#!/bin/bash
#
# Copyright (C) 2026 Nikos Mavrogiannopoulos
#
# This file is part of ocserv.
#
# ocserv is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at
# your option) any later version.
#
# ocserv is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

# Behavioral test for ocserv-fw-nftables when restrict-user-to-ports
# (allow-list form) and restrict-user-to-routes are both active.
#
# restrict-user-to-ports implies restrict-user-to-routes=true, so when
# an allow-list is used the fw script must enforce both policies at once:
# allowed ports are forwarded to a route-restriction chain, while ports
# not in the allow-list are rejected before reaching that chain.
#
# Three cases are verified:
#   1. allowed port + advertised route   -> connection succeeds
#   2. denied port  + advertised route   -> rejected at port level
#   3. allowed port + non-advertised route -> rejected at route level

SERV="${SERV:-../src/ocserv}"
srcdir=${srcdir:-.}
PIDFILE=ocserv-pid.$$.tmp
CLIPID=oc-pid.$$.tmp
TMPFILE=cookie.$$.tmp
PATH=${PATH}:/usr/sbin
IP=$(which ip)

. "$(dirname $0)/common.sh"

eval "${GETPORT}"

if test -z "${IP}"; then
	echo "no IP tool is present"
	exit 77
fi

if ! command -v nft >/dev/null 2>&1; then
	echo "Skipping: nft not found"
	exit 77
fi

if ! command -v ncat >/dev/null 2>&1; then
	echo "Error: ncat not found"
	exit 1
fi

echo "Testing ocserv-fw-nftables with restrict-user-to-ports (allow-list) + restrict-user-to-routes..."

# Point ocserv at the local (uninstalled) nftables fw script.
export OCSERV_FW_SCRIPT="$(realpath "${srcdir}/../src/ocserv-fw-nftables")"

LISTENER_PID=""

function finish {
	set +e
	echo " * Cleaning up..."
	test -n "${LISTENER_PID}" && kill "${LISTENER_PID}" >/dev/null 2>&1
	test -n "${CLIPID}" && kill "$(cat ${CLIPID})" >/dev/null 2>&1
	test -n "${CLIPID}" && rm -f "${CLIPID}" >/dev/null 2>&1
	test -n "${PID}" && kill "${PID}" >/dev/null 2>&1
	test -n "${PIDFILE}" && rm -f "${PIDFILE}" >/dev/null 2>&1
	test -n "${CONFIG}" && rm -f "${CONFIG}" >/dev/null 2>&1
	rm -f "${TMPFILE}" >/dev/null 2>&1
}
trap finish EXIT

OCCTL_SOCKET=./occtl-fw-pr-$$.socket
USERNAME=test

. "$(dirname $0)/random-net.sh"
. "$(dirname $0)/random-net2.sh"

# Advertise only CLI_ADDRESS2 as a split-tunnel route.
ROUTE1="${CLI_ADDRESS2}/32"

. "$(dirname $0)/ns.sh"

# ns.sh sets NS3's default route via CLI_ADDRESS2 (its own address), which
# does not produce a usable outbound path.  Replace it with a route via
# ADDRESS2 (NS2's end of the ETHNAME4/ETHNAME3 veth pair) so that NS3 can
# send replies back to VPN clients forwarded through NS2.
${IP} -n "${NSNAME3}" route replace default via "${ADDRESS2}" dev "${ETHNAME3}" onlink

# Enable IP forwarding in NS2 so the kernel forwards VPN traffic from the
# TUN device to ETHNAME4 toward NS3.
${IP} netns exec "${NSNAME2}" sysctl -w net.ipv4.ip_forward=1 >/dev/null

# Add a second IP on NS3 that ocserv will NOT advertise to clients.
# This simulates an address a user tries to reach by manually adding a
# route after the VPN is up.
BLOCKED_IP="10.111.0.1"
${IP} -n "${NSNAME3}" addr add "${BLOCKED_IP}/32" dev "${ETHNAME3}"
# NS2 must have a route to BLOCKED_IP so packets reach the forward chain.
${IP} -n "${NSNAME2}" route add "${BLOCKED_IP}/32" via "${ADDRESS2}" dev "${ETHNAME4}" onlink

update_config fw-ocserv-ports-routes.config

if test "${VERBOSE}" = 1; then
	DEBUG="-d 3"
fi

${CMDNS2} ${SERV} -p "${PIDFILE}" -f -c "${CONFIG}" ${DEBUG} &
PID=$!

sleep 4

echo " * Getting cookie from ${ADDRESS}:${PORT}..."
echo "test" | ${CMDNS1} ${OPENCONNECT} "${ADDRESS}:${PORT}" \
	-u "${USERNAME}" \
	--servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= \
	--authenticate --passwd-on-stdin >"${TMPFILE}"
if test $? != 0; then
	echo "Could not get cookie from server"
	cat "${TMPFILE}"
	exit 1
fi

echo " * Connecting to ${ADDRESS}:${PORT}..."
( echo "test" | ${CMDNS1} ${OPENCONNECT} "${ADDRESS}:${PORT}" \
	-u "${USERNAME}" \
	--servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= \
	-s "${srcdir}/scripts/vpnc-script" \
	--pid-file="${CLIPID}" \
	--passwd-on-stdin -b ) || { echo "Could not connect to server"; exit 1; }

sleep 2

# Simulate the user manually adding a route to the non-advertised destination.
${IP} -n "${NSNAME1}" route add "${BLOCKED_IP}/32" via "${VPNADDR}"

# start_listener PORT — TCP listener in NS3.
start_listener() {
	${CMDNS3} ncat -l -p "$1" >/dev/null 2>&1 &
	LISTENER_PID=$!
	sleep 0.2
}

stop_listener() {
	test -n "${LISTENER_PID}" && kill "${LISTENER_PID}" >/dev/null 2>&1 || true
	LISTENER_PID=""
}

# tcp_ok IP PORT — connect from NS1; returns 0 if connection succeeds.
tcp_ok() {
	${CMDNS1} ncat -w 1 "$1" "$2" </dev/null >/dev/null 2>&1
}

echo -n " * TCP 80 to advertised route (allowed port + allowed route) should succeed ... "
start_listener 80
tcp_ok "${CLI_ADDRESS2}" 80 || { echo "FAIL: should be reachable"; exit 1; }
stop_listener
echo "ok"

echo -n " * TCP 443 to advertised route (denied port) should be blocked ... "
start_listener 443
tcp_ok "${CLI_ADDRESS2}" 443 && { echo "FAIL: port 443 is not in the allow-list"; exit 1; }
stop_listener
echo "ok"

echo -n " * TCP 80 to non-advertised route (allowed port, blocked route) should be blocked ... "
start_listener 80
tcp_ok "${BLOCKED_IP}" 80 && { echo "FAIL: non-advertised route should be rejected"; exit 1; }
stop_listener
echo "ok"

echo -n " * ICMP to advertised route (not in allow-list) should be blocked ... "
${CMDNS1} ping -c 1 -W 2 "${CLI_ADDRESS2}" >/dev/null 2>&1 && \
	{ echo "FAIL: ping should be rejected (ICMP not in allow-list)"; exit 1; }
echo "ok"

echo " * Disconnecting VPN client..."
kill "$(cat ${CLIPID})" 2>/dev/null || true
rm -f "${CLIPID}"
sleep 2

echo -n " * nft fw table should be removed after disconnect ... "
${CMDNS2} nft list ruleset 2>/dev/null | grep -q "ocserv_" && \
	{ echo "FAIL: nft fw table still present after disconnect"; exit 1; }
echo "ok"

echo "All tests passed."
exit 0
