Add EAP-TLS integration tests (Manual and SCEP) #6647

Merged
merged 14 commits into from
Oct 25, 2021
1 change: 1 addition & 0 deletions addons/vagrant/playbooks/nodes/pre_prov/packages.yml
Expand Up @@ -34,6 +34,7 @@
- packetfence-test
- wpasupplicant
- sscep
- rsync

roles:
- role: inverse_inc.gitlab_buildpkg_tools
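--- a/t/venom/nodes/wired_dot1x_eap_tls/run_sscep_on_node01.yml
+++ b/t/venom/nodes/wired_dot1x_eap_tls/run_sscep_on_node01.yml
@@ -0,0 +1,69 @@
+name: Run SSCEP on node01
+testcases:
+- name: create_temp_directory
+steps:
+- type: exec
+script: "mktemp -d"
+info: '{{.result.systemout}}'
+vars:
+temp_dir:
+from: result.systemout
+
+- name: generate_private_key_without_passphrase
+steps:
+- type: exec
+script: |
+( _fd="{{.create_temp_directory.temp_dir}}/client.key" ; _len="2048" ; \
+openssl genrsa -out ${_fd} ${_len} )
+
+- name: generate_csr_config
+steps:
+- type: exec
+script: |
+cat > {{.create_temp_directory.temp_dir}}/client.cnf << EOF
+[req]
+default_bits = 2048
+prompt = no
+default_md = sha256
+distinguished_name = dn
+attributes = req_attributes
+
+[ req_attributes ]
+challengePassword = {{.wired_dot1x_eap_tls_manual.certs.user.scep_challenge_password}}
+
+# only CN is kept by pfpki
+[ dn ]
+C=FR
+ST=Radius
+L=Somewhere
+O=Example Inc.
+CN={{.wired_dot1x_eap_tls_scep.certs.user.cn}}
+EOF
+
+- name: generate_csr_with_challenge
+steps:
+- type: exec
+script: |
+( _fd="{{.create_temp_directory.temp_dir}}/client.key" ; _fd_csr="{{.create_temp_directory.temp_dir}}/client.csr" ; \
+openssl req -out ${_fd_csr} -new -key ${_fd} -config {{.create_temp_directory.temp_dir}}/client.cnf )
+
+- name: get_ca_cert_using_sscep
+steps:
+- type: exec
+script: |
+sscep getca -u http://{{.pfserver_mgmt_ip}}/scep/{{.wired_dot1x_eap_tls_scep.templates.user.name}} \
+-c {{.create_temp_directory.temp_dir}}/ca.pem -i {{.wired_dot1x_eap_tls_scep.certs.ca.cn}} -v -d
+
+- name: get_client_cert_using_sscep
+steps:
+- type: exec
+script: |
+sscep enroll -c {{.create_temp_directory.temp_dir}}/ca.pem -k {{.create_temp_directory.temp_dir}}/client.key \
+-r {{.create_temp_directory.temp_dir}}/client.csr \
+-u http://{{.pfserver_mgmt_ip}}/scep/{{.wired_dot1x_eap_tls_scep.templates.user.name}} -l {{.create_temp_directory.temp_dir}}/client.pem -v -d -S sha1 -E aes
+
+- name: move_certificates
+steps:
+- type: exec
+script: |
+sudo cp -v {{.create_temp_directory.temp_dir}}/* /etc/wpa_supplicant/eap_tls/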
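Review bot: The `move_certificates` step copies the whole temp directory with a glob, so `client.cnf` — which embeds the SCEP challenge password in clear text on its `challengePassword` line — and the CSR end up in `/etc/wpa_supplicant/eap_tls/` next to the key; copy only what the supplicant needs and delete the rest: `sudo cp -v {{.create_temp_directory.temp_dir}}/ca.pem {{.create_temp_directory.temp_dir}}/client.key {{.create_temp_directory.temp_dir}}/client.pem /etc/wpa_supplicant/eap_tls/` followed by `rm -rf {{.create_temp_directory.temp_dir}}`. The challenge password is read from `wired_dot1x_eap_tls_manual.certs.user.scep_challenge_password` while every other variable in this file comes from the `wired_dot1x_eap_tls_scep` namespace, which looks like a copy/paste slip unless the manual suite deliberately defines that key. `get_ca_cert_using_sscep` fetches the CA over plain HTTP with no fingerprint check, so enrolment trusts whatever answers at `{{.pfserver_mgmt_ip}}`; acceptable on a lab network, but a comment such as `# lab only: CA is fetched unauthenticated over HTTP; pin it with sscep -F <fingerprint> outside the test bed` would keep this from being copied into a production how-to. `-S sha1` in the enroll call also deserves a comment saying whether pfpki requires it, since SHA-1 is otherwise obsolete. None of the `exec` steps carry an assertion, so unless Venom's default exit-code check applies, a failed `sscep enroll` would only surface later in the supplicant step.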
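--- a/t/venom/nodes/wired_dot1x_eap_tls/run_wpasupplicant.yml
+++ b/t/venom/nodes/wired_dot1x_eap_tls/run_wpasupplicant.yml
@@ -0,0 +1,9 @@
+name: Run wpasupplicant for EAP-TLS
+testcases:
+- name: run_wpasupplicant_eap_peap
+steps:
+- type: exec
+script: "sudo wpa_supplicant -c /etc/wpa_supplicant/eap_tls/eap_tls.conf -D wired -i ens7 -B"
+timeout: 10
+assertions:
+- result.systemout ShouldContainSubstring "Successfully initialized wpa_supplicant"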
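Review bot: The testcase is named `run_wpasupplicant_eap_peap` although the file title, the config path `/etc/wpa_supplicant/eap_tls/eap_tls.conf` and the suite are EAP-TLS; rename it `run_wpasupplicant_eap_tls` so the Venom report and any `{{.run_wpasupplicant_eap_tls...}}` references read correctly. Because `-B` daemonises the supplicant, the single assertion only proves the process started, not that the EAP-TLS exchange succeeded — presumably the switch-side `check_dot1x_int_status` testcase covers that, and a one-line comment such as `# authentication outcome is asserted by switches/common/check_dot1x_int_status.yml` would make the split explicit. The interface name `ens7` is hard-coded; if the other node testcases take it from a variable, use the same one here.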
Expand Up @@ -61,17 +61,17 @@ testcases:
assertions:
- result.statuscode ShouldEqual 201

- name: create_dot1x_eap_tls_pfpki_role
- name: create_wired_dot1x_eap_tls_manual.role
steps:
- type: http
method: POST
url: '{{.pfserver_webadmin_url}}/api/v1/config/roles'
ignore_verify_ssl: true
body: >-
{
"id":"{{.dot1x_eap_tls_pfpki.roles.dot1x_eap_tls.id}}",
"id":"{{.wired_dot1x_eap_tls_manual.roles.dot1x_eap_tls.id}}",
"max_nodes_per_pid":0,
"notes":"{{.dot1x_eap_tls_pfpki.roles.dot1x_eap_tls.notes}}"
"notes":"{{.wired_dot1x_eap_tls_manual.roles.dot1x_eap_tls.notes}}"
}
headers:
"Authorization": "{{.get_login_token.json.result.token}}"
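Review bot: The new testcase name `create_wired_dot1x_eap_tls_manual.role` contains a dot where the old name `create_dot1x_eap_tls_pfpki_role` and the surrounding testcases use underscores, which looks like a typo; Venom exposes testcase results as template variables keyed by testcase name, so a dotted name would be awkward or impossible to reference. Rename it `create_wired_dot1x_eap_tls_manual_role`. The file is not named on this page and the testcase's remaining steps are outside the hunk.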
Expand Up @@ -107,10 +107,10 @@ testcases:
"{{.wired_mac_auth.roles.headless_device.id}}Role": null,
"{{.wired_mac_auth.roles.headless_device.id}}Url": null,
"{{.wired_mac_auth.roles.headless_device.id}}Vlan": "{{.wired_mac_auth.roles.headless_device.vlan_id}}",
"{{.dot1x_eap_tls_pfpki.roles.dot1x_eap_tls.id}}AccessList": null,
"{{.dot1x_eap_tls_pfpki.roles.dot1x_eap_tls.id}}Role": null,
"{{.dot1x_eap_tls_pfpki.roles.dot1x_eap_tls.id}}Url": null,
"{{.dot1x_eap_tls_pfpki.roles.dot1x_eap_tls.id}}Vlan": "{{.dot1x_eap_tls_pfpki.roles.dot1x_eap_tls.vlan_id}}",
"{{.wired_dot1x_eap_tls_manual.roles.dot1x_eap_tls.id}}AccessList": null,
"{{.wired_dot1x_eap_tls_manual.roles.dot1x_eap_tls.id}}Role": null,
"{{.wired_dot1x_eap_tls_manual.roles.dot1x_eap_tls.id}}Url": null,
"{{.wired_dot1x_eap_tls_manual.roles.dot1x_eap_tls.id}}Vlan": "{{.dot1x_eap_tls_pfpki.roles.dot1x_eap_tls.vlan_id}}",
"voiceAccessList": null,
"voiceRole": null,
"voiceUrl": null,
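Review bot: The value on the `Vlan` line still reads `{{.dot1x_eap_tls_pfpki.roles.dot1x_eap_tls.vlan_id}}` while its key and the three lines above were moved to the `wired_dot1x_eap_tls_manual` namespace, so the rename is incomplete and the VLAN will render empty (or fail templating) unless the old `dot1x_eap_tls_pfpki` variables are still defined somewhere. Change it to `"{{.wired_dot1x_eap_tls_manual.roles.dot1x_eap_tls.id}}Vlan": "{{.wired_dot1x_eap_tls_manual.roles.dot1x_eap_tls.vlan_id}}",`. The file is not named on this page and the JSON body continues outside the hunk in both directions.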
6 changes: 4 additions & 2 deletions t/venom/scenarios/dot1x_eap_tls/playbooks/run_tests.yml
Expand Up @@ -7,8 +7,10 @@
test_suites:
- configurator
- global_config
- dot1x_eap_tls_pfpki
- dot1x_eap_tls_pfpki/teardown
- wired_dot1x_eap_tls_manual
- wired_dot1x_eap_tls_manual/teardown
- wired_dot1x_eap_tls_scep
- wired_dot1x_eap_tls_scep/teardown
- global_teardown

tasks:
5 changes: 2 additions & 3 deletions t/venom/switches/common/check_dot1x_int_status.yml
Expand Up @@ -16,8 +16,7 @@ testcases:
"Content-Type": "application/json"
assertions:
# we didn't check MAC address on port to make this testcase reusable
- result.body ShouldContainSubstring "{{.dot1x_eap_peap.roles.ad_user.vlan_id}}"
- result.body ShouldContainSubstring PEAP
- result.body ShouldContainSubstring "{{.ad_domain_user}}"
- result.body ShouldContainSubstring "{{.wired_dot1x_eap_tls_manual.roles.dot1x_eap_tls.vlan_id}}"
- result.body ShouldContainSubstring TLS
- result.body ShouldContainSubstring AUTHORIZED
- result.statuscode ShouldEqual 200
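Review bot: The comment `# we didn't check MAC address on port to make this testcase reusable` is contradicted by the new assertion, which pins the expected VLAN to `wired_dot1x_eap_tls_manual.roles.dot1x_eap_tls.vlan_id` although this file lives under `switches/common/` and the run_tests playbook in this PR also runs a `wired_dot1x_eap_tls_scep` suite; if that suite reuses this check with a different VLAN it will fail, and if it shares the same VLAN the coupling is at least undocumented. Take the VLAN from a suite-neutral variable the caller sets (for example `{{.expected_vlan_id}}`) or extend the comment to say which suites this check is bound to. `ShouldContainSubstring TLS` is also a loose match — `TLS` and `AUTHORIZED` could both appear in unrelated fields of the body — so asserting the exact EAP-type string the status endpoint returns would be stronger, if that string is known.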