Merge branch 'master' into dependabot/bundler/healthcheck/sinatra-4.0.0

GovWifi · Feb 9, 2024 · 5e8c4f0 · 5e8c4f0
2 parents e5c6a39 + 06a10c7
commit 5e8c4f0
Show file tree

Hide file tree

Showing 12 changed files with 80 additions and 106 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -8,7 +8,7 @@ RUN apk --update --no-cache add wpa_supplicant openssl make gcc libc-dev curl ta
 RUN wget https://github.com/FreeRADIUS/freeradius-server/releases/download/release_3_2_2/freeradius-server-3.2.2.tar.gz \
     && tar xzvf freeradius-server-3.2.2.tar.gz \
     && cd freeradius-server-3.2.2 \
-    && ./configure --sysconfdir=/etc \
+    && ./configure CPPFLAGS=-DX509_V_FLAG_PARTIAL_CHAIN=1 --sysconfdir=/etc \
     && make \
     && make install
 RUN rm -rf ./freeradius-server-3.2.2

diff --git a/Makefile b/Makefile
@@ -52,9 +52,7 @@ copy_certs:
 
 	mkdir -p $(TRUSTED_CERTIFICATES_PATH)
 
-	# cp $(CERTIFICATE_PATH)/separate_intermediate_ca.pem $(TRUSTED_CERTIFICATES_PATH)/separate_intermediate_ca.pem
 	cp $(CERTIFICATE_PATH)/intermediate_ca.pem $(TRUSTED_CERTIFICATES_PATH)/intermediate_ca.pem
-	cp $(CERTIFICATE_PATH)/root_ca.pem $(TRUSTED_CERTIFICATES_PATH)/root_ca.pem
 
 rehash_certs:
 	c_rehash $(TRUSTED_CERTIFICATES_PATH)

diff --git a/api-stubs/app.rb b/api-stubs/app.rb
@@ -17,11 +17,15 @@ class ApiStub < Sinatra::Base
     set :port, 80
   end
 
-  get "/authorize/user/*" do
-    line = AuthLine.create(line: request.path_info)
-    puts "** #{line.to_hash}"
-    content_type :json
-    { "control:Cleartext-Password": ENV["HEALTH_CHECK_PASSWORD"] }.to_json
+  get "/authorize/user/:name/*" do
+    if params["name"] == ENV["HEALTH_CHECK_IDENTITY"]
+      line = AuthLine.create(line: request.path_info)
+      puts "** #{line.to_hash}"
+      content_type :json
+      { "control:Cleartext-Password": ENV["HEALTH_CHECK_PASSWORD"] }.to_json
+    else
+      status 404
+    end
   end
 
   post "/logging/post-auth" do

diff --git a/api-stubs/spec/api-stubs_spec.rb b/api-stubs/spec/api-stubs_spec.rb
@@ -1,28 +1,39 @@
 require 'spec_helper'
 
-
 RSpec.describe ApiStub do
   describe "stubs" do
     describe "/authorize/user/:name" do
-      let(:url) { "/authorize/user/abc/def/ghi/jkl/mno" }
-      it "returns ok" do
-        get url
-        expect(last_response).to be_ok
-      end
-      it "logs the url" do
-        get url
-        expect(DB_AUTH[:lines].find(line: url)).to_not be_nil
-      end
-      it "adds one log line" do
-        expect {
+      describe "wrong username" do
+        let(:url) { "/authorize/user/wrong/abc/def" }
+        it "returns 404" do
           get url
-        }.to change(DB_AUTH[:lines], :count).by(1)
+          expect(last_response).to_not be_ok
+        end
+        it "does not adds one log line" do
+          expect {
+            get url
+          }.to_not change(DB_AUTH[:lines], :count)
+        end
       end
-      it "returns the password" do
-        allow(ENV).to receive(:[]).with('HEALTH_CHECK_PASSWORD')
-                                  .and_return('TeaCoffee')
-        get url
-        expect(last_response.body).to eq({ "control:Cleartext-Password": "TeaCoffee" }.to_json)
+      describe "correct username" do
+        let(:url) { "/authorize/user/#{ENV["HEALTH_CHECK_IDENTITY"]}/abc/def" }
+        it "returns ok" do
+          get url
+          expect(last_response).to be_ok
+        end
+        it "logs the url" do
+          get url
+          expect(DB_AUTH[:lines].find(line: url)).to_not be_nil
+        end
+        it "adds one log line" do
+          expect {
+            get url
+          }.to change(DB_AUTH[:lines], :count).by(1)
+        end
+        it "returns the password" do
+          get url
+          expect(last_response.body).to eq({ "control:Cleartext-Password": ENV["HEALTH_CHECK_PASSWORD"] }.to_json)
+        end
       end
     end
 

diff --git a/radius/mods-enabled/eap b/radius/mods-enabled/eap
@@ -21,11 +21,6 @@
 				max_entries = 255
 			}
 
-			verify {
-				tmpdir = /tmp/radiusd
-				client = "/usr/bin/openssl verify -CApath ${certdir}/trusted_certificates %{TLS-Client-Cert-Filename}"
-			}
-
 			ocsp {
 				enable = no
 				override_cert_url = yes

diff --git a/scripts/run-tests.sh b/scripts/run-tests.sh
@@ -6,19 +6,25 @@ source /usr/bin/db_utils.sh
 source /usr/bin/vars.sh
 
 (
-  cd /api-stubs
+  delete_databases
   export AUTH_DB="/tmp/auth_test.db"
   export LOGGING_DB="/tmp/logging_test.db"
   create_databases
+  cd /api-stubs
   bundle exec rspec
-  delete_databases
 )
 
+retVal=$?
+
+if [ $retVal -ne 0 ]; then
+  exit $retVal
+fi
+
 (
-  cd /api-stubs
   export AUTH_DB="/tmp/auth.db"
   export LOGGING_DB="/tmp/logging.db"
   create_databases
+  cd /api-stubs
   bundle exec rackup -o 0.0.0.0 -p 80 &
 )
 

diff --git a/test-app/Gemfile b/test-app/Gemfile
@@ -3,6 +3,7 @@
 source "http://rubygems.org"
 ruby File.read(".ruby-version").chomp
 
+gem "govwifi_eapoltest", "~> 0.2.0"
 gem "puma"
 gem "sqlite3", force_ruby_platform: true
 gem "sequel"

diff --git a/test-app/spec/_spec_helper.rb b/test-app/spec/_spec_helper.rb
@@ -1,5 +1,3 @@
-require "eapol_test_helper"
-
 # This file was generated by the `rspec --init` command. Conventionally, all
 # specs live under a `spec` directory, which RSpec adds to the `$LOAD_PATH`.
 # The generated `.rspec` file contains `--require spec_helper` which will cause
@@ -28,7 +26,6 @@
     AuthLine.truncate
   end
 
-  config.include EapolTestHelper
   # rspec-expectations config goes here. You can use an alternate
   # assertion/expectation library such as wrong or the stdlib/minitest
   # assertions if you prefer.

diff --git a/test-app/spec/auth_spec.rb b/test-app/spec/auth_spec.rb
@@ -2,8 +2,7 @@
 require "json"
 require 'sequel'
 require 'sqlite3'
-require "commands"
-require "eapol_test_helper"
+require "govwifi_eapoltest"
 require "_spec_helper"
 
 RSpec.shared_examples "it rejects authentication attempt" do |command|
@@ -17,34 +16,36 @@
 end
 
 RSpec.describe 'test' do
+  PAP_CMD = "radtest testing password localhost 0 testing123"
+  CHAP_CMD = "radtest -t chap testing password localhost 0 testing123"
+  MSCHAP_CMD = "radtest -t mschap testing password localhost 0 testing123"
+
   it_behaves_like "it rejects authentication attempt", PAP_CMD
   it_behaves_like "it rejects authentication attempt", CHAP_CMD
   it_behaves_like "it rejects authentication attempt", MSCHAP_CMD
 
+  let(:eapol_test) { GovwifiEapoltest.new(radius_ips: ["127.0.0.1"], secret: "testing123") }
+  let(:username) { ENV.fetch("HEALTH_CHECK_IDENTITY") }
+  let(:password) { ENV.fetch("HEALTH_CHECK_PASSWORD") }
+
   it "rejects authentication with the wrong password" do
-    output = run_eapol(PEAP_MSCHAPv2_CONFIG_PATH,
-                       username: ENV.fetch("HEALTH_CHECK_IDENTITY"),
-                       password: "wrong_password")
-    expect(output).to include("FAILURE")
+    expect(eapol_test.run_peap_mschapv2(username:, password: "wrong_password")
+    ).to all have_failed
   end
 
   it "rejects authentication with the wrong username" do
-    output = run_eapol(PEAP_MSCHAPv2_CONFIG_PATH,
-                       username: "wrong_username",
-                       password: ENV.fetch("HEALTH_CHECK_PASSWORD"))
-    expect(output).to include("FAILURE")
+    expect(eapol_test.run_peap_mschapv2(username: "wrong", password:)
+    ).to all have_failed
   end
 
   it "authenticates successfully with the correct username and password" do
-    output = run_eapol(PEAP_MSCHAPv2_CONFIG_PATH,
-                       username: ENV.fetch("HEALTH_CHECK_IDENTITY"),
-                       password: ENV.fetch("HEALTH_CHECK_PASSWORD"))
-    expect(output).to include("SUCCESS")
+    expect(eapol_test.run_peap_mschapv2(username:, password:)
+    ).to all have_been_successful
   end
 
   it "logs a successful authentication attempt" do
     expect {
-      run_eapol(PEAP_MSCHAPv2_CONFIG_PATH)
+      eapol_test.run_peap_mschapv2(username:, password:)
     }.to change { LoggingLine.all.count }.by(1)
   end
 

diff --git a/test-app/spec/commands.rb b/test-app/spec/commands.rb
diff --git a/test-app/spec/eap_tls_spec.rb b/test-app/spec/eap_tls_spec.rb
@@ -2,40 +2,32 @@
 require "json"
 require 'sequel'
 require 'sqlite3'
-require "commands"
 require "_spec_helper"
 
-RSpec.describe 'test' do
+RSpec.describe 'EAP-TLS' do
+  let(:eapol_test) { GovwifiEapoltest.new(radius_ips: ["127.0.0.1"], secret: "testing123") }
+  let(:server_cert_path) { "/etc/raddb/certs/ca.pem" }
   it "accepts authentication with a valid certificate" do
-    output = run_eapol(EAP_TLS_CONFIG_PATH,
-                       client_cert_path: "/certificates/client.pem",
-                       client_key_path: "/certificates/client.key",
-                       server_cert_path: "/etc/raddb/certs/ca.pem")
-    expect(output).to include("SUCCESS")
+    expect(eapol_test.run_eap_tls(client_cert_path: "/certificates/client.pem",
+                                  client_key_path: "/certificates/client.key",
+                                  server_cert_path:)).to all have_been_successful
   end
 
   it "rejects authentication with an invalid key" do
-    output = run_eapol(EAP_TLS_CONFIG_PATH,
-                       client_cert_path: "/certificates/client.pem",
-                       client_key_path: "/certificates/root_ca.key",
-                       server_cert_path: "/etc/raddb/certs/ca.pem")
-    expect(output).to include("FAILURE")
+    expect(eapol_test.run_eap_tls(client_cert_path: "/certificates/client.pem",
+                                  client_key_path: "/certificates/root_ca.key",
+                                  server_cert_path:)).to all have_failed
   end
 
-
   it "rejects authentication with a chained certificate whose intermediate is not in the trusted certificate directory" do
-    output = run_eapol(EAP_TLS_CONFIG_PATH,
-                       client_cert_path: "/certificates/alt_combined_client.pem",
-                       client_key_path: "/certificates/alt_client.key",
-                       server_cert_path: "/etc/raddb/certs/ca.pem")
-    expect(output).to include("FAILURE")
+    expect(eapol_test.run_eap_tls(client_cert_path: "/certificates/alt_combined_client.pem",
+                                  client_key_path: "/certificates/alt_client.key",
+                                  server_cert_path:)).to all have_failed
   end
 
   it "accepts authentication with a valid chained certificate" do
-    output = run_eapol(EAP_TLS_CONFIG_PATH,
-                       client_cert_path: "/certificates/combined_client.pem",
-                       client_key_path: "/certificates/client.key",
-                       server_cert_path: "/etc/raddb/certs/ca.pem")
-    expect(output).to include("SUCCESS")
+    expect(eapol_test.run_eap_tls(client_cert_path: "/certificates/combined_client.pem",
+                                  client_key_path: "/certificates/client.key",
+                                  server_cert_path:)).to all have_been_successful
   end
 end
diff --git a/test-app/spec/eapol_test_helper.rb b/test-app/spec/eapol_test_helper.rb