summaryrefslogtreecommitdiff
path: root/src/conf_mode
diff options
context:
space:
mode:
authorChristian Poessinger <christian@poessinger.com>2020-12-27 11:43:27 +0100
committerChristian Poessinger <christian@poessinger.com>2020-12-28 19:42:50 +0100
commiteeb78e842423319169b036d16601e73227dbffdd (patch)
tree282dac56ecfccf381fa92ad9027df6779d16ae2f /src/conf_mode
parent1efd20ab21e75e421487d563fc794a7f97361a3e (diff)
downloadvyos-1x-eeb78e842423319169b036d16601e73227dbffdd.tar.gz
vyos-1x-eeb78e842423319169b036d16601e73227dbffdd.zip
webproxy: T563: squidguard: support default ruleset
Diffstat (limited to 'src/conf_mode')
-rwxr-xr-xsrc/conf_mode/service_webproxy.py57
1 files changed, 55 insertions, 2 deletions
diff --git a/src/conf_mode/service_webproxy.py b/src/conf_mode/service_webproxy.py
index 76b72ad48..8dfae348a 100755
--- a/src/conf_mode/service_webproxy.py
+++ b/src/conf_mode/service_webproxy.py
@@ -16,6 +16,7 @@
import os
+from shutil import rmtree
from sys import exit
from vyos.config import Config
@@ -23,6 +24,7 @@ from vyos.configdict import dict_merge
from vyos.template import render
from vyos.util import call
from vyos.util import dict_search
+from vyos.util import write_file
from vyos.validate import is_addr_assigned
from vyos.xml import defaults
from vyos import ConfigError
@@ -31,6 +33,47 @@ airbag.enable()
squid_config_file = '/etc/squid/squid.conf'
squidguard_config_file = '/etc/squidguard/squidGuard.conf'
+squidguard_db_dir = '/opt/vyatta/etc/config/url-filtering/squidguard/db'
+user_group = 'proxy'
+
+def generate_sg_localdb(category, list_type, role, proxy):
+ cat_ = category.replace('-', '_')
+ if isinstance(dict_search(f'url_filtering.squidguard.{cat_}', proxy),
+ list):
+
+ # local block databases must be generated "on-the-fly"
+ tmp = {
+ 'squidguard_db_dir' : squidguard_db_dir,
+ 'category' : f'{category}-default',
+ 'list_type' : list_type,
+ 'rule' : role
+ }
+ sg_tmp_file = '/tmp/sg.conf'
+ db_file = f'{category}-default/{list_type}'
+ domains = '\n'.join(dict_search(f'url_filtering.squidguard.{cat_}', proxy))
+
+ # local file
+ write_file(f'{squidguard_db_dir}/{category}-default/local', '',
+ user=user_group, group=user_group)
+ # database input file
+ write_file(f'{squidguard_db_dir}/{db_file}', domains,
+ user=user_group, group=user_group)
+
+ # temporary config file, deleted after generation
+ render(sg_tmp_file, 'squid/sg_acl.conf.tmpl', tmp,
+ user=user_group, group=user_group)
+
+ call(f'su - {user_group} -c "squidGuard -d -c {sg_tmp_file} -C {db_file}"')
+
+ if os.path.exists(sg_tmp_file):
+ os.unlink(sg_tmp_file)
+
+ else:
+ # if category is not part of our configuration, clean out the
+ # squidguard lists
+ tmp = f'{squidguard_db_dir}/{category}-default'
+ if os.path.exists(tmp):
+ rmtree(f'{squidguard_db_dir}/{category}-default')
def get_config(config=None):
if config:
@@ -55,6 +98,7 @@ def get_config(config=None):
else:
# store path to squidGuard config, used when generating Squid config
proxy['squidguard_conf'] = squidguard_config_file
+ proxy['squidguard_db_dir'] = squidguard_db_dir
# XXX: T2665: blend in proper cache-peer default values later
default_values.pop('cache_peer')
@@ -67,8 +111,6 @@ def get_config(config=None):
proxy['cache_peer'][peer] = dict_merge(default_values,
proxy['cache_peer'][peer])
- import pprint
- pprint.pprint(proxy)
return proxy
def verify(proxy):
@@ -121,6 +163,7 @@ def verify(proxy):
if 'address' not in config:
raise ConfigError(f'Cache-peer "{peer}" address must be set!')
+
def generate(proxy):
if not proxy:
return None
@@ -128,6 +171,16 @@ def generate(proxy):
render(squid_config_file, 'squid/squid.conf.tmpl', proxy)
render(squidguard_config_file, 'squid/squidGuard.conf.tmpl', proxy)
+ cat_dict = {
+ 'local-block' : 'domains',
+ 'local-block-keyword' : 'expressions',
+ 'local-block-url' : 'urls',
+ 'local-ok' : 'domains',
+ 'local-ok-url' : 'urls'
+ }
+ for category, list_type in cat_dict.items():
+ generate_sg_localdb(category, list_type, 'default', proxy)
+
return None
def apply(proxy):