openvpn: T3834: verify() is not allowed to change anything on the system (#3851)

Commit e3c71af1466 ("remove secrets file if the tunnel is deleted and fix
opmode commands") added a code path into verify() which removed files on the
system if TOTP was not defined.

This commit moves the code path to the appropriate generate() function.

(cherry picked from commit 40c835992db9217f48e54dbbf15a7fbf1dcba482)

Co-authored-by: Christian Breunig <christian@breunig.cc>

1 files changed, 10 insertions, 7 deletions

diff --git a/src/conf_mode/interfaces_openvpn.py b/src/conf_mode/interfaces_openvpn.py
index 627cc90ba..5bb663a9b 100755
--- a/src/conf_mode/interfaces_openvpn.py
+++ b/src/conf_mode/interfaces_openvpn.py
@@ -235,10 +235,6 @@ def verify_pki(openvpn):
 
 def verify(openvpn):
     if 'deleted' in openvpn:
-        # remove totp secrets file if totp is not configured
-        if os.path.isfile(otp_file.format(**openvpn)):
-            os.remove(otp_file.format(**openvpn))
-
         verify_bridge_delete(openvpn)
         return None
 
@@ -624,9 +620,19 @@ def generate_pki_files(openvpn):
 
 
 def generate(openvpn):
+    if 'deleted' in openvpn:
+        # remove totp secrets file if totp is not configured
+        if os.path.isfile(otp_file.format(**openvpn)):
+            os.remove(otp_file.format(**openvpn))
+        return None
+
+    if 'disable' in openvpn:
+        return None
+
     interface = openvpn['ifname']
     directory = os.path.dirname(cfg_file.format(**openvpn))
     openvpn['plugin_dir'] = '/usr/lib/openvpn'
+
     # create base config directory on demand
     makedir(directory, user, group)
     # enforce proper permissions on /run/openvpn
@@ -643,9 +649,6 @@ def generate(openvpn):
     if os.path.isdir(service_dir):
         rmtree(service_dir, ignore_errors=True)
 
-    if 'deleted' in openvpn or 'disable' in openvpn:
-        return None
-
     # create client config directory on demand
     makedir(ccd_dir, user, group)