From d1abba03229128c3f2a6f718e9f14f4d7285e74d Mon Sep 17 00:00:00 2001
From: Christian Breunig <christian@breunig.cc>
Date: Fri, 12 May 2023 21:03:03 +0200
Subject: ocserv: T3896: improve XML definition and add warning about 3rd party
 configs

When enabling identity-based-config, users can add arbitrary config keys
that are processed by ocserv. The user "must know" what he is been doing, as
invalid config option will make the ocserv daemon go ... whoop!

Thus add a warning and inform the user about this setting.
---
 interface-definitions/vpn-openconnect.xml.in | 53 +++++++++++++++++++++++++++-
 1 file changed, 52 insertions(+), 1 deletion(-)

(limited to 'interface-definitions/vpn-openconnect.xml.in')

diff --git a/interface-definitions/vpn-openconnect.xml.in b/interface-definitions/vpn-openconnect.xml.in
index afc2a5383..75c64a99a 100644
--- a/interface-definitions/vpn-openconnect.xml.in
+++ b/interface-definitions/vpn-openconnect.xml.in
@@ -71,7 +71,58 @@
                   </leafNode>
                 </children>
               </node>
-              #include <include/openconnect-identity-based-config.xml.i>
+              <node name="identity-based-config">
+                <properties>
+                  <help>Include configuration file by username or RADIUS group attribute</help>
+                </properties>
+                <children>
+                  #include <include/generic-disable-node.xml.i>
+                  <leafNode name="mode">
+                    <properties>
+                      <help>Select per user or per group configuration file - ignored if authentication group is configured</help>
+                      <completionHelp>
+                        <list>user group</list>
+                      </completionHelp>
+                      <valueHelp>
+                        <format>user</format>
+                        <description>Match configuration file on username</description>
+                      </valueHelp>
+                      <valueHelp>
+                        <format>group</format>
+                        <description>Match RADIUS response class attribute as file name</description>
+                      </valueHelp>
+                      <constraint>
+                        <regex>(user|group)</regex>
+                      </constraint>
+                      <constraintErrorMessage>Invalid mode, must be either user or group</constraintErrorMessage>
+                    </properties>
+                  </leafNode>
+                  <leafNode name="directory">
+                    <properties>
+                      <help>Directory to containing configuration files</help>
+                      <valueHelp>
+                        <format>path</format>
+                        <description>Path to configuration directory, must be under /config/auth</description>
+                      </valueHelp>
+                      <constraint>
+                        <validator name="file-path" argument="--directory --parent-dir /config/auth --strict"/>
+                      </constraint>
+                    </properties>
+                  </leafNode>
+                  <leafNode name="default-config">
+                    <properties>
+                      <help>Default configuration if discrete config could not be found</help>
+                      <valueHelp>
+                        <format>filename</format>
+                        <description>Default configuration filename, must be under /config/auth</description>
+                      </valueHelp>
+                      <constraint>
+                        <validator name="file-path" argument="--file --parent-dir /config/auth --strict"/>
+                      </constraint>
+                    </properties>
+                  </leafNode>
+                </children>
+              </node>
               <leafNode name="group">
                 <properties>
                   <help>Group that a client is allowed to select (from a list). Maps to RADIUS Class attribute.</help>
-- 
cgit v1.2.3