From 70794c8266ffefc6660daac3bc8a63b412d7b350 Mon Sep 17 00:00:00 2001
From: Jamie Austin
Date: Thu, 26 Jan 2023 16:34:36 +1100
Subject: ocserv: T3896: add CLI options to configure ocserv config-per-user/group

Adds CLI configurations under VPN - OpenConnect to facilitate per user/group vpn session configurations. Validation has been added to restrict config-per-group to be exclusive to OpenConnect RADIUS authentication as the config file is looked up based on a RADIUS response attribute - as well as sanity check that the necessary configs are configured when not disabled.
---
 src/conf_mode/vpn_openconnect.py | 11 +++++++++++
 1 file changed, 11 insertions(+)

(limited to 'src/conf_mode')

diff --git a/src/conf_mode/vpn_openconnect.py b/src/conf_mode/vpn_openconnect.py
index af3c51efc..12165a4f2 100755
--- a/src/conf_mode/vpn_openconnect.py
+++ b/src/conf_mode/vpn_openconnect.py
@@ -113,6 +113,17 @@ def verify(ocserv):
 users_wo_pswd.append(user)
 if users_wo_pswd:
 raise ConfigError(f'password required for users:\n{users_wo_pswd}')
+ # Validate that if config-per-x is configured all child config nodes are set
+ if 'config_per_x' in ocserv["authentication"]:
+ if 'disabled' not in ocserv["authentication"]["config_per_x"]:
+ if 'mode' not in ocserv["authentication"]["config_per_x"]:
+ raise ConfigError('OpenConnect radius config-per-x enabled but mode not selected')
+ elif 'group' in ocserv["authentication"]["config_per_x"]["mode"] and "radius" not in ocserv["authentication"]["mode"]:
+ raise ConfigError('OpenConnect config-per-group must be used with radius authentication')
+ if 'directory' not in ocserv["authentication"]["config_per_x"]:
+ raise ConfigError('OpenConnect config-per-x enabled but directory not set')
+ if 'default_config' not in ocserv["authentication"]["config_per_x"]:
+ raise ConfigError('OpenConnect config-per-x enabled but default-config not set')
 else:
 raise ConfigError('openconnect authentication mode required')
 else:
-- cgit v1.2.3
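Review bot: The `directory` and `default_config` checks in the new block only test that the nodes exist, so a directory that is not present or a default file ocserv cannot read passes `verify()` and, going by the commit message, only fails when ocserv looks the per-user/per-group file up at session time from the RADIUS attribute, which turns a configuration typo into a login-time failure instead of a commit-time ConfigError. If `os` is already in scope in this file, add `if not os.path.isdir(ocserv['authentication']['config_per_x']['directory']): raise ConfigError('OpenConnect config-per-x directory does not exist')` and the matching `os.path.isfile` check for `default_config`. The mode check runs for every authentication mode, yet its message says `radius config-per-x`; `raise ConfigError('OpenConnect config-per-x enabled but mode not selected')` matches the other messages in the block. The `"radius" not in ocserv["authentication"]["mode"]` access appears to rely on the enclosing branch that guards `mode` (its `else` raises `openconnect authentication mode required`), but that `if` line and the rest of `verify()` are outside the hunk.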