From 79ac70653d5432eb6db3153ed6754de050a7c291 Mon Sep 17 00:00:00 2001 From: Tim Kimber Date: Thu, 7 Jan 2021 21:54:16 +0000 Subject: [PATCH 1/8] Add chmod to ftp command --- getssl | 1 + 1 file changed, 1 insertion(+) diff --git a/getssl b/getssl index 4ca7f1b..9a42b28 100755 --- a/getssl +++ b/getssl @@ -859,6 +859,7 @@ copy_file_to_location() { # copies a file, using scp, sftp or ftp if required. cd $ftpdirn lcd $fromdir put ./$fromfile + chmod 644 $fromfile _EOF elif [[ "${to:0:5}" == "sftp:" ]] ; then debug "using sftp to copy the file from $from" From 12eb0ae0d1ec2395d9a0cae5dfa914307bceae0a Mon Sep 17 00:00:00 2001 From: Tim Kimber Date: Thu, 7 Jan 2021 21:55:33 +0000 Subject: [PATCH 2/8] First ftp test --- test/33-ftp.bats | 37 +++++++++++++++++++++++++++++++++++++ test/Dockerfile-ubuntu | 10 ++++++++++ test/restart-ftpd | 11 +++++++++++ test/run-test.cmd | 2 +- 4 files changed, 59 insertions(+), 1 deletion(-) create mode 100644 test/33-ftp.bats create mode 100644 test/restart-ftpd diff --git a/test/33-ftp.bats b/test/33-ftp.bats new file mode 100644 index 0000000..d6387df --- /dev/null +++ b/test/33-ftp.bats 
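Review bot: The added `chmod 644 $fromfile` is sent to the server as a `SITE CHMOD` after `put`, and nothing in the visible heredoc block reacts if the server refuses it; in my experience ftp(1) exits 0 regardless of what the server answered, so a rejected chmod is silent. If world-readability of the token matters, verify it after upload (a fetch of the challenge URL) rather than trusting the client; if it is only best-effort, say so with `# best-effort: servers without SITE CHMOD just reject this`. copy_file_to_location starts before this hunk.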
@@ -0,0 +1,37 @@ +#! /usr/bin/env bats + +load '/bats-support/load.bash' +load '/bats-assert/load.bash' +load '/getssl/test/test_helper.bash' + + +# This is run for every test +setup() { + export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt +} + + +@test "Use FTP to create challenge file" { + if [ -n "$STAGING" ]; then + skip "Using staging server, skipping internal test" + fi + + ${CODE_DIR}/test/restart-ftpd + if [[ ! -d /var/www/html/.well-known/acme-challenge ]]; then + mkdir -p /var/www/html/.well-known/acme-challenge + chgrp -R www-data /var/www/html/.well-known + chmod -R g+w /var/www/html/.well-known + fi + + CONFIG_FILE="getssl-http01.cfg" + setup_environment + init_getssl + + cat <<- EOF > ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg +ACL="ftp:ftpuser:ftpuser:${GETSSL_CMD_HOST}:/var/www/html/.well-known/acme-challenge" +EOF + + create_certificate -d + assert_success + check_output_for_errors +} diff --git a/test/Dockerfile-ubuntu b/test/Dockerfile-ubuntu index 3849e55..4e80409 100644 --- a/test/Dockerfile-ubuntu +++ b/test/Dockerfile-ubuntu @@ -9,6 +9,16 @@ ENV DEBIAN_FRONTEND noninteractive RUN apt-get update --fix-missing RUN apt-get install -y git curl dnsutils ldnsutils wget nginx-light RUN apt-get install -y vim dos2unix # for debugging +RUN apt-get install -y ftp vsftpd +RUN apt-get install -y openssh-server + +RUN echo "write_enable=YES" >> /etc/vsftpd.conf +RUN adduser ftpuser +RUN echo 'ftpuser:ftpuser' | chpasswd +RUN adduser ftpuser www-data +RUN adduser root www-data +RUN chown -R www-data.www-data /var/www +RUN chmod g+w -R /var/www WORKDIR /root diff --git a/test/restart-ftpd b/test/restart-ftpd new file mode 100644 index 0000000..279c2ff --- /dev/null +++ b/test/restart-ftpd 
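Review bot: The image now runs a writable FTP server with a fixed `ftpuser:ftpuser` password, `root` added to `www-data`, and `chmod g+w -R /var/www`, which makes the entire web root writable by the FTP account rather than just the challenge directory (vsftpd's default is also no chroot). That is acceptable for a throwaway test container, but it should be stated and scoped: add `# test-only FTP server: fixed password, writable, no chroot - never publish port 21 from this image` above the block, and narrow the write grant to `chmod -R g+w /var/www/html/.well-known`, which 33-ftp.bats already creates and chgrp's.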
@@ -0,0 +1,11 @@ +#!/usr/bin/env bash + +if [ "$GETSSL_OS" = "alpine" ]; then + killall -HUP vsftpd >&3- + sleep 5 +elif [[ "$GETSSL_OS" == "centos"[78] ]]; then + pgrep vsftpd | head -1 | xargs kill -HUP + sleep 5 +else + service vsftpd restart >/dev/null >&3- +fi diff --git a/test/run-test.cmd b/test/run-test.cmd index d33c005..5908de7 100644 --- a/test/run-test.cmd +++ b/test/run-test.cmd @@ -45,7 +45,7 @@ set GETSSL_OS=alpine :Run for %%I in (.) do set CurrDirName=%%~nxI -docker build --rm -f "test\Dockerfile-%OS%" -t getssl-%OS% . +docker build --pull --rm -f "test\Dockerfile-%OS%" -t getssl-%OS% . @echo on docker run -it ^ --env GETSSL_HOST=%ALIAS% %STAGING% ^ From 4d23e085e146b8712860e60a13a6780c35b81262 Mon Sep 17 00:00:00 2001 From: Tim Kimber Date: Sat, 16 Jan 2021 15:12:22 +0000 Subject: [PATCH 3/8] Add FTP_OPTIONS --- getssl | 36 ++++++++++++++++++++++++++++++------ test/33-ftp.bats | 3 ++- 2 files changed, 32 insertions(+), 7 deletions(-) diff --git a/getssl b/getssl index 9a42b28..f34cac0 100755 --- a/getssl +++ b/getssl @@ -274,6 +274,7 @@ DEACTIVATE_AUTH="false" DEFAULT_REVOKE_CA="https://acme-v02.api.letsencrypt.org" DOMAIN_KEY_LENGTH=4096 DUAL_RSA_ECDSA="false" +FTP_OPTIONS="" GETSSL_IGNORE_CP_PRESERVE="false" HTTP_TOKEN_CHECK_WAIT=0 IGNORE_DIRECTORY_DOMAIN="false" @@ -842,6 +843,9 @@ copy_file_to_location() { # copies a file, using scp, sftp or ftp if required. if [[ "$cert" != "challenge token" ]] ; then error_exit "ftp is not a secure method for copying certificates or keys" fi + if [[ -z "$FTP_COMMAND" ]]; then + error_exit "No ftp command found" + fi debug "using ftp to copy the file from $from" ftpuser=$(echo "$to"| awk -F: '{print $2}') ftppass=$(echo "$to"| awk -F: '{print $3}') 
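Review bot: In `service vsftpd restart >/dev/null >&3-` the second redirection replaces the first, so stdout goes to fd 3 (bats' real stdout) and the `/dev/null` is a no-op, while stderr is not redirected at all. If the restart is meant to be silent use `service vsftpd restart >/dev/null 2>&1`; if it is meant to show in bats output, drop the `>/dev/null`. In the centos branch `pgrep vsftpd | head -1 | xargs kill -HUP` runs `kill -HUP` with no argument when nothing matches (a usage error that the script, lacking `set -e`, ignores); `pkill -HUP -o vsftpd` does the same job without the pipeline.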
@@ -853,13 +857,18 @@ copy_file_to_location() { # copies a file, using scp, sftp or ftp if required. fromfile=$(basename "$from") debug "ftp user=$ftpuser - pass=$ftppass - host=$ftphost dir=$ftpdirn file=$ftpfile" debug "from dir=$fromdir file=$fromfile" - ftp -n <<- _EOF - open $ftphost - user $ftpuser $ftppass + if [ -n "$FTP_OPTIONS" ]; then + # Use eval to expand any variables in FTP_OPTIONS + FTP_OPTIONS=$(eval echo "$FTP_OPTIONS") + debug "FTP_OPTIONS=$FTP_OPTIONS" + fi + $FTP_COMMAND <<- _EOF + connect $ftphost + user $ftpuser $ftppass cd $ftpdirn lcd $fromdir put ./$fromfile - chmod 644 $fromfile + $FTP_OPTIONS _EOF elif [[ "${to:0:5}" == "sftp:" ]] ; then debug "using sftp to copy the file from $from" @@ -1119,6 +1128,18 @@ find_dns_utils() { fi } +find_ftp_command() { + FTP_COMMAND="" + if [[ -n "$(command -v ftp 2>/dev/null)" ]]; then + debug "Has ftp" + FTP_COMMAND="ftp -n" + elif [[ -n "$(command -v lftp 2>/dev/null)" ]]; then + debug "Has lftp" + FTP_COMMAND="lftp" + fi +} + + fulfill_challenges() { dn=0 for d in "${alldomains[@]}"; do @@ -1268,8 +1289,8 @@ for d in "${alldomains[@]}"; do ftppass=$(echo "${t_loc}"| awk -F: '{print $3}') ftphost=$(echo "${t_loc}"| awk -F: '{print $4}') ftplocn=$(echo "${t_loc}"| awk -F: '{print $5}') - debug "ftp user=$ftpuser - pass=$ftppass - host=$ftphost location=$ftplocn" - ftp -n <<- EOF + debug "$FTP_COMMAND user=$ftpuser - pass=$ftppass - host=$ftphost location=$ftplocn" + $FTP_COMMAND <<- EOF open $ftphost user $ftpuser $ftppass cd $ftplocn @@ -2654,6 +2675,9 @@ set_server_type # check what dns utils are installed find_dns_utils +# Find what ftp client is installed +find_ftp_command + # auto upgrade clients to v2 auto_upgrade_v2 diff --git a/test/33-ftp.bats b/test/33-ftp.bats index d6387df..9c52bb2 100644 --- a/test/33-ftp.bats +++ b/test/33-ftp.bats 
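Review bot: `FTP_OPTIONS=$(eval echo "$FTP_OPTIONS")` writes the expanded result back into the global, so on any later call of copy_file_to_location in the same run (the per-domain loop at the end of the file suggests there are several) the string has already been expanded and a reference such as `$fromfile` still names the first file. Keep the expansion local — `local ftpopts=""; [[ -n "$FTP_OPTIONS" ]] && ftpopts=$(eval echo "$FTP_OPTIONS")` — and put `$ftpopts` in the heredoc. The `eval` executes whatever the config value contains; since getssl config is sourced as shell this is not a new trust boundary, but the comment should say so rather than just "expand any variables", e.g. `# eval is intentional: FTP_OPTIONS comes from the already-sourced config and may reference $fromfile`. The context line `debug "ftp user=$ftpuser - pass=$ftppass ..."` writes the FTP password into debug output; mask it (`pass=***`) so `-d` runs and CI logs do not carry credentials. copy_file_to_location begins before this hunk.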
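Review bot: find_ftp_command has no header comment stating the real constraint on the client it picks — that it must accept the scripted `open`/`user`/`cd`/`lcd`/`put` stream that copy_file_to_location and the cleanup loop pipe into it — which is what anyone adding a third client needs to know. Suggested comment above the function: `# Picks the client used for ACL="ftp:..." locations: classic ftp (-n, no auto-login) is preferred over lftp; both must accept the open/user/cd/lcd/put script fed on stdin. FTP_COMMAND is left empty when neither exists - callers must check.` Whether every `ftp` that `command -v` finds (inetutils, tnftp, vendor builds) honours the same `-n` scripted subset is presumably true but not verified here; worth a one-line caveat.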
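Review bot: This branch runs `$FTP_COMMAND <<- EOF` without the `-z "$FTP_COMMAND"` guard that copy_file_to_location received; when neither client is installed the expansion is empty, bash treats the line as a null command with a heredoc redirect, and the challenge-token cleanup silently does nothing. Add the same check here, `[[ -z "$FTP_COMMAND" ]] && error_exit "No ftp command found"` (or a warning, since this is cleanup). The rewritten debug line still prints `pass=$ftppass`; the password should be masked in debug output. The enclosing `for d in "${alldomains[@]}"` loop starts and ends outside the hunk.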
@@ -29,9 +29,10 @@ setup() { cat <<- EOF > ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg ACL="ftp:ftpuser:ftpuser:${GETSSL_CMD_HOST}:/var/www/html/.well-known/acme-challenge" +FTP_OPTIONS="chmod 644 \\\$fromfile" EOF - create_certificate -d + create_certificate assert_success check_output_for_errors } From d7869561a3ca88d76eb0fc2b48f15d2fed45df3c Mon Sep 17 00:00:00 2001 From: Tim Kimber Date: Tue, 19 Jan 2021 12:04:47 +0000 Subject: [PATCH 4/8] Change ftp command back to use `open` --- getssl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/getssl b/getssl index f34cac0..69bb152 100755 --- a/getssl +++ b/getssl @@ -863,7 +863,7 @@ copy_file_to_location() { # copies a file, using scp, sftp or ftp if required. debug "FTP_OPTIONS=$FTP_OPTIONS" fi $FTP_COMMAND <<- _EOF - connect $ftphost + open $ftphost user $ftpuser $ftppass cd $ftpdirn lcd $fromdir From e407426bdba2ed46a6d24f2f97a6d18c928b9049 Mon Sep 17 00:00:00 2001 From: Tim Kimber Date: Wed, 20 Jan 2021 22:00:32 +0000 Subject: [PATCH 5/8] Move FTP_OPTIONS earlier otherwise cd and put will fail --- getssl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/getssl b/getssl index 69bb152..aae7ad9 100755 --- a/getssl +++ b/getssl @@ -865,10 +865,10 @@ copy_file_to_location() { # copies a file, using scp, sftp or ftp if required. $FTP_COMMAND <<- _EOF open $ftphost user $ftpuser $ftppass + $FTP_OPTIONS cd $ftpdirn lcd $fromdir put ./$fromfile - $FTP_OPTIONS _EOF elif [[ "${to:0:5}" == "sftp:" ]] ; then debug "using sftp to copy the file from $from" From 8f32f9f0788034121f76115e794a54ad46478d31 Mon Sep 17 00:00:00 2001 
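Review bot: Moving `$FTP_OPTIONS` to directly after `user` makes `cd`/`put` work for session settings such as `passive`, but it also means any option that refers to the uploaded file — the `chmod 644 \$fromfile` form the test used earlier in this series — now runs before `put`, against a file that does not exist yet. Because the value is expanded inside an unquoted heredoc it is spliced verbatim into the ftp command stream (newlines included), so its role needs stating next to the definition: `# FTP_OPTIONS: extra ftp commands sent right after login (e.g. "passive"); they run before cd/put and cannot act on the uploaded file`. copy_file_to_location starts before this hunk.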
From: Tim Kimber Date: Wed, 20 Jan 2021 22:02:09 +0000 Subject: [PATCH 6/8] Test ftp and passive ftp --- test/33-ftp.bats | 37 +++++++- test/34-ftp-passive.bats | 67 +++++++++++++++ test/Dockerfile-alpine | 14 ++- test/Dockerfile-bash4-0 | 14 ++- test/Dockerfile-bash4-2 | 14 ++- test/Dockerfile-bash5-0 | 14 ++- test/Dockerfile-centos6 | 23 ++++- test/Dockerfile-centos7 | 15 ++++ test/Dockerfile-centos8 | 15 ++++ test/Dockerfile-debian | 13 +++ test/Dockerfile-ubuntu | 5 +- test/Dockerfile-ubuntu16 | 15 ++++ test/Dockerfile-ubuntu18 | 15 ++++ test/restart-ftpd | 2 - test/run-test.cmd | 39 +++++---- test/test-config/alpine-supervisord.conf | 9 ++ test/test-config/vsftpd.conf | 66 +++++++++++++++ test/test-config/vsftpd.initd | 103 +++++++++++++++++++++++ test/test_helper.bash | 7 +- 19 files changed, 453 insertions(+), 34 deletions(-) create mode 100644 test/34-ftp-passive.bats create mode 100644 test/test-config/vsftpd.conf create mode 100644 test/test-config/vsftpd.initd diff --git a/test/33-ftp.bats b/test/33-ftp.bats index 9c52bb2..9c0bb2f 100644 --- a/test/33-ftp.bats +++ b/test/33-ftp.bats @@ -8,6 +8,21 @@ load '/getssl/test/test_helper.bash' # This is run for every test setup() { export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt + cp $VSFTPD_CONF ${VSFTPD_CONF}.getssl + + # enable passive and disable active mode + # https://www.pixelstech.net/article/1364817664-FTP-active-mode-and-passive-mode + cat <<- _FTP >> $VSFTPD_CONF +pasv_enable=NO +_FTP + + ${CODE_DIR}/test/restart-ftpd +} + + +teardown() { + cp ${VSFTPD_CONF}.getssl $VSFTPD_CONF + ${CODE_DIR}/test/restart-ftpd } 
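Review bot: The comment above the heredoc says "enable passive and disable active mode" but the line written is `pasv_enable=NO`, which does the opposite; fix the comment to match. `cp $VSFTPD_CONF ${VSFTPD_CONF}.getssl` in setup() also overwrites the backup on every test, so if a previous teardown did not run (bats killed, container reused) the already-appended config becomes the new baseline and `pasv_enable=NO` is appended again; take the backup once with `[[ -f "${VSFTPD_CONF}.getssl" ]] || cp "$VSFTPD_CONF" "${VSFTPD_CONF}.getssl"`. Quote the expansions throughout — VSFTPD_CONF comes from the Dockerfile ENV, but unquoted paths are something ShellCheck will flag.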
@@ -16,23 +31,37 @@ setup() { skip "Using staging server, skipping internal test" fi - ${CODE_DIR}/test/restart-ftpd if [[ ! -d /var/www/html/.well-known/acme-challenge ]]; then mkdir -p /var/www/html/.well-known/acme-challenge - chgrp -R www-data /var/www/html/.well-known - chmod -R g+w /var/www/html/.well-known fi + # Always change ownership and permissions in case previous tests created the directories as root + chgrp -R www-data /var/www/html/.well-known + chmod -R g+w /var/www/html/.well-known + CONFIG_FILE="getssl-http01.cfg" setup_environment init_getssl cat <<- EOF > ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg ACL="ftp:ftpuser:ftpuser:${GETSSL_CMD_HOST}:/var/www/html/.well-known/acme-challenge" -FTP_OPTIONS="chmod 644 \\\$fromfile" EOF + if [[ "$GETSSL_OS" = "alpine" ]]; then + cat <<- EOF2 >> ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg +FTP_OPTIONS="set ftp:passive-mode off" +EOF2 + elif [[ "$FTP_PASSIVE_DEFAULT" == "true" ]]; then + cat <<- EOF3 >> ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg +FTP_OPTIONS="passive" +EOF3 + fi + create_certificate assert_success + assert_line --partial "ftp:ftpuser:ftpuser:" + if [[ "$GETSSL_OS" != "alpine" ]] && [[ "$FTP_PASSIVE_DEFAULT" == "true" ]]; then + assert_line --partial "Passive mode off" + fi check_output_for_errors } diff --git a/test/34-ftp-passive.bats b/test/34-ftp-passive.bats new file mode 100644 index 0000000..cb61dda --- /dev/null +++ b/test/34-ftp-passive.bats 
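Review bot: `assert_line --partial "ftp:ftpuser:ftpuser:"` pins the FTP password appearing in getssl's output, which turns credential leakage into expected behaviour — any later change that redacts the password from debug/log lines will break this test. Assert on a part of the line that is not the secret, e.g. `assert_line --partial ":/var/www/html/.well-known/acme-challenge"`, or on the "using ftp to copy" message. The `chgrp -R`/`chmod -R g+w` of `/var/www/html/.well-known` on every run is fine for the container but is root-level setup that belongs in the Dockerfile rather than in a test body.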
@@ -0,0 +1,67 @@ +#! /usr/bin/env bats + +load '/bats-support/load.bash' +load '/bats-assert/load.bash' +load '/getssl/test/test_helper.bash' + + +# This is run for every test +setup() { + export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt + cp $VSFTPD_CONF ${VSFTPD_CONF}.getssl + + # enable passive and disable active mode + # https://www.pixelstech.net/article/1364817664-FTP-active-mode-and-passive-mode + cat <<- _FTP >> $VSFTPD_CONF +pasv_enable=YES +pasv_max_port=10100 +pasv_min_port=10090 +connect_from_port_20=NO +_FTP + + ${CODE_DIR}/test/restart-ftpd +} + + +teardown() { + cp ${VSFTPD_CONF}.getssl $VSFTPD_CONF + ${CODE_DIR}/test/restart-ftpd +} + + +@test "Use Passive FTP to create challenge file" { + if [ -n "$STAGING" ]; then + skip "Using staging server, skipping internal test" + fi + + if [[ ! -d /var/www/html/.well-known/acme-challenge ]]; then + mkdir -p /var/www/html/.well-known/acme-challenge + fi + + # Always change ownership and permissions in case previous tests created the directories as root + chgrp -R www-data /var/www/html/.well-known + chmod -R g+w /var/www/html/.well-known + + CONFIG_FILE="getssl-http01.cfg" + setup_environment + init_getssl + + cat <<- EOF > ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg +ACL="ftp:ftpuser:ftpuser:${GETSSL_CMD_HOST}:/var/www/html/.well-known/acme-challenge" +EOF + if [[ "$FTP_PASSIVE_DEFAULT" == "false" ]]; then + cat <<- EOF3 >> ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg +FTP_OPTIONS="passive" +EOF3 + fi + + create_certificate + assert_success + assert_line --partial "ftp:ftpuser:ftpuser:" + if [[ "$FTP_PASSIVE_DEFAULT" == "false" ]]; then + assert_line --partial "Passive mode on" + else + refute_line --partial "Passive mode off" + fi + check_output_for_errors +} diff --git a/test/Dockerfile-alpine b/test/Dockerfile-alpine index b609938..924950b 100644 --- a/test/Dockerfile-alpine +++ b/test/Dockerfile-alpine 
@@ -2,7 +2,7 @@ FROM alpine:latest # Note this image uses busybox awk instead of gawk -RUN apk --no-cache add supervisor openssl git curl bind-tools drill wget nginx bash +RUN apk --no-cache add supervisor openssl git curl bind-tools drill wget nginx bash lftp vsftpd openssh-server WORKDIR /root @@ -11,6 +11,18 @@ RUN mkdir /run/nginx RUN mkdir /etc/nginx/pki RUN mkdir /etc/nginx/pki/private +# Setup ftp +ENV VSFTPD_CONF=/etc/vsftpd.conf +ENV FTP_PASSIVE_DEFAULT=true +COPY ./test/test-config/vsftpd.conf /etc/vsftpd.conf +RUN echo "seccomp_sandbox=NO" >> /etc/vsftpd.conf +RUN adduser -D ftpuser +RUN echo 'ftpuser:ftpuser' | chpasswd +RUN adduser ftpuser www-data +RUN adduser root www-data +RUN chown -R ftpuser.www-data /var/www +RUN chmod g+w -R /var/www + # BATS (Bash Automated Testings) RUN git clone https://github.com/bats-core/bats-core.git /bats-core --branch v1.2.1 RUN git clone https://github.com/bats-core/bats-support /bats-support diff --git a/test/Dockerfile-bash4-0 b/test/Dockerfile-bash4-0 index e75b74a..9b1f790 100644 --- a/test/Dockerfile-bash4-0 +++ b/test/Dockerfile-bash4-0 @@ -2,7 +2,7 @@ FROM bash:4.0 # https://hub.docker.com/_/bash -RUN apk --no-cache add supervisor openssl git curl bind-tools drill wget nginx bash +RUN apk --no-cache add supervisor openssl git curl bind-tools drill wget nginx lftp vsftpd openssh-server WORKDIR /root 
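Review bot: `seccomp_sandbox=NO` switches off vsftpd's syscall sandbox and `chown -R ftpuser.www-data /var/www` gives the FTP account ownership of the whole web root; both go further than the other images in this series (which leave the sandbox at its default and use `www-data.www-data`) and neither is explained. Presumably the sandbox conflicts with Docker's seccomp profile on Alpine/musl — if so, record it: `# vsftpd's seccomp sandbox does not start under Docker's default seccomp profile on Alpine; disabled for this test image only`. Ownership can match the other images, since `ftpuser` is already in `www-data` and the tree is `g+w`.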
@@ -11,6 +11,18 @@ RUN mkdir /run/nginx RUN mkdir /etc/nginx/pki RUN mkdir /etc/nginx/pki/private +# Setup ftp +ENV VSFTPD_CONF=/etc/vsftpd.conf +ENV FTP_PASSIVE_DEFAULT=true +COPY ./test/test-config/vsftpd.conf /etc/vsftpd.conf +RUN echo "seccomp_sandbox=NO" >> /etc/vsftpd.conf +RUN adduser -D ftpuser +RUN echo 'ftpuser:ftpuser' | chpasswd +RUN adduser ftpuser www-data +RUN adduser root www-data +RUN chown -R ftpuser.www-data /var/www +RUN chmod g+w -R /var/www + # BATS (Bash Automated Testings) RUN git clone https://github.com/bats-core/bats-core.git /bats-core --branch v1.2.1 RUN git clone https://github.com/bats-core/bats-support /bats-support diff --git a/test/Dockerfile-bash4-2 b/test/Dockerfile-bash4-2 index 720884c..d9386f6 100644 --- a/test/Dockerfile-bash4-2 +++ b/test/Dockerfile-bash4-2 @@ -2,7 +2,7 @@ FROM bash:4.2 # https://hub.docker.com/_/bash -RUN apk --no-cache add supervisor openssl git curl bind-tools drill wget nginx bash +RUN apk --no-cache add supervisor openssl git curl bind-tools drill wget nginx lftp vsftpd openssh-server WORKDIR /root @@ -11,6 +11,18 @@ RUN mkdir /run/nginx RUN mkdir /etc/nginx/pki RUN mkdir /etc/nginx/pki/private +# Setup ftp +ENV VSFTPD_CONF=/etc/vsftpd.conf +ENV FTP_PASSIVE_DEFAULT=true +COPY ./test/test-config/vsftpd.conf /etc/vsftpd.conf +RUN echo "seccomp_sandbox=NO" >> /etc/vsftpd.conf +RUN adduser -D ftpuser +RUN echo 'ftpuser:ftpuser' | chpasswd +RUN adduser ftpuser www-data +RUN adduser root www-data +RUN chown -R ftpuser.www-data /var/www +RUN chmod g+w -R /var/www + # BATS (Bash Automated Testings) RUN git clone https://github.com/bats-core/bats-core.git /bats-core --branch v1.2.1 RUN git clone https://github.com/bats-core/bats-support /bats-support diff --git a/test/Dockerfile-bash5-0 b/test/Dockerfile-bash5-0 index ba0295a..2d776eb 100644 --- a/test/Dockerfile-bash5-0 +++ b/test/Dockerfile-bash5-0 
@@ -2,7 +2,7 @@ FROM bash:5.0 # https://hub.docker.com/_/bash -RUN apk --no-cache add supervisor openssl git curl bind-tools drill wget nginx bash +RUN apk --no-cache add supervisor openssl git curl bind-tools drill wget nginx lftp vsftpd openssh-server WORKDIR /root @@ -11,6 +11,18 @@ RUN mkdir /run/nginx RUN mkdir /etc/nginx/pki RUN mkdir /etc/nginx/pki/private +# Setup ftp +ENV VSFTPD_CONF=/etc/vsftpd.conf +ENV FTP_PASSIVE_DEFAULT=true +COPY ./test/test-config/vsftpd.conf /etc/vsftpd.conf +RUN echo "seccomp_sandbox=NO" >> /etc/vsftpd.conf +RUN adduser -D ftpuser +RUN echo 'ftpuser:ftpuser' | chpasswd +RUN adduser ftpuser www-data +RUN adduser root www-data +RUN chown -R ftpuser.www-data /var/www +RUN chmod g+w -R /var/www + # BATS (Bash Automated Testings) RUN git clone https://github.com/bats-core/bats-core.git /bats-core --branch v1.2.1 RUN git clone https://github.com/bats-core/bats-support /bats-support diff --git a/test/Dockerfile-centos6 b/test/Dockerfile-centos6 index 6874cb2..a8d59b0 100644 --- a/test/Dockerfile-centos6 +++ b/test/Dockerfile-centos6 
@@ -5,16 +5,29 @@ FROM centos:centos6 # [wsl2] # kernelCommandLine = vsyscall=emulate -# Centos 6 is EOL and is no longer available from the usual mirrors, so switch -# to https://vault.centos.org +# Centos 6 is EOL and is no longer available from the usual mirrors, so switch to https://vault.centos.org RUN sed -i 's/enabled=1/enabled=0/g' /etc/yum/pluginconf.d/fastestmirror.conf && \ sed -i 's/^mirrorlist/#mirrorlist/g' /etc/yum.repos.d/*.repo && \ sed -i 's;^#baseurl=http://mirror;baseurl=https://vault;g' /etc/yum.repos.d/*.repo # Update and install required software -#RUN yum -y update RUN yum -y install epel-release RUN yum -y install git curl dnsutils ldns wget nginx +RUN yum -y install ftp vsftpd +RUN yum -y install openssh-server + +# Setup ftp +ENV VSFTPD_CONF=/etc/vsftpd/vsftpd.conf +ENV FTP_PASSIVE_DEFAULT=true +COPY test/test-config/vsftpd.conf /etc/vsftpd/vsftpd.conf +RUN adduser ftpuser +RUN echo 'ftpuser:ftpuser' | chpasswd +RUN adduser www-data +RUN usermod -G www-data ftpuser +RUN usermod -G www-data root +RUN mkdir -p /var/www/.well-known/acme-challenge +RUN chown -R www-data.www-data /var/www +RUN chmod g+w -R /var/www WORKDIR /root RUN mkdir /etc/nginx/pki @@ -22,10 +35,12 @@ RUN mkdir /etc/nginx/pki/private COPY ./test/test-config/nginx-ubuntu-no-ssl /etc/nginx/conf.d/default.conf # BATS (Bash Automated Testings) -RUN git clone https://github.com/bats-core/bats-core.git /bats-core --branch v1.2.1 +RUN git clone https://github.com/bats-core/bats-core.git /bats-core # --branch v1.2.1 RUN git clone https://github.com/bats-core/bats-support /bats-support RUN git clone https://github.com/bats-core/bats-assert /bats-assert RUN /bats-core/install.sh /usr/local +# Hack to disable BATS pretty formatter which stopped working on centos6 +ENV CI=yes EXPOSE 80 443 diff --git a/test/Dockerfile-centos7 b/test/Dockerfile-centos7 index e86f521..8bf8fa9 100644 --- a/test/Dockerfile-centos7 +++ b/test/Dockerfile-centos7 
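Review bot: `RUN git clone https://github.com/bats-core/bats-core.git /bats-core # --branch v1.2.1` now fetches whatever bats-core HEAD is at build time (the `#` comments the branch out inside the RUN shell), while every other image pins v1.2.1; an unpinned test-framework checkout is a reproducibility and supply-chain problem — a future bats commit can break or silently change the CentOS 6 run. If v1.2.1 genuinely does not work on CentOS 6, pin the revision that does (`--branch <tag>` or `git checkout <sha>` after the clone) and note why in a comment instead of leaving it floating.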
@@ -4,6 +4,8 @@ FROM centos:centos7 RUN yum -y update RUN yum -y install epel-release RUN yum -y install git curl ldns bind-utils wget which nginx +RUN yum -y install ftp vsftpd +RUN yum -y install openssh-server WORKDIR /root RUN mkdir /etc/nginx/pki @@ -11,6 +13,19 @@ RUN mkdir /etc/nginx/pki/private COPY ./test/test-config/nginx-ubuntu-no-ssl /etc/nginx/conf.d/default.conf COPY ./test/test-config/nginx-centos7.conf /etc/nginx/nginx.conf +# Setup ftp +ENV VSFTPD_CONF=/etc/vsftpd/vsftpd.conf +ENV FTP_PASSIVE_DEFAULT=true +COPY test/test-config/vsftpd.conf /etc/vsftpd/vsftpd.conf +RUN adduser ftpuser +RUN echo 'ftpuser:ftpuser' | chpasswd +RUN adduser www-data +RUN usermod -G www-data ftpuser +RUN usermod -G www-data root +RUN mkdir -p /var/www/.well-known/acme-challenge +RUN chown -R www-data.www-data /var/www +RUN chmod g+w -R /var/www + # BATS (Bash Automated Testings) RUN git clone https://github.com/bats-core/bats-core.git /bats-core --branch v1.2.1 RUN git clone https://github.com/bats-core/bats-support /bats-support diff --git a/test/Dockerfile-centos8 b/test/Dockerfile-centos8 index 4ccb817..64f4381 100644 --- a/test/Dockerfile-centos8 +++ b/test/Dockerfile-centos8 @@ -6,6 +6,8 @@ FROM centos:centos8 RUN yum -y update RUN yum -y install epel-release RUN yum -y install git curl bind-utils wget which nginx +RUN yum -y install ftp vsftpd +RUN yum -y install openssh-server WORKDIR /root RUN mkdir /etc/nginx/pki 
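Review bot: `usermod -G www-data root` and `usermod -G www-data ftpuser` use `-G` without `-a`, which replaces the supplementary group list instead of appending to it; for `root` that silently drops any groups it already had (probably none on a stock centos image, but the Dockerfile should not depend on that). Use `usermod -aG www-data root` and `usermod -aG www-data ftpuser`, which matches what `adduser ftpuser www-data` does in the Debian-family images. The same `-G` pattern appears in the centos6 and centos8 files.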
@@ -13,6 +15,19 @@ RUN mkdir /etc/nginx/pki/private COPY ./test/test-config/nginx-ubuntu-no-ssl /etc/nginx/conf.d/default.conf COPY ./test/test-config/nginx-centos7.conf /etc/nginx/nginx.conf +# Setup ftp +ENV VSFTPD_CONF=/etc/vsftpd/vsftpd.conf +ENV FTP_PASSIVE_DEFAULT=true +COPY test/test-config/vsftpd.conf /etc/vsftpd/vsftpd.conf +RUN adduser ftpuser +RUN echo 'ftpuser:ftpuser' | chpasswd +RUN adduser www-data +RUN usermod -G www-data ftpuser +RUN usermod -G www-data root +RUN mkdir -p /var/www/.well-known/acme-challenge +RUN chown -R www-data.www-data /var/www +RUN chmod g+w -R /var/www + # BATS (Bash Automated Testings) RUN git clone https://github.com/bats-core/bats-core.git /bats-core --branch v1.2.1 RUN git clone https://github.com/bats-core/bats-support /bats-support diff --git a/test/Dockerfile-debian b/test/Dockerfile-debian index b39f915..fa74995 100644 --- a/test/Dockerfile-debian +++ b/test/Dockerfile-debian @@ -5,11 +5,24 @@ FROM debian:latest # Update and install required software RUN apt-get update --fix-missing RUN apt-get install -y git curl dnsutils ldnsutils wget nginx-light +RUN apt-get install -y ftp vsftpd +RUN apt-get install -y openssh-server WORKDIR /root RUN mkdir /etc/nginx/pki RUN mkdir /etc/nginx/pki/private +# Setup ftp +ENV VSFTPD_CONF=/etc/vsftpd.conf +ENV FTP_PASSIVE_DEFAULT=false +COPY test/test-config/vsftpd.conf /etc/vsftpd.conf +RUN adduser ftpuser +RUN echo 'ftpuser:ftpuser' | chpasswd +RUN adduser ftpuser www-data +RUN adduser root www-data +RUN chown -R www-data.www-data /var/www +RUN chmod g+w -R /var/www + # BATS (Bash Automated Testings) RUN git clone https://github.com/bats-core/bats-core.git /bats-core --branch v1.2.1 RUN git clone https://github.com/bats-core/bats-support /bats-support diff --git a/test/Dockerfile-ubuntu b/test/Dockerfile-ubuntu index 4e80409..68813f8 100644 --- a/test/Dockerfile-ubuntu +++ b/test/Dockerfile-ubuntu 
@@ -12,7 +12,10 @@ RUN apt-get install -y vim dos2unix # for debugging RUN apt-get install -y ftp vsftpd RUN apt-get install -y openssh-server -RUN echo "write_enable=YES" >> /etc/vsftpd.conf +# Setup ftp +ENV VSFTPD_CONF=/etc/vsftpd.conf +ENV FTP_PASSIVE_DEFAULT=false +COPY test/test-config/vsftpd.conf /etc/vsftpd.conf RUN adduser ftpuser RUN echo 'ftpuser:ftpuser' | chpasswd RUN adduser ftpuser www-data diff --git a/test/Dockerfile-ubuntu16 b/test/Dockerfile-ubuntu16 index 41be837..184db87 100644 --- a/test/Dockerfile-ubuntu16 +++ b/test/Dockerfile-ubuntu16 @@ -6,12 +6,27 @@ FROM ubuntu:xenial # Update and install required software RUN apt-get update --fix-missing RUN apt-get install -y git curl dnsutils ldnsutils wget nginx-light +RUN apt-get install -y ftp vsftpd +RUN apt-get install -y openssh-server WORKDIR /root RUN mkdir /etc/nginx/pki RUN mkdir /etc/nginx/pki/private COPY ./test/test-config/nginx-ubuntu-no-ssl /etc/nginx/sites-enabled/default +# Setup ftp +ENV VSFTPD_CONF=/etc/vsftpd.conf +ENV FTP_PASSIVE_DEFAULT=false +COPY test/test-config/vsftpd.conf /etc/vsftpd.conf +# The default init.d script seems to have an incorrect check that vsftpd has started +COPY test/test-config/vsftpd.initd /etc/init.d/vsftpd +RUN adduser ftpuser +RUN echo 'ftpuser:ftpuser' | chpasswd +RUN adduser ftpuser www-data +RUN adduser root www-data +RUN chown -R www-data.www-data /var/www +RUN chmod g+w -R /var/www + # BATS (Bash Automated Testings) RUN git clone https://github.com/bats-core/bats-core.git /bats-core --branch v1.2.1 RUN git clone https://github.com/bats-core/bats-support /bats-support diff --git a/test/Dockerfile-ubuntu18 b/test/Dockerfile-ubuntu18 index 5e4c574..ed1fae3 100644 --- a/test/Dockerfile-ubuntu18 +++ b/test/Dockerfile-ubuntu18 
@@ -6,12 +6,27 @@ FROM ubuntu:bionic # Update and install required software RUN apt-get update --fix-missing RUN apt-get install -y git curl dnsutils ldnsutils wget gawk nginx-light +RUN apt-get install -y ftp vsftpd +RUN apt-get install -y openssh-server WORKDIR /root RUN mkdir /etc/nginx/pki RUN mkdir /etc/nginx/pki/private COPY ./test/test-config/nginx-ubuntu-no-ssl /etc/nginx/sites-enabled/default +# Setup ftp +ENV VSFTPD_CONF=/etc/vsftpd.conf +ENV FTP_PASSIVE_DEFAULT=false +COPY test/test-config/vsftpd.conf /etc/vsftpd.conf +# The default init.d script seems to have an incorrect check that vsftpd has started +COPY test/test-config/vsftpd.initd /etc/init.d/vsftpd +RUN adduser ftpuser +RUN echo 'ftpuser:ftpuser' | chpasswd +RUN adduser ftpuser www-data +RUN adduser root www-data +RUN chown -R www-data.www-data /var/www +RUN chmod g+w -R /var/www + # Prevent "Can't load /root/.rnd into RNG" error from openssl RUN touch /root/.rnd diff --git a/test/restart-ftpd b/test/restart-ftpd index 279c2ff..f87d9d8 100644 --- a/test/restart-ftpd +++ b/test/restart-ftpd @@ -2,10 +2,8 @@ if [ "$GETSSL_OS" = "alpine" ]; then killall -HUP vsftpd >&3- - sleep 5 elif [[ "$GETSSL_OS" == "centos"[78] ]]; then pgrep vsftpd | head -1 | xargs kill -HUP - sleep 5 else service vsftpd restart >/dev/null >&3- fi diff --git a/test/run-test.cmd b/test/run-test.cmd index 5908de7..61b360e 100644 --- a/test/run-test.cmd +++ b/test/run-test.cmd 
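Review bot: Dropping the `sleep 5` after `killall -HUP`/`kill -HUP` leaves nothing that waits for vsftpd to act before the test connects, and whether vsftpd re-reads its configuration on SIGHUP at all is not shown by this hunk; if it does not, the `pasv_enable` toggles in tests 33/34 never reach the server and those tests pass only because the client-side `passive`/`set ftp:passive-mode` options drive the mode. A restart that is known to apply the config — on alpine `supervisorctl restart vsftpd` (supervisord now manages it), elsewhere stop, start, then poll until port 21 accepts (`until (exec 3<>/dev/tcp/127.0.0.1/21) 2>/dev/null; do sleep 1; done`) — would make the tests exercise the server setting. I cannot confirm from here which branch each test actually relies on, so treat this as a check to run rather than a confirmed failure.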
@@ -1,51 +1,52 @@ @echo off IF %1.==. GOTO NoOS -set OS=%1 +SET OS=%1 :CheckCommand IF %2.==. GOTO NoCmd -set COMMAND=%2 %3 +SET COMMAND=%2 %3 :CheckAlias REM check if OS *contains* staging IF NOT x%OS:duck=%==x%OS% GOTO duckdns IF NOT x%OS:dynu=%==x%OS% GOTO dynu IF NOT x%OS:bash=%==x%OS% GOTO bash -set ALIAS=%OS%.getssl.test -set STAGING= -set GETSSL_OS=%OS% +SET ALIAS=%OS%.getssl.test +SET STAGING= +SET GETSSL_OS=%OS% GOTO Run :NoOS -set OS=ubuntu +SET OS=ubuntu GOTO CheckCommand :NoCmd -REM set COMMAND=/getssl/test/run-bats.sh -set COMMAND=bats /getssl/test --timing +REM SET COMMAND=/getssl/test/run-bats.sh +SET COMMAND=bats /getssl/test --timing GOTO CheckAlias :duckdns -set ALIAS=%OS:-duckdns=%-getssl.duckdns.org -set STAGING=--env STAGING=true --env dynamic_dns=duckdns -set GETSSL_OS=%OS:-duckdns=% +SET ALIAS=%OS:-duckdns=%-getssl.duckdns.org +SET STAGING=--env STAGING=true --env dynamic_dns=duckdns +SET GETSSL_OS=%OS:-duckdns=% GOTO Run :dynu -set ALIAS=%OS:-dynu=%-getssl.freeddns.org -set STAGING=--env STAGING=true --env dynamic_dns=dynu -set GETSSL_OS=%OS:-dynu=% +SET ALIAS=%OS:-dynu=%-getssl.freeddns.org +SET STAGING=--env STAGING=true --env dynamic_dns=dynu +SET GETSSL_OS=%OS:-dynu=% GOTO Run :bash -set ALIAS=%OS%.getssl.test -set STAGING= -set GETSSL_OS=alpine +SET ALIAS=%OS%.getssl.test +SET STAGING= +SET GETSSL_OS=alpine :Run -for %%I in (.) do set CurrDirName=%%~nxI +FOR %%I in (.) DO SET CurrDirName=%%~nxI docker build --pull --rm -f "test\Dockerfile-%OS%" -t getssl-%OS% . +IF %ErrorLevel% EQU 1 GOTO End @echo on docker run -it ^ --env GETSSL_HOST=%ALIAS% %STAGING% ^ @@ -69,3 +70,5 @@ docker run -it ^ --name getssl-%OS% ^ getssl-%OS% ^ %COMMAND% + +:End diff --git a/test/test-config/alpine-supervisord.conf b/test/test-config/alpine-supervisord.conf index 9759570..bbf671e 100644 --- a/test/test-config/alpine-supervisord.conf +++ b/test/test-config/alpine-supervisord.conf 
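Review bot: `IF %ErrorLevel% EQU 1 GOTO End` only skips the run when `docker build` exited with exactly 1; any other non-zero status still falls through to `docker run` against a stale or missing image. A failure is anything non-zero, so use `IF %ErrorLevel% NEQ 0 GOTO End` (or the classic `IF ERRORLEVEL 1 GOTO End`, which means "1 or higher").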
@@ -12,3 +12,12 @@ stderr_logfile=/dev/stderr stderr_logfile_maxbytes=0 autorestart=false startretries=0 + +[program:vsftpd] +command=vsftpd +stdout_logfile=/dev/stdout +stdout_logfile_maxbytes=0 +stderr_logfile=/dev/stderr +stderr_logfile_maxbytes=0 +autorestart=false +startretries=0 diff --git a/test/test-config/vsftpd.conf b/test/test-config/vsftpd.conf new file mode 100644 index 0000000..59ca78a --- /dev/null +++ b/test/test-config/vsftpd.conf 
@@ -0,0 +1,66 @@ +# Example config file /etc/vsftpd.conf (alpine) /etc/vsftpd/vsftpd.conf +# +# The default compiled in settings are fairly paranoid. This sample file +# loosens things up a bit, to make the ftp daemon more usable. +# Please see vsftpd.conf.5 for all compiled in defaults. +# +# Run standalone? vsftpd can run either from an inetd or as a standalone +# daemon started from an initscript. +listen=YES +# +# This directive enables listening on IPv6 sockets. By default, listening +# on the IPv6 "any" address (::) will accept connections from both IPv6 +# and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6 +# sockets. If you want that (perhaps because you want to listen on specific +# addresses) then you must run two copies of vsftpd with two configuration +# files. +#listen_ipv6=NO +# +# Allow anonymous FTP? (Disabled by default). +anonymous_enable=NO +# +# Uncomment this to allow local users to log in. +local_enable=YES +# +# Uncomment this to enable any form of FTP write command. +write_enable=YES +# +# Default umask for local users is 077. You may wish to change this to 022, +# if your users expect that (022 is used by most other ftpd's) +local_umask=022 +# +# Activate directory messages - messages given to remote users when they +# go into a certain directory. +dirmessage_enable=YES +# +# If enabled, vsftpd will display directory listings with the time +# in your local time zone. The default is to display GMT. The +# times returned by the MDTM FTP command are also affected by this +# option. +use_localtime=YES +# +# Activate logging of uploads/downloads. +xferlog_enable=YES +# +# Make sure PORT transfer connections originate from port 20 (ftp-data). +connect_from_port_20=YES +# +# You may change the default value for timing out an idle session. +#idle_session_timeout=600 +# +# You may change the default value for timing out a data connection. +#data_connection_timeout=120 +# +# You may restrict local users to their home directories. 
See the FAQ for +# the possible risks in this before using chroot_local_user or +# chroot_list_enable below. +chroot_local_user=NO +# +# This string is the name of the PAM service vsftpd will use. +pam_service_name=vsftpd +# +# This option specifies the location of the RSA certificate to use for SSL +# encrypted connections. +rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem +rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key +ssl_enable=NO diff --git a/test/test-config/vsftpd.initd b/test/test-config/vsftpd.initd new file mode 100644 index 0000000..d5b2b00 --- /dev/null +++ b/test/test-config/vsftpd.initd 
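Review bot: This fixture is deliberately permissive — `write_enable=YES`, `chroot_local_user=NO`, `ssl_enable=NO`, snakeoil certificate paths — yet its header still reads like a generic example config, so nothing warns against copying it; add at the top `# TEST FIXTURE ONLY: writable, unencrypted, un-chrooted FTP for the getssl container tests - do not use as a template for a real server`. `local_umask=022` is what makes uploaded challenge files world-readable, which is why the `chmod 644` from the first patch in this series is unnecessary against this server; a one-line comment there saves the next person re-adding it. The `rsa_cert_file`/`rsa_private_key_file` paths only exist where the Debian `ssl-cert` package installed them; with `ssl_enable=NO` vsftpd presumably ignores them on the CentOS/Alpine images, but that is worth a note.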
@@ -0,0 +1,103 @@
+#!/bin/sh
+
+### BEGIN INIT INFO
+# Provides: vsftpd
+# Required-Start: $network $remote_fs $syslog
+# Required-Stop: $network $remote_fs $syslog
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Very secure FTP server
+# Description: Provides a lightweight, efficient FTP server written
+# for security.
+### END INIT INFO
+
+set -e
+
+DAEMON="/usr/sbin/vsftpd"
+NAME="vsftpd"
+PATH="/sbin:/bin:/usr/sbin:/usr/bin"
+LOGFILE="/var/log/vsftpd.log"
+CHROOT="/var/run/vsftpd/empty"
+
+test -x "${DAEMON}" || exit 0
+
+. /lib/lsb/init-functions
+
+if [ ! -e "${LOGFILE}" ]
+then
+ touch "${LOGFILE}"
+ chmod 640 "${LOGFILE}"
+ chown root:adm "${LOGFILE}"
+fi
+
+if [ ! -d "${CHROOT}" ]
+then
+ mkdir -p "${CHROOT}"
+fi
+
+case "${1}" in
+ start)
+ log_daemon_msg "Starting FTP server" "${NAME}"
+
+ if [ -e /etc/vsftpd.conf ] && ! egrep -iq "^ *listen(_ipv6)? *= *yes" /etc/vsftpd.conf
+ then
+ log_warning_msg "vsftpd disabled - listen disabled in config."
+ exit 0
+ fi
+
+ start-stop-daemon --start --background -m --oknodo --pidfile /var/run/vsftpd/vsftpd.pid --exec ${DAEMON}
+
+ n=0
+ while [ ${n} -le 5 ]
+ do
+ _PID="$(if [ -e /var/run/vsftpd/vsftpd.pid ]; then cat /var/run/vsftpd/vsftpd.pid; fi)"
+ if ! ps -C vsftpd | grep -qs "${_PID}"
+ then
+ break
+ fi
+ sleep 1
+ n=$(( $n + 1 ))
+ done
+
+ if ps -C vsftpd | grep -qs "${_PID}"
+ then
+ log_warning_msg "vsftpd failed - probably invalid config."
+ exit 1
+ fi
+
+ log_end_msg 0
+ ;;
+
+ stop)
+ log_daemon_msg "Stopping FTP server" "${NAME}"
+
+ start-stop-daemon --stop --pidfile /var/run/vsftpd/vsftpd.pid --oknodo --exec ${DAEMON}
+ rm -f /var/run/vsftpd/vsftpd.pid
+
+ log_end_msg 0
+ ;;
+
+ restart)
+ ${0} stop
+ ${0} start
+ ;;
+
+ reload|force-reload)
+ log_daemon_msg "Reloading FTP server configuration"
+
+ start-stop-daemon --stop --pidfile /var/run/vsftpd/vsftpd.pid --signal 1 --exec $DAEMON
+
+ log_end_msg "${?}"
+ ;;
+
+ status)
+ status_of_proc "${DAEMON}" "FTP server"
+ ;;
+
+ *)
+ echo "Usage: ${0} {start|stop|restart|reload|status}"
+ exit 1
+ ;;
+esac
+
+exit 0
diff --git a/test/test_helper.bash b/test/test_helper.bash
index c5d5320..3adcdfa 100644
--- a/test/test_helper.bash
+++ b/test/test_helper.bash
@@ -70,16 +70,21 @@ setup_environment() {
 /getssl/test/restart-nginx
 }
 
-# start nginx in background on alpine via supervisord
+# start nginx and vsftpd in background on alpine via supervisord
 # shellcheck disable=SC2153 # Ignore GETSSL_OS looks like typo of GETSSL_IP
 if [[ -f /usr/bin/supervisord && -f /etc/supervisord.conf ]]; then
 if [[ ! $(pgrep supervisord) ]]; then
 /usr/bin/supervisord -c /etc/supervisord.conf >&3-
+ # Give supervisord time to start
+ sleep 1
 fi
 elif [[ "$GETSSL_OS" == "centos"[78] ]]; then
 if [ -z "$(pgrep nginx)" ]; then
 nginx >&3-
 fi
+ if [ -z "$(pgrep vsftpd)" ]; then
+ vsftpd >&3-
+ fi
 fi
 
 # Find NGINX configuration directory for HTTP-01 testing (need to add SSL to config)
From 170e65d1cdc50a961fe49b22f61173f8fe6c1fe7 Mon Sep 17 00:00:00 2001
From: Tim Kimber
Date: Fri, 22 Jan 2021 15:32:44 +0000
Subject: [PATCH 7/8] Add +x for scripts used in testing
---
 test/restart-ftpd | 0
 test/test-config/vsftpd.initd | 0
 2 files changed, 0 insertions(+), 0 deletions(-)
 mode change 100644 => 100755 test/restart-ftpd
 mode change 100644 => 100755 test/test-config/vsftpd.initd
diff --git a/test/restart-ftpd b/test/restart-ftpd
old mode 100644
new mode 100755
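Review bot: The two `ps -C vsftpd | grep -qs "${_PID}"` checks in the start) branch are inverted with respect to their messages: the wait loop breaks early only when the pid is absent from the process list, and the post-loop warning "vsftpd failed - probably invalid config." fires when the pid is present, so a daemon that starts cleanly would be reported as failed (exit 1) after the six-second loop while one that dies immediately would pass. The stock conditions are `if ps -C vsftpd | grep -qs "${_PID}"` for the break and `if ! ps -C vsftpd | grep -qs "${_PID}"` for the warning; if the inversion is deliberate (for instance because ps inside the container does not see the daemon), a comment saying so is needed, since the file otherwise reads as a verbatim copy of the Debian init script. Independently, `grep -qs "${_PID}"` with an empty `_PID` (pidfile not yet written) matches every line of the ps output, so a `[ -n "${_PID}" ]` guard would make the loop meaningful, and `egrep` is deprecated in favour of `grep -E`.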
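Review bot: The `sleep 1` added after starting supervisord is a fixed delay standing in for a readiness check, so on a slow CI host the first test can still run before nginx or vsftpd is listening and on a fast one it only adds latency. A bounded poll such as `for _ in 1 2 3 4 5; do pgrep -x vsftpd >/dev/null && break; sleep 1; done` states the intent directly and is no longer than the comment plus sleep. In the centos branch `pgrep vsftpd` matches any process whose name contains the string, which presumably includes the restart-ftpd/vsftpd.initd wrappers while they run; `pgrep -x vsftpd` checks the daemon itself. This block sits at top level after setup_environment() closes, so the enclosing file continues outside the hunk.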
diff --git a/test/test-config/vsftpd.initd b/test/test-config/vsftpd.initd
old mode 100644
new mode 100755
From 99d1fcccf66bb35a9c6e86d35228dbae4b382e0f Mon Sep 17 00:00:00 2001
From: Tim Kimber
Date: Fri, 22 Jan 2021 17:51:50 +0000
Subject: [PATCH 8/8] Fix staging tests where vsftpd is not installed
---
 test/33-ftp.bats | 18 +++++++++++-------
 test/34-ftp-passive.bats | 18 +++++++++++-------
 test/test_helper.bash | 2 +-
 3 files changed, 23 insertions(+), 15 deletions(-)
diff --git a/test/33-ftp.bats b/test/33-ftp.bats
index 9c0bb2f..9c2e387 100644
--- a/test/33-ftp.bats
+++ b/test/33-ftp.bats
@@ -8,21 +8,25 @@ load '/getssl/test/test_helper.bash'
 # This is run for every test
 setup() {
 export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
- cp $VSFTPD_CONF ${VSFTPD_CONF}.getssl
+ if [ -n "${VSFTPD_CONF}" ]; then
+ cp $VSFTPD_CONF ${VSFTPD_CONF}.getssl
 
- # enable passive and disable active mode
- # https://www.pixelstech.net/article/1364817664-FTP-active-mode-and-passive-mode
- cat <<- _FTP >> $VSFTPD_CONF
+ # enable passive and disable active mode
+ # https://www.pixelstech.net/article/1364817664-FTP-active-mode-and-passive-mode
+ cat <<- _FTP >> $VSFTPD_CONF
 pasv_enable=NO
 _FTP
 
- ${CODE_DIR}/test/restart-ftpd
+ ${CODE_DIR}/test/restart-ftpd
+ fi
 }
 
 
 teardown() {
- cp ${VSFTPD_CONF}.getssl $VSFTPD_CONF
- ${CODE_DIR}/test/restart-ftpd
+ if [ -n "${VSFTPD_CONF}" ]; then
+ cp ${VSFTPD_CONF}.getssl $VSFTPD_CONF
+ ${CODE_DIR}/test/restart-ftpd
+ fi
 }
 
 
diff --git a/test/34-ftp-passive.bats b/test/34-ftp-passive.bats
index cb61dda..0d16574 100644
--- a/test/34-ftp-passive.bats
+++ b/test/34-ftp-passive.bats
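Review bot: The comment `# enable passive and disable active mode` re-added inside the new `if [ -n "${VSFTPD_CONF}" ]` block of setup() contradicts the heredoc that follows it, which writes `pasv_enable=NO`, i.e. it forces active (PORT) mode; the same comment is correct only in 34-ftp-passive.bats where `pasv_enable=YES` is written. Change it here to `# disable passive mode so this test exercises active (PORT) transfers`. The setup()/teardown() pair is now duplicated almost verbatim between 33-ftp.bats and 34-ftp-passive.bats, differing only in the heredoc body, so a helper in test_helper.bash that takes the config snippet would keep the `VSFTPD_CONF` guard and the backup/restore logic in one place. teardown() copies `${VSFTPD_CONF}.getssl` back but never removes it, so the backup accumulates in the container between runs; an `rm -f -- "${VSFTPD_CONF}.getssl"` after the restore would tidy that.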
@@ -8,24 +8,28 @@ load '/getssl/test/test_helper.bash'
 # This is run for every test
 setup() {
 export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
- cp $VSFTPD_CONF ${VSFTPD_CONF}.getssl
+ if [ -n "${VSFTPD_CONF}" ]; then
+ cp $VSFTPD_CONF ${VSFTPD_CONF}.getssl
 
- # enable passive and disable active mode
- # https://www.pixelstech.net/article/1364817664-FTP-active-mode-and-passive-mode
- cat <<- _FTP >> $VSFTPD_CONF
+ # enable passive and disable active mode
+ # https://www.pixelstech.net/article/1364817664-FTP-active-mode-and-passive-mode
+ cat <<- _FTP >> $VSFTPD_CONF
 pasv_enable=YES
 pasv_max_port=10100
 pasv_min_port=10090
 connect_from_port_20=NO
 _FTP
 
- ${CODE_DIR}/test/restart-ftpd
+ ${CODE_DIR}/test/restart-ftpd
+ fi
 }
 
 
 teardown() {
- cp ${VSFTPD_CONF}.getssl $VSFTPD_CONF
- ${CODE_DIR}/test/restart-ftpd
+ if [ -n "${VSFTPD_CONF}" ]; then
+ cp ${VSFTPD_CONF}.getssl $VSFTPD_CONF
+ ${CODE_DIR}/test/restart-ftpd
+ fi
 }
 
 
diff --git a/test/test_helper.bash b/test/test_helper.bash
index 3adcdfa..11cdf44 100644
--- a/test/test_helper.bash
+++ b/test/test_helper.bash
@@ -82,7 +82,7 @@ elif [[ "$GETSSL_OS" == "centos"[78] ]]; then
 if [ -z "$(pgrep nginx)" ]; then
 nginx >&3-
 fi
- if [ -z "$(pgrep vsftpd)" ]; then
+ if [ -z "$(pgrep vsftpd)" ] && [ "$(command -v vsftpd)" ]; then
 vsftpd >&3-
 fi
 fi
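Review bot: `[ "$(command -v vsftpd)" ]` tests the non-emptiness of a substituted string when the exit status of `command -v` already carries the answer; `command -v vsftpd >/dev/null 2>&1` is the idiomatic form and avoids the subshell. Putting that test first, `if command -v vsftpd >/dev/null 2>&1 && [ -z "$(pgrep vsftpd)" ]; then`, also skips the pgrep entirely on hosts where vsftpd is not installed, which is the case the commit is fixing. The enclosing `elif` branch starts above the hunk.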