author | Christian Breunig <christian@breunig.cc> | 2023-05-12 20:14:56 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-05-12 20:14:56 +0200 |
commit | c60e9c932cab24bcc324f45752f0528332cc69a4 (patch) | |
tree | 9af17678e5a5f6bf786b1c0f22b3b3480ce2deaf | |
parent | 0224707acc7299b02eccdd1d2df434c4a57402b5 (diff) | |
parent | 93de3abe1368cab5ab8cd292689466d7af8e86bc (diff) | |
Merge pull request #1783 from PeppyH/T3896-ocserv-config-per-x
ocserv: T3896: add CLI options to configure ocserv config-per-user/group
-rw-r--r-- | data/templates/ocserv/ocserv_config.j2 | 15 | ||||
-rw-r--r-- | interface-definitions/include/openconnect-identity-based-config.xml.i | 54 | ||||
-rw-r--r-- | interface-definitions/vpn-openconnect.xml.in | 1 | ||||
-rwxr-xr-x | src/conf_mode/vpn_openconnect.py | 11 |
4 files changed, 81 insertions, 0 deletions
diff --git a/data/templates/ocserv/ocserv_config.j2 b/data/templates/ocserv/ocserv_config.j2 index aa1073bca..8b9daed0f 100644 --- a/data/templates/ocserv/ocserv_config.j2 +++ b/data/templates/ocserv/ocserv_config.j2 @@ -16,6 +16,14 @@ acct = "radius [config=/run/ocserv/radiusclient.conf]" {% if "radius" in authentication.mode %} auth = "radius [config=/run/ocserv/radiusclient.conf{{ ',groupconfig=true' if authentication.radius.groupconfig is vyos_defined else '' }}]" +{% if "identity_based_config" in authentication %} +{% if authentication.identity_based_config.disabled is not vyos_defined %} +{% if "group" in authentication.identity_based_config.mode %} +config-per-group = {{ authentication.identity_based_config.directory }} +default-group-config = {{ authentication.identity_based_config.default_config }} +{% endif %} +{% endif %} +{% endif %} {% elif "local" in authentication.mode %} {% if authentication.mode.local == "password-otp" %} auth = "plain[passwd=/run/ocserv/ocpasswd,otp=/run/ocserv/users.oath]" @@ -28,6 +36,13 @@ auth = "plain[/run/ocserv/ocpasswd]" auth = "plain[/run/ocserv/ocpasswd]" {% endif %} +{% if "identity_based_config" in authentication %} +{% if "user" in authentication.identity_based_config.mode %} +config-per-user = {{ authentication.identity_based_config.directory }} +default-user-config = {{ authentication.identity_based_config.default_config }} +{% endif %} +{% endif %} + {% if ssl.certificate is vyos_defined %} server-cert = /run/ocserv/cert.pem server-key = /run/ocserv/cert.key diff --git a/interface-definitions/include/openconnect-identity-based-config.xml.i b/interface-definitions/include/openconnect-identity-based-config.xml.i new file mode 100644 index 000000000..dfc51936d --- /dev/null +++ b/interface-definitions/include/openconnect-identity-based-config.xml.i 
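Review bot: The guard in the first hunk tests a key named `disabled` (`authentication.identity_based_config.disabled is not vyos_defined`), but the CLI node this commit adds gets its switch from `#include <include/generic-disable-node.xml.i>`, whose leaf is not visible here; if that include defines the usual VyOS leaf `disable`, the guard never matches and `config-per-group` is emitted even when the operator has disabled the node. Please confirm the leaf name and align the template (and the matching `'disabled' not in ...` test in vpn_openconnect.py) with it, e.g. `{% if authentication.identity_based_config.disable is not vyos_defined %}`. A one-line comment such as `{# config-per-group is only meaningful with RADIUS, so it lives inside the radius branch #}` would also explain why this block sits here and not next to the user block.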
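Review bot: The `config-per-user` block in the second hunk is emitted whenever mode is `user`, with no check of the node's disable flag, while the `config-per-group` block in the first hunk is wrapped in `{% if authentication.identity_based_config.disabled is not vyos_defined %}`; since verify() in this same commit skips the `directory`/`default_config` checks when the node is disabled, a disabled user-mode node can render `config-per-user = ` with an empty value instead of being left out. Wrap the user block the same way: add `{% if authentication.identity_based_config.disabled is not vyos_defined %}` directly after `{% if "identity_based_config" in authentication %}` and a matching `{% endif %}` before the outer one. Note also that this block sits after the whole authentication-mode chain, so it applies to RADIUS as well as local users; if that is intended, a short `{# config-per-user applies to every auth backend #}` comment would save the next reader from wondering why the two blocks are placed differently.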
@@ -0,0 +1,54 @@
+<!-- include start from openconnect-identity-based-config.xml.i -->
+<node name="identity-based-config">
+ <properties>
+ <help>Configures OpenConnect to search the configured directory for a config file matching the Group name or Username</help>
+ </properties>
+ <children>
+ <leafNode name="mode">
+ <properties>
+ <help>Configures OpenConnect to use config-per-group or config-per-user. Ignored if OpenConnect authentication group is configured.</help>
+ <valueHelp>
+ <format>user</format>
+ <description>OpenConnect config file loaded by matching file in configured directory to the users username</description>
+ </valueHelp>
+ <valueHelp>
+ <format>group</format>
+ <description>OpenConnect config file loaded by matching RADIUS class attribute in the RADIUS server response to a file in the configured directory</description>
+ </valueHelp>
+ <constraint>
+ <regex>(user|group)</regex>
+ </constraint>
+ <constraintErrorMessage>Invalid mode. Must be one of: user, group</constraintErrorMessage>
+ <completionHelp>
+ <list>user group</list>
+ </completionHelp>
+ </properties>
+ </leafNode>
+ <leafNode name="directory">
+ <properties>
+ <help>Directory to configure OpenConnect to use for matching username/group to config file</help>
+ <valueHelp>
+ <format>filename</format>
+ <description>Must be a child directory of /config/auth e.g. /config/auth/ocserv/config-per-user</description>
+ </valueHelp>
+ <constraint>
+ <validator name="file-path" argument="--directory --parent-dir /config/auth --strict"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="default-config">
+ <properties>
+ <help>Default/fallback config to use when a file cannot be found in the configured directory that matches the username/group</help>
+ <valueHelp>
+ <format>filename</format>
+ <description>Child directory of /config/auth e.g. /config/auth/ocserv/defaults/user.conf</description>
+ </valueHelp>
+ <constraint>
+ <validator name="file-path" argument="--file --parent-dir /config/auth --strict"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ #include <include/generic-disable-node.xml.i>
+ </children>
+</node>
+<!-- include end -->
\ No newline at end of file diff --git a/interface-definitions/vpn-openconnect.xml.in b/interface-definitions/vpn-openconnect.xml.in index a426f604d..afc2a5383 100644 --- a/interface-definitions/vpn-openconnect.xml.in +++ b/interface-definitions/vpn-openconnect.xml.in @@ -71,6 +71,7 @@ </leafNode> </children> </node> + #include <include/openconnect-identity-based-config.xml.i> <leafNode name="group"> <properties> <help>Group that a client is allowed to select (from a list). Maps to RADIUS Class attribute.</help> diff --git a/src/conf_mode/vpn_openconnect.py b/src/conf_mode/vpn_openconnect.py index 68da70d7d..7b3325d95 100755 --- a/src/conf_mode/vpn_openconnect.py +++ b/src/conf_mode/vpn_openconnect.py @@ -173,6 +173,17 @@ def verify(ocserv): users_wo_pswd.append(user) if users_wo_pswd: raise ConfigError(f'password required for users:\n{users_wo_pswd}') + # Validate that if identity-based-config is configured all child config nodes are set + if 'identity_based_config' in ocserv["authentication"]: + if 'disabled' not in ocserv["authentication"]["identity_based_config"]: + if 'mode' not in ocserv["authentication"]["identity_based_config"]: + raise ConfigError('OpenConnect radius identity-based-config enabled but mode not selected') + elif 'group' in ocserv["authentication"]["identity_based_config"]["mode"] and "radius" not in ocserv["authentication"]["mode"]: + raise ConfigError('OpenConnect config-per-group must be used with radius authentication') + if 'directory' not in ocserv["authentication"]["identity_based_config"]: + raise ConfigError('OpenConnect identity-based-config enabled but directory not set') + if 'default_config' not in ocserv["authentication"]["identity_based_config"]: + raise ConfigError('OpenConnect identity-based-config enabled but default-config not set') else: raise ConfigError('openconnect authentication mode required') else: |
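Review bot: The `default-config` valueHelp describes the value as a "Child directory of /config/auth", but its validator is `file-path --file --parent-dir /config/auth --strict`, so the operator is being told to supply a directory where a file is required; change it to `<description>File below /config/auth, e.g. /config/auth/ocserv/defaults/user.conf</description>`. The `directory` help could likewise say that only the directory path itself is checked at commit and that the per-user/per-group files inside it are not part of the VyOS configuration, so their contents and permissions are the operator's responsibility (presumably ocserv reads them at connect time; worth confirming and stating). The `mode` help's "Ignored if OpenConnect authentication group is configured" is not enforced anywhere in this commit's verify(); either a check or a clearer wording ("has no effect when ...") would help.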
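Review bot: The new validation in verify() is skipped entirely when the key `'disabled'` is present, but the CLI switch comes from `generic-disable-node.xml.i`, whose leaf name is not visible in this diff; if that leaf is `disable` (the usual VyOS spelling), the `'disabled' not in ...` test never matches and the disable knob is silently ignored here and in the template, so please confirm the key name. The first error message, `'OpenConnect radius identity-based-config enabled but mode not selected'`, mentions radius although the mode check applies to every authentication backend (only `group` is tied to RADIUS two lines later); drop "radius" from it. As a matter of style, `'group' in ...["mode"]` is a substring test on a value the XML constrains to `user|group`, so `== 'group'` states the intent better, and binding `ibc = ocserv["authentication"]["identity_based_config"]` once would shorten the five repeated lookups. verify() starts before this hunk and its `else:` branches continue after it.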