From 8931825841598c5539ed1da9274feac6a63ab261 Mon Sep 17 00:00:00 2001
From: Kyle Manna
Date: Sun, 1 Nov 2020 21:47:20 -0800
Subject: [PATCH] test: Drop --privileged docker run flag

* Fix all the test to not require this flag.
---
 test/client/wait-for-connect.sh | 41 ++++++++++++++++++++++-----------
 test/tests/basic/run.sh | 20 ++++++++--------
 test/tests/dual-proto/run.sh | 9 ++++----
 test/tests/otp/run.sh | 20 +++++++---------
 test/tests/revocation/run.sh | 6 ++---
 5 files changed, 51 insertions(+), 45 deletions(-)

diff --git a/test/client/wait-for-connect.sh b/test/client/wait-for-connect.sh
index fa69afd8..fdc03242 100755
--- a/test/client/wait-for-connect.sh
+++ b/test/client/wait-for-connect.sh
@@ -5,6 +5,12 @@ set -e
 OPENVPN_CONFIG=${1:-/client/config.ovpn}
+# For some reason privileged mode creates the char device and cap-add=NET_ADMIN doesn't
+mkdir -p /dev/net
+if [ ! -c /dev/net/tun ]; then
+ mknod /dev/net/tun c 10 200
+fi
+
 # Run in background using bash job management, setup trap to clean-up
 trap "{ jobs -p | xargs -r kill; wait; }" EXIT
 openvpn --config "$OPENVPN_CONFIG" --management 127.0.0.1 9999 &
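Review bot: The comment above `mkdir -p /dev/net` explains the wrong thing: `--privileged` exposes every host device node to the container, whereas `--cap-add=NET_ADMIN` only changes the capability set, so nothing ever creates `/dev/net/tun` in the unprivileged run; the `mknod` itself needs CAP_MKNOD, which Docker's default capability set still grants. I would replace it with `# --privileged exposed the host's /dev; with only --cap-add=NET_ADMIN the container has no /dev/net/tun, so create it here (mknod needs CAP_MKNOD, which is in Docker's default set)`. The least-privilege alternative is to pass `--device=/dev/net/tun` on the `docker run` lines in the test scripts and drop the `mknod` entirely, which would also let the client containers run with `--cap-drop=MKNOD`. The rest of this script continues in the next hunk.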
@@ -12,26 +18,33 @@ openvpn --config "$OPENVPN_CONFIG" --management 127.0.0.1 9999 &
 # Spin waiting for interface to exist signifying connection
 timeout=10
 for i in $(seq $timeout); do
+ # Allow to start-up
+ sleep 0.5
- # Break when connected
- #echo state | busybox nc 127.0.0.1 9999 | grep -q "CONNECTED,SUCCESS" && break;
+ # Use bash magic to open tcp socket on fd 3 and break when successful
+ exec 3<>/dev/tcp/127.0.0.1/9999 && break
+done
+
+if [ $i -ge $timeout ]; then
+ echo "Error connecting to OpenVPN mgmt interface, i=$i, exiting."
+ exit 2
+fi
- # Bash magic for tcp sockets
- if exec 3<>/dev/tcp/127.0.0.1/9999; then
- # Consume all header input
- while read -t 0.1 <&3; do true; done
- echo "state" >&3
- read -t 1 <&3
- echo -n $REPLY | grep -q "CONNECTED,SUCCESS" && break || true
- exec 3>&-
- fi
+# Consume all header input and echo, look for errors here
+while read -t 0.1 <&3; do echo $REPLY; done
- # Else sleep
+# Request state over mgmt interface
+timeout=10
+for i in $(seq $timeout); do
+ echo "state" >&3
+ state=$(head -n1 <&3)
+ echo -n "$state" | grep -q 'CONNECTED,SUCCESS' && break
 sleep 1
 done
 if [ $i -ge $timeout ]; then
- echo "Error starting OpenVPN, i=$i, exiting."
- exit 2
+ echo "Error connecting to OpenVPN, i=$i, exiting."
+ exit 3
 fi
+exec 3>&-
diff --git a/test/tests/basic/run.sh b/test/tests/basic/run.sh
index 0d1f8b1c..26760696 100755
--- a/test/tests/basic/run.sh
+++ b/test/tests/basic/run.sh
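Review bot: In the new polling loop `state=$(head -n1 <&3)` is unreliable: the management interface answers `state` with the state line followed by an `END` line, and `head` on a non-seekable socket consumes whatever arrived in its first read, so the next iteration may either block (no timeout on `head`) or read a stale `END` and miss `CONNECTED,SUCCESS`. Reading with the shell's own `read -r -t` until `END` keeps the stream in sync and bounds each wait; management lines may be CRLF-terminated, so strip a trailing CR before comparing. A second, pre-existing issue the rewrite now repeats twice is `if [ $i -ge $timeout ]`: success on the tenth iteration leaves `i=10` and is reported as a failure, which a `connected` flag set before `break` avoids. The banner-draining loop should also use `printf '%s\n' "$REPLY"` rather than unquoted `echo $REPLY`, so banner text is not word-split or globbed.

```shell
# Consume all header input and echo, look for errors here
while read -r -t 0.1 <&3; do printf '%s\n' "$REPLY"; done

# Request state over mgmt interface
timeout=10
connected=
for i in $(seq $timeout); do
  echo "state" >&3
  state=
  # Reply is one state line terminated by "END"; drain it completely so the
  # next poll does not read leftovers, and bound each read so a wedged
  # socket cannot hang the test.
  while IFS= read -r -t 5 line <&3; do
    line=${line%$'\r'}
    [ "$line" = "END" ] && break
    state=$line
  done
  if printf '%s' "$state" | grep -q 'CONNECTED,SUCCESS'; then
    connected=1
    break
  fi
  sleep 1
done

if [ -z "$connected" ]; then
  echo "Error connecting to OpenVPN, i=$i, exiting."
  exit 3
fi
exec 3>&-
```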
@@ -25,21 +25,19 @@ docker run -v $OVPN_DATA:/etc/openvpn --rm $IMG ovpn_listclients | grep $CLIENT
 # Fire up the server and setup a trap to always clean it up
 #
 trap "{ jobs -p | xargs -r kill; wait; }" EXIT
-docker run --name "ovpn-test" -v $OVPN_DATA:/etc/openvpn --rm -p 1194:1194/udp --privileged $IMG &
+docker run --name "ovpn-test" -v $OVPN_DATA:/etc/openvpn --rm -e DEBUG --cap-add=NET_ADMIN $IMG &
-#for i in $(seq 10); do
-# SERV_IP=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}')
-# test -n "$SERV_IP" && break
-#done
-#sed -ie s:SERV_IP:$SERV_IP:g config.ovpn
+for i in $(seq 10); do
+ SERV_IP_INTERNAL=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' "ovpn-test" 2>/dev/null || true)
+ test -n "$SERV_IP_INTERNAL" && break
+ sleep 0.1
+done
+sed -i -e s:$SERV_IP:$SERV_IP_INTERNAL:g ${CLIENT_DIR}/config.ovpn
 #
-# Fire up a client in a container since openvpn is disallowed by Travis-CI, don't NAT
-# the host as it confuses itself:
-# "Incoming packet rejected from [AF_INET]172.17.42.1:1194[2], expected peer address: [AF_INET]10.240.118.86:1194"
+# Fire up a client in a container since openvpn is disallowed by Travis-CI
 #
-docker run --rm --net=host --privileged --volume $CLIENT_DIR:/client $IMG /client/wait-for-connect.sh
-
+docker run --rm --cap-add=NET_ADMIN -e DEBUG --volume $CLIENT_DIR:/client $IMG /client/wait-for-connect.sh
 #
 # Celebrate
diff --git a/test/tests/dual-proto/run.sh b/test/tests/dual-proto/run.sh
index 08aa13dd..63043450 100755
--- a/test/tests/dual-proto/run.sh
+++ b/test/tests/dual-proto/run.sh
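Review bot: The new discovery loop can fall through with `SERV_IP_INTERNAL` empty (ten tries 0.1 s apart, with `docker inspect` errors hidden by `2>/dev/null || true`), and then `sed -i -e s:$SERV_IP:$SERV_IP_INTERNAL:g` silently deletes the server address from the client config, so the test only fails ten seconds later inside wait-for-connect.sh with a misleading "Error connecting" message. Guard right after the loop: `test -n "$SERV_IP_INTERNAL" || { echo "ovpn-test: could not determine container IP" >&2; exit 1; }`. While there, quote the expansions, `sed -i -e "s:$SERV_IP:$SERV_IP_INTERNAL:g" "${CLIENT_DIR}/config.ovpn"`; the unescaped dots in `$SERV_IP` match any character, harmless for an IP literal but worth a comment. Dropping `-p 1194:1194/udp` and `--net=host` here is the right direction: the server no longer listens on the CI host and the client's tun device and routes stay inside its own container.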
@@ -37,17 +37,16 @@ docker run -v $OVPN_DATA:/etc/openvpn --rm $IMG ovpn_listclients | grep $CLIENT_
 # Run in shell bg to get logs, setup trap to clean-up
 trap "{ jobs -p | xargs -r kill; wait; }" EXIT
-docker run --name "ovpn-test-udp" -v $OVPN_DATA:/etc/openvpn --rm -p 1194:1194/udp --privileged $IMG &
-docker run --name "ovpn-test-tcp" -v $OVPN_DATA:/etc/openvpn --rm -p 443:1194/tcp --privileged $IMG ovpn_run --proto tcp &
+docker run --name "ovpn-test-udp" -v $OVPN_DATA:/etc/openvpn --rm -p 1194:1194/udp --cap-add=NET_ADMIN $IMG &
+docker run --name "ovpn-test-tcp" -v $OVPN_DATA:/etc/openvpn --rm -p 443:1194/tcp --cap-add=NET_ADMIN $IMG ovpn_run --proto tcp &
 #
 # Fire up a clients in a containers since openvpn is disallowed by Travis-CI, don't NAT
 # the host as it confuses itself:
 # "Incoming packet rejected from [AF_INET]172.17.42.1:1194[2], expected peer address: [AF_INET]10.240.118.86:1194"
 #
-docker run --rm --net=host --privileged --volume $CLIENT_DIR:/client $IMG /client/wait-for-connect.sh
-docker run --rm --net=host --privileged --volume $CLIENT_DIR:/client $IMG /client/wait-for-connect.sh "/client/config-tcp.ovpn"
-
+docker run --rm --net=host --cap-add=NET_ADMIN --volume $CLIENT_DIR:/client $IMG /client/wait-for-connect.sh
+docker run --rm --net=host --cap-add=NET_ADMIN --volume $CLIENT_DIR:/client $IMG /client/wait-for-connect.sh "/client/config-tcp.ovpn"
 #
 # Celebrate
diff --git a/test/tests/otp/run.sh b/test/tests/otp/run.sh
index d320fd71..ad9cac30 100755
--- a/test/tests/otp/run.sh
+++ b/test/tests/otp/run.sh
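Review bot: Both client runs keep `--net=host`, so with `--cap-add=NET_ADMIN` the OpenVPN client now creates its tun device and installs whatever routes the server pushes directly in the CI host's network namespace, and the unauthenticated management socket that wait-for-connect.sh opens on `127.0.0.1:9999` is bound on the host loopback where any local process can reach it. The basic test in this same commit shows the fix: drop `--net=host` and the two `-p` publishes, resolve `ovpn-test-udp` and `ovpn-test-tcp` with `docker inspect --format '{{ .NetworkSettings.IPAddress }}'`, and substitute those addresses into config.ovpn and config-tcp.ovpn respectively before starting the clients. If `--net=host` is kept deliberately (the retained comment about NAT confusion suggests it might be), say so in the comment and note that pushed routes land on the host.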
@@ -50,21 +50,17 @@ grep 'reneg-sec 0' $CLIENT_DIR/config.ovpn || abort 'reneg-sec not set to 0 in c
 # Fire up the server
 #
 trap "{ jobs -p | xargs -r kill; wait; }" EXIT
-docker run --name "ovpn-test" -v $OVPN_DATA:/etc/openvpn --rm -p 1194:1194/udp --privileged $IMG &
+docker run --name "ovpn-test" -v $OVPN_DATA:/etc/openvpn --rm --cap-add=NET_ADMIN $IMG &
-#for i in $(seq 10); do
-# SERV_IP=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}')
-# test -n "$SERV_IP" && break
-#done
-#sed -ie s:SERV_IP:$SERV_IP:g $CLIENT_DIR/config.ovpn
+for i in $(seq 10); do
+ SERV_IP_INTERNAL=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}')
+ test -n "$SERV_IP_INTERNAL" && break
+done
+sed -ie s:$SERV_IP:$SERV_IP:g $CLIENT_DIR/config.ovpn
 #
-# Fire up a client in a container since openvpn is disallowed by Travis-CI, don't NAT
-# the host as it confuses itself:
-# "Incoming packet rejected from [AF_INET]172.17.42.1:1194[2], expected peer address: [AF_INET]10.240.118.86:1194"
-#
-docker run --rm --net=host --privileged --volume $CLIENT_DIR:/client $IMG /client/wait-for-connect.sh
-
+# Fire up a client in a container since openvpn is disallowed by Travis-CI
+docker run --rm --net=host --cap-add=NET_ADMIN --volume $CLIENT_DIR:/client $IMG /client/wait-for-connect.sh
 #
 # Celebrate
diff --git a/test/tests/revocation/run.sh b/test/tests/revocation/run.sh
index 972c98d4..e12d5158 100755
--- a/test/tests/revocation/run.sh
+++ b/test/tests/revocation/run.sh
@@ -54,7 +54,7 @@ docker exec -it $NAME bash -c "echo 'yes' | ovpn_revokeclient $CLIENT1"
 #
 # Test that openvpn client can't connect using $CLIENT1 config.
 #
-if docker run --rm -v $CLIENT_DIR:/client --cap-add=NET_ADMIN --privileged --net=host $IMG /client/wait-for-connect.sh; then
+if docker run --rm -v $CLIENT_DIR:/client --cap-add=NET_ADMIN --cap-add=NET_ADMIN --net=host $IMG /client/wait-for-connect.sh; then
 echo "Client was able to connect after revocation test #1." >&2
 exit 2
 fi
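Review bot: The new address-discovery block is a broken copy of the one in test/tests/basic/run.sh: `docker inspect` is called without the container name, so it errors out and `SERV_IP_INTERNAL` stays empty, the loop has no `sleep`, and `sed -ie s:$SERV_IP:$SERV_IP:g` substitutes the address with itself, leaving the client pointed at the host address even though the server's `-p 1194:1194/udp` publish is dropped in this same hunk. `-ie` is also `-i` with backup suffix `e` (it leaves a stray `config.ovpne`), which the basic test already corrected to `-i -e`. Bring the block in line with the basic test and fail loudly if no address is found, using the script's existing `abort` helper:

```shell
for i in $(seq 10); do
  SERV_IP_INTERNAL=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' "ovpn-test" 2>/dev/null || true)
  test -n "$SERV_IP_INTERNAL" && break
  sleep 0.1
done
test -n "$SERV_IP_INTERNAL" || abort 'could not determine ovpn-test container IP'
sed -i -e "s:$SERV_IP:$SERV_IP_INTERNAL:g" "$CLIENT_DIR/config.ovpn"
```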
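Review bot: `--cap-add=NET_ADMIN --cap-add=NET_ADMIN` on the new `if docker run` line is a search-and-replace leftover: the line already carried `--cap-add=NET_ADMIN` before `--privileged`, so the replacement should have been a deletion, and while Docker accepts the duplicate it reads as if two different capabilities were intended. The line should be `if docker run --rm -v $CLIENT_DIR:/client --cap-add=NET_ADMIN --net=host $IMG /client/wait-for-connect.sh; then`. `--net=host` remains, so this client still brings up its tun device and routes in the host network namespace; the basic test in this commit shows the bridge-IP approach that avoids it.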
@@ -66,7 +66,7 @@ docker exec -it $NAME easyrsa build-client-full $CLIENT2 nopass
 docker exec -it $NAME ovpn_getclient $CLIENT2 > $CLIENT_DIR/config.ovpn
 docker exec -it $NAME bash -c "echo 'yes' | ovpn_revokeclient $CLIENT2"
-if docker run --rm -v $CLIENT_DIR:/client --cap-add=NET_ADMIN --privileged --net=host $IMG /client/wait-for-connect.sh; then
+if docker run --rm -v $CLIENT_DIR:/client --cap-add=NET_ADMIN --cap-add=NET_ADMIN --net=host $IMG /client/wait-for-connect.sh; then
 echo "Client was able to connect after revocation test #2." >&2
 exit 2
 fi
@@ -79,7 +79,7 @@ docker stop $NAME && docker start $NAME
 #
 # Test for failed connection using $CLIENT2 config again.
 #
-if docker run --rm -v $CLIENT_DIR:/client --cap-add=NET_ADMIN --privileged --net=host $IMG /client/wait-for-connect.sh; then
+if docker run --rm -v $CLIENT_DIR:/client --cap-add=NET_ADMIN --cap-add=NET_ADMIN --net=host $IMG /client/wait-for-connect.sh; then
 echo "Client was able to connect after revocation test #3." >&2
 exit 2
 fi
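Review bot: Both hunks on this line repeat the `--cap-add=NET_ADMIN --cap-add=NET_ADMIN` leftover from replacing `--privileged`; a single flag suffices, `if docker run --rm -v $CLIENT_DIR:/client --cap-add=NET_ADMIN --net=host $IMG /client/wait-for-connect.sh; then`. Separately, the rewritten wait-for-connect.sh now exits 2 when the management port never accepts and 3 when the client never reaches CONNECTED, yet these checks still treat every non-zero status as a successful revocation, so a client container that broke for an unrelated reason (missing /dev/net/tun, bad config path) passes all three tests. Capturing the status and requiring 3 makes the assertion say what it means: `rc=0; docker run --rm -v $CLIENT_DIR:/client --cap-add=NET_ADMIN --net=host $IMG /client/wait-for-connect.sh || rc=$?` followed by `[ "$rc" -eq 3 ] || { echo "unexpected status $rc in revocation test #3." >&2; exit 2; }`. This assumes the script runs under `set -e` (not visible in the hunk), which is why the `|| rc=$?` form is used.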