From 601401c98f237d5ac8fdbf1d4a130ba3f12ec216 Mon Sep 17 00:00:00 2001
From: Tim Kimber
Date: Wed, 26 Oct 2022 20:25:20 +0100
Subject: [PATCH] Add FTP_PORT
---
 getssl | 29 ++++---
 test/34-ftp-ports.bats | 167 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 186 insertions(+), 10 deletions(-)
 create mode 100644 test/34-ftp-ports.bats
diff --git a/getssl b/getssl
index 58bb1a7..e3668b0 100755
--- a/getssl
+++ b/getssl
@@ -319,6 +319,7 @@ DUAL_RSA_ECDSA="false"
 FTP_OPTIONS=""
 FTPS_OPTIONS=""
 FTP_ARGS=""
+FTP_PORT=""
 FULL_CHAIN_INCLUDE_ROOT="false"
 GETSSL_IGNORE_CP_PRESERVE="false"
 HTTP_TOKEN_CHECK_WAIT=0
@@ -1013,7 +1014,7 @@ copy_file_to_location() { # copies a file, using scp, sftp or ftp if required.
 ftpfile=$(basename "$ftplocn")
 fromdir=$(dirname "$from")
 fromfile=$(basename "$from")
- debug "ftp user=$ftpuser - pass=$ftppass - host=$ftphost dir=$ftpdirn file=$ftpfile"
+ debug "ftp user=$ftpuser - pass=$ftppass - host=$ftphost port=$FTP_PORT dir=$ftpdirn file=$ftpfile"
 debug "from dir=$fromdir file=$fromfile"
 if [ -n "$FTP_OPTIONS" ]; then
 # Use eval to expand any variables in FTP_OPTIONS
@@ -1021,7 +1022,7 @@ copy_file_to_location() { # copies a file, using scp, sftp or ftp if required.
 debug "FTP_OPTIONS=$FTP_OPTIONS"
 fi
 $FTP_COMMAND <<- _EOF
- open $ftphost
+ open $ftphost $FTP_PORT
 user $ftpuser $ftppass
 $FTP_OPTIONS
 cd $ftpdirn
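Review bot: The rewritten debug line in the @@ -1013 hunk still interpolates `pass=$ftppass`, so enabling debug output writes the FTP password to the log right next to the new port field; since the line is being touched anyway, drop the password from it, e.g. `debug "ftp user=$ftpuser - host=$ftphost port=$FTP_PORT dir=$ftpdirn file=$ftpfile"`. The same `pass=$ftppass` pattern is repeated in the sftp and ftps debug lines added later in this patch, so the change should be applied to all three. copy_file_to_location starts before this hunk and continues after it.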
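Review bot: `open $ftphost $FTP_PORT` in the @@ -1021 hunk is expanded inside an unquoted here-document, so FTP_PORT reaches the ftp client verbatim with no check that it is a port number; a value containing whitespace or a newline (a mis-edited config entry, presumably — where the config is loaded is not visible here) would become extra ftp commands rather than a clean failure. A single validation where FTP_PORT is read, before any of the three transports use it, would be enough: `if [[ -n "$FTP_PORT" && ! "$FTP_PORT" =~ ^[0-9]+$ ]]; then` followed by the script's usual fatal-error call with a message naming FTP_PORT. The default `FTP_PORT=""` added in the first hunk would still pass that check. The enclosing function continues outside this hunk.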
@@ -1038,10 +1039,11 @@ copy_file_to_location() { # copies a file, using scp, sftp or ftp if required.
 ftpfile=$(basename "$ftplocn")
 fromdir=$(dirname "$from")
 fromfile=$(basename "$from")
- debug "sftp $SFTP_OPTS user=$ftpuser - pass=$ftppass - host=$ftphost dir=$ftpdirn file=$ftpfile"
+ if [ -n "$FTP_PORT" ]; then SFTP_PORT="-P $FTP_PORT"; else SFTP_PORT=""; fi
+ debug "sftp $SFTP_OPTS user=$ftpuser - pass=$ftppass - host=$ftphost port=$FTP_PORT dir=$ftpdirn file=$ftpfile"
 debug "from dir=$fromdir file=$fromfile"
 # shellcheck disable=SC2086
- sshpass -p "$ftppass" sftp $SFTP_OPTS "$ftpuser@$ftphost" <<- _EOF
+ sshpass -p "$ftppass" sftp $SFTP_OPTS $SFTP_PORT "$ftpuser@$ftphost" <<- _EOF
 cd $ftpdirn
 lcd $fromdir
 put ./$fromfile
@@ -1064,7 +1066,7 @@ copy_file_to_location() { # copies a file, using scp, sftp or ftp if required.
 curl ${_NOMETER} -u "${davsuser}:${davspass}" -T "${fromdir}/${fromfile}" "https://${davshost}:${davsport}${davsdirn}${davsfile}"
 elif [[ "${to:0:6}" == "ftpes:" ]] || [[ "${to:0:5}" == "ftps:" ]] ; then
 # FTPES (FTP over explicit TLS/SSL, port 21) and FTPS (FTP over implicit TLS/SSL, port 990).
- debug "using ftp to copy the file from $from"
+ debug "using ${to:0:5} to copy the file from $from"
 ftpuser=$(echo "$to"| awk -F: '{print $2}')
 ftppass=$(echo "$to"| awk -F: '{print $3}')
 ftphost=$(echo "$to"| awk -F: '{print $4}')
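Review bot: The new `SFTP_PORT="-P $FTP_PORT"` relies on unquoted word-splitting of `$SFTP_PORT` on the sftp line to turn one string into two arguments, which is exactly what the existing `shellcheck disable=SC2086` was silencing for `$SFTP_OPTS`; an array avoids the splitting altogether: `sftp_port_args=()`, `[[ -n "$FTP_PORT" ]] && sftp_port_args=(-P "$FTP_PORT")`, then `"${sftp_port_args[@]}"` in place of `$SFTP_PORT`. With the string form, a non-numeric FTP_PORT is silently handed to sftp as additional options instead of being rejected. A lower-case, local name would also avoid the clash with the later hunk, where the same global `SFTP_PORT` is reassigned to hold a `:port` URL suffix for curl rather than an option for sftp. copy_file_to_location starts before and ends after this hunk.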
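Review bot: `debug "using ${to:0:5} to copy the file from $from"` in the @@ -1064 hunk prints `ftpes` for the explicit-TLS case but `ftps:` (with the trailing colon) for the implicit one, because the two scheme names differ in length; `${to%%:*}` yields the bare scheme in both cases. The same `${to:0:5}` is used in the debug line of the following hunk and would benefit from the same change. This hunk sits in the middle of copy_file_to_location.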
@@ -1073,18 +1075,25 @@ copy_file_to_location() { # copies a file, using scp, sftp or ftp if required.
 ftpfile=$(basename "$ftplocn")
 fromdir=$(dirname "$from")
 fromfile=$(basename "$from")
- debug "ftp user=$ftpuser - pass=$ftppass - host=$ftphost dir=$ftpdirn file=$ftpfile"
+
+ SFTP_PORT="";
+ if [ -n "$FTP_PORT" ]; then SFTP_PORT=":${FTP_PORT}"; fi
+ debug "${to:0:5} user=$ftpuser - pass=$ftppass - host=$ftphost port=$FTP_PORT dir=$ftpdirn file=$ftpfile"
 debug "from dir=$fromdir file=$fromfile"
 if [[ "${to:0:5}" == "ftps:" ]] ; then
+ # if no FTP_PORT is specified, then use default
+ if [ -z "$FTP_PORT" ]; then
+ SFTP_PORT=":990"
+ fi
 # shellcheck disable=SC2086
- debug curl ${_NOMETER} $FTPS_OPTIONS --ftp-ssl --ftp-ssl-reqd -u "${ftpuser}:${ftppass}" -T "${fromdir}/${fromfile}" "ftps://${ftphost}:990/${ftpdirn}/"
+ debug curl ${_NOMETER} $FTPS_OPTIONS --ftp-ssl --ftp-ssl-reqd -u "${ftpuser}:${ftppass}" -T "${fromdir}/${fromfile}" "ftps://${ftphost}${SFTP_PORT}/${ftpdirn}/"
 # shellcheck disable=SC2086
- curl ${_NOMETER} $FTPS_OPTIONS --ftp-ssl --ftp-ssl-reqd -u "${ftpuser}:${ftppass}" -T "${fromdir}/${fromfile}" "ftps://${ftphost}:990/${ftpdirn}/"
+ curl ${_NOMETER} $FTPS_OPTIONS --ftp-ssl --ftp-ssl-reqd -u "${ftpuser}:${ftppass}" -T "${fromdir}/${fromfile}" "ftps://${ftphost}${SFTP_PORT}/${ftpdirn}/"
 else
 # shellcheck disable=SC2086
- debug curl ${_NOMETER} $FTPS_OPTIONS --ftp-ssl --ftp-ssl-reqd -u "${ftpuser}:${ftppass}" -T "${fromdir}/${fromfile}" "ftp://${ftphost}/${ftpdirn}/"
+ debug curl ${_NOMETER} $FTPS_OPTIONS --ftp-ssl --ftp-ssl-reqd -u "${ftpuser}:${ftppass}" -T "${fromdir}/${fromfile}" "ftp://${ftphost}${SFTP_PORT}/${ftpdirn}/"
 # shellcheck disable=SC2086
- curl ${_NOMETER} $FTPS_OPTIONS --ftp-ssl --ftp-ssl-reqd -u "${ftpuser}:${ftppass}" -T "${fromdir}/${fromfile}" "ftp://${ftphost}/${ftpdirn}/"
+ curl ${_NOMETER} $FTPS_OPTIONS --ftp-ssl --ftp-ssl-reqd -u "${ftpuser}:${ftppass}" -T "${fromdir}/${fromfile}" "ftp://${ftphost}${SFTP_PORT}/${ftpdirn}/"
 fi
 else
 if ! mkdir -p "$(dirname "$to")" ; then
diff --git a/test/34-ftp-ports.bats b/test/34-ftp-ports.bats
new file mode 100644
index 0000000..bab0296
--- /dev/null
+++ b/test/34-ftp-ports.bats
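Review bot: In this hunk `SFTP_PORT=":${FTP_PORT}"` is spliced straight into the curl URL as `ftps://${ftphost}${SFTP_PORT}/...` with nothing checking that FTP_PORT is numeric; a malformed value such as `990@other.host` would make curl parse `${ftphost}:990` as userinfo and send the upload, together with the `-u` credentials, to `other.host` instead of failing. FTP_PORT presumably comes from the operator's own config, so this is a robustness issue rather than an attacker-controlled one, but a numeric check at the point FTP_PORT is read (`[[ "$FTP_PORT" =~ ^[0-9]+$ ]]`) would make a typo fail loudly. The name `SFTP_PORT` is also misleading here, since it holds a `:port` URL suffix for FTPS/FTPES and nothing sftp-related; `ftp_port_suffix` would read better and avoid the collision with the sftp branch earlier in the function. The comment `# if no FTP_PORT is specified, then use default` could state the actual behaviour: `# implicit FTPS: default to port 990 when FTP_PORT is unset (explicit FTPES leaves curl's default of 21)`. copy_file_to_location continues beyond the end of this hunk.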
@@ -0,0 +1,167 @@
+#! /usr/bin/env bats
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+
+
+# This is run for every test
+setup() {
+ [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
+ export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+ if [ -n "${VSFTPD_CONF}" ]; then
+ if [ ! -f "${VSFTPD_CONF}.getssl" ]; then
+ cp $VSFTPD_CONF ${VSFTPD_CONF}.getssl
+ else
+ cp ${VSFTPD_CONF}.getssl $VSFTPD_CONF
+ fi
+
+ # enable passive and disable active mode
+ # https://www.pixelstech.net/article/1364817664-FTP-active-mode-and-passive-mode
+ cat <<- _FTP >> $VSFTPD_CONF
+pasv_enable=YES
+pasv_max_port=10100
+pasv_min_port=10090
+_FTP
+ fi
+}
+
+
+teardown() {
+ [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
+ if [ -n "${VSFTPD_CONF}" ]; then
+ cp ${VSFTPD_CONF}.getssl $VSFTPD_CONF
+ ${CODE_DIR}/test/restart-ftpd stop
+ fi
+}
+
+
+
+@test "Use ftpes, FTP_PORT=1001 (explicit ssl, port 1001) to create challenge file" {
+ if [[ ! -f /etc/vsftpd.pem ]]; then
+ echo "FAILED: This test requires the previous test to succeed"
+ exit 1
+ fi
+
+ if [ -n "$STAGING" ]; then
+ skip "Using staging server, skipping internal test"
+ fi
+
+ if [[ ! 
-d /var/www/html/.well-known/acme-challenge ]]; then
+ mkdir -p /var/www/html/.well-known/acme-challenge
+ fi
+
+ # Restart vsftpd with ssl enabled
+ cat <<- _FTP >> $VSFTPD_CONF
+connect_from_port_20=NO
+listen_port=1001
+ssl_enable=YES
+allow_anon_ssl=NO
+force_local_data_ssl=NO
+force_local_logins_ssl=NO
+ssl_tlsv1=YES
+ssl_sslv2=NO
+ssl_sslv3=NO
+require_ssl_reuse=NO
+ssl_ciphers=HIGH
+rsa_cert_file=/etc/vsftpd.pem
+rsa_private_key_file=/etc/vsftpd.pem
+_FTP
+ ${CODE_DIR}/test/restart-ftpd start
+
+ # Always change ownership and permissions in case previous tests created the directories as root
+ chgrp -R www-data /var/www/html/.well-known
+ chmod -R g+w /var/www/html/.well-known
+
+ CONFIG_FILE="getssl-http01.cfg"
+ setup_environment
+ init_getssl
+
+ # Verbose output is needed so the test assertion passes
+ # On Ubuntu 14 and 18 curl errors with "unable to get issuer certificate" so disable cert check using "-k"
+ if [[ "$GETSSL_OS" == "ubuntu14" || "$GETSSL_OS" == "ubuntu18" ]]; then
+ cat <<- EOF > ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
+ ACL="ftpes:ftpuser:ftpuser:${GETSSL_CMD_HOST}:/var/www/html/.well-known/acme-challenge"
+ FTPS_OPTIONS="--cacert /etc/cacert.pem -v -k"
+ FTP_PORT=1001
+EOF
+ else
+ cat <<- EOF > ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
+ACL="ftpes:ftpuser:ftpuser:${GETSSL_CMD_HOST}:/var/www/html/.well-known/acme-challenge"
+FTPS_OPTIONS="--cacert /etc/cacert.pem -v"
+FTP_PORT=1001
+EOF
+ fi
+
+ create_certificate
+ assert_success
+ # assert_line --partial "SSL connection using TLSv1.3"
+ assert_line --partial "200 PROT now Private"
+
+ check_output_for_errors
+}
+
+
+@test "Use ftps, FTP_PORT=2002 (implicit ssl, port 2002) to create challenge file" {
+ if [[ ! 
-f /etc/vsftpd.pem ]]; then
+ echo "FAILED: This test requires the previous test to succeed"
+ exit 1
+ fi
+
+ if [ -n "$STAGING" ]; then
+ skip "Using staging server, skipping internal test"
+ fi
+
+ # Restart vsftpd listening on port 990
+ cat <<- _FTP >> $VSFTPD_CONF
+implicit_ssl=YES
+listen_port=2002
+connect_from_port_20=NO
+ssl_enable=YES
+allow_anon_ssl=NO
+force_local_data_ssl=NO
+force_local_logins_ssl=NO
+ssl_tlsv1=YES
+ssl_sslv2=NO
+ssl_sslv3=NO
+require_ssl_reuse=NO
+ssl_ciphers=HIGH
+rsa_cert_file=/etc/vsftpd.pem
+rsa_private_key_file=/etc/vsftpd.pem
+_FTP
+ ${CODE_DIR}/test/restart-ftpd start
+
+ if [[ ! -d /var/www/html/.well-known/acme-challenge ]]; then
+ mkdir -p /var/www/html/.well-known/acme-challenge
+ fi
+
+ # Always change ownership and permissions in case previous tests created the directories as root
+ chgrp -R www-data /var/www/html/.well-known
+ chmod -R g+w /var/www/html/.well-known
+
+ CONFIG_FILE="getssl-http01.cfg"
+ setup_environment
+ init_getssl
+
+ # Verbose output is needed so the test assertion passes
+ # On Ubuntu 14 and 18 curl errors with "unable to get issuer certificate" so disable cert check using "-k"
+ # as I don't have time to fix
+ if [[ "$GETSSL_OS" == "ubuntu14" || "$GETSSL_OS" == "ubuntu18" ]]; then
+ cat <<- EOF > ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
+ACL="ftps:ftpuser:ftpuser:${GETSSL_CMD_HOST}:/var/www/html/.well-known/acme-challenge"
+FTPS_OPTIONS="--cacert /etc/cacert.pem -v -k"
+FTP_PORT=2002
+EOF
+ else
+ cat <<- EOF > ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
+ACL="ftps:ftpuser:ftpuser:${GETSSL_CMD_HOST}:/var/www/html/.well-known/acme-challenge"
+FTPS_OPTIONS="--cacert /etc/cacert.pem -v"
+FTP_PORT=2002
+EOF
+ fi
+
+ create_certificate
+ assert_success
+ assert_line --partial "200 PROT now Private"
+ check_output_for_errors
+}
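Review bot: The comment `# Restart vsftpd listening on port 990` in the second test is stale: the config appended right below it sets `listen_port=2002` and the test title says port 2002, so it should read `# Restart vsftpd with implicit TLS, listening on port 2002`. Both tests also abort with a bare `exit 1` when /etc/vsftpd.pem is missing; bats-assert is loaded at the top of the file, so `fail "This test requires the previous test to succeed"` would report the failed precondition through bats instead of a raw shell exit — assuming the rest of the suite does not depend on the `exit 1` form. The `-k` branch for Ubuntu 14/18 disables certificate verification, which the comment already acknowledges, so those runs no longer exercise the `--cacert /etc/cacert.pem` path; it would be worth saying so in that comment rather than only that the check is disabled.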