openvpn/doc/tests/authentication-plugins.md
David Sommerseth 79a111c7e1 sample-plugin: New plugin for testing multiple auth plugins
This plugin allows setting username/passwords as well as configuring
deferred authentication behaviour as part of the runtime initialization.

With this plug-in it is easier to test various scenarios where multiple
authentication plug-ins are active on the server side.

A test documentation was also added to describe various test cases and
the expected results.

Signed-off-by: David Sommerseth <davids@openvpn.net>

Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20220313193154.9350-2-openvpn@sf.lists.topphemmelig.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23932.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2022-03-15 16:29:22 +01:00


# TESTING OF MULTIPLE AUTHENTICATION PLUG-INS

OpenVPN 2.x can support loading and authenticating users through multiple
plug-ins at the same time. But it can only support a single plug-in doing
deferred authentication. However, a plug-in supporting deferred
authentication may be accompanied by other authentication plug-ins **not**
doing deferred authentication.

This is a test script useful to test the various combinations and order of
plug-in execution.

The configuration files are expected to be used from the root of the build
directory.

To build the needed authentication plug-in, run:

```
make -C sample/sample-plugins
```

## Test configs

* Client config

  ```
  verb 4
  dev tun
  client
  remote x.x.x.x
  ca sample/sample-keys/ca.crt
  cert sample/sample-keys/client.crt
  key sample/sample-keys/client.key
  auth-user-pass
  ```

* Base server config (`base-server.conf`)

  ```
  verb 4
  dev tun
  server 10.8.0.0 255.255.255.0
  dh sample/sample-keys/dh2048.pem
  ca sample/sample-keys/ca.crt
  cert sample/sample-keys/server.crt
  key sample/sample-keys/server.key
  ```

## Test cases

### Test: *sanity-1*

This tests the basic authentication with an instant answer.

```
config base-server.conf
plugin multi-auth.so S1.1 0 foo bar
```

#### Expected results

- Username/password `foo`/`bar`: **PASS**
- Anything else: **FAIL**

### Test: *sanity-2*

This is similar to `sanity-1`, but does the authentication
through two plug-ins providing an instant reply.

```
config base-server.conf
plugin multi-auth.so S2.1 0 foo bar
plugin multi-auth.so S2.2 0 foo bar
```

#### Expected results

- Username/password `foo`/`bar`: **PASS**
- Anything else: **FAIL**

### Test: *sanity-3*

This is also similar to `sanity-1`, but uses deferred authentication
with a 1 second delay on the response.

```
plugin multi-auth.so S3.1 1000 foo bar
```

#### Expected results

- Username/password `foo`/`bar`: **PASS**
- Anything else: **FAIL**

### Test: *case-a*

Runs two authentications, the first one deferred by 1 second and the
second one providing an instant response.

```
plugin multi-auth.so A.1 1000 foo bar
plugin multi-auth.so A.2 0 foo bar
```

#### Expected results

- Username/password `foo`/`bar`: **PASS**
- Anything else: **FAIL**

### Test: *case-b*

This is similar to `case-a`, but the instant authentication response
is provided first before the deferred authentication.

```
plugin multi-auth.so B.1 0 foo bar
plugin multi-auth.so B.2 1000 test pass
```

#### Expected results

- **Always FAIL**
- This test should never pass, as each plug-in expects different
  usernames and passwords.

### Test: *case-c*

This is similar to the two prior tests, but the authentication result
is returned instantly in both steps.

```
plugin multi-auth.so C.1 0 foo bar
plugin multi-auth.so C.2 0 foo2 bar2
```

#### Expected results

- **Always FAIL**
- This test should never pass, as each plug-in expects different
  usernames and passwords.

### Test: *case-d*

This is similar to the `case-b` test, but the order of deferred
and instant response is reversed.

```
plugin ./multi-auth.so D.1 2000 test pass
plugin ./multi-auth.so D.2 0 foo bar
```

#### Expected results

- **Always FAIL**
- This test should never pass, as each plug-in expects different
  usernames and passwords.

### Test: *case-e*

This test case will run two deferred authentication plug-ins. This is
**not** supported by OpenVPN, and should therefore fail instantly.

```
plugin ./multi-auth.so E1 1000 test1 pass1
plugin ./multi-auth.so E2 2000 test2 pass2
```

#### Expected results

- The OpenVPN server process should stop running
- An error about multiple deferred plug-ins being configured
  should be seen in the server log.