mirror of https://github.com/trailofbits/algo.git synced 2025-09-23 04:13:20 +02:00

History

Dan Guido a6852f3ca6 Refactor StrongSwan PKI with comprehensive security enhancements and hybrid testing ## StrongSwan PKI Modernization - Migrated from shell-based OpenSSL commands to Ansible community.crypto modules - Simplified complex Jinja2 templates while preserving all security properties - Added clear, concise comments explaining security rationale and Apple compatibility ## Enhanced Security Implementation (Issues #75, #153) - Name constraints: CA certificates restricted to specific IP/email domains - EKU role separation: Server certs (serverAuth only) vs client certs (clientAuth only) - Domain exclusions: Blocks public domains (.com, .org, etc.) and private IP ranges - Apple compatibility: SAN extensions and PKCS#12 compatibility2022 encryption - Certificate revocation: Automated CRL generation for removed users ## Comprehensive Test Suite - Hybrid testing: Validates real certificates when available, config validation for CI - Security validation: Verifies name constraints, EKU restrictions, role separation - Apple compatibility: Tests SAN extensions and PKCS#12 format compliance - Certificate chain: Validates CA signing and certificate validity periods - CI-compatible: No deployment required, tests Ansible configuration directly ## Configuration Updates - Updated CLAUDE.md: Ansible version rationale (stay current for security/performance) - Streamlined comments: Removed duplicative explanations while preserving technical context - Maintained all Issue #75/#153 security enhancements with modern Ansible approach 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>		2025-08-04 22:06:58 -07:00
..
fixtures	feat: Add comprehensive performance optimizations to reduce deployment time by 30-60%	2025-08-03 16:42:17 -07:00
integration	feat: Add comprehensive performance optimizations to reduce deployment time by 30-60%	2025-08-03 16:42:17 -07:00
legacy-lxd	Optimize GitHub Actions workflows for security and performance (#14769 )	2025-08-02 23:31:54 -04:00
unit	Refactor StrongSwan PKI with comprehensive security enhancements and hybrid testing	2025-08-04 22:06:58 -07:00
README.md	Optimize GitHub Actions workflows for security and performance (#14769 )	2025-08-02 23:31:54 -04:00
test-aws-credentials.yml	feat: Add comprehensive performance optimizations to reduce deployment time by 30-60%	2025-08-03 16:42:17 -07:00
test-local-config.sh	Optimize GitHub Actions workflows for security and performance (#14769 )	2025-08-02 23:31:54 -04:00
test-wireguard-async.yml	Fix IPv6 address selection on BSD systems (#14786 )	2025-08-03 17:15:27 -07:00
test-wireguard-fix.yml	Fix IPv6 address selection on BSD systems (#14786 )	2025-08-03 17:15:27 -07:00
test-wireguard-real-async.yml	Fix IPv6 address selection on BSD systems (#14786 )	2025-08-03 17:15:27 -07:00
test_bsd_ipv6.yml	Fix IPv6 address selection on BSD systems (#14786 )	2025-08-03 17:15:27 -07:00
test_cloud_init_template.py	feat: Add comprehensive performance optimizations to reduce deployment time by 30-60%	2025-08-03 16:42:17 -07:00
test_package_preinstall.py	feat: Add comprehensive performance optimizations to reduce deployment time by 30-60%	2025-08-03 16:42:17 -07:00

README.md

Algo VPN Test Suite

Current Test Coverage

What We Test Now

Basic Sanity (test_basic_sanity.py)
- Python version >= 3.10
- requirements.txt exists
- config.cfg is valid YAML
- Ansible playbook syntax
- Shell scripts pass shellcheck
- Dockerfile exists and is valid
Docker Build (test_docker_build.py)
- Docker image builds successfully
- Container can start
- Ansible is available in container
Configuration Generation (test-local-config.sh)
- Ansible templates render without errors
- Basic configuration can be generated
Config Validation (test_config_validation.py)
- WireGuard config format validation
- Base64 key format checking
- IP address and CIDR notation
- Mobile config XML validation
- Port range validation
Certificate Validation (test_certificate_validation.py)
- OpenSSL availability
- Certificate subject formats
- Key file permissions (600)
- Password complexity
- IPsec cipher suite security
User Management (test_user_management.py) - Addresses #14745, #14746, #14738, #14726
- User list parsing from config
- Server selection string parsing
- SSH key preservation
- CA password handling
- User config path generation
- Duplicate user detection
OpenSSL Compatibility (test_openssl_compatibility.py) - Addresses #14755, #14718
- OpenSSL version detection
- Legacy flag support detection
- Apple device key format compatibility
- Certificate generation compatibility
- PKCS#12 export for mobile devices
Cloud Provider Configs (test_cloud_provider_configs.py) - Addresses #14752, #14730, #14762
- Cloud provider configuration validation
- Hetzner server type updates (cx11 → cx22)
- Azure dependency compatibility
- Region format validation
- Server size naming conventions
- OS image naming validation

What We DON'T Test Yet

1. VPN Functionality

WireGuard configuration validation
- Private/public key generation
- Client config file format
- QR code generation
- Mobile config profiles
IPsec configuration validation
- Certificate generation and validation
- StrongSwan config format
- Apple profile generation
SSH tunnel configuration
- Key generation
- SSH config file format

2. Cloud Provider Integrations

DigitalOcean API interactions
AWS EC2/Lightsail deployments
Azure deployments
Google Cloud deployments
Other providers (Vultr, Hetzner, etc.)

3. User Management

Adding new users
Removing users
Updating user configurations

4. Advanced Features

DNS ad-blocking configuration
On-demand VPN settings
MTU calculations
IPv6 configuration

5. Security Validations

Certificate constraints
Key permissions
Password generation
Firewall rules

Potential Improvements

Short Term (Easy Wins)

Add job names to fix zizmor warnings

Test configuration file generation without deployment:

def test_wireguard_config_format():
    # Generate a test config
    # Validate it has required sections
    # Check key format with regex

Test user management scripts in isolation:

# Test that update-users generates valid YAML
./algo update-users --dry-run

Add XML validation for mobile configs:

xmllint --noout generated_configs/*.mobileconfig

Medium Term

Mock cloud provider APIs to test deployment logic
Container-based integration tests using Docker Compose
Test certificate generation without full deployment
Validate generated configs against schemas

Long Term

End-to-end tests with actual VPN connections (using network namespaces)
Performance testing for large user counts
Upgrade path testing (old configs → new configs)
Multi-platform client testing

Security Improvements (from zizmor)

Current status: ✅ No security issues found

Recommendations:

Add explicit job names for better workflow clarity
Consider pinning Ubuntu runner versions to specific releases
Add GITHUB_TOKEN with minimal permissions when needed for API checks

Test Philosophy

Our approach focuses on:

Fast feedback - Tests run in < 3 minutes
No flaky tests - Avoid complex networking setups
Test what matters - Config generation, not VPN protocols
Progressive enhancement - Start simple, add coverage gradually