diff options
author | Christian Poessinger <christian@poessinger.com> | 2020-09-29 20:43:08 +0200 |
---|---|---|
committer | Christian Poessinger <christian@poessinger.com> | 2020-10-01 18:59:17 +0200 |
commit | 38ae3032180a3d49253237232a0e3de8d2836e7c (patch) | |
tree | 100c3bbfbcc79f8f51f8acb9d551a24576cc9438 | |
parent | 5b640551fdff979275b49965801ad438938fb067 (diff) | |
download | vyos-1x-38ae3032180a3d49253237232a0e3de8d2836e7c.tar.gz vyos-1x-38ae3032180a3d49253237232a0e3de8d2836e7c.zip |
pppoe-server: T2936: move to get_config_dict()
For easier configuration read in (CLI) validation and also template rendering
it makes sense to drop the old, single implementation and move to the new,
generic get_config_dict() approach.
Recurring configuration parts like ip-pool, ipv6-pool and nameservers have
also been split our into individual templates which will be included through
Jinja2 - leading to a single-source of the template sections, too.
-rw-r--r-- | data/templates/accel-ppp/chap-secrets.pppoe.tmpl | 12 | ||||
-rw-r--r-- | data/templates/accel-ppp/config_ip_pool.j2 | 14 | ||||
-rw-r--r-- | data/templates/accel-ppp/config_ipv6_pool.j2 | 16 | ||||
-rw-r--r-- | data/templates/accel-ppp/config_name_server.j2 | 13 | ||||
-rw-r--r-- | data/templates/accel-ppp/pppoe.config.tmpl | 243 | ||||
-rw-r--r-- | interface-definitions/include/accel-auth-mode.xml.i | 1 | ||||
-rw-r--r-- | interface-definitions/include/accel-radius-additions.xml.i | 8 | ||||
-rw-r--r-- | interface-definitions/include/radius-server.xml.i | 1 | ||||
-rw-r--r-- | interface-definitions/service_pppoe-server.xml.in | 37 | ||||
-rwxr-xr-x | smoketest/scripts/cli/test_service_pppoe-server.py | 182 | ||||
-rwxr-xr-x | src/conf_mode/service_pppoe-server.py | 500 |
11 files changed, 458 insertions, 569 deletions
diff --git a/data/templates/accel-ppp/chap-secrets.pppoe.tmpl b/data/templates/accel-ppp/chap-secrets.pppoe.tmpl new file mode 100644 index 000000000..da64b64d5 --- /dev/null +++ b/data/templates/accel-ppp/chap-secrets.pppoe.tmpl @@ -0,0 +1,12 @@ +# username server password acceptable local IP addresses shaper +{% if authentication is defined and authentication.local_users is defined and authentication.local_users.username is defined %} +{% for user, user_config in authentication.local_users.username.items() %} +{% if user_config.disabled is not defined %} +{% if user_config.rate_limit is defined %} +{{ "%-12s" | format(user) }} * {{ "%-16s" | format(user_config.password) }} {{ "%-16s" | format(user_config.static_ip) }} {{ user_config.rate_limit.download }}/{{ user_config.rate_limit.upload }} +{% else %} +{{ "%-12s" | format(user) }} * {{ "%-16s" | format(user_config.password) }} {{ "%-16s" | format(user_config.static_ip) }} +{% endif %} +{% endif %} +{% endfor %} +{% endif %} diff --git a/data/templates/accel-ppp/config_ip_pool.j2 b/data/templates/accel-ppp/config_ip_pool.j2 new file mode 100644 index 000000000..51fe67334 --- /dev/null +++ b/data/templates/accel-ppp/config_ip_pool.j2 @@ -0,0 +1,14 @@ +{% if client_ip_pool is defined and client_ip_pool is not none %} +[ip-pool] +{% if local_ip is defined and local_ip is not none %} +gw-ip-address={{ local_ip }} +{% endif %} +{% if client_ip_pool.start is defined and client_ip_pool.stop is defined and client_ip_pool.start is not none and client_ip_pool.stop is not none %} +{{ client_ip_pool.start }}-{{ client_ip_pool.stop }} +{% endif -%} +{% if client_ip_pool.subnet is defined and client_ip_pool.subnet is not none %} +{% for subnet in client_ip_pool.subnet %} +{{ subnet }} +{% endfor %} +{% endif %} +{% endif %} diff --git a/data/templates/accel-ppp/config_ipv6_pool.j2 b/data/templates/accel-ppp/config_ipv6_pool.j2 new file mode 100644 index 000000000..b764fc6f0 --- /dev/null +++ b/data/templates/accel-ppp/config_ipv6_pool.j2 @@ -0,0 +1,16 @@ +{% if client_ipv6_pool is defined and client_ipv6_pool is not none %} +[ipv6-nd] +AdvAutonomousFlag=1 + +{% if client_ipv6_pool.prefix is defined and client_ipv6_pool.prefix is not none %} +[ipv6-pool] +{% for prefix, options in client_ipv6_pool.prefix.items() %} +{{ prefix }},{{ options.mask }} +{% endfor %} +{% if client_ipv6_pool.delegate is defined and client_ipv6_pool.delegate is not none %} +{% for prefix, options in client_ipv6_pool.delegate.items() %} +delegate={{ prefix }},{{ options.delegation_prefix }} +{% endfor %} +{% endif %} +{% endif %} +{% endif %} diff --git a/data/templates/accel-ppp/config_name_server.j2 b/data/templates/accel-ppp/config_name_server.j2 new file mode 100644 index 000000000..2bf064f92 --- /dev/null +++ b/data/templates/accel-ppp/config_name_server.j2 @@ -0,0 +1,13 @@ +{% if name_server_ipv4 is defined and name_server_ipv4 is not none %} +[dns] +{% for ns in name_server_ipv4 %} +dns{{ loop.index }}={{ ns }} +{% endfor %} +{% endif %} + +{% if name_server_ipv6 is defined and name_server_ipv6 is not none %} +[ipv6-dns] +{% for ns in name_server_ipv6 %} +{{ ns }} +{% endfor %} +{% endif %} diff --git a/data/templates/accel-ppp/pppoe.config.tmpl b/data/templates/accel-ppp/pppoe.config.tmpl index bdbd32d33..d0331f4e2 100644 --- a/data/templates/accel-ppp/pppoe.config.tmpl +++ b/data/templates/accel-ppp/pppoe.config.tmpl @@ -2,36 +2,34 @@ [modules] log_syslog pppoe -{% if auth_mode == 'radius' %} -radius -{% endif %} +{{ "radius" if authentication.mode is defined and authentication.mode == 'radius' }} chap-secrets ippool -{% if ppp_ipv6 != 'deny' %} +{% if ppp_options.ipv6 is defined and ppp_options.ipv6 != 'deny' %} ipv6pool ipv6_nd ipv6_dhcp {% endif %} -{% for proto in auth_proto: %} -{{proto}} +{% for protocol in authentication.protocols %} +{{ protocol }} {% endfor%} shaper -{% if snmp %} +{% if snmp is defined %} net-snmp {% endif %} -{% if limits %} +{% if limits is defined %} connlimit {% endif %} [core] -thread-count={{ thread_cnt }} +thread-count={{ thread_count }} [log] syslog=accel-pppoe,daemon copy=1 level=5 -{% if snmp == 'enable-ma' %} +{% if snmp is defined and snmp.master_agent is defined %} [snmp] master=1 {% endif %} @@ -39,177 +37,130 @@ master=1 [client-ip-range] disable -{% if ppp_gw %} -[ip-pool] -gw-ip-address={{ ppp_gw }} -{% if client_ip_pool %} -{{ client_ip_pool }} -{% endif -%} -{% if client_ip_subnets %} -{% for subnet in client_ip_subnets %} -{{ subnet }} -{% endfor %} -{% endif %} -{% endif %} - -{% if client_ipv6_pool %} -[ipv6-nd] -AdvAutonomousFlag=1 +{# Common IP pool definitions #} +{% include 'accel-ppp/config_ip_pool.j2' %} -[ipv6-pool] -{% for p in client_ipv6_pool %} -{{ p.prefix }},{{ p.mask }} -{% endfor %} -{% for p in client_ipv6_delegate_prefix %} -delegate={{ p.prefix }},{{ p.mask }} -{% endfor %} -{% endif %} +{# Common IPv6 pool definitions #} +{% include 'accel-ppp/config_ipv6_pool.j2' %} -{% if dnsv4 %} -[dns] -{% for dns in dnsv4 -%} -dns{{ loop.index }}={{ dns }} -{% endfor -%} -{% endif %} +{# Common DNS name-server definition #} +{% include 'accel-ppp/config_name_server.j2' %} -{% if dnsv6 %} -[ipv6-dns] -{% for dns in dnsv6 -%} -{{ dns }} -{% endfor -%} -{% endif %} - -{% if wins %} +{% if wins_server is defined and wins_server is not none %} [wins] -{% for server in wins -%} +{% for server in wins_server %} wins{{ loop.index }}={{ server }} -{% endfor -%} +{% endfor %} {% endif %} -{% if auth_mode == 'local' %} +{% if authentication.mode is defined and authentication.mode == 'local' %} [chap-secrets] chap-secrets={{ chap_secrets_file }} -{% elif auth_mode == 'radius' %} +{% elif authentication.mode is defined and authentication.mode == 'radius' %} [radius] verbose=1 -{% for r in radius_server %} -server={{ r.server }},{{ r.key }},auth-port={{ r.port }},acct-port={{ r.acct_port }},req-limit=0,fail-time={{ r.fail_time }} -{% endfor -%} - -{% if radius_acct_inter_jitter %} -acct-interim-jitter={{ radius_acct_inter_jitter }} -{% endif %} - -acct-timeout={{ radius_acct_tmo }} -timeout={{ radius_timeout }} -max-try={{ radius_max_try }} - -{% if radius_nas_id %} -nas-identifier={{ radius_nas_id }} -{% endif -%} -{% if radius_nas_ip %} -nas-ip-address={{ radius_nas_ip }} -{% endif -%} -{% if radius_source_address %} -bind={{ radius_source_address }} -{% endif -%} - - -{% if radius_dynamic_author %} -dae-server={{ radius_dynamic_author.server }}:{{ radius_dynamic_author.port }},{{ radius_dynamic_author.key }} -{% endif -%} -{% endif %} -{% if ppp_gw %} -gw-ip-address={{ ppp_gw }} -{% endif %} - -{% if sesscrtl != 'disable' %} +{% for server, options in authentication.radius.server.items() if not options.disable is defined %} +server={{ server }},{{ options.key }},auth-port={{ options.port }},acct-port={{ options.acct_port }},req-limit=0,fail-time={{ options.fail_time }} +{% endfor %} +{% if authentication.radius.acct_interim_jitter is defined and authentication.radius.acct_interim_jitter is not none %} +acct-interim-jitter={{ authentication.radius.acct_interim_jitter }} +{% endif %} +acct-timeout={{ authentication.radius.acct_timeout }} +timeout={{ authentication.radius.timeout }} +max-try={{ authentication.radius.max_try }} +{% if authentication.radius.nas_identifier is defined and authentication.radius.nas_identifier is not none %} +nas-identifier={{ authentication.radius.nas_identifier }} +{% endif %} +{% if authentication.radius.nas_ip_address is defined and authentication.radius.nas_ip_address is not none %} +nas-ip-address={{ authentication.radius.nas_ip_address }} +{% endif %} +{% if authentication.radius.source_address is defined and authentication.radius.source_address is not none %} +bind={{ authentication.radius.source_address }} +{% endif %} +{% if authentication.radius.called_sid_format is defined and authentication.radius.called_sid_format is not none %} +called-sid={{ authentication.radius.called_sid_format }} +{% endif %} +{% if authentication.radius.dynamic_author.server is defined and authentication.radius.dynamic_author.server is not none %} +dae-server={{ authentication.radius.dynamic_author.server }}:{{ authentication.radius.dynamic_author.port }},{{ authentication.radius.dynamic_author.key }} +{% endif -%} +{% endif %} + +{% if local_ip is defined and local_ip is not none %} +gw-ip-address={{ local_ip }} +{% endif %} + +{% if session_control is defined and session_control != 'disable' %} [common] -single-session={{ sesscrtl }} +single-session={{ session_control }} {% endif %} [ppp] verbose=1 check-ip=1 -{% if ppp_ccp %} -ccp=1 -{% else %} -ccp=0 -{% endif %} -{% if ppp_preallocate_vif %} -unit-preallocate=1 -{% else %} -unit-preallocate=0 -{% endif %} -{% if ppp_min_mtu %} -min-mtu={{ ppp_min_mtu }} +ccp={{ "1" if ppp_options.ccp is defined else "0" }} +unit-preallocate={{ "1" if authentication.radius.preallocate_vif is defined else "0" }} +{% if ppp_options.min_mtu is defined and ppp_options.min_mtu is not none %} +min-mtu={{ ppp_options.min_mtu }} {% else %} min-mtu={{ mtu }} {% endif %} -{% if ppp_mru %} -mru={{ ppp_mru }} -{% endif %} -mppe={{ ppp_mppe }} -lcp-echo-interval={{ ppp_echo_interval }} -lcp-echo-timeout={{ ppp_echo_timeout }} -lcp-echo-failure={{ ppp_echo_failure }} -{% if ppp_ipv4 %} -ipv4={{ ppp_ipv4 }} -{% endif %} -{% if client_ipv6_pool %} -ipv6=allow -{% endif %} - -{% if ppp_ipv6 %} -ipv6={{ ppp_ipv6 }} -{% if ppp_ipv6_intf_id %} -ipv6-intf-id={{ ppp_ipv6_intf_id }} -{% endif %} -{% if ppp_ipv6_peer_intf_id %} -ipv6-peer-intf-id={{ ppp_ipv6_peer_intf_id }} -{% endif %} -{% if ppp_ipv6_accept_peer_intf_id %} -ipv6-accept-peer-intf-id={{ ppp_ipv6_accept_peer_intf_id }} -{% endif %} -{% endif %} +{% if ppp_options.mru is defined and ppp_options.mru is not none %} +mru={{ ppp_options.mru }} +{% endif %} +mppe={{ ppp_options.mppe }} +lcp-echo-interval={{ ppp_options.lcp_echo_interval }} +lcp-echo-timeout={{ ppp_options.lcp_echo_timeout }} +lcp-echo-failure={{ ppp_options.lcp_echo_failure }} +{% if ppp_options.ipv4 is defined and ppp_options.ipv4 is not none %} +ipv4={{ ppp_options.ipv4 }} +{% endif %} +{# IPv6 #} +{% if ppp_options.ipv6 is defined and ppp_options.ipv6 is not none %} +ipv6={{ ppp_options.ipv6 }} +{% if ppp_options.ipv6_intf_id is defined and ppp_options.ipv6_intf_id is not none %} +ipv6-intf-id={{ ppp_options.ipv6_intf_id }} +{% endif %} +{% if ppp_options.ipv6_peer_intf_id is defined and ppp_options.ipv6_peer_intf_id is not none %} +ipv6-peer-intf-id={{ ppp_options.ipv6_peer_intf_id }} +{% endif %} +ipv6-accept-peer-intf-id={{ "1" if ppp_options.ipv6_accept_peer_intf_id is defined else "0" }} +{% endif %} +{# MTU #} mtu={{ mtu }} [pppoe] verbose=1 -ac-name={{ concentrator }} +ac-name={{ access_concentrator }} -{% if interfaces %} -{% for interface in interfaces %} -interface={{ interface.name }} -{% if interface.vlans %} -vlan-mon={{ interface.name }},{{ interface.vlans | join(',') }} +{% if interface %} +{% for iface in interface %} +interface={{ iface }} +{% if interface[iface].vlan_id is defined or interface[iface].vlan_range is defined %} +vlan-mon={{ iface }},{{ interface[iface].vlan_id | join(',') }},{{ interface[iface].vlan_range | join(',') }} interface=re:{{ interface.name }}\.\d+ +{% endif %} +{% endfor %} {% endif %} -{% endfor -%} -{% if radius_called_sid_format %} -called-sid={{ radius_called_sid_format }} -{% endif %} -{% endif -%} -{% if svc_name %} -service-name={{ svc_name|join(',') }} +{% if service_name %} +service-name={{ service_name | join(',') }} {% endif -%} {% if pado_delay %} pado-delay={{ pado_delay }} {% endif %} -{% if limits_burst or limits_connections or limits_connections %} +{% if limits is defined %} [connlimit] -{% if limits_connections %} -limit={{ limits_connections }} -{% endif %} -{% if limits_burst %} -burst={{ limits_burst }} -{% endif %} -{% if limits_timeout %} -timeout={{ limits_timeout }} -{% endif %} +{% if limits.connection_limit is defined and limits.connection_limit is not none %} +limit={{ limits.connection_limit }} +{% endif %} +{% if limits.burst is defined and limits.burst %} +burst={{ limits.burst }} +{% endif %} +{% if limits.timeout is defined and limits.timeout is not none %} +timeout={{ limits.timeout }} +{% endif %} {% endif %} [cli] diff --git a/interface-definitions/include/accel-auth-mode.xml.i b/interface-definitions/include/accel-auth-mode.xml.i index e719112db..750c3117b 100644 --- a/interface-definitions/include/accel-auth-mode.xml.i +++ b/interface-definitions/include/accel-auth-mode.xml.i @@ -16,4 +16,5 @@ <list>local radius</list> </completionHelp> </properties> + <defaultValue>local</defaultValue> </leafNode> diff --git a/interface-definitions/include/accel-radius-additions.xml.i b/interface-definitions/include/accel-radius-additions.xml.i index f4db51b97..43810625a 100644 --- a/interface-definitions/include/accel-radius-additions.xml.i +++ b/interface-definitions/include/accel-radius-additions.xml.i @@ -26,6 +26,7 @@ <validator name="numeric" argument="--range 1-65535"/> </constraint> </properties> + <defaultValue>1813</defaultValue> </leafNode> <leafNode name="fail-time"> <properties> @@ -39,6 +40,7 @@ </constraint> <constraintErrorMessage>Fail time must be between 0 and 600 seconds</constraintErrorMessage> </properties> + <defaultValue>0</defaultValue> </leafNode> </children> </tagNode> @@ -54,6 +56,7 @@ </constraint> <constraintErrorMessage>Timeout must be between 1 and 60 seconds</constraintErrorMessage> </properties> + <defaultValue>3</defaultValue> </leafNode> <leafNode name="acct-timeout"> <properties> @@ -67,6 +70,7 @@ </constraint> <constraintErrorMessage>Timeout must be between 0 and 60 seconds</constraintErrorMessage> </properties> + <defaultValue>3</defaultValue> </leafNode> <leafNode name="max-try"> <properties> @@ -80,6 +84,7 @@ </constraint> <constraintErrorMessage>Maximum tries must be between 1 and 20</constraintErrorMessage> </properties> + <defaultValue>3</defaultValue> </leafNode> <leafNode name="nas-identifier"> <properties> @@ -123,7 +128,7 @@ </leafNode> <leafNode name="port"> <properties> - <help>Port for Dynamic Authorization Extension server (DM/CoA)</help> + <help>Port for Dynamic Authorization Extension server (DM/CoA) (default: 1700)</help> <valueHelp> <format>number</format> <description>TCP port</description> @@ -132,6 +137,7 @@ <validator name="numeric" argument="--range 1-65535"/> </constraint> </properties> + <defaultValue>1700</defaultValue> </leafNode> <leafNode name="key"> <properties> diff --git a/interface-definitions/include/radius-server.xml.i b/interface-definitions/include/radius-server.xml.i index 047728233..7c2ddff80 100644 --- a/interface-definitions/include/radius-server.xml.i +++ b/interface-definitions/include/radius-server.xml.i @@ -49,6 +49,7 @@ <validator name="numeric" argument="--range 1-65535"/> </constraint> </properties> + <defaultValue>1812</defaultValue> </leafNode> </children> </tagNode> diff --git a/interface-definitions/service_pppoe-server.xml.in b/interface-definitions/service_pppoe-server.xml.in index eaaac0d4c..b38f692d8 100644 --- a/interface-definitions/service_pppoe-server.xml.in +++ b/interface-definitions/service_pppoe-server.xml.in @@ -29,12 +29,13 @@ </constraint> <constraintErrorMessage>access-concentrator name limited to alphanumerical characters only (max. 100)</constraintErrorMessage> </properties> + <defaultValue>vyos-ac</defaultValue> </leafNode> <leafNode name="session-control"> <properties> <help>control sessions count</help> <constraint> - <regex>(deny|disable)</regex> + <regex>^(deny|disable|replace)$</regex> </constraint> <constraintErrorMessage>Invalid value</constraintErrorMessage> <valueHelp> @@ -45,10 +46,15 @@ <format>deny</format> <description>Deny second session authorization</description> </valueHelp> + <valueHelp> + <format>replace</format> + <description>Terminate first session when second is authorized</description> + </valueHelp> <completionHelp> - <list>deny disable</list> + <list>deny disable replace</list> </completionHelp> </properties> + <defaultValue>replace</defaultValue> </leafNode> <node name="authentication"> <properties> @@ -68,6 +74,7 @@ <leafNode name="disable"> <properties> <help>Option to disable a PPPoE Server user</help> + <valueless/> </properties> </leafNode> <leafNode name="password"> @@ -79,6 +86,7 @@ <properties> <help>Static client IP address</help> </properties> + <defaultValue>*</defaultValue> </leafNode> <node name="rate-limit"> <properties> @@ -182,7 +190,7 @@ <completionHelp> <list>pap chap mschap mschap-v2</list> </completionHelp> - <multi /> + <multi/> </properties> </leafNode> </children> @@ -234,10 +242,10 @@ <properties> <help>VLAN monitor for the automatic creation of vlans (user per vlan)</help> <constraint> - <validator name="numeric" argument="--range 1-4096"/> - </constraint> - <constraintErrorMessage>VLAN ID needs to be between 1 and 4096</constraintErrorMessage> - <multi /> + <validator name="numeric" argument="--range 1-4096"/> + </constraint> + <constraintErrorMessage>VLAN ID needs to be between 1 and 4096</constraintErrorMessage> + <multi/> </properties> </leafNode> <leafNode name="vlan-range"> @@ -246,7 +254,7 @@ <constraint> <regex>(409[0-6]|40[0-8][0-9]|[1-3][0-9]{3}|[1-9][0-9]{0,2})-(409[0-6]|40[0-8][0-9]|[1-3][0-9]{3}|[1-9][0-9]{0,2})</regex> </constraint> - <multi /> + <multi/> </properties> </leafNode> </children> @@ -263,9 +271,10 @@ <properties> <help>Maximum Transmission Unit (MTU) - default 1492</help> <constraint> - <validator name="numeric" argument="--range 128-16384"/> + <validator name="numeric" argument="--range 128-16384"/> </constraint> </properties> + <defaultValue>1492</defaultValue> </leafNode> <node name="limits"> <properties> @@ -353,6 +362,7 @@ <regex>^(deny|prefer|require)$</regex> </constraint> </properties> + <defaultValue>prefer</defaultValue> </leafNode> <leafNode name="lcp-echo-interval"> <properties> @@ -361,6 +371,7 @@ <validator name="numeric" argument="--positive"/> </constraint> </properties> + <defaultValue>30</defaultValue> </leafNode> <leafNode name="lcp-echo-failure"> <properties> @@ -369,6 +380,7 @@ <validator name="numeric" argument="--positive"/> </constraint> </properties> + <defaultValue>3</defaultValue> </leafNode> <leafNode name="lcp-echo-timeout"> <properties> @@ -377,6 +389,7 @@ <validator name="numeric" argument="--positive"/> </constraint> </properties> + <defaultValue>0</defaultValue> </leafNode> <leafNode name="ipv4"> <properties> @@ -437,6 +450,9 @@ <leafNode name="ipv6-intf-id"> <properties> <help>Fixed or random interface identifier for IPv6</help> + <completionHelp> + <list>random</list> + </completionHelp> <valueHelp> <format>random</format> <description>Random interface identifier for IPv6</description> @@ -450,6 +466,9 @@ <leafNode name="ipv6-peer-intf-id"> <properties> <help>Peer interface identifier for IPv6</help> + <completionHelp> + <list>random calling-sid ipv4</list> + </completionHelp> <valueHelp> <format>x:x:x:x</format> <description>Interface identifier for IPv6</description> diff --git a/smoketest/scripts/cli/test_service_pppoe-server.py b/smoketest/scripts/cli/test_service_pppoe-server.py index 3a6b12ef4..14f8316f5 100755 --- a/smoketest/scripts/cli/test_service_pppoe-server.py +++ b/smoketest/scripts/cli/test_service_pppoe-server.py @@ -15,12 +15,14 @@ # along with this program. If not, see <http://www.gnu.org/licenses/>. import os +import re import unittest from configparser import ConfigParser from vyos.configsession import ConfigSession from vyos.configsession import ConfigSessionError from vyos.util import process_named_running +from vyos.util import cmd process_name = 'accel-pppd' base_path = ['service', 'pppoe-server'] @@ -28,10 +30,8 @@ local_if = ['interfaces', 'dummy', 'dum667'] pppoe_conf = '/run/accel-pppd/pppoe.conf' ac_name = 'ACN' -subnet = '172.18.0.0/24' gateway = '192.0.2.1' nameserver = '9.9.9.9' -mtu = '1492' interface = 'eth0' class TestServicePPPoEServer(unittest.TestCase): @@ -48,10 +48,12 @@ class TestServicePPPoEServer(unittest.TestCase): del self.session def verify(self, conf): + mtu = '1492' + # validate some common values in the configuration - for tmp in ['log_syslog', 'pppoe', 'chap-secrets', 'ippool', 'ipv6pool', - 'ipv6_nd', 'ipv6_dhcp', 'auth_mschap_v2', 'auth_mschap_v1', - 'auth_chap_md5', 'auth_pap', 'shaper']: + for tmp in ['log_syslog', 'pppoe', 'chap-secrets', 'ippool', + 'auth_mschap_v2', 'auth_mschap_v1', 'auth_chap_md5', + 'auth_pap', 'shaper']: # Settings without values provide None self.assertEqual(conf['modules'][tmp], None) @@ -60,14 +62,9 @@ class TestServicePPPoEServer(unittest.TestCase): self.assertTrue(conf['pppoe'].getboolean('verbose')) self.assertTrue(conf['pppoe']['interface'], interface) - # check configured subnet - self.assertEqual(conf['ip-pool'][subnet], None) - self.assertEqual(conf['ip-pool']['gw-ip-address'], gateway) - # check ppp self.assertTrue(conf['ppp'].getboolean('verbose')) self.assertTrue(conf['ppp'].getboolean('check-ip')) - self.assertEqual(conf['ppp']['min-mtu'], mtu) self.assertEqual(conf['ppp']['mtu'], mtu) self.assertEqual(conf['ppp']['lcp-echo-interval'], '30') self.assertEqual(conf['ppp']['lcp-echo-timeout'], '0') @@ -76,24 +73,46 @@ class TestServicePPPoEServer(unittest.TestCase): def basic_config(self): self.session.set(local_if + ['address', '192.0.2.1/32']) + # PPPoE local auth mode requires local users to be configured! + self.session.set(base_path + ['authentication', 'local-users', 'username', 'vyos', 'password', 'vyos']) + self.session.set(base_path + ['authentication', 'mode', 'local']) + self.session.set(base_path + ['access-concentrator', ac_name]) self.session.set(base_path + ['authentication', 'mode', 'local']) - self.session.set(base_path + ['client-ip-pool', 'subnet', subnet]) self.session.set(base_path + ['name-server', nameserver]) self.session.set(base_path + ['interface', interface]) self.session.set(base_path + ['local-ip', gateway]) - def test_local_auth(self): + def test_local_user(self): """ Test configuration of local authentication for PPPoE server """ self.basic_config() - # authentication - self.session.set(base_path + ['authentication', 'local-users', 'username', 'vyos', 'password', 'vyos']) - self.session.set(base_path + ['authentication', 'mode', 'local']) + # other settings self.session.set(base_path + ['ppp-options', 'ccp']) self.session.set(base_path + ['ppp-options', 'mppe', 'require']) self.session.set(base_path + ['limits', 'connection-limit', '20/min']) + # upload / download limit + user = 'test' + password = 'test2' + static_ip = '100.100.100.101' + self.session.set(base_path + ['authentication', 'local-users', 'username', user, 'password', password]) + self.session.set(base_path + ['authentication', 'local-users', 'username', user, 'static-ip', static_ip]) + self.session.set(base_path + ['authentication', 'local-users', 'username', user, 'rate-limit', 'upload', '5000']) + + # upload rate-limit requires also download rate-limit + with self.assertRaises(ConfigSessionError): + self.session.commit() + self.session.set(base_path + ['authentication', 'local-users', 'username', user, 'rate-limit', 'download', '10000']) + + # min-mtu + min_mtu = '1400' + self.session.set(base_path + ['ppp-options', 'min-mtu', min_mtu]) + + # mru + mru = '9000' + self.session.set(base_path + ['ppp-options', 'mru', mru]) + # commit changes self.session.commit() @@ -108,13 +127,22 @@ class TestServicePPPoEServer(unittest.TestCase): self.assertEqual(conf['chap-secrets']['chap-secrets'], '/run/accel-pppd/pppoe.chap-secrets') self.assertEqual(conf['chap-secrets']['gw-ip-address'], gateway) - # check pado + # check ppp self.assertEqual(conf['ppp']['mppe'], 'require') + self.assertEqual(conf['ppp']['min-mtu'], min_mtu) + self.assertEqual(conf['ppp']['mru'], mru) + self.assertTrue(conf['ppp'].getboolean('ccp')) # check other settings self.assertEqual(conf['connlimit']['limit'], '20/min') + # check local users + tmp = cmd('sudo cat /run/accel-pppd/pppoe.chap-secrets') + regex = f'{user}\s+\*\s+{password}\s+{static_ip}\s+10000/5000' + tmp = re.findall(regex, tmp) + self.assertTrue(tmp) + # Check for running process self.assertTrue(process_named_running(process_name)) @@ -124,12 +152,30 @@ class TestServicePPPoEServer(unittest.TestCase): radius_key = 'secretVyOS' radius_port = '2000' radius_port_acc = '3000' + radius_acct_interim_jitter = '9' + radius_called_sid = 'ifname:mac' self.basic_config() + + self.session.set(base_path + ['authentication', 'mode', 'radius']) self.session.set(base_path + ['authentication', 'radius', 'server', radius_server, 'key', radius_key]) self.session.set(base_path + ['authentication', 'radius', 'server', radius_server, 'port', radius_port]) self.session.set(base_path + ['authentication', 'radius', 'server', radius_server, 'acct-port', radius_port_acc]) - self.session.set(base_path + ['authentication', 'mode', 'radius']) + self.session.set(base_path + ['authentication', 'radius', 'acct-interim-jitter', radius_acct_interim_jitter]) + self.session.set(base_path + ['authentication', 'radius', 'called-sid-format', radius_called_sid]) + + coa_server = '4.4.4.4' + coa_key = 'testCoA' + self.session.set(base_path + ['authentication', 'radius', 'dynamic-author', 'server', coa_server]) + self.session.set(base_path + ['authentication', 'radius', 'dynamic-author', 'key', coa_key]) + + nas_id = 'VyOS-PPPoE' + nas_ip = '7.7.7.7' + self.session.set(base_path + ['authentication', 'radius', 'nas-identifier', nas_id]) + self.session.set(base_path + ['authentication', 'radius', 'nas-ip-address', nas_ip]) + + source_address = '1.2.3.4' + self.session.set(base_path + ['authentication', 'radius', 'source-address', source_address]) # commit changes self.session.commit() @@ -143,10 +189,16 @@ class TestServicePPPoEServer(unittest.TestCase): # check auth self.assertTrue(conf['radius'].getboolean('verbose')) - self.assertTrue(conf['radius']['acct-timeout'], '3') - self.assertTrue(conf['radius']['timeout'], '3') - self.assertTrue(conf['radius']['max-try'], '3') - self.assertTrue(conf['radius']['gw-ip-address'], gateway) + self.assertEqual(conf['radius']['acct-timeout'], '3') + self.assertEqual(conf['radius']['timeout'], '3') + self.assertEqual(conf['radius']['max-try'], '3') + self.assertEqual(conf['radius']['gw-ip-address'], gateway) + self.assertEqual(conf['radius']['acct-interim-jitter'], radius_acct_interim_jitter) + self.assertEqual(conf['radius']['called-sid'], radius_called_sid) + self.assertEqual(conf['radius']['dae-server'], f'{coa_server}:1700,{coa_key}') + self.assertEqual(conf['radius']['nas-identifier'], nas_id) + self.assertEqual(conf['radius']['nas-ip-address'], nas_ip) + self.assertEqual(conf['radius']['bind'], source_address) server = conf['radius']['server'].split(',') self.assertEqual(radius_server, server[0]) @@ -163,5 +215,93 @@ class TestServicePPPoEServer(unittest.TestCase): # Check for running process self.assertTrue(process_named_running(process_name)) + def test_auth_protocols(self): + """ Test configuration of local authentication for PPPoE server """ + self.basic_config() + self.session.set(base_path + ['authentication', 'protocols', 'auth_mschap_v2']) + + # commit changes + self.session.commit() + + # Validate configuration values + conf = ConfigParser(allow_no_value=True) + conf.read(pppoe_conf) + + self.assertEqual(conf['modules']['auth_mschap_v2'], None) + + # Check for running process + self.assertTrue(process_named_running(process_name)) + + + def test_ip_pool(self): + """ Test configuration of IPv6 client pools """ + self.basic_config() + + subnet = '172.18.0.0/24' + self.session.set(base_path + ['client-ip-pool', 'subnet', subnet]) + + start = '192.0.2.10' + stop = '192.0.2.20' + start_stop = f'{start}-{stop}' + self.session.set(base_path + ['client-ip-pool', 'start', start]) + self.session.set(base_path + ['client-ip-pool', 'stop', stop]) + + # commit changes + self.session.commit() + + # Validate configuration values + conf = ConfigParser(allow_no_value=True) + conf.read(pppoe_conf) + + # check configured subnet + self.assertEqual(conf['ip-pool'][subnet], None) + self.assertEqual(conf['ip-pool'][start_stop], None) + self.assertEqual(conf['ip-pool']['gw-ip-address'], gateway) + + + def test_ipv6_pool(self): + """ Test configuration of IPv6 client pools """ + self.basic_config() + + # Enable IPv6 + allow_ipv6 = 'allow' + random = 'random' + self.session.set(base_path + ['ppp-options', 'ipv6', allow_ipv6]) + self.session.set(base_path + ['ppp-options', 'ipv6-intf-id', random]) + self.session.set(base_path + ['ppp-options', 'ipv6-accept-peer-intf-id']) + self.session.set(base_path + ['ppp-options', 'ipv6-peer-intf-id', random]) + + prefix = '2001:db8:ffff::/64' + prefix_mask = '128' + client_prefix = f'{prefix},{prefix_mask}' + self.session.set(base_path + ['client-ipv6-pool', 'prefix', prefix, 'mask', prefix_mask]) + + delegate_prefix = '2001:db8::/40' + delegate_mask = '56' + self.session.set(base_path + ['client-ipv6-pool', 'delegate', delegate_prefix, 'delegation-prefix', delegate_mask]) + + # commit changes + self.session.commit() + + # Validate configuration values + conf = ConfigParser(allow_no_value=True, delimiters='=') + conf.read(pppoe_conf) + from vyos.util import read_file + print(read_file(pppoe_conf)) + + for tmp in ['ipv6pool', 'ipv6_nd', 'ipv6_dhcp']: + self.assertEqual(conf['modules'][tmp], None) + + self.assertEqual(conf['ppp']['ipv6'], allow_ipv6) + self.assertEqual(conf['ppp']['ipv6-intf-id'], random) + self.assertEqual(conf['ppp']['ipv6-peer-intf-id'], random) + self.assertTrue(conf['ppp'].getboolean('ipv6-accept-peer-intf-id')) + + self.assertEqual(conf['ipv6-pool'][client_prefix], None) + self.assertEqual(conf['ipv6-pool']['delegate'], f'{delegate_prefix},{delegate_mask}') + + # Check for running process + self.assertTrue(process_named_running(process_name)) + if __name__ == '__main__': unittest.main() diff --git a/src/conf_mode/service_pppoe-server.py b/src/conf_mode/service_pppoe-server.py index 9935b166f..fb2cd5a26 100755 --- a/src/conf_mode/service_pppoe-server.py +++ b/src/conf_mode/service_pppoe-server.py @@ -15,385 +15,93 @@ # along with this program. If not, see <http://www.gnu.org/licenses/>. import os -import re -from copy import deepcopy -from stat import S_IRUSR, S_IWUSR, S_IRGRP from sys import exit from vyos.config import Config -from vyos.template import render -from vyos.util import call, get_half_cpus +from vyos.configdict import dict_merge from vyos.validate import is_ipv4 +from vyos.template import render +from vyos.util import call +from vyos.util import get_half_cpus +from vyos.util import vyos_dict_search +from vyos.xml import defaults from vyos import ConfigError - from vyos import airbag airbag.enable() pppoe_conf = r'/run/accel-pppd/pppoe.conf' pppoe_chap_secrets = r'/run/accel-pppd/pppoe.chap-secrets' -default_config_data = { - 'auth_mode': 'local', - 'auth_proto': ['auth_mschap_v2', 'auth_mschap_v1', 'auth_chap_md5', 'auth_pap'], - 'chap_secrets_file': pppoe_chap_secrets, # used in Jinja2 template - 'client_ip_pool': '', - 'client_ip_subnets': [], - 'client_ipv6_pool': [], - 'client_ipv6_delegate_prefix': [], - 'concentrator': 'vyos-ac', - 'interfaces': [], - 'local_users' : [], - - 'svc_name': [], - 'dnsv4': [], - 'dnsv6': [], - 'wins': [], - 'mtu': '1492', - - 'limits_burst': '', - 'limits_connections': '', - 'limits_timeout': '', - - 'pado_delay': '', - 'ppp_ccp': False, - 'ppp_gw': '', - 'ppp_ipv4': '', - 'ppp_ipv6': '', - 'ppp_ipv6_accept_peer_intf_id': False, - 'ppp_ipv6_intf_id': '', - 'ppp_ipv6_peer_intf_id': '', - 'ppp_echo_failure': '3', - 'ppp_echo_interval': '30', - 'ppp_echo_timeout': '0', - 'ppp_min_mtu': '', - 'ppp_mppe': 'prefer', - 'ppp_mru': '', - 'ppp_preallocate_vif': False, - - 'radius_server': [], - 'radius_acct_inter_jitter': '', - 'radius_acct_tmo': '3', - 'radius_max_try': '3', - 'radius_timeout': '3', - 'radius_nas_id': '', - 'radius_nas_ip': '', - 'radius_source_address': '', - 'radius_shaper_attr': '', - 'radius_shaper_vendor': '', - 'radius_dynamic_author': '', - 'radius_called_sid_format': '', - 'sesscrtl': 'replace', - 'snmp': False, - 'thread_cnt': get_half_cpus() -} - def get_config(config=None): if config: conf = config else: conf = Config() - base_path = ['service', 'pppoe-server'] - if not conf.exists(base_path): + base = ['service', 'pppoe-server'] + if not conf.exists(base): return None - conf.set_level(base_path) - pppoe = deepcopy(default_config_data) - - # general options - if conf.exists(['access-concentrator']): - pppoe['concentrator'] = conf.return_value(['access-concentrator']) - - if conf.exists(['service-name']): - pppoe['svc_name'] = conf.return_values(['service-name']) - - if conf.exists(['interface']): - for interface in conf.list_nodes(['interface']): - conf.set_level(base_path + ['interface', interface]) - tmp = { - 'name': interface, - 'vlans': [] - } - - if conf.exists(['vlan-id']): - tmp['vlans'] += conf.return_values(['vlan-id']) - - if conf.exists(['vlan-range']): - tmp['vlans'] += conf.return_values(['vlan-range']) - - pppoe['interfaces'].append(tmp) - - conf.set_level(base_path) - - if conf.exists(['local-ip']): - pppoe['ppp_gw'] = conf.return_value(['local-ip']) - - if conf.exists(['name-server']): - for name_server in conf.return_values(['name-server']): - if is_ipv4(name_server): - pppoe['dnsv4'].append(name_server) - else: - pppoe['dnsv6'].append(name_server) - - if conf.exists(['wins-server']): - pppoe['wins'] = conf.return_values(['wins-server']) - - - if conf.exists(['client-ip-pool']): - if conf.exists(['client-ip-pool', 'start']) and conf.exists(['client-ip-pool', 'stop']): - start = conf.return_value(['client-ip-pool', 'start']) - stop = conf.return_value(['client-ip-pool', 'stop']) - pppoe['client_ip_pool'] = start + '-' + re.search('[0-9]+$', stop).group(0) - - if conf.exists(['client-ip-pool', 'subnet']): - pppoe['client_ip_subnets'] = conf.return_values(['client-ip-pool', 'subnet']) - - - if conf.exists(['client-ipv6-pool', 'prefix']): - for prefix in conf.list_nodes(['client-ipv6-pool', 'prefix']): - tmp = { - 'prefix': prefix, - 'mask': '64' - } - - if conf.exists(['client-ipv6-pool', 'prefix', prefix, 'mask']): - tmp['mask'] = conf.return_value(['client-ipv6-pool', 'prefix', prefix, 'mask']) - - pppoe['client_ipv6_pool'].append(tmp) - - - if conf.exists(['client-ipv6-pool', 'delegate']): - for prefix in conf.list_nodes(['client-ipv6-pool', 'delegate']): - tmp = { - 'prefix': prefix, - 'mask': '' - } - - if conf.exists(['client-ipv6-pool', 'delegate', prefix, 'delegation-prefix']): - tmp['mask'] = conf.return_value(['client-ipv6-pool', 'delegate', prefix, 'delegation-prefix']) - - pppoe['client_ipv6_delegate_prefix'].append(tmp) - - - if conf.exists(['limits']): - if conf.exists(['limits', 'burst']): - pppoe['limits_burst'] = conf.return_value(['limits', 'burst']) - - if conf.exists(['limits', 'connection-limit']): - pppoe['limits_connections'] = conf.return_value(['limits', 'connection-limit']) - - if conf.exists(['limits', 'timeout']): - pppoe['limits_timeout'] = conf.return_value(['limits', 'timeout']) - - - if conf.exists(['snmp']): - pppoe['snmp'] = True - - if conf.exists(['snmp', 'master-agent']): - pppoe['snmp'] = 'enable-ma' - - # authentication mode local - if conf.exists(['authentication', 'mode']): - pppoe['auth_mode'] = conf.return_value(['authentication', 'mode']) - - if conf.exists(['authentication', 'local-users']): - for username in conf.list_nodes(['authentication', 'local-users', 'username']): - user = { - 'name' : username, - 'password' : '', - 'state' : 'enabled', - 'ip' : '*', - 'upload' : None, - 'download' : None - } - conf.set_level(base_path + ['authentication', 'local-users', 'username', username]) - - if conf.exists(['password']): - user['password'] = conf.return_value(['password']) - - if conf.exists(['disable']): - user['state'] = 'disable' - - if conf.exists(['static-ip']): - user['ip'] = conf.return_value(['static-ip']) - - if conf.exists(['rate-limit', 'download']): - user['download'] = conf.return_value(['rate-limit', 'download']) - - if conf.exists(['rate-limit', 'upload']): - user['upload'] = conf.return_value(['rate-limit', 'upload']) - - pppoe['local_users'].append(user) - - conf.set_level(base_path) - - if conf.exists(['authentication', 'protocols']): - auth_mods = { - 'mschap-v2': 'auth_mschap_v2', - 'mschap': 'auth_mschap_v1', - 'chap': 'auth_chap_md5', - 'pap': 'auth_pap' - } - - pppoe['auth_proto'] = [] - for proto in conf.return_values(['authentication', 'protocols']): - pppoe['auth_proto'].append(auth_mods[proto]) - - # - # authentication mode radius servers and settings - if conf.exists(['authentication', 'mode', 'radius']): - - for server in conf.list_nodes(['authentication', 'radius', 'server']): - radius = { - 'server' : server, - 'key' : '', - 'fail_time' : 0, - 'port' : '1812', - 'acct_port' : '1813' - } - - conf.set_level(base_path + ['authentication', 'radius', 'server', server]) - - if conf.exists(['fail-time']): - radius['fail_time'] = conf.return_value(['fail-time']) - - if conf.exists(['port']): - radius['port'] = conf.return_value(['port']) - - if conf.exists(['acct-port']): - radius['acct_port'] = conf.return_value(['acct-port']) - - if conf.exists(['key']): - radius['key'] = conf.return_value(['key']) - - if not conf.exists(['disable']): - pppoe['radius_server'].append(radius) - - # - # advanced radius-setting - conf.set_level(base_path + ['authentication', 'radius']) - - if conf.exists(['acct-interim-jitter']): - pppoe['radius_acct_inter_jitter'] = conf.return_value(['acct-interim-jitter']) - - if conf.exists(['acct-timeout']): - pppoe['radius_acct_tmo'] = conf.return_value(['acct-timeout']) - - if conf.exists(['max-try']): - pppoe['radius_max_try'] = conf.return_value(['max-try']) - - if conf.exists(['timeout']): - pppoe['radius_timeout'] = conf.return_value(['timeout']) - - if conf.exists(['nas-identifier']): - pppoe['radius_nas_id'] = conf.return_value(['nas-identifier']) - - if conf.exists(['nas-ip-address']): - pppoe['radius_nas_ip'] = conf.return_value(['nas-ip-address']) - - if conf.exists(['preallocate-vif']): - pppoe['ppp_preallocate_vif'] = True - - if conf.exists(['source-address']): - pppoe['radius_source_address'] = conf.return_value(['source-address']) - - # Dynamic Authorization Extensions (DOA)/Change Of Authentication (COA) - if conf.exists(['dynamic-author']): - dae = { - 'port' : '', - 'server' : '', - 'key' : '' - } - - if conf.exists(['dynamic-author', 'server']): - dae['server'] = conf.return_value(['dynamic-author', 'server']) - - if conf.exists(['dynamic-author', 'port']): - dae['port'] = conf.return_value(['dynamic-author', 'port']) - - if conf.exists(['dynamic-author', 'key']): - dae['key'] = conf.return_value(['dynamic-author', 'key']) - - pppoe['radius_dynamic_author'] = dae - - if conf.exists(['called-sid-format']): - pppoe['radius_called_sid_format'] = conf.return_value(['called-sid-format']) - - # RADIUS based rate-limiter - if conf.exists(['rate-limit', 'enable']): - pppoe['radius_shaper_attr'] = 'Filter-Id' - c_attr = ['rate-limit', 'enable', 'attribute'] - if conf.exists(c_attr): - pppoe['radius_shaper_attr'] = conf.return_value(c_attr) - - c_vendor = ['rate-limit', 'enable', 'vendor'] - if conf.exists(c_vendor): - pppoe['radius_shaper_vendor'] = conf.return_value(c_vendor) - - # re-set config level - conf.set_level(base_path) - - if conf.exists(['mtu']): - pppoe['mtu'] = conf.return_value(['mtu']) - - if conf.exists(['session-control']): - pppoe['sesscrtl'] = conf.return_value(['session-control']) - - # ppp_options - if conf.exists(['ppp-options']): - conf.set_level(base_path + ['ppp-options']) - - if conf.exists(['ccp']): - pppoe['ppp_ccp'] = True - - if conf.exists(['ipv4']): - pppoe['ppp_ipv4'] = conf.return_value(['ipv4']) - - if conf.exists(['ipv6']): - pppoe['ppp_ipv6'] = conf.return_value(['ipv6']) - - if conf.exists(['ipv6-accept-peer-intf-id']): - pppoe['ppp_ipv6_peer_intf_id'] = True - - if conf.exists(['ipv6-intf-id']): - pppoe['ppp_ipv6_intf_id'] = conf.return_value(['ipv6-intf-id']) - - if conf.exists(['ipv6-peer-intf-id']): - pppoe['ppp_ipv6_peer_intf_id'] = conf.return_value(['ipv6-peer-intf-id']) - - if conf.exists(['lcp-echo-failure']): - pppoe['ppp_echo_failure'] = conf.return_value(['lcp-echo-failure']) - - if conf.exists(['lcp-echo-failure']): - pppoe['ppp_echo_interval'] = conf.return_value(['lcp-echo-failure']) - - if conf.exists(['lcp-echo-timeout']): - pppoe['ppp_echo_timeout'] = conf.return_value(['lcp-echo-timeout']) - - if conf.exists(['min-mtu']): - pppoe['ppp_min_mtu'] = conf.return_value(['min-mtu']) - - if conf.exists(['mppe']): - pppoe['ppp_mppe'] = conf.return_value(['mppe']) - - if conf.exists(['mru']): - pppoe['ppp_mru'] = conf.return_value(['mru']) - - if conf.exists(['pado-delay']): - pppoe['pado_delay'] = '0' - a = {} - for id in conf.list_nodes(['pado-delay']): - if not conf.return_value(['pado-delay', id, 'sessions']): - a[id] = 0 - else: - a[id] = conf.return_value(['pado-delay', id, 'sessions']) - - for k in sorted(a.keys()): - if k != sorted(a.keys())[-1]: - pppoe['pado_delay'] += ",{0}:{1}".format(k, a[k]) - else: - pppoe['pado_delay'] += ",{0}:{1}".format('-1', a[k]) - + pppoe = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True) + # We have gathered the dict representation of the CLI, but there are default + # options which we need to update into the dictionary retrived. + default_values = defaults(base) + + # defaults include RADIUS server specifics per TAG node which need to be + # added to individual RADIUS servers instead - so we can simply delete them + if vyos_dict_search('authentication.radius.server', default_values): + del default_values['authentication']['radius']['server'] + # defaults include static-ip address per TAG node which need to be added to + # individual local users instead - so we can simply delete them + if vyos_dict_search('authentication.local_users.username', default_values): + del default_values['authentication']['local_users']['username'] + + pppoe = dict_merge(default_values, pppoe) + + # set CPUs cores to process requests + pppoe.update({'thread_count' : get_half_cpus()}) + # we need to store the path to the secrets file + pppoe.update({'chap_secrets_file' : pppoe_chap_secrets}) + + if not vyos_dict_search('authentication.protocols', pppoe): + if not 'authentication' in pppoe: + pppoe.update({'authentication' : ''}) + + pppoe['authentication'].update( + {'protocols' : ['auth_mschap_v2', 'auth_mschap_v1', + 'auth_chap_md5', 'auth_pap']}) + + # We can only have two IPv4 and three IPv6 nameservers - also they are + # configured in a different way in the configuration, this is why we split + # the configuration + if 'name_server' in pppoe: + for ns in pppoe['name_server']: + ns_v4 = [] + ns_v6 = [] + if is_ipv4(ns): ns_v4.append(ns) + else: ns_v6.append(ns) + + pppoe.update({'name_server_ipv4' : ns_v4, 'name_server_ipv6' : ns_v6}) + del pppoe['name_server'] + + # Add individual RADIUS server default values + if vyos_dict_search('authentication.radius.server', pppoe): + default_values = defaults(base + ['authentication', 'radius', 'server']) + + for server in vyos_dict_search('authentication.radius.server', pppoe): + pppoe['authentication']['radius']['server'][server] = dict_merge( + default_values, pppoe['authentication']['radius']['server'][server]) + + # Add individual local-user default values + if vyos_dict_search('authentication.local_users.username', pppoe): + default_values = defaults(base + ['authentication', 'local_users', 'username']) + + for username in vyos_dict_search('authentication.local_users.username', pppoe): + pppoe['authentication']['local_users']['username'][username] = dict_merge( + default_values, pppoe['authentication']['local_users']['username'][username]) + + import pprint + pprint.pprint(pppoe) return pppoe @@ -402,50 +110,59 @@ def verify(pppoe): return None # vertify auth settings - if pppoe['auth_mode'] == 'local': - if not pppoe['local_users']: + if vyos_dict_search('authentication.mode', pppoe) == 'local': + if not vyos_dict_search('authentication.local_users', pppoe): raise ConfigError('PPPoE local auth mode requires local users to be configured!') - for user in pppoe['local_users']: - username = user['name'] - if not user['password']: - raise ConfigError(f'Password required for local user "{username}"') + for user in vyos_dict_search('authentication.local_users.username', pppoe): + user_config = pppoe['authentication']['local_users']['username'][user] - # if up/download is set, check that both have a value - if user['upload'] and not user['download']: - raise ConfigError(f'Download speed value required for local user "{username}"') + if 'password' not in user_config: + raise ConfigError(f'Password required for local user "{user}"') - if user['download'] and not user['upload']: - raise ConfigError(f'Upload speed value required for local user "{username}"') + if 'rate_limit' in user_config: + # if up/download is set, check that both have a value + if not {'upload', 'download'} <= set(user_config['rate_limit']): + raise ConfigError(f'User "{user}" has rate-limit configured for only one ' \ + 'direction but both upload and download must be given!') - elif pppoe['auth_mode'] == 'radius': - if len(pppoe['radius_server']) == 0: + elif vyos_dict_search('authentication.mode', pppoe) == 'radius': + if not vyos_dict_search('authentication.radius.server', pppoe): raise ConfigError('RADIUS authentication requires at least one server') - for radius in pppoe['radius_server']: - if not radius['key']: - server = radius['server'] - raise ConfigError(f'Missing RADIUS secret key for server "{ server }"') + for server in vyos_dict_search('authentication.radius.server', pppoe): + radius_config = pppoe['authentication']['radius']['server'][server] + if 'key' not in radius_config: + raise ConfigError(f'Missing RADIUS secret key for server "{server}"') - if len(pppoe['wins']) > 2: + if 'wins_server' in pppoe and len(pppoe['wins_server']) > 2: raise ConfigError('Not more then two IPv4 WINS name-servers can be configured') - if len(pppoe['dnsv4']) > 2: - raise ConfigError('Not more then two IPv4 DNS name-servers can be configured') + if 'name_server_ipv4' in pppoe: + if len(pppoe['name_server_ipv4']) > 2: + raise ConfigError('Not more then two IPv4 DNS name-servers ' \ + 'can be configured') - if len(pppoe['dnsv6']) > 3: - raise ConfigError('Not more then three IPv6 DNS name-servers can be configured') + if 'name_server_ipv6' in pppoe: + if len(pppoe['name_server_ipv6']) > 2: + raise ConfigError('Not more then three IPv6 DNS name-servers ' \ + 'can be configured') - if not pppoe['interfaces']: + if 'interface' not in pppoe: raise ConfigError('At least one listen interface must be defined!') + if 'local_ip' not in pppoe: + raise ConfigError('PPPoE server requires local-ip to be configured!') + # local ippool and gateway settings config checks - if pppoe['client_ip_subnets'] or pppoe['client_ip_pool']: - if not pppoe['ppp_gw']: - raise ConfigError('PPPoE server requires local IP to be configured') + if not (vyos_dict_search('client_ip_pool.subnet', pppoe) or + (vyos_dict_search('client_ip_pool.start', pppoe) and + vyos_dict_search('client_ip_pool.stop', pppoe))): + print('Warning: No PPPoE client pool defined') - if pppoe['ppp_gw'] and not pppoe['client_ip_subnets'] and not pppoe['client_ip_pool']: - print("Warning: No PPPoE client pool defined") + if vyos_dict_search('authentication.radius.dynamic_author.server', pppoe): + if not vyos_dict_search('authentication.radius.dynamic_author.key', pppoe): + raise ConfigError('DA/CoE server key required!') return None @@ -456,12 +173,11 @@ def generate(pppoe): render(pppoe_conf, 'accel-ppp/pppoe.config.tmpl', pppoe, trim_blocks=True) - if pppoe['local_users']: - render(pppoe_chap_secrets, 'accel-ppp/chap-secrets.tmpl', pppoe, trim_blocks=True) - os.chmod(pppoe_chap_secrets, S_IRUSR | S_IWUSR | S_IRGRP) + if vyos_dict_search('authentication.mode', pppoe) == 'local': + render(pppoe_chap_secrets, 'accel-ppp/chap-secrets.pppoe.tmpl', pppoe, trim_blocks=True, permission=0o640) else: if os.path.exists(pppoe_chap_secrets): - os.unlink(pppoe_chap_secrets) + os.unlink(pppoe_chap_secrets) return None |