diff options
Diffstat (limited to 'src/conf_mode/vpn_sstp.py')
-rwxr-xr-x | src/conf_mode/vpn_sstp.py | 88 |
1 files changed, 49 insertions, 39 deletions
diff --git a/src/conf_mode/vpn_sstp.py b/src/conf_mode/vpn_sstp.py index 5c229fe62..8661a8aff 100755 --- a/src/conf_mode/vpn_sstp.py +++ b/src/conf_mode/vpn_sstp.py @@ -26,7 +26,9 @@ from vyos.template import render from vyos.utils.process import call from vyos.utils.network import check_port_availability from vyos.utils.dict import dict_search -from vyos.accel_ppp_util import verify_accel_ppp_base_service +from vyos.accel_ppp_util import verify_accel_ppp_name_servers +from vyos.accel_ppp_util import verify_accel_ppp_wins_servers +from vyos.accel_ppp_util import verify_accel_ppp_authentication from vyos.accel_ppp_util import verify_accel_ppp_ip_pool from vyos.accel_ppp_util import get_pools_in_order from vyos.utils.network import is_listen_port_bind_service @@ -43,48 +45,18 @@ cert_file_path = os.path.join(cfg_dir, 'sstp-cert.pem') cert_key_path = os.path.join(cfg_dir, 'sstp-cert.key') ca_cert_file_path = os.path.join(cfg_dir, 'sstp-ca.pem') -def get_config(config=None): - if config: - conf = config - else: - conf = Config() - base = ['vpn', 'sstp'] - if not conf.exists(base): - return None - - # retrieve common dictionary keys - sstp = get_accel_dict(conf, base, sstp_chap_secrets, with_pki=True) - if dict_search('client_ip_pool', sstp): - # Multiple named pools require ordered values T5099 - sstp['ordered_named_pools'] = get_pools_in_order(dict_search('client_ip_pool', sstp)) - - sstp['server_type'] = 'sstp' - return sstp - - -def verify(sstp): - if not sstp: - return None - - port = sstp.get('port') - proto = 'tcp' - if check_port_availability('0.0.0.0', int(port), proto) is not True and \ - not is_listen_port_bind_service(int(port), 'accel-pppd'): - raise ConfigError(f'"{proto}" port "{port}" is used by another service') - - verify_accel_ppp_base_service(sstp) - verify_accel_ppp_ip_pool(sstp) +def verify_certificate(config): # # SSL certificate checks # - if not sstp['pki']: + if not config['pki']: raise ConfigError('PKI is not configured') - if 'ssl' not in sstp: + if 'ssl' not in config: raise ConfigError('SSL missing on SSTP config') - ssl = sstp['ssl'] + ssl = config['ssl'] # CA if 'ca_certificate' not in ssl: @@ -92,10 +64,10 @@ def verify(sstp): ca_name = ssl['ca_certificate'] - if ca_name not in sstp['pki']['ca']: + if ca_name not in config['pki']['ca']: raise ConfigError('Invalid CA certificate on SSTP config') - if 'certificate' not in sstp['pki']['ca'][ca_name]: + if 'certificate' not in config['pki']['ca'][ca_name]: raise ConfigError('Missing certificate data for CA certificate on SSTP config') # Certificate @@ -104,10 +76,10 @@ def verify(sstp): cert_name = ssl['certificate'] - if cert_name not in sstp['pki']['certificate']: + if cert_name not in config['pki']['certificate']: raise ConfigError('Invalid certificate on SSTP config') - pki_cert = sstp['pki']['certificate'][cert_name] + pki_cert = config['pki']['certificate'][cert_name] if 'certificate' not in pki_cert: raise ConfigError('Missing certificate data for certificate on SSTP config') @@ -118,6 +90,43 @@ def verify(sstp): if 'password_protected' in pki_cert['private']: raise ConfigError('Encrypted private key is not supported on SSTP config') + +def get_config(config=None): + if config: + conf = config + else: + conf = Config() + base = ['vpn', 'sstp'] + if not conf.exists(base): + return None + + # retrieve common dictionary keys + sstp = get_accel_dict(conf, base, sstp_chap_secrets, with_pki=True) + if dict_search('client_ip_pool', sstp): + # Multiple named pools require ordered values T5099 + sstp['ordered_named_pools'] = get_pools_in_order(dict_search('client_ip_pool', sstp)) + + sstp['server_type'] = 'sstp' + return sstp + + +def verify(sstp): + if not sstp: + return None + + port = sstp.get('port') + proto = 'tcp' + if check_port_availability('0.0.0.0', int(port), proto) is not True and \ + not is_listen_port_bind_service(int(port), 'accel-pppd'): + raise ConfigError(f'"{proto}" port "{port}" is used by another service') + + verify_accel_ppp_authentication(sstp) + verify_accel_ppp_ip_pool(sstp) + verify_accel_ppp_name_servers(sstp) + verify_accel_ppp_wins_servers(sstp) + verify_certificate(sstp) + + def generate(sstp): if not sstp: return None @@ -143,6 +152,7 @@ def generate(sstp): return sstp + def apply(sstp): if not sstp: call('systemctl stop accel-ppp@sstp.service') |