T6732: added same as vyos 1x

6 files changed, 458 insertions, 0 deletions

diff --git a/src/migration-scripts/sstp/0-to-1 b/src/migration-scripts/sstp/0-to-1
new file mode 100644
index 0000000..1bd7d6c
--- /dev/null
+++ b/src/migration-scripts/sstp/0-to-1
@@ -0,0 +1,109 @@
+# Copyright 2020-2024 VyOS maintainers and contributors <maintainers@vyos.io>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library.  If not, see <http://www.gnu.org/licenses/>.
+
+# - migrate from "service sstp-server" to "vpn sstp"
+# - remove primary/secondary identifier from nameserver
+# - migrate RADIUS configuration to a more uniform syntax accross the system
+#   - authentication radius-server x.x.x.x to authentication radius server x.x.x.x
+#   - authentication radius-settings to authentication radius
+#   - do not migrate radius server req-limit, use default of unlimited
+# - migrate SSL certificate path
+
+from vyos.configtree import ConfigTree
+
+old_base = ['service', 'sstp-server']
+
+def migrate(config: ConfigTree) -> None:
+    if not config.exists(old_base):
+        # Nothing to do
+        return
+
+    # ensure new base path exists
+    if not config.exists(['vpn']):
+        config.set(['vpn'])
+
+    new_base = ['vpn', 'sstp']
+    # copy entire tree
+    config.copy(old_base, new_base)
+    config.delete(old_base)
+
+    # migrate DNS servers
+    dns_base = new_base + ['network-settings', 'dns-server']
+    if config.exists(dns_base):
+        if config.exists(dns_base + ['primary-dns']):
+            dns = config.return_value(dns_base + ['primary-dns'])
+            config.set(new_base + ['network-settings', 'name-server'], value=dns, replace=False)
+
+        if config.exists(dns_base + ['secondary-dns']):
+            dns = config.return_value(dns_base + ['secondary-dns'])
+            config.set(new_base + ['network-settings', 'name-server'], value=dns, replace=False)
+
+        config.delete(dns_base)
+
+
+    # migrate radius options - copy subtree
+    # thus must happen before migration of the individual RADIUS servers
+    old_options = new_base + ['authentication', 'radius-settings']
+    if config.exists(old_options):
+        new_options = new_base + ['authentication', 'radius']
+        config.copy(old_options, new_options)
+        config.delete(old_options)
+
+    # migrate radius dynamic author / change of authorisation server
+    dae_old = new_base + ['authentication', 'radius', 'dae-server']
+    if config.exists(dae_old):
+        config.rename(dae_old, 'dynamic-author')
+        dae_new = new_base + ['authentication', 'radius', 'dynamic-author']
+
+        if config.exists(dae_new + ['ip-address']):
+            config.rename(dae_new + ['ip-address'], 'server')
+
+        if config.exists(dae_new + ['secret']):
+            config.rename(dae_new + ['secret'], 'key')
+
+
+    # migrate radius server
+    radius_server = new_base + ['authentication', 'radius-server']
+    if config.exists(radius_server):
+        for server in config.list_nodes(radius_server):
+            base = radius_server + [server]
+            new = new_base + ['authentication', 'radius', 'server', server]
+
+            # convert secret to key
+            if config.exists(base + ['secret']):
+                tmp = config.return_value(base + ['secret'])
+                config.set(new + ['key'], value=tmp)
+
+            if config.exists(base + ['fail-time']):
+                tmp = config.return_value(base + ['fail-time'])
+                config.set(new + ['fail-time'], value=tmp)
+
+        config.set_tag(new_base + ['authentication', 'radius', 'server'])
+        config.delete(radius_server)
+
+    # migrate SSL certificates
+    old_ssl = new_base + ['sstp-settings']
+    new_ssl = new_base + ['ssl']
+    config.copy(old_ssl + ['ssl-certs'], new_ssl)
+    config.delete(old_ssl)
+
+    if config.exists(new_ssl + ['ca']):
+        config.rename(new_ssl + ['ca'], 'ca-cert-file')
+
+    if config.exists(new_ssl + ['server-cert']):
+        config.rename(new_ssl + ['server-cert'], 'cert-file')
+
+    if config.exists(new_ssl + ['server-key']):
+        config.rename(new_ssl + ['server-key'], 'key-file')
diff --git a/src/migration-scripts/sstp/1-to-2 b/src/migration-scripts/sstp/1-to-2
new file mode 100644
index 0000000..2349e3c
--- /dev/null
+++ b/src/migration-scripts/sstp/1-to-2
@@ -0,0 +1,93 @@
+# Copyright 2020-2024 VyOS maintainers and contributors <maintainers@vyos.io>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library.  If not, see <http://www.gnu.org/licenses/>.
+
+# - migrate relative path SSL certificate to absolute path, as certs are only
+#   allowed to stored in /config/user-data/sstp/ this is pretty straight
+#   forward move. Delete certificates from source directory
+
+import os
+
+from shutil import copy2
+from stat import S_IRUSR, S_IWUSR, S_IRGRP, S_IROTH
+from vyos.configtree import ConfigTree
+
+base_path = ['vpn', 'sstp', 'ssl']
+
+def migrate(config: ConfigTree) -> None:
+    if not config.exists(base_path):
+        # Nothing to do
+        return
+
+    cert_path_old ='/config/user-data/sstp/'
+    cert_path_new ='/config/auth/sstp/'
+
+    if not os.path.isdir(cert_path_new):
+        os.mkdir(cert_path_new)
+
+    #
+    # migrate ca-cert-file to new path
+    if config.exists(base_path + ['ca-cert-file']):
+        tmp = config.return_value(base_path + ['ca-cert-file'])
+        cert_old = cert_path_old + tmp
+        cert_new = cert_path_new + tmp
+
+        if os.path.isfile(cert_old):
+            # adjust file permissions on source file,
+            # permissions will be copied by copy2()
+            os.chmod(cert_old, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH)
+            copy2(cert_old, cert_path_new)
+            # delete old certificate file
+            os.unlink(cert_old)
+
+        config.set(base_path + ['ca-cert-file'], value=cert_new, replace=True)
+
+    #
+    # migrate cert-file to new path
+    if config.exists(base_path + ['cert-file']):
+        tmp = config.return_value(base_path + ['cert-file'])
+        cert_old = cert_path_old + tmp
+        cert_new = cert_path_new + tmp
+
+        if os.path.isfile(cert_old):
+            # adjust file permissions on source file,
+            # permissions will be copied by copy2()
+            os.chmod(cert_old, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH)
+            copy2(cert_old, cert_path_new)
+            # delete old certificate file
+            os.unlink(cert_old)
+
+        config.set(base_path + ['cert-file'], value=cert_new, replace=True)
+
+    #
+    # migrate key-file to new path
+    if config.exists(base_path + ['key-file']):
+        tmp = config.return_value(base_path + ['key-file'])
+        cert_old = cert_path_old + tmp
+        cert_new = cert_path_new + tmp
+
+        if os.path.isfile(cert_old):
+            # adjust file permissions on source file,
+            # permissions will be copied by copy2()
+            os.chmod(cert_old, S_IRUSR | S_IWUSR)
+            copy2(cert_old, cert_path_new)
+            # delete old certificate file
+            os.unlink(cert_old)
+
+        config.set(base_path + ['key-file'], value=cert_new, replace=True)
+
+    #
+    # check if old certificate directory exists but is empty
+    if os.path.isdir(cert_path_old) and not os.listdir(cert_path_old):
+        os.rmdir(cert_path_old)
diff --git a/src/migration-scripts/sstp/2-to-3 b/src/migration-scripts/sstp/2-to-3
new file mode 100644
index 0000000..4255a89
--- /dev/null
+++ b/src/migration-scripts/sstp/2-to-3
@@ -0,0 +1,59 @@
+# Copyright 2020-2024 VyOS maintainers and contributors <maintainers@vyos.io>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library.  If not, see <http://www.gnu.org/licenses/>.
+
+# - Rename SSTP ppp-settings node to ppp-options to make use of a common
+#   Jinja Template to render Accel-PPP services
+
+from vyos.configtree import ConfigTree
+
+base_path = ['vpn', 'sstp']
+
+def migrate(config: ConfigTree) -> None:
+    if not config.exists(base_path):
+        # Nothing to do
+        return
+
+    if config.exists(base_path + ['ppp-settings']):
+        config.rename(base_path + ['ppp-settings'], 'ppp-options')
+
+    config_ns = base_path + ['network-settings', 'name-server']
+    if config.exists(config_ns):
+        config.copy(config_ns, base_path + ['name-server'])
+        config.delete(config_ns)
+
+    config_mtu = base_path + ['network-settings', 'mtu']
+    if config.exists(config_mtu):
+        config.copy(config_mtu, base_path + ['mtu'])
+        config.delete(config_mtu)
+
+    config_gw = base_path + ['network-settings', 'client-ip-settings', 'gateway-address']
+    if config.exists(config_gw):
+        config.copy(config_gw, base_path + ['gateway-address'])
+        config.delete(config_gw)
+
+    config_client_ip = base_path + ['network-settings', 'client-ip-settings']
+    if config.exists(config_client_ip):
+        config.copy(config_client_ip, base_path + ['client-ip-pool'])
+        config.delete(config_client_ip)
+
+    config_client_ipv6 = base_path + ['network-settings', 'client-ipv6-pool']
+    if config.exists(config_client_ipv6):
+        config.copy(config_client_ipv6, base_path + ['client-ipv6-pool'])
+        config.delete(config_client_ipv6)
+
+    # all nodes now have been migrated out of network-settings - delete node
+    config_nw_settings = base_path + ['network-settings']
+    if config.exists(config_nw_settings):
+        config.delete(config_nw_settings)
diff --git a/src/migration-scripts/sstp/3-to-4 b/src/migration-scripts/sstp/3-to-4
new file mode 100644
index 0000000..fd10985
--- /dev/null
+++ b/src/migration-scripts/sstp/3-to-4
@@ -0,0 +1,116 @@
+# Copyright 2021-2024 VyOS maintainers and contributors <maintainers@vyos.io>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library.  If not, see <http://www.gnu.org/licenses/>.
+
+# - Update SSL to use PKI configuration
+
+import os
+
+from vyos.configtree import ConfigTree
+from vyos.pki import load_certificate
+from vyos.pki import load_private_key
+from vyos.pki import encode_certificate
+from vyos.pki import encode_private_key
+from vyos.utils.process import run
+
+base = ['vpn', 'sstp']
+pki_base = ['pki']
+
+AUTH_DIR = '/config/auth'
+
+def wrapped_pem_to_config_value(pem):
+    return "".join(pem.strip().split("\n")[1:-1])
+
+def migrate(config: ConfigTree) -> None:
+    if not config.exists(base):
+        return
+
+    if not config.exists(base + ['ssl']):
+        return
+
+    x509_base = base + ['ssl']
+    pki_name = 'sstp'
+
+    if not config.exists(pki_base + ['ca']):
+        config.set(pki_base + ['ca'])
+        config.set_tag(pki_base + ['ca'])
+
+    if not config.exists(pki_base + ['certificate']):
+        config.set(pki_base + ['certificate'])
+        config.set_tag(pki_base + ['certificate'])
+
+    if config.exists(x509_base + ['ca-cert-file']):
+        cert_file = config.return_value(x509_base + ['ca-cert-file'])
+        cert_path = os.path.join(AUTH_DIR, cert_file)
+        cert = None
+
+        if os.path.isfile(cert_path):
+            if not os.access(cert_path, os.R_OK):
+                run(f'sudo chmod 644 {cert_path}')
+
+            with open(cert_path, 'r') as f:
+                cert_data = f.read()
+                cert = load_certificate(cert_data, wrap_tags=False)
+
+        if cert:
+            cert_pem = encode_certificate(cert)
+            config.set(pki_base + ['ca', pki_name, 'certificate'], value=wrapped_pem_to_config_value(cert_pem))
+            config.set(x509_base + ['ca-certificate'], value=pki_name)
+        else:
+            print(f'Failed to migrate CA certificate on sstp config')
+
+        config.delete(x509_base + ['ca-cert-file'])
+
+    if config.exists(x509_base + ['cert-file']):
+        cert_file = config.return_value(x509_base + ['cert-file'])
+        cert_path = os.path.join(AUTH_DIR, cert_file)
+        cert = None
+
+        if os.path.isfile(cert_path):
+            if not os.access(cert_path, os.R_OK):
+                run(f'sudo chmod 644 {cert_path}')
+
+            with open(cert_path, 'r') as f:
+                cert_data = f.read()
+                cert = load_certificate(cert_data, wrap_tags=False)
+
+        if cert:
+            cert_pem = encode_certificate(cert)
+            config.set(pki_base + ['certificate', pki_name, 'certificate'], value=wrapped_pem_to_config_value(cert_pem))
+            config.set(x509_base + ['certificate'], value=pki_name)
+        else:
+            print(f'Failed to migrate certificate on sstp config')
+
+        config.delete(x509_base + ['cert-file'])
+
+    if config.exists(x509_base + ['key-file']):
+        key_file = config.return_value(x509_base + ['key-file'])
+        key_path = os.path.join(AUTH_DIR, key_file)
+        key = None
+
+        if os.path.isfile(key_path):
+            if not os.access(key_path, os.R_OK):
+                run(f'sudo chmod 644 {key_path}')
+
+            with open(key_path, 'r') as f:
+                key_data = f.read()
+                key = load_private_key(key_data, passphrase=None, wrap_tags=False)
+
+        if key:
+            key_pem = encode_private_key(key, passphrase=None)
+            config.set(pki_base + ['certificate', pki_name, 'private', 'key'], value=wrapped_pem_to_config_value(key_pem))
+        else:
+            print(f'Failed to migrate private key on sstp config')
+
+        config.delete(x509_base + ['key-file'])
diff --git a/src/migration-scripts/sstp/4-to-5 b/src/migration-scripts/sstp/4-to-5
new file mode 100644
index 0000000..254e828
--- /dev/null
+++ b/src/migration-scripts/sstp/4-to-5
@@ -0,0 +1,41 @@
+# Copyright 2023-2024 VyOS maintainers and contributors <maintainers@vyos.io>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library.  If not, see <http://www.gnu.org/licenses/>.
+
+# - move all pool to named pools
+#       'subnet' migrate to namedpool 'default-subnet-pool'
+#       'default-subnet-pool' is the next pool for 'default-range-pool'
+
+from vyos.configtree import ConfigTree
+
+base = ['vpn', 'sstp']
+pool_base = base + ['client-ip-pool']
+
+def migrate(config: ConfigTree) -> None:
+    if not config.exists(base):
+        return
+
+    if not config.exists(pool_base):
+        return
+
+    range_pool_name = 'default-range-pool'
+
+    if config.exists(pool_base + ['subnet']):
+        default_pool = range_pool_name
+        for subnet in config.return_values(pool_base + ['subnet']):
+            config.set(pool_base + [range_pool_name, 'range'], value=subnet, replace=False)
+        config.delete(pool_base + ['subnet'])
+        config.set(base + ['default-pool'], value=default_pool)
+    # format as tag node
+    config.set_tag(pool_base)
diff --git a/src/migration-scripts/sstp/5-to-6 b/src/migration-scripts/sstp/5-to-6
new file mode 100644
index 0000000..fc3cc29
--- /dev/null
+++ b/src/migration-scripts/sstp/5-to-6
@@ -0,0 +1,40 @@
+# Copyright 2024 VyOS maintainers and contributors <maintainers@vyos.io>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library.  If not, see <http://www.gnu.org/licenses/>.
+
+# Migrating to named ipv6 pools
+
+from vyos.configtree import ConfigTree
+
+base = ['vpn', 'sstp']
+pool_base = base + ['client-ipv6-pool']
+
+def migrate(config: ConfigTree) -> None:
+    if not config.exists(base):
+        return
+
+    if not config.exists(pool_base):
+        return
+
+    ipv6_pool_name = 'ipv6-pool'
+    config.copy(pool_base, pool_base + [ipv6_pool_name])
+
+    if config.exists(pool_base + ['prefix']):
+        config.delete(pool_base + ['prefix'])
+        config.set(base + ['default-ipv6-pool'], value=ipv6_pool_name)
+    if config.exists(pool_base + ['delegate']):
+        config.delete(pool_base + ['delegate'])
+
+    # format as tag node
+    config.set_tag(pool_base)