From 018110200c9a82815dd5d0510f0732d7159c0d59 Mon Sep 17 00:00:00 2001
From: aapostoliuk <a.apostoliuk@vyos.io>
Date: Wed, 7 Feb 2024 12:26:49 +0200
Subject: T5960: Rewritten authentication node in PPTP to a single view

Rewrote the authentication node in the accel-ppp services
to a single view, in particular PPTP authentication.
---
 src/conf_mode/service_ipoe-server.py  | 12 ++-----
 src/conf_mode/service_pppoe-server.py |  8 +----
 src/conf_mode/vpn_l2tp.py             |  7 ----
 src/migration-scripts/pptp/4-to-5     | 66 +++++++++++++++++++++++++++++++++++
 4 files changed, 69 insertions(+), 24 deletions(-)
 create mode 100755 src/migration-scripts/pptp/4-to-5

(limited to 'src')

diff --git a/src/conf_mode/service_ipoe-server.py b/src/conf_mode/service_ipoe-server.py
index 6df6f3dc7..5f72b983c 100755
--- a/src/conf_mode/service_ipoe-server.py
+++ b/src/conf_mode/service_ipoe-server.py
@@ -26,6 +26,7 @@ from vyos.utils.process import call
 from vyos.utils.dict import dict_search
 from vyos.accel_ppp_util import get_pools_in_order
 from vyos.accel_ppp_util import verify_accel_ppp_ip_pool
+from vyos.accel_ppp_util import verify_accel_ppp_base_service
 from vyos import ConfigError
 from vyos import airbag
 airbag.enable()
@@ -68,18 +69,9 @@ def verify(ipoe):
             raise ConfigError('Option "client-subnet" incompatible with "vlan"!'
                               'Use "ipoe client-ip-pool" instead.')
 
+    verify_accel_ppp_base_service(ipoe, local_users=False)
     verify_accel_ppp_ip_pool(ipoe)
 
-    if dict_search('authentication.mode', ipoe) == 'radius':
-        if not dict_search('authentication.radius.server', ipoe):
-            raise ConfigError('RADIUS authentication requires at least one server')
-
-        for server in dict_search('authentication.radius.server', ipoe):
-            radius_config = ipoe['authentication']['radius']['server'][server]
-            if 'key' not in radius_config:
-                raise ConfigError(f'Missing RADIUS secret key for server "{server}"')
-
-
     return None
 
 
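Review bot: The RADIUS checks deleted from `verify()` here (at least one server, and a `key` for every server) are now expected to come from `verify_accel_ppp_base_service(ipoe, local_users=False)`, but that helper's body is not in this diff, which is limited to `src`, so the hunk alone does not show that a RADIUS server without a shared secret is still rejected. The same applies to the `dynamic_author` key check removed from `verify()` in service_pppoe-server.py and vpn_l2tp.py, where the `'DA/CoE server key required!'` error disappears from the caller. I would add a comment above the call, such as `# RADIUS server/key and dynamic-author key validation is done in verify_accel_ppp_base_service()`, and confirm that the helper raises `ConfigError` for each of the removed cases. `verify()` starts outside this hunk.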
diff --git a/src/conf_mode/service_pppoe-server.py b/src/conf_mode/service_pppoe-server.py
index 31299a15c..c2dfbdb44 100755
--- a/src/conf_mode/service_pppoe-server.py
+++ b/src/conf_mode/service_pppoe-server.py
@@ -68,6 +68,7 @@ def verify(pppoe):
         return None
 
     verify_accel_ppp_base_service(pppoe)
+    verify_accel_ppp_ip_pool(pppoe)
 
     if 'wins_server' in pppoe and len(pppoe['wins_server']) > 2:
         raise ConfigError('Not more then two WINS name-servers can be configured')
@@ -79,13 +80,6 @@ def verify(pppoe):
     for interface in pppoe['interface']:
         verify_interface_exists(interface)
 
-    verify_accel_ppp_ip_pool(pppoe)
-
-    if dict_search('authentication.radius.dynamic_author.server', pppoe):
-        if not dict_search('authentication.radius.dynamic_author.key', pppoe):
-            raise ConfigError('DA/CoE server key required!')
-
-
     return None
 
 
diff --git a/src/conf_mode/vpn_l2tp.py b/src/conf_mode/vpn_l2tp.py
index 36b3d2a30..fc87d9539 100755
--- a/src/conf_mode/vpn_l2tp.py
+++ b/src/conf_mode/vpn_l2tp.py
@@ -26,7 +26,6 @@ from vyos.utils.dict import dict_search
 from vyos.accel_ppp_util import verify_accel_ppp_base_service
 from vyos.accel_ppp_util import verify_accel_ppp_ip_pool
 from vyos.accel_ppp_util import get_pools_in_order
-from vyos.base import Warning
 from vyos import ConfigError
 
 from vyos import airbag
@@ -60,14 +59,8 @@ def verify(l2tp):
         return None
 
     verify_accel_ppp_base_service(l2tp)
-
-    if dict_search('authentication.radius.dynamic_author.server', l2tp):
-        if not dict_search('authentication.radius.dynamic_author.key', l2tp):
-            raise ConfigError('DA/CoE server key required!')
-
     verify_accel_ppp_ip_pool(l2tp)
 
-
     if 'wins_server' in l2tp and len(l2tp['wins_server']) > 2:
         raise ConfigError(
             'Not more then two WINS name-servers can be configured')
diff --git a/src/migration-scripts/pptp/4-to-5 b/src/migration-scripts/pptp/4-to-5
new file mode 100755
index 000000000..d4b3f9a14
--- /dev/null
+++ b/src/migration-scripts/pptp/4-to-5
@@ -0,0 +1,66 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2024 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# - Move 'require' from 'protocols' in  'authentication' node
+# - Migrate to new default values in radius timeout and acct-timeout
+
+import os
+
+from sys import argv
+from sys import exit
+from vyos.configtree import ConfigTree
+
+
+if len(argv) < 2:
+    print("Must specify file name!")
+    exit(1)
+
+file_name = argv[1]
+
+with open(file_name, 'r') as f:
+    config_file = f.read()
+
+config = ConfigTree(config_file)
+base = ['vpn', 'pptp', 'remote-access']
+
+if not config.exists(base):
+    exit(0)
+
+#migrate require to protocols
+require_path = base + ['authentication', 'require']
+if config.exists(require_path):
+    protocols = list(config.return_values(require_path))
+    for protocol in protocols:
+        config.set(base + ['authentication', 'protocols'], value=protocol,
+                   replace=False)
+    config.delete(require_path)
+else:
+    config.set(base + ['authentication', 'protocols'], value='mschap-v2')
+
+radius_path = base + ['authentication', 'radius']
+if config.exists(radius_path):
+    if not config.exists(radius_path + ['timeout']):
+        config.set(radius_path + ['timeout'], value=3)
+    if not config.exists(radius_path + ['acct-timeout']):
+        config.set(radius_path + ['acct-timeout'], value=3)
+
+
+try:
+    with open(file_name, 'w') as f:
+        f.write(config.to_string())
+except OSError as e:
+    print("Failed to save the modified config: {}".format(e))
+    exit(1)
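Review bot: The header comment `# - Move 'require' from 'protocols' in  'authentication' node` states the migration backwards. The code copies every value of `authentication require` into `authentication protocols` and then deletes `require`, so it should read `# - Move 'authentication require' values to 'authentication protocols'`. The `else` branch that sets `protocols` to `mschap-v2` when no `require` node exists has no comment. Presumably it pins the previous implicit default so that an upgrade does not change which authentication protocols the PPTP server accepts. A line such as `# no explicit 'require': keep the old default so the upgrade does not widen accepted protocols` would stop a later edit from dropping it, once that intent is confirmed. Separately, the initial `open(file_name, 'r')` is unguarded while the write-back catches `OSError`, so an unreadable config ends in a traceback instead of the script's own error message.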
-- 
cgit v1.2.3