-rw-r--r-- | data/templates/ocserv/ocserv_config.j2 | 6 | ||||
-rw-r--r-- | interface-definitions/include/openconnect-identity-based-config.xml.i | 54 | ||||
-rw-r--r-- | interface-definitions/vpn-openconnect.xml.in | 53 | ||||
-rwxr-xr-x | src/conf_mode/vpn_openconnect.py | 3 |
4 files changed, 57 insertions, 59 deletions
diff --git a/data/templates/ocserv/ocserv_config.j2 b/data/templates/ocserv/ocserv_config.j2
index 8b9daed0f..1401b8b26 100644
--- a/data/templates/ocserv/ocserv_config.j2
+++ b/data/templates/ocserv/ocserv_config.j2
@@ -16,12 +16,10 @@ acct = "radius [config=/run/ocserv/radiusclient.conf]"
 {% if "radius" in authentication.mode %}
 auth = "radius [config=/run/ocserv/radiusclient.conf{{ ',groupconfig=true' if authentication.radius.groupconfig is vyos_defined else '' }}]"
-{% if "identity_based_config" in authentication %}
-{% if authentication.identity_based_config.disabled is not vyos_defined %}
-{% if "group" in authentication.identity_based_config.mode %}
+{% if authentication.identity_based_config.disabled is not vyos_defined %}
+{% if "group" in authentication.identity_based_config.mode %}
 config-per-group = {{ authentication.identity_based_config.directory }}
 default-group-config = {{ authentication.identity_based_config.default_config }}
-{% endif %}
 {% endif %}
 {% endif %}
 {% elif "local" in authentication.mode %}
diff --git a/interface-definitions/include/openconnect-identity-based-config.xml.i b/interface-definitions/include/openconnect-identity-based-config.xml.i
deleted file mode 100644
index dfc51936d..000000000
--- a/interface-definitions/include/openconnect-identity-based-config.xml.i
+++ /dev/null
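Review bot: Dropping the outer `{% if "identity_based_config" in authentication %}` guard leaves the first `+` line dereferencing `authentication.identity_based_config.disabled` even when the node is absent, which is the common case since nothing in this diff gives the node a default; that only renders cleanly if the template environment uses a chainable undefined, which is not visible here, and otherwise every RADIUS-mode config without identity-based-config fails at render time. Folding the existence test back into the same condition keeps the flattening while staying safe: `{% if authentication.identity_based_config is vyos_defined and authentication.identity_based_config.disabled is not vyos_defined %}`. Note also that `config-per-group` and `default-group-config` are emitted as soon as `mode` contains `group`, so if `directory` or `default-config` are unset the rendered ocserv.conf carries an empty value — verify() in vpn_openconnect.py is presumably where that is rejected, but only the `mode` check is visible in this commit.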
@@ -1,54 +0,0 @@
-<!-- include start from openconnect-identity-based-config.xml.i -->
-<node name="identity-based-config">
- <properties>
- <help>Configures OpenConnect to search the configured directory for a config file matching the Group name or Username</help>
- </properties>
- <children>
- <leafNode name="mode">
- <properties>
- <help>Configures OpenConnect to use config-per-group or config-per-user. Ignored if OpenConnect authentication group is configured.</help>
- <valueHelp>
- <format>user</format>
- <description>OpenConnect config file loaded by matching file in configured directory to the users username</description>
- </valueHelp>
- <valueHelp>
- <format>group</format>
- <description>OpenConnect config file loaded by matching RADIUS class attribute in the RADIUS server response to a file in the configured directory</description>
- </valueHelp>
- <constraint>
- <regex>(user|group)</regex>
- </constraint>
- <constraintErrorMessage>Invalid mode. Must be one of: user, group</constraintErrorMessage>
- <completionHelp>
- <list>user group</list>
- </completionHelp>
- </properties>
- </leafNode>
- <leafNode name="directory">
- <properties>
- <help>Directory to configure OpenConnect to use for matching username/group to config file</help>
- <valueHelp>
- <format>filename</format>
- <description>Must be a child directory of /config/auth e.g. /config/auth/ocserv/config-per-user</description>
- </valueHelp>
- <constraint>
- <validator name="file-path" argument="--directory --parent-dir /config/auth --strict"/>
- </constraint>
- </properties>
- </leafNode>
- <leafNode name="default-config">
- <properties>
- <help>Default/fallback config to use when a file cannot be found in the configured directory that matches the username/group</help>
- <valueHelp>
- <format>filename</format>
- <description>Child directory of /config/auth e.g. /config/auth/ocserv/defaults/user.conf</description>
- </valueHelp>
- <constraint>
- <validator name="file-path" argument="--file --parent-dir /config/auth --strict"/>
- </constraint>
- </properties>
- </leafNode>
- #include <include/generic-disable-node.xml.i>
- </children>
-</node>
-<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/vpn-openconnect.xml.in b/interface-definitions/vpn-openconnect.xml.in
index afc2a5383..75c64a99a 100644
--- a/interface-definitions/vpn-openconnect.xml.in
+++ b/interface-definitions/vpn-openconnect.xml.in
@@ -71,7 +71,58 @@
 </leafNode>
 </children>
 </node>
- #include <include/openconnect-identity-based-config.xml.i>
+ <node name="identity-based-config">
+ <properties>
+ <help>Include configuration file by username or RADIUS group attribute</help>
+ </properties>
+ <children>
+ #include <include/generic-disable-node.xml.i>
+ <leafNode name="mode">
+ <properties>
+ <help>Select per user or per group configuration file - ignored if authentication group is configured</help>
+ <completionHelp>
+ <list>user group</list>
+ </completionHelp>
+ <valueHelp>
+ <format>user</format>
+ <description>Match configuration file on username</description>
+ </valueHelp>
+ <valueHelp>
+ <format>group</format>
+ <description>Match RADIUS response class attribute as file name</description>
+ </valueHelp>
+ <constraint>
+ <regex>(user|group)</regex>
+ </constraint>
+ <constraintErrorMessage>Invalid mode, must be either user or group</constraintErrorMessage>
+ </properties>
+ </leafNode>
+ <leafNode name="directory">
+ <properties>
+ <help>Directory to containing configuration files</help>
+ <valueHelp>
+ <format>path</format>
+ <description>Path to configuration directory, must be under /config/auth</description>
+ </valueHelp>
+ <constraint>
+ <validator name="file-path" argument="--directory --parent-dir /config/auth --strict"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="default-config">
+ <properties>
+ <help>Default configuration if discrete config could not be found</help>
+ <valueHelp>
+ <format>filename</format>
+ <description>Default configuration filename, must be under /config/auth</description>
+ </valueHelp>
+ <constraint>
+ <validator name="file-path" argument="--file --parent-dir /config/auth --strict"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
 <leafNode name="group">
 <properties>
 <help>Group that a client is allowed to select (from a list). Maps to RADIUS Class attribute.</help> 
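Review bot: The `<help>` of the new `directory` leaf reads `Directory to containing configuration files`, which is ungrammatical; `Directory containing configuration files` is what was meant. The `default-config` help, `Default configuration if discrete config could not be found`, does not say what the file is — the template in this commit wires it to ocserv's `default-group-config`, so `Fallback ocserv configuration used when no per-user/per-group file matches` would tell the operator what they are pointing at. The `--parent-dir /config/auth --strict` constraints on both leaves are the important security property here (they keep ocserv from including arbitrary files on the box) and carry over from the deleted include unchanged. The enclosing `<node name="authentication">` starts before this hunk.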
diff --git a/src/conf_mode/vpn_openconnect.py b/src/conf_mode/vpn_openconnect.py
index 7b3325d95..83021a3e6 100755
--- a/src/conf_mode/vpn_openconnect.py
+++ b/src/conf_mode/vpn_openconnect.py
@@ -17,6 +17,7 @@ import os from sys import exit +from vyos.base import Warning from vyos.config import Config from vyos.configdict import dict_merge from vyos.pki import wrap_certificate
@@ -173,9 +174,11 @@ def verify(ocserv): users_wo_pswd.append(user) if users_wo_pswd: raise ConfigError(f'password required for users:\n{users_wo_pswd}') + # Validate that if identity-based-config is configured all child config nodes are set if 'identity_based_config' in ocserv["authentication"]: if 'disabled' not in ocserv["authentication"]["identity_based_config"]: + Warning("Identity based configuration files is a 3rd party addition. Use at your own risk, this might break the ocserv daemon!") if 'mode' not in ocserv["authentication"]["identity_based_config"]: raise ConfigError('OpenConnect radius identity-based-config enabled but mode not selected') elif 'group' in ocserv["authentication"]["identity_based_config"]["mode"] and "radius" not in ocserv["authentication"]["mode"]: |
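Review bot: `from vyos.base import Warning` rebinds the builtin `Warning` exception class to a plain function for the whole module, so any `except Warning:` in this file would raise `TypeError: catching classes that do not inherit from BaseException is not allowed` instead of catching anything. If the rest of the project imports it this way the shadowing is at least consistent, but `from vyos.base import Warning as warn` keeps the builtin reachable at no cost. The import block continues outside this hunk, so I cannot see whether anything else in the file relies on the builtin name.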
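Review bot: The message in the added `Warning(...)` call does not agree in number and runs two sentences together; `Warning('Identity-based configuration files are a 3rd-party addition; use at your own risk, this might break the ocserv daemon!')` reads correctly. The added comment promises that all child nodes are validated, but within this hunk only `mode` is checked, and the template in this same commit emits `config-per-group = ` and `default-group-config = ` whenever `mode` is `group`, so unless `directory` and `default-config` are checked further down an empty value reaches ocserv.conf and the daemon fails to start; either narrow the comment to what is checked or confirm those checks exist. verify() begins before this hunk and its `elif` chain continues after it.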