ovpnmcgen.rb 0.5.0 → 0.6.0.pre1
- checksums.yaml +4 -4
- data/.travis.yml +8 -3
- data/ChangeLog +6 -0
- data/README.md +31 -1
- data/bin/ovpnmcgen.rb +18 -2
- data/features/gen_basic.feature +200 -5
- data/features/gen_ovpnconfigfile_input.feature +3 -3
- data/features/support/setup.rb +1 -1
- data/lib/ovpnmcgen.rb +46 -6
- data/lib/ovpnmcgen/version.rb +1 -1
- data/ovpnmcgen.rb.gemspec +2 -2
- metadata +9 -11
- data/features/step_definitions/env.rb +0 -3
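--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 8c53f1956b9b8994f831ebe16c57c03d68063f00
+data.tar.gz: 79c052e1292418d755de8ce385f64bd06febe124
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: e0a716ca145189a96c24c67485321d24d4c85a995c5582e98ea46ccf25c3c7ff215013371620c0d952919e55105f09a171b32c09ee7cceee73aae4d34d30dda8
+data.tar.gz: aad1f689dc09017f99b0c43ae4148c4b3c4085db2ec0f1f16b7e0fc5156205ba034741082a7ee840a233839c41c08f4910099599e826a1d96996cb2c749ac7ed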
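--- a/data/.travis.yml
+++ b/data/.travis.yml
@@ -1,13 +1,17 @@
 language: ruby
+#cache: bundler
 
 before_install:
+# https://github.com/travis-ci/travis-ci/issues/8978
+- gem update --system
 - gem update bundler
 - bundle version
 
 rvm:
--
--
--
+- 2.2
+- 2.3
+- 2.4
+- 2.5
 - ruby-head
 - jruby-19mode
 
@@ -25,4 +29,5 @@ deploy:
 on:
 tags: true
 repo: "iphoting/ovpnmcgen.rb"
+ruby: 2.4.0
 branch: master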
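Review bot: The new `rvm` entries `- 2.2` through `- 2.5` are unquoted, so a generic YAML parser reads them as floats; Travis happens to stringify them, but the same pattern would silently turn a future `2.10` into `2.1`, so quote them as `- "2.2"` and so on. The added `ruby: 2.4.0` under `deploy.on` already reads as a string (two dots) but should follow the same quoting style as the list so the file is consistent.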
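--- a/data/ChangeLog
+++ b/data/ChangeLog
@@ -1,3 +1,9 @@
+= 0.6.0 / Unreleased
+* Added support for `EvaluateConnection`, `Domains`, via `--domains`. It will include an `ActionParameters` dict containing `Domains`, and if `--domain-probe-url` is set, also contains `RequiredURLStringProbe`.
+* Added support for updated bundle identifier (VPNSubType) `net.openvpn.connect.app` (changed since OpenVPN Connect 1.2.x), via `--v12compat`.
+* Added support for `--cert` and `--key` for inline attachment of certificate and key, to workaround bug in OpenVPN Connect 1.2.5.
+* Added support for `vpn-on-demand: 0` key/value pair when `--no-vod` is set, so that OpenVPN Connect can control this profile.
+
 = 0.5.0 / 2015-02-22
 * Specify multiple remotes with `--remotes "host2 1194 tcp","host3 1195 udp"` flag.
 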
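--- a/data/README.md
+++ b/data/README.md
@@ -47,18 +47,23 @@ Usage: ovpnmcgen.rb generate [options] <user> <device>
 -c, --config FILE Specify path to config file. [Default: .ovpnmcgen.rb.yml]
 --cafile FILE Path to OpenVPN CA file. (Required)
 --tafile FILE Path to TLS-Auth Key file.
+--cert FILE Path to Cert file.
+--key FILE Path to Private Key file.
 --host HOSTNAME Hostname of OpenVPN server. (Required)
 --proto PROTO OpenVPN server protocol. [Default: udp]
 -p, --port PORT OpenVPN server port. [Default: 1194]
---p12file FILE Path to user PKCS#12 file.
+--p12file FILE Path to user PKCS#12 file.
 --p12pass PASSWORD Password to unlock PKCS#12 file.
 --[no-]vod Enable or Disable VPN-On-Demand. [Default: Enabled]
+--v12compat Enable OpenVPN Connect 1.2.x compatibility. [Default: Disabled]
 --security-level LEVEL Security level of VPN-On-Demand Behaviour: paranoid, high, medium. [Default: high]
 --vpn-uuid UUID Override a VPN configuration payload UUID.
 --profile-uuid UUID Override a Profile UUID.
 --cert-uuid UUID Override a Certificate payload UUID.
 -t, --trusted-ssids SSIDS List of comma-separated trusted SSIDs.
 -u, --untrusted-ssids SSIDS List of comma-separated untrusted SSIDs.
+-d, --domains DOMAINS List of comma-separated domain names requiring VPN service.
+--domain-probe-url PROBE An HTTP(S) URL to probe, using a GET request. If no HTTP response code is received from the server, a VPN connection is established in response.
 --url-probe URL This URL must return HTTP status 200, without redirection, before the VPN service will try establishing.
 --remotes REMOTES List of comma-separated alternate remotes: "<host> <port> <proto>".
 --ovpnconfigfile FILE Path to OpenVPN client config file.
@@ -110,6 +115,13 @@ This feature can be enabled for statistical and maintenance-protection reasons.
 
 By enabling this option, you will need to reliably and quickly respond with HTTP status code 200 at the URL string supplied.
 
+### Domain Matching
+To require an iOS device to bring up the VPN when `example.com` is requested is not so easy, especially if it is has a publicly accessible DNS resolution.
+
+Apple provides an `EvaluateConnection` and `ActionParameters` configuration options with the view that certain domains will have DNS resolution failures, and hence, require the VPN to be up. In most corporate cases with internal-facing hostnames, it works well. See the `--domains` option.
+
+However, if there are certain sensitive public sites (or blocked sites) that you decide that a VPN should be brought up instead, you will need to additionally specify a `RequiredURLStringProbe` that returns a non-200 response. See the `--domain-probe-url` option.
+
 ## Examples
 
 ### Typical Usage
@@ -349,8 +361,26 @@ Output similar to above:
 -inkey path/to/john-ipad.key -in path/to/john-ipad.crt \
 -passout pass:p12passphrase -name john-ipad@vpn.example.com
 
+### Using OpenSSL to convert from PKCS#12 (.p12) to Cert PEM file
+openssl pkcs12 -in path/to/john-ipad.p12 -out path/to/john-ipad-cert.crt \
+-nodes -nokeys
+
+### Using OpenSSL to convert from PKCS#12 (.p12) to Key PEM file
+openssl pkcs12 -in path/to/john-ipad.p12 -out path/to/john-ipad-key.pem \
+-nodes -nocerts
+
 ## Known Issues
 
+- OpenVPN Connect v1.2.5 breaking changes
+
+*Diagnosis*: Certificates no longer found or VoD mobileconfig broken after OpenVPN Connect upgrade to v1.2.5.
+
+The VPN switch in the Settings.app jumps rapidly from On to Off, status switches from Connecting... to Disconnected immediately. No logs produced within the OpernVPN Connect app log viewer.
+
+This is caused by 1) a breaking change, where the `VPNSubType` has changed, and 2) a bug where the OpenVPN Connect is missing a keychain access entitlement from Apple.
+
+*Solution + Workaround*: Enable the `--v12compat` switch to resolve (1), and use `--cert` and `--key` switches to workaround (2).
+
 - "Not connected to Internet" error/behaviour when VPN should be established.
 
 *Diagnosis*: Load any site in Safari. An error message "Safari cannot open the page because your iPhone is not connected to the Internet" will be presented.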
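--- a/data/bin/ovpnmcgen.rb
+++ b/data/bin/ovpnmcgen.rb
@@ -19,20 +19,27 @@ command :generate do |c|
 c.example 'Typical Usage', 'ovpnmcgen.rb gen --trusted-ssids home --host vpn.example.com --cafile path/to/ca.pem --tafile path/to/ta.key --p12file path/to/john-ipad.p12 --p12pass p12passphrase john ipad'
 c.example 'Extended Usage', 'ovpnmcgen.rb gen --trusted-ssids home,school --untrusted-ssids virusnet --host vpn.example.com --cafile path/to/ca.pem --tafile path/to/ta.key --p12file path/to/john-ipad.p12 --p12pass p12passphrase john ipad'
 c.example 'Using OpenSSL to convert files into PKCS#12 (.p12)', 'openssl pkcs12 -export -out path/to/john-ipad.p12 -inkey path/to/john-ipad.key -in path/to/john-ipad.crt -passout pass:p12passphrase -name john-ipad@vpn.example.com'
+c.example 'Using OpenSSL to convert from PKCS#12 (.p12) to Cert PEM file', 'openssl pkcs12 -in path/to/john-ipad.p12 -out path/to/john-ipad-cert.crt -nodes -nokeys'
+c.example 'Using OpenSSL to convert from PKCS#12 (.p12) to Key PEM file', 'openssl pkcs12 -in path/to/john-ipad.p12 -out path/to/john-ipad-key.pem -nodes -nocerts'
 c.option '--cafile FILE', 'Path to OpenVPN CA file. (Required)'
 c.option '--tafile FILE', 'Path to TLS-Auth Key file.'
+c.option '--cert FILE', 'Path to Cert file.'
+c.option '--key FILE', 'Path to Private Key file.'
 c.option '--host HOSTNAME', 'Hostname of OpenVPN server. (Required)'
 c.option '--proto PROTO', 'OpenVPN server protocol. [Default: udp]'
 c.option '-p', '--port PORT', 'OpenVPN server port. [Default: 1194]'
 c.option '--p12file FILE', 'Path to user PKCS#12 file. (Required)'
 c.option '--p12pass PASSWORD', 'Password to unlock PKCS#12 file.'
 c.option '--[no-]vod', 'Enable or Disable VPN-On-Demand. [Default: Enabled]'
+c.option '--v12compat', 'Enable OpenVPN Connect 1.2.x compatibility. [Default: Disabled]'
 c.option '--security-level LEVEL', 'Security level of VPN-On-Demand Behaviour: paranoid, high, medium. [Default: high]'
 c.option '--vpn-uuid UUID', 'Override a VPN configuration payload UUID.'
 c.option '--profile-uuid UUID', 'Override a Profile UUID.'
 c.option '--cert-uuid UUID', 'Override a Certificate payload UUID.'
 c.option '-t', '--trusted-ssids SSIDS', Array, 'List of comma-separated trusted SSIDs.'
 c.option '-u', '--untrusted-ssids SSIDS', Array, 'List of comma-separated untrusted SSIDs.'
+c.option '-d', '--domains DOMAINS', Array, 'List of comma-separated domain names requiring VPN service.'
+c.option '--domain-probe-url PROBE', String, 'An HTTP(S) URL to probe, using a GET request. If no HTTP response code is received from the server, a VPN connection is established in response.'
 c.option '--url-probe URL', 'This URL must return HTTP status 200, without redirection, before the VPN service will try establishing.'
 c.option '--remotes REMOTES', Array, 'List of comma-separated alternate remotes: "<host> <port> <proto>".'
 c.option '--ovpnconfigfile FILE', 'Path to OpenVPN client config file.'
@@ -50,7 +57,11 @@ command :generate do |c|
 
 raise ArgumentError.new "Host is required" unless options.host or config.host
 raise ArgumentError.new "cafile is required" unless options.cafile or config.cafile
-
+
+# A --p12file or (--cert and --key) needs to be provided. Shall not prevent user from specifying both.
+unless (options.p12file or config.p12file) or ((options.cert or config.cert) and (options.key or config.key))
+raise ArgumentError.new "PKCS#12 or cert & key file required"
+end
 
 options.default :vod => case
 when config.vod == true || config.no_vod == false
@@ -69,7 +80,6 @@ command :generate do |c|
 inputs = {
 :user => user,
 :device => device,
-:p12file => options.p12file || config.p12file,
 :p12pass => options.p12pass || config.p12pass,
 :cafile => options.cafile || config.cafile,
 :host => options.host || config.host,
@@ -84,9 +94,15 @@ command :generate do |c|
 :security_level => options.security_level
 }
 inputs[:ovpnconfigfile] = options.ovpnconfigfile || config.ovpnconfigfile if options.ovpnconfigfile or config.ovpnconfigfile
+inputs[:p12file] = options.p12file || config.p12file if options.p12file or config.p12file
 inputs[:tafile] = options.tafile || config.tafile if options.tafile or config.tafile
+inputs[:cert] = options.cert || config.cert if options.cert or config.cert
+inputs[:key] = options.key || config.key if options.key or config.key
 inputs[:url_probe] = options.url_probe || config.url_probe if options.url_probe or config.url_probe
 inputs[:remotes] = options.remotes || config.remotes if options.remotes or config.remotes
+inputs[:domains] = options.domains || config.domains if options.domains or config.domains
+inputs[:domain_probe_url] = options.domain_probe_url || config.domain_probe_url if options.domain_probe_url or config.domain_probe_url
+inputs[:v12compat] = options.v12compat || config.v12compat if options.v12compat or config.v12compat
 
 unless options.output
 puts Ovpnmcgen.generate(inputs)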
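Review bot: The help text on the context line `c.option '--p12file FILE', 'Path to user PKCS#12 file. (Required)'` still says `(Required)`, yet the new check in the second hunk accepts `--cert` plus `--key` in its place and the README in this same change already drops the word; change it to `c.option '--p12file FILE', 'Path to user PKCS#12 file. (Required unless --cert and --key are given)'`. The new `--key FILE` option also deserves a caveat in its help, since lib/ovpnmcgen.rb copies the file's contents into the profile's VendorConfig as plain text: `c.option '--key FILE', 'Path to Private Key file. Embedded unencrypted in the generated profile.'`. The `command :generate do |c|` block starts and ends outside these hunks.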
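--- a/data/features/gen_basic.feature
+++ b/data/features/gen_basic.feature
@@ -16,6 +16,20 @@ Feature: Basic Generate Functionality
 p12file that should appear
 In base64 encoding as <data/>
 """
+And a file named "cert.crt" with:
+"""
+Contents of cert file
+With newlines
+And more newlines
+That should appear as one line
+"""
+And a file named "key.pem" with:
+"""
+Contents of key file
+With newlines
+And more newlines
+That should appear as one line
+"""
 
 Scenario: I need help
 When I run `ovpnmcgen.rb help g`
@@ -46,15 +60,22 @@ Feature: Basic Generate Functionality
 And the output should not contain "error: cafile"
 Then the output should contain "error: "
 
-
+@v0.6.0
+Scenario: Correct arguments with all required flags, host, cafile, except (either p12file or (cert and key)).
+When I run `ovpnmcgen.rb g --host aruba.cucumber.org --cafile ca.crt cucumber aruba`
+And the output should not contain "error: Host"
+And the output should not contain "error: cafile"
+Then the output should contain "error: PKCS#12 or cert & key"
+
+Scenario: Correct arguments with all required flags, host, cafile, and p12file (no cert and key).
 When I run `ovpnmcgen.rb g --host aruba.cucumber.org --cafile ca.crt --p12file p12file.p12 cucumber aruba`
 And the output should not contain "error: Host"
 And the output should not contain "error: cafile"
 And the output should not contain "error: PKCS#12"
-Then the output should
+Then the output should match:
 """
-
-<!DOCTYPE plist PUBLIC "
+<\?xml version="1.0" encoding="UTF-8"\?>
+<!DOCTYPE plist PUBLIC "-\/\/Apple*\/\/DTD PLIST 1.0\/\/EN" "http:\/\/www.apple.com\/DTDs\/PropertyList-1.0.dtd">
 <plist version="1.0">
 """
 And the output should match:
@@ -83,6 +104,52 @@ Feature: Basic Generate Functionality
 \s*<integer>1</integer>
 """
 
+@OCv1.2 @v0.6.0
+Scenario: Correct arguments with all required flags, host, cafile, cert, and key (no p12file).
+When I run `ovpnmcgen.rb g --host aruba.cucumber.org --cafile ca.crt --cert cert.crt --key key.pem cucumber aruba`
+And the output should not contain "error: Host"
+And the output should not contain "error: cafile"
+And the output should not contain "error: PKCS#12 or cert & key"
+Then the output should match:
+"""
+<\?xml version="1.0" encoding="UTF-8"\?>
+<!DOCTYPE plist PUBLIC "-\/\/Apple*\/\/DTD PLIST 1.0\/\/EN" "http:\/\/www.apple.com\/DTDs\/PropertyList-1.0.dtd">
+<plist version="1.0">
+"""
+And the output should match:
+"""
+<key>remote</key>
+\s*<string>aruba.cucumber.org 1194 udp</string>
+"""
+And the output should match:
+"""
+<key>ca</key>
+\s*<string>Contents of CA file\\nWith newlines\\nAnd more newlines\\nThat should appear as one line</string>
+"""
+And the output should match:
+"""
+<key>cert</key>
+\s*<string>Contents of cert file\\nWith newlines\\nAnd more newlines\\nThat should appear as one line</string>
+"""
+And the output should match:
+"""
+<key>key</key>
+\s*<string>Contents of key file\\nWith newlines\\nAnd more newlines\\nThat should appear as one line</string>
+"""
+And the output should match:
+"""
+<key>OnDemandEnabled</key>
+\s*<integer>1</integer>
+"""
+And the output should not match:
+"""
+<key>AuthenticationMethod</key>
+"""
+And the output should not match:
+"""
+<key>PayloadCertificateUUID</key>
+"""
+
 Scenario: The p12pass flag is set.
 When I run `ovpnmcgen.rb g --host aruba.cucumber.org --cafile ca.crt --p12file p12file.p12 --p12pass p12passphrase cucumber aruba`
 Then the output should match:
@@ -114,6 +181,7 @@ Feature: Basic Generate Functionality
 \s*<string>aruba.cucumber.org 1234 tcp</string>
 """
 
+@OCv1.2 @v0.6.0
 Scenario: The no-vod flag is set.
 When I run `ovpnmcgen.rb g --host aruba.cucumber.org --cafile ca.crt --p12file p12file.p12 --no-vod cucumber aruba`
 Then the output should match:
@@ -121,6 +189,42 @@ Feature: Basic Generate Functionality
 <key>OnDemandEnabled</key>
 \s*<integer>0</integer>
 """
+And the output should match:
+"""
+<key>vpn-on-demand</key>
+\s*<string>0</string>
+"""
+
+Scenario: The no-vod flag is not set.
+When I run `ovpnmcgen.rb g --host aruba.cucumber.org --cafile ca.crt --p12file p12file.p12 cucumber aruba`
+Then the output should match:
+"""
+<key>OnDemandEnabled</key>
+\s*<integer>1</integer>
+"""
+And the output should not match:
+"""
+<key>vpn-on-demand</key>
+\s*<string>0</string>
+"""
+
+@OCv1.2 @v0.6.0
+Scenario: The 1.2 flag is set.
+When I run `ovpnmcgen.rb g --host aruba.cucumber.org --cafile ca.crt --p12file p12file.p12 --v12compat cucumber aruba`
+Then the output should match:
+"""
+<key>VPNSubType</key>
+\s*<string>net.openvpn.connect.app</string>
+"""
+
+@OCv1.2 @v0.6.0
+Scenario: The 1.2 flag is not set.
+When I run `ovpnmcgen.rb g --host aruba.cucumber.org --cafile ca.crt --p12file p12file.p12 cucumber aruba`
+Then the output should match:
+"""
+<key>VPNSubType</key>
+\s*<string>net.openvpn.OpenVPN-Connect.vpnplugin</string>
+"""
 
 Scenario: The url-probe flag is set.
 When I run `ovpnmcgen.rb g --host aruba.cucumber.org --cafile ca.crt --p12file p12file.p12 --url-probe 'https://url.to.probe/' cucumber aruba`
@@ -219,7 +323,9 @@ Feature: Basic Generate Functionality
 And the file "fileout.mobileconfig" should contain:
 """
 <?xml version="1.0" encoding="UTF-8"?>
-
+"""
+And the file "fileout.mobileconfig" should contain:
+"""
 <plist version="1.0">
 """
 
@@ -238,3 +344,92 @@ Feature: Basic Generate Functionality
 \s*<string>2.example.org 1196 tcp</string>
 """
 And the output should not contain "<key>remote</key>"
+
+Scenario: The domains flag is not set.
+When I run `ovpnmcgen.rb g --host aruba.cucumber.org --cafile ca.crt --p12file p12file.p12 cucumber aruba`
+Then the output should not match:
+"""
+<key>Action</key>
+\s*<string>EvaluateConnection</string>
+"""
+And the output should not match:
+"""
+<key>ActionParameters</key>
+\s*<array>
+\s*<dict>
+\s*<key>DomainAction</key>
+\s*<string>ConnectIfNeeded</string>
+\s*<key>Domains</key>
+\s*</dict>
+\s*</array>
+"""
+
+Scenario: The domains flag is set with one domain.
+When I run `ovpnmcgen.rb g --host aruba.cucumber.org --cafile ca.crt --p12file p12file.p12 --domains "example.com" cucumber aruba`
+Then the output should match:
+"""
+<key>Action</key>
+\s*<string>EvaluateConnection</string>
+"""
+And the output should match:
+"""
+<key>ActionParameters</key>
+\s*<array>
+\s*<dict>
+\s*<key>DomainAction</key>
+\s*<string>ConnectIfNeeded</string>
+\s*<key>Domains</key>
+\s*<array>
+\s*<string>example\.com</string>
+\s*</array>
+\s*</dict>
+\s*</array>
+"""
+
+Scenario: The domains flag is set with multiple domains.
+When I run `ovpnmcgen.rb g --host aruba.cucumber.org --cafile ca.crt --p12file p12file.p12 --domains "*.example.com,example.com" cucumber aruba`
+Then the output should match:
+"""
+<key>Action</key>
+\s*<string>EvaluateConnection</string>
+"""
+And the output should match:
+"""
+<key>ActionParameters</key>
+\s*<array>
+\s*<dict>
+\s*<key>DomainAction</key>
+\s*<string>ConnectIfNeeded</string>
+\s*<key>Domains</key>
+\s*<array>
+\s*<string>\*\.example\.com</string>
+\s*<string>example\.com</string>
+\s*</array>
+\s*</dict>
+\s*</array>
+"""
+
+Scenario: The domains flag is set with multiple domains and domain probe URL is set.
+When I run `ovpnmcgen.rb g --host aruba.cucumber.org --cafile ca.crt --p12file p12file.p12 --domains "*.example.com,example.com" --domain-probe-URL "https://example.com/404.html" cucumber aruba`
+Then the output should match:
+"""
+<key>Action</key>
+\s*<string>EvaluateConnection</string>
+"""
+And the output should match:
+"""
+<key>ActionParameters</key>
+\s*<array>
+\s*<dict>
+\s*<key>DomainAction</key>
+\s*<string>ConnectIfNeeded</string>
+\s*<key>Domains</key>
+\s*<array>
+\s*<string>\*\.example\.com</string>
+\s*<string>example\.com</string>
+\s*</array>
+\s*<key>RequiredURLStringProbe</key>
+\s*<string>https:\/\/example\.com\/404\.html</string>
+\s*</dict>
+\s*</array>
+"""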
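Review bot: The last new scenario invokes `--domain-probe-URL "https://example.com/404.html"` while bin/ovpnmcgen.rb in this same change declares the option as `--domain-probe-url`; it presumably passes only because OptionParser matches long options case-insensitively, so the scenario is not exercising the documented spelling. Use `--domain-probe-url` there so the feature file agrees with the CLI help and the README. The cert/key scenario asserts that the key material appears verbatim under `<key>key</key>`, which is the intended behaviour, but a one-line `# the generated profile carries the private key in cleartext` comment above that scenario would make the expectation explicit for the next reader.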
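--- a/data/features/gen_ovpnconfigfile_input.feature
+++ b/data/features/gen_ovpnconfigfile_input.feature
@@ -148,10 +148,10 @@ Feature: Generate Functionality From Supplied OpenVPN Config File
 
 Scenario: A decent openvpn config file is specified.
 When I run `ovpnmcgen.rb g --host aruba.cucumber.org --cafile ca.crt --p12file p12file.p12 --ovpnconfigfile clean.ovpn cucumber aruba`
-Then the output should
+Then the output should match:
 """
-
-<!DOCTYPE plist PUBLIC "
+<\?xml version="1.0" encoding="UTF-8"\?>
+<!DOCTYPE plist PUBLIC "-\/\/Apple*\/\/DTD PLIST 1.0\/\/EN" "http:\/\/www.apple.com\/DTDs\/PropertyList-1.0.dtd">
 <plist version="1.0">
 """
 And the output should contain "aruba.cucumber.org 1194 udp"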
data/features/support/setup.rb
CHANGED
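--- a/data/lib/ovpnmcgen.rb
+++ b/data/lib/ovpnmcgen.rb
@@ -18,11 +18,13 @@ module Ovpnmcgen
 trusted_ssids = inputs[:trusted_ssids] || false
 untrusted_ssids = inputs[:untrusted_ssids] || false
 remotes = inputs[:remotes] || false
+vodDomains = inputs[:domains] || false
 
 # Ensure [un]trusted_ssids are Arrays.
 trusted_ssids = Array(trusted_ssids) if trusted_ssids
 untrusted_ssids = Array(untrusted_ssids) if untrusted_ssids
 remotes = Array(remotes) if remotes
+vodDomains = Array(vodDomains) if vodDomains
 
 begin
 ca_cert = File.readlines(inputs[:cafile]).map { |x| x.chomp }.join('\n')
@@ -38,12 +40,26 @@ module Ovpnmcgen
 exit
 end if inputs[:tafile]
 
+begin
+cert_file = File.readlines(inputs[:cert]).map { |x| x.chomp }.join('\n')
+rescue Errno::ENOENT
+puts "Cert file not found: #{inputs[:cert]}!"
+exit
+end if inputs[:cert]
+
+begin
+key_file = File.readlines(inputs[:key]).map { |x| x.chomp }.join('\n')
+rescue Errno::ENOENT
+puts "Key file not found: #{inputs[:key]}!"
+exit
+end if inputs[:key]
+
 begin
 p12file = Base64.encode64(File.read(inputs[:p12file]))
 rescue Errno::ENOENT
-puts "
+puts "PKCS#12 file not found: #{inputs[:p12file]}!"
 exit
-end
+end if inputs[:p12file]
 
 unless inputs[:ovpnconfigfile].nil?
 ovpnconfighash = Ovpnmcgen.getOVPNVendorConfigHash(inputs[:ovpnconfigfile])
@@ -66,6 +82,9 @@ module Ovpnmcgen
 ovpnconfighash['ca'] = ca_cert
 ovpnconfighash['tls-auth'] = tls_auth if inputs[:tafile]
 ovpnconfighash['key-direction'] = '1' if inputs[:tafile]
+ovpnconfighash['cert'] = cert_file if inputs[:cert]
+ovpnconfighash['key'] = key_file if inputs[:key]
+ovpnconfighash['vpn-on-demand'] = '0' unless enableVOD
 
 vpnOnDemandRules = Array.new
 vodTrusted = { # Trust only Wifi SSID
@@ -87,6 +106,19 @@ module Ovpnmcgen
 'Ignore'
 end
 }
+
+vodDomainOnlyActionParam = {
+'Domains' => vodDomains,
+'DomainAction' => 'ConnectIfNeeded'
+}
+vodDomainOnlyActionParam['RequiredURLStringProbe'] = inputs[:domain_probe_url] if inputs[:domain_probe_url]
+
+vodDomainOnly = { # When a domain is searched, bring up VPN
+'Action' => 'EvaluateConnection',
+#'DNSDomainMatch' => vodDomains # this key only works for configured DNS domains search list.
+'ActionParameters' => [vodDomainOnlyActionParam]
+}
+
 vodCellularOnly = { # Trust Cellular
 'InterfaceTypeMatch' => 'Cellular',
 'Action' => case inputs[:security_level]
@@ -106,13 +138,16 @@ module Ovpnmcgen
 vodTrusted['URLStringProbe'] =
 vodUntrusted['URLStringProbe'] =
 vodWifiOnly['URLStringProbe'] =
+vodDomainOnly['URLStringProbe'] =
 vodCellularOnly['URLStringProbe'] =
 vodDefault['URLStringProbe'] =
 inputs[:url_probe] if inputs[:url_probe]
 
 vpnOnDemandRules << vodTrusted if trusted_ssids
 vpnOnDemandRules << vodUntrusted if untrusted_ssids
-vpnOnDemandRules << vodWifiOnly
+vpnOnDemandRules << vodWifiOnly
+vpnOnDemandRules << vodDomainOnly if vodDomains
+vpnOnDemandRules << vodCellularOnly << vodDefault
 vpnOnDemandRules << { # Default catch-all when URLStringProbe is enabled and returns false to prevent circular race.
 'Action' => 'Ignore'
 } if inputs[:url_probe]
@@ -128,7 +163,7 @@ module Ovpnmcgen
 'PayloadType' => 'com.apple.security.pkcs12',
 'PayloadUUID' => certUUID,
 'PayloadVersion' => 1
-}
+} if p12file
 
 vpn = {
 'PayloadDescription' => "Configures VPN settings, including authentication.",
@@ -146,12 +181,17 @@ module Ovpnmcgen
 'PayloadCertificateUUID' => certUUID,
 'RemoteAddress' => 'DEFAULT'
 },
-'VPNSubType' => 'net.openvpn.OpenVPN-Connect.vpnplugin',
+'VPNSubType' => (inputs[:v12compat])? 'net.openvpn.connect.app' : 'net.openvpn.OpenVPN-Connect.vpnplugin',
 'VPNType' => 'VPN',
 'VendorConfig' => ovpnconfighash
 }
+unless p12file
+vpn['VPN'].delete('AuthenticationMethod')
+vpn['VPN'].delete('PayloadCertificateUUID')
+end
 
-plistPayloadContent = [vpn
+plistPayloadContent = [vpn]
+plistPayloadContent << cert if p12file
 #encPlistPayloadContent = cmsEncrypt([vpn, cert].to_plist).der_format
 
 plist = {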
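Review bot: In the new `begin … end if inputs[:cert]` and `… if inputs[:key]` blocks (and the reworked p12 block) a missing file prints a message and then calls bare `exit`, which terminates with status 0 so a calling script cannot tell that no profile was produced, and only `Errno::ENOENT` is rescued, so an unreadable key file (a typical mode-0600 file owned by another user) escapes as an uncaught `Errno::EACCES` with a backtrace. A more robust shape, which the pre-existing cafile/tafile blocks would also benefit from, is `rescue SystemCallError => e` followed by `abort "Key file not readable: #{inputs[:key]} (#{e.message})"`, which writes to stderr and exits non-zero. In the fifth hunk `vodDomainOnly` is pushed after `vodWifiOnly` and before `vodCellularOnly`; since `vodDomainOnly` carries no match criteria it appears to make `vodCellularOnly` and `vodDefault` unreachable whenever `--domains` is set, and if `vodWifiOnly` (defined outside the hunk) matches every Wi-Fi interface the domain rule is only reached off Wi-Fi, so the intended precedence is worth confirming and stating in a comment. Because the `cmsEncrypt` line stays commented out, `ovpnconfighash['key'] = key_file` embeds the private key in cleartext in the output; add above it `# NOTE: the key is written unencrypted into the profile; treat the generated .mobileconfig as a secret.` The enclosing method starts and ends outside these hunks.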
data/lib/ovpnmcgen/version.rb
CHANGED
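--- a/data/ovpnmcgen.rb.gemspec
+++ b/data/ovpnmcgen.rb.gemspec
@@ -6,7 +6,7 @@ require 'ovpnmcgen/version'
 Gem::Specification.new do |spec|
 spec.name = "ovpnmcgen.rb"
 spec.version = Ovpnmcgen::VERSION
-spec.version = "#{spec.version}-pre-#{ENV['TRAVIS_BUILD_NUMBER']}" if ENV['TRAVIS']
+#spec.version = "#{spec.version}-pre-#{ENV['TRAVIS_BUILD_NUMBER']}" if ENV['TRAVIS']
 spec.authors = ["Ronald Ip"]
 spec.email = ["myself@iphoting.com"]
 spec.summary = Ovpnmcgen::SUMMARY
@@ -22,7 +22,7 @@ Gem::Specification.new do |spec|
 spec.required_ruby_version = '>= 1.9.3'
 
 spec.add_development_dependency "bundler", "~> 1.5"
-spec.add_development_dependency "rake"
+spec.add_development_dependency "rake"
 spec.add_development_dependency "aruba", "~> 0.5", ">= 0.5.4"
 spec.add_runtime_dependency "plist", "~> 3.1", ">= 3.1.0"
 spec.add_runtime_dependency "commander", "~> 4.1", ">= 4.1.6"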
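Review bot: The line `#spec.version = "#{spec.version}-pre-#{ENV['TRAVIS_BUILD_NUMBER']}" if ENV['TRAVIS']` is commented out rather than deleted, leaving dead code that still reads as if CI builds receive a pre-release suffix. Remove the line (version control keeps it) or replace it with a one-line comment stating why the CI-numbered pre-release versioning was dropped.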
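--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: ovpnmcgen.rb
 version: !ruby/object:Gem::Version
-version: 0.
+version: 0.6.0.pre1
 platform: ruby
 authors:
 - Ronald Ip
 autorequire:
 bindir: bin
 cert_chain: []
-date:
+date: 2018-01-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: bundler
@@ -28,16 +28,16 @@ dependencies:
 name: rake
 requirement: !ruby/object:Gem::Requirement
 requirements:
-- - "
+- - ">="
 - !ruby/object:Gem::Version
-version: '
+version: '0'
 type: :development
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
-- - "
+- - ">="
 - !ruby/object:Gem::Version
-version: '
+version: '0'
 - !ruby/object:Gem::Dependency
 name: aruba
 requirement: !ruby/object:Gem::Requirement
@@ -139,7 +139,6 @@ files:
 - features/gen_basic.feature
 - features/gen_configfile.feature
 - features/gen_ovpnconfigfile_input.feature
-- features/step_definitions/env.rb
 - features/support/setup.rb
 - lib/ovpnmcgen.rb
 - lib/ovpnmcgen/config.rb
@@ -162,12 +161,12 @@ required_ruby_version: !ruby/object:Gem::Requirement
 version: 1.9.3
 required_rubygems_version: !ruby/object:Gem::Requirement
 requirements:
-- - "
+- - ">"
 - !ruby/object:Gem::Version
-version:
+version: 1.3.1
 requirements: []
 rubyforge_project:
-rubygems_version: 2.
+rubygems_version: 2.6.14
 signing_key:
 specification_version: 4
 summary: An OpenVPN iOS Configuration Profile (.mobileconfig) Utility
@@ -175,5 +174,4 @@ test_files:
 - features/gen_basic.feature
 - features/gen_configfile.feature
 - features/gen_ovpnconfigfile_input.feature
-- features/step_definitions/env.rb
 - features/support/setup.rb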