From 9d48ba7a84d3a29ac3f83b983159019e3ce11e3c Mon Sep 17 00:00:00 2001
From: Jernej Jakob
Date: Tue, 24 Mar 2020 21:57:15 +0100
Subject: openvpn: T2146: delete old client configs

Previously old client configs for clients that were deleted from the server stayed in the ccd directory, causing them to still be used. As we can't know which clients were deleted, this deletes all the client configs as they are recreated shortly later.
---
 src/conf_mode/interfaces-openvpn.py | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/src/conf_mode/interfaces-openvpn.py b/src/conf_mode/interfaces-openvpn.py
index 3a3c69e37..fe49f776b 100755
--- a/src/conf_mode/interfaces-openvpn.py
+++ b/src/conf_mode/interfaces-openvpn.py
@@ -28,6 +28,7 @@ from psutil import pid_exists
 from pwd import getpwnam
 from subprocess import Popen, PIPE
 from time import sleep
+from shutil import rmtree
 
 from vyos import ConfigError
 from vyos.config import Config
@@ -899,6 +900,10 @@ def generate(openvpn):
     interface = openvpn['intf']
     directory = os.path.dirname(get_config_name(interface))
 
+    # we can't know which clients were deleted, remove all client configs
+    if os.path.isdir(os.path.join(directory, 'ccd', interface)):
+        rmtree(os.path.join(directory, 'ccd', interface), ignore_errors=True)
+
     # create config directory on demand
     openvpn_mkdir(directory)
     # create status directory on demand
@@ -977,11 +982,8 @@ def apply(openvpn):
 
     # cleanup client config dir
     directory = os.path.dirname(get_config_name(openvpn['intf']))
-    if os.path.isdir(directory + '/ccd/' + openvpn['intf']):
-        try:
-            os.remove(directory + '/ccd/' + openvpn['intf'] + '/*')
-        except:
-            pass
+    if os.path.isdir(os.path.join(directory, 'ccd', openvpn['intf'])):
+        rmtree(os.path.join(directory, 'ccd', openvpn['intf']), ignore_errors=True)
 
     return None
 
-- 
cgit v1.2.3

From 30b3a0af7e079bfdf9b0e696cccf0e052ff40e8d Mon Sep 17 00:00:00 2001
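Review bot: `rmtree(..., ignore_errors=True)` on the lines added to generate() swallows every failure, so if the ccd directory cannot be removed (permissions, an open file) the stale client configs this commit is meant to purge stay in place and nothing is reported; the replacement lines in the apply() hunk below have the same gap. With ignore_errors=True the preceding `isdir()` guard is also redundant, because a missing directory is ignored too, so the check only adds a check-then-act window. I would bind the path once, `ccd_dir = os.path.join(directory, 'ccd', interface)`, and either pass an `onerror` callback that logs the failed path or let the OSError surface as a ConfigError, so a failed cleanup is visible in the commit. Since the same two lines now appear in both generate() and apply(), a small private helper would keep them from drifting, and if the server is still running while generate() rewrites the directory, a client reconnecting between the removal and the regeneration would presumably find no per-client config, which is worth confirming against the restart ordering. Both generate() and apply() continue outside their hunks.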
From: Jernej Jakob
Date: Tue, 24 Mar 2020 21:59:54 +0100
Subject: openvpn: T2146: remove user/pass auth file when not needed

---
 src/conf_mode/interfaces-openvpn.py | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/conf_mode/interfaces-openvpn.py b/src/conf_mode/interfaces-openvpn.py
index fe49f776b..55f9aa67d 100755
--- a/src/conf_mode/interfaces-openvpn.py
+++ b/src/conf_mode/interfaces-openvpn.py
@@ -925,6 +925,11 @@ def generate(openvpn):
 
         fixup_permission(auth_file)
 
+    else:
+        # delete old auth file if present
+        if os.path.isfile('/tmp/openvpn-{}-pw'.format(interface)):
+            os.remove('/tmp/openvpn-{}-pw'.format(interface))
+
     # get numeric uid/gid
     uid = getpwnam(user).pw_uid
     gid = getgrnam(group).gr_gid
@@ -985,6 +990,10 @@ def apply(openvpn):
     if os.path.isdir(os.path.join(directory, 'ccd', openvpn['intf'])):
         rmtree(os.path.join(directory, 'ccd', openvpn['intf']), ignore_errors=True)
 
+    # cleanup auth file
+    if os.path.isfile('/tmp/openvpn-{}-pw'.format(openvpn['intf'])):
+        os.remove('/tmp/openvpn-{}-pw'.format(openvpn['intf']))
+
     return None
 
 # On configuration change we need to wait for the 'old' interface to
-- 
cgit v1.2.3
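Review bot: The added `else:` branch in generate() rebuilds the credential path as `'/tmp/openvpn-{}-pw'.format(interface)` instead of reusing the `auth_file` name the `if` branch passes to `fixup_permission(auth_file)` (presumably the same path), and the apply() hunk below spells the literal out twice more; computing `auth_file = '/tmp/openvpn-{}-pw'.format(interface)` once above the `if`, and once in apply(), keeps the place the file is written and the places it is removed from drifting apart. The `isfile()`-then-`remove()` pair on the added lines is also check-then-act: a dangling symlink or a directory at that name makes isfile() False and leaves the stale entry behind, while a removal racing with another process raises an uncaught FileNotFoundError. `with suppress(FileNotFoundError): os.remove(auth_file)` (with `from contextlib import suppress` added to the imports) covers both cases without the guard and applies equally to the apply() hunk. The `if` this `else:` belongs to starts above the hunk, and both generate() and apply() continue outside their hunks.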