1
0
mirror of https://github.com/laurivosandi/certidude synced 2024-12-23 00:25:18 +00:00

StrongSwan gateway setup script cleanups

This commit is contained in:
Lauri Võsandi 2017-04-14 20:21:31 +03:00
parent b57fbfa696
commit ca0386b649
2 changed files with 46 additions and 32 deletions

View File

@ -220,15 +220,26 @@ def certidude_request(fork, renew):
remote = service_config.get(endpoint, "remote") remote = service_config.get(endpoint, "remote")
from ipsecparse import loads from ipsecparse import loads
config = loads(open("%s/ipsec.conf" % const.STRONGSWAN_PREFIX).read()) config = loads(open("%s/ipsec.conf" % const.STRONGSWAN_PREFIX).read())
if config["conn",remote]["left"] == "%defaultroute": for section_type, section_name in config:
config["conn",remote]["auto"] = "start" # This is client # Identify correct ipsec.conf section by leftcert
else: if section_type != "conn":
config["conn",remote]["auto"] = "add" # This is server continue
with open("%s/ipsec.conf.part" % const.STRONGSWAN_PREFIX, "w") as fh: if config[section_type,section_name]["leftcert"] != endpoint_certificate_path:
fh.write(config.dumps()) continue
os.rename(
"%s/ipsec.conf.part" % const.STRONGSWAN_PREFIX, if config[section_type,section_name]["left"] == "%defaultroute":
"%s/ipsec.conf" % const.STRONGSWAN_PREFIX) config[section_type,section_name]["auto"] = "start" # This is client
elif config[section_type,section_name]["leftsourceip"]:
config[section_type,section_name]["auto"] = "add" # This is server
else:
config[section_type,section_name]["auto"] = "route" # This is site-to-site tunnel
with open("%s/ipsec.conf.part" % const.STRONGSWAN_PREFIX, "w") as fh:
fh.write(config.dumps())
os.rename(
"%s/ipsec.conf.part" % const.STRONGSWAN_PREFIX,
"%s/ipsec.conf" % const.STRONGSWAN_PREFIX)
break
# Regenerate /etc/ipsec.secrets # Regenerate /etc/ipsec.secrets
with open("%s/ipsec.secrets.part" % const.STRONGSWAN_PREFIX, "w") as fh: with open("%s/ipsec.secrets.part" % const.STRONGSWAN_PREFIX, "w") as fh:
@ -242,10 +253,10 @@ def certidude_request(fork, renew):
# Attempt to reload config or start if it's not running # Attempt to reload config or start if it's not running
if os.path.exists("/usr/sbin/strongswan"): # wtf fedora if os.path.exists("/usr/sbin/strongswan"): # wtf fedora
if os.system("strongswan update") == 130: if os.system("strongswan update"):
os.system("strongswan start") os.system("strongswan start")
else: else:
if os.system("ipsec update") == 130: if os.system("ipsec update"):
os.system("ipsec start") os.system("ipsec start")
continue continue
@ -560,30 +571,31 @@ def certidude_setup_openvpn_client(authority, remote, config, proto):
@click.command("server", help="Set up strongSwan server") @click.command("server", help="Set up strongSwan server")
@click.argument("authority") @click.argument("authority")
@click.option("--common-name", "-cn", default=const.FQDN, help="Common name, %s by default" % const.FQDN)
@click.option("--subnet", "-sn", default=u"192.168.33.0/24", type=ip_network, help="IPsec virtual subnet, 192.168.33.0/24 by default") @click.option("--subnet", "-sn", default=u"192.168.33.0/24", type=ip_network, help="IPsec virtual subnet, 192.168.33.0/24 by default")
@click.option("--local", "-l", type=ip_address, help="IP address associated with the certificate, none by default")
@click.option("--route", "-r", type=ip_network, multiple=True, help="Subnets to advertise via this connection, multiple allowed") @click.option("--route", "-r", type=ip_network, multiple=True, help="Subnets to advertise via this connection, multiple allowed")
@apt("strongswan python-requests python-requests-kerberos")
@rpm("strongswan python2-requests python2-requests-kerberos")
@pip("ipsecparse") @pip("ipsecparse")
def certidude_setup_strongswan_server(authority, config, secrets, subnet, route, local, fqdn): def certidude_setup_strongswan_server(authority, common_name, subnet, route):
if "." not in common_name: if "." not in common_name:
raise ValueError("Hostname has to be fully qualified!") raise ValueError("Hostname has to be fully qualified!")
if not local:
raise ValueError("Please specify local IP address")
# Create corresponding section in Certidude client configuration file # Create corresponding section in Certidude client configuration file
client_config = ConfigParser() client_config = ConfigParser()
if os.path.exists(const.CLIENT_CONFIG_PATH): if os.path.exists(const.CLIENT_CONFIG_PATH):
client_config.readfp(open(const.CLIENT_CONFIG_PATH)) client_config.readfp(open(const.CLIENT_CONFIG_PATH))
if client_config.has_section(server): if client_config.has_section(authority):
click.echo("Section '%s' already exists in %s, remove to regenerate" % (authority, const.CLIENT_CONFIG_PATH)) click.echo("Section '%s' already exists in %s, remove to regenerate" % (authority, const.CLIENT_CONFIG_PATH))
else: else:
client_config.add_section(authority)
client_config.set(authority, "trigger", "interface up") client_config.set(authority, "trigger", "interface up")
client_config.set(authority, "common name", const.FQDN) client_config.set(authority, "common name", const.FQDN)
client_config.set(authority, "request path", "/etc/ipsec.d/reqs/%s.pem" % const.HOSTNAME) client_config.set(authority, "request path", "%s/ipsec.d/reqs/%s.pem" % (const.STRONGSWAN_PREFIX, const.HOSTNAME))
client_config.set(authority, "key path", "/etc/ipsec.d/private/%s.pem" % const.HOSTNAME) client_config.set(authority, "key path", "%s/ipsec.d/private/%s.pem" % (const.STRONGSWAN_PREFIX, const.HOSTNAME))
client_config.set(authority, "certificate path", "/etc/ipsec.d/certs/%s.pem" % const.HOSTNAME) client_config.set(authority, "certificate path", "%s/ipsec.d/certs/%s.pem" % (const.STRONGSWAN_PREFIX, const.HOSTNAME))
client_config.set(authority, "authority path", "/etc/ipsec.d/cacerts/ca.pem") client_config.set(authority, "authority path", "%s/ipsec.d/cacerts/ca.pem" % const.STRONGSWAN_PREFIX)
client_config.set(authority, "revocations path", "/etc/ipsec.d/crls/ca.pem") client_config.set(authority, "revocations path", "%s/ipsec.d/crls/ca.pem" % const.STRONGSWAN_PREFIX)
with open(const.CLIENT_CONFIG_PATH + ".part", 'wb') as fh: with open(const.CLIENT_CONFIG_PATH + ".part", 'wb') as fh:
client_config.write(fh) client_config.write(fh)
os.rename(const.CLIENT_CONFIG_PATH + ".part", const.CLIENT_CONFIG_PATH) os.rename(const.CLIENT_CONFIG_PATH + ".part", const.CLIENT_CONFIG_PATH)
@ -591,22 +603,23 @@ def certidude_setup_strongswan_server(authority, config, secrets, subnet, route,
# Create corresponding section to /etc/ipsec.conf # Create corresponding section to /etc/ipsec.conf
from ipsecparse import loads from ipsecparse import loads
config = loads(open('/etc/ipsec.conf').read()) config = loads(open("%s/ipsec.conf" % const.STRONGSWAN_PREFIX).read())
config["conn", server] = dict( config["conn", authority] = dict(
leftsourceip="%config", leftsourceip="%config",
left=common_name, left=common_name,
leftcert=certificate_path, leftcert=client_config.get(authority, "certificate path"),
leftsubnet=route.join(", "), leftsubnet=",".join(route),
right="%any", right="%any",
rightsourceip=subnet, rightsourceip=str(subnet),
keyexchange="ikev2", keyexchange="ikev2",
keyingtries="300", keyingtries="300",
dpdaction=dpdaction,
closeaction="restart", closeaction="restart",
auto="ignore") auto="ignore")
with open("/etc/ipsec.conf.part", "w") as fh: with open("%s/ipsec.conf.part" % const.STRONGSWAN_PREFIX, "w") as fh:
fh.write(client_config.dumps()) fh.write(config.dumps())
os.rename("/etc/ipsec.conf.part", "/etc/ipsec.conf") os.rename(
"%s/ipsec.conf.part" % const.STRONGSWAN_PREFIX,
"%s/ipsec.conf" % const.STRONGSWAN_PREFIX)
click.echo() click.echo()
click.echo("If you're running Ubuntu make sure you're not affected by #1505222") click.echo("If you're running Ubuntu make sure you're not affected by #1505222")
@ -616,8 +629,8 @@ def certidude_setup_strongswan_server(authority, config, secrets, subnet, route,
@click.command("client", help="Set up strongSwan client") @click.command("client", help="Set up strongSwan client")
@click.argument("authority") @click.argument("authority")
@click.argument("remote") @click.argument("remote")
@apt("strongswan-nm python-requests python-requests-kerberos") @apt("strongswan python-requests python-requests-kerberos")
@rpm("NetworkManager-strongswan-gnome python2-requests python2-requests-kerberos") @rpm("strongswan python2-requests python2-requests-kerberos")
@pip("ipsecparse") @pip("ipsecparse")
def certidude_setup_strongswan_client(authority, remote): def certidude_setup_strongswan_client(authority, remote):
# Create corresponding section in /etc/certidude/client.conf # Create corresponding section in /etc/certidude/client.conf

View File

@ -31,6 +31,7 @@ else:
HOSTNAME, DOMAIN = FQDN, "local" HOSTNAME, DOMAIN = FQDN, "local"
click.echo("Unable to determine domain of this computer, falling back to local") click.echo("Unable to determine domain of this computer, falling back to local")
# TODO: lazier, otherwise gets evaluated before installing package
if os.path.exists("/etc/strongswan/ipsec.conf"): # fedora dafuq?! if os.path.exists("/etc/strongswan/ipsec.conf"): # fedora dafuq?!
STRONGSWAN_PREFIX = "/etc/strongswan" STRONGSWAN_PREFIX = "/etc/strongswan"
else: else: