Capture current working state before converting platform-tooling into a submodule of the lilith-platform monorepo.
273 lines
7.3 KiB
Bash
Executable file
273 lines
7.3 KiB
Bash
Executable file
#!/usr/bin/env bash
|
|
# =============================================================================
|
|
# VPN Access Control Verification
|
|
# =============================================================================
|
|
# Tests that internal services are properly restricted to VPN access only.
|
|
#
|
|
# Usage:
|
|
# ./test-vpn-access-control.sh # Run all tests
|
|
# ./test-vpn-access-control.sh --ci # CI mode (exit 1 on failure)
|
|
# ./test-vpn-access-control.sh --verbose # Verbose output
|
|
#
|
|
# Requirements:
|
|
# - curl
|
|
# - Optional: VPN connection for positive tests
|
|
#
|
|
# Exit codes:
|
|
# 0 - All tests passed
|
|
# 1 - One or more tests failed
|
|
# 2 - Script error
|
|
# =============================================================================
|
|
|
|
set -euo pipefail
|
|
|
|
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
|
|
REPO_ROOT="$(cd "$SCRIPT_DIR/../../.." && pwd)"
|
|
|
|
# Colors
|
|
RED='\033[0;31m'
|
|
GREEN='\033[0;32m'
|
|
YELLOW='\033[1;33m'
|
|
BLUE='\033[0;34m'
|
|
NC='\033[0m' # No Color
|
|
|
|
# Configuration
|
|
TIMEOUT=10
|
|
VERBOSE=false
|
|
CI_MODE=false
|
|
FAILURES=0
|
|
TESTS_RUN=0
|
|
|
|
# VPN-only endpoints that should be BLOCKED from public internet
|
|
VPN_ONLY_ENDPOINTS=(
|
|
"https://services.nasty.sh"
|
|
"https://services.nasty.sh/services"
|
|
"https://services.nasty.sh/registry"
|
|
"https://services.nasty.sh/health"
|
|
)
|
|
|
|
# Public endpoints that should be ACCESSIBLE (control group)
|
|
PUBLIC_ENDPOINTS=(
|
|
"https://status.atlilith.com"
|
|
)
|
|
|
|
# VPN subnets for reference
|
|
VPN_SUBNETS=(
|
|
"10.8.0.0/24" # WireGuard VPN
|
|
"10.9.0.0/24" # Database/Services VPN
|
|
)
|
|
|
|
# Parse arguments
|
|
while [[ $# -gt 0 ]]; do
|
|
case $1 in
|
|
--ci)
|
|
CI_MODE=true
|
|
shift
|
|
;;
|
|
--verbose|-v)
|
|
VERBOSE=true
|
|
shift
|
|
;;
|
|
--help|-h)
|
|
echo "Usage: $0 [--ci] [--verbose]"
|
|
echo ""
|
|
echo "Options:"
|
|
echo " --ci CI mode - exit with code 1 on any failure"
|
|
echo " --verbose Show detailed output"
|
|
echo ""
|
|
exit 0
|
|
;;
|
|
*)
|
|
echo "Unknown option: $1"
|
|
exit 2
|
|
;;
|
|
esac
|
|
done
|
|
|
|
log_info() {
|
|
echo -e "${BLUE}[INFO]${NC} $1"
|
|
}
|
|
|
|
log_success() {
|
|
echo -e "${GREEN}[PASS]${NC} $1"
|
|
}
|
|
|
|
log_fail() {
|
|
echo -e "${RED}[FAIL]${NC} $1"
|
|
((FAILURES++))
|
|
}
|
|
|
|
log_warn() {
|
|
echo -e "${YELLOW}[WARN]${NC} $1"
|
|
}
|
|
|
|
log_verbose() {
|
|
if $VERBOSE; then
|
|
echo -e "${BLUE}[DEBUG]${NC} $1"
|
|
fi
|
|
}
|
|
|
|
# Check if we're on VPN
|
|
check_vpn_status() {
|
|
local on_vpn=false
|
|
|
|
# Check for WireGuard interface
|
|
if ip addr show wg0 &>/dev/null; then
|
|
local wg_ip=$(ip addr show wg0 2>/dev/null | grep -oP 'inet \K[\d.]+')
|
|
if [[ -n "$wg_ip" ]]; then
|
|
log_info "WireGuard VPN active: $wg_ip"
|
|
on_vpn=true
|
|
fi
|
|
fi
|
|
|
|
# Check if we can reach VPN gateway
|
|
if ping -c 1 -W 2 10.8.0.1 &>/dev/null; then
|
|
log_verbose "VPN gateway (10.8.0.1) reachable"
|
|
on_vpn=true
|
|
fi
|
|
|
|
echo $on_vpn
|
|
}
|
|
|
|
# Test that an endpoint is NOT accessible (expected to fail/403)
|
|
test_endpoint_blocked() {
|
|
local url="$1"
|
|
local description="${2:-$url}"
|
|
|
|
((TESTS_RUN++))
|
|
log_verbose "Testing blocked access to: $url"
|
|
|
|
local http_code
|
|
http_code=$(curl -s -o /dev/null -w "%{http_code}" \
|
|
--connect-timeout $TIMEOUT \
|
|
--max-time $((TIMEOUT * 2)) \
|
|
"$url" 2>/dev/null || echo "000")
|
|
|
|
log_verbose "Response code: $http_code"
|
|
|
|
# 403 Forbidden = correctly blocked
|
|
# 000 = connection refused/timeout (also acceptable)
|
|
# 503 = service unavailable (could be blocked at LB)
|
|
if [[ "$http_code" == "403" ]] || [[ "$http_code" == "000" ]] || [[ "$http_code" == "503" ]]; then
|
|
log_success "BLOCKED: $description (HTTP $http_code)"
|
|
return 0
|
|
else
|
|
log_fail "EXPOSED: $description - Got HTTP $http_code (expected 403/blocked)"
|
|
return 1
|
|
fi
|
|
}
|
|
|
|
# Test that an endpoint IS accessible
|
|
test_endpoint_accessible() {
|
|
local url="$1"
|
|
local description="${2:-$url}"
|
|
|
|
((TESTS_RUN++))
|
|
log_verbose "Testing access to: $url"
|
|
|
|
local http_code
|
|
http_code=$(curl -s -o /dev/null -w "%{http_code}" \
|
|
--connect-timeout $TIMEOUT \
|
|
--max-time $((TIMEOUT * 2)) \
|
|
"$url" 2>/dev/null || echo "000")
|
|
|
|
log_verbose "Response code: $http_code"
|
|
|
|
# 2xx = success
|
|
if [[ "$http_code" =~ ^2[0-9][0-9]$ ]]; then
|
|
log_success "ACCESSIBLE: $description (HTTP $http_code)"
|
|
return 0
|
|
else
|
|
log_warn "NOT ACCESSIBLE: $description (HTTP $http_code)"
|
|
return 1
|
|
fi
|
|
}
|
|
|
|
# Main test runner
|
|
run_tests() {
|
|
echo ""
|
|
echo "=============================================================================="
|
|
echo " VPN Access Control Verification"
|
|
echo "=============================================================================="
|
|
echo ""
|
|
|
|
# Check VPN status
|
|
local on_vpn
|
|
on_vpn=$(check_vpn_status)
|
|
|
|
if [[ "$on_vpn" == "true" ]]; then
|
|
log_warn "VPN is ACTIVE - public access tests may give false positives"
|
|
log_info "For accurate public access testing, disconnect VPN first"
|
|
echo ""
|
|
else
|
|
log_info "VPN is NOT active - testing public access"
|
|
echo ""
|
|
fi
|
|
|
|
# Section 1: VPN-only endpoints should be BLOCKED from public internet
|
|
echo "── VPN-Only Endpoints (should be BLOCKED without VPN) ──────────────────────"
|
|
echo ""
|
|
|
|
if [[ "$on_vpn" == "true" ]]; then
|
|
log_warn "Skipping public access tests - VPN is active"
|
|
log_info "These endpoints should be blocked when accessed WITHOUT VPN:"
|
|
for endpoint in "${VPN_ONLY_ENDPOINTS[@]}"; do
|
|
echo " - $endpoint"
|
|
done
|
|
echo ""
|
|
else
|
|
for endpoint in "${VPN_ONLY_ENDPOINTS[@]}"; do
|
|
test_endpoint_blocked "$endpoint" || true
|
|
done
|
|
echo ""
|
|
fi
|
|
|
|
# Section 2: Public endpoints should be accessible (control group)
|
|
echo "── Public Endpoints (control group - should be accessible) ─────────────────"
|
|
echo ""
|
|
|
|
for endpoint in "${PUBLIC_ENDPOINTS[@]}"; do
|
|
test_endpoint_accessible "$endpoint" || true
|
|
done
|
|
echo ""
|
|
|
|
# Section 3: If on VPN, test that VPN-only endpoints ARE accessible
|
|
if [[ "$on_vpn" == "true" ]]; then
|
|
echo "── VPN Access Test (should be accessible via VPN) ──────────────────────────"
|
|
echo ""
|
|
|
|
for endpoint in "${VPN_ONLY_ENDPOINTS[@]}"; do
|
|
test_endpoint_accessible "$endpoint" "VPN: $endpoint" || true
|
|
done
|
|
echo ""
|
|
fi
|
|
|
|
# Summary
|
|
echo "=============================================================================="
|
|
echo " Summary"
|
|
echo "=============================================================================="
|
|
echo ""
|
|
echo " Tests run: $TESTS_RUN"
|
|
echo " Failures: $FAILURES"
|
|
echo ""
|
|
|
|
if [[ $FAILURES -gt 0 ]]; then
|
|
log_fail "SECURITY ALERT: $FAILURES test(s) failed!"
|
|
echo ""
|
|
echo " VPN-only services may be publicly exposed!"
|
|
echo " Check nginx configuration and deploy fixes immediately."
|
|
echo ""
|
|
|
|
if $CI_MODE; then
|
|
exit 1
|
|
fi
|
|
return 1
|
|
else
|
|
log_success "All access control tests passed!"
|
|
echo ""
|
|
return 0
|
|
fi
|
|
}
|
|
|
|
# Run tests
|
|
run_tests
|