From 3cb0b5f1e182b58d7611d064d7b674b05b5729a1 Mon Sep 17 00:00:00 2001 From: Fabien COMBERNOUS Date: Tue, 23 Oct 2018 23:46:06 +0200 Subject: [PATCH] tests real vpn client/server setup --- .travis.yml | 42 +++---- README.md | 15 +-- spec/acceptance/01_openvpn_server_spec.rb | 60 ---------- spec/acceptance/02_openvpn_client.rb | 51 --------- spec/acceptance/openvpn_spec.rb | 127 ++++++++++++++++++++++ spec/spec_helper_acceptance.rb | 30 ++++- 6 files changed, 179 insertions(+), 146 deletions(-) delete mode 100644 spec/acceptance/01_openvpn_server_spec.rb delete mode 100644 spec/acceptance/02_openvpn_client.rb create mode 100644 spec/acceptance/openvpn_spec.rb diff --git a/.travis.yml b/.travis.yml index 3566dc8f..7461249d 100644 --- a/.travis.yml +++ b/.travis.yml 
@@ -28,127 +28,127 @@ matrix: - rvm: 2.5.1 bundler_args: --without development release dist: trusty - env: PUPPET_INSTALL_TYPE=agent BEAKER_IS_PE=no BEAKER_PUPPET_COLLECTION=puppet5 BEAKER_debug=true BEAKER_setfile=ubuntu1804-64{hypervisor=docker} CHECK=beaker + env: PUPPET_INSTALL_TYPE=agent BEAKER_IS_PE=no BEAKER_PUPPET_COLLECTION=puppet5 BEAKER_debug=true BEAKER_setfile=ubuntu1804-64vpnserver.ma{hypervisor=docker\,hostname=vpnserver}-ubuntu1804-64vpnclienta.a{hypervisor=docker\,hostname=vpnclienta} CHECK=beaker services: docker sudo: required - rvm: 2.5.1 bundler_args: --without development release dist: trusty - env: PUPPET_INSTALL_TYPE=agent BEAKER_IS_PE=no BEAKER_PUPPET_COLLECTION=puppet6 BEAKER_debug=true BEAKER_setfile=ubuntu1804-64{hypervisor=docker} CHECK=beaker + env: PUPPET_INSTALL_TYPE=agent BEAKER_IS_PE=no BEAKER_PUPPET_COLLECTION=puppet6 BEAKER_debug=true BEAKER_setfile=ubuntu1804-64vpnserver.ma{hypervisor=docker\,hostname=vpnserver}-ubuntu1804-64vpnclienta.a{hypervisor=docker\,hostname=vpnclienta} CHECK=beaker services: docker sudo: required - rvm: 2.5.1 bundler_args: --without development release dist: trusty - env: PUPPET_INSTALL_TYPE=agent BEAKER_IS_PE=no BEAKER_PUPPET_COLLECTION=puppet6-nightly BEAKER_debug=true BEAKER_setfile=ubuntu1804-64{hypervisor=docker} CHECK=beaker + env: PUPPET_INSTALL_TYPE=agent BEAKER_IS_PE=no BEAKER_PUPPET_COLLECTION=puppet6-nightly BEAKER_debug=true BEAKER_setfile=ubuntu1804-64vpnserver.ma{hypervisor=docker\,hostname=vpnserver}-ubuntu1804-64vpnclienta.a{hypervisor=docker\,hostname=vpnclienta} CHECK=beaker services: docker sudo: required - rvm: 2.5.1 bundler_args: --without development release dist: trusty - env: PUPPET_INSTALL_TYPE=agent BEAKER_IS_PE=no BEAKER_PUPPET_COLLECTION=puppet5 BEAKER_debug=true BEAKER_setfile=ubuntu1604-64{hypervisor=docker} CHECK=beaker + env: PUPPET_INSTALL_TYPE=agent BEAKER_IS_PE=no BEAKER_PUPPET_COLLECTION=puppet5 BEAKER_debug=true 
BEAKER_setfile=ubuntu1604-64vpnserver.ma{hypervisor=docker\,hostname=vpnserver}-ubuntu1604-64vpnclienta.a{hypervisor=docker\,hostname=vpnclienta} CHECK=beaker services: docker sudo: required - rvm: 2.5.1 bundler_args: --without development release dist: trusty - env: PUPPET_INSTALL_TYPE=agent BEAKER_IS_PE=no BEAKER_PUPPET_COLLECTION=puppet6 BEAKER_debug=true BEAKER_setfile=ubuntu1604-64{hypervisor=docker} CHECK=beaker + env: PUPPET_INSTALL_TYPE=agent BEAKER_IS_PE=no BEAKER_PUPPET_COLLECTION=puppet6 BEAKER_debug=true BEAKER_setfile=ubuntu1604-64vpnserver.ma{hypervisor=docker\,hostname=vpnserver}-ubuntu1604-64vpnclienta.a{hypervisor=docker\,hostname=vpnclienta} CHECK=beaker services: docker sudo: required - rvm: 2.5.1 bundler_args: --without development release dist: trusty - env: PUPPET_INSTALL_TYPE=agent BEAKER_IS_PE=no BEAKER_PUPPET_COLLECTION=puppet6-nightly BEAKER_debug=true BEAKER_setfile=ubuntu1604-64{hypervisor=docker} CHECK=beaker + env: PUPPET_INSTALL_TYPE=agent BEAKER_IS_PE=no BEAKER_PUPPET_COLLECTION=puppet6-nightly BEAKER_debug=true BEAKER_setfile=ubuntu1604-64vpnserver.ma{hypervisor=docker\,hostname=vpnserver}-ubuntu1604-64vpnclienta.a{hypervisor=docker\,hostname=vpnclienta} CHECK=beaker services: docker sudo: required - rvm: 2.5.1 bundler_args: --without development release dist: trusty - env: PUPPET_INSTALL_TYPE=agent BEAKER_IS_PE=no BEAKER_PUPPET_COLLECTION=puppet5 BEAKER_debug=true BEAKER_setfile=ubuntu1404-64{hypervisor=docker} CHECK=beaker + env: PUPPET_INSTALL_TYPE=agent BEAKER_IS_PE=no BEAKER_PUPPET_COLLECTION=puppet5 BEAKER_debug=true BEAKER_setfile=ubuntu1404-64vpnserver.ma{hypervisor=docker\,hostname=vpnserver}-ubuntu1604-64vpnclienta.a{hypervisor=docker\,hostname=vpnclienta} CHECK=beaker services: docker sudo: required - rvm: 2.5.1 bundler_args: --without development release dist: trusty - env: PUPPET_INSTALL_TYPE=agent BEAKER_IS_PE=no BEAKER_PUPPET_COLLECTION=puppet6 BEAKER_debug=true BEAKER_setfile=ubuntu1404-64{hypervisor=docker} 
CHECK=beaker + env: PUPPET_INSTALL_TYPE=agent BEAKER_IS_PE=no BEAKER_PUPPET_COLLECTION=puppet6 BEAKER_debug=true BEAKER_setfile=ubuntu1404-64vpnserver.ma{hypervisor=docker\,hostname=vpnserver}-ubuntu1604-64vpnclienta.a{hypervisor=docker\,hostname=vpnclienta} CHECK=beaker services: docker sudo: required - rvm: 2.5.1 bundler_args: --without development release dist: trusty - env: PUPPET_INSTALL_TYPE=agent BEAKER_IS_PE=no BEAKER_PUPPET_COLLECTION=puppet6-nightly BEAKER_debug=true BEAKER_setfile=ubuntu1404-64{hypervisor=docker} CHECK=beaker + env: PUPPET_INSTALL_TYPE=agent BEAKER_IS_PE=no BEAKER_PUPPET_COLLECTION=puppet6-nightly BEAKER_debug=true BEAKER_setfile=ubuntu1404-64vpnserver.ma{hypervisor=docker\,hostname=vpnserver}-ubuntu1604-64vpnclienta.a{hypervisor=docker\,hostname=vpnclienta} CHECK=beaker services: docker sudo: required - rvm: 2.5.1 bundler_args: --without development release dist: trusty - env: PUPPET_INSTALL_TYPE=agent BEAKER_IS_PE=no BEAKER_PUPPET_COLLECTION=puppet5 BEAKER_debug=true BEAKER_setfile=centos7-64{hypervisor=docker} CHECK=beaker + env: PUPPET_INSTALL_TYPE=agent BEAKER_IS_PE=no BEAKER_PUPPET_COLLECTION=puppet5 BEAKER_debug=true BEAKER_setfile=centos7-64vpnserver.ma{hypervisor=docker\,hostname=vpnserver}-centos7-64vpnclienta.a{hypervisor=docker\,hostname=vpnclienta} CHECK=beaker services: docker sudo: required - rvm: 2.5.1 bundler_args: --without development release dist: trusty - env: PUPPET_INSTALL_TYPE=agent BEAKER_IS_PE=no BEAKER_PUPPET_COLLECTION=puppet6 BEAKER_debug=true BEAKER_setfile=centos7-64{hypervisor=docker} CHECK=beaker + env: PUPPET_INSTALL_TYPE=agent BEAKER_IS_PE=no BEAKER_PUPPET_COLLECTION=puppet6 BEAKER_debug=true BEAKER_setfile=centos7-64vpnserver.ma{hypervisor=docker\,hostname=vpnserver}-centos7-64vpnclienta.a{hypervisor=docker\,hostname=vpnclienta} CHECK=beaker services: docker sudo: required - rvm: 2.5.1 bundler_args: --without development release dist: trusty - env: PUPPET_INSTALL_TYPE=agent BEAKER_IS_PE=no 
BEAKER_PUPPET_COLLECTION=puppet6-nightly BEAKER_debug=true BEAKER_setfile=centos7-64{hypervisor=docker} CHECK=beaker + env: PUPPET_INSTALL_TYPE=agent BEAKER_IS_PE=no BEAKER_PUPPET_COLLECTION=puppet6-nightly BEAKER_debug=true BEAKER_setfile=centos7-64vpnserver.ma{hypervisor=docker\,hostname=vpnserver}-centos7-64vpnclienta.a{hypervisor=docker\,hostname=vpnclienta} CHECK=beaker services: docker sudo: required - rvm: 2.5.1 bundler_args: --without development release dist: trusty - env: PUPPET_INSTALL_TYPE=agent BEAKER_IS_PE=no BEAKER_PUPPET_COLLECTION=puppet5 BEAKER_debug=true BEAKER_setfile=centos6-64{hypervisor=docker} CHECK=beaker + env: PUPPET_INSTALL_TYPE=agent BEAKER_IS_PE=no BEAKER_PUPPET_COLLECTION=puppet5 BEAKER_debug=true BEAKER_setfile=centos6-64vpnserver.ma{hypervisor=docker\,hostname=vpnserver}-centos7-64vpnclienta.a{hypervisor=docker\,hostname=vpnclienta} CHECK=beaker services: docker sudo: required - rvm: 2.5.1 bundler_args: --without development release dist: trusty - env: PUPPET_INSTALL_TYPE=agent BEAKER_IS_PE=no BEAKER_PUPPET_COLLECTION=puppet6 BEAKER_debug=true BEAKER_setfile=centos6-64{hypervisor=docker} CHECK=beaker + env: PUPPET_INSTALL_TYPE=agent BEAKER_IS_PE=no BEAKER_PUPPET_COLLECTION=puppet6 BEAKER_debug=true BEAKER_setfile=centos6-64vpnserver.ma{hypervisor=docker\,hostname=vpnserver}-centos7-64vpnclienta.a{hypervisor=docker\,hostname=vpnclienta} CHECK=beaker services: docker sudo: required - rvm: 2.5.1 bundler_args: --without development release dist: trusty - env: PUPPET_INSTALL_TYPE=agent BEAKER_IS_PE=no BEAKER_PUPPET_COLLECTION=puppet6-nightly BEAKER_debug=true BEAKER_setfile=centos6-64{hypervisor=docker} CHECK=beaker + env: PUPPET_INSTALL_TYPE=agent BEAKER_IS_PE=no BEAKER_PUPPET_COLLECTION=puppet6-nightly BEAKER_debug=true BEAKER_setfile=centos6-64vpnserver.ma{hypervisor=docker\,hostname=vpnserver}-centos7-64vpnclienta.a{hypervisor=docker\,hostname=vpnclienta} CHECK=beaker services: docker sudo: required - rvm: 2.5.1 bundler_args: 
--without development release dist: trusty - env: PUPPET_INSTALL_TYPE=agent BEAKER_IS_PE=no BEAKER_PUPPET_COLLECTION=puppet5 BEAKER_debug=true BEAKER_setfile=debian9-64{hypervisor=docker} CHECK=beaker + env: PUPPET_INSTALL_TYPE=agent BEAKER_IS_PE=no BEAKER_PUPPET_COLLECTION=puppet5 BEAKER_debug=true BEAKER_setfile=debian9-64vpnserver.ma{hypervisor=docker\,hostname=vpnserver}-debian9-64vpnclienta.a{hypervisor=docker\,hostname=vpnclienta} CHECK=beaker services: docker sudo: required - rvm: 2.5.1 bundler_args: --without development release dist: trusty - env: PUPPET_INSTALL_TYPE=agent BEAKER_IS_PE=no BEAKER_PUPPET_COLLECTION=puppet6 BEAKER_debug=true BEAKER_setfile=debian9-64{hypervisor=docker} CHECK=beaker + env: PUPPET_INSTALL_TYPE=agent BEAKER_IS_PE=no BEAKER_PUPPET_COLLECTION=puppet6 BEAKER_debug=true BEAKER_setfile=debian9-64vpnserver.ma{hypervisor=docker\,hostname=vpnserver}-debian9-64vpnclienta.a{hypervisor=docker\,hostname=vpnclienta} CHECK=beaker services: docker sudo: required - rvm: 2.5.1 bundler_args: --without development release dist: trusty - env: PUPPET_INSTALL_TYPE=agent BEAKER_IS_PE=no BEAKER_PUPPET_COLLECTION=puppet6-nightly BEAKER_debug=true BEAKER_setfile=debian9-64{hypervisor=docker} CHECK=beaker + env: PUPPET_INSTALL_TYPE=agent BEAKER_IS_PE=no BEAKER_PUPPET_COLLECTION=puppet6-nightly BEAKER_debug=true BEAKER_setfile=debian9-64vpnserver.ma{hypervisor=docker\,hostname=vpnserver}-debian9-64vpnclienta.a{hypervisor=docker\,hostname=vpnclienta} CHECK=beaker services: docker sudo: required - rvm: 2.5.1 bundler_args: --without development release dist: trusty - env: PUPPET_INSTALL_TYPE=agent BEAKER_IS_PE=no BEAKER_PUPPET_COLLECTION=puppet5 BEAKER_debug=true BEAKER_setfile=debian8-64{hypervisor=docker} CHECK=beaker + env: PUPPET_INSTALL_TYPE=agent BEAKER_IS_PE=no BEAKER_PUPPET_COLLECTION=puppet5 BEAKER_debug=true BEAKER_setfile=debian8-64vpnserver.ma{hypervisor=docker\,hostname=vpnserver}-debian8-64vpnclienta.a{hypervisor=docker\,hostname=vpnclienta} 
CHECK=beaker services: docker sudo: required - rvm: 2.5.1 bundler_args: --without development release dist: trusty - env: PUPPET_INSTALL_TYPE=agent BEAKER_IS_PE=no BEAKER_PUPPET_COLLECTION=puppet6 BEAKER_debug=true BEAKER_setfile=debian8-64{hypervisor=docker} CHECK=beaker + env: PUPPET_INSTALL_TYPE=agent BEAKER_IS_PE=no BEAKER_PUPPET_COLLECTION=puppet6 BEAKER_debug=true BEAKER_setfile=debian8-64vpnserver.ma{hypervisor=docker\,hostname=vpnserver}-debian8-64vpnclienta.a{hypervisor=docker\,hostname=vpnclienta} CHECK=beaker services: docker sudo: required - rvm: 2.5.1 bundler_args: --without development release dist: trusty - env: PUPPET_INSTALL_TYPE=agent BEAKER_IS_PE=no BEAKER_PUPPET_COLLECTION=puppet6-nightly BEAKER_debug=true BEAKER_setfile=debian8-64{hypervisor=docker} CHECK=beaker + env: PUPPET_INSTALL_TYPE=agent BEAKER_IS_PE=no BEAKER_PUPPET_COLLECTION=puppet6-nightly BEAKER_debug=true BEAKER_setfile=debian8-64vpnserver.ma{hypervisor=docker\,hostname=vpnserver}-debian8-64vpnclienta.a{hypervisor=docker\,hostname=vpnclienta} CHECK=beaker services: docker sudo: required branches: diff --git a/README.md b/README.md index 8ff7b948..40faa200 100644 --- a/README.md +++ b/README.md @@ -26,7 +26,6 @@ Puppet module to manage OpenVPN servers and clients. * Debian * CentOS * RedHat -* Amazon ## Dependencies - [puppetlabs-concat 3.0.0+](https://github.com/puppetlabs/puppetlabs-concat) @@ -34,7 +33,7 @@ Puppet module to manage OpenVPN servers and clients. ## Puppet -* Version >= 4.7.1 +* Version >= 4.25.0 ## Example @@ -126,8 +125,7 @@ Don't forget the sysctl directive ```net.ipv4.ip_forward```! ## Encryption Choices -This module provides certain default parameters for the openvpn encryption -settings. +This module provides certain default parameters for the openvpn encryption settings. These settings have been applied in line with current "best practices" but no guarantee is given for their saftey and they could change in future. 
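Review bot: In the ubuntu1404 and centos6 rows the client half of BEAKER_setfile is ubuntu1604-64vpnclienta / centos7-64vpnclienta rather than a same-release client, unlike every other row, and nothing in the file records why. Since the new acceptance spec drives the client with `systemctl enable openvpn@vpnclienta`, this looks like a deliberate workaround for the pre-systemd releases rather than a typo; a YAML comment above those six rows, e.g. `# ubuntu1404/centos6 lack systemd, which the client-side spec needs; pair them with a newer client`, would keep it from being "corrected" later.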
@@ -169,7 +167,6 @@ This setting also affects the size of the dhparam file. > 2048 bits is OK, but both [NSA](https://cryptome.org/2016/01/CNSA-Suite-and-Quantum-Computing-FAQ.pdf) and [ANSSI](https://www.ssi.gouv.fr/uploads/2015/01/RGS_v-2-0_B1.pdf) recommend at least a 3072 bits for a future-proof key. As the size of the key will have an impact on speed, I leave the choice to use 2048, 3072 or 4096 bits RSA key. 4096 bits is what's most used and recommened today, but 3072 bits is still good. - ### Cipher The default data channel cipher is now set to `AES-256-CBC` @@ -180,18 +177,16 @@ OpenVPN was setting its default value to `BF-CBC`. In newer versions of OpenVPN it warns that this is no longer a secure cipher. The OpenVPN documentation recommends using this setting. - - ### tls_cipher The default tls_cipher option is now set to: `TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256` ##### Why -Details of these ciphers and their uses can be found in the documentation links -above. - +Details of these ciphers and their uses can be found in the documentation links above. +Note : TLS ciphers suites shipped with OSes ubuntu14.04 and debian8 are too old compared to our default values. +If these OSes hosts the server with clients more moderns, you will probably have to use custom value for option `tls_cipher`. ## Contributions diff --git a/spec/acceptance/01_openvpn_server_spec.rb b/spec/acceptance/01_openvpn_server_spec.rb deleted file mode 100644 index 8ed58cb4..00000000 --- a/spec/acceptance/01_openvpn_server_spec.rb +++ /dev/null 
@@ -1,60 +0,0 @@ -require 'spec_helper_acceptance' - -case fact('osfamily') -when 'RedHat' - server_crt = '/etc/openvpn/test_openvpn_server/easy-rsa/keys/issued/server.crt' -when 'Debian' - server_crt = '/etc/openvpn/test_openvpn_server/easy-rsa/keys/server.crt' -end - -describe 'server defined type' do - context 'with basics parameters' do - it 'installs openvpn server idempotently' do - pp = %( - openvpn::server { 'test_openvpn_server': - country => 'CO', - province => 'ST', - city => 'A city', - organization => 'FOO', - email => 'bar@foo.org', - server => '10.0.0.0 255.255.255.0', - local => '', - } - ) - apply_manifest(pp, catch_failures: true) - apply_manifest(pp, catch_changes: true) - end - - describe file('/etc/openvpn/test_openvpn_server/easy-rsa/keys') do - it { is_expected.to be_directory } - end - - describe file('/etc/openvpn/test_openvpn_server/easy-rsa/vars') do - it { is_expected.to be_file } - it { is_expected.to contain 'export EASY_RSA="/etc/openvpn/test_openvpn_server/easy-rsa"' } - it { is_expected.to contain '_COUNTRY="CO"' } - it { is_expected.to contain '_PROVINCE="ST"' } - it { is_expected.to contain '_CITY="A city"' } - it { is_expected.to contain '_ORG="FOO"' } - it { is_expected.to contain '_EMAIL="bar@foo.org"' } - end - - describe file(server_crt.to_s) do - it { is_expected.to be_file } - it { is_expected.to contain 'Issuer: C=CO, ST=ST, L=A city, O=FOO, ' } - end - - describe process('openvpn') do - it { is_expected.to be_running } - end - - describe port(1194) do - it { is_expected.to be_listening.with('tcp') } - end - - describe command('ip link show tun0') do - its(:stdout) { is_expected.to match %r{.* tun0: .*} } - its(:exit_status) { is_expected.to eq 0 } - end - end -end diff --git a/spec/acceptance/02_openvpn_client.rb b/spec/acceptance/02_openvpn_client.rb deleted file mode 100644 index f75f83ac..00000000 --- a/spec/acceptance/02_openvpn_client.rb +++ /dev/null 
@@ -1,51 +0,0 @@ -require 'spec_helper_acceptance' - -case fact('osfamily') -when 'RedHat' - key_path = '/etc/openvpn/test_openvpn_server/easy-rsa/keys/private' - crt_path = '/etc/openvpn/test_openvpn_server/easy-rsa/keys/issued' - index_path = '/etc/openvpn/test_openvpn_server/easy-rsa/keys' -when 'Debian' - key_path = '/etc/openvpn/test_openvpn_server/easy-rsa/keys' - crt_path = '/etc/openvpn/test_openvpn_server/easy-rsa/keys' - index_path = '/etc/openvpn/test_openvpn_server/easy-rsa/keys' -end - -describe 'client defined type' do - context 'with basics parameters' do - it 'configure openvpn client idempotently' do - pp = %( - openvpn::server { 'test_openvpn_server': - country => 'CO', - province => 'ST', - city => 'A city', - organization => 'FOO', - email => 'bar@foo.org', - server => '10.0.0.0 255.255.255.0', - local => '', - } - - openvpn::client { 'client1' : - server => 'test_openvpn_server', - require => Openvpn::Server['test_openvpn_server'], - } - ) - apply_manifest(pp, catch_failures: true) - apply_manifest(pp, catch_changes: true) - end - - describe file("#{key_path}/client1.key") do - it { is_expected.to be_file } - end - - describe file("#{crt_path}/client1.crt") do - it { is_expected.to be_file } - it { is_expected.to contain 'Issuer: C=CO, ST=ST, L=A city, O=FOO, ' } - end - - describe file("#{index_path}/index.txt") do - it { is_expected.to be_file } - it { is_expected.to contain 'CN=client1' } - end - end -end diff --git a/spec/acceptance/openvpn_spec.rb b/spec/acceptance/openvpn_spec.rb new file mode 100644 index 00000000..3d518057 --- /dev/null +++ b/spec/acceptance/openvpn_spec.rb 
@@ -0,0 +1,127 @@
+require 'spec_helper_acceptance'
+
+case fact('osfamily')
+when 'RedHat'
+ server_crt = '/etc/openvpn/test_openvpn_server/easy-rsa/keys/issued/server.crt'
+ key_path = '/etc/openvpn/test_openvpn_server/easy-rsa/keys/private'
+ crt_path = '/etc/openvpn/test_openvpn_server/easy-rsa/keys/issued'
+ index_path = '/etc/openvpn/test_openvpn_server/easy-rsa/keys'
+when 'Debian'
+ server_crt = '/etc/openvpn/test_openvpn_server/easy-rsa/keys/server.crt'
+ key_path = '/etc/openvpn/test_openvpn_server/easy-rsa/keys'
+ crt_path = '/etc/openvpn/test_openvpn_server/easy-rsa/keys'
+ index_path = '/etc/openvpn/test_openvpn_server/easy-rsa/keys'
+end
+
+# All-terrain tls ciphers are used to be able to works with all supported OSes.
+# Default value is with ciphers too recents for old OSes like ubuntu 14.04.
+describe 'server defined type' do
+ context 'with basics parameters' do
+ it 'installs openvpn server idempotently' do
+ pp = %(
+ openvpn::server { 'test_openvpn_server':
+ country => 'CO',
+ province => 'ST',
+ city => 'A city',
+ organization => 'FOO',
+ email => 'bar@foo.org',
+ server => '10.0.0.0 255.255.255.0',
+ local => '',
+ management => true,
+ tls_cipher => 'TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA',
+ }
+ )
+ apply_manifest_on(hosts_as('vpnserver'), pp, catch_failures: true)
+ apply_manifest_on(hosts_as('vpnserver'), pp, catch_changes: true)
+ end
+ it 'creates openvpn client certificate idempotently' do
+ pp = %(
+ openvpn::server { 'test_openvpn_server':
+ country => 'CO',
+ province => 'ST',
+ city => 'A city',
+ organization => 'FOO',
+ email => 'bar@foo.org',
+ server => '10.0.0.0 255.255.255.0',
+ local => '',
+ management => true,
+ tls_cipher => 'TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA',
+ }
+
+ openvpn::client { 'vpnclienta' :
+ server => 'test_openvpn_server',
+ require => Openvpn::Server['test_openvpn_server'],
+ remote_host => $facts['networking']['ip'],
+ tls_cipher =>
'TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA',
+ }
+ )
+ apply_manifest_on(hosts_as('vpnserver'), pp, catch_failures: true)
+ apply_manifest_on(hosts_as('vpnserver'), pp, catch_changes: true)
+ end
+
+ describe file('/etc/openvpn/test_openvpn_server/easy-rsa/keys') do
+ it { is_expected.to be_directory }
+ end
+
+ describe file('/etc/openvpn/test_openvpn_server/easy-rsa/vars') do
+ it { is_expected.to be_file }
+ it { is_expected.to contain 'export EASY_RSA="/etc/openvpn/test_openvpn_server/easy-rsa"' }
+ it { is_expected.to contain '_COUNTRY="CO"' }
+ it { is_expected.to contain '_PROVINCE="ST"' }
+ it { is_expected.to contain '_CITY="A city"' }
+ it { is_expected.to contain '_ORG="FOO"' }
+ it { is_expected.to contain '_EMAIL="bar@foo.org"' }
+ end
+
+ describe file(server_crt.to_s) do
+ it { is_expected.to be_file }
+ it { is_expected.to contain 'Issuer: C=CO, ST=ST, L=A city, O=FOO, ' }
+ end
+
+ describe process('openvpn') do
+ it { is_expected.to be_running }
+ end
+
+ describe port(1194) do
+ it { is_expected.to be_listening.with('tcp') }
+ end
+
+ describe command('ip link show tun0') do
+ its(:stdout) { is_expected.to match %r{.* tun0: .*} }
+ its(:exit_status) { is_expected.to eq 0 }
+ end
+
+ describe file("#{key_path}/vpnclienta.key") do
+ it { is_expected.to be_file }
+ end
+
+ describe file("#{crt_path}/vpnclienta.crt") do
+ it { is_expected.to be_file }
+ it { is_expected.to contain 'Issuer: C=CO, ST=ST, L=A city, O=FOO, ' }
+ end
+
+ describe file("#{index_path}/index.txt") do
+ it { is_expected.to be_file }
+ it { is_expected.to contain 'CN=vpnclienta' }
+ end
+
+ describe file('/etc/openvpn/test_openvpn_server/download-configs/vpnclienta.tar.gz') do
+ it { is_expected.to be_file }
+ its(:size) { is_expected.to be > 500 }
+ end
+
+ it 'permits to setup a vpn client' do
+ scp_from(hosts_as('vpnserver'), '/etc/openvpn/test_openvpn_server/download-configs/vpnclienta.tar.gz', '.')
+ scp_to(hosts_as('vpnclienta'),
'vpnclienta.tar.gz', '/tmp')
+ on(hosts_as('vpnclienta'), 'tar xvfz /tmp/vpnclienta.tar.gz -C /etc/openvpn')
+ on(hosts_as('vpnclienta'), 'mv /etc/openvpn/vpnclienta/* /etc/openvpn/')
+ on(hosts_as('vpnclienta'), 'systemctl enable openvpn@vpnclienta')
+ on(hosts_as('vpnclienta'), 'systemctl restart openvpn@vpnclienta')
+ end
+
+ describe command('echo status |nc -w 1 localhost 7505') do
+ its(:stdout) { is_expected.to match %r{.*vpnclienta.*} }
+ its(:exit_status) { is_expected.to eq 0 }
+ end
+ end
+end
diff --git a/spec/spec_helper_acceptance.rb b/spec/spec_helper_acceptance.rb
index 7b880b4c..3bb45f46 100644
--- a/spec/spec_helper_acceptance.rb
+++ b/spec/spec_helper_acceptance.rb
@@ -10,11 +10,33 @@ RSpec.configure do |c|
# Configure all nodes in nodeset
c.before :suite do
- hosts.each do |host|
- if fact('os.family') == 'RedHat'
- install_module_from_forge('stahnma-epel', '>= 1.3.0 < 2.0.0')
- apply_manifest_on(host, 'include ::epel', catch_failures: true)
+ hosts.each do |_host|
+ case fact('os.family')
+ when 'RedHat'
+ install_module_from_forge_on(hosts_as('agent'), 'stahnma-epel', '>= 1.3.0 < 2.0.0')
+ apply_manifest_on(hosts_as('agent'), 'include ::epel', catch_failures: true)
+
+ install_server_packages = %(
+ package { ['nc'] :
+ ensure => present,
+ }
+ )
+ when 'Debian'
+ install_server_packages = %(
+ package { ['netcat-openbsd'] :
+ ensure => present,
+ }
+ )
end
+
+ install_client_packages = %(
+ package { ['tar','openvpn'] :
+ ensure => present,
+ }
+ )
+
+ apply_manifest_on(hosts_as('vpnserver'), install_server_packages, catch_failures: true)
+ apply_manifest_on(hosts_as('vpnclienta'), install_client_packages, catch_failures: true)
end
end
end
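Review bot: `scp_from(hosts_as('vpnserver'), '/etc/openvpn/test_openvpn_server/download-configs/vpnclienta.tar.gz', '.')` in 'permits to setup a vpn client' pulls the client bundle into the runner's current working directory and never removes it, so the bundle — which presumably carries the vpnclienta.key the spec checks for a few lines earlier — outlives the run on CI and on any developer machine. Staging it in a `Dir.mktmpdir` block (needs `require 'tmpdir'`) removes it as soon as `scp_to` has pushed it to vpnclienta. The closing `describe command('echo status |nc -w 1 localhost 7505')` also queries the management socket with no wait after `systemctl restart openvpn@vpnclienta`, and with two hosts in the nodeset the spec does not say which one serverspec's `command` runs against; a bounded `retry_on` around the status query and a comment naming the host would make that assertion deterministic. The header comment explains the relaxed `tls_cipher`, but `management => true` deserves the same treatment, e.g. `# management => true only so the final status check can query the socket on 7505`.
```ruby
it 'permits to setup a vpn client' do
  # Stage the bundle (presumably including the client key) in a temp dir that is removed once pushed
  Dir.mktmpdir do |dir|
    scp_from(hosts_as('vpnserver'), '/etc/openvpn/test_openvpn_server/download-configs/vpnclienta.tar.gz', dir)
    scp_to(hosts_as('vpnclienta'), File.join(dir, 'vpnclienta.tar.gz'), '/tmp')
  end
  # … unchanged: tar / mv / systemctl enable+restart on vpnclienta …
end
```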
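Review bot: `hosts.each do |_host|` no longer uses its block variable while the body targets `hosts_as('agent')`, `hosts_as('vpnserver')` and `hosts_as('vpnclienta')` directly, so every manifest in the block is applied once per host in the nodeset — twice with the two-host setfiles this commit adds to .travis.yml. Either drop the loop or iterate `hosts.each do |host|` and apply to `host`, choosing the package list from that host's role. `fact('os.family')` is likewise evaluated once against the default host, so the `nc` versus `netcat-openbsd` choice follows that host rather than vpnserver, and when the family is neither RedHat nor Debian `install_server_packages` stays nil and reaches `apply_manifest_on` instead of failing with a clear message; a comment such as `# every setfile pairs hosts of one os family; fact() inspects the default host only` would at least record the assumption. The surrounding `RSpec.configure` block opens before the hunk.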