author | Christian Breunig <christian@breunig.cc> | 2023-05-12 20:14:56 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-05-12 20:14:56 +0200 |
commit | c60e9c932cab24bcc324f45752f0528332cc69a4 (patch) | |
tree | 9af17678e5a5f6bf786b1c0f22b3b3480ce2deaf /src | |
parent | 0224707acc7299b02eccdd1d2df434c4a57402b5 (diff) | |
parent | 93de3abe1368cab5ab8cd292689466d7af8e86bc (diff) | |
Merge pull request #1783 from PeppyH/T3896-ocserv-config-per-x
ocserv: T3896: add CLI options to configure ocserv config-per-user/group
Diffstat (limited to 'src')
-rwxr-xr-x | src/conf_mode/vpn_openconnect.py | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/src/conf_mode/vpn_openconnect.py b/src/conf_mode/vpn_openconnect.py
index 68da70d7d..7b3325d95 100755
--- a/src/conf_mode/vpn_openconnect.py
+++ b/src/conf_mode/vpn_openconnect.py
@@ -173,6 +173,17 @@ def verify(ocserv):
 users_wo_pswd.append(user)
 if users_wo_pswd:
 raise ConfigError(f'password required for users:\n{users_wo_pswd}')
+ # Validate that if identity-based-config is configured all child config nodes are set
+ if 'identity_based_config' in ocserv["authentication"]:
+ if 'disabled' not in ocserv["authentication"]["identity_based_config"]:
+ if 'mode' not in ocserv["authentication"]["identity_based_config"]:
+ raise ConfigError('OpenConnect radius identity-based-config enabled but mode not selected')
+ elif 'group' in ocserv["authentication"]["identity_based_config"]["mode"] and "radius" not in ocserv["authentication"]["mode"]:
+ raise ConfigError('OpenConnect config-per-group must be used with radius authentication')
+ if 'directory' not in ocserv["authentication"]["identity_based_config"]:
+ raise ConfigError('OpenConnect identity-based-config enabled but directory not set')
+ if 'default_config' not in ocserv["authentication"]["identity_based_config"]:
+ raise ConfigError('OpenConnect identity-based-config enabled but default-config not set')
 else:
 raise ConfigError('openconnect authentication mode required')
 else: |
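Review bot: The `elif` line tests `'group' in ocserv["authentication"]["identity_based_config"]["mode"]`, which is a containment check rather than an equality check. If `mode` is a single string (its type is not visible in this hunk), any value that merely contains "group" would trigger the radius requirement. Binding the node once and comparing exactly would be clearer, e.g. `ibc = ocserv['authentication']['identity_based_config']` followed by `elif ibc['mode'] == 'group' and 'radius' not in ocserv['authentication']['mode']:`. Separately, `directory` and `default_config` are only checked for presence. ocserv reads per-identity overrides from that directory, so unless the CLI definition already constrains these paths (not visible here), `verify()` should also confirm the directory exists and is not writable by unprivileged users. `verify()` begins and ends outside this hunk, and the page has lost the original indentation, so the nesting of the new checks is inferred.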