Merge pull request #1548 from c-po/t4702-equuleus-wireguard

wireguard: T4702: actively revoke peer if it gets disabled
author: Christian Poessinger <christian@poessinger.com> 2022-10-03 14:00:29 +0200
committer: GitHub <noreply@github.com> 2022-10-03 14:00:29 +0200
commit: 8560c1cc38f9104fe0d12fe72e0312c52afa9c08 (patch)
tree: 4c83f1bd8c8b38ba81076134ef08fc1af8d42c0d /python
parent: 180a1b0a79de67aa352b31ee7f06273c8e34d497 (diff)
parent: 99b63a1eb5a4441aba4bd0c8908007450ceb7d1c (diff)
download: vyos-1x-8560c1cc38f9104fe0d12fe72e0312c52afa9c08.tar.gz
vyos-1x-8560c1cc38f9104fe0d12fe72e0312c52afa9c08.zip
1 files changed, 43 insertions, 42 deletions
diff --git a/python/vyos/ifconfig/wireguard.py b/python/vyos/ifconfig/wireguard.py
index de1b56ce5..200beb123 100644
--- a/python/vyos/ifconfig/wireguard.py
+++ b/python/vyos/ifconfig/wireguard.py
@@ -171,12 +171,8 @@ class WireGuardIf(Interface):
 
         # remove no longer associated peers first
         if 'peer_remove' in config:
-            for tmp in config['peer_remove']:
-                peer = config['peer_remove'][tmp]
-                peer['ifname'] = config['ifname']
-
-                cmd = 'wg set {ifname} peer {pubkey} remove'
-                self._cmd(cmd.format(**peer))
+            for peer, public_key in config['peer_remove'].items():
+                self._cmd(f'wg set {self.ifname} peer {public_key} remove')
 
         # Wireguard base command is identical for every peer
         base_cmd  = 'wg set {ifname} private-key {private_key}'
@@ -187,44 +183,49 @@ class WireGuardIf(Interface):
 
         base_cmd = base_cmd.format(**config)
 
-        for tmp in config['peer']:
-            peer = config['peer'][tmp]
-
-            # start of with a fresh 'wg' command
-            cmd = base_cmd + ' peer {pubkey}'
-
-            # If no PSK is given remove it by using /dev/null - passing keys via
-            # the shell (usually bash) is considered insecure, thus we use a file
-            no_psk_file = '/dev/null'
-            psk_file = no_psk_file
-            if 'preshared_key' in peer:
-                psk_file = '/tmp/tmp.wireguard.psk'
-                with open(psk_file, 'w') as f:
-                    f.write(peer['preshared_key'])
-            cmd += f' preshared-key {psk_file}'
-
-            # Persistent keepalive is optional
-            if 'persistent_keepalive'in peer:
-                cmd += ' persistent-keepalive {persistent_keepalive}'
-
-            # Multiple allowed-ip ranges can be defined - ensure we are always
-            # dealing with a list
-            if isinstance(peer['allowed_ips'], str):
-                peer['allowed_ips'] = [peer['allowed_ips']]
-            cmd += ' allowed-ips ' + ','.join(peer['allowed_ips'])
-
-            # Endpoint configuration is optional
-            if {'address', 'port'} <= set(peer):
-                if is_ipv6(peer['address']):
-                    cmd += ' endpoint [{address}]:{port}'
-                else:
-                    cmd += ' endpoint {address}:{port}'
+        if 'peer' in config:
+            for peer, peer_config in config['peer'].items():
+                # T4702: No need to configure this peer when it was explicitly
+                # marked as disabled - also active sessions are terminated as
+                # the public key was already removed when entering this method!
+                if 'disable' in peer_config:
+                    continue
+
+                # start of with a fresh 'wg' command
+                cmd = base_cmd + ' peer {pubkey}'
+
+                # If no PSK is given remove it by using /dev/null - passing keys via
+                # the shell (usually bash) is considered insecure, thus we use a file
+                no_psk_file = '/dev/null'
+                psk_file = no_psk_file
+                if 'preshared_key' in peer_config:
+                    psk_file = '/tmp/tmp.wireguard.psk'
+                    with open(psk_file, 'w') as f:
+                        f.write(peer_config['preshared_key'])
+                cmd += f' preshared-key {psk_file}'
+
+                # Persistent keepalive is optional
+                if 'persistent_keepalive' in peer_config:
+                    cmd += ' persistent-keepalive {persistent_keepalive}'
+
+                # Multiple allowed-ip ranges can be defined - ensure we are always
+                # dealing with a list
+                if isinstance(peer_config['allowed_ips'], str):
+                    peer_config['allowed_ips'] = [peer_config['allowed_ips']]
+                cmd += ' allowed-ips ' + ','.join(peer_config['allowed_ips'])
+
+                # Endpoint configuration is optional
+                if {'address', 'port'} <= set(peer_config):
+                    if is_ipv6(peer_config['address']):
+                        cmd += ' endpoint [{address}]:{port}'
+                    else:
+                        cmd += ' endpoint {address}:{port}'
 
-            self._cmd(cmd.format(**peer))
+                self._cmd(cmd.format(**peer_config))
 
-            # PSK key file is not required to be stored persistently as its backed by CLI
-            if psk_file != no_psk_file and os.path.exists(psk_file):
-                os.remove(psk_file)
+                # PSK key file is not required to be stored persistently as its backed by CLI
+                if psk_file != no_psk_file and os.path.exists(psk_file):
+                    os.remove(psk_file)
 
         # call base class
         super().update(config)
author	Christian Poessinger <christian@poessinger.com>	2022-10-03 14:00:29 +0200
committer	GitHub <noreply@github.com>	2022-10-03 14:00:29 +0200
commit	8560c1cc38f9104fe0d12fe72e0312c52afa9c08 (patch)
tree	4c83f1bd8c8b38ba81076134ef08fc1af8d42c0d /python
parent	180a1b0a79de67aa352b31ee7f06273c8e34d497 (diff)
parent	99b63a1eb5a4441aba4bd0c8908007450ceb7d1c (diff)
download	vyos-1x-8560c1cc38f9104fe0d12fe72e0312c52afa9c08.tar.gz vyos-1x-8560c1cc38f9104fe0d12fe72e0312c52afa9c08.zip