author | Christian Poessinger <christian@poessinger.com> | 2020-03-22 11:46:39 +0100 |
committer | Christian Poessinger <christian@poessinger.com> | 2020-03-22 11:46:39 +0100 |
commit | fdafecc0c569f7d5f818a5a2c56bf7ea1983d2f4 (patch) | |
tree | fd477f477561a269898b2eee681d08c1aed24b4d | |
parent | 100b910e48e79a80a0850164a8f92949985bbdea (diff) | |
sstp: T2150: use full file path on SSL certificates
-rw-r--r-- | interface-definitions/vpn-sstp.xml.in | 25 | ||||
-rwxr-xr-x | src/conf_mode/vpn_sstp.py | 30 | ||||
-rwxr-xr-x | src/migration-scripts/sstp/1-to-2 | 110 |
3 files changed, 139 insertions, 26 deletions
diff --git a/interface-definitions/vpn-sstp.xml.in b/interface-definitions/vpn-sstp.xml.in
index 59aae9f7f..b026417b3 100644
--- a/interface-definitions/vpn-sstp.xml.in
+++ b/interface-definitions/vpn-sstp.xml.in
@@ -260,25 +260,36 @@
 <leafNode name="ca-cert-file">
 <properties>
 <help>Certificate Authority certificate</help>
- <completionHelp>
- <script>if [ -e /config/user-data/sstp ]; then ls /config/user-data/sstp; fi</script>
- </completionHelp>
+ <valueHelp>
+ <format>file</format>
+ <description>File in /config/auth directory</description>
+ </valueHelp>
+ <constraint>
+ <validator name="file-exists" argument="--directory /config/auth"/>
+ </constraint>
 </properties>
 </leafNode>
 <leafNode name="cert-file">
 <properties>
 <help>Server Certificate</help>
 <completionHelp>
- <script>if [ -e /config/user-data/sstp ]; then ls /config/user-data/sstp; fi</script>
+ <script>ls /config</script>
 </completionHelp>
+ <constraint>
+ <validator name="file-exists" argument="--directory /config/auth"/>
+ </constraint>
 </properties>
 </leafNode>
 <leafNode name="key-file">
 <properties>
 <help>Privat Key of the Server Certificate</help>
- <completionHelp>
- <script>if [ -e /config/user-data/sstp ]; then ls /config/user-data/sstp; fi</script>
- </completionHelp>
+ <valueHelp>
+ <format>file</format>
+ <description>File in /config/auth directory</description>
+ </valueHelp>
+ <constraint>
+ <validator name="file-exists" argument="--directory /config/auth"/>
+ </constraint>
 </properties>
 </leafNode>
 </children>
diff --git a/src/conf_mode/vpn_sstp.py b/src/conf_mode/vpn_sstp.py
index 205702a9f..8583ece74 100755
--- a/src/conf_mode/vpn_sstp.py
+++ b/src/conf_mode/vpn_sstp.py
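Review bot: The `cert-file` leaf is left inconsistent with its two siblings in this hunk: it keeps a `<completionHelp>` whose `<script>ls /config</script>` lists `/config` rather than the `/config/auth` directory that the new `file-exists --directory /config/auth` constraint enforces, and it gets no `<valueHelp>` telling the operator where the file must live. I would replace that completion block with the same `<valueHelp><format>file</format><description>File in /config/auth directory</description></valueHelp>` the `ca-cert-file` and `key-file` leaves received, so completion does not offer paths the validator then rejects. The `Privat Key` typo in the unchanged key-file help text could be fixed while touching the node. The migration script in this commit moves files into `/config/auth/sstp/`, so the description should presumably name that sub-directory if it is the intended home — worth confirming against how the validator interprets `--directory`.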
@@ -32,15 +32,11 @@ pidfile = r'/var/run/accel_sstp.pid'
 sstp_cnf_dir = r'/etc/accel-ppp/sstp'
 chap_secrets = sstp_cnf_dir + '/chap-secrets'
 sstp_conf = sstp_cnf_dir + '/sstp.config'
-ssl_cert_dir = r'/config/user-data/sstp'
 
 # config path creation
 if not os.path.exists(sstp_cnf_dir):
 os.makedirs(sstp_cnf_dir)
 
-if not os.path.exists(ssl_cert_dir):
- os.makedirs(ssl_cert_dir)
-
 sstp_config = """### generated by vpn_sstp.py ###
 [modules]
 log_syslog
@@ -74,9 +70,9 @@ disable
 [sstp]
 verbose=1
 accept=ssl
-ssl-ca-file=/config/user-data/sstp/{{ ssl_ca }}
-ssl-pemfile=/config/user-data/sstp/{{ ssl_cert }}
-ssl-keyfile=/config/user-data/sstp/{{ ssl_key }}
+ssl-ca-file={{ ssl_ca }}
+ssl-pemfile={{ ssl_cert }}
+ssl-keyfile={{ ssl_key }}
 
 {% if client_ip_pool %}
 [ip-pool]
@@ -452,22 +448,18 @@ def verify(sstp):
 if not sstp['ssl_ca'] or not sstp['ssl_cert'] or not sstp['ssl_key']:
 raise ConfigError('One or more SSL certificates missing')
 
- ssl_path = ssl_cert_dir + '/'
- if not os.path.exists(ssl_path + sstp['ssl_ca']):
- ca = ssl_path + sstp['ssl_ca']
- raise ConfigError(f'CA cert file {ca} does not exist')
+ if not os.path.exists(sstp['ssl_ca']):
+ raise ConfigError(f"CA cert file {sstp['ssl_ca']} does not exist")
 
- if not os.path.exists(ssl_path + sstp['ssl_cert']):
- cert = ssl_path + sstp['ssl_cert']
- raise ConfigError(f'SSL cert file {cert} does not exist')
+ if not os.path.exists(sstp['ssl_cert']):
+ raise ConfigError(f"SSL cert file {sstp['ssl_cert']} does not exist")
 
- if not os.path.exists(ssl_path + sstp['ssl_key']):
- key = ssl_path + sstp['ssl_key']
- raise ConfigError(f'SSL key file {key} does not exist')
+ if not os.path.exists(sstp['ssl_key']):
+ raise ConfigError(f"SSL key file {sstp['ssl_key']} does not exist")
 
 if sstp['auth_mode'] == 'radius':
 if len(sstp['radius_server']) == 0:
- raise ConfigError('RADIUS authentication requires at least one server')
+ raise ConfigError("RADIUS authentication requires at least one server")
 
 for radius in sstp['radius_server']:
 if not radius['key']:
@@ -489,7 +481,7 @@ def generate(sstp):
 with open(chap_secrets, 'w') as f:
 f.write(config_text)
 
- os.chmod(chap_secrets, S_IRUSR | S_IWUSR | S_IRGRP )
+ os.chmod(chap_secrets, S_IRUSR | S_IWUSR | S_IRGRP)
 else:
 if os.path.exists(chap_secrets):
 os.unlink(chap_secrets)
diff --git a/src/migration-scripts/sstp/1-to-2 b/src/migration-scripts/sstp/1-to-2
new file mode 100755
index 000000000..94cb04831
--- /dev/null
+++ b/src/migration-scripts/sstp/1-to-2
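Review bot: `os.path.exists()` in the three new checks of verify() accepts a directory or any other non-regular path, so a value such as `/config/auth` itself passes verification and the failure only surfaces when accel-ppp tries to load the file; `if not os.path.isfile(sstp['ssl_ca']):` (and likewise for `ssl_cert` and `ssl_key`) is the check that matches what the `ssl-ca-file`/`ssl-pemfile`/`ssl-keyfile` settings actually need, and the message could then say "is not a file" rather than "does not exist". With the `ssl_cert_dir` prefix gone, verify() is now the only Python-side code that sees the final path, so a short comment above the first check such as `# values are absolute paths; the CLI validator restricts them to /config/auth` would record where the directory restriction is enforced. Because the key path is rendered verbatim into the generated config, it would also be reasonable to reject a key file readable by group or others (`os.stat(sstp['ssl_key']).st_mode & (S_IRGRP | S_IROTH)`), provided `S_IROTH` is imported in this file, since the migration script in this commit sets 0600 on migrated keys but a hand-placed key gets no such treatment. verify() begins and continues outside this hunk.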
@@ -0,0 +1,110 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2020 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+# - migrate relative path SSL certificate to absolute path, as certs are only
+# allowed to stored in /config/user-data/sstp/ this is pretty straight
+# forward move. Delete certificates from source directory
+
+import os
+import sys
+
+from shutil import copy2
+from stat import S_IRUSR, S_IWUSR, S_IRGRP, S_IROTH
+from vyos.configtree import ConfigTree
+
+if (len(sys.argv) < 1):
+ print("Must specify file name!")
+ sys.exit(1)
+
+file_name = sys.argv[1]
+
+with open(file_name, 'r') as f:
+ config_file = f.read()
+
+config = ConfigTree(config_file)
+base_path = ['vpn', 'sstp', 'ssl']
+if not config.exists(base_path):
+ # Nothing to do
+ sys.exit(0)
+else:
+ cert_path_old ='/config/user-data/sstp/'
+ cert_path_new ='/config/auth/sstp/'
+
+ if not os.path.isdir(cert_path_new):
+ os.mkdir(cert_path_new)
+
+ #
+ # migrate ca-cert-file to new path
+ if config.exists(base_path + ['ca-cert-file']):
+ tmp = config.return_value(base_path + ['ca-cert-file'])
+ cert_old = cert_path_old + tmp
+ cert_new = cert_path_new + tmp
+
+ if os.path.isfile(cert_old):
+ # adjust file permissions on source file,
+ # permissions will be copied by copy2()
+ os.chmod(cert_old, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH)
+ copy2(cert_old, cert_path_new)
+ # delete old certificate file
+ os.unlink(cert_old)
+
config.set(base_path + ['ca-cert-file'], value=cert_new, replace=True)
+
+ #
+ # migrate cert-file to new path
+ if config.exists(base_path + ['cert-file']):
+ tmp = config.return_value(base_path + ['cert-file'])
+ cert_old = cert_path_old + tmp
+ cert_new = cert_path_new + tmp
+
+ if os.path.isfile(cert_old):
+ # adjust file permissions on source file,
+ # permissions will be copied by copy2()
+ os.chmod(cert_old, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH)
+ copy2(cert_old, cert_path_new)
+ # delete old certificate file
+ os.unlink(cert_old)
+
+ config.set(base_path + ['cert-file'], value=cert_new, replace=True)
+
+ #
+ # migrate key-file to new path
+ if config.exists(base_path + ['key-file']):
+ tmp = config.return_value(base_path + ['key-file'])
+ cert_old = cert_path_old + tmp
+ cert_new = cert_path_new + tmp
+
+ if os.path.isfile(cert_old):
+ # adjust file permissions on source file,
+ # permissions will be copied by copy2()
+ os.chmod(cert_old, S_IRUSR | S_IWUSR)
+ copy2(cert_old, cert_path_new)
+ # delete old certificate file
+ os.unlink(cert_old)
+
+ config.set(base_path + ['key-file'], value=cert_new, replace=True)
+
+ #
+ # check if old certificate directory exists but is empty
+ if os.path.isdir(cert_path_old) and not os.listdir(cert_path_old):
+ os.rmdir(cert_path_old)
+
+ try:
+ with open(file_name, 'w') as f:
+ f.write(config.to_string())
+ except OSError as e:
+ print("Failed to save the modified config: {}".format(e))
+ sys.exit(1)
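Review bot: The argument guard `if (len(sys.argv) < 1):` near the top of the new migration script can never fire, because `sys.argv[0]` is always present, so running it without a file name raises IndexError on `file_name = sys.argv[1]` instead of printing the intended message; the test should read `if len(sys.argv) < 2:`. `os.mkdir(cert_path_new)` also raises FileNotFoundError if `/config/auth` does not yet exist on the system being migrated (nothing in this diff shows it is guaranteed), and `os.makedirs(cert_path_new, exist_ok=True)` would cover that without the preceding `isdir` test. Beyond that, the ca-cert-file, cert-file and key-file sections are three copies of the same twelve lines differing only in the leaf name and the chmod mode, and each rewrites the config value to `cert_new` even when `cert_old` was not found — probably intended, since verify() in vpn_sstp.py will then report the missing file at commit, but it deserves a comment; folding the three blocks into one helper as sketched below keeps that decision in one place. The helper relies on the `config`, `base_path`, `cert_path_old` and `cert_path_new` names the script defines earlier.
```python
def migrate_cert(leaf, mode):
    """Move the file named by 'vpn sstp ssl <leaf>' from cert_path_old to
    cert_path_new and rewrite the config value to the new absolute path.
    'mode' is applied to the source first so copy2() carries it over."""
    if not config.exists(base_path + [leaf]):
        return
    tmp = config.return_value(base_path + [leaf])
    cert_old = cert_path_old + tmp
    cert_new = cert_path_new + tmp
    if os.path.isfile(cert_old):
        os.chmod(cert_old, mode)
        copy2(cert_old, cert_path_new)
        os.unlink(cert_old)
    # rewritten even if the source file was missing: verify() in
    # vpn_sstp.py reports the absent file at commit time
    config.set(base_path + [leaf], value=cert_new, replace=True)

# … unchanged: config load, base_path check and target directory creation …
migrate_cert('ca-cert-file', S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH)
migrate_cert('cert-file', S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH)
migrate_cert('key-file', S_IRUSR | S_IWUSR)
# … unchanged: empty old-directory cleanup and config write-back …
```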