diff options
| author | sarthurdev <965089+sarthurdev@users.noreply.github.com> | 2021-07-19 11:12:33 +0200 |
|---|---|---|
| committer | sarthurdev <965089+sarthurdev@users.noreply.github.com> | 2021-07-19 19:11:33 +0200 |
| commit | 75fbbc836d8a2fe521c2fa97a385266b693cde21 (patch) | |
| tree | b2e2dd1de20b0c44301a9dc18e2201b9e085871b | |
| parent | 48c768abbf53b752a55db2adea1f998cb28da55c (diff) | |
| download | vyos-1x-75fbbc836d8a2fe521c2fa97a385266b693cde21.tar.gz vyos-1x-75fbbc836d8a2fe521c2fa97a385266b693cde21.zip | |
pki: wireguard: T3642: Migrate Wireguard private key directly into CLI
Also renames peer pubkey to public-key for consistency
| -rw-r--r-- | interface-definitions/interfaces-wireguard.xml.in | 12 | ||||
| -rw-r--r-- | python/vyos/ifconfig/wireguard.py | 12 | ||||
| -rwxr-xr-x | smoketest/scripts/cli/test_interfaces_wireguard.py | 16 | ||||
| -rwxr-xr-x | src/conf_mode/interfaces-wireguard.py | 16 | ||||
| -rwxr-xr-x | src/migration-scripts/interfaces/22-to-23 | 66 | ||||
| -rwxr-xr-x | src/op_mode/pki.py | 2 | ||||
| -rwxr-xr-x | src/op_mode/wireguard_client.py | 2 |
7 files changed, 96 insertions, 30 deletions
diff --git a/interface-definitions/interfaces-wireguard.xml.in b/interface-definitions/interfaces-wireguard.xml.in index 378251fed..773bde09c 100644 --- a/interface-definitions/interfaces-wireguard.xml.in +++ b/interface-definitions/interfaces-wireguard.xml.in @@ -42,12 +42,12 @@ </leafNode> <leafNode name="private-key"> <properties> - <help>Private key to use on that interface</help> - <completionHelp> - <script>${vyos_op_scripts_dir}/wireguard.py --listkdir</script> - </completionHelp> + <help>Base64 encoded private key</help> + <constraint> + <regex>[0-9a-zA-Z\+/]{43}=$</regex> + </constraint> + <constraintErrorMessage>Key is not valid 44-character (32-bytes) base64</constraintErrorMessage> </properties> - <defaultValue>default</defaultValue> </leafNode> <tagNode name="peer"> <properties> @@ -59,7 +59,7 @@ </properties> <children> #include <include/generic-disable-node.xml.i> - <leafNode name="pubkey"> + <leafNode name="public-key"> <properties> <help>base64 encoded public key</help> <constraint> diff --git a/python/vyos/ifconfig/wireguard.py b/python/vyos/ifconfig/wireguard.py index e5b9c4408..c4cf2fbbf 100644 --- a/python/vyos/ifconfig/wireguard.py +++ b/python/vyos/ifconfig/wireguard.py @@ -95,7 +95,7 @@ class WireGuardOperational(Operational): for peer in c.list_effective_nodes(["peer"]): if wgdump['peers']: - pubkey = c.return_effective_value(["peer", peer, "pubkey"]) + pubkey = c.return_effective_value(["peer", peer, "public_key"]) if pubkey in wgdump['peers']: wgpeer = wgdump['peers'][pubkey] @@ -194,11 +194,15 @@ class WireGuardIf(Interface): peer = config['peer_remove'][tmp] peer['ifname'] = config['ifname'] - cmd = 'wg set {ifname} peer {pubkey} remove' + cmd = 'wg set {ifname} peer {public_key} remove' self._cmd(cmd.format(**peer)) + config['private_key_file'] = '/tmp/tmp.wireguard.key' + with open(config['private_key_file'], 'w') as f: + f.write(config['private_key']) + # Wireguard base command is identical for every peer - base_cmd = 'wg set {ifname} private-key {private_key}' + base_cmd = 'wg set {ifname} private-key {private_key_file}' if 'port' in config: base_cmd += ' listen-port {port}' if 'fwmark' in config: @@ -210,7 +214,7 @@ class WireGuardIf(Interface): peer = config['peer'][tmp] # start of with a fresh 'wg' command - cmd = base_cmd + ' peer {pubkey}' + cmd = base_cmd + ' peer {public_key}' # If no PSK is given remove it by using /dev/null - passing keys via # the shell (usually bash) is considered insecure, thus we use a file diff --git a/smoketest/scripts/cli/test_interfaces_wireguard.py b/smoketest/scripts/cli/test_interfaces_wireguard.py index d31ec0332..3707eaac3 100755 --- a/smoketest/scripts/cli/test_interfaces_wireguard.py +++ b/smoketest/scripts/cli/test_interfaces_wireguard.py @@ -21,11 +21,6 @@ from base_vyostest_shim import VyOSUnitTestSHIM from vyos.configsession import ConfigSession from vyos.configsession import ConfigSessionError - -# Generate WireGuard default keypair -if not os.path.isdir('/config/auth/wireguard/default'): - os.system('sudo /usr/libexec/vyos/op_mode/wireguard.py --genkey') - base_path = ['interfaces', 'wireguard'] class WireGuardInterfaceTest(VyOSUnitTestSHIM.TestCase): @@ -42,12 +37,15 @@ class WireGuardInterfaceTest(VyOSUnitTestSHIM.TestCase): # Create WireGuard interfaces with associated peers for intf in self._interfaces: peer = 'foo-' + intf + privkey = '6ISOkASm6VhHOOSz/5iIxw+Q9adq9zA17iMM4X40dlc=' psk = 'u2xdA70hkz0S1CG0dZlOh0aq2orwFXRIVrKo4DCvHgM=' pubkey = 'n6ZZL7ph/QJUJSUUTyu19c77my1dRCDHkMzFQUO9Z3A=' for addr in self._test_addr: self.cli_set(base_path + [intf, 'address', addr]) + self.cli_set(base_path + [intf, 'private-key', privkey]) + self.cli_set(base_path + [intf, 'peer', peer, 'address', '127.0.0.1']) self.cli_set(base_path + [intf, 'peer', peer, 'port', '1337']) @@ -57,7 +55,7 @@ class WireGuardInterfaceTest(VyOSUnitTestSHIM.TestCase): self.cli_set(base_path + [intf, 'peer', peer, 'allowed-ips', ip]) self.cli_set(base_path + [intf, 'peer', peer, 'preshared-key', psk]) - self.cli_set(base_path + [intf, 'peer', peer, 'pubkey', pubkey]) + self.cli_set(base_path + [intf, 'peer', peer, 'public-key', pubkey]) self.cli_commit() self.assertTrue(os.path.isdir(f'/sys/class/net/{intf}')) @@ -68,17 +66,19 @@ class WireGuardInterfaceTest(VyOSUnitTestSHIM.TestCase): # Remove one of the configured peers. interface = 'wg0' port = '12345' + privkey = '6ISOkASm6VhHOOSz/5iIxw+Q9adq9zA17iMM4X40dlc=' pubkey_1 = 'n1CUsmR0M2LUUsyicBd6blZICwUqqWWHbu4ifZ2/9gk=' pubkey_2 = 'ebFx/1G0ti8tvuZd94sEIosAZZIznX+dBAKG/8DFm0I=' self.cli_set(base_path + [interface, 'address', '172.16.0.1/24']) + self.cli_set(base_path + [interface, 'private-key', privkey]) - self.cli_set(base_path + [interface, 'peer', 'PEER01', 'pubkey', pubkey_1]) + self.cli_set(base_path + [interface, 'peer', 'PEER01', 'public-key', pubkey_1]) self.cli_set(base_path + [interface, 'peer', 'PEER01', 'port', port]) self.cli_set(base_path + [interface, 'peer', 'PEER01', 'allowed-ips', '10.205.212.10/32']) self.cli_set(base_path + [interface, 'peer', 'PEER01', 'address', '192.0.2.1']) - self.cli_set(base_path + [interface, 'peer', 'PEER02', 'pubkey', pubkey_2]) + self.cli_set(base_path + [interface, 'peer', 'PEER02', 'public-key', pubkey_2]) self.cli_set(base_path + [interface, 'peer', 'PEER02', 'port', port]) self.cli_set(base_path + [interface, 'peer', 'PEER02', 'allowed-ips', '10.205.212.11/32']) self.cli_set(base_path + [interface, 'peer', 'PEER02', 'address', '192.0.2.2']) diff --git a/src/conf_mode/interfaces-wireguard.py b/src/conf_mode/interfaces-wireguard.py index 024ab8f59..4c566a5ad 100755 --- a/src/conf_mode/interfaces-wireguard.py +++ b/src/conf_mode/interfaces-wireguard.py @@ -46,17 +46,14 @@ def get_config(config=None): base = ['interfaces', 'wireguard'] wireguard = get_interface_dict(conf, base) - # Mangle private key - it has a default so its always valid - wireguard['private_key'] = '/config/auth/wireguard/{private_key}/private.key'.format(**wireguard) - # Determine which Wireguard peer has been removed. # Peers can only be removed with their public key! dict = {} tmp = node_changed(conf, ['peer'], key_mangling=('-', '_')) for peer in (tmp or []): - pubkey = leaf_node_changed(conf, ['peer', peer, 'pubkey']) - if pubkey: - dict = dict_merge({'peer_remove' : {peer : {'pubkey' : pubkey[0]}}}, dict) + public_key = leaf_node_changed(conf, ['peer', peer, 'public_key']) + if public_key: + dict = dict_merge({'peer_remove' : {peer : {'public_key' : public_key[0]}}}, dict) wireguard.update(dict) return wireguard @@ -70,9 +67,8 @@ def verify(wireguard): verify_address(wireguard) verify_vrf(wireguard) - if not os.path.exists(wireguard['private_key']): - raise ConfigError('Wireguard private-key not found! Execute: ' \ - '"run generate wireguard [default-keypair|named-keypairs]"') + if 'private_key' not in wireguard: + raise ConfigError('Wireguard private-key not defined') if 'peer' not in wireguard: raise ConfigError('At least one Wireguard peer is required!') @@ -84,7 +80,7 @@ def verify(wireguard): if 'allowed_ips' not in peer: raise ConfigError(f'Wireguard allowed-ips required for peer "{tmp}"!') - if 'pubkey' not in peer: + if 'public_key' not in peer: raise ConfigError(f'Wireguard public-key required for peer "{tmp}"!') if ('address' in peer and 'port' not in peer) or ('port' in peer and 'address' not in peer): diff --git a/src/migration-scripts/interfaces/22-to-23 b/src/migration-scripts/interfaces/22-to-23 new file mode 100755 index 000000000..c52a26908 --- /dev/null +++ b/src/migration-scripts/interfaces/22-to-23 @@ -0,0 +1,66 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2021 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +# A VTI interface also requires an IPSec configuration - VyOS 1.2 supported +# having a VTI interface in the CLI but no IPSec configuration - drop VTI +# configuration if this is the case for VyOS 1.4 + +import os +import sys +from vyos.configtree import ConfigTree + +if __name__ == '__main__': + if (len(sys.argv) < 1): + print("Must specify file name!") + sys.exit(1) + + file_name = sys.argv[1] + + with open(file_name, 'r') as f: + config_file = f.read() + + config = ConfigTree(config_file) + base = ['interfaces', 'wireguard'] + if not config.exists(base): + # Nothing to do + sys.exit(0) + + for interface in config.list_nodes(base): + private_key_path = base + [interface, 'private-key'] + + key_file = 'default' + if config.exists(private_key_path): + key_file = config.return_value(private_key_path) + + full_key_path = f'/config/auth/wireguard/{key_file}/private.key' + + if not os.path.exists(full_key_path): + print(f'Could not find wireguard private key for migration on interface "{interface}"') + continue + + with open(full_key_path, 'r') as f: + key_data = f.read().strip() + config.set(private_key_path, value=key_data) + + for peer in config.list_nodes(base + [interface, 'peer']): + config.rename(base + [interface, 'peer', peer, 'pubkey'], 'public-key') + + try: + with open(file_name, 'w') as f: + f.write(config.to_string()) + except OSError as e: + print("Failed to save the modified config: {}".format(e)) + sys.exit(1) diff --git a/src/op_mode/pki.py b/src/op_mode/pki.py index 7dbeb4097..b4a68b31c 100755 --- a/src/op_mode/pki.py +++ b/src/op_mode/pki.py @@ -215,7 +215,7 @@ def install_wireguard_key(name, private_key, public_key): print("") print("Public key for use on peer configuration: " + public_key) else: - print("set interfaces wireguard [INTERFACE] peer %s pubkey '%s'" % (name, public_key)) + print("set interfaces wireguard [INTERFACE] peer %s public-key '%s'" % (name, public_key)) print("") print("Private key for use on peer configuration: " + private_key) diff --git a/src/op_mode/wireguard_client.py b/src/op_mode/wireguard_client.py index 7a620a01e..7661254da 100755 --- a/src/op_mode/wireguard_client.py +++ b/src/op_mode/wireguard_client.py @@ -38,7 +38,7 @@ To enable this configuration on a VyOS router you can use the following commands {% for addr in address if address is defined %} set interfaces wireguard {{ interface }} peer {{ name }} allowed-ips '{{ addr }}' {% endfor %} -set interfaces wireguard {{ interface }} peer {{ name }} pubkey '{{ pubkey }}' +set interfaces wireguard {{ interface }} peer {{ name }} public-key '{{ pubkey }}' """ client_config = """ |