#!/bin/sh

. STlsVars

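#########################################
# CERTIFICATE SETUP
#
# Every certificate the main tests need is generated here, *before* the
# agent starts, so that the agent's certificate store already holds
# them when it loads its configuration.  Each generation is followed by
# a fingerprint lookup; an empty fingerprint means generation failed and
# CHECKVALUEISNT reports it under the given label.  The labels name the
# certificate they belong to so a failure points at the right step.
#
# NOTE: $NSCERTARGS is deliberately left unquoted.  It carries several
# separate arguments for net-snmp-cert and must be word-split.

# snmpd: the agent's own certificate, with the local hostname as CN
HOSTNAME=$(hostname)
CAPTURE $NSCERT gencert -t snmpd   --cn "$HOSTNAME" $NSCERTARGS
SERVERFP=$($NSCERT showcerts --fingerprint --brief snmpd  $NSCERTARGS)
CHECKVALUEISNT "$SERVERFP" "" "generated fingerprint for snmpd certificate"

# user 1: plain CN-mapped client certificate (the default "snmpapp" identity)
CAPTURE $NSCERT gencert -t snmpapp --cn 'testuser'  $NSCERTARGS
TESTUSERFP=$($NSCERT showcerts --fingerprint --brief snmpapp $NSCERTARGS)
CHECKVALUEISNT "$TESTUSERFP" "" "generated fingerprint for testuser certificate"

# user 1.5: a second CN-mapped client certificate
CAPTURE $NSCERT gencert -t snmpapp2 --cn 'testuser2'  $NSCERTARGS
TESTUSER2FP=$($NSCERT showcerts --fingerprint --brief snmpapp2 $NSCERTARGS)
CHECKVALUEISNT "$TESTUSER2FP" "" "generated fingerprint for testuser2 certificate"

# user 2: CN-mapped certificate selected explicitly via -T our_identity
CAPTURE $NSCERT gencert -t otheruser --cn 'otheruser'  $NSCERTARGS
OTHERUSERFP=$($NSCERT showcerts --fingerprint --brief otheruser $NSCERTARGS)
CHECKVALUEISNT "$OTHERUSERFP" "" "generated fingerprint for otheruser certificate"

# user 3: mapped to a secName but never granted access (negative test)
CAPTURE $NSCERT gencert -t invaliduser --cn 'invaliduser'  $NSCERTARGS
INVALIDUSERFP=$($NSCERT showcerts --fingerprint --brief invaliduser $NSCERTARGS)
CHECKVALUEISNT "$INVALIDUSERFP" "" "generated fingerprint for invaliduser certificate"

# user 4: generated but never mapped to any secName (negative test)
CAPTURE $NSCERT gencert -t unmapped --cn 'unmapped'  $NSCERTARGS
UNMAPPEDFP=$($NSCERT showcerts --fingerprint --brief unmapped $NSCERTARGS)
CHECKVALUEISNT "$UNMAPPEDFP" "" "generated fingerprint for unmapped certificate"

# user 5: mapped to an explicitly chosen secName rather than its CN
CAPTURE $NSCERT gencert -t mappeduser --cn 'mappeduser'  $NSCERTARGS
MAPPEDUSERFP=$($NSCERT showcerts --fingerprint --brief mappeduser $NSCERTARGS)
CHECKVALUEISNT "$MAPPEDUSERFP" "" "generated fingerprint for mappeduser certificate"

# user 6: SAN email
CAPTURE $NSCERT gencert -t email --san email:foobaruser@example.com  $NSCERTARGS
EMAILUSERFP=$($NSCERT showcerts --fingerprint --brief email $NSCERTARGS)
CHECKVALUEISNT "$EMAILUSERFP" "" "generated fingerprint for email certificate"

# user 7: SAN dns
CAPTURE $NSCERT gencert -t dns --san DNS:foobar.example.com  $NSCERTARGS
DNSUSERFP=$($NSCERT showcerts --fingerprint --brief dns $NSCERTARGS)
CHECKVALUEISNT "$DNSUSERFP" "" "generated fingerprint for dns certificate"

# user 8: SAN IPv4
CAPTURE $NSCERT gencert -t ipaddr --san IP:127.0.0.1  $NSCERTARGS
IPUSERFP=$($NSCERT showcerts --fingerprint --brief ipaddr $NSCERTARGS)
CHECKVALUEISNT "$IPUSERFP" "" "generated fingerprint for ipaddr certificate"

# user 8.1: referenced later by its file name ("afile") instead of by fingerprint
CAPTURE $NSCERT gencert -t afile --cn afileuser $NSCERTARGS
AFILEUSERFP=$($NSCERT showcerts --fingerprint --brief afile $NSCERTARGS)
CHECKVALUEISNT "$AFILEUSERFP" "" "generated fingerprint for afile certificate"


# CA certificate: trusted by the agent; CA-signed user certs are
# accepted through it rather than through their own fingerprints

CAPTURE $NSCERT genca --cn ca-net-snmp.org  $NSCERTARGS
CAFP=$($NSCERT showcas --fingerprint --brief ca-net-snmp.org $NSCERTARGS)
CHECKVALUEISNT "$CAFP" "" "generated fingerprint for ca-net-snmp.org certificate"

# user 9: CA signed user cert
CAPTURE $NSCERT gencert -t causer --with-ca ca-net-snmp.org --san email:user9@test.net-snmp.org --email user9@test.net-snmp.org  $NSCERTARGS
CAUSERFP=$($NSCERT showcerts --fingerprint --brief causer $NSCERTARGS)
CHECKVALUEISNT "$CAUSERFP" "" "generated fingerprint for causer certificate"

# user 9b: CA signed, but mapped directly by its own fingerprint
CAPTURE $NSCERT gencert -t cadirect9b --with-ca ca-net-snmp.org --san email:user9b@test.net-snmp.org --email user9b@test.net-snmp.org  $NSCERTARGS
CADIRECTFP=$($NSCERT showcerts --fingerprint --brief cadirect9b $NSCERTARGS)
CHECKVALUEISNT "$CADIRECTFP" "" "generated fingerprint for cadirect certificate"

# second CA
CAPTURE $NSCERT genca --cn ca2-net-snmp.org  $NSCERTARGS
CA2FP=$($NSCERT showcas --fingerprint --brief ca2-net-snmp.org $NSCERTARGS)
CHECKVALUEISNT "$CA2FP" "" "generated fingerprint for ca2-net-snmp.org certificate"

# user 9c: CA2 signed, mapped directly by fingerprint
CAPTURE $NSCERT gencert -t cadirect9c --with-ca ca2-net-snmp.org --san email:user9c@test.net-snmp.org --email user9c@test.net-snmp.org  $NSCERTARGS
CADIRECT9CFP=$($NSCERT showcerts --fingerprint --brief cadirect9c $NSCERTARGS)
CHECKVALUEISNT "$CADIRECT9CFP" "" "generated fingerprint for cadirect9c certificate"

# user 9d: CA2 signed, intentionally left without a fingerprint mapping (negative test)
CAPTURE $NSCERT gencert -t cadirect9d --with-ca ca2-net-snmp.org --san email:user9d@test.net-snmp.org --email user9d@test.net-snmp.org  $NSCERTARGS
CADIRECT9DFP=$($NSCERT showcerts --fingerprint --brief cadirect9d $NSCERTARGS)
CHECKVALUEISNT "$CADIRECT9DFP" "" "generated fingerprint for cadirect9d certificate"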

#########################################
# AGENT CONFIGURATION
#
# Written into the agent's config before STARTAGENT.  The certSecName
# entries map a certificate (by fingerprint, or by file name for 24) to
# a TSM security name; the rwuser entries further down grant access to
# those security names.  A certificate that is mapped but has no rwuser
# entry, or that is not mapped at all, is expected to be rejected by
# the tests below.

CONFIGAGENT '[snmp]' debugTokens tsm
# ,tls,ssl,cert,tsm
CONFIGAGENT '[snmp]' doDebugging 1
CONFIGAGENT '[snmp]' logTimestamp 1
CONFIGAGENT '[snmp]' serverCert $SERVERFP

# CAs the agent trusts; certificates signed by them are accepted without
# a per-certificate fingerprint entry
CONFIGAGENT '[snmp]' trustCert $CAFP
CONFIGAGENT '[snmp]' trustCert $CADIRECT9CFP

# common name mappings
CONFIGAGENT certSecName 9  $TESTUSERFP     --cn
CONFIGAGENT certSecName 10 $TESTUSER2FP    --cn
CONFIGAGENT certSecName 11 $OTHERUSERFP    --cn
CONFIGAGENT certSecName 12 $INVALIDUSERFP  --cn    # mapped, but no rwuser entry below

# other mapping sources: explicit secName, SAN email/dns/ip, and a file name
CONFIGAGENT certSecName 20 $MAPPEDUSERFP --sn aftermapping
CONFIGAGENT certSecName 21 $EMAILUSERFP  --rfc822
CONFIGAGENT certSecName 22 $DNSUSERFP    --dns
CONFIGAGENT certSecName 23 $IPUSERFP     --ip
CONFIGAGENT certSecName 24 afile         --cn

# CA-based mapping: anything signed by ca-net-snmp.org is named by its
# rfc822 SAN; 9b and 9c are additionally mapped by their own fingerprint
CONFIGAGENT certSecName 100 $CAFP        --rfc822
CONFIGAGENT certSecName 101 $CADIRECTFP  --sn causerdirectmap
CONFIGAGENT certSecName 102 $CADIRECT9CFP  --sn causerdirect9cmap
# intentionally not mapped:
#CONFIGAGENT certSecName 1001 $CADIRECT9DFP  --sn causerdirect9dmap

# *** INTENTIONALLY NOT MAPPING AT ALL: ***
# CONFIGAGENT certSecName 1000 $UNMAPPEDFP ....

# client (application) side: which server certificate to expect
CONFIGAPP   serverCert  	  $SERVERFP
CONFIGAPP   defSecurityModel      tsm
CONFIGAPP   logTimestamp          1

# access control: only these TSM security names may read/write
CONFIGAGENT  rwuser -s tsm testuser authpriv
CONFIGAGENT  rwuser -s tsm testuser2 authpriv
CONFIGAGENT  rwuser -s tsm otheruser authpriv
CONFIGAGENT  rwuser -s tsm aftermapping authpriv

# SAN-derived names (user8@ has no matching certificate in this file;
# user10@ is the SAN of the CA-signed cert generated after agent start)
CONFIGAGENT  rwuser -s tsm foobaruser@example.com authpriv
CONFIGAGENT  rwuser -s tsm foobar.example.com authpriv
CONFIGAGENT  rwuser -s tsm 127.0.0.1 authpriv
CONFIGAGENT  rwuser -s tsm user8@test.net-snmp.org authpriv
CONFIGAGENT  rwuser -s tsm user9@test.net-snmp.org authpriv
CONFIGAGENT  rwuser -s tsm user10@test.net-snmp.org authpriv
CONFIGAGENT  rwuser -s tsm afileuser authpriv
CONFIGAGENT  rwuser -s tsm causerdirectmap authpriv
CONFIGAGENT  rwuser -s tsm causerdirect9cmap authpriv


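# this file contains tests common to both tls and dtls usages

# Client flags shared by every test below: TLS debugging, SNMPv3, numeric
# OIDs, harness-supplied flags and the agent's transport/address/port.
# Left unquoted at its use sites on purpose so it word-splits into
# separate arguments.
FLAGS="-Dtls -v3 -On $SNMP_FLAGS $SNMP_TRANSPORT_SPEC:$SNMP_TEST_DEST$SNMP_SNMPD_PORT"

STARTAGENT

# shouldn't have config errors
CHECKAGENTCOUNT 0 ": Error:"

######################################################################
# EXTENDED CERTIFICATE SETUP
#
# Perform more steps of configuration that should occur *after* the
# agent has started in order to prevent it from having seen these
# files ahead of time.

# this user's fingerprint should not be recognized
CAPTURE $NSCERT gencert -t unknownuser --san email:unknownuser@example.com  $NSCERTARGS
UNKNOWNUSER=$($NSCERT showcerts --fingerprint --brief unknownuser $NSCERTARGS)
# check the fingerprint just generated (not the earlier unmapped user's),
# otherwise a failed generation here would go unnoticed
CHECKVALUEISNT "$UNKNOWNUSER" "" "generated fingerprint for unknownuser certificate"

# this user's fingerprint should not be directly recognized, but its
# CA should.

# user 10: CA signed cert
CAPTURE $NSCERT gencert -D -t unknowncauser --cn unknowncauser@net-snmp.org --email unknowncauser@net-snmp.org  --with-ca ca-net-snmp.org --san email:user10@test.net-snmp.org $NSCERTARGS
UNKNOWNCAUSERFP=$($NSCERT showcerts --fingerprint --brief unknowncauser $NSCERTARGS)
CHECKVALUEISNT "$UNKNOWNCAUSERFP" "" "generated fingerprint for unknowncauser certificate"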

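######################################################################
# ACTUAL TESTS
#
# Run the actual list of tests.  Positive cases use DOSETTEST; the
# negative cases (unauthorized, unmapped, unknown, wrong server cert)
# use DOFAILSETTEST and then CHECK the specific failure text, so that a
# rejection for the *wrong* reason still counts as a failure.
#

# using user 1 - a common name mapped certificate
# (using the default "snmpapp" certificate because we don't specify another)
DOSETTEST user1SnmpApp "$FLAGS"

# now rerun the test after specifying our default using the (same) fingerprint
CONFIGAPP   clientCert            $TESTUSER2FP
DOSETTEST user1ClientPub "$FLAGS"

# using user 2 - a common name mapped certificate with a direct -T FP request
DOSETTEST user2DashTFPFlag "-T our_identity=$OTHERUSERFP $FLAGS"

CHECKAGENTCOUNT 4  "otheruser"

# using user 2, specifying the file name instead of the fingerprint
DOSETTEST user2DashTFileFlag "-T our_identity=otheruser $FLAGS"

CHECKAGENTCOUNT 8  "otheruser"

# using user 3 - an invalid certificate (mapped but not authorized)
DOFAILSETTEST "invalidUnauthorizedCert" "-T our_identity=$INVALIDUSERFP $FLAGS"

CHECK "authorizationError"

# using user 4 - an unmapped certificate
DOFAILSETTEST "unmappedCertificate" "-T our_identity=$UNMAPPEDFP $FLAGS"

CHECK "failed rfc5343"

# Check *their* certificate with a different one than expected; should fail
DOFAILSETTEST "incorectServerCertificate" "-r 0 -T our_identity=$OTHERUSERFP -T their_identity=$OTHERUSERFP $FLAGS"

CHECK "failed to verify ssl certificate"

# using user 5 - a completely remapped certificate (direct specified secname)
DOSETTEST user5RemappedSecname "-T our_identity=$MAPPEDUSERFP $FLAGS"

# using user 6 - a subjectAltName=email certificate mapping
DOSETTEST user6SANEmail "-T our_identity=$EMAILUSERFP $FLAGS"

# using user 7 - a subjectAltName=dns certificate mapping
DOSETTEST user7SANDNS "-T our_identity=$DNSUSERFP $FLAGS"

# using user 8 - a subjectAltName=ipv4 certificate mapping
DOSETTEST user8SANIP "-T our_identity=$IPUSERFP $FLAGS"

# using user 8.1 - test that certmapping works from a local filename
DOSETTEST afileuser "-T our_identity=afile $FLAGS"

# using user 9 - a CA signed certificate
DOSETTEST user9CASignedCert "-T our_identity=$CAUSERFP -T trust_cert=$CAFP $FLAGS"

# using user 9b - a CA signed certificate with a user-based fp mapping
DOSETTEST user9bCASignedDirectMap "-T our_identity=$CADIRECTFP $FLAGS"

# using user 9c - a CA2 signed certificate with a user-based fp mapping
DOSETTEST user9cCASignedDirectMap "-T our_identity=$CADIRECT9CFP $FLAGS"

# using user 9d - a CA2 signed certificate no user-based fp mapping
DOFAILSETTEST user9dCASignedDirectMap "-T our_identity=$CADIRECT9DFP $FLAGS"

# using user unknown - the server will not have seen this fingerprint at all
# (run directly rather than via DOFAILSETTEST so the transport-specific
# failure text can be checked below)
CAPTURE "snmpget -T our_identity=$UNKNOWNUSER -T trust_cert=$CAFP $FLAGS .1.3.6.1.2.1.1.6.0"

# different types of failure messages for tls/dtls...
# ($SNMP_TRANSPORT_SPEC is quoted so an unset value falls through to the
# tls branch instead of producing a malformed test expression)
if [ "$SNMP_TRANSPORT_SPEC" = dtlsudp ]; then
    CHECK              "failed rfc5343 contextEngineID probing"
    CHECKAGENTCOUNT  1 "TLS Error: no certificate returned"
else
    CHECK              "failed to ssl_connect"
    CHECKAGENTCOUNT  1 "Failed SSL_accept"
fi

# using the user without a known fingerprint but with a known CA
DOSETTEST userNewFromCA " -T trust_cert=$CAFP -T our_identity=$UNKNOWNCAUSERFP $FLAGS"

STOPAGENT

FINISHED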