diff options
author | Christian Poessinger <christian@poessinger.com> | 2021-07-20 20:33:54 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-07-20 20:33:54 +0200 |
commit | 4d55afded46a07c761a724989e0e66fe88d705c7 (patch) | |
tree | 5c9cae9c04121dd082c0a7a3e6d262df27c86489 /src/migration-scripts/interfaces/22-to-23 | |
parent | 4ff379d18a750314fda2b2fec5a1e285bd92f15c (diff) | |
parent | bfadd6dfb5969f231097353a76ada3b839964a19 (diff) | |
download | vyos-1x-4d55afded46a07c761a724989e0e66fe88d705c7.tar.gz vyos-1x-4d55afded46a07c761a724989e0e66fe88d705c7.zip |
Merge pull request #931 from sarthurdev/pki_eapol
pki: eapol: T3642: Migrate EAPoL to use PKI configuration
Diffstat (limited to 'src/migration-scripts/interfaces/22-to-23')
-rwxr-xr-x | src/migration-scripts/interfaces/22-to-23 | 134 |
1 files changed, 113 insertions, 21 deletions
diff --git a/src/migration-scripts/interfaces/22-to-23 b/src/migration-scripts/interfaces/22-to-23 index c52a26908..3fd5998a0 100755 --- a/src/migration-scripts/interfaces/22-to-23 +++ b/src/migration-scripts/interfaces/22-to-23 @@ -14,30 +14,35 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. -# A VTI interface also requires an IPSec configuration - VyOS 1.2 supported -# having a VTI interface in the CLI but no IPSec configuration - drop VTI -# configuration if this is the case for VyOS 1.4 +# Migrate Wireguard to store keys in CLI +# Migrate EAPoL to PKI configuration import os import sys from vyos.configtree import ConfigTree +from vyos.pki import load_certificate +from vyos.pki import load_private_key +from vyos.pki import encode_certificate +from vyos.pki import encode_private_key -if __name__ == '__main__': - if (len(sys.argv) < 1): - print("Must specify file name!") - sys.exit(1) +def wrapped_pem_to_config_value(pem): + return "".join(pem.strip().split("\n")[1:-1]) - file_name = sys.argv[1] +if (len(sys.argv) < 1): + print("Must specify file name!") + sys.exit(1) - with open(file_name, 'r') as f: - config_file = f.read() +file_name = sys.argv[1] - config = ConfigTree(config_file) - base = ['interfaces', 'wireguard'] - if not config.exists(base): - # Nothing to do - sys.exit(0) +with open(file_name, 'r') as f: + config_file = f.read() +config = ConfigTree(config_file) + +# Wireguard +base = ['interfaces', 'wireguard'] + +if config.exists(base): for interface in config.list_nodes(base): private_key_path = base + [interface, 'private-key'] @@ -58,9 +63,96 @@ if __name__ == '__main__': for peer in config.list_nodes(base + [interface, 'peer']): config.rename(base + [interface, 'peer', peer, 'pubkey'], 'public-key') - try: - with open(file_name, 'w') as f: - f.write(config.to_string()) - except OSError as e: - print("Failed to save the modified config: {}".format(e)) - sys.exit(1) +# Ethernet EAPoL +base = ['interfaces', 'ethernet'] + +if config.exists(base): + AUTH_DIR = '/config/auth' + pki_base = ['pki'] + + for interface in config.list_nodes(base): + if not config.exists(base + [interface, 'eapol']): + continue + + x509_base = base + [interface, 'eapol'] + pki_name = f'eapol_{interface}' + + if config.exists(x509_base + ['ca-cert-file']): + if not config.exists(pki_base + ['ca']): + config.set(pki_base + ['ca']) + config.set_tag(pki_base + ['ca']) + + cert_file = config.return_value(x509_base + ['ca-cert-file']) + cert_path = os.path.join(AUTH_DIR, cert_file) + cert = None + + if os.path.isfile(cert_path): + if not os.access(cert_path, os.R_OK): + run(f'sudo chmod 644 {cert_path}') + + with open(cert_path, 'r') as f: + cert_data = f.read() + cert = load_certificate(cert_data, wrap_tags=False) + + if cert: + cert_pem = encode_certificate(cert) + config.set(pki_base + ['ca', pki_name, 'certificate'], value=wrapped_pem_to_config_value(cert_pem)) + config.set(x509_base + ['ca-certificate'], value=pki_name) + else: + print(f'Failed to migrate CA certificate on eapol config for interface {interface}') + + config.delete(x509_base + ['ca-cert-file']) + + if config.exists(x509_base + ['cert-file']): + if not config.exists(pki_base + ['certificate']): + config.set(pki_base + ['certificate']) + config.set_tag(pki_base + ['certificate']) + + cert_file = config.return_value(x509_base + ['cert-file']) + cert_path = os.path.join(AUTH_DIR, cert_file) + cert = None + + if os.path.isfile(cert_path): + if not os.access(cert_path, os.R_OK): + run(f'sudo chmod 644 {cert_path}') + + with open(cert_path, 'r') as f: + cert_data = f.read() + cert = load_certificate(cert_data, wrap_tags=False) + + if cert: + cert_pem = encode_certificate(cert) + config.set(pki_base + ['certificate', pki_name, 'certificate'], value=wrapped_pem_to_config_value(cert_pem)) + config.set(x509_base + ['certificate'], value=pki_name) + else: + print(f'Failed to migrate certificate on eapol config for interface {interface}') + + config.delete(x509_base + ['cert-file']) + + if config.exists(x509_base + ['key-file']): + key_file = config.return_value(x509_base + ['key-file']) + key_path = os.path.join(AUTH_DIR, key_file) + key = None + + if os.path.isfile(key_path): + if not os.access(key_path, os.R_OK): + run(f'sudo chmod 644 {key_path}') + + with open(key_path, 'r') as f: + key_data = f.read() + key = load_private_key(key_data, passphrase=None, wrap_tags=False) + + if key: + key_pem = encode_private_key(key, passphrase=None) + config.set(pki_base + ['certificate', pki_name, 'private', 'key'], value=wrapped_pem_to_config_value(key_pem)) + else: + print(f'Failed to migrate private key on eapol config for interface {interface}') + + config.delete(x509_base + ['key-file']) + +try: + with open(file_name, 'w') as f: + f.write(config.to_string()) +except OSError as e: + print("Failed to save the modified config: {}".format(e)) + sys.exit(1) |