From 6482a4ccb3d72773cc6d00d5fa7933fa83c4cafe Mon Sep 17 00:00:00 2001
From: elijah
Date: Tue, 5 Sep 2017 18:24:31 -0700
Subject: Bug: fix vpn network problem caused by vagrant fact

Boolean facts must be escaped with str2bool. This commit includes new tests to catch VPN problems like this in the future.
---
 puppet/modules/site_config/manifests/params.pp | 3 +-
 puppet/modules/site_config/manifests/setup.pp | 2 +-
 puppet/modules/site_openvpn/manifests/init.pp | 2 +-
 .../site_openvpn/templates/add_gateway_ips.sh.erb | 14 +++++++--
 tests/server-tests/white-box/openvpn.rb | 36 ++++++++++++++++++++++
 5 files changed, 51 insertions(+), 6 deletions(-)

diff --git a/puppet/modules/site_config/manifests/params.pp b/puppet/modules/site_config/manifests/params.pp
index 4627515a..2c9687a3 100644
--- a/puppet/modules/site_config/manifests/params.pp
+++ b/puppet/modules/site_config/manifests/params.pp
@@ -6,8 +6,7 @@ class site_config::params {
 $ec2_local_ipv4_interface = getvar("interface_${::ec2_local_ipv4}")
 $environment = hiera('environment', undef)
-
- if $::vagrant {
+ if str2bool("$::vagrant") {
 # Depending on the backend hypervisor networking is setup differently.
 if $::interfaces =~ /eth1/ {
 # Virtualbox: Private networking creates a second interface eth1
diff --git a/puppet/modules/site_config/manifests/setup.pp b/puppet/modules/site_config/manifests/setup.pp
index a96f87a6..bd3097fa 100644
--- a/puppet/modules/site_config/manifests/setup.pp
+++ b/puppet/modules/site_config/manifests/setup.pp
@@ -37,7 +37,7 @@ class site_config::setup {
 # we need to include shorewall::interface{eth0} in setup.pp so
 # packages can be installed during main puppetrun, even before shorewall
 # is configured completly
- if $::vagrant {
+ if str2bool("$::vagrant") {
 include site_config::vagrant
 }
diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp
index f1ecefb9..ee7d6840 100644
--- a/puppet/modules/site_openvpn/manifests/init.pp
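Review bot: `if str2bool("$::vagrant") {` interpolates the fact without braces; the form puppet-lint's variables_not_enclosed check expects is `if str2bool("${::vagrant}") {`, and the identical new line in the setup.pp hunk has the same point. Wrapping the fact is the right fix, since a fact that presumably reaches the manifest as the string "false" is truthy in Puppet and would have taken the vagrant branch on such nodes; a one-line comment above the condition, `# facts can arrive as strings, and "false" is truthy in Puppet, so convert explicitly`, would keep the next maintainer from reverting it. As far as I recall stdlib's str2bool maps an empty string to false, so a node with no vagrant fact still takes the non-vagrant branch, but it raises on strings it does not recognise, which is worth confirming against the fact's possible values. class site_config::params continues outside the hunk.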
+++ b/puppet/modules/site_openvpn/manifests/init.pp
@@ -68,7 +68,7 @@ class site_openvpn {
 # find out the netmask in cidr format of the primary IF
 # thx to https://blog.kumina.nl/tag/puppet-tips-and-tricks/
 # we can do this using an inline_template:
- $factname_primary_netmask = "netmask_cidr_${::site_config::params::interface}"
+ $factname_primary_netmask = "netmask_${::site_config::params::interface}"
 $primary_netmask = inline_template('<%= scope.lookupvar(@factname_primary_netmask) %>')
 # deploy dh keys
diff --git a/puppet/modules/site_openvpn/templates/add_gateway_ips.sh.erb b/puppet/modules/site_openvpn/templates/add_gateway_ips.sh.erb
index e76b756b..f2d2bc70 100644
--- a/puppet/modules/site_openvpn/templates/add_gateway_ips.sh.erb
+++ b/puppet/modules/site_openvpn/templates/add_gateway_ips.sh.erb
@@ -1,11 +1,21 @@
 #!/bin/sh
-ip addr show dev <%= scope.lookupvar('site_config::params::interface') %> | grep -q <%= @openvpn_gateway_address %>/<%= @primary_netmask %> ||
+ip addr show dev <%= scope.lookupvar('site_config::params::interface') %> | grep -q "inet <%= @openvpn_gateway_address %>/" ||
 ip addr add <%= @openvpn_gateway_address %>/<%= @primary_netmask %> dev <%= scope.lookupvar('site_config::params::interface') %>
+EXITCODE=$?
+if [ $EXITCODE != 0 ]; then
+ exit $EXITCODE
+fi
+
 <% if @openvpn_second_gateway_address %>
-ip addr show dev <%= scope.lookupvar('site_config::params::interface') %> | grep -q <%= @openvpn_second_gateway_address %>/<%= @primary_netmask %> ||
+ip addr show dev <%= scope.lookupvar('site_config::params::interface') %> | grep -q "<%= @openvpn_second_gateway_address %>/" ||
 ip addr add <%= @openvpn_second_gateway_address %>/<%= @primary_netmask %> dev <%= scope.lookupvar('site_config::params::interface') %>
+
+EXITCODE=$?
+if [ $EXITCODE != 0 ]; then
+ exit $EXITCODE
+fi
 <% end %>
 /bin/echo 1 > /proc/sys/net/ipv4/ip_forward
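Review bot: The three context comment lines above the changed assignment still say the lookup finds "the netmask in cidr format", but the fact name is now `netmask_${::site_config::params::interface}` instead of `netmask_cidr_...`, so the comment and the code disagree. I would change the first comment line to `# find out the netmask of the primary IF via the netmask_<interface> fact` and, since the add_gateway_ips.sh.erb hunk in this commit stops matching on the `/<mask>` suffix, add a second line stating which format that fact has (dotted quad or prefix length) once confirmed, because `@primary_netmask` is pasted into `ip addr add ADDR/MASK` in that template. class site_openvpn continues outside the hunk.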
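Review bot: The second `grep -q` pattern, `"<%= @openvpn_second_gateway_address %>/"`, is not anchored like the first one, which matches `"inet <%= @openvpn_gateway_address %>/"`; unanchored, it would also match an address that merely ends with the same digits (a constructed example: `110.0.0.2/` contains `10.0.0.2/`), and then the `ip addr add` for the second gateway would be skipped. Use the same shape for both and make the dots literal with `-F`, `grep -qF "inet <%= @openvpn_second_gateway_address %>/"`. The new exit-code guards are the right call because they keep the script from enabling `ip_forward` when an address could not be added; `[ "$EXITCODE" -ne 0 ]` is the numeric comparison `sh` expects, whereas `!=` is a string comparison that shellcheck flags.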
diff --git a/tests/server-tests/white-box/openvpn.rb b/tests/server-tests/white-box/openvpn.rb
index 4eed7eb9..adda34a9 100644
--- a/tests/server-tests/white-box/openvpn.rb
+++ b/tests/server-tests/white-box/openvpn.rb
@@ -13,4 +13,40 @@ class OpenVPN < LeapTest
 pass
 end
+ def test_02_Can_connect_to_openvpn?
+ # because of the way the firewall rules are currently set up, you can only
+ # connect to the standard 1194 openvpn port when you are connecting
+ # from the same host as openvpn is running on.
+ #
+ # so, this is disabled for now:
+ # $node['openvpn']['ports'].each {|port| ...}
+ #
+
+ $node['openvpn']['protocols'].each do |protocol|
+ assert_openvpn_is_bound_to_port($node['openvpn']['gateway_address'], protocol, 1194)
+ end
+ pass
+ end
+
+ private
+
+ #
+ # asserting succeeds if openvpn appears to be correctly bound and we can
+ # connect to it. we don't actually try to establish a vpn connection in this
+ # test, we just check to see that it sort of looks like it is openvpn running
+ # on the port.
+ #
+ def assert_openvpn_is_bound_to_port(ip_address, protocol, port)
+ protocol = protocol.downcase
+ if protocol == 'udp'
+ # this sends a magic string to openvpn to attempt to start the protocol.
+ nc_output = `/bin/echo -e "\\x38\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00" | timeout 0.5 nc -u #{ip_address} #{port}`.strip
+ assert !nc_output.empty?, "Could not connect to OpenVPN daemon at #{ip_address} on port #{port} (#{protocol})."
+ elsif protocol == 'tcp'
+ assert system("openssl s_client -connect #{ip_address}:#{port} 2>&1 | grep -q CONNECTED"),
+ "Could not connect to OpenVPN daemon at #{ip_address} on port #{port} (#{protocol})."
+ else
+ assert false, "invalid openvpn protocol #{protocol}"
+ end
+ end
 end
-- 
cgit v1.2.3
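Review bot: In `assert_openvpn_is_bound_to_port`, `ip_address` and `port` are interpolated straight into shell command strings in the backtick call and in `system(...)`, so any shell metacharacter in `$node['openvpn']['gateway_address']` would be run by the shell rather than handed to nc or openssl. `$node` is deployment config rather than user input, but a test helper is an easy place to copy from; `Shellwords.escape(ip_address)` and `Shellwords.escape(port.to_s)` in both commands (`require 'shellwords'` at the top of the file, outside the hunk) close that path without changing what the test checks. Also worth a sentence in the helper's comment: the tcp branch only proves a TCP connect, since s_client prints CONNECTED before any handshake, so a non-OpenVPN listener on the port would pass. A `case protocol.downcase when 'udp' ... when 'tcp'` would read more idiomatically than the `if`/`elsif` chain on a reassigned parameter. class OpenVPN starts outside the hunk.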