diff options
| author | sarthurdev <965089+sarthurdev@users.noreply.github.com> | 2021-07-20 17:33:00 +0200 |
|---|---|---|
| committer | sarthurdev <965089+sarthurdev@users.noreply.github.com> | 2021-07-20 20:14:12 +0200 |
| commit | bfadd6dfb5969f231097353a76ada3b839964a19 (patch) | |
| tree | 5c9cae9c04121dd082c0a7a3e6d262df27c86489 /src/migration-scripts | |
| parent | 1554d3316eb74971d2ac7e3608173f6f113684e0 (diff) | |
| download | vyos-1x-bfadd6dfb5969f231097353a76ada3b839964a19.tar.gz vyos-1x-bfadd6dfb5969f231097353a76ada3b839964a19.zip | |
pki: eapol: T3642: Migrate EAPoL to use PKI configuration
Diffstat (limited to 'src/migration-scripts')
| -rwxr-xr-x | src/migration-scripts/interfaces/22-to-23 | 130 |
1 files changed, 112 insertions, 18 deletions
diff --git a/src/migration-scripts/interfaces/22-to-23 b/src/migration-scripts/interfaces/22-to-23 index c6dc32baf..3fd5998a0 100755 --- a/src/migration-scripts/interfaces/22-to-23 +++ b/src/migration-scripts/interfaces/22-to-23 @@ -15,27 +15,34 @@ # along with this program. If not, see <http://www.gnu.org/licenses/>. # Migrate Wireguard to store keys in CLI +# Migrate EAPoL to PKI configuration import os import sys from vyos.configtree import ConfigTree +from vyos.pki import load_certificate +from vyos.pki import load_private_key +from vyos.pki import encode_certificate +from vyos.pki import encode_private_key -if __name__ == '__main__': - if (len(sys.argv) < 1): - print("Must specify file name!") - sys.exit(1) +def wrapped_pem_to_config_value(pem): + return "".join(pem.strip().split("\n")[1:-1]) - file_name = sys.argv[1] +if (len(sys.argv) < 1): + print("Must specify file name!") + sys.exit(1) - with open(file_name, 'r') as f: - config_file = f.read() +file_name = sys.argv[1] - config = ConfigTree(config_file) - base = ['interfaces', 'wireguard'] - if not config.exists(base): - # Nothing to do - sys.exit(0) +with open(file_name, 'r') as f: + config_file = f.read() +config = ConfigTree(config_file) + +# Wireguard +base = ['interfaces', 'wireguard'] + +if config.exists(base): for interface in config.list_nodes(base): private_key_path = base + [interface, 'private-key'] @@ -56,9 +63,96 @@ if __name__ == '__main__': for peer in config.list_nodes(base + [interface, 'peer']): config.rename(base + [interface, 'peer', peer, 'pubkey'], 'public-key') - try: - with open(file_name, 'w') as f: - f.write(config.to_string()) - except OSError as e: - print("Failed to save the modified config: {}".format(e)) - sys.exit(1) +# Ethernet EAPoL +base = ['interfaces', 'ethernet'] + +if config.exists(base): + AUTH_DIR = '/config/auth' + pki_base = ['pki'] + + for interface in config.list_nodes(base): + if not config.exists(base + [interface, 'eapol']): + continue + + x509_base = base + [interface, 'eapol'] + pki_name = f'eapol_{interface}' + + if config.exists(x509_base + ['ca-cert-file']): + if not config.exists(pki_base + ['ca']): + config.set(pki_base + ['ca']) + config.set_tag(pki_base + ['ca']) + + cert_file = config.return_value(x509_base + ['ca-cert-file']) + cert_path = os.path.join(AUTH_DIR, cert_file) + cert = None + + if os.path.isfile(cert_path): + if not os.access(cert_path, os.R_OK): + run(f'sudo chmod 644 {cert_path}') + + with open(cert_path, 'r') as f: + cert_data = f.read() + cert = load_certificate(cert_data, wrap_tags=False) + + if cert: + cert_pem = encode_certificate(cert) + config.set(pki_base + ['ca', pki_name, 'certificate'], value=wrapped_pem_to_config_value(cert_pem)) + config.set(x509_base + ['ca-certificate'], value=pki_name) + else: + print(f'Failed to migrate CA certificate on eapol config for interface {interface}') + + config.delete(x509_base + ['ca-cert-file']) + + if config.exists(x509_base + ['cert-file']): + if not config.exists(pki_base + ['certificate']): + config.set(pki_base + ['certificate']) + config.set_tag(pki_base + ['certificate']) + + cert_file = config.return_value(x509_base + ['cert-file']) + cert_path = os.path.join(AUTH_DIR, cert_file) + cert = None + + if os.path.isfile(cert_path): + if not os.access(cert_path, os.R_OK): + run(f'sudo chmod 644 {cert_path}') + + with open(cert_path, 'r') as f: + cert_data = f.read() + cert = load_certificate(cert_data, wrap_tags=False) + + if cert: + cert_pem = encode_certificate(cert) + config.set(pki_base + ['certificate', pki_name, 'certificate'], value=wrapped_pem_to_config_value(cert_pem)) + config.set(x509_base + ['certificate'], value=pki_name) + else: + print(f'Failed to migrate certificate on eapol config for interface {interface}') + + config.delete(x509_base + ['cert-file']) + + if config.exists(x509_base + ['key-file']): + key_file = config.return_value(x509_base + ['key-file']) + key_path = os.path.join(AUTH_DIR, key_file) + key = None + + if os.path.isfile(key_path): + if not os.access(key_path, os.R_OK): + run(f'sudo chmod 644 {key_path}') + + with open(key_path, 'r') as f: + key_data = f.read() + key = load_private_key(key_data, passphrase=None, wrap_tags=False) + + if key: + key_pem = encode_private_key(key, passphrase=None) + config.set(pki_base + ['certificate', pki_name, 'private', 'key'], value=wrapped_pem_to_config_value(key_pem)) + else: + print(f'Failed to migrate private key on eapol config for interface {interface}') + + config.delete(x509_base + ['key-file']) + +try: + with open(file_name, 'w') as f: + f.write(config.to_string()) +except OSError as e: + print("Failed to save the modified config: {}".format(e)) + sys.exit(1) |