diff options
author | Christian Breunig <christian@breunig.cc> | 2024-07-22 16:39:52 +0200 |
---|---|---|
committer | Mergify <37929162+mergify[bot]@users.noreply.github.com> | 2024-07-22 17:20:11 +0000 |
commit | 334c96afdb906ee08eee66d072c57fcaeb198b02 (patch) | |
tree | 801a07c99a31b6214e72a74e34657c1c2941dd7e /src/conf_mode | |
parent | eb39342171b4767e483d616df16f4d94c86be108 (diff) | |
download | vyos-1x-334c96afdb906ee08eee66d072c57fcaeb198b02.tar.gz vyos-1x-334c96afdb906ee08eee66d072c57fcaeb198b02.zip |
openvpn: T3834: verify() is not allowed to change anything on the system
Commit e3c71af1466 ("remove secrets file if the tunnel is deleted and fix
opmode commands") added a code path into verify() which removed files on the
system if TOTP was not defined.
This commit moves the code path to the appropriate generate() function.
(cherry picked from commit 40c835992db9217f48e54dbbf15a7fbf1dcba482)
Diffstat (limited to 'src/conf_mode')
-rwxr-xr-x | src/conf_mode/interfaces_openvpn.py | 17 |
1 files changed, 10 insertions, 7 deletions
diff --git a/src/conf_mode/interfaces_openvpn.py b/src/conf_mode/interfaces_openvpn.py index 0dc76b39a..320ab7b7b 100755 --- a/src/conf_mode/interfaces_openvpn.py +++ b/src/conf_mode/interfaces_openvpn.py @@ -235,10 +235,6 @@ def verify_pki(openvpn): def verify(openvpn): if 'deleted' in openvpn: - # remove totp secrets file if totp is not configured - if os.path.isfile(otp_file.format(**openvpn)): - os.remove(otp_file.format(**openvpn)) - verify_bridge_delete(openvpn) return None @@ -635,9 +631,19 @@ def generate_pki_files(openvpn): def generate(openvpn): + if 'deleted' in openvpn: + # remove totp secrets file if totp is not configured + if os.path.isfile(otp_file.format(**openvpn)): + os.remove(otp_file.format(**openvpn)) + return None + + if 'disable' in openvpn: + return None + interface = openvpn['ifname'] directory = os.path.dirname(cfg_file.format(**openvpn)) openvpn['plugin_dir'] = '/usr/lib/openvpn' + # create base config directory on demand makedir(directory, user, group) # enforce proper permissions on /run/openvpn @@ -654,9 +660,6 @@ def generate(openvpn): if os.path.isdir(service_dir): rmtree(service_dir, ignore_errors=True) - if 'deleted' in openvpn or 'disable' in openvpn: - return None - # create client config directory on demand makedir(ccd_dir, user, group) |