authorJamie Austin <jamiea@opusv.com.au>2023-01-26 16:34:36 +1100
committerJamie Austin <jamiea@opusv.com.au>2023-01-26 16:34:36 +1100
commit70794c8266ffefc6660daac3bc8a63b412d7b350 (patch)
treedc9b94123e3d68efafa63d63be54ca778ea99e9e /src
parent7634e16dcaaf4e08dec8bd9b92c6e731c32ef7cd (diff)
ocserv: T3896: add CLI options to configure ocserv config-per-user/group
Adds CLI configuration under VPN - OpenConnect to facilitate per-user/group VPN session configurations. Validation has been added to restrict config-per-group to OpenConnect RADIUS authentication, since the config file is looked up based on a RADIUS response attribute, and to sanity-check that the necessary options are configured when the feature is not disabled.
Diffstat (limited to 'src')
-rwxr-xr-xsrc/conf_mode/vpn_openconnect.py11
1 files changed, 11 insertions, 0 deletions
diff --git a/src/conf_mode/vpn_openconnect.py b/src/conf_mode/vpn_openconnect.py
index af3c51efc..12165a4f2 100755
--- a/src/conf_mode/vpn_openconnect.py
+++ b/src/conf_mode/vpn_openconnect.py
@@ -113,6 +113,17 @@ def verify(ocserv):
users_wo_pswd.append(user)
if users_wo_pswd:
raise ConfigError(f'password required for users:\n{users_wo_pswd}')
+ # Validate that if config-per-x is configured all child config nodes are set
+ if 'config_per_x' in ocserv["authentication"]:
+ if 'disabled' not in ocserv["authentication"]["config_per_x"]:
+ if 'mode' not in ocserv["authentication"]["config_per_x"]:
+ raise ConfigError('OpenConnect radius config-per-x enabled but mode not selected')
+ elif 'group' in ocserv["authentication"]["config_per_x"]["mode"] and "radius" not in ocserv["authentication"]["mode"]:
+ raise ConfigError('OpenConnect config-per-group must be used with radius authentication')
+ if 'directory' not in ocserv["authentication"]["config_per_x"]:
+ raise ConfigError('OpenConnect config-per-x enabled but directory not set')
+ if 'default_config' not in ocserv["authentication"]["config_per_x"]:
+ raise ConfigError('OpenConnect config-per-x enabled but default-config not set')
else:
raise ConfigError('openconnect authentication mode required')
else:
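Review bot: The message raised when `mode` is missing under `config_per_x` says "OpenConnect radius config-per-x enabled but mode not selected", but that branch fires for any authentication mode, not only RADIUS; the RADIUS requirement is only enforced two lines later for the `group` mode, so the message should read `raise ConfigError('OpenConnect config-per-x enabled but mode not selected')`. The same `ocserv["authentication"]["config_per_x"]` lookup is repeated six times across three nesting levels; binding it once to a local (`config_per_x = ocserv["authentication"]["config_per_x"]`) right after the `if 'config_per_x' in ...` test and using early `raise` statements at a single level would make the three presence checks read as a flat list. The checks confirm only that `directory` and `default_config` are set, not that the directory exists or the default config is readable — if that is not validated elsewhere in verify(), a typo there will surface only when ocserv loads the files; a short comment stating that existence is deliberately left to ocserv would at least make the contract explicit. The enclosing `if`/`else` that raises 'openconnect authentication mode required' begins outside the hunk, as does the rest of verify().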