summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorKim Hagen <kim@sentrium.io>2021-10-07 08:44:00 -0500
committerKim Hagen <kim@sentrium.io>2021-10-07 08:44:00 -0500
commitba8630da96396f09c638fccdc9cfe6a3ee70fd58 (patch)
treea4bedef0d677fa8179dd76c7c8d314476f3683cd
parenteb7f8904076e749e18c10b6374bf363dfa009c19 (diff)
downloadvyos-1x-ba8630da96396f09c638fccdc9cfe6a3ee70fd58.tar.gz
vyos-1x-ba8630da96396f09c638fccdc9cfe6a3ee70fd58.zip
pull request fixes
-rw-r--r--data/templates/openvpn/server.conf.tmpl12
-rw-r--r--interface-definitions/interfaces-openvpn.xml.in23
-rw-r--r--op-mode-definitions/openvpn.xml.in16
-rwxr-xr-xsrc/conf_mode/interfaces-openvpn.py18
-rwxr-xr-xsrc/op_mode/show_openvpn_mfa.py (renamed from src/op_mode/show_openvpn_2fa.py)12
5 files changed, 48 insertions, 33 deletions
diff --git a/data/templates/openvpn/server.conf.tmpl b/data/templates/openvpn/server.conf.tmpl
index 644eb805f..3104203ad 100644
--- a/data/templates/openvpn/server.conf.tmpl
+++ b/data/templates/openvpn/server.conf.tmpl
@@ -127,14 +127,10 @@ push "dhcp-option DNS6 {{ nameserver }}"
{% if server.domain_name is defined and server.domain_name is not none %}
push "dhcp-option DOMAIN {{ server.domain_name }}"
{% endif %}
-{% if server['2fa'] is defined and server['2fa'] is not none %}
-{% if server['2fa']['totp'] is defined and server['2fa']['totp'] is not none %}
-plugin "/usr/lib/openvpn/openvpn-otp.so" "otp_secrets=/config/auth/openvpn/{{ ifname }}-otp-secrets otp_slop=
-{{- server['2fa']['totp']['slop']|default(180) }} totp_t0=
-{{- server['2fa']['totp']['drift']|default(0) }} totp_step=
-{{- server['2fa']['totp']['step']|default(30) }} totp_digits=
-{{- server['2fa']['totp']['digits']|default(6)}} password_is_cr=
-{%-if server['2fa']['totp']['challenge']|default('enable') == 'enable' %}1{% else %}0{% endif %}"
+{% if server.mfa is defined and server.mfa is not none %}
+{% if server.mfa.totp is defined and server.mfa.totp is not none %}
+{% set totp_config = server.mfa.totp %}
+plugin "{{ plugin_dir}}/openvpn-otp.so" "otp_secrets=/config/auth/openvpn/{{ ifname }}-otp-secrets {{ 'otp_slop=' ~ totp_config.slop }} {{ 'totp_t0=' ~ totp_config.drift }} {{ 'totp_step=' ~ totp_config.step }} {{ 'totp_digits=' ~ totp_config.digits }} password_is_cr={{ '1' if totp_config.challenge == 'enable' else '0' }}"
{% endif %}
{% endif %}
{% endif %}
diff --git a/interface-definitions/interfaces-openvpn.xml.in b/interface-definitions/interfaces-openvpn.xml.in
index 62fac9be0..023f9f55d 100644
--- a/interface-definitions/interfaces-openvpn.xml.in
+++ b/interface-definitions/interfaces-openvpn.xml.in
@@ -635,14 +635,14 @@
</properties>
<defaultValue>net30</defaultValue>
</leafNode>
- <node name="2fa">
+ <node name="mfa">
<properties>
- <help>2-factor authentication</help>
+ <help>multi-factor authentication</help>
</properties>
<children>
<node name="totp">
<properties>
- <help>Time-based One-Time Passwords</help>
+ <help>Time-based one-time passwords</help>
</properties>
<children>
<leafNode name="slop">
@@ -656,10 +656,11 @@
<validator name="numeric" argument="--range 1-65535"/>
</constraint>
</properties>
+ <defaultValue>180</defaultValue>
</leafNode>
<leafNode name="drift">
<properties>
- <help>time drift in seconds (default: 0)</help>
+ <help>Time drift in seconds (default: 0)</help>
<valueHelp>
<format>1-65535</format>
<description>Seconds</description>
@@ -668,10 +669,11 @@
<validator name="numeric" argument="--range 1-65535"/>
</constraint>
</properties>
+ <defaultValue>0</defaultValue>
</leafNode>
<leafNode name="step">
<properties>
- <help>Step value for TOTP in seconds (default: 30)</help>
+ <help>Step value for totp in seconds (default: 30)</help>
<valueHelp>
<format>1-65535</format>
<description>Seconds</description>
@@ -680,10 +682,11 @@
<validator name="numeric" argument="--range 1-65535"/>
</constraint>
</properties>
+ <defaultValue>30</defaultValue>
</leafNode>
<leafNode name="digits">
<properties>
- <help>Number of digits to use from TOTP hash (default: 6)</help>
+ <help>Number of digits to use for totp hash (default: 6)</help>
<valueHelp>
<format>1-65535</format>
<description>Seconds</description>
@@ -692,25 +695,27 @@
<validator name="numeric" argument="--range 1-65535"/>
</constraint>
</properties>
+ <defaultValue>6</defaultValue>
</leafNode>
<leafNode name="challenge">
<properties>
- <help>expect password as result of a challenge response protocol (default: enabled)</help>
+ <help>Expect password as result of a challenge response protocol (default: enabled)</help>
<completionHelp>
<list>disable enable</list>
</completionHelp>
<valueHelp>
<format>disable</format>
- <description>Disable challenge response (default)</description>
+ <description>Disable challenge-response</description>
</valueHelp>
<valueHelp>
<format>enable</format>
- <description>Enable chalenge response (default)</description>
+ <description>Enable chalenge-response (default)</description>
</valueHelp>
<constraint>
<regex>^(disable|enable)$</regex>
</constraint>
</properties>
+ <defaultValue>enable</defaultValue>
</leafNode>
</children>
</node>
diff --git a/op-mode-definitions/openvpn.xml.in b/op-mode-definitions/openvpn.xml.in
index 068d5d8fb..7243d69fd 100644
--- a/op-mode-definitions/openvpn.xml.in
+++ b/op-mode-definitions/openvpn.xml.in
@@ -63,28 +63,28 @@
</completionHelp>
</properties>
<children>
- <node name="2fa">
+ <node name="mfa">
<properties>
- <help>Show 2fa information</help>
+ <help>Show multi-factor authentication information</help>
</properties>
<children>
<leafNode name="secret">
<properties>
- <help>Show 2fa authentication secret</help>
+ <help>Show multi-factor authentication secret</help>
</properties>
- <command>${vyos_op_scripts_dir}/show_openvpn_2fa.py --user="$6" --intf="$4" --action=secret</command>
+ <command>${vyos_op_scripts_dir}/show_openvpn_mfa.py --user="$6" --intf="$4" --action=secret</command>
</leafNode>
<leafNode name="uri">
<properties>
- <help>Show 2fa otpauth uri</help>
+ <help>Show multi-factor authentication otpauth uri</help>
</properties>
- <command>${vyos_op_scripts_dir}/show_openvpn_2fa.py --user="$6" --intf="$4" --action=uri</command>
+ <command>${vyos_op_scripts_dir}/show_openvpn_mfa.py --user="$6" --intf="$4" --action=uri</command>
</leafNode>
<leafNode name="qrcode">
<properties>
- <help>Show 2fa QR code</help>
+ <help>Show multi-factor authentication QR code</help>
</properties>
- <command>${vyos_op_scripts_dir}/show_openvpn_2fa.py --user="$6" --intf="$4" --action=qrcode</command>
+ <command>${vyos_op_scripts_dir}/show_openvpn_mfa.py --user="$6" --intf="$4" --action=qrcode</command>
</leafNode>
</children>
</node>
diff --git a/src/conf_mode/interfaces-openvpn.py b/src/conf_mode/interfaces-openvpn.py
index 365d0982e..220c4f157 100755
--- a/src/conf_mode/interfaces-openvpn.py
+++ b/src/conf_mode/interfaces-openvpn.py
@@ -80,6 +80,11 @@ def get_config(config=None):
tmp_pki = conf.get_config_dict(['pki'], key_mangling=('-', '_'),
get_first_key=True, no_tag_node_value_mangle=True)
+ # We have to get the dict using 'get_config_dict' instead of 'get_interface_dict'
+ # as 'get_interface_dict' merges the defaults in, so we can not check for defaults in there.
+ tmp_openvpn = conf.get_config_dict(base + [os.environ['VYOS_TAGNODE_VALUE']], key_mangling=('-', '_'),
+ get_first_key=True, no_tag_node_value_mangle=True)
+
openvpn = get_interface_dict(conf, base)
if 'deleted' not in openvpn:
@@ -89,6 +94,14 @@ def get_config(config=None):
openvpn['daemon_user'] = user
openvpn['daemon_group'] = group
+ # We have to cleanup the config dict, as default values could enable features
+ # which are not explicitly enabled on the CLI. Example: server mfa totp
+ # originate comes with defaults, which will enable the
+ # totp plugin, even when not set via CLI so we
+ # need to check this first and drop those keys
+ if 'totp' not in tmp_openvpn['server']:
+ del openvpn['server']['mfa']['totp']
+
return openvpn
def is_ec_private_key(pki, cert_name):
@@ -369,8 +382,8 @@ def verify(openvpn):
if IPv6Address(client['ipv6_ip'][0]) in v6PoolNet:
print(f'Warning: Client "{client["name"]}" IP {client["ipv6_ip"][0]} is in server IP pool, it is not reserved for this client.')
- # add 2fa users to the file the 2fa plugin uses
- if dict_search('server.2fa.totp', openvpn):
+ # add mfa users to the file the mfa plugin uses
+ if dict_search('server.mfa.totp', openvpn):
if not Path(otp_file.format(**openvpn)).is_file():
Path(otp_path).mkdir(parents=True, exist_ok=True)
Path(otp_file.format(**openvpn)).touch()
@@ -590,6 +603,7 @@ def generate_pki_files(openvpn):
def generate(openvpn):
interface = openvpn['ifname']
directory = os.path.dirname(cfg_file.format(**openvpn))
+ plugin_dir = '/usr/lib/openvpn'
# we can't know in advance which clients have been removed,
# thus all client configs will be removed and re-added on demand
diff --git a/src/op_mode/show_openvpn_2fa.py b/src/op_mode/show_openvpn_mfa.py
index 8600f755d..1ab54600c 100755
--- a/src/op_mode/show_openvpn_2fa.py
+++ b/src/op_mode/show_openvpn_mfa.py
@@ -24,7 +24,7 @@ from vyos.util import popen
otp_file = '/config/auth/openvpn/{interface}-otp-secrets'
-def get_2fa_secret(interface, client):
+def get_mfa_secret(interface, client):
try:
with open(otp_file.format(interface=interface), "r") as f:
users = f.readlines()
@@ -34,7 +34,7 @@ def get_2fa_secret(interface, client):
except:
pass
-def get_2fa_uri(client, secret):
+def get_mfa_uri(client, secret):
hostname = socket.gethostname()
fqdn = socket.getfqdn()
uri = 'otpauth://totp/{hostname}:{client}@{fqdn}?secret={secret}'
@@ -42,23 +42,23 @@ def get_2fa_uri(client, secret):
return urllib.parse.quote(uri.format(hostname=hostname, client=client, fqdn=fqdn, secret=secret), safe='/:@?=')
if __name__ == '__main__':
- parser = argparse.ArgumentParser(add_help=False, description='Show 2fa information')
+ parser = argparse.ArgumentParser(add_help=False, description='Show two-factor authentication information')
parser.add_argument('--intf', action="store", type=str, default='', help='only show the specified interface')
parser.add_argument('--user', action="store", type=str, default='', help='only show the specified users')
parser.add_argument('--action', action="store", type=str, default='show', help='action to perform')
args = parser.parse_args()
- secret = get_2fa_secret(args.intf, args.user)
+ secret = get_mfa_secret(args.intf, args.user)
if args.action == "secret" and secret:
print(secret)
if args.action == "uri" and secret:
- uri = get_2fa_uri(args.user, secret)
+ uri = get_mfa_uri(args.user, secret)
print(uri)
if args.action == "qrcode" and secret:
- uri = get_2fa_uri(args.user, secret)
+ uri = get_mfa_uri(args.user, secret)
qrcode,err = popen('qrencode -t ansiutf8', input=uri)
print(qrcode)