From a87ada1c4e9d5a426282c900207964d09d2a1020 Mon Sep 17 00:00:00 2001
From: RageLtMan <rageltman [at] sempervictus>
Date: Wed, 17 Aug 2022 18:05:02 -0400
Subject: T3896: Drop cserv local user req, add groupconfig

From ocserv documentation:
```
If the groupconfig option is set, then config-per-user will be
overriden, and all configuration will be read from radius. That
also includes the Acct-Interim-Interval, and Session-Timeout
values.
```
Implement yes/no configuration and parameter handling during jinja
rendering.

Fix bug wherein openconnect-server configuration requires creation
of local user accounts even when RADIUS authentication is used.

Testing:
  Set the groupconfig=yes param and observed change in generated
/run/ocserv/ocserv.conf.
  Removed the local users via `delete vpn openconnect
authentication local-users` and observed commit & service operation
---
 data/templates/ocserv/ocserv_config.j2 | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'data/templates/ocserv/ocserv_config.j2')

diff --git a/data/templates/ocserv/ocserv_config.j2 b/data/templates/ocserv/ocserv_config.j2
index e0cad5181..1cbb52ccf 100644
--- a/data/templates/ocserv/ocserv_config.j2
+++ b/data/templates/ocserv/ocserv_config.j2
@@ -7,7 +7,11 @@ run-as-user = nobody
 run-as-group = daemon
 
 {% if "radius" in authentication.mode %}
+{%      if "yes" in authentication.radius.groupconfig %}
+auth = "radius [config=/run/ocserv/radiusclient.conf,groupconfig=true]"
+{%      else %}
 auth = "radius [config=/run/ocserv/radiusclient.conf]"
+{%      endif %}
 {% elif "local" in authentication.mode %}
 {%     if authentication.mode.local == "password-otp" %}
 auth = "plain[passwd=/run/ocserv/ocpasswd,otp=/run/ocserv/users.oath]"
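Review bot: The new `{% if "yes" in authentication.radius.groupconfig %}` at the top of the hunk is a substring test on a key that may be absent from the rendered dict (for example when the XML default is not merged in before rendering); with Jinja's default Undefined the test silently evaluates to false, but under StrictUndefined it raises at render time, so the outcome depends on the undefined policy rather than on the configuration. Guarding it as `{% if authentication.radius.groupconfig is vyos_defined and authentication.radius.groupconfig == "yes" %}` makes the intent explicit and removes that dependency. Note that `groupconfig=true` hands all per-user settings to the RADIUS server, so the help text for the node should say that config-per-user is ignored once it is set. The enclosing `{% if "radius" in authentication.mode %}` block continues outside the hunk.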
-- 
cgit v1.2.3


From 0b3bfe97b617b08ab9fd6682a0875c75c8a7bc5c Mon Sep 17 00:00:00 2001
From: RageLtMan <rageltman [at] sempervictus>
Date: Wed, 17 Aug 2022 21:03:50 -0400
Subject: T3896: Use group selector and forced dns tunneling

Enterprise RADIUS configurations often utilize group selectors for
authentication and attribute distribution for connecting clients.

Ocserv implements this functionality via the `select-group` config
file attribute, repeating for multiple groups. When a user selects
their membership group and the request is passed to the RADIUS
server, ocserv will match the returned Class attribute against the
value selected by the user. This functionality also works for local
group membership resolution, although VyOS currently doesn't have
group membership configuration for this.

Expose the tunnel-all-dns option in the ocserv config file allowing
users who deploy default routes to select split-dns and those who
do not to enable full DNS tunneling.

Testing:
  Smoketests & build
  Configured groups in openconnect profile and verified existence
in /run/ocserv/ocserv.conf
  Configured forced dns tunneling and verified presence of setting
in /run/ocserv/ocserv.conf
---
 data/templates/ocserv/ocserv_config.j2       | 20 ++++++++++++++++---
 interface-definitions/vpn-openconnect.xml.in | 30 ++++++++++++++++++++++++++++
 2 files changed, 47 insertions(+), 3 deletions(-)

(limited to 'data/templates/ocserv/ocserv_config.j2')

diff --git a/data/templates/ocserv/ocserv_config.j2 b/data/templates/ocserv/ocserv_config.j2
index 1cbb52ccf..5d5a4101b 100644
--- a/data/templates/ocserv/ocserv_config.j2
+++ b/data/templates/ocserv/ocserv_config.j2
@@ -7,11 +7,11 @@ run-as-user = nobody
 run-as-group = daemon
 
 {% if "radius" in authentication.mode %}
-{%      if "yes" in authentication.radius.groupconfig %}
+{%     if "yes" in authentication.radius.groupconfig %}
 auth = "radius [config=/run/ocserv/radiusclient.conf,groupconfig=true]"
-{%      else %}
+{%     else %}
 auth = "radius [config=/run/ocserv/radiusclient.conf]"
-{%      endif %}
+{%     endif %}
 {% elif "local" in authentication.mode %}
 {%     if authentication.mode.local == "password-otp" %}
 auth = "plain[passwd=/run/ocserv/ocpasswd,otp=/run/ocserv/users.oath]"
@@ -66,6 +66,13 @@ device = sslvpn
 dns = {{ dns }}
 {%     endfor %}
 {% endif %}
+{% if network_settings.tunnel_all_dns is vyos_defined %}
+{%     if "yes" in network_settings.tunnel_all_dns %}
+tunnel-all-dns = true
+{%     else %}
+tunnel-all-dns = false
+{%     endif %}
+{% endif %}
 
 # IPv4 network pool
 {% if network_settings.client_ip_settings.subnet is vyos_defined %}
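Review bot: The `{% else %}` branch writes `tunnel-all-dns = false` whenever the node is present, and because the interface-definitions hunk in this same commit gives `tunnel-all-dns` a `<defaultValue>no</defaultValue>`, the node will presumably be present on every render once defaults are merged, so the generated file always pins the value to false; the behaviour the new help text describes — tunnelling all DNS when a default route is set — is then never reached unless the operator sets yes explicitly. If the option is meant to expose the knob without changing existing deployments, drop the `{% else %}` and `tunnel-all-dns = false` lines so the directive is only emitted for `yes`; otherwise the help text should state that the default is now to disable DNS tunnelling. The template content before and after this block lies outside the hunk.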
@@ -89,3 +96,10 @@ route = {{ route }}
 split-dns = {{ tmp }}
 {%     endfor %}
 {% endif %}
+
+{% if authentication.groups is vyos_defined %}
+# Group settings
+{%     for grp in authentication.groups %}
+select-group = {{ grp }}
+{%     endfor %}
+{% endif %}
\ No newline at end of file
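Review bot: `select-group = {{ grp }}` writes each configured group into the ocserv configuration verbatim, and the matching `groups` leafNode added in the interface-definitions hunk of this commit has no `<constraint>`, so the CLI accepts values containing whitespace, quotes or line breaks, and a line break inside a value would land in /run/ocserv/ocserv.conf as a separate directive. A regex constraint on the XML node that matches the documented `group1[First Group]` shape and rejects line breaks keeps the rendered file well-formed, and the valueHelp should say that the bracketed display name is optional. The new `{% endif %}` also leaves the template without a trailing newline (`\ No newline at end of file`); ending the file with a newline avoids a spurious diff on the next edit.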
diff --git a/interface-definitions/vpn-openconnect.xml.in b/interface-definitions/vpn-openconnect.xml.in
index 3ab8dd815..54f93344b 100644
--- a/interface-definitions/vpn-openconnect.xml.in
+++ b/interface-definitions/vpn-openconnect.xml.in
@@ -50,6 +50,16 @@
                   </leafNode>
                 </children>
               </node>
+              <leafNode name="groups">
+                <properties>
+                  <help>Groups that a client is allowed to select from. Maps to RADIUS Class attribute.</help>
+                  <valueHelp>
+                    <format>txt</format>
+                    <description>Group string. The group may be followed by a user-friendly name in brackets: group1[First Group]</description>
+                  </valueHelp>
+                  <multi/>
+                </properties>
+              </leafNode>
               #include <include/auth-local-users.xml.i>
               <node name="local-users">
                 <children>
@@ -298,6 +308,26 @@
                   <multi/>
                 </properties>
               </leafNode>
+              <leafNode name="tunnel-all-dns">
+                <properties>
+                  <help>If the tunnel-all-dns option is set to yes, tunnel all DNS queries via the VPN. This is the default when a default route is set.</help>
+                  <completionHelp>
+                    <list>yes no</list>
+                  </completionHelp>
+                  <valueHelp>
+                    <format>yes</format>
+                    <description>Enable tunneling of all DNS traffic</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>no</format>
+                    <description>Disable tunneling of all DNS traffic</description>
+                  </valueHelp>
+                  <constraint>
+                    <regex>(yes|no)</regex>
+                  </constraint>
+                </properties>
+                <defaultValue>no</defaultValue>
+              </leafNode>
             </children>
           </node>
       </children>
-- 
cgit v1.2.3


From 4a5e4cfd6c11a6eed3252744ec45638249d6d2b1 Mon Sep 17 00:00:00 2001
From: RageLtMan <rageltman [at] sempervictus>
Date: Thu, 18 Aug 2022 18:57:19 -0400
Subject: T3896: update groupconfig syntax per PR1463

Address @sever-sever's suggestion to refactor how groupconfig is
defined, parsed, and set (with his proposed conditional string
appending Py-sugar). Use the disable-mobike refactor as template
for XML simplification.

Testing:
  None yet
---
 data/templates/ocserv/ocserv_config.j2       |  6 +-----
 interface-definitions/vpn-openconnect.xml.in | 17 +----------------
 2 files changed, 2 insertions(+), 21 deletions(-)

(limited to 'data/templates/ocserv/ocserv_config.j2')

diff --git a/data/templates/ocserv/ocserv_config.j2 b/data/templates/ocserv/ocserv_config.j2
index 5d5a4101b..fef49d30f 100644
--- a/data/templates/ocserv/ocserv_config.j2
+++ b/data/templates/ocserv/ocserv_config.j2
@@ -7,11 +7,7 @@ run-as-user = nobody
 run-as-group = daemon
 
 {% if "radius" in authentication.mode %}
-{%     if "yes" in authentication.radius.groupconfig %}
-auth = "radius [config=/run/ocserv/radiusclient.conf,groupconfig=true]"
-{%     else %}
-auth = "radius [config=/run/ocserv/radiusclient.conf]"
-{%     endif %}
+auth = "radius [config=/run/ocserv/radiusclient.conf{{ ',groupconfig=true' if authentication.radius.groupconfig is vyos_defined else '' }}]"
 {% elif "local" in authentication.mode %}
 {%     if authentication.mode.local == "password-otp" %}
 auth = "plain[passwd=/run/ocserv/ocpasswd,otp=/run/ocserv/users.oath]"
diff --git a/interface-definitions/vpn-openconnect.xml.in b/interface-definitions/vpn-openconnect.xml.in
index 54f93344b..7167b5d8d 100644
--- a/interface-definitions/vpn-openconnect.xml.in
+++ b/interface-definitions/vpn-openconnect.xml.in
@@ -156,23 +156,8 @@
                   </leafNode>
                   <leafNode name="groupconfig">
                     <properties>
-                      <help>If the groupconfig option is set to yes, then config-per-user will be overriden, and all configuration will be read from radius.</help>
-                      <completionHelp>
-                        <list>yes no</list>
-                      </completionHelp>
-                      <valueHelp>
-                        <format>yes</format>
-                        <description>Enable RADIUS acquisition of group properties</description>
-                      </valueHelp>
-                      <valueHelp>
-                        <format>no</format>
-                        <description>Disable RADIUS acquisition of group properties</description>
-                      </valueHelp>
-                      <constraint>
-                        <regex>(yes|no)</regex>
-                      </constraint>
+                      <help>If the groupconfig option is set, then config-per-user will be overriden, and all configuration will be read from radius.</help>
                     </properties>
-                    <defaultValue>no</defaultValue>
                   </leafNode>
                 </children>
               </node>
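Review bot: The `groupconfig` leafNode loses its `(yes|no)` constraint, completion help and default here but gains no `<valueless/>`, so unless one is added outside the hunk the CLI will still require a value on `groupconfig` and accept any string; combined with the template hunk earlier in this commit, whose `auth = "radius [...]"` line now keys purely on `authentication.radius.groupconfig is vyos_defined`, a configuration still carrying the old `groupconfig no` would render `groupconfig=true`. Adding `<valueless/>` inside `<properties>`, following the disable-mobike refactor the commit message cites as the template, turns the node into a presence flag, and a migration step for existing `groupconfig yes`/`no` values is needed since the default was dropped. The retained help text also keeps the misspelling `overriden`; suggest `If the groupconfig option is set, config-per-user is overridden and all configuration is read from RADIUS.`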
-- 
cgit v1.2.3


From e5785ff748f93b66879d8bd0393c208c6df574a9 Mon Sep 17 00:00:00 2001
From: RageLtMan <rageltman [at] sempervictus>
Date: Wed, 24 Aug 2022 21:36:32 -0400
Subject: T3896: update group syntax per PR1463

---
 data/templates/ocserv/ocserv_config.j2       | 4 ++--
 interface-definitions/vpn-openconnect.xml.in | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

(limited to 'data/templates/ocserv/ocserv_config.j2')

diff --git a/data/templates/ocserv/ocserv_config.j2 b/data/templates/ocserv/ocserv_config.j2
index fef49d30f..1d105113d 100644
--- a/data/templates/ocserv/ocserv_config.j2
+++ b/data/templates/ocserv/ocserv_config.j2
@@ -93,9 +93,9 @@ split-dns = {{ tmp }}
 {%     endfor %}
 {% endif %}
 
-{% if authentication.groups is vyos_defined %}
+{% if authentication.group is vyos_defined %}
 # Group settings
-{%     for grp in authentication.groups %}
+{%     for grp in authentication.group %}
 select-group = {{ grp }}
 {%     endfor %}
 {% endif %}
\ No newline at end of file
diff --git a/interface-definitions/vpn-openconnect.xml.in b/interface-definitions/vpn-openconnect.xml.in
index 7167b5d8d..522465611 100644
--- a/interface-definitions/vpn-openconnect.xml.in
+++ b/interface-definitions/vpn-openconnect.xml.in
@@ -50,9 +50,9 @@
                   </leafNode>
                 </children>
               </node>
-              <leafNode name="groups">
+              <leafNode name="group">
                 <properties>
-                  <help>Groups that a client is allowed to select from. Maps to RADIUS Class attribute.</help>
+                  <help>Group that a client is allowed to select (from a list). Maps to RADIUS Class attribute.</help>
                   <valueHelp>
                     <format>txt</format>
                     <description>Group string. The group may be followed by a user-friendly name in brackets: group1[First Group]</description>
-- 
cgit v1.2.3