-rw-r--r-- | .github/workflows/pr-conflicts.yml | 4 | ||||
-rw-r--r-- | data/templates/ipsec/swanctl/remote_access.j2 | 5 | ||||
-rwxr-xr-x | smoketest/scripts/cli/test_vpn_ipsec.py | 4 | ||||
-rwxr-xr-x | src/op_mode/generate_tech-support_archive.py | 2 |
4 files changed, 12 insertions, 3 deletions
diff --git a/.github/workflows/pr-conflicts.yml b/.github/workflows/pr-conflicts.yml index 96040cd60..2fd0bb42d 100644 --- a/.github/workflows/pr-conflicts.yml +++ b/.github/workflows/pr-conflicts.yml @@ -6,10 +6,10 @@ on: jobs: Conflict_Check: name: 'Check PR status: conflicts and resolution' - runs-on: ubuntu-22.04 + runs-on: ubuntu-latest steps: - name: check if PRs are dirty - uses: eps1lon/actions-label-merge-conflict@releases/2.x + uses: eps1lon/actions-label-merge-conflict@v3 with: dirtyLabel: "state: conflict" removeOnDirtyLabel: "state: conflict resolved" diff --git a/data/templates/ipsec/swanctl/remote_access.j2 b/data/templates/ipsec/swanctl/remote_access.j2 index af7f2994e..adfa32bde 100644 --- a/data/templates/ipsec/swanctl/remote_access.j2 +++ b/data/templates/ipsec/swanctl/remote_access.j2 @@ -35,6 +35,11 @@ auth = {{ rw_conf.authentication.client_mode }} eap_id = %any {% endif %} +{% if rw_conf.authentication.client_mode is vyos_defined('eap-tls') or rw_conf.authentication.client_mode is vyos_defined('x509') %} +{# pass all configured CAs as filenames, separated by commas #} +{# this will produce a string like "MyCA1.pem,MyCA2.pem" #} + cacerts = {{ '.pem,'.join(rw_conf.authentication.x509.ca_certificate) ~ '.pem' }} +{% endif %} } children { ikev2-vpn { diff --git a/smoketest/scripts/cli/test_vpn_ipsec.py b/smoketest/scripts/cli/test_vpn_ipsec.py index 6d3a93877..145b5990e 100755 --- a/smoketest/scripts/cli/test_vpn_ipsec.py +++ b/smoketest/scripts/cli/test_vpn_ipsec.py @@ -757,6 +757,7 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase): f'id = "{local_id}"', f'auth = pubkey', f'certs = peer1.pem', + f'cacerts = MyVyOS-CA.pem', f'auth = eap-tls', f'eap_id = %any', f'esp_proposals = aes256-sha512,aes256-sha384,aes256-sha256,aes256-sha1,aes128gcm128-sha256', 
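Review bot: The new `uses:` line references a third-party action by the mutable tag `v3`, so whoever can move that tag decides what code runs in this job. Pinning to a full commit SHA with the version in a trailing comment, `uses: eps1lon/actions-label-merge-conflict@<full-commit-sha> # v3`, keeps every upgrade visible in review. `runs-on: ubuntu-latest` drifts in the same way, since the runner image can change without a commit here. The workflow's trigger and token permissions are outside this hunk; if the job runs with a write-scoped token, an explicit minimal `permissions:` block is worth confirming.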
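Review bot: The new `cacerts` line dereferences `rw_conf.authentication.x509.ca_certificate`, but the surrounding `{% if %}` tests only `client_mode`, so rendering relies on validation elsewhere to guarantee that at least one CA is set and that the value is a list. If the value ever reached the template as a plain string, `'.pem,'.join(...)` would join its characters and emit file names that do not exist. Adding `and rw_conf.authentication.x509.ca_certificate is vyos_defined` to the condition makes that dependency explicit. If this is the remote authentication section, as the adjacent `auth` and `eap_id` lines suggest, a comment such as `{# only accept client certificates issued by the configured CAs #}` would record why the option is set. The enclosing section opens outside the hunk.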
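Review bot: The expected string `f'cacerts = MyVyOS-CA.pem'` hard-codes the CA name in an f-string with no placeholder, while the later hunks in this file configure the CAs through `ca_name` and `int_ca_name`. The hunk at `@@ -867` does the same with `MyVyOS-CA.pem,MyVyOS-IntCA.pem`. If those names are in scope in these tests (their definitions are not visible here), `f'cacerts = {ca_name}.pem',` and `f'cacerts = {ca_name}.pem,{int_ca_name}.pem',` keep the expectation tied to what was actually configured. The test methods start and end outside the hunks.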
@@ -840,6 +841,7 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase): with self.assertRaises(ConfigSessionError): self.cli_commit() self.cli_set(base_path + ['remote-access', 'connection', conn_name, 'authentication', 'x509', 'ca-certificate', ca_name]) + self.cli_set(base_path + ['remote-access', 'connection', conn_name, 'authentication', 'x509', 'ca-certificate', int_ca_name]) self.cli_set(base_path + ['remote-access', 'connection', conn_name, 'esp-group', esp_group]) self.cli_set(base_path + ['remote-access', 'connection', conn_name, 'ike-group', ike_group]) @@ -867,6 +869,7 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase): f'id = "{local_id}"', f'auth = pubkey', f'certs = peer1.pem', + f'cacerts = MyVyOS-CA.pem,MyVyOS-IntCA.pem', f'esp_proposals = aes256-sha512,aes256-sha384,aes256-sha256,aes256-sha1,aes128gcm128-sha256', f'rekey_time = {eap_lifetime}s', f'rand_time = 540s', @@ -894,6 +897,7 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase): # Check Root CA, Intermediate CA and Peer cert/key pair is present self.assertTrue(os.path.exists(os.path.join(CA_PATH, f'{ca_name}.pem'))) + self.assertTrue(os.path.exists(os.path.join(CA_PATH, f'{int_ca_name}.pem'))) self.assertTrue(os.path.exists(os.path.join(CERT_PATH, f'{peer_name}.pem'))) self.tearDownPKI() diff --git a/src/op_mode/generate_tech-support_archive.py b/src/op_mode/generate_tech-support_archive.py index c490b0137..41b53cd15 100755 --- a/src/op_mode/generate_tech-support_archive.py +++ b/src/op_mode/generate_tech-support_archive.py @@ -120,7 +120,7 @@ if __name__ == '__main__': # Temporary directory creation tmp_dir_path = f'{tmp_path}/drops-debug_{time_now}' tmp_dir: Path = Path(tmp_dir_path) - tmp_dir.mkdir() + tmp_dir.mkdir(parents=True) report_file: Path = Path(f'{tmp_dir_path}/show_tech-support_report.txt') report_file.touch() |
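Review bot: `tmp_dir.mkdir(parents=True)` creates the staging directory and any missing parents with the default mode, filtered only by the process umask, and the name `drops-debug_{time_now}` is predictable. A tech-support report typically carries configuration and logs, so the directory should be private to the caller: `tmp_dir.mkdir(mode=0o700, parents=True)`. `pathlib` applies `mode` only to the leaf directory and creates parents with default permissions, so the location of `tmp_path` (defined outside this hunk) still matters. The `if __name__ == '__main__':` block continues past the hunk.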