summaryrefslogtreecommitdiff
path: root/src/conf_mode/vpn_openconnect.py
diff options
context:
space:
mode:
authorChristian Breunig <christian@breunig.cc>2023-05-12 21:03:03 +0200
committerChristian Breunig <christian@breunig.cc>2023-05-12 21:06:56 +0200
commitd1abba03229128c3f2a6f718e9f14f4d7285e74d (patch)
tree43d8443adbb8fdaf6218d6a20c78c53688877797 /src/conf_mode/vpn_openconnect.py
parent25ddb57b66de2c0918050052a4d374d4edb905f0 (diff)
downloadvyos-1x-d1abba03229128c3f2a6f718e9f14f4d7285e74d.tar.gz
vyos-1x-d1abba03229128c3f2a6f718e9f14f4d7285e74d.zip
ocserv: T3896: improve XML definition and add warning about 3rd party configs
When enabling identity-based-config, users can add arbitrary config keys that are processed by ocserv. The user "must know" what he is been doing, as invalid config option will make the ocserv daemon go ... whoop! Thus add a warning and inform the user about this setting.
Diffstat (limited to 'src/conf_mode/vpn_openconnect.py')
-rwxr-xr-xsrc/conf_mode/vpn_openconnect.py3
1 files changed, 3 insertions, 0 deletions
diff --git a/src/conf_mode/vpn_openconnect.py b/src/conf_mode/vpn_openconnect.py
index 7b3325d95..83021a3e6 100755
--- a/src/conf_mode/vpn_openconnect.py
+++ b/src/conf_mode/vpn_openconnect.py
@@ -17,6 +17,7 @@
import os
from sys import exit
+from vyos.base import Warning
from vyos.config import Config
from vyos.configdict import dict_merge
from vyos.pki import wrap_certificate
@@ -173,9 +174,11 @@ def verify(ocserv):
users_wo_pswd.append(user)
if users_wo_pswd:
raise ConfigError(f'password required for users:\n{users_wo_pswd}')
+
# Validate that if identity-based-config is configured all child config nodes are set
if 'identity_based_config' in ocserv["authentication"]:
if 'disabled' not in ocserv["authentication"]["identity_based_config"]:
+ Warning("Identity based configuration files is a 3rd party addition. Use at your own risk, this might break the ocserv daemon!")
if 'mode' not in ocserv["authentication"]["identity_based_config"]:
raise ConfigError('OpenConnect radius identity-based-config enabled but mode not selected')
elif 'group' in ocserv["authentication"]["identity_based_config"]["mode"] and "radius" not in ocserv["authentication"]["mode"]: