From f40a192635ec3445997c100134a638b1faece044 Mon Sep 17 00:00:00 2001
From: Christian Poessinger
Date: Thu, 14 Apr 2022 21:38:57 +0200
Subject: ethernet: T4353: fix Jinja2 linting errors
---
data/templates/ethernet/wpa_supplicant.conf.j2 | 72 ++++++++++++++++++++++++
data/templates/ethernet/wpa_supplicant.conf.tmpl | 72 ------------------------
src/conf_mode/interfaces-ethernet.py | 2 +-
3 files changed, 73 insertions(+), 73 deletions(-)
create mode 100644 data/templates/ethernet/wpa_supplicant.conf.j2
delete mode 100644 data/templates/ethernet/wpa_supplicant.conf.tmpl
diff --git a/data/templates/ethernet/wpa_supplicant.conf.j2 b/data/templates/ethernet/wpa_supplicant.conf.j2
new file mode 100644
index 000000000..8f140f6cb
--- /dev/null
+++ b/data/templates/ethernet/wpa_supplicant.conf.j2
@@ -0,0 +1,72 @@
+### Autogenerated by interfaces-ethernet.py ###
+
+# see full documentation:
+# https://w1.fi/cgit/hostap/plain/wpa_supplicant/wpa_supplicant.conf
+
+# For UNIX domain sockets (default on Linux and BSD): This is a directory that
+# will be created for UNIX domain sockets for listening to requests from
+# external programs (CLI/GUI, etc.) for status information and configuration.
+# The socket file will be named based on the interface name, so multiple
+# wpa_supplicant processes can be run at the same time if more than one
+# interface is used.
+# /var/run/wpa_supplicant is the recommended directory for sockets and by
+# default, wpa_cli will use it when trying to connect with wpa_supplicant.
+ctrl_interface=/run/wpa_supplicant
+
+# IEEE 802.1X/EAPOL version
+# wpa_supplicant is implemented based on IEEE Std 802.1X-2004 which defines
+# EAPOL version 2. However, there are many APs that do not handle the new
+# version number correctly (they seem to drop the frames completely). In order
+# to make wpa_supplicant interoperate with these APs, the version number is set
+# to 1 by default. This configuration value can be used to set it to the new
+# version (2).
+# Note: When using MACsec, eapol_version shall be set to 3, which is
+# defined in IEEE Std 802.1X-2010.
+eapol_version=2
+
+# No need to scan for access points in EAPoL mode
+ap_scan=0
+
+# EAP fast re-authentication
+fast_reauth=1
+
+network={
+{% if eapol is vyos_defined %}
+{% if eapol.ca_certificate is vyos_defined %}
+ ca_cert="/run/wpa_supplicant/{{ ifname }}_ca.pem"
+{% endif %}
+ client_cert="/run/wpa_supplicant/{{ ifname }}_cert.pem"
+ private_key="/run/wpa_supplicant/{{ ifname }}_cert.key"
+{% endif %}
+
+ # list of accepted authenticated key management protocols
+ key_mgmt=IEEE8021X
+ eap=TLS
+
+{% if mac is vyos_defined %}
+ identity="{{ mac }}"
+{% else %}
+ identity="{{ hw_id }}"
+{% endif %}
+
+ # eapol_flags: IEEE 802.1X/EAPOL options (bit field)
+ # Dynamic WEP key required for non-WPA mode
+ # bit0 (1): require dynamically generated unicast WEP key
+ # bit1 (2): require dynamically generated broadcast WEP key
+ # (3) = require both keys; default)
+ # Note: When using wired authentication (including MACsec drivers),
+ # eapol_flags must be set to 0 for the authentication to be completed
+ # successfully.
+ eapol_flags=0
+
+ # For wired IEEE 802.1X authentication, "allow_canned_success=1" can be
+ # used to configure a mode that allows EAP-Success (and EAP-Failure) without
+ # going through authentication step. Some switches use such sequence when
+ # forcing the port to be authorized/unauthorized or as a fallback option if
+ # the authentication server is unreachable. By default, wpa_supplicant
+ # discards such frames to protect against potential attacks by rogue
+ # devices, but this option can be used to disable that protection for cases
+ # where the server/authenticator does not need to be authenticated.
+ phase1="allow_canned_success=1"
+}
+
diff --git a/data/templates/ethernet/wpa_supplicant.conf.tmpl b/data/templates/ethernet/wpa_supplicant.conf.tmpl
deleted file mode 100644
index 74f0999c1..000000000
--- a/data/templates/ethernet/wpa_supplicant.conf.tmpl
+++ /dev/null
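Review bot: `phase1="allow_canned_success=1"` is rendered unconditionally for every interface that has `eapol` configured, and the template's own comment above it states that this switches off wpa_supplicant's protection against unauthenticated EAP-Success/EAP-Failure frames from rogue devices; consider gating that line behind an opt-in option, e.g. wrapping it in `{% if eapol.<placeholder-option> is vyos_defined %}` … `{% endif %}` so the protected default stays in effect unless an operator asks otherwise. Likewise `ca_cert=` is only emitted when `eapol.ca_certificate` is defined, so without a CA the authentication server's certificate presumably goes unverified; a one-line template comment after that `{% endif %}`, `# no ca_cert configured: the authentication server's certificate is not validated`, would make the trade-off visible in the generated file. Minor: the `ctrl_interface` comment recommends /var/run/wpa_supplicant while the value written is /run/wpa_supplicant; aligning the comment with the value avoids confusion when the two paths are not the same directory.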
@@ -1,72 +0,0 @@
-### Autogenerated by interfaces-ethernet.py ###
-
-# see full documentation:
-# https://w1.fi/cgit/hostap/plain/wpa_supplicant/wpa_supplicant.conf
-
-# For UNIX domain sockets (default on Linux and BSD): This is a directory that
-# will be created for UNIX domain sockets for listening to requests from
-# external programs (CLI/GUI, etc.) for status information and configuration.
-# The socket file will be named based on the interface name, so multiple
-# wpa_supplicant processes can be run at the same time if more than one
-# interface is used.
-# /var/run/wpa_supplicant is the recommended directory for sockets and by
-# default, wpa_cli will use it when trying to connect with wpa_supplicant.
-ctrl_interface=/run/wpa_supplicant
-
-# IEEE 802.1X/EAPOL version
-# wpa_supplicant is implemented based on IEEE Std 802.1X-2004 which defines
-# EAPOL version 2. However, there are many APs that do not handle the new
-# version number correctly (they seem to drop the frames completely). In order
-# to make wpa_supplicant interoperate with these APs, the version number is set
-# to 1 by default. This configuration value can be used to set it to the new
-# version (2).
-# Note: When using MACsec, eapol_version shall be set to 3, which is
-# defined in IEEE Std 802.1X-2010.
-eapol_version=2
-
-# No need to scan for access points in EAPoL mode
-ap_scan=0
-
-# EAP fast re-authentication
-fast_reauth=1
-
-network={
-{% if eapol is vyos_defined %}
-{% if eapol.ca_certificate is vyos_defined %}
- ca_cert="/run/wpa_supplicant/{{ ifname }}_ca.pem"
-{% endif %}
- client_cert="/run/wpa_supplicant/{{ ifname }}_cert.pem"
- private_key="/run/wpa_supplicant/{{ ifname }}_cert.key"
-{% endif %}
-
- # list of accepted authenticated key management protocols
- key_mgmt=IEEE8021X
- eap=TLS
-
-{% if mac is vyos_defined %}
- identity="{{ mac }}"
-{% else %}
- identity="{{ hw_id }}"
-{% endif %}
-
- # eapol_flags: IEEE 802.1X/EAPOL options (bit field)
- # Dynamic WEP key required for non-WPA mode
- # bit0 (1): require dynamically generated unicast WEP key
- # bit1 (2): require dynamically generated broadcast WEP key
- # (3) = require both keys; default)
- # Note: When using wired authentication (including MACsec drivers),
- # eapol_flags must be set to 0 for the authentication to be completed
- # successfully.
- eapol_flags=0
-
- # For wired IEEE 802.1X authentication, "allow_canned_success=1" can be
- # used to configure a mode that allows EAP-Success (and EAP-Failure) without
- # going through authentication step. Some switches use such sequence when
- # forcing the port to be authorized/unauthorized or as a fallback option if
- # the authentication server is unreachable. By default, wpa_supplicant
- # discards such frames to protect against potential attacks by rogue
- # devices, but this option can be used to disable that protection for cases
- # where the server/authenticator does not need to be authenticated.
- phase1="allow_canned_success=1"
-}
-
diff --git a/src/conf_mode/interfaces-ethernet.py b/src/conf_mode/interfaces-ethernet.py
index 6aea7a80e..68f59893a 100755
--- a/src/conf_mode/interfaces-ethernet.py
+++ b/src/conf_mode/interfaces-ethernet.py
@@ -152,7 +152,7 @@ def verify(ethernet):
 def generate(ethernet):
 if 'eapol' in ethernet:
 render(wpa_suppl_conf.format(**ethernet),
- 'ethernet/wpa_supplicant.conf.tmpl', ethernet)
+ 'ethernet/wpa_supplicant.conf.j2', ethernet)
 
 ifname = ethernet['ifname']
 cert_file_path = os.path.join(cfg_dir, f'{ifname}_cert.pem')
-- 
cgit v1.2.3