authorDaniil Baturin <daniil@vyos.io>2022-08-18 15:18:33 +0100
committerGitHub <noreply@github.com>2022-08-18 15:18:33 +0100
commitdc0e468046bef4aef3ee81eec23c3703e0b5da85 (patch)
tree375ae6f0a735436bd58643f6d1d74eeca88e7c21
parent4d845cc368220b509faa91e61260eab1b4c38517 (diff)
parent28936477c4f4c4633c9a384054c0a65090ece101 (diff)
Merge pull request #1470 from c-po/openconnect-T4614
ocserv: openconnect: T4614: add support for split-dns (equuleus)
-rw-r--r--data/templates/ocserv/ocserv_config.tmpl6
-rw-r--r--interface-definitions/vpn_openconnect.xml.in13
-rwxr-xr-xsmoketest/scripts/cli/test_vpn_openconnect.py72
-rwxr-xr-xsrc/conf_mode/vpn_openconnect.py6
4 files changed, 80 insertions, 17 deletions
diff --git a/data/templates/ocserv/ocserv_config.tmpl b/data/templates/ocserv/ocserv_config.tmpl
index 328af0c0d..8a394f0ac 100644
--- a/data/templates/ocserv/ocserv_config.tmpl
+++ b/data/templates/ocserv/ocserv_config.tmpl
@@ -70,6 +70,11 @@ ipv6-network = {{ network_settings.client_ipv6_pool.prefix }}
ipv6-subnet-prefix = {{ network_settings.client_ipv6_pool.mask }}
{% endif %}
{% endif %}
+{% if network_settings.split_dns is defined %}
+{% for tmp in network_settings.split_dns %}
+split-dns = {{ tmp }}
+{% endfor %}
+{% endif %}
{% endif %}
{% if network_settings.push_route is string %}
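Review bot: The new `{% for tmp in network_settings.split_dns %}` loop assumes split_dns always arrives as a list, while the push_route branch on the last context line of this hunk explicitly tests `is string` before looping; if a single configured domain reaches the template as a plain string, as that branch anticipates, the loop would emit one `split-dns =` line per character. Either guard it the same way, `{% if network_settings.split_dns is string %}split-dns = {{ network_settings.split_dns }}{% else %}` around the existing loop, or confirm that the conf_mode script converts multi-value nodes to lists before rendering. The `{% if %}` block the added lines sit in is opened above the hunk and closed by the `{% endif %}` context line after them.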
@@ -79,4 +84,3 @@ route = {{ network_settings.push_route }}
route = {{ route }}
{% endfor %}
{% endif %}
-
diff --git a/interface-definitions/vpn_openconnect.xml.in b/interface-definitions/vpn_openconnect.xml.in
index f35b1ebbd..888f32b99 100644
--- a/interface-definitions/vpn_openconnect.xml.in
+++ b/interface-definitions/vpn_openconnect.xml.in
@@ -191,6 +191,19 @@
</children>
</node>
#include <include/name-server-ipv4-ipv6.xml.i>
+ <leafNode name="split-dns">
+ <properties>
+ <help>Domains over which the provided DNS should be used</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>Client prefix length</description>
+ </valueHelp>
+ <constraint>
+ <validator name="fqdn"/>
+ </constraint>
+ <multi/>
+ </properties>
+ </leafNode>
</children>
</node>
</children>
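Review bot: The `<description>Client prefix length</description>` inside the new split-dns valueHelp looks like a copy-paste leftover from a prefix-length node and does not describe a txt-formatted domain; suggest `<description>Domain name the provided name servers are used for</description>`. The `fqdn` validator is what restricts each value to hostname characters before it is written unescaped into the ocserv config by the template, so that constraint should be kept when this node is touched again.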
diff --git a/smoketest/scripts/cli/test_vpn_openconnect.py b/smoketest/scripts/cli/test_vpn_openconnect.py
index ccac0820d..6db49abab 100755
--- a/smoketest/scripts/cli/test_vpn_openconnect.py
+++ b/smoketest/scripts/cli/test_vpn_openconnect.py
@@ -1,6 +1,6 @@
#!/usr/bin/env python3
#
-# Copyright (C) 2020 VyOS maintainers and contributors
+# Copyright (C) 2020-2022 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
@@ -19,36 +19,82 @@ import unittest
from base_vyostest_shim import VyOSUnitTestSHIM
from vyos.util import process_named_running
from vyos.util import cmd
+from vyos.util import read_file
from os import path, mkdir
-OCSERV_CONF = '/run/ocserv/ocserv.conf'
base_path = ['vpn', 'openconnect']
cert_dir = '/config/auth/'
ca_cert = f'{cert_dir}ca.crt'
ssl_cert = f'{cert_dir}server.crt'
ssl_key = f'{cert_dir}server.key'
-class TestVpnOpenconnect(VyOSUnitTestSHIM.TestCase):
+PROCESS_NAME = 'ocserv-main'
+config_file = '/run/ocserv/ocserv.conf'
+auth_file = '/run/ocserv/ocpasswd'
+otp_file = '/run/ocserv/users.oath'
+
+class TestVPNOpenConnect(VyOSUnitTestSHIM.TestCase):
+ @classmethod
+ def setUpClass(cls):
+ super(TestVPNOpenConnect, cls).setUpClass()
+
+ # ensure we can also run this test on a live system - so lets clean
+ # out the current configuration :)
+ cls.cli_delete(cls, base_path)
+
+ cls.cli_set(cls, base_path + ["ssl", "ca-cert-file", ca_cert])
+ cls.cli_set(cls, base_path + ["ssl", "cert-file", ssl_cert])
+ cls.cli_set(cls, base_path + ["ssl", "key-file", ssl_key])
+
def tearDown(self):
+ self.assertTrue(process_named_running(PROCESS_NAME))
+
# Delete vpn openconnect configuration
self.cli_delete(base_path)
self.cli_commit()
- def test_vpn(self):
+ self.assertFalse(process_named_running(PROCESS_NAME))
+
+ def test_ocserv(self):
user = 'vyos_user'
password = 'vyos_pass'
- self.cli_delete(base_path)
- self.cli_set(base_path + ["authentication", "local-users", "username", user, "password", password])
- self.cli_set(base_path + ["authentication", "mode", "local"])
- self.cli_set(base_path + ["network-settings", "client-ip-settings", "subnet", "192.0.2.0/24"])
- self.cli_set(base_path + ["ssl", "ca-cert-file", ca_cert])
- self.cli_set(base_path + ["ssl", "cert-file", ssl_cert])
- self.cli_set(base_path + ["ssl", "key-file", ssl_key])
+
+ v4_subnet = '192.0.2.0/24'
+ v6_prefix = '2001:db8:1000::/64'
+ v6_len = '126'
+ name_server = ['1.2.3.4', '1.2.3.5', '2001:db8::1']
+ split_dns = ['vyos.net', 'vyos.io']
+
+ self.cli_set(base_path + ['authentication', 'local-users', 'username', user, 'password', password])
+ self.cli_set(base_path + ['authentication', 'mode', "local"])
+ self.cli_set(base_path + ["network-settings", "client-ip-settings", "subnet", v4_subnet])
+ self.cli_set(base_path + ['network-settings', 'client-ip-settings', 'subnet', v4_subnet])
+ self.cli_set(base_path + ['network-settings', 'client-ipv6-pool', 'prefix', v6_prefix])
+ self.cli_set(base_path + ['network-settings', 'client-ipv6-pool', 'mask', v6_len])
+
+ for ns in name_server:
+ self.cli_set(base_path + ['network-settings', 'name-server', ns])
+ for domain in split_dns:
+ self.cli_set(base_path + ['network-settings', 'split-dns', domain])
self.cli_commit()
- # Check for running process
- self.assertTrue(process_named_running('ocserv-main'))
+ # Verify configuration
+ daemon_config = read_file(config_file)
+
+ # authentication mode local password-otp
+ self.assertIn(f'auth = "plain[/run/ocserv/ocpasswd]"', daemon_config)
+ self.assertIn(f'ipv4-network = {v4_subnet}', daemon_config)
+ self.assertIn(f'ipv6-network = {v6_prefix}', daemon_config)
+ self.assertIn(f'ipv6-subnet-prefix = {v6_len}', daemon_config)
+
+ for ns in name_server:
+ self.assertIn(f'dns = {ns}', daemon_config)
+ for domain in split_dns:
+ self.assertIn(f'split-dns = {domain}', daemon_config)
+
+ auth_config = read_file(auth_file)
+ self.assertIn(f'{user}:*:$', auth_config)
if __name__ == '__main__':
if not path.exists(cert_dir):
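Review bot: The client subnet is set twice in test_ocserv, once with double quotes and once with single quotes (`self.cli_set(base_path + ["network-settings", "client-ip-settings", "subnet", v4_subnet])` immediately followed by the same call); one of them should go. The `auth = "plain[/run/ocserv/ocpasswd]"` assertion is an f-string with no placeholder and repeats the path already held in `auth_file`, so `self.assertIn(f'auth = "plain[{auth_file}]"', daemon_config)` keeps the two in step. The comment `# authentication mode local password-otp` above it does not match the plain `mode local` the test configures, and `otp_file` is introduced but not referenced anywhere in this hunk. The `if __name__ == '__main__':` block at the end continues past the hunk.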
diff --git a/src/conf_mode/vpn_openconnect.py b/src/conf_mode/vpn_openconnect.py
index 00b96884b..f24d5b618 100755
--- a/src/conf_mode/vpn_openconnect.py
+++ b/src/conf_mode/vpn_openconnect.py
@@ -1,6 +1,6 @@
#!/usr/bin/env python3
#
-# Copyright (C) 2018-2020 VyOS maintainers and contributors
+# Copyright (C) 2018-2022 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
@@ -61,8 +61,8 @@ def verify(ocserv):
if "authentication" in ocserv:
if "mode" in ocserv["authentication"]:
if "local" in ocserv["authentication"]["mode"]:
- if not ocserv["authentication"]["local_users"] or not ocserv["authentication"]["local_users"]["username"]:
- raise ConfigError('openconnect mode local required at leat one user')
+ if 'local_users' not in ocserv["authentication"] or 'username' not in ocserv["authentication"]["local_users"]:
+ raise ConfigError('openconnect mode local requires at leat one user')
else:
for user in ocserv["authentication"]["local_users"]["username"]:
if not "password" in ocserv["authentication"]["local_users"]["username"][user]:
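Review bot: The rewritten error message on the new raise line still carries the typo "leat"; `raise ConfigError('openconnect mode local requires at least one user')`. The switch to membership tests does remove the KeyError the old `ocserv["authentication"]["local_users"]` lookup raised when no local users were configured, and the `else:` branch that indexes `["username"][user]` is now only reached when both keys exist. verify() starts before the hunk and its body continues after it.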