authorJamie Austin <jamiea@opusv.com.au>2023-04-20 17:07:53 +1000
committerJamie Austin <jamiea@opusv.com.au>2023-04-20 17:10:27 +1000
commit93de3abe1368cab5ab8cd292689466d7af8e86bc (patch)
tree026f9fadcbea105db2d0ba90d4d4db40c2b35d32
parent80d83f6392ceac3907a9c23c6525c984e5808b4d (diff)
ocserv: T3896: refactor: change ocserv config-per-x node name
Changes the node name from config-per-x to identity-based-config; as a result, the j2 templates and vpn_openconnect.py have been refactored to use the new node name when accessing its child nodes.
-rw-r--r--data/templates/ocserv/ocserv_config.j218
-rw-r--r--interface-definitions/include/openconnect-identity-based-config.xml.i (renamed from interface-definitions/include/openconnect-config-per-x.xml.i)4
-rw-r--r--interface-definitions/vpn-openconnect.xml.in2
-rwxr-xr-xsrc/conf_mode/vpn_openconnect.py20
4 files changed, 22 insertions, 22 deletions
diff --git a/data/templates/ocserv/ocserv_config.j2 b/data/templates/ocserv/ocserv_config.j2
index ea2c9e29f..52c208c0d 100644
--- a/data/templates/ocserv/ocserv_config.j2
+++ b/data/templates/ocserv/ocserv_config.j2
@@ -12,11 +12,11 @@ run-as-group = daemon
{% if "radius" in authentication.mode %}
auth = "radius [config=/run/ocserv/radiusclient.conf{{ ',groupconfig=true' if authentication.radius.groupconfig is vyos_defined else '' }}]"
-{% if "config_per_x" in authentication %}
-{% if authentication.config_per_x.disabled is not vyos_defined %}
-{% if "group" in authentication.config_per_x.mode %}
-config-per-group = {{ authentication.config_per_x.directory }}
-default-group-config = {{ authentication.config_per_x.default_config }}
+{% if "identity_based_config" in authentication %}
+{% if authentication.identity_based_config.disabled is not vyos_defined %}
+{% if "group" in authentication.identity_based_config.mode %}
+config-per-group = {{ authentication.identity_based_config.directory }}
+default-group-config = {{ authentication.identity_based_config.default_config }}
{% endif %}
{% endif %}
{% endif %}
@@ -32,10 +32,10 @@ auth = "plain[/run/ocserv/ocpasswd]"
auth = "plain[/run/ocserv/ocpasswd]"
{% endif %}
-{% if "config_per_x" in authentication %}
-{% if "user" in authentication.config_per_x.mode %}
-config-per-user = {{ authentication.config_per_x.directory }}
-default-user-config = {{ authentication.config_per_x.default_config }}
+{% if "identity_based_config" in authentication %}
+{% if "user" in authentication.identity_based_config.mode %}
+config-per-user = {{ authentication.identity_based_config.directory }}
+default-user-config = {{ authentication.identity_based_config.default_config }}
{% endif %}
{% endif %}
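Review bot: The user-mode block in this hunk has no `disabled` guard, unlike the group-mode block in the preceding hunk, so a configuration with `identity-based-config disabled` still emits `config-per-user` and `default-user-config` and ocserv keeps loading per-user config files from the directory. verify() in src/conf_mode/vpn_openconnect.py also skips the mode, directory and default-config checks when `disabled` is present, so those values may be absent at render time; whether that renders as empty text or fails the template depends on the Undefined handling of the renderer, which is not visible here. Wrapping the `"user" in authentication.identity_based_config.mode` test in `{% if authentication.identity_based_config.disabled is not vyos_defined %}` with its matching `{% endif %}` would make the two blocks consistent with each other and with verify().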
diff --git a/interface-definitions/include/openconnect-config-per-x.xml.i b/interface-definitions/include/openconnect-identity-based-config.xml.i
index c9b200249..dfc51936d 100644
--- a/interface-definitions/include/openconnect-config-per-x.xml.i
+++ b/interface-definitions/include/openconnect-identity-based-config.xml.i
@@ -1,5 +1,5 @@
-<!-- include start from openconnect-config-per-x.xml.i -->
-<node name="config-per-x">
+<!-- include start from openconnect-identity-based-config.xml.i -->
+<node name="identity-based-config">
<properties>
<help>Configures OpenConnect to search the configured directory for a config file matching the Group name or Username</help>
</properties>
diff --git a/interface-definitions/vpn-openconnect.xml.in b/interface-definitions/vpn-openconnect.xml.in
index 24d24568f..db575d227 100644
--- a/interface-definitions/vpn-openconnect.xml.in
+++ b/interface-definitions/vpn-openconnect.xml.in
@@ -50,7 +50,7 @@
</leafNode>
</children>
</node>
- #include <include/openconnect-config-per-x.xml.i>
+ #include <include/openconnect-identity-based-config.xml.i>
<leafNode name="group">
<properties>
<help>Group that a client is allowed to select (from a list). Maps to RADIUS Class attribute.</help>
diff --git a/src/conf_mode/vpn_openconnect.py b/src/conf_mode/vpn_openconnect.py
index 12165a4f2..16a5b5952 100755
--- a/src/conf_mode/vpn_openconnect.py
+++ b/src/conf_mode/vpn_openconnect.py
@@ -113,17 +113,17 @@ def verify(ocserv):
users_wo_pswd.append(user)
if users_wo_pswd:
raise ConfigError(f'password required for users:\n{users_wo_pswd}')
- # Validate that if config-per-x is configured all child config nodes are set
- if 'config_per_x' in ocserv["authentication"]:
- if 'disabled' not in ocserv["authentication"]["config_per_x"]:
- if 'mode' not in ocserv["authentication"]["config_per_x"]:
- raise ConfigError('OpenConnect radius config-per-x enabled but mode not selected')
- elif 'group' in ocserv["authentication"]["config_per_x"]["mode"] and "radius" not in ocserv["authentication"]["mode"]:
+ # Validate that if identity-based-config is configured all child config nodes are set
+ if 'identity_based_config' in ocserv["authentication"]:
+ if 'disabled' not in ocserv["authentication"]["identity_based_config"]:
+ if 'mode' not in ocserv["authentication"]["identity_based_config"]:
+ raise ConfigError('OpenConnect radius identity-based-config enabled but mode not selected')
+ elif 'group' in ocserv["authentication"]["identity_based_config"]["mode"] and "radius" not in ocserv["authentication"]["mode"]:
raise ConfigError('OpenConnect config-per-group must be used with radius authentication')
- if 'directory' not in ocserv["authentication"]["config_per_x"]:
- raise ConfigError('OpenConnect config-per-x enabled but directory not set')
- if 'default_config' not in ocserv["authentication"]["config_per_x"]:
- raise ConfigError('OpenConnect config-per-x enabled but default-config not set')
+ if 'directory' not in ocserv["authentication"]["identity_based_config"]:
+ raise ConfigError('OpenConnect identity-based-config enabled but directory not set')
+ if 'default_config' not in ocserv["authentication"]["identity_based_config"]:
+ raise ConfigError('OpenConnect identity-based-config enabled but default-config not set')
else:
raise ConfigError('openconnect authentication mode required')
else:
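Review bot: The error message at the renamed `'mode' not in ...` check still says `OpenConnect radius identity-based-config enabled but mode not selected`, but the node is not radius-specific — the template's user mode is emitted under plain authentication as well — so `raise ConfigError('OpenConnect identity-based-config enabled but mode not selected')` would match the other messages in this hunk. The checks also stop at key presence: `directory` is accepted without confirming it is an existing absolute path, so a typo only surfaces when ocserv starts; if the interface definition does not already constrain the value, an `os.path.isdir()` check here would fail at commit time instead. The four-level nesting could be flattened by binding `ibc = ocserv["authentication"]["identity_based_config"]` once and using guard clauses. The enclosing verify() starts and ends outside this hunk.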