chore: add more plugin tests (#678)

Author: jkroepke

.golangci.yaml

@@ -181,6 +181,7 @@ linters:
         text: "^underef: could simplify.*cgo.Handle"
       - path: lib/
         linters:
+          - goconst
           - unused
       - path: lib/
         text: "fieldalignment:"

lib/openvpn-auth-oauth2/management/management.go

@@ -247,6 +247,8 @@ func (s *Server) handleManagementClient(ctx context.Context, conn net.Conn) erro
 
 scan:
 	for scanner.Scan() {
+		var cmd string
+
 		line := strings.TrimSpace(scanner.Text())
 		if line == "" {
 			continue
@@ -272,11 +274,11 @@ scan:
 
 			continue
 		case strings.HasPrefix(line, "client-auth-nt"):
-			_ = s.writeToClient("SUCCESS: client-auth command succeeded")
+			cmd = "client-auth"
 		case strings.HasPrefix(line, "client-pending-auth"):
-			_ = s.writeToClient("SUCCESS: client-pending-auth command succeeded")
+			cmd = "client-pending-auth"
 		case strings.HasPrefix(line, "client-deny"):
-			_ = s.writeToClient("SUCCESS: client-deny command succeeded")
+			cmd = "client-deny"
 		case strings.HasPrefix(line, "client-auth"):
 			for scanner.Scan() {
 				line += newline + strings.TrimSpace(scanner.Text())
@@ -286,7 +288,7 @@ scan:
 				}
 			}
 
-			_ = s.writeToClient("SUCCESS: client-auth command succeeded")
+			cmd = "client-auth"
 		default:
 			_ = s.writeToClient("ERROR: unknown command, enter 'help' for more options")
 
@@ -301,7 +303,12 @@ scan:
 				slog.Any("err", err),
 				slog.String("response", line),
 			)
+			_ = s.writeToClient(fmt.Sprintf("ERROR: %s command failed", cmd))
+		} else {
+			_ = s.writeToClient(fmt.Sprintf("SUCCESS: %s command succeeded", cmd))
+		}
 
+		if resp == nil {
 			continue
 		}
 
@@ -390,16 +397,27 @@ func (s *Server) parseResponse(response string) (*Response, error) {
 		// client-deny 0 1 "OpenVPN Client does not support SSO authentication via webauth"
 		parts := strings.SplitN(message, " ", 2)
 
+		var denyReason string
+		if len(parts) == 2 {
+			denyReason = strings.Trim(parts[1], `"`)
+		} else {
+			denyReason = "access denied"
+		}
+
 		return &Response{
 			ClientID:   uint32(clientID),
 			ClientAuth: ClientAuthDeny,
-			Message:    strings.Trim(parts[1], `"`),
+			Message:    denyReason,
 		}, nil
 	case "client-pending-auth":
 		// client-pending-auth 0 1 "WEB_AUTH::https://example.com/..." 300
 		parts := strings.SplitN(message, " ", 3)
 		if len(parts) != 3 {
-			return nil, fmt.Errorf("invalid client-pending-auth message: %s", message)
+			return &Response{
+				ClientID:   uint32(clientID),
+				ClientAuth: ClientAuthDeny,
+				Message:    "internal error",
+			}, fmt.Errorf("invalid client-pending-auth message: %s", message)
 		}
 
 		return &Response{
@@ -409,7 +427,11 @@ func (s *Server) parseResponse(response string) (*Response, error) {
 			Timeout:    parts[2],
 		}, nil
 	default:
-		return nil, fmt.Errorf("unknown response command: %s", cmd)
+		return &Response{
+			ClientID:   uint32(clientID),
+			ClientAuth: ClientAuthDeny,
+			Message:    "internal error",
+		}, fmt.Errorf("unknown response command: %s", cmd)
 	}
 }
 

lib/openvpn-auth-oauth2/management/management_test.go

@@ -5,7 +5,10 @@ import (
 	"fmt"
 	"log/slog"
 	"net"
+	"strconv"
+	"strings"
 	"testing"
+	"time"
 
 	"github.com/jkroepke/openvpn-auth-oauth2/internal/openvpn"
 	"github.com/jkroepke/openvpn-auth-oauth2/internal/utils/testutils"
@@ -48,6 +51,10 @@ func TestServer_Listen(t *testing.T) {
 			client, err := dialer.DialContext(t.Context(), tc.protocol, managementInterface.Addr().String())
 			require.NoError(t, err)
 
+			t.Cleanup(func() {
+				_ = client.Close()
+			})
+
 			clientReader := bufio.NewReader(client)
 
 			testutils.ExpectMessage(t, client, clientReader, openvpn.WelcomeBanner)
@@ -108,7 +115,7 @@ func TestServer_Listen_Invalid_Addr(t *testing.T) {
 	}
 }
 
-func TestServer_Listen_Password(t *testing.T) {
+func TestServer_Listen_Password_Correct(t *testing.T) {
 	t.Parallel()
 
 	managementInterface, err := nettest.NewLocalListener("tcp")
@@ -128,6 +135,10 @@ func TestServer_Listen_Password(t *testing.T) {
 	client, err := dialer.DialContext(t.Context(), "tcp", managementInterface.Addr().String())
 	require.NoError(t, err)
 
+	t.Cleanup(func() {
+		_ = client.Close()
+	})
+
 	clientReader := bufio.NewReader(client)
 
 	resp, err := clientReader.ReadString(':')
@@ -139,3 +150,237 @@ func TestServer_Listen_Password(t *testing.T) {
 	testutils.ExpectMessage(t, client, clientReader, openvpn.WelcomeBanner)
 	testutils.SendMessagef(t, client, "quit")
 }
+
+func TestServer_Listen_Password_Incorrect(t *testing.T) {
+	t.Parallel()
+
+	managementInterface, err := nettest.NewLocalListener("tcp")
+	require.NoError(t, err)
+
+	err = managementInterface.Close()
+	require.NoError(t, err)
+
+	managementServer := management.NewServer(slog.New(slog.DiscardHandler), testutils.Secret)
+	err = managementServer.Listen(t.Context(), fmt.Sprintf("%s://%s", managementInterface.Addr().Network(), managementInterface.Addr().String()))
+	require.NoError(t, err)
+
+	t.Cleanup(managementServer.Close)
+
+	var dialer net.Dialer
+
+	client, err := dialer.DialContext(t.Context(), "tcp", managementInterface.Addr().String())
+	require.NoError(t, err)
+
+	t.Cleanup(func() {
+		_ = client.Close()
+	})
+
+	clientReader := bufio.NewReader(client)
+
+	resp, err := clientReader.ReadString(':')
+	require.NoError(t, err)
+	require.Equal(t, "ENTER PASSWORD:", resp)
+
+	testutils.SendMessagef(t, client, testutils.Password)
+	testutils.ExpectMessage(t, client, clientReader, "ERROR: bad password")
+	testutils.SendMessagef(t, client, "quit")
+}
+
+func TestServer_AuthPendingPoller(t *testing.T) {
+	t.Parallel()
+
+	for _, tc := range []struct {
+		name    string
+		command string
+		resp    string
+		testFn  func(t *testing.T, response *management.Response)
+	}{
+		{
+			name:    "client-auth-nt",
+			command: "client-auth-nt 1 0",
+			resp:    "SUCCESS: client-auth command succeeded",
+			testFn: func(t *testing.T, response *management.Response) {
+				t.Helper()
+
+				require.Equal(t, uint32(1), response.ClientID)
+				require.Equal(t, management.ClientAuthAccept, response.ClientAuth)
+			},
+		},
+		{
+			name:    "client-auth-nt invalid",
+			command: "client-auth-nt A B",
+			resp:    "ERROR: client-auth command failed",
+		},
+		{
+			name:    "client-auth",
+			command: "client-auth 2 0\r\npush \"reneg-sec 0\"\r\nEND",
+			resp:    "SUCCESS: client-auth command succeeded",
+			testFn: func(t *testing.T, response *management.Response) {
+				t.Helper()
+
+				require.Equal(t, uint32(2), response.ClientID)
+				require.Equal(t, management.ClientAuthAccept, response.ClientAuth)
+				require.Equal(t, "push \"reneg-sec 0\"", response.ClientConfig)
+			},
+		},
+		{
+			name:    "client-deny without reason",
+			command: "client-deny 3 0",
+			resp:    "SUCCESS: client-deny command succeeded",
+			testFn: func(t *testing.T, response *management.Response) {
+				t.Helper()
+
+				require.Equal(t, uint32(3), response.ClientID)
+				require.Equal(t, management.ClientAuthDeny, response.ClientAuth)
+				require.Equal(t, "access denied", response.Message)
+			},
+		},
+		{
+			name:    "client-deny",
+			command: "client-deny 3 0 \"internal error\"",
+			resp:    "SUCCESS: client-deny command succeeded",
+			testFn: func(t *testing.T, response *management.Response) {
+				t.Helper()
+
+				require.Equal(t, uint32(3), response.ClientID)
+				require.Equal(t, management.ClientAuthDeny, response.ClientAuth)
+				require.Equal(t, "internal error", response.Message)
+			},
+		},
+		{
+			name:    "client-pending-auth",
+			command: "client-pending-auth 4 0 \"WEB_AUTH::https://sso.example.com/auth?session=xyz\" 300",
+			resp:    "SUCCESS: client-pending-auth command succeeded",
+			testFn: func(t *testing.T, response *management.Response) {
+				t.Helper()
+
+				require.Equal(t, uint32(4), response.ClientID)
+				require.Equal(t, management.ClientAuthPending, response.ClientAuth)
+				require.Equal(t, "WEB_AUTH::https://sso.example.com/auth?session=xyz", response.Message)
+				require.Equal(t, "300", response.Timeout)
+			},
+		},
+		{
+			name:    "client-pending-auth without timeout",
+			command: "client-pending-auth 4 0 \"WEB_AUTH::https://sso.example.com/auth?session=xyz\"",
+			resp:    "ERROR: client-pending-auth command failed",
+			testFn: func(t *testing.T, response *management.Response) {
+				t.Helper()
+
+				require.Equal(t, uint32(4), response.ClientID)
+				require.Equal(t, management.ClientAuthDeny, response.ClientAuth)
+				require.Equal(t, "internal error", response.Message)
+			},
+		},
+		{
+			name:    "invalid",
+			command: "invalid",
+			resp:    "ERROR: unknown command, enter 'help' for more options",
+		},
+	} {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			managementInterface, err := nettest.NewLocalListener("tcp")
+			require.NoError(t, err)
+
+			err = managementInterface.Close()
+			require.NoError(t, err)
+
+			managementServer := management.NewServer(slog.New(slog.DiscardHandler), "")
+			err = managementServer.Listen(t.Context(), fmt.Sprintf("%s://%s", managementInterface.Addr().Network(), managementInterface.Addr().String()))
+			require.NoError(t, err)
+
+			t.Cleanup(managementServer.Close)
+
+			responseCh := make(chan *management.Response, 1)
+			errCh := make(chan error, 1)
+
+			var clientID uint64
+
+			if !strings.HasSuffix(tc.name, "invalid") {
+				clientID, err = strconv.ParseUint(strings.Split(tc.command, " ")[1], 10, 64)
+				require.NoError(t, err)
+
+				go func() {
+					response, err := managementServer.AuthPendingPoller(clientID, time.Second*5)
+
+					errCh <- err
+
+					responseCh <- response
+				}()
+			}
+
+			var dialer net.Dialer
+
+			client, err := dialer.DialContext(t.Context(), "tcp", managementInterface.Addr().String())
+			require.NoError(t, err)
+
+			t.Cleanup(func() {
+				_ = client.Close()
+			})
+
+			clientReader := bufio.NewReader(client)
+
+			testutils.ExpectMessage(t, client, clientReader, openvpn.WelcomeBanner)
+			testutils.SendMessagef(t, client, tc.command)
+
+			testutils.ExpectMessage(t, client, clientReader, tc.resp)
+
+			if strings.HasSuffix(tc.name, "invalid") {
+				return
+			}
+
+			require.NoError(t, <-errCh)
+
+			response := <-responseCh
+			require.NotNil(t, response)
+
+			if tc.testFn == nil {
+				return
+			}
+
+			tc.testFn(t, response)
+		})
+	}
+}
+
+func TestServer_AuthPendingPoller_Twice(t *testing.T) {
+	t.Parallel()
+
+	managementInterface, err := nettest.NewLocalListener("tcp")
+	require.NoError(t, err)
+
+	err = managementInterface.Close()
+	require.NoError(t, err)
+
+	managementServer := management.NewServer(slog.New(slog.DiscardHandler), "")
+	err = managementServer.Listen(t.Context(), fmt.Sprintf("%s://%s", managementInterface.Addr().Network(), managementInterface.Addr().String()))
+	require.NoError(t, err)
+
+	t.Cleanup(managementServer.Close)
+
+	errCh := make(chan error, 1)
+
+	go func() {
+		_, err := managementServer.AuthPendingPoller(0, time.Millisecond*10)
+		errCh <- err
+	}()
+
+	go func() {
+		_, err := managementServer.AuthPendingPoller(0, time.Millisecond*10)
+		errCh <- err
+	}()
+
+	require.EqualError(t, <-errCh, "poller for client ID 0 already exists")
+	require.EqualError(t, <-errCh, "timeout waiting for client response")
+}
+
+func TestClientAuth_String(t *testing.T) {
+	t.Parallel()
+
+	require.Equal(t, "ACCEPT", management.ClientAuthAccept.String())
+	require.Equal(t, "DENY", management.ClientAuthDeny.String())
+	require.Equal(t, "PENDING", management.ClientAuthPending.String())
+	require.Equal(t, "UNKNOWN", management.ClientAuth(4).String())
+}

lib/openvpn-auth-oauth2/openvpn/plugin_test.go

@@ -233,3 +233,17 @@ func TestPlugin(t *testing.T) {
 	// PluginClientDestructorV1
 	PluginClientDestructorV1(args.Handle, clientContext)
 }
+
+func TestPluginOpenV3_InvalidArgs(t *testing.T) {
+	t.Parallel()
+
+	status := PluginOpenV3(0, nil, nil)
+	require.Equal(t, c.OpenVPNPluginFuncError, status)
+}
+
+func TestPluginFuncV3_InvalidArgs(t *testing.T) {
+	t.Parallel()
+
+	status := PluginFuncV3(0, nil, nil)
+	require.Equal(t, c.OpenVPNPluginFuncError, status)
+}