summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--interface-definitions/vpn-sstp.xml.in25
-rwxr-xr-xsrc/conf_mode/vpn_sstp.py30
-rwxr-xr-xsrc/migration-scripts/sstp/1-to-2110
3 files changed, 139 insertions, 26 deletions
diff --git a/interface-definitions/vpn-sstp.xml.in b/interface-definitions/vpn-sstp.xml.in
index 59aae9f7f..b026417b3 100644
--- a/interface-definitions/vpn-sstp.xml.in
+++ b/interface-definitions/vpn-sstp.xml.in
@@ -260,25 +260,36 @@
<leafNode name="ca-cert-file">
<properties>
<help>Certificate Authority certificate</help>
- <completionHelp>
- <script>if [ -e /config/user-data/sstp ]; then ls /config/user-data/sstp; fi</script>
- </completionHelp>
+ <valueHelp>
+ <format>file</format>
+ <description>File in /config/auth directory</description>
+ </valueHelp>
+ <constraint>
+ <validator name="file-exists" argument="--directory /config/auth"/>
+ </constraint>
</properties>
</leafNode>
<leafNode name="cert-file">
<properties>
<help>Server Certificate</help>
<completionHelp>
- <script>if [ -e /config/user-data/sstp ]; then ls /config/user-data/sstp; fi</script>
+ <script>ls /config</script>
</completionHelp>
+ <constraint>
+ <validator name="file-exists" argument="--directory /config/auth"/>
+ </constraint>
</properties>
</leafNode>
<leafNode name="key-file">
<properties>
<help>Privat Key of the Server Certificate</help>
- <completionHelp>
- <script>if [ -e /config/user-data/sstp ]; then ls /config/user-data/sstp; fi</script>
- </completionHelp>
+ <valueHelp>
+ <format>file</format>
+ <description>File in /config/auth directory</description>
+ </valueHelp>
+ <constraint>
+ <validator name="file-exists" argument="--directory /config/auth"/>
+ </constraint>
</properties>
</leafNode>
</children>
diff --git a/src/conf_mode/vpn_sstp.py b/src/conf_mode/vpn_sstp.py
index 205702a9f..8583ece74 100755
--- a/src/conf_mode/vpn_sstp.py
+++ b/src/conf_mode/vpn_sstp.py
@@ -32,15 +32,11 @@ pidfile = r'/var/run/accel_sstp.pid'
sstp_cnf_dir = r'/etc/accel-ppp/sstp'
chap_secrets = sstp_cnf_dir + '/chap-secrets'
sstp_conf = sstp_cnf_dir + '/sstp.config'
-ssl_cert_dir = r'/config/user-data/sstp'
# config path creation
if not os.path.exists(sstp_cnf_dir):
os.makedirs(sstp_cnf_dir)
-if not os.path.exists(ssl_cert_dir):
- os.makedirs(ssl_cert_dir)
-
sstp_config = """### generated by vpn_sstp.py ###
[modules]
log_syslog
@@ -74,9 +70,9 @@ disable
[sstp]
verbose=1
accept=ssl
-ssl-ca-file=/config/user-data/sstp/{{ ssl_ca }}
-ssl-pemfile=/config/user-data/sstp/{{ ssl_cert }}
-ssl-keyfile=/config/user-data/sstp/{{ ssl_key }}
+ssl-ca-file={{ ssl_ca }}
+ssl-pemfile={{ ssl_cert }}
+ssl-keyfile={{ ssl_key }}
{% if client_ip_pool %}
[ip-pool]
@@ -452,22 +448,18 @@ def verify(sstp):
if not sstp['ssl_ca'] or not sstp['ssl_cert'] or not sstp['ssl_key']:
raise ConfigError('One or more SSL certificates missing')
- ssl_path = ssl_cert_dir + '/'
- if not os.path.exists(ssl_path + sstp['ssl_ca']):
- ca = ssl_path + sstp['ssl_ca']
- raise ConfigError(f'CA cert file {ca} does not exist')
+ if not os.path.exists(sstp['ssl_ca']):
+ raise ConfigError(f"CA cert file {sstp['ssl_ca']} does not exist")
- if not os.path.exists(ssl_path + sstp['ssl_cert']):
- cert = ssl_path + sstp['ssl_cert']
- raise ConfigError(f'SSL cert file {cert} does not exist')
+ if not os.path.exists(sstp['ssl_cert']):
+ raise ConfigError(f"SSL cert file {sstp['ssl_cert']} does not exist")
- if not os.path.exists(ssl_path + sstp['ssl_key']):
- key = ssl_path + sstp['ssl_key']
- raise ConfigError(f'SSL key file {key} does not exist')
+ if not os.path.exists(sstp['ssl_key']):
+ raise ConfigError(f"SSL key file {sstp['ssl_key']} does not exist")
if sstp['auth_mode'] == 'radius':
if len(sstp['radius_server']) == 0:
- raise ConfigError('RADIUS authentication requires at least one server')
+ raise ConfigError("RADIUS authentication requires at least one server")
for radius in sstp['radius_server']:
if not radius['key']:
@@ -489,7 +481,7 @@ def generate(sstp):
with open(chap_secrets, 'w') as f:
f.write(config_text)
- os.chmod(chap_secrets, S_IRUSR | S_IWUSR | S_IRGRP )
+ os.chmod(chap_secrets, S_IRUSR | S_IWUSR | S_IRGRP)
else:
if os.path.exists(chap_secrets):
os.unlink(chap_secrets)
diff --git a/src/migration-scripts/sstp/1-to-2 b/src/migration-scripts/sstp/1-to-2
new file mode 100755
index 000000000..94cb04831
--- /dev/null
+++ b/src/migration-scripts/sstp/1-to-2
@@ -0,0 +1,110 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2020 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+# - migrate relative path SSL certificate to absolute path, as certs are only
+# allowed to stored in /config/user-data/sstp/ this is pretty straight
+# forward move. Delete certificates from source directory
+
+import os
+import sys
+
+from shutil import copy2
+from stat import S_IRUSR, S_IWUSR, S_IRGRP, S_IROTH
+from vyos.configtree import ConfigTree
+
+if (len(sys.argv) < 1):
+ print("Must specify file name!")
+ sys.exit(1)
+
+file_name = sys.argv[1]
+
+with open(file_name, 'r') as f:
+ config_file = f.read()
+
+config = ConfigTree(config_file)
+base_path = ['vpn', 'sstp', 'ssl']
+if not config.exists(base_path):
+ # Nothing to do
+ sys.exit(0)
+else:
+ cert_path_old ='/config/user-data/sstp/'
+ cert_path_new ='/config/auth/sstp/'
+
+ if not os.path.isdir(cert_path_new):
+ os.mkdir(cert_path_new)
+
+ #
+ # migrate ca-cert-file to new path
+ if config.exists(base_path + ['ca-cert-file']):
+ tmp = config.return_value(base_path + ['ca-cert-file'])
+ cert_old = cert_path_old + tmp
+ cert_new = cert_path_new + tmp
+
+ if os.path.isfile(cert_old):
+ # adjust file permissions on source file,
+ # permissions will be copied by copy2()
+ os.chmod(cert_old, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH)
+ copy2(cert_old, cert_path_new)
+ # delete old certificate file
+ os.unlink(cert_old)
+
+ config.set(base_path + ['ca-cert-file'], value=cert_new, replace=True)
+
+ #
+ # migrate cert-file to new path
+ if config.exists(base_path + ['cert-file']):
+ tmp = config.return_value(base_path + ['cert-file'])
+ cert_old = cert_path_old + tmp
+ cert_new = cert_path_new + tmp
+
+ if os.path.isfile(cert_old):
+ # adjust file permissions on source file,
+ # permissions will be copied by copy2()
+ os.chmod(cert_old, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH)
+ copy2(cert_old, cert_path_new)
+ # delete old certificate file
+ os.unlink(cert_old)
+
+ config.set(base_path + ['cert-file'], value=cert_new, replace=True)
+
+ #
+ # migrate key-file to new path
+ if config.exists(base_path + ['key-file']):
+ tmp = config.return_value(base_path + ['key-file'])
+ cert_old = cert_path_old + tmp
+ cert_new = cert_path_new + tmp
+
+ if os.path.isfile(cert_old):
+ # adjust file permissions on source file,
+ # permissions will be copied by copy2()
+ os.chmod(cert_old, S_IRUSR | S_IWUSR)
+ copy2(cert_old, cert_path_new)
+ # delete old certificate file
+ os.unlink(cert_old)
+
+ config.set(base_path + ['key-file'], value=cert_new, replace=True)
+
+ #
+ # check if old certificate directory exists but is empty
+ if os.path.isdir(cert_path_old) and not os.listdir(cert_path_old):
+ os.rmdir(cert_path_old)
+
+ try:
+ with open(file_name, 'w') as f:
+ f.write(config.to_string())
+ except OSError as e:
+ print("Failed to save the modified config: {}".format(e))
+ sys.exit(1)