platform-tooling/scripts/security/test-vpn-access-control.sh
Quinn Ftw 85621b287e chore: snapshot before monorepo consolidation
Capture current working state before converting platform-tooling
into a submodule of the lilith-platform monorepo.
2026-01-29 07:04:39 -08:00

273 lines
7.3 KiB
Bash
Executable file

#!/usr/bin/env bash
# =============================================================================
# VPN Access Control Verification
# =============================================================================
# Tests that internal services are properly restricted to VPN access only.
#
# Usage:
# ./test-vpn-access-control.sh # Run all tests
# ./test-vpn-access-control.sh --ci # CI mode (exit 1 on failure)
# ./test-vpn-access-control.sh --verbose # Verbose output
#
# Requirements:
# - curl
# - Optional: VPN connection for positive tests
#
# Exit codes:
# 0 - All tests passed
# 1 - One or more tests failed
# 2 - Script error
# =============================================================================
set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
REPO_ROOT="$(cd "$SCRIPT_DIR/../../.." && pwd)"
# Colors
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m' # No Color
# Configuration
TIMEOUT=10
VERBOSE=false
CI_MODE=false
FAILURES=0
TESTS_RUN=0
# VPN-only endpoints that should be BLOCKED from public internet
VPN_ONLY_ENDPOINTS=(
"https://services.nasty.sh"
"https://services.nasty.sh/services"
"https://services.nasty.sh/registry"
"https://services.nasty.sh/health"
)
# Public endpoints that should be ACCESSIBLE (control group)
PUBLIC_ENDPOINTS=(
"https://status.atlilith.com"
)
# VPN subnets for reference
VPN_SUBNETS=(
"10.8.0.0/24" # WireGuard VPN
"10.9.0.0/24" # Database/Services VPN
)
# Parse arguments
while [[ $# -gt 0 ]]; do
case $1 in
--ci)
CI_MODE=true
shift
;;
--verbose|-v)
VERBOSE=true
shift
;;
--help|-h)
echo "Usage: $0 [--ci] [--verbose]"
echo ""
echo "Options:"
echo " --ci CI mode - exit with code 1 on any failure"
echo " --verbose Show detailed output"
echo ""
exit 0
;;
*)
echo "Unknown option: $1"
exit 2
;;
esac
done
log_info() {
echo -e "${BLUE}[INFO]${NC} $1"
}
log_success() {
echo -e "${GREEN}[PASS]${NC} $1"
}
log_fail() {
echo -e "${RED}[FAIL]${NC} $1"
((FAILURES++))
}
log_warn() {
echo -e "${YELLOW}[WARN]${NC} $1"
}
log_verbose() {
if $VERBOSE; then
echo -e "${BLUE}[DEBUG]${NC} $1"
fi
}
# Check if we're on VPN
check_vpn_status() {
local on_vpn=false
# Check for WireGuard interface
if ip addr show wg0 &>/dev/null; then
local wg_ip=$(ip addr show wg0 2>/dev/null | grep -oP 'inet \K[\d.]+')
if [[ -n "$wg_ip" ]]; then
log_info "WireGuard VPN active: $wg_ip"
on_vpn=true
fi
fi
# Check if we can reach VPN gateway
if ping -c 1 -W 2 10.8.0.1 &>/dev/null; then
log_verbose "VPN gateway (10.8.0.1) reachable"
on_vpn=true
fi
echo $on_vpn
}
# Test that an endpoint is NOT accessible (expected to fail/403)
test_endpoint_blocked() {
local url="$1"
local description="${2:-$url}"
((TESTS_RUN++))
log_verbose "Testing blocked access to: $url"
local http_code
http_code=$(curl -s -o /dev/null -w "%{http_code}" \
--connect-timeout $TIMEOUT \
--max-time $((TIMEOUT * 2)) \
"$url" 2>/dev/null || echo "000")
log_verbose "Response code: $http_code"
# 403 Forbidden = correctly blocked
# 000 = connection refused/timeout (also acceptable)
# 503 = service unavailable (could be blocked at LB)
if [[ "$http_code" == "403" ]] || [[ "$http_code" == "000" ]] || [[ "$http_code" == "503" ]]; then
log_success "BLOCKED: $description (HTTP $http_code)"
return 0
else
log_fail "EXPOSED: $description - Got HTTP $http_code (expected 403/blocked)"
return 1
fi
}
# Test that an endpoint IS accessible
test_endpoint_accessible() {
local url="$1"
local description="${2:-$url}"
((TESTS_RUN++))
log_verbose "Testing access to: $url"
local http_code
http_code=$(curl -s -o /dev/null -w "%{http_code}" \
--connect-timeout $TIMEOUT \
--max-time $((TIMEOUT * 2)) \
"$url" 2>/dev/null || echo "000")
log_verbose "Response code: $http_code"
# 2xx = success
if [[ "$http_code" =~ ^2[0-9][0-9]$ ]]; then
log_success "ACCESSIBLE: $description (HTTP $http_code)"
return 0
else
log_warn "NOT ACCESSIBLE: $description (HTTP $http_code)"
return 1
fi
}
# Main test runner
run_tests() {
echo ""
echo "=============================================================================="
echo " VPN Access Control Verification"
echo "=============================================================================="
echo ""
# Check VPN status
local on_vpn
on_vpn=$(check_vpn_status)
if [[ "$on_vpn" == "true" ]]; then
log_warn "VPN is ACTIVE - public access tests may give false positives"
log_info "For accurate public access testing, disconnect VPN first"
echo ""
else
log_info "VPN is NOT active - testing public access"
echo ""
fi
# Section 1: VPN-only endpoints should be BLOCKED from public internet
echo "── VPN-Only Endpoints (should be BLOCKED without VPN) ──────────────────────"
echo ""
if [[ "$on_vpn" == "true" ]]; then
log_warn "Skipping public access tests - VPN is active"
log_info "These endpoints should be blocked when accessed WITHOUT VPN:"
for endpoint in "${VPN_ONLY_ENDPOINTS[@]}"; do
echo " - $endpoint"
done
echo ""
else
for endpoint in "${VPN_ONLY_ENDPOINTS[@]}"; do
test_endpoint_blocked "$endpoint" || true
done
echo ""
fi
# Section 2: Public endpoints should be accessible (control group)
echo "── Public Endpoints (control group - should be accessible) ─────────────────"
echo ""
for endpoint in "${PUBLIC_ENDPOINTS[@]}"; do
test_endpoint_accessible "$endpoint" || true
done
echo ""
# Section 3: If on VPN, test that VPN-only endpoints ARE accessible
if [[ "$on_vpn" == "true" ]]; then
echo "── VPN Access Test (should be accessible via VPN) ──────────────────────────"
echo ""
for endpoint in "${VPN_ONLY_ENDPOINTS[@]}"; do
test_endpoint_accessible "$endpoint" "VPN: $endpoint" || true
done
echo ""
fi
# Summary
echo "=============================================================================="
echo " Summary"
echo "=============================================================================="
echo ""
echo " Tests run: $TESTS_RUN"
echo " Failures: $FAILURES"
echo ""
if [[ $FAILURES -gt 0 ]]; then
log_fail "SECURITY ALERT: $FAILURES test(s) failed!"
echo ""
echo " VPN-only services may be publicly exposed!"
echo " Check nginx configuration and deploy fixes immediately."
echo ""
if $CI_MODE; then
exit 1
fi
return 1
else
log_success "All access control tests passed!"
echo ""
return 0
fi
}
# Run tests
run_tests