From e61f7abdb2136d8dfbf73729dbc14c3b5ab2ecba Mon Sep 17 00:00:00 2001
From: Jamie Austin <jamiea@opusv.com.au>
Date: Fri, 27 Jan 2023 17:32:29 +1100
Subject: T4958: ocserv: openconnect: adds support for configuring RADIUS
 accounting

Adds CLI configuration options to configure RADIUS accounting for OpenConnect VPN sessions. This functionality cannot be used outside of the RADIUS OpenConnect VPN authentication mode
---
 src/conf_mode/vpn_openconnect.py | 26 ++++++++++++++++++++++----
 1 file changed, 22 insertions(+), 4 deletions(-)

(limited to 'src/conf_mode/vpn_openconnect.py')

diff --git a/src/conf_mode/vpn_openconnect.py b/src/conf_mode/vpn_openconnect.py
index 57eba17b0..12ddac23c 100755
--- a/src/conf_mode/vpn_openconnect.py
+++ b/src/conf_mode/vpn_openconnect.py
@@ -121,6 +121,14 @@ def verify(ocserv):
                 not is_listen_port_bind_service(int(port), 'ocserv-main'):
             raise ConfigError(f'"{proto}" port "{port}" is used by another service')
 
+    # Check accounting
+    if "accounting" in ocserv:
+        if "mode" in ocserv["accounting"] and "radius" in ocserv["accounting"]["mode"]:
+            if "authentication" not in ocserv or "mode" not in ocserv["authentication"]:
+                raise ConfigError('Accounting depends on OpenConnect authentication configuration')
+            elif "radius" not in ocserv["authentication"]["mode"]:
+                raise ConfigError('RADIUS accounting must be used with RADIUS authentication')
+
     # Check authentication
     if "authentication" in ocserv:
         if "mode" in ocserv["authentication"]:
@@ -202,10 +210,20 @@ def generate(ocserv):
         return None
 
     if "radius" in ocserv["authentication"]["mode"]:
-        # Render radius client configuration
-        render(radius_cfg, 'ocserv/radius_conf.j2', ocserv["authentication"]["radius"])
-        # Render radius servers
-        render(radius_servers, 'ocserv/radius_servers.j2', ocserv["authentication"]["radius"])
+        if "accounting" in ocserv and "mode" in ocserv["accounting"] and "radius" in ocserv["accounting"]["mode"]:
+            acct_and_auth_config = {'accounting': ocserv["accounting"], 'authentication': ocserv["authentication"]}
+            # Render radius client configuration
+            render(radius_cfg, 'ocserv/radius_conf.j2', acct_and_auth_config)
+            merged_servers = ocserv["accounting"]["radius"]["server"] | ocserv["authentication"]["radius"]["server"]
+            # Render radius servers
+            # Merge the accounting and authentication servers into a single dictionary
+            render(radius_servers, 'ocserv/radius_servers.j2', {'server': merged_servers})
+        else:
+            acct_and_auth_config = {'accounting': {'mode': ''}, 'authentication': ocserv['authentication']}
+            # Render radius client configuration
+            render(radius_cfg, 'ocserv/radius_conf.j2', acct_and_auth_config)
+            # Render radius servers
+            render(radius_servers, 'ocserv/radius_servers.j2', ocserv["authentication"]["radius"])
     elif "local" in ocserv["authentication"]["mode"]:
         # if mode "OTP", generate OTP users file parameters
         if "otp" in ocserv["authentication"]["mode"]["local"]:
-- 
cgit v1.2.3