpki_scep/teardown/95_restart_radius_services
diff --git a/t/venom/scenarios/dot1x_eap_tls/playbooks/run_tests.yml b/t/venom/scenarios/dot1x_eap_tls/playbooks/run_tests.yml
index ee62dc2f16fd..b2d5ae3a5ec3 100644
--- a/t/venom/scenarios/dot1x_eap_tls/playbooks/run_tests.yml
+++ b/t/venom/scenarios/dot1x_eap_tls/playbooks/run_tests.yml
@@ -7,8 +7,10 @@
 test_suites:
 - configurator
 - global_config
- - dot1x_eap_tls_pfpki
- - dot1x_eap_tls_pfpki/teardown
+ - dot1x_eap_tls_pfpki_manual
+ - dot1x_eap_tls_pfpki_manual/teardown
+ - dot1x_eap_tls_pfpki_scep
+ - dot1x_eap_tls_pfpki_scep/teardown
 - global_teardown
 
 tasks:
diff --git a/t/venom/test_suites/dot1x_eap_tls_pfpki/00_create_pki.yml b/t/venom/test_suites/dot1x_eap_tls_pfpki_manual/00_create_pki.yml
similarity index 100%
rename from t/venom/test_suites/dot1x_eap_tls_pfpki/00_create_pki.yml
rename to t/venom/test_suites/dot1x_eap_tls_pfpki_manual/00_create_pki.yml
diff --git a/t/venom/test_suites/dot1x_eap_tls_pfpki/10_enable_ocsp.yml b/t/venom/test_suites/dot1x_eap_tls_pfpki_manual/10_enable_ocsp.yml
similarity index 100%
rename from t/venom/test_suites/dot1x_eap_tls_pfpki/10_enable_ocsp.yml
rename to t/venom/test_suites/dot1x_eap_tls_pfpki_manual/10_enable_ocsp.yml
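Review bot: The two suites chained here, `dot1x_eap_tls_pfpki_manual` and `dot1x_eap_tls_pfpki_scep`, both create a root CA from the same `dot1x_eap_tls_pfpki.certs.ca.*` variables (the scep copy of 00_create_pki.yml is in this patch; the manual one was renamed unchanged), so the second `create_root_ca` runs against a PKI that already holds a CA with that CN unless the manual teardown removes it — which is not visible here. If the pfpki rejects the duplicate, the scep suite fails at its first step; if it accepts it, `{{.dot1x_eap_tls_pfpki.certs.ca.issuer}}` then matches certificates from either CA and the issuer-only source rule in 45_create_eaptls_source.yml no longer distinguishes them. Either give the scep suite its own CA variables or make CA removal an explicit, asserted step of the manual teardown.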
diff --git a/t/venom/test_suites/dot1x_eap_tls_pfpki/36_restart_radius_services.yml b/t/venom/test_suites/dot1x_eap_tls_pfpki_manual/36_restart_radius_services.yml similarity index 100% rename from t/venom/test_suites/dot1x_eap_tls_pfpki/36_restart_radius_services.yml rename to t/venom/test_suites/dot1x_eap_tls_pfpki_manual/36_restart_radius_services.yml diff --git a/t/venom/test_suites/dot1x_eap_tls_pfpki_manual/37_enable_dynamic_vlan.yml b/t/venom/test_suites/dot1x_eap_tls_pfpki_manual/37_enable_dynamic_vlan.yml new file mode 120000 index 000000000000..319d06587edc --- /dev/null +++ b/t/venom/test_suites/dot1x_eap_tls_pfpki_manual/37_enable_dynamic_vlan.yml @@ -0,0 +1 @@ +../../switches/common/enable_dynamic_vlan.yml \ No newline at end of file diff --git a/t/venom/test_suites/dot1x_eap_tls_pfpki_manual/40_commit_config.yml b/t/venom/test_suites/dot1x_eap_tls_pfpki_manual/40_commit_config.yml new file mode 120000 index 000000000000..c50e5362c2ec --- /dev/null +++ b/t/venom/test_suites/dot1x_eap_tls_pfpki_manual/40_commit_config.yml @@ -0,0 +1 @@ +../../switches/common/commit_config.yml \ No newline at end of file diff --git a/t/venom/test_suites/dot1x_eap_tls_pfpki/41_restart_haproxy-admin_service.yml b/t/venom/test_suites/dot1x_eap_tls_pfpki_manual/41_restart_haproxy-admin_service.yml similarity index 100% rename from t/venom/test_suites/dot1x_eap_tls_pfpki/41_restart_haproxy-admin_service.yml rename to t/venom/test_suites/dot1x_eap_tls_pfpki_manual/41_restart_haproxy-admin_service.yml diff --git a/t/venom/test_suites/dot1x_eap_tls_pfpki/42_restart_haproxy-portal_service.yml b/t/venom/test_suites/dot1x_eap_tls_pfpki_manual/42_restart_haproxy-portal_service.yml similarity index 100% rename from t/venom/test_suites/dot1x_eap_tls_pfpki/42_restart_haproxy-portal_service.yml rename to t/venom/test_suites/dot1x_eap_tls_pfpki_manual/42_restart_haproxy-portal_service.yml 
diff --git a/t/venom/test_suites/dot1x_eap_tls_pfpki/45_create_eaptls_source.yml b/t/venom/test_suites/dot1x_eap_tls_pfpki_manual/45_create_eaptls_source.yml
similarity index 100%
rename from t/venom/test_suites/dot1x_eap_tls_pfpki/45_create_eaptls_source.yml
rename to t/venom/test_suites/dot1x_eap_tls_pfpki_manual/45_create_eaptls_source.yml
diff --git a/t/venom/test_suites/dot1x_eap_tls_pfpki_manual/45_run_wpasupplicant.yml b/t/venom/test_suites/dot1x_eap_tls_pfpki_manual/45_run_wpasupplicant.yml
new file mode 100644
index 000000000000..b1417fc7b363
--- /dev/null
+++ b/t/venom/test_suites/dot1x_eap_tls_pfpki_manual/45_run_wpasupplicant.yml
@@ -0,0 +1,10 @@
+name: Run wpasupplicant on node01
+testcases:
+ - name: run_wpasupplicant
+ steps:
+ - type: ssh
+ host: '{{.node01_mgmt_ip}}'
+ user: '{{.ssh_user}}'
+ command: |
+ cd /usr/local/pf/t/venom ; \
+ sudo /usr/local/pf/t/venom/venom-wrapper.sh {{.nodes_test_suite_dir}}/dot1x_eap_peap/{{.venom.testcase}}.yml
diff --git a/t/venom/test_suites/dot1x_eap_tls_pfpki/50_create_connection_profile.yml b/t/venom/test_suites/dot1x_eap_tls_pfpki_manual/50_create_connection_profile.yml
similarity index 100%
rename from t/venom/test_suites/dot1x_eap_tls_pfpki/50_create_connection_profile.yml
rename to t/venom/test_suites/dot1x_eap_tls_pfpki_manual/50_create_connection_profile.yml
diff --git a/t/venom/test_suites/dot1x_eap_tls_pfpki_manual/50_sleep_some_time.yml b/t/venom/test_suites/dot1x_eap_tls_pfpki_manual/50_sleep_some_time.yml
new file mode 100644
index 000000000000..d85895d1579d
--- /dev/null
+++ b/t/venom/test_suites/dot1x_eap_tls_pfpki_manual/50_sleep_some_time.yml
@@ -0,0 +1,6 @@
+name: Sleep some time
+testcases:
+- name: sleep_some_time
+ steps:
+ - type: exec
+ script: sleep 20
diff --git a/t/venom/test_suites/dot1x_eap_tls_pfpki_manual/55_check_radius_audit_log.yml b/t/venom/test_suites/dot1x_eap_tls_pfpki_manual/55_check_radius_audit_log.yml
new file mode 100644
index 000000000000..45dfbcd4bd14
--- /dev/null
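Review bot: The node-side test this step launches is `{{.nodes_test_suite_dir}}/dot1x_eap_peap/{{.venom.testcase}}.yml`, so in this EAP-TLS suite node01 runs the PEAP supplicant scenario rather than one that presents the user certificate and key produced in 00_create_pki.yml; the directory should be an EAP-TLS node suite. The file also shares the `45_` prefix with 45_create_eaptls_source.yml, and since Venom runs files in name order the supplicant starts before the connection profile (50_), the checkup (55_) and 802.1X enablement on the switch port (60_) exist, so any Accept it gets cannot be attributed to the EAP-TLS configuration under test. Renumber this step (and the following sleep) to run after 65_check_dot1x_int_status.yml. The same `dot1x_eap_peap` variable namespace reappears in 55_check_radius_audit_log.yml and 60_check_autoregister_node.yml, which suggests these three files were copied from the PEAP suite and not yet adapted.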
+++ b/t/venom/test_suites/dot1x_eap_tls_pfpki_manual/55_check_radius_audit_log.yml 
@@ -0,0 +1,103 @@ +name: Check RADIUS audit log +testcases: +- name: get_login_token + steps: + - type: get_login_token + +- name: get_time + steps: + - type: exec + script: "date '+%Y-%m-%d %H:%M:%S' --date='2 minutes ago'" + vars: + two_minutes_ago: + from: result.systemout + +# only latest search entry since two minutes that matches +# auth_status equals Accept (to avoid Disconnect) +# mac equals {{.node01_ens7_mac_address}}" +# connection type of test suite connection profile +- name: get_id_of_radius_audit_log_entry + steps: + - type: http + method: POST + url: '{{.pfserver_webadmin_url}}/api/v1/radius_audit_logs/search' + ignore_verify_ssl: true + body: >- + { + "cursor": 0, + "fields": [ + "id" + ], + "sort": [ + "created_at DESC" + ], + "limit": 1, + "query": { + "op": "and", + "values": [ + { + "op": "or", + "values": [ + { + "field": "mac", + "op": "equals", + "value": "{{.node01_ens7_mac_address}}" + } + ] + }, + { + "op": "or", + "values": [ + { + "field": "auth_status", + "op": "equals", + "value": "Accept" + } + ] + }, + { + "op": "or", + "values": [ + { + "field": "connection_type", + "op": "equals", + "value": "{{.dot1x_eap_peap.profiles.wired.filters.connection_type}}" + } + ] + }, + { + "op": "or", + "values": [ + { + "field": "created_at", + "op": "greater_than", + "value": "{{.get_time.two_minutes_ago}}" + } + ] + } + ] + } + } + headers: + "Authorization": "{{.get_login_token.json.result.token}}" + "Content-Type": "application/json" + assertions: + - result.statuscode ShouldEqual 200 + - result.bodyjson.items.items0 ShouldContainKey id + vars: + id: + from: result.bodyjson.items.items0.id + +- name: check_radius_reply + steps: + - type: http + method: GET + url: '{{.pfserver_webadmin_url}}/api/v1/radius_audit_log/{{.get_id_of_radius_audit_log_entry.id}}' + ignore_verify_ssl: true + headers: + "Authorization": "{{.get_login_token.json.result.token}}" + "Content-Type": "application/json" + assertions: + - result.statuscode ShouldEqual 200 + - 
result.bodyjson.item.radius_reply ShouldContainSubstring 'Tunnel-Private-Group-Id = "{{.dot1x_eap_peap.roles.ad_user.vlan_id}}"' + - result.bodyjson.item.profile ShouldEqual "{{.dot1x_eap_peap.profiles.wired.id}}" diff --git a/t/venom/test_suites/dot1x_eap_tls_pfpki/55_perform_checkup.yml b/t/venom/test_suites/dot1x_eap_tls_pfpki_manual/55_perform_checkup.yml similarity index 100% rename from t/venom/test_suites/dot1x_eap_tls_pfpki/55_perform_checkup.yml rename to t/venom/test_suites/dot1x_eap_tls_pfpki_manual/55_perform_checkup.yml diff --git a/t/venom/test_suites/dot1x_eap_tls_pfpki_manual/60_check_autoregister_node.yml b/t/venom/test_suites/dot1x_eap_tls_pfpki_manual/60_check_autoregister_node.yml new file mode 100644 index 000000000000..0d856fcae701 --- /dev/null +++ b/t/venom/test_suites/dot1x_eap_tls_pfpki_manual/60_check_autoregister_node.yml 
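Review bot: The final assertions pin the reply to `Tunnel-Private-Group-Id = "{{.dot1x_eap_peap.roles.ad_user.vlan_id}}"` and the profile to `{{.dot1x_eap_peap.profiles.wired.id}}`, but this is the EAP-TLS suite: the scep copy of 45_create_eaptls_source.yml in this same patch assigns `{{.dot1x_eap_tls_pfpki.roles.dot1x_eap_tls.id}}` and the connection profile is `{{.dot1x_eap_tls_pfpki.profiles.wired.id}}` (the manual suite's source file was renamed unchanged and presumably matches). As written the check can only pass if the node lands in the PEAP AD-user role, i.e. if EAP-TLS did not drive authorization. Change the two assertions to `- result.bodyjson.item.radius_reply ShouldContainSubstring 'Tunnel-Private-Group-Id = "{{.dot1x_eap_tls_pfpki.roles.dot1x_eap_tls.vlan_id}}"'` and `- result.bodyjson.item.profile ShouldEqual "{{.dot1x_eap_tls_pfpki.profiles.wired.id}}"`, and switch the `connection_type` value in the search body to the same namespace; a `vlan_id` key under that role is assumed to exist in the vars file — confirm.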
@@ -0,0 +1,46 @@
+name: Check autoregister node
+testcases:
+- name: get_login_token
+ steps:
+ - type: get_login_token
+
+- name: check_autoregister_node
+ steps:
+ - type: http
+ method: GET
+ url: '{{.pfserver_webadmin_url}}/api/v1/node/{{.node01_ens7_mac_address_url_encoded}}'
+ ignore_verify_ssl: true
+ headers:
+ "Authorization": "{{.get_login_token.json.result.token}}"
+ "Content-Type": "application/json"
+ assertions:
+ - result.statuscode ShouldEqual 200
+ - result.bodyjson.item.autoreg ShouldEqual yes
+ - result.bodyjson.item.category ShouldEqual "{{.dot1x_eap_peap.roles.ad_user.id}}"
+ - result.bodyjson.item.pid ShouldEqual "{{.ad_domain_user}}"
+ - result.bodyjson.item.status ShouldEqual reg
+ vars:
+ regdate:
+ from: result.bodyjson.item.regdate
+ unregdate:
+ from: result.bodyjson.item.unregdate
+
+# temp, need a feature in Venom assertion available in 1.0.0 (ShouldHappenBetween)
+# convert 5m to 5minutes
+# In order to calculate unregdate based on regdate + 5minutes using date command (next testcase)
+# - name: convert_access_duration
+# steps:
+# - type: exec
+# script: |
+# perl -I/usr/local/pf/lib -I/usr/local/pf/lib_perl/lib/perl5 -Mpf::config::util \
+# -e 'my @times = get_translatable_time("{{.dot1x_eap_peap.sources.ad_user.access_duration}}"); print("$times[2]$times[1]");'
+# vars:
+# translatable_time:
+# from: result.systemout
+
+# - name: check_unregdate_match_access_duration
+# steps:
+# - type: exec
+# script: "date '+%Y-%m-%d %H:%M:%S' --date='{{.check_autoregister_node.regdate}} {{.convert_access_duration.translatable_time}}'"
+# assertions:
+# - result.systemout ShouldEqual "{{.check_autoregister_node.unregdate}}"
diff --git a/t/venom/test_suites/dot1x_eap_tls_pfpki_manual/60_enable_dot1x_dot1x_int.yml b/t/venom/test_suites/dot1x_eap_tls_pfpki_manual/60_enable_dot1x_dot1x_int.yml
new file mode 120000
index 000000000000..c96f44af6cba
--- /dev/null
+++ b/t/venom/test_suites/dot1x_eap_tls_pfpki_manual/60_enable_dot1x_dot1x_int.yml
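Review bot: `result.bodyjson.item.category ShouldEqual "{{.dot1x_eap_peap.roles.ad_user.id}}"` and `result.bodyjson.item.pid ShouldEqual "{{.ad_domain_user}}"` assert a PEAP/Active Directory outcome inside an EAP-TLS suite; with the EAPTLS source from 45_create_eaptls_source.yml the role is whatever its `set_role` action assigns (`dot1x_eap_tls_pfpki.roles.dot1x_eap_tls.id` in the scep copy) and the pid presumably derives from the client certificate rather than an AD account — confirm against the source's behaviour and fix both expectations, otherwise a pass here proves the wrong thing. In the commented-out `convert_access_duration` block the `{{...access_duration}}` value is interpolated straight into a `perl -e '...'` one-liner; if it is revived, hand the value over as an environment variable rather than inside the quoted script so a quote or semicolon in the variable cannot alter the command. Since the ShouldHappenBetween check is deferred, a cheap interim assertion such as `- result.bodyjson.item.unregdate ShouldNotBeEmpty` would at least confirm `set_access_duration` took effect.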
@@ -0,0 +1 @@ +../../switches/common/enable_dot1x_dot1x_int.yml \ No newline at end of file diff --git a/t/venom/test_suites/dot1x_eap_tls_pfpki_manual/65_check_dot1x_int_status.yml b/t/venom/test_suites/dot1x_eap_tls_pfpki_manual/65_check_dot1x_int_status.yml new file mode 120000 index 000000000000..224ebd0ae2a3 --- /dev/null +++ b/t/venom/test_suites/dot1x_eap_tls_pfpki_manual/65_check_dot1x_int_status.yml @@ -0,0 +1 @@ +../../switches/common/check_dot1x_int_status.yml \ No newline at end of file diff --git a/t/venom/test_suites/dot1x_eap_tls_pfpki_manual/70_check_internet_access.yml b/t/venom/test_suites/dot1x_eap_tls_pfpki_manual/70_check_internet_access.yml new file mode 120000 index 000000000000..f77d3de5caae --- /dev/null +++ b/t/venom/test_suites/dot1x_eap_tls_pfpki_manual/70_check_internet_access.yml @@ -0,0 +1 @@ +../common/check_internet_access.yml \ No newline at end of file diff --git a/t/venom/test_suites/dot1x_eap_tls_pfpki/TESTSUITE.md b/t/venom/test_suites/dot1x_eap_tls_pfpki_manual/TESTSUITE.md similarity index 100% rename from t/venom/test_suites/dot1x_eap_tls_pfpki/TESTSUITE.md rename to t/venom/test_suites/dot1x_eap_tls_pfpki_manual/TESTSUITE.md diff --git a/t/venom/test_suites/dot1x_eap_tls_pfpki/teardown/90_teardown.yml b/t/venom/test_suites/dot1x_eap_tls_pfpki_manual/teardown/90_teardown.yml similarity index 100% rename from t/venom/test_suites/dot1x_eap_tls_pfpki/teardown/90_teardown.yml rename to t/venom/test_suites/dot1x_eap_tls_pfpki_manual/teardown/90_teardown.yml diff --git a/t/venom/test_suites/dot1x_eap_tls_pfpki/teardown/95_restart_radius_services b/t/venom/test_suites/dot1x_eap_tls_pfpki_manual/teardown/95_restart_radius_services similarity index 100% rename from t/venom/test_suites/dot1x_eap_tls_pfpki/teardown/95_restart_radius_services rename to t/venom/test_suites/dot1x_eap_tls_pfpki_manual/teardown/95_restart_radius_services 
diff --git a/t/venom/test_suites/dot1x_eap_tls_pfpki_scep/00_create_pki.yml b/t/venom/test_suites/dot1x_eap_tls_pfpki_scep/00_create_pki.yml new file mode 100644 index 000000000000..1b3dd17ac6a1 --- /dev/null +++ b/t/venom/test_suites/dot1x_eap_tls_pfpki_scep/00_create_pki.yml 
@@ -0,0 +1,347 @@ +name: Create PKI +testcases: +- name: get_login_token + steps: + - type: get_login_token + +- name: create_root_ca + steps: + - type: http + method: POST + url: '{{.pfserver_webadmin_url}}/api/v1/pki/cas' + ignore_verify_ssl: true + body: >- + { + "cn": "{{.dot1x_eap_tls_pfpki.certs.ca.cn}}", + "mail": "{{.dot1x_eap_tls_pfpki.certs.ca.mail}}", + "organisational_unit": "{{.dot1x_eap_tls_pfpki.certs.organisational_unit}}", + "organisation": "{{.dot1x_eap_tls_pfpki.certs.organisation}}", + "country": "{{.dot1x_eap_tls_pfpki.certs.country}}", + "state": "{{.dot1x_eap_tls_pfpki.certs.state}}", + "locality": "{{.dot1x_eap_tls_pfpki.certs.locality}}", + "key_type": "{{.dot1x_eap_tls_pfpki.certs.key_type}}", + "digest": "{{.dot1x_eap_tls_pfpki.certs.digest}}", + "key_usage": "", + "extended_key_usage": "", + "days": "{{.dot1x_eap_tls_pfpki.certs.validity}}", + "key_size": "{{.dot1x_eap_tls_pfpki.certs.key_size}}", + "ocsp_url": "{{.dot1x_eap_tls_pfpki.certs.ocsp_url}}" + } + headers: + "Authorization": "{{.get_login_token.json.result.token}}" + "Content-Type": "application/json" + assertions: + - result.statuscode ShouldEqual 200 + vars: + ca_id: + from: result.bodyjson.items.items0.id + +### RADIUS certificate part +- name: create_pf_radius_cert_template + steps: + - type: http + method: POST + url: '{{.pfserver_webadmin_url}}/api/v1/pki/profiles' + ignore_verify_ssl: true + body: >- + { + "ca_id": "{{.create_root_ca.ca_id}}", + "name": "{{.dot1x_eap_tls_pfpki.templates.radius.name}}", + "validity": "{{.dot1x_eap_tls_pfpki.certs.validity}}", + "key_type": "{{.dot1x_eap_tls_pfpki.certs.key_type}}", + "digest": "{{.dot1x_eap_tls_pfpki.certs.digest}}", + "key_usage": "", + "extended_key_usage": "1", + "key_size": "{{.dot1x_eap_tls_pfpki.certs.key_size}}", + "organisational_unit": "{{.dot1x_eap_tls_pfpki.certs.organisational_unit}}", + "organisation": "{{.dot1x_eap_tls_pfpki.certs.organisation}}", + "country": "{{.dot1x_eap_tls_pfpki.certs.country}}", + 
"state": "{{.dot1x_eap_tls_pfpki.certs.state}}", + "locality": "{{.dot1x_eap_tls_pfpki.certs.locality}}", + "ocsp_url": "{{.dot1x_eap_tls_pfpki.certs.ocsp_url}}" + } + headers: + "Authorization": "{{.get_login_token.json.result.token}}" + "Content-Type": "application/json" + assertions: + - result.statuscode ShouldEqual 200 + vars: + profile_id: + from: result.bodyjson.items.items0.id + +- name: create_pf_radius_cert + steps: + - type: http + method: POST + url: '{{.pfserver_webadmin_url}}/api/v1/pki/certs' + ignore_verify_ssl: true + body: >- + { + "profile_id": "{{.create_pf_radius_cert_template.profile_id}}", + "cn": "{{.dot1x_eap_tls_pfpki.certs.radius.cn}}", + "mail": "{{.dot1x_eap_tls_pfpki.certs.radius.mail}}", + "dns_names": "{{.dot1x_eap_tls_pfpki.certs.radius.dns_names}}", + "ip_addresses": "{{.dot1x_eap_tls_pfpki.certs.radius.ip_addresses}}" + } + headers: + "Authorization": "{{.get_login_token.json.result.token}}" + "Content-Type": "application/json" + assertions: + - result.statuscode ShouldEqual 200 + vars: + serial_number: + from: result.bodyjson.items.items0.id + +- name: create_temp_directory + steps: + - type: exec + script: "mktemp -d" + vars: + temp_dir: + from: result.systemout + +- name: download_radius_p12_file + steps: + - type: exec + script: | + curl -k --output {{.create_temp_directory.temp_dir}}/{{.dot1x_eap_tls_pfpki.certs.radius.cn}}.p12 \ + http://127.0.0.1:22225/api/v1/pki/cert/{{.create_pf_radius_cert.serial_number}}/download/secret + +- name: extract_ca_certificate + steps: + - type: exec + script: | + openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.dot1x_eap_tls_pfpki.certs.radius.cn}}.p12 -cacerts -nokeys \ + -out {{.create_temp_directory.temp_dir}}/{{.dot1x_eap_tls_pfpki.certs.ca.cn}}.crt -passin pass:secret + +- name: extract_radius_certificate + steps: + - type: exec + script: | + openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.dot1x_eap_tls_pfpki.certs.radius.cn}}.p12 -clcerts -nokeys \ + -out 
{{.create_temp_directory.temp_dir}}/{{.dot1x_eap_tls_pfpki.certs.radius.cn}}.crt -passin pass:secret + +- name: extract_radius_key + steps: + - type: exec + script: | + openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.dot1x_eap_tls_pfpki.certs.radius.cn}}.p12 -nocerts -nodes \ + -out {{.create_temp_directory.temp_dir}}/{{.dot1x_eap_tls_pfpki.certs.radius.cn}}.key -passin pass:secret + +- name: install_ca_cert + steps: + - type: exec + script: "cp {{.create_temp_directory.temp_dir}}/{{.dot1x_eap_tls_pfpki.certs.ca.cn}}.crt /usr/local/pf/raddb/certs/ca.pem" + +- name: install_radius_cert + steps: + - type: exec + script: "cp {{.create_temp_directory.temp_dir}}/{{.dot1x_eap_tls_pfpki.certs.radius.cn}}.crt /usr/local/pf/raddb/certs/server.crt" + +- name: install_radius_key + steps: + - type: exec + script: "cp {{.create_temp_directory.temp_dir}}/{{.dot1x_eap_tls_pfpki.certs.radius.cn}}.key /usr/local/pf/raddb/certs/server.key" + +### HTTP certificate part +- name: create_pf_http_cert_template + steps: + - type: http + method: POST + url: '{{.pfserver_webadmin_url}}/api/v1/pki/profiles' + ignore_verify_ssl: true + body: >- + { + "ca_id": "{{.create_root_ca.ca_id}}", + "name": "{{.dot1x_eap_tls_pfpki.templates.http.name}}", + "validity": "{{.dot1x_eap_tls_pfpki.certs.validity}}", + "key_type": "{{.dot1x_eap_tls_pfpki.certs.key_type}}", + "digest": "{{.dot1x_eap_tls_pfpki.certs.digest}}", + "key_usage": "", + "extended_key_usage": "1", + "key_size": "{{.dot1x_eap_tls_pfpki.certs.key_size}}", + "organisational_unit": "{{.dot1x_eap_tls_pfpki.certs.organisational_unit}}", + "organisation": "{{.dot1x_eap_tls_pfpki.certs.organisation}}", + "country": "{{.dot1x_eap_tls_pfpki.certs.country}}", + "state": "{{.dot1x_eap_tls_pfpki.certs.state}}", + "locality": "{{.dot1x_eap_tls_pfpki.certs.locality}}", + "ocsp_url": "{{.dot1x_eap_tls_pfpki.certs.ocsp_url}}" + } + headers: + "Authorization": "{{.get_login_token.json.result.token}}" + "Content-Type": "application/json" + 
assertions: + - result.statuscode ShouldEqual 200 + vars: + profile_id: + from: result.bodyjson.items.items0.id + +- name: create_pf_http_cert + steps: + - type: http + method: POST + url: '{{.pfserver_webadmin_url}}/api/v1/pki/certs' + ignore_verify_ssl: true + body: >- + { + "profile_id": "{{.create_pf_http_cert_template.profile_id}}", + "cn": "{{.dot1x_eap_tls_pfpki.certs.http.cn}}", + "mail": "{{.dot1x_eap_tls_pfpki.certs.http.mail}}", + "dns_names": "{{.dot1x_eap_tls_pfpki.certs.http.dns_names}}", + "ip_addresses": "{{.dot1x_eap_tls_pfpki.certs.http.ip_addresses}}" + } + headers: + "Authorization": "{{.get_login_token.json.result.token}}" + "Content-Type": "application/json" + assertions: + - result.statuscode ShouldEqual 200 + vars: + serial_number: + from: result.bodyjson.items.items0.id + +- name: create_temp_directory + steps: + - type: exec + script: "mktemp -d" + vars: + temp_dir: + from: result.systemout + +- name: download_http_p12_file + steps: + - type: exec + script: | + curl -k --output {{.create_temp_directory.temp_dir}}/{{.dot1x_eap_tls_pfpki.certs.http.cn}}.p12 \ + http://127.0.0.1:22225/api/v1/pki/cert/{{.create_pf_http_cert.serial_number}}/download/secret + +- name: extract_ca_certificate + steps: + - type: exec + script: | + openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.dot1x_eap_tls_pfpki.certs.http.cn}}.p12 -cacerts -nokeys \ + -out {{.create_temp_directory.temp_dir}}/{{.dot1x_eap_tls_pfpki.certs.ca.cn}}.crt -passin pass:secret + +- name: extract_http_certificate + steps: + - type: exec + script: | + openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.dot1x_eap_tls_pfpki.certs.http.cn}}.p12 -clcerts -nokeys \ + -out {{.create_temp_directory.temp_dir}}/{{.dot1x_eap_tls_pfpki.certs.http.cn}}.crt -passin pass:secret + +- name: extract_http_key + steps: + - type: exec + script: | + openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.dot1x_eap_tls_pfpki.certs.http.cn}}.p12 -nocerts -nodes \ + -out 
{{.create_temp_directory.temp_dir}}/{{.dot1x_eap_tls_pfpki.certs.http.cn}}.key -passin pass:secret + +- name: install_http_cert_portal + steps: + - type: exec + script: | + cat {{.create_temp_directory.temp_dir}}/{{.dot1x_eap_tls_pfpki.certs.http.cn}}.crt \ + {{.create_temp_directory.temp_dir}}/{{.dot1x_eap_tls_pfpki.certs.http.cn}}.key > /usr/local/pf/conf/ssl/server.pem + +- name: install_http_cert_webadmin + steps: + - type: exec + script: "cat {{.create_temp_directory.temp_dir}}/{{.dot1x_eap_tls_pfpki.certs.http.cn}}.crt > /usr/local/pf/conf/ssl/server.crt" + +- name: install_http_key_webadmin + steps: + - type: exec + script: "cat {{.create_temp_directory.temp_dir}}/{{.dot1x_eap_tls_pfpki.certs.http.cn}}.key > /usr/local/pf/conf/ssl/server.key" + + +### User certificate part +- name: create_user_cert_template + steps: + - type: http + method: POST + url: '{{.pfserver_webadmin_url}}/api/v1/pki/profiles' + ignore_verify_ssl: true + body: >- + { + "ca_id": "{{.create_root_ca.ca_id}}", + "name": "{{.dot1x_eap_tls_pfpki.templates.user.name}}", + "validity": "{{.dot1x_eap_tls_pfpki.certs.validity}}", + "key_type": "{{.dot1x_eap_tls_pfpki.certs.key_type}}", + "digest": "{{.dot1x_eap_tls_pfpki.certs.digest}}", + "key_usage": "", + "extended_key_usage": "2", + "key_size": "{{.dot1x_eap_tls_pfpki.certs.key_size}}", + "organisational_unit": "{{.dot1x_eap_tls_pfpki.certs.organisational_unit}}", + "organisation": "{{.dot1x_eap_tls_pfpki.certs.organisation}}", + "country": "{{.dot1x_eap_tls_pfpki.certs.country}}", + "state": "{{.dot1x_eap_tls_pfpki.certs.state}}", + "locality": "{{.dot1x_eap_tls_pfpki.certs.locality}}", + "ocsp_url": "{{.dot1x_eap_tls_pfpki.certs.ocsp_url}}", + "scep_enabled": "{{.dot1x_eap_tls_pfpki.certs.user.scep_enabled}}", + "scep_challenge_password": "{{.dot1x_eap_tls_pfpki.certs.user.scep_challenge_password}}", + "scep_days_before_renewal": "{{.dot1x_eap_tls_pfpki.certs.user.scep_days_before_renewal}}" + } + headers: + "Authorization": 
"{{.get_login_token.json.result.token}}" + "Content-Type": "application/json" + assertions: + - result.statuscode ShouldEqual 200 + vars: + profile_id: + from: result.bodyjson.items.items0.id + +- name: create_user_cert + steps: + - type: http + method: POST + url: '{{.pfserver_webadmin_url}}/api/v1/pki/certs' + ignore_verify_ssl: true + body: >- + { + "profile_id": "{{.create_user_cert_template.profile_id}}", + "cn": "{{.dot1x_eap_tls_pfpki.certs.user.cn}}", + "mail": "{{.dot1x_eap_tls_pfpki.certs.user.mail}}" + } + headers: + "Authorization": "{{.get_login_token.json.result.token}}" + "Content-Type": "application/json" + assertions: + - result.statuscode ShouldEqual 200 + vars: + serial_number: + from: result.bodyjson.items.items0.id + +- name: create_temp_directory + steps: + - type: exec + script: "mktemp -d" + vars: + temp_dir: + from: result.systemout + +- name: download_user_p12_file + steps: + - type: exec + script: | + curl -k --output {{.create_temp_directory.temp_dir}}/{{.dot1x_eap_tls_pfpki.certs.user.cn}}.p12 \ + http://127.0.0.1:22225/api/v1/pki/cert/{{.create_user_cert.serial_number}}/download/secret + +- name: extract_ca_certificate + steps: + - type: exec + script: | + openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.dot1x_eap_tls_pfpki.certs.user.cn}}.p12 -cacerts -nokeys \ + -out {{.create_temp_directory.temp_dir}}/{{.dot1x_eap_tls_pfpki.certs.ca.cn}}.crt -passin pass:secret + +- name: extract_user_certificate + steps: + - type: exec + script: | + openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.dot1x_eap_tls_pfpki.certs.user.cn}}.p12 -clcerts -nokeys \ + -out {{.create_temp_directory.temp_dir}}/{{.dot1x_eap_tls_pfpki.certs.user.cn}}.crt -passin pass:secret + +- name: extract_user_key + steps: + - type: exec + script: | + openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.dot1x_eap_tls_pfpki.certs.user.cn}}.p12 -nocerts -nodes \ + -out {{.create_temp_directory.temp_dir}}/{{.dot1x_eap_tls_pfpki.certs.user.cn}}.key -passin 
pass:secret
diff --git a/t/venom/test_suites/dot1x_eap_tls_pfpki_scep/10_enable_ocsp.yml b/t/venom/test_suites/dot1x_eap_tls_pfpki_scep/10_enable_ocsp.yml
new file mode 100644
index 000000000000..4f8d47b9045d
--- /dev/null
+++ b/t/venom/test_suites/dot1x_eap_tls_pfpki_scep/10_enable_ocsp.yml
@@ -0,0 +1,44 @@
+name: Enable OCSP
+testcases:
+- name: get_login_token
+ steps:
+ - type: get_login_token
+
+- name: create_ocsp_profile
+ steps:
+ - type: http
+ method: POST
+ url: '{{.pfserver_webadmin_url}}/api/v1/config/radiusd/ocsp_profiles'
+ ignore_verify_ssl: true
+ body: >-
+ {
+ "id": "{{.dot1x_eap_tls_pfpki.ocsp.id}}",
+ "ocsp_enable": "{{.dot1x_eap_tls_pfpki.ocsp.enable}}",
+ "ocsp_url": "{{.dot1x_eap_tls_pfpki.ocsp.url}}",
+ "ocsp_override_cert_url": "{{.dot1x_eap_tls_pfpki.ocsp.override_cert_url}}",
+ "ocsp_softfail": "{{.dot1x_eap_tls_pfpki.ocsp.softfail}}",
+ "ocsp_timeout": "{{.dot1x_eap_tls_pfpki.ocsp.timeout}}",
+ "ocsp_use_nonce": "{{.dot1x_eap_tls_pfpki.ocsp.use_nonce}}"
+ }
+ headers:
+ "Authorization": "{{.get_login_token.json.result.token}}"
+ "Content-Type": "application/json"
+ assertions:
+ - result.statuscode ShouldEqual 201
+
+- name: update_tls_common_profile
+ steps:
+ - type: http
+ method: PATCH
+ url: '{{.pfserver_webadmin_url}}/api/v1/config/radiusd/tls_profile/tls-common'
+ ignore_verify_ssl: true
+ body: >-
+ {
+ "id": "tls-common",
+ "ocsp": "{{.dot1x_eap_tls_pfpki.ocsp.id}}"
+ }
+ headers:
+ "Authorization": "{{.get_login_token.json.result.token}}"
+ "Content-Type": "application/json"
+ assertions:
+ - result.statuscode ShouldEqual 200
diff --git a/t/venom/test_suites/dot1x_eap_tls_pfpki_scep/36_restart_radius_services.yml b/t/venom/test_suites/dot1x_eap_tls_pfpki_scep/36_restart_radius_services.yml
new file mode 120000
index 000000000000..196d8544cdd7
--- /dev/null
+++ b/t/venom/test_suites/dot1x_eap_tls_pfpki_scep/36_restart_radius_services.yml
@@ -0,0 +1 @@
+../common/restart_radius_services.yml
\ No newline at end of file
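Review bot: The `extract_radius_key`, `extract_http_key` and `extract_user_key` steps write unencrypted private keys (`-nodes`) into `mktemp -d` directories that nothing in this file removes, and the RADIUS and web server keys are then installed with bare `cp` / `cat >` and no `chmod`/`chown`, so the final mode of `/usr/local/pf/raddb/certs/server.key` and `/usr/local/pf/conf/ssl/server.key` depends on whether the destination pre-existed and on the runner's umask. Add a closing cleanup step that removes the temp directories — `create_temp_directory` is declared three times, so each later `{{.create_temp_directory.temp_dir}}` shadows the previous one and the earlier directories are orphaned with keys in them — and an explicit `chmod 0600` on every installed key. The PKCS12 password is the literal `secret`, both in the `.../download/secret` URL path and in `-passin pass:secret` (visible in the process list), and the bundle is pulled with `curl -k` over plain HTTP to 127.0.0.1:22225; that is defensible only because it is a local throwaway test PKI, and a comment saying so would stop the pattern being copied elsewhere. Although the suite is named `_scep`, the user certificate is still issued through the admin `/api/v1/pki/certs` endpoint and only the template carries `scep_enabled`/`scep_challenge_password`; presumably the node-side SCEP enrollment arrives later in this 14-patch series — if not, the SCEP path is never exercised.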
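Review bot: Nothing in this hunk pins `ocsp_softfail` — it comes straight from `{{.dot1x_eap_tls_pfpki.ocsp.softfail}}`, and if the vars file enables it an unreachable or misconfigured responder is tolerated and a revoked user certificate would still authenticate, so the suite can go green without revocation ever being enforced. After the POST, read the profile back and assert the values that matter, e.g. a GET on `/api/v1/config/radiusd/ocsp_profile/{{.dot1x_eap_tls_pfpki.ocsp.id}}` (path inferred from the `tls_profile/tls-common` pattern used below — confirm) with `- result.bodyjson.item.ocsp_softfail ShouldEqual disabled` and `- result.bodyjson.item.ocsp_enable ShouldEqual enabled`. The `update_tls_common_profile` PATCH only checks the status code; the real proof that OCSP is wired into `tls-common` is a negative test that revokes the user certificate in pfpki and expects an Access-Reject, which this suite does not yet contain.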
diff --git a/t/venom/test_suites/dot1x_eap_tls_pfpki_scep/41_restart_haproxy-admin_service.yml b/t/venom/test_suites/dot1x_eap_tls_pfpki_scep/41_restart_haproxy-admin_service.yml
new file mode 120000
index 000000000000..35c102501be8
--- /dev/null
+++ b/t/venom/test_suites/dot1x_eap_tls_pfpki_scep/41_restart_haproxy-admin_service.yml
@@ -0,0 +1 @@
+../common/restart_haproxy_admin.yml
\ No newline at end of file
diff --git a/t/venom/test_suites/dot1x_eap_tls_pfpki_scep/42_restart_haproxy-portal_service.yml b/t/venom/test_suites/dot1x_eap_tls_pfpki_scep/42_restart_haproxy-portal_service.yml
new file mode 120000
index 000000000000..a82e709633d8
--- /dev/null
+++ b/t/venom/test_suites/dot1x_eap_tls_pfpki_scep/42_restart_haproxy-portal_service.yml
@@ -0,0 +1 @@
+../common/restart_haproxy_portal.yml
\ No newline at end of file
diff --git a/t/venom/test_suites/dot1x_eap_tls_pfpki_scep/45_create_eaptls_source.yml b/t/venom/test_suites/dot1x_eap_tls_pfpki_scep/45_create_eaptls_source.yml
new file mode 100644
index 000000000000..03dcc348dcdf
--- /dev/null
+++ b/t/venom/test_suites/dot1x_eap_tls_pfpki_scep/45_create_eaptls_source.yml
@@ -0,0 +1,50 @@
+name: Create EAP-TLS source
+testcases:
+- name: get_login_token
+ steps:
+ - type: get_login_token
+
+- name: create_eaptls_source
+ steps:
+ - type: http
+ method: POST
+ url: '{{.pfserver_webadmin_url}}/api/v1/config/sources'
+ ignore_verify_ssl: true
+ body: >-
+ {
+ "administration_rules": null,
+ "authentication_rules": [
+ {
+ "id": "check_issuer",
+ "description": null,
+ "match": "all",
+ "actions": [
+ {
+ "type": "set_role",
+ "value": "{{.dot1x_eap_tls_pfpki.roles.dot1x_eap_tls.id}}"
+ },
+ {
+ "type": "set_access_duration",
+ "value": "{{.dot1x_eap_tls_pfpki.sources.eaptls.access_duration}}"
+ }
+ ],
+ "conditions": [
+ {
+ "attribute": "radius_request.TLS-Client-Cert-Issuer",
+ "operator": "equals",
+ "value": "{{.dot1x_eap_tls_pfpki.certs.ca.issuer}}"
+ }
+ ]
+ }
+ ],
+ "description": "{{.dot1x_eap_tls_pfpki.sources.eaptls.description}}",
+ "id": "{{.dot1x_eap_tls_pfpki.sources.eaptls.name}}",
+ "realms": "",
+ "set_access_durations_action": null,
+ "type": "EAPTLS"
+ }
+ headers:
+ "Authorization": "{{.get_login_token.json.result.token}}"
+ "Content-Type": "application/json"
+ assertions:
+ - result.statuscode ShouldEqual 201
diff --git a/t/venom/test_suites/dot1x_eap_tls_pfpki_scep/50_create_connection_profile.yml b/t/venom/test_suites/dot1x_eap_tls_pfpki_scep/50_create_connection_profile.yml
new file mode 100644
index 000000000000..3578221c3834
--- /dev/null
+++ b/t/venom/test_suites/dot1x_eap_tls_pfpki_scep/50_create_connection_profile.yml
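Review bot: The `check_issuer` rule's only condition is `radius_request.TLS-Client-Cert-Issuer equals {{.dot1x_eap_tls_pfpki.certs.ca.issuer}}`, so every certificate the test root CA ever issued — including the RADIUS and HTTP server certificates that 00_create_pki.yml mints from the same CA with a different template — satisfies it and is granted the `dot1x_eap_tls` role with an access duration. Chain validation against the installed ca.pem presumably already rejects certificates from other CAs, so issuer alone adds almost nothing; add a second condition under the same `"match": "all"` on a subject-side attribute that only the user template produces (its CN or a template-specific OU), so that a server or otherwise non-user certificate from this CA is not authorized as a user. If issuer-only is a deliberate simplification for the test, say so in a comment next to `"id": "check_issuer"`, because this file is the kind of thing that gets copied into production configs.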
@@ -0,0 +1,67 @@ +name: Create connection profile +testcases: +- name: get_login_token + steps: + - type: get_login_token + +- name: create_dot1x_eap_tls_connection_profile + steps: + - type: http + method: POST + url: '{{.pfserver_webadmin_url}}/api/v1/config/connection_profiles' + ignore_verify_ssl: true + body: >- + { + "access_registration_when_registered": null, + "advanced_filter": null, + "always_use_redirecturl": null, + "autoregister": "enabled", + "billing_tiers": null, + "block_interval": { + "interval": "10", + "unit": "m" + }, + "default_psk_key": null, + "description": "{{.dot1x_eap_tls_pfpki.profiles.wired.description}}", + "dot1x_recompute_role_from_portal": "enabled", + "dot1x_unset_on_unmatch": "disabled", + "dpsk": "disabled", + "filter": [ + { + "type": "connection_type", + "match": "{{.dot1x_eap_tls_pfpki.profiles.wired.filters.connection_type}}" + }, + { + "type": "connection_sub_type", + "match": "{{.dot1x_eap_tls_pfpki.profiles.wired.filters.connection_sub_type}}" + } + ], + "filter_match_style": "any", + "id": "{{.dot1x_eap_tls_pfpki.profiles.wired.id}}", + "locale": null, + "login_attempt_limit": 0, + "logo": null, + "mac_auth_recompute_role_from_portal": "disabled", + "network_logoff": null, + "network_logoff_popup": null, + "preregistration": null, + "provisioners": null, + "redirecturl": null, + "reuse_dot1x_credentials": null, + "root_module": "default_policy", + "scans": null, + "self_service": null, + "sms_pin_retry_limit": 0, + "sms_request_limit": 0, + "sources": [ + "{{.dot1x_eap_tls_pfpki.sources.eaptls.name}}" + ], + "status": "enabled", + "unreg_on_acct_stop": "{{.dot1x_eap_tls_pfpki.profiles.wired.unreg_on_acct_stop}}", + "vlan_pool_technique": "username_hash" + } + headers: + "Authorization": "{{.get_login_token.json.result.token}}" + "Content-Type": "application/json" + assertions: + - result.statuscode ShouldEqual 201 
diff --git a/t/venom/test_suites/dot1x_eap_tls_pfpki_scep/55_perform_checkup.yml b/t/venom/test_suites/dot1x_eap_tls_pfpki_scep/55_perform_checkup.yml new file mode 120000 index 000000000000..82ff1ac6e6c7 --- /dev/null +++ b/t/venom/test_suites/dot1x_eap_tls_pfpki_scep/55_perform_checkup.yml @@ -0,0 +1 @@ +../common/perform_checkup.yml \ No newline at end of file diff --git a/t/venom/test_suites/dot1x_eap_tls_pfpki_scep/TESTSUITE.md b/t/venom/test_suites/dot1x_eap_tls_pfpki_scep/TESTSUITE.md new file mode 100644 index 000000000000..8e3c253f1763 --- /dev/null +++ b/t/venom/test_suites/dot1x_eap_tls_pfpki_scep/TESTSUITE.md 
@@ -0,0 +1,61 @@ +# dot1x_eap_tls_pfpki + +## Requirements +N/A + +### Global config steps +1. Create dot1x_eap_tls role + +## Scenario steps +1. Create Root CA +1. Create RADIUS server certificate template +1. Create Web server certificate template +1. Create user certificate template +1. Generate RADIUS server certificate to be used by RADIUS services +1. Generate Web server certificate to be used by web admin and captive portal +1. Generate user certificate to be used by node01 with EAP-TLS +1. Install Root CA + RADIUS server certificates (public certificate and + private key) on PacketFence +1. Configure OCSP to check certificate revocation against pfpki +1. Restart radiusd services +1. Install Root CA + Web server certificates (public certificate and private key) on PacketFence +1. Restart web services (only haproxy-portal and haproxy-admin) +1. Create EAPTLS source with conditions on user certificate that assign + dot1x_eap_tls +1. Create connection profile with auto-registration, unreg_on_accounting_stop, + EAPTLS source and specific filter +1. Perform Checkup (common test suite) + +TODO: +1. Configure 802.1X only and dynamic VLAN on dot1x interface on + switch01 +1. Install Root CA on node01 +1. Install user certificates (public certificate and private key) on node01 + with following paths: + - ca_cert: /etc/wpa_supplicant/eap_tls/ca.pem + - client_cert: /etc/wpa_supplicant/eap_tls/client.pem + - private_key: /etc/wpa_supplicant/eap_tls/client.key +1. Start wpa_supplicant *on* node01 with eap_tls configuration +1. Check RADIUS audit log for node01 (common) +1. Check node status for node01 (common) +1. Check VLAN assigned to node01 *on* switch01 (common) +1. Check Internet access *on* node01 (common) +1. Revoke certificate +1. Kill wpasupplicant (common test suite) +1. Rerun wpasupplicant to have a reject authentication due to revoke certificate +1. Check RADIUS audit log for node01 (common) = reject +1. Check node status for node01 (common) = registered +1. 
Check VLAN assigned to node01 *on* switch01 (common) = NOT AUTHORIZED +1. Check Internet access *on* node01 (common) = down + +## Teardown steps +TBD but identical to dot1x_eap_peap scenario (based on unreg_on_accounting_stop) + +Revoke certificates to avoid issues when you try to create a certificate that +already exists + +Name of CA, templates and certificates should be uniq. Not possible to revoke +or remove CA or template. + +Currently, we replace built-in certificates by PKI certificates. The teardown +doesn't put back built-in certificates. diff --git a/t/venom/test_suites/dot1x_eap_tls_pfpki_scep/teardown/90_teardown.yml b/t/venom/test_suites/dot1x_eap_tls_pfpki_scep/teardown/90_teardown.yml new file mode 100644 index 000000000000..cdbdbf00327d --- /dev/null +++ b/t/venom/test_suites/dot1x_eap_tls_pfpki_scep/teardown/90_teardown.yml 
@@ -0,0 +1,59 @@ +name: Teardown +testcases: +- name: get_login_token + steps: + - type: get_login_token + +- name: delete_connection_profile + steps: + - type: http + method: DELETE + url: '{{.pfserver_webadmin_url}}/api/v1/config/connection_profile/{{.dot1x_eap_tls_pfpki.profiles.wired.id}}' + ignore_verify_ssl: true + headers: + "Authorization": "{{.get_login_token.json.result.token}}" + "Content-Type": "application/json" + assertions: + - result.statuscode ShouldEqual 200 + +- name: delete_source + steps: + - type: http + method: DELETE + url: '{{.pfserver_webadmin_url}}/api/v1/config/source/{{.dot1x_eap_tls_pfpki.sources.eaptls.name}}' + ignore_verify_ssl: true + headers: + "Authorization": "{{.get_login_token.json.result.token}}" + "Content-Type": "application/json" + assertions: + - result.statuscode ShouldEqual 200 + + +- name: disable_ocsp + steps: + - type: http + method: PATCH + url: '{{.pfserver_webadmin_url}}/api/v1/config/radiusd/tls_profile/tls-common' + ignore_verify_ssl: true + body: >- + { + "id": "tls-common", + "ocsp": "default" + } + headers: + "Authorization": "{{.get_login_token.json.result.token}}" + "Content-Type": "application/json" + assertions: + - result.statuscode ShouldEqual 200 + +- name: delete_ocsp_profile + steps: + - type: http + method: DELETE + url: '{{.pfserver_webadmin_url}}/api/v1/config/radiusd/ocsp_profile/{{.dot1x_eap_tls_pfpki.ocsp.id}}' + ignore_verify_ssl: true + headers: + "Authorization": "{{.get_login_token.json.result.token}}" + "Content-Type": "application/json" + assertions: + - result.statuscode ShouldEqual 200 diff --git a/t/venom/test_suites/dot1x_eap_tls_pfpki_scep/teardown/95_restart_radius_services b/t/venom/test_suites/dot1x_eap_tls_pfpki_scep/teardown/95_restart_radius_services new file mode 120000 index 000000000000..0aff22c94f90 --- /dev/null +++ b/t/venom/test_suites/dot1x_eap_tls_pfpki_scep/teardown/95_restart_radius_services 
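Review bot: The teardown deletes the profile, source and OCSP configuration but never revokes the user certificate created by 00_create_pki.yml, and TESTSUITE.md on this same page states that certificate names must be unique and that revocation is needed to allow re-creation, so a second run of the suite against the same PacketFence will presumably fail at certificate creation rather than here. Add a testcase before `disable_ocsp` that revokes `{{.create_user_cert.serial_number}}` through the pfpki API the suite already uses, and say in a top-of-file comment that the Root CA, templates and built-in RADIUS/web certificates are intentionally not restored. The delete order (profile before the source it references) is correct and worth a one-line comment: `# delete the connection profile first: it references the EAPTLS source`.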
@@ -0,0 +1 @@ +../../common/restart_radius_services.yml \ No newline at end of file From 996a7745bb1a8fa280581db1be60c44157576da6 Mon Sep 17 00:00:00 2001 
From: nqb Date: Wed, 20 Oct 2021 22:16:49 +0200 Subject: [PATCH 02/14] manual: copy and extract client cert in specific directory --- .../dot1x_eap_tls/playbooks/run_tests.yml | 8 +++---- .../00_create_pki.yml | 21 ++++++++----------- .../10_enable_ocsp.yml | 0 .../36_restart_radius_services.yml | 0 .../41_restart_haproxy-admin_service.yml | 0 .../42_restart_haproxy-portal_service.yml | 0 .../45_create_eaptls_source.yml | 0 .../50_create_connection_profile.yml | 0 .../55_perform_checkup.yml | 0 .../60_enable_dot1x_dot1x_int.yml | 0 .../65_enable_dynamic_vlan.yml} | 0 .../70_commit_config.yml} | 0 .../75_deploy_certificates_on_node01.yml | 16 ++++++++++++++ .../80_run_wpasupplicant.yml} | 0 .../90_sleep_some_time.yml} | 0 .../91_check_radius_audit_log.yml} | 0 .../95_check_autoregister_node.yml} | 0 .../98_check_dot1x_int_status.yml} | 0 .../99_check_internet_access.yml} | 0 .../TESTSUITE.md | 4 ++-- .../teardown/90_teardown.yml | 0 .../teardown/95_restart_radius_services | 0 .../00_create_pki.yml | 0 .../10_enable_ocsp.yml | 0 .../36_restart_radius_services.yml | 0 .../41_restart_haproxy-admin_service.yml | 0 .../42_restart_haproxy-portal_service.yml | 0 .../45_create_eaptls_source.yml | 0 .../50_create_connection_profile.yml | 0 .../55_perform_checkup.yml | 0 .../TESTSUITE.md | 0 .../teardown/90_teardown.yml | 0 .../teardown/95_restart_radius_services | 0 t/venom/vars/all.yml | 4 ++++ 34 files changed, 35 insertions(+), 18 deletions(-) rename t/venom/test_suites/{dot1x_eap_tls_pfpki_scep => wired_dot1x_eap_tls_manual}/00_create_pki.yml (92%) rename t/venom/test_suites/{dot1x_eap_tls_pfpki_manual => wired_dot1x_eap_tls_manual}/10_enable_ocsp.yml (100%) rename t/venom/test_suites/{dot1x_eap_tls_pfpki_manual => wired_dot1x_eap_tls_manual}/36_restart_radius_services.yml (100%) rename t/venom/test_suites/{dot1x_eap_tls_pfpki_manual => wired_dot1x_eap_tls_manual}/41_restart_haproxy-admin_service.yml (100%) rename t/venom/test_suites/{dot1x_eap_tls_pfpki_manual => 
wired_dot1x_eap_tls_manual}/42_restart_haproxy-portal_service.yml (100%) rename t/venom/test_suites/{dot1x_eap_tls_pfpki_manual => wired_dot1x_eap_tls_manual}/45_create_eaptls_source.yml (100%) rename t/venom/test_suites/{dot1x_eap_tls_pfpki_manual => wired_dot1x_eap_tls_manual}/50_create_connection_profile.yml (100%) rename t/venom/test_suites/{dot1x_eap_tls_pfpki_manual => wired_dot1x_eap_tls_manual}/55_perform_checkup.yml (100%) rename t/venom/test_suites/{dot1x_eap_tls_pfpki_manual => wired_dot1x_eap_tls_manual}/60_enable_dot1x_dot1x_int.yml (100%) rename t/venom/test_suites/{dot1x_eap_tls_pfpki_manual/37_enable_dynamic_vlan.yml => wired_dot1x_eap_tls_manual/65_enable_dynamic_vlan.yml} (100%) rename t/venom/test_suites/{dot1x_eap_tls_pfpki_manual/40_commit_config.yml => wired_dot1x_eap_tls_manual/70_commit_config.yml} (100%) create mode 100644 t/venom/test_suites/wired_dot1x_eap_tls_manual/75_deploy_certificates_on_node01.yml rename t/venom/test_suites/{dot1x_eap_tls_pfpki_manual/45_run_wpasupplicant.yml => wired_dot1x_eap_tls_manual/80_run_wpasupplicant.yml} (100%) rename t/venom/test_suites/{dot1x_eap_tls_pfpki_manual/50_sleep_some_time.yml => wired_dot1x_eap_tls_manual/90_sleep_some_time.yml} (100%) rename t/venom/test_suites/{dot1x_eap_tls_pfpki_manual/55_check_radius_audit_log.yml => wired_dot1x_eap_tls_manual/91_check_radius_audit_log.yml} (100%) rename t/venom/test_suites/{dot1x_eap_tls_pfpki_manual/60_check_autoregister_node.yml => wired_dot1x_eap_tls_manual/95_check_autoregister_node.yml} (100%) rename t/venom/test_suites/{dot1x_eap_tls_pfpki_manual/65_check_dot1x_int_status.yml => wired_dot1x_eap_tls_manual/98_check_dot1x_int_status.yml} (100%) rename t/venom/test_suites/{dot1x_eap_tls_pfpki_manual/70_check_internet_access.yml => wired_dot1x_eap_tls_manual/99_check_internet_access.yml} (100%) rename t/venom/test_suites/{dot1x_eap_tls_pfpki_scep => wired_dot1x_eap_tls_manual}/TESTSUITE.md (100%) rename t/venom/test_suites/{dot1x_eap_tls_pfpki_manual => 
wired_dot1x_eap_tls_manual}/teardown/90_teardown.yml (100%) rename t/venom/test_suites/{dot1x_eap_tls_pfpki_manual => wired_dot1x_eap_tls_manual}/teardown/95_restart_radius_services (100%) rename t/venom/test_suites/{dot1x_eap_tls_pfpki_manual => wired_dot1x_eap_tls_scep}/00_create_pki.yml (100%) rename t/venom/test_suites/{dot1x_eap_tls_pfpki_scep => wired_dot1x_eap_tls_scep}/10_enable_ocsp.yml (100%) rename t/venom/test_suites/{dot1x_eap_tls_pfpki_scep => wired_dot1x_eap_tls_scep}/36_restart_radius_services.yml (100%) rename t/venom/test_suites/{dot1x_eap_tls_pfpki_scep => wired_dot1x_eap_tls_scep}/41_restart_haproxy-admin_service.yml (100%) rename t/venom/test_suites/{dot1x_eap_tls_pfpki_scep => wired_dot1x_eap_tls_scep}/42_restart_haproxy-portal_service.yml (100%) rename t/venom/test_suites/{dot1x_eap_tls_pfpki_scep => wired_dot1x_eap_tls_scep}/45_create_eaptls_source.yml (100%) rename t/venom/test_suites/{dot1x_eap_tls_pfpki_scep => wired_dot1x_eap_tls_scep}/50_create_connection_profile.yml (100%) rename t/venom/test_suites/{dot1x_eap_tls_pfpki_scep => wired_dot1x_eap_tls_scep}/55_perform_checkup.yml (100%) rename t/venom/test_suites/{dot1x_eap_tls_pfpki_manual => wired_dot1x_eap_tls_scep}/TESTSUITE.md (100%) rename t/venom/test_suites/{dot1x_eap_tls_pfpki_scep => wired_dot1x_eap_tls_scep}/teardown/90_teardown.yml (100%) rename t/venom/test_suites/{dot1x_eap_tls_pfpki_scep => wired_dot1x_eap_tls_scep}/teardown/95_restart_radius_services (100%) diff --git a/t/venom/scenarios/dot1x_eap_tls/playbooks/run_tests.yml b/t/venom/scenarios/dot1x_eap_tls/playbooks/run_tests.yml index b2d5ae3a5ec3..6c3478cbc712 100644 --- a/t/venom/scenarios/dot1x_eap_tls/playbooks/run_tests.yml +++ b/t/venom/scenarios/dot1x_eap_tls/playbooks/run_tests.yml 
@@ -7,10 +7,10 @@ test_suites: - configurator - global_config - - dot1x_eap_tls_pfpki_manual - - dot1x_eap_tls_pfpki_manual/teardown - - dot1x_eap_tls_pfpki_scep - - dot1x_eap_tls_pfpki_scep/teardown + - wired_dot1x_eap_tls_manual + - wired_dot1x_eap_tls_manual/teardown + - wired_dot1x_eap_tls_scep + - wired_dot1x_eap_tls_scep/teardown - global_teardown tasks: diff --git a/t/venom/test_suites/dot1x_eap_tls_pfpki_scep/00_create_pki.yml b/t/venom/test_suites/wired_dot1x_eap_tls_manual/00_create_pki.yml similarity index 92% rename from t/venom/test_suites/dot1x_eap_tls_pfpki_scep/00_create_pki.yml rename to t/venom/test_suites/wired_dot1x_eap_tls_manual/00_create_pki.yml index 1b3dd17ac6a1..0cdaa03e854f 100644 --- a/t/venom/test_suites/dot1x_eap_tls_pfpki_scep/00_create_pki.yml +++ b/t/venom/test_suites/wired_dot1x_eap_tls_manual/00_create_pki.yml 
@@ -310,38 +310,35 @@ testcases: serial_number: from: result.bodyjson.items.items0.id -- name: create_temp_directory +- name: create_client_directory steps: - type: exec - script: "mktemp -d" - vars: - temp_dir: - from: result.systemout + script: "mkdir -p {{.wired_dot1x_eap_tls_manual.paths.per_client_directory}}" - name: download_user_p12_file steps: - type: exec script: | - curl -k --output {{.create_temp_directory.temp_dir}}/{{.dot1x_eap_tls_pfpki.certs.user.cn}}.p12 \ + curl -k --output {{.wired_dot1x_eap_tls_manual.paths.per_client_directory}}.p12 \ http://127.0.0.1:22225/api/v1/pki/cert/{{.create_user_cert.serial_number}}/download/secret - name: extract_ca_certificate steps: - type: exec script: | - openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.dot1x_eap_tls_pfpki.certs.user.cn}}.p12 -cacerts -nokeys \ - -out {{.create_temp_directory.temp_dir}}/{{.dot1x_eap_tls_pfpki.certs.ca.cn}}.crt -passin pass:secret + openssl pkcs12 -in {{.wired_dot1x_eap_tls_manual.paths.per_client_directory}}.p12 -cacerts -nokeys \ + -out {{.wired_dot1x_eap_tls_manual.paths.per_client_directory}}/ca.pem -passin pass:secret - name: extract_user_certificate steps: - type: exec script: | - openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.dot1x_eap_tls_pfpki.certs.user.cn}}.p12 -clcerts -nokeys \ - -out {{.create_temp_directory.temp_dir}}/{{.dot1x_eap_tls_pfpki.certs.user.cn}}.crt -passin pass:secret + openssl pkcs12 -in {{.wired_dot1x_eap_tls_manual.paths.per_client_directory}}.p12 -clcerts -nokeys \ + -out {{.wired_dot1x_eap_tls_manual.paths.per_client_directory}}/client.pem -passin pass:secret - name: extract_user_key steps: - type: exec script: | - openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.dot1x_eap_tls_pfpki.certs.user.cn}}.p12 -nocerts -nodes \ - -out {{.create_temp_directory.temp_dir}}/{{.dot1x_eap_tls_pfpki.certs.user.cn}}.key -passin pass:secret + openssl pkcs12 -in {{.wired_dot1x_eap_tls_manual.paths.per_client_directory}}.p12 -nocerts -nodes 
\ + -out {{.wired_dot1x_eap_tls_manual.paths.per_client_directory}}/client.key -passin pass:secret diff --git a/t/venom/test_suites/dot1x_eap_tls_pfpki_manual/10_enable_ocsp.yml b/t/venom/test_suites/wired_dot1x_eap_tls_manual/10_enable_ocsp.yml similarity index 100% rename from t/venom/test_suites/dot1x_eap_tls_pfpki_manual/10_enable_ocsp.yml rename to t/venom/test_suites/wired_dot1x_eap_tls_manual/10_enable_ocsp.yml diff --git a/t/venom/test_suites/dot1x_eap_tls_pfpki_manual/36_restart_radius_services.yml b/t/venom/test_suites/wired_dot1x_eap_tls_manual/36_restart_radius_services.yml similarity index 100% rename from t/venom/test_suites/dot1x_eap_tls_pfpki_manual/36_restart_radius_services.yml rename to t/venom/test_suites/wired_dot1x_eap_tls_manual/36_restart_radius_services.yml diff --git a/t/venom/test_suites/dot1x_eap_tls_pfpki_manual/41_restart_haproxy-admin_service.yml b/t/venom/test_suites/wired_dot1x_eap_tls_manual/41_restart_haproxy-admin_service.yml similarity index 100% rename from t/venom/test_suites/dot1x_eap_tls_pfpki_manual/41_restart_haproxy-admin_service.yml rename to t/venom/test_suites/wired_dot1x_eap_tls_manual/41_restart_haproxy-admin_service.yml diff --git a/t/venom/test_suites/dot1x_eap_tls_pfpki_manual/42_restart_haproxy-portal_service.yml b/t/venom/test_suites/wired_dot1x_eap_tls_manual/42_restart_haproxy-portal_service.yml similarity index 100% rename from t/venom/test_suites/dot1x_eap_tls_pfpki_manual/42_restart_haproxy-portal_service.yml rename to t/venom/test_suites/wired_dot1x_eap_tls_manual/42_restart_haproxy-portal_service.yml diff --git a/t/venom/test_suites/dot1x_eap_tls_pfpki_manual/45_create_eaptls_source.yml b/t/venom/test_suites/wired_dot1x_eap_tls_manual/45_create_eaptls_source.yml similarity index 100% rename from t/venom/test_suites/dot1x_eap_tls_pfpki_manual/45_create_eaptls_source.yml rename to t/venom/test_suites/wired_dot1x_eap_tls_manual/45_create_eaptls_source.yml 
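Review bot: `create_client_directory` creates `{{.wired_dot1x_eap_tls_manual.paths.per_client_directory}}` with `mkdir -p` and default mode, and `extract_user_key` then writes the unencrypted private key there with `-nodes`, so `client.key` ends up with umask-default permissions (typically 0644) instead of the 0600 a key file should have; use `script: "mkdir -p -m 0700 {{.wired_dot1x_eap_tls_manual.paths.per_client_directory}}"` and prefix the key extraction with `umask 077;` (or append `&& chmod 600 …/client.key`). Note also that `download_user_p12_file` writes the PKCS#12 to `<per_client_directory>.p12`, a sibling of the directory rather than inside it; that keeps it out of the later rsync, but it is never removed, and since the fixed path replaces the former `mktemp -d`, files from an earlier run persist — a comment explaining both would avoid the next reader "fixing" the path. The `create_user_cert` testcase whose `serial_number` context line opens this hunk starts outside the hunk.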
diff --git a/t/venom/test_suites/dot1x_eap_tls_pfpki_manual/50_create_connection_profile.yml b/t/venom/test_suites/wired_dot1x_eap_tls_manual/50_create_connection_profile.yml similarity index 100% rename from t/venom/test_suites/dot1x_eap_tls_pfpki_manual/50_create_connection_profile.yml rename to t/venom/test_suites/wired_dot1x_eap_tls_manual/50_create_connection_profile.yml diff --git a/t/venom/test_suites/dot1x_eap_tls_pfpki_manual/55_perform_checkup.yml b/t/venom/test_suites/wired_dot1x_eap_tls_manual/55_perform_checkup.yml similarity index 100% rename from t/venom/test_suites/dot1x_eap_tls_pfpki_manual/55_perform_checkup.yml rename to t/venom/test_suites/wired_dot1x_eap_tls_manual/55_perform_checkup.yml diff --git a/t/venom/test_suites/dot1x_eap_tls_pfpki_manual/60_enable_dot1x_dot1x_int.yml b/t/venom/test_suites/wired_dot1x_eap_tls_manual/60_enable_dot1x_dot1x_int.yml similarity index 100% rename from t/venom/test_suites/dot1x_eap_tls_pfpki_manual/60_enable_dot1x_dot1x_int.yml rename to t/venom/test_suites/wired_dot1x_eap_tls_manual/60_enable_dot1x_dot1x_int.yml diff --git a/t/venom/test_suites/dot1x_eap_tls_pfpki_manual/37_enable_dynamic_vlan.yml b/t/venom/test_suites/wired_dot1x_eap_tls_manual/65_enable_dynamic_vlan.yml similarity index 100% rename from t/venom/test_suites/dot1x_eap_tls_pfpki_manual/37_enable_dynamic_vlan.yml rename to t/venom/test_suites/wired_dot1x_eap_tls_manual/65_enable_dynamic_vlan.yml diff --git a/t/venom/test_suites/dot1x_eap_tls_pfpki_manual/40_commit_config.yml b/t/venom/test_suites/wired_dot1x_eap_tls_manual/70_commit_config.yml similarity index 100% rename from t/venom/test_suites/dot1x_eap_tls_pfpki_manual/40_commit_config.yml rename to t/venom/test_suites/wired_dot1x_eap_tls_manual/70_commit_config.yml 
diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_manual/75_deploy_certificates_on_node01.yml b/t/venom/test_suites/wired_dot1x_eap_tls_manual/75_deploy_certificates_on_node01.yml new file mode 100644 index 000000000000..0da736f044e4 --- /dev/null +++ b/t/venom/test_suites/wired_dot1x_eap_tls_manual/75_deploy_certificates_on_node01.yml @@ -0,0 +1,16 @@ +name: Deploy certificates on node01 +testcases: + - name: deploy_certificates + steps: + - type: exec + script: | + scp -r {{.wired_dot1x_eap_tls_manual.paths.client_directory}} {{.ssh_user}}@{{.node01_mgmt_ip}}:/home/vagrant/ + + - name: move_certificates + steps: + - type: ssh + host: '{{.node01_mgmt_ip}}' + user: '{{.ssh_user}}' + command: | + sudo cp -v /home/vagrant/{{.wired_dot1x_eap_tls_manual.paths.client_directory}} /etc/wpa_supplicant/eap_tls/ + diff --git a/t/venom/test_suites/dot1x_eap_tls_pfpki_manual/45_run_wpasupplicant.yml b/t/venom/test_suites/wired_dot1x_eap_tls_manual/80_run_wpasupplicant.yml similarity index 100% rename from t/venom/test_suites/dot1x_eap_tls_pfpki_manual/45_run_wpasupplicant.yml rename to t/venom/test_suites/wired_dot1x_eap_tls_manual/80_run_wpasupplicant.yml diff --git a/t/venom/test_suites/dot1x_eap_tls_pfpki_manual/50_sleep_some_time.yml b/t/venom/test_suites/wired_dot1x_eap_tls_manual/90_sleep_some_time.yml similarity index 100% rename from t/venom/test_suites/dot1x_eap_tls_pfpki_manual/50_sleep_some_time.yml rename to t/venom/test_suites/wired_dot1x_eap_tls_manual/90_sleep_some_time.yml diff --git a/t/venom/test_suites/dot1x_eap_tls_pfpki_manual/55_check_radius_audit_log.yml b/t/venom/test_suites/wired_dot1x_eap_tls_manual/91_check_radius_audit_log.yml similarity index 100% rename from t/venom/test_suites/dot1x_eap_tls_pfpki_manual/55_check_radius_audit_log.yml rename to t/venom/test_suites/wired_dot1x_eap_tls_manual/91_check_radius_audit_log.yml 
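Review bot: Both steps hard-code `/home/vagrant/` as the staging directory while the login user is taken from `{{.ssh_user}}`, so the copy silently breaks if that variable is ever set to another account; use the remote user's home instead: `scp -r … {{.ssh_user}}@{{.node01_mgmt_ip}}:~/` and `sudo cp -v ~/… /etc/wpa_supplicant/eap_tls/` (the shell expands `~` before `sudo` runs). As written, `move_certificates` also passes a directory to `cp` without `-r`, so it prints "omitting directory" and copies nothing; a later patch in this series appears to rework this step, but the home-directory assumption survives it. Also worth a comment on `move_certificates`: the staged copy of the private key is left behind in the user's home after the copy.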
diff --git a/t/venom/test_suites/dot1x_eap_tls_pfpki_manual/60_check_autoregister_node.yml b/t/venom/test_suites/wired_dot1x_eap_tls_manual/95_check_autoregister_node.yml similarity index 100% rename from t/venom/test_suites/dot1x_eap_tls_pfpki_manual/60_check_autoregister_node.yml rename to t/venom/test_suites/wired_dot1x_eap_tls_manual/95_check_autoregister_node.yml diff --git a/t/venom/test_suites/dot1x_eap_tls_pfpki_manual/65_check_dot1x_int_status.yml b/t/venom/test_suites/wired_dot1x_eap_tls_manual/98_check_dot1x_int_status.yml similarity index 100% rename from t/venom/test_suites/dot1x_eap_tls_pfpki_manual/65_check_dot1x_int_status.yml rename to t/venom/test_suites/wired_dot1x_eap_tls_manual/98_check_dot1x_int_status.yml diff --git a/t/venom/test_suites/dot1x_eap_tls_pfpki_manual/70_check_internet_access.yml b/t/venom/test_suites/wired_dot1x_eap_tls_manual/99_check_internet_access.yml similarity index 100% rename from t/venom/test_suites/dot1x_eap_tls_pfpki_manual/70_check_internet_access.yml rename to t/venom/test_suites/wired_dot1x_eap_tls_manual/99_check_internet_access.yml diff --git a/t/venom/test_suites/dot1x_eap_tls_pfpki_scep/TESTSUITE.md b/t/venom/test_suites/wired_dot1x_eap_tls_manual/TESTSUITE.md similarity index 100% rename from t/venom/test_suites/dot1x_eap_tls_pfpki_scep/TESTSUITE.md rename to t/venom/test_suites/wired_dot1x_eap_tls_manual/TESTSUITE.md index 8e3c253f1763..fc4515dfcbf6 100644 --- a/t/venom/test_suites/dot1x_eap_tls_pfpki_scep/TESTSUITE.md +++ b/t/venom/test_suites/wired_dot1x_eap_tls_manual/TESTSUITE.md @@ -25,10 +25,10 @@ N/A 1. Create connection profile with auto-registration, unreg_on_accounting_stop, EAPTLS source and specific filter 1. Perform Checkup (common test suite) - -TODO: 1. Configure 802.1X only and dynamic VLAN on dot1x interface on switch01 + +TODO: 1. Install Root CA on node01 1. Install user certificates (public certificate and private key) on node01 with following paths: 
diff --git a/t/venom/test_suites/dot1x_eap_tls_pfpki_manual/teardown/90_teardown.yml b/t/venom/test_suites/wired_dot1x_eap_tls_manual/teardown/90_teardown.yml similarity index 100% rename from t/venom/test_suites/dot1x_eap_tls_pfpki_manual/teardown/90_teardown.yml rename to t/venom/test_suites/wired_dot1x_eap_tls_manual/teardown/90_teardown.yml diff --git a/t/venom/test_suites/dot1x_eap_tls_pfpki_manual/teardown/95_restart_radius_services b/t/venom/test_suites/wired_dot1x_eap_tls_manual/teardown/95_restart_radius_services similarity index 100% rename from t/venom/test_suites/dot1x_eap_tls_pfpki_manual/teardown/95_restart_radius_services rename to t/venom/test_suites/wired_dot1x_eap_tls_manual/teardown/95_restart_radius_services diff --git a/t/venom/test_suites/dot1x_eap_tls_pfpki_manual/00_create_pki.yml b/t/venom/test_suites/wired_dot1x_eap_tls_scep/00_create_pki.yml similarity index 100% rename from t/venom/test_suites/dot1x_eap_tls_pfpki_manual/00_create_pki.yml rename to t/venom/test_suites/wired_dot1x_eap_tls_scep/00_create_pki.yml diff --git a/t/venom/test_suites/dot1x_eap_tls_pfpki_scep/10_enable_ocsp.yml b/t/venom/test_suites/wired_dot1x_eap_tls_scep/10_enable_ocsp.yml similarity index 100% rename from t/venom/test_suites/dot1x_eap_tls_pfpki_scep/10_enable_ocsp.yml rename to t/venom/test_suites/wired_dot1x_eap_tls_scep/10_enable_ocsp.yml diff --git a/t/venom/test_suites/dot1x_eap_tls_pfpki_scep/36_restart_radius_services.yml b/t/venom/test_suites/wired_dot1x_eap_tls_scep/36_restart_radius_services.yml similarity index 100% rename from t/venom/test_suites/dot1x_eap_tls_pfpki_scep/36_restart_radius_services.yml rename to t/venom/test_suites/wired_dot1x_eap_tls_scep/36_restart_radius_services.yml 
diff --git a/t/venom/test_suites/dot1x_eap_tls_pfpki_scep/41_restart_haproxy-admin_service.yml b/t/venom/test_suites/wired_dot1x_eap_tls_scep/41_restart_haproxy-admin_service.yml similarity index 100% rename from t/venom/test_suites/dot1x_eap_tls_pfpki_scep/41_restart_haproxy-admin_service.yml rename to t/venom/test_suites/wired_dot1x_eap_tls_scep/41_restart_haproxy-admin_service.yml diff --git a/t/venom/test_suites/dot1x_eap_tls_pfpki_scep/42_restart_haproxy-portal_service.yml b/t/venom/test_suites/wired_dot1x_eap_tls_scep/42_restart_haproxy-portal_service.yml similarity index 100% rename from t/venom/test_suites/dot1x_eap_tls_pfpki_scep/42_restart_haproxy-portal_service.yml rename to t/venom/test_suites/wired_dot1x_eap_tls_scep/42_restart_haproxy-portal_service.yml diff --git a/t/venom/test_suites/dot1x_eap_tls_pfpki_scep/45_create_eaptls_source.yml b/t/venom/test_suites/wired_dot1x_eap_tls_scep/45_create_eaptls_source.yml similarity index 100% rename from t/venom/test_suites/dot1x_eap_tls_pfpki_scep/45_create_eaptls_source.yml rename to t/venom/test_suites/wired_dot1x_eap_tls_scep/45_create_eaptls_source.yml diff --git a/t/venom/test_suites/dot1x_eap_tls_pfpki_scep/50_create_connection_profile.yml b/t/venom/test_suites/wired_dot1x_eap_tls_scep/50_create_connection_profile.yml similarity index 100% rename from t/venom/test_suites/dot1x_eap_tls_pfpki_scep/50_create_connection_profile.yml rename to t/venom/test_suites/wired_dot1x_eap_tls_scep/50_create_connection_profile.yml diff --git a/t/venom/test_suites/dot1x_eap_tls_pfpki_scep/55_perform_checkup.yml b/t/venom/test_suites/wired_dot1x_eap_tls_scep/55_perform_checkup.yml similarity index 100% rename from t/venom/test_suites/dot1x_eap_tls_pfpki_scep/55_perform_checkup.yml rename to t/venom/test_suites/wired_dot1x_eap_tls_scep/55_perform_checkup.yml 
diff --git a/t/venom/test_suites/dot1x_eap_tls_pfpki_manual/TESTSUITE.md b/t/venom/test_suites/wired_dot1x_eap_tls_scep/TESTSUITE.md similarity index 100% rename from t/venom/test_suites/dot1x_eap_tls_pfpki_manual/TESTSUITE.md rename to t/venom/test_suites/wired_dot1x_eap_tls_scep/TESTSUITE.md diff --git a/t/venom/test_suites/dot1x_eap_tls_pfpki_scep/teardown/90_teardown.yml b/t/venom/test_suites/wired_dot1x_eap_tls_scep/teardown/90_teardown.yml similarity index 100% rename from t/venom/test_suites/dot1x_eap_tls_pfpki_scep/teardown/90_teardown.yml rename to t/venom/test_suites/wired_dot1x_eap_tls_scep/teardown/90_teardown.yml diff --git a/t/venom/test_suites/dot1x_eap_tls_pfpki_scep/teardown/95_restart_radius_services b/t/venom/test_suites/wired_dot1x_eap_tls_scep/teardown/95_restart_radius_services similarity index 100% rename from t/venom/test_suites/dot1x_eap_tls_pfpki_scep/teardown/95_restart_radius_services rename to t/venom/test_suites/wired_dot1x_eap_tls_scep/teardown/95_restart_radius_services diff --git a/t/venom/vars/all.yml b/t/venom/vars/all.yml index 1b562f47a6f9..8e800117bcce 100644 --- a/t/venom/vars/all.yml +++ b/t/venom/vars/all.yml @@ -364,6 +364,9 @@ dot1x_eap_tls_pfpki.profiles.wired.filters.connection_type: Ethernet-EAP dot1x_eap_tls_pfpki.profiles.wired.filters.connection_sub_type: EAP-TLS dot1x_eap_tls_pfpki.profiles.wired.unreg_on_acct_stop: enabled +wired_dot1x_eap_tls_manual.paths.clients_directory: /root/client_certificates +wired_dot1x_eap_tls_manual.paths.per_client_directory: {{.wired_dot1x_eap_tls_manual.paths.clients_directory}}/{{.dot1x_eap_tls_pfpki.certs.user.cn}} + ################################################################################ # pfdhcplistener_single_tenant test suite specific variables ################################################################################ 
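Review bot: The new `per_client_directory` value starts with `{{`, which a YAML parser reads as the opening of a flow mapping, so unless venom renders the template before parsing this file as YAML the load will fail or yield a mapping rather than a path; the safe form is `wired_dot1x_eap_tls_manual.paths.per_client_directory: "{{.wired_dot1x_eap_tls_manual.paths.clients_directory}}/{{.dot1x_eap_tls_pfpki.certs.user.cn}}"`. Every other templated value in this vars hunk is a plain scalar, so this line is the only one affected. A one-line comment above `clients_directory` saying that it holds extracted, unencrypted client private keys on the PacketFence host would make the 0700/root expectation explicit for whoever changes the path.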
@@ -394,3 +397,4 @@ pfdhcplistener_multi_tenant.nodes.node11.dhcp_fingerprint: 1,2,3,4
 pfdhcplistener_multi_tenant.nodes.node11.dhcp_vendor: test
 # need to be a network not already attached to PacketFence server
 pfdhcplistener_multi_tenant.nodes.node11.dhcp_server: 10.10.10.1
+

From 66c288e1c482d455b460bf1b65b1657aac2a7fec Mon Sep 17 00:00:00 2001
From: nqb
Date: Wed, 20 Oct 2021 23:24:59 +0200
Subject: [PATCH 03/14] manual: deployment and check

---
 addons/vagrant/playbooks/nodes/pre_prov/packages.yml | 1 +
 t/venom/nodes/wired_dot1x_eap_tls/run_wpasupplicant.yml | 9 +++++++++
 .../50_create_connection_profile.yml | 2 +-
 .../75_deploy_certificates_on_node01.yml | 5 ++---
 .../wired_dot1x_eap_tls_manual/80_run_wpasupplicant.yml | 2 +-
 t/venom/vars/all.yml | 2 +-
 6 files changed, 15 insertions(+), 6 deletions(-)
 create mode 100644 t/venom/nodes/wired_dot1x_eap_tls/run_wpasupplicant.yml

diff --git a/addons/vagrant/playbooks/nodes/pre_prov/packages.yml b/addons/vagrant/playbooks/nodes/pre_prov/packages.yml
index c43d527582f9..7ecddbd8cfb4 100644
--- a/addons/vagrant/playbooks/nodes/pre_prov/packages.yml
+++ b/addons/vagrant/playbooks/nodes/pre_prov/packages.yml
@@ -34,6 +34,7 @@ - packetfence-test - wpasupplicant - sscep + - rsync roles: - role: inverse_inc.gitlab_buildpkg_tools
diff --git a/t/venom/nodes/wired_dot1x_eap_tls/run_wpasupplicant.yml b/t/venom/nodes/wired_dot1x_eap_tls/run_wpasupplicant.yml
new file mode 100644
index 000000000000..304e9fcc70ca
--- /dev/null
+++ b/t/venom/nodes/wired_dot1x_eap_tls/run_wpasupplicant.yml
@@ -0,0 +1,9 @@
+name: Run wpasupplicant for EAP-TLS
+testcases:
+- name: run_wpasupplicant_eap_peap
+ steps:
+ - type: exec
+ script: "sudo wpa_supplicant -c /etc/wpa_supplicant/eap_tls/eap_tls.conf -D wired -i ens7 -B"
+ timeout: 10
+ assertions:
+ - result.systemout ShouldContainSubstring "Successfully initialized wpa_supplicant"
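Review bot: The testcase in the new t/venom/nodes/wired_dot1x_eap_tls/run_wpasupplicant.yml is named `run_wpasupplicant_eap_peap` although the file title and the config it loads (`/etc/wpa_supplicant/eap_tls/eap_tls.conf`) are EAP-TLS; rename it to `- name: run_wpasupplicant_eap_tls` so results and logs are not attributed to the PEAP suite. The only assertion looks for "Successfully initialized wpa_supplicant", which with `-B` proves the daemon detached, not that the EAP-TLS exchange and certificate validation completed, so the RADIUS audit-log check later in the suite is presumably what actually verifies authentication; a one-line comment above the assertion saying so would help the next reader. The interface `ens7` is hard-coded in the script line; if the other node test files take it from a variable, use the same one here.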
diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_manual/50_create_connection_profile.yml b/t/venom/test_suites/wired_dot1x_eap_tls_manual/50_create_connection_profile.yml
index 3578221c3834..c3973a64f5a0 100644
--- a/t/venom/test_suites/wired_dot1x_eap_tls_manual/50_create_connection_profile.yml
+++ b/t/venom/test_suites/wired_dot1x_eap_tls_manual/50_create_connection_profile.yml
@@ -36,7 +36,7 @@ testcases:
 "match": "{{.dot1x_eap_tls_pfpki.profiles.wired.filters.connection_sub_type}}"
 }
 ],
- "filter_match_style": "any",
+ "filter_match_style": "all",
 "id": "{{.dot1x_eap_tls_pfpki.profiles.wired.id}}",
 "locale": null,
 "login_attempt_limit": 0,
diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_manual/75_deploy_certificates_on_node01.yml b/t/venom/test_suites/wired_dot1x_eap_tls_manual/75_deploy_certificates_on_node01.yml
index 0da736f044e4..6843932e86b0 100644
--- a/t/venom/test_suites/wired_dot1x_eap_tls_manual/75_deploy_certificates_on_node01.yml
+++ b/t/venom/test_suites/wired_dot1x_eap_tls_manual/75_deploy_certificates_on_node01.yml
@@ -4,7 +4,7 @@ testcases:
 steps:
 - type: exec
 script: |
- scp -r {{.wired_dot1x_eap_tls_manual.paths.client_directory}} {{.ssh_user}}@{{.node01_mgmt_ip}}:/home/vagrant/
+ /usr/bin/rsync -avz {{.wired_dot1x_eap_tls_manual.paths.per_client_directory}} {{.ssh_user}}@{{.node01_mgmt_ip}}:/home/vagrant/
 
 - name: move_certificates
 steps:
@@ -12,5 +12,4 @@ testcases:
 host: '{{.node01_mgmt_ip}}'
 user: '{{.ssh_user}}'
 command: |
- sudo cp -v /home/vagrant/{{.wired_dot1x_eap_tls_manual.paths.client_directory}} /etc/wpa_supplicant/eap_tls/
-
+ sudo cp -v /home/vagrant/{{.dot1x_eap_tls_pfpki.certs.user.cn}}/* /etc/wpa_supplicant/eap_tls/
diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_manual/80_run_wpasupplicant.yml b/t/venom/test_suites/wired_dot1x_eap_tls_manual/80_run_wpasupplicant.yml
index b1417fc7b363..7fa9e188f1a9 100644
--- a/t/venom/test_suites/wired_dot1x_eap_tls_manual/80_run_wpasupplicant.yml
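Review bot: In 75_deploy_certificates_on_node01.yml the new rsync line stages the per-client directory, which presumably holds the user's private key next to the certificate, under /home/vagrant/ on node01, and the new `sudo cp -v` line copies it into /etc/wpa_supplicant/eap_tls/ without tightening modes or removing the staging copy, so the key remains readable in the vagrant home after the run. Append `sudo chmod -R go-rwx /etc/wpa_supplicant/eap_tls/` and `rm -rf /home/vagrant/{{.dot1x_eap_tls_pfpki.certs.user.cn}}` to the `move_certificates` command. The rsync step is a plain exec, so it runs on the PacketFence server side, while the packages.yml hunk in this commit adds rsync only to the node image; unless the server image already ships it, `/usr/bin/rsync` will be missing where the step executes.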
+++ b/t/venom/test_suites/wired_dot1x_eap_tls_manual/80_run_wpasupplicant.yml
@@ -7,4 +7,4 @@ testcases:
 user: '{{.ssh_user}}'
 command: |
 cd /usr/local/pf/t/venom ; \
- sudo /usr/local/pf/t/venom/venom-wrapper.sh {{.nodes_test_suite_dir}}/dot1x_eap_peap/{{.venom.testcase}}.yml
+ sudo /usr/local/pf/t/venom/venom-wrapper.sh {{.nodes_test_suite_dir}}/wired_dot1x_eap_tls/{{.venom.testcase}}.yml
diff --git a/t/venom/vars/all.yml b/t/venom/vars/all.yml
index 8e800117bcce..947a4fe8b73d 100644
--- a/t/venom/vars/all.yml
+++ b/t/venom/vars/all.yml
@@ -365,7 +365,7 @@ dot1x_eap_tls_pfpki.profiles.wired.filters.connection_sub_type: EAP-TLS
 dot1x_eap_tls_pfpki.profiles.wired.unreg_on_acct_stop: enabled
 
 wired_dot1x_eap_tls_manual.paths.clients_directory: /root/client_certificates
-wired_dot1x_eap_tls_manual.paths.per_client_directory: {{.wired_dot1x_eap_tls_manual.paths.clients_directory}}/{{.dot1x_eap_tls_pfpki.certs.user.cn}}
+wired_dot1x_eap_tls_manual.paths.per_client_directory: '{{.wired_dot1x_eap_tls_manual.paths.clients_directory}}/{{.dot1x_eap_tls_pfpki.certs.user.cn}}'
 
 ################################################################################
 # pfdhcplistener_single_tenant test suite specific variables

From 945bdb86c999d9b95e27db048839b165abc1f6ec Mon Sep 17 00:00:00 2001
From: nqb Date: Wed, 20 Oct 2021 23:27:42 +0200 Subject: [PATCH 04/14] manual: rename vars --- .../10_create_roles.yml | 6 +- .../15_create_network_devices.yml | 8 +- .../global_config/00_create_roles.yml | 6 +- .../15_create_network_devices.yml | 8 +- .../00_create_pki.yml | 158 ++++++++-------- .../10_enable_ocsp.yml | 16 +- .../45_create_eaptls_source.yml | 10 +- .../50_create_connection_profile.yml | 12 +- .../75_deploy_certificates_on_node01.yml | 2 +- .../91_check_radius_audit_log.yml | 6 +- .../wired_dot1x_eap_tls_manual/TESTSUITE.md | 2 +- .../teardown/90_teardown.yml | 6 +- .../00_create_pki.yml | 172 +++++++++--------- .../10_enable_ocsp.yml | 16 +- .../45_create_eaptls_source.yml | 10 +- .../50_create_connection_profile.yml | 12 +- .../wired_dot1x_eap_tls_scep/TESTSUITE.md | 2 +- .../teardown/90_teardown.yml | 6 +- t/venom/vars/all.yml | 98 +++++----- 19 files changed, 278 insertions(+), 278 deletions(-) diff --git a/t/venom/pfservers/global_config_multi_tenant/10_create_roles.yml b/t/venom/pfservers/global_config_multi_tenant/10_create_roles.yml index d5285d0d5751..0fe3dc41b1ed 100644 --- a/t/venom/pfservers/global_config_multi_tenant/10_create_roles.yml +++ b/t/venom/pfservers/global_config_multi_tenant/10_create_roles.yml @@ -61,7 +61,7 @@ testcases: assertions: - result.statuscode ShouldEqual 201 -- name: create_dot1x_eap_tls_pfpki_role +- name: create_wired_dot1x_eap_tls_role steps: - type: http method: POST @@ -69,9 +69,9 @@ testcases: ignore_verify_ssl: true body: >- { - "id":"{{.dot1x_eap_tls_pfpki.roles.dot1x_eap_tls.id}}", + "id":"{{.wired_dot1x_eap_tls.roles.dot1x_eap_tls.id}}", "max_nodes_per_pid":0, - "notes":"{{.dot1x_eap_tls_pfpki.roles.dot1x_eap_tls.notes}}" + "notes":"{{.wired_dot1x_eap_tls.roles.dot1x_eap_tls.notes}}" } headers: "Authorization": "{{.get_login_token.json.result.token}}" 
diff --git a/t/venom/pfservers/global_config_multi_tenant/15_create_network_devices.yml b/t/venom/pfservers/global_config_multi_tenant/15_create_network_devices.yml index b3f79331fa3e..1a7dcc90f415 100644 --- a/t/venom/pfservers/global_config_multi_tenant/15_create_network_devices.yml +++ b/t/venom/pfservers/global_config_multi_tenant/15_create_network_devices.yml @@ -107,10 +107,10 @@ testcases: "{{.wired_mac_auth.roles.headless_device.id}}Role": null, "{{.wired_mac_auth.roles.headless_device.id}}Url": null, "{{.wired_mac_auth.roles.headless_device.id}}Vlan": "{{.wired_mac_auth.roles.headless_device.vlan_id}}", - "{{.dot1x_eap_tls_pfpki.roles.dot1x_eap_tls.id}}AccessList": null, - "{{.dot1x_eap_tls_pfpki.roles.dot1x_eap_tls.id}}Role": null, - "{{.dot1x_eap_tls_pfpki.roles.dot1x_eap_tls.id}}Url": null, - "{{.dot1x_eap_tls_pfpki.roles.dot1x_eap_tls.id}}Vlan": "{{.dot1x_eap_tls_pfpki.roles.dot1x_eap_tls.vlan_id}}", + "{{.wired_dot1x_eap_tls.roles.dot1x_eap_tls.id}}AccessList": null, + "{{.wired_dot1x_eap_tls.roles.dot1x_eap_tls.id}}Role": null, + "{{.wired_dot1x_eap_tls.roles.dot1x_eap_tls.id}}Url": null, + "{{.wired_dot1x_eap_tls.roles.dot1x_eap_tls.id}}Vlan": "{{.dot1x_eap_tls_pfpki.roles.dot1x_eap_tls.vlan_id}}", "voiceAccessList": null, "voiceRole": null, "voiceUrl": null, diff --git a/t/venom/test_suites/global_config/00_create_roles.yml b/t/venom/test_suites/global_config/00_create_roles.yml index 08946b136d67..4d489b98e761 100644 --- a/t/venom/test_suites/global_config/00_create_roles.yml +++ b/t/venom/test_suites/global_config/00_create_roles.yml @@ -61,7 +61,7 @@ testcases: assertions: - result.statuscode ShouldEqual 201 -- name: create_dot1x_eap_tls_pfpki_role +- name: create_wired_dot1x_eap_tls_role steps: - type: http method: POST 
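Review bot: In 15_create_network_devices.yml the `Vlan` entry is only half renamed: its key becomes `{{.wired_dot1x_eap_tls.roles.dot1x_eap_tls.id}}Vlan` while its value still reads `{{.dot1x_eap_tls_pfpki.roles.dot1x_eap_tls.vlan_id}}`. If the all.yml change in this patch (98 lines per the diffstat, not visible here) moves the role variables to the `wired_dot1x_eap_tls` prefix, the old name no longer resolves and the switch's role-to-VLAN mapping for the EAP-TLS role is pushed with an empty VLAN, so an authenticated client would not land in the intended segment. Change the line to `"{{.wired_dot1x_eap_tls.roles.dot1x_eap_tls.id}}Vlan": "{{.wired_dot1x_eap_tls.roles.dot1x_eap_tls.vlan_id}}",`. The global_config copy of 15_create_network_devices.yml in the next hunk has the same half-renamed line.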
@@ -69,9 +69,9 @@ testcases: ignore_verify_ssl: true body: >- { - "id":"{{.dot1x_eap_tls_pfpki.roles.dot1x_eap_tls.id}}", + "id":"{{.wired_dot1x_eap_tls.roles.dot1x_eap_tls.id}}", "max_nodes_per_pid":0, - "notes":"{{.dot1x_eap_tls_pfpki.roles.dot1x_eap_tls.notes}}" + "notes":"{{.wired_dot1x_eap_tls.roles.dot1x_eap_tls.notes}}" } headers: "Authorization": "{{.get_login_token.json.result.token}}" diff --git a/t/venom/test_suites/global_config/15_create_network_devices.yml b/t/venom/test_suites/global_config/15_create_network_devices.yml index 2e7b211846ec..00f8b235089d 100644 --- a/t/venom/test_suites/global_config/15_create_network_devices.yml +++ b/t/venom/test_suites/global_config/15_create_network_devices.yml @@ -106,10 +106,10 @@ testcases: "{{.wired_mac_auth.roles.headless_device.id}}Role": null, "{{.wired_mac_auth.roles.headless_device.id}}Url": null, "{{.wired_mac_auth.roles.headless_device.id}}Vlan": "{{.wired_mac_auth.roles.headless_device.vlan_id}}", - "{{.dot1x_eap_tls_pfpki.roles.dot1x_eap_tls.id}}AccessList": null, - "{{.dot1x_eap_tls_pfpki.roles.dot1x_eap_tls.id}}Role": null, - "{{.dot1x_eap_tls_pfpki.roles.dot1x_eap_tls.id}}Url": null, - "{{.dot1x_eap_tls_pfpki.roles.dot1x_eap_tls.id}}Vlan": "{{.dot1x_eap_tls_pfpki.roles.dot1x_eap_tls.vlan_id}}", + "{{.wired_dot1x_eap_tls.roles.dot1x_eap_tls.id}}AccessList": null, + "{{.wired_dot1x_eap_tls.roles.dot1x_eap_tls.id}}Role": null, + "{{.wired_dot1x_eap_tls.roles.dot1x_eap_tls.id}}Url": null, + "{{.wired_dot1x_eap_tls.roles.dot1x_eap_tls.id}}Vlan": "{{.dot1x_eap_tls_pfpki.roles.dot1x_eap_tls.vlan_id}}", "voiceAccessList": null, "voiceRole": null, "voiceUrl": null, diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_manual/00_create_pki.yml b/t/venom/test_suites/wired_dot1x_eap_tls_manual/00_create_pki.yml index 0cdaa03e854f..7d620a26631c 100644 --- a/t/venom/test_suites/wired_dot1x_eap_tls_manual/00_create_pki.yml +++ b/t/venom/test_suites/wired_dot1x_eap_tls_manual/00_create_pki.yml 
@@ -12,20 +12,20 @@ testcases: ignore_verify_ssl: true body: >- { - "cn": "{{.dot1x_eap_tls_pfpki.certs.ca.cn}}", - "mail": "{{.dot1x_eap_tls_pfpki.certs.ca.mail}}", - "organisational_unit": "{{.dot1x_eap_tls_pfpki.certs.organisational_unit}}", - "organisation": "{{.dot1x_eap_tls_pfpki.certs.organisation}}", - "country": "{{.dot1x_eap_tls_pfpki.certs.country}}", - "state": "{{.dot1x_eap_tls_pfpki.certs.state}}", - "locality": "{{.dot1x_eap_tls_pfpki.certs.locality}}", - "key_type": "{{.dot1x_eap_tls_pfpki.certs.key_type}}", - "digest": "{{.dot1x_eap_tls_pfpki.certs.digest}}", + "cn": "{{.wired_dot1x_eap_tls.certs.ca.cn}}", + "mail": "{{.wired_dot1x_eap_tls.certs.ca.mail}}", + "organisational_unit": "{{.wired_dot1x_eap_tls.certs.organisational_unit}}", + "organisation": "{{.wired_dot1x_eap_tls.certs.organisation}}", + "country": "{{.wired_dot1x_eap_tls.certs.country}}", + "state": "{{.wired_dot1x_eap_tls.certs.state}}", + "locality": "{{.wired_dot1x_eap_tls.certs.locality}}", + "key_type": "{{.wired_dot1x_eap_tls.certs.key_type}}", + "digest": "{{.wired_dot1x_eap_tls.certs.digest}}", "key_usage": "", "extended_key_usage": "", - "days": "{{.dot1x_eap_tls_pfpki.certs.validity}}", - "key_size": "{{.dot1x_eap_tls_pfpki.certs.key_size}}", - "ocsp_url": "{{.dot1x_eap_tls_pfpki.certs.ocsp_url}}" + "days": "{{.wired_dot1x_eap_tls.certs.validity}}", + "key_size": "{{.wired_dot1x_eap_tls.certs.key_size}}", + "ocsp_url": "{{.wired_dot1x_eap_tls.certs.ocsp_url}}" } headers: "Authorization": "{{.get_login_token.json.result.token}}" 
@@ -46,19 +46,19 @@ testcases: body: >- { "ca_id": "{{.create_root_ca.ca_id}}", - "name": "{{.dot1x_eap_tls_pfpki.templates.radius.name}}", - "validity": "{{.dot1x_eap_tls_pfpki.certs.validity}}", - "key_type": "{{.dot1x_eap_tls_pfpki.certs.key_type}}", - "digest": "{{.dot1x_eap_tls_pfpki.certs.digest}}", + "name": "{{.wired_dot1x_eap_tls.templates.radius.name}}", + "validity": "{{.wired_dot1x_eap_tls.certs.validity}}", + "key_type": "{{.wired_dot1x_eap_tls.certs.key_type}}", + "digest": "{{.wired_dot1x_eap_tls.certs.digest}}", "key_usage": "", "extended_key_usage": "1", - "key_size": "{{.dot1x_eap_tls_pfpki.certs.key_size}}", - "organisational_unit": "{{.dot1x_eap_tls_pfpki.certs.organisational_unit}}", - "organisation": "{{.dot1x_eap_tls_pfpki.certs.organisation}}", - "country": "{{.dot1x_eap_tls_pfpki.certs.country}}", - "state": "{{.dot1x_eap_tls_pfpki.certs.state}}", - "locality": "{{.dot1x_eap_tls_pfpki.certs.locality}}", - "ocsp_url": "{{.dot1x_eap_tls_pfpki.certs.ocsp_url}}" + "key_size": "{{.wired_dot1x_eap_tls.certs.key_size}}", + "organisational_unit": "{{.wired_dot1x_eap_tls.certs.organisational_unit}}", + "organisation": "{{.wired_dot1x_eap_tls.certs.organisation}}", + "country": "{{.wired_dot1x_eap_tls.certs.country}}", + "state": "{{.wired_dot1x_eap_tls.certs.state}}", + "locality": "{{.wired_dot1x_eap_tls.certs.locality}}", + "ocsp_url": "{{.wired_dot1x_eap_tls.certs.ocsp_url}}" } headers: "Authorization": "{{.get_login_token.json.result.token}}" 
@@ -78,10 +78,10 @@ testcases: body: >- { "profile_id": "{{.create_pf_radius_cert_template.profile_id}}", - "cn": "{{.dot1x_eap_tls_pfpki.certs.radius.cn}}", - "mail": "{{.dot1x_eap_tls_pfpki.certs.radius.mail}}", - "dns_names": "{{.dot1x_eap_tls_pfpki.certs.radius.dns_names}}", - "ip_addresses": "{{.dot1x_eap_tls_pfpki.certs.radius.ip_addresses}}" + "cn": "{{.wired_dot1x_eap_tls.certs.radius.cn}}", + "mail": "{{.wired_dot1x_eap_tls.certs.radius.mail}}", + "dns_names": "{{.wired_dot1x_eap_tls.certs.radius.dns_names}}", + "ip_addresses": "{{.wired_dot1x_eap_tls.certs.radius.ip_addresses}}" } headers: "Authorization": "{{.get_login_token.json.result.token}}" 
@@ -104,44 +104,44 @@ testcases: steps: - type: exec script: | - curl -k --output {{.create_temp_directory.temp_dir}}/{{.dot1x_eap_tls_pfpki.certs.radius.cn}}.p12 \ + curl -k --output {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.radius.cn}}.p12 \ http://127.0.0.1:22225/api/v1/pki/cert/{{.create_pf_radius_cert.serial_number}}/download/secret - name: extract_ca_certificate steps: - type: exec script: | - openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.dot1x_eap_tls_pfpki.certs.radius.cn}}.p12 -cacerts -nokeys \ - -out {{.create_temp_directory.temp_dir}}/{{.dot1x_eap_tls_pfpki.certs.ca.cn}}.crt -passin pass:secret + openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.radius.cn}}.p12 -cacerts -nokeys \ + -out {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.ca.cn}}.crt -passin pass:secret - name: extract_radius_certificate steps: - type: exec script: | - openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.dot1x_eap_tls_pfpki.certs.radius.cn}}.p12 -clcerts -nokeys \ - -out {{.create_temp_directory.temp_dir}}/{{.dot1x_eap_tls_pfpki.certs.radius.cn}}.crt -passin pass:secret + openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.radius.cn}}.p12 -clcerts -nokeys \ + -out {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.radius.cn}}.crt -passin pass:secret - name: extract_radius_key steps: - type: exec script: | - openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.dot1x_eap_tls_pfpki.certs.radius.cn}}.p12 -nocerts -nodes \ - -out {{.create_temp_directory.temp_dir}}/{{.dot1x_eap_tls_pfpki.certs.radius.cn}}.key -passin pass:secret + openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.radius.cn}}.p12 -nocerts -nodes \ + -out {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.radius.cn}}.key -passin pass:secret - name: install_ca_cert steps: - type: exec - script: "cp 
{{.create_temp_directory.temp_dir}}/{{.dot1x_eap_tls_pfpki.certs.ca.cn}}.crt /usr/local/pf/raddb/certs/ca.pem" + script: "cp {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.ca.cn}}.crt /usr/local/pf/raddb/certs/ca.pem" - name: install_radius_cert steps: - type: exec - script: "cp {{.create_temp_directory.temp_dir}}/{{.dot1x_eap_tls_pfpki.certs.radius.cn}}.crt /usr/local/pf/raddb/certs/server.crt" + script: "cp {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.radius.cn}}.crt /usr/local/pf/raddb/certs/server.crt" - name: install_radius_key steps: - type: exec - script: "cp {{.create_temp_directory.temp_dir}}/{{.dot1x_eap_tls_pfpki.certs.radius.cn}}.key /usr/local/pf/raddb/certs/server.key" + script: "cp {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.radius.cn}}.key /usr/local/pf/raddb/certs/server.key" ### HTTP certificate part - name: create_pf_http_cert_template 
@@ -153,19 +153,19 @@ testcases: body: >- { "ca_id": "{{.create_root_ca.ca_id}}", - "name": "{{.dot1x_eap_tls_pfpki.templates.http.name}}", - "validity": "{{.dot1x_eap_tls_pfpki.certs.validity}}", - "key_type": "{{.dot1x_eap_tls_pfpki.certs.key_type}}", - "digest": "{{.dot1x_eap_tls_pfpki.certs.digest}}", + "name": "{{.wired_dot1x_eap_tls.templates.http.name}}", + "validity": "{{.wired_dot1x_eap_tls.certs.validity}}", + "key_type": "{{.wired_dot1x_eap_tls.certs.key_type}}", + "digest": "{{.wired_dot1x_eap_tls.certs.digest}}", "key_usage": "", "extended_key_usage": "1", - "key_size": "{{.dot1x_eap_tls_pfpki.certs.key_size}}", - "organisational_unit": "{{.dot1x_eap_tls_pfpki.certs.organisational_unit}}", - "organisation": "{{.dot1x_eap_tls_pfpki.certs.organisation}}", - "country": "{{.dot1x_eap_tls_pfpki.certs.country}}", - "state": "{{.dot1x_eap_tls_pfpki.certs.state}}", - "locality": "{{.dot1x_eap_tls_pfpki.certs.locality}}", - "ocsp_url": "{{.dot1x_eap_tls_pfpki.certs.ocsp_url}}" + "key_size": "{{.wired_dot1x_eap_tls.certs.key_size}}", + "organisational_unit": "{{.wired_dot1x_eap_tls.certs.organisational_unit}}", + "organisation": "{{.wired_dot1x_eap_tls.certs.organisation}}", + "country": "{{.wired_dot1x_eap_tls.certs.country}}", + "state": "{{.wired_dot1x_eap_tls.certs.state}}", + "locality": "{{.wired_dot1x_eap_tls.certs.locality}}", + "ocsp_url": "{{.wired_dot1x_eap_tls.certs.ocsp_url}}" } headers: "Authorization": "{{.get_login_token.json.result.token}}" 
@@ -185,10 +185,10 @@ testcases: body: >- { "profile_id": "{{.create_pf_http_cert_template.profile_id}}", - "cn": "{{.dot1x_eap_tls_pfpki.certs.http.cn}}", - "mail": "{{.dot1x_eap_tls_pfpki.certs.http.mail}}", - "dns_names": "{{.dot1x_eap_tls_pfpki.certs.http.dns_names}}", - "ip_addresses": "{{.dot1x_eap_tls_pfpki.certs.http.ip_addresses}}" + "cn": "{{.wired_dot1x_eap_tls.certs.http.cn}}", + "mail": "{{.wired_dot1x_eap_tls.certs.http.mail}}", + "dns_names": "{{.wired_dot1x_eap_tls.certs.http.dns_names}}", + "ip_addresses": "{{.wired_dot1x_eap_tls.certs.http.ip_addresses}}" } headers: "Authorization": "{{.get_login_token.json.result.token}}" 
@@ -211,46 +211,46 @@ testcases: steps: - type: exec script: | - curl -k --output {{.create_temp_directory.temp_dir}}/{{.dot1x_eap_tls_pfpki.certs.http.cn}}.p12 \ + curl -k --output {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.http.cn}}.p12 \ http://127.0.0.1:22225/api/v1/pki/cert/{{.create_pf_http_cert.serial_number}}/download/secret - name: extract_ca_certificate steps: - type: exec script: | - openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.dot1x_eap_tls_pfpki.certs.http.cn}}.p12 -cacerts -nokeys \ - -out {{.create_temp_directory.temp_dir}}/{{.dot1x_eap_tls_pfpki.certs.ca.cn}}.crt -passin pass:secret + openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.http.cn}}.p12 -cacerts -nokeys \ + -out {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.ca.cn}}.crt -passin pass:secret - name: extract_http_certificate steps: - type: exec script: | - openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.dot1x_eap_tls_pfpki.certs.http.cn}}.p12 -clcerts -nokeys \ - -out {{.create_temp_directory.temp_dir}}/{{.dot1x_eap_tls_pfpki.certs.http.cn}}.crt -passin pass:secret + openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.http.cn}}.p12 -clcerts -nokeys \ + -out {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.http.cn}}.crt -passin pass:secret - name: extract_http_key steps: - type: exec script: | - openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.dot1x_eap_tls_pfpki.certs.http.cn}}.p12 -nocerts -nodes \ - -out {{.create_temp_directory.temp_dir}}/{{.dot1x_eap_tls_pfpki.certs.http.cn}}.key -passin pass:secret + openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.http.cn}}.p12 -nocerts -nodes \ + -out {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.http.cn}}.key -passin pass:secret - name: install_http_cert_portal steps: - type: exec script: | - cat 
{{.create_temp_directory.temp_dir}}/{{.dot1x_eap_tls_pfpki.certs.http.cn}}.crt \ - {{.create_temp_directory.temp_dir}}/{{.dot1x_eap_tls_pfpki.certs.http.cn}}.key > /usr/local/pf/conf/ssl/server.pem + cat {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.http.cn}}.crt \ + {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.http.cn}}.key > /usr/local/pf/conf/ssl/server.pem - name: install_http_cert_webadmin steps: - type: exec - script: "cat {{.create_temp_directory.temp_dir}}/{{.dot1x_eap_tls_pfpki.certs.http.cn}}.crt > /usr/local/pf/conf/ssl/server.crt" + script: "cat {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.http.cn}}.crt > /usr/local/pf/conf/ssl/server.crt" - name: install_http_key_webadmin steps: - type: exec - script: "cat {{.create_temp_directory.temp_dir}}/{{.dot1x_eap_tls_pfpki.certs.http.cn}}.key > /usr/local/pf/conf/ssl/server.key" + script: "cat {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.http.cn}}.key > /usr/local/pf/conf/ssl/server.key" ### User certificate part 
@@ -263,22 +263,22 @@ testcases: body: >- { "ca_id": "{{.create_root_ca.ca_id}}", - "name": "{{.dot1x_eap_tls_pfpki.templates.user.name}}", - "validity": "{{.dot1x_eap_tls_pfpki.certs.validity}}", - "key_type": "{{.dot1x_eap_tls_pfpki.certs.key_type}}", - "digest": "{{.dot1x_eap_tls_pfpki.certs.digest}}", + "name": "{{.wired_dot1x_eap_tls.templates.user.name}}", + "validity": "{{.wired_dot1x_eap_tls.certs.validity}}", + "key_type": "{{.wired_dot1x_eap_tls.certs.key_type}}", + "digest": "{{.wired_dot1x_eap_tls.certs.digest}}", "key_usage": "", "extended_key_usage": "2", - "key_size": "{{.dot1x_eap_tls_pfpki.certs.key_size}}", - "organisational_unit": "{{.dot1x_eap_tls_pfpki.certs.organisational_unit}}", - "organisation": "{{.dot1x_eap_tls_pfpki.certs.organisation}}", - "country": "{{.dot1x_eap_tls_pfpki.certs.country}}", - "state": "{{.dot1x_eap_tls_pfpki.certs.state}}", - "locality": "{{.dot1x_eap_tls_pfpki.certs.locality}}", - "ocsp_url": "{{.dot1x_eap_tls_pfpki.certs.ocsp_url}}", - "scep_enabled": "{{.dot1x_eap_tls_pfpki.certs.user.scep_enabled}}", - "scep_challenge_password": "{{.dot1x_eap_tls_pfpki.certs.user.scep_challenge_password}}", - "scep_days_before_renewal": "{{.dot1x_eap_tls_pfpki.certs.user.scep_days_before_renewal}}" + "key_size": "{{.wired_dot1x_eap_tls.certs.key_size}}", + "organisational_unit": "{{.wired_dot1x_eap_tls.certs.organisational_unit}}", + "organisation": "{{.wired_dot1x_eap_tls.certs.organisation}}", + "country": "{{.wired_dot1x_eap_tls.certs.country}}", + "state": "{{.wired_dot1x_eap_tls.certs.state}}", + "locality": "{{.wired_dot1x_eap_tls.certs.locality}}", + "ocsp_url": "{{.wired_dot1x_eap_tls.certs.ocsp_url}}", + "scep_enabled": "{{.wired_dot1x_eap_tls.certs.user.scep_enabled}}", + "scep_challenge_password": "{{.wired_dot1x_eap_tls.certs.user.scep_challenge_password}}", + "scep_days_before_renewal": "{{.wired_dot1x_eap_tls.certs.user.scep_days_before_renewal}}" } headers: "Authorization": "{{.get_login_token.json.result.token}}" 
@@ -298,8 +298,8 @@ testcases: body: >- { "profile_id": "{{.create_user_cert_template.profile_id}}", - "cn": "{{.dot1x_eap_tls_pfpki.certs.user.cn}}", - "mail": "{{.dot1x_eap_tls_pfpki.certs.user.mail}}" + "cn": "{{.wired_dot1x_eap_tls.certs.user.cn}}", + "mail": "{{.wired_dot1x_eap_tls.certs.user.mail}}" } headers: "Authorization": "{{.get_login_token.json.result.token}}" diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_manual/10_enable_ocsp.yml b/t/venom/test_suites/wired_dot1x_eap_tls_manual/10_enable_ocsp.yml index 4f8d47b9045d..2f7ea777b4fc 100644 --- a/t/venom/test_suites/wired_dot1x_eap_tls_manual/10_enable_ocsp.yml +++ b/t/venom/test_suites/wired_dot1x_eap_tls_manual/10_enable_ocsp.yml @@ -12,13 +12,13 @@ testcases: ignore_verify_ssl: true body: >- { - "id": "{{.dot1x_eap_tls_pfpki.ocsp.id}}", - "ocsp_enable": "{{.dot1x_eap_tls_pfpki.ocsp.enable}}", - "ocsp_url": "{{.dot1x_eap_tls_pfpki.ocsp.url}}", - "ocsp_override_cert_url": "{{.dot1x_eap_tls_pfpki.ocsp.override_cert_url}}", - "ocsp_softfail": "{{.dot1x_eap_tls_pfpki.ocsp.softfail}}", - "ocsp_timeout": "{{.dot1x_eap_tls_pfpki.ocsp.timeout}}", - "ocsp_use_nonce": "{{.dot1x_eap_tls_pfpki.ocsp.use_nonce}}" + "id": "{{.wired_dot1x_eap_tls.ocsp.id}}", + "ocsp_enable": "{{.wired_dot1x_eap_tls.ocsp.enable}}", + "ocsp_url": "{{.wired_dot1x_eap_tls.ocsp.url}}", + "ocsp_override_cert_url": "{{.wired_dot1x_eap_tls.ocsp.override_cert_url}}", + "ocsp_softfail": "{{.wired_dot1x_eap_tls.ocsp.softfail}}", + "ocsp_timeout": "{{.wired_dot1x_eap_tls.ocsp.timeout}}", + "ocsp_use_nonce": "{{.wired_dot1x_eap_tls.ocsp.use_nonce}}" } headers: "Authorization": "{{.get_login_token.json.result.token}}" @@ -35,7 +35,7 @@ testcases: body: >- { "id": "tls-common", - "ocsp": "{{.dot1x_eap_tls_pfpki.ocsp.id}}" + "ocsp": "{{.wired_dot1x_eap_tls.ocsp.id}}" } headers: "Authorization": "{{.get_login_token.json.result.token}}" 
diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_manual/45_create_eaptls_source.yml b/t/venom/test_suites/wired_dot1x_eap_tls_manual/45_create_eaptls_source.yml index 03dcc348dcdf..c132d8cec476 100644 --- a/t/venom/test_suites/wired_dot1x_eap_tls_manual/45_create_eaptls_source.yml +++ b/t/venom/test_suites/wired_dot1x_eap_tls_manual/45_create_eaptls_source.yml @@ -21,24 +21,24 @@ testcases: "actions": [ { "type": "set_role", - "value": "{{.dot1x_eap_tls_pfpki.roles.dot1x_eap_tls.id}}" + "value": "{{.wired_dot1x_eap_tls.roles.dot1x_eap_tls.id}}" }, { "type": "set_access_duration", - "value": "{{.dot1x_eap_tls_pfpki.sources.eaptls.access_duration}}" + "value": "{{.wired_dot1x_eap_tls.sources.eaptls.access_duration}}" } ], "conditions": [ { "attribute": "radius_request.TLS-Client-Cert-Issuer", "operator": "equals", - "value": "{{.dot1x_eap_tls_pfpki.certs.ca.issuer}}" + "value": "{{.wired_dot1x_eap_tls.certs.ca.issuer}}" } ] } ], - "description": "{{.dot1x_eap_tls_pfpki.sources.eaptls.description}}", - "id": "{{.dot1x_eap_tls_pfpki.sources.eaptls.name}}", + "description": "{{.wired_dot1x_eap_tls.sources.eaptls.description}}", + "id": "{{.wired_dot1x_eap_tls.sources.eaptls.name}}", "realms": "", "set_access_durations_action": null, "type": "EAPTLS" diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_manual/50_create_connection_profile.yml b/t/venom/test_suites/wired_dot1x_eap_tls_manual/50_create_connection_profile.yml index c3973a64f5a0..bc4a2c24245f 100644 --- a/t/venom/test_suites/wired_dot1x_eap_tls_manual/50_create_connection_profile.yml +++ b/t/venom/test_suites/wired_dot1x_eap_tls_manual/50_create_connection_profile.yml 
@@ -22,22 +22,22 @@ testcases: "unit": "m" }, "default_psk_key": null, - "description": "{{.dot1x_eap_tls_pfpki.profiles.wired.description}}", + "description": "{{.wired_dot1x_eap_tls.profiles.wired.description}}", "dot1x_recompute_role_from_portal": "enabled", "dot1x_unset_on_unmatch": "disabled", "dpsk": "disabled", "filter": [ { "type": "connection_type", - "match": "{{.dot1x_eap_tls_pfpki.profiles.wired.filters.connection_type}}" + "match": "{{.wired_dot1x_eap_tls.profiles.wired.filters.connection_type}}" }, { "type": "connection_sub_type", - "match": "{{.dot1x_eap_tls_pfpki.profiles.wired.filters.connection_sub_type}}" + "match": "{{.wired_dot1x_eap_tls.profiles.wired.filters.connection_sub_type}}" } ], "filter_match_style": "all", - "id": "{{.dot1x_eap_tls_pfpki.profiles.wired.id}}", + "id": "{{.wired_dot1x_eap_tls.profiles.wired.id}}", "locale": null, "login_attempt_limit": 0, "logo": null, @@ -54,10 +54,10 @@ testcases: "sms_pin_retry_limit": 0, "sms_request_limit": 0, "sources": [ - "{{.dot1x_eap_tls_pfpki.sources.eaptls.name}}" + "{{.wired_dot1x_eap_tls.sources.eaptls.name}}" ], "status": "enabled", - "unreg_on_acct_stop": "{{.dot1x_eap_tls_pfpki.profiles.wired.unreg_on_acct_stop}}", + "unreg_on_acct_stop": "{{.wired_dot1x_eap_tls.profiles.wired.unreg_on_acct_stop}}", "vlan_pool_technique": "username_hash" } headers: diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_manual/75_deploy_certificates_on_node01.yml b/t/venom/test_suites/wired_dot1x_eap_tls_manual/75_deploy_certificates_on_node01.yml index 6843932e86b0..eec5f1b21301 100644 --- a/t/venom/test_suites/wired_dot1x_eap_tls_manual/75_deploy_certificates_on_node01.yml +++ b/t/venom/test_suites/wired_dot1x_eap_tls_manual/75_deploy_certificates_on_node01.yml 
@@ -12,4 +12,4 @@ testcases:
 host: '{{.node01_mgmt_ip}}'
 user: '{{.ssh_user}}'
 command: |
- sudo cp -v /home/vagrant/{{.dot1x_eap_tls_pfpki.certs.user.cn}}/* /etc/wpa_supplicant/eap_tls/
+ sudo cp -v /home/vagrant/{{.wired_dot1x_eap_tls.certs.user.cn}}/* /etc/wpa_supplicant/eap_tls/
diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_manual/91_check_radius_audit_log.yml b/t/venom/test_suites/wired_dot1x_eap_tls_manual/91_check_radius_audit_log.yml
index 45dfbcd4bd14..abccafa922c8 100644
--- a/t/venom/test_suites/wired_dot1x_eap_tls_manual/91_check_radius_audit_log.yml
+++ b/t/venom/test_suites/wired_dot1x_eap_tls_manual/91_check_radius_audit_log.yml
@@ -61,7 +61,7 @@ testcases:
 {
 "field": "connection_type",
 "op": "equals",
- "value": "{{.dot1x_eap_peap.profiles.wired.filters.connection_type}}"
+ "value": "{{.wired_dot1x_eap_tls.profiles.wired.filters.connection_type}}"
 }
 ]
 },
@@ -99,5 +99,5 @@ testcases:
 "Content-Type": "application/json"
 assertions:
 - result.statuscode ShouldEqual 200
- - result.bodyjson.item.radius_reply ShouldContainSubstring 'Tunnel-Private-Group-Id = "{{.dot1x_eap_peap.roles.ad_user.vlan_id}}"'
- - result.bodyjson.item.profile ShouldEqual "{{.dot1x_eap_peap.profiles.wired.id}}"
+ - result.bodyjson.item.radius_reply ShouldContainSubstring 'Tunnel-Private-Group-Id = "{{.wired_dot1x_eap_tls.roles.ad_user.vlan_id}}"'
+ - result.bodyjson.item.profile ShouldEqual "{{.wired_dot1x_eap_tls.profiles.wired.id}}"
diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_manual/TESTSUITE.md b/t/venom/test_suites/wired_dot1x_eap_tls_manual/TESTSUITE.md
index fc4515dfcbf6..a4c0899bbd63 100644
--- a/t/venom/test_suites/wired_dot1x_eap_tls_manual/TESTSUITE.md
+++ b/t/venom/test_suites/wired_dot1x_eap_tls_manual/TESTSUITE.md
@@ -1,4 +1,4 @@
-# dot1x_eap_tls_pfpki
+# wired_dot1x_eap_tls
 
 ## Requirements
 N/A
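Review bot: The renamed assertion in 91_check_radius_audit_log.yml now expects `{{.wired_dot1x_eap_tls.roles.ad_user.vlan_id}}`, but `ad_user` is the EAP-PEAP suite's role; the role this suite creates (the `create_wired_dot1x_eap_tls_role` testcase in the 00_create_roles hunks earlier in this patch) is `roles.dot1x_eap_tls`. Unless all.yml defines an `ad_user` entry under the new prefix, the expected substring no longer pins the VLAN this suite configured, so the VLAN returned to the switch in Tunnel-Private-Group-Id goes effectively unverified. Use `- result.bodyjson.item.radius_reply ShouldContainSubstring 'Tunnel-Private-Group-Id = "{{.wired_dot1x_eap_tls.roles.dot1x_eap_tls.vlan_id}}"'`.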
diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_manual/teardown/90_teardown.yml b/t/venom/test_suites/wired_dot1x_eap_tls_manual/teardown/90_teardown.yml index cdbdbf00327d..5c171990583a 100644 --- a/t/venom/test_suites/wired_dot1x_eap_tls_manual/teardown/90_teardown.yml +++ b/t/venom/test_suites/wired_dot1x_eap_tls_manual/teardown/90_teardown.yml @@ -8,7 +8,7 @@ testcases: steps: - type: http method: DELETE - url: '{{.pfserver_webadmin_url}}/api/v1/config/connection_profile/{{.dot1x_eap_tls_pfpki.profiles.wired.id}}' + url: '{{.pfserver_webadmin_url}}/api/v1/config/connection_profile/{{.wired_dot1x_eap_tls.profiles.wired.id}}' ignore_verify_ssl: true headers: "Authorization": "{{.get_login_token.json.result.token}}" @@ -20,7 +20,7 @@ testcases: steps: - type: http method: DELETE - url: '{{.pfserver_webadmin_url}}/api/v1/config/source/{{.dot1x_eap_tls_pfpki.sources.eaptls.name}}' + url: '{{.pfserver_webadmin_url}}/api/v1/config/source/{{.wired_dot1x_eap_tls.sources.eaptls.name}}' ignore_verify_ssl: true headers: "Authorization": "{{.get_login_token.json.result.token}}" @@ -50,7 +50,7 @@ testcases: steps: - type: http method: DELETE - url: '{{.pfserver_webadmin_url}}/api/v1/config/radiusd/ocsp_profile/{{.dot1x_eap_tls_pfpki.ocsp.id}}' + url: '{{.pfserver_webadmin_url}}/api/v1/config/radiusd/ocsp_profile/{{.wired_dot1x_eap_tls.ocsp.id}}' ignore_verify_ssl: true headers: "Authorization": "{{.get_login_token.json.result.token}}" diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_scep/00_create_pki.yml b/t/venom/test_suites/wired_dot1x_eap_tls_scep/00_create_pki.yml index 1b3dd17ac6a1..f63fee19f375 100644 --- a/t/venom/test_suites/wired_dot1x_eap_tls_scep/00_create_pki.yml +++ b/t/venom/test_suites/wired_dot1x_eap_tls_scep/00_create_pki.yml 
@@ -12,20 +12,20 @@ testcases: ignore_verify_ssl: true body: >- { - "cn": "{{.dot1x_eap_tls_pfpki.certs.ca.cn}}", - "mail": "{{.dot1x_eap_tls_pfpki.certs.ca.mail}}", - "organisational_unit": "{{.dot1x_eap_tls_pfpki.certs.organisational_unit}}", - "organisation": "{{.dot1x_eap_tls_pfpki.certs.organisation}}", - "country": "{{.dot1x_eap_tls_pfpki.certs.country}}", - "state": "{{.dot1x_eap_tls_pfpki.certs.state}}", - "locality": "{{.dot1x_eap_tls_pfpki.certs.locality}}", - "key_type": "{{.dot1x_eap_tls_pfpki.certs.key_type}}", - "digest": "{{.dot1x_eap_tls_pfpki.certs.digest}}", + "cn": "{{.wired_dot1x_eap_tls.certs.ca.cn}}", + "mail": "{{.wired_dot1x_eap_tls.certs.ca.mail}}", + "organisational_unit": "{{.wired_dot1x_eap_tls.certs.organisational_unit}}", + "organisation": "{{.wired_dot1x_eap_tls.certs.organisation}}", + "country": "{{.wired_dot1x_eap_tls.certs.country}}", + "state": "{{.wired_dot1x_eap_tls.certs.state}}", + "locality": "{{.wired_dot1x_eap_tls.certs.locality}}", + "key_type": "{{.wired_dot1x_eap_tls.certs.key_type}}", + "digest": "{{.wired_dot1x_eap_tls.certs.digest}}", "key_usage": "", "extended_key_usage": "", - "days": "{{.dot1x_eap_tls_pfpki.certs.validity}}", - "key_size": "{{.dot1x_eap_tls_pfpki.certs.key_size}}", - "ocsp_url": "{{.dot1x_eap_tls_pfpki.certs.ocsp_url}}" + "days": "{{.wired_dot1x_eap_tls.certs.validity}}", + "key_size": "{{.wired_dot1x_eap_tls.certs.key_size}}", + "ocsp_url": "{{.wired_dot1x_eap_tls.certs.ocsp_url}}" } headers: "Authorization": "{{.get_login_token.json.result.token}}" 
@@ -46,19 +46,19 @@ testcases: body: >- { "ca_id": "{{.create_root_ca.ca_id}}", - "name": "{{.dot1x_eap_tls_pfpki.templates.radius.name}}", - "validity": "{{.dot1x_eap_tls_pfpki.certs.validity}}", - "key_type": "{{.dot1x_eap_tls_pfpki.certs.key_type}}", - "digest": "{{.dot1x_eap_tls_pfpki.certs.digest}}", + "name": "{{.wired_dot1x_eap_tls.templates.radius.name}}", + "validity": "{{.wired_dot1x_eap_tls.certs.validity}}", + "key_type": "{{.wired_dot1x_eap_tls.certs.key_type}}", + "digest": "{{.wired_dot1x_eap_tls.certs.digest}}", "key_usage": "", "extended_key_usage": "1", - "key_size": "{{.dot1x_eap_tls_pfpki.certs.key_size}}", - "organisational_unit": "{{.dot1x_eap_tls_pfpki.certs.organisational_unit}}", - "organisation": "{{.dot1x_eap_tls_pfpki.certs.organisation}}", - "country": "{{.dot1x_eap_tls_pfpki.certs.country}}", - "state": "{{.dot1x_eap_tls_pfpki.certs.state}}", - "locality": "{{.dot1x_eap_tls_pfpki.certs.locality}}", - "ocsp_url": "{{.dot1x_eap_tls_pfpki.certs.ocsp_url}}" + "key_size": "{{.wired_dot1x_eap_tls.certs.key_size}}", + "organisational_unit": "{{.wired_dot1x_eap_tls.certs.organisational_unit}}", + "organisation": "{{.wired_dot1x_eap_tls.certs.organisation}}", + "country": "{{.wired_dot1x_eap_tls.certs.country}}", + "state": "{{.wired_dot1x_eap_tls.certs.state}}", + "locality": "{{.wired_dot1x_eap_tls.certs.locality}}", + "ocsp_url": "{{.wired_dot1x_eap_tls.certs.ocsp_url}}" } headers: "Authorization": "{{.get_login_token.json.result.token}}" 
@@ -78,10 +78,10 @@ testcases: body: >- { "profile_id": "{{.create_pf_radius_cert_template.profile_id}}", - "cn": "{{.dot1x_eap_tls_pfpki.certs.radius.cn}}", - "mail": "{{.dot1x_eap_tls_pfpki.certs.radius.mail}}", - "dns_names": "{{.dot1x_eap_tls_pfpki.certs.radius.dns_names}}", - "ip_addresses": "{{.dot1x_eap_tls_pfpki.certs.radius.ip_addresses}}" + "cn": "{{.wired_dot1x_eap_tls.certs.radius.cn}}", + "mail": "{{.wired_dot1x_eap_tls.certs.radius.mail}}", + "dns_names": "{{.wired_dot1x_eap_tls.certs.radius.dns_names}}", + "ip_addresses": "{{.wired_dot1x_eap_tls.certs.radius.ip_addresses}}" } headers: "Authorization": "{{.get_login_token.json.result.token}}" 
@@ -104,44 +104,44 @@ testcases: steps: - type: exec script: | - curl -k --output {{.create_temp_directory.temp_dir}}/{{.dot1x_eap_tls_pfpki.certs.radius.cn}}.p12 \ + curl -k --output {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.radius.cn}}.p12 \ http://127.0.0.1:22225/api/v1/pki/cert/{{.create_pf_radius_cert.serial_number}}/download/secret - name: extract_ca_certificate steps: - type: exec script: | - openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.dot1x_eap_tls_pfpki.certs.radius.cn}}.p12 -cacerts -nokeys \ - -out {{.create_temp_directory.temp_dir}}/{{.dot1x_eap_tls_pfpki.certs.ca.cn}}.crt -passin pass:secret + openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.radius.cn}}.p12 -cacerts -nokeys \ + -out {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.ca.cn}}.crt -passin pass:secret - name: extract_radius_certificate steps: - type: exec script: | - openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.dot1x_eap_tls_pfpki.certs.radius.cn}}.p12 -clcerts -nokeys \ - -out {{.create_temp_directory.temp_dir}}/{{.dot1x_eap_tls_pfpki.certs.radius.cn}}.crt -passin pass:secret + openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.radius.cn}}.p12 -clcerts -nokeys \ + -out {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.radius.cn}}.crt -passin pass:secret - name: extract_radius_key steps: - type: exec script: | - openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.dot1x_eap_tls_pfpki.certs.radius.cn}}.p12 -nocerts -nodes \ - -out {{.create_temp_directory.temp_dir}}/{{.dot1x_eap_tls_pfpki.certs.radius.cn}}.key -passin pass:secret + openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.radius.cn}}.p12 -nocerts -nodes \ + -out {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.radius.cn}}.key -passin pass:secret - name: install_ca_cert steps: - type: exec - script: "cp 
{{.create_temp_directory.temp_dir}}/{{.dot1x_eap_tls_pfpki.certs.ca.cn}}.crt /usr/local/pf/raddb/certs/ca.pem" + script: "cp {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.ca.cn}}.crt /usr/local/pf/raddb/certs/ca.pem" - name: install_radius_cert steps: - type: exec - script: "cp {{.create_temp_directory.temp_dir}}/{{.dot1x_eap_tls_pfpki.certs.radius.cn}}.crt /usr/local/pf/raddb/certs/server.crt" + script: "cp {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.radius.cn}}.crt /usr/local/pf/raddb/certs/server.crt" - name: install_radius_key steps: - type: exec - script: "cp {{.create_temp_directory.temp_dir}}/{{.dot1x_eap_tls_pfpki.certs.radius.cn}}.key /usr/local/pf/raddb/certs/server.key" + script: "cp {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.radius.cn}}.key /usr/local/pf/raddb/certs/server.key" ### HTTP certificate part - name: create_pf_http_cert_template 
@@ -153,19 +153,19 @@ testcases: body: >- { "ca_id": "{{.create_root_ca.ca_id}}", - "name": "{{.dot1x_eap_tls_pfpki.templates.http.name}}", - "validity": "{{.dot1x_eap_tls_pfpki.certs.validity}}", - "key_type": "{{.dot1x_eap_tls_pfpki.certs.key_type}}", - "digest": "{{.dot1x_eap_tls_pfpki.certs.digest}}", + "name": "{{.wired_dot1x_eap_tls.templates.http.name}}", + "validity": "{{.wired_dot1x_eap_tls.certs.validity}}", + "key_type": "{{.wired_dot1x_eap_tls.certs.key_type}}", + "digest": "{{.wired_dot1x_eap_tls.certs.digest}}", "key_usage": "", "extended_key_usage": "1", - "key_size": "{{.dot1x_eap_tls_pfpki.certs.key_size}}", - "organisational_unit": "{{.dot1x_eap_tls_pfpki.certs.organisational_unit}}", - "organisation": "{{.dot1x_eap_tls_pfpki.certs.organisation}}", - "country": "{{.dot1x_eap_tls_pfpki.certs.country}}", - "state": "{{.dot1x_eap_tls_pfpki.certs.state}}", - "locality": "{{.dot1x_eap_tls_pfpki.certs.locality}}", - "ocsp_url": "{{.dot1x_eap_tls_pfpki.certs.ocsp_url}}" + "key_size": "{{.wired_dot1x_eap_tls.certs.key_size}}", + "organisational_unit": "{{.wired_dot1x_eap_tls.certs.organisational_unit}}", + "organisation": "{{.wired_dot1x_eap_tls.certs.organisation}}", + "country": "{{.wired_dot1x_eap_tls.certs.country}}", + "state": "{{.wired_dot1x_eap_tls.certs.state}}", + "locality": "{{.wired_dot1x_eap_tls.certs.locality}}", + "ocsp_url": "{{.wired_dot1x_eap_tls.certs.ocsp_url}}" } headers: "Authorization": "{{.get_login_token.json.result.token}}" 
@@ -185,10 +185,10 @@ testcases: body: >- { "profile_id": "{{.create_pf_http_cert_template.profile_id}}", - "cn": "{{.dot1x_eap_tls_pfpki.certs.http.cn}}", - "mail": "{{.dot1x_eap_tls_pfpki.certs.http.mail}}", - "dns_names": "{{.dot1x_eap_tls_pfpki.certs.http.dns_names}}", - "ip_addresses": "{{.dot1x_eap_tls_pfpki.certs.http.ip_addresses}}" + "cn": "{{.wired_dot1x_eap_tls.certs.http.cn}}", + "mail": "{{.wired_dot1x_eap_tls.certs.http.mail}}", + "dns_names": "{{.wired_dot1x_eap_tls.certs.http.dns_names}}", + "ip_addresses": "{{.wired_dot1x_eap_tls.certs.http.ip_addresses}}" } headers: "Authorization": "{{.get_login_token.json.result.token}}" 
@@ -211,46 +211,46 @@ testcases: steps: - type: exec script: | - curl -k --output {{.create_temp_directory.temp_dir}}/{{.dot1x_eap_tls_pfpki.certs.http.cn}}.p12 \ + curl -k --output {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.http.cn}}.p12 \ http://127.0.0.1:22225/api/v1/pki/cert/{{.create_pf_http_cert.serial_number}}/download/secret - name: extract_ca_certificate steps: - type: exec script: | - openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.dot1x_eap_tls_pfpki.certs.http.cn}}.p12 -cacerts -nokeys \ - -out {{.create_temp_directory.temp_dir}}/{{.dot1x_eap_tls_pfpki.certs.ca.cn}}.crt -passin pass:secret + openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.http.cn}}.p12 -cacerts -nokeys \ + -out {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.ca.cn}}.crt -passin pass:secret - name: extract_http_certificate steps: - type: exec script: | - openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.dot1x_eap_tls_pfpki.certs.http.cn}}.p12 -clcerts -nokeys \ - -out {{.create_temp_directory.temp_dir}}/{{.dot1x_eap_tls_pfpki.certs.http.cn}}.crt -passin pass:secret + openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.http.cn}}.p12 -clcerts -nokeys \ + -out {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.http.cn}}.crt -passin pass:secret - name: extract_http_key steps: - type: exec script: | - openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.dot1x_eap_tls_pfpki.certs.http.cn}}.p12 -nocerts -nodes \ - -out {{.create_temp_directory.temp_dir}}/{{.dot1x_eap_tls_pfpki.certs.http.cn}}.key -passin pass:secret + openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.http.cn}}.p12 -nocerts -nodes \ + -out {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.http.cn}}.key -passin pass:secret - name: install_http_cert_portal steps: - type: exec script: | - cat 
{{.create_temp_directory.temp_dir}}/{{.dot1x_eap_tls_pfpki.certs.http.cn}}.crt \ - {{.create_temp_directory.temp_dir}}/{{.dot1x_eap_tls_pfpki.certs.http.cn}}.key > /usr/local/pf/conf/ssl/server.pem + cat {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.http.cn}}.crt \ + {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.http.cn}}.key > /usr/local/pf/conf/ssl/server.pem - name: install_http_cert_webadmin steps: - type: exec - script: "cat {{.create_temp_directory.temp_dir}}/{{.dot1x_eap_tls_pfpki.certs.http.cn}}.crt > /usr/local/pf/conf/ssl/server.crt" + script: "cat {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.http.cn}}.crt > /usr/local/pf/conf/ssl/server.crt" - name: install_http_key_webadmin steps: - type: exec - script: "cat {{.create_temp_directory.temp_dir}}/{{.dot1x_eap_tls_pfpki.certs.http.cn}}.key > /usr/local/pf/conf/ssl/server.key" + script: "cat {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.http.cn}}.key > /usr/local/pf/conf/ssl/server.key" ### User certificate part 
@@ -263,22 +263,22 @@ testcases: body: >- { "ca_id": "{{.create_root_ca.ca_id}}", - "name": "{{.dot1x_eap_tls_pfpki.templates.user.name}}", - "validity": "{{.dot1x_eap_tls_pfpki.certs.validity}}", - "key_type": "{{.dot1x_eap_tls_pfpki.certs.key_type}}", - "digest": "{{.dot1x_eap_tls_pfpki.certs.digest}}", + "name": "{{.wired_dot1x_eap_tls.templates.user.name}}", + "validity": "{{.wired_dot1x_eap_tls.certs.validity}}", + "key_type": "{{.wired_dot1x_eap_tls.certs.key_type}}", + "digest": "{{.wired_dot1x_eap_tls.certs.digest}}", "key_usage": "", "extended_key_usage": "2", - "key_size": "{{.dot1x_eap_tls_pfpki.certs.key_size}}", - "organisational_unit": "{{.dot1x_eap_tls_pfpki.certs.organisational_unit}}", - "organisation": "{{.dot1x_eap_tls_pfpki.certs.organisation}}", - "country": "{{.dot1x_eap_tls_pfpki.certs.country}}", - "state": "{{.dot1x_eap_tls_pfpki.certs.state}}", - "locality": "{{.dot1x_eap_tls_pfpki.certs.locality}}", - "ocsp_url": "{{.dot1x_eap_tls_pfpki.certs.ocsp_url}}", - "scep_enabled": "{{.dot1x_eap_tls_pfpki.certs.user.scep_enabled}}", - "scep_challenge_password": "{{.dot1x_eap_tls_pfpki.certs.user.scep_challenge_password}}", - "scep_days_before_renewal": "{{.dot1x_eap_tls_pfpki.certs.user.scep_days_before_renewal}}" + "key_size": "{{.wired_dot1x_eap_tls.certs.key_size}}", + "organisational_unit": "{{.wired_dot1x_eap_tls.certs.organisational_unit}}", + "organisation": "{{.wired_dot1x_eap_tls.certs.organisation}}", + "country": "{{.wired_dot1x_eap_tls.certs.country}}", + "state": "{{.wired_dot1x_eap_tls.certs.state}}", + "locality": "{{.wired_dot1x_eap_tls.certs.locality}}", + "ocsp_url": "{{.wired_dot1x_eap_tls.certs.ocsp_url}}", + "scep_enabled": "{{.wired_dot1x_eap_tls.certs.user.scep_enabled}}", + "scep_challenge_password": "{{.wired_dot1x_eap_tls.certs.user.scep_challenge_password}}", + "scep_days_before_renewal": "{{.wired_dot1x_eap_tls.certs.user.scep_days_before_renewal}}" } headers: "Authorization": "{{.get_login_token.json.result.token}}" 
@@ -298,8 +298,8 @@ testcases: body: >- { "profile_id": "{{.create_user_cert_template.profile_id}}", - "cn": "{{.dot1x_eap_tls_pfpki.certs.user.cn}}", - "mail": "{{.dot1x_eap_tls_pfpki.certs.user.mail}}" + "cn": "{{.wired_dot1x_eap_tls.certs.user.cn}}", + "mail": "{{.wired_dot1x_eap_tls.certs.user.mail}}" } headers: "Authorization": "{{.get_login_token.json.result.token}}" 
@@ -322,26 +322,26 @@ testcases: steps: - type: exec script: | - curl -k --output {{.create_temp_directory.temp_dir}}/{{.dot1x_eap_tls_pfpki.certs.user.cn}}.p12 \ + curl -k --output {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.user.cn}}.p12 \ http://127.0.0.1:22225/api/v1/pki/cert/{{.create_user_cert.serial_number}}/download/secret - name: extract_ca_certificate steps: - type: exec script: | - openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.dot1x_eap_tls_pfpki.certs.user.cn}}.p12 -cacerts -nokeys \ - -out {{.create_temp_directory.temp_dir}}/{{.dot1x_eap_tls_pfpki.certs.ca.cn}}.crt -passin pass:secret + openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.user.cn}}.p12 -cacerts -nokeys \ + -out {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.ca.cn}}.crt -passin pass:secret - name: extract_user_certificate steps: - type: exec script: | - openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.dot1x_eap_tls_pfpki.certs.user.cn}}.p12 -clcerts -nokeys \ - -out {{.create_temp_directory.temp_dir}}/{{.dot1x_eap_tls_pfpki.certs.user.cn}}.crt -passin pass:secret + openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.user.cn}}.p12 -clcerts -nokeys \ + -out {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.user.cn}}.crt -passin pass:secret - name: extract_user_key steps: - type: exec script: | - openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.dot1x_eap_tls_pfpki.certs.user.cn}}.p12 -nocerts -nodes \ - -out {{.create_temp_directory.temp_dir}}/{{.dot1x_eap_tls_pfpki.certs.user.cn}}.key -passin pass:secret + openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.user.cn}}.p12 -nocerts -nodes \ + -out {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.user.cn}}.key -passin pass:secret 
diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_scep/10_enable_ocsp.yml b/t/venom/test_suites/wired_dot1x_eap_tls_scep/10_enable_ocsp.yml index 4f8d47b9045d..2f7ea777b4fc 100644 --- a/t/venom/test_suites/wired_dot1x_eap_tls_scep/10_enable_ocsp.yml +++ b/t/venom/test_suites/wired_dot1x_eap_tls_scep/10_enable_ocsp.yml @@ -12,13 +12,13 @@ testcases: ignore_verify_ssl: true body: >- { - "id": "{{.dot1x_eap_tls_pfpki.ocsp.id}}", - "ocsp_enable": "{{.dot1x_eap_tls_pfpki.ocsp.enable}}", - "ocsp_url": "{{.dot1x_eap_tls_pfpki.ocsp.url}}", - "ocsp_override_cert_url": "{{.dot1x_eap_tls_pfpki.ocsp.override_cert_url}}", - "ocsp_softfail": "{{.dot1x_eap_tls_pfpki.ocsp.softfail}}", - "ocsp_timeout": "{{.dot1x_eap_tls_pfpki.ocsp.timeout}}", - "ocsp_use_nonce": "{{.dot1x_eap_tls_pfpki.ocsp.use_nonce}}" + "id": "{{.wired_dot1x_eap_tls.ocsp.id}}", + "ocsp_enable": "{{.wired_dot1x_eap_tls.ocsp.enable}}", + "ocsp_url": "{{.wired_dot1x_eap_tls.ocsp.url}}", + "ocsp_override_cert_url": "{{.wired_dot1x_eap_tls.ocsp.override_cert_url}}", + "ocsp_softfail": "{{.wired_dot1x_eap_tls.ocsp.softfail}}", + "ocsp_timeout": "{{.wired_dot1x_eap_tls.ocsp.timeout}}", + "ocsp_use_nonce": "{{.wired_dot1x_eap_tls.ocsp.use_nonce}}" } headers: "Authorization": "{{.get_login_token.json.result.token}}" @@ -35,7 +35,7 @@ testcases: body: >- { "id": "tls-common", - "ocsp": "{{.dot1x_eap_tls_pfpki.ocsp.id}}" + "ocsp": "{{.wired_dot1x_eap_tls.ocsp.id}}" } headers: "Authorization": "{{.get_login_token.json.result.token}}" diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_scep/45_create_eaptls_source.yml b/t/venom/test_suites/wired_dot1x_eap_tls_scep/45_create_eaptls_source.yml index 03dcc348dcdf..c132d8cec476 100644 --- a/t/venom/test_suites/wired_dot1x_eap_tls_scep/45_create_eaptls_source.yml +++ b/t/venom/test_suites/wired_dot1x_eap_tls_scep/45_create_eaptls_source.yml 
@@ -21,24 +21,24 @@ testcases: "actions": [ { "type": "set_role", - "value": "{{.dot1x_eap_tls_pfpki.roles.dot1x_eap_tls.id}}" + "value": "{{.wired_dot1x_eap_tls.roles.dot1x_eap_tls.id}}" }, { "type": "set_access_duration", - "value": "{{.dot1x_eap_tls_pfpki.sources.eaptls.access_duration}}" + "value": "{{.wired_dot1x_eap_tls.sources.eaptls.access_duration}}" } ], "conditions": [ { "attribute": "radius_request.TLS-Client-Cert-Issuer", "operator": "equals", - "value": "{{.dot1x_eap_tls_pfpki.certs.ca.issuer}}" + "value": "{{.wired_dot1x_eap_tls.certs.ca.issuer}}" } ] } ], - "description": "{{.dot1x_eap_tls_pfpki.sources.eaptls.description}}", - "id": "{{.dot1x_eap_tls_pfpki.sources.eaptls.name}}", + "description": "{{.wired_dot1x_eap_tls.sources.eaptls.description}}", + "id": "{{.wired_dot1x_eap_tls.sources.eaptls.name}}", "realms": "", "set_access_durations_action": null, "type": "EAPTLS" diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_scep/50_create_connection_profile.yml b/t/venom/test_suites/wired_dot1x_eap_tls_scep/50_create_connection_profile.yml index 3578221c3834..fda494a0502e 100644 --- a/t/venom/test_suites/wired_dot1x_eap_tls_scep/50_create_connection_profile.yml +++ b/t/venom/test_suites/wired_dot1x_eap_tls_scep/50_create_connection_profile.yml 
@@ -22,22 +22,22 @@ testcases: "unit": "m" }, "default_psk_key": null, - "description": "{{.dot1x_eap_tls_pfpki.profiles.wired.description}}", + "description": "{{.wired_dot1x_eap_tls.profiles.wired.description}}", "dot1x_recompute_role_from_portal": "enabled", "dot1x_unset_on_unmatch": "disabled", "dpsk": "disabled", "filter": [ { "type": "connection_type", - "match": "{{.dot1x_eap_tls_pfpki.profiles.wired.filters.connection_type}}" + "match": "{{.wired_dot1x_eap_tls.profiles.wired.filters.connection_type}}" }, { "type": "connection_sub_type", - "match": "{{.dot1x_eap_tls_pfpki.profiles.wired.filters.connection_sub_type}}" + "match": "{{.wired_dot1x_eap_tls.profiles.wired.filters.connection_sub_type}}" } ], "filter_match_style": "any", - "id": "{{.dot1x_eap_tls_pfpki.profiles.wired.id}}", + "id": "{{.wired_dot1x_eap_tls.profiles.wired.id}}", "locale": null, "login_attempt_limit": 0, "logo": null, @@ -54,10 +54,10 @@ testcases: "sms_pin_retry_limit": 0, "sms_request_limit": 0, "sources": [ - "{{.dot1x_eap_tls_pfpki.sources.eaptls.name}}" + "{{.wired_dot1x_eap_tls.sources.eaptls.name}}" ], "status": "enabled", - "unreg_on_acct_stop": "{{.dot1x_eap_tls_pfpki.profiles.wired.unreg_on_acct_stop}}", + "unreg_on_acct_stop": "{{.wired_dot1x_eap_tls.profiles.wired.unreg_on_acct_stop}}", "vlan_pool_technique": "username_hash" } headers: diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_scep/TESTSUITE.md b/t/venom/test_suites/wired_dot1x_eap_tls_scep/TESTSUITE.md index 8e3c253f1763..17a0b7000b70 100644 --- a/t/venom/test_suites/wired_dot1x_eap_tls_scep/TESTSUITE.md +++ b/t/venom/test_suites/wired_dot1x_eap_tls_scep/TESTSUITE.md @@ -1,4 +1,4 @@ -# dot1x_eap_tls_pfpki +# wired_dot1x_eap_tls ## Requirements N/A diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_scep/teardown/90_teardown.yml b/t/venom/test_suites/wired_dot1x_eap_tls_scep/teardown/90_teardown.yml index cdbdbf00327d..5c171990583a 100644 
--- a/t/venom/test_suites/wired_dot1x_eap_tls_scep/teardown/90_teardown.yml +++ b/t/venom/test_suites/wired_dot1x_eap_tls_scep/teardown/90_teardown.yml @@ -8,7 +8,7 @@ testcases: steps: - type: http method: DELETE - url: '{{.pfserver_webadmin_url}}/api/v1/config/connection_profile/{{.dot1x_eap_tls_pfpki.profiles.wired.id}}' + url: '{{.pfserver_webadmin_url}}/api/v1/config/connection_profile/{{.wired_dot1x_eap_tls.profiles.wired.id}}' ignore_verify_ssl: true headers: "Authorization": "{{.get_login_token.json.result.token}}" @@ -20,7 +20,7 @@ testcases: steps: - type: http method: DELETE - url: '{{.pfserver_webadmin_url}}/api/v1/config/source/{{.dot1x_eap_tls_pfpki.sources.eaptls.name}}' + url: '{{.pfserver_webadmin_url}}/api/v1/config/source/{{.wired_dot1x_eap_tls.sources.eaptls.name}}' ignore_verify_ssl: true headers: "Authorization": "{{.get_login_token.json.result.token}}" @@ -50,7 +50,7 @@ testcases: steps: - type: http method: DELETE - url: '{{.pfserver_webadmin_url}}/api/v1/config/radiusd/ocsp_profile/{{.dot1x_eap_tls_pfpki.ocsp.id}}' + url: '{{.pfserver_webadmin_url}}/api/v1/config/radiusd/ocsp_profile/{{.wired_dot1x_eap_tls.ocsp.id}}' ignore_verify_ssl: true headers: "Authorization": "{{.get_login_token.json.result.token}}" diff --git a/t/venom/vars/all.yml b/t/venom/vars/all.yml index 947a4fe8b73d..803736e05888 100644 --- a/t/venom/vars/all.yml +++ b/t/venom/vars/all.yml 
@@ -294,78 +294,78 @@ captive_portal.profiles.locales4: it_IT captive_portal.reg.url: 'https://{{.configurator.interfaces.reg.ip}}/captive-portal' ################################################################################ -# dot1x_eap_tls_pfpki test suite specific variables +# wired_dot1x_eap_tls test suite specific variables ################################################################################ ### General settings for certs -dot1x_eap_tls_pfpki.certs.validity: 750 -dot1x_eap_tls_pfpki.certs.key_size: 2048 -dot1x_eap_tls_pfpki.certs.key_type: 1 -dot1x_eap_tls_pfpki.certs.digest: 4 -dot1x_eap_tls_pfpki.certs.country: CA -dot1x_eap_tls_pfpki.certs.state: Quebec -dot1x_eap_tls_pfpki.certs.locality: Montreal -dot1x_eap_tls_pfpki.certs.organisation: Inverse -dot1x_eap_tls_pfpki.certs.organisational_unit: PacketFence -dot1x_eap_tls_pfpki.certs.ocsp_url: 'https://127.0.0.1:22225/api/v1/pki/ocsp' +wired_dot1x_eap_tls.certs.validity: 750 +wired_dot1x_eap_tls.certs.key_size: 2048 +wired_dot1x_eap_tls.certs.key_type: 1 +wired_dot1x_eap_tls.certs.digest: 4 +wired_dot1x_eap_tls.certs.country: CA +wired_dot1x_eap_tls.certs.state: Quebec +wired_dot1x_eap_tls.certs.locality: Montreal +wired_dot1x_eap_tls.certs.organisation: Inverse +wired_dot1x_eap_tls.certs.organisational_unit: PacketFence +wired_dot1x_eap_tls.certs.ocsp_url: 'https://127.0.0.1:22225/api/v1/pki/ocsp' # CA -dot1x_eap_tls_pfpki.certs.ca.cn: InverseCA -dot1x_eap_tls_pfpki.certs.ca.mail: '{{.configurator.email}}' +wired_dot1x_eap_tls.certs.ca.cn: InverseCA +wired_dot1x_eap_tls.certs.ca.mail: '{{.configurator.email}}' -dot1x_eap_tls_pfpki.certs.ca.issuer: "/C={{.dot1x_eap_tls_pfpki.certs.country}}/ST={{.dot1x_eap_tls_pfpki.certs.state}}/L={{.dot1x_eap_tls_pfpki.certs.locality}}/O={{.dot1x_eap_tls_pfpki.certs.organisation}}/OU={{.dot1x_eap_tls_pfpki.certs.organisational_unit}}/CN={{.dot1x_eap_tls_pfpki.certs.ca.cn}}" +wired_dot1x_eap_tls.certs.ca.issuer: 
"/C={{.wired_dot1x_eap_tls.certs.country}}/ST={{.wired_dot1x_eap_tls.certs.state}}/L={{.wired_dot1x_eap_tls.certs.locality}}/O={{.wired_dot1x_eap_tls.certs.organisation}}/OU={{.wired_dot1x_eap_tls.certs.organisational_unit}}/CN={{.wired_dot1x_eap_tls.certs.ca.cn}}" ### Templates -dot1x_eap_tls_pfpki.templates.radius.name: '{{.dot1x_eap_tls_pfpki.certs.ca.cn}}_radius' -dot1x_eap_tls_pfpki.templates.http.name: '{{.dot1x_eap_tls_pfpki.certs.ca.cn}}_http' -dot1x_eap_tls_pfpki.templates.user.name: '{{.dot1x_eap_tls_pfpki.certs.ca.cn}}_user' +wired_dot1x_eap_tls.templates.radius.name: '{{.wired_dot1x_eap_tls.certs.ca.cn}}_radius' +wired_dot1x_eap_tls.templates.http.name: '{{.wired_dot1x_eap_tls.certs.ca.cn}}_http' +wired_dot1x_eap_tls.templates.user.name: '{{.wired_dot1x_eap_tls.certs.ca.cn}}_user' # RADIUS cert -dot1x_eap_tls_pfpki.certs.radius.cn: '{{.dot1x_eap_tls_pfpki.templates.radius.name}}_cert' -dot1x_eap_tls_pfpki.certs.radius.mail: '{{.configurator.email}}' -dot1x_eap_tls_pfpki.certs.radius.dns_names: '{{.configurator.hostname}}.{{.configurator.domain}}' -dot1x_eap_tls_pfpki.certs.radius.ip_addresses: '{{.configurator.interfaces.mgmt.ip}}' +wired_dot1x_eap_tls.certs.radius.cn: '{{.wired_dot1x_eap_tls.templates.radius.name}}_cert' +wired_dot1x_eap_tls.certs.radius.mail: '{{.configurator.email}}' +wired_dot1x_eap_tls.certs.radius.dns_names: '{{.configurator.hostname}}.{{.configurator.domain}}' +wired_dot1x_eap_tls.certs.radius.ip_addresses: '{{.configurator.interfaces.mgmt.ip}}' # HTTP cert -dot1x_eap_tls_pfpki.certs.http.cn: '{{.dot1x_eap_tls_pfpki.templates.http.name}}_cert' -dot1x_eap_tls_pfpki.certs.http.mail: '{{.configurator.email}}' -dot1x_eap_tls_pfpki.certs.http.dns_names: '{{.configurator.hostname}}.{{.configurator.domain}},packetfence.example.lan' -dot1x_eap_tls_pfpki.certs.http.ip_addresses: '{{.configurator.interfaces.mgmt.ip}},66.70.255.147,{{.configurator.interfaces.reg.ip}},{{.configurator.interfaces.iso.ip}}' +wired_dot1x_eap_tls.certs.http.cn: 
'{{.wired_dot1x_eap_tls.templates.http.name}}_cert' +wired_dot1x_eap_tls.certs.http.mail: '{{.configurator.email}}' +wired_dot1x_eap_tls.certs.http.dns_names: '{{.configurator.hostname}}.{{.configurator.domain}},packetfence.example.lan' +wired_dot1x_eap_tls.certs.http.ip_addresses: '{{.configurator.interfaces.mgmt.ip}},66.70.255.147,{{.configurator.interfaces.reg.ip}},{{.configurator.interfaces.iso.ip}}' # User cert -dot1x_eap_tls_pfpki.certs.user.cn: '{{.dot1x_eap_tls_pfpki.templates.user.name}}_cert' -dot1x_eap_tls_pfpki.certs.user.mail: '{{.configurator.email}}' -dot1x_eap_tls_pfpki.certs.user.scep_enabled: 1 -dot1x_eap_tls_pfpki.certs.user.scep_challenge_password: secret -dot1x_eap_tls_pfpki.certs.user.scep_days_before_renewal: 7 +wired_dot1x_eap_tls.certs.user.cn: '{{.wired_dot1x_eap_tls.templates.user.name}}_cert' +wired_dot1x_eap_tls.certs.user.mail: '{{.configurator.email}}' +wired_dot1x_eap_tls.certs.user.scep_enabled: 1 +wired_dot1x_eap_tls.certs.user.scep_challenge_password: secret +wired_dot1x_eap_tls.certs.user.scep_days_before_renewal: 7 # OCSP config -dot1x_eap_tls_pfpki.ocsp.id: ocsp_from_cert -dot1x_eap_tls_pfpki.ocsp.enable: yes -dot1x_eap_tls_pfpki.ocsp.url: "" -dot1x_eap_tls_pfpki.ocsp.override_cert_url: no -dot1x_eap_tls_pfpki.ocsp.softfail: no -dot1x_eap_tls_pfpki.ocsp.timeout: 0 -dot1x_eap_tls_pfpki.ocsp.use_nonce: yes +wired_dot1x_eap_tls.ocsp.id: ocsp_from_cert +wired_dot1x_eap_tls.ocsp.enable: yes +wired_dot1x_eap_tls.ocsp.url: "" +wired_dot1x_eap_tls.ocsp.override_cert_url: no +wired_dot1x_eap_tls.ocsp.softfail: no +wired_dot1x_eap_tls.ocsp.timeout: 0 +wired_dot1x_eap_tls.ocsp.use_nonce: yes # Roles -dot1x_eap_tls_pfpki.roles.dot1x_eap_tls.id: dot1x_eap_tls -dot1x_eap_tls_pfpki.roles.dot1x_eap_tls.notes: 802.1x role for PacketFence PKI -dot1x_eap_tls_pfpki.roles.dot1x_eap_tls.vlan_id: 100 +wired_dot1x_eap_tls.roles.dot1x_eap_tls.id: dot1x_eap_tls +wired_dot1x_eap_tls.roles.dot1x_eap_tls.notes: 802.1x role for PacketFence PKI 
+wired_dot1x_eap_tls.roles.dot1x_eap_tls.vlan_id: 100 # Sources -dot1x_eap_tls_pfpki.sources.eaptls.name: 'eaptls' -dot1x_eap_tls_pfpki.sources.eaptls.description: 'EAP-TLS source' -dot1x_eap_tls_pfpki.sources.eaptls.access_duration: '{{.access_duration.default_choice}}' +wired_dot1x_eap_tls.sources.eaptls.name: 'eaptls' +wired_dot1x_eap_tls.sources.eaptls.description: 'EAP-TLS source' +wired_dot1x_eap_tls.sources.eaptls.access_duration: '{{.access_duration.default_choice}}' # Connection profiles -dot1x_eap_tls_pfpki.profiles.wired.id: catch_dot1x_wired_eap_tls -dot1x_eap_tls_pfpki.profiles.wired.description: 802.1X wired EAP-TLS -dot1x_eap_tls_pfpki.profiles.wired.filters.connection_type: Ethernet-EAP -dot1x_eap_tls_pfpki.profiles.wired.filters.connection_sub_type: EAP-TLS -dot1x_eap_tls_pfpki.profiles.wired.unreg_on_acct_stop: enabled +wired_dot1x_eap_tls.profiles.wired.id: catch_dot1x_wired_eap_tls +wired_dot1x_eap_tls.profiles.wired.description: 802.1X wired EAP-TLS +wired_dot1x_eap_tls.profiles.wired.filters.connection_type: Ethernet-EAP +wired_dot1x_eap_tls.profiles.wired.filters.connection_sub_type: EAP-TLS +wired_dot1x_eap_tls.profiles.wired.unreg_on_acct_stop: enabled wired_dot1x_eap_tls_manual.paths.clients_directory: /root/client_certificates -wired_dot1x_eap_tls_manual.paths.per_client_directory: '{{.wired_dot1x_eap_tls_manual.paths.clients_directory}}/{{.dot1x_eap_tls_pfpki.certs.user.cn}}' +wired_dot1x_eap_tls_manual.paths.per_client_directory: '{{.wired_dot1x_eap_tls_manual.paths.clients_directory}}/{{.wired_dot1x_eap_tls.certs.user.cn}}' ################################################################################ # pfdhcplistener_single_tenant test suite specific variables From 5527be41ad2fe48153174ebc0d7ca7a7abf4948d Mon Sep 17 00:00:00 2001 
From: nqb
Date: Wed, 20 Oct 2021 23:36:39 +0200
Subject: [PATCH 05/14] manual: adjust checks
---
 t/venom/switches/common/check_dot1x_int_status.yml | 5 ++---
 .../91_check_radius_audit_log.yml | 2 +-
 .../95_check_autoregister_node.yml | 6 +++---
 t/venom/vars/all.yml | 3 +++
 4 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/t/venom/switches/common/check_dot1x_int_status.yml b/t/venom/switches/common/check_dot1x_int_status.yml
index 47e53b93f0f3..58116d06ab67 100644
--- a/t/venom/switches/common/check_dot1x_int_status.yml
+++ b/t/venom/switches/common/check_dot1x_int_status.yml
@@ -16,8 +16,7 @@ testcases:
 "Content-Type": "application/json"
 assertions:
 # we didn't check MAC address on port to make this testcase reusable
- - result.body ShouldContainSubstring "{{.dot1x_eap_peap.roles.ad_user.vlan_id}}"
- - result.body ShouldContainSubstring PEAP
- - result.body ShouldContainSubstring "{{.ad_domain_user}}"
+ - result.body ShouldContainSubstring "{{.wired_dot1x_eap_tls.roles.dot1x_eap_tls.vlan_id}}"
+ - result.body ShouldContainSubstring TLS
 - result.body ShouldContainSubstring AUTHORIZED
 - result.statuscode ShouldEqual 200
diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_manual/91_check_radius_audit_log.yml b/t/venom/test_suites/wired_dot1x_eap_tls_manual/91_check_radius_audit_log.yml
index abccafa922c8..1b3e2797f3fe 100644
--- a/t/venom/test_suites/wired_dot1x_eap_tls_manual/91_check_radius_audit_log.yml
+++ b/t/venom/test_suites/wired_dot1x_eap_tls_manual/91_check_radius_audit_log.yml
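Review bot: Rebinding the assertions in t/venom/switches/common/check_dot1x_int_status.yml from `dot1x_eap_peap.*` to `wired_dot1x_eap_tls.*` edits a shared file, so any other suite that includes this common check (the PEAP suite the old variables belonged to, if it still runs it) now asserts the EAP-TLS VLAN and the substring `TLS` and would fail; the comment line says the testcase is meant to be reusable, so the expected VLAN and method would be better supplied by the calling suite than hard-wired to one suite's variables. The hunk also drops the identity assertion (`{{.ad_domain_user}}`) without a replacement, so any EAP-TLS client landing in that VLAN passes; 95_check_autoregister_node.yml in this same commit pins the node to `{{.wired_dot1x_eap_tls.certs.user.cn}}`, and if the switch reports the EAP identity in this body the same value could be checked here with `- result.body ShouldContainSubstring "{{.wired_dot1x_eap_tls.certs.user.cn}}"`, otherwise extend the existing comment to say the identity is intentionally not checked. `ShouldContainSubstring TLS` is also looser than the previous `PEAP`; `EAP-TLS` would be more precise if that is how the switch names the method — confirm against the real output.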
@@ -99,5 +99,5 @@ testcases:
 "Content-Type": "application/json"
 assertions:
 - result.statuscode ShouldEqual 200
- - result.bodyjson.item.radius_reply ShouldContainSubstring 'Tunnel-Private-Group-Id = "{{.wired_dot1x_eap_tls.roles.ad_user.vlan_id}}"'
+ - result.bodyjson.item.radius_reply ShouldContainSubstring 'Tunnel-Private-Group-Id = "{{.wired_dot1x_eap_tls.roles.dot1x_eap_tls.vlan_id}}"'
 - result.bodyjson.item.profile ShouldEqual "{{.wired_dot1x_eap_tls.profiles.wired.id}}"
diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_manual/95_check_autoregister_node.yml b/t/venom/test_suites/wired_dot1x_eap_tls_manual/95_check_autoregister_node.yml
index 0d856fcae701..f0492418d30c 100644
--- a/t/venom/test_suites/wired_dot1x_eap_tls_manual/95_check_autoregister_node.yml
+++ b/t/venom/test_suites/wired_dot1x_eap_tls_manual/95_check_autoregister_node.yml
@@ -16,8 +16,8 @@ testcases:
 assertions:
 - result.statuscode ShouldEqual 200
 - result.bodyjson.item.autoreg ShouldEqual yes
- - result.bodyjson.item.category ShouldEqual "{{.dot1x_eap_peap.roles.ad_user.id}}"
- - result.bodyjson.item.pid ShouldEqual "{{.ad_domain_user}}"
+ - result.bodyjson.item.category ShouldEqual "{{.wired_dot1x_eap_tls.roles.dot1x_eap_tls.id}}"
+ - result.bodyjson.item.pid ShouldEqual "{{.wired_dot1x_eap_tls.certs.user.cn}}"
 - result.bodyjson.item.status ShouldEqual reg
 vars:
 regdate:
@@ -33,7 +33,7 @@ testcases:
 # - type: exec
 # script: |
 # perl -I/usr/local/pf/lib -I/usr/local/pf/lib_perl/lib/perl5 -Mpf::config::util \
-# -e 'my @times = get_translatable_time("{{.dot1x_eap_peap.sources.ad_user.access_duration}}"); print("$times[2]$times[1]");'
+# -e 'my @times = get_translatable_time("{{.wired_dot1x_eap_tls.sources.eaptls.access_duration}}"); print("$times[2]$times[1]");'
 # vars:
 # translatable_time:
 # from: result.systemout
diff --git a/t/venom/vars/all.yml b/t/venom/vars/all.yml
index 803736e05888..db1ec891ec39 100644
--- a/t/venom/vars/all.yml
+++ b/t/venom/vars/all.yml
@@ -364,9 +364,12 @@ wired_dot1x_eap_tls.profiles.wired.filters.connection_type: Ethernet-EAP wired_dot1x_eap_tls.profiles.wired.filters.connection_sub_type: EAP-TLS wired_dot1x_eap_tls.profiles.wired.unreg_on_acct_stop: enabled +# wired_dot1x_eap_tls_manual wired_dot1x_eap_tls_manual.paths.clients_directory: /root/client_certificates wired_dot1x_eap_tls_manual.paths.per_client_directory: '{{.wired_dot1x_eap_tls_manual.paths.clients_directory}}/{{.wired_dot1x_eap_tls.certs.user.cn}}' +# wired_dot1x_eap_tls_scep + ################################################################################ # pfdhcplistener_single_tenant test suite specific variables ################################################################################ From 723655406d4d3932e6e1b2d30eb736ec9ed727e6 Mon Sep 17 00:00:00 2001 
From: nqb Date: Wed, 20 Oct 2021 23:51:48 +0200 Subject: [PATCH 06/14] manual: teardown --- .../00_enable_node_cleanup_task.yml | 1 + .../02_restart_pfcron_service.yml | 1 + .../{00_create_pki.yml => 05_create_pki.yml} | 0 .../wired_dot1x_eap_tls_manual/TESTSUITE.md | 6 ++--- .../teardown/00_kill_wpasupplicant.yml | 1 + .../teardown/05_disable_dot1x_dot1x_int.yml | 1 + .../teardown/07_disable_dynamic_vlan.yml | 1 + .../teardown/10_commit_config.yml | 1 + .../12_check_offline_status_node01.yml | 1 + .../teardown/15_check_unregistered_node.yml | 22 +++++++++++++++++++ .../teardown/17_sleep_delete_windows.yml | 1 + ...delete_node01_with_pfcron_node_cleanup.yml | 5 +++++ .../teardown/25_check_node01_deleted.yml | 1 + .../teardown/30_disable_node_cleanup_task.yml | 1 + .../teardown/35_restart_pfcron_service.yml | 1 + 15 files changed, 41 insertions(+), 3 deletions(-) create mode 120000 t/venom/test_suites/wired_dot1x_eap_tls_manual/00_enable_node_cleanup_task.yml create mode 120000 t/venom/test_suites/wired_dot1x_eap_tls_manual/02_restart_pfcron_service.yml rename t/venom/test_suites/wired_dot1x_eap_tls_manual/{00_create_pki.yml => 05_create_pki.yml} (100%) create mode 120000 t/venom/test_suites/wired_dot1x_eap_tls_manual/teardown/00_kill_wpasupplicant.yml create mode 120000 t/venom/test_suites/wired_dot1x_eap_tls_manual/teardown/05_disable_dot1x_dot1x_int.yml create mode 120000 t/venom/test_suites/wired_dot1x_eap_tls_manual/teardown/07_disable_dynamic_vlan.yml create mode 120000 t/venom/test_suites/wired_dot1x_eap_tls_manual/teardown/10_commit_config.yml create mode 120000 t/venom/test_suites/wired_dot1x_eap_tls_manual/teardown/12_check_offline_status_node01.yml create mode 100644 t/venom/test_suites/wired_dot1x_eap_tls_manual/teardown/15_check_unregistered_node.yml create mode 120000 t/venom/test_suites/wired_dot1x_eap_tls_manual/teardown/17_sleep_delete_windows.yml create mode 100644 
t/venom/test_suites/wired_dot1x_eap_tls_manual/teardown/20_delete_node01_with_pfcron_node_cleanup.yml create mode 120000 t/venom/test_suites/wired_dot1x_eap_tls_manual/teardown/25_check_node01_deleted.yml create mode 120000 t/venom/test_suites/wired_dot1x_eap_tls_manual/teardown/30_disable_node_cleanup_task.yml create mode 120000 t/venom/test_suites/wired_dot1x_eap_tls_manual/teardown/35_restart_pfcron_service.yml diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_manual/00_enable_node_cleanup_task.yml b/t/venom/test_suites/wired_dot1x_eap_tls_manual/00_enable_node_cleanup_task.yml new file mode 120000 index 000000000000..ae3857b0486b --- /dev/null +++ b/t/venom/test_suites/wired_dot1x_eap_tls_manual/00_enable_node_cleanup_task.yml @@ -0,0 +1 @@ +../common/enable_node_cleanup_task.yml \ No newline at end of file diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_manual/02_restart_pfcron_service.yml b/t/venom/test_suites/wired_dot1x_eap_tls_manual/02_restart_pfcron_service.yml new file mode 120000 index 000000000000..7d7621c12032 --- /dev/null +++ b/t/venom/test_suites/wired_dot1x_eap_tls_manual/02_restart_pfcron_service.yml @@ -0,0 +1 @@ +../common/restart_pfcron_service.yml \ No newline at end of file diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_manual/00_create_pki.yml b/t/venom/test_suites/wired_dot1x_eap_tls_manual/05_create_pki.yml similarity index 100% rename from t/venom/test_suites/wired_dot1x_eap_tls_manual/00_create_pki.yml rename to t/venom/test_suites/wired_dot1x_eap_tls_manual/05_create_pki.yml diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_manual/TESTSUITE.md b/t/venom/test_suites/wired_dot1x_eap_tls_manual/TESTSUITE.md index a4c0899bbd63..7a8da84bfb6a 100644 --- a/t/venom/test_suites/wired_dot1x_eap_tls_manual/TESTSUITE.md +++ b/t/venom/test_suites/wired_dot1x_eap_tls_manual/TESTSUITE.md @@ -1,4 +1,4 @@ -# wired_dot1x_eap_tls +# wired_dot1x_eap_tls_manual ## Requirements N/A 
@@ -27,8 +27,6 @@ N/A 1. Perform Checkup (common test suite) 1. Configure 802.1X only and dynamic VLAN on dot1x interface on switch01 - -TODO: 1. Install Root CA on node01 1. Install user certificates (public certificate and private key) on node01 with following paths: @@ -40,6 +38,8 @@ TODO: 1. Check node status for node01 (common) 1. Check VLAN assigned to node01 *on* switch01 (common) 1. Check Internet access *on* node01 (common) + +TODO: 1. Revoke certificate 1. Kill wpasupplicant (common test suite) 1. Rerun wpasupplicant to have a reject authentication due to revoke certificate diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_manual/teardown/00_kill_wpasupplicant.yml b/t/venom/test_suites/wired_dot1x_eap_tls_manual/teardown/00_kill_wpasupplicant.yml new file mode 120000 index 000000000000..dab406f34cf5 --- /dev/null +++ b/t/venom/test_suites/wired_dot1x_eap_tls_manual/teardown/00_kill_wpasupplicant.yml @@ -0,0 +1 @@ +../../common/kill_wpasupplicant.yml \ No newline at end of file diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_manual/teardown/05_disable_dot1x_dot1x_int.yml b/t/venom/test_suites/wired_dot1x_eap_tls_manual/teardown/05_disable_dot1x_dot1x_int.yml new file mode 120000 index 000000000000..f5c4d00658ec --- /dev/null +++ b/t/venom/test_suites/wired_dot1x_eap_tls_manual/teardown/05_disable_dot1x_dot1x_int.yml @@ -0,0 +1 @@ +../../../switches/common/disable_dot1x_dot1x_int.yml \ No newline at end of file diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_manual/teardown/07_disable_dynamic_vlan.yml b/t/venom/test_suites/wired_dot1x_eap_tls_manual/teardown/07_disable_dynamic_vlan.yml new file mode 120000 index 000000000000..f1ced8cf3bd9 --- /dev/null +++ b/t/venom/test_suites/wired_dot1x_eap_tls_manual/teardown/07_disable_dynamic_vlan.yml @@ -0,0 +1 @@ +../../../switches/common/disable_dynamic_vlan.yml \ No newline at end of file 
diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_manual/teardown/10_commit_config.yml b/t/venom/test_suites/wired_dot1x_eap_tls_manual/teardown/10_commit_config.yml
new file mode 120000
index 000000000000..16a870fe5e74
--- /dev/null
+++ b/t/venom/test_suites/wired_dot1x_eap_tls_manual/teardown/10_commit_config.yml
@@ -0,0 +1 @@
+../../../switches/common/commit_config.yml
\ No newline at end of file
diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_manual/teardown/12_check_offline_status_node01.yml b/t/venom/test_suites/wired_dot1x_eap_tls_manual/teardown/12_check_offline_status_node01.yml
new file mode 120000
index 000000000000..bf9fac803482
--- /dev/null
+++ b/t/venom/test_suites/wired_dot1x_eap_tls_manual/teardown/12_check_offline_status_node01.yml
@@ -0,0 +1 @@
+../../common/check_offline_status_node01.yml
\ No newline at end of file
diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_manual/teardown/15_check_unregistered_node.yml b/t/venom/test_suites/wired_dot1x_eap_tls_manual/teardown/15_check_unregistered_node.yml
new file mode 100644
index 000000000000..a805a6621edf
--- /dev/null
+++ b/t/venom/test_suites/wired_dot1x_eap_tls_manual/teardown/15_check_unregistered_node.yml
@@ -0,0 +1,22 @@
+name: Check unregistered node
+testcases:
+- name: get_login_token
+ steps:
+ - type: get_login_token
+
+- name: check_unregistered_node
+ steps:
+ - type: http
+ method: GET
+ url: '{{.pfserver_webadmin_url}}/api/v1/node/{{.node01_ens7_mac_address_url_encoded}}'
+ ignore_verify_ssl: true
+ headers:
+ "Authorization": "{{.get_login_token.json.result.token}}"
+ "Content-Type": "application/json"
+ assertions:
+ - result.statuscode ShouldEqual 200
+ - result.bodyjson.item.autoreg ShouldEqual no
+ - result.bodyjson.item.status ShouldEqual unreg
+ - result.bodyjson.item.regdate ShouldEqual "0000-00-00 00:00:00"
+ - result.bodyjson.item.unregdate ShouldEqual "0000-00-00 00:00:00"
+
diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_manual/teardown/17_sleep_delete_windows.yml b/t/venom/test_suites/wired_dot1x_eap_tls_manual/teardown/17_sleep_delete_windows.yml
new file mode 120000
index 000000000000..28340473f7fc
--- /dev/null
+++ b/t/venom/test_suites/wired_dot1x_eap_tls_manual/teardown/17_sleep_delete_windows.yml
@@ -0,0 +1 @@
+../../common/sleep_delete_windows.yml
\ No newline at end of file
diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_manual/teardown/20_delete_node01_with_pfcron_node_cleanup.yml b/t/venom/test_suites/wired_dot1x_eap_tls_manual/teardown/20_delete_node01_with_pfcron_node_cleanup.yml
new file mode 100644
index 000000000000..915e56964beb
--- /dev/null
+++ b/t/venom/test_suites/wired_dot1x_eap_tls_manual/teardown/20_delete_node01_with_pfcron_node_cleanup.yml
@@ -0,0 +1,5 @@
+name: Delete node01 by running pfcron node_cleanup task
+testcases:
+- name: delete_node01_with_pfcron_node_cleanup
+ steps:
+ - script: /usr/local/pf/bin/pfcmd pfcron node_cleanup
diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_manual/teardown/25_check_node01_deleted.yml b/t/venom/test_suites/wired_dot1x_eap_tls_manual/teardown/25_check_node01_deleted.yml
new file mode 120000
index 000000000000..035ce72733b2
--- /dev/null
+++ b/t/venom/test_suites/wired_dot1x_eap_tls_manual/teardown/25_check_node01_deleted.yml
@@ -0,0 +1 @@
+../../common/check_node01_deleted.yml
\ No newline at end of file
diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_manual/teardown/30_disable_node_cleanup_task.yml b/t/venom/test_suites/wired_dot1x_eap_tls_manual/teardown/30_disable_node_cleanup_task.yml
new file mode 120000
index 000000000000..3e811dfacdb9
--- /dev/null
+++ b/t/venom/test_suites/wired_dot1x_eap_tls_manual/teardown/30_disable_node_cleanup_task.yml
@@ -0,0 +1 @@
+../../common/disable_node_cleanup_task.yml
\ No newline at end of file
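Review bot: The teardown step `- script: /usr/local/pf/bin/pfcmd pfcron node_cleanup` omits the `type: exec` that every other exec step in this series spells out and carries no assertion, so whether a failing command is noticed depends on the executor's default rather than on the file. Writing it as `- type: exec` with `script: /usr/local/pf/bin/pfcmd pfcron node_cleanup` and an `assertions:` entry `- result.code ShouldEqual 0` makes the expected outcome explicit and matches the other files. A one-line comment that node_cleanup acts on every node inside the cleanup window, not only node01, would also help whoever runs this teardown against a shared lab.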
diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_manual/teardown/35_restart_pfcron_service.yml b/t/venom/test_suites/wired_dot1x_eap_tls_manual/teardown/35_restart_pfcron_service.yml new file mode 120000 index 000000000000..49543dc3fc59 --- /dev/null +++ b/t/venom/test_suites/wired_dot1x_eap_tls_manual/teardown/35_restart_pfcron_service.yml @@ -0,0 +1 @@ +../../common/restart_pfcron_service.yml \ No newline at end of file From 9ee2ec210e1f7fc21c5fe4357da18c567a6f77e8 Mon Sep 17 00:00:00 2001 From: nqb Date: Thu, 21 Oct 2021 07:20:22 +0200 Subject: [PATCH 07/14] manual: disable StrictHostKeyChecking during rsync Necessary, Venom executor do the same. --- .../75_deploy_certificates_on_node01.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_manual/75_deploy_certificates_on_node01.yml b/t/venom/test_suites/wired_dot1x_eap_tls_manual/75_deploy_certificates_on_node01.yml index eec5f1b21301..d7e1d8b0f53b 100644 --- a/t/venom/test_suites/wired_dot1x_eap_tls_manual/75_deploy_certificates_on_node01.yml +++ b/t/venom/test_suites/wired_dot1x_eap_tls_manual/75_deploy_certificates_on_node01.yml @@ -4,7 +4,8 @@ testcases: steps: - type: exec script: | - /usr/bin/rsync -avz {{.wired_dot1x_eap_tls_manual.paths.per_client_directory}} {{.ssh_user}}@{{.node01_mgmt_ip}}:/home/vagrant/ + /usr/bin/rsync -avz -e "ssh -o StrictHostKeyChecking=no" {{.wired_dot1x_eap_tls_manual.paths.per_client_directory}} \ + {{.ssh_user}}@{{.node01_mgmt_ip}}:/home/vagrant/ - name: move_certificates steps: From f2de72ab8b26af82c824709b4814bde08cb0466e Mon Sep 17 00:00:00 2001 
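Review bot: `-o StrictHostKeyChecking=no` on the new rsync line disables host authentication for the transfer of `{{.wired_dot1x_eap_tls_manual.paths.per_client_directory}}`, which per the suite description holds the user certificate and its private key, so any host answering on `{{.node01_mgmt_ip}}` is accepted and would receive that key material. `StrictHostKeyChecking=accept-new` keeps the first-contact convenience while still rejecting a changed host key, and pre-seeding a known_hosts file via `-o UserKnownHostsFile=<path>` is the stricter option for a lab that is rebuilt often. If the setting is there to mirror what the Venom executor does, a short comment in the step saying so would save the next reader the question. The enclosing testcase begins outside the hunk.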
From: nqb Date: Thu, 21 Oct 2021 14:07:37 +0200 Subject: [PATCH 08/14] create vars for each PKI suite --- .../10_create_roles.yml | 6 +- .../15_create_network_devices.yml | 8 +- .../common/check_dot1x_int_status.yml | 2 +- .../global_config/00_create_roles.yml | 6 +- .../15_create_network_devices.yml | 8 +- .../05_create_pki.yml | 158 ++++++++-------- .../10_enable_ocsp.yml | 16 +- .../45_create_eaptls_source.yml | 10 +- .../50_create_connection_profile.yml | 12 +- .../75_deploy_certificates_on_node01.yml | 2 +- .../91_check_radius_audit_log.yml | 6 +- .../95_check_autoregister_node.yml | 6 +- .../teardown/90_teardown.yml | 6 +- .../00_create_pki.yml | 172 +++++++++--------- .../10_enable_ocsp.yml | 16 +- .../45_create_eaptls_source.yml | 10 +- .../50_create_connection_profile.yml | 12 +- .../teardown/90_teardown.yml | 6 +- t/venom/vars/all.yml | 171 +++++++++++------ 19 files changed, 351 insertions(+), 282 deletions(-) diff --git a/t/venom/pfservers/global_config_multi_tenant/10_create_roles.yml b/t/venom/pfservers/global_config_multi_tenant/10_create_roles.yml index 0fe3dc41b1ed..8d3ae42e1e22 100644 --- a/t/venom/pfservers/global_config_multi_tenant/10_create_roles.yml +++ b/t/venom/pfservers/global_config_multi_tenant/10_create_roles.yml @@ -61,7 +61,7 @@ testcases: assertions: - result.statuscode ShouldEqual 201 -- name: create_wired_dot1x_eap_tls_role +- name: create_wired_dot1x_eap_tls_manual.role steps: - type: http method: POST @@ -69,9 +69,9 @@ testcases: ignore_verify_ssl: true body: >- { - "id":"{{.wired_dot1x_eap_tls.roles.dot1x_eap_tls.id}}", + "id":"{{.wired_dot1x_eap_tls_manual.roles.dot1x_eap_tls.id}}", "max_nodes_per_pid":0, - "notes":"{{.wired_dot1x_eap_tls.roles.dot1x_eap_tls.notes}}" + "notes":"{{.wired_dot1x_eap_tls_manual.roles.dot1x_eap_tls.notes}}" } headers: "Authorization": "{{.get_login_token.json.result.token}}" 
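Review bot: The renamed testcase `create_wired_dot1x_eap_tls_manual.role` carries a dot that looks like a search-and-replace artefact; testcase names are the prefix of result variables (`{{.get_login_token.json.result.token}}` in the same hunk), so a dotted name makes any later reference to this testcase ambiguous. `- name: create_wired_dot1x_eap_tls_manual_role` keeps the existing naming pattern. The same rename appears in `t/venom/test_suites/global_config/00_create_roles.yml` in this commit.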
diff --git a/t/venom/pfservers/global_config_multi_tenant/15_create_network_devices.yml b/t/venom/pfservers/global_config_multi_tenant/15_create_network_devices.yml
index 1a7dcc90f415..bd7bb867d145 100644
--- a/t/venom/pfservers/global_config_multi_tenant/15_create_network_devices.yml
+++ b/t/venom/pfservers/global_config_multi_tenant/15_create_network_devices.yml
@@ -107,10 +107,10 @@ testcases:
 "{{.wired_mac_auth.roles.headless_device.id}}Role": null,
 "{{.wired_mac_auth.roles.headless_device.id}}Url": null,
 "{{.wired_mac_auth.roles.headless_device.id}}Vlan": "{{.wired_mac_auth.roles.headless_device.vlan_id}}",
- "{{.wired_dot1x_eap_tls.roles.dot1x_eap_tls.id}}AccessList": null,
- "{{.wired_dot1x_eap_tls.roles.dot1x_eap_tls.id}}Role": null,
- "{{.wired_dot1x_eap_tls.roles.dot1x_eap_tls.id}}Url": null,
- "{{.wired_dot1x_eap_tls.roles.dot1x_eap_tls.id}}Vlan": "{{.dot1x_eap_tls_pfpki.roles.dot1x_eap_tls.vlan_id}}",
+ "{{.wired_dot1x_eap_tls_manual.roles.dot1x_eap_tls.id}}AccessList": null,
+ "{{.wired_dot1x_eap_tls_manual.roles.dot1x_eap_tls.id}}Role": null,
+ "{{.wired_dot1x_eap_tls_manual.roles.dot1x_eap_tls.id}}Url": null,
+ "{{.wired_dot1x_eap_tls_manual.roles.dot1x_eap_tls.id}}Vlan": "{{.dot1x_eap_tls_pfpki.roles.dot1x_eap_tls.vlan_id}}",
 "voiceAccessList": null,
 "voiceRole": null,
 "voiceUrl": null,
diff --git a/t/venom/switches/common/check_dot1x_int_status.yml b/t/venom/switches/common/check_dot1x_int_status.yml
index 58116d06ab67..edad1c754b93 100644
--- a/t/venom/switches/common/check_dot1x_int_status.yml
+++ b/t/venom/switches/common/check_dot1x_int_status.yml
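Review bot: In the new `...Vlan` line the role id now comes from `wired_dot1x_eap_tls_manual` but the VLAN id is still read from `{{.dot1x_eap_tls_pfpki.roles.dot1x_eap_tls.vlan_id}}`, a namespace this series appears to have moved away from; unless `t/venom/vars/all.yml` still defines that key, the VLAN renders empty and the switch mapping for this role silently breaks. `"{{.wired_dot1x_eap_tls_manual.roles.dot1x_eap_tls.id}}Vlan": "{{.wired_dot1x_eap_tls_manual.roles.dot1x_eap_tls.vlan_id}}",` would match the three sibling lines and the key `check_dot1x_int_status.yml` asserts against in the same commit. The same line appears in `t/venom/test_suites/global_config/15_create_network_devices.yml`.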
@@ -16,7 +16,7 @@ testcases: "Content-Type": "application/json" assertions: # we didn't check MAC address on port to make this testcase reusable - - result.body ShouldContainSubstring "{{.wired_dot1x_eap_tls.roles.dot1x_eap_tls.vlan_id}}" + - result.body ShouldContainSubstring "{{.wired_dot1x_eap_tls_manual.roles.dot1x_eap_tls.vlan_id}}" - result.body ShouldContainSubstring TLS - result.body ShouldContainSubstring AUTHORIZED - result.statuscode ShouldEqual 200 diff --git a/t/venom/test_suites/global_config/00_create_roles.yml b/t/venom/test_suites/global_config/00_create_roles.yml index 4d489b98e761..2d0ec36d9b41 100644 --- a/t/venom/test_suites/global_config/00_create_roles.yml +++ b/t/venom/test_suites/global_config/00_create_roles.yml @@ -61,7 +61,7 @@ testcases: assertions: - result.statuscode ShouldEqual 201 -- name: create_wired_dot1x_eap_tls_role +- name: create_wired_dot1x_eap_tls_manual.role steps: - type: http method: POST @@ -69,9 +69,9 @@ testcases: ignore_verify_ssl: true body: >- { - "id":"{{.wired_dot1x_eap_tls.roles.dot1x_eap_tls.id}}", + "id":"{{.wired_dot1x_eap_tls_manual.roles.dot1x_eap_tls.id}}", "max_nodes_per_pid":0, - "notes":"{{.wired_dot1x_eap_tls.roles.dot1x_eap_tls.notes}}" + "notes":"{{.wired_dot1x_eap_tls_manual.roles.dot1x_eap_tls.notes}}" } headers: "Authorization": "{{.get_login_token.json.result.token}}" diff --git a/t/venom/test_suites/global_config/15_create_network_devices.yml b/t/venom/test_suites/global_config/15_create_network_devices.yml index 00f8b235089d..607fa3384995 100644 --- a/t/venom/test_suites/global_config/15_create_network_devices.yml +++ b/t/venom/test_suites/global_config/15_create_network_devices.yml 
@@ -106,10 +106,10 @@ testcases:
 "{{.wired_mac_auth.roles.headless_device.id}}Role": null,
 "{{.wired_mac_auth.roles.headless_device.id}}Url": null,
 "{{.wired_mac_auth.roles.headless_device.id}}Vlan": "{{.wired_mac_auth.roles.headless_device.vlan_id}}",
- "{{.wired_dot1x_eap_tls.roles.dot1x_eap_tls.id}}AccessList": null,
- "{{.wired_dot1x_eap_tls.roles.dot1x_eap_tls.id}}Role": null,
- "{{.wired_dot1x_eap_tls.roles.dot1x_eap_tls.id}}Url": null,
- "{{.wired_dot1x_eap_tls.roles.dot1x_eap_tls.id}}Vlan": "{{.dot1x_eap_tls_pfpki.roles.dot1x_eap_tls.vlan_id}}",
+ "{{.wired_dot1x_eap_tls_manual.roles.dot1x_eap_tls.id}}AccessList": null,
+ "{{.wired_dot1x_eap_tls_manual.roles.dot1x_eap_tls.id}}Role": null,
+ "{{.wired_dot1x_eap_tls_manual.roles.dot1x_eap_tls.id}}Url": null,
+ "{{.wired_dot1x_eap_tls_manual.roles.dot1x_eap_tls.id}}Vlan": "{{.dot1x_eap_tls_pfpki.roles.dot1x_eap_tls.vlan_id}}",
 "voiceAccessList": null,
 "voiceRole": null,
 "voiceUrl": null,
diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_manual/05_create_pki.yml b/t/venom/test_suites/wired_dot1x_eap_tls_manual/05_create_pki.yml
index 7d620a26631c..7cd1f2366518 100644
--- a/t/venom/test_suites/wired_dot1x_eap_tls_manual/05_create_pki.yml
+++ b/t/venom/test_suites/wired_dot1x_eap_tls_manual/05_create_pki.yml
@@ -12,20 +12,20 @@ testcases:
 ignore_verify_ssl: true
 body: >-
 {
- "cn": "{{.wired_dot1x_eap_tls.certs.ca.cn}}",
- "mail": "{{.wired_dot1x_eap_tls.certs.ca.mail}}",
- "organisational_unit": "{{.wired_dot1x_eap_tls.certs.organisational_unit}}",
- "organisation": "{{.wired_dot1x_eap_tls.certs.organisation}}",
- "country": "{{.wired_dot1x_eap_tls.certs.country}}",
- "state": "{{.wired_dot1x_eap_tls.certs.state}}",
- "locality": "{{.wired_dot1x_eap_tls.certs.locality}}",
- "key_type": "{{.wired_dot1x_eap_tls.certs.key_type}}",
- "digest": "{{.wired_dot1x_eap_tls.certs.digest}}",
+ "cn": "{{.wired_dot1x_eap_tls_manual.certs.ca.cn}}",
+ "mail": "{{.wired_dot1x_eap_tls_manual.certs.ca.mail}}",
+ "organisational_unit": "{{.wired_dot1x_eap_tls_manual.certs.organisational_unit}}",
+ "organisation": "{{.wired_dot1x_eap_tls_manual.certs.organisation}}",
+ "country": "{{.wired_dot1x_eap_tls_manual.certs.country}}",
+ "state": "{{.wired_dot1x_eap_tls_manual.certs.state}}",
+ "locality": "{{.wired_dot1x_eap_tls_manual.certs.locality}}",
+ "key_type": "{{.wired_dot1x_eap_tls_manual.certs.key_type}}",
+ "digest": "{{.wired_dot1x_eap_tls_manual.certs.digest}}",
 "key_usage": "",
 "extended_key_usage": "",
- "days": "{{.wired_dot1x_eap_tls.certs.validity}}",
- "key_size": "{{.wired_dot1x_eap_tls.certs.key_size}}",
- "ocsp_url": "{{.wired_dot1x_eap_tls.certs.ocsp_url}}"
+ "days": "{{.wired_dot1x_eap_tls_manual.certs.validity}}",
+ "key_size": "{{.wired_dot1x_eap_tls_manual.certs.key_size}}",
+ "ocsp_url": "{{.wired_dot1x_eap_tls_manual.certs.ocsp_url}}"
 }
 headers:
 "Authorization": "{{.get_login_token.json.result.token}}"
@@ -46,19 +46,19 @@ testcases:
 body: >-
 {
 "ca_id": "{{.create_root_ca.ca_id}}",
- "name": "{{.wired_dot1x_eap_tls.templates.radius.name}}",
- "validity": "{{.wired_dot1x_eap_tls.certs.validity}}",
- "key_type": "{{.wired_dot1x_eap_tls.certs.key_type}}",
- "digest": "{{.wired_dot1x_eap_tls.certs.digest}}",
+ "name": "{{.wired_dot1x_eap_tls_manual.templates.radius.name}}",
+ "validity": "{{.wired_dot1x_eap_tls_manual.certs.validity}}",
+ "key_type": "{{.wired_dot1x_eap_tls_manual.certs.key_type}}",
+ "digest": "{{.wired_dot1x_eap_tls_manual.certs.digest}}",
 "key_usage": "",
 "extended_key_usage": "1",
- "key_size": "{{.wired_dot1x_eap_tls.certs.key_size}}",
- "organisational_unit": "{{.wired_dot1x_eap_tls.certs.organisational_unit}}",
- "organisation": "{{.wired_dot1x_eap_tls.certs.organisation}}",
- "country": "{{.wired_dot1x_eap_tls.certs.country}}",
- "state": "{{.wired_dot1x_eap_tls.certs.state}}",
- "locality": "{{.wired_dot1x_eap_tls.certs.locality}}",
- "ocsp_url": "{{.wired_dot1x_eap_tls.certs.ocsp_url}}"
+ "key_size": "{{.wired_dot1x_eap_tls_manual.certs.key_size}}",
+ "organisational_unit": "{{.wired_dot1x_eap_tls_manual.certs.organisational_unit}}",
+ "organisation": "{{.wired_dot1x_eap_tls_manual.certs.organisation}}",
+ "country": "{{.wired_dot1x_eap_tls_manual.certs.country}}",
+ "state": "{{.wired_dot1x_eap_tls_manual.certs.state}}",
+ "locality": "{{.wired_dot1x_eap_tls_manual.certs.locality}}",
+ "ocsp_url": "{{.wired_dot1x_eap_tls_manual.certs.ocsp_url}}"
 }
 headers:
 "Authorization": "{{.get_login_token.json.result.token}}"
@@ -78,10 +78,10 @@ testcases:
 body: >-
 {
 "profile_id": "{{.create_pf_radius_cert_template.profile_id}}",
- "cn": "{{.wired_dot1x_eap_tls.certs.radius.cn}}",
- "mail": "{{.wired_dot1x_eap_tls.certs.radius.mail}}",
- "dns_names": "{{.wired_dot1x_eap_tls.certs.radius.dns_names}}",
- "ip_addresses": "{{.wired_dot1x_eap_tls.certs.radius.ip_addresses}}"
+ "cn": "{{.wired_dot1x_eap_tls_manual.certs.radius.cn}}",
+ "mail": "{{.wired_dot1x_eap_tls_manual.certs.radius.mail}}",
+ "dns_names": "{{.wired_dot1x_eap_tls_manual.certs.radius.dns_names}}",
+ "ip_addresses": "{{.wired_dot1x_eap_tls_manual.certs.radius.ip_addresses}}"
 }
 headers:
 "Authorization": "{{.get_login_token.json.result.token}}"
@@ -104,44 +104,44 @@ testcases: steps: - type: exec script: | - curl -k --output {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.radius.cn}}.p12 \ + curl -k --output {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_manual.certs.radius.cn}}.p12 \ http://127.0.0.1:22225/api/v1/pki/cert/{{.create_pf_radius_cert.serial_number}}/download/secret - name: extract_ca_certificate steps: - type: exec script: | - openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.radius.cn}}.p12 -cacerts -nokeys \ - -out {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.ca.cn}}.crt -passin pass:secret + openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_manual.certs.radius.cn}}.p12 -cacerts -nokeys \ + -out {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_manual.certs.ca.cn}}.crt -passin pass:secret - name: extract_radius_certificate steps: - type: exec script: | - openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.radius.cn}}.p12 -clcerts -nokeys \ - -out {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.radius.cn}}.crt -passin pass:secret + openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_manual.certs.radius.cn}}.p12 -clcerts -nokeys \ + -out {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_manual.certs.radius.cn}}.crt -passin pass:secret - name: extract_radius_key steps: - type: exec script: | - openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.radius.cn}}.p12 -nocerts -nodes \ - -out {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.radius.cn}}.key -passin pass:secret + openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_manual.certs.radius.cn}}.p12 -nocerts -nodes \ + -out {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_manual.certs.radius.cn}}.key -passin pass:secret - name: install_ca_cert steps: - type: 
exec - script: "cp {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.ca.cn}}.crt /usr/local/pf/raddb/certs/ca.pem" + script: "cp {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_manual.certs.ca.cn}}.crt /usr/local/pf/raddb/certs/ca.pem" - name: install_radius_cert steps: - type: exec - script: "cp {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.radius.cn}}.crt /usr/local/pf/raddb/certs/server.crt" + script: "cp {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_manual.certs.radius.cn}}.crt /usr/local/pf/raddb/certs/server.crt" - name: install_radius_key steps: - type: exec - script: "cp {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.radius.cn}}.key /usr/local/pf/raddb/certs/server.key" + script: "cp {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_manual.certs.radius.cn}}.key /usr/local/pf/raddb/certs/server.key" ### HTTP certificate part - name: create_pf_http_cert_template 
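Review bot: The PKCS#12 export password `secret` stays a repeated literal in the new lines — in the download URL path `/download/secret` and in every `-passin pass:secret` — while all other values in this hunk moved to suite variables. One variable for it (for instance a new `wired_dot1x_eap_tls_manual.certs.p12_password` entry in all.yml) keeps the download and the three `openssl pkcs12` calls in sync and makes it obvious the value is test-only. The `extract_radius_key` step writes the key with `-nodes`, i.e. unencrypted, into `{{.create_temp_directory.temp_dir}}`; if the teardown does not already remove that directory, it should, and a comment on the step saying which step does so would help.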
@@ -153,19 +153,19 @@ testcases:
 body: >-
 {
 "ca_id": "{{.create_root_ca.ca_id}}",
- "name": "{{.wired_dot1x_eap_tls.templates.http.name}}",
- "validity": "{{.wired_dot1x_eap_tls.certs.validity}}",
- "key_type": "{{.wired_dot1x_eap_tls.certs.key_type}}",
- "digest": "{{.wired_dot1x_eap_tls.certs.digest}}",
+ "name": "{{.wired_dot1x_eap_tls_manual.templates.http.name}}",
+ "validity": "{{.wired_dot1x_eap_tls_manual.certs.validity}}",
+ "key_type": "{{.wired_dot1x_eap_tls_manual.certs.key_type}}",
+ "digest": "{{.wired_dot1x_eap_tls_manual.certs.digest}}",
 "key_usage": "",
 "extended_key_usage": "1",
- "key_size": "{{.wired_dot1x_eap_tls.certs.key_size}}",
- "organisational_unit": "{{.wired_dot1x_eap_tls.certs.organisational_unit}}",
- "organisation": "{{.wired_dot1x_eap_tls.certs.organisation}}",
- "country": "{{.wired_dot1x_eap_tls.certs.country}}",
- "state": "{{.wired_dot1x_eap_tls.certs.state}}",
- "locality": "{{.wired_dot1x_eap_tls.certs.locality}}",
- "ocsp_url": "{{.wired_dot1x_eap_tls.certs.ocsp_url}}"
+ "key_size": "{{.wired_dot1x_eap_tls_manual.certs.key_size}}",
+ "organisational_unit": "{{.wired_dot1x_eap_tls_manual.certs.organisational_unit}}",
+ "organisation": "{{.wired_dot1x_eap_tls_manual.certs.organisation}}",
+ "country": "{{.wired_dot1x_eap_tls_manual.certs.country}}",
+ "state": "{{.wired_dot1x_eap_tls_manual.certs.state}}",
+ "locality": "{{.wired_dot1x_eap_tls_manual.certs.locality}}",
+ "ocsp_url": "{{.wired_dot1x_eap_tls_manual.certs.ocsp_url}}"
 }
 headers:
 "Authorization": "{{.get_login_token.json.result.token}}"
@@ -185,10 +185,10 @@ testcases:
 body: >-
 {
 "profile_id": "{{.create_pf_http_cert_template.profile_id}}",
- "cn": "{{.wired_dot1x_eap_tls.certs.http.cn}}",
- "mail": "{{.wired_dot1x_eap_tls.certs.http.mail}}",
- "dns_names": "{{.wired_dot1x_eap_tls.certs.http.dns_names}}",
- "ip_addresses": "{{.wired_dot1x_eap_tls.certs.http.ip_addresses}}"
+ "cn": "{{.wired_dot1x_eap_tls_manual.certs.http.cn}}",
+ "mail": "{{.wired_dot1x_eap_tls_manual.certs.http.mail}}",
+ "dns_names": "{{.wired_dot1x_eap_tls_manual.certs.http.dns_names}}",
+ "ip_addresses": "{{.wired_dot1x_eap_tls_manual.certs.http.ip_addresses}}"
 }
 headers:
 "Authorization": "{{.get_login_token.json.result.token}}"
@@ -211,46 +211,46 @@ testcases: steps: - type: exec script: | - curl -k --output {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.http.cn}}.p12 \ + curl -k --output {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_manual.certs.http.cn}}.p12 \ http://127.0.0.1:22225/api/v1/pki/cert/{{.create_pf_http_cert.serial_number}}/download/secret - name: extract_ca_certificate steps: - type: exec script: | - openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.http.cn}}.p12 -cacerts -nokeys \ - -out {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.ca.cn}}.crt -passin pass:secret + openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_manual.certs.http.cn}}.p12 -cacerts -nokeys \ + -out {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_manual.certs.ca.cn}}.crt -passin pass:secret - name: extract_http_certificate steps: - type: exec script: | - openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.http.cn}}.p12 -clcerts -nokeys \ - -out {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.http.cn}}.crt -passin pass:secret + openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_manual.certs.http.cn}}.p12 -clcerts -nokeys \ + -out {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_manual.certs.http.cn}}.crt -passin pass:secret - name: extract_http_key steps: - type: exec script: | - openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.http.cn}}.p12 -nocerts -nodes \ - -out {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.http.cn}}.key -passin pass:secret + openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_manual.certs.http.cn}}.p12 -nocerts -nodes \ + -out {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_manual.certs.http.cn}}.key -passin pass:secret - name: install_http_cert_portal steps: - type: exec script: | - cat 
{{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.http.cn}}.crt \ - {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.http.cn}}.key > /usr/local/pf/conf/ssl/server.pem + cat {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_manual.certs.http.cn}}.crt \ + {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_manual.certs.http.cn}}.key > /usr/local/pf/conf/ssl/server.pem - name: install_http_cert_webadmin steps: - type: exec - script: "cat {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.http.cn}}.crt > /usr/local/pf/conf/ssl/server.crt" + script: "cat {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_manual.certs.http.cn}}.crt > /usr/local/pf/conf/ssl/server.crt" - name: install_http_key_webadmin steps: - type: exec - script: "cat {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.http.cn}}.key > /usr/local/pf/conf/ssl/server.key" + script: "cat {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_manual.certs.http.cn}}.key > /usr/local/pf/conf/ssl/server.key" ### User certificate part 
@@ -263,22 +263,22 @@ testcases: body: >- { "ca_id": "{{.create_root_ca.ca_id}}", - "name": "{{.wired_dot1x_eap_tls.templates.user.name}}", - "validity": "{{.wired_dot1x_eap_tls.certs.validity}}", - "key_type": "{{.wired_dot1x_eap_tls.certs.key_type}}", - "digest": "{{.wired_dot1x_eap_tls.certs.digest}}", + "name": "{{.wired_dot1x_eap_tls_manual.templates.user.name}}", + "validity": "{{.wired_dot1x_eap_tls_manual.certs.validity}}", + "key_type": "{{.wired_dot1x_eap_tls_manual.certs.key_type}}", + "digest": "{{.wired_dot1x_eap_tls_manual.certs.digest}}", "key_usage": "", "extended_key_usage": "2", - "key_size": "{{.wired_dot1x_eap_tls.certs.key_size}}", - "organisational_unit": "{{.wired_dot1x_eap_tls.certs.organisational_unit}}", - "organisation": "{{.wired_dot1x_eap_tls.certs.organisation}}", - "country": "{{.wired_dot1x_eap_tls.certs.country}}", - "state": "{{.wired_dot1x_eap_tls.certs.state}}", - "locality": "{{.wired_dot1x_eap_tls.certs.locality}}", - "ocsp_url": "{{.wired_dot1x_eap_tls.certs.ocsp_url}}", - "scep_enabled": "{{.wired_dot1x_eap_tls.certs.user.scep_enabled}}", - "scep_challenge_password": "{{.wired_dot1x_eap_tls.certs.user.scep_challenge_password}}", - "scep_days_before_renewal": "{{.wired_dot1x_eap_tls.certs.user.scep_days_before_renewal}}" + "key_size": "{{.wired_dot1x_eap_tls_manual.certs.key_size}}", + "organisational_unit": "{{.wired_dot1x_eap_tls_manual.certs.organisational_unit}}", + "organisation": "{{.wired_dot1x_eap_tls_manual.certs.organisation}}", + "country": "{{.wired_dot1x_eap_tls_manual.certs.country}}", + "state": "{{.wired_dot1x_eap_tls_manual.certs.state}}", + "locality": "{{.wired_dot1x_eap_tls_manual.certs.locality}}", + "ocsp_url": "{{.wired_dot1x_eap_tls_manual.certs.ocsp_url}}", + "scep_enabled": "{{.wired_dot1x_eap_tls_manual.certs.user.scep_enabled}}", + "scep_challenge_password": "{{.wired_dot1x_eap_tls_manual.certs.user.scep_challenge_password}}", + "scep_days_before_renewal": 
"{{.wired_dot1x_eap_tls_manual.certs.user.scep_days_before_renewal}}" } headers: "Authorization": "{{.get_login_token.json.result.token}}" @@ -298,8 +298,8 @@ testcases: body: >- { "profile_id": "{{.create_user_cert_template.profile_id}}", - "cn": "{{.wired_dot1x_eap_tls.certs.user.cn}}", - "mail": "{{.wired_dot1x_eap_tls.certs.user.mail}}" + "cn": "{{.wired_dot1x_eap_tls_manual.certs.user.cn}}", + "mail": "{{.wired_dot1x_eap_tls_manual.certs.user.mail}}" } headers: "Authorization": "{{.get_login_token.json.result.token}}" diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_manual/10_enable_ocsp.yml b/t/venom/test_suites/wired_dot1x_eap_tls_manual/10_enable_ocsp.yml index 2f7ea777b4fc..7cab8860dcda 100644 --- a/t/venom/test_suites/wired_dot1x_eap_tls_manual/10_enable_ocsp.yml +++ b/t/venom/test_suites/wired_dot1x_eap_tls_manual/10_enable_ocsp.yml @@ -12,13 +12,13 @@ testcases: ignore_verify_ssl: true body: >- { - "id": "{{.wired_dot1x_eap_tls.ocsp.id}}", - "ocsp_enable": "{{.wired_dot1x_eap_tls.ocsp.enable}}", - "ocsp_url": "{{.wired_dot1x_eap_tls.ocsp.url}}", - "ocsp_override_cert_url": "{{.wired_dot1x_eap_tls.ocsp.override_cert_url}}", - "ocsp_softfail": "{{.wired_dot1x_eap_tls.ocsp.softfail}}", - "ocsp_timeout": "{{.wired_dot1x_eap_tls.ocsp.timeout}}", - "ocsp_use_nonce": "{{.wired_dot1x_eap_tls.ocsp.use_nonce}}" + "id": "{{.wired_dot1x_eap_tls_manual.ocsp.id}}", + "ocsp_enable": "{{.wired_dot1x_eap_tls_manual.ocsp.enable}}", + "ocsp_url": "{{.wired_dot1x_eap_tls_manual.ocsp.url}}", + "ocsp_override_cert_url": "{{.wired_dot1x_eap_tls_manual.ocsp.override_cert_url}}", + "ocsp_softfail": "{{.wired_dot1x_eap_tls_manual.ocsp.softfail}}", + "ocsp_timeout": "{{.wired_dot1x_eap_tls_manual.ocsp.timeout}}", + "ocsp_use_nonce": "{{.wired_dot1x_eap_tls_manual.ocsp.use_nonce}}" } headers: "Authorization": "{{.get_login_token.json.result.token}}" 
@@ -35,7 +35,7 @@ testcases: body: >- { "id": "tls-common", - "ocsp": "{{.wired_dot1x_eap_tls.ocsp.id}}" + "ocsp": "{{.wired_dot1x_eap_tls_manual.ocsp.id}}" } headers: "Authorization": "{{.get_login_token.json.result.token}}" diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_manual/45_create_eaptls_source.yml b/t/venom/test_suites/wired_dot1x_eap_tls_manual/45_create_eaptls_source.yml index c132d8cec476..7fb00c3fc52c 100644 --- a/t/venom/test_suites/wired_dot1x_eap_tls_manual/45_create_eaptls_source.yml +++ b/t/venom/test_suites/wired_dot1x_eap_tls_manual/45_create_eaptls_source.yml @@ -21,24 +21,24 @@ testcases: "actions": [ { "type": "set_role", - "value": "{{.wired_dot1x_eap_tls.roles.dot1x_eap_tls.id}}" + "value": "{{.wired_dot1x_eap_tls_manual.roles.dot1x_eap_tls.id}}" }, { "type": "set_access_duration", - "value": "{{.wired_dot1x_eap_tls.sources.eaptls.access_duration}}" + "value": "{{.wired_dot1x_eap_tls_manual.sources.eaptls.access_duration}}" } ], "conditions": [ { "attribute": "radius_request.TLS-Client-Cert-Issuer", "operator": "equals", - "value": "{{.wired_dot1x_eap_tls.certs.ca.issuer}}" + "value": "{{.wired_dot1x_eap_tls_manual.certs.ca.issuer}}" } ] } ], - "description": "{{.wired_dot1x_eap_tls.sources.eaptls.description}}", - "id": "{{.wired_dot1x_eap_tls.sources.eaptls.name}}", + "description": "{{.wired_dot1x_eap_tls_manual.sources.eaptls.description}}", + "id": "{{.wired_dot1x_eap_tls_manual.sources.eaptls.name}}", "realms": "", "set_access_durations_action": null, "type": "EAPTLS" diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_manual/50_create_connection_profile.yml b/t/venom/test_suites/wired_dot1x_eap_tls_manual/50_create_connection_profile.yml index bc4a2c24245f..cbeabf737910 100644 --- a/t/venom/test_suites/wired_dot1x_eap_tls_manual/50_create_connection_profile.yml +++ b/t/venom/test_suites/wired_dot1x_eap_tls_manual/50_create_connection_profile.yml 
@@ -22,22 +22,22 @@ testcases: "unit": "m" }, "default_psk_key": null, - "description": "{{.wired_dot1x_eap_tls.profiles.wired.description}}", + "description": "{{.wired_dot1x_eap_tls_manual.profiles.wired.description}}", "dot1x_recompute_role_from_portal": "enabled", "dot1x_unset_on_unmatch": "disabled", "dpsk": "disabled", "filter": [ { "type": "connection_type", - "match": "{{.wired_dot1x_eap_tls.profiles.wired.filters.connection_type}}" + "match": "{{.wired_dot1x_eap_tls_manual.profiles.wired.filters.connection_type}}" }, { "type": "connection_sub_type", - "match": "{{.wired_dot1x_eap_tls.profiles.wired.filters.connection_sub_type}}" + "match": "{{.wired_dot1x_eap_tls_manual.profiles.wired.filters.connection_sub_type}}" } ], "filter_match_style": "all", - "id": "{{.wired_dot1x_eap_tls.profiles.wired.id}}", + "id": "{{.wired_dot1x_eap_tls_manual.profiles.wired.id}}", "locale": null, "login_attempt_limit": 0, "logo": null, @@ -54,10 +54,10 @@ testcases: "sms_pin_retry_limit": 0, "sms_request_limit": 0, "sources": [ - "{{.wired_dot1x_eap_tls.sources.eaptls.name}}" + "{{.wired_dot1x_eap_tls_manual.sources.eaptls.name}}" ], "status": "enabled", - "unreg_on_acct_stop": "{{.wired_dot1x_eap_tls.profiles.wired.unreg_on_acct_stop}}", + "unreg_on_acct_stop": "{{.wired_dot1x_eap_tls_manual.profiles.wired.unreg_on_acct_stop}}", "vlan_pool_technique": "username_hash" } headers: diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_manual/75_deploy_certificates_on_node01.yml b/t/venom/test_suites/wired_dot1x_eap_tls_manual/75_deploy_certificates_on_node01.yml index d7e1d8b0f53b..0deb6feaade3 100644 --- a/t/venom/test_suites/wired_dot1x_eap_tls_manual/75_deploy_certificates_on_node01.yml +++ b/t/venom/test_suites/wired_dot1x_eap_tls_manual/75_deploy_certificates_on_node01.yml 
@@ -13,4 +13,4 @@ testcases: host: '{{.node01_mgmt_ip}}' user: '{{.ssh_user}}' command: | - sudo cp -v /home/vagrant/{{.wired_dot1x_eap_tls.certs.user.cn}}/* /etc/wpa_supplicant/eap_tls/ + sudo cp -v /home/vagrant/{{.wired_dot1x_eap_tls_manual.certs.user.cn}}/* /etc/wpa_supplicant/eap_tls/ diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_manual/91_check_radius_audit_log.yml b/t/venom/test_suites/wired_dot1x_eap_tls_manual/91_check_radius_audit_log.yml index 1b3e2797f3fe..a4f4152a5e9b 100644 --- a/t/venom/test_suites/wired_dot1x_eap_tls_manual/91_check_radius_audit_log.yml +++ b/t/venom/test_suites/wired_dot1x_eap_tls_manual/91_check_radius_audit_log.yml @@ -61,7 +61,7 @@ testcases: { "field": "connection_type", "op": "equals", - "value": "{{.wired_dot1x_eap_tls.profiles.wired.filters.connection_type}}" + "value": "{{.wired_dot1x_eap_tls_manual.profiles.wired.filters.connection_type}}" } ] }, @@ -99,5 +99,5 @@ testcases: "Content-Type": "application/json" assertions: - result.statuscode ShouldEqual 200 - - result.bodyjson.item.radius_reply ShouldContainSubstring 'Tunnel-Private-Group-Id = "{{.wired_dot1x_eap_tls.roles.dot1x_eap_tls.vlan_id}}"' - - result.bodyjson.item.profile ShouldEqual "{{.wired_dot1x_eap_tls.profiles.wired.id}}" + - result.bodyjson.item.radius_reply ShouldContainSubstring 'Tunnel-Private-Group-Id = "{{.wired_dot1x_eap_tls_manual.roles.dot1x_eap_tls.vlan_id}}"' + - result.bodyjson.item.profile ShouldEqual "{{.wired_dot1x_eap_tls_manual.profiles.wired.id}}" diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_manual/95_check_autoregister_node.yml b/t/venom/test_suites/wired_dot1x_eap_tls_manual/95_check_autoregister_node.yml index f0492418d30c..894f6672ea45 100644 --- a/t/venom/test_suites/wired_dot1x_eap_tls_manual/95_check_autoregister_node.yml +++ b/t/venom/test_suites/wired_dot1x_eap_tls_manual/95_check_autoregister_node.yml 
@@ -16,8 +16,8 @@ testcases: assertions: - result.statuscode ShouldEqual 200 - result.bodyjson.item.autoreg ShouldEqual yes - - result.bodyjson.item.category ShouldEqual "{{.wired_dot1x_eap_tls.roles.dot1x_eap_tls.id}}" - - result.bodyjson.item.pid ShouldEqual "{{.wired_dot1x_eap_tls.certs.user.cn}}" + - result.bodyjson.item.category ShouldEqual "{{.wired_dot1x_eap_tls_manual.roles.dot1x_eap_tls.id}}" + - result.bodyjson.item.pid ShouldEqual "{{.wired_dot1x_eap_tls_manual.certs.user.cn}}" - result.bodyjson.item.status ShouldEqual reg vars: regdate: @@ -33,7 +33,7 @@ testcases: # - type: exec # script: | # perl -I/usr/local/pf/lib -I/usr/local/pf/lib_perl/lib/perl5 -Mpf::config::util \ -# -e 'my @times = get_translatable_time("{{.wired_dot1x_eap_tls.sources.eaptls.access_duration}}"); print("$times[2]$times[1]");' +# -e 'my @times = get_translatable_time("{{.wired_dot1x_eap_tls_manual.sources.eaptls.access_duration}}"); print("$times[2]$times[1]");' # vars: # translatable_time: # from: result.systemout diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_manual/teardown/90_teardown.yml b/t/venom/test_suites/wired_dot1x_eap_tls_manual/teardown/90_teardown.yml index 5c171990583a..e537554be66b 100644 --- a/t/venom/test_suites/wired_dot1x_eap_tls_manual/teardown/90_teardown.yml +++ b/t/venom/test_suites/wired_dot1x_eap_tls_manual/teardown/90_teardown.yml @@ -8,7 +8,7 @@ testcases: steps: - type: http method: DELETE - url: '{{.pfserver_webadmin_url}}/api/v1/config/connection_profile/{{.wired_dot1x_eap_tls.profiles.wired.id}}' + url: '{{.pfserver_webadmin_url}}/api/v1/config/connection_profile/{{.wired_dot1x_eap_tls_manual.profiles.wired.id}}' ignore_verify_ssl: true headers: "Authorization": "{{.get_login_token.json.result.token}}" 
@@ -20,7 +20,7 @@ testcases: steps: - type: http method: DELETE - url: '{{.pfserver_webadmin_url}}/api/v1/config/source/{{.wired_dot1x_eap_tls.sources.eaptls.name}}' + url: '{{.pfserver_webadmin_url}}/api/v1/config/source/{{.wired_dot1x_eap_tls_manual.sources.eaptls.name}}' ignore_verify_ssl: true headers: "Authorization": "{{.get_login_token.json.result.token}}" @@ -50,7 +50,7 @@ testcases: steps: - type: http method: DELETE - url: '{{.pfserver_webadmin_url}}/api/v1/config/radiusd/ocsp_profile/{{.wired_dot1x_eap_tls.ocsp.id}}' + url: '{{.pfserver_webadmin_url}}/api/v1/config/radiusd/ocsp_profile/{{.wired_dot1x_eap_tls_manual.ocsp.id}}' ignore_verify_ssl: true headers: "Authorization": "{{.get_login_token.json.result.token}}" diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_scep/00_create_pki.yml b/t/venom/test_suites/wired_dot1x_eap_tls_scep/00_create_pki.yml index f63fee19f375..94e29c9ce248 100644 --- a/t/venom/test_suites/wired_dot1x_eap_tls_scep/00_create_pki.yml +++ b/t/venom/test_suites/wired_dot1x_eap_tls_scep/00_create_pki.yml 
@@ -12,20 +12,20 @@ testcases: ignore_verify_ssl: true body: >- { - "cn": "{{.wired_dot1x_eap_tls.certs.ca.cn}}", - "mail": "{{.wired_dot1x_eap_tls.certs.ca.mail}}", - "organisational_unit": "{{.wired_dot1x_eap_tls.certs.organisational_unit}}", - "organisation": "{{.wired_dot1x_eap_tls.certs.organisation}}", - "country": "{{.wired_dot1x_eap_tls.certs.country}}", - "state": "{{.wired_dot1x_eap_tls.certs.state}}", - "locality": "{{.wired_dot1x_eap_tls.certs.locality}}", - "key_type": "{{.wired_dot1x_eap_tls.certs.key_type}}", - "digest": "{{.wired_dot1x_eap_tls.certs.digest}}", + "cn": "{{.wired_dot1x_eap_tls_manual.certs.ca.cn}}", + "mail": "{{.wired_dot1x_eap_tls_manual.certs.ca.mail}}", + "organisational_unit": "{{.wired_dot1x_eap_tls_manual.certs.organisational_unit}}", + "organisation": "{{.wired_dot1x_eap_tls_manual.certs.organisation}}", + "country": "{{.wired_dot1x_eap_tls_manual.certs.country}}", + "state": "{{.wired_dot1x_eap_tls_manual.certs.state}}", + "locality": "{{.wired_dot1x_eap_tls_manual.certs.locality}}", + "key_type": "{{.wired_dot1x_eap_tls_manual.certs.key_type}}", + "digest": "{{.wired_dot1x_eap_tls_manual.certs.digest}}", "key_usage": "", "extended_key_usage": "", - "days": "{{.wired_dot1x_eap_tls.certs.validity}}", - "key_size": "{{.wired_dot1x_eap_tls.certs.key_size}}", - "ocsp_url": "{{.wired_dot1x_eap_tls.certs.ocsp_url}}" + "days": "{{.wired_dot1x_eap_tls_manual.certs.validity}}", + "key_size": "{{.wired_dot1x_eap_tls_manual.certs.key_size}}", + "ocsp_url": "{{.wired_dot1x_eap_tls_manual.certs.ocsp_url}}" } headers: "Authorization": "{{.get_login_token.json.result.token}}" 
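Review bot: Every new line in this hunk rewrites the variable root to `.wired_dot1x_eap_tls_manual.*` although the file lives under `t/venom/test_suites/wired_dot1x_eap_tls_scep/`, and the same substitution runs through the rest of the SCEP suite (the remaining `00_create_pki.yml` hunks, `10_enable_ocsp.yml`, `45_create_eaptls_source.yml`, `50_create_connection_profile.yml` and `teardown/90_teardown.yml`), so the SCEP suite builds its root CA, templates, OCSP profile, EAP-TLS source and connection profile from the manual suite's variable tree. If both suites are ever run against the same server, the ids taken from that tree (`profiles.wired.id`, `sources.eaptls.name`, `ocsp.id`, the certificate CNs) would presumably collide and each teardown would delete the other suite's objects, and the SCEP user template would inherit the manual suite's `scep_challenge_password` rather than a value owned by this suite. A separate `wired_dot1x_eap_tls_scep` tree in `t/venom/vars/all.yml` (which this patch goes on to touch) with at least its own ids, CNs and challenge password, referenced as `"cn": "{{.wired_dot1x_eap_tls_scep.certs.ca.cn}}"` here, would keep the two suites independent. The subject marks this as a draft, so this may be an intended interim step; if so, a `# TODO: switch to the wired_dot1x_eap_tls_scep variable tree` at the top of each SCEP file would record it.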
@@ -46,19 +46,19 @@ testcases: body: >- { "ca_id": "{{.create_root_ca.ca_id}}", - "name": "{{.wired_dot1x_eap_tls.templates.radius.name}}", - "validity": "{{.wired_dot1x_eap_tls.certs.validity}}", - "key_type": "{{.wired_dot1x_eap_tls.certs.key_type}}", - "digest": "{{.wired_dot1x_eap_tls.certs.digest}}", + "name": "{{.wired_dot1x_eap_tls_manual.templates.radius.name}}", + "validity": "{{.wired_dot1x_eap_tls_manual.certs.validity}}", + "key_type": "{{.wired_dot1x_eap_tls_manual.certs.key_type}}", + "digest": "{{.wired_dot1x_eap_tls_manual.certs.digest}}", "key_usage": "", "extended_key_usage": "1", - "key_size": "{{.wired_dot1x_eap_tls.certs.key_size}}", - "organisational_unit": "{{.wired_dot1x_eap_tls.certs.organisational_unit}}", - "organisation": "{{.wired_dot1x_eap_tls.certs.organisation}}", - "country": "{{.wired_dot1x_eap_tls.certs.country}}", - "state": "{{.wired_dot1x_eap_tls.certs.state}}", - "locality": "{{.wired_dot1x_eap_tls.certs.locality}}", - "ocsp_url": "{{.wired_dot1x_eap_tls.certs.ocsp_url}}" + "key_size": "{{.wired_dot1x_eap_tls_manual.certs.key_size}}", + "organisational_unit": "{{.wired_dot1x_eap_tls_manual.certs.organisational_unit}}", + "organisation": "{{.wired_dot1x_eap_tls_manual.certs.organisation}}", + "country": "{{.wired_dot1x_eap_tls_manual.certs.country}}", + "state": "{{.wired_dot1x_eap_tls_manual.certs.state}}", + "locality": "{{.wired_dot1x_eap_tls_manual.certs.locality}}", + "ocsp_url": "{{.wired_dot1x_eap_tls_manual.certs.ocsp_url}}" } headers: "Authorization": "{{.get_login_token.json.result.token}}" 
@@ -78,10 +78,10 @@ testcases: body: >- { "profile_id": "{{.create_pf_radius_cert_template.profile_id}}", - "cn": "{{.wired_dot1x_eap_tls.certs.radius.cn}}", - "mail": "{{.wired_dot1x_eap_tls.certs.radius.mail}}", - "dns_names": "{{.wired_dot1x_eap_tls.certs.radius.dns_names}}", - "ip_addresses": "{{.wired_dot1x_eap_tls.certs.radius.ip_addresses}}" + "cn": "{{.wired_dot1x_eap_tls_manual.certs.radius.cn}}", + "mail": "{{.wired_dot1x_eap_tls_manual.certs.radius.mail}}", + "dns_names": "{{.wired_dot1x_eap_tls_manual.certs.radius.dns_names}}", + "ip_addresses": "{{.wired_dot1x_eap_tls_manual.certs.radius.ip_addresses}}" } headers: "Authorization": "{{.get_login_token.json.result.token}}" 
@@ -104,44 +104,44 @@ testcases: steps: - type: exec script: | - curl -k --output {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.radius.cn}}.p12 \ + curl -k --output {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_manual.certs.radius.cn}}.p12 \ http://127.0.0.1:22225/api/v1/pki/cert/{{.create_pf_radius_cert.serial_number}}/download/secret - name: extract_ca_certificate steps: - type: exec script: | - openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.radius.cn}}.p12 -cacerts -nokeys \ - -out {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.ca.cn}}.crt -passin pass:secret + openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_manual.certs.radius.cn}}.p12 -cacerts -nokeys \ + -out {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_manual.certs.ca.cn}}.crt -passin pass:secret - name: extract_radius_certificate steps: - type: exec script: | - openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.radius.cn}}.p12 -clcerts -nokeys \ - -out {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.radius.cn}}.crt -passin pass:secret + openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_manual.certs.radius.cn}}.p12 -clcerts -nokeys \ + -out {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_manual.certs.radius.cn}}.crt -passin pass:secret - name: extract_radius_key steps: - type: exec script: | - openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.radius.cn}}.p12 -nocerts -nodes \ - -out {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.radius.cn}}.key -passin pass:secret + openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_manual.certs.radius.cn}}.p12 -nocerts -nodes \ + -out {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_manual.certs.radius.cn}}.key -passin pass:secret - name: install_ca_cert steps: - type: 
exec - script: "cp {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.ca.cn}}.crt /usr/local/pf/raddb/certs/ca.pem" + script: "cp {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_manual.certs.ca.cn}}.crt /usr/local/pf/raddb/certs/ca.pem" - name: install_radius_cert steps: - type: exec - script: "cp {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.radius.cn}}.crt /usr/local/pf/raddb/certs/server.crt" + script: "cp {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_manual.certs.radius.cn}}.crt /usr/local/pf/raddb/certs/server.crt" - name: install_radius_key steps: - type: exec - script: "cp {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.radius.cn}}.key /usr/local/pf/raddb/certs/server.key" + script: "cp {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_manual.certs.radius.cn}}.key /usr/local/pf/raddb/certs/server.key" ### HTTP certificate part - name: create_pf_http_cert_template 
@@ -153,19 +153,19 @@ testcases: body: >- { "ca_id": "{{.create_root_ca.ca_id}}", - "name": "{{.wired_dot1x_eap_tls.templates.http.name}}", - "validity": "{{.wired_dot1x_eap_tls.certs.validity}}", - "key_type": "{{.wired_dot1x_eap_tls.certs.key_type}}", - "digest": "{{.wired_dot1x_eap_tls.certs.digest}}", + "name": "{{.wired_dot1x_eap_tls_manual.templates.http.name}}", + "validity": "{{.wired_dot1x_eap_tls_manual.certs.validity}}", + "key_type": "{{.wired_dot1x_eap_tls_manual.certs.key_type}}", + "digest": "{{.wired_dot1x_eap_tls_manual.certs.digest}}", "key_usage": "", "extended_key_usage": "1", - "key_size": "{{.wired_dot1x_eap_tls.certs.key_size}}", - "organisational_unit": "{{.wired_dot1x_eap_tls.certs.organisational_unit}}", - "organisation": "{{.wired_dot1x_eap_tls.certs.organisation}}", - "country": "{{.wired_dot1x_eap_tls.certs.country}}", - "state": "{{.wired_dot1x_eap_tls.certs.state}}", - "locality": "{{.wired_dot1x_eap_tls.certs.locality}}", - "ocsp_url": "{{.wired_dot1x_eap_tls.certs.ocsp_url}}" + "key_size": "{{.wired_dot1x_eap_tls_manual.certs.key_size}}", + "organisational_unit": "{{.wired_dot1x_eap_tls_manual.certs.organisational_unit}}", + "organisation": "{{.wired_dot1x_eap_tls_manual.certs.organisation}}", + "country": "{{.wired_dot1x_eap_tls_manual.certs.country}}", + "state": "{{.wired_dot1x_eap_tls_manual.certs.state}}", + "locality": "{{.wired_dot1x_eap_tls_manual.certs.locality}}", + "ocsp_url": "{{.wired_dot1x_eap_tls_manual.certs.ocsp_url}}" } headers: "Authorization": "{{.get_login_token.json.result.token}}" 
@@ -185,10 +185,10 @@ testcases: body: >- { "profile_id": "{{.create_pf_http_cert_template.profile_id}}", - "cn": "{{.wired_dot1x_eap_tls.certs.http.cn}}", - "mail": "{{.wired_dot1x_eap_tls.certs.http.mail}}", - "dns_names": "{{.wired_dot1x_eap_tls.certs.http.dns_names}}", - "ip_addresses": "{{.wired_dot1x_eap_tls.certs.http.ip_addresses}}" + "cn": "{{.wired_dot1x_eap_tls_manual.certs.http.cn}}", + "mail": "{{.wired_dot1x_eap_tls_manual.certs.http.mail}}", + "dns_names": "{{.wired_dot1x_eap_tls_manual.certs.http.dns_names}}", + "ip_addresses": "{{.wired_dot1x_eap_tls_manual.certs.http.ip_addresses}}" } headers: "Authorization": "{{.get_login_token.json.result.token}}" 
@@ -211,46 +211,46 @@ testcases: steps: - type: exec script: | - curl -k --output {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.http.cn}}.p12 \ + curl -k --output {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_manual.certs.http.cn}}.p12 \ http://127.0.0.1:22225/api/v1/pki/cert/{{.create_pf_http_cert.serial_number}}/download/secret - name: extract_ca_certificate steps: - type: exec script: | - openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.http.cn}}.p12 -cacerts -nokeys \ - -out {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.ca.cn}}.crt -passin pass:secret + openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_manual.certs.http.cn}}.p12 -cacerts -nokeys \ + -out {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_manual.certs.ca.cn}}.crt -passin pass:secret - name: extract_http_certificate steps: - type: exec script: | - openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.http.cn}}.p12 -clcerts -nokeys \ - -out {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.http.cn}}.crt -passin pass:secret + openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_manual.certs.http.cn}}.p12 -clcerts -nokeys \ + -out {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_manual.certs.http.cn}}.crt -passin pass:secret - name: extract_http_key steps: - type: exec script: | - openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.http.cn}}.p12 -nocerts -nodes \ - -out {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.http.cn}}.key -passin pass:secret + openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_manual.certs.http.cn}}.p12 -nocerts -nodes \ + -out {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_manual.certs.http.cn}}.key -passin pass:secret - name: install_http_cert_portal steps: - type: exec script: | - cat 
{{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.http.cn}}.crt \ - {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.http.cn}}.key > /usr/local/pf/conf/ssl/server.pem + cat {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_manual.certs.http.cn}}.crt \ + {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_manual.certs.http.cn}}.key > /usr/local/pf/conf/ssl/server.pem - name: install_http_cert_webadmin steps: - type: exec - script: "cat {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.http.cn}}.crt > /usr/local/pf/conf/ssl/server.crt" + script: "cat {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_manual.certs.http.cn}}.crt > /usr/local/pf/conf/ssl/server.crt" - name: install_http_key_webadmin steps: - type: exec - script: "cat {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.http.cn}}.key > /usr/local/pf/conf/ssl/server.key" + script: "cat {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_manual.certs.http.cn}}.key > /usr/local/pf/conf/ssl/server.key" ### User certificate part 
@@ -263,22 +263,22 @@ testcases: body: >- { "ca_id": "{{.create_root_ca.ca_id}}", - "name": "{{.wired_dot1x_eap_tls.templates.user.name}}", - "validity": "{{.wired_dot1x_eap_tls.certs.validity}}", - "key_type": "{{.wired_dot1x_eap_tls.certs.key_type}}", - "digest": "{{.wired_dot1x_eap_tls.certs.digest}}", + "name": "{{.wired_dot1x_eap_tls_manual.templates.user.name}}", + "validity": "{{.wired_dot1x_eap_tls_manual.certs.validity}}", + "key_type": "{{.wired_dot1x_eap_tls_manual.certs.key_type}}", + "digest": "{{.wired_dot1x_eap_tls_manual.certs.digest}}", "key_usage": "", "extended_key_usage": "2", - "key_size": "{{.wired_dot1x_eap_tls.certs.key_size}}", - "organisational_unit": "{{.wired_dot1x_eap_tls.certs.organisational_unit}}", - "organisation": "{{.wired_dot1x_eap_tls.certs.organisation}}", - "country": "{{.wired_dot1x_eap_tls.certs.country}}", - "state": "{{.wired_dot1x_eap_tls.certs.state}}", - "locality": "{{.wired_dot1x_eap_tls.certs.locality}}", - "ocsp_url": "{{.wired_dot1x_eap_tls.certs.ocsp_url}}", - "scep_enabled": "{{.wired_dot1x_eap_tls.certs.user.scep_enabled}}", - "scep_challenge_password": "{{.wired_dot1x_eap_tls.certs.user.scep_challenge_password}}", - "scep_days_before_renewal": "{{.wired_dot1x_eap_tls.certs.user.scep_days_before_renewal}}" + "key_size": "{{.wired_dot1x_eap_tls_manual.certs.key_size}}", + "organisational_unit": "{{.wired_dot1x_eap_tls_manual.certs.organisational_unit}}", + "organisation": "{{.wired_dot1x_eap_tls_manual.certs.organisation}}", + "country": "{{.wired_dot1x_eap_tls_manual.certs.country}}", + "state": "{{.wired_dot1x_eap_tls_manual.certs.state}}", + "locality": "{{.wired_dot1x_eap_tls_manual.certs.locality}}", + "ocsp_url": "{{.wired_dot1x_eap_tls_manual.certs.ocsp_url}}", + "scep_enabled": "{{.wired_dot1x_eap_tls_manual.certs.user.scep_enabled}}", + "scep_challenge_password": "{{.wired_dot1x_eap_tls_manual.certs.user.scep_challenge_password}}", + "scep_days_before_renewal": 
"{{.wired_dot1x_eap_tls_manual.certs.user.scep_days_before_renewal}}" } headers: "Authorization": "{{.get_login_token.json.result.token}}" @@ -298,8 +298,8 @@ testcases: body: >- { "profile_id": "{{.create_user_cert_template.profile_id}}", - "cn": "{{.wired_dot1x_eap_tls.certs.user.cn}}", - "mail": "{{.wired_dot1x_eap_tls.certs.user.mail}}" + "cn": "{{.wired_dot1x_eap_tls_manual.certs.user.cn}}", + "mail": "{{.wired_dot1x_eap_tls_manual.certs.user.mail}}" } headers: "Authorization": "{{.get_login_token.json.result.token}}" 
@@ -322,26 +322,26 @@ testcases: steps: - type: exec script: | - curl -k --output {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.user.cn}}.p12 \ + curl -k --output {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_manual.certs.user.cn}}.p12 \ http://127.0.0.1:22225/api/v1/pki/cert/{{.create_user_cert.serial_number}}/download/secret - name: extract_ca_certificate steps: - type: exec script: | - openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.user.cn}}.p12 -cacerts -nokeys \ - -out {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.ca.cn}}.crt -passin pass:secret + openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_manual.certs.user.cn}}.p12 -cacerts -nokeys \ + -out {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_manual.certs.ca.cn}}.crt -passin pass:secret - name: extract_user_certificate steps: - type: exec script: | - openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.user.cn}}.p12 -clcerts -nokeys \ - -out {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.user.cn}}.crt -passin pass:secret + openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_manual.certs.user.cn}}.p12 -clcerts -nokeys \ + -out {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_manual.certs.user.cn}}.crt -passin pass:secret - name: extract_user_key steps: - type: exec script: | - openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.user.cn}}.p12 -nocerts -nodes \ - -out {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls.certs.user.cn}}.key -passin pass:secret + openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_manual.certs.user.cn}}.p12 -nocerts -nodes \ + -out {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_manual.certs.user.cn}}.key -passin pass:secret 
diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_scep/10_enable_ocsp.yml b/t/venom/test_suites/wired_dot1x_eap_tls_scep/10_enable_ocsp.yml index 2f7ea777b4fc..7cab8860dcda 100644 --- a/t/venom/test_suites/wired_dot1x_eap_tls_scep/10_enable_ocsp.yml +++ b/t/venom/test_suites/wired_dot1x_eap_tls_scep/10_enable_ocsp.yml @@ -12,13 +12,13 @@ testcases: ignore_verify_ssl: true body: >- { - "id": "{{.wired_dot1x_eap_tls.ocsp.id}}", - "ocsp_enable": "{{.wired_dot1x_eap_tls.ocsp.enable}}", - "ocsp_url": "{{.wired_dot1x_eap_tls.ocsp.url}}", - "ocsp_override_cert_url": "{{.wired_dot1x_eap_tls.ocsp.override_cert_url}}", - "ocsp_softfail": "{{.wired_dot1x_eap_tls.ocsp.softfail}}", - "ocsp_timeout": "{{.wired_dot1x_eap_tls.ocsp.timeout}}", - "ocsp_use_nonce": "{{.wired_dot1x_eap_tls.ocsp.use_nonce}}" + "id": "{{.wired_dot1x_eap_tls_manual.ocsp.id}}", + "ocsp_enable": "{{.wired_dot1x_eap_tls_manual.ocsp.enable}}", + "ocsp_url": "{{.wired_dot1x_eap_tls_manual.ocsp.url}}", + "ocsp_override_cert_url": "{{.wired_dot1x_eap_tls_manual.ocsp.override_cert_url}}", + "ocsp_softfail": "{{.wired_dot1x_eap_tls_manual.ocsp.softfail}}", + "ocsp_timeout": "{{.wired_dot1x_eap_tls_manual.ocsp.timeout}}", + "ocsp_use_nonce": "{{.wired_dot1x_eap_tls_manual.ocsp.use_nonce}}" } headers: "Authorization": "{{.get_login_token.json.result.token}}" @@ -35,7 +35,7 @@ testcases: body: >- { "id": "tls-common", - "ocsp": "{{.wired_dot1x_eap_tls.ocsp.id}}" + "ocsp": "{{.wired_dot1x_eap_tls_manual.ocsp.id}}" } headers: "Authorization": "{{.get_login_token.json.result.token}}" diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_scep/45_create_eaptls_source.yml b/t/venom/test_suites/wired_dot1x_eap_tls_scep/45_create_eaptls_source.yml index c132d8cec476..7fb00c3fc52c 100644 --- a/t/venom/test_suites/wired_dot1x_eap_tls_scep/45_create_eaptls_source.yml +++ b/t/venom/test_suites/wired_dot1x_eap_tls_scep/45_create_eaptls_source.yml 
@@ -21,24 +21,24 @@ testcases: "actions": [ { "type": "set_role", - "value": "{{.wired_dot1x_eap_tls.roles.dot1x_eap_tls.id}}" + "value": "{{.wired_dot1x_eap_tls_manual.roles.dot1x_eap_tls.id}}" }, { "type": "set_access_duration", - "value": "{{.wired_dot1x_eap_tls.sources.eaptls.access_duration}}" + "value": "{{.wired_dot1x_eap_tls_manual.sources.eaptls.access_duration}}" } ], "conditions": [ { "attribute": "radius_request.TLS-Client-Cert-Issuer", "operator": "equals", - "value": "{{.wired_dot1x_eap_tls.certs.ca.issuer}}" + "value": "{{.wired_dot1x_eap_tls_manual.certs.ca.issuer}}" } ] } ], - "description": "{{.wired_dot1x_eap_tls.sources.eaptls.description}}", - "id": "{{.wired_dot1x_eap_tls.sources.eaptls.name}}", + "description": "{{.wired_dot1x_eap_tls_manual.sources.eaptls.description}}", + "id": "{{.wired_dot1x_eap_tls_manual.sources.eaptls.name}}", "realms": "", "set_access_durations_action": null, "type": "EAPTLS" diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_scep/50_create_connection_profile.yml b/t/venom/test_suites/wired_dot1x_eap_tls_scep/50_create_connection_profile.yml index fda494a0502e..39899b69a625 100644 --- a/t/venom/test_suites/wired_dot1x_eap_tls_scep/50_create_connection_profile.yml +++ b/t/venom/test_suites/wired_dot1x_eap_tls_scep/50_create_connection_profile.yml 
@@ -22,22 +22,22 @@ testcases: "unit": "m" }, "default_psk_key": null, - "description": "{{.wired_dot1x_eap_tls.profiles.wired.description}}", + "description": "{{.wired_dot1x_eap_tls_manual.profiles.wired.description}}", "dot1x_recompute_role_from_portal": "enabled", "dot1x_unset_on_unmatch": "disabled", "dpsk": "disabled", "filter": [ { "type": "connection_type", - "match": "{{.wired_dot1x_eap_tls.profiles.wired.filters.connection_type}}" + "match": "{{.wired_dot1x_eap_tls_manual.profiles.wired.filters.connection_type}}" }, { "type": "connection_sub_type", - "match": "{{.wired_dot1x_eap_tls.profiles.wired.filters.connection_sub_type}}" + "match": "{{.wired_dot1x_eap_tls_manual.profiles.wired.filters.connection_sub_type}}" } ], "filter_match_style": "any", - "id": "{{.wired_dot1x_eap_tls.profiles.wired.id}}", + "id": "{{.wired_dot1x_eap_tls_manual.profiles.wired.id}}", "locale": null, "login_attempt_limit": 0, "logo": null, @@ -54,10 +54,10 @@ testcases: "sms_pin_retry_limit": 0, "sms_request_limit": 0, "sources": [ - "{{.wired_dot1x_eap_tls.sources.eaptls.name}}" + "{{.wired_dot1x_eap_tls_manual.sources.eaptls.name}}" ], "status": "enabled", - "unreg_on_acct_stop": "{{.wired_dot1x_eap_tls.profiles.wired.unreg_on_acct_stop}}", + "unreg_on_acct_stop": "{{.wired_dot1x_eap_tls_manual.profiles.wired.unreg_on_acct_stop}}", "vlan_pool_technique": "username_hash" } headers: diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_scep/teardown/90_teardown.yml b/t/venom/test_suites/wired_dot1x_eap_tls_scep/teardown/90_teardown.yml index 5c171990583a..e537554be66b 100644 --- a/t/venom/test_suites/wired_dot1x_eap_tls_scep/teardown/90_teardown.yml +++ b/t/venom/test_suites/wired_dot1x_eap_tls_scep/teardown/90_teardown.yml 
@@ -8,7 +8,7 @@ testcases: steps: - type: http method: DELETE - url: '{{.pfserver_webadmin_url}}/api/v1/config/connection_profile/{{.wired_dot1x_eap_tls.profiles.wired.id}}' + url: '{{.pfserver_webadmin_url}}/api/v1/config/connection_profile/{{.wired_dot1x_eap_tls_manual.profiles.wired.id}}' ignore_verify_ssl: true headers: "Authorization": "{{.get_login_token.json.result.token}}" @@ -20,7 +20,7 @@ testcases: steps: - type: http method: DELETE - url: '{{.pfserver_webadmin_url}}/api/v1/config/source/{{.wired_dot1x_eap_tls.sources.eaptls.name}}' + url: '{{.pfserver_webadmin_url}}/api/v1/config/source/{{.wired_dot1x_eap_tls_manual.sources.eaptls.name}}' ignore_verify_ssl: true headers: "Authorization": "{{.get_login_token.json.result.token}}" @@ -50,7 +50,7 @@ testcases: steps: - type: http method: DELETE - url: '{{.pfserver_webadmin_url}}/api/v1/config/radiusd/ocsp_profile/{{.wired_dot1x_eap_tls.ocsp.id}}' + url: '{{.pfserver_webadmin_url}}/api/v1/config/radiusd/ocsp_profile/{{.wired_dot1x_eap_tls_manual.ocsp.id}}' ignore_verify_ssl: true headers: "Authorization": "{{.get_login_token.json.result.token}}" diff --git a/t/venom/vars/all.yml b/t/venom/vars/all.yml index db1ec891ec39..c10fb9cf926f 100644 --- a/t/venom/vars/all.yml +++ b/t/venom/vars/all.yml 
@@ -294,81 +294,150 @@ captive_portal.profiles.locales4: it_IT captive_portal.reg.url: 'https://{{.configurator.interfaces.reg.ip}}/captive-portal' ################################################################################ -# wired_dot1x_eap_tls test suite specific variables +# wired_dot1x_eap_tls_manual test suite specific variables ################################################################################ ### General settings for certs -wired_dot1x_eap_tls.certs.validity: 750 -wired_dot1x_eap_tls.certs.key_size: 2048 -wired_dot1x_eap_tls.certs.key_type: 1 -wired_dot1x_eap_tls.certs.digest: 4 -wired_dot1x_eap_tls.certs.country: CA -wired_dot1x_eap_tls.certs.state: Quebec -wired_dot1x_eap_tls.certs.locality: Montreal -wired_dot1x_eap_tls.certs.organisation: Inverse -wired_dot1x_eap_tls.certs.organisational_unit: PacketFence -wired_dot1x_eap_tls.certs.ocsp_url: 'https://127.0.0.1:22225/api/v1/pki/ocsp' +wired_dot1x_eap_tls_manual.certs.validity: 750 +wired_dot1x_eap_tls_manual.certs.key_size: 2048 +wired_dot1x_eap_tls_manual.certs.key_type: 1 +wired_dot1x_eap_tls_manual.certs.digest: 4 +wired_dot1x_eap_tls_manual.certs.country: CA +wired_dot1x_eap_tls_manual.certs.state: Quebec +wired_dot1x_eap_tls_manual.certs.locality: Montreal +wired_dot1x_eap_tls_manual.certs.organisation: Inverse +wired_dot1x_eap_tls_manual.certs.organisational_unit: PacketFence +wired_dot1x_eap_tls_manual.certs.ocsp_url: 'https://127.0.0.1:22225/api/v1/pki/ocsp' # CA -wired_dot1x_eap_tls.certs.ca.cn: InverseCA -wired_dot1x_eap_tls.certs.ca.mail: '{{.configurator.email}}' +wired_dot1x_eap_tls_manual.certs.ca.cn: InverseCA1 +wired_dot1x_eap_tls_manual.certs.ca.mail: '{{.configurator.email}}' -wired_dot1x_eap_tls.certs.ca.issuer: 
"/C={{.wired_dot1x_eap_tls.certs.country}}/ST={{.wired_dot1x_eap_tls.certs.state}}/L={{.wired_dot1x_eap_tls.certs.locality}}/O={{.wired_dot1x_eap_tls.certs.organisation}}/OU={{.wired_dot1x_eap_tls.certs.organisational_unit}}/CN={{.wired_dot1x_eap_tls.certs.ca.cn}}" +wired_dot1x_eap_tls_manual.certs.ca.issuer: "/C={{.wired_dot1x_eap_tls_manual.certs.country}}/ST={{.wired_dot1x_eap_tls_manual.certs.state}}/L={{.wired_dot1x_eap_tls_manual.certs.locality}}/O={{.wired_dot1x_eap_tls_manual.certs.organisation}}/OU={{.wired_dot1x_eap_tls_manual.certs.organisational_unit}}/CN={{.wired_dot1x_eap_tls_manual.certs.ca.cn}}" ### Templates -wired_dot1x_eap_tls.templates.radius.name: '{{.wired_dot1x_eap_tls.certs.ca.cn}}_radius' -wired_dot1x_eap_tls.templates.http.name: '{{.wired_dot1x_eap_tls.certs.ca.cn}}_http' -wired_dot1x_eap_tls.templates.user.name: '{{.wired_dot1x_eap_tls.certs.ca.cn}}_user' +wired_dot1x_eap_tls_manual.templates.radius.name: '{{.wired_dot1x_eap_tls_manual.certs.ca.cn}}_radius' +wired_dot1x_eap_tls_manual.templates.http.name: '{{.wired_dot1x_eap_tls_manual.certs.ca.cn}}_http' +wired_dot1x_eap_tls_manual.templates.user.name: '{{.wired_dot1x_eap_tls_manual.certs.ca.cn}}_user' # RADIUS cert -wired_dot1x_eap_tls.certs.radius.cn: '{{.wired_dot1x_eap_tls.templates.radius.name}}_cert' -wired_dot1x_eap_tls.certs.radius.mail: '{{.configurator.email}}' -wired_dot1x_eap_tls.certs.radius.dns_names: '{{.configurator.hostname}}.{{.configurator.domain}}' -wired_dot1x_eap_tls.certs.radius.ip_addresses: '{{.configurator.interfaces.mgmt.ip}}' +wired_dot1x_eap_tls_manual.certs.radius.cn: '{{.wired_dot1x_eap_tls_manual.templates.radius.name}}_cert' +wired_dot1x_eap_tls_manual.certs.radius.mail: '{{.configurator.email}}' +wired_dot1x_eap_tls_manual.certs.radius.dns_names: '{{.configurator.hostname}}.{{.configurator.domain}}' +wired_dot1x_eap_tls_manual.certs.radius.ip_addresses: '{{.configurator.interfaces.mgmt.ip}}' # HTTP cert -wired_dot1x_eap_tls.certs.http.cn: 
'{{.wired_dot1x_eap_tls.templates.http.name}}_cert' -wired_dot1x_eap_tls.certs.http.mail: '{{.configurator.email}}' -wired_dot1x_eap_tls.certs.http.dns_names: '{{.configurator.hostname}}.{{.configurator.domain}},packetfence.example.lan' -wired_dot1x_eap_tls.certs.http.ip_addresses: '{{.configurator.interfaces.mgmt.ip}},66.70.255.147,{{.configurator.interfaces.reg.ip}},{{.configurator.interfaces.iso.ip}}' +wired_dot1x_eap_tls_manual.certs.http.cn: '{{.wired_dot1x_eap_tls_manual.templates.http.name}}_cert' +wired_dot1x_eap_tls_manual.certs.http.mail: '{{.configurator.email}}' +wired_dot1x_eap_tls_manual.certs.http.dns_names: '{{.configurator.hostname}}.{{.configurator.domain}},packetfence.example.lan' +wired_dot1x_eap_tls_manual.certs.http.ip_addresses: '{{.configurator.interfaces.mgmt.ip}},66.70.255.147,{{.configurator.interfaces.reg.ip}},{{.configurator.interfaces.iso.ip}}' # User cert -wired_dot1x_eap_tls.certs.user.cn: '{{.wired_dot1x_eap_tls.templates.user.name}}_cert' -wired_dot1x_eap_tls.certs.user.mail: '{{.configurator.email}}' -wired_dot1x_eap_tls.certs.user.scep_enabled: 1 -wired_dot1x_eap_tls.certs.user.scep_challenge_password: secret -wired_dot1x_eap_tls.certs.user.scep_days_before_renewal: 7 +wired_dot1x_eap_tls_manual.certs.user.cn: '{{.wired_dot1x_eap_tls_manual.templates.user.name}}_cert' +wired_dot1x_eap_tls_manual.certs.user.mail: '{{.configurator.email}}' +wired_dot1x_eap_tls_manual.certs.user.scep_enabled: 1 +wired_dot1x_eap_tls_manual.certs.user.scep_challenge_password: secret +wired_dot1x_eap_tls_manual.certs.user.scep_days_before_renewal: 7 # OCSP config -wired_dot1x_eap_tls.ocsp.id: ocsp_from_cert -wired_dot1x_eap_tls.ocsp.enable: yes -wired_dot1x_eap_tls.ocsp.url: "" -wired_dot1x_eap_tls.ocsp.override_cert_url: no -wired_dot1x_eap_tls.ocsp.softfail: no -wired_dot1x_eap_tls.ocsp.timeout: 0 -wired_dot1x_eap_tls.ocsp.use_nonce: yes +wired_dot1x_eap_tls_manual.ocsp.id: ocsp_from_cert +wired_dot1x_eap_tls_manual.ocsp.enable: yes 
+wired_dot1x_eap_tls_manual.ocsp.url: "" +wired_dot1x_eap_tls_manual.ocsp.override_cert_url: no +wired_dot1x_eap_tls_manual.ocsp.softfail: no +wired_dot1x_eap_tls_manual.ocsp.timeout: 0 +wired_dot1x_eap_tls_manual.ocsp.use_nonce: yes # Roles -wired_dot1x_eap_tls.roles.dot1x_eap_tls.id: dot1x_eap_tls -wired_dot1x_eap_tls.roles.dot1x_eap_tls.notes: 802.1x role for PacketFence PKI -wired_dot1x_eap_tls.roles.dot1x_eap_tls.vlan_id: 100 +wired_dot1x_eap_tls_manual.roles.dot1x_eap_tls.id: dot1x_eap_tls +wired_dot1x_eap_tls_manual.roles.dot1x_eap_tls.notes: 802.1x role for PacketFence PKI +wired_dot1x_eap_tls_manual.roles.dot1x_eap_tls.vlan_id: 100 # Sources -wired_dot1x_eap_tls.sources.eaptls.name: 'eaptls' -wired_dot1x_eap_tls.sources.eaptls.description: 'EAP-TLS source' -wired_dot1x_eap_tls.sources.eaptls.access_duration: '{{.access_duration.default_choice}}' +wired_dot1x_eap_tls_manual.sources.eaptls.name: 'eaptls' +wired_dot1x_eap_tls_manual.sources.eaptls.description: 'EAP-TLS source' +wired_dot1x_eap_tls_manual.sources.eaptls.access_duration: '{{.access_duration.default_choice}}' # Connection profiles -wired_dot1x_eap_tls.profiles.wired.id: catch_dot1x_wired_eap_tls -wired_dot1x_eap_tls.profiles.wired.description: 802.1X wired EAP-TLS -wired_dot1x_eap_tls.profiles.wired.filters.connection_type: Ethernet-EAP -wired_dot1x_eap_tls.profiles.wired.filters.connection_sub_type: EAP-TLS -wired_dot1x_eap_tls.profiles.wired.unreg_on_acct_stop: enabled +wired_dot1x_eap_tls_manual.profiles.wired.id: catch_dot1x_wired_eap_tls +wired_dot1x_eap_tls_manual.profiles.wired.description: 802.1X wired EAP-TLS +wired_dot1x_eap_tls_manual.profiles.wired.filters.connection_type: Ethernet-EAP +wired_dot1x_eap_tls_manual.profiles.wired.filters.connection_sub_type: EAP-TLS +wired_dot1x_eap_tls_manual.profiles.wired.unreg_on_acct_stop: enabled -# wired_dot1x_eap_tls_manual +# Path to client certificates wired_dot1x_eap_tls_manual.paths.clients_directory: /root/client_certificates 
-wired_dot1x_eap_tls_manual.paths.per_client_directory: '{{.wired_dot1x_eap_tls_manual.paths.clients_directory}}/{{.wired_dot1x_eap_tls.certs.user.cn}}' +wired_dot1x_eap_tls_manual.paths.per_client_directory: '{{.wired_dot1x_eap_tls_manual.paths.clients_directory}}/{{.wired_dot1x_eap_tls_manual.certs.user.cn}}' -# wired_dot1x_eap_tls_scep +################################################################################ +# wired_dot1x_eap_tls_scep test suite specific variables +################################################################################ +### General settings for certs +wired_dot1x_eap_tls_scep.certs.validity: 750 +wired_dot1x_eap_tls_scep.certs.key_size: 2048 +wired_dot1x_eap_tls_scep.certs.key_type: 1 +wired_dot1x_eap_tls_scep.certs.digest: 4 +wired_dot1x_eap_tls_scep.certs.country: CA +wired_dot1x_eap_tls_scep.certs.state: Quebec +wired_dot1x_eap_tls_scep.certs.locality: Montreal +wired_dot1x_eap_tls_scep.certs.organisation: Inverse +wired_dot1x_eap_tls_scep.certs.organisational_unit: PacketFence +wired_dot1x_eap_tls_scep.certs.ocsp_url: 'https://127.0.0.1:22225/api/v1/pki/ocsp' + +# CA +wired_dot1x_eap_tls_scep.certs.ca.cn: InverseCA2 +wired_dot1x_eap_tls_scep.certs.ca.mail: '{{.configurator.email}}' + +wired_dot1x_eap_tls_scep.certs.ca.issuer: "/C={{.wired_dot1x_eap_tls_scep.certs.country}}/ST={{.wired_dot1x_eap_tls_scep.certs.state}}/L={{.wired_dot1x_eap_tls_scep.certs.locality}}/O={{.wired_dot1x_eap_tls_scep.certs.organisation}}/OU={{.wired_dot1x_eap_tls_scep.certs.organisational_unit}}/CN={{.wired_dot1x_eap_tls_scep.certs.ca.cn}}" + +### Templates +wired_dot1x_eap_tls_scep.templates.radius.name: '{{.wired_dot1x_eap_tls_scep.certs.ca.cn}}_radius' +wired_dot1x_eap_tls_scep.templates.http.name: '{{.wired_dot1x_eap_tls_scep.certs.ca.cn}}_http' +wired_dot1x_eap_tls_scep.templates.user.name: '{{.wired_dot1x_eap_tls_scep.certs.ca.cn}}_user' + +# RADIUS cert +wired_dot1x_eap_tls_scep.certs.radius.cn: 
'{{.wired_dot1x_eap_tls_scep.templates.radius.name}}_cert' +wired_dot1x_eap_tls_scep.certs.radius.mail: '{{.configurator.email}}' +wired_dot1x_eap_tls_scep.certs.radius.dns_names: '{{.configurator.hostname}}.{{.configurator.domain}}' +wired_dot1x_eap_tls_scep.certs.radius.ip_addresses: '{{.configurator.interfaces.mgmt.ip}}' + +# HTTP cert +wired_dot1x_eap_tls_scep.certs.http.cn: '{{.wired_dot1x_eap_tls_scep.templates.http.name}}_cert' +wired_dot1x_eap_tls_scep.certs.http.mail: '{{.configurator.email}}' +wired_dot1x_eap_tls_scep.certs.http.dns_names: '{{.configurator.hostname}}.{{.configurator.domain}},packetfence.example.lan' +wired_dot1x_eap_tls_scep.certs.http.ip_addresses: '{{.configurator.interfaces.mgmt.ip}},66.70.255.147,{{.configurator.interfaces.reg.ip}},{{.configurator.interfaces.iso.ip}}' + +# User cert +wired_dot1x_eap_tls_scep.certs.user.cn: '{{.wired_dot1x_eap_tls_scep.templates.user.name}}_cert' +wired_dot1x_eap_tls_scep.certs.user.mail: '{{.configurator.email}}' +wired_dot1x_eap_tls_scep.certs.user.scep_enabled: 1 +wired_dot1x_eap_tls_scep.certs.user.scep_challenge_password: secret +wired_dot1x_eap_tls_scep.certs.user.scep_days_before_renewal: 7 + +# OCSP config +wired_dot1x_eap_tls_scep.ocsp.id: ocsp_from_cert +wired_dot1x_eap_tls_scep.ocsp.enable: yes +wired_dot1x_eap_tls_scep.ocsp.url: "" +wired_dot1x_eap_tls_scep.ocsp.override_cert_url: no +wired_dot1x_eap_tls_scep.ocsp.softfail: no +wired_dot1x_eap_tls_scep.ocsp.timeout: 0 +wired_dot1x_eap_tls_scep.ocsp.use_nonce: yes + +# Roles +wired_dot1x_eap_tls_scep.roles.dot1x_eap_tls.id: dot1x_eap_tls +wired_dot1x_eap_tls_scep.roles.dot1x_eap_tls.notes: 802.1x role for PacketFence PKI +wired_dot1x_eap_tls_scep.roles.dot1x_eap_tls.vlan_id: 100 + +# Sources +wired_dot1x_eap_tls_scep.sources.eaptls.name: 'eaptls' +wired_dot1x_eap_tls_scep.sources.eaptls.description: 'EAP-TLS source' +wired_dot1x_eap_tls_scep.sources.eaptls.access_duration: '{{.access_duration.default_choice}}' + +# Connection profiles 
+wired_dot1x_eap_tls_scep.profiles.wired.id: catch_dot1x_wired_eap_tls +wired_dot1x_eap_tls_scep.profiles.wired.description: 802.1X wired EAP-TLS +wired_dot1x_eap_tls_scep.profiles.wired.filters.connection_type: Ethernet-EAP +wired_dot1x_eap_tls_scep.profiles.wired.filters.connection_sub_type: EAP-TLS +wired_dot1x_eap_tls_scep.profiles.wired.unreg_on_acct_stop: enabled ################################################################################ # pfdhcplistener_single_tenant test suite specific variables From 885b855e5ddbda147ba588e0ffd8b712ad5cbfe2 Mon Sep 17 00:00:00 2001 From: nqb Date: Thu, 21 Oct 2021 15:54:52 +0200 Subject: [PATCH 09/14] manual: update description --- .../wired_dot1x_eap_tls_manual/TESTSUITE.md | 29 ++++++++++++++----- 1 file changed, 21 insertions(+), 8 deletions(-) diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_manual/TESTSUITE.md b/t/venom/test_suites/wired_dot1x_eap_tls_manual/TESTSUITE.md index 7a8da84bfb6a..6e0fb884b733 100644 --- a/t/venom/test_suites/wired_dot1x_eap_tls_manual/TESTSUITE.md +++ b/t/venom/test_suites/wired_dot1x_eap_tls_manual/TESTSUITE.md 
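Review bot: The new `wired_dot1x_eap_tls_scep.*` block gives the OCSP profile, EAP-TLS source, connection profile and role the same ids as the `_manual` block (`ocsp_from_cert`, `eaptls`, `catch_dot1x_wired_eap_tls`, `dot1x_eap_tls`), while only the CA CN was made distinct (`InverseCA1` / `InverseCA2`). If the manual suite's teardown does not complete, the scep suite's create steps presumably hit an already-existing object, and a stale `eaptls` source would still carry the `InverseCA1` issuer condition, so a failure would be attributed to the wrong suite. Suffixing the ids the same way as the CA, e.g. `wired_dot1x_eap_tls_scep.ocsp.id: ocsp_from_cert_scep` and `wired_dot1x_eap_tls_scep.sources.eaptls.name: 'eaptls_scep'`, keeps the two suites independent of each other's cleanup. Every other value in the block is a byte-for-byte copy of the manual block; a comment such as `# Keep in sync with the wired_dot1x_eap_tls_manual block above` would at least flag the duplication to the next editor.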
@@ -49,13 +49,26 @@ TODO: 1. Check Internet access *on* node01 (common) = down ## Teardown steps -TBD but identical to dot1x_eap_peap scenario (based on unreg_on_accounting_stop) +1. Kill wpa_supplicant: an accounting stop will be generated if we wait + EAP-TIMEOUT on the switch (not the case here due to next task). Access is + still working until we run next task. +1. Unconfigure switch port and dynamic VLAN on switch01 + 1. Generate a RADIUS Accounting stop message (sent by switch01) which update + `last_seen` attribute of node01 and unreg device based on + `unreg_on_accounting_stop` + 1. Don't send a RADIUS Disconnect message +1. Check online status of node01: should be offline due to accounting stop +1. Check node status for node01 +1. Wait `delete_windows` + 10 seconds before running `node_cleanup` task +1. Delete node by running `pfcron's node_cleanup` task +1. Check node has been deleted +1. Disable `node_cleanup` task +1. Restart `pfcron` to take change into account +1. Delete connection profile, EAPTLS source, OCSP profile and configuration +1. Restart RADIUS services (common test suite) -Revoke certificates to avoid issues when you try to create a certificate that -already exists +## Additional notes -Name of CA, templates and certificates should be uniq. Not possible to revoke -or remove CA or template. - -Currently, we replace built-in certificates by PKI certificates. The teardown -doesn't put back built-in certificates. +Reauthentication is done by switch based on `eap_reauth_period` setting to +avoid node been unregistered when it reach unregdate and automatically deleted +by `pfcron` without running teardown steps. From aabfd341b8739eb20a68d8a7863bf35f8d200afb Mon Sep 17 00:00:00 2001 
From: nqb Date: Thu, 21 Oct 2021 15:57:39 +0200 Subject: [PATCH 10/14] scep: sync with manual --- .../00_enable_node_cleanup_task.yml | 1 + .../02_restart_pfcron_service.yml | 1 + .../{00_create_pki.yml => 05_create_pki.yml} | 179 +++++++++--------- .../10_enable_ocsp.yml | 16 +- .../45_create_eaptls_source.yml | 10 +- .../50_create_connection_profile.yml | 14 +- .../60_enable_dot1x_dot1x_int.yml | 1 + .../65_enable_dynamic_vlan.yml | 1 + .../70_commit_config.yml | 1 + .../75_deploy_certificates_on_node01.yml | 16 ++ .../80_run_wpasupplicant.yml | 10 + .../90_sleep_some_time.yml | 6 + .../91_check_radius_audit_log.yml | 103 ++++++++++ .../95_check_autoregister_node.yml | 46 +++++ .../98_check_dot1x_int_status.yml | 22 +++ .../99_check_internet_access.yml | 1 + .../wired_dot1x_eap_tls_scep/TESTSUITE.md | 35 ++-- .../teardown/00_kill_wpasupplicant.yml | 1 + .../teardown/05_disable_dot1x_dot1x_int.yml | 1 + .../teardown/07_disable_dynamic_vlan.yml | 1 + .../teardown/10_commit_config.yml | 1 + .../12_check_offline_status_node01.yml | 1 + .../teardown/15_check_unregistered_node.yml | 22 +++ .../teardown/17_sleep_delete_windows.yml | 1 + ...delete_node01_with_pfcron_node_cleanup.yml | 5 + .../teardown/25_check_node01_deleted.yml | 1 + .../teardown/30_disable_node_cleanup_task.yml | 1 + .../teardown/35_restart_pfcron_service.yml | 1 + .../teardown/90_teardown.yml | 6 +- 29 files changed, 380 insertions(+), 125 deletions(-) create mode 120000 t/venom/test_suites/wired_dot1x_eap_tls_scep/00_enable_node_cleanup_task.yml create mode 120000 t/venom/test_suites/wired_dot1x_eap_tls_scep/02_restart_pfcron_service.yml rename t/venom/test_suites/wired_dot1x_eap_tls_scep/{00_create_pki.yml => 05_create_pki.yml} (52%) create mode 120000 t/venom/test_suites/wired_dot1x_eap_tls_scep/60_enable_dot1x_dot1x_int.yml create mode 120000 t/venom/test_suites/wired_dot1x_eap_tls_scep/65_enable_dynamic_vlan.yml create mode 120000 t/venom/test_suites/wired_dot1x_eap_tls_scep/70_commit_config.yml 
create mode 100644 t/venom/test_suites/wired_dot1x_eap_tls_scep/75_deploy_certificates_on_node01.yml create mode 100644 t/venom/test_suites/wired_dot1x_eap_tls_scep/80_run_wpasupplicant.yml create mode 100644 t/venom/test_suites/wired_dot1x_eap_tls_scep/90_sleep_some_time.yml create mode 100644 t/venom/test_suites/wired_dot1x_eap_tls_scep/91_check_radius_audit_log.yml create mode 100644 t/venom/test_suites/wired_dot1x_eap_tls_scep/95_check_autoregister_node.yml create mode 100644 t/venom/test_suites/wired_dot1x_eap_tls_scep/98_check_dot1x_int_status.yml create mode 120000 t/venom/test_suites/wired_dot1x_eap_tls_scep/99_check_internet_access.yml create mode 120000 t/venom/test_suites/wired_dot1x_eap_tls_scep/teardown/00_kill_wpasupplicant.yml create mode 120000 t/venom/test_suites/wired_dot1x_eap_tls_scep/teardown/05_disable_dot1x_dot1x_int.yml create mode 120000 t/venom/test_suites/wired_dot1x_eap_tls_scep/teardown/07_disable_dynamic_vlan.yml create mode 120000 t/venom/test_suites/wired_dot1x_eap_tls_scep/teardown/10_commit_config.yml create mode 120000 t/venom/test_suites/wired_dot1x_eap_tls_scep/teardown/12_check_offline_status_node01.yml create mode 100644 t/venom/test_suites/wired_dot1x_eap_tls_scep/teardown/15_check_unregistered_node.yml create mode 120000 t/venom/test_suites/wired_dot1x_eap_tls_scep/teardown/17_sleep_delete_windows.yml create mode 100644 t/venom/test_suites/wired_dot1x_eap_tls_scep/teardown/20_delete_node01_with_pfcron_node_cleanup.yml create mode 120000 t/venom/test_suites/wired_dot1x_eap_tls_scep/teardown/25_check_node01_deleted.yml create mode 120000 t/venom/test_suites/wired_dot1x_eap_tls_scep/teardown/30_disable_node_cleanup_task.yml create mode 120000 t/venom/test_suites/wired_dot1x_eap_tls_scep/teardown/35_restart_pfcron_service.yml 
diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_scep/00_enable_node_cleanup_task.yml b/t/venom/test_suites/wired_dot1x_eap_tls_scep/00_enable_node_cleanup_task.yml
new file mode 120000
index 000000000000..ae3857b0486b
--- /dev/null
+++ b/t/venom/test_suites/wired_dot1x_eap_tls_scep/00_enable_node_cleanup_task.yml
@@ -0,0 +1 @@
+../common/enable_node_cleanup_task.yml
\ No newline at end of file
diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_scep/02_restart_pfcron_service.yml b/t/venom/test_suites/wired_dot1x_eap_tls_scep/02_restart_pfcron_service.yml
new file mode 120000
index 000000000000..7d7621c12032
--- /dev/null
+++ b/t/venom/test_suites/wired_dot1x_eap_tls_scep/02_restart_pfcron_service.yml
@@ -0,0 +1 @@
+../common/restart_pfcron_service.yml
\ No newline at end of file
diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_scep/00_create_pki.yml b/t/venom/test_suites/wired_dot1x_eap_tls_scep/05_create_pki.yml
similarity index 52%
rename from t/venom/test_suites/wired_dot1x_eap_tls_scep/00_create_pki.yml
rename to t/venom/test_suites/wired_dot1x_eap_tls_scep/05_create_pki.yml
index 94e29c9ce248..ac23402d4e8f 100644
--- a/t/venom/test_suites/wired_dot1x_eap_tls_scep/00_create_pki.yml
+++ b/t/venom/test_suites/wired_dot1x_eap_tls_scep/05_create_pki.yml
@@ -12,20 +12,20 @@ testcases: ignore_verify_ssl: true body: >- { - "cn": "{{.wired_dot1x_eap_tls_manual.certs.ca.cn}}", - "mail": "{{.wired_dot1x_eap_tls_manual.certs.ca.mail}}", - "organisational_unit": "{{.wired_dot1x_eap_tls_manual.certs.organisational_unit}}", - "organisation": "{{.wired_dot1x_eap_tls_manual.certs.organisation}}", - "country": "{{.wired_dot1x_eap_tls_manual.certs.country}}", - "state": "{{.wired_dot1x_eap_tls_manual.certs.state}}", - "locality": "{{.wired_dot1x_eap_tls_manual.certs.locality}}", - "key_type": "{{.wired_dot1x_eap_tls_manual.certs.key_type}}", - "digest": "{{.wired_dot1x_eap_tls_manual.certs.digest}}", + "cn": "{{.wired_dot1x_eap_tls_scep.certs.ca.cn}}", + "mail": "{{.wired_dot1x_eap_tls_scep.certs.ca.mail}}", + "organisational_unit": "{{.wired_dot1x_eap_tls_scep.certs.organisational_unit}}", + "organisation": "{{.wired_dot1x_eap_tls_scep.certs.organisation}}", + "country": "{{.wired_dot1x_eap_tls_scep.certs.country}}", + "state": "{{.wired_dot1x_eap_tls_scep.certs.state}}", + "locality": "{{.wired_dot1x_eap_tls_scep.certs.locality}}", + "key_type": "{{.wired_dot1x_eap_tls_scep.certs.key_type}}", + "digest": "{{.wired_dot1x_eap_tls_scep.certs.digest}}", "key_usage": "", "extended_key_usage": "", - "days": "{{.wired_dot1x_eap_tls_manual.certs.validity}}", - "key_size": "{{.wired_dot1x_eap_tls_manual.certs.key_size}}", - "ocsp_url": "{{.wired_dot1x_eap_tls_manual.certs.ocsp_url}}" + "days": "{{.wired_dot1x_eap_tls_scep.certs.validity}}", + "key_size": "{{.wired_dot1x_eap_tls_scep.certs.key_size}}", + "ocsp_url": "{{.wired_dot1x_eap_tls_scep.certs.ocsp_url}}" } headers: "Authorization": "{{.get_login_token.json.result.token}}" 
@@ -46,19 +46,19 @@ testcases: body: >- { "ca_id": "{{.create_root_ca.ca_id}}", - "name": "{{.wired_dot1x_eap_tls_manual.templates.radius.name}}", - "validity": "{{.wired_dot1x_eap_tls_manual.certs.validity}}", - "key_type": "{{.wired_dot1x_eap_tls_manual.certs.key_type}}", - "digest": "{{.wired_dot1x_eap_tls_manual.certs.digest}}", + "name": "{{.wired_dot1x_eap_tls_scep.templates.radius.name}}", + "validity": "{{.wired_dot1x_eap_tls_scep.certs.validity}}", + "key_type": "{{.wired_dot1x_eap_tls_scep.certs.key_type}}", + "digest": "{{.wired_dot1x_eap_tls_scep.certs.digest}}", "key_usage": "", "extended_key_usage": "1", - "key_size": "{{.wired_dot1x_eap_tls_manual.certs.key_size}}", - "organisational_unit": "{{.wired_dot1x_eap_tls_manual.certs.organisational_unit}}", - "organisation": "{{.wired_dot1x_eap_tls_manual.certs.organisation}}", - "country": "{{.wired_dot1x_eap_tls_manual.certs.country}}", - "state": "{{.wired_dot1x_eap_tls_manual.certs.state}}", - "locality": "{{.wired_dot1x_eap_tls_manual.certs.locality}}", - "ocsp_url": "{{.wired_dot1x_eap_tls_manual.certs.ocsp_url}}" + "key_size": "{{.wired_dot1x_eap_tls_scep.certs.key_size}}", + "organisational_unit": "{{.wired_dot1x_eap_tls_scep.certs.organisational_unit}}", + "organisation": "{{.wired_dot1x_eap_tls_scep.certs.organisation}}", + "country": "{{.wired_dot1x_eap_tls_scep.certs.country}}", + "state": "{{.wired_dot1x_eap_tls_scep.certs.state}}", + "locality": "{{.wired_dot1x_eap_tls_scep.certs.locality}}", + "ocsp_url": "{{.wired_dot1x_eap_tls_scep.certs.ocsp_url}}" } headers: "Authorization": "{{.get_login_token.json.result.token}}" 
@@ -78,10 +78,10 @@ testcases: body: >- { "profile_id": "{{.create_pf_radius_cert_template.profile_id}}", - "cn": "{{.wired_dot1x_eap_tls_manual.certs.radius.cn}}", - "mail": "{{.wired_dot1x_eap_tls_manual.certs.radius.mail}}", - "dns_names": "{{.wired_dot1x_eap_tls_manual.certs.radius.dns_names}}", - "ip_addresses": "{{.wired_dot1x_eap_tls_manual.certs.radius.ip_addresses}}" + "cn": "{{.wired_dot1x_eap_tls_scep.certs.radius.cn}}", + "mail": "{{.wired_dot1x_eap_tls_scep.certs.radius.mail}}", + "dns_names": "{{.wired_dot1x_eap_tls_scep.certs.radius.dns_names}}", + "ip_addresses": "{{.wired_dot1x_eap_tls_scep.certs.radius.ip_addresses}}" } headers: "Authorization": "{{.get_login_token.json.result.token}}" 
@@ -104,44 +104,44 @@ testcases: steps: - type: exec script: | - curl -k --output {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_manual.certs.radius.cn}}.p12 \ + curl -k --output {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_scep.certs.radius.cn}}.p12 \ http://127.0.0.1:22225/api/v1/pki/cert/{{.create_pf_radius_cert.serial_number}}/download/secret - name: extract_ca_certificate steps: - type: exec script: | - openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_manual.certs.radius.cn}}.p12 -cacerts -nokeys \ - -out {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_manual.certs.ca.cn}}.crt -passin pass:secret + openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_scep.certs.radius.cn}}.p12 -cacerts -nokeys \ + -out {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_scep.certs.ca.cn}}.crt -passin pass:secret - name: extract_radius_certificate steps: - type: exec script: | - openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_manual.certs.radius.cn}}.p12 -clcerts -nokeys \ - -out {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_manual.certs.radius.cn}}.crt -passin pass:secret + openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_scep.certs.radius.cn}}.p12 -clcerts -nokeys \ + -out {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_scep.certs.radius.cn}}.crt -passin pass:secret - name: extract_radius_key steps: - type: exec script: | - openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_manual.certs.radius.cn}}.p12 -nocerts -nodes \ - -out {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_manual.certs.radius.cn}}.key -passin pass:secret + openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_scep.certs.radius.cn}}.p12 -nocerts -nodes \ + -out {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_scep.certs.radius.cn}}.key -passin pass:secret - 
name: install_ca_cert steps: - type: exec - script: "cp {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_manual.certs.ca.cn}}.crt /usr/local/pf/raddb/certs/ca.pem" + script: "cp {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_scep.certs.ca.cn}}.crt /usr/local/pf/raddb/certs/ca.pem" - name: install_radius_cert steps: - type: exec - script: "cp {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_manual.certs.radius.cn}}.crt /usr/local/pf/raddb/certs/server.crt" + script: "cp {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_scep.certs.radius.cn}}.crt /usr/local/pf/raddb/certs/server.crt" - name: install_radius_key steps: - type: exec - script: "cp {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_manual.certs.radius.cn}}.key /usr/local/pf/raddb/certs/server.key" + script: "cp {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_scep.certs.radius.cn}}.key /usr/local/pf/raddb/certs/server.key" ### HTTP certificate part - name: create_pf_http_cert_template 
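Review bot: Every new-side `openssl pkcs12` line in this hunk passes the PKCS12 password on the command line as `-passin pass:secret`, and the download step embeds what appears to be the same value in the URL path (`/download/secret`), so the password shows up in process listings and in the venom output of each exec script. The suite already keeps `scep_challenge_password` in vars/all.yml; the export password could be held there the same way and supplied through an environment variable, e.g. `-passin env:PKI_P12_PASS` (variable name constructed), with the download URL built from the same variable. The `curl -k` flag has no effect on the plain `http://127.0.0.1:22225` URL and can be dropped; if the PKI endpoint is meant to be reached over TLS, the URL should be `https://` and the CA extracted in the following step used for verification rather than `-k`. The `install_*` steps also overwrite `/usr/local/pf/raddb/certs/ca.pem`, `server.crt` and `server.key` in place without saving the previous files, so the teardown presumably cannot restore the built-in RADIUS certificates; the rest of the testcase list continues outside this hunk.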
@@ -153,19 +153,19 @@ testcases: body: >- { "ca_id": "{{.create_root_ca.ca_id}}", - "name": "{{.wired_dot1x_eap_tls_manual.templates.http.name}}", - "validity": "{{.wired_dot1x_eap_tls_manual.certs.validity}}", - "key_type": "{{.wired_dot1x_eap_tls_manual.certs.key_type}}", - "digest": "{{.wired_dot1x_eap_tls_manual.certs.digest}}", + "name": "{{.wired_dot1x_eap_tls_scep.templates.http.name}}", + "validity": "{{.wired_dot1x_eap_tls_scep.certs.validity}}", + "key_type": "{{.wired_dot1x_eap_tls_scep.certs.key_type}}", + "digest": "{{.wired_dot1x_eap_tls_scep.certs.digest}}", "key_usage": "", "extended_key_usage": "1", - "key_size": "{{.wired_dot1x_eap_tls_manual.certs.key_size}}", - "organisational_unit": "{{.wired_dot1x_eap_tls_manual.certs.organisational_unit}}", - "organisation": "{{.wired_dot1x_eap_tls_manual.certs.organisation}}", - "country": "{{.wired_dot1x_eap_tls_manual.certs.country}}", - "state": "{{.wired_dot1x_eap_tls_manual.certs.state}}", - "locality": "{{.wired_dot1x_eap_tls_manual.certs.locality}}", - "ocsp_url": "{{.wired_dot1x_eap_tls_manual.certs.ocsp_url}}" + "key_size": "{{.wired_dot1x_eap_tls_scep.certs.key_size}}", + "organisational_unit": "{{.wired_dot1x_eap_tls_scep.certs.organisational_unit}}", + "organisation": "{{.wired_dot1x_eap_tls_scep.certs.organisation}}", + "country": "{{.wired_dot1x_eap_tls_scep.certs.country}}", + "state": "{{.wired_dot1x_eap_tls_scep.certs.state}}", + "locality": "{{.wired_dot1x_eap_tls_scep.certs.locality}}", + "ocsp_url": "{{.wired_dot1x_eap_tls_scep.certs.ocsp_url}}" } headers: "Authorization": "{{.get_login_token.json.result.token}}" 
@@ -185,10 +185,10 @@ testcases: body: >- { "profile_id": "{{.create_pf_http_cert_template.profile_id}}", - "cn": "{{.wired_dot1x_eap_tls_manual.certs.http.cn}}", - "mail": "{{.wired_dot1x_eap_tls_manual.certs.http.mail}}", - "dns_names": "{{.wired_dot1x_eap_tls_manual.certs.http.dns_names}}", - "ip_addresses": "{{.wired_dot1x_eap_tls_manual.certs.http.ip_addresses}}" + "cn": "{{.wired_dot1x_eap_tls_scep.certs.http.cn}}", + "mail": "{{.wired_dot1x_eap_tls_scep.certs.http.mail}}", + "dns_names": "{{.wired_dot1x_eap_tls_scep.certs.http.dns_names}}", + "ip_addresses": "{{.wired_dot1x_eap_tls_scep.certs.http.ip_addresses}}" } headers: "Authorization": "{{.get_login_token.json.result.token}}" 
@@ -211,46 +211,46 @@ testcases:
 steps:
 - type: exec
 script: |
- curl -k --output {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_manual.certs.http.cn}}.p12 \
+ curl -k --output {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_scep.certs.http.cn}}.p12 \
 http://127.0.0.1:22225/api/v1/pki/cert/{{.create_pf_http_cert.serial_number}}/download/secret
 - name: extract_ca_certificate
 steps:
 - type: exec
 script: |
- openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_manual.certs.http.cn}}.p12 -cacerts -nokeys \
- -out {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_manual.certs.ca.cn}}.crt -passin pass:secret
+ openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_scep.certs.http.cn}}.p12 -cacerts -nokeys \
+ -out {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_scep.certs.ca.cn}}.crt -passin pass:secret
 - name: extract_http_certificate
 steps:
 - type: exec
 script: |
- openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_manual.certs.http.cn}}.p12 -clcerts -nokeys \
- -out {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_manual.certs.http.cn}}.crt -passin pass:secret
+ openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_scep.certs.http.cn}}.p12 -clcerts -nokeys \
+ -out {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_scep.certs.http.cn}}.crt -passin pass:secret
 - name: extract_http_key
 steps:
 - type: exec
 script: |
- openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_manual.certs.http.cn}}.p12 -nocerts -nodes \
- -out {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_manual.certs.http.cn}}.key -passin pass:secret
+ openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_scep.certs.http.cn}}.p12 -nocerts -nodes \
+ -out {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_scep.certs.http.cn}}.key -passin pass:secret
 - name: install_http_cert_portal
 steps:
 - type: exec
 script: |
- cat {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_manual.certs.http.cn}}.crt \
- {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_manual.certs.http.cn}}.key > /usr/local/pf/conf/ssl/server.pem
+ cat {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_scep.certs.http.cn}}.crt \
+ {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_scep.certs.http.cn}}.key > /usr/local/pf/conf/ssl/server.pem
 - name: install_http_cert_webadmin
 steps:
 - type: exec
- script: "cat {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_manual.certs.http.cn}}.crt > /usr/local/pf/conf/ssl/server.crt"
+ script: "cat {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_scep.certs.http.cn}}.crt > /usr/local/pf/conf/ssl/server.crt"
 - name: install_http_key_webadmin
 steps:
 - type: exec
- script: "cat {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_manual.certs.http.cn}}.key > /usr/local/pf/conf/ssl/server.key"
+ script: "cat {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_scep.certs.http.cn}}.key > /usr/local/pf/conf/ssl/server.key"
 ### User certificate part
@@ -263,22 +263,22 @@ testcases:
 body: >-
 {
 "ca_id": "{{.create_root_ca.ca_id}}",
- "name": "{{.wired_dot1x_eap_tls_manual.templates.user.name}}",
- "validity": "{{.wired_dot1x_eap_tls_manual.certs.validity}}",
- "key_type": "{{.wired_dot1x_eap_tls_manual.certs.key_type}}",
- "digest": "{{.wired_dot1x_eap_tls_manual.certs.digest}}",
+ "name": "{{.wired_dot1x_eap_tls_scep.templates.user.name}}",
+ "validity": "{{.wired_dot1x_eap_tls_scep.certs.validity}}",
+ "key_type": "{{.wired_dot1x_eap_tls_scep.certs.key_type}}",
+ "digest": "{{.wired_dot1x_eap_tls_scep.certs.digest}}",
 "key_usage": "",
 "extended_key_usage": "2",
- "key_size": "{{.wired_dot1x_eap_tls_manual.certs.key_size}}",
- "organisational_unit": "{{.wired_dot1x_eap_tls_manual.certs.organisational_unit}}",
- "organisation": "{{.wired_dot1x_eap_tls_manual.certs.organisation}}",
- "country": "{{.wired_dot1x_eap_tls_manual.certs.country}}",
- "state": "{{.wired_dot1x_eap_tls_manual.certs.state}}",
- "locality": "{{.wired_dot1x_eap_tls_manual.certs.locality}}",
- "ocsp_url": "{{.wired_dot1x_eap_tls_manual.certs.ocsp_url}}",
- "scep_enabled": "{{.wired_dot1x_eap_tls_manual.certs.user.scep_enabled}}",
- "scep_challenge_password": "{{.wired_dot1x_eap_tls_manual.certs.user.scep_challenge_password}}",
- "scep_days_before_renewal": "{{.wired_dot1x_eap_tls_manual.certs.user.scep_days_before_renewal}}"
+ "key_size": "{{.wired_dot1x_eap_tls_scep.certs.key_size}}",
+ "organisational_unit": "{{.wired_dot1x_eap_tls_scep.certs.organisational_unit}}",
+ "organisation": "{{.wired_dot1x_eap_tls_scep.certs.organisation}}",
+ "country": "{{.wired_dot1x_eap_tls_scep.certs.country}}",
+ "state": "{{.wired_dot1x_eap_tls_scep.certs.state}}",
+ "locality": "{{.wired_dot1x_eap_tls_scep.certs.locality}}",
+ "ocsp_url": "{{.wired_dot1x_eap_tls_scep.certs.ocsp_url}}",
+ "scep_enabled": "{{.wired_dot1x_eap_tls_scep.certs.user.scep_enabled}}",
+ "scep_challenge_password": "{{.wired_dot1x_eap_tls_scep.certs.user.scep_challenge_password}}",
+ "scep_days_before_renewal": "{{.wired_dot1x_eap_tls_scep.certs.user.scep_days_before_renewal}}"
 }
 headers:
 "Authorization": "{{.get_login_token.json.result.token}}"
@@ -298,8 +298,8 @@ testcases:
 body: >-
 {
 "profile_id": "{{.create_user_cert_template.profile_id}}",
- "cn": "{{.wired_dot1x_eap_tls_manual.certs.user.cn}}",
- "mail": "{{.wired_dot1x_eap_tls_manual.certs.user.mail}}"
+ "cn": "{{.wired_dot1x_eap_tls_scep.certs.user.cn}}",
+ "mail": "{{.wired_dot1x_eap_tls_scep.certs.user.mail}}"
 }
 headers:
 "Authorization": "{{.get_login_token.json.result.token}}"
@@ -310,38 +310,35 @@ testcases:
 serial_number:
 from: result.bodyjson.items.items0.id
-- name: create_temp_directory
+- name: create_client_directory
 steps:
 - type: exec
- script: "mktemp -d"
- vars:
- temp_dir:
- from: result.systemout
+ script: "mkdir -p {{.wired_dot1x_eap_tls_scep.paths.per_client_directory}}"
 - name: download_user_p12_file
 steps:
 - type: exec
 script: |
- curl -k --output {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_manual.certs.user.cn}}.p12 \
+ curl -k --output {{.wired_dot1x_eap_tls_scep.paths.per_client_directory}}.p12 \
 http://127.0.0.1:22225/api/v1/pki/cert/{{.create_user_cert.serial_number}}/download/secret
 - name: extract_ca_certificate
 steps:
 - type: exec
 script: |
- openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_manual.certs.user.cn}}.p12 -cacerts -nokeys \
- -out {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_manual.certs.ca.cn}}.crt -passin pass:secret
+ openssl pkcs12 -in {{.wired_dot1x_eap_tls_scep.paths.per_client_directory}}.p12 -cacerts -nokeys \
+ -out {{.wired_dot1x_eap_tls_scep.paths.per_client_directory}}/ca.pem -passin pass:secret
 - name: extract_user_certificate
 steps:
 - type: exec
 script: |
- openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_manual.certs.user.cn}}.p12 -clcerts -nokeys \
- -out {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_manual.certs.user.cn}}.crt -passin pass:secret
+ openssl pkcs12 -in {{.wired_dot1x_eap_tls_scep.paths.per_client_directory}}.p12 -clcerts -nokeys \
+ -out {{.wired_dot1x_eap_tls_scep.paths.per_client_directory}}/client.pem -passin pass:secret
 - name: extract_user_key
 steps:
 - type: exec
 script: |
- openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_manual.certs.user.cn}}.p12 -nocerts -nodes \
- -out {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_manual.certs.user.cn}}.key -passin pass:secret
+ openssl pkcs12 -in {{.wired_dot1x_eap_tls_scep.paths.per_client_directory}}.p12 -nocerts -nodes \
+ -out {{.wired_dot1x_eap_tls_scep.paths.per_client_directory}}/client.key -passin pass:secret
diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_scep/10_enable_ocsp.yml b/t/venom/test_suites/wired_dot1x_eap_tls_scep/10_enable_ocsp.yml
index 7cab8860dcda..1840d314a107 100644
--- a/t/venom/test_suites/wired_dot1x_eap_tls_scep/10_enable_ocsp.yml
+++ b/t/venom/test_suites/wired_dot1x_eap_tls_scep/10_enable_ocsp.yml
@@ -12,13 +12,13 @@ testcases:
 ignore_verify_ssl: true
 body: >-
 {
- "id": "{{.wired_dot1x_eap_tls_manual.ocsp.id}}",
- "ocsp_enable": "{{.wired_dot1x_eap_tls_manual.ocsp.enable}}",
- "ocsp_url": "{{.wired_dot1x_eap_tls_manual.ocsp.url}}",
- "ocsp_override_cert_url": "{{.wired_dot1x_eap_tls_manual.ocsp.override_cert_url}}",
- "ocsp_softfail": "{{.wired_dot1x_eap_tls_manual.ocsp.softfail}}",
- "ocsp_timeout": "{{.wired_dot1x_eap_tls_manual.ocsp.timeout}}",
- "ocsp_use_nonce": "{{.wired_dot1x_eap_tls_manual.ocsp.use_nonce}}"
+ "id": "{{.wired_dot1x_eap_tls_scep.ocsp.id}}",
+ "ocsp_enable": "{{.wired_dot1x_eap_tls_scep.ocsp.enable}}",
+ "ocsp_url": "{{.wired_dot1x_eap_tls_scep.ocsp.url}}",
+ "ocsp_override_cert_url": "{{.wired_dot1x_eap_tls_scep.ocsp.override_cert_url}}",
+ "ocsp_softfail": "{{.wired_dot1x_eap_tls_scep.ocsp.softfail}}",
+ "ocsp_timeout": "{{.wired_dot1x_eap_tls_scep.ocsp.timeout}}",
+ "ocsp_use_nonce": "{{.wired_dot1x_eap_tls_scep.ocsp.use_nonce}}"
 }
 headers:
 "Authorization": "{{.get_login_token.json.result.token}}"
@@ -35,7 +35,7 @@ testcases:
 body: >-
 {
 "id": "tls-common",
- "ocsp": "{{.wired_dot1x_eap_tls_manual.ocsp.id}}"
+ "ocsp": "{{.wired_dot1x_eap_tls_scep.ocsp.id}}"
 }
 headers:
 "Authorization": "{{.get_login_token.json.result.token}}"
diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_scep/45_create_eaptls_source.yml b/t/venom/test_suites/wired_dot1x_eap_tls_scep/45_create_eaptls_source.yml
index 7fb00c3fc52c..e6a22859a07f 100644
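Review bot: In the rewritten `download_user_p12_file` step and the three `openssl pkcs12 -in` steps that follow, `{{.wired_dot1x_eap_tls_scep.paths.per_client_directory}}.p12` appends the suffix to the directory path itself, so the PKCS#12 bundle is written beside the directory created by `create_client_directory` rather than inside it, while `ca.pem`, `client.pem` and `client.key` go into the directory. No step on this page removes that stray `<per_client_directory>.p12`, and since it carries the user's private key (the same key is also extracted unencrypted via `-nodes` in `extract_user_key`), it should live with the rest of the client material: `curl -k --output {{.wired_dot1x_eap_tls_scep.paths.per_client_directory}}/client.p12 \` and the matching `-in {{.wired_dot1x_eap_tls_scep.paths.per_client_directory}}/client.p12` in the three extract steps. Replacing `mktemp -d` with a fixed `mkdir -p` path also means a previous run's files survive into the next one, so the teardown (outside this hunk) should delete the directory.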
--- a/t/venom/test_suites/wired_dot1x_eap_tls_scep/45_create_eaptls_source.yml
+++ b/t/venom/test_suites/wired_dot1x_eap_tls_scep/45_create_eaptls_source.yml
@@ -21,24 +21,24 @@ testcases:
 "actions": [
 {
 "type": "set_role",
- "value": "{{.wired_dot1x_eap_tls_manual.roles.dot1x_eap_tls.id}}"
+ "value": "{{.wired_dot1x_eap_tls_scep.roles.dot1x_eap_tls.id}}"
 },
 {
 "type": "set_access_duration",
- "value": "{{.wired_dot1x_eap_tls_manual.sources.eaptls.access_duration}}"
+ "value": "{{.wired_dot1x_eap_tls_scep.sources.eaptls.access_duration}}"
 }
 ],
 "conditions": [
 {
 "attribute": "radius_request.TLS-Client-Cert-Issuer",
 "operator": "equals",
- "value": "{{.wired_dot1x_eap_tls_manual.certs.ca.issuer}}"
+ "value": "{{.wired_dot1x_eap_tls_scep.certs.ca.issuer}}"
 }
 ]
 }
 ],
- "description": "{{.wired_dot1x_eap_tls_manual.sources.eaptls.description}}",
- "id": "{{.wired_dot1x_eap_tls_manual.sources.eaptls.name}}",
+ "description": "{{.wired_dot1x_eap_tls_scep.sources.eaptls.description}}",
+ "id": "{{.wired_dot1x_eap_tls_scep.sources.eaptls.name}}",
 "realms": "",
 "set_access_durations_action": null,
 "type": "EAPTLS"
diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_scep/50_create_connection_profile.yml b/t/venom/test_suites/wired_dot1x_eap_tls_scep/50_create_connection_profile.yml
index 39899b69a625..a26cc9ef81ef 100644
--- a/t/venom/test_suites/wired_dot1x_eap_tls_scep/50_create_connection_profile.yml
+++ b/t/venom/test_suites/wired_dot1x_eap_tls_scep/50_create_connection_profile.yml
@@ -22,22 +22,22 @@ testcases:
 "unit": "m"
 },
 "default_psk_key": null,
- "description": "{{.wired_dot1x_eap_tls_manual.profiles.wired.description}}",
+ "description": "{{.wired_dot1x_eap_tls_scep.profiles.wired.description}}",
 "dot1x_recompute_role_from_portal": "enabled",
 "dot1x_unset_on_unmatch": "disabled",
 "dpsk": "disabled",
 "filter": [
 {
 "type": "connection_type",
- "match": "{{.wired_dot1x_eap_tls_manual.profiles.wired.filters.connection_type}}"
+ "match": "{{.wired_dot1x_eap_tls_scep.profiles.wired.filters.connection_type}}"
 },
 {
 "type": "connection_sub_type",
- "match": "{{.wired_dot1x_eap_tls_manual.profiles.wired.filters.connection_sub_type}}"
+ "match": "{{.wired_dot1x_eap_tls_scep.profiles.wired.filters.connection_sub_type}}"
 }
 ],
- "filter_match_style": "any",
- "id": "{{.wired_dot1x_eap_tls_manual.profiles.wired.id}}",
+ "filter_match_style": "all",
+ "id": "{{.wired_dot1x_eap_tls_scep.profiles.wired.id}}",
 "locale": null,
 "login_attempt_limit": 0,
 "logo": null,
@@ -54,10 +54,10 @@ testcases:
 "sms_pin_retry_limit": 0,
 "sms_request_limit": 0,
 "sources": [
- "{{.wired_dot1x_eap_tls_manual.sources.eaptls.name}}"
+ "{{.wired_dot1x_eap_tls_scep.sources.eaptls.name}}"
 ],
 "status": "enabled",
- "unreg_on_acct_stop": "{{.wired_dot1x_eap_tls_manual.profiles.wired.unreg_on_acct_stop}}",
+ "unreg_on_acct_stop": "{{.wired_dot1x_eap_tls_scep.profiles.wired.unreg_on_acct_stop}}",
 "vlan_pool_technique": "username_hash"
 }
 headers:
diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_scep/60_enable_dot1x_dot1x_int.yml b/t/venom/test_suites/wired_dot1x_eap_tls_scep/60_enable_dot1x_dot1x_int.yml
new file mode 120000
index 000000000000..c96f44af6cba
--- /dev/null
+++ b/t/venom/test_suites/wired_dot1x_eap_tls_scep/60_enable_dot1x_dot1x_int.yml
@@ -0,0 +1 @@
+../../switches/common/enable_dot1x_dot1x_int.yml
\ No newline at end of file
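Review bot: `"filter_match_style": "all"` in the first hunk is a behavioural change buried in an otherwise mechanical `_manual` to `_scep` rename: with `any` either the `connection_type` or the `connection_sub_type` filter selected this profile, with `all` both must match, so the profile (and the EAPTLS source it carries) now applies to a narrower set of sessions. Since the suite only asserts on `result.bodyjson.item.profile` several steps later, a mismatch here surfaces as a failed assertion far downstream and is hard to trace back to a filter setting. A YAML comment above the `body: >-` block, e.g. `# both connection_type and connection_sub_type must match so this profile is not selected for other wired connections`, would record the intent for the next reader.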
diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_scep/65_enable_dynamic_vlan.yml b/t/venom/test_suites/wired_dot1x_eap_tls_scep/65_enable_dynamic_vlan.yml
new file mode 120000
index 000000000000..319d06587edc
--- /dev/null
+++ b/t/venom/test_suites/wired_dot1x_eap_tls_scep/65_enable_dynamic_vlan.yml
@@ -0,0 +1 @@
+../../switches/common/enable_dynamic_vlan.yml
\ No newline at end of file
diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_scep/70_commit_config.yml b/t/venom/test_suites/wired_dot1x_eap_tls_scep/70_commit_config.yml
new file mode 120000
index 000000000000..c50e5362c2ec
--- /dev/null
+++ b/t/venom/test_suites/wired_dot1x_eap_tls_scep/70_commit_config.yml
@@ -0,0 +1 @@
+../../switches/common/commit_config.yml
\ No newline at end of file
diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_scep/75_deploy_certificates_on_node01.yml b/t/venom/test_suites/wired_dot1x_eap_tls_scep/75_deploy_certificates_on_node01.yml
new file mode 100644
index 000000000000..991095dbb02a
--- /dev/null
+++ b/t/venom/test_suites/wired_dot1x_eap_tls_scep/75_deploy_certificates_on_node01.yml
@@ -0,0 +1,16 @@
+name: Deploy certificates on node01
+testcases:
+ - name: deploy_certificates
+ steps:
+ - type: exec
+ script: |
+ /usr/bin/rsync -avz -e "ssh -o StrictHostKeyChecking=no" {{.wired_dot1x_eap_tls_scep.paths.per_client_directory}} \
+ {{.ssh_user}}@{{.node01_mgmt_ip}}:/home/vagrant/
+
+ - name: move_certificates
+ steps:
+ - type: ssh
+ host: '{{.node01_mgmt_ip}}'
+ user: '{{.ssh_user}}'
+ command: |
+ sudo cp -v /home/vagrant/{{.wired_dot1x_eap_tls_scep.certs.user.cn}}/* /etc/wpa_supplicant/eap_tls/
diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_scep/80_run_wpasupplicant.yml b/t/venom/test_suites/wired_dot1x_eap_tls_scep/80_run_wpasupplicant.yml
new file mode 100644
index 000000000000..7fa9e188f1a9
--- /dev/null
+++ b/t/venom/test_suites/wired_dot1x_eap_tls_scep/80_run_wpasupplicant.yml
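Review bot: In `move_certificates`, `sudo cp -v /home/vagrant/{{.wired_dot1x_eap_tls_scep.certs.user.cn}}/* /etc/wpa_supplicant/eap_tls/` installs `client.key` (exported unencrypted with `-nodes` in the `extract_user_key` step earlier in this patch) with whatever mode rsync carried over from the PacketFence host, and it silently assumes that the basename of `paths.per_client_directory` equals `certs.user.cn`, a coupling only visible when the two variables are read side by side. `sudo install -m 0600 /home/vagrant/{{.wired_dot1x_eap_tls_scep.certs.user.cn}}/* /etc/wpa_supplicant/eap_tls/` would pin the key's permissions regardless of the source mode, and a comment naming the basename assumption would protect whoever renames one of the two variables. `ssh -o StrictHostKeyChecking=no` in `deploy_certificates` is tolerable for a throwaway lab node, but `StrictHostKeyChecking=accept-new` keeps the first-contact convenience while still detecting a changed host key on later runs. PATCH 11/14 further down this page deletes this file in favour of `75_run_sscep_on_node01.yml`, so these points mainly matter if the same copy step is reused there.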
@@ -0,0 +1,10 @@
+name: Run wpasupplicant on node01
+testcases:
+ - name: run_wpasupplicant
+ steps:
+ - type: ssh
+ host: '{{.node01_mgmt_ip}}'
+ user: '{{.ssh_user}}'
+ command: |
+ cd /usr/local/pf/t/venom ; \
+ sudo /usr/local/pf/t/venom/venom-wrapper.sh {{.nodes_test_suite_dir}}/wired_dot1x_eap_tls/{{.venom.testcase}}.yml
diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_scep/90_sleep_some_time.yml b/t/venom/test_suites/wired_dot1x_eap_tls_scep/90_sleep_some_time.yml
new file mode 100644
index 000000000000..d85895d1579d
--- /dev/null
+++ b/t/venom/test_suites/wired_dot1x_eap_tls_scep/90_sleep_some_time.yml
@@ -0,0 +1,6 @@
+name: Sleep some time
+testcases:
+- name: sleep_some_time
+ steps:
+ - type: exec
+ script: sleep 20
diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_scep/91_check_radius_audit_log.yml b/t/venom/test_suites/wired_dot1x_eap_tls_scep/91_check_radius_audit_log.yml
new file mode 100644
index 000000000000..742b0da1e4e8
--- /dev/null
+++ b/t/venom/test_suites/wired_dot1x_eap_tls_scep/91_check_radius_audit_log.yml
@@ -0,0 +1,103 @@
+name: Check RADIUS audit log
+testcases:
+- name: get_login_token
+ steps:
+ - type: get_login_token
+
+- name: get_time
+ steps:
+ - type: exec
+ script: "date '+%Y-%m-%d %H:%M:%S' --date='2 minutes ago'"
+ vars:
+ two_minutes_ago:
+ from: result.systemout
+
+# only latest search entry since two minutes that matches
+# auth_status equals Accept (to avoid Disconnect)
+# mac equals {{.node01_ens7_mac_address}}"
+# connection type of test suite connection profile
+- name: get_id_of_radius_audit_log_entry
+ steps:
+ - type: http
+ method: POST
+ url: '{{.pfserver_webadmin_url}}/api/v1/radius_audit_logs/search'
+ ignore_verify_ssl: true
+ body: >-
+ {
+ "cursor": 0,
+ "fields": [
+ "id"
+ ],
+ "sort": [
+ "created_at DESC"
+ ],
+ "limit": 1,
+ "query": {
+ "op": "and",
+ "values": [
+ {
+ "op": "or",
+ "values": [
+ {
+ "field": "mac",
+ "op": "equals",
+ "value": "{{.node01_ens7_mac_address}}"
+ }
+ ]
+ },
+ {
+ "op": "or",
+ "values": [
+ {
+ "field": "auth_status",
+ "op": "equals",
+ "value": "Accept"
+ }
+ ]
+ },
+ {
+ "op": "or",
+ "values": [
+ {
+ "field": "connection_type",
+ "op": "equals",
+ "value": "{{.wired_dot1x_eap_tls_scep.profiles.wired.filters.connection_type}}"
+ }
+ ]
+ },
+ {
+ "op": "or",
+ "values": [
+ {
+ "field": "created_at",
+ "op": "greater_than",
+ "value": "{{.get_time.two_minutes_ago}}"
+ }
+ ]
+ }
+ ]
+ }
+ }
+ headers:
+ "Authorization": "{{.get_login_token.json.result.token}}"
+ "Content-Type": "application/json"
+ assertions:
+ - result.statuscode ShouldEqual 200
+ - result.bodyjson.items.items0 ShouldContainKey id
+ vars:
+ id:
+ from: result.bodyjson.items.items0.id
+
+- name: check_radius_reply
+ steps:
+ - type: http
+ method: GET
+ url: '{{.pfserver_webadmin_url}}/api/v1/radius_audit_log/{{.get_id_of_radius_audit_log_entry.id}}'
+ ignore_verify_ssl: true
+ headers:
+ "Authorization": "{{.get_login_token.json.result.token}}"
+ "Content-Type": "application/json"
+ assertions:
+ - result.statuscode ShouldEqual 200
+ - result.bodyjson.item.radius_reply ShouldContainSubstring 'Tunnel-Private-Group-Id = "{{.wired_dot1x_eap_tls_scep.roles.dot1x_eap_tls.vlan_id}}"'
+ - result.bodyjson.item.profile ShouldEqual "{{.wired_dot1x_eap_tls_scep.profiles.wired.id}}"
diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_scep/95_check_autoregister_node.yml b/t/venom/test_suites/wired_dot1x_eap_tls_scep/95_check_autoregister_node.yml
new file mode 100644
index 000000000000..94c271d80f88
--- /dev/null
+++ b/t/venom/test_suites/wired_dot1x_eap_tls_scep/95_check_autoregister_node.yml
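Review bot: The comment block above `get_id_of_radius_audit_log_entry` has a stray quote at the end of `# mac equals {{.node01_ens7_mac_address}}"` and reads awkwardly; suggested wording: `# keep only the most recent audit-log entry from the last two minutes that matches`, `# auth_status == Accept (so a later Disconnect is not picked up), the MAC of node01`, `# and the connection type of this suite's connection profile`. The two-minute window also relies on `date --date='2 minutes ago'` and `created_at` coming from the same clock, which holds here only because the `get_time` step is an `exec` on the PacketFence host; a one-line comment saying so would stop someone from turning it into an `ssh` step on node01. If the audit-log item exposes the authentication source or EAP type (I cannot confirm the field names from this page), asserting on it in `check_radius_reply` would pin that the Accept actually came through the EAPTLS source rather than only that the expected VLAN was returned.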
@@ -0,0 +1,46 @@
+name: Check autoregister node
+testcases:
+- name: get_login_token
+ steps:
+ - type: get_login_token
+
+- name: check_autoregister_node
+ steps:
+ - type: http
+ method: GET
+ url: '{{.pfserver_webadmin_url}}/api/v1/node/{{.node01_ens7_mac_address_url_encoded}}'
+ ignore_verify_ssl: true
+ headers:
+ "Authorization": "{{.get_login_token.json.result.token}}"
+ "Content-Type": "application/json"
+ assertions:
+ - result.statuscode ShouldEqual 200
+ - result.bodyjson.item.autoreg ShouldEqual yes
+ - result.bodyjson.item.category ShouldEqual "{{.wired_dot1x_eap_tls_scep.roles.dot1x_eap_tls.id}}"
+ - result.bodyjson.item.pid ShouldEqual "{{.wired_dot1x_eap_tls_scep.certs.user.cn}}"
+ - result.bodyjson.item.status ShouldEqual reg
+ vars:
+ regdate:
+ from: result.bodyjson.item.regdate
+ unregdate:
+ from: result.bodyjson.item.unregdate
+
+# temp, need a feature in Venom assertion available in 1.0.0 (ShouldHappenBetween)
+# convert 5m to 5minutes
+# In order to calculate unregdate based on regdate + 5minutes using date command (next testcase)
+# - name: convert_access_duration
+# steps:
+# - type: exec
+# script: |
+# perl -I/usr/local/pf/lib -I/usr/local/pf/lib_perl/lib/perl5 -Mpf::config::util \
+# -e 'my @times = get_translatable_time("{{.wired_dot1x_eap_tls_scep.sources.eaptls.access_duration}}"); print("$times[2]$times[1]");'
+# vars:
+# translatable_time:
+# from: result.systemout
+
+# - name: check_unregdate_match_access_duration
+# steps:
+# - type: exec
+# script: "date '+%Y-%m-%d %H:%M:%S' --date='{{.check_autoregister_node.regdate}} {{.convert_access_duration.translatable_time}}'"
+# assertions:
+# - result.systemout ShouldEqual "{{.check_autoregister_node.unregdate}}"
diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_scep/98_check_dot1x_int_status.yml b/t/venom/test_suites/wired_dot1x_eap_tls_scep/98_check_dot1x_int_status.yml
new file mode 100644
index 000000000000..d320e21289bc
--- /dev/null
+++ b/t/venom/test_suites/wired_dot1x_eap_tls_scep/98_check_dot1x_int_status.yml
@@ -0,0 +1,22 @@
+name: Check dot1x interface status on switch01
+testcases:
+- name: check_dot1x_int_status_on_switch01
+ steps:
+ - type: http
+ method: POST
+ basic_auth_user: "{{.switch01.api.user}}"
+ basic_auth_password: "{{.switch01.api.password}}"
+ url: '{{.switch01.api.url}}/nclu/v1/rpc'
+ ignore_verify_ssl: true
+ body: >-
+ {
+ "cmd": "show dot1x interface {{.switch01.dot1x_interface.id}} json"
+ }
+ headers:
+ "Content-Type": "application/json"
+ assertions:
+ # we didn't check MAC address on port to make this testcase reusable
+ - result.body ShouldContainSubstring "{{.wired_dot1x_eap_tls_scep.roles.dot1x_eap_tls.vlan_id}}"
+ - result.body ShouldContainSubstring TLS
+ - result.body ShouldContainSubstring AUTHORIZED
+ - result.statuscode ShouldEqual 200
diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_scep/99_check_internet_access.yml b/t/venom/test_suites/wired_dot1x_eap_tls_scep/99_check_internet_access.yml
new file mode 120000
index 000000000000..f77d3de5caae
--- /dev/null
+++ b/t/venom/test_suites/wired_dot1x_eap_tls_scep/99_check_internet_access.yml
@@ -0,0 +1 @@
+../common/check_internet_access.yml
\ No newline at end of file
diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_scep/TESTSUITE.md b/t/venom/test_suites/wired_dot1x_eap_tls_scep/TESTSUITE.md
index 17a0b7000b70..6e0fb884b733 100644
--- a/t/venom/test_suites/wired_dot1x_eap_tls_scep/TESTSUITE.md
+++ b/t/venom/test_suites/wired_dot1x_eap_tls_scep/TESTSUITE.md
@@ -1,4 +1,4 @@
-# wired_dot1x_eap_tls
+# wired_dot1x_eap_tls_manual
 ## Requirements
 N/A
@@ -25,8 +25,6 @@ N/A
 1. Create connection profile with auto-registration, unreg_on_accounting_stop, EAPTLS source and specific filter
 1. Perform Checkup (common test suite)
-
-TODO:
 1. Configure 802.1X only and dynamic VLAN on dot1x interface on switch01
 1. Install Root CA on node01
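Review bot: `result.body ShouldContainSubstring "{{.wired_dot1x_eap_tls_scep.roles.dot1x_eap_tls.vlan_id}}"` in `check_dot1x_int_status_on_switch01` matches the VLAN id anywhere in the raw NCLU response, so a short numeric id (say `10`) is also satisfied by an interface number, a counter or a different VLAN such as `100`, and a wrong dynamic-VLAN assignment can still pass; the `TLS` and `AUTHORIZED` substrings have the same weakness to a lesser degree. Since the command already asks for `json`, the response should be parseable and the assertion could target the specific field through `result.bodyjson` as the other testcases on this page do — I cannot tell the NCLU key names from this page, so that needs one real response to confirm. The comment `# we didn't check MAC address on port to make this testcase reusable` would read better as `# the MAC address on the port is deliberately not checked so this testcase stays reusable across suites`.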
@@ -40,6 +38,8 @@ TODO: 1. Check node status for node01 (common) 1. Check VLAN assigned to node01 *on* switch01 (common) 1. Check Internet access *on* node01 (common) + +TODO: 1. Revoke certificate 1. Kill wpasupplicant (common test suite) 1. Rerun wpasupplicant to have a reject authentication due to revoke certificate @@ -49,13 +49,26 @@ TODO: 1. Check Internet access *on* node01 (common) = down ## Teardown steps -TBD but identical to dot1x_eap_peap scenario (based on unreg_on_accounting_stop) - -Revoke certificates to avoid issues when you try to create a certificate that -already exists +1. Kill wpa_supplicant: an accounting stop will be generated if we wait + EAP-TIMEOUT on the switch (not the case here due to next task). Access is + still working until we run next task. +1. Unconfigure switch port and dynamic VLAN on switch01 + 1. Generate a RADIUS Accounting stop message (sent by switch01) which update + `last_seen` attribute of node01 and unreg device based on + `unreg_on_accounting_stop` + 1. Don't send a RADIUS Disconnect message +1. Check online status of node01: should be offline due to accounting stop +1. Check node status for node01 +1. Wait `delete_windows` + 10 seconds before running `node_cleanup` task +1. Delete node by running `pfcron's node_cleanup` task +1. Check node has been deleted +1. Disable `node_cleanup` task +1. Restart `pfcron` to take change into account +1. Delete connection profile, EAPTLS source, OCSP profile and configuration +1. Restart RADIUS services (common test suite) -Name of CA, templates and certificates should be uniq. Not possible to revoke -or remove CA or template. +## Additional notes -Currently, we replace built-in certificates by PKI certificates. The teardown -doesn't put back built-in certificates. +Reauthentication is done by switch based on `eap_reauth_period` setting to +avoid node been unregistered when it reach unregdate and automatically deleted +by `pfcron` without running teardown steps. 
diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_scep/teardown/00_kill_wpasupplicant.yml b/t/venom/test_suites/wired_dot1x_eap_tls_scep/teardown/00_kill_wpasupplicant.yml
new file mode 120000
index 000000000000..dab406f34cf5
--- /dev/null
+++ b/t/venom/test_suites/wired_dot1x_eap_tls_scep/teardown/00_kill_wpasupplicant.yml
@@ -0,0 +1 @@
+../../common/kill_wpasupplicant.yml
\ No newline at end of file
diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_scep/teardown/05_disable_dot1x_dot1x_int.yml b/t/venom/test_suites/wired_dot1x_eap_tls_scep/teardown/05_disable_dot1x_dot1x_int.yml
new file mode 120000
index 000000000000..f5c4d00658ec
--- /dev/null
+++ b/t/venom/test_suites/wired_dot1x_eap_tls_scep/teardown/05_disable_dot1x_dot1x_int.yml
@@ -0,0 +1 @@
+../../../switches/common/disable_dot1x_dot1x_int.yml
\ No newline at end of file
diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_scep/teardown/07_disable_dynamic_vlan.yml b/t/venom/test_suites/wired_dot1x_eap_tls_scep/teardown/07_disable_dynamic_vlan.yml
new file mode 120000
index 000000000000..f1ced8cf3bd9
--- /dev/null
+++ b/t/venom/test_suites/wired_dot1x_eap_tls_scep/teardown/07_disable_dynamic_vlan.yml
@@ -0,0 +1 @@
+../../../switches/common/disable_dynamic_vlan.yml
\ No newline at end of file
diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_scep/teardown/10_commit_config.yml b/t/venom/test_suites/wired_dot1x_eap_tls_scep/teardown/10_commit_config.yml
new file mode 120000
index 000000000000..16a870fe5e74
--- /dev/null
+++ b/t/venom/test_suites/wired_dot1x_eap_tls_scep/teardown/10_commit_config.yml
@@ -0,0 +1 @@
+../../../switches/common/commit_config.yml
\ No newline at end of file
diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_scep/teardown/12_check_offline_status_node01.yml b/t/venom/test_suites/wired_dot1x_eap_tls_scep/teardown/12_check_offline_status_node01.yml
new file mode 120000
index 000000000000..bf9fac803482
--- /dev/null
+++ b/t/venom/test_suites/wired_dot1x_eap_tls_scep/teardown/12_check_offline_status_node01.yml
@@ -0,0 +1 @@
+../../common/check_offline_status_node01.yml
\ No newline at end of file
diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_scep/teardown/15_check_unregistered_node.yml b/t/venom/test_suites/wired_dot1x_eap_tls_scep/teardown/15_check_unregistered_node.yml
new file mode 100644
index 000000000000..a805a6621edf
--- /dev/null
+++ b/t/venom/test_suites/wired_dot1x_eap_tls_scep/teardown/15_check_unregistered_node.yml
@@ -0,0 +1,22 @@
+name: Check unregistered node
+testcases:
+- name: get_login_token
+ steps:
+ - type: get_login_token
+
+- name: check_unregistered_node
+ steps:
+ - type: http
+ method: GET
+ url: '{{.pfserver_webadmin_url}}/api/v1/node/{{.node01_ens7_mac_address_url_encoded}}'
+ ignore_verify_ssl: true
+ headers:
+ "Authorization": "{{.get_login_token.json.result.token}}"
+ "Content-Type": "application/json"
+ assertions:
+ - result.statuscode ShouldEqual 200
+ - result.bodyjson.item.autoreg ShouldEqual no
+ - result.bodyjson.item.status ShouldEqual unreg
+ - result.bodyjson.item.regdate ShouldEqual "0000-00-00 00:00:00"
+ - result.bodyjson.item.unregdate ShouldEqual "0000-00-00 00:00:00"
+
diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_scep/teardown/17_sleep_delete_windows.yml b/t/venom/test_suites/wired_dot1x_eap_tls_scep/teardown/17_sleep_delete_windows.yml
new file mode 120000
index 000000000000..28340473f7fc
--- /dev/null
+++ b/t/venom/test_suites/wired_dot1x_eap_tls_scep/teardown/17_sleep_delete_windows.yml
@@ -0,0 +1 @@
+../../common/sleep_delete_windows.yml
\ No newline at end of file
diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_scep/teardown/20_delete_node01_with_pfcron_node_cleanup.yml b/t/venom/test_suites/wired_dot1x_eap_tls_scep/teardown/20_delete_node01_with_pfcron_node_cleanup.yml
new file mode 100644
index 000000000000..915e56964beb
--- /dev/null
+++ b/t/venom/test_suites/wired_dot1x_eap_tls_scep/teardown/20_delete_node01_with_pfcron_node_cleanup.yml
@@ -0,0 +1,5 @@
+name: Delete node01 by running pfcron node_cleanup task
+testcases:
+- name: delete_node01_with_pfcron_node_cleanup
+ steps:
+ - script: /usr/local/pf/bin/pfcmd pfcron node_cleanup
diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_scep/teardown/25_check_node01_deleted.yml b/t/venom/test_suites/wired_dot1x_eap_tls_scep/teardown/25_check_node01_deleted.yml
new file mode 120000
index 000000000000..035ce72733b2
--- /dev/null
+++ b/t/venom/test_suites/wired_dot1x_eap_tls_scep/teardown/25_check_node01_deleted.yml
@@ -0,0 +1 @@
+../../common/check_node01_deleted.yml
\ No newline at end of file
diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_scep/teardown/30_disable_node_cleanup_task.yml b/t/venom/test_suites/wired_dot1x_eap_tls_scep/teardown/30_disable_node_cleanup_task.yml
new file mode 120000
index 000000000000..3e811dfacdb9
--- /dev/null
+++ b/t/venom/test_suites/wired_dot1x_eap_tls_scep/teardown/30_disable_node_cleanup_task.yml
@@ -0,0 +1 @@
+../../common/disable_node_cleanup_task.yml
\ No newline at end of file
diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_scep/teardown/35_restart_pfcron_service.yml b/t/venom/test_suites/wired_dot1x_eap_tls_scep/teardown/35_restart_pfcron_service.yml
new file mode 120000
index 000000000000..49543dc3fc59
--- /dev/null
+++ b/t/venom/test_suites/wired_dot1x_eap_tls_scep/teardown/35_restart_pfcron_service.yml
@@ -0,0 +1 @@
+../../common/restart_pfcron_service.yml
\ No newline at end of file
diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_scep/teardown/90_teardown.yml b/t/venom/test_suites/wired_dot1x_eap_tls_scep/teardown/90_teardown.yml
index e537554be66b..69871706cada 100644
--- a/t/venom/test_suites/wired_dot1x_eap_tls_scep/teardown/90_teardown.yml
+++ b/t/venom/test_suites/wired_dot1x_eap_tls_scep/teardown/90_teardown.yml
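Review bot: The single step in `delete_node01_with_pfcron_node_cleanup` is written as a bare `- script: /usr/local/pf/bin/pfcmd pfcron node_cleanup`, while every other exec step in this series spells out `- type: exec` before `script:`; relying on the executor default works but is inconsistent with the rest of the suite and easy to misread as a dropped line. Suggested: `- type: exec` followed by `script: /usr/local/pf/bin/pfcmd pfcron node_cleanup`. The step also has no explicit assertion, so whether a non-zero exit from `pfcmd` fails the teardown depends on the executor's default check rather than on anything stated in the file; adding `assertions:` with `- result.code ShouldEqual 0` would make that intent explicit, since the following `25_check_node01_deleted.yml` only makes sense if this command actually ran.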
@@ -8,7 +8,7 @@ testcases: steps: - type: http method: DELETE - url: '{{.pfserver_webadmin_url}}/api/v1/config/connection_profile/{{.wired_dot1x_eap_tls_manual.profiles.wired.id}}' + url: '{{.pfserver_webadmin_url}}/api/v1/config/connection_profile/{{.wired_dot1x_eap_tls_scep.profiles.wired.id}}' ignore_verify_ssl: true headers: "Authorization": "{{.get_login_token.json.result.token}}" @@ -20,7 +20,7 @@ testcases: steps: - type: http method: DELETE - url: '{{.pfserver_webadmin_url}}/api/v1/config/source/{{.wired_dot1x_eap_tls_manual.sources.eaptls.name}}' + url: '{{.pfserver_webadmin_url}}/api/v1/config/source/{{.wired_dot1x_eap_tls_scep.sources.eaptls.name}}' ignore_verify_ssl: true headers: "Authorization": "{{.get_login_token.json.result.token}}" @@ -50,7 +50,7 @@ testcases: steps: - type: http method: DELETE - url: '{{.pfserver_webadmin_url}}/api/v1/config/radiusd/ocsp_profile/{{.wired_dot1x_eap_tls_manual.ocsp.id}}' + url: '{{.pfserver_webadmin_url}}/api/v1/config/radiusd/ocsp_profile/{{.wired_dot1x_eap_tls_scep.ocsp.id}}' ignore_verify_ssl: true headers: "Authorization": "{{.get_login_token.json.result.token}}" From 98e5c8e9185cc749b32766c794262ebde67b2498 Mon Sep 17 00:00:00 2001 From: nqb Date: Thu, 21 Oct 2021 16:54:03 +0200 Subject: [PATCH 11/14] scep: get cert with sscep --- .../run_sscep_on_node01.yml | 69 +++++++++++++++++++ .../05_create_pki.yml | 54 --------------- .../75_deploy_certificates_on_node01.yml | 16 ----- .../75_run_sscep_on_node01.yml | 10 +++ 4 files changed, 79 insertions(+), 70 deletions(-) create mode 100644 t/venom/nodes/wired_dot1x_eap_tls/run_sscep_on_node01.yml delete mode 100644 t/venom/test_suites/wired_dot1x_eap_tls_scep/75_deploy_certificates_on_node01.yml create mode 100644 t/venom/test_suites/wired_dot1x_eap_tls_scep/75_run_sscep_on_node01.yml diff --git a/t/venom/nodes/wired_dot1x_eap_tls/run_sscep_on_node01.yml b/t/venom/nodes/wired_dot1x_eap_tls/run_sscep_on_node01.yml new file mode 100644 index 000000000000..3f5c0c7ed50a 
--- /dev/null
+++ b/t/venom/nodes/wired_dot1x_eap_tls/run_sscep_on_node01.yml
@@ -0,0 +1,69 @@
+name: Run SSCEP on node01
+testcases:
+- name: create_temp_directory
+ steps:
+ - type: exec
+ script: "mktemp -d"
+ info: '{{.result.systemout}}'
+ vars:
+ temp_dir:
+ from: result.systemout
+
+- name: generate_private_key_without_passphrase
+ steps:
+ - type: exec
+ script: |
+ ( _fd="{{.create_temp_directory.temp_dir}}/client.key" ; _len="2048" ; \
+ openssl genrsa -out ${_fd} ${_len} )
+
+- name: generate_csr_config
+ steps:
+ - type: exec
+ script: |
+ cat > {{.create_temp_directory.temp_dir}}/client.cnf << EOF
+ [req]
+ default_bits = 2048
+ prompt = no
+ default_md = sha256
+ distinguished_name = dn
+ attributes = req_attributes
+
+ [ req_attributes ]
+ challengePassword = secret
+
+ # only CN is kept by pfpki
+ [ dn ]
+ C=FR
+ ST=Radius
+ L=Somewhere
+ O=Example Inc.
+ CN={{.wired_dot1x_eap_tls_manual.certs.user.cn}}
+ EOF
+
+- name: generate_csr_with_challenge
+ steps:
+ - type: exec
+ script: |
+ ( _fd="{{.create_temp_directory.temp_dir}}/client.key" ; _fd_csr="{{.create_temp_directory.temp_dir}}/client.csr" ; \
+ openssl req -out ${_fd_csr} -new -key ${_fd} -config {{.create_temp_directory.temp_dir}}/client.cnf )
+
+- name: get_ca_cert_using_sscep
+ steps:
+ - type: exec
+ script: |
+ sscep getca -u http://{{.pfserver_mgmt_ip}}/scep/{{.wired_dot1x_eap_tls_scep.templates.user.name}} \
+ -c {{.create_temp_directory.temp_dir}}/ca.pem -i {{.wired_dot1x_eap_tls_scep.certs.ca.cn}} -v -d
+
+- name: get_client_cert_using_sscep
+ steps:
+ - type: exec
+ script: |
+ sscep enroll -c {{.create_temp_directory.temp_dir}}/ca.pem -k {{.create_temp_directory.temp_dir}}/client.key \
+ -r {{.create_temp_directory.temp_dir}}/client.csr \
+ -u http://{{.pfserver_mgmt_ip}}/scep/{{.wired_dot1x_eap_tls_scep.templates.user.name}} -l {{.create_temp_directory.temp_dir}}/client.pem -v -d -S sha1 -E aes
+
+- name: move_certificates
+ steps:
+ - type: exec
+ script: |
+ sudo cp -v {{.create_temp_directory.temp_dir}}/* /etc/wpa_supplicant/eap_tls/
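Review bot: `move_certificates` copies the whole temp directory with `sudo cp -v {{.create_temp_directory.temp_dir}}/* /etc/wpa_supplicant/eap_tls/`, which drags `client.cnf` (it embeds the SCEP `challengePassword`) and `client.csr` into the supplicant directory alongside the passphrase-less `client.key`, and the directory made by `mktemp -d` is never removed, so the challenge and the unencrypted key stay behind on node01 after the run. Copy only what wpa_supplicant reads, pin the key's mode rather than relying on what `openssl genrsa` and `cp` happen to produce, and drop the temp dir: `sudo cp -v {{.create_temp_directory.temp_dir}}/{ca.pem,client.pem,client.key} /etc/wpa_supplicant/eap_tls/`, `sudo chmod 600 /etc/wpa_supplicant/eap_tls/client.key`, `rm -rf {{.create_temp_directory.temp_dir}}`. Separately, `get_ca_cert_using_sscep` accepts whatever CA the plain-HTTP `/scep/` endpoint returns and `enroll` then signs with `-S sha1`; acceptable in a lab, but comparing the fetched `ca.pem` (e.g. its fingerprint) against the CA the suite created earlier would make a passing enrollment prove the right CA answered, and `-S sha256` is worth trying if pfpki accepts it. A short header comment stating that the key is generated on node01 and never leaves it would also help the next reader.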
diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_scep/05_create_pki.yml b/t/venom/test_suites/wired_dot1x_eap_tls_scep/05_create_pki.yml
index ac23402d4e8f..735adf6dc5a0 100644
--- a/t/venom/test_suites/wired_dot1x_eap_tls_scep/05_create_pki.yml
+++ b/t/venom/test_suites/wired_dot1x_eap_tls_scep/05_create_pki.yml
@@ -288,57 +288,3 @@ testcases: vars: profile_id: from: result.bodyjson.items.items0.id - -- name: create_user_cert - steps: - - type: http - method: POST - url: '{{.pfserver_webadmin_url}}/api/v1/pki/certs' - ignore_verify_ssl: true - body: >- - { - "profile_id": "{{.create_user_cert_template.profile_id}}", - "cn": "{{.wired_dot1x_eap_tls_scep.certs.user.cn}}", - "mail": "{{.wired_dot1x_eap_tls_scep.certs.user.mail}}" - } - headers: - "Authorization": "{{.get_login_token.json.result.token}}" - "Content-Type": "application/json" - assertions: - - result.statuscode ShouldEqual 200 - vars: - serial_number: - from: result.bodyjson.items.items0.id - -- name: create_client_directory - steps: - - type: exec - script: "mkdir -p {{.wired_dot1x_eap_tls_scep.paths.per_client_directory}}" - -- name: download_user_p12_file - steps: - - type: exec - script: | - curl -k --output {{.wired_dot1x_eap_tls_scep.paths.per_client_directory}}.p12 \ - http://127.0.0.1:22225/api/v1/pki/cert/{{.create_user_cert.serial_number}}/download/secret - -- name: extract_ca_certificate - steps: - - type: exec - script: | - openssl pkcs12 -in {{.wired_dot1x_eap_tls_scep.paths.per_client_directory}}.p12 -cacerts -nokeys \ - -out {{.wired_dot1x_eap_tls_scep.paths.per_client_directory}}/ca.pem -passin pass:secret - -- name: extract_user_certificate - steps: - - type: exec - script: | - openssl pkcs12 -in {{.wired_dot1x_eap_tls_scep.paths.per_client_directory}}.p12 -clcerts -nokeys \ - -out {{.wired_dot1x_eap_tls_scep.paths.per_client_directory}}/client.pem -passin pass:secret - -- name: extract_user_key - steps: - - type: exec - script: | - openssl pkcs12 -in {{.wired_dot1x_eap_tls_scep.paths.per_client_directory}}.p12 -nocerts -nodes \ - -out {{.wired_dot1x_eap_tls_scep.paths.per_client_directory}}/client.key -passin pass:secret 
diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_scep/75_deploy_certificates_on_node01.yml b/t/venom/test_suites/wired_dot1x_eap_tls_scep/75_deploy_certificates_on_node01.yml deleted file mode 100644 index 991095dbb02a..000000000000 --- a/t/venom/test_suites/wired_dot1x_eap_tls_scep/75_deploy_certificates_on_node01.yml +++ /dev/null @@ -1,16 +0,0 @@ -name: Deploy certificates on node01 -testcases: - - name: deploy_certificates - steps: - - type: exec - script: | - /usr/bin/rsync -avz -e "ssh -o StrictHostKeyChecking=no" {{.wired_dot1x_eap_tls_scep.paths.per_client_directory}} \ - {{.ssh_user}}@{{.node01_mgmt_ip}}:/home/vagrant/ - - - name: move_certificates - steps: - - type: ssh - host: '{{.node01_mgmt_ip}}' - user: '{{.ssh_user}}' - command: | - sudo cp -v /home/vagrant/{{.wired_dot1x_eap_tls_scep.certs.user.cn}}/* /etc/wpa_supplicant/eap_tls/ diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_scep/75_run_sscep_on_node01.yml b/t/venom/test_suites/wired_dot1x_eap_tls_scep/75_run_sscep_on_node01.yml new file mode 100644 index 000000000000..72da2f1957bc --- /dev/null +++ b/t/venom/test_suites/wired_dot1x_eap_tls_scep/75_run_sscep_on_node01.yml @@ -0,0 +1,10 @@ +name: Run SSCEP on node01 +testcases: + - name: run_sscep_on_node01 + steps: + - type: ssh + host: '{{.node01_mgmt_ip}}' + user: '{{.ssh_user}}' + command: | + cd /usr/local/pf/t/venom ; \ + sudo VENOM_COMMON_FLAGS='--var pfserver_mgmt_ip={{.pfserver_mgmt_ip}}' /usr/local/pf/t/venom/venom-wrapper.sh {{.nodes_test_suite_dir}}/wired_dot1x_eap_tls/{{.venom.testcase}}.yml From 02c83a9e6fc490f965121d1887a4702e5157dc0a Mon Sep 17 00:00:00 2001 From: nqb Date: Mon, 25 Oct 2021 09:01:46 +0200 Subject: [PATCH 12/14] manual and scep: update roles --- .../global_config/00_create_roles.yml | 21 ++++++++++++++++++- .../15_create_network_devices.yml | 6 +++++- t/venom/vars/all.yml | 4 ++-- 3 files changed, 27 insertions(+), 4 deletions(-) 
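Review bot: In the new `75_run_sscep_on_node01.yml`, `cd /usr/local/pf/t/venom ; \` chains with `;`, so if that directory is missing on node01 the nested venom still runs under `sudo` from the login cwd and resolves `{{.nodes_test_suite_dir}}/wired_dot1x_eap_tls/{{.venom.testcase}}.yml` relative to the wrong place; `cd /usr/local/pf/t/venom && \` turns that into a clean failure. The outer ssh step sees only the exit status of the nested run (assuming venom's default exit-code check applies here), so it is worth a comment that this step replaces the rsync-based `75_deploy_certificates_on_node01.yml` deleted in the same commit and that the client key is now generated on node01 rather than shipped over SSH.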
diff --git a/t/venom/test_suites/global_config/00_create_roles.yml b/t/venom/test_suites/global_config/00_create_roles.yml index 2d0ec36d9b41..f32e8ef3efbe 100644 --- a/t/venom/test_suites/global_config/00_create_roles.yml +++ b/t/venom/test_suites/global_config/00_create_roles.yml @@ -61,7 +61,7 @@ testcases: assertions: - result.statuscode ShouldEqual 201 -- name: create_wired_dot1x_eap_tls_manual.role +- name: create_wired_dot1x_eap_tls_manual_role steps: - type: http method: POST @@ -78,3 +78,22 @@ testcases: "Content-Type": "application/json" assertions: - result.statuscode ShouldEqual 201 + +- name: create_wired_dot1x_eap_tls_scep_role + steps: + - type: http + method: POST + url: '{{.pfserver_webadmin_url}}/api/v1/config/roles' + ignore_verify_ssl: true + body: >- + { + "id":"{{.wired_dot1x_eap_tls_scep.roles.dot1x_eap_tls.id}}", + "max_nodes_per_pid":0, + "notes":"{{.wired_dot1x_eap_tls_scep.roles.dot1x_eap_tls.notes}}" + } + headers: + "Authorization": "{{.get_login_token.json.result.token}}" + "Content-Type": "application/json" + assertions: + - result.statuscode ShouldEqual 201 + diff --git a/t/venom/test_suites/global_config/15_create_network_devices.yml b/t/venom/test_suites/global_config/15_create_network_devices.yml index 607fa3384995..f3ea71dd4dbe 100644 --- a/t/venom/test_suites/global_config/15_create_network_devices.yml +++ b/t/venom/test_suites/global_config/15_create_network_devices.yml 
@@ -109,7 +109,11 @@ testcases: "{{.wired_dot1x_eap_tls_manual.roles.dot1x_eap_tls.id}}AccessList": null, "{{.wired_dot1x_eap_tls_manual.roles.dot1x_eap_tls.id}}Role": null, "{{.wired_dot1x_eap_tls_manual.roles.dot1x_eap_tls.id}}Url": null, - "{{.wired_dot1x_eap_tls_manual.roles.dot1x_eap_tls.id}}Vlan": "{{.dot1x_eap_tls_pfpki.roles.dot1x_eap_tls.vlan_id}}", + "{{.wired_dot1x_eap_tls_manual.roles.dot1x_eap_tls.id}}Vlan": "{{.wired_dot1x_eap_tls_manual.roles.dot1x_eap_tls.vlan_id}}", + "{{.wired_dot1x_eap_tls_scep.roles.dot1x_eap_tls.id}}AccessList": null, + "{{.wired_dot1x_eap_tls_scep.roles.dot1x_eap_tls.id}}Role": null, + "{{.wired_dot1x_eap_tls_scep.roles.dot1x_eap_tls.id}}Url": null, + "{{.wired_dot1x_eap_tls_scep.roles.dot1x_eap_tls.id}}Vlan": "{{.wired_dot1x_eap_tls_scep.roles.dot1x_eap_tls.vlan_id}}", "voiceAccessList": null, "voiceRole": null, "voiceUrl": null, diff --git a/t/venom/vars/all.yml b/t/venom/vars/all.yml index c10fb9cf926f..ee17d7e04922 100644 --- a/t/venom/vars/all.yml +++ b/t/venom/vars/all.yml @@ -348,7 +348,7 @@ wired_dot1x_eap_tls_manual.ocsp.timeout: 0 wired_dot1x_eap_tls_manual.ocsp.use_nonce: yes # Roles -wired_dot1x_eap_tls_manual.roles.dot1x_eap_tls.id: dot1x_eap_tls +wired_dot1x_eap_tls_manual.roles.dot1x_eap_tls.id: dot1x_eap_tls_manual wired_dot1x_eap_tls_manual.roles.dot1x_eap_tls.notes: 802.1x role for PacketFence PKI wired_dot1x_eap_tls_manual.roles.dot1x_eap_tls.vlan_id: 100 @@ -423,7 +423,7 @@ wired_dot1x_eap_tls_scep.ocsp.timeout: 0 wired_dot1x_eap_tls_scep.ocsp.use_nonce: yes # Roles -wired_dot1x_eap_tls_scep.roles.dot1x_eap_tls.id: dot1x_eap_tls +wired_dot1x_eap_tls_scep.roles.dot1x_eap_tls.id: dot1x_eap_tls_scep wired_dot1x_eap_tls_scep.roles.dot1x_eap_tls.notes: 802.1x role for PacketFence PKI wired_dot1x_eap_tls_scep.roles.dot1x_eap_tls.vlan_id: 100 From 3c053676b1866f955154d729505f24871eeb7b77 Mon Sep 17 00:00:00 2001 
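Review bot: In the `all.yml` hunks both renamed roles keep `vlan_id: 100` and the same note `802.1x role for PacketFence PKI`, so the manual and SCEP suites still land on one VLAN and are indistinguishable in the admin UI by description. If the goal of splitting the roles is to tell the two enrollment paths apart, give the SCEP role distinct notes such as `802.1x role for PacketFence PKI (SCEP enrollment)` and, if the switch config allows it, its own `vlan_id`; with a shared VLAN only the node's role as reported by the API, not the dynamic VLAN, proves which role matched. The switch-side `{{.wired_dot1x_eap_tls_scep.roles.dot1x_eap_tls.id}}Vlan` mapping added in the `15_create_network_devices.yml` hunk inherits the same ambiguity.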
From: nqb Date: Mon, 25 Oct 2021 12:07:37 +0200 Subject: [PATCH 13/14] minor adjustments --- t/venom/nodes/wired_dot1x_eap_tls/run_sscep_on_node01.yml | 2 +- .../test_suites/wired_dot1x_eap_tls_manual/TESTSUITE.md | 4 +++- t/venom/test_suites/wired_dot1x_eap_tls_scep/TESTSUITE.md | 8 +++++--- 3 files changed, 9 insertions(+), 5 deletions(-) diff --git a/t/venom/nodes/wired_dot1x_eap_tls/run_sscep_on_node01.yml b/t/venom/nodes/wired_dot1x_eap_tls/run_sscep_on_node01.yml index 3f5c0c7ed50a..739b3d9ef8db 100644 --- a/t/venom/nodes/wired_dot1x_eap_tls/run_sscep_on_node01.yml +++ b/t/venom/nodes/wired_dot1x_eap_tls/run_sscep_on_node01.yml @@ -29,7 +29,7 @@ testcases: attributes = req_attributes [ req_attributes ] - challengePassword = secret + challengePassword = {{.wired_dot1x_eap_tls_manual.certs.user.scep_challenge_password}} # only CN is kept by pfpki [ dn ] diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_manual/TESTSUITE.md b/t/venom/test_suites/wired_dot1x_eap_tls_manual/TESTSUITE.md index 6e0fb884b733..50a4657bdb0b 100644 --- a/t/venom/test_suites/wired_dot1x_eap_tls_manual/TESTSUITE.md +++ b/t/venom/test_suites/wired_dot1x_eap_tls_manual/TESTSUITE.md @@ -4,7 +4,7 @@ N/A ### Global config steps -1. Create dot1x_eap_tls role +1. Create dot1x_eap_tls_manual role ## Scenario steps 1. Create Root CA @@ -40,6 +40,8 @@ N/A 1. Check Internet access *on* node01 (common) TODO: +1. Install certificates (HTTP and RADIUS), generated by pfpki, using API (in + place of command line) 1. Revoke certificate 1. Kill wpasupplicant (common test suite) 1. Rerun wpasupplicant to have a reject authentication due to revoke certificate diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_scep/TESTSUITE.md b/t/venom/test_suites/wired_dot1x_eap_tls_scep/TESTSUITE.md index 6e0fb884b733..c272b35487d4 100644 --- a/t/venom/test_suites/wired_dot1x_eap_tls_scep/TESTSUITE.md +++ b/t/venom/test_suites/wired_dot1x_eap_tls_scep/TESTSUITE.md 
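Review bot: The challenge password now comes from `wired_dot1x_eap_tls_manual.certs.user.scep_challenge_password`, while the SCEP URL and CA CN in the same file read `wired_dot1x_eap_tls_scep.*`; unless both suites deliberately share one challenge (not visible here), this CSR carries the wrong secret for the SCEP template under test and the line should read `challengePassword = {{.wired_dot1x_eap_tls_scep.certs.user.scep_challenge_password}}`. If enrollment nevertheless succeeds with a mismatched value, that is itself a finding worth a negative test, since it would mean pfpki is not enforcing the challenge. The rest of the `generate_csr_config` script lies outside the hunk.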
@@ -1,10 +1,10 @@ -# wired_dot1x_eap_tls_manual +# wired_dot1x_eap_tls_scep ## Requirements N/A ### Global config steps -1. Create dot1x_eap_tls role +1. Create dot1x_eap_tls_scep role ## Scenario steps 1. Create Root CA @@ -27,7 +27,7 @@ N/A 1. Perform Checkup (common test suite) 1. Configure 802.1X only and dynamic VLAN on dot1x interface on switch01 -1. Install Root CA on node01 +1. Get CA and client certificates using SCEP on node01 1. Install user certificates (public certificate and private key) on node01 with following paths: - ca_cert: /etc/wpa_supplicant/eap_tls/ca.pem @@ -40,6 +40,8 @@ N/A 1. Check Internet access *on* node01 (common) TODO: +1. Install certificates (HTTP and RADIUS), generated by pfpki, using API (in + place of command line) 1. Revoke certificate 1. Kill wpasupplicant (common test suite) 1. Rerun wpasupplicant to have a reject authentication due to revoke certificate From 0572bab4692b270826a0b4c5d23a178e31dfd86e Mon Sep 17 00:00:00 2001 From: nqb Date: Mon, 25 Oct 2021 16:09:50 +0200 Subject: [PATCH 14/14] fix typos --- t/venom/nodes/wired_dot1x_eap_tls/run_sscep_on_node01.yml | 2 +- .../wired_dot1x_eap_tls_scep/75_run_sscep_on_node01.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/t/venom/nodes/wired_dot1x_eap_tls/run_sscep_on_node01.yml b/t/venom/nodes/wired_dot1x_eap_tls/run_sscep_on_node01.yml index 739b3d9ef8db..9e50ce63660c 100644 --- a/t/venom/nodes/wired_dot1x_eap_tls/run_sscep_on_node01.yml +++ b/t/venom/nodes/wired_dot1x_eap_tls/run_sscep_on_node01.yml @@ -37,7 +37,7 @@ testcases: ST=Radius L=Somewhere O=Example Inc. - CN={{.wired_dot1x_eap_tls_manual.certs.user.cn}} + CN={{.wired_dot1x_eap_tls_scep.certs.user.cn}} EOF - name: generate_csr_with_challenge diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_scep/75_run_sscep_on_node01.yml b/t/venom/test_suites/wired_dot1x_eap_tls_scep/75_run_sscep_on_node01.yml index 72da2f1957bc..7e2534c8fa2e 100644 
--- a/t/venom/test_suites/wired_dot1x_eap_tls_scep/75_run_sscep_on_node01.yml +++ b/t/venom/test_suites/wired_dot1x_eap_tls_scep/75_run_sscep_on_node01.yml @@ -7,4 +7,4 @@ testcases: user: '{{.ssh_user}}' command: | cd /usr/local/pf/t/venom ; \ - sudo VENOM_COMMON_FLAGS='--var pfserver_mgmt_ip={{.pfserver_mgmt_ip}}' /usr/local/pf/t/venom/venom-wrapper.sh {{.nodes_test_suite_dir}}/wired_dot1x_eap_tls/{{.venom.testcase}}.yml + sudo VENOM_COMMON_FLAGS='--format=tap --var pfserver_mgmt_ip={{.pfserver_mgmt_ip}}' /usr/local/pf/t/venom/venom-wrapper.sh {{.nodes_test_suite_dir}}/wired_dot1x_eap_tls/{{.venom.testcase}}.yml