fix: support fingerprint mode in client management operations (#1446)

## Summary Fixes fingerprint mode (OpenVPN 2.6+ peer-fingerprint authentication) which was broken for client management operations. ### CI Fix Docker environment variables (`AUTH_MODE`, etc.) weren't being passed to the systemd service running tests. Added `PassEnvironment` directive to fix this. ### Script Fixes In fingerprint mode, `easyrsa self-sign-*` commands don't create/maintain `index.txt`, but several functions depended on it. **Fixed operations:** - `selectClient()`: uses fingerprints from server.conf instead of index.txt - `listClients()`: scans certs in pki/issued/, marks those without fingerprint as revoked - `newClient()`: duplicate check works in fingerprint mode, cleans up revoked cert files for name reuse - `revokeClient()`: removes fingerprint from server.conf, keeps cert for listing - `renewClient()`: uses `self-sign-client` instead of `easyrsa renew` - `renewServer()`: uses `self-sign-server` + regenerates all client configs (they embed server fingerprint) **New helpers:** - `getAuthMode()` - returns "pki" or "fingerprint" - `getClientsFromFingerprints()` - parses client names from server.conf - `clientExistsInFingerprints()` - checks client existence - `getCertExpiry()` - extracts expiry date/days from cert file - `removeCertFiles()` - removes cert/key/req files for regeneration - `extractFingerprint()` - gets SHA256 fingerprint from cert Fixes #1444
2025-12-31 06:57:02 +01:00 · 2025-12-29 17:04:45 +01:00
parent 62e98f79e0
commit 28050efa50
3 changed files with 275 additions and 79 deletions
--- a/test/Dockerfile.server
+++ b/test/Dockerfile.server
@@ -71,6 +71,7 @@ COPY test/validate-output.sh /opt/test/validate-output.sh
 RUN chmod +x /entrypoint.sh /opt/test/validate-output.sh

 # Create systemd service for the test script
+# PassEnvironment passes Docker env vars (-e) from PID 1 to the service
 RUN printf '%s\n' \
    '[Unit]' \
    'Description=OpenVPN Installation Test' \
@@ -79,6 +80,7 @@ RUN printf '%s\n' \
    '[Service]' \
    'Type=oneshot' \
    'Environment=HOME=/root' \
+    'PassEnvironment=AUTH_MODE TLS_SIG TLS_KEY_FILE TLS_VERSION_MIN TLS13_CIPHERSUITES CLIENT_IPV6 VPN_SUBNET_IPV6' \
    'WorkingDirectory=/root' \
    'ExecStart=/entrypoint.sh' \
    'RemainAfterExit=yes' \
--- a/test/server-entrypoint.sh
+++ b/test/server-entrypoint.sh
@@ -203,7 +203,7 @@ if [ "$DUPLICATE_EXIT_CODE" -ne 1 ]; then
 	cat "$DUPLICATE_OUTPUT"
 	exit 1
 fi
-if grep -q "The specified client CN was already found in easy-rsa" "$DUPLICATE_OUTPUT"; then
+if grep -q "The specified client CN was already found" "$DUPLICATE_OUTPUT"; then
 	echo "PASS: Duplicate client name correctly rejected with exit code 1"
 else
 	echo "FAIL: Expected error message for duplicate client name not found"
@@ -538,6 +538,11 @@ done
 # Allow routing to stabilize after renewal restart
 sleep 3

+# Update shared client config after server renewal (fingerprint changed)
+cp /root/testclient.ovpn /shared/client.ovpn
+sed -i 's/^remote .*/remote openvpn-server 1194/' /shared/client.ovpn
+echo "Updated client config with new server fingerprint"
+
 # =====================================================
 # Verify Unbound DNS resolver (started by systemd via install script)
 # =====================================================