summaryrefslogtreecommitdiff
path: root/src/conf_mode
diff options
context:
space:
mode:
authorChristian Breunig <christian@breunig.cc>2024-07-22 16:39:52 +0200
committerMergify <37929162+mergify[bot]@users.noreply.github.com>2024-07-22 17:20:11 +0000
commit334c96afdb906ee08eee66d072c57fcaeb198b02 (patch)
tree801a07c99a31b6214e72a74e34657c1c2941dd7e /src/conf_mode
parenteb39342171b4767e483d616df16f4d94c86be108 (diff)
downloadvyos-1x-334c96afdb906ee08eee66d072c57fcaeb198b02.tar.gz
vyos-1x-334c96afdb906ee08eee66d072c57fcaeb198b02.zip
openvpn: T3834: verify() is not allowed to change anything on the system
Commit e3c71af1466 ("remove secrets file if the tunnel is deleted and fix opmode commands") added a code path into verify() which removed files on the system if TOTP was not defined. This commit moves the code path to the appropriate generate() function. (cherry picked from commit 40c835992db9217f48e54dbbf15a7fbf1dcba482)
Diffstat (limited to 'src/conf_mode')
-rwxr-xr-xsrc/conf_mode/interfaces_openvpn.py17
1 files changed, 10 insertions, 7 deletions
diff --git a/src/conf_mode/interfaces_openvpn.py b/src/conf_mode/interfaces_openvpn.py
index 0dc76b39a..320ab7b7b 100755
--- a/src/conf_mode/interfaces_openvpn.py
+++ b/src/conf_mode/interfaces_openvpn.py
@@ -235,10 +235,6 @@ def verify_pki(openvpn):
def verify(openvpn):
if 'deleted' in openvpn:
- # remove totp secrets file if totp is not configured
- if os.path.isfile(otp_file.format(**openvpn)):
- os.remove(otp_file.format(**openvpn))
-
verify_bridge_delete(openvpn)
return None
@@ -635,9 +631,19 @@ def generate_pki_files(openvpn):
def generate(openvpn):
+ if 'deleted' in openvpn:
+ # remove totp secrets file if totp is not configured
+ if os.path.isfile(otp_file.format(**openvpn)):
+ os.remove(otp_file.format(**openvpn))
+ return None
+
+ if 'disable' in openvpn:
+ return None
+
interface = openvpn['ifname']
directory = os.path.dirname(cfg_file.format(**openvpn))
openvpn['plugin_dir'] = '/usr/lib/openvpn'
+
# create base config directory on demand
makedir(directory, user, group)
# enforce proper permissions on /run/openvpn
@@ -654,9 +660,6 @@ def generate(openvpn):
if os.path.isdir(service_dir):
rmtree(service_dir, ignore_errors=True)
- if 'deleted' in openvpn or 'disable' in openvpn:
- return None
-
# create client config directory on demand
makedir(ccd_dir, user, group)