Chromium Code Reviews Chromium Code Reviews
Issue 6765030:
Add automated StrongSwan test (Closed)
Base URL: ssh://gitrw.chromium.org:9222/autotest.git@master| OLD | NEW |
|---|---|
| 1 # Copyright (c) 2011 The Chromium OS Authors. All rights reserved. | 1 # Copyright (c) 2011 The Chromium OS Authors. All rights reserved. |
| 2 # Use of this source code is governed by a BSD-style license that can be | 2 # Use of this source code is governed by a BSD-style license that can be |
| 3 # found in the LICENSE file. | 3 # found in the LICENSE file. |
| 4 | 4 |
| 5 import logging, re, time | 5 import logging, re, time |
| 6 from autotest_lib.client.common_lib import error | 6 from autotest_lib.client.common_lib import error |
| 7 | 7 |
| 8 class LinuxServer(object): | 8 class LinuxServer(object): |
| 9 """ | 9 """ |
| 10 Linux Server: A machine which hosts network services. | 10 Linux Server: A machine which hosts network services. |
| 11 | 11 |
| 12 """ | 12 """ |
| 13 | 13 |
| 14 def __init__(self, server, params): | 14 def __init__(self, server, wifi_ip): |
| 15 self.server = server # Server host. | 15 self.server = server # Server host. |
| 16 self.vpn_kind = None | 16 self.vpn_kind = None |
| 17 self.conf = {} | 17 self.wifi_ip = wifi_ip |
| 18 self.openvpn_config = {} | |
| 18 | 19 |
| 19 def vpn_server_config(self, params): | 20 def vpn_server_config(self, params): |
| 20 """ Configure & launch the server side of the VPN. | 21 """ Configure & launch the server side of the VPN. |
| 21 | 22 |
| 22 Parameters, in 'params': | 23 Parameters, in 'params': |
| 23 | 24 |
| 24 kind : required | 25 kind : required |
| 25 | 26 |
| 26 The kind of VPN which should be configured and | 27 The kind of VPN which should be configured and |
| 27 launched. | 28 launched. |
| 28 | 29 |
| 29 Valid values: | 30 Valid values: |
| 30 | 31 |
| 31 openvpn | 32 openvpn |
| 33 l2tpipsec (StrongSwan PSK or certificates) | |
| 32 | 34 |
| 33 config: required | 35 config: required |
| 34 | 36 |
| 35 The configuration information associated with | 37 The configuration information associated with |
| 36 the VPN server. | 38 the VPN server. |
| 37 | 39 |
| 38 This is a dict which contains key/value pairs | 40 This is a dict which contains key/value pairs |
| 39 representing the VPN's configuration. | 41 representing the VPN's configuration. |
| 40 | 42 |
| 41 The values stored in the 'config' param must all be | 43 The values stored in the 'config' param must all be |
| 42 supported by the specified VPN kind. | 44 supported by the specified VPN kind. |
| 43 """ | 45 """ |
| 44 self.vpn_server_kill({}) # Must be first. Relies on self.vpn_kind. | 46 self.vpn_server_kill({}) # Must be first. Relies on self.vpn_kind. |
| 45 | |
| 46 self.vpn_kind = params.get('kind', None) | 47 self.vpn_kind = params.get('kind', None) |
| 47 | 48 |
| 48 # Read configuration information & create server configuration file. | |
| 49 # | |
| 50 # As VPN kinds other than 'openvpn' are supported, and | |
| 51 # since 'self.conf' is cummulative, perhaps there should be | |
| 52 # a method which will clear 'self.conf'; different types of | |
| 53 # VPN will likely not have the same configuration | |
| 54 # parameters. This is only really needed if a test is | |
| 55 # written to switch between two differents kinds of VPN. | |
| 56 for k, v in params.get('config', {}).iteritems(): | |
| 57 self.conf[k] = v | |
| 58 self.server.run("cat <<EOF >%s\n%s\nEOF\n" % | |
| 59 ('/tmp/vpn-server.conf', '\n'.join( | |
| 60 "%s %s" % kv for kv in self.conf.iteritems()))) | |
| 61 | |
| 62 # Launch specified VPN server. | 49 # Launch specified VPN server. |
| 63 if self.vpn_kind is None: | 50 if self.vpn_kind is None: |
| 64 raise error.TestFail('No VPN kind specified for this test.'); | 51 raise error.TestFail('No VPN kind specified for this test.') |
| 65 elif self.vpn_kind == 'openvpn': | 52 elif self.vpn_kind == 'openvpn': |
| 66 self.server.run("/usr/sbin/openvpn --config /tmp/vpn-server.conf &") | 53 # Read config information & create server configuration file. |
| 54 for k, v in params.get('config', {}).iteritems(): | |
| 55 self.openvpn_config[k] = v | |
| 56 self.server.run("cat <<EOF >/tmp/vpn-server.conf\n%s\nEOF\n" % | |
| 57 ('\n'.join( "%s %s" % kv for kv in | |
| 58 self.openvpn_config.iteritems()))) | |
| 59 self.server.run("/usr/sbin/openvpn " | |
| 60 "--config /tmp/vpn-server.conf &") | |
| 61 elif self.vpn_kind == 'l2tpipsec': # aka 'strongswan' | |
| 62 | |
| 63 configs = { "/etc/ipsec.conf" : | |
| 64 "config setup\n" | |
| 65 " charonstart=no\n" | |
| 66 " plutostart=yes\n" | |
| 67 " plutodebug=%(@plutodebug@)s\n" | |
| 68 "conn L2TP\n" | |
| 69 " keyexchange=ikev1\n" | |
| 70 " authby=psk\n" | |
| 71 " pfs=no\n" | |
| 72 " rekey=no\n" | |
| 73 " left=%(@local-listen-ip@)s\n" | |
|
kmixter1
2011/04/05 21:51:33
I assume this is the IP that the wired interface i
| |
| 74 " leftprotoport=17/1701\n" | |
| 75 " right=%%any\n" | |
| 76 " rightprotoport=17/%%any\n" | |
| 77 " auto=add\n", | |
| 78 | |
| 79 "/etc/ipsec.secrets" : | |
| 80 "%(@ipsec-secrets@)s %%any : PSK \"password\"", | |
| 81 | |
| 82 "/etc/xl2tpd/xl2tpd.conf" : | |
| 83 "[global]\n" | |
| 84 "\n" | |
| 85 "[lns default]\n" | |
| 86 " ip range = 192.168.1.128-192.168.1.254\n" | |
|
kmixter1
2011/04/05 21:51:33
Is it ok to assume these addresses and the local i
| |
| 87 " local ip = 192.168.1.99\n" | |
| 88 " require chap = yes\n" | |
| 89 " refuse pap = yes\n" | |
| 90 " require authentication = yes\n" | |
| 91 " name = LinuxVPNserver\n" | |
| 92 " ppp debug = yes\n" | |
| 93 " pppoptfile = /etc/ppp/options.xl2tpd\n" | |
| 94 " length bit = yes\n", | |
| 95 | |
| 96 # XXX: or /etc/xl2tpd/xl2tp-secrets? | |
|
kmixter1
2011/04/05 21:51:33
remove?
kmixter1
2011/04/07 07:07:23
In my build of xl2tpd it uses l2tp-secrets.
| |
| 97 "/etc/xl2tpd/xl2tp-secrets" : | |
| 98 "* them l2tp-secret", | |
| 99 | |
| 100 # XXX: or /etc/xl2tpd/l2tp-secrets? | |
|
kmixter1
2011/04/05 21:51:33
remove?
| |
| 101 "/etc/xl2tpd/l2tp-secrets" : | |
| 102 "* them l2tp-secret", | |
| 103 | |
| 104 "/etc/ppp/chap-secrets" : | |
| 105 "chapuser * chapsecret *", | |
| 106 | |
| 107 "/etc/ppp/options.xl2tpd" : | |
| 108 "ipcp-accept-local\n" | |
| 109 "ipcp-accept-remote\n" | |
| 110 "ms-dns 192.168.1.1\n" | |
|
kmixter1
2011/04/05 21:51:33
Please remove these ms-dns and ms-wins lines since
| |
| 111 "ms-dns 192.168.1.3\n" | |
| 112 "ms-wins 192.168.1.2\n" | |
| 113 "ms-wins 192.168.1.4\n" | |
| 114 "noccp\n" | |
| 115 "auth\n" | |
| 116 "crtscts\n" | |
| 117 "idle 1800\n" | |
| 118 "mtu 1410\n" | |
| 119 "mru 1410\n" | |
| 120 "nodefaultroute\n" | |
| 121 "debug\n" | |
| 122 "lock\n" | |
| 123 "proxyarp\n" | |
| 124 "connect-delay 5000\n" | |
| 125 } | |
| 126 | |
| 127 replacements = params.get("replacements", {}) | |
| 128 if False: | |
| 129 # Using Wifi does not work, yet. | |
| 130 replacements["@local-listen-ip@"] = self.wifi_ip | |
| 131 replacements["@ipsec-secrets@"] = self.wifi_ip | |
| 132 else: | |
| 133 # Works, but does not use WiFi. | |
| 134 replacements["@local-listen-ip@"] = self.server.ip | |
| 135 replacements["@ipsec-secrets@"] = self.server.ip | |
| 136 | |
| 137 for cfg, template in configs.iteritems(): | |
| 138 contents = template % (replacements) | |
| 139 self.server.run("cat <<EOF >%s\n%s\nEOF\n" % (cfg, contents)) | |
| 140 | |
| 141 self.server.run("/usr/sbin/ipsec start") | |
| 142 | |
| 143 # Restart xl2tpd to ensure use of newly-created config files. | |
| 144 self.server.run("sh /etc/init.d/xl2tpd restart") | |
| 67 else: | 145 else: |
| 68 raise error.TestFail('(internal error): No config case ' | 146 raise error.TestFail('(internal error): No config case ' |
| 69 'for VPN kind (%s)' % self.vpn_kind) | 147 'for VPN kind (%s)' % self.vpn_kind) |
| 70 | 148 |
| 71 def vpn_server_kill(self, params): | 149 def vpn_server_kill(self, params): |
| 72 """ Kill the VPN server. """ | 150 """ Kill the VPN server. """ |
| 73 if self.vpn_kind is not None: | 151 if self.vpn_kind is not None: |
| 74 if self.vpn_kind == 'openvpn': | 152 if self.vpn_kind == 'openvpn': |
| 75 self.server.run("pkill /usr/sbin/openvpn") | 153 self.server.run("pkill /usr/sbin/openvpn") |
| 154 elif self.vpn_kind == 'l2tpipsec': # aka 'strongswan' | |
|
kmixter1
2011/04/05 21:51:33
again, strongswan != l2tpipsec. strongswan == ips
| |
| 155 self.server.run("/usr/sbin/ipsec stop") | |
| 76 else: | 156 else: |
| 77 raise error.TestFail('(internal error): No kill case ' | 157 raise error.TestFail('(internal error): No kill case ' |
| 78 'for VPN kind (%s)' % self.vpn_kind) | 158 'for VPN kind (%s)' % self.vpn_kind) |
| 79 self.vpn_kind = None; | 159 self.vpn_kind = None |
| OLD | NEW |
