Diffstat (limited to 'src/conf_mode/vpn_sstp.py')
-rwxr-xr-xsrc/conf_mode/vpn_sstp.py88
1 files changed, 49 insertions, 39 deletions
diff --git a/src/conf_mode/vpn_sstp.py b/src/conf_mode/vpn_sstp.py
index 5c229fe62..8661a8aff 100755
--- a/src/conf_mode/vpn_sstp.py
+++ b/src/conf_mode/vpn_sstp.py
@@ -26,7 +26,9 @@ from vyos.template import render
from vyos.utils.process import call
from vyos.utils.network import check_port_availability
from vyos.utils.dict import dict_search
-from vyos.accel_ppp_util import verify_accel_ppp_base_service
+from vyos.accel_ppp_util import verify_accel_ppp_name_servers
+from vyos.accel_ppp_util import verify_accel_ppp_wins_servers
+from vyos.accel_ppp_util import verify_accel_ppp_authentication
from vyos.accel_ppp_util import verify_accel_ppp_ip_pool
from vyos.accel_ppp_util import get_pools_in_order
from vyos.utils.network import is_listen_port_bind_service
@@ -43,48 +45,18 @@ cert_file_path = os.path.join(cfg_dir, 'sstp-cert.pem')
cert_key_path = os.path.join(cfg_dir, 'sstp-cert.key')
ca_cert_file_path = os.path.join(cfg_dir, 'sstp-ca.pem')
-def get_config(config=None):
- if config:
- conf = config
- else:
- conf = Config()
- base = ['vpn', 'sstp']
- if not conf.exists(base):
- return None
-
- # retrieve common dictionary keys
- sstp = get_accel_dict(conf, base, sstp_chap_secrets, with_pki=True)
- if dict_search('client_ip_pool', sstp):
- # Multiple named pools require ordered values T5099
- sstp['ordered_named_pools'] = get_pools_in_order(dict_search('client_ip_pool', sstp))
-
- sstp['server_type'] = 'sstp'
- return sstp
-
-
-def verify(sstp):
- if not sstp:
- return None
-
- port = sstp.get('port')
- proto = 'tcp'
- if check_port_availability('0.0.0.0', int(port), proto) is not True and \
- not is_listen_port_bind_service(int(port), 'accel-pppd'):
- raise ConfigError(f'"{proto}" port "{port}" is used by another service')
-
- verify_accel_ppp_base_service(sstp)
- verify_accel_ppp_ip_pool(sstp)
+def verify_certificate(config):
#
# SSL certificate checks
#
- if not sstp['pki']:
+ if not config['pki']:
raise ConfigError('PKI is not configured')
- if 'ssl' not in sstp:
+ if 'ssl' not in config:
raise ConfigError('SSL missing on SSTP config')
- ssl = sstp['ssl']
+ ssl = config['ssl']
# CA
if 'ca_certificate' not in ssl:
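Review bot: The new `verify_certificate` at the top of this hunk has no docstring; the `# SSL certificate checks` banner that moved inside its body stands in for one, and the function runs across the next three hunks, so a reader of verify() has to page through all of them to learn its contract. Suggest replacing the banner with `"""Validate the CA and server certificate referenced by config['ssl'] against config['pki']; raises ConfigError on any missing or invalid entry."""`. `config['pki']` and `config['pki']['ca']` are indexed directly, so a dictionary lacking those keys would surface as a KeyError rather than a ConfigError — presumably get_accel_dict(with_pki=True) always populates them, but if that is not guaranteed a `config.get('pki')` guard would keep the failure a configuration error. The function body continues beyond this hunk.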
@@ -92,10 +64,10 @@ def verify(sstp):
ca_name = ssl['ca_certificate']
- if ca_name not in sstp['pki']['ca']:
+ if ca_name not in config['pki']['ca']:
raise ConfigError('Invalid CA certificate on SSTP config')
- if 'certificate' not in sstp['pki']['ca'][ca_name]:
+ if 'certificate' not in config['pki']['ca'][ca_name]:
raise ConfigError('Missing certificate data for CA certificate on SSTP config')
# Certificate
@@ -104,10 +76,10 @@ def verify(sstp):
cert_name = ssl['certificate']
- if cert_name not in sstp['pki']['certificate']:
+ if cert_name not in config['pki']['certificate']:
raise ConfigError('Invalid certificate on SSTP config')
- pki_cert = sstp['pki']['certificate'][cert_name]
+ pki_cert = config['pki']['certificate'][cert_name]
if 'certificate' not in pki_cert:
raise ConfigError('Missing certificate data for certificate on SSTP config')
@@ -118,6 +90,43 @@ def verify(sstp):
if 'password_protected' in pki_cert['private']:
raise ConfigError('Encrypted private key is not supported on SSTP config')
+
+def get_config(config=None):
+ if config:
+ conf = config
+ else:
+ conf = Config()
+ base = ['vpn', 'sstp']
+ if not conf.exists(base):
+ return None
+
+ # retrieve common dictionary keys
+ sstp = get_accel_dict(conf, base, sstp_chap_secrets, with_pki=True)
+ if dict_search('client_ip_pool', sstp):
+ # Multiple named pools require ordered values T5099
+ sstp['ordered_named_pools'] = get_pools_in_order(dict_search('client_ip_pool', sstp))
+
+ sstp['server_type'] = 'sstp'
+ return sstp
+
+
+def verify(sstp):
+ if not sstp:
+ return None
+
+ port = sstp.get('port')
+ proto = 'tcp'
+ if check_port_availability('0.0.0.0', int(port), proto) is not True and \
+ not is_listen_port_bind_service(int(port), 'accel-pppd'):
+ raise ConfigError(f'"{proto}" port "{port}" is used by another service')
+
+ verify_accel_ppp_authentication(sstp)
+ verify_accel_ppp_ip_pool(sstp)
+ verify_accel_ppp_name_servers(sstp)
+ verify_accel_ppp_wins_servers(sstp)
+ verify_certificate(sstp)
+
+
def generate(sstp):
if not sstp:
return None
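Review bot: verify() now replaces the single `verify_accel_ppp_base_service(sstp)` call with three narrower helpers (authentication, name servers, WINS servers); any check the base helper performed beyond those three — its body is not visible here — is silently dropped from SSTP validation, so please confirm the new set is a superset before merging. The port check still does `int(port)` on `sstp.get('port')`, which raises TypeError instead of ConfigError when the key is absent; if get_accel_dict does not guarantee a default, a guard such as `if port is None: raise ConfigError('SSTP port must be configured')` would keep the failure a configuration error. Neither get_config() nor verify() carries a docstring; a one-liner on verify(), e.g. `"""Validate the SSTP server dictionary: port availability, PPP options, IP pools and PKI material; raises ConfigError."""`, would document the contract the new helper calls implement.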
@@ -143,6 +152,7 @@ def generate(sstp):
return sstp
+
def apply(sstp):
if not sstp:
call('systemctl stop accel-ppp@sstp.service')