From 70794c8266ffefc6660daac3bc8a63b412d7b350 Mon Sep 17 00:00:00 2001 From: Jamie Austin Date: Thu, 26 Jan 2023 16:34:36 +1100 Subject: ocserv: T3896: add CLI options to configure ocserv config-per-user/group Adds CLI configurations under VPN - OpenConnect to facilitate per user/group vpn session configurations. Validation has been added to restrict config-per-group to be exclusive to OpenConnect RADIUS authentication as the config file is looked up based on a RADIUS response attribute - as well as sanity check that the necessary configs are configured when not disabled. --- .../include/openconnect-config-per-x.xml.i | 54 ++++++++++++++++++++++ interface-definitions/vpn-openconnect.xml.in | 1 + 2 files changed, 55 insertions(+) create mode 100644 interface-definitions/include/openconnect-config-per-x.xml.i (limited to 'interface-definitions') diff --git a/interface-definitions/include/openconnect-config-per-x.xml.i b/interface-definitions/include/openconnect-config-per-x.xml.i new file mode 100644 index 000000000..71bbdd68f --- /dev/null +++ b/interface-definitions/include/openconnect-config-per-x.xml.i 
@@ -0,0 +1,54 @@ + + + + Configures ocserv to search the configured directory for a config file matching the Group name or username + + + + + ocserv will ignore these configs if groupconfig is enabled TODO: explain this in better detail - need to make it clear this is in reference to the groupconfig vyos config that lives up one level from here + + user + ocserv config file loaded by matching file in configured directory to the users username + + + group + ocserv config file loaded by matching RADIUS class attribute in the RADIUS server response to a file in the configured directory + + + (user|group) + + Invalid config-per-x. Must be one of: user, group + + user group + + + + + + Child directory of /config/auth e.g. /config/auth/ocserv/config-per-user + + filename + Child directory of /config/auth e.g. /config/auth/ocserv/config-per-user + + + + + + + + + Default/fallback config to use when a file cannot be found in the configured directory that matches the username/group + + filename + Child directory of /config/auth e.g. /config/auth/ocserv/defaults/user.conf + + + + + + + #include + + + \ No newline at end of file diff --git a/interface-definitions/vpn-openconnect.xml.in b/interface-definitions/vpn-openconnect.xml.in index 82fe2bbc9..24d24568f 100644 --- a/interface-definitions/vpn-openconnect.xml.in +++ b/interface-definitions/vpn-openconnect.xml.in @@ -50,6 +50,7 @@ + #include Group that a client is allowed to select (from a list). Maps to RADIUS Class attribute. -- cgit v1.2.3 From 80d83f6392ceac3907a9c23c6525c984e5808b4d Mon Sep 17 00:00:00 2001 From: Jamie Austin Date: Thu, 2 Feb 2023 09:56:48 +1100 Subject: ocserv: T3896: CLI help and description rewording --- .../include/openconnect-config-per-x.xml.i | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) (limited to 'interface-definitions') 
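Review bot: The `directory` and `default-config` leaves tell the operator the value "Must be a child directory of /config/auth", but nothing visible in this hunk enforces it — `filename` is only a completion hint, so unless the stripped markup contains a validator element (its tag would carry no visible text here, please confirm), any absolute path typed at the CLI is handed to ocserv unchanged as `config-per-user`/`config-per-group` and `default-*-config`. A restriction that matters for which files the daemon reads should be a constraint, not help text: suggest a regex anchored at `^/config/auth/` on both leaves with an error such as `Path must be below /config/auth`. The `default-config` help also calls the value a "Child directory" although the example is a file; `Must be a file below /config/auth e.g. /config/auth/ocserv/defaults/user.conf` would be accurate. The "Ignored if OpenConnect authentication group is configured" sentence on `mode` would be clearer if it named the exact node it refers to, since the rendered template does not visibly implement that exclusion.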
diff --git a/interface-definitions/include/openconnect-config-per-x.xml.i b/interface-definitions/include/openconnect-config-per-x.xml.i index 71bbdd68f..c9b200249 100644 --- a/interface-definitions/include/openconnect-config-per-x.xml.i +++ b/interface-definitions/include/openconnect-config-per-x.xml.i @@ -1,24 +1,24 @@ - Configures ocserv to search the configured directory for a config file matching the Group name or username + Configures OpenConnect to search the configured directory for a config file matching the Group name or Username - ocserv will ignore these configs if groupconfig is enabled TODO: explain this in better detail - need to make it clear this is in reference to the groupconfig vyos config that lives up one level from here + Configures OpenConnect to use config-per-group or config-per-user. Ignored if OpenConnect authentication group is configured. user - ocserv config file loaded by matching file in configured directory to the users username + OpenConnect config file loaded by matching file in configured directory to the users username group - ocserv config file loaded by matching RADIUS class attribute in the RADIUS server response to a file in the configured directory + OpenConnect config file loaded by matching RADIUS class attribute in the RADIUS server response to a file in the configured directory (user|group) - Invalid config-per-x. Must be one of: user, group + Invalid mode. Must be one of: user, group user group @@ -26,10 +26,10 @@ - Child directory of /config/auth e.g. /config/auth/ocserv/config-per-user + Directory to configure OpenConnect to use for matching username/group to config file filename - Child directory of /config/auth e.g. /config/auth/ocserv/config-per-user + Must be a child directory of /config/auth e.g. /config/auth/ocserv/config-per-user -- cgit v1.2.3 From 93de3abe1368cab5ab8cd292689466d7af8e86bc Mon Sep 17 00:00:00 2001 
From: Jamie Austin Date: Thu, 20 Apr 2023 17:07:53 +1000 Subject: ocserv: T3896: refactor: change ocserv config-per-x node name Changes the node name from config-per-x to identity-based-config, as a result the j2 templates and vpn_openeconnect.py has been refactored to update the node name when accessing it's child nodes. --- data/templates/ocserv/ocserv_config.j2 | 18 ++++---- .../include/openconnect-config-per-x.xml.i | 54 ---------------------- .../openconnect-identity-based-config.xml.i | 54 ++++++++++++++++++++++ interface-definitions/vpn-openconnect.xml.in | 2 +- src/conf_mode/vpn_openconnect.py | 20 ++++---- 5 files changed, 74 insertions(+), 74 deletions(-) delete mode 100644 interface-definitions/include/openconnect-config-per-x.xml.i create mode 100644 interface-definitions/include/openconnect-identity-based-config.xml.i (limited to 'interface-definitions') diff --git a/data/templates/ocserv/ocserv_config.j2 b/data/templates/ocserv/ocserv_config.j2 index ea2c9e29f..52c208c0d 100644 --- a/data/templates/ocserv/ocserv_config.j2 +++ b/data/templates/ocserv/ocserv_config.j2 
@@ -12,11 +12,11 @@ run-as-group = daemon {% if "radius" in authentication.mode %} auth = "radius [config=/run/ocserv/radiusclient.conf{{ ',groupconfig=true' if authentication.radius.groupconfig is vyos_defined else '' }}]" -{% if "config_per_x" in authentication %} -{% if authentication.config_per_x.disabled is not vyos_defined %} -{% if "group" in authentication.config_per_x.mode %} -config-per-group = {{ authentication.config_per_x.directory }} -default-group-config = {{ authentication.config_per_x.default_config }} +{% if "identity_based_config" in authentication %} +{% if authentication.identity_based_config.disabled is not vyos_defined %} +{% if "group" in authentication.identity_based_config.mode %} +config-per-group = {{ authentication.identity_based_config.directory }} +default-group-config = {{ authentication.identity_based_config.default_config }} {% endif %} {% endif %} {% endif %} @@ -32,10 +32,10 @@ auth = "plain[/run/ocserv/ocpasswd]" auth = "plain[/run/ocserv/ocpasswd]" {% endif %} -{% if "config_per_x" in authentication %} -{% if "user" in authentication.config_per_x.mode %} -config-per-user = {{ authentication.config_per_x.directory }} -default-user-config = {{ authentication.config_per_x.default_config }} +{% if "identity_based_config" in authentication %} +{% if "user" in authentication.identity_based_config.mode %} +config-per-user = {{ authentication.identity_based_config.directory }} +default-user-config = {{ authentication.identity_based_config.default_config }} {% endif %} {% endif %} diff --git a/interface-definitions/include/openconnect-config-per-x.xml.i b/interface-definitions/include/openconnect-config-per-x.xml.i deleted file mode 100644 index c9b200249..000000000 --- a/interface-definitions/include/openconnect-config-per-x.xml.i +++ /dev/null 
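Review bot: The second hunk still emits `config-per-user`/`default-user-config` without checking `authentication.identity_based_config.disabled`, whereas the group branch in the first hunk guards on `disabled is not vyos_defined`; with `mode user` and `disable` set the directives are written anyway, and since verify() in vpn_openconnect.py skips its directory/default-config checks whenever `disabled` is present, the rendered config can reference unchecked paths the operator believed were switched off. Suggest the same guard in the user branch: `{% if authentication.identity_based_config.disabled is not vyos_defined %}` directly after the outer `{% if "identity_based_config" in authentication %}`, with a matching `{% endif %}`. The rename itself is straightforward; this is a pre-existing asymmetry the rename carries forward.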
@@ -1,54 +0,0 @@ - - - - Configures OpenConnect to search the configured directory for a config file matching the Group name or Username - - - - - Configures OpenConnect to use config-per-group or config-per-user. Ignored if OpenConnect authentication group is configured. - - user - OpenConnect config file loaded by matching file in configured directory to the users username - - - group - OpenConnect config file loaded by matching RADIUS class attribute in the RADIUS server response to a file in the configured directory - - - (user|group) - - Invalid mode. Must be one of: user, group - - user group - - - - - - Directory to configure OpenConnect to use for matching username/group to config file - - filename - Must be a child directory of /config/auth e.g. /config/auth/ocserv/config-per-user - - - - - - - - - Default/fallback config to use when a file cannot be found in the configured directory that matches the username/group - - filename - Child directory of /config/auth e.g. /config/auth/ocserv/defaults/user.conf - - - - - - - #include - - - \ No newline at end of file diff --git a/interface-definitions/include/openconnect-identity-based-config.xml.i b/interface-definitions/include/openconnect-identity-based-config.xml.i new file mode 100644 index 000000000..dfc51936d --- /dev/null +++ b/interface-definitions/include/openconnect-identity-based-config.xml.i 
@@ -0,0 +1,54 @@ + + + + Configures OpenConnect to search the configured directory for a config file matching the Group name or Username + + + + + Configures OpenConnect to use config-per-group or config-per-user. Ignored if OpenConnect authentication group is configured. + + user + OpenConnect config file loaded by matching file in configured directory to the users username + + + group + OpenConnect config file loaded by matching RADIUS class attribute in the RADIUS server response to a file in the configured directory + + + (user|group) + + Invalid mode. Must be one of: user, group + + user group + + + + + + Directory to configure OpenConnect to use for matching username/group to config file + + filename + Must be a child directory of /config/auth e.g. /config/auth/ocserv/config-per-user + + + + + + + + + Default/fallback config to use when a file cannot be found in the configured directory that matches the username/group + + filename + Child directory of /config/auth e.g. /config/auth/ocserv/defaults/user.conf + + + + + + + #include + + + \ No newline at end of file diff --git a/interface-definitions/vpn-openconnect.xml.in b/interface-definitions/vpn-openconnect.xml.in index 24d24568f..db575d227 100644 --- a/interface-definitions/vpn-openconnect.xml.in +++ b/interface-definitions/vpn-openconnect.xml.in @@ -50,7 +50,7 @@ - #include + #include Group that a client is allowed to select (from a list). Maps to RADIUS Class attribute. diff --git a/src/conf_mode/vpn_openconnect.py b/src/conf_mode/vpn_openconnect.py index 12165a4f2..16a5b5952 100755 --- a/src/conf_mode/vpn_openconnect.py +++ b/src/conf_mode/vpn_openconnect.py 
@@ -113,17 +113,17 @@ def verify(ocserv):
 users_wo_pswd.append(user)
 if users_wo_pswd:
 raise ConfigError(f'password required for users:\n{users_wo_pswd}')
- # Validate that if config-per-x is configured all child config nodes are set
- if 'config_per_x' in ocserv["authentication"]:
- if 'disabled' not in ocserv["authentication"]["config_per_x"]:
- if 'mode' not in ocserv["authentication"]["config_per_x"]:
- raise ConfigError('OpenConnect radius config-per-x enabled but mode not selected')
- elif 'group' in ocserv["authentication"]["config_per_x"]["mode"] and "radius" not in ocserv["authentication"]["mode"]: raise ConfigError('OpenConnect config-per-group must be used with radius authentication')
- if 'directory' not in ocserv["authentication"]["config_per_x"]:
- raise ConfigError('OpenConnect config-per-x enabled but directory not set')
- if 'default_config' not in ocserv["authentication"]["config_per_x"]:
- raise ConfigError('OpenConnect config-per-x enabled but default-config not set')
+ # Validate that if identity-based-config is configured all child config nodes are set
+ if 'identity_based_config' in ocserv["authentication"]:
+ if 'disabled' not in ocserv["authentication"]["identity_based_config"]:
+ if 'mode' not in ocserv["authentication"]["identity_based_config"]:
+ raise ConfigError('OpenConnect radius identity-based-config enabled but mode not selected')
+ elif 'group' in ocserv["authentication"]["identity_based_config"]["mode"] and "radius" not in ocserv["authentication"]["mode"]: raise ConfigError('OpenConnect config-per-group must be used with radius authentication')
+ if 'directory' not in ocserv["authentication"]["identity_based_config"]:
+ raise ConfigError('OpenConnect identity-based-config enabled but directory not set')
+ if 'default_config' not in ocserv["authentication"]["identity_based_config"]:
+ raise ConfigError('OpenConnect identity-based-config enabled but default-config not set')
 else:
 raise ConfigError('openconnect authentication mode required')
 else:
-- cgit v1.2.3
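Review bot: verify() only checks that `directory` and `default_config` are present, not that they point where the CLI help promises ("Must be a child directory of /config/auth") or that they exist, so a typo or an arbitrary path is accepted at commit time and only surfaces when ocserv reads its config. Unless the XML definition carries a validator for these leaves (not visible to me), I would add a check here, e.g. `ibc = ocserv["authentication"]["identity_based_config"]` followed by `if not os.path.realpath(ibc["directory"]).startswith('/config/auth/'): raise ConfigError('identity-based-config directory must be below /config/auth')`, repeated for `default_config`, resolving with realpath so `..` components cannot escape the allowed tree. The "mode not selected" message also says "radius" although mode `user` does not require RADIUS; `'OpenConnect identity-based-config enabled but mode not selected'` would be accurate. verify() begins and ends outside this hunk, and I cannot see whether `os` is already imported in the file.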