# TESTING OF MULTIPLE AUTHENTICATION PLUG-INS

OpenVPN 2.x can load multiple plug-ins and authenticate users through
them at the same time, but it supports only a single plug-in doing
deferred authentication. A plug-in doing deferred authentication may,
however, be accompanied by other authentication plug-ins **not** doing
deferred authentication.

This is a test script useful for testing the various combinations and
orders of plug-in execution.

The configuration files are expected to be used from the root of the build
directory.

To build the needed authentication plug-in, run:

    make -C sample/sample-plugins

## Test configs
* Client config

        verb 4
        dev tun
        client
        remote x.x.x.x
        ca sample/sample-keys/ca.crt
        cert sample/sample-keys/client.crt
        key sample/sample-keys/client.key
        auth-user-pass

* Base server config (`base-server.conf`)

        verb 4
        dev tun
        server 10.8.0.0 255.255.255.0
        dh none
        ca sample/sample-keys/ca.crt
        cert sample/sample-keys/server.crt
        key sample/sample-keys/server.key

## Test cases
### Test: *sanity-1*
This tests the basic authentication with an instant answer.

    config base-server.conf
    plugin multi-auth.so S1.1 0 foo bar

#### Expected results
- Username/password `foo`/`bar`: **PASS**
- Anything else: **FAIL**
### Test: *sanity-2*
This is similar to `sanity-1`, but does the authentication
through two plug-ins providing an instant reply.

    config base-server.conf
    plugin multi-auth.so S2.1 0 foo bar
    plugin multi-auth.so S2.2 0 foo bar

#### Expected results
- Username/password `foo`/`bar`: **PASS**
- Anything else: **FAIL**
### Test: *sanity-3*
This is also similar to `sanity-1`, but uses deferred authentication
with a 1 second delay on the response.

    plugin multi-auth.so S3.1 1000 foo bar

#### Expected results
- Username/password `foo`/`bar`: **PASS**
- Anything else: **FAIL**
### Test: *case-a*
Runs two authentications, the first one deferred by 1 second and the
second one providing an instant response.

    plugin multi-auth.so A.1 1000 foo bar
    plugin multi-auth.so A.2 0 foo bar

#### Expected results
- Username/password `foo`/`bar`: **PASS**
- Anything else: **FAIL**
### Test: *case-b*
This is similar to `case-a`, but the instant authentication response
is provided first before the deferred authentication.

    plugin multi-auth.so B.1 0 foo bar
    plugin multi-auth.so B.2 1000 test pass

#### Expected results
- **Always FAIL**
  - This test should never pass, as each plug-in expects different
    usernames and passwords.

### Test: *case-c*
This is similar to the two prior tests, but the authentication result
is returned instantly in both steps.

    plugin multi-auth.so C.1 0 foo bar
    plugin multi-auth.so C.2 0 foo2 bar2

#### Expected results
- **Always FAIL**
  - This test should never pass, as each plug-in expects different
    usernames and passwords.

### Test: *case-d*
This is similar to the `case-b` test, but the order of deferred
and instant response is reversed.

    plugin ./multi-auth.so D.1 2000 test pass
    plugin ./multi-auth.so D.2 0 foo bar

#### Expected results
- **Always FAIL**
  - This test should never pass, as each plug-in expects different
    usernames and passwords.

### Test: *case-e*
This test case will run two deferred authentication plug-ins. This is
**not** supported by OpenVPN, and should therefore fail instantly.

    plugin ./multi-auth.so E1 1000 test1 pass1
    plugin ./multi-auth.so E2 2000 test2 pass2

#### Expected results
- The OpenVPN server process should stop running
- An error about multiple deferred plug-ins being configured
should be seen in the server log.
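
The expected results of the test cases can be predicted from the `plugin` lines alone. The following is an added example, not part of the OpenVPN sources: it assumes, from the configs on this page, that the plug-in arguments are `<label> <delay-ms> <username> <password>` with a delay of 0 meaning an instant answer, and that a login passes only when every plug-in accepts the credentials. The names `PluginSpec`, `parse_plugins` and `expected_result` are hypothetical.

```python
import shlex
from typing import NamedTuple

class PluginSpec(NamedTuple):
    name: str        # test label, e.g. "A.1"
    delay_ms: int    # 0 = instant answer, >0 = deferred (assumed from this page)
    username: str
    password: str

# Server config fragments copied from the test cases on this page.
CASES = {
    "case-a": "plugin multi-auth.so A.1 1000 foo bar\nplugin multi-auth.so A.2 0 foo bar\n",
    "case-b": "plugin multi-auth.so B.1 0 foo bar\nplugin multi-auth.so B.2 1000 test pass\n",
    "case-e": "plugin ./multi-auth.so E1 1000 test1 pass1\nplugin ./multi-auth.so E2 2000 test2 pass2\n",
}

def parse_plugins(config_text):
    """Return the multi-auth plug-in lines of a config, in file order."""
    specs = []
    for line in config_text.splitlines():
        words = shlex.split(line, comments=True)
        if len(words) == 6 and words[0] == "plugin" and words[1].endswith("multi-auth.so"):
            specs.append(PluginSpec(words[2], int(words[3]), words[4], words[5]))
    return specs

def expected_result(config_text, username, password):
    """Predict 'SERVER-EXIT', 'PASS' or 'FAIL' for one login attempt."""
    specs = parse_plugins(config_text)
    if not specs:
        raise ValueError("no multi-auth plug-in lines found")
    # More than one deferred plug-in is unsupported: the server should stop.
    if sum(1 for s in specs if s.delay_ms > 0) > 1:
        return "SERVER-EXIT"
    # Every plug-in must accept the same credentials for the login to pass.
    accepted = all((s.username, s.password) == (username, password) for s in specs)
    return "PASS" if accepted else "FAIL"

if __name__ == "__main__":
    for name, text in CASES.items():
        for creds in (("foo", "bar"), ("test", "pass")):
            print(name, creds, expected_result(text, *creds))
```

Comparing the predicted outcome with what the server actually does for each config is a quick way to notice a plug-in ordering or deferral regression.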