From 517ad6aeb25b146d41f7acd5dc53ca35e4f42212 Mon Sep 17 00:00:00 2001
From: Fabio Napoleoni
Date: Wed, 10 Feb 2016 01:27:26 +0100
Subject: [PATCH] Implemented tests for 2 factor authentication
---
 tests/otp.sh | 81 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 81 insertions(+)
 create mode 100755 tests/otp.sh
diff --git a/tests/otp.sh b/tests/otp.sh
new file mode 100755
index 0000000..80b54ec
--- /dev/null
+++ b/tests/otp.sh
@@ -0,0 +1,81 @@
+#!/bin/bash
+set -ex
+OVPN_DATA=basic-data
+CLIENT=travis-client
+IMG=kylemanna/openvpn
+OTP_USER=otp
+# Function to fail
+abort() { cat <<< "$@" 1>&2; exit 1; }
+
+#
+# Create a docker container with the config data
+#
+docker run --name $OVPN_DATA -v /etc/openvpn busybox
+
+ip addr ls
+SERV_IP=$(ip -4 -o addr show scope global | awk '{print $4}' | sed -e 's:/.*::' | head -n1)
+# Configure server with two factor authentication
+docker run --volumes-from $OVPN_DATA --rm $IMG ovpn_genconfig -u udp://$SERV_IP -2
+
+# nopass is insecure
+docker run --volumes-from $OVPN_DATA --rm -it -e "EASYRSA_BATCH=1" -e "EASYRSA_REQ_CN=Travis-CI Test CA" $IMG ovpn_initpki nopass
+
+docker run --volumes-from $OVPN_DATA --rm -it $IMG easyrsa build-client-full $CLIENT nopass
+
+# Generate OTP credentials for user named test, should return QR code for test user
+docker run --volumes-from $OVPN_DATA --rm -it $IMG ovpn_otp_user $OTP_USER | tee client/qrcode.txt
+# Ensure a chart link is printed in client OTP configuration
+grep 'https://www.google.com/chart' client/qrcode.txt || abort 'Link to chart not generated'
+grep 'Your new secret key is:' client/qrcode.txt || abort 'Secret key is missing'
+# Extract an emergency code from textual output, grepping for line and trimming spaces
+OTP_TOKEN=$(grep -A1 'Your emergency scratch codes are' client/qrcode.txt | tail -1 | tr -d '[[:space:]]')
+# Token should be present
+if [ -z $OTP_TOKEN ]; then
+ abort "QR Emergency Code not detected"
+fi
+
+# Store authentication credentials in config file and tell openvpn to use them
+echo -e "$OTP_USER\n$OTP_TOKEN" > client/credentials.txt
+
+# Override the auth-user-pass directive to use a credentials file
+docker run --volumes-from $OVPN_DATA --rm $IMG ovpn_getclient $CLIENT | sed 's/auth-user-pass/auth-user-pass \/client\/credentials.txt/' | tee client/config.ovpn
+
+#
+# Fire up the server
+#
+sudo iptables -N DOCKER
+sudo iptables -I FORWARD -j DOCKER
+# run in shell bg to get logs
+docker run --name "ovpn-test" --volumes-from $OVPN_DATA --rm -p 1194:1194/udp --privileged $IMG &
+
+#for i in $(seq 10); do
+# SERV_IP=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}')
+# test -n "$SERV_IP" && break
+#done
+#sed -ie s:SERV_IP:$SERV_IP:g client/config.ovpn
+
+#
+# Fire up a client in a container since openvpn is disallowed by Travis-CI, don't NAT
+# the host as it confuses itself:
+# "Incoming packet rejected from [AF_INET]172.17.42.1:1194[2], expected peer address: [AF_INET]10.240.118.86:1194"
+#
+docker run --rm --net=host --privileged --volume $PWD/client:/client $IMG /client/wait-for-connect.sh
+
+#
+# Client either connected or timed out, kill server
+#
+kill %1
+
+#
+# Celebrate
+#
+cat <
+ -----------
+ \ ^__^
+ \ (oo)\_______
+ (__)\ )\/\\
+ ||----w |
+ || ||
+EOF
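Review bot: The OTP secret and scratch code are written into the CI log: with `set -ex` the `echo -e "$OTP_USER\n$OTP_TOKEN"` line is traced with both values expanded, the `tee client/qrcode.txt` step prints the full `ovpn_otp_user` output including the 'Your new secret key is:' line, and `client/credentials.txt` is created with the default umask. For a throwaway Travis CA this is tolerable, but writing the file untraced and with restricted permissions costs one line: `{ set +x; printf '%s\n%s\n' "$OTP_USER" "$OTP_TOKEN" > client/credentials.txt; set -x; }` followed by `chmod 600 client/credentials.txt`. Separately, `kill %1` is only reached when the client container exits zero; if `/client/wait-for-connect.sh` returns non-zero on timeout, `set -e` aborts the script first and leaves the backgrounded server running, so `trap 'kill %1 2>/dev/null' EXIT` placed right after the backgrounded `docker run` covers both paths. The `[ -z $OTP_TOKEN ]` test should also quote its operand.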