From 70794c8266ffefc6660daac3bc8a63b412d7b350 Mon Sep 17 00:00:00 2001
From: Jamie Austin <jamiea@opusv.com.au>
Date: Thu, 26 Jan 2023 16:34:36 +1100
Subject: ocserv: T3896: add CLI options to configure ocserv
 config-per-user/group

Adds CLI configurations under VPN - OpenConnect to facilitate per user/group vpn session configurations. Validation has been added to restrict config-per-group to be exclusive to OpenConnect RADIUS authentication as the config file is looked up based on a RADIUS response attribute - as well as sanity check that the necessary configs are configured when not disabled.
---
 .../include/openconnect-config-per-x.xml.i         | 54 ++++++++++++++++++++++
 interface-definitions/vpn-openconnect.xml.in       |  1 +
 2 files changed, 55 insertions(+)
 create mode 100644 interface-definitions/include/openconnect-config-per-x.xml.i

(limited to 'interface-definitions')

diff --git a/interface-definitions/include/openconnect-config-per-x.xml.i b/interface-definitions/include/openconnect-config-per-x.xml.i
new file mode 100644
index 000000000..71bbdd68f
--- /dev/null
+++ b/interface-definitions/include/openconnect-config-per-x.xml.i
@@ -0,0 +1,54 @@
+<!-- include start from openconnect-config-per-x.xml.i -->
+<node name="config-per-x">
+    <properties>
+        <help>Configures ocserv to search the configured directory for a config file matching the Group name or username</help>
+    </properties>
+    <children>
+        <leafNode name="mode">
+            <properties>
+                <help>ocserv will ignore these configs if groupconfig is enabled TODO: explain this in better detail - need to make it clear this is in reference to the groupconfig vyos config that lives up one level from here</help>
+                <valueHelp>
+                    <format>user</format>
+                    <description>ocserv config file loaded by matching file in configured directory to the users username</description>
+                </valueHelp>
+                <valueHelp>
+                    <format>group</format>
+                    <description>ocserv config file loaded by matching RADIUS class attribute in the RADIUS server response to a file in the configured directory</description>
+                </valueHelp>
+                <constraint>
+                    <regex>(user|group)</regex>
+                </constraint>
+                <constraintErrorMessage>Invalid config-per-x. Must be one of: user,  group </constraintErrorMessage>
+                <completionHelp>
+                    <list>user group</list>
+                </completionHelp>
+            </properties>
+        </leafNode>
+        <leafNode name="directory">
+            <properties>
+                <help>Child directory of /config/auth e.g. /config/auth/ocserv/config-per-user</help>
+                <valueHelp>
+                    <format>filename</format>
+                    <description>Child directory of /config/auth e.g. /config/auth/ocserv/config-per-user</description>
+                </valueHelp>
+                <constraint>
+                    <validator name="file-path" argument="--directory --parent-dir /config/auth --strict"/>
+                </constraint>
+            </properties>
+        </leafNode>
+        <leafNode name="default-config">
+            <properties>
+                <help>Default/fallback config to use when a file cannot be found in the configured directory that matches the username/group</help>
+                <valueHelp>
+                    <format>filename</format>
+                    <description>Child directory of /config/auth e.g. /config/auth/ocserv/defaults/user.conf</description>
+                </valueHelp>
+                <constraint>
+                    <validator name="file-path" argument="--file --parent-dir /config/auth --strict"/>
+                </constraint>
+            </properties>
+        </leafNode>
+        #include <include/generic-disable-node.xml.i>
+    </children>
+</node>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/vpn-openconnect.xml.in b/interface-definitions/vpn-openconnect.xml.in
index 82fe2bbc9..24d24568f 100644
--- a/interface-definitions/vpn-openconnect.xml.in
+++ b/interface-definitions/vpn-openconnect.xml.in
@@ -50,6 +50,7 @@
                   </leafNode>
                 </children>
               </node>
+              #include <include/openconnect-config-per-x.xml.i>
               <leafNode name="group">
                 <properties>
                   <help>Group that a client is allowed to select (from a list). Maps to RADIUS Class attribute.</help>
-- 
cgit v1.2.3


From 80d83f6392ceac3907a9c23c6525c984e5808b4d Mon Sep 17 00:00:00 2001
From: Jamie Austin <jamiea@opusv.com.au>
Date: Thu, 2 Feb 2023 09:56:48 +1100
Subject: ocserv: T3896: CLI help and description rewording

---
 .../include/openconnect-config-per-x.xml.i                 | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

(limited to 'interface-definitions')

diff --git a/interface-definitions/include/openconnect-config-per-x.xml.i b/interface-definitions/include/openconnect-config-per-x.xml.i
index 71bbdd68f..c9b200249 100644
--- a/interface-definitions/include/openconnect-config-per-x.xml.i
+++ b/interface-definitions/include/openconnect-config-per-x.xml.i
@@ -1,24 +1,24 @@
 <!-- include start from openconnect-config-per-x.xml.i -->
 <node name="config-per-x">
     <properties>
-        <help>Configures ocserv to search the configured directory for a config file matching the Group name or username</help>
+        <help>Configures OpenConnect to search the configured directory for a config file matching the Group name or Username</help>
     </properties>
     <children>
         <leafNode name="mode">
             <properties>
-                <help>ocserv will ignore these configs if groupconfig is enabled TODO: explain this in better detail - need to make it clear this is in reference to the groupconfig vyos config that lives up one level from here</help>
+                <help>Configures OpenConnect to use config-per-group or config-per-user. Ignored if OpenConnect authentication group is configured.</help>
                 <valueHelp>
                     <format>user</format>
-                    <description>ocserv config file loaded by matching file in configured directory to the users username</description>
+                    <description>OpenConnect config file loaded by matching file in configured directory to the users username</description>
                 </valueHelp>
                 <valueHelp>
                     <format>group</format>
-                    <description>ocserv config file loaded by matching RADIUS class attribute in the RADIUS server response to a file in the configured directory</description>
+                    <description>OpenConnect config file loaded by matching RADIUS class attribute in the RADIUS server response to a file in the configured directory</description>
                 </valueHelp>
                 <constraint>
                     <regex>(user|group)</regex>
                 </constraint>
-                <constraintErrorMessage>Invalid config-per-x. Must be one of: user,  group </constraintErrorMessage>
+                <constraintErrorMessage>Invalid mode. Must be one of: user, group</constraintErrorMessage>
                 <completionHelp>
                     <list>user group</list>
                 </completionHelp>
@@ -26,10 +26,10 @@
         </leafNode>
         <leafNode name="directory">
             <properties>
-                <help>Child directory of /config/auth e.g. /config/auth/ocserv/config-per-user</help>
+                <help>Directory to configure OpenConnect to use for matching username/group to config file</help>
                 <valueHelp>
                     <format>filename</format>
-                    <description>Child directory of /config/auth e.g. /config/auth/ocserv/config-per-user</description>
+                    <description>Must be a child directory of /config/auth e.g. /config/auth/ocserv/config-per-user</description>
                 </valueHelp>
                 <constraint>
                     <validator name="file-path" argument="--directory --parent-dir /config/auth --strict"/>
-- 
cgit v1.2.3


From 93de3abe1368cab5ab8cd292689466d7af8e86bc Mon Sep 17 00:00:00 2001
From: Jamie Austin <jamiea@opusv.com.au>
Date: Thu, 20 Apr 2023 17:07:53 +1000
Subject: ocserv: T3896: refactor: change ocserv config-per-x node name

Changes the node name from config-per-x to identity-based-config, as a result the j2 templates and vpn_openeconnect.py has been refactored to update the node name when accessing it's child nodes.
---
 data/templates/ocserv/ocserv_config.j2             | 18 ++++----
 .../include/openconnect-config-per-x.xml.i         | 54 ----------------------
 .../openconnect-identity-based-config.xml.i        | 54 ++++++++++++++++++++++
 interface-definitions/vpn-openconnect.xml.in       |  2 +-
 src/conf_mode/vpn_openconnect.py                   | 20 ++++----
 5 files changed, 74 insertions(+), 74 deletions(-)
 delete mode 100644 interface-definitions/include/openconnect-config-per-x.xml.i
 create mode 100644 interface-definitions/include/openconnect-identity-based-config.xml.i

(limited to 'interface-definitions')

diff --git a/data/templates/ocserv/ocserv_config.j2 b/data/templates/ocserv/ocserv_config.j2
index ea2c9e29f..52c208c0d 100644
--- a/data/templates/ocserv/ocserv_config.j2
+++ b/data/templates/ocserv/ocserv_config.j2
@@ -12,11 +12,11 @@ run-as-group = daemon
 
 {% if "radius" in authentication.mode %}
 auth = "radius [config=/run/ocserv/radiusclient.conf{{ ',groupconfig=true' if authentication.radius.groupconfig is vyos_defined else '' }}]"
-{%     if "config_per_x" in authentication %}
-{%         if authentication.config_per_x.disabled is not vyos_defined %}
-{%             if "group" in authentication.config_per_x.mode %}
-config-per-group = {{ authentication.config_per_x.directory }}
-default-group-config = {{ authentication.config_per_x.default_config }}
+{%     if "identity_based_config" in authentication %}
+{%         if authentication.identity_based_config.disabled is not vyos_defined %}
+{%             if "group" in authentication.identity_based_config.mode %}
+config-per-group = {{ authentication.identity_based_config.directory }}
+default-group-config = {{ authentication.identity_based_config.default_config }}
 {%             endif %}
 {%         endif %}
 {%     endif %}
@@ -32,10 +32,10 @@ auth = "plain[/run/ocserv/ocpasswd]"
 auth = "plain[/run/ocserv/ocpasswd]"
 {% endif %}
 
-{% if "config_per_x" in authentication %}
-{%     if "user" in authentication.config_per_x.mode %}
-config-per-user = {{ authentication.config_per_x.directory }}
-default-user-config = {{ authentication.config_per_x.default_config }}
+{% if "identity_based_config" in authentication %}
+{%     if "user" in authentication.identity_based_config.mode %}
+config-per-user = {{ authentication.identity_based_config.directory }}
+default-user-config = {{ authentication.identity_based_config.default_config }}
 {%     endif %}
 {% endif %}
 
diff --git a/interface-definitions/include/openconnect-config-per-x.xml.i b/interface-definitions/include/openconnect-config-per-x.xml.i
deleted file mode 100644
index c9b200249..000000000
--- a/interface-definitions/include/openconnect-config-per-x.xml.i
+++ /dev/null
@@ -1,54 +0,0 @@
-<!-- include start from openconnect-config-per-x.xml.i -->
-<node name="config-per-x">
-    <properties>
-        <help>Configures OpenConnect to search the configured directory for a config file matching the Group name or Username</help>
-    </properties>
-    <children>
-        <leafNode name="mode">
-            <properties>
-                <help>Configures OpenConnect to use config-per-group or config-per-user. Ignored if OpenConnect authentication group is configured.</help>
-                <valueHelp>
-                    <format>user</format>
-                    <description>OpenConnect config file loaded by matching file in configured directory to the users username</description>
-                </valueHelp>
-                <valueHelp>
-                    <format>group</format>
-                    <description>OpenConnect config file loaded by matching RADIUS class attribute in the RADIUS server response to a file in the configured directory</description>
-                </valueHelp>
-                <constraint>
-                    <regex>(user|group)</regex>
-                </constraint>
-                <constraintErrorMessage>Invalid mode. Must be one of: user, group</constraintErrorMessage>
-                <completionHelp>
-                    <list>user group</list>
-                </completionHelp>
-            </properties>
-        </leafNode>
-        <leafNode name="directory">
-            <properties>
-                <help>Directory to configure OpenConnect to use for matching username/group to config file</help>
-                <valueHelp>
-                    <format>filename</format>
-                    <description>Must be a child directory of /config/auth e.g. /config/auth/ocserv/config-per-user</description>
-                </valueHelp>
-                <constraint>
-                    <validator name="file-path" argument="--directory --parent-dir /config/auth --strict"/>
-                </constraint>
-            </properties>
-        </leafNode>
-        <leafNode name="default-config">
-            <properties>
-                <help>Default/fallback config to use when a file cannot be found in the configured directory that matches the username/group</help>
-                <valueHelp>
-                    <format>filename</format>
-                    <description>Child directory of /config/auth e.g. /config/auth/ocserv/defaults/user.conf</description>
-                </valueHelp>
-                <constraint>
-                    <validator name="file-path" argument="--file --parent-dir /config/auth --strict"/>
-                </constraint>
-            </properties>
-        </leafNode>
-        #include <include/generic-disable-node.xml.i>
-    </children>
-</node>
-<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/openconnect-identity-based-config.xml.i b/interface-definitions/include/openconnect-identity-based-config.xml.i
new file mode 100644
index 000000000..dfc51936d
--- /dev/null
+++ b/interface-definitions/include/openconnect-identity-based-config.xml.i
@@ -0,0 +1,54 @@
+<!-- include start from openconnect-identity-based-config.xml.i -->
+<node name="identity-based-config">
+    <properties>
+        <help>Configures OpenConnect to search the configured directory for a config file matching the Group name or Username</help>
+    </properties>
+    <children>
+        <leafNode name="mode">
+            <properties>
+                <help>Configures OpenConnect to use config-per-group or config-per-user. Ignored if OpenConnect authentication group is configured.</help>
+                <valueHelp>
+                    <format>user</format>
+                    <description>OpenConnect config file loaded by matching file in configured directory to the users username</description>
+                </valueHelp>
+                <valueHelp>
+                    <format>group</format>
+                    <description>OpenConnect config file loaded by matching RADIUS class attribute in the RADIUS server response to a file in the configured directory</description>
+                </valueHelp>
+                <constraint>
+                    <regex>(user|group)</regex>
+                </constraint>
+                <constraintErrorMessage>Invalid mode. Must be one of: user, group</constraintErrorMessage>
+                <completionHelp>
+                    <list>user group</list>
+                </completionHelp>
+            </properties>
+        </leafNode>
+        <leafNode name="directory">
+            <properties>
+                <help>Directory to configure OpenConnect to use for matching username/group to config file</help>
+                <valueHelp>
+                    <format>filename</format>
+                    <description>Must be a child directory of /config/auth e.g. /config/auth/ocserv/config-per-user</description>
+                </valueHelp>
+                <constraint>
+                    <validator name="file-path" argument="--directory --parent-dir /config/auth --strict"/>
+                </constraint>
+            </properties>
+        </leafNode>
+        <leafNode name="default-config">
+            <properties>
+                <help>Default/fallback config to use when a file cannot be found in the configured directory that matches the username/group</help>
+                <valueHelp>
+                    <format>filename</format>
+                    <description>Child directory of /config/auth e.g. /config/auth/ocserv/defaults/user.conf</description>
+                </valueHelp>
+                <constraint>
+                    <validator name="file-path" argument="--file --parent-dir /config/auth --strict"/>
+                </constraint>
+            </properties>
+        </leafNode>
+        #include <include/generic-disable-node.xml.i>
+    </children>
+</node>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/vpn-openconnect.xml.in b/interface-definitions/vpn-openconnect.xml.in
index 24d24568f..db575d227 100644
--- a/interface-definitions/vpn-openconnect.xml.in
+++ b/interface-definitions/vpn-openconnect.xml.in
@@ -50,7 +50,7 @@
                   </leafNode>
                 </children>
               </node>
-              #include <include/openconnect-config-per-x.xml.i>
+              #include <include/openconnect-identity-based-config.xml.i>
               <leafNode name="group">
                 <properties>
                   <help>Group that a client is allowed to select (from a list). Maps to RADIUS Class attribute.</help>
diff --git a/src/conf_mode/vpn_openconnect.py b/src/conf_mode/vpn_openconnect.py
index 12165a4f2..16a5b5952 100755
--- a/src/conf_mode/vpn_openconnect.py
+++ b/src/conf_mode/vpn_openconnect.py
@@ -113,17 +113,17 @@ def verify(ocserv):
                                 users_wo_pswd.append(user)
                         if users_wo_pswd:
                             raise ConfigError(f'password required for users:\n{users_wo_pswd}')
-            # Validate that if config-per-x is configured all child config nodes are set
-            if 'config_per_x' in ocserv["authentication"]:
-                if 'disabled' not in ocserv["authentication"]["config_per_x"]:
-                    if 'mode' not in ocserv["authentication"]["config_per_x"]:
-                        raise ConfigError('OpenConnect radius config-per-x enabled but mode not selected')
-                    elif 'group' in ocserv["authentication"]["config_per_x"]["mode"] and "radius" not in ocserv["authentication"]["mode"]:
+            # Validate that if identity-based-config is configured all child config nodes are set
+            if 'identity_based_config' in ocserv["authentication"]:
+                if 'disabled' not in ocserv["authentication"]["identity_based_config"]:
+                    if 'mode' not in ocserv["authentication"]["identity_based_config"]:
+                        raise ConfigError('OpenConnect radius identity-based-config enabled but mode not selected')
+                    elif 'group' in ocserv["authentication"]["identity_based_config"]["mode"] and "radius" not in ocserv["authentication"]["mode"]:
                         raise ConfigError('OpenConnect config-per-group must be used with radius authentication')
-                    if 'directory' not in ocserv["authentication"]["config_per_x"]:
-                        raise ConfigError('OpenConnect config-per-x enabled but directory not set')
-                    if 'default_config' not in ocserv["authentication"]["config_per_x"]:
-                        raise ConfigError('OpenConnect config-per-x enabled but default-config not set')
+                    if 'directory' not in ocserv["authentication"]["identity_based_config"]:
+                        raise ConfigError('OpenConnect identity-based-config enabled but directory not set')
+                    if 'default_config' not in ocserv["authentication"]["identity_based_config"]:
+                        raise ConfigError('OpenConnect identity-based-config enabled but default-config not set')
         else:
             raise ConfigError('openconnect authentication mode required')
     else:
-- 
cgit v1.2.3