T5735: Stunnel CLI and configuration #3588

Merged
merged 1 commit into from
Jun 24, 2024
Conversation

HollyGurza
Contributor

@HollyGurza HollyGurza commented Jun 6, 2024

Add CLI commands
Add config
Add conf_mode
Add systemd config
Add stunnel smoketests

Change Summary

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes)
  • Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
  • Other (please describe):

Related Task(s)

Related PR(s)

Component(s) name

Proposed changes

How to test

Simple test is:
configure server:

conf
del service stunnel
commit
set service stunnel server one connect address google.com
set service stunnel server one connect port 80
set service stunnel server one listen port 9001
set service stunnel server one psk serv id cli1
set service stunnel server one psk serv secret 1234567890ABCDEF1234567890ABCDEF
commit

configure client:

conf
del service stunnel
set service stunnel client cli1 connect address 192.168.122.166
set service stunnel client cli1 connect port 9001
set service stunnel client cli1 listen address 127.0.0.1
set service stunnel client cli1 listen port 80
set service stunnel client cli1 psk cli1 id cli1
set service stunnel client cli1 psk cli1 secret 1234567890ABCDEF1234567890ABCDEF
commit

try to make a request on the client side:

 curl -X GET http://127.0.0.1:80/
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="http://www.google.com/">here</A>.
</BODY></HTML>

Socks proxy example:

set service stunnel server one listen port '9001'
set service stunnel server one protocol 'socks'
set service stunnel server one psk serv id 'cli1'
set service stunnel server one psk serv secret '1234567890ABCDEF1234567890ABCDEF'

set service stunnel client one listen port '9000'
set service stunnel client one connect port '9001'
set service stunnel client one psk serv id 'cli1'
set service stunnel client one psk serv secret '1234567890ABCDEF1234567890ABCDEF'
commit

curl --proxy 'socks5h://127.0.0.1:9000' 'https://api.ipify.org/'

Smoketest result

vyos@vyos:~$ python3 /usr/libexec/vyos/tests/smoke/cli/test_service_stunnel.py 
test_01_stunnel_simple_client (__main__.TestServiceStunnel.test_01_stunnel_simple_client) ... 
client [app1]: listen port number is required!

ok
test_02_stunnel_simple_server (__main__.TestServiceStunnel.test_02_stunnel_simple_server) ... 
server [ser1]: listen port number is required!

ok
test_03_multy_services (__main__.TestServiceStunnel.test_03_multy_services) ... ok
test_04_cert_problems (__main__.TestServiceStunnel.test_04_cert_problems) ... 
PKI does not contain any CA certificates!


PKI does not contain any certificates!


server [app1]: TLS server needs a certificate or PSK


PKI does not contain any CA certificates!


PKI does not contain any certificates!

ok
test_05_psk_auth (__main__.TestServiceStunnel.test_05_psk_auth) ... ok
test_06_socks_proxy (__main__.TestServiceStunnel.test_06_socks_proxy) ... 
The 'connect' option cannot be used with the 'socks' protocol in server
mode.

ok
test_07_available_port (__main__.TestServiceStunnel.test_07_available_port) ... 
server [srv1]: Address 127.0.0.1:8001 already in use by other stunnel
service

ok
test_08_two_endpoints (__main__.TestServiceStunnel.test_08_two_endpoints) ... 
client [app1]: connect port number is required!

ok
test_09_pki_still_used (__main__.TestServiceStunnel.test_09_pki_still_used) ... 
PKI object "srv-1" still in use by "service stunnel server ser1 ssl
certificate"

ok
test_99_protocols (__main__.TestServiceStunnel.test_99_protocols) ... 
Additional option is only supported in the 'connect' and 'smtp'
protocols.


Additional option is only supported in the 'connect' and 'smtp'
protocols.


Additional option is only supported in the 'connect' and 'smtp'
protocols.


Additional option is only supported in the 'connect' and 'smtp'
protocols.


Additional option is only supported in the 'connect' and 'smtp'
protocols.


Additional option is only supported in the 'connect' and 'smtp'
protocols.


Protocol 'smtp' does not support options 'domain' and 'host'.


Additional option is only supported in the 'connect' and 'smtp'
protocols.

ok

----------------------------------------------------------------------
Ran 10 tests in 97.202s

OK

Checklist:

  • I have read the CONTRIBUTING document
  • I have linked this PR to one or more Phabricator Task(s)
  • I have run the components SMOKETESTS if applicable
  • My commit headlines contain a valid Task id
  • My change requires a change to the documentation
  • I have updated the documentation accordingly
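The "How to test" procedure above only succeeds when every service has both endpoints and a usable PSK; the review comments further down show what happens otherwise (commit passes, then stunnel exits with "Each service must define two endpoints"). The following is an added example, not VyOS's own service_stunnel.py: a commit-time verifier over a dict shaped like the CLI tree (the dict layout, the 0.0.0.0 wildcard default and the 16-character PSK minimum are assumptions; the message wording mirrors the smoketest output on this page). The sample configurations are constructed from the commands shown in this PR.

```python
# Added example: commit-time checks for a VyOS-style "service stunnel" config.
# Not the project's own code; `cfg` layout mirrors the CLI tree (assumption).
from typing import List, Tuple

MIN_PSK_SECRET_LEN = 16   # assumed minimum; '12345' fails at stunnel, a 32-char key works
WILDCARD = '0.0.0.0'      # assumption: a listener without an address binds all interfaces


def _listen_conflict(a: Tuple[str, int], b: Tuple[str, int]) -> bool:
    """Same port clashes if the addresses match or either side binds every interface."""
    return a[1] == b[1] and (a[0] == b[0] or WILDCARD in (a[0], b[0]))


def verify_service(kind: str, name: str, svc: dict,
                   seen: List[Tuple[str, int]], errors: List[str]) -> None:
    listen = svc.get('listen', {})
    connect = svc.get('connect', {})
    protocol = svc.get('protocol')

    if 'port' not in listen:
        errors.append(f'{kind} [{name}]: listen port number is required!')

    # stunnel refuses a section with a single endpoint; in server mode the
    # socks protocol supplies the second endpoint itself, so 'connect' is invalid there.
    if kind == 'server' and protocol == 'socks':
        if connect:
            errors.append("The 'connect' option cannot be used with the 'socks' "
                          "protocol in server mode.")
    elif 'port' not in connect:
        errors.append(f'{kind} [{name}]: connect port number is required!')

    if 'port' in listen:
        ep = (listen.get('address', WILDCARD), int(listen['port']))
        if any(_listen_conflict(ep, other) for other in seen):
            errors.append(f'{kind} [{name}]: Address {ep[0]}:{ep[1]} already in use '
                          'by other stunnel service')
        seen.append(ep)

    psks = svc.get('psk', {})
    if kind == 'server' and not psks and 'certificate' not in svc.get('ssl', {}):
        errors.append(f'server [{name}]: TLS server needs a certificate or PSK')
    for psk_name, psk in psks.items():
        if 'id' not in psk or 'secret' not in psk:
            errors.append(f'{kind} [{name}]: psk {psk_name} needs both id and secret')
        elif len(psk['secret']) < MIN_PSK_SECRET_LEN:
            errors.append(f'{kind} [{name}]: psk {psk_name} secret must be at least '
                          f'{MIN_PSK_SECRET_LEN} characters')

    if 'options' in svc and protocol not in ('connect', 'smtp'):
        errors.append("Additional option is only supported in the 'connect' and 'smtp' protocols.")


def verify(cfg: dict) -> List[str]:
    """Return every verification error; an empty list means the commit may proceed."""
    errors: List[str] = []
    seen: List[Tuple[str, int]] = []
    if not cfg.get('server') and not cfg.get('client'):
        errors.append('at least one stunnel client or server must be defined')
    for kind in ('server', 'client'):
        for name, svc in cfg.get(kind, {}).items():
            verify_service(kind, name, svc, seen, errors)
    return errors


# Constructed samples, taken from the commands in this PR thread.
KEY = '1234567890ABCDEF1234567890ABCDEF'
GOOD_PAIR = {
    'server': {'one': {'connect': {'address': 'google.com', 'port': '80'},
                       'listen': {'port': '9001'},
                       'psk': {'serv': {'id': 'cli1', 'secret': KEY}}}},
    'client': {'cli1': {'connect': {'address': '192.168.122.166', 'port': '9001'},
                        'listen': {'address': '127.0.0.1', 'port': '80'},
                        'psk': {'cli1': {'id': 'cli1', 'secret': KEY}}}},
}
REVIEW_NO_CONNECT = {'server': {'my-server': {
    'listen': {'port': '22222'}, 'psk': {'FOO': {'id': 'my-cert', 'secret': KEY}}}}}
REVIEW_SHORT_PSK = {'server': {'one': {
    'connect': {'address': 'google.com', 'port': '80'}, 'listen': {'port': '9001'},
    'psk': {'serv': {'id': 'cli1', 'secret': '12345'}}}}}
SOCKS_WITH_CONNECT = {'server': {'one': {
    'connect': {'address': 'google.com', 'port': '80'}, 'listen': {'port': '9001'},
    'protocol': 'socks', 'psk': {'serv': {'id': 'cli1', 'secret': KEY}}}}}
PORT_CLASH = {'server': {
    'srv1': {'listen': {'address': '127.0.0.1', 'port': '8001'},
             'connect': {'port': '80'}, 'psk': {'p': {'id': 'a', 'secret': KEY}}},
    'srv2': {'listen': {'port': '8001'},
             'connect': {'port': '81'}, 'psk': {'p': {'id': 'b', 'secret': KEY}}}}}

if __name__ == '__main__':
    for label, cfg in [('good', GOOD_PAIR), ('no connect', REVIEW_NO_CONNECT),
                       ('short psk', REVIEW_SHORT_PSK), ('socks+connect', SOCKS_WITH_CONNECT),
                       ('port clash', PORT_CLASH), ('empty', {})]:
        print(label, '->', verify(cfg) or 'OK')
```

Running the verifier before rendering the stunnel configuration turns the reviewer's "Job for stunnel.service failed" into a commit-time error that names the offending service, which also keeps a half-written commit from taking a working tunnel down.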

@HollyGurza HollyGurza requested a review from a team as a code owner June 6, 2024 09:07
@HollyGurza HollyGurza force-pushed the T5735 branch 2 times, most recently from cc8f076 to 91a3d3a on June 10, 2024 06:22

github-actions bot commented Jun 10, 2024

👍
No issues in PR Title / Commit Title

@sever-sever
Member

sever-sever commented Jun 13, 2024

Needs to be verified:
1.

vyos@r4# set service stunnel 
[edit]
vyos@r4# commit
[ service stunnel ]
VyOS had an issue completing a command.

Report time:      2024-06-13 12:01:01
Image version:    VyOS 1.5-rolling-202406130020
Release train:    current

Built by:         [email protected]
Built on:         Thu 13 Jun 2024 03:16 UTC
Build UUID:       84281102-574f-443d-83f7-af82b6ba3512
Build commit ID:  f2154b4252535e

Architecture:     x86_64
Boot via:         installed image
System type:      KVM guest

Hardware vendor:  QEMU
Hardware model:   Standard PC (Q35 + ICH9, 2009)
Hardware S/N:     
Hardware UUID:    166cfd25-7d3a-4eca-9ef6-0b655c9acf0f

Traceback (most recent call last):
  File "/usr/libexec/vyos/conf_mode/service_stunnel.py", line 198, in <module>
    generate(c)
  File "/usr/libexec/vyos/conf_mode/service_stunnel.py", line 129, in generate
    for c in stunnel['pki']['ca'].values()} if 'ca' in stunnel['pki'] else {}
                                                       ~~~~~~~^^^^^^^
KeyError: 'pki'



[[service stunnel]] failed
Commit failed
[edit]

set service stunnel server my-server connect address 'google.com'
set service stunnel server my-server connect port '80'
set service stunnel server my-server psk PSK id 'foo'
set service stunnel server my-server psk PSK secret '12345'
commit


vyos@r4# commit
[ service stunnel ]
Job for stunnel.service failed because the control process exited with error code.
See "systemctl status stunnel.service" and "journalctl -xeu stunnel.service" for details.

[edit]
vyos@r4# 


set service stunnel server one connect address google.com
set service stunnel server one connect port 80
set service stunnel server one listen port 9001
set service stunnel server one psk serv id cli1
set service stunnel server one psk serv secret 12345
commit


vyos@r4# commit
[ service stunnel ]
Job for stunnel.service failed because the control process exited with error code.
See "systemctl status stunnel.service" and "journalctl -xeu stunnel.service" for details.

[edit]
vyos@r4#
set service stunnel server one connect address 'google.com'
set service stunnel server one connect port '80'
set service stunnel server one listen port '9001'
set service stunnel server one protocol 'socks'
set service stunnel server one psk serv id 'cli1'
set service stunnel server one psk serv secret '1234567890ABCDEF1234567890ABCDEF'

vyos@r4# commit
[ service stunnel ]
Job for stunnel.service failed because the control process exited with error code.
See "systemctl status stunnel.service" and "journalctl -xeu stunnel.service" for details.

[edit]
vyos@r4# 

@sever-sever sever-sever left a comment


See the comment above. There should be several verifications before I can test it again.

interface-definitions/include/stunnel/port.xml.i (review comment, outdated, resolved)
@HollyGurza HollyGurza changed the title T5735: Stunnel CLI and configuration [Draft]T5735: Stunnel CLI and configuration Jun 13, 2024
@HollyGurza HollyGurza marked this pull request as draft June 13, 2024 14:51
@HollyGurza HollyGurza changed the title [Draft]T5735: Stunnel CLI and configuration T5735: Stunnel CLI and configuration Jun 13, 2024
@HollyGurza HollyGurza force-pushed the T5735 branch 2 times, most recently from 7cee2e9 to 560271e on June 17, 2024 11:01
@HollyGurza HollyGurza marked this pull request as ready for review June 17, 2024 11:03
@HollyGurza HollyGurza requested a review from sever-sever June 17, 2024 11:03
@sever-sever
Member

It seems not all required options were set

set service stunnel server my-server listen port '22222'
set service stunnel server my-server psk FOO id 'my-cert'
set service stunnel server my-server psk FOO secret '1234567890ABCDEF1234567890ABCDEF'

vyos@r4# commit
[ service stunnel ]
Job for stunnel.service failed because the control process exited with error code.
See "systemctl status stunnel.service" and "journalctl -xeu stunnel.service" for details.

[edit]
vyos@r4# 

Log:

Jun 18 12:49:32 r4 stunnel[6964]: [!] Service [my-server]: Each service must define two endpoints
Jun 18 12:49:32 r4 stunnel[6964]: [!] Configuration failed
Jun 18 12:49:32 r4 stunnel[6964]: [ ] Deallocating temporary section defaults
Jun 18 12:49:32 r4 stunnel[6964]: [ ] Deallocating section [my-server]
Jun 18 12:49:32 r4 systemd[1]: stunnel.service: Control process exited, code=exited, status=1/FAILURE
Jun 18 12:49:32 r4 systemd[1]: stunnel.service: Failed with result 'exit-code'.
Jun 18 12:49:32 r4 systemd[1]: Failed to start stunnel.service - SSL tunneling service.

src/conf_mode/service_stunnel.py (review comment, outdated, resolved)
Add CLI commands
Add config
Add conf_mode
Add systemd config
Add stunnel smoketests
Add log level config
@c-po c-po merged commit 6fbe91e into vyos:current Jun 24, 2024
12 of 13 checks passed