authorkumvijaya <kumvijaya@gmail.com>2024-05-21 16:41:14 +0530
committerkumvijaya <kumvijaya@gmail.com>2024-05-21 16:41:14 +0530
commitcc86483fdf7a6bd988f485c06402fd07368dd26e (patch)
tree9d892a9715106cc67bf1e57b15b999aa7e564057 /data/templates/ocserv
parent704ca2322d0bebcb923f5136f0f69fb23651a484 (diff)
T6357: create test repository to validate setup
Diffstat (limited to 'data/templates/ocserv')
-rw-r--r--data/templates/ocserv/ocserv_config.j2147
-rw-r--r--data/templates/ocserv/ocserv_otp_usr.j28
-rw-r--r--data/templates/ocserv/ocserv_passwd.j28
-rw-r--r--data/templates/ocserv/radius_conf.j236
-rw-r--r--data/templates/ocserv/radius_servers.j27
5 files changed, 206 insertions, 0 deletions
diff --git a/data/templates/ocserv/ocserv_config.j2 b/data/templates/ocserv/ocserv_config.j2
new file mode 100644
index 0000000..81f7770
--- /dev/null
+++ b/data/templates/ocserv/ocserv_config.j2
@@ -0,0 +1,147 @@
+### generated by vpn_openconnect.py ###
+
+{% if listen_address is vyos_defined %}
+listen-host = {{ listen_address }}
+{% endif %}
+
+tcp-port = {{ listen_ports.tcp }}
+udp-port = {{ listen_ports.udp }}
+
+run-as-user = nobody
+run-as-group = daemon
+
+{% if accounting.mode.radius is vyos_defined %}
+acct = "radius [config=/run/ocserv/radiusclient.conf]"
+{% endif %}
+
+{% if "radius" in authentication.mode %}
+auth = "radius [config=/run/ocserv/radiusclient.conf{{ ',groupconfig=true' if authentication.radius.groupconfig is vyos_defined else '' }}]"
+{% if authentication.identity_based_config.disabled is not vyos_defined %}
+{% if "group" in authentication.identity_based_config.mode %}
+config-per-group = {{ authentication.identity_based_config.directory }}
+default-group-config = {{ authentication.identity_based_config.default_config }}
+{% endif %}
+{% endif %}
+{% elif "local" in authentication.mode %}
+{% if authentication.mode.local == "password-otp" %}
+auth = "plain[passwd=/run/ocserv/ocpasswd,otp=/run/ocserv/users.oath]"
+{% elif authentication.mode.local == "otp" %}
+auth = "plain[otp=/run/ocserv/users.oath]"
+{% else %}
+auth = "plain[/run/ocserv/ocpasswd]"
+{% endif %}
+{% else %}
+auth = "plain[/run/ocserv/ocpasswd]"
+{% endif %}
+
+{% if "identity_based_config" in authentication %}
+{% if "user" in authentication.identity_based_config.mode %}
+config-per-user = {{ authentication.identity_based_config.directory }}
+default-user-config = {{ authentication.identity_based_config.default_config }}
+{% endif %}
+{% endif %}
+
+{% if ssl.certificate is vyos_defined %}
+server-cert = /run/ocserv/cert.pem
+server-key = /run/ocserv/cert.key
+{% if ssl.passphrase is vyos_defined %}
+key-pin = {{ ssl.passphrase }}
+{% endif %}
+{% endif %}
+
+{% if ssl.ca_certificate is vyos_defined %}
+ca-cert = /run/ocserv/ca.pem
+{% endif %}
+
+socket-file = /run/ocserv/ocserv.socket
+occtl-socket-file = /run/ocserv/occtl.socket
+use-occtl = true
+isolate-workers = true
+keepalive = 300
+dpd = 60
+mobile-dpd = 300
+switch-to-tcp-timeout = 30
+{% if tls_version_min == '1.0' %}
+tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128"
+{% elif tls_version_min == '1.1' %}
+tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128:-VERS-TLS1.0"
+{% elif tls_version_min == '1.2' %}
+tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128:-VERS-TLS1.0:-VERS-TLS1.1"
+{% elif tls_version_min == '1.3' %}
+tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.2"
+{% endif %}
+auth-timeout = 240
+idle-timeout = 1200
+mobile-idle-timeout = 1800
+min-reauth-time = 3
+cookie-timeout = 300
+rekey-method = ssl
+try-mtu-discovery = true
+cisco-client-compat = true
+dtls-legacy = true
+max-ban-score = 80
+ban-reset-time = 300
+
+# The name to use for the tun device
+device = sslvpn
+
+# DNS settings
+{% if network_settings.name_server is vyos_defined %}
+{% for dns in network_settings.name_server %}
+dns = {{ dns }}
+{% endfor %}
+{% endif %}
+{% if network_settings.tunnel_all_dns is vyos_defined %}
+{% if "yes" in network_settings.tunnel_all_dns %}
+tunnel-all-dns = true
+{% else %}
+tunnel-all-dns = false
+{% endif %}
+{% endif %}
+
+# IPv4 network pool
+{% if network_settings.client_ip_settings.subnet is vyos_defined %}
+ipv4-network = {{ network_settings.client_ip_settings.subnet }}
+{% endif %}
+
+# IPv6 network pool
+{% if network_settings.client_ipv6_pool.prefix is vyos_defined %}
+ipv6-network = {{ network_settings.client_ipv6_pool.prefix }}
+ipv6-subnet-prefix = {{ network_settings.client_ipv6_pool.mask }}
+{% endif %}
+
+{% if network_settings.push_route is vyos_defined %}
+{% for route in network_settings.push_route %}
+route = {{ route }}
+{% endfor %}
+{% endif %}
+
+{% if network_settings.split_dns is vyos_defined %}
+{% for tmp in network_settings.split_dns %}
+split-dns = {{ tmp }}
+{% endfor %}
+{% endif %}
+
+{% if authentication.group is vyos_defined %}
+# Group settings
+{% for grp in authentication.group %}
+select-group = {{ grp }}
+{% endfor %}
+{% endif %}
+
+{% if http_security_headers is vyos_defined %}
+# HTTP security headers
+included-http-headers = Strict-Transport-Security: max-age=31536000 ; includeSubDomains
+included-http-headers = X-Frame-Options: deny
+included-http-headers = X-Content-Type-Options: nosniff
+included-http-headers = Content-Security-Policy: default-src "none"
+included-http-headers = X-Permitted-Cross-Domain-Policies: none
+included-http-headers = Referrer-Policy: no-referrer
+included-http-headers = Clear-Site-Data: "cache","cookies","storage"
+included-http-headers = Cross-Origin-Embedder-Policy: require-corp
+included-http-headers = Cross-Origin-Opener-Policy: same-origin
+included-http-headers = Cross-Origin-Resource-Policy: same-origin
+included-http-headers = X-XSS-Protection: 0
+included-http-headers = Pragma: no-cache
+included-http-headers = Cache-control: no-store, no-cache
+{% endif %}
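Review bot: `key-pin = {{ ssl.passphrase }}` inside the `ssl.certificate` block renders the private-key passphrase in clear text into the generated ocserv configuration, so the rendered file is as sensitive as the key itself; the template cannot set the file mode, which is decided by the renderer (vpn_openconnect.py, outside this diff), so a comment above the line such as `# passphrase is rendered in clear text -- the generated file must not be world-readable` would record that requirement for whoever maintains the renderer. Separately, the `tls_version_min` chain has no `{% else %}`, so any value other than the four literals silently leaves ocserv on its built-in priority string; if the CLI validates the value this is fine, otherwise a final `{% else %}` emitting the 1.2 string would keep the minimum version explicit in the rendered file.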
diff --git a/data/templates/ocserv/ocserv_otp_usr.j2 b/data/templates/ocserv/ocserv_otp_usr.j2
new file mode 100644
index 0000000..b2511ed
--- /dev/null
+++ b/data/templates/ocserv/ocserv_otp_usr.j2
@@ -0,0 +1,8 @@
+#<token_type> <username> <pin> <secret_hex_key> <counter> <lastpass> <time>
+{% if username is vyos_defined %}
+{% for user, user_config in username.items() %}
+{% if user_config.disable is not vyos_defined and user_config.otp is vyos_defined %}
+{{ user_config.otp.token_tmpl }} {{ user }} {{ user_config.otp.pin | default("-", true) }} {{ user_config.otp.key }}
+{% endif %}
+{% endfor %}
+{% endif %}
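Review bot: the `{% if user_config.disable is not vyos_defined and user_config.otp is vyos_defined %}` guard silently omits any enabled user without an `otp` block from users.oath, which matters when `authentication.mode.local` is `otp` or `password-otp`: such a user cannot authenticate and nothing in the rendered file says why. Whether the CLI rejects that combination is not visible here, so a comment such as `{# users without an otp block are omitted; validation must reject them in otp modes #}` would make the assumption explicit. This file also carries each user's OTP secret (`{{ user_config.otp.key }}`) in clear text, so the rendered file needs the same restrictive mode as ocpasswd.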
diff --git a/data/templates/ocserv/ocserv_passwd.j2 b/data/templates/ocserv/ocserv_passwd.j2
new file mode 100644
index 0000000..30c79d6
--- /dev/null
+++ b/data/templates/ocserv/ocserv_passwd.j2
@@ -0,0 +1,8 @@
+#<username>:<group>:<hash>
+{% if username is vyos_defined %}
+{% for user, user_config in username.items() %}
+{% if user_config.disable is not vyos_defined %}
+{{ user }}:*:{{ user_config.hash }}
+{% endif %}
+{% endfor %}
+{% endif %} \ No newline at end of file
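Review bot: `{{ user }}:*:{{ user_config.hash }}` is emitted for every user that is not disabled, but nothing checks that `user_config.hash` is defined, so a user with no hash configured renders as `user:*:` with an empty hash field, and how ocserv's plain authentication treats an empty field is not something this diff shows; guarding with `{% if user_config.disable is not vyos_defined and user_config.hash is vyos_defined %}` keeps such users out of ocpasswd unless validation elsewhere already rejects them. The file also ends without a trailing newline after `{% endif %}`; harmless since the tag renders nothing, but worth normalising with the other templates.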
diff --git a/data/templates/ocserv/radius_conf.j2 b/data/templates/ocserv/radius_conf.j2
new file mode 100644
index 0000000..1ab322f
--- /dev/null
+++ b/data/templates/ocserv/radius_conf.j2
@@ -0,0 +1,36 @@
+### generated by vpn_openconnect.py ###
+nas-identifier VyOS
+
+#### Accounting
+{% if accounting.mode.radius is vyos_defined %}
+{% for acctsrv, srv_conf in accounting.radius.server.items() if 'disable' not in srv_conf %}
+{% if srv_conf.port is vyos_defined %}
+acctserver {{ acctsrv }}:{{ srv_conf.port }}
+{% else %}
+acctserver {{ acctsrv }}
+{% endif %}
+{% endfor %}
+{% endif %}
+
+#### Authentication
+{% if authentication.mode.radius is vyos_defined %}
+{% for authsrv, srv_conf in authentication.radius.server.items() if 'disable' not in srv_conf %}
+{% if srv_conf.port is vyos_defined %}
+authserver {{ authsrv }}:{{ srv_conf.port }}
+{% else %}
+authserver {{ authsrv }}
+{% endif %}
+{% endfor %}
+radius_timeout {{ authentication['radius']['timeout'] }}
+{% if source_address %}
+bindaddr {{ authentication['radius']['source_address'] }}
+{% else %}
+bindaddr *
+{% endif %}
+{% endif %}
+
+servers /run/ocserv/radius_servers
+dictionary /etc/radcli/dictionary
+default_realm
+radius_retries 3
+# \ No newline at end of file
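Review bot: the `bindaddr` condition tests `{% if source_address %}` while the value emitted on the next line is `authentication['radius']['source_address']`, so unless the renderer also passes a separate top-level `source_address` variable the branch is never taken and `bindaddr *` is always written, ignoring the configured source address; the condition should read `{% if authentication.radius.source_address is vyos_defined %}` to match the lookup it guards and the `vyos_defined` tests used elsewhere in this file. `default_realm` is emitted with no value; if an empty realm is intended, a short comment saying so would save the next reader a lookup.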
diff --git a/data/templates/ocserv/radius_servers.j2 b/data/templates/ocserv/radius_servers.j2
new file mode 100644
index 0000000..302e916
--- /dev/null
+++ b/data/templates/ocserv/radius_servers.j2
@@ -0,0 +1,7 @@
+### generated by vpn_openconnect.py ###
+# server key
+{% for srv in server %}
+{% if not "disable" in server[srv] %}
+{{ srv }} {{ server[srv].key }}
+{% endif %}
+{% endfor %}
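Review bot: `{% if not "disable" in server[srv] %}` is the unidiomatic negation; `{% if "disable" not in server[srv] %}` matches the filter already used in radius_conf.j2 (`if 'disable' not in srv_conf`), and iterating with `{% for srv, srv_conf in server.items() if "disable" not in srv_conf %}` would remove the repeated `server[srv]` lookups altogether. The rendered file holds the RADIUS shared secrets (`{{ server[srv].key }}`) in clear text, so its file mode, set by the renderer outside this diff, must be restrictive; a comment such as `{# contains shared secrets; rendered file must be readable by root only #}` under the header would record that.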