From fdafecc0c569f7d5f818a5a2c56bf7ea1983d2f4 Mon Sep 17 00:00:00 2001
From: Christian Poessinger
Date: Sun, 22 Mar 2020 11:46:39 +0100
Subject: sstp: T2150: use full file path on SSL certificates
---
 src/conf_mode/vpn_sstp.py | 30 ++++-------
 src/migration-scripts/sstp/1-to-2 | 110 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 121 insertions(+), 19 deletions(-)
 create mode 100755 src/migration-scripts/sstp/1-to-2
(limited to 'src')
diff --git a/src/conf_mode/vpn_sstp.py b/src/conf_mode/vpn_sstp.py
index 205702a9f..8583ece74 100755
--- a/src/conf_mode/vpn_sstp.py
+++ b/src/conf_mode/vpn_sstp.py
@@ -32,15 +32,11 @@ pidfile = r'/var/run/accel_sstp.pid'
 sstp_cnf_dir = r'/etc/accel-ppp/sstp'
 chap_secrets = sstp_cnf_dir + '/chap-secrets'
 sstp_conf = sstp_cnf_dir + '/sstp.config'
-ssl_cert_dir = r'/config/user-data/sstp'
 # config path creation
 if not os.path.exists(sstp_cnf_dir):
 os.makedirs(sstp_cnf_dir)
-if not os.path.exists(ssl_cert_dir):
- os.makedirs(ssl_cert_dir)
-
 sstp_config = """### generated by vpn_sstp.py ###
 [modules]
 log_syslog
@@ -74,9 +70,9 @@ disable
 [sstp]
 verbose=1
 accept=ssl
-ssl-ca-file=/config/user-data/sstp/{{ ssl_ca }}
-ssl-pemfile=/config/user-data/sstp/{{ ssl_cert }}
-ssl-keyfile=/config/user-data/sstp/{{ ssl_key }}
+ssl-ca-file={{ ssl_ca }}
+ssl-pemfile={{ ssl_cert }}
+ssl-keyfile={{ ssl_key }}
 {% if client_ip_pool %}
 [ip-pool] 
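Review bot: Nothing in the [sstp] template hunk documents that `ssl_ca`, `ssl_cert` and `ssl_key` are now absolute paths taken verbatim from the configuration, now that the `/config/user-data/sstp/` prefix and the `ssl_cert_dir` pre-creation in the first hunk are gone. A reader of sstp_config alone cannot tell where the files are expected to live or who validates them; the migration script in this commit relocates them to `/config/auth/sstp/` and verify() only checks that the paths exist. I would add above `[sstp]` in the template string a line such as `# ssl_* are absolute paths supplied by the CLI config and checked by verify(); they are emitted unquoted`, which the generated file already tolerates given its `### generated by vpn_sstp.py ###` header. Whether accel-ppp tolerates whitespace or other special characters in an unquoted path value is not visible here and is worth confirming.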
@@ -452,22 +448,18 @@ def verify(sstp):
 if not sstp['ssl_ca'] or not sstp['ssl_cert'] or not sstp['ssl_key']:
 raise ConfigError('One or more SSL certificates missing')
- ssl_path = ssl_cert_dir + '/'
- if not os.path.exists(ssl_path + sstp['ssl_ca']):
- ca = ssl_path + sstp['ssl_ca']
- raise ConfigError(f'CA cert file {ca} does not exist')
+ if not os.path.exists(sstp['ssl_ca']):
+ raise ConfigError(f"CA cert file {sstp['ssl_ca']} does not exist")
- if not os.path.exists(ssl_path + sstp['ssl_cert']):
- cert = ssl_path + sstp['ssl_cert']
- raise ConfigError(f'SSL cert file {cert} does not exist')
+ if not os.path.exists(sstp['ssl_cert']):
+ raise ConfigError(f"SSL cert file {sstp['ssl_cert']} does not exist")
- if not os.path.exists(ssl_path + sstp['ssl_key']):
- key = ssl_path + sstp['ssl_key']
- raise ConfigError(f'SSL key file {key} does not exist')
+ if not os.path.exists(sstp['ssl_key']):
+ raise ConfigError(f"SSL key file {sstp['ssl_key']} does not exist")
 if sstp['auth_mode'] == 'radius':
 if len(sstp['radius_server']) == 0:
- raise ConfigError('RADIUS authentication requires at least one server')
+ raise ConfigError("RADIUS authentication requires at least one server")
 for radius in sstp['radius_server']:
 if not radius['key']:
@@ -489,7 +481,7 @@ def generate(sstp):
 with open(chap_secrets, 'w') as f:
 f.write(config_text)
- os.chmod(chap_secrets, S_IRUSR | S_IWUSR | S_IRGRP )
+ os.chmod(chap_secrets, S_IRUSR | S_IWUSR | S_IRGRP)
 else:
 if os.path.exists(chap_secrets):
 os.unlink(chap_secrets)
diff --git a/src/migration-scripts/sstp/1-to-2 b/src/migration-scripts/sstp/1-to-2
new file mode 100755
index 000000000..94cb04831
--- /dev/null
+++ b/src/migration-scripts/sstp/1-to-2
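Review bot: The three new existence checks in verify() use `os.path.exists`, which is also satisfied by a directory or by a symlink to any existing object, so a wrong path is only caught later when accel-ppp fails to load the file; with the old directory prefix gone, `os.path.isfile` is the more precise guard: `if not os.path.isfile(sstp['ssl_ca']):`, `if not os.path.isfile(sstp['ssl_cert']):`, `if not os.path.isfile(sstp['ssl_key']):`. The migration script in this commit deliberately restricts the key file to owner read/write, so verify() could consistently reject or at least warn about a group- or world-readable `ssl_key` via an `os.stat` mode check, though the daemon's runtime user is not visible here and decides how strict that can be. verify() begins before this hunk and continues after it; the generate() hunk is whitespace only.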
@@ -0,0 +1,110 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2020 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+# - migrate relative path SSL certificate to absolute path, as certs are only
+# allowed to stored in /config/user-data/sstp/ this is pretty straight
+# forward move. Delete certificates from source directory
+
+import os
+import sys
+
+from shutil import copy2
+from stat import S_IRUSR, S_IWUSR, S_IRGRP, S_IROTH
+from vyos.configtree import ConfigTree
+
+if (len(sys.argv) < 1):
+ print("Must specify file name!")
+ sys.exit(1)
+
+file_name = sys.argv[1]
+
+with open(file_name, 'r') as f:
+ config_file = f.read()
+
+config = ConfigTree(config_file)
+base_path = ['vpn', 'sstp', 'ssl']
+if not config.exists(base_path):
+ # Nothing to do
+ sys.exit(0)
+else:
+ cert_path_old ='/config/user-data/sstp/'
+ cert_path_new ='/config/auth/sstp/'
+
+ if not os.path.isdir(cert_path_new):
+ os.mkdir(cert_path_new)
+
+ #
+ # migrate ca-cert-file to new path
+ if config.exists(base_path + ['ca-cert-file']):
+ tmp = config.return_value(base_path + ['ca-cert-file'])
+ cert_old = cert_path_old + tmp
+ cert_new = cert_path_new + tmp
+
+ if os.path.isfile(cert_old):
+ # adjust file permissions on source file,
+ # permissions will be copied by copy2()
+ os.chmod(cert_old, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH)
+ copy2(cert_old, cert_path_new)
+ # delete old certificate file
+ os.unlink(cert_old)
+
+ config.set(base_path + 
['ca-cert-file'], value=cert_new, replace=True)
+
+ #
+ # migrate cert-file to new path
+ if config.exists(base_path + ['cert-file']):
+ tmp = config.return_value(base_path + ['cert-file'])
+ cert_old = cert_path_old + tmp
+ cert_new = cert_path_new + tmp
+
+ if os.path.isfile(cert_old):
+ # adjust file permissions on source file,
+ # permissions will be copied by copy2()
+ os.chmod(cert_old, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH)
+ copy2(cert_old, cert_path_new)
+ # delete old certificate file
+ os.unlink(cert_old)
+
+ config.set(base_path + ['cert-file'], value=cert_new, replace=True)
+
+ #
+ # migrate key-file to new path
+ if config.exists(base_path + ['key-file']):
+ tmp = config.return_value(base_path + ['key-file'])
+ cert_old = cert_path_old + tmp
+ cert_new = cert_path_new + tmp
+
+ if os.path.isfile(cert_old):
+ # adjust file permissions on source file,
+ # permissions will be copied by copy2()
+ os.chmod(cert_old, S_IRUSR | S_IWUSR)
+ copy2(cert_old, cert_path_new)
+ # delete old certificate file
+ os.unlink(cert_old)
+
+ config.set(base_path + ['key-file'], value=cert_new, replace=True)
+
+ #
+ # check if old certificate directory exists but is empty
+ if os.path.isdir(cert_path_old) and not os.listdir(cert_path_old):
+ os.rmdir(cert_path_old)
+
+ try:
+ with open(file_name, 'w') as f:
+ f.write(config.to_string())
+ except OSError as e:
+ print("Failed to save the modified config: {}".format(e))
+ sys.exit(1)
-- cgit v1.2.3
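Review bot: The argument check `if (len(sys.argv) < 1):` can never fire because argv[0] is always present, so a missing file name falls through to an IndexError at `file_name = sys.argv[1]`; it should read `if len(sys.argv) < 2:`. The three ca-cert-file / cert-file / key-file blocks are copies of each other differing only in the node name and the chmod mode, which is exactly the kind of duplication where the per-file mode (owner-only for the key, world-readable for the certificates) silently drifts on the next edit; a small helper keeps that mode explicit per node, as sketched below (it replaces the three blocks inside the `else:` branch, with the helper defined before it). `os.mkdir(cert_path_new)` also assumes `/config/auth` already exists; if that is not guaranteed on every upgrade path, `os.makedirs(cert_path_new, exist_ok=True)` is the safer call. Note that the config value is rewritten to the new path even when the old file was not found, which is presumably intended so that verify() reports the missing file on the next commit.
```python
def migrate_cert(node, mode):
    # Move <base_path>/<node> from cert_path_old to cert_path_new, applying
    # `mode` on the source first so copy2() carries it over, then point the
    # config node at the absolute destination path.
    if not config.exists(base_path + [node]):
        return
    tmp = config.return_value(base_path + [node])
    cert_old = cert_path_old + tmp
    cert_new = cert_path_new + tmp
    if os.path.isfile(cert_old):
        os.chmod(cert_old, mode)
        copy2(cert_old, cert_path_new)
        os.unlink(cert_old)
    config.set(base_path + [node], value=cert_new, replace=True)

# … unchanged: argv check, config load, cert_path_* setup, directory creation …
migrate_cert('ca-cert-file', S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH)
migrate_cert('cert-file', S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH)
migrate_cert('key-file', S_IRUSR | S_IWUSR)
# … unchanged: empty old-directory cleanup and config write-back …
```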