summaryrefslogtreecommitdiff
path: root/src/conf_mode/vpn_openconnect.py
diff options
context:
space:
mode:
authorChristian Breunig <christian@breunig.cc>2024-04-02 18:52:29 +0200
committerMergify <37929162+mergify[bot]@users.noreply.github.com>2024-04-02 17:01:41 +0000
commit7cf3f42f5ee8e1d8ecfe5da338ba3fe5bd5c55e2 (patch)
treef9a3559fc9b5549ba04404928d157fcd7e0fea52 /src/conf_mode/vpn_openconnect.py
parent2831bec9c1d94f5382140e937ccae11fb345eefd (diff)
downloadvyos-1x-7cf3f42f5ee8e1d8ecfe5da338ba3fe5bd5c55e2.tar.gz
vyos-1x-7cf3f42f5ee8e1d8ecfe5da338ba3fe5bd5c55e2.zip
configverify: T6198: add common helper for PKI certificate validation
The next evolutional step after adding get_config_dict(..., with_pki=True) is to add a common verification function for the recurring task of validating SSL certificate existance in e.g. EAPoL, OpenConnect, SSTP or HTTPS. (cherry picked from commit 3b758d870449e92fece9e29c791b950b332e6e65)
Diffstat (limited to 'src/conf_mode/vpn_openconnect.py')
-rwxr-xr-xsrc/conf_mode/vpn_openconnect.py52
1 files changed, 17 insertions, 35 deletions
diff --git a/src/conf_mode/vpn_openconnect.py b/src/conf_mode/vpn_openconnect.py
index 08e4fc6db..8159fedea 100755
--- a/src/conf_mode/vpn_openconnect.py
+++ b/src/conf_mode/vpn_openconnect.py
@@ -1,6 +1,6 @@
#!/usr/bin/env python3
#
-# Copyright (C) 2018-2023 VyOS maintainers and contributors
+# Copyright (C) 2018-2024 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
@@ -19,6 +19,8 @@ from sys import exit
from vyos.base import Warning
from vyos.config import Config
+from vyos.configverify import verify_pki_certificate
+from vyos.configverify import verify_pki_ca_certificate
from vyos.pki import wrap_certificate
from vyos.pki import wrap_private_key
from vyos.template import render
@@ -75,7 +77,7 @@ def verify(ocserv):
if "accounting" in ocserv:
if "mode" in ocserv["accounting"] and "radius" in ocserv["accounting"]["mode"]:
if not origin["accounting"]['radius']['server']:
- raise ConfigError('Openconnect accounting mode radius requires at least one RADIUS server')
+ raise ConfigError('OpenConnect accounting mode radius requires at least one RADIUS server')
if "authentication" not in ocserv or "mode" not in ocserv["authentication"]:
raise ConfigError('Accounting depends on OpenConnect authentication configuration')
elif "radius" not in ocserv["authentication"]["mode"]:
@@ -89,12 +91,12 @@ def verify(ocserv):
raise ConfigError('OpenConnect authentication modes are mutually-exclusive, remove either local or radius from your configuration')
if "radius" in ocserv["authentication"]["mode"]:
if not ocserv["authentication"]['radius']['server']:
- raise ConfigError('Openconnect authentication mode radius requires at least one RADIUS server')
+ raise ConfigError('OpenConnect authentication mode radius requires at least one RADIUS server')
if "local" in ocserv["authentication"]["mode"]:
if not ocserv.get("authentication", {}).get("local_users"):
- raise ConfigError('openconnect mode local required at least one user')
+ raise ConfigError('OpenConnect mode local required at least one user')
if not ocserv["authentication"]["local_users"]["username"]:
- raise ConfigError('openconnect mode local required at least one user')
+ raise ConfigError('OpenConnect mode local required at least one user')
else:
# For OTP mode: verify that each local user has an OTP key
if "otp" in ocserv["authentication"]["mode"]["local"]:
@@ -127,40 +129,20 @@ def verify(ocserv):
if 'default_config' not in ocserv["authentication"]["identity_based_config"]:
raise ConfigError('OpenConnect identity-based-config enabled but default-config not set')
else:
- raise ConfigError('openconnect authentication mode required')
+ raise ConfigError('OpenConnect authentication mode required')
else:
- raise ConfigError('openconnect authentication credentials required')
+ raise ConfigError('OpenConnect authentication credentials required')
# Check ssl
if 'ssl' not in ocserv:
- raise ConfigError('openconnect ssl required')
+ raise ConfigError('SSL missing on OpenConnect config!')
- if not ocserv['pki'] or 'certificate' not in ocserv['pki']:
- raise ConfigError('PKI not configured')
+ if 'certificate' not in ocserv['ssl']:
+ raise ConfigError('SSL certificate missing on OpenConnect config!')
+ verify_pki_certificate(ocserv, ocserv['ssl']['certificate'])
- ssl = ocserv['ssl']
- if 'certificate' not in ssl:
- raise ConfigError('openconnect ssl certificate required')
-
- cert_name = ssl['certificate']
-
- if cert_name not in ocserv['pki']['certificate']:
- raise ConfigError('Invalid openconnect ssl certificate')
-
- cert = ocserv['pki']['certificate'][cert_name]
-
- if 'certificate' not in cert:
- raise ConfigError('Missing certificate in PKI')
-
- if 'private' not in cert or 'key' not in cert['private']:
- raise ConfigError('Missing private key in PKI')
-
- if 'ca_certificate' in ssl:
- if 'ca' not in ocserv['pki']:
- raise ConfigError('PKI not configured')
-
- if ssl['ca_certificate'] not in ocserv['pki']['ca']:
- raise ConfigError('Invalid openconnect ssl CA certificate')
+ if 'ca_certificate' in ocserv['ssl']:
+ verify_pki_ca_certificate(ocserv, ocserv['ssl']['ca_certificate'])
# Check network settings
if "network_settings" in ocserv:
@@ -172,7 +154,7 @@ def verify(ocserv):
else:
ocserv["network_settings"]["push_route"] = ["default"]
else:
- raise ConfigError('openconnect network settings required')
+ raise ConfigError('OpenConnect network settings required!')
def generate(ocserv):
if not ocserv:
@@ -276,7 +258,7 @@ def apply(ocserv):
break
sleep(0.250)
if counter > 5:
- raise ConfigError('openconnect failed to start, check the logs for details')
+ raise ConfigError('OpenConnect failed to start, check the logs for details')
break
counter += 1