summaryrefslogtreecommitdiff
path: root/src/conf_mode/interfaces-openvpn.py
diff options
context:
space:
mode:
Diffstat (limited to 'src/conf_mode/interfaces-openvpn.py')
-rwxr-xr-xsrc/conf_mode/interfaces-openvpn.py81
1 files changed, 25 insertions, 56 deletions
diff --git a/src/conf_mode/interfaces-openvpn.py b/src/conf_mode/interfaces-openvpn.py
index 6be4e918b..02b7f83bf 100755
--- a/src/conf_mode/interfaces-openvpn.py
+++ b/src/conf_mode/interfaces-openvpn.py
@@ -45,9 +45,10 @@ from vyos.template import is_ipv4
from vyos.template import is_ipv6
from vyos.util import call
from vyos.util import chown
-from vyos.util import chmod_600
from vyos.util import dict_search
from vyos.util import dict_search_args
+from vyos.util import makedir
+from vyos.util import write_file
from vyos.validate import is_addr_assigned
from vyos import ConfigError
@@ -80,9 +81,6 @@ def get_config(config=None):
openvpn['pki'] = tmp_pki
openvpn['auth_user_pass_file'] = '/run/openvpn/{ifname}.pw'.format(**openvpn)
- openvpn['daemon_user'] = user
- openvpn['daemon_group'] = group
-
return openvpn
def is_ec_private_key(pki, cert_name):
@@ -128,7 +126,7 @@ def verify_pki(openvpn):
if tls['ca_certificate'] not in pki['ca']:
raise ConfigError(f'Invalid CA certificate on openvpn interface {interface}')
- if not (mode == 'client' and 'auth_key' in tls):
+ if mode != 'client' and 'auth_key' not in tls:
if 'certificate' not in tls:
raise ConfigError(f'Missing "tls certificate" on openvpn interface {interface}')
@@ -449,7 +447,6 @@ def verify(openvpn):
def generate_pki_files(openvpn):
pki = openvpn['pki']
-
if not pki:
return None
@@ -457,16 +454,11 @@ def generate_pki_files(openvpn):
shared_secret_key = dict_search_args(openvpn, 'shared_secret_key')
tls = dict_search_args(openvpn, 'tls')
- files = []
-
if shared_secret_key:
pki_key = pki['openvpn']['shared_secret'][shared_secret_key]
key_path = os.path.join(cfg_dir, f'{interface}_shared.key')
-
- with open(key_path, 'w') as f:
- f.write(wrap_openvpn_key(pki_key['key']))
-
- files.append(key_path)
+ write_file(key_path, wrap_openvpn_key(pki_key['key']),
+ user=user, group=group)
if tls:
if 'ca_certificate' in tls:
@@ -475,20 +467,15 @@ def generate_pki_files(openvpn):
if 'certificate' in pki_ca:
cert_path = os.path.join(cfg_dir, f'{interface}_ca.pem')
-
- with open(cert_path, 'w') as f:
- f.write(wrap_certificate(pki_ca['certificate']))
-
- files.append(cert_path)
+ write_file(cert_path, wrap_certificate(pki_ca['certificate']),
+ user=user, group=group, mode=0o600)
if 'crl' in pki_ca:
for crl in pki_ca['crl']:
crl_path = os.path.join(cfg_dir, f'{interface}_crl.pem')
+ write_file(crl_path, wrap_crl(crl), user=user, group=group,
+ mode=0o600)
- with open(crl_path, 'w') as f:
- f.write(wrap_crl(crl))
-
- files.append(crl_path)
openvpn['tls']['crl'] = True
if 'certificate' in tls:
@@ -497,19 +484,14 @@ def generate_pki_files(openvpn):
if 'certificate' in pki_cert:
cert_path = os.path.join(cfg_dir, f'{interface}_cert.pem')
-
- with open(cert_path, 'w') as f:
- f.write(wrap_certificate(pki_cert['certificate']))
-
- files.append(cert_path)
+ write_file(cert_path, wrap_certificate(pki_cert['certificate']),
+ user=user, group=group, mode=0o600)
if 'private' in pki_cert and 'key' in pki_cert['private']:
key_path = os.path.join(cfg_dir, f'{interface}_cert.key')
+ write_file(key_path, wrap_private_key(pki_cert['private']['key']),
+ user=user, group=group, mode=0o600)
- with open(key_path, 'w') as f:
- f.write(wrap_private_key(pki_cert['private']['key']))
-
- files.append(key_path)
openvpn['tls']['private_key'] = True
if 'dh_params' in tls:
@@ -518,11 +500,8 @@ def generate_pki_files(openvpn):
if 'parameters' in pki_dh:
dh_path = os.path.join(cfg_dir, f'{interface}_dh.pem')
-
- with open(dh_path, 'w') as f:
- f.write(wrap_dh_parameters(pki_dh['parameters']))
-
- files.append(dh_path)
+ write_file(dh_path, wrap_dh_parameters(pki_dh['parameters']),
+ user=user, group=group, mode=0o600)
if 'auth_key' in tls:
key_name = tls['auth_key']
@@ -530,11 +509,8 @@ def generate_pki_files(openvpn):
if 'key' in pki_key:
key_path = os.path.join(cfg_dir, f'{interface}_auth.key')
-
- with open(key_path, 'w') as f:
- f.write(wrap_openvpn_key(pki_key['key']))
-
- files.append(key_path)
+ write_file(key_path, wrap_openvpn_key(pki_key['key']),
+ user=user, group=group, mode=0o600)
if 'crypt_key' in tls:
key_name = tls['crypt_key']
@@ -542,18 +518,17 @@ def generate_pki_files(openvpn):
if 'key' in pki_key:
key_path = os.path.join(cfg_dir, f'{interface}_crypt.key')
-
- with open(key_path, 'w') as f:
- f.write(wrap_openvpn_key(pki_key['key']))
-
- files.append(key_path)
-
- return files
+ write_file(key_path, wrap_openvpn_key(pki_key['key']),
+ user=user, group=group, mode=0o600)
def generate(openvpn):
interface = openvpn['ifname']
directory = os.path.dirname(cfg_file.format(**openvpn))
+ # create base config directory on demand
+ makedir(directory, user, group)
+ # enforce proper permissions on /run/openvpn
+ chown(directory, user, group)
# we can't know in advance which clients have been removed,
# thus all client configs will be removed and re-added on demand
@@ -565,12 +540,10 @@ def generate(openvpn):
return None
# create client config directory on demand
- if not os.path.exists(ccd_dir):
- os.makedirs(ccd_dir, 0o755)
- chown(ccd_dir, user, group)
+ makedir(ccd_dir, user, group)
# Fix file permissons for keys
- fix_permissions = generate_pki_files(openvpn)
+ generate_pki_files(openvpn)
# Generate User/Password authentication file
if 'authentication' in openvpn:
@@ -598,10 +571,6 @@ def generate(openvpn):
render(cfg_file.format(**openvpn), 'openvpn/server.conf.tmpl', openvpn,
formater=lambda _: _.replace(""", '"'), user=user, group=group)
- # Fixup file permissions
- for file in fix_permissions:
- chmod_600(file)
-
return None
def apply(openvpn):
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-20 04:00:39 +0000