Merge pull request #612 from kylemanna/km/fix-tests

Fix build and tests
kylemanna · Oct 26, 2020 · dfd1708 · dfd1708
2 parents d53043e + e8c614e
commit dfd1708
Show file tree

Hide file tree

Showing 9 changed files with 30 additions and 57 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -7,7 +7,7 @@ LABEL maintainer="Kyle Manna <kyle@kylemanna.com>"
 
 # Testing: pamtester
 RUN echo "http://dl-cdn.alpinelinux.org/alpine/edge/testing/" >> /etc/apk/repositories && \
-    apk add --update openvpn iptables bash easy-rsa openvpn-auth-pam google-authenticator pamtester && \
+    apk add --update openvpn iptables bash easy-rsa openvpn-auth-pam google-authenticator pamtester libqrencode && \
     ln -s /usr/share/easy-rsa/easyrsa /usr/local/bin && \
     rm -rf /tmp/* /var/tmp/* /var/cache/apk/* /var/cache/distfiles/*
 

diff --git a/bin/ovpn_initpki b/bin/ovpn_initpki
@@ -15,6 +15,10 @@ source "$OPENVPN/ovpn_env.sh"
 # Specify "nopass" as arg[2] to make the CA insecure (not recommended!)
 nopass=$1
 
+# EasyRSA 3.0.7 introduced checks for $EASYRSA_VARS_FILE existence
+# in the init-pki script
+touch $EASYRSA_VARS_FILE
+
 # Provides a sufficient warning before erasing pre-existing files
 easyrsa init-pki
 

diff --git a/bin/ovpn_otp_user b/bin/ovpn_otp_user
@@ -28,6 +28,7 @@ if [ "$2" == "interactive" ]; then
     # Always use time base OTP otherwise storage for counters must be configured somewhere in volume
     google-authenticator --time-based --force -l "${1}@${OVPN_CN}" -s /etc/openvpn/otp/${1}.google_authenticator
 else
+    # Skip confirmation if not running in interctive mode. Essential for integration tests.
     google-authenticator --time-based --disallow-reuse --force --rate-limit=3 --rate-time=30 --window-size=3 \
-        -l "${1}@${OVPN_CN}" -s /etc/openvpn/otp/${1}.google_authenticator
-fi
+        -l "${1}@${OVPN_CN}" -s /etc/openvpn/otp/${1}.google_authenticator --no-confirm
+fi
diff --git a/bin/ovpn_revokeclient b/bin/ovpn_revokeclient
@@ -22,7 +22,6 @@ if [ -z "$EASYRSA_PKI" ]; then
 fi
 
 cn="$1"
-parm="$2"
 
 if [ ! -f "$EASYRSA_PKI/private/${cn}.key" ]; then
     echo "Unable to find \"${cn}\", please try again or generate the key first" >&2
@@ -37,25 +36,4 @@ revoke_client_certificate(){
     chmod 644 "$OPENVPN/crl.pem"
 }
 
-remove_files(){
-    rm -v "$EASYRSA_PKI/issued/${1}.crt"
-    rm -v "$EASYRSA_PKI/private/${1}.key"
-    rm -v "$EASYRSA_PKI/reqs/${1}.req"
-}
-
-case "$parm" in
-    "remove")
-        revoke_client_certificate "$cn"
-        remove_files "$cn"
-        ;;
-    "" | "keep")
-        revoke_client_certificate "$cn"
-        ;;
-    *)
-        echo "When revoking a client certificate, this script let you choose if you want to remove the corresponding crt, key and req files." >&2
-        echo "Pease note that the removal of those files is required if you want to generate a new client certificate using the revoked certificate's CN." >&2
-        echo "    1. keep (default): Keep the files." >&2
-        echo "    2. remove: Remove the files." >&2
-        echo "Please specify one of those options as second parameter." >&2
-        ;;
-esac
+revoke_client_certificate "$cn"
diff --git a/test/tests/basic/run.sh b/test/tests/basic/run.sh
@@ -24,9 +24,6 @@ docker run -v $OVPN_DATA:/etc/openvpn --rm $IMG ovpn_listclients | grep $CLIENT
 #
 # Fire up the server
 #
-sudo iptables -N DOCKER || echo 'Firewall already configured'
-sudo iptables -I FORWARD -j DOCKER || echo 'Forward already configured'
-# run in shell bg to get logs
 docker run --name "ovpn-test" -v $OVPN_DATA:/etc/openvpn --rm -p 1194:1194/udp --privileged $IMG &
 
 #for i in $(seq 10); do

diff --git a/test/tests/dual-proto/run.sh b/test/tests/dual-proto/run.sh
@@ -34,8 +34,6 @@ docker run -v $OVPN_DATA:/etc/openvpn --rm $IMG ovpn_listclients | grep $CLIENT_
 #
 # Fire up the server
 #
-sudo iptables -N DOCKER || echo 'Firewall already configured'
-sudo iptables -I FORWARD -j DOCKER || echo 'Forward already configured'
 
 # run in shell bg to get logs
 docker run --name "ovpn-test-udp" -v $OVPN_DATA:/etc/openvpn --rm -p 1194:1194/udp --privileged $IMG &

diff --git a/test/tests/iptables/run.sh b/test/tests/iptables/run.sh
@@ -16,14 +16,17 @@ docker run -v $OVPN_DATA:/etc/openvpn --rm -it -e "EASYRSA_BATCH=1" -e "EASYRSA_
 docker run -d --name $NAME -v $OVPN_DATA:/etc/openvpn --cap-add=NET_ADMIN $IMG
 
 # check default iptables rules
-docker exec -ti $NAME bash -c 'source /etc/openvpn/ovpn_env.sh; eval iptables -t nat -C POSTROUTING -s $OVPN_SERVER -o eth0 -j MASQUERADE'
+for i in $(seq 10); do
+    docker exec -ti $NAME bash -c 'source /etc/openvpn/ovpn_env.sh; exec iptables -t nat -C POSTROUTING -s $OVPN_SERVER -o eth0 -j MASQUERADE' && break
+    echo waiting for server start-up
+    sleep 1
+done
 
 # append new setupIptablesAndRouting function to config
 docker exec -ti $NAME bash -c 'echo function setupIptablesAndRouting { iptables -t nat -A POSTROUTING -m comment --comment "test"\;} >> /etc/openvpn/ovpn_env.sh'
 
 # kill server in preparation to modify config
-docker kill $NAME
-docker rm $NAME
+docker rm -f $NAME
 
 # check that overridden function exists and that test iptables rules is active
 docker run -d --name $NAME -v $OVPN_DATA:/etc/openvpn --cap-add=NET_ADMIN $IMG
@@ -33,6 +36,5 @@ docker exec -ti $NAME bash -c 'source /etc/openvpn/ovpn_env.sh; type -t setupIpt
 # kill server
 #
 
-docker kill $NAME
-docker rm $NAME
+docker rm -f $NAME
 docker volume rm $OVPN_DATA
diff --git a/test/tests/otp/run.sh b/test/tests/otp/run.sh
@@ -49,9 +49,6 @@ grep 'reneg-sec 0' $CLIENT_DIR/config.ovpn || abort 'reneg-sec not set to 0 in c
 #
 # Fire up the server
 #
-sudo iptables -N DOCKER || echo 'Firewall already configured'
-sudo iptables -I FORWARD -j DOCKER || echo 'Forward already configured'
-# run in shell bg to get logs
 docker run --name "ovpn-test" -v $OVPN_DATA:/etc/openvpn --rm -p 1194:1194/udp --privileged $IMG &
 
 #for i in $(seq 10); do

diff --git a/test/tests/revocation/run.sh b/test/tests/revocation/run.sh
@@ -3,11 +3,11 @@ set -e
 
 [ -n "${DEBUG+x}" ] && set -x
 
-OVPN_DATA="basic-data"
+OVPN_DATA="ovpn-revoke-test-data"
 CLIENT1="travis-client1"
 CLIENT2="travis-client2"
 IMG="kylemanna/openvpn"
-NAME="ovpn-test"
+NAME="ovpn-revoke-test"
 CLIENT_DIR="$(readlink -f "$(dirname "$BASH_SOURCE")/../../client")"
 SERV_IP="$(ip -4 -o addr show scope global  | awk '{print $4}' | sed -e 's:/.*::' | head -n1)"
 
@@ -18,18 +18,21 @@ docker volume create --name $OVPN_DATA
 docker run --rm -v $OVPN_DATA:/etc/openvpn $IMG ovpn_genconfig -u udp://$SERV_IP
 docker run --rm -v $OVPN_DATA:/etc/openvpn -it -e "EASYRSA_BATCH=1" -e "EASYRSA_REQ_CN=Travis-CI Test CA" $IMG ovpn_initpki nopass
 
-#
-# Fire up the server.
-#
-sudo iptables -N DOCKER || echo 'Firewall already configured'
-sudo iptables -I FORWARD 1 -j DOCKER
-docker run -d -v $OVPN_DATA:/etc/openvpn --cap-add=NET_ADMIN --privileged -p 1194:1194/udp --name $NAME $IMG
+# Register clean-up function
+function finish {
+    # Stop the server and clean up
+    docker rm -f $NAME
+    docker volume rm $OVPN_DATA
+}
+trap finish EXIT
 
+# Put the server in the background
+docker run -d -v $OVPN_DATA:/etc/openvpn --cap-add=NET_ADMIN -p 1194:1194/udp --name $NAME $IMG
 
 #
 # Test that easy_rsa generate CRLs with 'next publish' set to 3650 days.
 #
-crl_next_update="$(docker exec $NAME openssl crl -nextupdate -noout -in /etc/openvpn/crl.pem | cut -d'=' -f2 | tr -d 'GMT')"
+crl_next_update="$(docker exec $NAME bash -c "openssl crl -nextupdate -noout -in \$EASYRSA_PKI/crl.pem | cut -d'=' -f2 | tr -d 'GMT'")"
 crl_next_update="$(date -u -d "$crl_next_update" "+%s")"
 now="$(docker exec $NAME date "+%s")"
 crl_remain="$(( $crl_next_update - $now ))"
@@ -44,7 +47,7 @@ fi
 #
 docker exec -it $NAME easyrsa build-client-full $CLIENT1 nopass
 docker exec -it $NAME ovpn_getclient $CLIENT1 > $CLIENT_DIR/config.ovpn
-docker exec -it $NAME bash -c "echo 'yes' | ovpn_revokeclient $CLIENT1 remove"
+docker exec -it $NAME bash -c "echo 'yes' | ovpn_revokeclient $CLIENT1"
 
 #
 # Test that openvpn client can't connect using $CLIENT1 config.
@@ -59,7 +62,7 @@ fi
 #
 docker exec -it $NAME easyrsa build-client-full $CLIENT2 nopass
 docker exec -it $NAME ovpn_getclient $CLIENT2 > $CLIENT_DIR/config.ovpn
-docker exec -it $NAME bash -c "echo 'yes' | ovpn_revokeclient $CLIENT2 remove"
+docker exec -it $NAME bash -c "echo 'yes' | ovpn_revokeclient $CLIENT2"
 
 if docker run --rm -v $CLIENT_DIR:/client --cap-add=NET_ADMIN --privileged --net=host $IMG /client/wait-for-connect.sh; then
     echo "Client was able to connect after revocation test #2." >&2
@@ -79,13 +82,6 @@ if docker run --rm -v $CLIENT_DIR:/client --cap-add=NET_ADMIN --privileged --net
     exit 2
 fi
 
-#
-# Stop the server and clean up
-#
-docker kill $NAME && docker rm $NAME
-docker volume rm $OVPN_DATA
-sudo iptables -D FORWARD 1
-
 #
 # Celebrate
 #