From patchwork Fri Jun 7 11:06:40 2024
X-Patchwork-Submitter: "flichtenheld (Code Review)"
X-Patchwork-Id: 3726
From: "mattock (Code Review)"
Date: Fri, 7 Jun 2024 11:06:40 +0000
To: plaisthos, flichtenheld
Cc: openvpn-devel
Reply-To: samuli@openvpn.net, arne-openvpn@rfc2549.org, openvpn-devel@lists.sourceforge.net, frank@lichtenheld.com
Subject: [Openvpn-devel] [L] Change in openvpn[master]: Add t_server_null test suite
Message-ID: <361cb52b57320f43f1f9b2f68c20cda4a436dda7-HTML@gerrit.openvpn.net>
User-Agent: Gerrit/3.8.2
X-Gerrit-MessageType: newchange
X-Gerrit-PatchSet: 1
X-Gerrit-Project: openvpn
X-Gerrit-Change-Number: 663
X-Gerrit-Change-Id: I1b54da258c7d15551b6c3de7522a0d19afdb66de
X-Gerrit-Commit: 4a01f14eb7f3fb3f36217c15d27fc1ce52a8b63c

Attention is currently required from: flichtenheld, plaisthos.

Hello plaisthos, flichtenheld,

I'd like you to do a code review. Please visit

    http://gerrit.openvpn.net/c/openvpn/+/663?usp=email

to review the following change.

Change subject: Add t_server_null test suite
......................................................................

Add t_server_null test suite

Change-Id: I1b54da258c7d15551b6c3de7522a0d19afdb66de
Signed-off-by: Samuli Seppänen --- M .gitignore A doc/t_server_null.rst M tests/Makefile.am A tests/null_client_up.sh A tests/t_server_null.rc-sample A tests/t_server_null.sh A tests/t_server_null_client.sh A tests/t_server_null_default.rc A tests/t_server_null_server.sh A tests/t_server_null_stress.sh 10 files changed, 566 insertions(+), 2 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/63/663/1 diff --git a/.gitignore b/.gitignore index 92d65bf..db8bb73 100644 --- a/.gitignore +++ b/.gitignore @@ -55,6 +55,7 @@ tests/t_client.sh tests/t_client-*-20??????-??????/ +tests/t_server_null.rc t_client.rc t_client_ips.rc tests/unit_tests/**/*_testdriver diff --git a/doc/t_server_null.rst b/doc/t_server_null.rst new file mode 100644 index 0000000..233e659 --- /dev/null +++ b/doc/t_server_null.rst 
@@ -0,0 +1,146 @@ +Notes for the --dev null test suite +=================================== + +Introduction +------------ + +The *--dev null test suite* is primary targeted at testing client connections +to the "just compiled" version of OpenVPN. The name is derived from "null" +device type in OpenVPN. In particular, when *--dev null --ifconfig-noexec* is +used in OpenVPN client configuration one does not need to run OpenVPN with root +privileges because interface, routing, etc. configuration is not done at all. +This is still enough to ensure that the OpenVPN client can connect to a server +instance. + +The main features of the test suite: + +* Parallelized for fairly high performance +* Mostly operating-system agnostic +* Tested on Fedora Linux 38 and FreeBSD 14 +* Should be POSIX shell compliant but uses Bash now +* Uses the sample certificates and keys +* Supports running multiple servers and clients +* Supports running servers directly as root and with sudo +* Supports using different OpenVPN client versions + + * The "current" (just compiled) version + * Any other OpenVPN versions that is present on the filesystem + +* Support testing for success as well as failure +* Test cases (client configurations) and server setups (server configurations) are stored in a configuration file, i.e. data and code have been separated +* Configuration file format is nearly identical to t_client.rc configuration +* Supports a set of default tests, overriding default test settings and adding local tests + +Prerequisites +------------- + +Running the test suite requires the following: + +* *bash* for running the tests +* root-level privileges for launching the servers + + * run as root + * a privilege escalation tool (sudo, doas, su) and the permission to become root + +Technical implementation +------------------------ + +The test suite is completely parallelized to allow running a large number of +server and client combinations quickly. 
+ +A normal test run looks like this: + +#. Server instances start +#. Brief wait +#. Client instances start +#. Tests run +#. Client instances stop +#. Brief wait +#. Server instances stop + +The tests suite is launched via "make check": + +* make check + + * t_server_null.sh + + * t_server_null_server.sh + + * Launches the compiled OpenVPN server instances as root (if necessary with sudo or su) in the background. The servers are killed using their management interface once all clients have exited. + + * t_server_null_client.sh + + * Waits until servers have launched. Then launch all clients, wait for them to exit and then check test results by parsing the client log files. Each client kills itself after some delay using an "--up" script. + +Note that "make check" moves on once *t_server_null_client.sh* has exited. At +that point *t_server_null_server.sh* is still running, because it exists only +after waiting a few seconds for more client connections to potentially appear. +This is a feature and not a bug, but means that launching "make check" runs too +quickly might cause test failures or unexpected behavior such as leftover +OpenVPN server processes. + +Configuration +------------- + +The test suite reads its configuration from two files: + +* *tests/t_server_null_defaults.rc:* default test configuration that should work on any system +* *tests/t_server_null.rc:* a local configuration file; can be used to add additional tests or override settings from the default test configuration. Must be present or tests will be skipped, but can be an empty file. + +The configuration syntax is very similar to *t_client.rc*. New server instances can be +defined like this:: + + SERVER_NAME_5="t_server_null_server-11195_udp" + SERVER_MGMT_PORT_5="11195" + SERVER_EXEC_5="${SERVER_EXEC}" + SERVER_CONF_5="${SERVER_CONF_BASE} --lport 11195 --proto udp --management 127.0.0.1 ${SERVER_MGMT_PORT_5}" + +In this case the server instance identifier is **5**. 
Variables such as +*SERVER_EXEC* and *SERVER_CONF_BASE* are defined in +*t_server_null_defaults.rc*. To enable this server instance add it to the +server list:: + + TEST_SERVER_LIST="1 2 5" + +The client instances are added similarly:: + + TEST_NAME_9="t_server_null_client.sh-openvpn_current_udp_custom" + SHOULD_PASS_9="yes" + CLIENT_EXEC_9="${CLIENT_EXEC}" + CLIENT_CONF_9="${CLIENT_CONF_BASE} --remote 127.0.0.1 1194 udp --proto udp" + +In this case the test identifier is **9**. *CLIENT_EXEC* and *CLIENT_CONF_BASE* +are defined in *t_server_null_defaults.rc*. The variable *SHOULD_PASS* +determines that this particular test is supposed to succeed and not fail. To +enable this client instance add it to the test list:: + + TEST_RUN_LIST="1 2 5 9" + +Stress-testing the --dev null test suite +---------------------------------------- + +It is very easy to introduce subtle, difficult to debug issues to the --dev +null tests when you make changes to it. These issues can be difficult to spot: +based on practical experience a bad change can make the test failure rate go +from 0% (normal) to anywhere between 1% and 20%. You can spot these issues with +the provided stress-test script, *t_server_null_stress.sh*. It calls *make check* +over and over again in a loop and when failures occur it saves the output under +*tests/make-check*. + +To follow the test flow on Linux you can run this while stress-testing:: + + watch -n 0.5 "ps aux|grep -E '(openvpn|t_server_null_server.sh)'|grep -vE '(suppress|grep|tail)'" + +Regarding privilege escalation +------------------------------ + +The --dev null test servers need to be launched as root. Either run the tests +as root directly, or configure a privilege escalation tool of your choice in +*t_server_null.rc*. 
For example, to use sudo:: + + SUDO_EXEC=`which sudo` + RUN_SUDO="${SUDO_EXEC} -E" + +If you do stress-testing with *t_server_null_stress.sh* make sure your +privilege escalation authorization does not time out: if it does, then a +reauthorization prompt will interrupt your tests. diff --git a/tests/Makefile.am b/tests/Makefile.am index 5e9ad0a..f26b3b8 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -15,10 +15,10 @@ SUBDIRS = unit_tests AM_TESTSUITE_SUMMARY_HEADER = ' for $(PACKAGE_STRING) System Tests' -LOG_DRIVER = $(SHELL) $(top_srcdir)/forked-test-driver +SH_LOG_DRIVER = $(SHELL) $(top_srcdir)/forked-test-driver if !WIN32 -test_scripts = t_client.sh t_lpback.sh t_cltsrv.sh +test_scripts = t_client.sh t_lpback.sh t_cltsrv.sh t_server_null.sh check_PROGRAMS = ntlm_support if HAVE_SITNL @@ -27,6 +27,7 @@ endif TESTS_ENVIRONMENT = top_srcdir="$(top_srcdir)" +TEST_EXTENSIONS = .sh TESTS = $(test_scripts) dist_noinst_SCRIPTS = \ @@ -34,8 +35,14 @@ t_cltsrv-down.sh \ t_lpback.sh \ t_net.sh \ + t_server_null.sh \ + t_server_null_client.sh \ + t_server_null_server.sh \ + t_server_null_default.rc \ update_t_client_ips.sh +t_client.log: t_server_null.log + dist_noinst_DATA = \ t_client.rc-sample diff --git a/tests/null_client_up.sh b/tests/null_client_up.sh new file mode 100755 index 0000000..d4df0c6 --- /dev/null +++ b/tests/null_client_up.sh @@ -0,0 +1,11 @@ +#!/bin/sh +# +# Stop the parent process (openvpn) gracefully after a small delay + +# Determine the OpenVPN PID from its pid file. This works reliably even when +# the OpenVPN process is backgrounded for parallel tests. +MY_PPID=`cat $pid` + +# Allow OpenVPN to finish initializing while waiting in the background and then +# killing the process gracefully. +(sleep 5 ; kill -15 $MY_PPID) & diff --git a/tests/t_server_null.rc-sample b/tests/t_server_null.rc-sample new file mode 100644 index 0000000..28c3773 --- /dev/null +++ b/tests/t_server_null.rc-sample 
@@ -0,0 +1,15 @@ +# Uncomment to run tests with sudo +#SUDO_EXEC=`which sudo` +#RUN_SUDO="${SUDO_EXEC} -E" + +TEST_RUN_LIST="1 2 3 10 11" + +TEST_NAME_10="t_server_null_client.sh-openvpn_2_6_8_udp" +SHOULD_PASS_10="yes" +CLIENT_EXEC_10="/usr/sbin/openvpn" +CLIENT_CONF_10="${CLIENT_CONF_BASE} --remote 127.0.0.1 1194 udp --proto udp" + +TEST_NAME_11="t_server_null_client.sh-openvpn_2_6_8_tcp" +SHOULD_PASS_11="yes" +CLIENT_EXEC_11="/usr/sbin/openvpn" +CLIENT_CONF_11="${CLIENT_CONF_BASE} --remote 127.0.0.1 1195 tcp --proto tcp" diff --git a/tests/t_server_null.sh b/tests/t_server_null.sh new file mode 100755 index 0000000..7ad843a --- /dev/null +++ b/tests/t_server_null.sh 
@@ -0,0 +1,74 @@ +#!/usr/bin/env bash +# +TSERVER_NULL_SKIP_RC="${TSERVER_NULL_SKIP_RC:-77}" + +if ! [ -r "./t_server_null.rc" ] ; then + echo "$0: cannot find './t_server_null.rc. SKIPPING TEST.'" >&2 + exit "${TSERVER_NULL_SKIP_RC}" +fi + +. ./t_server_null.rc + +export KILL_EXEC=`which kill` +if [ $? -ne 0 ]; then + echo "$0: kill not found in \$PATH" >&2 + exit "${TSERVER_NULL_SKIP_RC}" +fi + +# Ensure PREFER_KSU is in a known state +PREFER_KSU="${PREFER_KSU:-0}" + +# make sure we have permissions to run ifconfig/route from OpenVPN +# can't use "id -u" here - doesn't work on Solaris +ID=`id` +if expr "$ID" : "uid=0" >/dev/null +then : +else + if [ "${PREFER_KSU}" -eq 1 ]; + then + # Check if we have a valid kerberos ticket + klist -l 1>/dev/null 2>/dev/null + if [ $? -ne 0 ]; + then + # No kerberos ticket found, skip ksu and fallback to RUN_SUDO + PREFER_KSU=0 + echo "$0: No Kerberos ticket available. Will not use ksu." + else + RUN_SUDO="ksu -q -e" + fi + fi + + if [ -z "$RUN_SUDO" ] + then + echo "$0: this test must run be as root, or RUN_SUDO=... " >&2 + echo " must be set correctly in 't_server_null.rc'. SKIP." >&2 + exit "${TSERVER_NULL_SKIP_RC}" + else + # Run a no-op command with privilege escalation (e.g. sudo) so that + # we (hopefully) do not have to ask the users password during the test. + if $RUN_SUDO $KILL_EXEC -0 $$ + then + echo "$0: $RUN_SUDO $KILL_EXEC -0 succeeded, good." + else + echo "$0: $RUN_SUDO $KILL_EXEC -0 failed, cannot go on. SKIP." >&2 + exit "${TSERVER_NULL_SKIP_RC}" + fi + fi +fi + +srcdir="${srcdir:-.}" + + +if [ -z "${RUN_SUDO}" ]; then + "${srcdir}/t_server_null_server.sh" & +else + $RUN_SUDO "${srcdir}/t_server_null_server.sh" & +fi + +"${srcdir}/t_server_null_client.sh" + +# When running make jobs in parallel ("make -j check") we need to ensure +# that this script does not exit before all --dev null servers are dead and +# their network interfaces are gone. 
Otherwise t_client.sh will fail because +# pre and post ifconfig output does not match. +wait diff --git a/tests/t_server_null_client.sh b/tests/t_server_null_client.sh new file mode 100755 index 0000000..aa71f08 --- /dev/null +++ b/tests/t_server_null_client.sh 
@@ -0,0 +1,132 @@ +#!/usr/bin/env bash + +launch_client() { + local test_name=$1 + local log="${test_name}.log" + local pid="${test_name}.pid" + local client_exec=$2 + local client_conf=$3 + + # Ensure that old log and pid files are gone + rm -f "${log}" "${pid}" + + "${client_exec}" \ + $client_conf \ + --writepid "${pid}" \ + --setenv pid $pid \ + --log "${log}" & +} + +wait_for_results() { + tests_running="yes" + + # Wait a bit to allow an OpenVPN client process to create a pidfile to + # prevent exiting too early + sleep 1 + + while [ "${tests_running}" == "yes" ]; do + tests_running="no" + for t in $test_names; do + if [ -f "${t}.pid" ]; then + tests_running="yes" + fi + done + + if [ "${tests_running}" == "yes" ]; then + echo "Clients still running" + sleep 1 + fi + done +} + +get_client_test_result() { + local test_name=$1 + local should_pass=$2 + local log="${test_name}.log" + + grep "Initialization Sequence Completed" "${log}" > /dev/null + local exit_code=$? + + if [ $exit_code -eq 0 ] && [ "${should_pass}" = "yes" ]; then + echo "PASS ${test_name}" + elif [ $exit_code -eq 1 ] && [ "${should_pass}" = "no" ]; then + echo "PASS ${test_name} (test failure)" + elif [ $exit_code -eq 0 ] && [ "${should_pass}" = "no" ]; then + echo "FAIL ${test_name} (test failure)" + cat "${log}" + retval=1 + elif [ $exit_code -eq 1 ] && [ "${should_pass}" = "yes" ]; then + echo "FAIL ${test_name}" + cat "${log}" + retval=1 + fi +} + +# Load basic/default tests +. ${srcdir}/t_server_null_default.rc || exit 1 + +# Load additional local tests, if any +test -r ./t_server_null.rc && . ./t_server_null.rc + +# Return value for the entire test suite. Gets set to 1 if any test fails. +export retval=0 + +# Wait until servers are up. 
This check is based on the presence of processes +# matching the PIDs in each servers PID files +count=0 +server_max_wait=15 +while [ $count -lt $server_max_wait ]; do + server_pids="" + for i in `(set -o posix; set)|grep 'SERVER_NAME_'|cut -d "=" -f 2`; do + server_pid=`cat "${i}.pid"` + server_pids="${server_pids} ${server_pid}" + done + + server_count=`echo ${server_pids}|wc -w` + servers_up=`ps -p $server_pids|sed '1d'|wc -l` + + echo "OpenVPN test servers up: ${servers_up}/${server_count}" + + if [ $servers_up -ge $server_count ]; then + retval=0 + break + else + ((count++)) + sleep 1 + fi + + if [ $count -eq $server_max_wait ]; then + retval=1 + fi +done + +# Wait a while to let server processes to settle down +sleep 1 + +# Launch OpenVPN clients. While at it, construct a list of test names. The list +# is used later to determine when all OpenVPN clients have exited and it is +# safe to check the test results. +test_names="" +for SUF in $TEST_RUN_LIST +do + eval test_name=\"\$TEST_NAME_$SUF\" + eval client_exec=\"\$CLIENT_EXEC_$SUF\" + eval client_conf=\"\$CLIENT_CONF_$SUF\" + + test_names="${test_names} ${test_name}" + launch_client "${test_name}" "${client_exec}" "${client_conf}" +done + +# Wait until all OpenVPN clients have exited +wait_for_results + +# Check test results +for SUF in $TEST_RUN_LIST +do + eval test_name=\"\$TEST_NAME_$SUF\" + eval should_pass=\"\$SHOULD_PASS_$SUF\" + + get_client_test_result "${test_name}" $should_pass +done + +exit $retval diff --git a/tests/t_server_null_default.rc b/tests/t_server_null_default.rc new file mode 100755 index 0000000..63b6bcd --- /dev/null +++ b/tests/t_server_null_default.rc 
@@ -0,0 +1,66 @@ +# Notes regarding --dev null server and client configurations: +# +# The t_server_null_server.sh exits when all client pid files have gone +# missing. That is the most reliable and fastest way to detect client +# disconnections in the "everything runs on localhost" context. Checking server +# status files for client connections works, but introduces long delays as +# --explicit-exit-notify does not seem to work on all client configurations. +# This means that, by default, there is about 1 minute delay before the server +# purges clients that have already exited and have not reported back. +# +srcdir="${srcdir:-.}" +top_builddir="${top_builddir:-..}" +sample_keys="${srcdir}/../sample/sample-keys" + +DH="${sample_keys}/dh2048.pem" +CA="${sample_keys}/ca.crt" +CLIENT_CERT="${sample_keys}/client.crt" +CLIENT_KEY="${sample_keys}/client.key" +SERVER_CERT="${sample_keys}/server.crt" +SERVER_KEY="${sample_keys}/server.key" +TA="${sample_keys}/ta.key" + +# Test server configurations +MAX_CLIENTS="10" +CLIENT_MATCH="Test-Client" +SERVER_EXEC="${top_builddir}/src/openvpn/openvpn" +SERVER_BASE_OPTS="--daemon --local 127.0.0.1 --dev tun --topology subnet --server 10.29.41.0 255.255.255.0 --max-clients $MAX_CLIENTS --persist-tun --verb 3" +SERVER_CIPHER_OPTS="" +SERVER_CERT_OPTS="--ca ${CA} --dh ${DH} --cert ${SERVER_CERT} --key ${SERVER_KEY} --tls-auth ${TA} 0" +SERVER_CONF_BASE="${SERVER_BASE_OPTS} ${SERVER_CIPHER_OPTS} ${SERVER_CERT_OPTS}" + +TEST_SERVER_LIST="1 2" + +SERVER_NAME_1="t_server_null_server-1194_udp" +SERVER_MGMT_PORT_1="11194" +SERVER_EXEC_1="${SERVER_EXEC}" +SERVER_CONF_1="${SERVER_CONF_BASE} --lport 1194 --proto udp --management 127.0.0.1 ${SERVER_MGMT_PORT_1}" + +SERVER_NAME_2="t_server_null_server-1195_tcp" +SERVER_MGMT_PORT_2="11195" +SERVER_EXEC_2="${SERVER_EXEC}" +SERVER_CONF_2="${SERVER_CONF_BASE} --lport 1195 --proto tcp --management 127.0.0.1 ${SERVER_MGMT_PORT_2}" + +# Test client configurations 
+CLIENT_EXEC="${top_builddir}/src/openvpn/openvpn" +CLIENT_BASE_OPTS="--client --dev null --ifconfig-noexec --nobind --remote-cert-tls server --persist-tun --verb 3 --resolv-retry infinite --connect-retry-max 3 --server-poll-timeout 5 --explicit-exit-notify 3 --script-security 2 --up ${srcdir}/null_client_up.sh" +CLIENT_CIPHER_OPTS="" +CLIENT_CERT_OPTS="--ca ${CA} --cert ${CLIENT_CERT} --key ${CLIENT_KEY} --tls-auth ${TA} 1" + +TEST_RUN_LIST="1 2 3" +CLIENT_CONF_BASE="${CLIENT_BASE_OPTS} ${CLIENT_CIPHER_OPTS} ${CLIENT_CERT_OPTS}" + +TEST_NAME_1="t_server_null_client.sh-openvpn_current_udp" +SHOULD_PASS_1="yes" +CLIENT_EXEC_1="${CLIENT_EXEC}" +CLIENT_CONF_1="${CLIENT_CONF_BASE} --remote 127.0.0.1 1194 udp --proto udp" + +TEST_NAME_2="t_server_null_client.sh-openvpn_current_tcp" +SHOULD_PASS_2="yes" +CLIENT_EXEC_2="${CLIENT_EXEC}" +CLIENT_CONF_2="${CLIENT_CONF_BASE} --remote 127.0.0.1 1195 tcp --proto tcp" + +TEST_NAME_3="t_server_null_client.sh-openvpn_current_udp_fail" +SHOULD_PASS_3="no" +CLIENT_EXEC_3="${CLIENT_EXEC}" +CLIENT_CONF_3="${CLIENT_CONF_BASE} --remote 127.0.0.1 11194 udp --proto udp" diff --git a/tests/t_server_null_server.sh b/tests/t_server_null_server.sh new file mode 100755 index 0000000..02ff728 --- /dev/null +++ b/tests/t_server_null_server.sh 
@@ -0,0 +1,80 @@ +#!/usr/bin/env bash + +launch_server() { + local server_name=$1 + local server_exec=$2 + local server_conf=$3 + local log="${server_name}.log" + local status="${server_name}.status" + local pid="${server_name}.pid" + + + # Ensure that old status, log and pid files are gone + rm -f "${status}" "${log}" "${pid}" + + "${server_exec}" \ + $server_conf \ + --status "${status}" 1 \ + --log "${log}" \ + --writepid "${pid}" \ + --explicit-exit-notify 3 + +} + +# Load base/default configuration +. "${srcdir}/t_server_null_default.rc" || exit 1 + +# Load local configuration, if any +test -r ./t_server_null.rc && . ./t_server_null.rc + +# Launch test servers +for SUF in $TEST_SERVER_LIST +do + eval server_name=\"\$SERVER_NAME_$SUF\" + eval server_exec=\"\$SERVER_EXEC_$SUF\" + eval server_conf=\"\$SERVER_CONF_$SUF\" + + launch_server "${server_name}" "${server_exec}" "${server_conf}" +done + +# Create a list of server pid files so that servers can be killed at the end of +# the test run. +# +export server_pid_files="" +for SUF in $TEST_SERVER_LIST +do + eval server_name=\"\$SERVER_NAME_$SUF\" + server_pid_files="${server_pid_files} ./${server_name}.pid" +done + +# Wait until clients are no more, based on the presence of their pid files. +# Based on practical testing we have to wait at least four seconds to avoid +# accidentally exiting too early. +count=0 +maxcount=4 +while [ $count -le $maxcount ]; do + ls t_server_null_client.sh*.pid > /dev/null 2>&1 + + if [ $? -eq 0 ]; then + count=0 + sleep 1 + else + ((count++)) + sleep 1 + fi +done + +echo "All clients have disconnected from all servers" + +for PID_FILE in $server_pid_files +do + SERVER_PID=`cat $PID_FILE` + $KILL_EXEC $SERVER_PID + + # Make sure that the server processes are truly dead before exiting + while : + do + ps -p $SERVER_PID > /dev/null || break + sleep 0.2 + done +done diff --git a/tests/t_server_null_stress.sh b/tests/t_server_null_stress.sh new file mode 100755 index 0000000..3dc17d9 
--- /dev/null +++ b/tests/t_server_null_stress.sh @@ -0,0 +1,32 @@ +#!/usr/bin/env bash +# +# Run this stress test as root to avoid sudo authorization from timing out. + +count=0 + +. ./t_server_null_default.rc + +export pid_files="" +for SUF in $TEST_SERVER_LIST +do + eval server_name=\"\$SERVER_NAME_$SUF\" + pid_files="${pid_files} ./${server_name}.pid" +done + +LOG_BASEDIR="make-check" +mkdir -p "${LOG_BASEDIR}" + +while [ $count -lt 100 ]; do + count=$(( count + 1 )) + make check TESTS=t_server_null.sh SUBDIRS= > /dev/null 2>&1 + retval=$? + + echo "Iteration ${count}: return value ${retval}" >> "${LOG_BASEDIR}/make-check.log" + if [ $retval -ne 0 ]; then + DIR="${LOG_BASEDIR}/make-check-${count}" + mkdir -p "${DIR}" + cp t_server_null*.log "${DIR}/" + cp test-suite.log "${DIR}/" + ps aux|grep openvpn|grep -vE '(suppress|grep)' > "${DIR}/psaux" + fi +done
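Review bot: In the .gitignore hunk, only the local config `tests/t_server_null.rc` is ignored, but the new scripts also write `t_server_null_server-*.log`, `.status` and `.pid`, `t_server_null_client.sh-*.log` and `.pid`, and a `make-check/` directory into the directory they run from (see `launch_server`, `launch_client` and `LOG_BASEDIR="make-check"`); for an in-tree build those land in `tests/` as untracked files. Unless an existing pattern outside this hunk already covers them, consider adding patterns such as `tests/t_server_null_*.log`, `tests/t_server_null_*.pid`, `tests/t_server_null_*.status` and `tests/make-check/`.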
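Review bot: In the doc/t_server_null.rst hunk, the configuration section refers three times to `tests/t_server_null_defaults.rc`, but the file this change adds and that both scripts source is `tests/t_server_null_default.rc` (no trailing `s`); please align the name. The "Technical implementation" section also states that the servers "are killed using their management interface", whereas `t_server_null_server.sh` kills them with `$KILL_EXEC $SERVER_PID` and nothing in the change connects to the management port, so either the text or the implementation should change. Smaller wording fixes for the same hunk: "primary targeted" should be "primarily targeted", "Any other OpenVPN versions that is present" should be "Any other OpenVPN version that is present", "Support testing for success as well as failure" should be "Supports testing ...", and "it exists only after waiting a few seconds" should be "it exits only after waiting a few seconds".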
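Review bot: In the third tests/Makefile.am hunk (`@@ -34,8 +35,14 @@`), the `dist_noinst_SCRIPTS` additions leave out `null_client_up.sh`, which the default configuration passes to every client via `--up ${srcdir}/null_client_up.sh`, and also `t_server_null_stress.sh`; `t_server_null.rc-sample` is likewise missing from `dist_noinst_DATA` next to `t_client.rc-sample`. A distributed tarball would therefore carry a test that cannot run its clients. The new dependency line `t_client.log: t_server_null.log` also deserves a one-line comment in the Makefile stating why the order matters; the rationale currently lives only at the bottom of `t_server_null.sh` ("t_client.sh will fail because pre and post ifconfig output does not match") and is not obvious to someone reading the Makefile.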
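Review bot: In the tests/null_client_up.sh hunk, `MY_PPID=`cat $pid`` uses the `pid` environment variable unquoted and unchecked. The variable only exists because `t_server_null_client.sh` passes `--setenv pid $pid`; if the script is ever run by OpenVPN without it, `cat` reads from stdin and `kill -15` is invoked with an empty argument. Suggest `MY_PPID=$(cat "${pid:?pid file path not set}")` (or an explicit `[ -n "$pid" ] || exit 1`) so the failure is visible rather than silent, and quoting `"$MY_PPID"` in the `kill` call.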
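Review bot: In the tests/t_server_null.sh hunk, the check `export KILL_EXEC=`which kill`` followed by `if [ $? -ne 0 ]` never fires: `$?` after an `export VAR=...` assignment is the exit status of `export` (0), not of `which`. Split it into `KILL_EXEC=`which kill`` / `if [ $? -ne 0 ]` and export afterwards (the same pattern is worth checking in t_client.sh, where this block appears to originate). Related: `srcdir="${srcdir:-.}"` is set but not exported before `$RUN_SUDO "${srcdir}/t_server_null_server.sh" &`, and the server script sources `"${srcdir}/t_server_null_default.rc"`, so unless the caller already exports `srcdir` (as `make check` does) the privileged child sees an empty `srcdir` and exits with status 1; an `export srcdir` fixes that. Cosmetics in the same hunk: the error message `"$0: cannot find './t_server_null.rc. SKIPPING TEST.'"` has the closing quote after the wrong word, "this test must run be as root" should read "must be run as root", and the comment "make sure we have permissions to run ifconfig/route from OpenVPN" was copied from t_client.sh; here the root requirement is for launching the `--dev tun` servers.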
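Review bot: In the tests/t_server_null_client.sh hunk, `get_client_test_result` handles only grep exit codes 0 and 1; grep returns 2 when the log file cannot be read, which is exactly what happens when `CLIENT_EXEC_N` does not exist (e.g. the `/usr/sbin/openvpn` entries in the sample rc) and the client never wrote `${test_name}.log`. In that case no branch matches, nothing is printed and `retval` stays 0, so a client that never started counts as a pass. Add an `else` branch that prints `FAIL ${test_name} (no log file)` and sets `retval=1`. Two further points in the same hunk: after the server wait loop times out, `retval=1` is set but the script still launches all clients instead of exiting, which makes a server start failure look like a batch of client failures; and the server PID discovery via `(set -o posix; set)|grep 'SERVER_NAME_'|cut -d "=" -f 2` is fragile (it matches any variable whose value contains `SERVER_NAME_` and reads pid files before they exist, spilling `cat` errors), while `t_server_null_server.sh` already shows the cleaner pattern of iterating `TEST_SERVER_LIST` with `eval server_name=\"\$SERVER_NAME_$SUF\"`.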
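Review bot: In the tests/t_server_null_default.rc hunk, `SERVER_CONF_1` and `SERVER_CONF_2` enable `--management 127.0.0.1 ${SERVER_MGMT_PORT_N}` without the optional password-file argument, so each root-owned test server exposes an unauthenticated management socket on localhost that any local user can connect to; since nothing in this change actually talks to the management interface (the servers are stopped with `kill`), the simplest fix is to drop the `--management` options and the `SERVER_MGMT_PORT_*` variables, or, if they are kept for the documented management-based shutdown, add the password-file argument. Also, `CLIENT_CONF_3` (the expected-failure test) points at UDP port 11194, the same number as server 1's TCP management port; choosing a port number that appears nowhere else in the file makes the "nothing is listening here" intent obvious. Minor: the file is added with mode 100755 although it is only ever sourced.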
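Review bot: In the tests/t_server_null_server.sh hunk, the shutdown loop runs `$KILL_EXEC $SERVER_PID` but the script never sets `KILL_EXEC` itself; it relies on the value exported by `t_server_null.sh` surviving the privilege escalation (`sudo -E`, `ksu -e`). With a `RUN_SUDO` that does not preserve the environment, `$KILL_EXEC` expands to nothing, the line tries to execute the PID as a command, and the root-owned servers are left running, which is the "leftover OpenVPN server processes" symptom the documentation mentions. Add `KILL_EXEC="${KILL_EXEC:-kill}"` near the top. Second point: the client wait loop polls `ls t_server_null_client.sh*.pid`, which silently couples server shutdown to the `TEST_NAME_*` values starting with `t_server_null_client.sh`; a local rc that names a test differently makes the servers exit after `maxcount` seconds while that client is still connecting. Either build the client pid-file list from `TEST_RUN_LIST` the same way `server_pid_files` is built from `TEST_SERVER_LIST`, or state the naming requirement in doc/t_server_null.rst.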
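Review bot: In the tests/t_server_null_stress.sh hunk, `pid_files` is built from `TEST_SERVER_LIST` (and exported) but never used afterwards. Either remove the block, or use it for what the documentation describes as the failure symptom worth catching: after each `make check` iteration, check whether any of those pid files still exists (or whether `ps -p` on their contents still succeeds) and record a leftover-server failure for that iteration alongside the copied logs. Note also that the script sources only `t_server_null_default.rc`, so servers added in a local `t_server_null.rc` would be missing from that list.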