authorChristian Breunig <christian@breunig.cc>2023-05-12 21:03:03 +0200
committerChristian Breunig <christian@breunig.cc>2023-05-12 21:06:56 +0200
commitd1abba03229128c3f2a6f718e9f14f4d7285e74d (patch)
tree43d8443adbb8fdaf6218d6a20c78c53688877797
parent25ddb57b66de2c0918050052a4d374d4edb905f0 (diff)
downloadvyos-1x-d1abba03229128c3f2a6f718e9f14f4d7285e74d.tar.gz
vyos-1x-d1abba03229128c3f2a6f718e9f14f4d7285e74d.zip
ocserv: T3896: improve XML definition and add warning about 3rd party configs
When enabling identity-based-config, users can add arbitrary config keys that are processed by ocserv. The user must know what they are doing, as an invalid config option will make the ocserv daemon fail to start. Thus add a warning and inform the user about this setting.
-rw-r--r--data/templates/ocserv/ocserv_config.j26
-rw-r--r--interface-definitions/include/openconnect-identity-based-config.xml.i54
-rw-r--r--interface-definitions/vpn-openconnect.xml.in53
-rwxr-xr-xsrc/conf_mode/vpn_openconnect.py3
4 files changed, 57 insertions, 59 deletions
diff --git a/data/templates/ocserv/ocserv_config.j2 b/data/templates/ocserv/ocserv_config.j2
index 8b9daed0f..1401b8b26 100644
--- a/data/templates/ocserv/ocserv_config.j2
+++ b/data/templates/ocserv/ocserv_config.j2
@@ -16,12 +16,10 @@ acct = "radius [config=/run/ocserv/radiusclient.conf]"
{% if "radius" in authentication.mode %}
auth = "radius [config=/run/ocserv/radiusclient.conf{{ ',groupconfig=true' if authentication.radius.groupconfig is vyos_defined else '' }}]"
-{% if "identity_based_config" in authentication %}
-{% if authentication.identity_based_config.disabled is not vyos_defined %}
-{% if "group" in authentication.identity_based_config.mode %}
+{% if authentication.identity_based_config.disabled is not vyos_defined %}
+{% if "group" in authentication.identity_based_config.mode %}
config-per-group = {{ authentication.identity_based_config.directory }}
default-group-config = {{ authentication.identity_based_config.default_config }}
-{% endif %}
{% endif %}
{% endif %}
{% elif "local" in authentication.mode %}
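Review bot: Dropping the outer `{% if "identity_based_config" in authentication %}` guard means the template now dereferences `authentication.identity_based_config.disabled` even when the node is absent; this only renders cleanly if the template environment's undefined type is chainable, which is not visible here, so it should be confirmed or the guard restored as `{% if authentication.identity_based_config is vyos_defined and authentication.identity_based_config.disabled is not vyos_defined %}`. Within the `group` branch, `default-group-config = {{ authentication.identity_based_config.default_config }}` is emitted unconditionally, so if the config-mode verify step does not enforce `default-config` the rendered file would contain an empty directive that ocserv is likely to reject. Since the directory and default file are passed verbatim to ocserv and their contents are treated as trusted daemon configuration, a comment such as `{# files under this directory are included by ocserv as-is; only the /config/auth validator guards the path #}` would help the next maintainer. The enclosing `{% if "radius" in authentication.mode %}` block starts before the hunk.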
diff --git a/interface-definitions/include/openconnect-identity-based-config.xml.i b/interface-definitions/include/openconnect-identity-based-config.xml.i
deleted file mode 100644
index dfc51936d..000000000
--- a/interface-definitions/include/openconnect-identity-based-config.xml.i
+++ /dev/null
@@ -1,54 +0,0 @@
-<!-- include start from openconnect-identity-based-config.xml.i -->
-<node name="identity-based-config">
- <properties>
- <help>Configures OpenConnect to search the configured directory for a config file matching the Group name or Username</help>
- </properties>
- <children>
- <leafNode name="mode">
- <properties>
- <help>Configures OpenConnect to use config-per-group or config-per-user. Ignored if OpenConnect authentication group is configured.</help>
- <valueHelp>
- <format>user</format>
- <description>OpenConnect config file loaded by matching file in configured directory to the users username</description>
- </valueHelp>
- <valueHelp>
- <format>group</format>
- <description>OpenConnect config file loaded by matching RADIUS class attribute in the RADIUS server response to a file in the configured directory</description>
- </valueHelp>
- <constraint>
- <regex>(user|group)</regex>
- </constraint>
- <constraintErrorMessage>Invalid mode. Must be one of: user, group</constraintErrorMessage>
- <completionHelp>
- <list>user group</list>
- </completionHelp>
- </properties>
- </leafNode>
- <leafNode name="directory">
- <properties>
- <help>Directory to configure OpenConnect to use for matching username/group to config file</help>
- <valueHelp>
- <format>filename</format>
- <description>Must be a child directory of /config/auth e.g. /config/auth/ocserv/config-per-user</description>
- </valueHelp>
- <constraint>
- <validator name="file-path" argument="--directory --parent-dir /config/auth --strict"/>
- </constraint>
- </properties>
- </leafNode>
- <leafNode name="default-config">
- <properties>
- <help>Default/fallback config to use when a file cannot be found in the configured directory that matches the username/group</help>
- <valueHelp>
- <format>filename</format>
- <description>Child directory of /config/auth e.g. /config/auth/ocserv/defaults/user.conf</description>
- </valueHelp>
- <constraint>
- <validator name="file-path" argument="--file --parent-dir /config/auth --strict"/>
- </constraint>
- </properties>
- </leafNode>
- #include <include/generic-disable-node.xml.i>
- </children>
-</node>
-<!-- include end --> \ No newline at end of file
diff --git a/interface-definitions/vpn-openconnect.xml.in b/interface-definitions/vpn-openconnect.xml.in
index afc2a5383..75c64a99a 100644
--- a/interface-definitions/vpn-openconnect.xml.in
+++ b/interface-definitions/vpn-openconnect.xml.in
@@ -71,7 +71,58 @@
</leafNode>
</children>
</node>
- #include <include/openconnect-identity-based-config.xml.i>
+ <node name="identity-based-config">
+ <properties>
+ <help>Include configuration file by username or RADIUS group attribute</help>
+ </properties>
+ <children>
+ #include <include/generic-disable-node.xml.i>
+ <leafNode name="mode">
+ <properties>
+ <help>Select per user or per group configuration file - ignored if authentication group is configured</help>
+ <completionHelp>
+ <list>user group</list>
+ </completionHelp>
+ <valueHelp>
+ <format>user</format>
+ <description>Match configuration file on username</description>
+ </valueHelp>
+ <valueHelp>
+ <format>group</format>
+ <description>Match RADIUS response class attribute as file name</description>
+ </valueHelp>
+ <constraint>
+ <regex>(user|group)</regex>
+ </constraint>
+ <constraintErrorMessage>Invalid mode, must be either user or group</constraintErrorMessage>
+ </properties>
+ </leafNode>
+ <leafNode name="directory">
+ <properties>
+ <help>Directory to containing configuration files</help>
+ <valueHelp>
+ <format>path</format>
+ <description>Path to configuration directory, must be under /config/auth</description>
+ </valueHelp>
+ <constraint>
+ <validator name="file-path" argument="--directory --parent-dir /config/auth --strict"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="default-config">
+ <properties>
+ <help>Default configuration if discrete config could not be found</help>
+ <valueHelp>
+ <format>filename</format>
+ <description>Default configuration filename, must be under /config/auth</description>
+ </valueHelp>
+ <constraint>
+ <validator name="file-path" argument="--file --parent-dir /config/auth --strict"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
<leafNode name="group">
<properties>
<help>Group that a client is allowed to select (from a list). Maps to RADIUS Class attribute.</help>
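Review bot: The help text for the new `directory` leaf, `Directory to containing configuration files`, is ungrammatical and should read `<help>Directory containing configuration files</help>`. Since the commit exists to warn that this is a third-party feature whose files are handed to ocserv unchecked, the node-level help is the first place users see it and could carry that caveat, e.g. `<help>Include configuration file by username or RADIUS group attribute (3rd party feature, invalid directives break ocserv)</help>`. The `directory` and `default-config` leaves are constrained by the `file-path` validator with `--parent-dir /config/auth --strict`, which restricts the path but not the file contents, so that caveat is the only user-facing hint of the risk.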
diff --git a/src/conf_mode/vpn_openconnect.py b/src/conf_mode/vpn_openconnect.py
index 7b3325d95..83021a3e6 100755
--- a/src/conf_mode/vpn_openconnect.py
+++ b/src/conf_mode/vpn_openconnect.py
@@ -17,6 +17,7 @@
import os
from sys import exit
+from vyos.base import Warning
from vyos.config import Config
from vyos.configdict import dict_merge
from vyos.pki import wrap_certificate
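Review bot: The added `from vyos.base import Warning` shadows the builtin `Warning` exception class in this module's namespace, so any `except Warning` or `warnings`-related code in the file would silently bind to the VyOS helper instead of the builtin. If the project does not already use this name everywhere, importing it under an alias avoids the collision, e.g. `from vyos.base import Warning as VyOSWarning`, with the call site updated to match. If the bare name is the established project convention, a short comment on the import line noting the intentional shadowing would save the next reader a double take.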
@@ -173,9 +174,11 @@ def verify(ocserv):
users_wo_pswd.append(user)
if users_wo_pswd:
raise ConfigError(f'password required for users:\n{users_wo_pswd}')
+
# Validate that if identity-based-config is configured all child config nodes are set
if 'identity_based_config' in ocserv["authentication"]:
if 'disabled' not in ocserv["authentication"]["identity_based_config"]:
+ Warning("Identity based configuration files is a 3rd party addition. Use at your own risk, this might break the ocserv daemon!")
if 'mode' not in ocserv["authentication"]["identity_based_config"]:
raise ConfigError('OpenConnect radius identity-based-config enabled but mode not selected')
elif 'group' in ocserv["authentication"]["identity_based_config"]["mode"] and "radius" not in ocserv["authentication"]["mode"]:
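Review bot: The new warning text has a number agreement error, `Identity based configuration files is a 3rd party addition`, and should read `Warning('Identity based configuration files are a 3rd party addition. Use at your own risk, this might break the ocserv daemon!')`. It is emitted before the `mode` check, which is fine, but it only tells the operator about breakage; since the included files are passed to ocserv as daemon configuration, the message could also state that anything able to write under the configured directory can influence the daemon's configuration, if that is the intended trust boundary. The comment on the preceding line promises that all child nodes are validated, yet only `mode` is checked within this hunk; `verify()` continues past the hunk, so the remaining checks may be there, but the comment should match whatever is actually enforced.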