summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authormergify[bot] <37929162+mergify[bot]@users.noreply.github.com>2024-07-23 07:43:35 +0300
committerGitHub <noreply@github.com>2024-07-23 07:43:35 +0300
commit218fbe09324de91d447f125ee06aa6c87eb9c58c (patch)
tree3ad67981c504ad74de90a58ae33fa8d952584db6 /src
parentf19a531e389b98509e9ccdba3e6b32c72fe25eae (diff)
downloadvyos-1x-218fbe09324de91d447f125ee06aa6c87eb9c58c.tar.gz
vyos-1x-218fbe09324de91d447f125ee06aa6c87eb9c58c.zip
openvpn: T3834: verify() is not allowed to change anything on the system (#3851)
Commit e3c71af1466 ("remove secrets file if the tunnel is deleted and fix opmode commands") added a code path into verify() which removed files on the system if TOTP was not defined. This commit moves the code path to the appropriate generate() function. (cherry picked from commit 40c835992db9217f48e54dbbf15a7fbf1dcba482) Co-authored-by: Christian Breunig <christian@breunig.cc>
Diffstat (limited to 'src')
-rwxr-xr-xsrc/conf_mode/interfaces_openvpn.py17
1 files changed, 10 insertions, 7 deletions
diff --git a/src/conf_mode/interfaces_openvpn.py b/src/conf_mode/interfaces_openvpn.py
index 627cc90ba..5bb663a9b 100755
--- a/src/conf_mode/interfaces_openvpn.py
+++ b/src/conf_mode/interfaces_openvpn.py
@@ -235,10 +235,6 @@ def verify_pki(openvpn):
def verify(openvpn):
if 'deleted' in openvpn:
- # remove totp secrets file if totp is not configured
- if os.path.isfile(otp_file.format(**openvpn)):
- os.remove(otp_file.format(**openvpn))
-
verify_bridge_delete(openvpn)
return None
@@ -624,9 +620,19 @@ def generate_pki_files(openvpn):
def generate(openvpn):
+ if 'deleted' in openvpn:
+ # remove totp secrets file if totp is not configured
+ if os.path.isfile(otp_file.format(**openvpn)):
+ os.remove(otp_file.format(**openvpn))
+ return None
+
+ if 'disable' in openvpn:
+ return None
+
interface = openvpn['ifname']
directory = os.path.dirname(cfg_file.format(**openvpn))
openvpn['plugin_dir'] = '/usr/lib/openvpn'
+
# create base config directory on demand
makedir(directory, user, group)
# enforce proper permissions on /run/openvpn
@@ -643,9 +649,6 @@ def generate(openvpn):
if os.path.isdir(service_dir):
rmtree(service_dir, ignore_errors=True)
- if 'deleted' in openvpn or 'disable' in openvpn:
- return None
-
# create client config directory on demand
makedir(ccd_dir, user, group)