
Commit 72d4ba7

committed
test: add Suites 5-7 — cert inspection, CRL coverage, permission fix
Suite 5: list clients (13), check expiry (15), cert details (17), generate all ovpn (18), generate single ovpn (19) — 11 tests
Suite 6: CRL renew (r→2), remove cron job (r→5) — 4 tests
Suite 7: permission clean check, break/fix key perm (22) — 5 tests
1 parent 2211f4a commit 72d4ba7

1 file changed

Lines changed: 126 additions & 0 deletions


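--- a/tests/integration_test.sh
+++ b/tests/integration_test.sh
@@ -266,6 +266,132 @@ expect_send "Select option:" "3" 5
 expect_send "Press Enter" "" 10
 check wait_for "Select an option:" 5
 
+# ── Suite 5: Certificate Inspection + Bulk .ovpn ─────────────────────────────
+# Runs after Suite 3 (client cert exists) and Suite 4 (client revoked).
+# server cert is still present; revoked client has moved to pki/revoked/.
+
+printf "\n--- [%s] Suite 5: Certificate Inspection + Bulk .ovpn ---\n" "$(ts)"
+
+it "option 13 lists clients"
+select_option "13"
+expect_send "Press Enter" "" 5
+check wait_for "Select an option:" 5
+
+it "option 15 checks certificate expiration"
+select_option "15"
+expect_send "Press Enter" "" 5
+check wait_for "Select an option:" 5
+
+it "expiration output mentions server cert"
+if grep -q "\[OK\]\|EXPIRED\|WARNING\|SOON" "$OVPN_PKI/issued/server.crt" 2>/dev/null || \
+openssl x509 -in "$OVPN_PKI/issued/server.crt" -noout -enddate 2>/dev/null | grep -q "notAfter"; then
+pass
+else
+fail "server cert enddate unreadable"
+fi
+
+it "option 17 shows server cert details"
+select_option "17"
+expect_send "Enter certificate name" "server" 5
+expect_send "Press Enter" "" 5
+check wait_for "Select an option:" 5
+
+it "option 18 generates all .ovpn files"
+select_option "18"
+expect_send "Continue" "y" 5
+expect_send "Press Enter" "" 10
+check wait_for "Select an option:" 5
+
+it "ovpn output directory exists"
+check assert_file_exists "$OVPN_DIR"
+
+it "server.ovpn not generated (server is not a client)"
+if test -f "$OVPN_DIR/server.ovpn"; then
+fail "server.ovpn should not be generated"
+else
+pass
+fi
+
+# Create a second client so option 19 (single .ovpn) has a valid target
+TEST_CLIENT2="testclient2"
+it "create second client for option 19 test"
+select_option "12"
+expect_send "Enter client name:" "$TEST_CLIENT2" 5
+expect_send "Generate" "n" 10 # skip ovpn here, test via option 19
+expect_send "Daemon restart" "n" 10
+check wait_for "Select an option:" 10
+
+it "option 19 generates single .ovpn file"
+select_option "19"
+expect_send "Enter client name:" "$TEST_CLIENT2" 5
+expect_send "Press Enter" "" 10
+check wait_for "Select an option:" 5
+
+it "single .ovpn file created for $TEST_CLIENT2"
+check assert_file_exists "$OVPN_DIR/$TEST_CLIENT2.ovpn"
+
+it ".ovpn profile has tls-crypt-v2 block"
+check assert_file_contains "$OVPN_DIR/$TEST_CLIENT2.ovpn" "<tls-crypt-v2>"
+
+# ── Suite 6: Complete CRL Coverage ───────────────────────────────────────────
+
+printf "\n--- [%s] Suite 6: Complete CRL Coverage ---\n" "$(ts)"
+
+it "CRL renew (r → 2)"
+select_option "r"
+expect_send "Select option:" "2" 5
+expect_send "Restart OpenVPN" "n" 15
+expect_send "Press Enter" "" 5
+check wait_for "Select an option:" 5
+
+it "CRL pem still exists after renew"
+check assert_file_exists "$OVPN_PKI/crl.pem"
+
+it "renewed CRL is valid"
+if openssl crl -in "$OVPN_PKI/crl.pem" -noout 2>/dev/null; then pass; else fail "crl.pem invalid after renew"; fi
+
+it "CRL remove cron job (r → 5)"
+select_option "r"
+expect_send "Select option:" "5" 5
+expect_send "Press Enter" "" 10
+check wait_for "Select an option:" 5
+
+it "cron job removed from /etc/crontabs/root"
+if grep -q "openvpn-crl-renewal" "$CRONTAB" 2>/dev/null; then
+fail "cron entry still present after removal"
+else
+pass
+fi
+
+# ── Suite 7: File Permission Check and Fix ────────────────────────────────────
+
+printf "\n--- [%s] Suite 7: File Permission Check and Fix ---\n" "$(ts)"
+
+it "option 22 reports all permissions OK (clean state)"
+select_option "22"
+expect_send "Press Enter" "" 10
+check wait_for "Select an option:" 5
+
+it "PKI private keys are 600 after Suite 1"
+check assert_file_perms "$OVPN_PKI/private/server.key" "600"
+
+it "intentionally break a key permission"
+chmod 644 "$OVPN_PKI/private/$TEST_CLIENT2.key"
+if [ "$(ls -la "$OVPN_PKI/private/$TEST_CLIENT2.key" | awk '{print $1}')" = "-rw-r--r--" ]; then
+pass
+else
+fail "chmod 644 did not take effect"
+fi
+
+it "option 22 detects and fixes broken permission"
+select_option "22"
+expect_send "Fix all permission issues" "yes" 10
+expect_send "Press Enter" "" 5
+check wait_for "Select an option:" 5
+
+it "key permission restored to 600 after fix"
+check assert_file_perms "$OVPN_PKI/private/$TEST_CLIENT2.key" "600"
+
 # ── Done ──────────────────────────────────────────────────────────────────────
 
 quit_script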
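Review bot: The Suite 6 checks after "CRL renew (r → 2)" only prove that `crl.pem` exists and parses, so they still pass if the renew was a no-op or if the regenerated CRL dropped the client revoked in Suite 4; a CRL that silently loses revoked serials would presumably re-admit that client. Capture `openssl crl -in "$OVPN_PKI/crl.pem" -noout -lastupdate` before the renew and assert that it changed afterwards, and add `openssl crl -in "$OVPN_PKI/crl.pem" -noout -text | grep -q "Serial Number:"` to confirm a revoked entry is still listed. The same weakness is in "expiration output mentions server cert": it greps the PEM file itself for status words and falls back to `-enddate`, so it never looks at what option 15 printed and passes for any parsable certificate. In Suite 7 the 644 check could presumably reuse `check assert_file_perms "$OVPN_PKI/private/$TEST_CLIENT2.key" "644"` rather than parsing `ls -la` output.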
